Manual Enumeration

net.exe

Drawbacks

  • net does not expand nested groups; a group that is itself a member of another group is listed by name only
  • net user output lists at most 10 group memberships, even if the user belongs to more

Local System

  • net user – Enumerate system local users
  • net user user.name – Get information about a specific local user
  • net localgroup – Enumerate system local groups
  • net localgroup group_name – Enumerate the members of a local group
  • net accounts – Get the account security policy for the local system

Domain

  • net user /domain – Run on a domain-joined host to enumerate domain users
  • net user user.name /domain – Run on a domain-joined host to get information about a specific domain user
  • net group /domain – Run on a domain-joined host to enumerate domain groups
  • net group groupName /domain – Run on a domain-joined host to get group members of a domain group
  • net accounts /domain – Run on a domain-joined host to show the domain password and account lockout policy



PowerShell

Local System

  • Get-LocalUser – Enumerate local users
  • Get-LocalUser <username> | Select-Object * – Get all information about a local user
  • Get-LocalGroup – Enumerate local groups
  • Get-LocalGroupMember <group_name> | Select-Object * – Enumerate members of a local group

Domain

Active Directory Module

No RSAT? No Problem.

On a domain-joined host but without local admin rights? On a Windows box that can reach a domain controller?
Check out my other note on importing the PowerShell Active Directory module as a DLL: https://notes.benheater.com/books/active-directory/page/powershell-ad-module-on-any-domain-host-as-any-user

  • Get-ADUser -Filter * – return all domain users
  • Get-ADUser -Filter 'Name -like "*stevens"' – find any user where name ends in ...stevens
  • Get-ADUser -Identity john.doe -Properties * – find the user john.doe and return all properties
  • Get-ADGroup -Filter * – return all domain groups
  • Get-ADGroup -Identity Administrators | Get-ADGroupMember
    • Pipe the Administrators group object to Get-ADGroupMember to retrieve members of the group
  • $date = Get-Date '2022/02/28'; Get-ADObject -Filter 'whenChanged -ge $date' -IncludeDeletedObjects
    • Find any AD objects (including deleted ones) modified since Feb. 28, 2022 (system time zone); the date is held in a variable because the AD filter parser resolves variables inside the single-quoted filter but does not accept an unquoted date string
  • Get-ADDomain – get information about the domain from the domain controller

.NET Reflection

Must be run on a domain-joined host

Users

# Can enumerate specific users by changing the search filter

$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dc = $dom.PdcRoleOwner.Name # FQDN of the PDC emulator, used as the LDAP server
$distinguishedNameString = 'DC=' + ($dom.Name -replace '\.', ',DC=') # e.g. corp.local -> DC=corp,DC=local
$searchString = "LDAP://$dc/$distinguishedNameString"
$domainSearcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]$searchString) # Parentheses make [ADSI] a cast; otherwise it is passed as literal text
$domainSearcher.Filter = '(samAccountType=805306368)' # All users filter
$domainUsers = $domainSearcher.FindAll() # Search the domain using the filter
$domainUsers

Users (one-liner)

# Can enumerate specific users by changing the search filter

$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain(); $dc = $dom.PdcRoleOwner.Name; $distinguishedNameString = 'DC=' + ($dom.Name -replace '\.', ',DC='); $searchString = "LDAP://$dc/$distinguishedNameString"; $domainSearcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]$searchString); $domainSearcher.Filter = '(samAccountType=805306368)'; $domainUsers = $domainSearcher.FindAll(); $domainUsers

Groups

# Can enumerate nested groups by changing the search filter
# and querying the member property of each returned group object

$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dc = $dom.PdcRoleOwner.Name # FQDN of the PDC emulator, used as the LDAP server
$distinguishedNameString = 'DC=' + ($dom.Name -replace '\.', ',DC=') # e.g. corp.local -> DC=corp,DC=local
$searchString = "LDAP://$dc/$distinguishedNameString"
$domainSearcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]$searchString) # Parentheses make [ADSI] a cast; otherwise it is passed as literal text
$domainSearcher.Filter = '(objectClass=group)' # Any object of type group
$domainGroups = $domainSearcher.FindAll() # Search the domain using the filter
$domainGroups

Groups (one-liner)

# Can enumerate nested groups by changing the search filter
# and querying the member property of each returned group object

$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain(); $dc = $dom.PdcRoleOwner.Name; $distinguishedNameString = 'DC=' + ($dom.Name -replace '\.', ',DC='); $searchString = "LDAP://$dc/$distinguishedNameString"; $domainSearcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]$searchString); $domainSearcher.Filter = '(objectClass=group)'; $domainGroups = $domainSearcher.FindAll(); $domainGroups
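As an added example (not from the original note), the function below builds on the DirectorySearcher pattern above to walk a domain group's member property recursively, which closes the nested-group gap listed under Drawbacks for net.exe. It assumes a domain-joined host without RSAT; 'Domain Admins' is a placeholder for whichever group's effective membership you are auditing.

```powershell
# Added example: expand a domain group's membership through nested groups
# using System.DirectoryServices only (no RSAT). Assumes a domain-joined host.

function New-DomainSearcher {
    # Bind to the PDC emulator and root the search at the domain's default naming context
    $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $dc  = $dom.PdcRoleOwner.Name
    $dn  = 'DC=' + ($dom.Name -replace '\.', ',DC=')
    New-Object System.DirectoryServices.DirectorySearcher -ArgumentList ([ADSI]"LDAP://$dc/$dn")
}

function Get-NestedGroupMember {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [hashtable]$Seen = @{},   # DNs already expanded; guards against circular nesting
        [int]$Depth = 0
    )
    $searcher = New-DomainSearcher
    # LDAP filter for exactly this group; sAMAccountName is the name net group prints
    $searcher.Filter = "(&(objectClass=group)(sAMAccountName=$GroupName))"
    [void]$searcher.PropertiesToLoad.Add('member')
    $group = $searcher.FindOne()
    if (-not $group) { Write-Warning "Group '$GroupName' not found"; return }

    foreach ($memberDn in $group.Properties['member']) {
        if ($Seen.ContainsKey($memberDn)) { continue }
        $Seen[$memberDn] = $true
        $entry   = [ADSI]"LDAP://$memberDn"          # serverless bind to the member object
        $isGroup = $entry.SchemaClassName -eq 'group'
        [pscustomobject]@{
            Depth             = $Depth
            Type              = $entry.SchemaClassName  # user, computer, group, ...
            Name              = [string]$entry.sAMAccountName
            DistinguishedName = $memberDn
        }
        if ($isGroup) {
            # Recurse one level deeper; this is the step net group /domain does not perform
            Get-NestedGroupMember -GroupName ([string]$entry.sAMAccountName) -Seen $Seen -Depth ($Depth + 1)
        }
    }
}

# 'Domain Admins' is a placeholder; audit any group whose effective membership should be small and known
Get-NestedGroupMember -GroupName 'Domain Admins' | Format-Table Depth, Type, Name -AutoSize
```

Groups with more than 1500 members return the member attribute in ranges, and this simple version reads only the first range; primary-group membership (primaryGroupID) is also not stored in member and is not shown.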