# Red Teaming: The Art of Active Directory Enumeration

## Introduction :

In the ever-evolving landscape of cybersecurity, red teaming has emerged as a pivotal practice for organizations seeking to fortify their defenses against potential threats. Among the arsenal of techniques employed during red team assessments, the art of enumeration stands out as a crucial phase in the reconnaissance process.

Upon gaining entry to the network and obtaining access to a machine within the domain using a low-privileged user with PowerShell capabilities, we can start our enumeration process can be initiated.

Enumeration, the process of extracting valuable information about a target network, lays the foundation for subsequent stages of a red teaming engagement. It involves meticulous reconnaissance, where every bit of data becomes a potential key to unlocking vulnerabilities.

## **Identify Domain Controller :**

Before we dive into the main content of the blog, let's explore various techniques that can be employed to identify Domain Controllers (DC) within large networks.

#### 1\. **Obtaining the Domain Name**

1.1 Right-click on "This PC" or "Computer," go to Properties, and inspect the Full Computer Name.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702133354362/692c36f9-6fea-4b9d-aae1-812b3e9e3428.png align="center")

1.2 Command Prompt

```bash
echo %userdomain%
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702133436486/8b17e79f-f9b6-447b-a33a-b389a3bbd65b.png align="center")

1.3 IP Configuration

```bash
ipconfig /all
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702133522863/93d05694-b76a-4636-9e13-77a4886af34d.png align="center")

#### 2\. **Identifying Domain Controllers**

2.1 DNS Records

```bash
nslookup -type=SRV _ldap._tcp.<YourDomainName>
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702133604297/c7c49728-7939-4dc4-af4a-d8a58bdfae84.png align="center")

2.2 NetDom Command

```bash
netdom query /domain:<YourDomainName> dc
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702133714030/5778d5cc-bd51-4dd8-b6c6-0f146fca15f1.png align="center")

## **Enumerating Active Directory with In-built PowerShell Commands :**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702140317908/098ef407-583d-42ce-8ecc-b5f478378d5a.png align="center")

When it comes to enumeration, red teamers often face constraints, especially in environments where running external PowerShell scripts may be restricted due to security policies. However, there are built-in PowerShell commands that can adeptly navigate the intricate landscape of AD without relying on external scripts.

#### 1\. List all domain controllers

```powershell
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).DomainControllers | ForEach-Object { $_.Name }
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702128405068/f1413a61-19ef-4978-a812-4a52de1f89f4.png align="center")

#### 2\. **Retrieve information about a specific user**

```powershell
$userSearcher = [System.DirectoryServices.DirectorySearcher]'(&(objectClass=user)(sAMAccountName=<Username>))'
$userSearcher.FindOne().Properties
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702128523706/7899a19c-f7fb-4138-8e68-0d5f2d514720.png align="center")

#### 3\. **List all groups in the domain:**

```powershell
([ADSISearcher]"(&(ObjectClass=group))").FindAll() | ForEach-Object { $_.Properties['member'] | ForEach-Object { $_ } }
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702129068609/97ce6201-d7fd-481d-b32e-110966cf11d4.png align="center")

#### 4\. **Show group members for a specific group**

```powershell
([ADSISearcher]"(&(ObjectClass=group)(sAMAccountName=<GroupName>))").FindOne().Properties['member'] | ForEach-Object { $_ }
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702129265196/c4e411f3-0102-482e-85b1-032ad54187c5.png align="center")

#### 5\. **Display group memberships for a specific user**

```powershell
([ADSISearcher]"(&(ObjectClass=user)(sAMAccountName=<Username>))").FindOne().Properties['memberOf'] | ForEach-Object { $_ }
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702129397841/2cd6582f-1306-4d07-9c22-35f7f247e329.png align="center")

#### 6\. **List all computers in the domain**

```powershell
([ADSISearcher]"ObjectClass=computer").FindAll() | ForEach-Object { $_.Properties['name'][0] }
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702129466090/0b006128-6380-47f4-9c15-eb41fd514d88.png align="center")

#### 7\. **Retrieve information about a specific computer**

```powershell
([ADSISearcher]"(&(ObjectClass=computer)(ObjectCategory=computer)(cn=<Computer Name>))").FindOne().Properties
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702129784303/c32f5787-07e3-44c0-bff7-6de1e8ce4b54.png align="center")

#### 8\. **List and show details of a specific Organizational Unit (OUs)**

```powershell
([ADSISearcher]"ObjectClass=organizationalUnit").FindAll() | ForEach-Object { $_.Properties }
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702129902165/9904da06-d51f-4270-b6db-824a74466fb9.png align="center")

#### 9\. **Retrieve information about all Group Policy Objects**

```powershell
([ADSISearcher]"ObjectClass=groupPolicyContainer").FindAll() | ForEach-Object { $_.Properties }
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702129981500/19a478ed-bc2f-4919-bd15-6b8318ae7e9a.png align="center")

#### 10\. **Enumerate all domain users**

```powershell
([ADSISearcher]"ObjectClass=user").FindAll() | ForEach-Object { $_.Properties['sAMAccountName'][0] }
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702130026034/cf0f4a3d-ac30-4796-95eb-ba6683e18a44.png align="center")

#### 11\. Find all DNS Service Records (SRV)

```powershell
Resolve-DnsName -Type SRV -DnsOnly -Name "_ldap._tcp.dc._msdcs.<YourDomainName>"
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702130869486/c70d82c3-ac5b-45d5-a6e1-bf37900667cd.png align="center")

## **Enumerating Active Directory Using AD Module :**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702139722795/ad9bcc9c-1669-4888-9e29-c6f238e912ed.png align="center")

Leveraging the Active Directory module is a key tactic in efficient enumeration. This tool equips practitioners with precise commands to navigate and extract valuable insights from Active Directory, a critical aspect of comprehensive security assessments.

#### 1\. List all domain controllers

