
Enumeration of Active Directory

Enumeration via PowerView

PowerView is a PowerShell tool for gathering information about Active Directory. It is part of the PowerSploit project and can be used to enumerate the domain, its users, groups, computers, and more.

You can download PowerView from the PowerSploit repository on GitHub:

wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1

To use PowerView, import the script as a module in PowerShell (the execution policy is bypassed for the session so the unsigned script will load):

powershell -ep bypass
Import-Module .\PowerView.ps1

List the user accounts in the domain, showing only their common names (this query returns users, not domain controllers).

Get-NetUser | select cn

Find shared folders on hosts in the domain; with -CheckShareAccess, only shares the current user can access are reported.

Invoke-ShareFinder -CheckShareAccess -Verbose

Here's a cheat sheet to help you with the commands.

Enumeration via BloodHound

BloodHound is a tool for analyzing Active Directory and finding attack paths, such as the shortest path to Domain Admins. One of its main features is that it visualizes those paths as a graph. The data is gathered by the SharpHound collector, which you can download from the BloodHound repository on GitHub:

wget https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/SharpHound.ps1

To run the SharpHound collector, import it as a module in PowerShell:

powershell -ep bypass
Import-Module .\SharpHound.ps1

Collect the data from the domain into a zip archive:

Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip

Upload the resulting loot.zip file to the BloodHound interface to visualize the attack paths.
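From the defender's side, both collectors above leave distinctive traces in PowerShell script block logging (Event ID 4104), so the same commands double as detection indicators. The following is an added example, not code from this page or from PowerView/BloodHound: it matches the cmdlet names and script files shown above against constructed log records and groups the hits per host. The record fields (EventID, Host, ScriptBlockText) and the sample events are assumptions made up for the example; real 4104 events carry the script text in a ScriptBlockText field, but the surrounding export format depends on your tooling.

```python
import re

# Constructed sample records loosely shaped like exported Event ID 4104 entries.
# These are made up for this example; only WS01 and WS03 run the collectors.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Host": "WS01", "ScriptBlockText": "Import-Module .\\PowerView.ps1"},
    {"EventID": 4104, "Host": "WS01", "ScriptBlockText": "Get-NetUser | select cn"},
    {"EventID": 4104, "Host": "WS01", "ScriptBlockText": "Invoke-ShareFinder -CheckShareAccess -Verbose"},
    {"EventID": 4104, "Host": "WS02", "ScriptBlockText": "Get-ChildItem C:\\Users | Measure-Object"},
    {"EventID": 4104, "Host": "WS03", "ScriptBlockText":
        "Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip"},
    {"EventID": 4103, "Host": "WS03", "ScriptBlockText": "Write-Host done"},
]

# Indicators taken from the commands on this page. Matching is case-insensitive
# because PowerShell cmdlet and file names are.
INDICATORS = {
    "powerview_import": re.compile(r"powerview\.ps1", re.I),
    "powerview_cmdlet": re.compile(r"\b(Get-NetUser|Invoke-ShareFinder)\b", re.I),
    "sharphound_import": re.compile(r"sharphound\.ps1", re.I),
    "sharphound_collect": re.compile(r"\bInvoke-BloodHound\b.*-CollectionMethod", re.I),
}

ZIP_ARG = re.compile(r"-ZipFileName\s+(\S+)", re.I)


def classify_event(event):
    """Return the indicator names matching one record; [] for non-4104 or benign text."""
    if event.get("EventID") != 4104:
        return []
    text = event.get("ScriptBlockText", "")
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def sharphound_output_name(text):
    """Extract the -ZipFileName value so a responder knows which archive to look for."""
    m = ZIP_ARG.search(text)
    return m.group(1) if m else None


def summarize(events):
    """Group indicator hits by host so an analyst sees which machines ran which stage."""
    hits = {}
    for ev in events:
        for name in classify_event(ev):
            hits.setdefault(ev["Host"], set()).add(name)
    return hits


if __name__ == "__main__":
    for host, names in sorted(summarize(SAMPLE_EVENTS).items()):
        print(host, sorted(names))
```

Script block logging must be enabled via Group Policy for 4104 events to exist at all; a host with hits on both the import and a collection cmdlet is a stronger signal than either alone.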