Intro
PowerView has long been the de-facto tool for domain enumeration. It it part of the PowerSploit project:
Domain Enumeration
Import PowerView
Copy Import-Module .\PowerView.ps1 Or:
Get current domain
Get object of another domain
Copy Get-NetDomain -Domain moneycorp.local Get domain SID for the current domain
Get the domain password policy
Copy Get-DomainPolicy
(Get-DomainPolicy)."System Access"
net accounts Users Groups and Computers Enumeration
Get Information of domain controller
Copy Get-NetDomainController
Get-NetDomainController | select-object Name Get information of users in the domain
Copy Get-NetUser
Get-NetUser -Username <username> Get list of all users
Copy Get-NetUser | select samaccountname Get list of usernames, last logon and password last set
Copy Get-NetUser | select samaccountname, lastlogon, pwdlastset
Get-NetUser | select samaccountname, lastlogon, pwdlastset | Sort-Object -Property lastlogon Get list of usernames and their groups
Copy Get-NetUser | select samaccountname, memberof Get list of all properties for users in the current domain
Copy get-userproperty -Properties pwdlastset Get descripton field from the user
Copy Find-UserField -SearchField Description -SearchTerm "built"
Get-netuser | Select-Object samaccountname,description
Copy Get-NetComputer
Get-NetComputer -FullData
Get-NetComputer -Computername <computername> -FullData Get computers with operating system "Server 2016"
Copy Get-NetComputer -OperatingSystem "*Server 2016*" Get list of all computer names and operating systems
Copy Get-NetComputer -fulldata | select samaccountname, operatingsystem, operatingsystemversion List all groups of the domain
Copy Get-NetGroup
Get-NetGroup -GroupName *admin*
Get-NetGroup -Domain <domain> Get all the members of the group
Copy Get-NetGroupMember -Groupname "Domain Admins" -Recurse
Get-NetGroupMember -Groupname "Domain Admins" -Recurse | select MemberName Get the group membership of a user
Copy Get-NetGroup -Username <username> List all the local groups on a machine (needs admin privs on non dc machines)
Copy Get-NetlocalGroup -Computername <computername> -ListGroups Get Member of all the local groups on a machine (needs admin privs on non dc machines)
Copy Get-NetlocalGroup -Computername <computername> -Recurse Get actively logged users on a computer (needs local admin privs)
Copy Get-NetLoggedon -Computername <computername> Get locally logged users on a computer (needs remote registry rights on the target)
Copy Get-LoggedonLocal -Computername <computername> Get the last logged users on a computer (needs admin rights and remote registary on the target)
Copy Get-LastLoggedOn -ComputerName <computername> Shares Enumeration
Find shared on hosts in the current domain
Copy Invoke-ShareFinder -Verbose
Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC Find sensitive files on computers in the domain
Copy Invoke-FileFinder -Verbose Get all fileservers of the domain
GPO Enumeration
Get list of GPO's in the current domain
Copy Get-NetGPO
Get-NetGPO -Computername <computername> Get GPO's which uses restricteds groups or groups.xml for interesting users
Get users which are in a local group of a machine using GPO
Copy Find-GPOComputerAdmin -Computername <computername> Get machines where the given user is member of a specific group
Copy Find-GPOLocation -Username student244 -Verbose Get OU's in a domain
Get machines that are part of an OU
Copy Get-NetOU StudentMachines | %{Get-NetComputer -ADSPath $_} Get GPO applied on an OU
Copy Get-NetGPO -GPOname "{<gplink>}" ACL Enumeration
Get the ACL's associated with the specified object
Copy Get-ObjectACL -SamAccountName <accountname> -ResolveGUIDS Get the ACL's associated with the specified prefix to be used for search
Copy Get-ObjectACL -ADSprefix βCN=Administrator,CN=Usersβ -Verbose Get the ACL's associated with the specified path
Copy Get-PathAcl -Path \\<Domain controller>\sysvol Search for interesting ACL's
Copy Invoke-ACLScanner -ResolveGUIDs
Invoke-ACLScanner -ResolveGUIDs | select IdentityReference, ObjectDN, ActiveDirectoryRights | fl Search of interesting ACL's for the current user
Copy Invoke-ACLScanner | Where-Object {$_.IdentityReference βeq [System.Security.Principal.WindowsIdentity]::GetCurrent().Name} Domain Trust Enumeration
Get a list of all the domain trusts for the current domain
Get details about the forest
Get all domains in the forest
Copy Get-NetForestDomain
Get-NetforestDomain -Forest <domain name> Get global catalogs for the current forest
Copy Get-NetForestCatalog
Get-NetForestCatalog -Forest <domain name> Map trusts of a forest
Copy Get-NetForestTrust
Get-NetForestTrust -Forest <domain name>
Get-NetForestDomain -Verbose | Get-NetDomainTrust User Hunting
Find all machines on the current domain where the current user has local admin access
Copy Find-LocalAdminAccess -Verbose Find local admins on all machines of the domain (needs administrator privs on non-dc machines)
Copy Invoke-EnumerateLocalAdmin -Verbose Find Computers where a domain admin (or specified user/group) has session
Copy Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers" To confirm admin access:
Copy Invoke-UserHunter -CheckAccess Find computers where a domain admin is logged-in
Copy Invoke-UserHunter -Stealth This option queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of high traffic servers (DC, File Servers and Distributed File servers) for less traffic generation and list sessions and logged on users (Get-NetSesssion / Get-NetLoggedon) from each machine.
Defense
Most of the enumeration mixes really well with the normal traffic to the DC. Hardening can be done on the DC (or other machines) to contain the information provided by the queried machine. Let's have a look at defending against one of the most lethal enumeration techiques: user hunting.
Netcease is a script which changes permissions on the NetSEssionEnum method by removing permission for Authenticated Users group. This fails many of the attacker's session enumeration and hence user hunting capabilities:
Another interesting script from the same author is SAMRi10 which hardens Windows 10 and Server 2016 against enumeration which uses SAMR protocol (like net.exe).
