Active Directory Enumeration

Automated

Bloodhound

Invoke-BloodHound -CollectionMethod All
Invoke-BloodHound -CollectionMethod All -ExcludeDC

Manual

Powerview

Domain Enum

#Current Domain
Get-Domain | select Name,Parent,Forest,DomainControllers| fl
Get-DomainSID

#Domain Policy
(Get-DomainPolicyData).systemaccess

#Domain Controllers
Get-DomainController | select Name,OSversion,IPAddress | fl

Trusts

#Domain Trusts
Get-DomainTrust | select SourceName.TrustAttributes,TargetName,TrustDirection

#Forest Enum
#Current Forest
Get-Forest | select Name,SchemaRoleOwner,RootDomainSid | fl

#Forest Domains
Get-ForestDomain | select Name,PdcRoleOwner

#Forest Global Catalogue
Get-ForestGlobalCatalogue | select Name,Domain,IPAddress,OSVersion,Forest

#Forest Trusts
#Current Trusts
Get-ForestTrust

#External Forest Trusts
Get-ForestDomain | %{Get-DomainTrust -Domain $_.Name} | ?{$_.TrustAttributes -eq "FILTER_SIDS"}

#Enum Domain External Trusts
Get-DomainTrust | ?{$_.TrustAttributes -eq "FILTER_SIDS"}

Computer Enum

#Current Domain Computers
Get-DomainComputer | select name,logoncount,description,operatingsystem

#Server
Get-DomainComputer -OperatingSystem "*Server*"

#Pingable Computers
Get-DomainComputer -Ping | select name,logoncount,description,operatingsystem

LoggedOn Users

#Current Local Logged on Users
Get-NetLoggedon | select username

#Current Computer Logged on Users
Get-NetLoggedon -ComputerName {HOST}

#Last Login for a Domian Computer
Get-LastLoggedOn -ComputerName {HOST}

User Enum

#Current Domain Users
Get-DomainUser | select name,logoncount,description,memberof,useraccountcontrol
#User Full Details
Get-DomainUser -Identify {USER} -Properties *

Group Enum

#Domain Groups
#Current Domain Groups
Get-DomainGroup | select Name

#Domain Groups Contains "Admin"
Get-DomainGroup *admin* | select name,Description

#Domain Group members
Get-DomainGroupMember -Identify "Domain Admins" | select MemberName,MemberObjectCLass,MemberSID

#Local Groups
#Local Groups for Computer
Get-NetLocalGroup -ComputerName {HOST}

#Local Group Members
Get-NetLocalGroupMember -group Administrators

#Other Computer's Group Members
Get-NetLocalGroupMember -ComputerName {HOST} -GroupName Administrators | select MemberName,IsGroup,IsDomain

Group Policy

#Domain GPOs
Get-DomainGPO | select displayname,name

#Domain GPOs for Computer
Get-DomainGPO -ComputerIdentity {HOST} | select displayname,name

#Local Group Users GPO
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity
Get-DomainGPOUserLocalGroupMapping -Identity {USER}

#GPO applied on speecific OU
Get-DomainGPO -Identity "{}"

Organizational Units (OUs)

#Current Domain OUs
Get-DomainOU | select name,gplink

#Computers on Specific OU
(Get-DomainOU -Identity {OU}).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name

Access Controls Lists (ACL)

#ACLs for Object
Get-DomainObjectAcl -SamAccountName {USER} -ResolveGUIDs

#ACLS for Prefix or Group
Get-DomainObjectAcl -SearchBase "LDAP://CN=Domain Admins,CN=Users,DC=example,DC=domain,DC=com" -ResolveGUIDs | select ObjectDN,AceType,ActiveDirectoryRights

#Interesting ACLs
Find-InterestingDomainAcl -ResolveGUIDs | select IdentityReferenceName,AceType,ActiveDirectoryRights -Unique

#Path's ACL
Get-PathAcl -Path "\\{HOST}.{full.domain}\sysvol"

Other

#Share Enum
Invoke-ShareFinder
Invoke-ShareFinder -CheckShareAccess

#Sensitive Files
Invoke-FileFinder

#Domain File Servers
Get-NetFileServer

#Local Admin Access
Find-LocalAdminAccess -Verbose
Find-WMILocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess.ps1

Kerberoasting

#Find SPNs
Get-DomainUser -SPN | select samaccountname,serviceprinciplename
impacket-GetUserSPNs -request -dc-ip {IP} {full.domain}/{USER}:{PASS}
rubeus.exe kerberoast /stats

#Check for SPNs
Get-DomainUser -Identity {USER} | select serviceprinciplename

Kerberos Delegation

#Unconstrained
Get-DomainComputer -Unconstrained | select name,logoncount,msds-allowedtodelegateto | fl

#Constrained
#User Enum
Get-DomainUser -TrustedToAuth | select samaccountname,logoncount,msds-allowedtodelegateto | fl

#Computers Enum
Get-DomainComputer -TrustedToAuth | select name,logoncount,description,operatingsystem,msds-allowedtodelegateto | fl

#Resource-Based
Find-InterestingDomainACL | ?{$_.identityreferencename -match '{USER}'}

ASREPRoast

Get-DomainUser -PreauthNotRequired -Verbose
impacket-GetNPUsers -request -dc-ip {IP} {full.domain}/{USER}:{PASS}

#ASREPRoast.ps1
invoke-ASREPRoast -Verbose

Neko

Active Directory Enum

Automated

Bloodhound

Manual

Powerview

Domain Enum

Trusts

Computer Enum

LoggedOn Users

User Enum

Group Enum

Group Policy

Organizational Units (OUs)

Access Controls Lists (ACL)

Other

Kerberoasting

Kerberos Delegation

ASREPRoast

More coming soon.