Domain Enumeration

Tools

ActiveDirectory module (ADModule): https://github.com/samratashok/ADModule
PowerView (https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon)

Powershell

Get Current Forest

$Forest = [System.DirectoryServices.ActiveDirectory.Forest]
$Forest::GetCurrentForest()

Output:

Name                  : corp.com
Sites                 : {Default-First-Site-Name}
Domains               : {corp.com}
GlobalCatalogs        : {dc01.corp.com}
ApplicationPartitions : {DC=ForestDnsZones,DC=corp,DC=com, DC=DomainDnsZones,DC=corp,DC=com}
ForestModeLevel       : 6
ForestMode            : Windows2012R2Forest
RootDomain            : corp.com
Schema                : CN=Schema,CN=Configuration,DC=corp,DC=com
SchemaRoleOwner       : dc01.corp.com
NamingRoleOwner       : dc01.corp.com

Get Current Domain

$ADClass = [System.DirectoryServices.ActiveDirectory.Domain]
$ADClass::GetCurrentDomain()

Output:

Forest                  : corp.com
DomainControllers       : {dc01.corp.com}
Children                : {}
DomainMode              : Windows2012R2Domain
DomainModeLevel         : 6
Parent                  : 
PdcRoleOwner            : dc01.corp.com
RidRoleOwner            : dc01.corp.com
InfrastructureRoleOwner : dc01.corp.com
Name                    : corp.com

Get Domain Kerberos Policy

Source: https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Get-DomainKerberosPolicy

Function Get-KerberosPolicy
    {
        # NOTE: This script REQUIRES the GroupPolicy module installed.
        Import-Module GroupPolicy

        [string]$PDCHostName = (Get-ADDomainController -Discover -Service PrimaryDC).HostName
        [xml]$DefaultDomainPolicyXML = Get-GPO -Name "Default Domain Policy" -Server $PDCHostName | Get-GPOReport -ReportType XML # -Path c:\temp\DDP.xml
        $NameSpaceManager = New-Object System.XML.XmlNamespaceManager($DefaultDomainPolicyXML.NameTable) 
        $NameSpaceManager.AddNamespace('root','http://www.microsoft.com/GroupPolicy/Settings')
        $GPOsettings = [array]$DefaultDomainPolicyXML.SelectNodes('//root:Extension',$NameSpaceManager)
        $KerberosPolicySettings = $GPOsettings.Account |?{$_.type -match "Kerberos"}

        $KerberosPolicySettingsMaxRenewAge = $KerberosPolicySettings.MaxRenewAge
        $KerberosPolicySettingsMaxTicketAge = $KerberosPolicySettings.MaxTicketAge

        return $KerberosPolicySettings
    }

Output:

Name                 SettingNumber Type    
----                 ------------- ----    
MaxClockSkew         5             Kerberos
MaxRenewAge          7             Kerberos
MaxServiceAge        600           Kerberos
MaxTicketAge         10            Kerberos
TicketValidateClient               Kerberos

PowerView

Import module

. .\PowerView.ps1

Get Current Domain

Get-NetDomain

Get object of another domain

Get-NetDomain -Domain corp.local

Get Domain SID for the current domain

Get-DomainSID

Get Domain Policy for the Current Domain

Get-DomainPolicy

Output:

Unicode        : @{Unicode=yes}
SystemAccess   : @{MinimumPasswordAge=1; MaximumPasswordAge=42; MinimumPasswordLength=7; PasswordComplexity=1;
                 PasswordHistorySize=24; LockoutBadCount=0; RequireLogonToChangePassword=0; ForceLogoffWhenHourExpire=0;
                 ClearTextPassword=0; LSAAnonymousNameLookup=0}
KerberosPolicy : @{MaxTicketAge=10; MaxRenewAge=7; MaxServiceAge=600; MaxClockSkew=5; TicketValidateClient=1}
RegistryValues : @{MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=System.Object[]}
Version        : @{signature="$CHICAGO$"; Revision=1}
Path           : \\corp.local\sysvol\corp.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows
                 NT\SecEdit\GptTmpl.inf
GPOName        : {31B2F340-016D-11D2-945F-00C04FB984F9}
GPODisplayName : Default Domain Policy

Get Domain Controllers for the current domain

Get-NetDomainController

Output:

Forest                     : corp.local
CurrentTime                : 1/14/2021 2:03:39 PM
HighestCommittedUsn        : 24607
OSVersion                  : Windows Server 2016 Standard Evaluation
Roles                      : {SchemaRole, NamingRole, PdcRole, RidRole...}
Domain                     : corp.local
IPAddress                  : fe80::404f:47be:d5d7:54b2%5
SiteName                   : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections         : {}
OutboundConnections        : {}
Name                       : W16DCORP.corp.local
Partitions                 : {DC=corp,DC=local, CN=Configuration,DC=corp,DC=local, CN=Schema,CN=Configuration,DC=corp,DC=local,
                             DC=DomainDnsZones,DC=corp,DC=local...}

