See: enumeration
Getting Started
Common commands
Also consider using this custom PowerShell AD searcher to perform LDAP queries.
User
- NetWkstaUserEnum API: requires admin privileges; returns users logged in on a target workstation
- NetSessionEnum API: requires regular domain user; returns active user sessions on all servers
Once an AD machine is compromised, use NetWkstaUserEnum against other machines to enumerate logged-on users (PowerView: Get-NetLoggedon -ComputerName THIS_COMPUTER_NAME) and check whether the current user is an admin on any other machine.
Use NetSessionEnum (PowerView: Get-NetSession -ComputerName DC_NAME) to enumerate users with active sessions on a server.
- net user [$USER] /domain (shows at most ten group memberships)
- net group [$GROUP] /domain
- net accounts /domain (password policy)
Services
Use the searcher to look for services: $Searcher.filter='(serviceprincipalname=*http*)'
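As an added example (not the custom searcher linked above, and not PowerView), the following builds the same kind of LDAP search with System.DirectoryServices, applies the SPN filter from this note, and returns each matching account with its type and password age; it assumes a domain-joined host running as a domain user, and the function name Get-SpnInventory is made up for this example.

```powershell
# Added example: SPN search via System.DirectoryServices (assumption: domain-joined host,
# current user is a domain user). The default naming context is read from RootDSE,
# so no domain name is hard-coded.
function Get-SpnInventory {
    param(
        # LDAP filter from the note above; substring match on servicePrincipalName
        [string]$Filter = '(servicePrincipalName=*http*)'
    )
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $base     = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base)
    $searcher.Filter   = $Filter
    $searcher.PageSize = 1000   # paged results, otherwise large domains are cut off at 1000 entries
    [void]$searcher.PropertiesToLoad.AddRange(
        @('sAMAccountName', 'servicePrincipalName', 'objectClass', 'pwdLastSet'))

    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties
        # objectClass is multi-valued; machine accounts carry 'computer'
        $isComputer = $p['objectclass'] -contains 'computer'
        # pwdLastSet is a Windows FILETIME (Int64); 0 means the password must be changed
        $pwdSet = if ($p['pwdlastset'].Count -and [int64]$p['pwdlastset'][0] -ne 0) {
            [DateTime]::FromFileTime([int64]$p['pwdlastset'][0])
        } else { $null }

        [pscustomobject]@{
            Account     = [string]$p['samaccountname'][0]
            AccountType = if ($isComputer) { 'computer' } else { 'user' }
            PasswordAge = if ($pwdSet) { (Get-Date) - $pwdSet } else { $null }
            SPNs        = @($p['serviceprincipalname'])
        }
    }
}

# Hardening view: user (non-machine) accounts with SPNs are service accounts whose
# credentials deserve review (move to gMSAs or long random passwords, rotate old ones).
Get-SpnInventory |
    Where-Object AccountType -eq 'user' |
    Sort-Object PasswordAge -Descending |
    Format-Table Account, PasswordAge, SPNs -AutoSize
```

Change the filter argument (for example `(servicePrincipalName=*)`) to inventory every SPN instead of only HTTP services.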