Table Of Contents

  • Domain and User Enumeration
    • Domain Enumeration with Net.exe
    • Domain Enumeration with DSQuery
    • Finding User System in a Windows Domain

DOMAIN AND USER ENUMERATION

  • Note: This section details important and useful domain enumeration commands. These commands can display computers, users, groups, etc.

DOMAIN ENUMERATION WITH NET.EXE

  • Note: Net.exe will NOT list nested groups (groups that are members of other groups). Refer to the DSQuery section to enumerate nested group membership.

List accounts with administrative access to the current machine

net localgroup administrators

List accounts and groups with administrative access to the domain controller

net localgroup administrators /domain

Display hosts currently visible on the network

net view /domain

Display all users in current domain

net user /domain

Display user information for a domain user account (status, policy, groups, etc.)

net user <USERNAME> /domain

Display domain account policies

net accounts /domain

Display domain groups

net group /domain

Display users in a domain group

net group "<GROUPNAME>" /domain

Display domain controllers in the current domain

net group "Domain Controllers" /domain

Display all computer hostnames for current domain

net group "Domain Computers" /domain

Unlock domain user account

net user <USERNAME> /ACTIVE:YES /domain

Change domain user password

net user <USERNAME> "<PASSWORD>" /domain

DOMAIN ENUMERATION WITH DSQUERY

  • Note: All DSQuery commands must be run from a machine that has dsquery.exe on disk (commonly a Windows Server); most of the commands do NOT require administrative privileges.

Display administrative users

dsquery * -filter "(&(objectclass=user)(admincount=1))" -attr samaccountname name

Output dsquery results to disk

dsquery * -filter "(objectclass=user)" -attr name samaccountname > <OUTPUT_PATH>

Compress dsquery results

makecab <INPUT_PATH> <OUTPUT_PATH>

Extract dsquery results

expand <INPUT_PATH> <OUTPUT_PATH>

Display Active Directory OUs

dsquery * -filter "(objectclass=organizationalUnit)" -attr name distinguishedName description -limit 0

Display computers filtering on operating system

dsquery * -filter "(operatingsystem=*10*)" -attr name operatingsystem dnshostname -limit 0

Display all computers with a pattern (here DC) in the hostname

dsquery * -filter "(name=*DC*)" -attr name operatingsystem dnshostname -limit 0

Display all Active Directory objects with the pattern SMITH in the name -- great for finding user objects!

dsquery * -filter "(name=*smith*)" -attr name samaccountname description -limit 0
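The name and description searches on this page splice a fragment straight into the LDAP filter that dsquery sends. When that fragment comes from a ticket, a form field or another tool rather than from the operator's keyboard, the characters `\`, `*`, `(`, `)` and NUL change the meaning of the filter. The Python below is an added example, not part of the original cheat sheet: it escapes a fragment per RFC 4515 and assembles the same `(attribute=*fragment*)` filters the page uses, optionally AND-ed with an objectclass test, and returns the dsquery invocation as an argv list. The function and constant names are this example's own.

```python
"""Build dsquery/LDAP filters from name fragments without breaking the filter.

Added example, not part of the original cheat sheet. The page's
'(name=*smith*)' and '(description=*<USER_LAST_NAME>*)' filters splice a
string straight into LDAP filter syntax. When that string is untrusted, the
characters \\ * ( ) and NUL change the meaning of the filter (RFC 4515,
section 3), so they are escaped here before the wildcards are added.
"""
import re
from typing import List, Optional

# RFC 4515 escape sequences for the characters that are special in a filter value
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# LDAP attribute description without options: letters, digits and hyphens
_ATTRIBUTE_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_filter_value(value: str) -> str:
    """Escape a literal assertion value for use inside an LDAP search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def contains_filter(attribute: str, fragment: str, object_class: Optional[str] = None) -> str:
    """Return '(attribute=*fragment*)', AND-ed with an objectclass test when one is given.

    The wildcards are supplied by this function; any '*' inside `fragment` is
    escaped and therefore matched literally rather than as a wildcard.
    """
    if not _ATTRIBUTE_RE.fullmatch(attribute):
        raise ValueError(f"not an LDAP attribute name: {attribute!r}")
    if not fragment.strip():
        raise ValueError("empty fragment would match every object")
    clause = f"({attribute}=*{escape_filter_value(fragment)}*)"
    if object_class:
        clause = f"(&(objectclass={escape_filter_value(object_class)}){clause})"
    return clause


def dsquery_argv(search_filter: str, attrs: List[str], limit: int = 0) -> List[str]:
    """Assemble the dsquery command as an argv list.

    Passing this list to subprocess.run() without shell=True, on a host that
    has dsquery.exe, keeps cmd.exe from re-parsing the quotes in the filter.
    """
    return ["dsquery", "*", "-filter", search_filter, "-attr", *attrs, "-limit", str(limit)]


if __name__ == "__main__":
    # Constructed input: a last name that would otherwise close the filter early
    print(dsquery_argv(contains_filter("description", "O'Brien (Smith)", "user"),
                       ["name", "samaccountname", "description"]))
```

`contains_filter("description", "smith", "user")` yields `(&(objectclass=user)(description=*smith*))`, the same shape as the page's description search; a fragment such as `O'Brien (Smith)` becomes `O'Brien \28Smith\29` inside the filter instead of unbalancing it.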

Filter on epoch time (password last changed, last login, etc.) -- 1 with 12 zeros (1000000000000) is a day in epoch; add or subtract to adjust the dsquery filter

dsquery * -filter "(&(objectclass=user)(lastlogon>=<EPOCH_TIME>))" -attr samaccountname name

Display trusts associated with current domain

dsquery * -filter "(objectclass=trusteddomain)" -attr flatname trustdirection

Display Active Directory objects in a remote domain (useful if a trust exists)

dsquery * -filter "(operatingsystem=*server*)" -attr name operatingsystem description dnshostname -d <DOMAIN_FQDN>

Display computers with helpful attributes

dsquery * -filter "(objectclass=computer)" -attr name dnshostname operatingsystem description -limit 0

Display users with helpful attributes

dsquery * -filter "(objectclass=user)" -attr name samaccountname lastlogon memberof description -limit 0

Display groups with helpful attributes

dsquery * -filter "(objectclass=group)" -attr name samaccountname member description -limit 0

Display every Active Directory object with admin in the name

dsquery * -filter "(name=*admin*)" -attr name samaccountname description objectclass -limit 0

Convert NT epoch time (the lastLogonTimestamp time format) to a readable date

w32tm /ntte <EPOCH_TIME>
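The "epoch" values in the lastlogon filter above and in the w32tm conversion are Windows FILETIME integers: the count of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC, so one day is exactly 86400 × 10^7 = 864000000000 ticks. The Python below is an added example, not part of the original cheat sheet: it converts in both directions (the same direction as `w32tm /ntte` for reading, and the reverse for building a filter) and produces the `(&(objectclass=user)(lastlogon>=<EPOCH_TIME>))` filter from a number of days instead of a rounded constant. It uses only the standard library; the function and constant names are this example's own.

```python
"""NT FILETIME ('NT epoch') helpers for dsquery time filters.

Added example, not part of the original cheat sheet. Active Directory stores
lastLogon, lastLogonTimestamp and pwdLastSet as FILETIME values: the count of
100-nanosecond intervals since 1601-01-01 00:00:00 UTC. dsquery compares that
count as a plain integer, so a readable cutoff must become the integer before
it goes into the filter; w32tm /ntte does the reverse.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000                    # 100 ns intervals per second
TICKS_PER_DAY = 86_400 * TICKS_PER_SECOND        # 864_000_000_000 exactly
UNIX_EPOCH_FILETIME = 116_444_736_000_000_000    # FILETIME of 1970-01-01 00:00:00 UTC


def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME integer -> aware UTC datetime. A stored value of 0 means 'never'."""
    if filetime < 0:
        raise ValueError("FILETIME values are unsigned")
    # timedelta resolves microseconds; FILETIME resolves 100 ns, so drop one digit
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Aware datetime -> FILETIME integer, in integer math (floats lose precision near 1e17)."""
    if when.tzinfo is None:
        raise ValueError("naive datetime: attach a tzinfo so local-time skew cannot creep in")
    delta = when - FILETIME_EPOCH
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def lastlogon_cutoff_filter(days: int, now: Optional[datetime] = None) -> str:
    """dsquery filter for user objects whose lastLogon falls within the last `days` days.

    Same shape as the page's '(&(objectclass=user)(lastlogon>=<EPOCH_TIME>))',
    with <EPOCH_TIME> computed exactly. `now` is injectable for reproducible tests.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = datetime_to_filetime(now) - days * TICKS_PER_DAY
    return f"(&(objectclass=user)(lastlogon>={cutoff}))"


if __name__ == "__main__":
    print(filetime_to_datetime(UNIX_EPOCH_FILETIME))   # 1970-01-01 00:00:00+00:00
    print(lastlogon_cutoff_filter(30))
```

Note that lastLogon is not replicated between domain controllers, which is the same reason the event-log section below says a query may need to be repeated on every DC; lastLogonTimestamp is replicated but only updated coarsely, so a filter on it is a lower bound on activity, not an exact one.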

FINDING USER SYSTEM IN A WINDOWS DOMAIN

  • Notes:

    • Query the Security event log for user logons, looking for the system that was logged into.
    • May need to be run from all DCs in the domain to locate the proper event log.
    • The query is case sensitive.
    • Can be run remotely with credentials by adding the following argument: /r:<IP_ADDRESS>

wevtutil qe security /rd:true /f:text /q:"*[System/EventID=4624] and *[EventData/Data[@Name='TargetUserName']='<USERNAME>']" /c:20
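The wevtutil query above returns the matching 4624 records as text; the part an analyst actually wants is the workstation name and source address in each record's "Network Information" section. The Python below is an added example, not part of the original cheat sheet: it parses that `/f:text` layout and tallies, for one account, the systems the logons came from. The sample input is a constructed, abbreviated imitation of wevtutil's output (real records carry many more lines), and the field names it relies on (Logon Type, Account Name, Workstation Name, Source Network Address) are the ones the 4624 description uses.

```python
"""Tally the systems an account logged on from, using wevtutil /f:text output.

Added example, not part of the original cheat sheet. SAMPLE_WEVTUTIL_TEXT is a
constructed, abbreviated imitation of `wevtutil qe security /f:text` output:
'Event[N]:' separators, indented header fields, then description sections at
column 0 with tab-indented 'Field:\tvalue' lines.
"""
import re
from collections import Counter

SAMPLE_WEVTUTIL_TEXT = """\
Event[0]:
  Event ID: 4624
  Date: 2024-03-04T08:15:02.000
Subject:
\tAccount Name:\t\t-
Logon Information:
\tLogon Type:\t\t3
New Logon:
\tAccount Name:\t\tjsmith
\tAccount Domain:\t\tCORP
Network Information:
\tWorkstation Name:\tWS-042
\tSource Network Address:\t10.10.4.42
Event[1]:
  Event ID: 4624
  Date: 2024-03-04T08:20:11.000
Subject:
\tAccount Name:\t\t-
Logon Information:
\tLogon Type:\t\t3
New Logon:
\tAccount Name:\t\tsvc-backup
\tAccount Domain:\t\tCORP
Network Information:
\tWorkstation Name:\tFS01
\tSource Network Address:\t10.10.2.5
Event[2]:
  Event ID: 4624
  Date: 2024-03-04T17:42:39.000
Subject:
\tAccount Name:\t\t-
Logon Information:
\tLogon Type:\t\t3
New Logon:
\tAccount Name:\t\tjsmith
\tAccount Domain:\t\tCORP
Network Information:
\tWorkstation Name:\tWS-042
\tSource Network Address:\t10.10.4.42
"""

RECORD_RE = re.compile(r"^Event\[\d+\]:[ \t]*$", re.MULTILINE)   # one record per 'Event[N]:'
SECTION_RE = re.compile(r"^([A-Za-z][A-Za-z ]*):[ \t]*$")         # 'New Logon:' at column 0
FIELD_RE = re.compile(r"^\s+([^:\t]+):[ \t]*(.*?)[ \t]*$")         # indented 'Name: value'


def parse_events(text):
    """Split wevtutil text output into events: header fields plus named description sections."""
    events = []
    for chunk in RECORD_RE.split(text):
        if not chunk.strip():
            continue                      # text before the first 'Event[0]:' line
        event = {"header": {}, "sections": {}}
        section = None
        for line in chunk.splitlines():
            sec = SECTION_RE.match(line)
            if sec:
                section = sec.group(1)
                event["sections"].setdefault(section, {})
                continue
            field = FIELD_RE.match(line)
            if field is None:
                continue                  # free text such as 'An account was successfully logged on.'
            target = event["header"] if section is None else event["sections"][section]
            target[field.group(1).strip()] = field.group(2)
        events.append(event)
    return events


def logon_sources(events, username, event_id="4624"):
    """Count (workstation, source address, logon type) for one account's logon events.

    The account is read from 'New Logon', not 'Subject', so the principal that
    requested the logon is not mistaken for the one that logged on. Matching is
    case-insensitive here; the wevtutil XPath filter on the page is not.
    """
    hits = Counter()
    for ev in events:
        if ev["header"].get("Event ID") != event_id:
            continue
        who = ev["sections"].get("New Logon", {}).get("Account Name", "")
        if who.lower() != username.lower():
            continue
        net = ev["sections"].get("Network Information", {})
        logon = ev["sections"].get("Logon Information", {})
        hits[(net.get("Workstation Name", "-"), net.get("Source Network Address", "-"),
              logon.get("Logon Type", "-"))] += 1
    return hits


if __name__ == "__main__":
    for (host, addr, ltype), n in logon_sources(parse_events(SAMPLE_WEVTUTIL_TEXT), "jsmith").most_common():
        print(f"{host:<12} {addr:<16} logon type {ltype}  x{n}")
```

Feed it the saved output of the wevtutil command (`/rd:true` with a larger `/c:` count is usually needed for a real search) and the Counter shows which host and address the account's logons cluster on; a logon type of 3 on a domain controller means a network logon from the listed workstation, which is the system the page is trying to locate.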
  • Notes:

    • Utilize dsquery to search for the user's last name in the description attribute (searches all AD objects).
    • Occasionally user workstation information is stored in Active Directory objects or their description.

dsquery * -filter "(description=*<USER_LAST_NAME>*)" -attr name samaccountname description

Connect to any server (likely a file server) that could have active user home directories mapped, and list its active sessions

net session