# Domain Recon

The following are tools and scripts that can be used to collect information about the domain.

## Basic Domain Info

```powershell
# Using PowerView
Get-NetDomain
```

## List of Computers

```powershell
# Using PowerView
Get-NetComputer
```

## List of Domain Users

```powershell
net user /domain
```

## Domain User Attributes and Details

```powershell
net user <username> /domain

# Using PowerView; the output can be piped to select and filtered by attribute name (e.g. cn)
Get-NetUser
```

## Check User Admin Access

```powershell
# Using PowerView
Find-LocalAdminAccess
```

## List of Domain Groups

```powershell
net group /domain
```

## Domain Group Privileges

```powershell
# Using PowerView
Get-NetGroup
```

## Domain Users to Domain Group Mapping

```powershell
net group "<group name>" /domain

# Using PowerView
Get-NetGroup "<group_Name>" | select member
```

## List of Logged-in Domain Users

```powershell
# Using PowerView
Get-NetSession -ComputerName xyz -Verbose

# Using PsLoggedon
.\PsLoggedon.exe \\hostname
```

The above commands can be used to find the users logged in on a remote machine, but for various reasons either command could fail.

PsLoggedon is an executable made available by Microsoft to list the users logged on to a remote system.

## List of SPNs in Domain

```powershell
# Using PowerView
Get-NetUser -SPN | select samaccountname,serviceprincipalname

# Using setspn
setspn -L <user>
```

Setspn is an executable made available by Microsoft to list the SPNs present in a domain.

## Get Object ACL

```powershell
# Using PowerView
Get-ObjectAcl -Identity <obj name>

# Filtering down to Active Directory rights with the GenericAll permission
Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights
```

## List Domain Shares

```powershell
# Using PowerView
Find-DomainShare
```

## Cached AD Credentials

Credentials of users are usually cached and can be retrieved using the mimikatz executable.

```powershell
.\mimikatz.exe
```

```
# Within mimikatz
privilege::debug
sekurlsa::logonpasswords

# We can list the cached tickets using the following command
sekurlsa::tickets
```
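As an added, defender-side example that is not part of the original page: the sekurlsa::logonpasswords command above reads LSASS memory, which Sysmon records as Event ID 10 (ProcessAccess) on lsass.exe. The script below parses constructed Sysmon-style records and flags lsass.exe reads by processes outside an assumed allowlist; the field names follow Sysmon, while the flat key=value layout, the sample records and the allowlist are assumptions.

```python
"""Flag Sysmon Event ID 10 (ProcessAccess) records that look like an LSASS credential read."""
import re
PROCESS_VM_READ = 0x0010  # access-mask bit needed to read another process's memory

# Processes that legitimately open LSASS on a typical host. This allowlist is
# an assumption for the example; tune it to what your environment baselines.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed sample records (not real captured logs) in a flat key=value
# layout using Sysmon's field names, one event per line.
SAMPLE_EVENTS = r"""
EventID=10 SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000
EventID=10 SourceImage=C:\Users\bob\Downloads\m.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010
EventID=10 SourceImage=C:\Program Files\Vendor Agent\agent.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000
EventID=10 SourceImage=C:\Windows\System32\csrss.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1fffff
EventID=10 SourceImage=C:\Users\bob\tool.exe TargetImage=C:\Windows\System32\notepad.exe GrantedAccess=0x1fffff
EventID=1 Image=C:\Windows\System32\cmd.exe
"""

# key=value pairs; a value runs until the next " key=" so paths with spaces survive
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

def parse_event(line):
    """Return one record's fields as a dict of strings."""
    return dict(FIELD_RE.findall(line))

def is_lsass_read(event):
    """True when a non-allowlisted process opened lsass.exe with VM_READ."""
    if event.get("EventID") != "10":
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return False
    granted = int(event.get("GrantedAccess", "0"), 16)
    return bool(granted & PROCESS_VM_READ)

def find_lsass_reads(log_text):
    """Return the SourceImage of every suspicious LSASS access in the log."""
    events = (parse_event(line) for line in log_text.splitlines() if line.strip())
    return [e["SourceImage"] for e in events if is_lsass_read(e)]

if __name__ == "__main__":
    for source in find_lsass_reads(SAMPLE_EVENTS):
        print("suspicious LSASS read by", source)
```

Only the unknown binary with a read-capable access mask is reported; allowlisted system processes and query-only handles (0x1000) are not.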