Active Directory

Enumeration

There are numerous tools available for enumerating Active Directory environments. For the OSCP, I recommend picking one or two tools, getting familiar with those tools in the lab environment, and sticking with that tool through the exam. After you earned the OSCP you can explore additional tools and expand your Active Directory knowledge. For my OSCP journey my AD enumeration tool of choice was PowerView.ps1.

Bloodhound

pip install bloodhound
bloodhound-python -u user -p pass -d domain -c All

PowerView

To use PowerView we first need to modify the powershell execution policy to enable script execution.

Set-ExecutionPolicy -ExecutionPolicy (RemoteSigned) or (Bypass)

Next, dot source the script.

. .\script.ps1 (be sure to include the space between ellipses)

Basic enumeration (Powerview.ps1)

Get-Domain
Get-DomainPolicy
(Get-DomainPolicy).KerberosPolicy
Get-DomainController
Get-DomainUser -Identity student1
Get-NetUser -SPN (Kerberoastable users)
Get-NetUser -PreauthNotRequired (AS-REP Roastable users)
Get-DomainGroup
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get-DomainComputer
Get-DomainComputer | select Name
Get-NetComputer -Unconstrained (unconstrained delegation **need to verify**)
Get-DomainUser
Get-DomainUser | select samaccountname
Get-DomainUser -SPN | select serviceprincipalname
Get-NetLoggedon -ComputerName name (requires local admin rights)
Get-DomainGPO
Get-DomainOU | select name

User hunting

Find-LocalAdminAccess -Verbose : Finds all machines on the domain where the current user has local admin access
Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity : Find computers where a domain admin (or specified user/group) has sessions

PreviousFinger (Solaris)NextPublic exploits

Last updated 2 years ago

hashtagEnumeration

hashtagBloodhound

hashtagPowerView

hashtagBasic enumeration (Powerview.ps1)

hashtagUser hunting

Enumeration

Bloodhound

PowerView

Basic enumeration (Powerview.ps1)

User hunting