
AD - enumeration - powershell

Run on an Active Directory Domain Controller (ActiveDirectory module cmdlets)

enumerate users

# Enumerate domain users with the ActiveDirectory module.
$dc = 'za.tryhackme.com'

# Every user object in the default naming context.
Get-ADUser -Filter *

# Same query, restricted to one container / organisational unit.
Get-ADUser -Filter * -SearchBase "CN=Users,DC=THMREDTEAM,DC=COM"
Get-ADUser -Filter * -SearchBase "OU=THM,DC=THMREDTEAM,DC=COM"

# A single account with every attribute returned (-Properties * is verbose; name the attributes when you know them).
Get-ADUser -Identity gordon.stevens -Server $dc -Properties *

# Wildcard match on the Name attribute, reduced to two columns.
Get-ADUser -Filter 'Name -like "*stevens"' -Server $dc |
  Format-Table Name, SamAccountName -AutoSize
enumerate groups
# Look up one group and list its members on a chosen DC.
$dc = 'za.tryhackme.com'
$group = 'Administrators'

Get-ADGroup -Identity $group -Server $dc
# Direct members only; nested membership is not expanded here.
Get-ADGroupMember -Identity $group -Server $dc
enumerate objects: find all AD objects changed after a specific date
# Cut-off timestamp; the -Filter string below references $ChangeDate by name,
# so the variable name must stay as it is.
$ChangeDate = New-Object -TypeName DateTime -ArgumentList 2022, 02, 28, 12, 00, 00

# Objects whose whenChanged attribute is later than the cut-off, deleted objects included.
Get-ADObject -Filter 'whenChanged -gt $ChangeDate' -IncludeDeletedObjects -Server za.tryhackme.com
enumerate domains
# Domain object (naming contexts, FSMO role holders, etc.) as seen from the given DC.
$dc = 'za.tryhackme.com'
Get-ADDomain -Server $dc

PowerShell and LDAP

error: "execution of scripts is disabled on this system"

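# Allow local scripts (e.g. .\PowerView.ps1) to load when the policy blocks them.
# Set-ExecutionPolicy defaults to the LocalMachine scope: a persistent, host-wide
# change that also needs elevation. -Scope Process keeps the change to this
# PowerShell session and leaves the host's configured policy untouched.
# A policy enforced through Group Policy still takes precedence; inspect with
# Get-ExecutionPolicy -List.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process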
get domain
# Domain of the current security context, as a System.DirectoryServices.ActiveDirectory.Domain object.
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Sample output. Property names were truncated in the original paste and are
# restored here from the Domain class's property list (the two "RoleOwner"
# lines are PdcRoleOwner and RidRoleOwner, in display order).
#-> Forest                  : thm.local
#-> DomainControllers       : {ADBASICS.thm.local}
#-> Children                : {}
#-> DomainMode              : Unknown
#-> DomainModeLevel         : 7
#-> Parent                  :
#-> PdcRoleOwner            : ADBASICS.thm.local
#-> RidRoleOwner            : ADBASICS.thm.local
#-> InfrastructureRoleOwner : ADBASICS.thm.local
#-> Name                    : thm.local
get users
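# Enumerate user accounts over LDAP against the PDC emulator, without the ActiveDirectory module.
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# DC holding the PDC emulator FSMO role; every query below is sent to it.
$PDC = ($domainObj.PdcRoleOwner).Name

# Build "LDAP://<pdc>/DC=a,DC=b" from the DNS domain name (dots become ",DC=").
$searchStr = "LDAP://"
$searchStr += $PDC + "/"
$Name = "DC=$($domainObj.Name.Replace('.',',DC='))"
$searchStr += $Name
$searchStr

# Bind the search root to the path built above. The original created a
# parameterless DirectoryEntry (which binds to the default naming context) and
# assigned it as SearchRoot, silently discarding the PDC-specific path.
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($searchStr)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($objDomain)

# samAccountType 805306368 (0x30000000) = SAM_NORMAL_USER_ACCOUNT.
$searcher.filter = "samAccountType=805306368"

$items = $searcher.FindAll()
try {
    foreach ($obj in $items) {
        # Properties is a dictionary keyed by attribute name; index 'name' directly.
        $obj.Properties['name']   # <- print only name
        Write-Host "-------------------------"
    }
}
finally {
    # SearchResultCollection holds unmanaged handles; callers of FindAll() must dispose it.
    $items.Dispose()
}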

get groups

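# Enumerate groups and their member DNs over LDAP against the PDC emulator.
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# DC holding the PDC emulator FSMO role; every query below is sent to it.
$PDC = ($domainObj.PdcRoleOwner).Name

# Build "LDAP://<pdc>/DC=a,DC=b" from the DNS domain name (dots become ",DC=").
$searchStr = "LDAP://"
$searchStr += $PDC + "/"
$Name = "DC=$($domainObj.Name.Replace('.',',DC='))"
$searchStr += $Name
$searchStr

# Bind the search root to the path built above. The original created a
# parameterless DirectoryEntry (which binds to the default naming context) and
# assigned it as SearchRoot, silently discarding the PDC-specific path.
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($searchStr)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($objDomain)

$searcher.filter = "(objectClass=group)"

$items = $searcher.FindAll()
try {
    foreach ($obj in $items) {
        # Group name followed by its member DNs; groups with no members print only the name.
        $obj.Properties['name']
        $obj.Properties['member']
        Write-Host "-------------------------"
    }
}
finally {
    # SearchResultCollection holds unmanaged handles; callers of FindAll() must dispose it.
    $items.Dispose()
}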

get servicePrincipalName

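# Enumerate objects whose servicePrincipalName contains "http", over LDAP against the PDC emulator.
$domainObj = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# DC holding the PDC emulator FSMO role; every query below is sent to it.
$PDC = ($domainObj.PdcRoleOwner).Name

# Build "LDAP://<pdc>/DC=a,DC=b" from the DNS domain name (dots become ",DC=").
$searchStr = "LDAP://"
$searchStr += $PDC + "/"
$Name = "DC=$($domainObj.Name.Replace('.',',DC='))"
$searchStr += $Name
$searchStr

# Bind the search root to the path built above. The original created a
# parameterless DirectoryEntry (which binds to the default naming context) and
# assigned it as SearchRoot, silently discarding the PDC-specific path.
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($searchStr)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($objDomain)

# Substring match on the SPN attribute.
$searcher.filter = "serviceprincipalname=*http*"

$items = $searcher.FindAll()
try {
    foreach ($obj in $items) {
        # Dump every returned attribute of the matching object.
        $obj.Properties
        Write-Host "-------------------------"
    }
}
finally {
    # SearchResultCollection holds unmanaged handles; callers of FindAll() must dispose it.
    $items.Dispose()
}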

get logged-on users

# Load PowerView from the current directory.
Import-Module -Name .\PowerView.ps1

# Accounts currently logged on to a host; <computer-name> is a placeholder for the hostname.
Get-NetLoggedon -ComputerName <computer-name>

get sessions from the DC

# Load PowerView from the current directory.
Import-Module -Name .\PowerView.ps1

# Active sessions on the named domain controller.
$target = 'dc1'
Get-NetSession -ComputerName $target