# 3. Enumerating Active Directory

Once you have established a foothold on a machine, you can enumerate the domain for more valid accounts and credentials.

## Microsoft Management Console (MMC) + RSAT

RSAT (Remote Server Administration Tools) is an AD "add-on" to the MMC application that lets you administer AD objects.

On Windows, `Start->Run->mmc`

In mmc, `File->Add/Remove Snap-in` and add in these 3 Snap-ins

<figure><img src="/files/yn1U7TaMaOw9xO8TkJJq" alt=""><figcaption></figcaption></figure>

We can now start enumerating the objects in the AD domain.

<figure><img src="/files/GTusC8Bk5QmqApd4xqam" alt=""><figcaption></figcaption></figure>

## Command line

Getting users in a domain

```
C:\> net user /domain
The request will be processed at a domain controller for domain za.tryhackme.com

User accounts for \\THMDC

-------------------------------------------------------------------------------
aaron.conway             aaron.hancock            aaron.harris
aaron.johnson            aaron.lewis              aaron.moore
```

Inspecting a single user

```
C:\> net user zoe.marshall /domain
The request will be processed at a domain controller for domain za.tryhackme.com

User name                    zoe.marshall
Full Name                    Zoe Marshall
Comment
```

Getting all groups in a domain

```
C:\> net group /domain
The request will be processed at a domain controller for domain za.tryhackme.com

Group Accounts for \\THMDC

-------------------------------------------------------------------------------
*Cloneable Domain Controllers

*Domain Users
[...]
*Schema Admins
```

Getting users in a group

```
C:\> net group "Tier 1 Admins" /domain
The request will be processed at a domain controller for domain za.tryhackme.com

Group name     Tier 1 Admins
Comment

Members

-------------------------------------------------------------------------------
t1_arthur.tyler          t1_gary.moss             t1_henry.miller
```

Getting the password policy of a domain (relevant to brute-forcing)

```
C:\> net accounts /domain
The request will be processed at a domain controller for domain za.tryhackme.com

Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
```
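The `net accounts /domain` listing is plain text, so here is an added example (not part of the original notes) that parses it into a hashtable and flags the settings that leave the domain weak against password guessing. The threshold values are assumed baselines, and the sample lines are constructed in the shape of the output shown above.

```powershell
# Added example: parse `net accounts /domain` text into a hashtable and flag weak settings.
# Thresholds are assumed baseline values, not taken from the page.
function ConvertFrom-NetAccounts {
    param([string[]]$Lines)
    $policy = @{}
    foreach ($line in $Lines) {
        # Policy lines look like "Setting name:        value"; the name may contain a '?'
        if ($line -match '^(?<name>[^:]+?):\s{2,}(?<value>\S.*)$') {
            $policy[$Matches['name'].Trim()] = $Matches['value'].Trim()
        }
    }
    return $policy
}

function Test-DomainPasswordPolicy {
    param([hashtable]$Policy)
    $findings = @()
    if ($Policy['Maximum password age (days)'] -eq 'Unlimited') {
        $findings += 'Passwords never expire'
    }
    if ([int]$Policy['Minimum password age (days)'] -eq 0) {
        $findings += 'Minimum password age 0 lets a user cycle straight back to an old password'
    }
    $minLen = [int]$Policy['Minimum password length']
    if ($minLen -lt 14) { $findings += "Minimum password length is $minLen (below 14)" }
    if ($Policy['Lockout threshold'] -eq 'Never') {
        $findings += 'No lockout threshold: repeated wrong passwords never lock the account'
    }
    return $findings
}

# Constructed sample in the same shape as the `net accounts /domain` output above
$sample = @(
    'Force user logoff how long after time expires?:       Never',
    'Minimum password age (days):                          0',
    'Maximum password age (days):                          Unlimited',
    'Minimum password length:                              7',
    'Length of password history maintained:                None',
    'Lockout threshold:                                    Never'
)
$policy = ConvertFrom-NetAccounts -Lines $sample
Test-DomainPasswordPolicy -Policy $policy

# Live use on a domain-joined host:
# Test-DomainPasswordPolicy -Policy (ConvertFrom-NetAccounts -Lines (net accounts /domain))
```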

## PowerView

Import PowerView before running the subsequent commands

```
powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1
```

```powershell
# Gets domain name, the forest name and the domain controllers.
powershell> Get-Domain

Forest                  : cyberbotic.io
DomainControllers       : {dc-2.dev.cyberbotic.io}
Children                : {}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  : cyberbotic.io
PdcRoleOwner            : dc-2.dev.cyberbotic.io

# Returns the domain controllers for the current or specified domain.
powershell> Get-DomainController | select Forest, Name, OSVersion | fl

Forest    : cyberbotic.io
Name      : dc-2.dev.cyberbotic.io
OSVersion : Windows Server 2022 Datacenter

# Returns all domains for the current forest or the forest specified by -Forest.
powershell> Get-ForestDomain

Forest                  : cyberbotic.io
DomainControllers       : {dc-1.cyberbotic.io}
Children                : {dev.cyberbotic.io}

# Useful for finding domain password policy for password cracking
powershell> Get-DomainPolicyData | select -expand SystemAccess

MinimumPasswordAge           : 1
MaximumPasswordAge           : 42
MinimumPasswordLength        : 7
PasswordComplexity           : 1
PasswordHistorySize          : 24


# Return all users in the Domain.
# To only return specific properties, use -Properties.
# use -Identity to return a specific user.
powershell> Get-DomainUser -Identity jking -Properties DisplayName, MemberOf | fl

displayname : John King
memberof    : {CN=Internet Users,CN=Users,DC=dev,DC=cyberbotic,DC=io, CN=Support 
              Engineers,CN=Users,DC=dev,DC=cyberbotic,DC=io}


# Return all computers or specific computer objects in the domain
powershell> Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName

dnshostname              
-----------              
dc-2.dev.cyberbotic.io
fs.dev.cyberbotic.io


# Search for all organization units (OUs) or specific OU objects.
powershell> Get-DomainOU -Properties Name | sort -Property Name

name              
----              
Domain Controllers
File Servers
Servers


# Return all domain groups or specific domain group objects.
powershell> Get-DomainGroup | where Name -like "*Admins*" | select SamAccountName

samaccountname
--------------
Domain Admins 
Key Admins    
DnsAdmins


# Return the members of a specific domain group.
powershell> Get-DomainGroupMember -Identity "Domain Admins" | select MemberDistinguishedName

MemberDistinguishedName                             
-----------------------                             
CN=Nina Lamb,CN=Users,DC=dev,DC=cyberbotic,DC=io    
CN=Administrator,CN=Users,DC=dev,DC=cyberbotic,DC=io


# Return all Group Policy Objects (GPOs) or specific GPO objects.
# To enumerate all GPOs that are applied to a particular machine, use -ComputerIdentity.
powershell> Get-DomainGPO -Properties DisplayName | sort -Property DisplayName

displayname                      
-----------                      
Computer Certificates
Default Domain Controllers Policy
Default Domain Policy


# Returns all GPOs that modify local group membership through Restricted Groups or Group Policy Preferences.
powershell> Get-DomainGPOLocalGroup | select GPODisplayName, GroupName

GPODisplayName     GroupName            
--------------     ---------            
Workstation Admins DEV\Support Engineers
Server Admins      DEV\Support Engineers


# Returns machines in a specific local group.
# This is useful for finding where domain groups have local admin access
powershell> Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl

ObjectName     : Support Engineers
GPODisplayName : Server Admins
ContainerName  : {OU=Servers,DC=dev,DC=cyberbotic,DC=io}
ComputerName   : {web.dev.cyberbotic.io, sql-2.dev.cyberbotic.io, fs.dev.cyberbotic.io}

# Return all domain trusts for the current or specified domain.
# Refer to Active Directory page for how to exploit this
powershell> Get-DomainTrust

SourceName      : dev.cyberbotic.io
TargetName      : cyberbotic.io
TrustType       : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection  : Bidirectional
WhenCreated     : 8/15/2022 4:00:00 PM
WhenChanged     : 8/15/2022 4:00:00 PM
```
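The GPO local-group mapping above tells you which domain group is a local Administrator on which machines, but not which users that actually is. The following added example (my own code, not PowerView's or the page's) joins `Get-DomainGPOUserLocalGroupMapping` with recursive `Get-DomainGroupMember` output into one audit table; it assumes PowerView is already imported and that the mapping objects carry the `IsGroup` property PowerView emits.

```powershell
# Added example: audit which domain users end up in a local group on which
# machines through GPO (Restricted Groups / GPP), by expanding group membership.
# Assumes PowerView.ps1 is imported and the current context can query the domain.
function Get-GpoLocalAdminAudit {
    param(
        [string]$LocalGroup = 'Administrators',
        [string]$Domain
    )
    $params = @{ LocalGroup = $LocalGroup }
    if ($Domain) { $params['Domain'] = $Domain }

    # One row per (GPO, domain object, OU) that grants membership in $LocalGroup
    $mappings = Get-DomainGPOUserLocalGroupMapping @params

    foreach ($m in $mappings) {
        # Expand groups to their nested user members; a user object maps to itself
        if ($m.IsGroup) {
            $members = Get-DomainGroupMember -Identity $m.ObjectName -Recurse |
                Where-Object { $_.MemberObjectClass -eq 'user' } |
                Select-Object -ExpandProperty MemberName
        } else {
            $members = @($m.ObjectName)
        }

        # ComputerName is the list of hosts inside the linked OU(s)
        foreach ($computer in @($m.ComputerName)) {
            foreach ($user in $members) {
                [pscustomobject]@{
                    Computer   = $computer
                    LocalGroup = $LocalGroup
                    ViaObject  = $m.ObjectName
                    User       = $user
                    GPO        = $m.GPODisplayName
                    OU         = (@($m.ContainerName) -join ';')
                }
            }
        }
    }
}

# Everyone who is a local admin somewhere through a GPO, one line per (computer, user)
Get-GpoLocalAdminAudit | Sort-Object Computer, User | Format-Table -AutoSize
```

For the page's own data this would expand `DEV\Support Engineers` on `web`, `sql-2` and `fs` into the individual accounts in that group, which is the list a defender needs to review.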

## BloodHound + SharpHound

SharpHound is the data collector for BloodHound.

Collecting domain information with SharpHound from the compromised host

{% code overflow="wrap" %}

```
Sharphound.exe --CollectionMethods All  --Domain za.tryhackme.com --ExcludeDCs
```

{% endcode %}

Once the collection finishes, move the output artifacts to the attacker machine and import them into BloodHound.

