Start PowerShell with the execution policy bypassed and load PowerView by dot-sourcing it:
powershell -ep bypass
. .\powerview.ps1
Get Current Domain:
Get-Domain
Get information about another domain (for example the parent domain):
Get-Domain -Domain SECURITY.local
Get Domain SID:
Get-DomainSID
Get the Domain Policy:
Get-DomainPolicy
(Get-DomainPolicy)."SystemAccess"
(Get-DomainPolicy)."kerberospolicy"
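The [System Access] section is what decides whether a password spray is safe. The function below is an added example, not part of the original cheat sheet: it reads the lockout and password settings out of Get-DomainPolicy and turns them into a per-window attempt budget. It assumes powerview.ps1 is already dot-sourced; the key names (LockoutBadCount, ResetLockoutCount, LockoutDuration, ...) are the standard GptTmpl.inf keys of the Default Domain Policy, and the two-attempt headroom is a judgement call, not a PowerView feature.

```powershell
# Added example (not from the original page): turn the [System Access] section that
# Get-DomainPolicy returns into a password-spray budget, so the lockout threshold is
# checked before any spraying starts. Assumes powerview.ps1 is already dot-sourced.
function Get-SprayBudget {
    param([string]$Domain)

    $policy = if ($Domain) { Get-DomainPolicy -Domain $Domain } else { Get-DomainPolicy }
    $sa = $policy.SystemAccess

    # Values come back as strings; a missing lockout key means lockout is not configured.
    $threshold = if ($sa.LockoutBadCount)   { [int]$sa.LockoutBadCount }   else { 0 }
    $window    = if ($sa.ResetLockoutCount) { [int]$sa.ResetLockoutCount } else { 0 }  # minutes
    $duration  = if ($sa.LockoutDuration)   { [int]$sa.LockoutDuration }   else { 0 }  # minutes; -1 = until an admin unlocks

    # Keep two attempts of headroom: a user's own failed logons count against the same threshold
    # (assumed safety margin, adjust to taste).
    $safe = if ($threshold -gt 0) { [math]::Max($threshold - 2, 0) } else { 'unlimited (no lockout policy)' }

    [pscustomobject]@{
        MinPasswordLength     = [int]$sa.MinimumPasswordLength
        ComplexityRequired    = ($sa.PasswordComplexity -eq '1')
        PasswordHistory       = [int]$sa.PasswordHistorySize
        LockoutThreshold      = $threshold
        ObservationWindowMin  = $window
        LockoutDurationMin    = $duration
        SafeAttemptsPerWindow = $safe
    }
}

# Usage: Get-SprayBudget                       (current domain)
#        Get-SprayBudget -Domain SECURITY.local
```

Caveat: this only reflects the Default Domain Policy. Fine-grained password policies (PSOs) override it for the users they are applied to, so a threshold of 0 here does not guarantee that service or admin accounts cannot be locked out.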
Get Information about the domain controller:
Get-DomainController
Get-DomainController -Domain SECURITY.local
User Enumeration:
Get-DomainUser
Get-DomainUser | select samaccountname, objectsid
Get details of specific user:
Get-DomainUser -Identity USERNAME
Get-DomainUser -Identity USERNAME -Properties DisplayName,MemberOf,Objectsid,useraccountcontrol
Enumerate Domain Computers:
Get-NetComputer
Get-NetComputer -Domain SECURITY.local
Get-NetComputer | select name
Get-NetComputer | select name,cn,operatingsystem
Enumerate Groups:
Get-NetGroup
Get-NetGroup | select name
Get the info about the Domain Admins group:
Get-NetGroup 'Domain Admins'
Find the members of the group:
Get-NetGroupMember "Domain Admins" | select MemberName
Which groups is a user a member of?
Get-NetGroup -userName "USERNAME" | select name
Enumerate the Domain Shares:
Find-DomainShare -ComputerName prod.research.SECURITY.local -verbose
Only the shares the current user has read access to:
Find-DomainShare -ComputerName prod.research.SECURITY.local -CheckShareAccess -verbose
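Running the share check against a single host is rarely enough; the function below is an added example (not from the original page) that sweeps every computer in the domain with -CheckShareAccess, drops IPC$ (readable by every authenticated user and empty), and flags readable drive or ADMIN$ shares, because read access to C$ or ADMIN$ means the current user is a local administrator on that host. It assumes powerview.ps1 is dot-sourced and that Find-DomainShare output carries the ComputerName, Name and Remark properties (PowerView.ShareInfo); the CSV output path is an assumption.

```powershell
# Added example (not from the original page): domain-wide sweep for readable shares,
# flagging administrative shares that imply local admin rights on the host.
function Find-ReadableDomainShare {
    param(
        [string]$Domain,
        [int]$Threads = 20,
        [string]$OutFile = (Join-Path $PWD 'readable-shares.csv')   # assumed output path
    )

    $params = @{ CheckShareAccess = $true; Threads = $Threads }
    if ($Domain) { $params['Domain'] = $Domain }

    # IPC$ is readable by every authenticated user and carries no data, so drop it.
    $shares = Find-DomainShare @params |
        Where-Object { $_.Name -ne 'IPC$' } |
        ForEach-Object {
            [pscustomobject]@{
                ComputerName = $_.ComputerName
                Share        = $_.Name
                Remark       = $_.Remark
                # Drive shares (C$, D$, ...) and ADMIN$ are only readable with local admin rights.
                AdminShare   = ($_.Name -match '^([A-Z]\$|ADMIN\$)$')
            }
        }

    $shares | Export-Csv -NoTypeInformation -Path $OutFile

    # Summary: hosts where we are local admin, then the most widespread readable shares.
    $shares | Where-Object AdminShare |
        Select-Object -ExpandProperty ComputerName -Unique |
        ForEach-Object { Write-Host "[+] Local admin (admin share readable): $_" }

    $shares | Where-Object { -not $_.AdminShare } |
        Group-Object Share | Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Usage: Find-ReadableDomainShare
#        Find-ReadableDomainShare -Domain SECURITY.local -Threads 10
```

This touches every host in the domain over SMB, so it is noisy and slow on large estates; narrow it with Find-DomainShare's -ComputerName or -ComputerLDAPFilter parameters when stealth matters.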
Find the Group Policy Objects (GPOs):
Get-NetGPO | select displayname
Get the organizational Units:
Get-NetOU
Get-NetOU | select name
Get domain trusts:
Get-NetDomainTrust
Get the current forest:
Get-NetForest
Map forest trusts:
Get-NetForestTrust
Get-NetForestTrust -Forest tech.local
Get-NetForest -Forest tech.local
Once a trust is confirmed, the trusted domain can be enumerated with the same cmdlets by passing -Domain or -Forest.
Get all the domains in the current forest:
Get-NetForestDomain
List the domains in another forest:
Get-NetForestDomain -Forest OtherDomain.local
Map all reachable trusts (enumerates the current domain's trusts, then recursively those of each domain found):
Get-DomainTrustMapping
ACLs regulate access to directory objects. Get the ACL of an object (-SamAccountName is an alias of -Identity; -ResolveGUIDs turns extended-right and property GUIDs into readable names):
Get-ObjectAcl -SamAccountName "users" -ResolveGUIDs
Find interesting ACLs (ACEs held by non-default principals that grant modification or extended rights):
Find-InterestingDomainAcl -ResolveGUIDs
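Find-InterestingDomainAcl returns every modification ACE in the domain, most of which the current user cannot exercise. The function below is an added example (not from the original page) that keeps only the ACEs held by the current user or by a group in its token, and says what each right buys. It assumes powerview.ps1 is dot-sourced and uses the dev-branch output property names (IdentityReferenceName, ActiveDirectoryRights, ObjectAceType, ObjectDN); it also assumes IdentityReferenceName is the principal's samaccountname and that Get-DomainGroup -MemberIdentity resolves nested membership.

```powershell
# Added example (not from the original page): reduce Find-InterestingDomainAcl output to
# ACEs the current user can actually exercise, with a one-line abuse hint per right.
function Find-MyAbusableAcl {
    param([string]$UserName = $env:USERNAME)

    $user   = Get-DomainUser -Identity $UserName -Properties samaccountname
    $groups = Get-DomainGroup -MemberIdentity $UserName -Properties samaccountname |
              Select-Object -ExpandProperty samaccountname
    # Everything the user acts as. Well-known SIDs (Everyone, Authenticated Users) are
    # not listed because Find-InterestingDomainAcl only reports principals with RID >= 1000.
    $principals = @($user.samaccountname) + @($groups)

    Find-InterestingDomainAcl -ResolveGUIDs |
        Where-Object { $principals -contains $_.IdentityReferenceName } |
        ForEach-Object {
            $ace    = $_                                   # switch rebinds $_, so keep a handle
            $rights = $ace.ActiveDirectoryRights.ToString() # e.g. "WriteProperty, ExtendedRight"
            $abuse  = switch -Regex ($rights) {
                'GenericAll'    { 'full control: reset password, add members, edit any attribute'; break }
                'WriteDacl'     { 'rewrite the DACL to grant yourself GenericAll'; break }
                'WriteOwner'    { 'take ownership, then rewrite the DACL'; break }
                'GenericWrite'  { 'write any attribute (e.g. add an SPN for a targeted Kerberoast)'; break }
                'WriteProperty' { "write attribute: $($ace.ObjectAceType)"; break }
                'ExtendedRight' { "extended right: $($ace.ObjectAceType) (User-Force-Change-Password = password reset)"; break }
                default         { "review: $rights" }
            }
            [pscustomobject]@{
                Principal = $ace.IdentityReferenceName
                Target    = $ace.ObjectDN
                Rights    = $rights
                Abuse     = $abuse
            }
        } | Sort-Object Rights, Target
}

# Usage: Find-MyAbusableAcl | Format-Table -AutoSize
#        Find-MyAbusableAcl -UserName svc_backup
```

Results with a Principal other than the user itself are reachable only through that group, so confirm the group membership is effective in the current logon token (whoami /groups) before relying on it.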
Find Kerberoastable accounts (user accounts with an SPN; Get-NetUser is the legacy alias of Get-DomainUser):
Get-NetUser -sPN | select samaccountname,serviceprincipalname
Find AS-REP roastable accounts (Kerberos pre-authentication not required):
Get-NetUser -PreauthNotRequired | select samaccountname,useraccountcontrol
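The two queries above return raw lists; what a practitioner wants is one prioritised list of what to crack first. The function below is an added example (not from the original page) that collects Kerberoastable and AS-REP roastable users in one pass, excludes disabled accounts and krbtgt with an LDAP filter (Get-DomainUser ANDs -LDAPFilter with its own -SPN / -PreauthNotRequired clauses), and adds admincount, group count and password age for triage. It assumes powerview.ps1 is dot-sourced and relies on PowerView converting pwdlastset to a [datetime].

```powershell
# Added example (not from the original page): Kerberoast + AS-REP roast candidates in one
# pass, filtered and ranked for cracking priority.
function Get-RoastableUser {
    param([string]$Domain)

    $common = @{
        Properties = 'samaccountname','serviceprincipalname','pwdlastset','admincount','memberof'
        # not disabled (userAccountControl bit 2) and not krbtgt, whose tickets are not worth cracking
        LDAPFilter = '(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(samAccountName=krbtgt))'
    }
    if ($Domain) { $common['Domain'] = $Domain }

    # Normalise one user object into a triage row.
    $shape = {
        param($User, $Type)
        $age = try { ((Get-Date) - $User.pwdlastset).Days } catch { $null }
        [pscustomobject]@{
            Type       = $Type
            User       = $User.samaccountname
            AdminCount = [int]$User.admincount              # 1 = protected (admin-like) account
            Groups     = @($User.memberof).Count
            PwdAgeDays = $age                               # old service passwords crack more often
            SPNs       = (@($User.serviceprincipalname) -join ';')
        }
    }

    $found  = @()
    $found += Get-DomainUser -SPN @common                | ForEach-Object { & $shape $_ 'Kerberoast' }
    $found += Get-DomainUser -PreauthNotRequired @common | ForEach-Object { & $shape $_ 'AS-REP' }

    # Highest value first: protected accounts, then the oldest passwords.
    $found | Sort-Object @{Expression = 'AdminCount'; Descending = $true},
                         @{Expression = 'PwdAgeDays'; Descending = $true}
}

# Usage: Get-RoastableUser | Format-Table -AutoSize
#        Get-RoastableUser -Domain SECURITY.local
```

An account that appears in both lists, or with AdminCount = 1, goes to the top of the queue; an SPN on an account whose password is years old is the classic weak service account.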