Bufu-Sec Wiki

Computers

Get List of Computers in Current Domain

# AD Module
Get-ADComputer -Filter * -Properties *
Get-ADComputer -Filter * | Select Name

# PowerView
Get-NetComputer
Get-NetComputer -FullData

Check for Live Hosts (depends on ICMP)

# AD Module
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}

# PowerView
Get-NetComputer -Ping
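Both checks above rely on ICMP echo, which host firewalls commonly block, so a silent host is not necessarily a dead one. The following is an added example (not from the wiki or from PowerView) that keeps the ICMP check but falls back to a short TCP connect on ports Windows hosts usually listen on; the port list and the timeout are assumptions, and the AD module is assumed to be loaded.

```powershell
# Added example: live-host check that does not depend on ICMP alone.
# Assumes the ActiveDirectory module is loaded; ports and timeout are illustrative choices.
function Test-AdComputerAlive {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$DnsHostName,
        [int[]]$Ports = @(445, 135, 3389),   # SMB, RPC endpoint mapper, RDP (assumed common listeners)
        [int]$TimeoutMs = 500
    )
    process {
        $result = [pscustomobject]@{ Host = $DnsHostName; Icmp = $false; TcpPort = $null; Alive = $false }

        # First try ICMP, the same check the cheat sheet commands use.
        $result.Icmp = [bool](Test-Connection -ComputerName $DnsHostName -Count 1 -Quiet -ErrorAction SilentlyContinue)
        if ($result.Icmp) { $result.Alive = $true; return $result }

        # ICMP filtered: try a bounded TCP connect instead of declaring the host down.
        foreach ($port in $Ports) {
            $client = New-Object System.Net.Sockets.TcpClient
            try {
                $async = $client.BeginConnect($DnsHostName, $port, $null, $null)
                if ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
                    $result.TcpPort = $port
                    $result.Alive   = $true
                    break
                }
            } catch {
                # name resolution or socket errors mean "no answer on this port", nothing more
            } finally {
                $client.Close()
            }
        }
        return $result
    }
}

# Usage: feed the same computer list the AD-module one-liner pulls, keep only reachable hosts.
Get-ADComputer -Filter * -Properties DNSHostName |
    Where-Object DNSHostName |
    ForEach-Object { Test-AdComputerAlive -DnsHostName $_.DNSHostName } |
    Where-Object Alive
```

The output keeps the Icmp and TcpPort columns separately, so an inventory can distinguish hosts that simply filter ping from hosts that are actually offline.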

Information about Operating Systems

# AD Module
Get-ADComputer -Filter 'OperatingSystem -Like "*Server 2016"' -Properties OperatingSystem | Select Name,OperatingSystem

# PowerView
Get-NetComputer -OperatingSystem "*Server 2016"
Get-NetComputer -FullData | select dnshostname,operatingsystem

Get List of Sessions on Computer

# PowerView
Get-NetSession -ComputerName "dc01.lab.local"

Find Any Computers with Constrained Delegation Set

# PowerView
Get-DomainComputer -TrustedToAuth

Find All Servers that Allow Unconstrained Delegation

# PowerView
Get-DomainComputer -Unconstrained
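The two PowerView switches above map to attributes the AD module exposes directly: unconstrained delegation is the TRUSTED_FOR_DELEGATION flag in userAccountControl, constrained delegation is a populated msDS-AllowedToDelegateTo. This added example (not from the wiki or from PowerView) pulls both sets with the AD module and separates domain controllers, which are unconstrained by design, from member servers, which are the findings a defender reviews first; the function name and output shape are this example's own.

```powershell
# Added example: AD-module audit of constrained and unconstrained delegation.
# Assumes the ActiveDirectory module is loaded and the caller can read the domain.
function Get-DelegationAudit {
    [CmdletBinding()]
    param([string]$Server)   # optional DC to query; omitted = default domain

    $query = @{
        Properties = 'DNSHostName','TrustedForDelegation','TrustedToAuthForDelegation',
                     'msDS-AllowedToDelegateTo','PrimaryGroupID'
    }
    if ($Server) { $query.Server = $Server }

    # Domain Controllers group RID is 516, Read-only Domain Controllers is 521.
    $dcGroupIds = 516, 521

    # Unconstrained: same set as 'Get-DomainComputer -Unconstrained'.
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' @query | ForEach-Object {
        [pscustomobject]@{
            Computer           = $_.DNSHostName
            Type               = 'Unconstrained'
            IsDC               = $_.PrimaryGroupID -in $dcGroupIds
            Targets            = $null
            ProtocolTransition = $false
        }
    }

    # Constrained: same set as 'Get-DomainComputer -TrustedToAuth'.
    # TrustedToAuthForDelegation = protocol transition ("use any authentication protocol") enabled.
    Get-ADComputer -Filter 'msDS-AllowedToDelegateTo -like "*"' @query | ForEach-Object {
        [pscustomobject]@{
            Computer           = $_.DNSHostName
            Type               = 'Constrained'
            IsDC               = $_.PrimaryGroupID -in $dcGroupIds
            Targets            = ($_.'msDS-AllowedToDelegateTo' -join ';')
            ProtocolTransition = [bool]$_.TrustedToAuthForDelegation
        }
    }
}

# Usage: non-DC hosts with unconstrained delegation are the highest-priority findings.
Get-DelegationAudit |
    Where-Object { $_.Type -eq 'Unconstrained' -and -not $_.IsDC } |
    Format-Table -AutoSize
```

Filtering on the Targets and ProtocolTransition columns gives the constrained-delegation review: entries whose target SPNs point at sensitive services, or that have protocol transition enabled, deserve a closer look than plain constrained delegation.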

Return the Local Groups of a Remote Server

# PowerView
Get-NetLocalGroup SERVER.domain.local

Return the Local Group Members of a Remote Server Using Win32 API Methods (faster but less info)

# PowerView
Get-NetLocalGroupMember -Method API -ComputerName SERVER.domain.local

Enumerate Computers in the Current Domain with 'outlier' Properties

# PowerView
Get-DomainComputer -FindOne | Find-DomainObjectPropertyOutlier

Last updated 2 years ago