l01-Enum.md

Hands-On 1: Basic Enumeration

• Hands-On 1: Basic Enumeration
  • Tasks
  • Preparation - Import AD Module
  • Enumerate Users
  • Enumerate Computers
  • Enumerate Domain Admins
  • Enumerate Enterprise Admins
  • Enumerate Kerberos Policy

---

Tasks

Enumerate following for the us.techcorp.local domain:

• Users
• Computers
• Domain Administrators
• Enterprise Administrators
• Kerberos Policy

---

Preparation - Import AD Module

To import AD Module:

Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll; Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1

---

Enumerate Users

Get-ADUser -Filter * -Properties *

Get-ADUser -Filter * -Properties CN, Description, PrimaryGroup, LastLogonDate, pwdLastSet | Select CN, Description, PrimaryGroup, LastLogonDate, pwdLastSet

---

Enumerate Computers

Get-ADComputer -Filter * -Properties DNSHostName | Select DNSHostName

---

Enumerate Domain Admins

• To get information of the Domain Admins group:

Get-ADGroup -Filter 'Name -like "*Domain Admins*"' -Properties *

• To get members in the Domain Admins group:

Get-ADGroupMember -Identity "Domain Admins" -Recursive

---

Enumerate Enterprise Admins

• To get information of the Enterprise Admins group:

Get-ADGroup -Identity "Enterprise Admins" -Properties * -Server techcorp.local

• To get members in the Enterprise Admins group:

Get-ADGroupMember -Identity "Enterprise Admins" -Server techcorp.local -Recursive

---

Enumerate Kerberos Policy

To enumerate Kerberos Policy, we need to use PowerView.

First use InviShell:

cd C:\AD\Tools\InviShell; .\RunWithRegistryNonAdmin.bat

Then import PowerView:

cd ..; . .\PowerView.ps1

To get Kerberos Policy:

(Get-DomainPolicyData).KerberosPolicy

---