Users, Computer, Groups
## Users Enumeration
Get-NetUser
Get users matching a pattern in a specific domain
Get-NetUser *admin* -Domain grey.wargrey.mon
Get Admins in a Domain
Get-NetUser -AdminCount
Get-NetUser -AdminCount -Domain wargrey.mon
Filter by username
Get-DomainUser -Domain wargrey.mon | ?{$_.name -match "Grey Mon"}
Grab the cn (common-name) from the list of users
Get-NetUser | select cn
Get actively logged users on a computer (needs local admin rights on the target)
Get-NetLoggedon -ComputerName <servername>
List all properties
Get-UserProperty
Display when the passwords were set last time
Get-UserProperty -Properties pwdlastset
Display when the accounts were created
Get-UserProperty -Properties whencreated
Get the list of users
Get-ADUser -Filter *
Get the list of users with properties
Get-ADUser -Filter * -Properties *
List samaccountname and description for users
Get-ADUser -Filter * -Properties * | select Samaccountname, Description
Get the list of users by cn (common-name)
Get-ADUser -Filter * -Properties * | select cn
Get the list of users from name
Get-ADUser -Filter * -Properties * | select name
Display when each user's password was last set (pwdlastset is a Windows FILETIME and must be converted to a readable date)
Get-ADUser -Filter * -Properties * | select name,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}
List samaccountname, lastlogon and pwdlastset for users (optionally sorted by last logon)
Get-NetUser | select samaccountname, lastlogon, pwdlastset
Get-NetUser | select samaccountname, lastlogon, pwdlastset | Sort-Object -Property lastlogon
Get list of usernames and their groups
Get-NetUser | select samaccountname, memberof
Get description field from the user
Find-UserField -SearchField Description -SearchTerm "built"
Get-netuser | Select-Object samaccountname, description
Get SID for users
WMIC.exe useraccount get name, sid
Basic user enabled info
Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname, description, pwdlastset, logoncount, badpwdcount
Find users with sidHistory set
Get-NetUser -LDAPFilter '(sidHistory=*)'
## Find local admin access on domain machines
Find all machines on the current domain where the current user has local admin access
Find-LocalAdminAccess -Verbose
This can also be done with remote administration tools like WMI and PowerShell remoting, which is useful when the ports (RPC and SMB) used by Find-LocalAdminAccess are blocked:
Find-WMILocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess.ps1
## Kerberoasting Enumeration
ASREPRoastable users
Get-NetUser -PreauthNotRequired
Kerberoastable users
Get-NetUser -SPN
Get-NetComputer -SPN
Kerberos policy of the domain (ticket lifetimes, clock skew, etc.)
(Get-DomainPolicyData).kerberospolicy
## Groups Information
List groups and their details
Get-NetGroup | select samaccountname, admincount, description
Get the principals with ACEs on the AdminSDHolder object (these ACLs are copied to protected accounts and groups)
Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=wargrey,DC=mon' | %{ $_.SecurityIdentifier } | Convert-SidToName
## Computer Enumeration
Basic computer enumeration
Get-NetComputer
Get-ADComputer -Filter *
Get Computer name and OS
Get-NetComputer | select samaccountname, operatingsystem
Get-NetComputer -Domain wargrey.mon | select samaccountname, operatingsystem
Get computers with specific OS
Get-NetComputer -OperatingSystem "*Server 2016*"
Find computers with Unconstrained Delegation (DCs appear in the output by default, but they aren't useful for privilege escalation)
Get-NetComputer -Unconstrained | select samaccountname
Find computers with Constrained Delegation
Get-NetComputer -TrustedToAuth | select samaccountname
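A defender-side audit of the same conditions listed under Kerberoasting Enumeration and in the two delegation queries above, written as an added example with the ActiveDirectory module rather than PowerView. This is not part of the original cheat sheet; the function name Get-KerberosExposureReport and the $Domain default are assumptions.

```powershell
# Added example, not from the original cheat sheet. Uses the RSAT
# ActiveDirectory module (assumed installed) and plain domain-user read access.
Import-Module ActiveDirectory

function Get-KerberosExposureReport {
    param([string]$Domain = $env:USERDNSDOMAIN)   # assumption: current domain

    # Accounts with Kerberos pre-authentication disabled (AS-REP roastable).
    $noPreauth = Get-ADUser -Server $Domain -Filter 'DoesNotRequirePreAuth -eq $true' `
        -Properties PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet,
            @{n='Finding'; e={'PreauthNotRequired'}}

    # User accounts carrying an SPN (Kerberoastable). krbtgt is excluded because
    # its password is machine-generated. Password age is reported because an
    # old, human-chosen service password is what makes the ticket worth cracking.
    $spnUsers = Get-ADUser -Server $Domain -Filter 'ServicePrincipalName -like "*"' `
        -Properties PasswordLastSet |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        Select-Object SamAccountName, PasswordLastSet,
            @{n='Finding'; e={'UserWithSPN'}}

    # Computers with unconstrained delegation. Domain controllers are expected
    # there, so only non-DC hosts are reported as findings.
    $dcNames = (Get-ADDomainController -Server $Domain -Filter *).Name
    $unconstrained = Get-ADComputer -Server $Domain -Filter 'TrustedForDelegation -eq $true' `
        -Properties PasswordLastSet |
        Where-Object { $dcNames -notcontains $_.Name } |
        Select-Object SamAccountName, PasswordLastSet,
            @{n='Finding'; e={'UnconstrainedDelegation'}}

    # Computers configured for constrained delegation with protocol transition.
    $constrained = Get-ADComputer -Server $Domain -Filter 'TrustedToAuthForDelegation -eq $true' `
        -Properties PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet,
            @{n='Finding'; e={'ConstrainedDelegation'}}

    # One table, grouped by finding, ready to paste into a remediation ticket.
    @($noPreauth) + @($spnUsers) + @($unconstrained) + @($constrained) |
        Sort-Object Finding, SamAccountName
}

Get-KerberosExposureReport | Format-Table -AutoSize
```

Each row is one account to review: re-enable pre-authentication, move the SPN to a gMSA or rotate the service password, or replace unconstrained delegation with resource-based constrained delegation.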
Find machine accounts in privileged groups
Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*$'}
Get-NetGroupMember -Identity "Domain Admins" -Recurse | select MemberName
List all the local groups on a machine (needs admin privileges on non-DC machines)
Get-NetlocalGroup -Computername <computername> -ListGroups
Get members of all the local groups on a machine (needs admin privileges on non-DC machines)
Get-NetlocalGroup -Computername <computername> -Recurse
Get actively logged users on a computer (needs local admin privileges)
Get-NetLoggedon -Computername <computername>
Get locally logged users on a computer (needs remote registry rights on the target)
Get-LoggedonLocal -Computername <computername>
Get the last logged users on a computer (needs admin rights and remote registry on the target)
Get-LastLoggedOn -ComputerName <computername>
Get computer operating system and other important info
Get-ADComputer -Filter * -Property PrimaryGroupID
Get-ADComputer -Filter {PrimaryGroupID -eq "<number>"} -Properties OperatingSystem, OperatingSystemVersion, OperatingSystemServicePack, PasswordLastSet, LastLogonDate, ServicePrincipalName, TrustedForDelegation, TrustedtoAuthForDelegation
Find computers where a domain admin (or specified user/group) has sessions
Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity "RDPUsers"
Find computers where a domain admin session is available and the current user has admin access (uses Test-AdminAccess)
Find-DomainUserLocation -CheckAccess
Find computers (File Servers and Distributed File Servers) where a domain admin session is available
Find-DomainUserLocation -Stealth
## Shares Enumeration
Search readable shares
Find-DomainShare -CheckShareAccess
## Groups and Members Enumeration
Basic group enumeration
Get-NetGroup
Get-NetLocalGroup
Get all groups containing "admin" in the group name
Get-NetGroup *Admin*
Get-NetGroupMember 'Domain Admins' -Recurse
Get-NetGroupMember 'Administrator' -Recurse
Get-NetGroupMember 'Remote Desktop Users' -Recurse
Get-NetGroupMember 'Remote Desktop' -Recurse
Get all members of the "Domain Admins" group
Get-NetGroupMember -GroupName "Domain Admins" -Recurse
Query the root domain for "Enterprise Admins"
Get-NetGroupMember -GroupName "Enterprise Admins" -Domain wargrey.mon
Get group membership for user "grey"
Get-NetGroup -UserName "grey"
Get the full object data for the "Users" group
Get-NetGroup -GroupName "Users" -Fulldata
Get all groups that contain "admin" in the group name
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name
Get all members of the "Domain Admins" group
Get-ADGroupMember -Identity "Domain Admins" -Recursive
Get group membership for "grey"
Get-ADPrincipalGroupMembership -Identity grey
Get computers and their Operating Systems
Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2016*"' -Properties OperatingSystem | select Name, OperatingSystem
Test connectivity for each computer in the domain
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}
## Enumerate Domain Groups
#Get all the groups in the current domain
Get-DomainGroup | select Name
Get-DomainGroup -Domain <targetdomain>
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *
#Get all groups containing the word "admin" in group name
Get-DomainGroup *admin*
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name
#Get all the members of the Domain Admins group
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get-ADGroupMember -Identity "Domain Admins" -Recursive
#Get the group membership for a user:
Get-DomainGroup -UserName "grey"
Get-ADPrincipalGroupMembership -Identity grey
#Get members of every group whose name contains "admins", keeping only cross-domain (domain.name\user style) members
Get-NetGroup "*admins*" | Get-NetGroupMember -Recurse | ?{$_.MemberName -Like "*.*"}
#Get Clients on Host Domain
Get-NetGroup -ComputerName PDC
Get-NetGroup -ComputerName dc02