Domain Enumeration

Tools

ActiveDirectory module (ADModule): https://github.com/samratashok/ADModule
PowerView (https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon)

Powershell

Get Current Forest

$Forest = [System.DirectoryServices.ActiveDirectory.Forest]
$Forest::GetCurrentForest()

Output:

Name                  : corp.com
Sites                 : {Default-First-Site-Name}
Domains               : {corp.com}
GlobalCatalogs        : {dc01.corp.com}
ApplicationPartitions : {DC=ForestDnsZones,DC=corp,DC=com, DC=DomainDnsZones,DC=corp,DC=com}
ForestModeLevel       : 6
ForestMode            : Windows2012R2Forest
RootDomain            : corp.com
Schema                : CN=Schema,CN=Configuration,DC=corp,DC=com
SchemaRoleOwner       : dc01.corp.com
NamingRoleOwner       : dc01.corp.com

Get Current Domain

$ADClass = [System.DirectoryServices.ActiveDirectory.Domain]
$ADClass::GetCurrentDomain()

Output:

Forest                  : corp.com
DomainControllers       : {dc01.corp.com}
Children                : {}
DomainMode              : Windows2012R2Domain
DomainModeLevel         : 6
Parent                  : 
PdcRoleOwner            : dc01.corp.com
RidRoleOwner            : dc01.corp.com
InfrastructureRoleOwner : dc01.corp.com
Name                    : corp.com

Get Domain Kerberos Policy

Source: https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Get-DomainKerberosPolicy

Function Get-KerberosPolicy
    {
        # NOTE: This script REQUIRES the GroupPolicy module installed.
        Import-Module GroupPolicy

        [string]$PDCHostName = (Get-ADDomainController -Discover -Service PrimaryDC).HostName
        [xml]$DefaultDomainPolicyXML = Get-GPO -Name "Default Domain Policy" -Server $PDCHostName | Get-GPOReport -ReportType XML # -Path c:\temp\DDP.xml
        $NameSpaceManager = New-Object System.XML.XmlNamespaceManager($DefaultDomainPolicyXML.NameTable) 
        $NameSpaceManager.AddNamespace('root','http://www.microsoft.com/GroupPolicy/Settings')
        $GPOsettings = [array]$DefaultDomainPolicyXML.SelectNodes('//root:Extension',$NameSpaceManager)
        $KerberosPolicySettings = $GPOsettings.Account |?{$_.type -match "Kerberos"}

        $KerberosPolicySettingsMaxRenewAge = $KerberosPolicySettings.MaxRenewAge
        $KerberosPolicySettingsMaxTicketAge = $KerberosPolicySettings.MaxTicketAge

        return $KerberosPolicySettings
    }

Output:

Name                 SettingNumber Type    
----                 ------------- ----    
MaxClockSkew         5             Kerberos
MaxRenewAge          7             Kerberos
MaxServiceAge        600           Kerberos
MaxTicketAge         10            Kerberos
TicketValidateClient               Kerberos

PowerView

Import module

. .\PowerView.ps1

Get Current Domain

Get-NetDomain

Get object of another domain

Get-NetDomain -Domain corp.local

Get Domain SID for the current domain

Get-DomainSID

Get Domain Policy for the Current Domain

Get-DomainPolicy

Output:

Unicode        : @{Unicode=yes}
SystemAccess   : @{MinimumPasswordAge=1; MaximumPasswordAge=42; MinimumPasswordLength=7; PasswordComplexity=1;
                 PasswordHistorySize=24; LockoutBadCount=0; RequireLogonToChangePassword=0; ForceLogoffWhenHourExpire=0;
                 ClearTextPassword=0; LSAAnonymousNameLookup=0}
KerberosPolicy : @{MaxTicketAge=10; MaxRenewAge=7; MaxServiceAge=600; MaxClockSkew=5; TicketValidateClient=1}
RegistryValues : @{MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=System.Object[]}
Version        : @{signature="$CHICAGO$"; Revision=1}
Path           : \\corp.local\sysvol\corp.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows
                 NT\SecEdit\GptTmpl.inf
GPOName        : {31B2F340-016D-11D2-945F-00C04FB984F9}
GPODisplayName : Default Domain Policy

Get Domain Controllers for the current domain

Get-NetDomainController

Output:

Forest                     : corp.local
CurrentTime                : 1/14/2021 2:03:39 PM
HighestCommittedUsn        : 24607
OSVersion                  : Windows Server 2016 Standard Evaluation
Roles                      : {SchemaRole, NamingRole, PdcRole, RidRole...}
Domain                     : corp.local
IPAddress                  : fe80::404f:47be:d5d7:54b2%5
SiteName                   : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections         : {}
OutboundConnections        : {}
Name                       : W16DCORP.corp.local
Partitions                 : {DC=corp,DC=local, CN=Configuration,DC=corp,DC=local, CN=Schema,CN=Configuration,DC=corp,DC=local,
                             DC=DomainDnsZones,DC=corp,DC=local...}

Get Domain Controllers for another Domain

Get-NetDomainController -Domain domainname.local

Get a List of Users in the Current Domain

Get-NetUser

Output:

logoncount             : 18
badpasswordtime        : 1/1/1601 1:00:00 AM
description            : Built-in account for administering the computer/domain
distinguishedname      : CN=Administrator,CN=Users,DC=corp,DC=local
objectclass            : {top, person, organizationalPerson, user}
lastlogontimestamp     : 1/13/2021 11:32:04 AM
name                   : Administrator
objectsid              : S-1-5-21-3597801137-3445022117-3132179924-500
samaccountname         : Administrator
admincount             : 1
codepage               : 0
samaccounttype         : USER_OBJECT
accountexpires         : NEVER
countrycode            : 0
whenchanged            : 1/13/2021 11:15:32 AM
instancetype           : 4
objectguid             : 9481d3d7-a62f-4845-8b88-5df6c8beae40
lastlogon              : 1/14/2021 1:00:49 PM
lastlogoff             : 1/1/1601 1:00:00 AM
objectcategory         : CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=local
dscorepropagationdata  : {1/13/2021 11:15:32 AM, 1/13/2021 11:15:32 AM, 1/13/2021 11:00:22 AM, 1/1/1601 6:12:16 PM}
memberof               : {CN=Group Policy Creator Owners,CN=Users,DC=corp,DC=local, CN=Domain Admins,CN=Users,DC=corp,DC=local,
                         CN=Enterprise Admins,CN=Users,DC=corp,DC=local, CN=Schema Admins,CN=Users,DC=corp,DC=local...}
whencreated            : 1/13/2021 10:59:36 AM
iscriticalsystemobject : True
badpwdcount            : 0
cn                     : Administrator
useraccountcontrol     : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
usncreated             : 8196
primarygroupid         : 513
pwdlastset             : 1/13/2021 6:42:04 PM
usnchanged             : 12770

pwdlastset             : 1/1/1601 1:00:00 AM

[...]

ActiveDirectory module

Import module

Import-Module .\ActiveDirectory\ActiveDirectory.psd1
Import-Module .\Microsoft.ActiveDirectory.Management.dll

Get Current Domain

Get-ADDomain

Get object of another domain

Get-ADDomain -Identity corp.local

Get Domain SID for the current domain

(Get-ADDomain).DomainSID

Get Domain Controllers for the current domain

Get-ADDomainController

Output:

ComputerObjectDN           : CN=W16DCORP,OU=Domain Controllers,DC=corp,DC=local
DefaultPartition           : DC=corp,DC=local
Domain                     : corp.local
Enabled                    : True
Forest                     : corp.local
HostName                   : W16DCORP.corp.local
InvocationId               : a3356e5b-c259-4f76-84d0-df0ff4ebf6bf
IPv4Address                : 192.168.3.4
IPv6Address                :
IsGlobalCatalog            : True
IsReadOnly                 : False
LdapPort                   : 389
Name                       : W16DCORP
NTDSSettingsObjectDN       : CN=NTDS Settings,CN=W16DCORP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=local
OperatingSystem            : Windows Server 2016 Standard Evaluation
OperatingSystemHotfix      :
OperatingSystemServicePack :
OperatingSystemVersion     : 10.0 (14393)
OperationMasterRoles       : {SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster...}
Partitions                 : {DC=ForestDnsZones,DC=corp,DC=local, DC=DomainDnsZones,DC=corp,DC=local, CN=Schema,CN=Configuration,DC=corp,DC=local, CN=Configuration,DC=corp,DC=local...}
ServerObjectDN             : CN=W16DCORP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=local
ServerObjectGuid           : a06c3f4c-1312-4b3d-b765-cf07ee5e28c0
Site                       : Default-First-Site-Name
SslPort                    : 636

Get Domain Controllers for another Domain

Get-ADDomainController -DomainName domainname.local -Discover

Get a List of Users in the Current Domain

Get-ADUser -Filter * -Properties *

Output:

