Bufu-Sec Wiki

Domains

Get Current Domain

# AD Module
Get-ADDomain

# PowerView
Get-NetDomain

Get Object of Another Domain

# AD Module
Get-ADDomain -Identity lab.local

# PowerView
Get-NetDomain -Domain lab.local

Get Domain SID for Current Domain

# AD Module
(Get-ADDomain).DomainSID

# PowerView
Get-DomainSID

Get Domain Policy for Current Domain

# PowerView
Get-DomainPolicy
(Get-DomainPolicy)."System Access"

Get Password Policy for Another Domain

# PowerView
(Get-DomainPolicy -Domain lab.local)."System Access"

Get Kerberos Policy for e.g. Mimikatz Golden Tickets

# PowerView
(Get-DomainPolicy -Domain lab.local)."Kerberos Policy"

Get Domain Controllers for Current Domain

# AD Module
Get-ADDomainController

# PowerView
Get-NetDomainController

Get Domain Controllers for Another Domain

# AD Module
Get-ADDomainController -DomainName lab.local -Discover

# PowerView
Get-NetDomainController -Domain lab.local

Enumerate All Global Catalogs in the Forest

# PowerView
Get-ForestGlobalCatalog

Turn a List of Computer Short Names to FQDNs, Using a Global Catalog

# PowerView
# GLOBAL.CATALOG is a placeholder: use one of the global catalogs returned by Get-ForestGlobalCatalog
gc computers.txt | % {Get-DomainComputer -SearchBase "GC://GLOBAL.CATALOG" -LDAPFilter "(name=$_)" -Properties dnshostname}

Enumerate the Current Domain Controller Policy

# PowerView
$DCPolicy = Get-DomainPolicy -Policy DC
$DCPolicy.PrivilegeRights # user privilege rights on the dc...

Enumerate the Current Domain Policy

# PowerView
$DomainPolicy = Get-DomainPolicy -Domain bufu-sec.local
$DomainPolicy.KerberosPolicy # useful for golden tickets ;)
$DomainPolicy.SystemAccess # password age/etc.
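As an added example that is not part of the original cheatsheet, the following function takes the object returned by Get-DomainPolicy above and audits the password, lockout and Kerberos settings against a simple baseline, so a defender can spot the weak values that make the policy interesting to an attacker. It assumes PowerView is loaded and that the policy object exposes the GptTmpl.inf sections as SystemAccess and KerberosPolicy with string values, as the newer Get-DomainPolicyData does.

```powershell
# Added example, not PowerView's own code. Assumes $Policy is the output of
# Get-DomainPolicy and that its SystemAccess / KerberosPolicy sections hold the
# raw GptTmpl.inf key names (MinimumPasswordLength, LockoutBadCount, MaxTicketAge, ...).
function Test-DomainPolicyBaseline {
    param(
        [Parameter(Mandatory)] $Policy,
        [int]$MinPasswordLength    = 14,
        [int]$MaxLockoutBadCount   = 10,   # 0 means account lockout is disabled
        [int]$MaxTicketAgeHours    = 10,   # Windows default TGT lifetime
        [int]$MaxServiceAgeMinutes = 600   # Windows default service ticket lifetime
    )
    $findings = @()
    $sa = $Policy.SystemAccess
    $kp = $Policy.KerberosPolicy

    # Password policy
    if ([int]$sa.MinimumPasswordLength -lt $MinPasswordLength) {
        $findings += "MinimumPasswordLength is $($sa.MinimumPasswordLength), baseline is $MinPasswordLength"
    }
    if ([int]$sa.PasswordComplexity -ne 1) {
        $findings += "PasswordComplexity is disabled"
    }
    # -1 means passwords never expire at the domain level
    if ([int]$sa.MaximumPasswordAge -eq -1) {
        $findings += "MaximumPasswordAge is -1 (domain passwords never expire)"
    }

    # Lockout policy
    if ([int]$sa.LockoutBadCount -eq 0) {
        $findings += "Account lockout is disabled (LockoutBadCount = 0)"
    } elseif ([int]$sa.LockoutBadCount -gt $MaxLockoutBadCount) {
        $findings += "LockoutBadCount is $($sa.LockoutBadCount), baseline is $MaxLockoutBadCount"
    }

    # Kerberos policy: long ticket lifetimes extend how long a stolen ticket stays usable
    if ([int]$kp.MaxTicketAge -gt $MaxTicketAgeHours) {
        $findings += "MaxTicketAge is $($kp.MaxTicketAge)h, baseline is ${MaxTicketAgeHours}h"
    }
    if ([int]$kp.MaxServiceAge -gt $MaxServiceAgeMinutes) {
        $findings += "MaxServiceAge is $($kp.MaxServiceAge)m, baseline is ${MaxServiceAgeMinutes}m"
    }
    return $findings
}

# Run it against the domain used on this page; an empty result means no deviations were found
$DomainPolicy = Get-DomainPolicy -Domain bufu-sec.local
Test-DomainPolicyBaseline -Policy $DomainPolicy
```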

Last updated 2 years ago