Manual Enum basics
#Enumerate all local accounts
net user
#Enumerate users in the entire domain
net user /domain
#Enumerate a specific user within the domain
net user redcliff /domain
#Enumerate groups
net group /domain
#Powershell
#retrieve domain name and DC name
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
Sample output:
Forest: redcliff.com
DomainControllers: {DC01.redcliff.com}
Children: {}
DomainMode: Unknown
DomainModeLevel: 7
Parent:
PdcRoleOwner: DC01.redcliff.com
RidRoleOwner: DC01.redcliff.com
InfrastructureRoleOwner: DC01.redcliff.com
Name: redcliff.com
#Powershell script | build the LDAP path --> enumerateAD.ps1
#Powershell script | enumerate all users in the domain --> enumAD2.ps1
#Powershell script | retrieve all users & their attributes --> enumAD3.ps1
#enumAD3.ps1 --> modify the $Searcher.filter parameter to query specific users. E.g.: $Searcher.filter="name=redcliff"
#Powershell script | enumerate nested groups in the domain --> enumAD4.ps1
#Query the members of a specific group
#Enumerating SPNs --> web services running on the target
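A PowerShell example, added here and not one of the enumAD*.ps1 scripts the notes refer to: it builds the LDAP path from the current domain as the notes describe, lists user accounts with a $Searcher filter, and walks one group's members down through nested groups. It assumes a domain-joined host and an authenticated user; the group name is a placeholder.

```powershell
# Added example, not one of the enumAD*.ps1 scripts referenced above.
# Builds the LDAP path from the current domain, lists all user accounts,
# then resolves one group's members recursively (nested groups).
# Assumes a domain-joined host; 'Example Admins' is a placeholder name.

$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = $domainObj.PdcRoleOwner.Name
$DN = ([ADSI]'').distinguishedName          # domain root DN, e.g. DC=redcliff,DC=com
$LDAPPath = "LDAP://$PDC/$DN"

$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($LDAPPath)
$Searcher.PageSize = 1000                    # page results past the server's 1000-entry limit

# All user accounts (samAccountType 805306368 = user objects)
$Searcher.Filter = "(samAccountType=805306368)"
foreach ($obj in $Searcher.FindAll()) {
    $p = $obj.Properties                    # each value is a collection; [0] is the scalar
    "{0,-20} {1}" -f $p.samaccountname[0], $p.distinguishedname[0]
}

# Resolve a group's members, descending into nested groups.
# $Depth caps recursion so circular group membership cannot loop forever.
function Get-NestedMembers {
    param([string]$GroupName, [int]$Depth = 0)
    if ($Depth -gt 10) { return }
    $Searcher.Filter = "(&(objectCategory=group)(cn=$GroupName))"
    $group = $Searcher.FindOne()
    if (-not $group) { return }
    foreach ($memberDN in $group.Properties.member) {
        $member = [ADSI]"LDAP://$PDC/$memberDN"
        $indent = '  ' * $Depth
        if ($member.objectClass -contains 'group') {
            $cn = [string]$member.cn
            "$indent[group] $cn"
            Get-NestedMembers -GroupName $cn -Depth ($Depth + 1)
        } else {
            "$indent$([string]$member.sAMAccountName)"
        }
    }
}

Get-NestedMembers -GroupName 'Example Admins'   # placeholder group name
```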