Generic info

AD info

GUI
"C:\Windows\System32\rundll32.exe" dsquery.dll,OpenQueryWindow
1. Network
2. Search Active Directory
3. Browse

Domain / forest info

Get domain name

echo %USERDOMAIN%
echo %USERDNSDOMAIN%
echo %LOGONSERVER%
whoami /all
wmic computersystem get domain

List domains

nltest /dclist:<domain>
nltest /dsgetdc:<domain>
nslookup -type=srv _kerberos._tcp.<fqdn_domain>

Domain info

nltest /dsgetdc:<domain>
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

Forest info

[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GlobalCatalogs

Users

PowerView

Find-DomainUserLocation -Stealth -ShowAll
Get-DomainForeignUser [-Domain <fqdn_domain>]
Get-ADUser <user> -Properties Created,PasswordLastSet,msDS-KeyVersionNumber,LastLogonDate,servicePrincipalName

Check for users with AllowReversiblePasswordEncryption

Get-ADUser -Filter * -Properties AllowReversiblePasswordEncryption | Where-Object {$_.AllowReversiblePasswordEncryption -eq $true}
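AllowReversiblePasswordEncryption is a view over bit 0x80 (ENCRYPTED_TEXT_PWD_ALLOWED) of userAccountControl; tools that return the raw integer (PowerView, LDAP exports) need the bits decoded by hand. The Python below is an added example, not part of this cheat sheet or of PowerView or the AD module: it decodes the documented userAccountControl flags and reviews constructed sample accounts for the flags worth calling out. The flag values are the documented bits; the account records are made up.

```python
"""Decode userAccountControl bit flags from raw AD attribute values.

Added example, not part of the original cheat sheet. The flag values are the
documented userAccountControl bits; the account records below are constructed
sample data, not output from any real domain.
"""

# Documented userAccountControl bits (subset relevant to password/auth hygiene)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",   # what AllowReversiblePasswordEncryption reports
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}

# Flags a hygiene review should call out on enabled accounts
RISKY_FLAGS = {
    "ENCRYPTED_TEXT_PWD_ALLOWED",
    "PASSWD_NOTREQD",
    "DONT_EXPIRE_PASSWORD",
    "TRUSTED_FOR_DELEGATION",
    "DONT_REQ_PREAUTH",
}


def decode_uac(value):
    """Return the names of all set flags, in ascending bit order."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def allows_reversible_encryption(value):
    """True when ENCRYPTED_TEXT_PWD_ALLOWED (0x80) is set."""
    return bool(value & 0x0080)


def review_accounts(accounts):
    """Return {sAMAccountName: [risky flag names]} for enabled accounts that
    carry at least one risky flag. Disabled accounts are skipped."""
    findings = {}
    for acct in accounts:
        flags = decode_uac(acct["userAccountControl"])
        if "ACCOUNTDISABLE" in flags:
            continue
        risky = sorted(f for f in flags if f in RISKY_FLAGS)
        if risky:
            findings[acct["sAMAccountName"]] = risky
    return findings


# Constructed sample records, shaped like an LDAP export of the two attributes
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200},             # normal user
    {"sAMAccountName": "legacyapp", "userAccountControl": 0x200 | 0x80},  # reversible encryption
    {"sAMAccountName": "svc_old", "userAccountControl": 0x200 | 0x10000 | 0x400000},
    {"sAMAccountName": "retired", "userAccountControl": 0x200 | 0x2 | 0x80},  # disabled, skipped
]

if __name__ == "__main__":
    for name, flags in review_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {', '.join(flags)}")
```

Feed it the userAccountControl values from a real export in place of SAMPLE_ACCOUNTS; the review deliberately ignores disabled accounts so the list stays actionable.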

DSQuery

dsquery user | dsget user -samid -email -display [-limit 10000]

Group

PowerView

(Get-DomainGroup -Domain <fqdn_domain>).samaccountname
Get-DomainGroupMember -Identity <group> -Domain <fqdn_domain>
Get-ADGroupMember <group> -Recursive | select DistinguishedName

MISC

Convert SID to name

Convert-SidToName <SID>

Sessions

Get-NetSession

Shares

Find-DomainShare -CheckShareAccess

Inbound NTLM authentication

Get-DomainUserEvent | ?{$_.AuthenticationPackageName -eq 'NTLM'} | select TimeCreated,TargetUserName,*PackageName,IpAddress | ft -AutoSize
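The one-liner above lists NTLM logons from 4624 events; what a reviewer usually wants next is how much of the logon traffic is NTLM, which sources generate it, and whether any of it is NTLMv1. The Python below is an added example, not part of this cheat sheet or of PowerView: it runs that triage over constructed records shaped like the fields Get-DomainUserEvent exposes (AuthenticationPackageName, LmPackageName, IpAddress, TargetUserName). The records are made up, not real log data.

```python
"""Triage inbound logon events for NTLM use.

Added example, not part of the original cheat sheet. The records below are
constructed to mirror the fields PowerView's Get-DomainUserEvent exposes from
event 4624; they are not real log data.
"""
from collections import Counter

# Constructed sample of parsed 4624 records
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-01-10T08:00:01", "TargetUserName": "alice",
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-", "IpAddress": "10.0.0.21"},
    {"TimeCreated": "2024-01-10T08:02:13", "TargetUserName": "svc_backup",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "IpAddress": "10.0.0.50"},
    {"TimeCreated": "2024-01-10T08:05:44", "TargetUserName": "svc_backup",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "IpAddress": "10.0.0.50"},
    {"TimeCreated": "2024-01-10T08:07:09", "TargetUserName": "legacyapp",
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1", "IpAddress": "10.0.0.77"},
    {"TimeCreated": "2024-01-10T08:09:30", "TargetUserName": "bob",
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-", "IpAddress": "10.0.0.22"},
]


def ntlm_events(events):
    """Only the logons that used the NTLM authentication package."""
    return [e for e in events if e["AuthenticationPackageName"].upper() == "NTLM"]


def ntlm_share(events):
    """Fraction of logons that used NTLM instead of Kerberos (0.0 if no events)."""
    if not events:
        return 0.0
    return len(ntlm_events(events)) / len(events)


def ntlm_sources(events):
    """Count NTLM logons per (source IP, NTLM version) so the noisiest
    NTLM talkers surface first."""
    return Counter((e["IpAddress"], e["LmPackageName"]) for e in ntlm_events(events))


def ntlmv1_accounts(events):
    """Accounts seen authenticating with NTLMv1, which the LAN Manager
    authentication level policy should already be refusing."""
    return sorted({e["TargetUserName"] for e in ntlm_events(events)
                   if e["LmPackageName"].upper().replace(" ", "") == "NTLMV1"})


if __name__ == "__main__":
    print(f"NTLM share: {ntlm_share(SAMPLE_EVENTS):.0%}")
    for (ip, version), n in ntlm_sources(SAMPLE_EVENTS).most_common():
        print(f"{ip:15} {version:8} {n}")
    print("NTLMv1 accounts:", ntlmv1_accounts(SAMPLE_EVENTS))
```

Export the real events with Get-DomainUserEvent (or Get-WinEvent on the DC) to JSON and load them in place of SAMPLE_EVENTS; the per-source counts are what you hand to whoever owns the host before tightening the NTLM policy.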

Check SMB signing status

nmap --script smb-security-mode.nse -p445 <IP_or_range>

nmap -sU -sS --script smb-security-mode.nse -p U:137,T:139 <IP_or_range>
/usr/share/responder/tools/RunFinger.py <IP_or_range>
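Across a range, the nmap output has to be reduced to one verdict per host, and "supported" (signing enabled but not required) needs to be treated as exposed, not as fixed. The Python below is an added example, not part of this cheat sheet or of nmap: it parses normal (-oN) nmap output for the smb-security-mode script and classifies each host. The scan text is a constructed sample in the script's output shape; the hosts are not real.

```python
"""Classify hosts by SMB signing posture from nmap smb-security-mode output.

Added example, not part of the original cheat sheet. The text below is a
constructed sample in the shape of nmap's normal (-oN) output for the
smb-security-mode script; the hosts are not real.
"""
import re

SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.0.0.10
Host is up (0.0010s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: required

Nmap scan report for 10.0.0.11
Host is up (0.0012s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)

Nmap scan report for 10.0.0.12
Host is up (0.0009s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
"""

# One "Nmap scan report for <host>" line starts each host block
HOST_RE = re.compile(r"^Nmap scan report for (\S+)", re.M)
# The script's verdict line: required | supported | disabled (...)
SIGNING_RE = re.compile(r"^\|_?\s+message_signing:\s*(\w+)", re.M)


def parse_signing(nmap_text):
    """Return {host: 'required' | 'supported' | 'disabled' | 'unknown'}.
    'supported' means signing is enabled but not required, which still leaves
    the host exposed to NTLM relay."""
    results = {}
    # re.split with a capturing group yields [preamble, host1, body1, host2, body2, ...]
    chunks = HOST_RE.split(nmap_text)
    for host, body in zip(chunks[1::2], chunks[2::2]):
        m = SIGNING_RE.search(body)
        results[host] = m.group(1).lower() if m else "unknown"
    return results


def signing_not_required(signing):
    """Hosts that should be fixed: signing disabled or merely supported."""
    return sorted(h for h, s in signing.items() if s in ("disabled", "supported"))


if __name__ == "__main__":
    verdicts = parse_signing(SAMPLE_NMAP_OUTPUT)
    for host, verdict in verdicts.items():
        print(f"{host:15} {verdict}")
    print("needs signing enforced:", signing_not_required(verdicts))
```

Run the scan with `-oN signing.txt` and pass the file contents to parse_signing; hosts reported as "unknown" had no script output (filtered port, script error) and need a second look rather than a green tick.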