Generic Info
AD info
GUI
C:\Windows\System32\rundll32.exe dsquery.dll,OpenQueryWindow
1. Network
2. Search Active Directory
3. Browse
Script
. .\HostEnum.ps1
Invoke-HostEnum -Domain -HTMLReport
Domain / Forest info
Get domain name
echo %USERDOMAIN%
echo %USERDNSDOMAIN%
echo %LOGONSERVER%
whoami /all
wmic computersystem get domain
set l
List domains
nltest /dclist:<domain>
nltest /dsgetdc:<domain>
nslookup -type=srv _kerberos._tcp.<fqdn_domain>
Domain info
nltest /dsgetdc:<domain>
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
Forest info
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GlobalCatalogs
Users
PowerView
Find-DomainUserLocation -Stealth -ShowAll
Get-DomainForeignUser [-Domain <fqdn_domain>]
get-aduser <user> -prop Created,PasswordLastSet,msDS-KeyVersionNumber,LastLogonDate,servicePrincipalName
Check for users with AllowReversiblePasswordEncryption
powershell Get-ADuser -Filter * -Prop * | Where-Object {$_.AllowReversiblePasswordEncryption -ne $false}
powershell Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl
NULL password
Get-ADUser -Filter 'useraccountcontrol -band 32' -Properties useraccountcontrol | FT Name
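The `-band 32` filter above tests a single bit of userAccountControl (PASSWD_NOTREQD). The following is an added example, not part of the original cheat sheet, that decodes the whole bitmask using the documented ADS_USER_FLAG constants and reports enabled accounts carrying password-policy weaknesses (no password required, reversible encryption, DES-only keys, Kerberos pre-authentication disabled). The sample accounts are constructed so it runs without a domain; the commented call at the end shows how to feed it real Get-ADUser output.

```powershell
# Added example: decode userAccountControl and audit enabled accounts for weak
# password-related flags. Flag values are the ADS_USER_FLAG_ENUM constants.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x0002
    PASSWD_NOTREQD                 = 0x0020    # the "32" in the -band filter above
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080    # AllowReversiblePasswordEncryption
    NORMAL_ACCOUNT                 = 0x0200
    DONT_EXPIRE_PASSWORD           = 0x10000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000  # Kerberos pre-authentication disabled
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

# Return the names of every flag set in a userAccountControl value.
function ConvertFrom-Uac {
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# Flags a defender should review on any enabled account.
$RiskyFlags = 'PASSWD_NOTREQD', 'ENCRYPTED_TEXT_PWD_ALLOWED', 'USE_DES_KEY_ONLY', 'DONT_REQ_PREAUTH'

# Accepts any objects exposing SamAccountName and userAccountControl
# (e.g. Get-ADUser -Properties userAccountControl output).
function Get-RiskyUacAccounts {
    param([Parameter(Mandatory)][object[]]$Accounts)
    foreach ($a in $Accounts) {
        $flags = @(ConvertFrom-Uac -Value $a.userAccountControl)
        if ($flags -contains 'ACCOUNTDISABLE') { continue }   # disabled accounts are out of scope
        $hits = $flags | Where-Object { $RiskyFlags -contains $_ }
        if ($hits) {
            [pscustomobject]@{ SamAccountName = $a.SamAccountName; Flags = ($hits -join ',') }
        }
    }
}

# Constructed sample accounts (hypothetical names and values) for an offline run.
$Sample = @(
    [pscustomobject]@{ SamAccountName = 'svc_backup'; userAccountControl = 0x10220 }   # normal + PASSWD_NOTREQD + don't expire
    [pscustomobject]@{ SamAccountName = 'jdoe';       userAccountControl = 0x200 }     # clean
    [pscustomobject]@{ SamAccountName = 'old_admin';  userAccountControl = 0x202 }     # disabled, skipped
    [pscustomobject]@{ SamAccountName = 'legacyapp';  userAccountControl = 0x400280 }  # reversible enc + no preauth
)
Get-RiskyUacAccounts -Accounts $Sample | Format-Table -AutoSize

# Against a live domain (ActiveDirectory module required):
# Get-RiskyUacAccounts -Accounts (Get-ADUser -Filter * -Properties userAccountControl)
```

On the sample data this lists svc_backup (PASSWD_NOTREQD) and legacyapp (ENCRYPTED_TEXT_PWD_ALLOWED, DONT_REQ_PREAUTH); the disabled old_admin is skipped. Decoding the full mask, rather than testing one bit, is what lets a single pass cover the reversible-encryption and null-password checks listed above.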
DSQuery
dsquery user | dsget user -samid -email -display [-limit 10000]
Get-WmiObject -Class Win32_UserAccount -Filter "Domain='<domain>' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID
Group
PowerView
(Get-DomainGroup -Domain <fqdn_domain>).samaccountname
Get-DomainGroupMember -Identity <domain> -Domain <fqdn_domain>
get-adgroupmember <group> -Recursive | select DistinguishedName
Based on ADSI and reflective DLLs
Share browsing
SMB
Find-DomainShare -CheckShareAccess
pth-smbclient -U "<domain>/<user>%<LM:NT>" //<ip>/<share>
crackmapexec smb <range_ip> -u <user> -p "<password>" -d <domain> --shares | grep "READ\|WRITE" | grep -v "print\|IPC"
DFS
Get-ADObject -filter * -SearchBase "CN=Dfs-Configuration,CN=System,DC=a,DC=b" | select name
$s=[adsisearcher]'(name=*)'; $s.SearchRoot = [adsi]"LDAP://CN=Dfs-Configuration,CN=System,dc=a,dc=b"; $s.FindAll() | % {$_.properties.name}
Get-DfsLinks.ps1 is a PowerShell wrapper around a C# class which takes one or more UNC formatted DFS namespace paths and returns the names and targets of all links contained in that namespace.
Get-DfsLinks -Path <\\dfs\path>
Find interesting files
Find-InterestingFile -Path \\server\share [-Include keyword1,keyword2] [-OfficeDocs] [-LastAccessTime (Get-Date).AddDays(-7)]
sharpfinder [--path=<\\hostname\C$|C:\>] --grepable --readable --writeable --keywords=<admin,creds,credentials> --extensions=<kbdx,xlsx,doc,docx,txt,ps1,bat>
grep -r SharpFinder .
Misc
Convert GUID from SAM account name
$guid = ([adsisearcher]"(&(objectClass=User)(samaccountname=<username>))").FindAll().Properties.objectguid
$a = New-Object guid(,$guid[0])
$a
Convert SID to name
Convert-SidToName <SID>
Sessions
Get-NetSession
Inbound NTLM authentication
Get-DomainUserEvent | ?{$_.AuthenticationPackageName -eq 'NTLM'} | select TimeCreated,TargetUserName,*PackageName,IpAddress | ft -AutoSize
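Get-DomainUserEvent is PowerView's wrapper over Security event 4624. The following is an added example, not PowerView code, that performs the same NTLM check directly on the 4624 event XML, so it runs without PowerView and also works on exported .evtx data, and additionally groups results by source address and LmPackageName (NTLM V1 versus V2), which is what an administrator needs before tightening the LmCompatibilityLevel or blocking NTLM. The event records below are constructed samples; the commented Get-WinEvent call shows how to feed it a DC's live Security log.

```powershell
# Added example: summarise inbound NTLM logons from 4624 event XML (not PowerView code).
function Get-NtlmLogonSummary {
    param([Parameter(Mandatory)][xml[]]$EventXml)   # one <Event> document per 4624 record
    $ns = @{ e = 'http://schemas.microsoft.com/win/2004/08/events/event' }
    $rows = foreach ($x in $EventXml) {
        # Flatten <Data Name="...">value</Data> pairs into a hashtable.
        $data = @{}
        foreach ($d in (Select-Xml -Xml $x -Namespace $ns -XPath '//e:EventData/e:Data')) {
            $data[$d.Node.GetAttribute('Name')] = $d.Node.InnerText
        }
        if ($data['AuthenticationPackageName'] -ne 'NTLM') { continue }   # keep NTLM only
        [pscustomobject]@{
            TargetUser = $data['TargetUserName']
            LogonType  = $data['LogonType']
            LmPackage  = $data['LmPackageName']   # 'NTLM V1' vs 'NTLM V2'
            IpAddress  = $data['IpAddress']
        }
    }
    # One row per source address and NTLM version, with the accounts seen from it.
    $rows | Group-Object IpAddress, LmPackage | ForEach-Object {
        [pscustomobject]@{
            IpAddress = $_.Group[0].IpAddress
            LmPackage = $_.Group[0].LmPackage
            Logons    = $_.Count
            Users     = ($_.Group.TargetUser | Sort-Object -Unique) -join ','
        }
    }
}

# Builds a minimal 4624 record; used only to construct offline sample input.
function New-LogonEventXml {
    param($User, $Package, $LmPackage, $Ip, $LogonType = 3)
    [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="LogonType">$LogonType</Data>
    <Data Name="AuthenticationPackageName">$Package</Data>
    <Data Name="LmPackageName">$LmPackage</Data>
    <Data Name="IpAddress">$Ip</Data>
  </EventData>
</Event>
"@
}

# Constructed sample events (hypothetical users and addresses).
$Sample = @(
    (New-LogonEventXml -User 'svc_scan' -Package 'NTLM'     -LmPackage 'NTLM V1' -Ip '10.0.0.5'),
    (New-LogonEventXml -User 'jdoe'     -Package 'NTLM'     -LmPackage 'NTLM V2' -Ip '10.0.0.9'),
    (New-LogonEventXml -User 'jdoe'     -Package 'Kerberos' -LmPackage '-'       -Ip '10.0.0.9'),
    (New-LogonEventXml -User 'admin'    -Package 'NTLM'     -LmPackage 'NTLM V1' -Ip '10.0.0.5')
)
Get-NtlmLogonSummary -EventXml $Sample | Format-Table -AutoSize

# Live data from a domain controller's Security log:
# Get-NtlmLogonSummary -EventXml (Get-WinEvent -LogName Security -FilterXPath '*[System[EventID=4624]]' -MaxEvents 5000 |
#     ForEach-Object { [xml]$_.ToXml() })
```

On the sample data the Kerberos logon is dropped and the output shows 10.0.0.5 with two NTLM V1 logons (admin, svc_scan) and 10.0.0.9 with one NTLM V2 logon (jdoe); the V1 row is the one worth chasing, since it identifies the hosts that will break when NTLMv1 is refused.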
Check SMB signing status
nmap --script smb-security-mode.nse -p445 <IP_or_range>
nmap -sU -sS --script smb-security-mode.nse -p U:137,T:139 <IP_or_range>
/usr/share/responder/tools/RunFinger.py <IP_or_range>