```powershell
Get-ADDomainController -Filter *
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702042020039/33053cb1-353c-43fa-a551-f83656818575.png align="center")

#### 2\. Retrieve information about a specific user

```powershell
Get-ADUser -Identity <Username> -Properties *
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702042054092/01c56707-41d0-421b-8609-ce9ff886116a.png align="center")

#### 3\. List all groups in the domain

```powershell
Get-ADGroup -Filter *
```

```bash
# Enumerate all the Group names and save it in a file 
(Get-ADGroup -Filter *).Name | Out-File -FilePath GroupNames.txt
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702042115254/2241f44b-a35e-4e78-b2f8-ed35c3691f7f.png align="center")

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702045097471/d86075a2-3101-4140-b4fb-d187e5c3ba89.png align="center")

#### 4\. Show group members for a specific group

```powershell
Get-ADGroupMember -Identity <GroupName>
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702042152987/e558ea6d-5c55-48dc-b0b4-c3d189ebb3ca.png align="center")

#### 5\. Display group memberships for a specific user

```powershell
Get-ADUser <Username> | Get-ADPrincipalGroupMembership
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702041888348/71d8bcc3-31e7-435b-bd36-28ab677cd7aa.png align="center")

#### 6\. List all computers in the domain

```powershell
Get-ADComputer -Filter *

# Enumerate all the Computer host names and save it in a file 
(Get-ADComputer -Filter *).DNSHostName | Out-File -FilePath ComputerHostnames.txt
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702042220522/1ec2fcd6-3d15-47c0-94e2-ee66f166738a.png align="center")

#### 7\. Retrieve information about a specific computer

```powershell
Get-ADComputer -Identity <ComputerName> -Properties *
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702042275918/2cd4f1f3-5382-4330-8122-39283f73a924.png align="center")

#### 8\. List and show details of a specific Organizational Unit (OUs)

```powershell
Get-ADOrganizationalUnit -Filter * Get-ADOrganizationalUnit -Identity <OUName> -Properties *
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702042335681/b19b0817-579e-4ae7-82c8-f34c8008f0ef.png align="center")

#### 9\. Retrieve information about all Group Policy Objects

```powershell
# Group Policy Objects & display details of a specific Group Policy Object
Get-GPO -All Get-GPO -Name <GPOName> -Detailed
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702042421377/8b7a6c5b-9be3-4c87-b96b-68d875720324.png align="center")

#### 10\. Enumerate all domain users

```powershell
Get-ADUser -Filter * -Properties * | Select-Object SamAccountName, DisplayName, UserPrincipalName, DistinguishedName | Export-Csv -Path C:\Path\To\Save\Users.csv -NoTypeInformation
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702042532749/c0244f63-534c-4457-a467-c84eb322eb3a.png align="center")

***Note:*** *If you want to save the output of each file you can add this cmdlet at the end of each command -* `| Out-File -FilePath "NameOfFile.txt"`

## **Enumerating Active Directory Using Command Prompt :**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702140582890/8f430030-3644-4801-9a29-a2970645c084.png align="center")

#### 1\. List all domain users

```powershell
net user /domain > Users.txt
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702042620894/d4cfeb99-4d53-4123-a9f5-475b41890b5b.png align="center")

#### 2\. **List all domain groups**

```bash
net group /domain
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702131878092/5edef2ab-266c-4db6-80a1-a4f831395ecd.png align="center")

#### 3\. **List all domain users in a specific group**

```bash
net group "<GroupName>" /domain
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702132088335/c8e5d279-9feb-483c-a059-b16323a4a59e.png align="center")

#### 4\. **List all domain groups a user is a member of**

```bash
net user "<Username>" /domain
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702132181055/28fc55bd-4134-44ef-b397-9877e516f524.png align="center")

#### 5\. **List all domain computers**

```bash
dsquery computer -limit 0
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702132299291/34444184-d03a-4c24-8d56-12d4638e1d87.png align="center")

#### 6\. Show domain policies

```bash
gpresult /SCOPE COMPUTER /Z
gpresult /SCOPE USER /Z
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1702132640197/18d65b1a-1f95-4ebb-90ae-617ca1fa4425.png align="center")

***Note:*** *If you want to save any output in cmd just give* `> filename.txt` *at the end of the command*

## **Enumerating Active Directory Using External PowerShell Scripts :**

While native PowerShell commands offer a robust foundation, the realm of possibilities expands exponentially with the incorporation of external PowerShell scripts.

In the real world of cybersecurity, exploring Active Directory can be tricky. We often run into issues like EDR (Endpoint Detection and Response) flags and antivirus roadblocks. Figuring out how to get around these defenses takes time that we usually don't have in urgent situations.

In our journey, we need to recognize that testing external PowerShell scripts, like PowerView and PowerViewDev, is essential. These scripts help us look into Active Directory beyond the basics. However, there are challenges; EDR might spot these scripts, and antivirus tools could raise alarms. So, our path involves using these scripts for exploration while dealing with the security measures in place.

1. AMSI bypass (https://amsi.fail)
    
2. Obfuscating/Breaking PowerShell scripts
    

## Conclusion :

In conclusion, the blog highlights the crucial role of enumeration in red teaming for fortifying cybersecurity defenses. While in-built PowerShell commands offer a solid foundation for Active Directory exploration, the real-world landscape introduces challenges, necessitating the use of external scripts like PowerView.
