Manual enumeration basics

#Enumerate all local accounts (the local SAM of this host only)

net user

#Enumerate users in the entire domain
#/domain sends the request to a domain controller of the current domain instead
#of the local SAM, so it needs a domain-joined host and a domain logon context.

net user /domain

#Enumerate a specific user within the domain ("redcliff" is the example account
#used throughout this page; substitute the sAMAccountName of interest)

net user redcliff /domain

#Enumerate groups (global groups of the domain, again via a domain controller)

net group /domain

#Powershell

#Retrieve the current domain name and its domain controllers

# Bind to the domain of the current security context and emit the Domain
# object; PowerShell's default formatting prints Forest, DomainControllers,
# the FSMO role owners (PdcRoleOwner, RidRoleOwner, ...) and Name, as in the
# sample output below.
$currentDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$currentDomain

Sample output:

Forest: redcliff.com
DomainControllers: {DC01.redcliff.com}
Children: {}
DomainMode: Unknown
DomainModeLevel: 7
Parent:
PdcRoleOwner: DC01.redcliff.com
RidRoleOwner: DC01.redcliff.com
InfrastructureRoleOwner: DC01.redcliff.com
Name: redcliff.com

#Powershell script | build LDAP path --> enumerateAD.ps1

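# enumerateAD.ps1 -- build the LDAP path of the domain naming context,
# anchored at the DC that holds the PDC emulator role.
# Outputs: the finished path, e.g. LDAP://DC01.redcliff.com/DC=redcliff,DC=com
# (names taken from the sample output above).
# Requires: a domain-joined host and a domain logon context; GetCurrentDomain()
# is expected to fail outside one.
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
# Host name of the PDC emulator, used as the explicit server part of the path
# so that every later query is sent to the same DC.
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
# DNS name -> naming-context DN (redcliff.com -> DC=redcliff,DC=com).
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
# Display the path only after the DN has been appended; printing before the
# append (as the earlier version did) shows just "LDAP://<PDC>/".
$SearchString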

#Powershell script | Enumerate all users in the domain --> enumAD2.ps1

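# enumAD2.ps1 -- list every user account in the domain through an LDAP search
# rooted at the domain naming context on the PDC emulator.
# Outputs: the LDAP path, then one SearchResult (Path + Properties) per user.
# Note: each FindAll() is an LDAP query the DC can audit; bulk pulls like this
# are what directory-reconnaissance detections key on.
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
# DNS name -> naming-context DN (redcliff.com -> DC=redcliff,DC=com).
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$SearchString
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
# Bind the search root to the path built above. A parameterless DirectoryEntry
# (as in the earlier version) binds to the default naming context and discards
# $SearchString, so the PDC chosen above was never actually used.
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($SearchString)
$Searcher.SearchRoot = $objDomain
# Without paging the DC caps one result set at its MaxPageSize (1000 by
# default), silently truncating large domains; paging fetches everything.
$Searcher.PageSize = 1000
# 805306368 (0x30000000) is SAM_NORMAL_USER_ACCOUNT: user objects only, no
# computer or trust accounts.
$Searcher.filter="samAccountType=805306368"
$Result = $Searcher.FindAll()
$Result
# SearchResultCollection holds an unmanaged handle the GC cannot release;
# dispose it explicitly once the results have been written out.
$Result.Dispose()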

#Powershell script | retrieve all users & attributes --> enumAD3.ps1

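# enumAD3.ps1 -- list every user account in the domain together with all of
# its attributes, one object per block separated by a dashed line.
# Outputs: each attribute of each user as a name/value pair, then a separator.
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
# DNS name -> naming-context DN (redcliff.com -> DC=redcliff,DC=com).
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
# Root the search at the path built above; a parameterless DirectoryEntry
# would bind to the default naming context and ignore $SearchString.
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($SearchString)
$Searcher.SearchRoot = $objDomain
# Page the search so domains with more user objects than the DC's MaxPageSize
# (1000 by default) are not silently truncated.
$Searcher.PageSize = 1000
# 805306368 (0x30000000) = SAM_NORMAL_USER_ACCOUNT: user objects only.
# Replace this filter to look at a single account, e.g. "name=redcliff".
$Searcher.filter="samAccountType=805306368"
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    # $obj.Properties is the attribute collection of one directory object.
    Foreach($prop in $obj.Properties)
    {
        $prop
    }
    Write-Host "------------------------"
}
# The result collection holds an unmanaged handle the GC cannot release.
$Result.Dispose()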

#enumAD3.ps1 --> change the $Searcher.filter value to query a specific user, e.g. $Searcher.filter="name=redcliff"

#Powershell script | enumerate nested groups in the domain --> enumAD4.ps1

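# enumAD4.ps1 -- list the name of every group object in the domain.
# Outputs: the name attribute of each group, one per line.
# Note: this is a flat list of all groups; nested membership only becomes
# visible by reading a group's member attribute (the group-member snippet below).
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
# DNS name -> naming-context DN (redcliff.com -> DC=redcliff,DC=com).
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
# Root the search at the path built above; a parameterless DirectoryEntry
# would bind to the default naming context and ignore $SearchString.
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($SearchString)
$Searcher.SearchRoot = $objDomain
# Page the search so more than MaxPageSize (1000 by default) groups are returned.
$Searcher.PageSize = 1000
$Searcher.filter="(objectClass=Group)"
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    # Only the name attribute of each group is emitted.
    $obj.Properties.name
}
# The result collection holds an unmanaged handle the GC cannot release.
$Result.Dispose()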

#Query the members of a specific group

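# List the members of one specific group.
# Outputs: the member attribute (DNs of direct members) of every matched object.
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
# DNS name -> naming-context DN (redcliff.com -> DC=redcliff,DC=com).
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
# Root the search at the path built above; a parameterless DirectoryEntry
# would bind to the default naming context and ignore $SearchString.
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($SearchString)
$Searcher.SearchRoot = $objDomain
# (name=...) matches any object class with that name, not only groups; a match
# without a member attribute simply prints nothing.
$Searcher.filter="(name=redcliff)"  # change this to the name of the group to inspect
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    # Only the member attribute is displayed: direct members as DNs; nested
    # groups show up here as group DNs and are not expanded.
    $obj.Properties.member
}
# The result collection holds an unmanaged handle the GC cannot release.
$Result.Dispose()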

#Enumerating SPNs --> accounts with HTTP service principal names (web services running in the target domain)

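# Find every account that has registered an HTTP service principal name
# (the accounts backing web services in the domain) and dump their attributes.
# Outputs: each attribute of each matched object as a name/value pair.
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
# DNS name -> naming-context DN (redcliff.com -> DC=redcliff,DC=com).
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
# Root the search at the path built above; a parameterless DirectoryEntry
# would bind to the default naming context and ignore $SearchString.
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($SearchString)
$Searcher.SearchRoot = $objDomain
# Page the search so more than MaxPageSize (1000 by default) matches are returned.
$Searcher.PageSize = 1000
# *http* matches any SPN whose text contains "http" (LDAP matching is case-insensitive).
$Searcher.filter="serviceprincipalname=*http*"
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
    # $obj.Properties is the attribute collection of one directory object.
    Foreach($prop in $obj.Properties)
    {
        $prop
    }
}
# The result collection holds an unmanaged handle the GC cannot release.
$Result.Dispose()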
