Part 1 - Domain Enumeration with PowerView
Goal
- Post-compromise enumeration
Prerequisites
- Credentials for a domain user
Tools
AD enumeration with PowerView
- Get Current Domain:
Get-Domain
- Enumerate Other Domains:
Get-Domain -Domain <DomainName>
- Get Domain SID:
Get-DomainSID
- Get Domain Policy:
Get-DomainPolicy #Will show us the policy configuration of the domain (system access, Kerberos)
Get-DomainPolicy | Select-Object -ExpandProperty SystemAccess
Get-DomainPolicy | Select-Object -ExpandProperty KerberosPolicy
- Get Domain Controllers:
Get-DomainController
Get-DomainController -Domain <DomainName>
- Enumerate Domain Users:
#Save all Domain Users to a file
Get-DomainUser | Out-File -FilePath .\DomainUsers.txt
#Will return specific properties of a specific user
Get-DomainUser -Identity [username] -Properties DisplayName, MemberOf | Format-List
#Enumerate users logged on a machine
Get-NetLoggedon -ComputerName <ComputerName>
#Enumerate session information for a machine
Get-NetSession -ComputerName <ComputerName>
#Enumerate domain machines of the current/specified domain where specific users are logged into
Find-DomainUserLocation -Domain <DomainName> | Select-Object UserName, SessionFromName
- Enum Domain Computers:
Get-DomainComputer -Properties OperatingSystem, Name, DnsHostName | Sort-Object -Property DnsHostName
#Enumerate live machines
Get-DomainComputer -Ping -Properties OperatingSystem, Name, DnsHostName | Sort-Object -Property DnsHostName
- Enum Groups and Group Members:
#Save all Domain Groups to a file:
Get-DomainGroup | Out-File -FilePath .\DomainGroup.txt
#Return members of a specific group (e.g. Domain Admins & Enterprise Admins)
Get-DomainGroup -Identity '<GroupName>' | Select-Object -ExpandProperty Member
Get-DomainGroupMember -Identity '<GroupName>' | Select-Object MemberDistinguishedName
#Enumerate the local groups on the local (or remote) machine. Requires local admin rights on the remote machine
Get-NetLocalGroup | Select-Object GroupName
#Enumerate members of a specific local group on the local (or remote) machine. Also requires local admin rights on the remote machine
Get-NetLocalGroupMember -GroupName Administrators | Select-Object MemberName, IsGroup, IsDomain
#Return all GPOs in a domain that modify local group memberships through Restricted Groups or Group Policy Preferences
Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName
- Enumerate Shares:
#Enumerate domain shares
Find-DomainShare
#Enumerate domain shares the current user has access to
Find-DomainShare -CheckShareAccess
#Enumerate "interesting" files on accessible shares
Find-InterestingDomainShareFile -Include *passwords*
- Enum Group Policies:
Get-DomainGPO -Properties DisplayName | Sort-Object -Property DisplayName
#Enumerate all GPOs applied to a specific computer
Get-DomainGPO -ComputerIdentity <ComputerName> -Properties DisplayName | Sort-Object -Property DisplayName
#Get users that are part of a machine's local Admin group
Get-DomainGPOComputerLocalGroupMapping -ComputerName <ComputerName>
- Enum OUs:
Get-DomainOU -Properties Name | Sort-Object -Property Name
- Enum ACLs:
#Returns the ACLs associated with the specified account
Get-DomainObjectAcl -Identity <AccountName> -ResolveGUIDs
#Search for interesting ACEs
Find-InterestingDomainAcl -ResolveGUIDs
#Check the ACLs associated with a specified path (e.g. an SMB share)
Get-PathAcl -Path "\\Path\Of\A\Share"
- Enum Domain Trust:
Get-DomainTrust
Get-DomainTrust -Domain <DomainName>
#Enumerate all trusts for the current domain, then enumerate all trusts for each domain it finds
Get-DomainTrustMapping
- Enum Forest Trust:
Get-ForestDomain
Get-ForestDomain -Forest <ForestName>
#Map the trusts of the forest
Get-ForestTrust
Get-ForestTrust -Forest <ForestName>
- User Hunting:
#Finds all machines on the current domain where the current user has local admin access
Find-LocalAdminAccess -Verbose
#Find local admins on all machines of the domain
Find-DomainLocalGroupMember -Verbose
#Find computers where a Domain Admin OR a specified user has a session
Find-DomainUserLocation | Select-Object UserName, SessionFromName
#Confirm admin access
Test-AdminAccess
Privilege escalation to Domain Admin via user hunting:
We have admin access on one machine -> a Domain Admin has a session on that machine -> we steal that session and impersonate it -> Profit!
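The user-hunting cmdlets above (Find-LocalAdminAccess, Find-DomainUserLocation) work by contacting every computer in the domain over SMB/RPC, so from the defender's side they leave two footprints: the cmdlet names in PowerShell script block logs (Event ID 4104) on the machine running PowerView, and a burst of network logons (Event ID 4624, LogonType 3) from one account and source IP across many hosts. The following Python script is an added example, not part of the original post or of PowerView; it runs both detections over constructed sample events (the hostnames, users, IPs and timestamps are invented) and assumes the events have already been collected centrally in the dictionary shape shown.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# PowerView cmdlets listed in the post. Any of these names appearing in
# PowerShell script block logging (Event ID 4104) is a high-signal indicator.
POWERVIEW_CMDLETS = {
    "Get-Domain", "Get-DomainSID", "Get-DomainPolicy", "Get-DomainController",
    "Get-DomainUser", "Get-NetLoggedon", "Get-NetSession",
    "Find-DomainUserLocation", "Get-DomainComputer", "Get-DomainGroup",
    "Get-DomainGroupMember", "Get-NetLocalGroup", "Get-NetLocalGroupMember",
    "Get-DomainGPOLocalGroup", "Find-DomainShare",
    "Find-InterestingDomainShareFile", "Get-DomainGPO",
    "Get-DomainGPOComputerLocalGroupMapping", "Get-DomainOU",
    "Get-DomainObjectAcl", "Find-InterestingDomainAcl", "Get-PathAcl",
    "Get-DomainTrust", "Get-DomainTrustMapping", "Get-ForestDomain",
    "Get-ForestTrust", "Find-LocalAdminAccess", "Find-DomainLocalGroupMember",
    "Test-AdminAccess",
}
_CANONICAL = {name.lower(): name for name in POWERVIEW_CMDLETS}
# Longest names first so that "Get-DomainSID" is tried before "Get-Domain".
_CMDLET_RE = re.compile(
    r"\b(" + "|".join(re.escape(n) for n in sorted(POWERVIEW_CMDLETS, key=len, reverse=True)) + r")\b",
    re.IGNORECASE,
)


def find_powerview_cmdlets(script_block):
    """Return the PowerView cmdlet names (canonical case) found in one 4104 script block."""
    return {_CANONICAL[m.group(1).lower()] for m in _CMDLET_RE.finditer(script_block)}


def detect_logon_fanout(events, window=timedelta(minutes=5), min_hosts=5):
    """Flag (user, source_ip) pairs with network logons (4624, LogonType 3) on at
    least `min_hosts` distinct hosts inside `window`. Find-LocalAdminAccess and
    Find-DomainUserLocation query every machine in the domain, so each run leaves
    this fan-out pattern in the targets' Security logs."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4624 and ev.get("logon_type") == 3:
            by_actor[(ev["user"], ev["source_ip"])].append((ev["time"], ev["host"]))
    alerts = []
    for (user, src), logons in by_actor.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            # distinct hosts reached within the window that starts at this logon
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts.append((user, src, len(hosts)))
                break
    return alerts


def analyse(events):
    """Run both detections and return one human-readable finding per hit."""
    findings = []
    for ev in events:
        if ev["event_id"] == 4104:
            hits = find_powerview_cmdlets(ev.get("script_block", ""))
            if hits:
                findings.append(f"4104 on {ev['host']}: PowerView cmdlets {sorted(hits)}")
    for user, src, n in detect_logon_fanout(events):
        findings.append(f"4624 fan-out: {user} from {src} logged on to {n} hosts")
    return findings


# Constructed sample events (not real logs): one 4104 from the workstation that
# ran PowerView, the 4624s its scan produced on seven servers, and one ordinary
# file-share logon by a different user for contrast.
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    {"event_id": 4104, "time": T0, "host": "WS01", "user": "CORP\\jdoe",
     "script_block": "Import-Module .\\PowerView.ps1; Find-LocalAdminAccess -Verbose"},
] + [
    {"event_id": 4624, "time": T0 + timedelta(seconds=2 * i), "host": f"SRV{i:02d}",
     "user": "CORP\\jdoe", "source_ip": "10.0.0.50", "logon_type": 3}
    for i in range(1, 8)
] + [
    {"event_id": 4624, "time": T0 + timedelta(minutes=1), "host": "FS01",
     "user": "CORP\\asmith", "source_ip": "10.0.0.77", "logon_type": 3},
]

if __name__ == "__main__":
    for line in analyse(SAMPLE_EVENTS):
        print(line)
```

The fan-out threshold and window are the knobs to tune: vulnerability scanners and backup agents produce the same pattern, so allow-list their service accounts and source addresses rather than lowering the threshold. The 4104 check only works if script block logging is enabled via Group Policy, which is the cheapest mitigation-side prerequisite this whole post implies.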
Article: Tips for Using PowerSploit
This post is licensed under CC BY 4.0 by the author.