Generic info

Domain info

Get domain name

echo %USERDOMAIN%
echo %USERDNSDOMAIN%
echo %LOGONSERVER%
whoami /all
wmic computersystem get domain

List domain controllers

nltest /dclist:<domain>
nltest /dsgetdc:<domain>
nslookup -type=srv _kerberos._tcp.<fqdn_domain>

Domain info

nltest /dsgetdc:<domain>
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

Forest info

[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

Users

PowerView

Find-DomainUserLocation -Stealth -ShowAll
Get-DomainForeignUser [-Domain <fqdn_domain>]

Inbound NTLM auth

PowerView

Get-DomainUserEvent | ?{$_.AuthenticationPackageName -eq 'NTLM'} | select TimeCreated,TargetUserName,*PackageName,IpAddress | ft -AutoSize

Sessions

PowerView

Get-NetSession

Shares

PowerView

Find-DomainShare -CheckShareAccess

BloodHound

https://stealingthe.network/quick-guide-to-installing-bloodhound-in-kali-rolling/
https://github.com/BloodHoundAD/BloodHound/tree/master/Ingestors
. .\SharpHound.ps1
Invoke-BloodHound -CollectionMethod All

Alternative - not tested

pip install ldap3 dnspython ldapdomaindump
ldapdomaindump -u "DOMAIN\user" <ip>

Check SMB signing status

Nmap tcp

nmap --script smb-security-mode.nse -p445 <IP_or_range>

Nmap udp

nmap -sU -sS --script smb-security-mode.nse -p U:137,T:139 <IP_or_range>

Responder

/usr/share/responder/tools/RunFinger.py <IP_or_range>