# Enumeration

> **NOTE: The goal is to escalate privileges to Domain Administrator.**

## Initial Access

### RDP

{% code overflow="wrap" %}

```bash
xfreerdp3 /u:'<Username>' /d:'<Domain Name>' /p:'<Password>' /v:<Target IP Address> /dynamic-resolution +clipboard /drive:/home/kali/offsec/downloads,/shared
```

{% endcode %}

## Enumeration

### Manual

> **NOTE: Make sure to run the following!**
>
> ```powershell
> powershell -ep bypass
> ```

Get users on domain

```powershell
net user /domain
```

Get info on particular user

```powershell
net user <Username> /domain
```

Get groups on domain

```powershell
net group /domain
```

Get info on a particular **custom** group

```powershell
net group "<Group Name>" /domain
```

### PowerView

> **NOTE: Remember to run the following**
>
> * ```powershell
>   powershell -ep bypass
>   ```
>
> * ```powershell
>   Import-Module .\PowerView.ps1
>   ```

Enumerate Users in the Domain

```powershell
Get-NetUser
```

To get a filtered result

```powershell
Get-NetUser | select <Field Name> ...
```

> **EXAMPLE:**
>
> ```powershell
> Get-NetUser | select samaccountname, cn, pwdlastset, lastlogon
> ```

To get specific information about a particular user

```powershell
Get-NetUser <Username>
```

Enumerate Groups in the Domain

```powershell
Get-NetGroup
```

To get a filtered result

```powershell
Get-NetGroup | select <Field name> ...
```

> **EXAMPLE:**
>
> ```powershell
> Get-NetGroup | select cn
> ```

To get specific information about a particular group

```powershell
Get-NetGroup <Group Name>
```

Enumerate Computers in the Domain

```powershell
Get-NetComputer
```

To get a filtered result

```powershell
Get-NetComputer | select <Field name> ...
```

> **EXAMPLE:**
>
> ```powershell
> Get-NetComputer | select operatingsystem, dnshostname
> ```

To get specific information about a particular computer

```powershell
Get-NetComputer <DNS Host Name>
```

To find computers on which the current user has local administrative rights

```powershell
Find-LocalAdminAccess
```

To list logged-on users on a target machine

```powershell
Get-NetSession -ComputerName <Computer Name> -Verbose
```

> **NOTE: If the session query fails or returns nothing, check permissions.**
>
> Permissions for NetSessionEnum are defined by the `SrvsvcSessionInfo` value under the registry key `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity`.

Alternative (Sysinternals PsLoggedon)

```powershell
C:\Tools\PSTools\PsLoggedon.exe \\<Host Name>
```

> **NOTE: Remote machine must have Remote Registry service enabled**

To check the permissions on a registry key

{% code overflow="wrap" %}

```powershell
Get-Acl -Path <Registry Hive>:<Registry Path> | fl
```

{% endcode %}

> **EXAMPLE:**
>
> ```powershell
> Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl
> ```
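As an added defender's check, not part of the original notes: `Get-Acl` shows the ACL of the key itself, but the `SrvsvcSessionInfo` value is a raw security descriptor, so the function below decodes it and reports which principals hold the session-enumeration access bit. It assumes a local run with read access to the key; `Get-NetSessionEnumAccess` is an invented helper name.

```powershell
# Added example (not from the original notes): decode the SrvsvcSessionInfo value,
# which is a raw self-relative security descriptor rather than a normal key ACL,
# and report who is allowed to call NetSessionEnum on this host.
# Assumes a local run with read access to the key; the function name is invented.
function Get-NetSessionEnumAccess {
    [CmdletBinding()]
    param(
        [string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
    )
    # SRVSVC_SESSION_USER_INFO_GET: the access bit that gates NetSessionEnum
    $SessionInfoGet = 0x1

    $bytes = (Get-ItemProperty -Path $Path -Name SrvsvcSessionInfo).SrvsvcSessionInfo
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)

    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only standard allow/deny ACEs carry a plain SID + mask we can interpret
        if ($ace -isnot [System.Security.AccessControl.CommonAce]) { continue }
        $sid = $ace.SecurityIdentifier
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }
        [pscustomobject]@{
            Principal       = $name
            SID             = $sid.Value
            AceType         = $ace.AceType
            AccessMask      = ('0x{0:X}' -f $ace.AccessMask)
            CanEnumSessions = ($ace.AceType -eq 'AccessAllowed') -and
                              (($ace.AccessMask -band $SessionInfoGet) -ne 0)
        }
    }
}

# Default Windows state: Authenticated Users (S-1-5-11) hold the bit, so any domain
# user can enumerate sessions. Flag that so the host can be hardened (NetCease-style).
Get-NetSessionEnumAccess | Where-Object { $_.CanEnumSessions -and $_.SID -eq 'S-1-5-11' } |
    ForEach-Object { Write-Warning "$($_.Principal) can enumerate sessions on $env:COMPUTERNAME" }
```

Run `Get-NetSessionEnumAccess | Format-Table` on its own to see the full decoded DACL rather than only the warning.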

To enumerate Service Principal Names (SPNs)

```powershell
Get-NetUser -SPN | select samaccountname, serviceprincipalname
```

To enumerate ACEs

```powershell
Get-ObjectAcl -Identity "<Username | Group Name>"
```

> **NOTE: Look out for ActiveDirectoryRights and SecurityIdentifier**

To enumerate interesting ACLs across the domain

{% code overflow="wrap" %}

```powershell
Find-InterestingDomainAcl | select identityreferencename,activedirectoryrights,acetype,objectdn | ?{$_.IdentityReferenceName -NotContains "DnsAdmins"} | ft
```

{% endcode %}

To enumerate all principals that hold ActiveDirectoryRights = GenericAll over a group

{% code overflow="wrap" %}

```powershell
Get-ObjectAcl -Identity "<Group Name>" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier, ActiveDirectoryRights
```

{% endcode %}

To enumerate all principals that hold ActiveDirectoryRights = GenericWrite over a group

{% code overflow="wrap" %}

```powershell
Get-ObjectAcl -Identity "<Group Name>" | ?{$_.ActiveDirectoryRights -eq "GenericWrite"} | select SecurityIdentifier, ActiveDirectoryRights
```

{% endcode %}

To convert SIDs to names in bulk

{% code overflow="wrap" %}

```powershell
"<SID>", "<SID>", "<SID>", "<SID>", "<SID>" | Convert-SidToName
```

{% endcode %}

To convert a single SID to a name

```powershell
Convert-SidToName "<SID>"
```
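Added example, not from the original notes and not PowerView code, that serves both the GenericAll/GenericWrite checks above and the SID-to-name conversion: it audits a group's DACL with built-in ADSI/.NET, keeps only write-capable rights, and resolves each SID. It assumes a domain-joined host; `Get-GroupDangerousAces` and `<Group Name>` are placeholders of mine.

```powershell
# Added example (not from the original page): audit who holds write-capable
# rights over a group object using built-in ADSI/.NET only (no PowerView).
# Assumes a domain-joined host; the function name is an invented helper.
function Get-GroupDangerousAces {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$GroupName,
        # Rights that allow changing membership or taking over the object
        [string[]]$Dangerous = @('GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty')
    )
    # Schema GUID of the 'member' attribute; WriteProperty scoped to it = can add members
    $memberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

    # Locate the group by sAMAccountName in the current domain
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$GroupName))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Group '$GroupName' not found" }
    $dn    = $result.Properties['distinguishedname'][0]
    $entry = $result.GetDirectoryEntry()

    # Read the DACL keyed by SID so unresolvable (e.g. deleted) principals still appear
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        $rights = $rule.ActiveDirectoryRights.ToString() -split ',\s*'
        $hits = @($rights | Where-Object { $Dangerous -contains $_ })
        # WriteProperty on an unrelated attribute is noise; keep it only when it
        # covers all properties (empty GUID) or the 'member' attribute specifically
        if ($hits -contains 'WriteProperty' -and
            $rule.ObjectType -ne [guid]::Empty -and $rule.ObjectType -ne $memberGuid) {
            $hits = @($hits | Where-Object { $_ -ne 'WriteProperty' })
        }
        if ($hits.Count -eq 0) { continue }
        $sid = $rule.IdentityReference
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }
        [pscustomobject]@{
            Group     = $dn
            Principal = $name
            SID       = $sid.Value
            Rights    = ($hits -join ',')
            Inherited = $rule.IsInherited
        }
    }
}

# Usage: Get-GroupDangerousAces -GroupName '<Group Name>' | Format-Table -AutoSize
```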

Add a user to a domain group

```powershell
net group "<Group Name>" <Username> /add /domain
```

To enumerate all shares on the domain

```powershell
Find-DomainShare
```

To enumerate shares available to current user

```powershell
Find-DomainShare -CheckShareAccess
```

To enumerate a Group Policy Object (`Get-GPO` comes from the GroupPolicy RSAT module, not PowerView)

```powershell
Get-GPO -Name "<Group Policy Name>"
```

> **EXAMPLE:**
>
> ```powershell
> Get-GPO -Name "Default Domain Policy"
> ```

To enumerate a user's permissions on the Group Policy Object

{% code overflow="wrap" %}

```powershell
Get-GPPermission -Guid <GPO GUID> -TargetType User -TargetName <Username>
```

{% endcode %}

> **NOTE: Only interesting if the returned permission contains either "ModifySecurity" or "FullControl".**

### BloodHound

To import the BloodHound collector

```powershell
Import-Module C:\Tools\Bloodhound.ps1
```

To begin collection with BloodHound

{% code overflow="wrap" %}

```powershell
Invoke-BloodHound -CollectionMethod All -OutputDirectory <Path> -OutputPrefix "corp audit"
```

{% endcode %}

On Kali, start the neo4j database that backs BloodHound:

```bash
sudo neo4j start
```

> **NOTE: Head over to <http://localhost:7474>**
>
> **Username: neo4j**
>
> **Password: arctic-iris-zipper-prism-courage-7161**
