killchain-compendium/post_exploitation/docs/windows/active_directory.md

Active Directory Enumeration

  • An AD environment consists of
    • Domain Controller
    • Organizational Units
    • AD Domains
    • AD Forest
  • Administrative accounts are members of
    • Domain Admin
    • Enterprise Admin
    • Schema Admin
    • Server Operator
    • Account Operator

Usage

  • systeminfo | findstr Domain (shows the domain the host is joined to)
  • Get-ADUser -Filter * (lists every user; needs the ActiveDirectory RSAT module)
  • Use the CN and DC values found above to narrow the search base:
  • Get-ADUser -Filter * -SearchBase "CN=Users,DC=<foundDC>,DC=<domainEnding>"
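As an added example (not part of the original notes), the same Get-ADUser/search-base idea turned into a membership audit of the privileged groups listed above; it assumes the ActiveDirectory RSAT module is installed and the caller can read the domain, and discovers the DC components from Get-ADDomain instead of hard-coding them.

```powershell
# Added example, not from the original notes: audit who is in the privileged
# AD groups named above, using the ActiveDirectory (RSAT) module.
# Assumes the module is installed and the caller can read the domain.
Import-Module ActiveDirectory

# Discover the domain DN instead of typing DC=<foundDC>,DC=<domainEnding> by hand.
$domainDN = (Get-ADDomain).DistinguishedName

# The privileged groups from the notes. Server/Account Operators live in the
# Builtin container, so resolve each group by name rather than by a fixed DN.
$privilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Server Operators', 'Account Operators'
)

function Get-PrivilegedMembership {
    param([string[]]$GroupNames)
    foreach ($name in $GroupNames) {
        # Enterprise/Schema Admins exist only in the forest root domain; skip elsewhere.
        $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        # -Recursive expands nested groups so indirect members are reported too.
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.DistinguishedName `
                        -Properties Enabled, PasswordLastSet, LastLogonDate
                [pscustomobject]@{
                    Group           = $name
                    SamAccountName  = $u.SamAccountName
                    Enabled         = $u.Enabled
                    PasswordLastSet = $u.PasswordLastSet
                    LastLogonDate   = $u.LastLogonDate
                }
            }
    }
}

# Same search-base scoping as the Get-ADUser line in the notes, built from the
# discovered DN: count enabled users under CN=Users for context.
$userCount = (Get-ADUser -Filter 'Enabled -eq $true' -SearchBase "CN=Users,$domainDN").Count
"Enabled users under CN=Users,$domainDN : $userCount"

$report = Get-PrivilegedMembership -GroupNames $privilegedGroups
$report | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# Privileged accounts with no logon in 90 days are the first candidates for cleanup.
$report | Where-Object { $_.LastLogonDate -lt (Get-Date).AddDays(-90) } |
    Format-Table Group, SamAccountName, LastLogonDate -AutoSize
```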

DNS

  • Check the local IP via ipconfig
  • Run nslookup, then server <LocalIP>, then attempt a zone transfer via ls -d <Domain>