Domain Trust Mapping :

Get a list of all domain trusts for the current domain :

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetDomainTrust

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetDomainTrust -domain ujjtest.security.local

PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master> Get-ADTrust

PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master> Get-ADTrust -Identity setest.local

PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master> (Get-ADForest).domains

Forest Mapping :

Get all global catalogs for the current forest :

Map trusts of a forest :

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetForestTrust

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetForestTrust -Forest security.local

Domain Enumeration – user hunting :

Find all machines on the current domain where the current user has local admin access :

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Find-LocalAdminAccess -verbose

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetComputer

Find local admins on all machines of the domain (needs administrator privs on-dc machine) :

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Invoke-EnumerateLocalAdmin -verbose

Find computers where a domain admin has sessions :

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Invoke-UserHunter

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Invoke-UserHunter -GroupName "RDPUsers"

To confirm admin access :

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Invoke-UserHunter -CheckAccess

Find computers where domain admin is logged-in :

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Invoke-UserHunter -Stealth

Domain Enumeration Defense :

First, try to enumerate sessions on a remote machine :

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetSessions -computername WIN-2RUMVG5JPOC.security.local

Download NetCease :

https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b/file/165596/1/NetCease.zip

Open an administrator PowerShell prompt :

PS C:\Users\victim.SECURITY\Downloads\NetCease> powershell.exe -executionpolicy bypass

PS C:\Users\victim.SECURITY\Downloads\NetCease> .\NetCease.ps1

PS C:\Users\victim.SECURITY\Downloads\NetCease> Restart-Service -Name server -force

Now if we try to enumerate sessions again :

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetSessions -computername WIN-2RUMVG5JPOC.security.local

Access denied

To revert the change :

PS C:\Users\victim.SECURITY\Downloads\NetCease> .\NetCease.ps1 -Revert

PS C:\Users\victim.SECURITY\Downloads\NetCease> Restart-Service -Name server -force

Now try again :

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetSessions -computername WIN-2RUMVG5JPOC.security.local

It's working fine

Now try to access

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> net user /domain
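
To check from the host itself whether the NetCease hardening shown above is in effect, this added example (not part of the original post and not NetCease's own code) reads the session-enumeration ACL and flags any allow entry for Authenticated Users. It assumes the change is stored in the `SrvsvcSessionInfo` value under `LanmanServer\DefaultSecurity`; the SDDL samples and the `Test-SessionEnumAcl` helper are constructed for illustration.

```powershell
# Added example (not from the original post): audit the ACL that gates NetSessionEnum.
# Assumption: NetCease stores its change in this registry value. Requires PowerShell 5+.
$Key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$Value = 'SrvsvcSessionInfo'
$AuthenticatedUsers = 'S-1-5-11'

function Test-SessionEnumAcl {
    # Emits one object per ACE; Broad marks an allow ACE for Authenticated Users.
    param([System.Security.AccessControl.RawSecurityDescriptor]$Descriptor)
    foreach ($ace in $Descriptor.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '(unresolved)' }
        [pscustomobject]@{
            Sid     = $sid.Value
            Account = $name
            AceType = $ace.AceType
            Mask    = '0x{0:X}' -f $ace.AccessMask
            Broad   = ($sid.Value -eq $AuthenticatedUsers -and $ace.AceType -eq 'AccessAllowed')
        }
    }
}

# Constructed SDDL samples, used only when the registry value cannot be read.
$samples = [ordered]@{
    'constructed: open'     = 'O:SYG:SYD:(A;;0x1;;;AU)(A;;0xF;;;BA)'
    'constructed: hardened' = 'O:SYG:SYD:(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0xF;;;BA)'
}

$targets = [ordered]@{}
$raw = (Get-ItemProperty -Path $Key -Name $Value -ErrorAction SilentlyContinue).$Value
if ($raw) {
    # Live host: parse the binary security descriptor from the registry.
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$raw, 0)
    $targets["live: $env:COMPUTERNAME"] = $sd
} else {
    foreach ($k in $samples.Keys) {
        $targets[$k] = [System.Security.AccessControl.RawSecurityDescriptor]::new($samples[$k])
    }
}

foreach ($t in $targets.GetEnumerator()) {
    $aces  = @(Test-SessionEnumAcl -Descriptor $t.Value)
    $state = if ($aces.Broad -contains $true) { 'OPEN to Authenticated Users' } else { 'restricted' }
    '{0}: {1}' -f $t.Key, $state
    $aces | Format-Table -AutoSize | Out-String
}
```

Run it before and after `.\NetCease.ps1` plus the Server service restart; the state should move from OPEN to restricted, and back again after `-Revert`.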

@Saksham Dixit

Post Author: Saksham dixit
