# Domain Recon

The following are tools and scripts that can be used to collect information about the domain.

## Basic Domain Info

```
#Using Powerview
Get-NetDomain
```

## List of Computers

```
#Using Powerview
Get-NetComputer
```

## List of Domain Users

```
net user /domain
```

## Domain User Attributes and Details

```
net user <username> /domain

#Using Powerview and the output can be filtered using pipe & name (e.g. cn)
Get-NetUser
```

## Check User Admin Access

```
#Using Powerview
Find-LocalAdminAccess
```

## List of Domain Groups

```
net group /domain
```

## Domain Group Privileges

```
#Using Powerview
Get-NetGroup
```

## Domain Users to Domain Group Mapping

```
net group "<group name>" /domain

#Using Powerview
Get-NetGroup "<group_Name>" | select member
```

## List of Logged in Domain Users

```
#Using Powerview
Get-NetSession -ComputerName xyz -Verbose

#Using PsLoggedon
.\PsLoggedon.exe \\hostname
```

The above commands can be used to find the users logged on to a remote machine, but for various reasons both commands could fail.

[PsLoggedon](https://learn.microsoft.com/en-us/sysinternals/downloads/psloggedon) is an executable made available by Microsoft to list the logged-on users on a remote system.
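From the defender's side, both `Get-NetSession` and PsLoggedon reach the target through the `srvsvc` named pipe over `IPC$`, so a host with "Audit Detailed File Share" enabled records each call as Security event 5145. The following script is an added example (not from the original page) that pulls those events from the local Security log and groups them by source address and caller, which surfaces session enumeration sweeps. It assumes the audit policy is enabled, that the event's XML data fields are named `ShareName`, `RelativeTargetName`, `IpAddress`, `SubjectDomainName` and `SubjectUserName` as in the 5145 template, and the `$Threshold` and `$Hours` values are constructed:

```powershell
# Added example (not part of the original page): find hosts that enumerated
# sessions on this machine via NetSessionEnum (what Get-NetSession and
# PsLoggedon use). Requires "Audit Detailed File Share" (event 5145).
$Hours     = 24   # constructed look-back window
$Threshold = 3    # constructed: report source/caller pairs seen at least this often

$filter = @{
    LogName   = 'Security'
    Id        = 5145
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # NetSessionEnum shows up as access to the srvsvc pipe on the IPC$ share.
    if ($d['ShareName'] -like '*\IPC$' -and $d['RelativeTargetName'] -eq 'srvsvc') {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Source  = $d['IpAddress']
            Account = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        }
    }
}

# Repeated srvsvc queries from one source under one account in a short window
# is the footprint enumeration tools leave on every host they touch.
$hits | Group-Object Source, Account |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    Select-Object @{n='Source';  e={ $_.Group[0].Source }},
                  @{n='Account'; e={ $_.Group[0].Account }},
                  Count,
                  @{n='First';   e={ ($_.Group | Sort-Object Time)[0].Time }},
                  @{n='Last';    e={ ($_.Group | Sort-Object Time)[-1].Time }}
```

Event 5145 is high-volume on file servers, so in practice the same filter is pushed to a SIEM and correlated across hosts: one source hitting `srvsvc` on many machines in a few minutes is the stronger signal than repeats on a single host.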

## List of SPNs in Domain

```
#Using Powerview
Get-NetUser -SPN | select samaccountname,serviceprincipalname

#Using setspn
setspn -L <user>
```

[Setspn](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731241\(v=ws.11\)) is an executable made available by Microsoft to manage SPNs in a domain; `-L` lists the SPNs registered to the given account.
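Any authenticated domain user can request a service ticket for an SPN-bearing account, so the accounts listed above are the ones whose password strength and ticket encryption matter most. The following script is an added example (not from the original page) that audits them with the RSAT `ActiveDirectory` module instead of PowerView: it flags accounts that still accept RC4 or DES tickets, accounts with old passwords, and accounts that are also privileged (`adminCount=1`). It assumes RSAT is installed and the caller can read user objects; the 90-day cutoff is a constructed policy value, and the `msDS-SupportedEncryptionTypes` bit values used are the documented ones (DES 0x1/0x2, RC4 0x4, AES128 0x8, AES256 0x10):

```powershell
# Added example (not part of the original page): Kerberoasting exposure audit
# for accounts that carry an SPN, using the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 90   # constructed policy value

# msDS-SupportedEncryptionTypes flag bits (documented values)
$DES_RC4 = 0x07            # DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC
$AES     = 0x18            # AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96

$spnUsers = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
    -Properties servicePrincipalName, msDS-SupportedEncryptionTypes, PasswordLastSet, adminCount

$report = foreach ($u in $spnUsers) {
    # Absent/0 means the DC uses its default, which can still issue RC4 tickets.
    $enc = 0
    if ($u.'msDS-SupportedEncryptionTypes') { $enc = [int]$u.'msDS-SupportedEncryptionTypes' }
    $aesOnly = ($enc -band $AES) -ne 0 -and ($enc -band $DES_RC4) -eq 0

    $ageDays = if ($u.PasswordLastSet) { ((Get-Date) - $u.PasswordLastSet).Days } else { $null }
    $privileged = ($u.adminCount -eq 1)

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Enabled        = $u.Enabled
        SPNCount       = @($u.servicePrincipalName).Count
        PasswordAge    = $ageDays
        AESOnly        = $aesOnly
        Privileged     = $privileged
        Findings       = @(
            if (-not $aesOnly) { 'rc4-or-des-capable' }
            if ($null -eq $ageDays -or $ageDays -gt $MaxPasswordAgeDays) { 'stale-password' }
            if ($privileged) { 'privileged-spn-account' }
        ) -join ','
    }
}

$report | Sort-Object Privileged, PasswordAge -Descending | Format-Table -AutoSize
```

Accounts that show up with `privileged-spn-account` and `stale-password` together are the first to fix: move the service to a group managed service account where possible, otherwise set a long random password and restrict the account to AES so offline cracking of an RC4 ticket is no longer an option.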

## Get Object ACL

```
#Using Powerview
Get-ObjectAcl -Identity <obj name>

#Filtering down to Active Directory Rights with GenericAll permission
Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights
```
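The same DACL review can be done without PowerView. The script below is an added example (not from the original page) that reads an object's ACL through the `AD:` PSDrive the RSAT `ActiveDirectory` module provides, keeps only the Allow ACEs that grant a control right (`GenericAll`, `WriteDacl`, `WriteOwner`, `GenericWrite`), and marks any grantee that is not one of the principals normally expected to hold them. It assumes RSAT is installed and the `AD:` drive is mounted (the module does this on import); the object name and the expected-principal list are constructed and should be adjusted to the environment:

```powershell
# Added example (not part of the original page): audit an AD object's DACL for
# control rights held by unexpected principals, using Get-Acl on the AD: drive.
Import-Module ActiveDirectory

$ObjectName = 'Management Department'   # constructed: group or user to audit

# Rights that on their own let the holder rewrite the object or its DACL/owner.
$ControlRights = 'GenericAll', 'WriteDacl', 'WriteOwner', 'GenericWrite'

# Principals expected to hold control rights on most objects; anything else
# is a review item. Adjust for the domain being audited.
$ExpectedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    "$env:USERDOMAIN\Domain Admins",
    "$env:USERDOMAIN\Enterprise Admins",
    'BUILTIN\Administrators'
)

$obj = Get-ADObject -LDAPFilter "(|(sAMAccountName=$ObjectName)(cn=$ObjectName))"
if (-not $obj) { throw "Object '$ObjectName' not found" }

$acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
Write-Host "Owner of $($obj.Name): $($acl.Owner)"

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }

    # ActiveDirectoryRights is a flags enum; its string form is comma separated.
    $rights  = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
    $matched = $rights | Where-Object { $_ -in $ControlRights }
    if (-not $matched) { continue }

    $who = $ace.IdentityReference.Value
    [pscustomobject]@{
        Object     = $obj.Name
        Principal  = $who
        Rights     = ($matched -join ',')
        Inherited  = $ace.IsInherited
        Unexpected = ($who -notin $ExpectedPrincipals)
    }
}

$findings | Sort-Object Unexpected -Descending | Format-Table -AutoSize
```

This is deliberately coarse: it ignores `WriteProperty` ACEs scoped to a single attribute (the `ObjectType` GUID on the ACE), which can be just as dangerous for specific attributes such as group membership, and it does not expand group nesting of the grantee. Treat its output as the starting list for a manual review rather than a verdict.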

## List Domain Shares

```
#Using Powerview
Find-DomainShare
```

## Cached AD Credentials

Credentials of users are usually cached and can be retrieved using the mimikatz executable.

```
.\mimikatz.exe

#Within mimikatz
privilege::debug
sekurlsa::logonpasswords

#List the cached Kerberos tickets
sekurlsa::tickets
```
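What `sekurlsa::logonpasswords` can recover depends on a handful of host settings, so the defender's counterpart to the commands above is a check of those settings. The following script is an added example (not from the original page) that reports whether LSA protection (`RunAsPPL`) is on, whether WDigest plaintext caching has been re-enabled, how many domain logons are cached for offline use, and whether Credential Guard is running. It assumes it is run elevated on the host being checked, that `Win32_DeviceGuard` exists (Windows 10 / Server 2016 and later), and that the registry value names are the documented ones; the `CachedLogonsCount` warning threshold of 4 is a constructed value:

```powershell
# Added example (not part of the original page): check the host settings that
# decide how much of what mimikatz reads from LSASS is actually there to read.
function Get-CredentialExposure {
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $wdigest  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # RunAsPPL = 1 runs LSASS as a protected process; unsigned code cannot open
    # it with the access needed to read its memory (privilege::debug is not enough).
    $runAsPpl = (Get-ItemProperty -Path $lsa -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    # UseLogonCredential = 1 re-enables WDigest plaintext password caching,
    # which is off by default on Windows 8.1 / Server 2012 R2 and later.
    $wd = (Get-ItemProperty -Path $wdigest -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential

    # Number of domain logons whose verifiers are cached for offline logon (REG_SZ, default 10).
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount

    # Credential Guard isolates the secrets LSASS would otherwise hold;
    # SecurityServicesRunning contains 1 when it is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $credGuard = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))

    [pscustomobject]@{
        LsaProtection     = ($runAsPpl -eq 1)
        WDigestPlaintext  = ($wd -eq 1)
        CachedLogonsCount = if ($null -eq $cached) { 10 } else { [int]$cached }
        CredentialGuard   = $credGuard
    }
}

$state = Get-CredentialExposure
$state | Format-List

$issues = @(
    if (-not $state.LsaProtection)      { 'LSA protection (RunAsPPL) is off' }
    if ($state.WDigestPlaintext)        { 'WDigest plaintext caching is enabled' }
    if (-not $state.CredentialGuard)    { 'Credential Guard is not running' }
    if ($state.CachedLogonsCount -gt 4) { "CachedLogonsCount is $($state.CachedLogonsCount)" }  # 4 is a constructed threshold
)
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { 'No credential-caching findings' }
```

None of these settings stops an administrator from reading Kerberos tickets or NT hashes that a running process legitimately holds, but together they remove plaintext passwords from LSASS and raise the bar from "local admin" to "kernel or signed code", which is what makes a `sekurlsa::logonpasswords` run on a hardened host come back mostly empty.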
