- PowerView https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
Get-DomainUser
- SharpView https://github.com/tevora-threat/SharpView
- DS Tools
dsquery user "DC=<DOMAIN>,DC=local" -name * -scope subtree -limit 0 | dsget user -samid -fn -ln -display
- PowerShell Active Directory module
Get-ADUser -Filter * -Properties *
- Windows Management Instrumentation (WMI)
Get-WmiObject -Class win32_group -Filter "Domain='<DOMAIN>'" | Select Caption,Name
- AD Service Interfaces (ADSI)
([adsisearcher]"(&(objectClass=Computer))").FindAll() | select Path
- https://github.com/yaap7/ldapsearch-ad
- RSAT Tools + LDAP queries
- https://ldapwiki.com/wiki/Active%20Directory%20Computer%20Related%20LDAP%20Query
- https://ldapwiki.com/wiki/Active%20Directory%20User%20Related%20Searches
- https://ldapwiki.com/wiki/Active%20Directory%20Group%20Related%20Searches
- https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
#Example
Get-ADObject -LDAPFilter '(&(objectCategory=person)(objectClass=user))' -Properties *
- Linux hosts running open-source versions of LDAP and Linux vCenter appliances are often configured to allow anonymous binds.
sudo nmap -p 389,636 <RANGE>
- Python
from ldap3 import *
s = Server('<IP>',get_info = ALL)
c = Connection(s, '', '')
c.bind()
True
s.info
ldapsearch -h <IP> -p 389 -x -b "dc=<DOMAIN>,dc=local"
python windapsearch.py --dc-ip <IP>
python3 windapsearch.py --dc-ip 10.129.1.207 -u "" --functionality
python3 windapsearch.py --dc-ip 10.129.1.207 -u "" -U
python3 windapsearch.py --dc-ip 10.129.1.207 -u "" -C
. ./PowerView.ps1
Expand-Archive ADModule-master.zip
Import-Module .\ADModule-master\ADModule-master\Microsoft.ActiveDirectory.Management.dll
Import-Module .\ADModule-master\ADModule-master\ActiveDirectory\ActiveDirectory.psd1
Get-Domain
Get-Domain -Domain <DOMAIN NAME>
Get-DomainSID
Get-DomainPolicy
Get-DomainPolicyData
(Get-DomainPolicy)."System Access"
net accounts /domain
Get-DomainController
Get-DomainController | select-object Name
Get-DomainUser
Get-DomainUser -Username <USERNAME>
Get-DomainUser | select samaccountname
Get-DomainUser | select samaccountname, lastlogon, pwdlastset
Get-DomainUser | select samaccountname, lastlogon, pwdlastset | Sort-Object -Property lastlogon
Get-DomainUser | select samaccountname, memberof
Get-Userproperty -Properties pwdlastset
Find-UserField -SearchField Description -SearchTerm "built"
Get-DomainUser | Select-Object samaccountname,description
Get-DomainComputer
Get-DomainComputer -FullData
Get-DomainComputer -Computername <COMPUTERNAME> -FullData
Get-DomainComputer -OperatingSystem "*<VERSION>*"
Get-DomainComputer -fulldata | select samaccountname, operatingsystem, operatingsystemversion
Get-DomainGroup
Get-DomainGroup -Domain <DOMAIN>
Get-DomainGroup -GroupName *admin*
Get-DomainGroupMember -Groupname "<GROUP>" -Recurse
Get-DomainGroup -Username <SAMACCOUNTNAME>
Get-NetLocalGroup -Computername <COMPUTERNAME> -ListGroups
Get-NetLocalGroupMember -Computername <COMPUTERNAME> -Recurse
Get-NetLocalGroupMember -ComputerName <COMPUTERNAME> -GroupName <GROUPNAME>
Get-NetLoggedon -Computername <COMPUTERNAME>
Get-LoggedonLocal -Computername <COMPUTERNAME>
Get-LastLoggedOn -ComputerName <COMPUTERNAME>
Find-DomainShare -ComputerDomain <DOMAIN> -CheckShareAccess
Find-InterestingDomainShareFile -Verbose
Get-DomainFileServer
Get-DomainGPO
Get-DomainGPO -Computername <COMPUTERNAME>
- Returns all GPOs that modify local group memberships through Restricted Groups or Group Policy Preferences.
