Domain Recon

The following are tools and commands for enumerating an Active Directory domain from a domain-joined Windows host. PowerView commands assume PowerView.ps1 (from PowerSploit) has been imported into the current PowerShell session.

Basic Domain Info

#Using Powerview
Get-NetDomain

List of Computers

#Using Powerview
Get-NetComputer

List of Domain Users

net user /domain

Domain User Attributes and Details

net user <username> /domain

#Using Powerview; pipe the output to select and name the attributes to keep (e.g. cn, samaccountname, description)
Get-NetUser

Machines Where the Current User Has Local Admin Access

#Using Powerview
Find-LocalAdminAccess

List of Domain Groups

net group /domain

Domain Groups with Attributes

#Using Powerview
Get-NetGroup

Domain Users to Domain Group Mapping

net group "<group name>" /domain

#Using Powerview
Get-NetGroup "<group_Name>" | select member

List of Logged in Domain Users

#Using Powerview
Get-NetSession -ComputerName <hostname> -Verbose

#Using PsLoggedon
.\PsLoggedon.exe \\<hostname>

Both commands enumerate users on a remote machine, and both can fail. Get-NetSession calls NetSessionEnum, which returns SMB sessions to the target (the user and the host the session comes from), not interactive logons, and since Windows 10 1709 and Server 2019 the call is denied to non-administrators by default. PsLoggedon is a Sysinternals tool from Microsoft that lists interactively logged-on users by reading HKEY_USERS over the Remote Registry API, so it needs the Remote Registry service running on the target and usually administrative rights there; against hardened hosts it commonly fails as well.
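Because either method can return nothing without an obvious error, a sweep over the domain should try both and record which one worked. The block below is an added example, not code from the original page or from PowerView: it assumes PowerView is already imported and uses the property names of the current PowerView (UserName, CName, dnshostname); older builds prefix them (sesi10_, wkui1_). It uses NetSessionEnum first and falls back to NetWkstaUserEnum (PowerView's Get-NetLoggedon, which lists interactive logons but needs local admin on the target). The target user names in the usage line are assumptions.

```powershell
# Added example (not from the original page or PowerView): sweep hosts for sessions and logons,
# falling back when NetSessionEnum returns nothing. Assumes PowerView is imported.
function Find-ActiveUsers {
    param(
        [string[]]$Computers,
        [string[]]$TargetUsers = @()    # e.g. 'Administrator','svc_sql'; empty = report everyone
    )
    if (-not $Computers) {
        # Old PowerView returns plain hostnames, current PowerView returns objects; accept both
        $Computers = Get-NetComputer | ForEach-Object { if ($_.dnshostname) { $_.dnshostname } else { $_ } }
    }
    foreach ($c in $Computers) {
        # Skip hosts that do not answer; avoids a long RPC timeout per dead box
        if (-not (Test-Connection -ComputerName $c -Count 1 -Quiet)) { continue }

        # NetSessionEnum: SMB sessions to $c. Denied to non-admins on Windows 10 1709+ / Server 2019+,
        # and PowerView only reports that under -Verbose, so an empty result may also mean "access denied".
        $method = 'NetSessionEnum'
        $found  = @(Get-NetSession -ComputerName $c | Where-Object { $_.UserName -and $_.UserName -notlike '*$' })

        if ($found.Count -eq 0) {
            # NetWkstaUserEnum: interactive logons on $c; requires local admin on the target
            $method = 'NetWkstaUserEnum'
            $found  = @(Get-NetLoggedon -ComputerName $c | Where-Object { $_.UserName -and $_.UserName -notlike '*$' })
        }
        foreach ($s in $found) {
            if ($TargetUsers.Count -gt 0 -and $TargetUsers -notcontains $s.UserName) { continue }
            [pscustomobject]@{
                Computer = $c
                User     = $s.UserName
                Source   = if ($s.CName) { $s.CName.TrimStart('\') } else { 'interactive' }
                Method   = $method
            }
        }
    }
}

# Usage (user name assumed):
# Find-ActiveUsers -TargetUsers 'Administrator' | Format-Table
```

Computer accounts (names ending in `$`) are filtered out because they are machine sessions rather than users. A host that appears with Method = NetWkstaUserEnum is one where the session query returned nothing but you already hold local admin, which is worth knowing on its own.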

List of SPNs in Domain

#Using Powerview
Get-NetUser -SPN | select samaccountname,serviceprincipalname

#Using setspn
setspn -L <user>

setspn is a Windows tool from Microsoft (installed on domain controllers and with the AD DS RSAT tools). -L lists the SPNs registered to one account; -Q with a wildcard pattern (e.g. */*) searches the whole domain or forest for matching SPNs.
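Accounts with SPNs are the Kerberoasting targets, so the recon output is more useful when it excludes krbtgt and disabled accounts and carries the fields that decide which ticket to request first. The block below is an added example, not code from the original page or from PowerView: it runs the LDAP query with the built-in [adsisearcher] on a domain-joined host and reports password age, AdminSDHolder protection and whether the account advertises AES, since a ticket issued with RC4 cracks far faster. The ordering in the usage line is an assumption.

```powershell
# Added example (not from the original page or PowerView): enumerate Kerberoastable accounts via LDAP.
function Get-SpnAccounts {
    # samAccountType 805306368 = normal user accounts (computer accounts have a different type).
    # 1.2.840.113556.1.4.803 = LDAP_MATCHING_RULE_BIT_AND; userAccountControl bit 0x2 = ACCOUNTDISABLE.
    $filter = '(&(samAccountType=805306368)(servicePrincipalName=*)(!(samAccountName=krbtgt))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $s = [adsisearcher]$filter
    $s.PageSize = 1000
    [void]$s.PropertiesToLoad.AddRange([string[]]@(
        'samaccountname','serviceprincipalname','pwdlastset','memberof','msds-supportedencryptiontypes','admincount'))
    foreach ($r in $s.FindAll()) {
        $p   = $r.Properties
        $enc = [int]$p['msds-supportedencryptiontypes'][0]   # 0 when the attribute is not set
        [pscustomobject]@{
            SamAccountName = [string]$p['samaccountname'][0]
            SPNs           = @($p['serviceprincipalname']) -join ' | '
            PwdLastSet     = if ($p['pwdlastset'][0]) { [datetime]::FromFileTime([int64]$p['pwdlastset'][0]) } else { $null }
            # 0x08 = AES128, 0x10 = AES256. Neither bit set means the KDC will normally issue RC4
            # tickets for this account (domain policy has the final say).
            AesEnabled     = ($enc -band 0x18) -ne 0
            AdminCount     = [int]$p['admincount'][0]         # 1 = protected (AdminSDHolder) account
            Groups         = @($p['memberof']) -join '; '
        }
    }
}

# Usage (sort order assumed): protected accounts and RC4-only accounts first
# Get-SpnAccounts | Sort-Object AdminCount -Descending | Sort-Object AesEnabled |
#     Format-Table SamAccountName,AesEnabled,AdminCount,PwdLastSet,SPNs
```

An old PwdLastSet on an RC4-only service account with AdminCount = 1 is the combination worth prioritising; an AES-only account with a recent password is a poor cracking candidate.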

Get Object ACL

#Using Powerview
Get-ObjectAcl -Identity <obj name>

#Filtering down to ACEs that grant GenericAll (match rather than -eq, so GenericAll combined with other rights is not missed).
#SecurityIdentifier is a raw SID; resolve it to a name before acting on it.
Get-ObjectAcl -Identity "Management Department" | ? {$_.ActiveDirectoryRights -match "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights
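GenericAll is only one of the rights that hand over an object; WriteDacl, WriteOwner, GenericWrite and certain WriteProperty or ExtendedRight entries do too, and the SIDs need resolving before the result means anything. The block below is an added example, not code from the original page or from PowerView: it reads the DACL of an object with the built-in System.DirectoryServices classes, translates each trustee SID to a name, and keeps only allow-ACEs carrying a right from an assumed "interesting" list. The object name in the usage line is an assumption.

```powershell
# Added example (not from the original page or PowerView): dump control-granting ACEs on an AD object.
function Get-InterestingAces {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $obj = ([adsisearcher]"(samaccountname=$SamAccountName)").FindOne()
    if (-not $obj) { throw "Object '$SamAccountName' not found" }
    $entry = $obj.GetDirectoryEntry()

    # Assumed list of rights that let the holder take over the object. WriteProperty, ExtendedRight
    # and Self only matter for specific ObjectType GUIDs (e.g. member, User-Force-Change-Password),
    # so keep ObjectType in the output and review it.
    $interesting = 'GenericAll','GenericWrite','WriteDacl','WriteOwner','WriteProperty','ExtendedRight','Self'

    # Ask for rules with SID identities so resolution is under our control
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # ActiveDirectoryRights is a flags enum: "CreateChild, DeleteChild, ..." -> split and compare
        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $hit = $rights | Where-Object { $interesting -contains $_ }
        if (-not $hit) { continue }

        $sid = $ace.IdentityReference
        try   { $trustee = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $trustee = $sid.Value }   # unresolvable (foreign/deleted) SID: keep the raw value

        [pscustomobject]@{
            Object     = $SamAccountName
            Trustee    = $trustee
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = $ace.ObjectType     # all-zero GUID = right applies to the whole object
            Inherited  = $ace.IsInherited
        }
    }
}

# Usage (object name assumed):
# Get-InterestingAces 'Management Department' | Format-Table Trustee,Rights,ObjectType,Inherited
```

SYSTEM, Domain Admins and Enterprise Admins will always appear; the entries that matter are unexpected trustees such as Authenticated Users, Everyone, a service account or a low-privilege group.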

List Domain Shares

#Using Powerview
Find-DomainShare

Cached AD Credentials

LSASS keeps credential material for every logged-on user (NTLM hashes, Kerberos tickets, and plaintext passwords where WDigest is enabled). With local administrator rights it can be read using the mimikatz executable; privilege::debug enables SeDebugPrivilege, which is needed to open the LSASS process. LSA Protection (RunAsPPL) and Credential Guard block this on hardened hosts, so expect sekurlsa commands to fail there.

.\mimikatz.exe

#Within mimikatz
privilege::debug
sekurlsa::logonpasswords

#We can list the Kerberos tickets held in LSASS (TGTs and service tickets) using the following command,
sekurlsa::tickets
