Attacking AD- Post-Compromise Enum

Taken from the PEH course from TCM Academy

Domain Enumeration with PowerView

PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.

PowerSploit/Recon/PowerView.ps1 at master · PowerShellMafia/PowerSploitGitHub

First of all we have to run this command:

powershell -ep bypass

-ep = Execution Policy

To run Powerview:

. \PowerView.ps1

Command examples

Get-NetDomain                   -   gets the name of the current user's domain
Get-NetForest                   -   gets the forest associated with the current user's domain
Get-NetForestDomains            -   gets all domains for the current forest
Get-NetDomainControllers        -   gets the domain controllers for the current computer's domain
Get-NetCurrentUser              -   gets the current [domain\\]username
Get-NetUser                     -   returns all user objects, or the user specified (wildcard specifiable)
Get-NetUserSPNs                 -   gets all user ServicePrincipalNames
Get-NetOUs                      -   gets data for domain organization units
Invoke-NetUserAdd               -   adds a local or domain user
Get-NetGroups                   -   gets a list of all current groups in the domain
Get-NetGroup                    -   gets data for each user in a specified domain group
Get-NetLocalGroups              -   gets a list of localgroups on a remote host or hosts
Get-NetLocalGroup               -   gets the members of a localgroup on a remote host or hosts
Get-NetLocalServices            -   gets a list of running services/paths on a remote host or hosts
Invoke-NetGroupUserAdd          -   adds a user to a specified local or domain group
Get-NetComputers                -   gets a list of all current servers in the domain
Get-NetFileServers              -   get a list of file servers used by current domain users
Get-NetShare                    -   gets share information for a specified server
Get-NetLoggedon                 -   gets users actively logged onto a specified server
Get-NetSessions                 -   gets active sessions on a specified server
Get-NetFileSessions             -   returned combined Get-NetSessions and Get-NetFiles
Get-NetConnections              -   gets active connections to a specific server resource (share)
Get-NetFiles                    -   gets open files on a server
Get-NetProcesses                -   gets the remote processes and owners on a remote server

We can find more commands here:

Veil-PowerView/PowerView at master · darkoperator/Veil-PowerViewGitHub

Bloodhound

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.

To start bloodhound we just have to run the following command:

neo4j console

SharpHound

BloodHound-Legacy/Collectors/SharpHound.ps1 at master · SpecterOps/BloodHound-LegacyGitHub

. .\SharpHound.ps1

Invoke-BloodHound -CollectionMethod All -Domain dominio.local -ZipFileName file.zip

Bloodhound Examples

Uploading the zip generated by SharpHound