Get-DomainGPOLocalGroup
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity <COMPUTERNAME>
- Enumerates the machines where a specific domain user/group is a member of a specific local group.
Get-DomainGPOUserLocalGroupMapping -Identity <SAMACCOUNTNAME> -Verbose
Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName
- Read the GPO name (its ID) from the gplink attribute of the OU returned by Get-DomainOU, then look it up:
Get-DomainOU
Get-DomainGPO -Identity '{<ID>}'
(Get-DomainOU).distinguishedname | %{Get-DomainComputer -SearchBase $_} | Get-DomainGPOComputerLocalGroupMapping
(Get-DomainOU -Identity 'OU=Mgmt,DC=us,DC=techcorp,DC=local').distinguishedname | %{Get-DomainComputer -SearchBase $_} | Get-DomainGPOComputerLocalGroupMapping
Get-DomainOu -Fulldata
Get-DomainOu <OU> | %{Get-DomainComputer -ADSPath $_}
Get-DomainComputer | ? { $_.DistinguishedName -match "OU=<OU>" } | select DnsHostName
Get-DomainObjectAcl -Identity <SAMACCOUNTNAME> -ResolveGUIDS
Get-DomainObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose
Get-DomainObjectAcl -Searchbase "LDAP://CN=Domain Admins,CN=Users,DC=us,DC=techcorp,DC=local" -ResolveGUIDs -Verbose
Get-PathAcl -Path "\\<DC>\sysvol"
Find-InterestingDomainAcl -ResolveGUIDs
Find-InterestingDomainAcl -ResolveGUIDs | select IdentityReference, ObjectDN, ActiveDirectoryRights | fl
#New Powerview
Find-InterestingDomainAcl -ResolveGUIDs | select IdentityReferenceName, ObjectDN, ActiveDirectoryRights | fl
Find-InterestingDomainAcl | Where-Object {$_.IdentityReference -eq [System.Security.Principal.WindowsIdentity]::GetCurrent().Name}
Get-DomainTrust
Get-Forest
Get-ForestDomain
Get-ForestDomain -Forest <FOREST NAME>
Get-ForestGlobalCatalog
Get-ForestGlobalCatalog -Forest <FOREST NAME>
Get-ForestTrust
Get-ForestTrust -Forest <FOREST NAME>
Get-ForestDomain -Verbose | Get-DomainTrust
- Enumerates all machines and queries the domain for users of a specified group (default Domain Admins). Then finds domain machines where those users are logged into.
Find-DomainUserLocation | select UserName, SessionFromName
Get-NetSession
https://github.com/BloodHoundAD/BloodHound
cd Ingestors
. ./sharphound.ps1
Invoke-Bloodhound -CollectionMethod all -Verbose
Invoke-Bloodhound -CollectionMethod LoggedOn -Verbose
#Copy neo4j-community-3.5.1 to C:\
#Open cmd
cd C:\neo4j\neo4j-community-3.5.1-windows\bin
neo4j.bat install-service
neo4j.bat start
#Browse to BloodHound-win32-x64
Run BloodHound.exe
#Change credentials and login
- https://github.com/SadProcessor/Cheats/blob/master/DogWhispererV2.md#v--rest-api
- https://ernw.de/download/BloodHoundWorkshop/ERNW_DogWhispererHandbook.pdf
python3 windapsearch.py --dc-ip <DC IP> -u '<DOMAIN>\<USER>'
python3 ldapsearch-ad.py -l <DC IP> -d <DOMAIN> -u <USER> -p <PASSWORD>