Active Directory More Enumeration
This post serves as a reference sheet for enumerating Active Directory (AD) environments with a combination of graphical and command-line methods. It covers runas, RDP sessions, MMC (Microsoft Management Console), and the classic net command — all practical and stealthy methods for gathering critical domain information.
Credential Injection with runas /netonly
When to Use:
- You have domain credentials but are on a non-domain Windows machine
- You want to authenticate to AD services (e.g., SMB, LDAP) over the network
Syntax:
runas /netonly /user:za.tryhackme.com\student mmc
- /netonly: use the supplied credentials for network authentication only; they are not verified locally, so a wrong password is only noticed when a network resource is accessed
- mmc: launch Microsoft Management Console (or cmd.exe, powershell.exe, etc.)
Using MMC + RSAT Snap-ins
Purpose:
Visually browse and enumerate:
- Users
- Computers
- Groups
- Organizational Units (OUs)
Required Snap-ins:
- Active Directory Users and Computers
- Active Directory Domains and Trusts
- Active Directory Sites and Services
Steps:
- Launch MMC:
mmc
- File → Add/Remove Snap-in → Add the 3 snap-ins
- Right-click each snap-in → Change Forest/Domain → enter:
za.tryhackme.com
- In ADUC: View → Advanced Features (for full attribute visibility)
Use Case:
Ideal for RDP sessions or when GUI access is available to visualize AD structure and relationships.
DNS Configuration (If Required)
If domain resolution fails (e.g., za.tryhackme.com won’t resolve), configure DNS manually:
$dnsip = "192.168.1.53" # IP of the Domain Controller
$index = Get-NetAdapter | Where-Object {$_.Status -eq "Up"} | Select-Object -ExpandProperty ifIndex
Set-DnsClientServerAddress -InterfaceIndex $index -ServerAddresses $dnsip
Verify:
nslookup za.tryhackme.com
CMD-based AD Enumeration with net Commands
Users (List all domain users):
net user /domain
User Details:
net user zoe.marshall /domain
Returns full name, last logon, password policy, and group memberships.
Groups (List all domain groups):
net group /domain
Group Membership:
net group "Tier 1 Admins" /domain
Password Policy:
net accounts /domain
- Shows password age, length, history, and lockout threshold
Benefits of net Commands
- Native to Windows, no external tooling required
- Works in phishing payloads, RATs, or macro execution
- Useful when PowerShell is restricted or heavily monitored
Limitations:
- Must be run on a domain-joined machine
- Limited output (e.g., doesn’t show more than 10 group memberships)
- Cannot export or search across OUs without scripts
PowerShell AD Enumeration with RSAT Cmdlets
PowerShell is a powerful upgrade over CMD that gives access to over 50 built-in AD enumeration cmdlets once RSAT is installed.
Start PowerShell:
powershell
Enumerate a Specific User:
Get-ADUser -Identity gordon.stevens -Server za.tryhackme.com -Properties *
Search for Users:
Get-ADUser -Filter 'Name -like "*stevens"' -Server za.tryhackme.com | Format-Table Name,SamAccountName -A
Get Group Info:
Get-ADGroup -Identity Administrators -Server za.tryhackme.com
List Group Members:
Get-ADGroupMember -Identity Administrators -Server za.tryhackme.com
Search for Any AD Object:
$ChangeDate = New-Object DateTime(2022, 02, 28, 12, 00, 00)
Get-ADObject -Filter 'whenChanged -gt $ChangeDate' -includeDeletedObjects -Server za.tryhackme.com
Password Spray Consideration:
Get-ADObject -Filter 'badPwdCount -gt 0' -Server za.tryhackme.com
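A defender-side check built on the badPwdCount query above, as an added example (not from the original post): it reads the counts from the PDC emulator, because badPwdCount is not replicated between domain controllers, and correlates them with the domain lockout threshold so that accounts one failure away from lockout and spray-like patterns (many accounts, few failures each, short window) stand out. The domain is the page's lab domain; the 15-minute window and 10-account alert threshold are assumed values.

```powershell
# Added example (not from the original post): spot accounts near lockout and possible
# password-spray activity. badPwdCount is per-DC and not replicated, but every failed
# logon is forwarded to the PDC emulator, so that DC holds the domain-wide view.
# The window and account threshold below are assumed tuning values.
param(
    [string]$Domain      = 'za.tryhackme.com',
    [int]$WindowMinutes  = 15,
    [int]$MinAccounts    = 10
)
Import-Module ActiveDirectory

$pdc       = (Get-ADDomain -Server $Domain).PDCEmulator
$policy    = Get-ADDefaultDomainPasswordPolicy -Server $pdc
$threshold = $policy.LockoutThreshold            # 0 means account lockout is disabled
$since     = (Get-Date).AddMinutes(-$WindowMinutes)

# badPasswordTime is a Windows FILETIME (Int64); convert it to a local DateTime.
$hits = Get-ADUser -Server $pdc -Filter 'badPwdCount -gt 0' `
            -Properties badPwdCount, badPasswordTime, LockedOut |
        ForEach-Object {
            [pscustomobject]@{
                User        = $_.SamAccountName
                BadCount    = $_.badPwdCount
                LastBadTime = [DateTime]::FromFileTime($_.badPasswordTime)
                LockedOut   = $_.LockedOut
                NearLockout = ($threshold -gt 0) -and ($_.badPwdCount -ge ($threshold - 1))
            }
        } |
        Where-Object { $_.LastBadTime -ge $since }

$hits | Sort-Object LastBadTime -Descending | Format-Table -AutoSize

# Many distinct accounts each failing once or twice inside a short window is the spray
# signature; one account with a high count is more likely a mistyped or stale credential.
if ($hits.Count -ge $MinAccounts) {
    Write-Warning ("{0} accounts had failed logons since {1} on {2}; possible password spray." -f
        $hits.Count, $since, $pdc)
}
```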
Domain Info:
Get-ADDomain -Server za.tryhackme.com
Example – Change User Password:
Set-ADAccountPassword -Identity gordon.stevens -Server za.tryhackme.com -OldPassword (ConvertTo-SecureString -AsPlainText "old" -Force) -NewPassword (ConvertTo-SecureString -AsPlainText "new" -Force)
Benefits:
- Enumerates more information than net commands
- Can be used remotely with runas
- Supports scripting and automation
- Can create and modify AD objects (if privileges allow)
Drawbacks:
- Often monitored more closely by blue teams
- Requires RSAT installed or custom scripts
Summary: When to Use What
| Method | Use Case |
|---|---|
| runas /netonly | Inject creds into memory, run MMC or tools using network auth only |
| MMC Snap-ins | GUI view of users, OUs, machines, and groups (RDP helpful but not required) |
| net commands | Quick and dirty enumeration over CMD, no GUI or PowerShell needed |
| PowerShell RSAT | Deep, scriptable enumeration of users, groups, policies, and objects |
You can combine all four to enumerate an AD domain efficiently — whether you’re on an internal jump box, pivoting via RAT, or setting up for lateral movement.
Tip: Add these commands into phishing payloads or reverse shells for stealthy recon.
