In this section we will experiment with a few tools for enumerating Active Directory from a Windows attack host, such as SharpHound/BloodHound, PowerView/SharpView, Grouper2, Snaffler, and some built-in tools useful for AD enumeration, starting with the ActiveDirectory PowerShell module.
https://learn.microsoft.com/en-us/powershell/module/activedirectory/?view=windowsserver2022-ps
Before we can use the module, we have to make sure it is imported. The Get-Module cmdlet, part of the Microsoft.PowerShell.Core module, lists the modules loaded in the current session (add -ListAvailable to list every module installed on the host, with its version and exported commands). This is a quick way to spot whether anything like Git or custom administrator scripts is present on the box. If ActiveDirectory is not loaded, run Import-Module ActiveDirectory to load it for use.
```powershell
# Discover loaded modules (add -ListAvailable to see every installed module)
Get-Module
# Load the AD module, then confirm it now appears in the list
Import-Module ActiveDirectory
Get-Module
# Get domain info
Get-ADDomain
# Get-ADUser: filter for accounts with the ServicePrincipalName property populated (Kerberoasting candidates)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName
# Check for trust relationships
Get-ADTrust -Filter *
# Group enumeration
Get-ADGroup -Filter * | select name
# Detailed group info
Get-ADGroup -Identity "Backup Operators"
# Group membership
Get-ADGroupMember -Identity "Backup Operators"
```
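The one-liners above can be combined into a single pass that pulls the data an operator actually wants from the ActiveDirectory module. The script below is an added example, not part of the original page or of the module's documentation. It assumes a domain-joined host with RSAT installed and a domain user context; the domain name is read from Get-ADDomain rather than hard-coded, and the list of privileged groups is an assumption you should extend for the target environment.

```powershell
# Added example: enumerate Kerberoasting candidates, trusts and privileged group
# membership with the ActiveDirectory module. Assumes RSAT and a domain-joined host.

# Fail early if the module is not installed (Get-Module alone only shows loaded modules)
if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    throw "ActiveDirectory module not found; install RSAT or run from a host that has it."
}
Import-Module ActiveDirectory

$domain = Get-ADDomain
Write-Host "[*] Domain: $($domain.DNSRoot) (NetBIOS $($domain.NetBIOSName))"

# 1. Kerberoasting candidates: enabled users with at least one SPN, excluding krbtgt.
#    AdminCount=1 marks accounts that are (or were) in protected groups, so those
#    are the highest-value tickets to request first.
$spnUsers = Get-ADUser -Filter { ServicePrincipalName -like "*" -and Enabled -eq $true } `
    -Properties ServicePrincipalName, AdminCount, PasswordLastSet |
    Where-Object { $_.SamAccountName -ne 'krbtgt' }

Write-Host "[*] $(@($spnUsers).Count) enabled user accounts with SPNs"
$spnUsers |
    Select-Object SamAccountName, AdminCount, PasswordLastSet,
        @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join '; ' } } |
    Format-Table -AutoSize

# 2. Trusts: direction, transitivity and SID filtering decide which way an
#    attack path can cross a trust boundary.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, IntraForest, SIDFilteringQuarantined |
    Format-Table -AutoSize

# 3. Privileged groups: -Recursive flattens nested membership so users hidden
#    behind intermediate groups are listed too. Enterprise Admins only exists in
#    the forest root, hence the silent error handling. (Group list is an assumption.)
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Backup Operators', 'Account Operators') {
    $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue)
    Write-Host "[*] $group ($($members.Count) effective members)"
    $members |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { "    $($_.SamAccountName)" }
}
```

Run it from a normal domain user context; none of the queries require elevated rights, which is exactly why this information is worth collecting early in an assessment.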
PowerView is a tool written in PowerShell to help us gain situational awareness within an AD environment.
Much like BloodHound, it provides a way to identify where users are logged in on a network, enumerate domain information such as users, computers, groups, ACLs, trusts, hunt for file shares and passwords, perform Kerberoasting, and more. It is a highly versatile tool that can give us great insight into the security posture of our client's domain. It requires more manual work than BloodHound to determine misconfigurations and relationships within the domain but, when used right, can help us identify subtle misconfigurations.
Let's look at some of PowerView's capabilities and the data each returns. The table below describes some of the most useful functions PowerView offers.
| Command | Description |
|---|---|
| Export-PowerViewCSV | Append results to a CSV file |
| ConvertTo-SID | Convert a user or group name to its SID value |
| Get-DomainSPNTicket | Requests the Kerberos ticket for a specified Service Principal Name (SPN) account |
| **Domain/LDAP Functions:** | |
| Get-Domain | Will return the AD object for the current (or specified) domain |
| Get-DomainController | Return a list of the Domain Controllers for the specified domain |
| Get-DomainUser | Will return all users or specific user objects in AD |
| Get-DomainComputer | Will return all computers or specific computer objects in AD |
| Get-DomainGroup | Will return all groups or specific group objects in AD |
| Get-DomainOU | Search for all or specific OU objects in AD |
| Find-InterestingDomainAcl | Finds object ACLs in the domain with modification rights set to non-built-in objects |
| Get-DomainGroupMember | Will return the members of a specific domain group |
| Get-DomainFileServer | Returns a list of servers likely functioning as file servers |
| Get-DomainDFSShare | Returns a list of all distributed file systems for the current (or specified) domain |
| **GPO Functions:** | |
| Get-DomainGPO | Will return all GPOs or specific GPO objects in AD |
| Get-DomainPolicy | Returns the default domain policy or the domain controller policy for the current domain |
| **Computer Enumeration Functions:** | |
| Get-NetLocalGroup | Enumerates local groups on the local or a remote machine |
| Get-NetLocalGroupMember | Enumerates members of a specific local group |
| Get-NetShare | Returns open shares on the local (or a remote) machine |
| Get-NetSession | Will return session information for the local (or a remote) machine |
| Test-AdminAccess | Tests if the current user has administrative access to the local (or a remote) machine |
| **Threaded 'Meta'-Functions:** | |
| Find-DomainUserLocation | Finds machines where specific users are logged in |
| Find-DomainShare | Finds reachable shares on domain machines |
| Find-InterestingDomainShareFile | Searches for files matching specific criteria on readable shares in the domain |
| Find-LocalAdminAccess | Find machines on the local domain where the current user has local administrator access |
| **Domain Trust Functions:** | |
| Get-DomainTrust | Returns domain trusts for the current domain or a specified domain |
| Get-ForestTrust | Returns all forest trusts for the current forest or a specified forest |
| Get-DomainForeignUser | Enumerates users who are in groups outside of the user's domain |
| Get-DomainForeignGroupMember | Enumerates groups with users outside of the group's domain and returns each foreign member |
| Get-DomainTrustMapping | Will enumerate all trusts for the current domain and any others seen |
https://powersploit.readthedocs.io/en/latest/Recon/Get-DomainUser/
```powershell
# Domain user info
Get-DomainUser -Identity mmorgan -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol
# Recursive group membership
# The -Recurse switch tells PowerView that if it finds any groups that are members of the target group (nested group membership), it should list the members of those groups as well.
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
# Trust enumeration
Get-DomainTrustMapping
# Testing for local admin access
Test-AdminAccess -ComputerName ACADEMY-EA-MS01
# Finding users with an SPN set for a Kerberoasting attack
Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName
```
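The functions in the table are most useful when chained: the group query tells us who matters, the session hunt tells us where they are, and the access check tells us which of those hosts we can already reach. The script below is an added example, not code from the page or from the PowerView project. It assumes PowerView.ps1 has already been dot-sourced into the session (. .\PowerView.ps1), that the host is domain-joined, and that the current user is a plain domain account; the output path is an assumption.

```powershell
# Added example: chain PowerView functions from "who is a Domain Admin" to
# "which of their sessions can I reach", then record what we can abuse via ACLs.
# Assumes PowerView.ps1 is dot-sourced and the host is domain-joined.

$outFile = "$env:TEMP\da_hunt.csv"   # assumed output location

# 1. Effective Domain Admins with nested groups flattened; keep user objects only
$das = Get-DomainGroupMember -Identity 'Domain Admins' -Recurse |
    Where-Object { $_.MemberObjectClass -eq 'user' }
$daNames = @($das | Select-Object -ExpandProperty MemberName -Unique)
Write-Host "[*] $($daNames.Count) Domain Admin user accounts: $($daNames -join ', ')"

# 2. Hosts where those accounts currently have sessions. -CheckAccess tests
#    local admin on every host found, so each result already says whether the
#    session is reachable from our current context.
$locations = @(Find-DomainUserLocation -UserIdentity $daNames -CheckAccess)
$reachable = @($locations | Where-Object { $_.LocalAdmin })

Write-Host "[*] $($locations.Count) DA sessions seen, $($reachable.Count) on hosts we administer"
$reachable |
    Select-Object UserName, ComputerName, IPAddress, SessionFromName |
    Format-Table -AutoSize

# 3. ACL abuse candidates: interesting ACEs whose trustee is our user or one of
#    the groups we belong to (Get-DomainGroup -MemberIdentity resolves nesting).
$myGroups = @(Get-DomainGroup -MemberIdentity $env:USERNAME |
    Select-Object -ExpandProperty samaccountname)
$principals = @($env:USERNAME) + $myGroups
$acls = @(Find-InterestingDomainAcl -ResolveGUIDs |
    Where-Object { $principals -contains $_.IdentityReferenceName })

Write-Host "[*] $($acls.Count) interesting ACEs held by us or our groups"
$acls |
    Select-Object ObjectDN, ActiveDirectoryRights, ObjectAceType, IdentityReferenceName |
    Format-Table -AutoSize

# 4. Persist both result sets for the report; Export-PowerViewCSV appends,
#    so repeated runs accumulate in the same file.
$reachable | Export-PowerViewCSV -Path $outFile
$acls      | Export-PowerViewCSV -Path $outFile
```

Find-DomainUserLocation defaults to hunting Domain Admins when no -UserIdentity is given, so step 1 is mainly there to make the target list explicit and reusable; swapping in another group (for example the owners of a sensitive share) is a one-line change.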
https://github.com/BC-SECURITY/Empire/blob/main/empire/server/data/module_source/situational_awareness/network/powerview.ps1
The Empire project ships a newer version of PowerView that supports the PowerView commands above along with additional ones.
SharpView is a .NET port of PowerView. Many of the same functions supported by PowerView can be used with SharpView. We can type a method name with -Help to get its argument list.
```powershell
# Getting help for a method
.\SharpView.exe Get-DomainUser -Help
# Querying a specific user
.\SharpView.exe Get-DomainUser -Identity forend
```