Domain Enumeration

We use the following tools to enumerate:

  • Active Directory PowerShell Module

    Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
    Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1 
  • BloodHound: https://github.com/BloodHoundAD/BloodHound

  • PowerView: https://github.com/ZeroDayLab/PowerSploit/blob/master/Recon/PowerView.ps1

    • Load PowerView:

      . C:\AD\Tools\PowerView.ps1
  • SharpView: https://github.com/tevora-threat/SharpView/

Common Enumeration Commands

Domain Enumeration

Get Current Domain:

Get-Domain (PowerView)
Get-ADDomain (ActiveDirectory Module)

Get the domain object for another domain:

Get-Domain -Domain moneycorp.local
Get-ADDomain -Identity moneycorp.local

Get domain SID for the current domain:

Get-DomainSID
(Get-ADDomain).DomainSID

Get domain policy for current domain:

Get-DomainPolicyData
(Get-DomainPolicyData).systemaccess

Get domain policy for another domain:

(Get-DomainPolicyData -domain moneycorp.local).systemaccess

Get Domain controllers for current domain

Get-DomainController
Get-ADDomainController

Get domain controllers for another domain

Get-DomainController -Domain moneycorp.local
Get-ADDomainController -DomainName moneycorp.local -Discover

Get a list of computers in the current domain

Get-DomainComputer | select Name
Get-DomainComputer -OperatingSystem "*Server 2022*"
Get-DomainComputer -Ping

Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter * -Properties *
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2022*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
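The same computer enumeration done with raw LDAP through System.DirectoryServices, which works from a domain-joined host even when neither PowerView nor the ActiveDirectory module can be loaded. This is an added example, not code from the original page or from PowerView; it assumes line of sight to a DC, and the domain name "moneycorp.local" is only a hypothetical optional target.

```powershell
# Added example (not from the original page): enumerate computer objects with a
# plain LDAP search, no PowerView / AD module needed. Assumes a domain-joined host.
function Get-ComputersLdap {
    param(
        [string]$Domain,            # optional FQDN of another domain (e.g. moneycorp.local), else current
        [string]$OsFilter = "*",    # wildcard on operatingSystem, e.g. "*Server 2022*"
        [switch]$Ping               # also test reachability of each DNSHostName
    )
    # Search root: either the default naming context of the current domain, or
    # "LDAP://DC=moneycorp,DC=local" built from the FQDN (hypothetical name)
    if ($Domain) {
        $dn   = ($Domain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
        $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dn")
    } else {
        $root = New-Object System.DirectoryServices.DirectoryEntry
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # sAMAccountType 805306369 = machine accounts; the OS wildcard narrows the result set
    $searcher.Filter   = "(&(sAMAccountType=805306369)(operatingSystem=$OsFilter))"
    $searcher.PageSize = 1000   # request paged results, otherwise the DC caps the answer at 1000 objects
    foreach ($attr in 'name','dnshostname','operatingsystem','operatingsystemversion','lastlogontimestamp') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties
        # lastLogonTimestamp is a FILETIME (replicated, ~14 days granularity); convert it so
        # stale or decommissioned machines stand out in the listing
        $lastLogon = $null
        if ($p['lastlogontimestamp'].Count -gt 0) {
            $lastLogon = [DateTime]::FromFileTime([long]$p['lastlogontimestamp'][0])
        }
        $obj = [pscustomobject]@{
            Name        = [string]$p['name'][0]
            DNSHostName = [string]$p['dnshostname'][0]
            OS          = [string]$p['operatingsystem'][0]
            OSVersion   = [string]$p['operatingsystemversion'][0]
            LastLogon   = $lastLogon
            Alive       = $null
        }
        if ($Ping -and $obj.DNSHostName) {
            # -Quiet returns a plain bool; unreachable hosts are reported as $false, not as errors
            $obj.Alive = Test-Connection -ComputerName $obj.DNSHostName -Count 1 -Quiet -ErrorAction SilentlyContinue
        }
        $obj
    }
}

# Usage: all Server 2022 machines in the current domain, with a reachability check
Get-ComputersLdap -OsFilter "*Server 2022*" -Ping | Format-Table -AutoSize
```

Setting PageSize matters on any real domain: without it the DC silently truncates the result set at MaxPageSize (1000 by default), which is an easy way to miss hosts.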

Misc

Get actively logged-on users on a computer (needs local admin rights on the target):

Get-NetLoggedon -ComputerName dcorp-adminsrv

Get locally logged-on users on a computer (needs the Remote Registry service on the target, started by default on server OS):

Get-LoggedonLocal -ComputerName dcorp-adminsrv

Get the last logged-on user on a computer (needs administrative rights and Remote Registry on the target):

Get-LastLoggedOn -ComputerName dcorp-adminsrv
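The three session probes above each need a different level of access, so on a real sweep some of them fail on some hosts. The function below runs all three across a list of machines and tags each hit with the probe that produced it. It is an added example, not code from the original page or from PowerView; it assumes PowerView is already dot-sourced in the session, and the property names UserName (Get-NetLoggedon, Get-LoggedonLocal) and LastLoggedOn (Get-LastLoggedOn) are assumed from PowerView's output objects. The host names are hypothetical.

```powershell
# Added example (not from the original page): sweep hosts for logged-on users with
# the three PowerView probes, tolerating hosts where a probe is not permitted.
# Assumes PowerView is loaded (. C:\AD\Tools\PowerView.ps1) in this session.
function Find-LoggedOnUsers {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string[]]$TargetUsers = @()     # optional: only report these accounts (e.g. a Domain Admins list)
    )
    foreach ($c in $ComputerName) {
        # Skip unreachable hosts first; avoids waiting out RPC and registry timeouts
        if (-not (Test-Connection -ComputerName $c -Count 1 -Quiet -ErrorAction SilentlyContinue)) {
            Write-Verbose "$c unreachable, skipping"
            continue
        }
        $hits = @()
        # 1) NetWkstaUserEnum sessions: needs local admin on $c. PowerView reports an
        #    access-denied through -Verbose and returns nothing, so the try/catch only
        #    guards against unexpected failures.
        try {
            $hits += Get-NetLoggedon -ComputerName $c -ErrorAction Stop |
                ForEach-Object { [pscustomobject]@{ Computer = $c; User = $_.UserName; Source = 'NetLoggedon' } }
        } catch { Write-Verbose "Get-NetLoggedon failed on ${c}: $_" }
        # 2) Profiles loaded under HKU via Remote Registry: needs the service running on $c
        try {
            $hits += Get-LoggedonLocal -ComputerName $c -ErrorAction Stop |
                ForEach-Object { [pscustomobject]@{ Computer = $c; User = $_.UserName; Source = 'LoggedonLocal' } }
        } catch { Write-Verbose "Get-LoggedonLocal failed on ${c}: $_" }
        # 3) Last interactive logon from the registry: needs admin and Remote Registry
        try {
            $hits += Get-LastLoggedOn -ComputerName $c -ErrorAction Stop |
                ForEach-Object { [pscustomobject]@{ Computer = $c; User = $_.LastLoggedOn; Source = 'LastLoggedOn' } }
        } catch { Write-Verbose "Get-LastLoggedOn failed on ${c}: $_" }

        # Drop empty entries and, when a target list was given, keep only interesting accounts.
        # Comparison is case-insensitive and ignores a DOMAIN\ prefix, since the probes
        # return the user part in different shapes.
        foreach ($h in $hits | Where-Object { $_.User }) {
            $bare = ($h.User -split '\\')[-1]
            if ($TargetUsers.Count -eq 0 -or ($TargetUsers -contains $bare)) { $h }
        }
    }
}

# Usage: hunt for Domain Admin sessions on a few servers (hypothetical names)
$admins = Get-DomainGroupMember -Identity 'Domain Admins' | ForEach-Object { $_.MemberName }
Find-LoggedOnUsers -ComputerName 'dcorp-adminsrv','dcorp-appsrv' -TargetUsers $admins -Verbose |
    Sort-Object Computer, User -Unique | Format-Table -AutoSize
```

Run it with -Verbose during an assessment: the per-host failure messages tell you where you are admin, where only Remote Registry is reachable, and where neither works, which is itself useful reconnaissance.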

Find shares on hosts in current domain.

Invoke-ShareFinder -Verbose

Find sensitive files on computers in the domain

Invoke-FileFinder -Verbose

Get all fileservers of the domain

Get-NetFileServer
