Active Directory Penetration Testing

Home Attacks Theory Author Discord

Domain Trusts Enumeration

PowerView Trust Enumeration

Get a list of all domain trusts for the current domain

Get-NetDomainTrust
Get-NetDomainTrust -Domain us.dollarcorp.moneycorp.local

Get details about the current forest

Get-NetForest
Get-NetForest -Forest eurocorp.local

Get all domains in the current forest

Get-NetForestDomain
Get-NetForestDomain -Forest eurocorp.local

Get all global catalogs for the current forest

Get-NetForestCatalog
Get-NetForestCatalog -Forest eurocorp.local

Map trusts of a forest

Get-NetForestTrust
Get-NetForestTrust -Forest eurocorp.local

PowerView Users Enumeration

Find all machines on the current domain where the current user has local admin access

Find-LocalAdminAccess -Verbose

Find computers where a domain admin (or specified user/group) has sessions

Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"

To confirm admin access

Invoke-UserHunter -CheckAccess

Find computers where a domain admin is logged-in

Invoke-UserHunter -Stealth

Find computers where a domain admin (or specified user/group) has sessions

Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity "StudentUsers"

Find computers where a domain admin session is available and current user has admin access (uses Test-AdminAccess)

Find-DomainUserLocation -CheckAccess

Find computers (File Servers and Distributed File servers) where a domain admin session is available.

Find-DomainUserLocation –Stealth

PreviousShadow Credentials NextTrust Tickets

Last updated 7 months ago