Some notes from a security course on AD
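#####Domain Enumeration#####
#Author: Joseph Langford
#Source: Active Directory Attack and Defense - PentesterAcademy.com
#Defense note: the AD module (Get-AD*) queries a DC over ADWS (TCP 9389); PowerView queries LDAP (389/636/3268).
#Bulk "-Filter * -Properties *" pulls of every user/computer/group are not normal user behaviour and are a good thing to baseline and alert on at the DC.
#.Net "Get Domain"
$ADClass = [System.DirectoryServices.ActiveDirectory.Domain]
$ADClass::GetCurrentDomain()
#Powerview GitHub Location THIS IS A PENTESTING TOOLKIT. DOWNLOADING IN SECURE ENVIRONMENTS CAN TRIGGER WINDOWS DEFENDER
"https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1"
#Active Directory PowerShell Module (To use without installation of RSAT in Windows)
#If signed into DC, this isn't needed. AD Module will already be installed.
"https://github.com/samratashok/ADModule"
#To Import
#git clone into C:/
#cd C:/ADModule-master/
Import-Module .\Microsoft.ActiveDirectory.Management.dll
Import-Module .\ActiveDirectory\ActiveDirectory.psd1
#Get Current Domain
Get-ADDomain
#For another Domain
Get-ADDomain -Identity example.local
#Get Domain SID for current Domain
(Get-ADDomain).DomainSID
##Only in Powerview##
#-------------------#
#Get Domain Default Policies
Get-DomainPolicy
#For more verbose information about specific policies
#Displays default password policies
(Get-DomainPolicy)."system access"
#Displays Kerberos Policies
(Get-DomainPolicy)."Kerberos Policy"
##Back to AD Module##
#-------------------#
#Displays Domain Controller information (full parameter name is -DomainName; -Domain only works because PowerShell prefix-matches it)
Get-ADDomainController -DomainName example.local -Discover
#Get All AD Users
Get-ADUser -Filter * -Properties *
#Get Specific AD User
Get-ADUser -Identity exampleuser -Properties *
#Get a list of all AD Properties for Users
Get-ADUser -Filter * -Properties * | Select -First 1 | Get-Member -MemberType *Property | Select Name
#Get Information about possible decoy accounts, filters for Name, Last time a new password was set, and how many bad pwds they've had since
Get-ADUser -Filter * -Properties * | Select Name, PasswordLastSet, badPwdCount, Description
# Lists all AD Computer objects and filters CN, OS, IPv4, and Last Login
# COMPUTER OBJECTS IN ACTIVE DIRECTORY DO NOT NEED TO BE PHYSICAL MACHINES, CAN BE CREATED IN AD WITHOUT ASSOCIATED COMPUTER
Get-ADComputer -Filter * -Properties * | Select Name, OperatingSystem, iPv4Address, LastLogonDate
#Test for Computers that are online on the network
#This is an ICMP sweep of every computer object in the domain - loud on the wire, and every unreachable host raises a (non-terminating) error in the output
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
#Notes about the percent operator in Powershell
"https://stackoverflow.com/questions/22846596/what-does-percent-do-in-powershell"
#Get All Groups in the current domain
#Enterprise level admin groups will only show if you search the forest root
Get-ADGroup -Filter * | Select Name
#or
Get-ADGroup -Filter * -Properties *
#admin search
Get-ADGroup -Filter 'Name -like "*admin*"' | Select Name
#For another domain TRUSTED DOMAINS ONLY ex. Parent/Child Domains
#Get-ADGroup has no -Domain parameter (that is PowerView's Get-NetGroup -Domain); the AD module takes -Server and always needs -Filter or -Identity
Get-ADGroup -Filter * -Server example.local
#Specific Group information
Get-ADGroup -Identity Users -Properties *
#Get Members of a specific AD Group
Get-ADGroupMember -Identity "Example Group" -Recursive
#Recursive expands nested groups, so members of any group that is itself a member are listed too (without it you only get the direct members)
#Get Group memberships of a specific User
Get-ADPrincipalGroupMembership -Identity ExampleUser
#Filter for just group names
Get-ADPrincipalGroupMembership -Identity ExampleUser | Select name
#Get OUs in a domain
Get-ADOrganizationalUnit -Filter * -Properties *
#NEEDS LOCAL ADMIN RIGHTS ON THE TARGET MACHINE#
#Powerview Only#
#Get actively logged on users on a machine
Get-NetLoggedOn -ComputerName ExampleServer
Get-LoggedonLocal -ComputerName exampleserver-dc.exampledomain.exampleforest.local
Get-LastLoggedOn -ComputerName ExampleServer
#Powerview Only#
#Find shares on hosts in current domain
#Defense: share/file finding connects to every host over SMB; with File Share auditing enabled each host typically logs Event ID 5140 (IPC$), so one workstation fanning out to many hosts is the tell
Invoke-ShareFinder -Verbose #Includes -ExcludeStandard -ExcludePrint and -ExcludeIPC options
#Find sensitive files on computers in the domain
Invoke-FileFinder -Verbose
#Get all fileservers of the domain
Get-NetFileServer #Looks for 'high value targets' or highly logged into servers such as file servers
#Get list of GPO in current Domain
Get-NetGPO #Includes -GPOname that can be used after finding the GPO of an OU using Get-NetOU
Get-NetGPO -ComputerName examplecomputer.exampledomain.exampleforest.local
#Get GPO(s) which use restricted groups or groups.xml for interesting users
Get-NetGPOGroup
#Get OUs in a domain
Get-NetOU
#Access Control Model (ACLs)
#Enables control on the ability of a process to access objects and other resources in active directory based on:
#Access Tokens
#Security Descriptors (SID of the owner, Discretionary ACL (DACL) and System ACL (SACL))
#ACEs (Access Control Entries) make up ACLs (Access Control Lists)
#DACLs define the permissions trustees (users or groups) have on an object
#SACLs log success and failure audit messages when an object is accessed (this is what produces Event ID 4662 on the DC - the audit trail for the enumeration above)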