Enumeration

Basics

net users
net users /domain
net localgroup
net groups /domain
net groups /domain "Domain Admins"
Get-ADUser -Filter *
Get-Domain
Get-DomainUser
Get-DomainGroup
Get-DomainGroupMember -identity "Domain Admins" -Domain m0chanAD.local -DomainController 10.10.14.10
Find-DomainShare
# Host Discovery
netdiscover -r subnet/24
nbtscan -r [range]
for /L %i in (1,1,255) do @ping.exe -n 1 -w 50 <10.10.10>.%i | findstr TTL
# Reverse DNS Lookup
$ComputerIPAddress = "10.10.14.14"
[System.Net.Dns]::GetHostEntry($ComputerIPAddress).HostName

# https://github.com/tevora-threat/SharpView

Users with SPN

Get-DomainUser -SPN
Get-ADComputer -Filter {ServicePrincipalName -like "*<keyword>*"} -Properties OperatingSystem,OperatingSystemVersion,OperatingSystemServicePack,PasswordLastSet,LastLogonDate,ServicePrincipalName,TrustedForDelegation,TrustedtoAuthForDelegation

Kerberos Enumeration

nmap $TARGET -p 88 --script krb5-enum-users --script-args krb5-enum-users.realm='test'

Red-Team CSharp Scripts

# https://github.com/Mr-Un1k0d3r/RedTeamCSharpScripts
LDAPUtility.cs
Usage: ldaputility.exe options domain [arguments]
ldaputility.exe DumpAllUsers m0chan
ldaputility.exe DumpUser m0chan mr.un1k0d3r
ldaputility.exe DumpUsersEmail m0chan
ldaputility.exe DumpAllComputers m0chan
ldaputility.exe DumpComputer m0chan DC01
ldaputility.exe DumpAllGroups m0chan
ldaputility.exe DumpGroup m0chan "Domain Admins"
ldaputility.exe DumpPasswordPolicy m0chan
The same repository also provides WMIUtility.cs for WMI calls and LDAPQuery.cs for raw LDAP queries.
See the GitHub link above for full details.

Active Directory

nltest /DCLIST:DomainName
nltest /DCNAME:DomainName
nltest /DSGETDC:DomainName
# Get Current Domain Info - Similar to Get-Domain
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
# Get Domain Trust Info - Similar to Get-DomainTrust
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
# View Domain Info
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
# View Domain Trust Information
([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', 'forest-of-interest.local')))).GetAllTrustRelationships()
nltest [/server:<fqdn_foreign_domain>] /domain_trusts /all_trusts /v
nltest /dsgetfti:<domain>
nltest /server:<ip_dc> /domain_trusts /all_trusts
# View All Domain Controllers
nltest /dclist:offense.local
net group "domain controllers" /domain
# View DC for Current Session
nltest /dsgetdc:m0chanAD.local
# View Domain Trusts from CMD
nltest /domain_trusts
# View User Info from CMD
nltest /user:"m0chan"
# get domain name and DC the user authenticated to
klist
# Get All Logged on Sessions, Includes NTLM & Kerberos
klist sessions
# View Kerb Tickets
klist
# View Cached Krbtgt
klist tgt
# whoami on older Windows systems (prints the USERNAME and USERDOMAIN environment variables)
set u
# List all Usernames
([adsisearcher]"(&(objectClass=User)(samaccountname=*))").FindAll().Properties.samaccountname
# List accounts with admincount=1 (protected by AdminSDHolder)
([adsisearcher]"(&(objectClass=User)(admincount=1))").FindAll().Properties.samaccountname
# List all Info about a Specific User
([adsisearcher]"(&(objectClass=User)(samaccountname=<username>))").FindAll().Properties
# View All Users with Description Field Set
([adsisearcher]"(&(objectClass=User)(description=*))").FindAll().Properties | % { Write-Host "$($_.samaccountname) : $($_.description)" }
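The [adsisearcher] one-liners above silently stop at the domain's MaxPageSize (1000 objects by default) unless paging is enabled. The following reusable wrapper is an added example, not code from the original page; the function name Search-AdObjects and the parameter names are my own, and it assumes it runs on a domain-joined Windows host with an authenticated session. It is shown here running the user-description audit from the block above.

```powershell
# Added example (not from the original page): a paged [adsisearcher] wrapper that
# returns one object per directory entry with the requested attributes.
function Search-AdObjects {
    param(
        [Parameter(Mandatory)][string]$Filter,       # LDAP filter, e.g. (&(objectClass=user)(description=*))
        [string[]]$Properties = @('samaccountname'),
        [string]$SearchBase                          # optional, e.g. LDAP://OU=Staff,DC=example,DC=com (assumed value)
    )
    $searcher = [adsisearcher]$Filter
    if ($SearchBase) { $searcher.SearchRoot = [adsi]$SearchBase }
    # PageSize turns on paged LDAP search; without it the DC returns at most MaxPageSize (1000) results
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.Clear()
    [void]$searcher.PropertiesToLoad.AddRange($Properties)
    $results = $null
    try {
        $results = $searcher.FindAll()
        foreach ($r in $results) {
            $obj = [ordered]@{}
            foreach ($p in $Properties) {
                # ResultPropertyValueCollection: unwrap single values, keep multi-valued attributes as arrays
                $vals = @($r.Properties[$p])
                $obj[$p] = if ($vals.Count -le 1) { $vals[0] } else { $vals }
            }
            [pscustomobject]$obj
        }
    } finally {
        # SearchResultCollection holds unmanaged handles; release them even if enumeration failed
        if ($results) { $results.Dispose() }
    }
}

# Users whose description attribute is populated (the query the comment above describes).
# objectCategory=person excludes computer accounts, which are also objectClass=user.
Search-AdObjects -Filter '(&(objectCategory=person)(objectClass=user)(description=*))' `
                 -Properties samaccountname, description |
    Format-Table -AutoSize
```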

AD Enumeration from Linux Box - AD Tool

# https://github.com/jasonwbarnett/linux-adtool
tar zxvf adtools-1.x.tar.gz
cd adtools-1.x
./configure
make
make install
> adtool list ou=user,dc=example,dc=com
CN=allusers,OU=user,DC=example,DC=com
OU=finance,OU=user,DC=example,DC=com
OU=administration,OU=user,DC=example,DC=com
> adtool oucreate marketing ou=user,dc=example,dc=com
> adtool useradd jsmith ou=marketing,ou=user,dc=example,dc=com
> adtool setpass jsmith banana
> adtool unlock jsmith
> adtool groupadd allusers jsmith
> adtool attributereplace jsmith telephonenumber 123
> adtool attributereplace jsmith mail [email protected]

SharpView Enumeration

# https://github.com/tevora-threat/SharpView
Get-DomainFileServer
Get-DomainGPOUserLocalGroupMapping
Find-GPOLocation
Get-DomainGPOComputerLocalGroupMapping
Find-GPOComputerAdmin
Get-DomainObjectAcl
Get-ObjectAcl
Add-DomainObjectAcl
Add-ObjectAcl
Remove-DomainObjectAcl
Get-RegLoggedOn
Get-LoggedOnLocal
Get-NetRDPSession
Test-AdminAccess
Invoke-CheckLocalAdminAccess
Get-WMIProcess
Get-NetProcess
Get-WMIRegProxy
Get-Proxy
Get-WMIRegLastLoggedOn
Get-LastLoggedOn
Get-WMIRegCachedRDPConnection
Get-CachedRDPConnection
Get-WMIRegMountedDrive
Get-RegistryMountedDrive
Find-InterestingDomainAcl
Invoke-ACLScanner
Get-NetShare
Get-NetLoggedon

SMB Enumeration

nmap -p 139,445 --script smb-enum-shares,smb-ls INSERTIPADDRESS
enum4linux 1.3.3.7
smbmap -H 1.3.3.7
smbclient -L \\\\INSERTIPADDRESS
smbclient -L INSERTIPADDRESS
smbclient //INSERTIPADDRESS/tmp
smbclient \\\\INSERTIPADDRESS\\ipc$ -U john
smbclient //INSERTIPADDRESS/ipc$ -U john
smbclient //INSERTIPADDRESS/admin$ -U john
nbtscan [SUBNET]
# Check whether SMB signing is required
nmap --script smb-security-mode.nse -p 445 10.10.14.14

SNMP Enumeration