handbook/tools/5.Machine/3.Active-Directory/General/Exploitation/3.Enumeration-AD/4.Enumeration-through-CMD.md

CMD

One way to perform active directory enumeration is through the command line using the "net" command. This command provides a variety of options for interacting with the active directory, such as listing users, groups, and computers. For example, the "net user" command can be used to list all user accounts in the active directory, while the "net group" command can be used to list all security groups.

Commands

User Information

net user /domain     ---> List all the user form the AD
net user First_name.Last_name(user) /domain ---> List information about the user

• Search guest account and check if (Account = active) ---> net user guest /domain

Group Information

net group /domain            ---> List the groups in the AD
net group "Tier 1 Admins" /domain  ---> Get information on a specific group in the AD

Account Info / Password Policy

net accounts /domain    ---> Information on the account (Password Policy, Lockout...)

Result ---> If the account treshold is set to never = Account can be brute force (∞)

More net commands ---> https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/net-commands-on-operating-systems

Benefits

• No additional or external tooling is required, and these simple commands are often not monitored for by the Blue team.
• We do not need a GUI to do this enumeration.
• VBScript and other macro languages that are often used for phishing payloads support these commands natively so they can be used to enumerate initial information regarding the AD domain before more specific payloads are crafted.

Drawbacks

• The net commands must be executed from a domain-joined machine. If the machine is not domain-joined, it will default to the WORKGROUP domain.
• The net commands may not show all information. For example, if a user is a member of more than ten groups, not all of these groups will be shown in the output.