Manual Enumeration

Linux

LdapSearch

ldapsearch -x -H ldap://DC01.ad.lab -D 'john.doe@ad.lab' -W -b 'DC=ad,DC=lab' '(objectClass=user)' > ldap_users.txt

List users

ldapsearch -x -H ldap://DC01.ad.lab -D 'john.doe@ad.lab' -W -b 'DC=ad,DC=lab' '(objectClass=group)' > ldap_groups.txt

List groups

while read group ; do echo -e "${group}\n" ; ldapsearch -x -H ldap://DC01.ad.lab -b 'DC=ad,DC=lab' "(sAMAccountName=${group})" | grep 'member: ' ; echo '' ; done < <(grep sAMAccountName ldap_groups.txt | cut -d ':' -f 2)

Read input list of groups and retrieve members of each one

ldapsearch -x -H 'ldap://DC01.ad.lab' -D 'john.doe@ad.lab' -W \
-b 'CN=Deleted Objects,DC=ad,DC=lab' -s sub \
-E '1.2.840.113556.1.4.417' '(objectClass=*)'

Retrieve deleted objects


Windows

net.exe

Drawbacks

  • net does not show nested groups
  • net only shows up to 10 groups even if a user is in more

Local System

  • net user – Enumerate system local users
  • net user user.name – Get information about a specific local user
  • net localgroup – Enumerate system local groups
  • net localgroup group_name – Enumerate users of a local group
  • net accounts – Get the account security policy for the local system

Domain

  • net user /domain – Run on a domain-joined host to enumerate domain users
  • net user user.name /domain – Run on a domain-joined host to get information about a specific domain user
  • net group /domain – Run on a domain-joined host to enumerate domain groups
  • net group groupName /domain – Run on a domain-joined host to get group members of a domain group
  • net accounts /domain – Run on a domain-joined host to show the domain password and account lockout policy



PowerShell

Local System

  • Get-LocalUser – Enumerate local users
  • Get-LocalUser <username> | Select-Object * – Get all information about a local user
  • Get-LocalGroup – Enumerate local groups
  • Get-LocalGroupMember <group_name> | Select-Object * – Enumerate members of a local group

Domain

Active Directory Module

No RSAT? No Problem.

On a domain-joined host, but don't have local admin? On a Windows box with access to the domain controller?
Check out my other note on importing the PowerShell Active Directory module as a DLL: https://notes.benheater.com/books/active-directory/page/powershell-ad-module-on-any-domain-host-as-any-user

  • Get-ADUser -Filter * – return all domain users
  • Get-ADUser -Filter 'Name -like "*stevens"' – find any user where name ends in ...stevens
  • Get-ADUser -Identity john.doe -Properties * – find the user john.doe and return all properties
  • Get-ADGroup -Filter * – return all domain groups
  • Get-ADGroup -Identity Administrators | Get-ADGroupMember
    • Pipe the Administrators group object to Get-ADGroupMember to retrieve members of the group
  • Get-ADObject -Filter "whenChanged -ge $(Get-Date '2022/02/28')" -IncludeDeletedObjects
    • Find any AD objects that have been modified after Feb. 28, 2022 (system time zone)
  • Get-ADDomain – get information about the domain from the domain controller

.NET Reflection

Must be run on a domain-joined host

Users

# Can enumerate specific users by changing the search filter

$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dc = $dom.PdcRoleOwner.Name # FQDN of the PDC emulator, e.g. DC01.ad.lab
$distinguishedNameString = 'DC=' + ($dom.Name -replace '\.', ',DC=') # ad.lab -> DC=ad,DC=lab (the domain name, not the DC hostname)
$searchString = "LDAP://$dc/$distinguishedNameString"
$domain = New-Object System.DirectoryServices.DirectoryEntry($searchString) # Bind to the domain root on the PDC
$domainSearcher = New-Object System.DirectoryServices.DirectorySearcher($domain) # Search root is the bound DirectoryEntry
$domainSearcher.Filter = '(samAccountType=805306368)' # All users filter
$domainUsers = $domainSearcher.FindAll() # Search the domain using the filter
$domainUsers

Users (one-liner)

# Can enumerate specific users by changing the search filter

$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain(); $dc = $dom.PdcRoleOwner.Name; $distinguishedNameString = 'DC=' + ($dom.Name -replace '\.', ',DC='); $searchString = "LDAP://$dc/$distinguishedNameString"; $domain = New-Object System.DirectoryServices.DirectoryEntry($searchString); $domainSearcher = New-Object System.DirectoryServices.DirectorySearcher($domain); $domainSearcher.Filter = '(samAccountType=805306368)'; $domainUsers = $domainSearcher.FindAll(); $domainUsers

Groups

# Can enumerate nested groups by changing the search filter
# And querying members property of the returned object

$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dc = $dom.PdcRoleOwner.Name # FQDN of the PDC emulator, e.g. DC01.ad.lab
$distinguishedNameString = 'DC=' + ($dom.Name -replace '\.', ',DC=') # ad.lab -> DC=ad,DC=lab (the domain name, not the DC hostname)
$searchString = "LDAP://$dc/$distinguishedNameString"
$domain = New-Object System.DirectoryServices.DirectoryEntry($searchString) # Bind to the domain root on the PDC
$domainSearcher = New-Object System.DirectoryServices.DirectorySearcher($domain) # Search root is the bound DirectoryEntry
$domainSearcher.Filter = '(objectClass=group)' # Any object of type group
$domainGroups = $domainSearcher.FindAll() # Search the domain using the filter
$domainGroups

Groups (one-liner)

# Can enumerate nested groups by changing the search filter
# And querying members property of the returned object

$dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain(); $dc = $dom.PdcRoleOwner.Name; $distinguishedNameString = 'DC=' + ($dom.Name -replace '\.', ',DC='); $searchString = "LDAP://$dc/$distinguishedNameString"; $domain = New-Object System.DirectoryServices.DirectoryEntry($searchString); $domainSearcher = New-Object System.DirectoryServices.DirectorySearcher($domain); $domainSearcher.Filter = '(objectClass=group)'; $domainGroups = $domainSearcher.FindAll(); $domainGroups
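The net.exe drawback above (no nested groups) and the Groups comment about walking the member property describe the same gap; this added example, which is not from the original note, fills it with a DirectorySearcher query that uses the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) so the DC expands nested membership server-side in one query. It assumes a domain-joined host, and the function name and the 'Domain Admins' group used in the final call are placeholders for auditing whichever privileged group is of interest.

```powershell
# Added example (not from the original note): effective (nested) membership
# of one domain group via System.DirectoryServices. Assumes a domain-joined host.
function Get-NestedGroupMember {
    param(
        [Parameter(Mandatory)][string]$GroupName
    )
    $dom  = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $dn   = 'DC=' + ($dom.Name -replace '\.', ',DC=')          # ad.lab -> DC=ad,DC=lab
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dom.PdcRoleOwner.Name)/$dn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)

    # Step 1: resolve the group's distinguishedName from its sAMAccountName
    $searcher.Filter = "(&(objectClass=group)(sAMAccountName=$GroupName))"
    $group = $searcher.FindOne()
    if (-not $group) { throw "Group '$GroupName' not found in $($dom.Name)" }
    $groupDn = $group.Properties['distinguishedname'][0]

    # Escape characters that are special inside an LDAP filter (RFC 4515);
    # the backslash must be handled first so the other escapes are not doubled.
    $escapedDn = $groupDn -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'

    # Step 2: LDAP_MATCHING_RULE_IN_CHAIN walks the memberOf chain on the DC,
    # so users and computers in nested groups come back in one result set.
    $searcher.Filter   = "(memberOf:1.2.840.113556.1.4.1941:=$escapedDn)"
    $searcher.PageSize = 1000                                 # paged search: not capped at 1000 entries
    $searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'objectClass', 'distinguishedName'))

    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName    = $r.Properties['samaccountname'][0]
            # objectClass lists the class hierarchy; the last entry is the most specific (user, group, computer)
            Type              = ($r.Properties['objectclass'] | Select-Object -Last 1)
            DistinguishedName = $r.Properties['distinguishedname'][0]
        }
    }
}

# Placeholder group: compare the result with 'net group "Domain Admins" /domain',
# which lists only direct members.
Get-NestedGroupMember -GroupName 'Domain Admins' | Format-Table -AutoSize
```

Objects that reach the group only through nested groups appear here but not in the net.exe output, which is the discrepancy to look for when auditing privileged group membership.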