Skip to content

Latest commit

 

History

History
139 lines (115 loc) · 3.5 KB

1-Basic-Enumeration.md

File metadata and controls

139 lines (115 loc) · 3.5 KB

PowerView Enumeration

Get current domain

Get-NetDomain

Get object of another domain

Get-NetDomain -Domain moneycorp.local

Get domain SID for the current domain

Get-DomainSID

Get domain policy for the current domain

Get-DomainPolicy
(Get-DomainPolicy)."system access"

Get domain policy for another domain

(Get-DomainPolicy -domain moneycorp.local)."system access"
(Get-DomainPolicy -domain moneycorp.local)."kerberos policy"
(Get-DomainPolicy -domain moneycorp.local)."Privilege Rights"
# OR
(Get-DomainPolicy)."KerberosPolicy" #Kerberos tickets info(MaxServiceAge)
(Get-DomainPolicy)."SystemAccess" #Password policy
(Get-DomainPolicy).PrivilegeRights #Check your privileges

Get domain controllers for the current domain

Get-NetDomainController

Get domain controllers for another domain

Get-NetDomainController -Domain moneycorp.local

Get a list of users in the current domain

Get-NetUser
Get-NetUser -Username student1

Get list of all properties for users in the current domain

Get-UserProperty
Get-UserProperty -Properties pwdlastset,logoncount,badpwdcount
Get-UserProperty -Properties logoncount
Get-UserProperty -Properties badpwdcount

Search for a particular string in a user's attributes

Find-UserField -SearchField Description -SearchTerm "built"

Get a list of computers in the current domain

Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -Ping
Get-NetComputer -FullData

Get all the groups in the current domain

Get-NetGroup
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData
Get-NetComputer -Domain

Get all groups containing the word "admin" in group name

Get-NetGroup *admin*
Get-NetGroup -GroupName *admin*
Get-NetGroup *admin* -FullData
Get-NetGroup -GroupName *admin* -Doamin moneycorp.local

Get all the members of the Domain Admins group

Get-NetGroupMember -GroupName "Domain Admins" -Recurse
#test the below command
#Get-NetGroupMember -GroupName "Domain Admins" -Properties * | select DistinguishedName,GroupCategory,GroupScope,Name,Members

Get the group membership for a user

Get-NetGroup -UserName "student1"

List all the local groups on a machine (needs administrator privs on non-dc machines)

Get-NetLocalGroup -ComputerName dcorp-dc.dollarcorp.moneycorp.local -ListGroups

Get members of all the local groups on a machine (needs administrator privs on non-dc machines)

Get-NetLocalGroup -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Recurse

Get actively logged users on a computer (needs local admin rights on the target)

Get-NetLoggedon -ComputerName dcorp-dc.dollarcorp.moneycorp.local

Get locally logged users on a computer (needs remote registry on the target - started by-default on server OS)

Get-LoggedonLocal -ComputerName dcorp-dc.dollarcorp.moneycorp.local

Get the last logged user on a computer (needs administrative rights and remote registry on the target)

Get-LastLoggedon -ComputerName <servername>

Find shares on hosts in current domain.

Invoke-ShareFinder -Verbose

Find sensitive files on computers in the domain

Invoke-FileFinder -Verbose

Get all fileservers of the domain

Get-NetFileServer