# Domain Enumeration

## Tools

* ActiveDirectory module (ADModule): <https://github.com/samratashok/ADModule>
* PowerView: <https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon>

## PowerShell

### Get Current Forest

```
# .NET class for the forest that the current user's logon domain belongs to;
# no module import needed, only the System.DirectoryServices assembly.
$Forest = [System.DirectoryServices.ActiveDirectory.Forest]
$Forest::GetCurrentForest()
```

Output:

```
Name                  : corp.com
Sites                 : {Default-First-Site-Name}
Domains               : {corp.com}
GlobalCatalogs        : {dc01.corp.com}
ApplicationPartitions : {DC=ForestDnsZones,DC=corp,DC=com, DC=DomainDnsZones,DC=corp,DC=com}
ForestModeLevel       : 6
ForestMode            : Windows2012R2Forest
RootDomain            : corp.com
Schema                : CN=Schema,CN=Configuration,DC=corp,DC=com
SchemaRoleOwner       : dc01.corp.com
NamingRoleOwner       : dc01.corp.com
```

### Get Current Domain

```
# .NET class for the domain of the current security context (FSMO role owners, DCs, parent/children)
$ADClass = [System.DirectoryServices.ActiveDirectory.Domain]
$ADClass::GetCurrentDomain()
```

Output:

```
Forest                  : corp.com
DomainControllers       : {dc01.corp.com}
Children                : {}
DomainMode              : Windows2012R2Domain
DomainModeLevel         : 6
Parent                  : 
PdcRoleOwner            : dc01.corp.com
RidRoleOwner            : dc01.corp.com
InfrastructureRoleOwner : dc01.corp.com
Name                    : corp.com
```

## Get Domain Kerberos Policy

Source: <https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Get-DomainKerberosPolicy>

```
Function Get-KerberosPolicy
{
    # NOTE: requires the GroupPolicy module (RSAT) and the ActiveDirectory
    # module, which provides Get-ADDomainController.
    Import-Module GroupPolicy
    Import-Module ActiveDirectory

    # Query the PDC emulator so the report reflects the authoritative copy of the GPO.
    [string]$PDCHostName = (Get-ADDomainController -Discover -Service PrimaryDC).HostName
    [xml]$DefaultDomainPolicyXML = Get-GPO -Name "Default Domain Policy" -Server $PDCHostName | Get-GPOReport -ReportType XML

    # The GPO report uses a default XML namespace; register it so XPath queries resolve.
    $NameSpaceManager = New-Object System.Xml.XmlNamespaceManager($DefaultDomainPolicyXML.NameTable)
    $NameSpaceManager.AddNamespace('root', 'http://www.microsoft.com/GroupPolicy/Settings')
    $GPOSettings = [array]$DefaultDomainPolicyXML.SelectNodes('//root:Extension', $NameSpaceManager)

    # Keep only the Account settings of type "Kerberos" (MaxTicketAge, MaxRenewAge,
    # MaxServiceAge, MaxClockSkew, TicketValidateClient).
    $KerberosPolicySettings = $GPOSettings.Account | Where-Object { $_.Type -match 'Kerberos' }

    return $KerberosPolicySettings
}
```

Output:

```
Name                 SettingNumber Type    
----                 ------------- ----    
MaxClockSkew         5             Kerberos
MaxRenewAge          7             Kerberos
MaxServiceAge        600           Kerberos
MaxTicketAge         10            Kerberos
TicketValidateClient               Kerberos
```

## PowerView

### Import module

```
. .\PowerView.ps1
```

### Get Current Domain

```
Get-NetDomain
```

### Get object of another domain

```
Get-NetDomain -Domain corp.local
```

### Get Domain SID for the current domain

```
Get-DomainSID
```

### Get Domain Policy for the Current Domain

```
Get-DomainPolicy
```

Output:

```
Unicode        : @{Unicode=yes}
SystemAccess   : @{MinimumPasswordAge=1; MaximumPasswordAge=42; MinimumPasswordLength=7; PasswordComplexity=1;
                 PasswordHistorySize=24; LockoutBadCount=0; RequireLogonToChangePassword=0; ForceLogoffWhenHourExpire=0;
                 ClearTextPassword=0; LSAAnonymousNameLookup=0}
KerberosPolicy : @{MaxTicketAge=10; MaxRenewAge=7; MaxServiceAge=600; MaxClockSkew=5; TicketValidateClient=1}
RegistryValues : @{MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=System.Object[]}
Version        : @{signature="$CHICAGO$"; Revision=1}
Path           : \\corp.local\sysvol\corp.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows
                 NT\SecEdit\GptTmpl.inf
GPOName        : {31B2F340-016D-11D2-945F-00C04FB984F9}
GPODisplayName : Default Domain Policy
```
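Get-DomainPolicy reads the `GptTmpl.inf` security template shown in the `Path` field above. As an added example (not PowerView code), the function below parses that INF format offline and flags the settings a defender would review first; the sample content is constructed from the output above and the thresholds are this example's own assumptions.

```powershell
# Sample GptTmpl.inf content, CONSTRUCTED from the Get-DomainPolicy output above.
# For a real audit, read the file from SYSVOL: Get-Content -Raw <path to GptTmpl.inf>
$SampleGptTmpl = @"
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 1
LockoutBadCount = 0
ClearTextPassword = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxClockSkew = 5
"@

function ConvertFrom-GptTmpl {
    # Parse INF text into a hashtable: section name -> ordered key/value table.
    param([Parameter(Mandatory)][string]$Content)
    $Policy  = @{}
    $Section = $null
    foreach ($Line in $Content -split "`r?`n") {
        $Line = $Line.Trim()
        if (-not $Line -or $Line.StartsWith(';')) { continue }   # skip blanks and comments
        if ($Line -match '^\[(.+)\]$') {
            $Section = $Matches[1]
            $Policy[$Section] = [ordered]@{}
        }
        elseif ($Section -and $Line -match '^([^=]+?)\s*=\s*(.*)$') {
            $Policy[$Section][$Matches[1]] = $Matches[2]
        }
    }
    return $Policy
}

function Test-DomainPolicyBaseline {
    # Flag values a defender would review. Thresholds are this example's
    # assumptions (14-char minimum, lockout required), not a vendor standard.
    param([Parameter(Mandatory)][hashtable]$Policy)
    $Sys = $Policy['System Access']; $Krb = $Policy['Kerberos Policy']
    $Findings = @()
    if ([int]$Sys['LockoutBadCount'] -eq 0)        { $Findings += 'LockoutBadCount=0: no lockout, guessing attempts are never throttled' }
    if ([int]$Sys['MinimumPasswordLength'] -lt 14) { $Findings += "MinimumPasswordLength=$($Sys['MinimumPasswordLength']) is below 14" }
    if ([int]$Sys['ClearTextPassword'] -ne 0)      { $Findings += 'ClearTextPassword=1: reversible encryption enabled' }
    if ([int]$Krb['MaxTicketAge'] -gt 10)          { $Findings += "MaxTicketAge=$($Krb['MaxTicketAge'])h exceeds the 10h default" }
    if ([int]$Krb['MaxClockSkew'] -gt 5)           { $Findings += "MaxClockSkew=$($Krb['MaxClockSkew'])min exceeds the 5 min default" }
    return $Findings
}

$Parsed = ConvertFrom-GptTmpl -Content $SampleGptTmpl
Test-DomainPolicyBaseline -Policy $Parsed   # run the baseline check on the sample
```

The real file is UTF-16 encoded; `Get-Content -Raw` handles that transparently when you replace the sample string.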

### Get Domain Controllers for the current domain

```
Get-NetDomainController
```

Output:

```
Forest                     : corp.local
CurrentTime                : 1/14/2021 2:03:39 PM
HighestCommittedUsn        : 24607
OSVersion                  : Windows Server 2016 Standard Evaluation
Roles                      : {SchemaRole, NamingRole, PdcRole, RidRole...}
Domain                     : corp.local
IPAddress                  : fe80::404f:47be:d5d7:54b2%5
SiteName                   : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections         : {}
OutboundConnections        : {}
Name                       : W16DCORP.corp.local
Partitions                 : {DC=corp,DC=local, CN=Configuration,DC=corp,DC=local, CN=Schema,CN=Configuration,DC=corp,DC=local,
                             DC=DomainDnsZones,DC=corp,DC=local...}
```

### Get Domain Controllers for another Domain

```
Get-NetDomainController -Domain domainname.local
```

### Get a List of Users in the Current Domain

```
Get-NetUser
```

Output:

```
logoncount             : 18
badpasswordtime        : 1/1/1601 1:00:00 AM
description            : Built-in account for administering the computer/domain
distinguishedname      : CN=Administrator,CN=Users,DC=corp,DC=local
objectclass            : {top, person, organizationalPerson, user}
lastlogontimestamp     : 1/13/2021 11:32:04 AM
name                   : Administrator
objectsid              : S-1-5-21-3597801137-3445022117-3132179924-500
samaccountname         : Administrator
admincount             : 1
codepage               : 0
samaccounttype         : USER_OBJECT
accountexpires         : NEVER
countrycode            : 0
whenchanged            : 1/13/2021 11:15:32 AM
instancetype           : 4
objectguid             : 9481d3d7-a62f-4845-8b88-5df6c8beae40
lastlogon              : 1/14/2021 1:00:49 PM
lastlogoff             : 1/1/1601 1:00:00 AM
objectcategory         : CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=local
dscorepropagationdata  : {1/13/2021 11:15:32 AM, 1/13/2021 11:15:32 AM, 1/13/2021 11:00:22 AM, 1/1/1601 6:12:16 PM}
memberof               : {CN=Group Policy Creator Owners,CN=Users,DC=corp,DC=local, CN=Domain Admins,CN=Users,DC=corp,DC=local,
                         CN=Enterprise Admins,CN=Users,DC=corp,DC=local, CN=Schema Admins,CN=Users,DC=corp,DC=local...}
whencreated            : 1/13/2021 10:59:36 AM
iscriticalsystemobject : True
badpwdcount            : 0
cn                     : Administrator
useraccountcontrol     : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
usncreated             : 8196
primarygroupid         : 513
pwdlastset             : 1/13/2021 6:42:04 PM
usnchanged             : 12770

pwdlastset             : 1/1/1601 1:00:00 AM

[...]
```

## ActiveDirectory module

### Import module

```
Import-Module .\ActiveDirectory\ActiveDirectory.psd1
Import-Module .\Microsoft.ActiveDirectory.Management.dll
```

### Get Current Domain

```
Get-ADDomain
```

### Get object of another domain

```
Get-ADDomain -Identity corp.local
```

### Get Domain SID for the current domain

```
(Get-ADDomain).DomainSID
```

### Get Domain Controllers for the current domain

```
Get-ADDomainController
```

Output:

```
ComputerObjectDN           : CN=W16DCORP,OU=Domain Controllers,DC=corp,DC=local
DefaultPartition           : DC=corp,DC=local
Domain                     : corp.local
Enabled                    : True
Forest                     : corp.local
HostName                   : W16DCORP.corp.local
InvocationId               : a3356e5b-c259-4f76-84d0-df0ff4ebf6bf
IPv4Address                : 192.168.3.4
IPv6Address                :
IsGlobalCatalog            : True
IsReadOnly                 : False
LdapPort                   : 389
Name                       : W16DCORP
NTDSSettingsObjectDN       : CN=NTDS Settings,CN=W16DCORP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=local
OperatingSystem            : Windows Server 2016 Standard Evaluation
OperatingSystemHotfix      :
OperatingSystemServicePack :
OperatingSystemVersion     : 10.0 (14393)
OperationMasterRoles       : {SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster...}
Partitions                 : {DC=ForestDnsZones,DC=corp,DC=local, DC=DomainDnsZones,DC=corp,DC=local, CN=Schema,CN=Configuration,DC=corp,DC=local, CN=Configuration,DC=corp,DC=local...}
ServerObjectDN             : CN=W16DCORP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=local
ServerObjectGuid           : a06c3f4c-1312-4b3d-b765-cf07ee5e28c0
Site                       : Default-First-Site-Name
SslPort                    : 636
```

### Get Domain Controllers for another Domain

```
Get-ADDomainController -DomainName domainname.local -Discover
```

### Get a List of Users in the Current Domain

```
Get-ADUser -Filter * -Properties *
```

Output:

```
AccountExpirationDate                :
accountExpires                       : 9223372036854775807
AccountLockoutTime                   :
AccountNotDelegated                  : False
adminCount                           : 1
AllowReversiblePasswordEncryption    : False
AuthenticationPolicy                 : {}
AuthenticationPolicySilo             : {}
BadLogonCount                        : 0
badPasswordTime                      : 0
badPwdCount                          : 0
CannotChangePassword                 : False
CanonicalName                        : corp.local/Users/Administrator
Certificates                         : {}
City                                 :
CN                                   : Administrator
codePage                             : 0
Company                              :
CompoundIdentitySupported            : {}
Country                              :
countryCode                          : 0
Created                              : 1/13/2021 11:59:36 AM
createTimeStamp                      : 1/13/2021 11:59:36 AM
Deleted                              :
Department                           :
Description                          : Built-in account for administering the computer/domain
DisplayName                          :
DistinguishedName                    : CN=Administrator,CN=Users,DC=corp,DC=local
Division                             :
DoesNotRequirePreAuth                : False
dSCorePropagationData                : {1/13/2021 12:15:32 PM, 1/13/2021 12:15:32 PM, 1/13/2021 12:00:22 PM, 1/1/1601 7:12:16 PM}
EmailAddress                         :
EmployeeID                           :
EmployeeNumber                       :
Enabled                              : True
Fax                                  :
GivenName                            :
HomeDirectory                        :
HomedirRequired                      : False
HomeDrive                            :
HomePage                             :
HomePhone                            :
Initials                             :
instanceType                         : 4
isCriticalSystemObject               : True
isDeleted                            :
KerberosEncryptionType               : {}
LastBadPasswordAttempt               :
LastKnownParent                      :
lastLogoff                           : 0
lastLogon                            : 132550992491978231
LastLogonDate                        : 1/13/2021 11:32:04 AM
lastLogonTimestamp                   : 132550075248868120
LockedOut                            : False
logonCount                           : 18
LogonWorkstations                    :
Manager                              :
MemberOf                             : {CN=Group Policy Creator Owners,CN=Users,DC=corp,DC=local, CN=Domain Admins,CN=Users,DC=corp,DC
MNSLogonAccount                      : False
MobilePhone                          :
Modified                             : 1/13/2021 12:15:32 PM
modifyTimeStamp                      : 1/13/2021 12:15:32 PM
msDS-User-Account-Control-Computed   : 0
Name                                 : Administrator
nTSecurityDescriptor                 : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory                       : CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=local
ObjectClass                          : user
ObjectGUID                           : 9481d3d7-a62f-4845-8b88-5df6c8beae40
objectSid                            : S-1-5-21-3597801137-3445022117-3132179924-500
Office                               :
OfficePhone                          :
Organization                         :
OtherName                            :
PasswordExpired                      : False
PasswordLastSet                      : 1/13/2021 6:42:04 PM
PasswordNeverExpires                 : True
PasswordNotRequired                  : False
POBox                                :
PostalCode                           :
PrimaryGroup                         : CN=Domain Users,CN=Users,DC=corp,DC=local
primaryGroupID                       : 513
PrincipalsAllowedToDelegateToAccount : {}
ProfilePath                          :
ProtectedFromAccidentalDeletion      : False
pwdLastSet                           : 132550333241274896
SamAccountName                       : Administrator
sAMAccountType                       : 805306368
ScriptPath                           :
sDRightsEffective                    : 15
ServicePrincipalNames                : {}
SID                                  : S-1-5-21-3597801137-3445022117-3132179924-500
SIDHistory                           : {}
SmartcardLogonRequired               : False
State                                :
StreetAddress                        :
Surname                              :
Title                                :
TrustedForDelegation                 : False
TrustedToAuthForDelegation           : False
UseDESKeyOnly                        : False
userAccountControl                   : 66048
userCertificate                      : {}
UserPrincipalName                    :
uSNChanged                           : 12770
uSNCreated                           : 8196
whenChanged                          : 1/13/2021 12:15:32 PM
whenCreated                          : 1/13/2021 11:59:36 AM
```
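PowerView renders `useraccountcontrol` as flag names while Get-ADUser returns the raw integer (66048 above). As an added example, not from either tool, the code below expands the bitmask and reports accounts carrying flags that weaken authentication; the flag values are the documented ADS_USER_FLAG constants, the user list is constructed, and the set of "risky" flags is this example's assumption.

```powershell
# Subset of userAccountControl bit values (ADS_USER_FLAG_ENUM); the rest are omitted for brevity.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x0002
    PASSWD_NOTREQD                 = 0x0020
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    NORMAL_ACCOUNT                 = 0x0200
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    DONT_EXPIRE_PASSWORD           = 0x10000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

# Flags that weaken an account's authentication posture and deserve review (example's choice).
$RiskyFlags = 'PASSWD_NOTREQD','ENCRYPTED_TEXT_PWD_ALLOWED','DONT_EXPIRE_PASSWORD',
              'TRUSTED_FOR_DELEGATION','USE_DES_KEY_ONLY','DONT_REQ_PREAUTH'

function ConvertFrom-UserAccountControl {
    # Expand the integer into the set flag names, e.g. 66048 -> NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } | ForEach-Object { $_.Key }
}

function Get-RiskyUacAccounts {
    # Emit one row per account that carries at least one risky flag.
    param([Parameter(Mandatory)][object[]]$Users)
    foreach ($User in $Users) {
        $Set   = @(ConvertFrom-UserAccountControl -Value $User.userAccountControl)
        $Risky = @($Set | Where-Object { $RiskyFlags -contains $_ })
        if ($Risky.Count -gt 0) {
            [pscustomobject]@{ SamAccountName = $User.SamAccountName; RiskyFlags = $Risky -join ','; AllFlags = $Set -join ',' }
        }
    }
}

# CONSTRUCTED sample standing in for Get-ADUser output: the first row is the
# Administrator object shown above (66048), the other two accounts are made up.
$SampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'Administrator'; userAccountControl = 66048 }
    [pscustomobject]@{ SamAccountName = 'svc_backup';    userAccountControl = 0x200 -bor 0x400000 }   # pre-auth not required
    [pscustomobject]@{ SamAccountName = 'jdoe';          userAccountControl = 0x200 }                 # nothing to flag
)
Get-RiskyUacAccounts -Users $SampleUsers | Format-Table -AutoSize
```

Against a live domain, feed it `Get-ADUser -Filter * -Properties userAccountControl` instead of `$SampleUsers`.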

### Get all Properties of a single User in the Current Domain

```
Get-ADUser -Identity Administrator -Properties *
```

Output:

```
DistinguishedName : CN=Administrator,CN=Users,DC=corp,DC=local
Enabled           : True
GivenName         :
Name              : Administrator
ObjectClass       : user
ObjectGUID        : 9481d3d7-a62f-4845-8b88-5df6c8beae40
SamAccountName    : Administrator
SID               : S-1-5-21-3597801137-3445022117-3132179924-500
Surname           :
UserPrincipalName :

[...]
```
