AD Enumeration cheatsheet

Rich
5 min read, Sep 6, 2022
Don’t let the pic fool you, this cheatsheet is from this year

TL;DR this mostly comes from my CRTP notes with some handy stuff I learned elsewhere thrown in. This is a cheatsheet so if you want explanations then follow the links, for example regarding ASREPRoasting, Kerberoasting, etc.

Welcome to Part IV of our cheatsheet series!

Part I: Mimikatz cheatsheet

Part II: Set-Acl cheatsheet

Part III: Get-Acl cheatsheet

Part IV: Enumerating AD cheatsheet

Part V: Windows reverse shells cheatsheet

Part VI: MS Graph PowerShell cheatsheet

Part VII: Hash cracking cheatsheet

Part VIII: The Credential Theft Shuffle

Part IX: SACLs & Querying Collected Logs

Part X: Setting up a simple AD lab in Azure

How to get the AD module

If the system you are using does not have RSAT installed, just grab 4 files from here, from Microsoft, or from a system that already has RSAT.

  • Microsoft.ActiveDirectory.Management.dll
  • ActiveDirectory.psd1
  • ActiveDirectory.Format.ps1xml
  • ActiveDirectory.Types.ps1xml

Drop them in a folder, C:\Temp for example, then:

Set-Location C:\Temp
Import-Module .\Microsoft.ActiveDirectory.Management.dll
Import-Module .\ActiveDirectory.psd1

If you would like to keep using the AD module in future PS sessions then

Put Microsoft.ActiveDirectory.Management.dll in:

C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.ActiveDirectory.Management

Put ActiveDirectory.psd1 in:

C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ActiveDirectory\
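The two loading paths above rolled into one helper, as an added example that is not from the original post: it uses RSAT's module when it is installed, otherwise the files dropped in a folder, and confirms the cmdlets actually resolved. The folder path C:\Temp and the function name are assumptions.

```powershell
# Added example (not from the original post): load the AD module from RSAT if present,
# otherwise from the folder holding the four files listed above, then verify it works.
function Import-ADModuleAnywhere {
    param([string]$FallbackPath = 'C:\Temp')   # assumed drop folder, change as needed

    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory -ErrorAction Stop
        $source = 'RSAT'
    } else {
        $dll  = Join-Path $FallbackPath 'Microsoft.ActiveDirectory.Management.dll'
        $psd1 = Join-Path $FallbackPath 'ActiveDirectory.psd1'
        foreach ($f in $dll, $psd1) {
            if (-not (Test-Path $f)) { throw "Missing $f; copy the four module files into $FallbackPath" }
        }
        # Order matters: the DLL carries the cmdlets, the psd1 pulls in the Format/Types ps1xml files
        Import-Module $dll  -ErrorAction Stop
        Import-Module $psd1 -ErrorAction Stop
        $source = $FallbackPath
    }

    # Sanity check on the two cmdlets this cheatsheet leans on most
    $missing = 'Get-ADUser', 'Get-ADComputer' |
        Where-Object { -not (Get-Command $_ -ErrorAction SilentlyContinue) }
    if ($missing) { throw "AD module loaded from $source but cmdlets missing: $($missing -join ', ')" }

    [pscustomobject]@{
        LoadedFrom = $source
        Cmdlets    = (Get-Command -Name 'Get-AD*' -CommandType Cmdlet).Count
    }
}

Import-ADModuleAnywhere
```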

I first started learning how to use the PS AD module after watching the AD portion of TCM’s Ethical Hacking course. He was showing everything in PowerView and I figured native PS should be able to do the job. I’m partial to native PS because

  • It doesn’t trip Defender, obviously
  • It’s on every Windows system already [you may just have to load the files above]
  • Hence no change request required :)

Additionally I’m really fond of PowerShell_ISE. However if you like PowerView then that’s great too. I list both below.

OU enumeration

PowerView command shown first, native PS command shown second.

List all OUs:

Get-NetOU
Get-ADOrganizationalUnit -Filter * | Select-Object DistinguishedName, Name

List info about an OU:

Get-NetOU StudentMachines -FullData
Get-ADOrganizationalUnit -Filter {Name -eq "StudentMachines"} -Properties *

List all systems in a given OU:

Get-NetOU <OU name> | %{Get-NetComputer -ADSPath $_}
Get-ADComputer -Filter * -Properties * -SearchBase "ou=<OU name>,dc=<child domain>,dc=<parent domain>,dc=local" | Select-Object CanonicalName

Alt, old school method:

dsquery computer "OU=<OU name>,DC=<child domain>,DC=<parent domain>,DC=local" -o rdn

List all GPOs:

Get-NetGPO
Get-GPO -All

List GPOs applied to an OU, PS:

(Get-ADOrganizationalUnit "ou=clients,dc=test,dc=local" -Properties *).gpLink
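The raw gpLink string is just a list of [LDAP://<GPO DN>;<flags>] entries, so here is an added example (not from the original post) that resolves it with the AD module alone: it walks from the OU up to the domain head, resolves each linked GPO's display name and SYSVOL path, and decodes the link flags and Block Inheritance. The function name and the sample OU DN are assumptions; RDNs containing escaped commas are not handled.

```powershell
# Added example (not from the original post): decode gpLink on an OU and every container above it.
function Get-GpLinkChain {
    param([Parameter(Mandatory)][string]$OUDistinguishedName)

    $dn = $OUDistinguishedName
    while ($dn) {
        $container = Get-ADObject -Identity $dn -Properties gpLink, gpOptions
        # gpOptions bit 1 set = "Block Inheritance" on this container
        $blocks = (([int]$container.gpOptions) -band 1) -eq 1
        # gpLink is a single string of [LDAP://<GPO DN>;<flags>] entries
        $links = [regex]::Matches([string]$container.gpLink, '(?i)\[LDAP://([^;\]]+);(\d+)\]')
        $position = 0
        foreach ($link in $links) {
            $position++
            $flags = [int]$link.Groups[2].Value
            $gpo = Get-ADObject -Identity $link.Groups[1].Value -Properties displayName, gPCFileSysPath
            [pscustomobject]@{
                Container        = $dn
                BlockInheritance = $blocks
                Position         = $position                # order within this container's gpLink
                GPOName          = $gpo.displayName
                GPOGuid          = $gpo.Name
                LinkDisabled     = [bool]($flags -band 1)   # link flag bit 1
                Enforced         = [bool]($flags -band 2)   # link flag bit 2, survives Block Inheritance
                SysvolPath       = $gpo.gPCFileSysPath
            }
        }
        # Walk up one level by stripping the first RDN; stop once we reach DC=... (domain head)
        if ($dn -match '^(?:OU|CN)=[^,]+,(.+)$') { $dn = $Matches[1] } else { $dn = $null }
    }
}

# Assumed sample OU, matching the gpLink query above
Get-GpLinkChain -OUDistinguishedName 'OU=clients,DC=test,DC=local' | Format-Table -AutoSize
```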

Fully enumerating Group Policy though is honestly easier using RSOP.msc. It’ll show what settings are pushed to the system and what the GPO names are.

Please note that if you have local admin on a compromised system you can add RSAT. I did this during CRTP and it greatly helped visualize the domain using ADUC & GPMC. You can also upload any standalone installer, for example nmap. This will help you see what services are running on what systems in case you miss it during other enumeration methods.

Trust relationships

PowerView command shown first, native PS command shown second.

Find all domains in the current forest:

Get-NetForestDomain -Verbose
(Get-ADForest).Domains

Map all trusts:

Get-NetDomainTrust
Get-ADTrust -Filter * | Select-Object Source, Target, TrustType, Direction

Map all trusts of the forest:

Get-NetForestDomain -Verbose | Get-NetDomainTrust
(Get-ADForest).Domains | %{Get-ADTrust -Filter * -Server $_} | Select-Object Source, Target, TrustType, Direction

List only external trusts in the forest:

Get-NetForestDomain -Verbose | Get-NetDomainTrust | ?{$_.TrustType -eq 'External'}
(Get-ADForest).Domains | %{Get-ADTrust -Filter '(intraForest -ne $True) -and (ForestTransitive -ne $True)' -Server $_}

ID external trusts of the current domain:

Get-NetDomainTrust | ?{$_.TrustType -eq 'External'}
Get-ADTrust -Filter '(intraForest -ne $True) -and (ForestTransitive -ne $True)' | Select-Object Source, Target, TrustType, Direction

Find the trusts of an external domain that trusts us:

Get-NetForestDomain -Forest <external domain name> -Verbose | Get-NetDomainTrust
Get-ADTrust -Server <external domain name> -Filter * | Select-Object Source, Target, TrustType, Direction
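The trust queries above rolled into one forest-wide audit, as an added example that is not from the original post: it queries every domain in the forest, decodes the trustAttributes bit field (bit values from MS-ADTS) so the trust kind is explicit rather than inferred from IntraForest/ForestTransitive, and flags the two things a reviewer usually wants to see first: external trusts without SID filtering (quarantine) and trusts that allow TGT delegation. The function name is an assumption; it assumes a DC in each domain is reachable.

```powershell
# Added example (not from the original post): enumerate and decode every trust in the forest.
# trustAttributes bit values per MS-ADTS
$TrustAttributeBits = [ordered]@{
    1   = 'NON_TRANSITIVE'
    2   = 'UPLEVEL_ONLY'
    4   = 'QUARANTINED_DOMAIN'     # SID filtering on an external trust
    8   = 'FOREST_TRANSITIVE'
    16  = 'CROSS_ORGANIZATION'     # selective authentication
    32  = 'WITHIN_FOREST'
    64  = 'TREAT_AS_EXTERNAL'
    128 = 'USES_RC4_ENCRYPTION'
}

function Get-ForestTrustAudit {
    foreach ($domain in (Get-ADForest).Domains) {
        foreach ($trust in (Get-ADTrust -Filter * -Server $domain)) {
            $attrs   = [int]$trust.TrustAttributes
            $decoded = foreach ($bit in $TrustAttributeBits.Keys) {
                if ($attrs -band $bit) { $TrustAttributeBits[$bit] }
            }
            $kind = if ($attrs -band 32) { 'Intra-forest' }
                    elseif ($attrs -band 8) { 'Forest' }
                    else { 'External' }
            # External trusts should carry QUARANTINED_DOMAIN; TGT delegation across any trust is worth a look
            $finding = if ($kind -eq 'External' -and -not ($attrs -band 4)) {
                'External trust without SID filtering: review'
            } elseif ($trust.TGTDelegation) {
                'TGT delegation allowed across trust: review'
            } else { '' }
            [pscustomobject]@{
                QueriedFrom = $domain
                Source      = $trust.Source
                Target      = $trust.Target
                Kind        = $kind
                Direction   = $trust.Direction
                Attributes  = ($decoded -join ',')
                Finding     = $finding
            }
        }
    }
}

Get-ForestTrustAudit | Sort-Object Kind, Source | Format-Table -AutoSize
```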

User, computer, group, share enumeration

PowerView command shown first, native PS command shown second.

Show all Domain Users:

Get-NetUser | select -ExpandProperty SamAccountName
Get-ADUser -Filter * -Prop * | Select-Object SamAccountName

Show all Domain Computers:

Get-NetComputer
Get-ADComputer -Filter * -Properties * | Select-Object CanonicalName

Get info on a group in another domain:

Get-NetGroupMember -GroupName "Enterprise Admins" -Domain OtherDomain.local
Get-ADGroupMember -Identity "Enterprise Admins" -Server OtherDomain.local

See info on a given AD Group:

Get-NetGroup -GroupName "Domain Admins" -FullData
Get-ADGroup -Identity "Domain Admins"

Show members of Domain Admins group:

Get-NetGroupMember -GroupName "Domain Admins"
Get-ADGroupMember -Identity "Domain Admins"

Find interesting shares (via PowerView):

Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC -Verbose

Handy stuff that wasn’t in my CRTP notes

Oldie but a goodie to show the DC that holds each role:

netdom query fsmo

Get basic info about the domain itself:

Get-ADDomain

Get the user you are logged in as and the system you are on:

$env:username ; $env:computername

Get your current group memberships, another oldie but a goodie:

whoami /groups

Get your current group memberships, PS version:

Get-ADUser $env:username -Properties * | Select-Object MemberOf | Format-List

Find some basic info on all users:

Get-ADUser -Filter * -Properties * | Select-Object SamAccountName, UserPrincipalName, ServicePrincipalName, SID

Get users from only a specified OU, in this case how many there are:

(Get-ADUser -Filter * -SearchBase "OU=THM,DC=thmredteam,DC=com").Count

Find user accounts with SPNs [possibly Kerberoastable]:

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties * | Select-Object SamAccountName, ServicePrincipalName, MemberOf

Find computer accounts with unconstrained delegation enabled (by default all DCs will show up in this query. You are looking for the ones that aren’t DCs):

Get-ADComputer -Filter {TrustedForDelegation -eq $true}

Find users with interesting info in their account description (Worth a shot in a CTF, and some very poorly run domains.):

Get-ADUser -Filter {Description -like "*password*"} -Properties * | Select-Object SamAccountName, Description
Flags & passwords redacted as per THM’s writeup guidance

Find a user with a known SID (worth a shot in CTFs & poorly run domains as SID 500 never locks out):

Get-ADUser -Filter * | Where-Object {$_.SID -like "*-500"}

Find users without pre-auth required, aka ASREPRoastable:

Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties * | Select-Object SAMAccountName

Example query for exact attributes:

Get-ADUser -Filter * -Properties * | Where-Object {$_.SID -like "*-500"} | Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet, PasswordExpired

Remember if you are going to set the query result to a variable it’s normally best to use (<query>).<thing> :

$BruteForceMe = (Get-ADUser -Filter * -Properties * | Where-Object {$_.SID -like "*-500"}).SamAccountName

Don’t actually waste time on brute force if you take CRTP. They are very clear in their exam instructions that it is highly unlikely to work.
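The one-off queries in this section rolled into a single audit pass, as an added example that is not from the original post: it returns one object per finding (SPNs on user accounts, no pre-auth, non-DC unconstrained delegation, credential-looking descriptions, and the state of the RID 500 account) so the result can be exported or diffed between runs. It goes slightly beyond the page's queries in that it excludes krbtgt and disabled accounts from the SPN list, filters DCs by primaryGroupID (516 = Domain Controllers, 521 = RODCs), looks up RID 500 by SID instead of a wildcard, and matches "*pass*" rather than "*password*". The function name is an assumption.

```powershell
# Added example (not from the original post): one audit function over the account checks above.
function Get-ADAccountHygieneReport {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($Category, $Account, $Detail) {
        $findings.Add([pscustomobject]@{ Category = $Category; Account = $Account; Detail = $Detail })
    }

    # Enabled user accounts with an SPN (Kerberoastable); krbtgt always has one, so skip it
    Get-ADUser -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName, PasswordLastSet |
        Where-Object { $_.Enabled -and $_.SamAccountName -ne 'krbtgt' } |
        ForEach-Object { Add-Finding 'SPN on user account' $_.SamAccountName "PasswordLastSet=$($_.PasswordLastSet)" }

    # Accounts that do not require Kerberos pre-authentication (AS-REP roastable)
    Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true } |
        ForEach-Object { Add-Finding 'No pre-auth required' $_.SamAccountName "Enabled=$($_.Enabled)" }

    # Unconstrained delegation on computers that are not domain controllers
    Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties primaryGroupID, OperatingSystem |
        Where-Object { $_.primaryGroupID -notin 516, 521 } |
        ForEach-Object { Add-Finding 'Unconstrained delegation (non-DC)' $_.SamAccountName $_.OperatingSystem }

    # Descriptions that look like they carry a credential
    Get-ADUser -Filter { Description -like "*pass*" } -Properties Description |
        ForEach-Object { Add-Finding 'Password hint in description' $_.SamAccountName $_.Description }

    # Built-in Administrator (RID 500) never locks out, so record whether it is enabled and how old its password is
    $domainSid = (Get-ADDomain).DomainSID.Value
    $rid500 = Get-ADUser -Identity "$domainSid-500" -Properties PasswordLastSet
    Add-Finding 'RID 500 account' $rid500.SamAccountName "Enabled=$($rid500.Enabled); PasswordLastSet=$($rid500.PasswordLastSet)"

    return $findings
}

Get-ADAccountHygieneReport | Sort-Object Category | Format-Table -AutoSize
```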

Connecting from Linux

Connect to RDP using xfreerdp:

xfreerdp /v:10.10.188.175 /u:kkidd

PSRemote via evil-WinRM (using PTH):

evil-winrm -i 192.168.0.120 -u Administrator -H 03df526c49c8684ebed22fdb3ec5c533

If you have credentials:

evil-winrm -i 192.168.0.120 -u Administrator -p <password>

References:

Files required for PS AD module: https://github.com/samratashok/ADModule

Nikhil Mittal, how to use the PS AD module without RSAT: http://www.labofapenetrationtester.com/2018/10/domain-enumeration-from-PowerShell-CLM.html

Ired, PS AD module without RSAT: https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges


Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.