Enumeration

Traditional Approach

User

net user
net user /domain

Group

net group
net group /domain

Modern Approach

Requires the distinguished name (DN) of the domain. In PowerShell, the current domain object can be retrieved with:

[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

Enumeration Template:

$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name            # query the PDC emulator directly
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"   # corp.com -> DC=corp,DC=com
$SearchString += $DistinguishedName              # LDAP://<PDC>/DC=corp,DC=com

$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
# Bind the search root to the LDAP path built above (a parameterless DirectoryEntry
# would silently fall back to the default naming context and ignore $SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($SearchString)
$Searcher.SearchRoot = $objDomain

# Example filters (LDAP filter syntax; adjust the DC= components to the target domain):
# Domain Admins: $Searcher.filter="memberof=CN=Domain Admins,CN=Users,DC=corp,DC=com"
# Computers:     $Searcher.filter="objectcategory=CN=Computer,CN=Schema,CN=Configuration,DC=corp,DC=com"
# Find Win10:    $Searcher.filter="operatingsystem=*windows 10*"
$Searcher.filter="operatingsystem=*windows 10*"
$Result = $Searcher.FindAll()

# Print every attribute of each matching object, one object per separator line
ForEach($obj in $Result)
{
    ForEach($prop in $obj.Properties)
    {
        $prop
    }
    Write-Host "-------------------------"
}

PowerView

Service Account Attacks

Request SPN Ticket:

# Requests a Kerberos service ticket (TGS) for the given SPN; replace <SPN> with the service principal name
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList '<SPN>'
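Seen from the defender's side, the request above leaves a Security event 4769 on the domain controller for every SPN queried. As an added example that is not from these notes, the following PowerShell function takes 4769 data (assumed to be already parsed into objects carrying the event's named fields; the sample events are constructed) and flags one requester obtaining RC4-encrypted service tickets for many distinct service accounts. The threshold is an assumption to tune per environment.

```powershell
# Added example, not part of the original notes: flag Kerberoast-style bursts of
# service-ticket requests in Security event 4769 data. Assumption: each event has
# already been parsed into an object carrying the 4769 fields TargetUserName,
# ServiceName, TicketEncryptionType, IpAddress and Status.
function Find-KerberoastBursts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinDistinctSpns = 5      # assumed threshold; tune to the environment
    )
    # Successful requests (Status 0x0) that used RC4 (0x17) for non-machine
    # service accounts are the signal; krbtgt and host$ accounts are normal traffic.
    $candidates = $Events | Where-Object {
        $_.Status -eq '0x0' -and
        $_.TicketEncryptionType -eq '0x17' -and
        $_.ServiceName -notlike '*$' -and
        $_.ServiceName -ne 'krbtgt'
    }
    # One requester hitting many distinct SPNs from one source is the burst pattern.
    $candidates | Group-Object -Property TargetUserName, IpAddress | ForEach-Object {
        $spns = @($_.Group.ServiceName | Sort-Object -Unique)
        if ($spns.Count -ge $MinDistinctSpns) {
            [pscustomobject]@{
                Requester   = $_.Group[0].TargetUserName
                SourceIp    = $_.Group[0].IpAddress
                DistinctSpn = $spns.Count
                Services    = ($spns -join ', ')
            }
        }
    }
}

# Constructed sample data (not a real log): jdoe pulls RC4 tickets for five service
# accounts from one host; asmith's AES (0x12) request and a host$ lookup are benign.
$sampleEvents = @(
    foreach ($svc in 'svc_sql', 'svc_web', 'svc_backup', 'svc_iis', 'svc_sap') {
        [pscustomobject]@{ TargetUserName = 'jdoe@CORP.COM'; ServiceName = $svc
                           TicketEncryptionType = '0x17'; IpAddress = '::ffff:10.0.0.25'; Status = '0x0' }
    }
    [pscustomobject]@{ TargetUserName = 'asmith@CORP.COM'; ServiceName = 'svc_sql'
                       TicketEncryptionType = '0x12'; IpAddress = '::ffff:10.0.0.40'; Status = '0x0' }
    [pscustomobject]@{ TargetUserName = 'jdoe@CORP.COM'; ServiceName = 'WS01$'
                       TicketEncryptionType = '0x17'; IpAddress = '::ffff:10.0.0.25'; Status = '0x0' }
)

# Expected: a single row for jdoe@CORP.COM from ::ffff:10.0.0.25 with DistinctSpn = 5
Find-KerberoastBursts -Events $sampleEvents | Format-Table -AutoSize
```

Service accounts that still accept RC4 and hold a long-unchanged password are the ones this pattern targets; moving them to AES-only (msDS-SupportedEncryptionTypes) or to group managed service accounts removes most of the exposure.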
