Manual Enumeration
net.exe
Drawbacks
– net does not show nested groups
– net only shows up to 10 groups even if a user is in more
Local System
net user
– Enumerate system local users
net user user.name
– Get information about a specific local user
net localgroup
– Enumerate system local groups
net localgroup group_name
– Enumerate users of a local group
net accounts
– Get the account security policy for the local system
Domain
net user /domain
– Run on a domain-joined host to enumerate domain users
net user user.name /domain
– Run on a domain-joined host to get information about a specific domain user
net group /domain
– Run on a domain-joined host to enumerate domain groups
net group groupName /domain
– Run on a domain-joined host to get group members of a domain group
net accounts /domain
– Run on a domain-joined host to show the domain password and account lockout policy
PowerShell
Local System
Get-LocalUser
– Enumerate local users
Get-LocalUser <username> | Select-Object *
– Get all information about a local user
Get-LocalGroup
– Enumerate local groups
Get-LocalGroupMember <group_name> | Select-Object *
– Enumerate members of a local group
Domain
Active Directory Module
No RSAT? No Problem.
On a domain-joined host, but don't have local admin? On a Windows box with access to the domain controller?
Check out my other note on importing the PowerShell Active Directory module as a DLL: https://notes.benheater.com/books/active-directory/page/powershell-ad-module-on-any-domain-host-as-any-user
Get-ADUser -Filter *
– return all domain users
Get-ADUser -Filter 'Name -like "*stevens"'
– find any user whose name ends in ...stevens
Get-ADUser -Identity john.doe -Properties *
– find the user john.doe and return all properties
Get-ADGroup -Filter *
– return all domain groups
Get-ADGroup -Identity Administrators | Get-ADGroupMember
– Pipe the Administrators group object to Get-ADGroupMember to retrieve members of the group
Get-ADObject -Filter "whenChanged -ge $(Get-Date '2022/02/28')" -IncludeDeletedObjects
– Find any AD objects that have been modified after Feb. 28, 2022 (system time zone)
Get-ADDomain
– get information about the domain from the domain controller
.NET Reflection
Must be run on a domain-joined host
Users
# Can enumerate specific users by changing the search filter
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dc = $dom.PdcRoleOwner.Name # PDC emulator hostname, e.g. dc01.corp.com
$distinguishedNameString = 'DC=' + ($dom.Name -replace '\.', ',DC=') # domain DNS name -> DN, e.g. DC=corp,DC=com
$searchString = "LDAP://$dc/$distinguishedNameString"
# The cast needs parentheses: in argument position PowerShell would otherwise pass the literal text "[ADSI]LDAP://..."
$domainSearcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]$searchString)
$domain = New-Object System.DirectoryServices.DirectoryEntry # default naming context of the current domain
$domainSearcher.SearchRoot = $domain
$domainSearcher.PageSize = 1000 # page the results; without this FindAll() stops at the DC's 1000-object limit
$domainSearcher.Filter = '(samAccountType=805306368)' # All users filter
$domainUsers = $domainSearcher.FindAll() # Search the domain using the filter
$domainUsers
Users (one-liner)
# Can enumerate specific users by changing the search filter
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain(); $dc = $dom.PdcRoleOwner.Name; $distinguishedNameString = 'DC=' + ($dom.Name -replace '\.', ',DC='); $searchString = "LDAP://$dc/$distinguishedNameString"; $domainSearcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]$searchString); $domain = New-Object System.DirectoryServices.DirectoryEntry; $domainSearcher.SearchRoot = $domain; $domainSearcher.PageSize = 1000; $domainSearcher.Filter = '(samAccountType=805306368)'; $domainUsers = $domainSearcher.FindAll(); $domainUsers
Groups
# Can enumerate nested groups by changing the search filter
# And querying members property of the returned object
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dc = $dom.PdcRoleOwner.Name # PDC emulator hostname, e.g. dc01.corp.com
$distinguishedNameString = 'DC=' + ($dom.Name -replace '\.', ',DC=') # domain DNS name -> DN, e.g. DC=corp,DC=com
$searchString = "LDAP://$dc/$distinguishedNameString"
# The cast needs parentheses: in argument position PowerShell would otherwise pass the literal text "[ADSI]LDAP://..."
$domainSearcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]$searchString)
$domain = New-Object System.DirectoryServices.DirectoryEntry # default naming context of the current domain
$domainSearcher.SearchRoot = $domain
$domainSearcher.PageSize = 1000 # page the results; without this FindAll() stops at the DC's 1000-object limit
$domainSearcher.Filter = '(objectClass=Group)' # Any object of type group
$domainGroups = $domainSearcher.FindAll() # Search the domain using the filter
$domainGroups
Groups (one-liner)
# Can enumerate nested groups by changing the search filter
# And querying members property of the returned object
$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain(); $dc = $dom.PdcRoleOwner.Name; $distinguishedNameString = 'DC=' + ($dom.Name -replace '\.', ',DC='); $searchString = "LDAP://$dc/$distinguishedNameString"; $domainSearcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]$searchString); $domain = New-Object System.DirectoryServices.DirectoryEntry; $domainSearcher.SearchRoot = $domain; $domainSearcher.PageSize = 1000; $domainSearcher.Filter = '(objectClass=Group)'; $domainGroups = $domainSearcher.FindAll(); $domainGroups
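Worked example added here (not from the original notes) that applies the same DirectorySearcher technique to the gap called out under the net.exe drawbacks: it audits the effective membership of one domain group, nested groups expanded, so you can compare it with what net group /domain shows. It assumes a domain-joined host; the function names and the group name 'Domain Admins' are placeholders of my own.

```powershell
# Added example (not from the original notes): list the effective membership of one domain
# group, including members that only arrive through nested groups. Assumes a domain-joined
# host; 'Domain Admins' below is a placeholder, not a value taken from the notes.
function ConvertTo-LdapFilterValue {
    # Escape the characters that are special inside an LDAP filter (RFC 4515); backslash first
    param([string]$Value)
    return ($Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a')
}

function Get-EffectiveGroupMembers {
    param([Parameter(Mandatory)][string]$GroupName)

    # Same bootstrap as the notes above: bind to the PDC emulator's default naming context
    $dom  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $dc   = $dom.PdcRoleOwner.Name
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$dc")

    # Step 1: resolve the group's distinguishedName from its sAMAccountName
    $groupSearcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $groupSearcher.Filter = "(&(objectClass=group)(sAMAccountName=$(ConvertTo-LdapFilterValue $GroupName)))"
    [void]$groupSearcher.PropertiesToLoad.Add('distinguishedName')
    $group = $groupSearcher.FindOne()
    if (-not $group) { throw "Group '$GroupName' not found in $($dom.Name)" }
    $groupDn = $group.Properties['distinguishedname'][0]

    # Step 2: the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941) makes the DC
    # walk the memberOf chain server-side, so nesting is expanded in a single query
    $memberSearcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $memberSearcher.Filter   = "(memberOf:1.2.840.113556.1.4.1941:=$(ConvertTo-LdapFilterValue $groupDn))"
    $memberSearcher.PageSize = 1000   # page results so large groups are not cut off at 1000 objects
    foreach ($p in 'sAMAccountName', 'objectClass', 'distinguishedName') {
        [void]$memberSearcher.PropertiesToLoad.Add($p)
    }

    foreach ($result in $memberSearcher.FindAll()) {
        $classes = $result.Properties['objectclass']   # e.g. top, person, organizationalPerson, user
        $type    = if ($classes -contains 'group') { 'group' } else { $classes[$classes.Count - 1] }
        [pscustomobject]@{
            SamAccountName    = $result.Properties['samaccountname'][0]
            ObjectType        = $type
            DistinguishedName = $result.Properties['distinguishedname'][0]
        }
    }
}

# Compare this output with net group "Domain Admins" /domain: anything listed here but not
# there is reachable only through nesting, which net cannot show
Get-EffectiveGroupMembers -GroupName 'Domain Admins' | Format-Table -AutoSize
```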