domain enumeration

Last updated 1 year ago

Enumerate Current forest, domain, functional level, dc name

# Take the .NET Domain class and ask it for the domain this host is joined to.
# The returned object carries Name, Forest, DomainMode (the functional level),
# PdcRoleOwner and DomainControllers, so one call covers every item in the heading.
$ADClass = [System.DirectoryServices.ActiveDirectory.Domain]
$ADClass::GetCurrentDomain()

Tools

Use the Microsoft ActiveDirectory module and its signed DLL when PowerShell is running in Constrained Language Mode, where the .NET type access used above is blocked but cmdlets from a signed module still run.

  • PowerView => https://github.com/ZeroDayLab/PowerSploit/blob/master/Recon/PowerView.ps1

  • SharpView

  • ActiveDirectory PowerShell module => https://github.com/samratashok/ADModule

  • Microsoft signed DLL => https://github.com/samratashok/ADModule
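The one-liner at the top and the Constrained Language Mode note above, combined into one function. This is an added example written for these notes, not code from the page's tool list: it checks the session's language mode, uses the .NET Domain class when the session is FullLanguage, and otherwise falls back to Get-ADDomain / Get-ADForest, which assumes the ActiveDirectory module (RSAT or the ADModule DLL) has already been imported.

```powershell
# Added example, not part of the original notes. Returns forest, domain,
# functional levels, PDC emulator and DC names via whichever access path the
# current language mode allows.
function Get-DomainSummary {
    [CmdletBinding()]
    param()

    # Standard way to detect Constrained Language Mode from inside a session
    $mode = $ExecutionContext.SessionState.LanguageMode
    Write-Verbose "PowerShell language mode: $mode"

    if ($mode -eq 'FullLanguage') {
        # Same object the cheatsheet's $ADClass one-liner returns
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
        $forest = $domain.Forest
        [pscustomobject]@{
            Domain                = $domain.Name
            Forest                = $forest.Name
            DomainFunctionalLevel = [string]$domain.DomainMode
            ForestFunctionalLevel = [string]$forest.ForestMode
            PdcEmulator           = $domain.PdcRoleOwner.Name
            DomainControllers     = @($domain.DomainControllers | ForEach-Object { $_.Name })
            Source                = 'System.DirectoryServices'
        }
    }
    else {
        # CLM blocks the .NET type literal above, but cmdlets from a signed
        # module still run. Fail early if the module is not loaded.
        if (-not (Get-Command Get-ADDomain -ErrorAction SilentlyContinue)) {
            throw 'ActiveDirectory module not loaded; Import-Module it (or the ADModule DLL) first.'
        }
        $domain = Get-ADDomain
        $forest = Get-ADForest
        # [string] casts instead of .ToString(): method calls on non-core types
        # are rejected in Constrained Language Mode.
        [pscustomobject]@{
            Domain                = $domain.DNSRoot
            Forest                = $forest.Name
            DomainFunctionalLevel = [string]$domain.DomainMode
            ForestFunctionalLevel = [string]$forest.ForestMode
            PdcEmulator           = $domain.PDCEmulator
            DomainControllers     = @($domain.ReplicaDirectoryServers)
            Source                = 'ActiveDirectory module'
        }
    }
}

Get-DomainSummary -Verbose | Format-List
```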

Find shares on hosts in current domain (Needs defense bypass modification)

Invoke-ShareFinder -Verbose

Find sensitive files on computers in the domain (Needs defense bypass modification)

Invoke-FileFinder -Verbose

Find all file servers of the domain (Needs defense bypass modification)

Get-NetFileServer

Sources for the tools and commands above:

  • PowerView => https://github.com/ZeroDayLab/PowerSploit/blob/master/Recon/PowerView.ps1
  • ADModule (ActiveDirectory PowerShell module and Microsoft signed DLL) => https://github.com/samratashok/ADModule
  • Invoke-ShareFinder => https://github.com/darkoperator/Veil-PowerView/blob/master/PowerView/functions/Invoke-ShareFinder.ps1
  • Invoke-FileFinder => https://github.com/gryhathack/PowerSploit_Sensitive_Info_Hunter/blob/25cf4f3d755fef1bf08e766a11e29b03a7d2d4b9/Invoke-FileFinder.ps1#L2
  • Get-NetFileServer => https://github.com/zloeber/PSAD/blob/fcf2936b79b5e49c99f09cea96fbafd26e6ecbf2/src/inprogress/Get-NetFileServer.ps1#L2