killchain-compendium/post_exploitation/docs/windows/active_directory.md

# Active Directory Enumeration

* Consists of
    * Domain Controller 
    * Organizational Units
    * AD Domains
    * AD Forest

* Administrative accounts are
    * Domain Admin
    * Enterprise Admin
    * Schema Admin
    * Server Operator
    * Account Operator

## Usage

* `systeminfo | findstr Domain`
* `Get-ADUser -filter *`
* Use found CN and DC and specify
* `Get-ADUser -filter * -searchBase "CN=Users,DC=<foundDC>,DC=<domainEnding>"`

### DNS
* Check ip via `ipconfig`
* `nslookup`, then `server <LocalIP>` and zone transfer via 
```sh
ls -d <Domain>
```
bump 2022-02-07 23:37:05 +01:00			`# Active Directory Enumeration`

			`* Consists of`
			`* Domain Controller`
			`* Organizational Units`
			`* AD Domains`
			`* AD Forest`

			`* Administrative accounts are`
			`* Domain Admin`
			`* Enterprise Admin`
			`* Schema Admin`
			`* Server Operator`
			`* Account Operator`

			`## Usage`

			* `systeminfo \| findstr Domain`
			* `Get-ADUser -filter *`
			`* Use found CN and DC and specify`
			* `Get-ADUser -filter * -searchBase "CN=Users,DC=<foundDC>,DC=<domainEnding>"`

			`### DNS`
			* Check ip via `ipconfig`
			* `nslookup`, then `server <LocalIP>` and zone transfer via
			```sh
			`ls -d <Domain>`
			```