Domain Enumeration

Tools

PowerShell

Get Current Forest

$Forest = [System.DirectoryServices.ActiveDirectory.Forest]
$Forest::GetCurrentForest()

Output:

Name : corp.com
Sites : {Default-First-Site-Name}
Domains : {corp.com}
GlobalCatalogs : {dc01.corp.com}
ApplicationPartitions : {DC=ForestDnsZones,DC=corp,DC=com, DC=DomainDnsZones,DC=corp,DC=com}
ForestModeLevel : 6
ForestMode : Windows2012R2Forest
RootDomain : corp.com
Schema : CN=Schema,CN=Configuration,DC=corp,DC=com
SchemaRoleOwner : dc01.corp.com
NamingRoleOwner : dc01.corp.com

Get Current Domain

$ADClass = [System.DirectoryServices.ActiveDirectory.Domain]
$ADClass::GetCurrentDomain()

Output:

Forest : corp.com
DomainControllers : {dc01.corp.com}
Children : {}
DomainMode : Windows2012R2Domain
DomainModeLevel : 6
Parent :
PdcRoleOwner : dc01.corp.com
RidRoleOwner : dc01.corp.com
InfrastructureRoleOwner : dc01.corp.com
Name : corp.com

Get Domain Kerberos Policy

Source: https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Get-DomainKerberosPolicy

Function Get-KerberosPolicy
{
    # NOTE: This script REQUIRES the GroupPolicy module installed (RSAT); Get-ADDomainController
    # additionally needs the ActiveDirectory module.
    Import-Module GroupPolicy
    # Query the PDC emulator, which holds the authoritative copy of the Default Domain Policy
    [string]$PDCHostName = (Get-ADDomainController -Discover -Service PrimaryDC).HostName
    # Export the GPO as an XML report and parse it in memory
    [xml]$DefaultDomainPolicyXML = Get-GPO -Name "Default Domain Policy" -Server $PDCHostName | Get-GPOReport -ReportType XML # -Path c:\temp\DDP.xml
    # The report uses a default XML namespace, so register it for the XPath query below
    $NameSpaceManager = New-Object System.XML.XmlNamespaceManager($DefaultDomainPolicyXML.NameTable)
    $NameSpaceManager.AddNamespace('root','http://www.microsoft.com/GroupPolicy/Settings')
    $GPOsettings = [array]$DefaultDomainPolicyXML.SelectNodes('//root:Extension',$NameSpaceManager)
    # Keep only the Account settings of type Kerberos (MaxTicketAge, MaxRenewAge, ...)
    $KerberosPolicySettings = $GPOsettings.Account |?{$_.type -match "Kerberos"}
    # The two variables below are kept from the source script but are not used by it
    $KerberosPolicySettingsMaxRenewAge = $KerberosPolicySettings.MaxRenewAge
    $KerberosPolicySettingsMaxTicketAge = $KerberosPolicySettings.MaxTicketAge
    return $KerberosPolicySettings
}

Output:

Name SettingNumber Type
---- ------------- ----
MaxClockSkew 5 Kerberos
MaxRenewAge 7 Kerberos
MaxServiceAge 600 Kerberos
MaxTicketAge 10 Kerberos
TicketValidateClient Kerberos

PowerView

Import module

. .\PowerView.ps1

Get Current Domain

Get-NetDomain

Get object of another domain

Get-NetDomain -Domain corp.local

Get Domain SID for the current domain

Get-DomainSID

Get Domain Policy for the Current Domain

Get-DomainPolicy

Output:

Unicode : @{Unicode=yes}
SystemAccess : @{MinimumPasswordAge=1; MaximumPasswordAge=42; MinimumPasswordLength=7; PasswordComplexity=1;
PasswordHistorySize=24; LockoutBadCount=0; RequireLogonToChangePassword=0; ForceLogoffWhenHourExpire=0;
ClearTextPassword=0; LSAAnonymousNameLookup=0}
KerberosPolicy : @{MaxTicketAge=10; MaxRenewAge=7; MaxServiceAge=600; MaxClockSkew=5; TicketValidateClient=1}
RegistryValues : @{MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=System.Object[]}
Version : @{signature="$CHICAGO$"; Revision=1}
Path : \\corp.local\sysvol\corp.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows
NT\SecEdit\GptTmpl.inf
GPOName : {31B2F340-016D-11D2-945F-00C04FB984F9}
GPODisplayName : Default Domain Policy
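Both the Get-KerberosPolicy script above and Get-DomainPolicy ultimately read the SecEdit template GptTmpl.inf from SYSVOL (the Path field in the output). The following is an added example, not code from the original page, PowerView or PyroTek3's script: it parses a GptTmpl.inf directly and reports the settings a defender would want to review. The sample template is constructed to mirror the values printed above, and the baseline thresholds are assumptions to adjust to your own standard.

```powershell
# Added example: parse GptTmpl.inf (the Default Domain Policy security template)
# and flag weak password, lockout and Kerberos settings. Thresholds are assumptions.

function ConvertFrom-GptTmpl {
    param([Parameter(Mandatory)][string]$Text)
    # Returns a hashtable of sections, each mapping setting names to raw string values
    $result  = @{}
    $section = $null
    foreach ($rawLine in ($Text -split "`r?`n")) {
        $line = $rawLine.Trim()
        if (-not $line -or $line.StartsWith(';')) { continue }   # blank line or comment
        if ($line -match '^\[(.+)\]$') {                           # [Section Name]
            $section = $Matches[1]
            $result[$section] = @{}
            continue
        }
        if ($section -and $line -match '^(.+?)\s*=\s*(.*)$') {     # Key = Value
            $result[$section][$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $result
}

function Test-DomainPolicyBaseline {
    param([Parameter(Mandatory)][hashtable]$Policy)
    $sys = $Policy['System Access']
    $krb = $Policy['Kerberos Policy']
    $reg = $Policy['Registry Values']
    $findings = @()
    # Password policy (assumed baseline: 14+ characters, complexity on, no reversible storage)
    if ([int]$sys['MinimumPasswordLength'] -lt 14) {
        $findings += "MinimumPasswordLength=$($sys['MinimumPasswordLength']) (baseline: 14 or more)"
    }
    if ([int]$sys['PasswordComplexity'] -ne 1) { $findings += "PasswordComplexity is disabled" }
    if ([int]$sys['ClearTextPassword'] -ne 0)  { $findings += "ClearTextPassword=1 (reversible encryption)" }
    # Lockout: 0 means no lockout threshold at all, so bad-password attempts are never throttled
    if ([int]$sys['LockoutBadCount'] -eq 0)    { $findings += "LockoutBadCount=0 (no account lockout)" }
    if ([int]$sys['LSAAnonymousNameLookup'] -ne 0) { $findings += "LSAAnonymousNameLookup enabled" }
    # Kerberos lifetimes (assumed baseline: the Windows defaults shown in the page output)
    if ([int]$krb['MaxTicketAge'] -gt 10) { $findings += "MaxTicketAge=$($krb['MaxTicketAge']) h (baseline: 10)" }
    if ([int]$krb['MaxRenewAge'] -gt 7)   { $findings += "MaxRenewAge=$($krb['MaxRenewAge']) d (baseline: 7)" }
    if ([int]$krb['MaxClockSkew'] -gt 5)  { $findings += "MaxClockSkew=$($krb['MaxClockSkew']) min (baseline: 5)" }
    # Registry value entries are written as "<type>,<value>"; 4,1 is REG_DWORD = 1
    $lm = $reg['MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash']
    if ($lm -ne '4,1') { $findings += "NoLMHash not enforced (value: $lm)" }
    return $findings
}

# Constructed sample template, mirroring the Get-DomainPolicy output above
$sampleInf = @'
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
LSAAnonymousNameLookup = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
[Version]
signature="$CHICAGO$"
Revision=1
'@

$policy = ConvertFrom-GptTmpl -Text $sampleInf
Test-DomainPolicyBaseline -Policy $policy
# Expected for the sample: MinimumPasswordLength=7 and LockoutBadCount=0 are reported
```

On a real domain, replace `$sampleInf` with `Get-Content -Raw` of the GptTmpl.inf path that Get-DomainPolicy prints, or feed it the `Get-DomainPolicy` object's sections directly; the checks only read the parsed values, so the function works unchanged with either source.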

Get Domain Controllers for the current domain

Get-NetDomainController

Output:

Forest : corp.local
CurrentTime : 1/14/2021 2:03:39 PM
HighestCommittedUsn : 24607
OSVersion : Windows Server 2016 Standard Evaluation
Roles : {SchemaRole, NamingRole, PdcRole, RidRole...}
Domain : corp.local
IPAddress : fe80::404f:47be:d5d7:54b2%5
SiteName : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections : {}
OutboundConnections : {}
Name : W16DCORP.corp.local
Partitions : {DC=corp,DC=local, CN=Configuration,DC=corp,DC=local, CN=Schema,CN=Configuration,DC=corp,DC=local,
DC=DomainDnsZones,DC=corp,DC=local...}

Get Domain Controllers for another Domain

Get-NetDomainController -Domain domainname.local

Get a List of Users in the Current Domain

Get-NetUser

Output:

logoncount : 18
badpasswordtime : 1/1/1601 1:00:00 AM
description : Built-in account for administering the computer/domain
distinguishedname : CN=Administrator,CN=Users,DC=corp,DC=local
objectclass : {top, person, organizationalPerson, user}
lastlogontimestamp : 1/13/2021 11:32:04 AM
name : Administrator
objectsid : S-1-5-21-3597801137-3445022117-3132179924-500
samaccountname : Administrator
admincount : 1
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 1/13/2021 11:15:32 AM
instancetype : 4
objectguid : 9481d3d7-a62f-4845-8b88-5df6c8beae40
lastlogon : 1/14/2021 1:00:49 PM
lastlogoff : 1/1/1601 1:00:00 AM
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=local
dscorepropagationdata : {1/13/2021 11:15:32 AM, 1/13/2021 11:15:32 AM, 1/13/2021 11:00:22 AM, 1/1/1601 6:12:16 PM}
memberof : {CN=Group Policy Creator Owners,CN=Users,DC=corp,DC=local, CN=Domain Admins,CN=Users,DC=corp,DC=local,
CN=Enterprise Admins,CN=Users,DC=corp,DC=local, CN=Schema Admins,CN=Users,DC=corp,DC=local...}
whencreated : 1/13/2021 10:59:36 AM
iscriticalsystemobject : True
badpwdcount : 0
cn : Administrator
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
usncreated : 8196
primarygroupid : 513
pwdlastset : 1/13/2021 6:42:04 PM
usnchanged : 12770
pwdlastset : 1/1/1601 1:00:00 AM
[...]

ActiveDirectory module

Import module

Import-Module .\ActiveDirectory\ActiveDirectory.psd1
Import-Module .\Microsoft.ActiveDirectory.Management.dll

Get Current Domain

Get-ADDomain

Get object of another domain

Get-ADDomain -Identity corp.local

Get Domain SID for the current domain

(Get-ADDomain).DomainSID

Get Domain Controllers for the current domain

Get-ADDomainController

Output:

ComputerObjectDN : CN=W16DCORP,OU=Domain Controllers,DC=corp,DC=local
DefaultPartition : DC=corp,DC=local
Domain : corp.local
Enabled : True
Forest : corp.local
HostName : W16DCORP.corp.local
InvocationId : a3356e5b-c259-4f76-84d0-df0ff4ebf6bf
IPv4Address : 192.168.3.4
IPv6Address :
IsGlobalCatalog : True
IsReadOnly : False
LdapPort : 389
Name : W16DCORP
NTDSSettingsObjectDN : CN=NTDS Settings,CN=W16DCORP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=local
OperatingSystem : Windows Server 2016 Standard Evaluation
OperatingSystemHotfix :
OperatingSystemServicePack :
OperatingSystemVersion : 10.0 (14393)
OperationMasterRoles : {SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster...}
Partitions : {DC=ForestDnsZones,DC=corp,DC=local, DC=DomainDnsZones,DC=corp,DC=local, CN=Schema,CN=Configuration,DC=corp,DC=local, CN=Configuration,DC=corp,DC=local...}
ServerObjectDN : CN=W16DCORP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=local
ServerObjectGuid : a06c3f4c-1312-4b3d-b765-cf07ee5e28c0
Site : Default-First-Site-Name
SslPort : 636

Get Domain Controllers for another Domain

Get-ADDomainController -DomainName domainname.local -Discover

Get a List of Users in the Current Domain

Get-ADUser -Filter * -Properties *

Output:

AccountExpirationDate :
accountExpires : 9223372036854775807
AccountLockoutTime :
AccountNotDelegated : False
adminCount : 1
AllowReversiblePasswordEncryption : False
AuthenticationPolicy : {}
AuthenticationPolicySilo : {}
BadLogonCount : 0
badPasswordTime : 0
badPwdCount : 0
CannotChangePassword : False
CanonicalName : corp.local/Users/Administrator
Certificates : {}
City :
CN : Administrator
codePage : 0
Company :
CompoundIdentitySupported : {}
Country :
countryCode : 0
Created : 1/13/2021 11:59:36 AM
createTimeStamp : 1/13/2021 11:59:36 AM
Deleted :
Department :
Description : Built-in account for administering the computer/domain
DisplayName :
DistinguishedName : CN=Administrator,CN=Users,DC=corp,DC=local
Division :
DoesNotRequirePreAuth : False
dSCorePropagationData : {1/13/2021 12:15:32 PM, 1/13/2021 12:15:32 PM, 1/13/2021 12:00:22 PM, 1/1/1601 7:12:16 PM}
EmailAddress :
EmployeeID :
EmployeeNumber :
Enabled : True
Fax :
GivenName :
HomeDirectory :
HomedirRequired : False
HomeDrive :
HomePage :
HomePhone :
Initials :
instanceType : 4
isCriticalSystemObject : True
isDeleted :
KerberosEncryptionType : {}
LastBadPasswordAttempt :
LastKnownParent :
lastLogoff : 0
lastLogon : 132550992491978231
LastLogonDate : 1/13/2021 11:32:04 AM
lastLogonTimestamp : 132550075248868120
LockedOut : False
logonCount : 18
LogonWorkstations :
Manager :
MemberOf : {CN=Group Policy Creator Owners,CN=Users,DC=corp,DC=local, CN=Domain Admins,CN=Users,DC=corp,DC
MNSLogonAccount : False
MobilePhone :
Modified : 1/13/2021 12:15:32 PM
modifyTimeStamp : 1/13/2021 12:15:32 PM
msDS-User-Account-Control-Computed : 0
Name : Administrator
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory : CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=local
ObjectClass : user
ObjectGUID : 9481d3d7-a62f-4845-8b88-5df6c8beae40
objectSid : S-1-5-21-3597801137-3445022117-3132179924-500
Office :
OfficePhone :
Organization :
OtherName :
PasswordExpired : False
PasswordLastSet : 1/13/2021 6:42:04 PM
PasswordNeverExpires : True
PasswordNotRequired : False
POBox :
PostalCode :
PrimaryGroup : CN=Domain Users,CN=Users,DC=corp,DC=local
primaryGroupID : 513
PrincipalsAllowedToDelegateToAccount : {}
ProfilePath :
ProtectedFromAccidentalDeletion : False
pwdLastSet : 132550333241274896
SamAccountName : Administrator
sAMAccountType : 805306368
ScriptPath :
sDRightsEffective : 15
ServicePrincipalNames : {}
SID : S-1-5-21-3597801137-3445022117-3132179924-500
SIDHistory : {}
SmartcardLogonRequired : False
State :
StreetAddress :
Surname :
Title :
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UseDESKeyOnly : False
userAccountControl : 66048
userCertificate : {}
UserPrincipalName :
uSNChanged : 12770
uSNCreated : 8196
whenChanged : 1/13/2021 12:15:32 PM
whenCreated : 1/13/2021 11:59:36 AM
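PowerView prints `useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD`, while the ActiveDirectory module prints the raw value `66048` and raw FILETIME integers for `pwdLastSet`, `lastLogon` and `accountExpires`. The following is an added example, not code from the page or the ActiveDirectory module: it decodes those raw attributes into the same readable form and flags the account settings a defender would review. The sample object is constructed from the Administrator values printed above; the review list of flags and the function names are assumptions.

```powershell
# Added example: decode userAccountControl bits and FILETIME attributes as printed by Get-ADUser.

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int64]$Value)
    # Bit values of the documented userAccountControl attribute
    $flags = [ordered]@{
        SCRIPT                         = 0x0001
        ACCOUNTDISABLE                 = 0x0002
        HOMEDIR_REQUIRED               = 0x0008
        LOCKOUT                        = 0x0010
        PASSWD_NOTREQD                 = 0x0020
        PASSWD_CANT_CHANGE             = 0x0040
        ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
        TEMP_DUPLICATE_ACCOUNT         = 0x0100
        NORMAL_ACCOUNT                 = 0x0200
        INTERDOMAIN_TRUST_ACCOUNT      = 0x0800
        WORKSTATION_TRUST_ACCOUNT      = 0x1000
        SERVER_TRUST_ACCOUNT           = 0x2000
        DONT_EXPIRE_PASSWORD           = 0x10000
        MNS_LOGON_ACCOUNT              = 0x20000
        SMARTCARD_REQUIRED             = 0x40000
        TRUSTED_FOR_DELEGATION         = 0x80000
        NOT_DELEGATED                  = 0x100000
        USE_DES_KEY_ONLY               = 0x200000
        DONT_REQ_PREAUTH               = 0x400000
        PASSWORD_EXPIRED               = 0x800000
        TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
        PARTIAL_SECRETS_ACCOUNT        = 0x4000000
    }
    @($flags.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } | ForEach-Object { $_.Key })
}

function ConvertFrom-AdFileTime {
    param([Parameter(Mandatory)][int64]$FileTime)
    # 0 and Int64.MaxValue (9223372036854775807) are sentinels meaning "never set" /
    # "never expires"; FromFileTimeUtc throws on the latter, so handle both up front
    if ($FileTime -le 0 -or $FileTime -eq [int64]::MaxValue) { return $null }
    [DateTime]::FromFileTimeUtc($FileTime)
}

function Get-UserAccountSummary {
    param([Parameter(Mandatory)]$User)
    $uac = ConvertFrom-UserAccountControl -Value $User.userAccountControl
    # Flags that weaken authentication controls on an account (assumed review list)
    $review = @('DONT_REQ_PREAUTH', 'PASSWD_NOTREQD', 'ENCRYPTED_TEXT_PWD_ALLOWED',
                'USE_DES_KEY_ONLY', 'TRUSTED_FOR_DELEGATION', 'DONT_EXPIRE_PASSWORD')
    [pscustomobject]@{
        SamAccountName     = $User.SamAccountName
        Flags              = $uac -join ', '
        ReviewFlags        = ($uac | Where-Object { $review -contains $_ }) -join ', '
        PasswordLastSetUtc = ConvertFrom-AdFileTime -FileTime $User.pwdLastSet
        # lastLogon is per-DC and not replicated; lastLogonTimestamp is replicated but
        # refreshed only about every 14 days, so neither alone gives an exact last logon
        LastLogonUtc       = ConvertFrom-AdFileTime -FileTime $User.lastLogon
        AccountExpiresUtc  = ConvertFrom-AdFileTime -FileTime $User.accountExpires
    }
}

# Constructed sample mirroring the Administrator object printed above
$sample = [pscustomobject]@{
    SamAccountName     = 'Administrator'
    userAccountControl = 66048              # 0x10200 = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD
    pwdLastSet         = 132550333241274896
    lastLogon          = 132550992491978231
    accountExpires     = 9223372036854775807 # never expires
}
Get-UserAccountSummary -User $sample | Format-List
```

Against a live domain the same function takes the module's objects directly, e.g. `Get-ADUser -Filter * -Properties userAccountControl,pwdLastSet,lastLogon,accountExpires | ForEach-Object { Get-UserAccountSummary -User $_ }`; reading the raw attributes rather than the module's friendly properties keeps the output comparable with what PowerView shows.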

Get list of all Properties for a single User in the Current Domain

Get-ADUser -Identity Administrator -Properties *

Output:

DistinguishedName : CN=Administrator,CN=Users,DC=corp,DC=local
Enabled : True
GivenName :
Name : Administrator
ObjectClass : user
ObjectGUID : 9481d3d7-a62f-4845-8b88-5df6c8beae40
SamAccountName : Administrator
SID : S-1-5-21-3597801137-3445022117-3132179924-500
Surname :
UserPrincipalName :
[...]