PowerView

https://powersploit.readthedocs.io/en/latest/Recon/

Enumerating AD Users

Gather Domain Information

Get-Domain

Gather Domain SID

Get-DomainSID

Gather List of DCs

Get-DomainController

Gather Domain Users

Get-DomainUser

Gather User Count

(Get-DomainUser).count

Gather Most Important Users Information

Get-DomainUser -Identity harry.jones -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,mail,useraccountcontrol

Gather List of Users That Do Not Require Kerberos Pre-authentication

Get-DomainUser -KerberosPreauthNotRequired -Properties samaccountname,useraccountcontrol,memberof

Gather Users With Kerberos Constrained Delegation

Get-DomainUser -TrustedToAuth -Properties samaccountname,useraccountcontrol,memberof

Gather Kerberos Unconstrained Delegation

Get-DomainComputer -Unconstrained -Properties dnshostname,useraccountcontrol

Gather Domain (User) Descriptions

Get-DomainUser -Properties samaccountname,description | Where {$_.description -ne $null}

Gather Account(s) With SPN

Get-DomainUser -SPN -Properties samaccountname,memberof,serviceprincipalname

Gather Password Set Times

Get-DomainUser -Properties samaccountname,pwdlastset,lastlogon -Domain InlaneFreight.local | select samaccountname, pwdlastset, lastlogon | Sort-Object -Property pwdlastset

Enumerating AD Groups

Gather Groups

Get-DomainGroup -Properties Name

Gather More Information on One Group

Get-DomainGroupMember -Identity '<Group name>'

Gather Security Groups

Find-ManagedSecurityGroups | select GroupName

Gather Security Operations Group

Get-DomainManagedSecurityGroup

Gather Local Groups

$sid = Convert-NameToSid <username>
$computers = Get-DomainComputer -Properties dnshostname | select -ExpandProperty dnshostname
foreach ($line in $computers) {Get-NetLocalGroupMember -ComputerName $line | ? {$_.SID -eq $sid}}

Enumerating AD Computers

Gather Most Useful Information

Get-DomainComputer -Properties dnshostname,operatingsystem,lastlogontimestamp,useraccountcontrol

Enumerating Domain ACLs

ForceChangePassword: abused with Set-DomainUserPassword
Add Members: abused with Add-DomainGroupMember
GenericAll: abused with Set-DomainUserPassword or Add-DomainGroupMember
GenericWrite: abused with Set-DomainObject
WriteOwner: abused with Set-DomainObjectOwner
WriteDACL: abused with Add-DomainObjectACL
AllExtendedRights: abused with Set-DomainUserPassword or Add-DomainGroupMember

Gather ACLs With Built-In

(Get-ACL "AD:$((Get-ADUser joe.evans).distinguishedname)").access | ? {$_.ActiveDirectoryRights -match "WriteProperty" -or $_.ActiveDirectoryRights -match "GenericAll"} | Select IdentityReference,ActiveDirectoryRights -Unique | ft -W

Gather ACL With PowerView

Get-DomainObjectAcl -Identity harry.jones -Domain inlanefreight.local -ResolveGUIDs

Gather ACL File Shares

# List file shares
Get-NetShare -ComputerName SQL01

# List ACLs inside a file share
Get-PathAcl "\\SQL01\DB_backups"

Gather DCsync ACL

$dcsync = Get-ObjectACL "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ObjectAceType -match 'Replication-Get')} | Select-Object -ExpandProperty SecurityIdentifier | Select -ExpandProperty value

# List Users who can DCSync
Convert-SidToName $dcsync
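As an added defensive check that is not part of the original page, the query above can be turned into an audit: resolve every principal holding replication (DCSync) rights on the domain head and flag any that are not on an expected allowlist. It assumes PowerView is loaded under its newer function names (Get-DomainObjectAcl and ConvertFrom-SID, the successors of Get-ObjectACL and Convert-SidToName used above); the domain DN and the allowlist are constructed placeholders to adjust for your environment.

```powershell
# Added example (not from the original page): audit DCSync-capable principals
# on the domain object and flag anything outside an expected allowlist.
# Assumes PowerView (Get-DomainObjectAcl, ConvertFrom-SID) is already loaded.
$DomainDN = 'DC=inlanefreight,DC=local'   # placeholder, set to your domain

# Principals that legitimately hold replication rights in most domains,
# written the way ConvertFrom-SID renders them. Constructed allowlist:
# add e.g. an Azure AD Connect (MSOL_) account if your environment has one.
$Expected = @(
    'Local System',
    'Enterprise Domain Controllers',
    'BUILTIN\Administrators',
    'INLANEFREIGHT\Domain Controllers',
    'INLANEFREIGHT\Domain Admins',
    'INLANEFREIGHT\Enterprise Admins'
)

# Pull the domain object's ACL with GUIDs resolved so ObjectAceType is readable
# (DS-Replication-Get-Changes, -All, -In-Filtered-Set) instead of a raw GUID.
$aces = Get-DomainObjectAcl -Identity $DomainDN -ResolveGUIDs |
    Where-Object {
        ($_.ActiveDirectoryRights -match 'GenericAll') -or
        ($_.ObjectAceType -match 'DS-Replication-Get-Changes')
    }

# One principal usually carries several ACEs, so group by SID and resolve
# each SID to a name only once.
$report = $aces | Group-Object -Property SecurityIdentifier | ForEach-Object {
    $name = ConvertFrom-SID $_.Name
    [pscustomobject]@{
        Principal = $name
        SID       = $_.Name
        Rights    = ($_.Group | ForEach-Object {
                        if ($_.ObjectAceType) { $_.ObjectAceType } else { $_.ActiveDirectoryRights }
                    } | Sort-Object -Unique) -join ', '
        Expected  = ($Expected -contains $name)
    }
}

$report | Sort-Object Expected, Principal | Format-Table -AutoSize

# Anything not on the allowlist needs an owner and a justification, or removal.
$report | Where-Object { -not $_.Expected } |
    ForEach-Object { Write-Warning "Unexpected DCSync-capable principal: $($_.Principal) ($($_.SID))" }
```

Run it from a domain-joined host with a low-privilege account; reading the domain ACL needs no special rights, so the same check can be scheduled as a recurring control.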

Enumerating Domain GPOs

Gather GPO Data

Get-DomainGPO | select displayname

Gather GPO of Computer

Get-DomainGPO -ComputerName WS01 | select displayname

Gather GPO Permissions

Get-DomainGPO | Get-ObjectAcl | ? {$_.SecurityIdentifier -eq 'S-1-5-21-2974783224-3764228556-2640795941-513'}

Enumerating Domain Trusts

Gather Trusts That Exist

Get-DomainTrust

Gather Trust Mapping From the Current Domain

Get-DomainTrustMapping

Last updated 5 months ago