AccountExpirationDate                :
accountExpires                       : 9223372036854775807
AccountLockoutTime                   :
AccountNotDelegated                  : False
adminCount                           : 1
AllowReversiblePasswordEncryption    : False
AuthenticationPolicy                 : {}
AuthenticationPolicySilo             : {}
BadLogonCount                        : 0
badPasswordTime                      : 0
badPwdCount                          : 0
CannotChangePassword                 : False
CanonicalName                        : corp.local/Users/Administrator
Certificates                         : {}
City                                 :
CN                                   : Administrator
codePage                             : 0
Company                              :
CompoundIdentitySupported            : {}
Country                              :
countryCode                          : 0
Created                              : 1/13/2021 11:59:36 AM
createTimeStamp                      : 1/13/2021 11:59:36 AM
Deleted                              :
Department                           :
Description                          : Built-in account for administering the computer/domain
DisplayName                          :
DistinguishedName                    : CN=Administrator,CN=Users,DC=corp,DC=local
Division                             :
DoesNotRequirePreAuth                : False
dSCorePropagationData                : {1/13/2021 12:15:32 PM, 1/13/2021 12:15:32 PM, 1/13/2021 12:00:22 PM, 1/1/1601 7:12:16 PM}
EmailAddress                         :
EmployeeID                           :
EmployeeNumber                       :
Enabled                              : True
Fax                                  :
GivenName                            :
HomeDirectory                        :
HomedirRequired                      : False
HomeDrive                            :
HomePage                             :
HomePhone                            :
Initials                             :
instanceType                         : 4
isCriticalSystemObject               : True
isDeleted                            :
KerberosEncryptionType               : {}
LastBadPasswordAttempt               :
LastKnownParent                      :
lastLogoff                           : 0
lastLogon                            : 132550992491978231
LastLogonDate                        : 1/13/2021 11:32:04 AM
lastLogonTimestamp                   : 132550075248868120
LockedOut                            : False
logonCount                           : 18
LogonWorkstations                    :
Manager                              :
MemberOf                             : {CN=Group Policy Creator Owners,CN=Users,DC=corp,DC=local, CN=Domain Admins,CN=Users,DC=corp,DC
MNSLogonAccount                      : False
MobilePhone                          :
Modified                             : 1/13/2021 12:15:32 PM
modifyTimeStamp                      : 1/13/2021 12:15:32 PM
msDS-User-Account-Control-Computed   : 0
Name                                 : Administrator
nTSecurityDescriptor                 : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                       : CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=local
ObjectClass                          : user
ObjectGUID                           : 9481d3d7-a62f-4845-8b88-5df6c8beae40
objectSid                            : S-1-5-21-3597801137-3445022117-3132179924-500
Office                               :
OfficePhone                          :
Organization                         :
OtherName                            :
PasswordExpired                      : False
PasswordLastSet                      : 1/13/2021 6:42:04 PM
PasswordNeverExpires                 : True
PasswordNotRequired                  : False
POBox                                :
PostalCode                           :
PrimaryGroup                         : CN=Domain Users,CN=Users,DC=corp,DC=local
primaryGroupID                       : 513
PrincipalsAllowedToDelegateToAccount : {}
ProfilePath                          :
ProtectedFromAccidentalDeletion      : False
pwdLastSet                           : 132550333241274896
SamAccountName                       : Administrator
sAMAccountType                       : 805306368
ScriptPath                           :
sDRightsEffective                    : 15
ServicePrincipalNames                : {}
SID                                  : S-1-5-21-3597801137-3445022117-3132179924-500
SIDHistory                           : {}
SmartcardLogonRequired               : False
State                                :
StreetAddress                        :
Surname                              :
Title                                :
TrustedForDelegation                 : False
TrustedToAuthForDelegation           : False
UseDESKeyOnly                        : False
userAccountControl                   : 66048
userCertificate                      : {}
UserPrincipalName                    :
uSNChanged                           : 12770
uSNCreated                           : 8196
whenChanged                          : 1/13/2021 12:15:32 PM
whenCreated                          : 1/13/2021 11:59:36 AM

Get list of all Properties for Users in the Current Domain

Get-ADUser -Identity Administrator -Properties *

Output:

DistinguishedName : CN=Administrator,CN=Users,DC=corp,DC=local
Enabled           : True
GivenName         :
Name              : Administrator
ObjectClass       : user
ObjectGUID        : 9481d3d7-a62f-4845-8b88-5df6c8beae40
SamAccountName    : Administrator
SID               : S-1-5-21-3597801137-3445022117-3132179924-500
Surname           :
UserPrincipalName :

[...]

PreviousInitial page NextLateral movement

Last updated 4 years ago

Was this helpful?