Domain Enumeration - User Hunting
PowerView commands
Find all machines on current domain where the current user has local admin access
Find-LocalAdminAccess -verbose
Invoke-CheckLocalAdminAccess
If Find-LocalAdminAccess is blocked (because it sends Get-NetComputer queries to the DC), Find-WMILocalAdminAccess.ps1 can be used instead. Save the results of Get-NetComputer in a text file, then run:
. .\Find-WMILocalAdminAccess.ps1 -ComputerFile computer.txt -verbose
Find local admins on all machines of the domain (needs administrator privileges on non-DC machines)
Invoke-EnumerateLocalAdmin -Verbose
This function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then runs a multi-threaded Get-NetLocalGroup against each machine.
Find computers where a domain admin (or a specified user/group) has sessions
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
This function queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of computers (Get-NetComputer), and lists sessions and logged-on users (Get-NetSession/Get-NetLoggedon) on each of them.
To confirm admin access
Invoke-UserHunter -CheckAccess
Find computers where a domain admin is logged in
Invoke-UserHunter -Stealth
This option queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of only the high-traffic servers (DCs, file servers and distributed file servers) to generate less traffic, and lists sessions and logged-on users (Get-NetSession/Get-NetLoggedon) from each of those machines.
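The session enumeration behind Invoke-UserHunter (Get-NetSession, i.e. NetSessionEnum over the srvsvc named pipe on the IPC$ share) leaves one source touching many hosts in a short time, which is what a defender can alert on. The following detection script is an added example, not part of these notes or of PowerView; the event records are constructed and shaped after Windows Security event 5145 (detailed file share access), the field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped after Security event 5145 on the IPC$ share:
# (timestamp, reporting host, source IP, account, RelativeTargetName).
# "srvsvc" is the pipe Get-NetSession/NetSessionEnum talks to on every target.
SAMPLE_EVENTS = [
    ("2024-05-01 09:00:05", "DC01", "10.0.0.5", "student1", "srvsvc"),
    ("2024-05-01 09:00:09", "FS01", "10.0.0.5", "student1", "srvsvc"),
    ("2024-05-01 09:00:14", "WS01", "10.0.0.5", "student1", "srvsvc"),
    ("2024-05-01 09:00:20", "WS02", "10.0.0.5", "student1", "srvsvc"),
    ("2024-05-01 09:00:27", "WS03", "10.0.0.5", "student1", "srvsvc"),
    ("2024-05-01 09:00:33", "WS04", "10.0.0.5", "student1", "srvsvc"),
    ("2024-05-01 09:00:40", "WS05", "10.0.0.5", "student1", "srvsvc"),
    ("2024-05-01 09:01:00", "FS01", "10.0.0.9", "backupsvc", "srvsvc"),  # same host twice: normal
    ("2024-05-01 09:31:00", "FS01", "10.0.0.9", "backupsvc", "srvsvc"),
    ("2024-05-01 08:10:00", "WS02", "10.0.0.7", "helpdesk1", "srvsvc"),  # two hosts, hours apart: normal
    ("2024-05-01 10:40:00", "WS04", "10.0.0.7", "helpdesk1", "srvsvc"),
    ("2024-05-01 09:02:00", "FS01", "10.0.0.5", "student1", "spoolss"),  # different pipe: ignored
]

def detect_session_sweeps(events, min_hosts=5, window=timedelta(minutes=10)):
    """Return {(src_ip, account): sorted hosts} for every source that reached at
    least min_hosts distinct machines over srvsvc inside one sliding window."""
    by_source = defaultdict(list)
    for ts, host, src_ip, account, target in events:
        if target.lower() == "srvsvc":
            stamp = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            by_source[(src_ip, account)].append((stamp, host))
    alerts = {}
    for source, hits in by_source.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # distinct hosts touched within `window` of this event (the window start)
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts[source] = sorted(hosts)
                break
    return alerts

if __name__ == "__main__":
    for (ip, user), hosts in detect_session_sweeps(SAMPLE_EVENTS).items():
        print(f"possible session sweep from {ip} as {user}: {len(hosts)} hosts {hosts}")
```

Event 5145 is only written when Detailed File Share auditing is enabled; the -Stealth variant touches only a handful of high-traffic servers, so a DC-focused rule with a lower min_hosts is needed to catch it.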