search

Domain Recon

The following are tools and scripts that can be used to collect information about the domain.

hashtag
Basic Domain Info

#Using Powerview
Get-NetDomain

hashtag
List of Computers

#Using Powerview
Get-NetComputer

hashtag
List of Domain Users

net user /domain

hashtag
Domain User Attributes and Details

net user <username> /domain

#Using Powerview and the output can be filtered using pipe & name (e.g. cn)
Get-NetUser

hashtag
Check User Admin Access

hashtag
List of Domain Groups

hashtag
Domain Group Privileges

hashtag
Domain Users to Domain Group Mapping

hashtag
List of Logged in Domain Users

The above commands can be used to find the logged in users in a remote machine. But for various reasons both commands could fail.

PsLoggedonarrow-up-right is executable made available by Microsoft to list the logged on users on a remote system.

hashtag
List of SPNs in Domain

Setspnarrow-up-right is an executable made available by Microsoft to list the SPNs present in a domain.

hashtag
Get Object ACL

hashtag
List Domain Shares

Cached AD Credentials

Credentials of users are usually cached and can be retrieved using the mimikatz executble.

PreviousInvoke-Kerberoast - ShortcutNextAuto Recon

Last updated