Powershell Enum of Active Directory (Part 1)

Hello everyone, I am back with PowerShell pentesting enumeration of Active Directory. It covers the basics of enumerating the domain, the domain controller and a lot more. Mainly the PowerView module is used for these tasks, but in some places the AD module is also used.

As per my experience, the key steps to start from scratch are listed below:

Status of Defender:

C:> sc query windefend

Disable Defender behavior monitoring (with administrator rights)

PS C:\WINDOWS\system32> Set-MpPreference -DisableBehaviorMonitoring $true

Enable Defender real-time monitoring (with administrator rights)

PS C:> Set-MpPreference -DisableRealtimeMonitoring $false

Disable firewall (with administrator rights)

PS C:\WINDOWS\system32> Set-NetFirewallProfile -profile Domain,Public,Private -Enabled False

Bypass PS execution policy (with normal rights)

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> powershell.exe -executionpolicy bypass

PS C:\> whoami /priv

**Bypass protection:** (with normal rights)

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> powershell.exe -nop -exec bypass

**Load the module** (with normal rights)

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Import-Module ./powerview.ps1

Get the current domain

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetDomain

Get Domain SID for the current domain

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-DomainSID

**Get Domain Policy for the current domain**

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-DomainPolicy

**Get Domain Controller for the current domain**

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetDomainController

To load the Active Directory module

Open this file:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.config

Put this content

Now open another terminal

PS C:\Users\victim.SECURITY\Downloads\ADModule-master> cd .\ADModule-master\

PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master> Import-Module .\Microsoft.ActiveDirectory.Management.dll

PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master> Get-ADDomain

PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master> Get-ADDomainController

Get a list of users in the current domain:

PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master> Get-NetUser

PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master> Get-ADUser -Filter *

PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master> Get-ADUser -Filter * -Properties *

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetUser | select cn

PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master> Get-ADUser -Identity victim

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetUser -UserName victim

Properties of users in the current domain:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-UserProperties

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-UserProperties -Properties pwdlastset

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-UserProperties -Properties logoncount

**Bad password count for each user:**

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-UserProperties -Properties badpwdcount
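The same three attributes (pwdLastSet, logonCount, badPwdCount) are also what a defender reviews to spot stale accounts and accounts currently taking failed logons. The script below is an added example, not from the original post or from PowerView; it uses the AD module's Get-ADUser and assumes the module is already imported as shown above, that the account running it can read user attributes (default for any domain user), and that the two threshold values are placeholders to be replaced with the domain's real password policy.

```powershell
# Added example (not part of the original post): audit the user properties the
# post enumerates with the AD module and flag what a defender should look at.
# Assumes: ActiveDirectory module already imported; thresholds below are
# assumed values, replace them with the output of Get-ADDefaultDomainPasswordPolicy.
$MaxPasswordAgeDays = 90   # assumed policy value
$BadPwdThreshold    = 5    # assumed; should match the domain lockout threshold

# Request only the attributes needed; -Properties * is slow on large domains.
$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties pwdLastSet, logonCount, badPwdCount, PasswordNeverExpires

$nowUtc = (Get-Date).ToUniversalTime()
$report = foreach ($u in $users) {
    # pwdLastSet is a FILETIME (100-ns ticks since 1601); 0 means
    # "must change password at next logon", so there is no age to compute.
    $pwdSet  = if ($u.pwdLastSet -gt 0) { [DateTime]::FromFileTimeUtc($u.pwdLastSet) } else { $null }
    $ageDays = if ($pwdSet) { [int]($nowUtc - $pwdSet).TotalDays } else { $null }

    [PSCustomObject]@{
        SamAccountName       = $u.SamAccountName
        PasswordLastSetUtc   = $pwdSet
        PasswordAgeDays      = $ageDays
        PasswordNeverExpires = $u.PasswordNeverExpires
        LogonCount           = $u.logonCount
        BadPwdCount          = $u.badPwdCount
        # Findings
        StalePassword        = ($null -ne $ageDays -and $ageDays -gt $MaxPasswordAgeDays)
        NeverLoggedOn        = ($u.logonCount -eq 0)
        FailedLogonSpike     = ($u.badPwdCount -ge $BadPwdThreshold)
    }
}

# Caveat: badPwdCount and logonCount are NOT replicated between domain
# controllers. The values above come from whichever DC answered the query;
# for an accurate picture, repeat the query per DC with
#   Get-ADDomainController -Filter * | ForEach-Object { Get-ADUser ... -Server $_.HostName }

$report | Where-Object StalePassword | Sort-Object PasswordAgeDays -Descending |
    Format-Table SamAccountName, PasswordAgeDays, PasswordNeverExpires -AutoSize

$report | Where-Object FailedLogonSpike |
    Format-Table SamAccountName, BadPwdCount, LogonCount -AutoSize
```

Accounts flagged FailedLogonSpike across several DCs at once are the ones worth correlating with 4625/4771 events on the domain controllers.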

@Saksham Dixit