List users, computers, domain, and enterprise admins
In this section, we will enumerate the following for the dollarcorp domain: users, computers, domain administrators, and enterprise administrators.
PowerView
We'll start by using PowerShell to run InviShell:
I manually open the C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat file and run the following commands to start enumeration:
If we want quick information about our domain, we can input the following:
To go even deeper in our enumeration, we can use the Select-Object cmdlet (it's good to know that there is an alias for this cmdlet, which is simply select) ->
There could be users whose passwords never expire, or users with passwords in the description field ->
We can start to look for users that could seem more interesting to us or start looking for the member computers in the domain:
To continue the enumeration, we could be interested in the domain groups and users that are part of certain groups ->
This would obviously be for the Domain Admins group, but with our previous Get-DomainUser enumeration we can choose any of the groups.
If we directly want to enumerate the users inside a group (and we're in the root domain), we can use the following command:
If we're not in the root domain, we need to query the root domain, as the Enterprise Admins group is present only in the root of a forest.
If we want to get the password policy for password spraying:
When doing a stealthy red team engagement, we need to look at the logonCount: a user with a single-digit logonCount is a non-active user, and interacting with it will be detected.
Same for computers:
ADModule
We can start by enumerating all the users in the current domain using ADModule:
Same for the computers ->
We can print out specific properties of computers but we can also dump everything:
To enumerate the Domain Administrators using ADModule, we can query like this:
As above, if we need to query a group that is not in our domain, we need to query the root domain:
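Returning to the never-expiring passwords, description-field passwords and logonCount points above: a defender can audit the same attributes to clean them up. This is an added example, not part of the original page; the function name Get-UserHygieneFinding, the keyword pattern, the threshold and the sample records are assumptions constructed for illustration.

```powershell
# Added example: flag user records that expose the weaknesses described above.
# Input objects use the property names Get-ADUser returns when called with
# -Properties Description,PasswordNeverExpires,logonCount.
function Get-UserHygieneFinding {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User,
        # Assumed threshold: "single digit" logonCount, as in the text.
        [int]$LowLogonThreshold = 10
    )
    begin {
        # Heuristic (an assumption): words that often accompany a stored password.
        $hint = '\b(pass(word|wd)?|pwd)\b'
    }
    process {
        $findings = @()
        if ($User.PasswordNeverExpires) { $findings += 'PasswordNeverExpires' }
        if ($User.Description -and $User.Description -match $hint) {
            $findings += 'PasswordHintInDescription'
        }
        # A missing logonCount is treated as 0 (never logged on).
        if ([int]$User.logonCount -lt $LowLogonThreshold) {
            $findings += 'LowLogonCount'
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                Findings       = $findings -join ','
            }
        }
    }
}

# Constructed sample records (not real accounts) so the block runs offline.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-backup'; Description = 'Backup svc, password: see vault'; PasswordNeverExpires = $true;  logonCount = 812 }
    [pscustomobject]@{ SamAccountName = 'jdoe';       Description = 'Finance analyst';                 PasswordNeverExpires = $false; logonCount = 340 }
    [pscustomobject]@{ SamAccountName = 'decoyadmin'; Description = 'Domain administrator';            PasswordNeverExpires = $false; logonCount = 2 }
)
$sample | Get-UserHygieneFinding | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter * -Properties Description,PasswordNeverExpires,logonCount |
#     Get-UserHygieneFinding
```

Accounts flagged PasswordHintInDescription should have the description cleared and the password rotated; a decoy account flagged LowLogonCount stands out for exactly the reason the text gives.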