# Domain Enumeration

We use the following tools to enumerate:

* **Active Directory PowerShell Module**

  ```powershell
  Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
  Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1
  ```
* **BloodHound**: <https://github.com/BloodHoundAD/BloodHound>
* **PowerView**: <https://github.com/ZeroDayLab/PowerSploit/blob/master/Recon/PowerView.ps1>
  * Load PowerView:

    ```powershell
    . C:\AD\Tools\PowerView.ps1
    ```
* **SharpView**: <https://github.com/tevora-threat/SharpView/>

## Common Enumeration Commands

### Domain Enumeration

**Get Current Domain**:

```powershell
Get-Domain    # PowerView
Get-ADDomain  # ActiveDirectory Module
```

**Get object of another domain**

```powershell
Get-Domain -Domain moneycorp.local
Get-ADDomain -Identity moneycorp.local
```

**Get domain SID for the current domain**:

```powershell
Get-DomainSID
(Get-ADDomain).DomainSID
```

**Get domain policy for current domain:**

```powershell
Get-DomainPolicyData
(Get-DomainPolicyData).systemaccess
```

**Get Domain policy for another domain**

```powershell
(Get-DomainPolicyData -domain moneycorp.local).systemaccess
```

**Get Domain controllers for current domain**

```powershell
Get-DomainController
Get-ADDomainController
```

**Get domain controllers for another domain**

```powershell
Get-DomainController -Domain moneycorp.local
Get-ADDomainController -DomainName moneycorp.local -Discover
```

**Get a list of computers in the current domain**

```powershell
Get-DomainComputer | select Name
Get-DomainComputer -OperatingSystem "*Server 2022*"
Get-DomainComputer -Ping

Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter * -Properties *
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2022*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
```
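As an added example (not from the original page), the computer enumeration above wrapped in a single ActiveDirectory-module script that pulls only the attributes it needs, records whether each host answers a ping, and flags enabled computer accounts that have not logged on recently. The OS pattern, staleness threshold and output path are assumptions; `Test-Connection -Quiet` is used so that one unreachable host returns `$false` instead of aborting the loop with an error.

```powershell
# Added example, not part of the original page. Assumes the ActiveDirectory
# module is already imported (see the top of the page).
# $OsPattern, $StaleDays and $OutCsv are assumed values; adjust as needed.
param(
    [string]$OsPattern = "*Server*",
    [int]   $StaleDays = 90,
    [string]$OutCsv    = "$env:TEMP\domain-computers.csv"
)

# Request only the properties used below; -Properties * is slow on large domains.
$computers = Get-ADComputer -Filter "OperatingSystem -like '$OsPattern'" `
    -Properties OperatingSystem, DNSHostName, LastLogonDate, Enabled

$cutoff = (Get-Date).AddDays(-$StaleDays)

$results = foreach ($c in $computers) {
    # -Quiet makes Test-Connection return $true/$false per host rather than
    # throwing, so a single dead machine does not stop the whole loop.
    $alive = $false
    if ($c.DNSHostName) {
        $alive = Test-Connection -ComputerName $c.DNSHostName -Count 1 -Quiet `
            -ErrorAction SilentlyContinue
    }

    # An enabled account with no recent logon is a hygiene finding: the object
    # is still trusted by the domain but nobody appears to be using it.
    $stale = $c.Enabled -and ($null -eq $c.LastLogonDate -or $c.LastLogonDate -lt $cutoff)

    [pscustomobject]@{
        Name          = $c.Name
        DNSHostName   = $c.DNSHostName
        OS            = $c.OperatingSystem
        Enabled       = $c.Enabled
        LastLogonDate = $c.LastLogonDate
        Reachable     = [bool]$alive
        Stale         = [bool]$stale
    }
}

$results | Sort-Object Stale, Reachable, Name -Descending | Format-Table -AutoSize
$results | Export-Csv -Path $OutCsv -NoTypeInformation
Write-Host "Wrote $($results.Count) computer objects to $OutCsv"
```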

### Misc

**Get users actively logged on to a computer (needs local admin rights on the target)**

```powershell
Get-NetLoggedon -ComputerName dcorp-adminsrv
```

**Get users locally logged on to a computer (needs remote registry on the target, which is started by default on server OS)**

```powershell
Get-LoggedonLocal -ComputerName dcorp-adminsrv
```

**Get the last logged-on user on a computer (needs administrative rights and remote registry on the target)**

```powershell
Get-LastLoggedOn -ComputerName dcorp-adminsrv
```

**Find shares on hosts in current domain.**

```powershell
Invoke-ShareFinder -Verbose
```

**Find sensitive files on computers in the domain**

```powershell
Invoke-FileFinder -Verbose
```

**Get all file servers of the domain**

```powershell
Get-NetFileServer
```
