Enumeration
Hack Responsibly.
Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.
Without the Active Directory module installed
Get Current Domain Info
Get Domain Trusts
Get Forest Info
Get Forest Trust Relationships
Enumerate Domain Users
Get User-related Environment Variables (cmd.exe)
List all Usernames
List Administrators
List all Info about a specific user
View All Users with Description Field Set
Using Active Directory PowerShell module
View all Active Directory commands
Display Basic Domain Information
Get Domain SID
Enumerate other Domains:
List Domain Controllers
Get all Domain Controllers by Hostname and Operating System
Enumerate Domain Computers:
Enumerate Domain Trust:
Enumerate Forest Trust:
Enumerate Local AppLocker Effective Policy:
Get all Fine Grained Password Policies
Get Domain Default Password Policy
Gets the password policy from the logged-in domain
Backup Active Directory System State Remotely
This will back up the domain controller's system state data. Change DC-Name to your server name and change the Backup-Path. The backup path can be a local disk or a UNC path.
AD User Enumeration
Get User and List All Properties (attributes)
For the variable $username, use the samAccountName of the account.
Get User and list only specific properties
Find a specific string in a certain user's attribute
Get All Active Directory Users in Domain
Get All Users From a Specific OU
OU = Full distinguished path of the OU
Get AD Users by Name
This command will find all users that have the word "bob" in the name.
Get All Disabled User Accounts
Disable User Account
Enable User Account
Get All Accounts with Password Set to Never Expire
Find All Locked User Accounts
Unlock User Account
List all Disabled User Accounts
Force Password Change at Next Login
Move a Single User to a New OU
You will need the distinguishedName of the user and the target OU.
Move Users from one OU to another using a CSV file
Create a CSV with a name field containing a list of the users' SamAccountNames. Then just change the target OU path to move the users.
AD Group Commands
Get All members of a Security group
Get All Security Groups
This will list all security groups in a domain
Add User to Group
Export Users From a Group
This will export group members to a CSV; change group-name to the group you want to export.
Get Group by keyword
Import a List of Users to a Group
AD Computer Commands
List All Computers
List All Computers by Name
Get All Computers from a specific OU
Get a Count of All Computers in Domain
Get all Windows 10 Computers
Get a Count of All computers by Operating System
This will provide a count of all computers, grouped by operating system. A great command to give you a quick inventory of computers in AD.
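As an added example (not from the original page), the count-by-OS idea above extended into a small inventory function that also reports, per operating system, how many machine accounts are enabled and how many have not logged on within a configurable number of days. It assumes the ActiveDirectory module is loaded and the account has read access to the domain; the function name and the 90-day default are choices made for this example.

```powershell
# Added example, not part of the original page: inventory of domain computers
# grouped by operating system, with enabled and stale counts per OS.
function Get-ADComputerInventory {
    param(
        [int]$StaleDays = 90   # assumption: no logon for 90 days counts as stale
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # LastLogonDate is derived from lastLogonTimestamp, which replicates only
    # approximately (up to 14 days behind), so it is fine for inventory but
    # not for precise timeline work.
    $computers = Get-ADComputer -Filter * -Properties OperatingSystem, LastLogonDate, Enabled

    $computers |
        Group-Object -Property OperatingSystem |
        ForEach-Object {
            $group = $_.Group
            [pscustomobject]@{
                # Computers with no operatingSystem attribute set end up in an
                # unnamed group; label it explicitly instead of leaving it blank.
                OperatingSystem = if ($_.Name) { $_.Name } else { '<unknown>' }
                Total           = $_.Count
                Enabled         = @($group | Where-Object Enabled).Count
                # Never-logged-on accounts have no LastLogonDate; treat them as stale.
                Stale           = @($group | Where-Object {
                                      -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff
                                  }).Count
            }
        } |
        Sort-Object -Property Total -Descending
}

# Usage: one row per operating system, stale meaning no logon in 180 days
Get-ADComputerInventory -StaleDays 180 | Format-Table -AutoSize
```

A high Stale count under an OS that is no longer supported is a quick way to spot machine accounts that should be disabled or removed, which is the clean-up the Delete commands further down this page are for.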
Delete a single Computer
Delete a List of Computer Accounts
Add the hostnames to a text file and run the command below.
Delete Computers From an OU
Using PowerView
Get Current Domain:
Get-NetDomain
Enumerate other Domains:
Get-NetDomain -Domain $DomainName
Get Domain SID:
Get-DomainSID
Get Domain Policy:
Get Domain Controllers:
Enumerate Domain Users:
Enumerate Domain Computers:
Enumerate Groups and Group Members:
Enumerate Shares
Enumerate Group Policies:
Enumerate OUs:
Enumerate ACLs:
Enumerate Domain Trust:
Enumerate Forest Trust:
User Hunting:
Escalate Privileges to Domain Admin with User Hunting:
If you have local admin access on a machine
If a Domain Admin has a session on that machine
Steal their token and impersonate them!
Using BloodHound
Group Policy
Get all GPO related commands
Get all GPOs by status
Backup all GPOs in the Domain
Enumeration using nltest and .Net
Get Domain Information
Get Current Domain Info
View Domain Forest Info
View Domain Trust Information
View All Domain Controllers
View DC for Current Session
Kerberos
Get domain name and DC the user authenticated to
Get All Logged on Sessions, Includes NTLM & Kerberos
View Current Kerberos Tickets
View Cached Krbtgt
Other useful AD enumeration tools
LDAPDomainDump: information dumper via LDAP; gathers the AD schema details.
adidnsdump: integrated DNS dumping by any authenticated user.
ACLight: advanced discovery of privileged accounts.
ADRecon: detailed Active Directory recon tool.
ADExplorer: easily navigate an AD database and save snapshots of it for offline viewing.