To carry out a successful attack in an Active Directory environment, one first needs to enumerate the domain. We will use the PowerView.ps1 module to enumerate the domain.

First, import the PowerView.ps1 module. Either of the following works (the second dot-sources the script into the current session):

    Import-Module .\PowerView.ps1
    . .\PowerView.ps1

- Get-Domain: Useful information includes the domain name, the forest name and the domain controllers.

    Get-Domain

- Get-DomainController: Returns the domain controllers for the current or specified domain.

    Get-DomainController | select Forest, Name, OSVersion | fl

- Get-ForestDomain: Returns all domains for the current forest, or for the forest specified with -Forest.

    Get-ForestDomain

- Get-DomainPolicyData: Useful for finding information such as the domain password policy.

    Get-DomainPolicyData | select -ExpandProperty SystemAccess

- Get-DomainUser: Returns all (or specific) user objects.

    Get-DomainUser -Identity john -Properties DisplayName, MemberOf | fl

- Get-DomainComputer: Returns all computer objects or specific ones.

    Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName

- Get-DomainOU: Searches for all organizational units (OUs) or specific OU objects.

    Get-DomainOU -Properties Name | sort -Property Name

- Get-DomainGroup: Returns all group objects or specific ones.

    Get-DomainGroup | where Name -like "*Admins*" | select SamAccountName

- Get-DomainGroupMember: Returns the members of a specific domain group.

    Get-DomainGroupMember -Identity "Domain Admins" | select MemberDistinguishedName

- Get-DomainGPO: Returns all Group Policy Objects (GPOs) or specific GPO objects.

    Get-DomainGPO -Properties DisplayName | sort -Property DisplayName

  To enumerate all GPOs that are applied to a particular machine, use -ComputerIdentity:

    Get-DomainGPO -ComputerIdentity wkstn-1 -Properties DisplayName | sort -Property DisplayName

- Get-DomainGPOLocalGroup: Returns all GPOs that modify local group membership.

    Get-DomainGPOLocalGroup | select GPODisplayName, GroupName

- Get-DomainGPOUserLocalGroupMapping: Enumerates the machines where a specific domain user or group is a member of a specific local group.

    Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName

- Find-DomainUserLocation: Finds the domain machines where the specified users are logged in (by default, members of Domain Admins).

    Find-DomainUserLocation | select UserName, SessionFromName

- Get-NetSession: Returns session information for the local (or a remote) machine; CName is the source IP of the session.

    Get-NetSession -ComputerName dc01 | select CName, UserName

- Get-DomainTrust: Returns all domain trusts for the current or specified domain.

    Get-DomainTrust

- Find-DomainShare: Finds SMB shares in a domain; -CheckShareAccess only displays those that the executing principal has access to.

    Find-DomainShare -ComputerDomain hackershell.io -CheckShareAccess

  To get the writable shares in a domain:

    Find-DomainShare -CheckShareAccess
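The checks listed above, consolidated into one read-only audit function, as an added example that is not part of the original post. It uses only the PowerView cmdlets already listed and assumes PowerView has been dot-sourced into the session; the thresholds (a 14-character minimum password length, at most five Domain Admins) and the list of default shares it ignores are this example's own assumed baselines, not anything PowerView defines. Note that -CheckShareAccess tests whether the share can be listed, i.e. read access, so the result is the set of shares the current principal can read.

```powershell
# Added example (not from the original post): a read-only audit snapshot built from
# the PowerView cmdlets listed above. Assumes PowerView is already loaded with
# `. .\PowerView.ps1` and that the caller has ordinary domain-user rights.
# Thresholds and the ignored-share list are this example's assumptions.
function Get-DomainAuditSnapshot {
    [CmdletBinding()]
    param(
        [int]$MinPasswordLength = 14,   # assumed baseline; adjust to your policy
        [int]$MaxDomainAdmins   = 5     # assumed baseline
    )

    $domain = Get-Domain
    $policy = (Get-DomainPolicyData).SystemAccess

    # Recursive membership catches users nested through intermediate groups,
    # which a plain Get-DomainGroupMember call would report as a group, not a user.
    $admins = @(Get-DomainGroupMember -Identity "Domain Admins" -Recurse |
        Where-Object { $_.MemberObjectClass -eq 'user' } |
        Select-Object -ExpandProperty MemberName -Unique)

    # GPOs that push domain principals into local groups (Restricted Groups / GPP).
    $gpoLocalGroups = @(Get-DomainGPOLocalGroup |
        Select-Object GPODisplayName, GroupName)

    # Shares the current principal can read, minus the default ones every domain has
    # (the exclusion list is this example's assumption).
    $defaultShares  = @('IPC$', 'NETLOGON', 'SYSVOL', 'print$')
    $readableShares = @(Find-DomainShare -CheckShareAccess |
        Where-Object { $defaultShares -notcontains $_.Name } |
        Select-Object ComputerName, Name, Remark)

    $trusts = @(Get-DomainTrust | Select-Object SourceName, TargetName, TrustDirection)

    # Turn the raw data into findings an auditor can act on.
    $findings = @()
    if ([int]$policy.MinimumPasswordLength -lt $MinPasswordLength) {
        $findings += "MinimumPasswordLength is $($policy.MinimumPasswordLength), below $MinPasswordLength"
    }
    if ([int]$policy.LockoutBadCount -eq 0) {
        $findings += "LockoutBadCount is 0: no account lockout threshold is enforced"
    }
    if ($admins.Count -gt $MaxDomainAdmins) {
        $findings += "Domain Admins has $($admins.Count) user members (recursive), above $MaxDomainAdmins"
    }
    if ($gpoLocalGroups.Count -gt 0) {
        $findings += "$($gpoLocalGroups.Count) GPO(s) modify local group membership; review each"
    }
    if ($readableShares.Count -gt 0) {
        $findings += "$($readableShares.Count) non-default share(s) readable by $env:USERNAME"
    }

    [pscustomobject]@{
        Domain         = $domain.Name
        Forest         = $domain.Forest.Name
        DomainAdmins   = $admins
        GpoLocalGroups = $gpoLocalGroups
        ReadableShares = $readableShares
        Trusts         = $trusts
        Findings       = $findings
    }
}

# Usage: print the findings first, then drill into the other properties as needed.
$snapshot = Get-DomainAuditSnapshot
$snapshot.Findings
$snapshot.ReadableShares | Format-Table -AutoSize
```

Each finding maps back to one of the cmdlets above, so a reviewer can re-run the underlying query (for example Get-DomainGPOLocalGroup for the GPO finding) to see the full detail behind it. The function makes no changes to the domain; it only reads directory and share information the executing account is already allowed to see.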