Domain Recon

Linux

All AD Users

# Impacket tool
GetADUsers.py -all active.htb/svc_tgs -dc-ip 10.129.51.164

GetADUsers.py -all north.sevenkingdoms.local/brandon.stark:iseedeadpeople
# Keep only the first column (sAMAccountName) of the user table, from the Administrator row to the sql_svc row
GetADUsers.py -all north.sevenkingdoms.local/brandon.stark:iseedeadpeople | awk '/Administrator/,/sql_svc/ {print $1}' > findings/users-north-all.txt

LDAP (389)

# Dump ldap-based domain information
ldapdomaindump -u north.sevenkingdoms.local\\brandon.stark -p iseedeadpeople -d ';' 192.168.56.11
ldapdomaindump -u north.sevenkingdoms.local\\brandon.stark -p iseedeadpeople -d ';' 192.168.56.10

ldapdomaindump -u contoso\\kali -p Password0- -d ';' 10.10.10.1

# Kali with ldap query for domain information (anonymous bind against the rootDSE)
ldapsearch -LLL -x -H ldap://10.10.10.1 -b '' -s base '(objectclass=*)'
ldapsearch -h 10.10.10.1 -x -s base namingcontexts

ldapsearch -H ldap://192.168.56.11 -D "brandon.stark@north.sevenkingdoms.local" -w iseedeadpeople -b 'DC=north,DC=sevenkingdoms,DC=local' "(&(objectCategory=person)(objectClass=user))" |grep 'distinguishedName:'

ldapsearch -H ldap://192.168.56.11 -D "brandon.stark@north.sevenkingdoms.local" -w iseedeadpeople -b 'DC=north,DC=sevenkingdoms,DC=local' "(&(objectCategory=person)(objectClass=user))" |grep 'description:'

ldapsearch -H ldap://192.168.56.12 -D "brandon.stark@north.sevenkingdoms.local" -w iseedeadpeople -b 'DC=essos,DC=local' "(&(objectCategory=person)(objectClass=user))"

ldapsearch -H ldap://192.168.56.10 -D "brandon.stark@north.sevenkingdoms.local" -w iseedeadpeople -b 'DC=sevenkingdoms,DC=local' "(&(objectCategory=person)(objectClass=user))"

Windows

PowerView

https://github.com/PowerShellMafia/PowerSploit
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon

Active Directory Module

Active Directory Module | Microsoft Docs
https://github.com/samratashok/ADModule

Basic Enumeration

Active Directory Enumeration (PowerView)
