Generic infos

AD infos

GUI
C:\Windows\System32\rundll32.exe" dsquery.dll,OpenQueryWindow

1. Network
2. Search Active Directory
3. Browse
Script
. .\HostEnum.ps1
Invoke-HostEnum -Domain -HTMLReport

Domain / Forest infos

Get domain name

echo %USERDOMAIN%
echo %USERDNSDOMAIN%
echo %LOGONSERVER%
whoami /all
wmic computersystem get domain
set l

List domains

nltest /dclist:<domain>
nltest /dsgetdc:<domain>
nslookup -type=srv _kerberos._tcp.<fqdn_domain>

Domain info

nltest /dsgetdc:<domain>
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

Forest info

[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().GlobalCatalogs

Users

PowerView

Find-DomainUserLocation -Stealth -ShowAll
Get-DomainForeignUser [-Domain <fqdn_domain>]
get-aduser <user> -prop Created,PasswordLastSet,msDS-KeyVersionNumber,LastLogonDate,servicePrincipalName

Check for users with AllowReversiblePasswordEncryption

powershell Get-ADuser -Filter * -Prop * | Where-Object {$_.AllowReversiblePasswordEncryption -ne $false}

powershell Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl

NULL password

Get-ADUser -Filter 'useraccountcontrol -band 32' -Properties useraccountcontrol | FT Name

DSQuery

dsquery user | dsget user -samid -email -display [-limit 10000]

Check for passwords in AD user comment

Get-WmiObject -Class Win32_UserAccount -Filter "Domain='<domain>' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID

Group

PowerView

(Get-DomainGroup -Domain <fqdn_domain>).samaccountname
Get-DomainGroupMember -Identity <domain> -Domain <fqdn_domain>
get-adgroupmember <group> -Recursive | select DistinguishedName

Based on ADSI and reflective DDLs

Share browsing

Shares

Find-DomainShare -CheckShareAccess
pth-smbclient -U "<domain>/<user>%<LM:NT>" //<ip>/<share>
crackmapexec smb <range_ip> -u <user> -p "<password>" -d <domain> --shares | grep "READ\|WRITE" | grep -v "print\|IPC"

DFS

Get-ADObject -filter * -SearchBase "CN=Dfs-Configuration,CN=System,DC=a,DC=b" | select name

$s=[adsisearcher]'(name=*)'; $s.SearchRoot = [adsi]"LDAP://CN=Dfs-Configuration,CN=System,dc=a,dc=b"; $s.FindAll() | % {$_.properties.name}

Get DFS Share mapping

PowerShell wrapper around a C# class which takes one or more UNC formatted DFS namespace paths and returns the names and targets of all links contained in that namespace.

Get-DfsLinks -Path <\\dfs\path>

Find intresting files

Find-InterestingFile -Path \\server\share [-Include keyword1,keyword2] [-OfficeDocs] [-LastAccessTime (Get-Date).AddDays(-7)]

sharpfinder [--path=<\\hostname\C$|C:\>] --grepable --readable --writeable --keywords=<admin,creds,credentials> --extensions=<kbdx,xlsx,doc,docx,txt,ps1,bat>
grep -r SharpFinder .

MISC

Convert GUID from sam account name

$guid = ([adsisearcher]"(&(objectClass=User)(samaccountname=<username>))").FindAll().Properties.objectguid
$a = New-Object guid(,$guid[0])
$a

Convert SID to name

Convert-SidToName <SID>

Sessions

Get-NetSession

Inbound NTLM authentication

Get-DomainUserEvent | ?{$_.AuthenticationPackageName -eq 'NTLM'} | select TimeCreated,TargetUserName,*PackageName,IpAddress | ft -AutoSize

Check SMB signing status

nmap --script smb-security-mode.nse -p445 <IP_or_range>

nmap -sU -sS --script smb-security-mode.nse -p U:137,T:139 <IP_or_range>
/usr/share/responder/tools/RunFinger.py <IP_or_range>