# Active Directory

### Enumeration

There are numerous tools available for enumerating Active Directory environments. For the OSCP, I recommend picking one or two tools, getting familiar with them in the lab environment, and sticking with them through the exam. After you have earned the OSCP you can explore additional tools and expand your Active Directory knowledge. For my OSCP journey my AD enumeration tool of choice was PowerView.ps1.

#### Bloodhound

```
# install the Python collector, then collect all data for the domain
pip install bloodhound
bloodhound-python -u user -p pass -d domain -c All
```

#### PowerView

To use PowerView we first need to change the PowerShell execution policy so that scripts are allowed to run. Either RemoteSigned or Bypass works:

```
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
# or
Set-ExecutionPolicy -ExecutionPolicy Bypass
```

Next, dot-source the script so its functions are loaded into the current session (be sure to include the space between the leading dot and the path):

```
. .\PowerView.ps1
```

#### Basic enumeration (PowerView.ps1)

```
Get-Domain
Get-DomainPolicy
(Get-DomainPolicy).KerberosPolicy
Get-DomainController
Get-DomainUser -Identity student1
Get-NetUser -SPN                     # Kerberoastable users
Get-NetUser -PreauthNotRequired      # AS-REP Roastable users
Get-DomainGroup
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get-DomainComputer
Get-DomainComputer | select Name
Get-NetComputer -Unconstrained       # unconstrained delegation (need to verify)
Get-DomainUser
Get-DomainUser | select samaccountname
Get-DomainUser -SPN | select serviceprincipalname
Get-NetLoggedon -ComputerName name   # requires local admin rights
Get-DomainGPO
Get-DomainOU | select name
```
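The checks above can be bundled into one audit function that returns the risky objects together with counts, which makes the output easier to review and to hand over as findings. This is an added example, not from the original notes; it assumes PowerView 3.0 has already been dot-sourced in the session and uses its `Get-Domain*` function names.

```powershell
# Added example (not part of the original notes). Assumes PowerView.ps1
# (3.0 function names) is dot-sourced in the current session.
function Get-DomainRiskSummary {
    [CmdletBinding()]
    param(
        # Group whose effective (nested) membership is reviewed.
        [string]$PrivilegedGroup = 'Domain Admins'
    )

    # Accounts with an SPN: any domain user can request a TGS for them, so a
    # weak password here is a Kerberoasting exposure. Mitigation: long random
    # passwords or group Managed Service Accounts.
    $spnUsers = Get-DomainUser -SPN |
        Select-Object samaccountname, serviceprincipalname, pwdlastset

    # Accounts with DONT_REQ_PREAUTH (userAccountControl bit 0x400000):
    # an AS-REP can be obtained without a password (AS-REP roasting).
    # Mitigation: clear the flag unless a legacy client truly needs it.
    $noPreauth = Get-DomainUser -PreauthNotRequired |
        Select-Object samaccountname, useraccountcontrol

    # Computers with TRUSTED_FOR_DELEGATION (0x80000): unconstrained
    # delegation caches the TGT of every principal that authenticates to
    # the host. Mitigation: constrained or resource-based delegation.
    $unconstrained = Get-DomainComputer -Unconstrained |
        Select-Object dnshostname, useraccountcontrol

    # Effective membership of the privileged group, nested groups included.
    $admins = Get-DomainGroupMember -Identity $PrivilegedGroup -Recurse |
        Select-Object MemberName, MemberObjectClass

    [PSCustomObject]@{
        KerberoastableUsers    = $spnUsers
        AsRepRoastableUsers    = $noPreauth
        UnconstrainedComputers = $unconstrained
        PrivilegedGroupMembers = $admins
        KerberoastableCount    = @($spnUsers).Count
        AsRepRoastableCount    = @($noPreauth).Count
        UnconstrainedCount     = @($unconstrained).Count
        PrivilegedMemberCount  = @($admins).Count
    }
}

# Usage: run once and inspect, e.g. $summary = Get-DomainRiskSummary; $summary | Format-List
```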

#### User hunting

```
Find-LocalAdminAccess -Verbose                  # finds all machines on the domain where the current user has local admin access
Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity      # finds computers where a domain admin (or the specified user/group) has sessions
```
