One of the things that became apparent to me (which also came as a surprise) since I've started my journey with offensive security was that Windows systems and
Active Directory are absolutely everywhere. Most of the systems you will ever get to hack as an offensive security professional are going to be on Windows.
Probably the best tool for AD enumeration out there is the
PowerView, however, to start using it you need to first transfer it to the target machine, just to do some basic enumerations, which sometimes is not ideal and can be problematic. I've noticed that often instead, a pentester will write a small script in
PowerShell to start a simple enumeration of AD, just to see if there's anything there worth the attention. I've started practicing this approach myself and I find it much quicker - once I'm on a target system with access to
PowerShell, I can write a short code and run it on that system to get the basic detains about AD.
Having this in mind, I've created a small
PowerShell tool, called
adwalk, which allows me to do just that. The main purpose of it is to display all
OUs (Organization Units) in the Active Directory you are currently connected to, but you can also supply a filter in case you're looking for something specific, like an SQL server. Here's how it works:
Here an example of how to use it:
PS C:\> .\adwalk -filter "serviceprincipalname=*sql*"
Here's a quick demo:
For more details, head to the GitHub repo.