Domain Enumeration – Part 3

Get the list of GPOs in the current domain:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetGPO

Enumerate all the permissions for all GPOs in the current domain:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}

Suppose the output above shows an ACE on the GPO with the display name "SecurePolicy" that gives a non-privileged principal (check the IdentityReference column) write rights over it. Let's track this back and see which systems that GPO applies to: take the GPO's GUID (its Name attribute) from the previous command's output, find the OUs whose gPLink references it, then list the computers in those OUs:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetOU -GUID "{6AC1786C-016F-11D2-945F-00C04fB984F9}" | %{Get-NetComputer -ADSpath $_}

Enumerate the members of the local Administrators group on every machine in the domain (noisy: it connects to each host in turn):

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Invoke-EnumerateLocalAdmin -Verbose

Get the GPOs that use Restricted Groups or groups.xml (Group Policy Preferences) to add interesting users to local groups:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetGPOGroup

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetGPOGroup | select displayname

Show the Resultant Set of Policy (the GPOs actually applied) for the current user and computer, to confirm which of those GPOs hit the host you are on:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> gpresult /R

Get the users that a GPO places in a local group on a given machine:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Find-GPOComputerAdmin -ComputerName WIN-2RUMVG5JPOC.security.local

Get the machines where a given user is a member of a local group through a GPO:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Find-GPOLocation -UserName victim -Verbose

Get the OUs in the domain:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> get-netou -fulldata

Get the GPOs applied to an OU. The OU's gPLink attribute (shown by Get-NetOU -FullData) lists the linked GPOs by GUID, which is the GPO's Name attribute:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> get-netou

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> get-netou -FullData

From the gPLink value we get the GPO name (GUID) {6AC1786C-016F-11D2-945F-00C04fB984F9}, which we can now look up directly:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetGPO -GPOname '{6AC1786C-016F-11D2-945F-00C04fB984F9}'
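The gPLink value is a single string of concatenated [LDAP://...;options] segments, so reading GUIDs out of it by hand gets tedious on OUs with several links, and the options digit (link disabled / enforced) is easy to overlook. The following PowerShell is an added example, not code from the original post or from PowerView: it decodes a gPLink string into GPO GUIDs and link flags and runs on a constructed sample value; the commented-out tail shows how it would be wired to Get-NetOU and Get-NetGPO once PowerView is loaded. The function name ConvertFrom-GPLink is my own.

```powershell
# Added example (not from the original post or from PowerView): decode an OU's gPLink
# attribute into GPO GUIDs and link options so each GPO can be looked up with Get-NetGPO.
# gPLink format (MS-GPOL): "[LDAP://cn={GUID},cn=policies,cn=system,DC=...;<options>]"
# repeated once per linked GPO; options bit 0 = link disabled, bit 1 = enforced (No Override).

function ConvertFrom-GPLink {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$GPLink
    )
    process {
        # One [...] segment per linked GPO; group 1 = GUID, group 2 = rest of the DN,
        # group 3 = link options. LDAP DNs are case-insensitive, so match that way.
        $pattern = '\[LDAP://cn=(\{[0-9A-Fa-f-]{36}\}),([^;\]]+);(\d+)\]'
        foreach ($m in [regex]::Matches($GPLink, $pattern, 'IgnoreCase')) {
            $options = [int]$m.Groups[3].Value
            [PSCustomObject]@{
                GPOName  = $m.Groups[1].Value                     # the value Get-NetGPO -GPOname wants
                GPOPath  = 'LDAP://cn=' + $m.Groups[1].Value + ',' + $m.Groups[2].Value
                Disabled = [bool]($options -band 1)
                Enforced = [bool]($options -band 2)
            }
        }
    }
}

# Constructed sample gPLink (hypothetical, not read from a real domain): the two well-known
# default GPO GUIDs, with the second link marked enforced (options = 2).
$sampleGPLink = '[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=security,DC=local;0]' +
                '[LDAP://cn={6AC1786C-016F-11D2-945F-00C04fB984F9},cn=policies,cn=system,DC=security,DC=local;2]'

$sampleGPLink | ConvertFrom-GPLink | Format-Table GPOName, Disabled, Enforced -AutoSize

# Live use (assumes PowerView is loaded): decode every OU's gPLink and resolve each GUID
# to its GPO object, keeping the OU it was found on.
# Get-NetOU -FullData | Where-Object { $_.gplink } | ForEach-Object {
#     $ou = $_.distinguishedname
#     $_.gplink | ConvertFrom-GPLink | ForEach-Object {
#         Get-NetGPO -GPOname $_.GPOName | Select-Object @{n='OU';e={$ou}}, displayname, name
#     }
# }
```

A disabled link (options bit 0) means the GPO is not applied even though it is listed in gPLink, so check the flag before chasing a GPO that looks interesting on paper.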

Domain Enumeration (ACL)

Get the ACLs associated with the specified object:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-ObjectAcl -SamAccountName victim -ResolveGUIDs

Get the ACLs of objects under the given distinguished-name prefix (relative to the domain root):

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-ObjectAcl -ADSprefix 'CN=Victim,CN=Users' -Verbose

We can also enumerate ACLs with the ActiveDirectory module (Get-Acl against the AD: drive), but it does not resolve the ObjectType GUIDs to names:

PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master> (Get-Acl 'AD:\CN=Administrator,CN=Users,DC=security,DC=local').Access

Get the ACL associated with the specified LDAP path to be used for search :

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-ObjectAcl -ADSpath "LDAP://CN=Domain Admins,CN=Users,DC=security,DC=local" -ResolveGUIDs -Verbose

Search for interesting ACEs across the domain. Invoke-ACLScanner keeps ACEs that grant modify-type rights (GenericAll, Write*, Create*, Delete*) to principals whose SID has a RID of 1000 or higher, i.e. non-default accounts and groups; built-in principals are filtered out, so the output is a candidate list to review, not a list of confirmed findings:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Invoke-ACLScanner -ResolveGUIDs
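Both the GPO permission check earlier on this page (Get-NetGPO piped into Get-ObjectAcl) and the ACL commands in this section produce one row per ACE, most of which are expected (Domain Admins, SYSTEM, inherited read rights). The following PowerShell is an added example, not code from the original post or from PowerView: a filter that keeps only Allow ACEs granting control over an object to a principal outside the expected privileged set, with attribute-level and extended rights kept only when they target something that actually yields control. It runs here on constructed sample ACEs shaped like Get-ObjectAcl -ResolveGUIDs output; the function name Select-InterestingAce, the regex lists and the sample principals (victim, helpdesk, gpo-editors) are my own and should be tuned to the target environment.

```powershell
# Added example (not from the original post or from PowerView): reduce Get-ObjectAcl output to
# the ACEs worth chasing. Works on the ACL of any AD object: user, group or GPO.

# Rights that let the holder take over or rewrite the object. Names are the
# System.DirectoryServices.ActiveDirectoryRights members that Get-ObjectAcl reports.
$InterestingRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|Self|ExtendedRight'

# WriteProperty / Self / ExtendedRight only matter on the whole object ('All') or on a few
# attributes and rights that give control; with -ResolveGUIDs PowerView shows them by name.
# Starting list (assumption, extend as needed): group membership, logon script, SPN, GPO file
# path, LAPS password, password reset, and the DCSync replication rights.
$InterestingTargets = '^(All|Member|Script-Path|Service-Principal-Name|GPC-File-Sys-Path|ms-Mcs-AdmPwd|User-Force-Change-Password|DS-Replication-Get-Changes|DS-Replication-Get-Changes-All)$'

# Principals expected to hold such rights; edit for your environment (-match is case-insensitive).
$ExpectedPrincipals = '^(NT AUTHORITY\\|BUILTIN\\|S-1-5-32-|[^\\]+\\(Domain Admins|Enterprise Admins|Domain Controllers|Administrator)$)'

function Select-InterestingAce {
    param([Parameter(Mandatory, ValueFromPipeline)] $Ace)
    process {
        if ($Ace.AccessControlType -ne 'Allow') { return }        # Deny ACEs grant nothing
        $rights = "$($Ace.ActiveDirectoryRights)"                  # e.g. "WriteDacl, WriteOwner"
        if ($rights -notmatch $InterestingRights) { return }
        if ("$($Ace.IdentityReference)" -match $ExpectedPrincipals) { return }
        # Full-control style rights are always interesting; attribute/extended rights only on
        # the listed targets (otherwise e.g. "helpdesk may edit phone numbers" floods the output).
        $fullControl = $rights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner'
        if (-not $fullControl -and "$($Ace.ObjectType)" -notmatch $InterestingTargets) { return }
        $Ace | Select-Object ObjectDN, IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
    }
}

# Constructed sample ACEs (hypothetical, not captured from a real domain), shaped like
# Get-ObjectAcl -ResolveGUIDs rows. Comments state the role each one plays in the filter.
$dn  = 'CN=Domain Admins,CN=Users,DC=security,DC=local'
$usr = 'CN=victim,CN=Users,DC=security,DC=local'
$gpo = 'CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=security,DC=local'
$sampleAces = @(
    # expected principal on its own group
    [PSCustomObject]@{ ObjectDN=$dn;  IdentityReference='SECURITY\Domain Admins'; ActiveDirectoryRights='GenericAll';             AccessControlType='Allow'; ObjectType='All';                        IsInherited=$false }
    # non-privileged user can rewrite the DACL/owner of Domain Admins
    [PSCustomObject]@{ ObjectDN=$dn;  IdentityReference='SECURITY\victim';        ActiveDirectoryRights='WriteDacl, WriteOwner';  AccessControlType='Allow'; ObjectType='All';                        IsInherited=$false }
    # harmless attribute write
    [PSCustomObject]@{ ObjectDN=$usr; IdentityReference='SECURITY\helpdesk';      ActiveDirectoryRights='WriteProperty';          AccessControlType='Allow'; ObjectType='Telephone-Number';           IsInherited=$false }
    # password reset right over a user
    [PSCustomObject]@{ ObjectDN=$usr; IdentityReference='SECURITY\helpdesk';      ActiveDirectoryRights='ExtendedRight';          AccessControlType='Allow'; ObjectType='User-Force-Change-Password'; IsInherited=$false }
    # full property write over a GPO object (the "who can edit this GPO" case)
    [PSCustomObject]@{ ObjectDN=$gpo; IdentityReference='SECURITY\gpo-editors';   ActiveDirectoryRights='WriteProperty';          AccessControlType='Allow'; ObjectType='All';                        IsInherited=$false }
    # Deny ACE, irrelevant regardless of rights
    [PSCustomObject]@{ ObjectDN=$gpo; IdentityReference='SECURITY\victim';        ActiveDirectoryRights='GenericAll';             AccessControlType='Deny';  ObjectType='All';                        IsInherited=$false }
)

$sampleAces | Select-InterestingAce | Format-Table -AutoSize

# Live use (assumes PowerView is loaded):
#   Get-NetGPO | ForEach-Object { Get-ObjectAcl -ResolveGUIDs -Name $_.Name } | Select-InterestingAce
#   Get-ObjectAcl -ResolveGUIDs -ADSpath "LDAP://CN=Domain Admins,CN=Users,DC=security,DC=local" | Select-InterestingAce
```

Unlike Invoke-ACLScanner, this filters on principal names rather than on the RID, so it also surfaces rights granted to well-known or low-RID accounts that are not in the expected list (Authenticated Users, Everyone, Domain Users), which is where the most common GPO and OU misconfigurations show up. Run it on ACEs obtained with -ResolveGUIDs; without GUID resolution ObjectType is a raw GUID and the target filter will discard every attribute-level ACE.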

Get the ACLs associated with the specified path :

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-PathAcl -path \\WIN-2RUMVG5JPOC.security.local\sysvol

@Saksham Dixit