OSCP-CPTS NOTES
Credentialed Enumeration From Windows

Active Directory Credentialed Enumeration (Windows)

1️⃣ PowerShell & Active Directory Module

PowerShell’s built-in ActiveDirectory module provides essential tools for querying and managing Active Directory objects.

Loading the Module

  • Get-Module → Lists available PowerShell modules

  • Import-Module ActiveDirectory → Loads the Active Directory module if not already imported

Domain & User Enumeration

  • Get-ADDomain → Displays general domain information

  • Get-ADTrust -Filter * → Checks for domain trust relationships

  • Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName → Identifies Kerberoastable accounts

  • Get-ADGroup -Filter * | Select-Object Name → Lists all AD groups

  • Get-ADGroup -Identity "Administrators" → Retrieves details of a specific group

  • Get-ADGroupMember -Identity "Domain Admins" → Lists members of a specified group
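The SPN query above returns the Kerberoastable population; the following added example (not part of these notes) turns it into a defender-side audit with the same ActiveDirectory module, scoring each account on whether RC4 tickets are still allowed, password age and privileged status so the weakest service accounts can be rotated or moved to AES/gMSA first. It assumes RSAT is installed and the caller is a domain user; the 365-day threshold and the function name are assumptions.

```powershell
# Added example, not part of the original notes: audit the accounts the cheat-sheet's
# SPN query returns, so that weak service accounts can be fixed before anyone roasts them.
# Assumes the RSAT ActiveDirectory module is installed and the caller is a domain user.
Import-Module ActiveDirectory

function Get-KerberoastExposure {
    [CmdletBinding()]
    param(
        # Assumed threshold: service-account passwords older than this are flagged.
        [int]$MaxPasswordAgeDays = 365
    )

    # Same population as the notes' filter: enabled user objects that carry an SPN.
    $accounts = Get-ADUser -Filter { ServicePrincipalName -like "*" -and Enabled -eq $true } `
        -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', adminCount

    foreach ($acct in $accounts) {
        # krbtgt always has an SPN; it is protected and rotated by a separate process.
        if ($acct.SamAccountName -eq 'krbtgt') { continue }

        # msDS-SupportedEncryptionTypes bit flags: 0x4 = RC4-HMAC, 0x8 = AES128, 0x10 = AES256.
        # An unset value (0) falls back to the domain default, which allows RC4 unless hardened.
        $encTypes   = [int]$acct.'msDS-SupportedEncryptionTypes'
        $rc4Allowed = ($encTypes -eq 0) -or (($encTypes -band 0x4) -ne 0)
        $aesOnly    = (-not $rc4Allowed) -and (($encTypes -band 0x18) -ne 0)

        $pwdAgeDays = if ($acct.PasswordLastSet) { ((Get-Date) - $acct.PasswordLastSet).Days } else { $null }
        $privileged = ($acct.adminCount -eq 1)

        # Highest risk: crackable ticket type, stale password and a privileged account.
        $risk = if ($rc4Allowed -and $privileged -and $pwdAgeDays -gt $MaxPasswordAgeDays) { 'High' }
                elseif ($rc4Allowed) { 'Medium' }
                else { 'Low' }

        [PSCustomObject]@{
            SamAccountName  = $acct.SamAccountName
            SPNCount        = @($acct.ServicePrincipalName).Count
            PasswordAgeDays = $pwdAgeDays
            RC4Allowed      = $rc4Allowed
            AESOnly         = $aesOnly
            Privileged      = $privileged
            Risk            = $risk
        }
    }
}

# Most exposed accounts first: RC4 still allowed, oldest passwords at the top.
Get-KerberoastExposure | Sort-Object RC4Allowed, PasswordAgeDays -Descending | Format-Table -AutoSize
```

Accounts reported as Medium or High are the ones the Get-DomainSPNTicket step later on this page would yield RC4 tickets for; setting AES-only encryption types and rotating the password removes them from that list.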

2️⃣ PowerView

PowerView is a robust PowerShell tool used for Active Directory reconnaissance.

Basic Enumeration Commands

  • Get-Domain → Retrieves details about the Active Directory domain

  • Get-DomainUser → Lists users in the domain

  • Get-DomainComputer → Enumerates domain-joined computers

  • Get-DomainController → Identifies domain controllers

  • Get-DomainGroup → Lists all domain groups

  • Get-DomainOU → Enumerates Organizational Units (OUs)

  • Find-InterestingDomainAcl → Detects modification rights in domain ACLs

Privilege & Access Enumeration

  • Find-DomainUserLocation → Identifies machines where users are logged in

  • Find-DomainShare → Discovers accessible file shares in the domain

  • Find-InterestingDomainShareFile → Searches for potentially sensitive files in shares

  • Test-AdminAccess → Verifies administrative privileges on a remote machine

Trust & Group Membership Analysis

  • Get-DomainTrust → Retrieves domain trust relationships

  • Get-ForestTrust → Identifies forest-level trust relationships

  • Get-DomainForeignUser → Lists users who belong to groups outside their primary domain

  • Get-DomainForeignGroupMember → Finds groups with members from outside domains

  • Get-DomainTrustMapping → Maps domain trust relationships

3️⃣ SharpView

SharpView is a .NET alternative to PowerView, offering similar enumeration functionality in a compiled format.

  • .\SharpView.exe Get-DomainUser -Identity "john.doe" → Retrieves details about a specific user

4️⃣ BloodHound & SharpHound

BloodHound is a powerful tool used for visualizing Active Directory attack paths. The SharpHound.exe collector gathers necessary information.

  • .\SharpHound.exe -c All --zipfilename DataCollection → Executes full AD enumeration

Once collected, transfer the results to an attacker-controlled machine and analyze them in BloodHound.

5️⃣ Snaffler - File Scavenging Tool

Snaffler automates the discovery of sensitive files within an Active Directory environment.

  • Snaffler.exe -s -d corp.local -o findings.log -v data → Runs a deep scan for valuable files

6️⃣ Additional Recon Tools & Methods

General System Enumeration

  • Get-NetLocalGroup → Lists local groups on a machine

  • Get-NetLocalGroupMember → Enumerates members of a local group

  • Get-NetShare → Identifies accessible shared directories

  • Get-NetSession → Retrieves active session details on a machine

Service Principal Name (SPN) Enumeration

  • Get-DomainSPNTicket → Requests Kerberos tickets for Service Principal Name (SPN) accounts (potential Kerberoasting targets)

By leveraging these techniques, an attacker or pentester can gather valuable information about an Active Directory environment while minimizing detection. 🚀

Last updated 1 month ago
