# Domain Enumeration

We use the following tools to enumerate:

* **Active Directory PowerShell Module**

  ```powershell
  Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
  Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1
  ```
* **BloodHound**: <https://github.com/BloodHoundAD/BloodHound>
* **PowerView**: <https://github.com/ZeroDayLab/PowerSploit/blob/master/Recon/PowerView.ps1>
  * Load PowerView:

    ```powershell
    . C:\AD\Tools\PowerView.ps1
    ```
* **SharpView**: <https://github.com/tevora-threat/SharpView/>

## Common Enumeration Commands

### Domain Enumeration

**Get Current Domain**:

```powershell
Get-Domain    # PowerView
Get-ADDomain  # ActiveDirectory module
```

**Get the domain object of another domain**:

```powershell
Get-Domain -Domain moneycorp.local
Get-ADDomain -Identity moneycorp.local
```

**Get domain SID for the current domain**:

```powershell
Get-DomainSID
(Get-ADDomain).DomainSID
```

**Get domain policy for the current domain**:

```powershell
Get-DomainPolicyData
(Get-DomainPolicyData).systemaccess
```

**Get domain policy for another domain**:

```powershell
(Get-DomainPolicyData -domain moneycorp.local).systemaccess
```

**Get domain controllers for the current domain**:

```powershell
Get-DomainController
Get-ADDomainController
```

**Get domain controllers for another domain**:

```powershell
Get-DomainController -Domain moneycorp.local
Get-ADDomainController -DomainName moneycorp.local -Discover
```

**Get a list of computers in the current domain**:

```powershell
Get-DomainComputer | select Name
Get-DomainComputer -OperatingSystem "*Server 2022*"
Get-DomainComputer -Ping

Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter * -Properties *
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2022*"' -Properties OperatingSystem | select Name,OperatingSystem
# Ping each computer once; Test-Connection (hyphenated) is the cmdlet name
Get-ADComputer -Filter * -Properties DNSHostName | ForEach-Object { Test-Connection -Count 1 -ComputerName $_.DNSHostName }
```
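A defender-side inventory built from the same computer attributes the commands above query, added here as an example that is not part of the original page. It assumes the ActiveDirectory module is already imported and that the caller can read computer objects; the function name, the legacy-OS pattern list and the stale-logon window are my own assumptions.

```powershell
# Added example, not from the original page: turns the Get-ADComputer one-liners
# into objects a defender can filter and export (legacy OS, stale hosts, reachability).
# Assumes the ActiveDirectory module is imported. Legacy patterns are an assumption;
# align them with your own support baseline.
function Get-DomainComputerInventory {
    [CmdletBinding()]
    param(
        [string]$Domain,        # optional: query another domain, e.g. moneycorp.local
        [int]$StaleDays = 90,   # hosts with no logon inside this window are flagged
        [switch]$Ping           # optional reachability check (slow on large domains)
    )

    $legacyPatterns = @('*2003*', '*2008*', '*2012*', '*Windows 7*', '*Windows 8*')
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    $params = @{
        Filter     = '*'
        Properties = 'OperatingSystem', 'LastLogonDate', 'DNSHostName'
    }
    if ($Domain) { $params['Server'] = $Domain }   # AD module targets another domain via -Server

    foreach ($c in Get-ADComputer @params) {
        $os = $c.OperatingSystem
        $isLegacy = $false
        foreach ($p in $legacyPatterns) {
            if ($os -like $p) { $isLegacy = $true; break }
        }
        # never-logged-on computers count as stale too
        $isStale = ($null -eq $c.LastLogonDate) -or ($c.LastLogonDate -lt $cutoff)

        $online = $null
        if ($Ping -and $c.DNSHostName) {
            # -Quiet yields $true/$false instead of an error record for unreachable hosts
            $online = Test-Connection -ComputerName $c.DNSHostName -Count 1 -Quiet -ErrorAction SilentlyContinue
        }

        [pscustomobject]@{
            Name          = $c.Name
            DNSHostName   = $c.DNSHostName
            OS            = $os
            LastLogonDate = $c.LastLogonDate
            LegacyOS      = $isLegacy
            Stale         = $isStale
            Online        = $online
        }
    }
}

# Usage: list hosts to patch or decommission
# Get-DomainComputerInventory | Where-Object { $_.LegacyOS -or $_.Stale } | Format-Table -AutoSize
```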

### Misc

**Get actively logged-on users on a computer (needs local admin rights on the target)**:

```powershell
Get-NetLoggedon -ComputerName dcorp-adminsrv
```

**Get locally logged-on users on a computer (needs Remote Registry on the target, which is started by default on server OS)**:

```powershell
Get-LoggedonLocal -ComputerName dcorp-adminsrv
```

**Get the last logged-on user on a computer (needs administrative rights and Remote Registry on the target)**:

```powershell
Get-LastLoggedOn -ComputerName dcorp-adminsrv
```

**Find shares on hosts in the current domain**:

```powershell
Invoke-ShareFinder -Verbose
```

**Find sensitive files on computers in the domain**:

```powershell
Invoke-FileFinder -Verbose
```

**Get all file servers of the domain**:

```powershell
Get-NetFileServer
```
