k4sth4 / Domain-Recon

Active Directory Domain Enumeration


Domain-Recon

To carry out a successful attack in an Active Directory environment, one first needs to enumerate the domain. We will use the PowerView.ps1 module to enumerate the domain.

Reconnaissance

First import the PowerView.ps1 module (either form works):

    import-module Powerview.ps1
    . .\Powerview.ps1

1. `Get-Domain` - Useful information includes the domain name, the forest name and the domain controllers.

        Get-Domain

2. `Get-DomainController` - Returns the domain controllers for the current or specified domain.

        Get-DomainController | select Forest, Name, OSVersion | fl

3. `Get-ForestDomain` - Returns all domains for the current forest or the forest specified by `-Forest`.

        Get-ForestDomain

4. `Get-DomainPolicyData` - Useful for finding information such as the domain password policy.

        Get-DomainPolicyData | select -ExpandProperty SystemAccess

5. `Get-DomainUser` - Returns all (or specific) user(s).

        Get-DomainUser -Identity john -Properties DisplayName, MemberOf | fl

6. `Get-DomainComputer` - Returns all computers or specific computer objects.

        Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName

7. `Get-DomainOU` - Searches for all organizational units (OUs) or specific OU objects.

        Get-DomainOU -Properties Name | sort -Property Name

8. `Get-DomainGroup` - Returns all groups or specific group objects.

        Get-DomainGroup | where Name -like "*Admins*" | select SamAccountName

9. `Get-DomainGroupMember` - Returns the members of a specific domain group.

        Get-DomainGroupMember -Identity "Domain Admins" | select MemberDistinguishedName

10. `Get-DomainGPO` - Returns all Group Policy Objects (GPOs) or specific GPO objects.

        Get-DomainGPO -Properties DisplayName | sort -Property DisplayName

    To enumerate all GPOs that are applied to a particular machine, use `-ComputerIdentity`:

        Get-DomainGPO -ComputerIdentity wkstn-1 -Properties DisplayName | sort -Property DisplayName

11. `Get-DomainGPOLocalGroup` - Returns all GPOs that modify local group membership.

        Get-DomainGPOLocalGroup | select GPODisplayName, GroupName

12. `Get-DomainGPOUserLocalGroupMapping` - Enumerates the machines where a specific domain user/group is a member of a specific local group.

        Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName

13. `Find-DomainUserLocation` - Finds domain machines where the specified users are logged in (by default, members of Domain Admins).

        Find-DomainUserLocation | select UserName, SessionFromName

14. `Get-NetSession` - Returns session information for the local (or a remote) machine (where `CName` is the source IP).

        Get-NetSession -ComputerName dc01 | select CName, UserName

15. `Get-DomainTrust` - Returns all domain trusts for the current or specified domain.

        Get-DomainTrust

16. `Find-DomainShare` - Finds SMB shares in a domain; `-CheckShareAccess` only displays those that the executing principal has access to.

        Find-DomainShare -ComputerDomain hackershell.io -CheckShareAccess

    To find the writable shares in a domain:

        Find-DomainShare -CheckShareAccess
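The same cmdlets combined into a one-shot audit of the weaknesses the list above is looking for, as an added example that is not part of the Domain-Recon repository. It assumes PowerView.ps1 is already dot-sourced in a domain-joined session with read access to AD; the thresholds (14-character minimum, five Domain Admins) and the watched group names are illustrative and should match your own policy.

```powershell
# Added audit example (not part of the Domain-Recon repo). Assumes PowerView.ps1
# is already loaded in a domain-joined session. Thresholds are illustrative.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Password / lockout policy. SystemAccess values come back as strings, hence [int].
$pol = (Get-DomainPolicyData).SystemAccess
if ([int]$pol.MinimumPasswordLength -lt 14) {
    $findings.Add("Policy: MinimumPasswordLength is $($pol.MinimumPasswordLength) (< 14)")
}
if ([int]$pol.LockoutBadCount -eq 0) {
    $findings.Add("Policy: account lockout is disabled (LockoutBadCount = 0)")
}
if ([int]$pol.PasswordComplexity -ne 1) {
    $findings.Add("Policy: password complexity requirement is off")
}

# 2. Size of Domain Admins (recursive). Every member is a high-value account, so keep it short.
$das = @(Get-DomainGroupMember -Identity "Domain Admins" -Recurse)
if ($das.Count -gt 5) {
    $names = ($das.MemberName | Sort-Object -Unique) -join ', '
    $findings.Add("Domain Admins has $($das.Count) members: $names")
}

# 3. GPOs that put broad groups into local Administrators on whole OUs of machines.
$broad = 'Domain Users|Authenticated Users|Everyone'
$map = @(Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators)
foreach ($m in ($map | Where-Object { $_.ObjectName -match $broad })) {
    $findings.Add("GPO '$($m.GPODisplayName)' adds $($m.ObjectName) to local Administrators on $($m.ContainerName)")
}

# 4. Hosts with live Domain Admin sessions: each one is a credential-exposure risk
#    and should be limited to tier-0 systems.
$sessions = @(Find-DomainUserLocation | Select-Object UserName, ComputerName, SessionFromName -Unique)
foreach ($s in $sessions) {
    $findings.Add("Privileged session: $($s.UserName) on $($s.ComputerName) (from $($s.SessionFromName))")
}

if ($findings.Count -eq 0) { "No findings." } else { $findings }
```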