RSAT Active Directory Enumeration

by Vince
in Blog

From the description:  "Remote Server Administration Tools (RSAT) lets IT admins manage Windows Server roles and features from a Windows 10 PC."

RSAT can be used to enumerate the domain from any Windows 10 workstation (probably lower versions too) as long as it is either already installed or you have local admin access to install it. On Windows 10 1809 and later the ActiveDirectory module ships as a Feature on Demand; earlier builds need the RSAT package downloaded from Microsoft. I wrote this collection of commands to replace PowerView because outside of lab environments, PowerView won't make it onto the machine without endpoint protection eating it.

Adding the capability to a Windows 10 system:


When it's finished:
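As an added example (not the post's own screenshots), this is the install-and-verify step in PowerShell for Windows 10 1809 or later. It assumes an elevated session and that the machine can reach Windows Update or a configured Feature on Demand source; the capability name is Microsoft's published one for the AD DS/LDS tools.

```powershell
# Added example, not from the original post: install the RSAT Active Directory
# module as a Feature on Demand and confirm the Get-AD* cmdlets are available.
# Assumes an elevated PowerShell session (Run as administrator).

$cap = 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'   # Microsoft's FoD name

# Only install if it is not already present.
$state = (Get-WindowsCapability -Online -Name $cap).State
if ($state -ne 'Installed') {
    Add-WindowsCapability -Online -Name $cap | Out-Null
}

# Verify: the module must import, and a trivial query against the domain
# proves the workstation can talk to Active Directory Web Services.
Import-Module ActiveDirectory -ErrorAction Stop
Get-Command -Module ActiveDirectory -Name 'Get-AD*' | Select-Object -First 5 Name
Get-ADDomain | Select-Object DNSRoot, DomainMode, PDCEmulator
```

If `Add-WindowsCapability` fails with a source error, Feature on Demand downloads are blocked by policy or the proxy; the state check at the top lets you rerun the script safely once that is fixed.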


Querying for users:


Getting detailed properties on a specific account:


Getting a list of Domain Admins:


Getting computers by their Fully Qualified Domain Name (FQDN):


Identifying all of the servers and their specific operating system:


Searching all accounts for specific password information:


This one in particular is interesting because we can use it to possibly identify decoy accounts based on low counts: an account that has existed for a long time but has rarely, if ever, logged on is a candidate honeytoken, and touching it may be exactly what the blue team is waiting for.


On these two, we're searching the Description field to locate built-in accounts and service accounts:


On this one, we're looking for passwords in the Description field:


Like this one, but here the Description field is the password itself:
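As an added example (not the commands from the post's screenshots), the whole set of queries above written against the RSAT ActiveDirectory module, from listing users through searching Description fields. It runs as an ordinary domain user once the module is installed. Assumptions of mine: the account name `jdoe` is a placeholder, "low counts" is read as the `logonCount` attribute, and the `svc`, `service`, `built-in`, `pass` and `pwd` search terms are starting points rather than the author's exact strings.

```powershell
# Added example, not the original post's commands. Requires the RSAT
# ActiveDirectory module; runs with plain domain-user rights.
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Querying for users. Get-AD* cmdlets return only a default attribute set
#    unless -Properties asks for more.
Get-ADUser -Filter * | Select-Object SamAccountName, Enabled, DistinguishedName

# 2. Detailed properties on one account ('jdoe' is a placeholder).
Get-ADUser -Identity 'jdoe' -Properties *

# 3. Domain Admins, flattening nested groups and dropping group/computer members.
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Select-Object SamAccountName, DistinguishedName

# 4. Computers by FQDN (DNSHostName is in the default property set).
Get-ADComputer -Filter * | Select-Object -ExpandProperty DNSHostName

# 5. Servers and their operating system; the filter is evaluated server-side.
Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' `
    -Properties OperatingSystem, OperatingSystemVersion |
    Select-Object DNSHostName, OperatingSystem, OperatingSystemVersion

# 6. Password-related attributes for every account. PasswordNotRequired and
#    PasswordNeverExpires are the ones worth reading first.
$pw = Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires,
        PasswordNotRequired, LastLogonDate, logonCount, whenCreated
$pw | Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires,
        PasswordNotRequired, LastLogonDate, logonCount |
    Sort-Object PasswordLastSet

# 7. Decoy candidates: enabled, created long ago, almost never logged on.
#    Caveat: logonCount (like lastLogon) is NOT replicated between domain
#    controllers, so repeat this with -Server <dc> for each DC before
#    trusting a zero; LastLogonDate is replicated but lags by up to 14 days.
$pw | Where-Object {
        $_.Enabled -and
        $_.whenCreated -lt (Get-Date).AddDays(-180) -and
        $_.logonCount -lt 5
    } | Select-Object SamAccountName, whenCreated, logonCount, LastLogonDate

# 8. Built-in and service accounts via the Description field (and, as an
#    extra, the common 'svc' naming prefix).
Get-ADUser -Filter 'Description -like "*built-in*" -or Description -like "*service*" -or SamAccountName -like "svc*"' `
    -Properties Description |
    Select-Object SamAccountName, Description

# 9. Passwords left in the Description field. Anything matching here is
#    readable by every authenticated user in the domain.
Get-ADUser -Filter 'Description -like "*pass*" -or Description -like "*pwd*"' `
    -Properties Description |
    Select-Object SamAccountName, Description
```

Two practical notes: the Get-AD* cmdlets talk to Active Directory Web Services on TCP 9389 rather than LDAP, so if a firewall blocks that port from workstations you will need `-Server` pointed at a DC that allows it; and step 7 is only a heuristic, so treat a hit as a reason to look harder (group membership, description, ACLs) rather than proof of a honeytoken.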


Mind you, all of this information was gathered as a domain user on a workstation where that domain user has local admin privileges. The admin rights are only needed to install RSAT; the queries themselves run with ordinary domain-user rights, because Active Directory lets any authenticated user read most directory objects. A ton of information can be gathered by leveraging what's built into Windows natively, without introducing offensive tools from the interwebs.