Get Domain Controllers for another Domain

Get-NetDomainController -Domain domainname.local

Get a List of Users in the Current Domain

Get-NetUser

Output:

logoncount             : 18
badpasswordtime        : 1/1/1601 1:00:00 AM
description            : Built-in account for administering the computer/domain
distinguishedname      : CN=Administrator,CN=Users,DC=corp,DC=local
objectclass            : {top, person, organizationalPerson, user}
lastlogontimestamp     : 1/13/2021 11:32:04 AM
name                   : Administrator
objectsid              : S-1-5-21-3597801137-3445022117-3132179924-500
samaccountname         : Administrator
admincount             : 1
codepage               : 0
samaccounttype         : USER_OBJECT
accountexpires         : NEVER
countrycode            : 0
whenchanged            : 1/13/2021 11:15:32 AM
instancetype           : 4
objectguid             : 9481d3d7-a62f-4845-8b88-5df6c8beae40
lastlogon              : 1/14/2021 1:00:49 PM
lastlogoff             : 1/1/1601 1:00:00 AM
objectcategory         : CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=local
dscorepropagationdata  : {1/13/2021 11:15:32 AM, 1/13/2021 11:15:32 AM, 1/13/2021 11:00:22 AM, 1/1/1601 6:12:16 PM}
memberof               : {CN=Group Policy Creator Owners,CN=Users,DC=corp,DC=local, CN=Domain Admins,CN=Users,DC=corp,DC=local,
                         CN=Enterprise Admins,CN=Users,DC=corp,DC=local, CN=Schema Admins,CN=Users,DC=corp,DC=local...}
whencreated            : 1/13/2021 10:59:36 AM
iscriticalsystemobject : True
badpwdcount            : 0
cn                     : Administrator
useraccountcontrol     : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
usncreated             : 8196
primarygroupid         : 513
pwdlastset             : 1/13/2021 6:42:04 PM
usnchanged             : 12770

pwdlastset             : 1/1/1601 1:00:00 AM

[...]

ActiveDirectory module

Import module

Import-Module .\ActiveDirectory\ActiveDirectory.psd1
Import-Module .\Microsoft.ActiveDirectory.Management.dll

Get Current Domain

Get-ADDomain

Get object of another domain

Get-ADDomain -Identity corp.local

Get Domain SID for the current domain

(Get-ADDomain).DomainSID

Get Domain Controllers for the current domain

Get-ADDomainController

Output:

ComputerObjectDN           : CN=W16DCORP,OU=Domain Controllers,DC=corp,DC=local
DefaultPartition           : DC=corp,DC=local
Domain                     : corp.local
Enabled                    : True
Forest                     : corp.local
HostName                   : W16DCORP.corp.local
InvocationId               : a3356e5b-c259-4f76-84d0-df0ff4ebf6bf
IPv4Address                : 192.168.3.4
IPv6Address                :
IsGlobalCatalog            : True
IsReadOnly                 : False
LdapPort                   : 389
Name                       : W16DCORP
NTDSSettingsObjectDN       : CN=NTDS Settings,CN=W16DCORP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=local
OperatingSystem            : Windows Server 2016 Standard Evaluation
OperatingSystemHotfix      :
OperatingSystemServicePack :
OperatingSystemVersion     : 10.0 (14393)
OperationMasterRoles       : {SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster...}
Partitions                 : {DC=ForestDnsZones,DC=corp,DC=local, DC=DomainDnsZones,DC=corp,DC=local, CN=Schema,CN=Configuration,DC=corp,DC=local, CN=Configuration,DC=corp,DC=local...}
ServerObjectDN             : CN=W16DCORP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=local
ServerObjectGuid           : a06c3f4c-1312-4b3d-b765-cf07ee5e28c0
Site                       : Default-First-Site-Name
SslPort                    : 636

Get Domain Controllers for another Domain

Get-ADDomainController -DomainName domainname.local -Discover

Get a List of Users in the Current Domain

Get-ADUser -Filter * -Properties *

Output:

AccountExpirationDate                :
accountExpires                       : 9223372036854775807
AccountLockoutTime                   :
AccountNotDelegated                  : False
adminCount                           : 1
AllowReversiblePasswordEncryption    : False
AuthenticationPolicy                 : {}
AuthenticationPolicySilo             : {}
BadLogonCount                        : 0
badPasswordTime                      : 0
badPwdCount                          : 0
CannotChangePassword                 : False
CanonicalName                        : corp.local/Users/Administrator
Certificates                         : {}
City                                 :
CN                                   : Administrator
codePage                             : 0
Company                              :
CompoundIdentitySupported            : {}
Country                              :
countryCode                          : 0
Created                              : 1/13/2021 11:59:36 AM
createTimeStamp                      : 1/13/2021 11:59:36 AM
Deleted                              :
Department                           :
Description                          : Built-in account for administering the computer/domain
DisplayName                          :
DistinguishedName                    : CN=Administrator,CN=Users,DC=corp,DC=local
Division                             :
DoesNotRequirePreAuth                : False
dSCorePropagationData                : {1/13/2021 12:15:32 PM, 1/13/2021 12:15:32 PM, 1/13/2021 12:00:22 PM, 1/1/1601 7:12:16 PM}
EmailAddress                         :
EmployeeID                           :
EmployeeNumber                       :
Enabled                              : True
Fax                                  :
GivenName                            :
HomeDirectory                        :
HomedirRequired                      : False
HomeDrive                            :
HomePage                             :
HomePhone                            :
Initials                             :
instanceType                         : 4
isCriticalSystemObject               : True
isDeleted                            :
KerberosEncryptionType               : {}
LastBadPasswordAttempt               :
LastKnownParent                      :
lastLogoff                           : 0
lastLogon                            : 132550992491978231
LastLogonDate                        : 1/13/2021 11:32:04 AM
lastLogonTimestamp                   : 132550075248868120
LockedOut                            : False
logonCount                           : 18
LogonWorkstations                    :
Manager                              :
MemberOf                             : {CN=Group Policy Creator Owners,CN=Users,DC=corp,DC=local, CN=Domain Admins,CN=Users,DC=corp,DC
MNSLogonAccount                      : False
MobilePhone                          :
Modified                             : 1/13/2021 12:15:32 PM
modifyTimeStamp                      : 1/13/2021 12:15:32 PM
msDS-User-Account-Control-Computed   : 0
Name                                 : Administrator
nTSecurityDescriptor                 : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                       : CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=local
ObjectClass                          : user
ObjectGUID                           : 9481d3d7-a62f-4845-8b88-5df6c8beae40
objectSid                            : S-1-5-21-3597801137-3445022117-3132179924-500
Office                               :
OfficePhone                          :
Organization                         :
OtherName                            :
PasswordExpired                      : False
PasswordLastSet                      : 1/13/2021 6:42:04 PM
PasswordNeverExpires                 : True
PasswordNotRequired                  : False
POBox                                :
PostalCode                           :
PrimaryGroup                         : CN=Domain Users,CN=Users,DC=corp,DC=local
primaryGroupID                       : 513
PrincipalsAllowedToDelegateToAccount : {}
ProfilePath                          :
ProtectedFromAccidentalDeletion      : False
pwdLastSet                           : 132550333241274896
SamAccountName                       : Administrator
sAMAccountType                       : 805306368
ScriptPath                           :
sDRightsEffective                    : 15
ServicePrincipalNames                : {}
SID                                  : S-1-5-21-3597801137-3445022117-3132179924-500
SIDHistory                           : {}
SmartcardLogonRequired               : False
State                                :
StreetAddress                        :
Surname                              :
Title                                :
TrustedForDelegation                 : False
TrustedToAuthForDelegation           : False
UseDESKeyOnly                        : False
userAccountControl                   : 66048
userCertificate                      : {}
UserPrincipalName                    :
uSNChanged                           : 12770
uSNCreated                           : 8196
whenChanged                          : 1/13/2021 12:15:32 PM
whenCreated                          : 1/13/2021 11:59:36 AM

Get list of all Properties for Users in the Current Domain

Get-ADUser -Identity Administrator -Properties *

Output:

DistinguishedName : CN=Administrator,CN=Users,DC=corp,DC=local
Enabled           : True
GivenName         :
Name              : Administrator
ObjectClass       : user
ObjectGUID        : 9481d3d7-a62f-4845-8b88-5df6c8beae40
SamAccountName    : Administrator
SID               : S-1-5-21-3597801137-3445022117-3132179924-500
Surname           :
UserPrincipalName :

[...]

PreviousInitial page NextLateral movement

Last updated 5 years ago

hashtagTools

hashtagPowershell

hashtagGet Current Forest

hashtagGet Current Domain

hashtagGet Domain Kerberos Policy

hashtagPowerView

hashtagImport module

hashtagGet Current Domain

hashtagGet object of another domain

hashtagGet Domain SID for the current domain

hashtagGet Domain Policy for the Current Domain

hashtagGet Domain Controllers for the current domain

hashtagGet Domain Controllers for another Domain

hashtagGet a List of Users in the Current Domain

hashtagActiveDirectory module

hashtagImport module

hashtagGet Current Domain

hashtagGet object of another domain

hashtagGet Domain SID for the current domain

hashtagGet Domain Controllers for the current domain

hashtagGet Domain Controllers for another Domain

hashtagGet a List of Users in the Current Domain

hashtagGet list of all Properties for Users in the Current Domain

Tools

Powershell

Get Current Forest

Get Current Domain

Get Domain Kerberos Policy

PowerView

Import module

Get Current Domain

Get object of another domain

Get Domain SID for the current domain

Get Domain Policy for the Current Domain

Get Domain Controllers for the current domain

Get Domain Controllers for another Domain

Get a List of Users in the Current Domain

ActiveDirectory module

Import module

Get Current Domain

Get object of another domain

Get Domain SID for the current domain

Get Domain Controllers for the current domain

Get Domain Controllers for another Domain

Get a List of Users in the Current Domain

Get list of all Properties for Users in the Current Domain