Pentesting and Red Teaming Notes
  • 🖥️Pentesting and Red Teaming Cheatsheet
  • Web Application Pentesting(BlackBox)
    • SQL Injection
    • Blind SQL Injection
    • Path Traversal
    • Attacking Authentication
    • Race Conditions
    • Business Logic Vulnerabilities
    • Command Injections
    • Information disclosure
    • Access Controls
    • File upload Attacks
    • XXE
    • Server Side Request Forgery
    • Api Testing
    • noSQL
    • DOM based vulnerabilities
    • Cross Site scripting
  • Infrastructure Pentesting
    • Windows Privilege Escalation
    • Attacking Active Directory
    • File Transfers and Download
    • Pivoting(Tunneling and Port Forwarding)
    • Linux Privilege Escalation
    • Stealing NTLM hashes
    • Tricks and Tips
  • Active Directory Pentesting
    • powershell theory
    • Methodology
    • domain enumeration
    • File Transfer
    • PowerShell ADModule
    • Local Privilege Escalation
    • PowerView Commands
    • ACLs Descriptions
    • ACLs Abuse
    • ACL
    • Trusts
    • User Hunting
    • group policy
    • Mimikatz
    • BloodHound
    • LateralMovement
    • Kerberoasting
    • defense bypasses
    • Set-SPN
    • ASREProasting
    • Unconstrained Delegation
    • Constrained Delegation
    • Resource Based Constrained Delegation
    • AD CS
    • Persistance
    • Priv Esc Trusts Inside Forest
    • MSSQL Servers
    • Priv Esc Trusts Across Forest
    • Tips And Tricks
    • Service Tickets and Abuses
  • Reconnaissance
    • Web Application Reconnaissance
    • External Reconnaissance
Powered by GitBook
On this page
  • Enumerate Current forest, domain, functional level, dc name
  • Tools
  • Find shares on hosts in current domain (Needs defense bypass modification)
  • Find sensative files on computers in the domain (Needs defense bypass modification)
  • Find all file servers of the domain (Needs defense bypass modification)
  1. Active Directory Pentesting

domain enumeration

PreviousMethodologyNextFile Transfer

Last updated 10 months ago

Enumerate Current forest, domain, functional level, dc name

$ADClass = [System.DirectoryServices.ActiveDirectory.Domain]
$ADClass::GetCurrentDomain()

Tools

Use microsoft AD module and dll in case if powershell has constrained language mode enabled.

  • Powerview =>

  • SharpView

  • ActiveDirectory powershell module =>

  • Microsoft signed DLL =>

Find shares on hosts in current domain (Needs defense bypass modification)

Invoke-ShareFinder -Verbose

Find sensative files on computers in the domain (Needs defense bypass modification)

Invoke-FileFinder -Verbose

Find all file servers of the domain (Needs defense bypass modification)

Get-NetFileServer

https://github.com/ZeroDayLab/PowerSploit/blob/master/Recon/PowerView.ps1
https://github.com/samratashok/ADModule
https://github.com/samratashok/ADModule
https://github.com/darkoperator/Veil-PowerView/blob/master/PowerView/functions/Invoke-ShareFinder.ps1
https://github.com/gryhathack/PowerSploit_Sensitive_Info_Hunter/blob/25cf4f3d755fef1bf08e766a11e29b03a7d2d4b9/Invoke-FileFinder.ps1#L2
https://github.com/zloeber/PSAD/blob/fcf2936b79b5e49c99f09cea96fbafd26e6ecbf2/src/inprogress/Get-NetFileServer.ps1#L2