# Enumeration

> **NOTE: The goal of this enumeration is to find a path to escalate privileges to Domain Administrator.**

## Initial Access

### RDP

{% code overflow="wrap" %}

```bash
xfreerdp3 /u:'<Username>' /d:'<Domain Name>' /p:'<Password>' /v:<Target IP Address> /dynamic-resolution +clipboard /drive:/home/kali/offsec/downloads,/shared
```

{% endcode %}

## Enumeration

### Manual

> **NOTE: Make sure to run the following!**
>
> ```powershell
> powershell -ep bypass
> ```

Get users on domain

```powershell
net user /domain
```

Get info on particular user

```powershell
net user <Username> /domain
```

Get groups on domain

```powershell
net group /domain
```

Get members of a particular group (`net group /domain` only covers **global** groups; for domain-local groups use `net localgroup "<Group Name>" /domain`)

```powershell
net group "<Group Name>" /domain
```

### PowerView

> **NOTE: Remember to run the following**
>
> * ```powershell
>   powershell -ep bypass
>   ```
>
> * ```powershell
>   Import-Module .\PowerView.ps1
>   ```

Enumerate Users in the Domain

```powershell
Get-NetUser
```

To get filtered result

```powershell
Get-NetUser | select <Field Name> ...
```

> **EXAMPLE:**
>
> Get-NetUser | select samaccountname, cn, pwdlastset, lastlogon

To get specific information of a particular user

```powershell
Get-NetUser <Username>
```

Enumerate Groups in the Domain

```powershell
Get-NetGroup
```

To get filtered result

```powershell
Get-NetGroup | select <Field name> ...
```

> **EXAMPLE:**
>
> Get-NetGroup | select cn

To get specific information of a particular group

```powershell
Get-NetGroup <Group Name>
```

Enumerate Computers in the Domain

```powershell
Get-NetComputer
```

To get filtered result

```powershell
Get-NetComputer | select <Field name> ...
```

> **EXAMPLE:**
>
> Get-NetComputer | select operatingsystem, dnshostname

To get specific information of a particular computer

```powershell
Get-NetComputer <DNS Host Name>
```

To find machines on which the current user has local administrative rights

```powershell
Find-LocalAdminAccess
```

To list users with an active session on a target machine (uses the NetSessionEnum API)

```powershell
Get-NetSession -ComputerName <Computer Name> -Verbose
```

> **NOTE: If the call returns nothing, check permissions before assuming nobody is logged on.**
>
> Who may call NetSessionEnum is governed by the security descriptor stored in the `SrvsvcSessionInfo` value under `HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity`. From Windows 10 1709 / Windows Server 2019 onward the default descriptor no longer lets ordinary domain users enumerate sessions remotely, so an empty result on a modern host is expected rather than an error.

Alternatives

```powershell
C:\Tools\PSTools\PsLoggedon.exe \\<Host Name>
```

> **NOTE: The remote machine must have the Remote Registry service running; PsLoggedon reads the HKEY\_USERS hive to find interactively logged-on users and falls back to NetSessionEnum for users connected via shares.**

To check the permissions on the registry key

{% code overflow="wrap" %}

```powershell
Get-Acl -Path <Registry Hive>:<Registry Path> | fl
```

{% endcode %}

> **EXAMPLE:**
>
> Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl

> **NOTE: Get-Acl returns the ACL of the registry key itself (who can read or change the key). The permissions that decide whether NetSessionEnum succeeds are the security descriptor stored inside the `SrvsvcSessionInfo` value, which has to be decoded separately.**
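
The following is an added example, not part of the original page: it reads the `SrvsvcSessionInfo` value and decodes the security descriptor it contains, so you can see which principals hold the session-enumeration bit before trusting an empty `Get-NetSession` result. It assumes read access to the key (locally, or remotely via the Remote Registry service) and uses only .NET registry and access-control classes.

```powershell
# Added example, not from the original page: decode the security descriptor that actually
# governs NetSessionEnum, stored as REG_BINARY in the SrvsvcSessionInfo value.
# Assumes read access to the key (locally, or remotely via the Remote Registry service).
function Get-SessionEnumAcl {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $KeyPath = 'SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
    $Hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $Key  = $Hive.OpenSubKey($KeyPath)
    if (-not $Key) { throw "Cannot open HKLM\$KeyPath on $ComputerName" }

    # The value is a self-relative security descriptor; .NET parses it straight from the bytes
    [byte[]]$Bytes = $Key.GetValue('SrvsvcSessionInfo')
    $Sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Bytes, 0)

    foreach ($Ace in $Sd.DiscretionaryAcl) {
        $Sid  = $Ace.SecurityIdentifier
        # Resolve well-known and domain SIDs to names; fall back to the raw SID if lookup fails
        $Name = try { $Sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $Sid.Value }
        [pscustomobject]@{
            Principal  = $Name
            AceType    = $Ace.AceType
            AccessMask = '0x{0:X8}' -f $Ace.AccessMask
            # SRVSVC_SESSION_USER_INFO_GET (0x1) is the bit that permits session enumeration
            CanEnum    = [bool]($Ace.AccessMask -band 0x1)
        }
    }
}

Get-SessionEnumAcl | Format-Table -AutoSize
```

If neither the current user nor any group it belongs to appears with an `AccessAllowed` entry that has `CanEnum` set, `Get-NetSession` will return nothing against that host no matter who is logged on; fall back to `PsLoggedon.exe` or to a host where the descriptor is looser.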

To enumerate Service Principal Name

```powershell
Get-NetUser -SPN | select samaccountname, serviceprincipalname
```

To enumerate ACEs

```powershell
Get-ObjectAcl -Identity "<Username | Group Name>"
```

> **NOTE: Look out for ActiveDirectoryRights and SecurityIdentifier. Add `-ResolveGUIDs` so that ObjectAceType shows attribute names (for example `Member`) instead of raw schema GUIDs.**

To enumerate interesting ACL

{% code overflow="wrap" %}

```powershell
Find-InterestingDomainAcl | select identityreferencename,activedirectoryrights,acetype,objectdn | ?{$_.IdentityReferenceName -notmatch "DnsAdmins"} | ft
```

{% endcode %}

> **NOTE: The filter must be `-notmatch` (or `-notlike "*DnsAdmins*"`). `-NotContains` is a collection operator; applied to the string `CORP\DnsAdmins` it compares the whole string and never excludes anything.**

{% code overflow="wrap" %}

```powershell
# Same query, wide output kept on one line
Find-InterestingDomainAcl -ResolveGUIDs | select identityreferencename,activedirectoryrights,acetype,objectdn | ?{$_.IdentityReferenceName -notmatch "DnsAdmins"} | ft -AutoSize
```

{% endcode %}

To enumerate all ACEs on a group that grant GenericAll (full control over the group, including its membership)

{% code overflow="wrap" %}

```powershell
Get-ObjectAcl -Identity "<Group Name>" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier, ActiveDirectoryRights
```

{% endcode %}

To enumerate all ACEs on a group that grant GenericWrite

{% code overflow="wrap" %}

```powershell
Get-ObjectAcl -Identity "<Group Name>" | ?{$_.ActiveDirectoryRights -eq "GenericWrite"} | select SecurityIdentifier, ActiveDirectoryRights
```

{% endcode %}

To convert SID to Name in bulk

{% code overflow="wrap" %}

```powershell
"<SID>", "<SID>", "<SID>", "<SID>", "<SID>" | Convert-SidToName
```

{% endcode %}

To convert SID to Name individually

```powershell
Convert-SidToName "<SID>"
```
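
The following is an added example, not part of the original page, that pulls the ACE enumeration and SID resolution above into one sweep: every allow ACE on a target object whose rights permit changing the object (not just reading it), with the SID resolved and the well-known owners filtered out, so a right held by the current user or one of their groups stands out. It assumes PowerView.ps1 is already imported; the target name and the ignore list are placeholders to adjust per domain.

```powershell
# Added example, not from the original page: list every ACE on an object that lets its holder
# modify it, with the SID resolved. Assumes PowerView.ps1 is imported; the target and the
# ignore list are placeholders.
function Find-ModifyRights {
    param(
        [Parameter(Mandatory)][string]$Identity,
        # Principals expected to hold full rights anyway; dropped to reduce noise
        [string[]]$Ignore = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Local System')
    )

    # Rights that change the object or its security descriptor, as opposed to read-only rights
    $Modify = 'GenericAll', 'GenericWrite', 'WriteProperty', 'WriteDacl', 'WriteOwner', 'Self'

    Get-ObjectAcl -Identity $Identity -ResolveGUIDs |
        Where-Object { $_.AceQualifier -eq 'AccessAllowed' } |
        ForEach-Object {
            $Rights = $_.ActiveDirectoryRights.ToString()
            if ($Modify | Where-Object { $Rights -match $_ }) {
                [pscustomobject]@{
                    Object    = $_.ObjectDN
                    Principal = Convert-SidToName $_.SecurityIdentifier.ToString()
                    Rights    = $_.ActiveDirectoryRights
                    # With -ResolveGUIDs this is the attribute name, e.g. Member for a WriteProperty ACE
                    Attribute = $_.ObjectAceType
                    Inherited = $_.IsInherited
                }
            }
        } |
        Where-Object { $Ignore -notcontains $_.Principal.Split('\')[-1] } |
        Format-Table -AutoSize
}

# Placeholder target: the group (or user / computer) whose ACL you want to inspect
Find-ModifyRights -Identity '<Group Name>'
```

A `WriteProperty` entry whose `Attribute` is `Member` is enough to add yourself to the group; `GenericAll`, `GenericWrite`, `WriteDacl` and `WriteOwner` get you there too, with one or two extra steps.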

Add a user to a domain group (only works if the current user holds GenericAll, GenericWrite or WriteProperty on `Member` for that group)

```powershell
net group "<Group Name>" <Username> /add /domain
```

To enumerate all shares on Domain

```powershell
Find-DomainShare
```

To enumerate shares available to current user

```powershell
Find-DomainShare -CheckShareAccess
```

To enumerate Group Policy

```powershell
Get-GPO -Name "<Group Policy Name>"
```

> **EXAMPLE:**
>
> Get-GPO -Name "Default Domain Policy"

To enumerate a user's permissions on a group policy (`-Guid` is the GPO's GUID, the `Id` field in the `Get-GPO` output; requires the GroupPolicy RSAT module)

{% code overflow="wrap" %}

```powershell
Get-GPPermission -Guid <GPO GUID> -TargetType User -TargetName <Username>
```

{% endcode %}

> **NOTE: Only interesting if the returned Permission is `GpoEdit` or `GpoEditDeleteModifySecurity` (the latter is what "ModifySecurity" refers to); when the same GPO object is inspected with `Get-ObjectAcl` instead, the equivalent shows up as GenericAll or full control.**
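
The following is an added example, not part of the original page: rather than checking one GPO for one user, it sweeps every GPO in the domain and reports the trustees that hold edit rights on it, skipping the accounts that own GPOs by default. It requires the GroupPolicy RSAT module (`Get-GPO`, `Get-GPPermission`); the ignore list is an assumption to tune per domain.

```powershell
# Added example, not from the original page: sweep all GPOs and report trustees with edit rights,
# ignoring the accounts that own GPOs by default. Requires the GroupPolicy RSAT module.
function Find-EditableGpo {
    param(
        # Default GPO owners; adjust per domain
        [string[]]$Ignore = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'CREATOR OWNER', 'ENTERPRISE DOMAIN CONTROLLERS')
    )
    # Permission values Get-GPPermission reports when the trustee may change the GPO's settings
    $EditRights = 'GpoEdit', 'GpoEditDeleteModifySecurity'

    foreach ($Gpo in Get-GPO -All) {
        Get-GPPermission -Guid $Gpo.Id -All |
            Where-Object { $EditRights -contains $_.Permission.ToString() -and
                           $Ignore -notcontains $_.Trustee.Name } |
            ForEach-Object {
                [pscustomobject]@{
                    GPO        = $Gpo.DisplayName
                    Id         = $Gpo.Id
                    Trustee    = $_.Trustee.Name
                    Permission = $_.Permission
                }
            }
    }
}

Find-EditableGpo | Format-Table -AutoSize
```

For each hit, check where the GPO is linked (PowerView: `Get-DomainOU -GPLink <GPO GUID>`); edit rights on a GPO only matter for the computers and users in the OUs it applies to.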

### BloodHound

To import the collector (the SharpHound PowerShell wrapper, which provides `Invoke-BloodHound`)

```powershell
Import-Module C:\Tools\Bloodhound.ps1
```

To start collection (produces a timestamped zip in the output directory; copy it to Kali for import)

{% code overflow="wrap" %}

```powershell
Invoke-BloodHound -CollectionMethod All -OutputDirectory <Path> -OutputPrefix "corp audit"
```

{% endcode %}

On Kali, start the Neo4j database, then launch `bloodhound` and import the collected zip:

```bash
sudo neo4j start
```

> **NOTE: Head over to <http://localhost:7474>**
>
> **Username: neo4j**
>
> **Password: whatever was set on first login (the lab value used here: arctic-iris-zipper-prism-courage-7161)**


