Reconnaissance

Windows

dir /s flag.txt to find files in current directory and subdirectories named flag.txt.

Active Directory

Tool

Ldapsearch

ldapsearch -h <host> -p 389 -x -b "dc=cascade,dc=local" "(&(objectClass=user)(sAMAccountName=userid))" 

Net User Domain

net user /domain

Find domain and local admin

net localgroup administrators

CMDLETS

Get-ADUser

The command reveals that the user is a member of the Audit Share group, and also that the logon script MapAuditDrive.vbs is assigned to this account. Active Directory logon scripts are saved in the NETLOGON share by default)

*Evil-WinRM* PS C:\Users\s.smith\Desktop> Get-ADUser -identity s.smith -properties * 

Filter - Parameter that allows more controll over enumeration and use the Format-Table.

Get-ADUser -Filter 'Name -like "*stevens*"' -Server ad.server.com | Format-Table Name,SamAccountName -A

If we wanted to, for example, perform a password spraying attack without locking out accounts, we can use this to enumerate accounts that have a badPwdCount that is greater than 0, to avoid these accounts in our attack:

 Get-ADObject -Filter 'badPwdCount -gt 0' -Server ad.server.com
Further cmdlets

Get-ADGroup, Get-ADGroupMember, Get-ADObject, Get-ADDomain