Powerview cont.

Usage:

1) Get Current Domain:

Get-NetDomain

2) Enum Other Domains:

Get-NetDomain -Domain DOMAIN_NAME

3) Get Domain SID:

Get-DomainSID

4) Get Domain Policy:

Get-DomainPolicy

Will show us the policy configurations of the Domain about system access or kerberos

(Get-DomainPolicy)."system access"

(Get-DomainPolicy)."kerberos policy"

5) Get Domain Controlers:

Get-NetDomainController

Get-NetDomainController -Domain DOMAIN_NAME

6) Enumerate Domain Users:

Get-NetUser

Get-NetUser -SamAccountName USER

Get-NetUser | select cn

Get-UserProperty

Check last password change

Get-UserProperty -Properties pwdlastset

Get a specific "string" on a user's attribute

Find-UserField -SearchField Description -SearchTerm "wtver"

Enumerate user logged on a machine

Get-NetLoggedon -ComputerName COMPUTER_NAME

Enumerate Session Information for a machine

Get-NetSession -ComputerName COMPUTER_NAME

Enumerate domain machines of the current/specified domain where specific users

Find-DomainUserLocation -Domain <DomainName> | Select-Object UserName, SessionFromName

7) Enumerate Domain Computers:

Get-NetComputer -FullData

Get-DomainGroup

Enumerate Live machines

Get-NetComputer -Ping

8) Enumerate Groups and Group Members:

Get-NetGroupMember -GroupName "GROUP_NAME" -Domain DOMAIN_NAME

Enumerate the members of a specified group of the domain

Get-DomainGroup -Identity <GroupName> | Select-Object -ExpandProperty Member

Returns all GPOs in a domain that modify local group memberships through Restricted

Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName

9) Enumerate Shares

Enumerate Domain Shares

Find-DomainShare

Enumerate Domain Shares the current user has access

Find-DomainShare -CheckShareAccess

10) Enumerate Group Policies

Get-NetGPO

Shows active Policy on specified machine

Get-NetGPO -ComputerName NAME_OF_THE_PC

Get-NetGPOGroup

Get users that are part of a Machine's local Admin group

Find-GPOComputerAdmin -ComputerName COMPUTER_NAME

11) Enumerate OUs

Get-NetOU -FullData

Get-NetGPO -GPOname THE_GUID_OF_THE_GPO

12) Enumerate ACLs

Returns the ACLs associated with the specified account

Get-ObjectAcl -SamAccountName ACCOUNT_NAME -ResolveGUIDs

Get-ObjectAcl -ADSprefix 'CN=Administrator, CN=Users' -Verbose

Search for interesting ACEs

Invoke-ACLScanner -ResolveGUIDs

Get-PathAcl -Path "\\Path\Of\A\Share"

13) Enumerate Domain Trust

Get-NetDomainTrust

Get-NetDomainTrust -Domain DOMAIN_NAME

14) Enumerate Forest Trust

Get-NetForestDomain

Get-NetForestDomain Forest FOREST_NAME

Domains of Forest Enumeration

Get-NetForestDomain

Get-NetForestDomain Forest FOREST_NAME

Map the Trust of the Forest

Get-NetForestTrust

Get-NetDomainTrust -Forest FOREST_NAME

15) User Hunting

Finds all machines on the current domain where the current user has local admin access

Find-LocalAdminAccess -Verbose

Find local admins on all machines of the domain:

Invoke-EnumerateLocalAdmin -Verbose

Find computers were a Domain Admin OR a specified user has a session

Invoke-UserHunter

Invoke-UserHunter -GroupName "RDPUsers"

Invoke-UserHunter -Stealth

Confirming admin access:

Invoke-UserHunter -CheckAccess

!!! Priv Esc to Domain Admin with User Hunting: I have local admin access on a machine -> A Domain Admin has a session on that machine - > I steal his token and impersonate him -> Profit!

PreviousBloodhound NextPowerview

Last updated 4 months ago

hashtagUsage:

hashtag1) Get Current Domain:

hashtag2) Enum Other Domains:

hashtag3) Get Domain SID:

hashtag4) Get Domain Policy:

hashtagWill show us the policy configurations of the Domain about system access or kerberos

hashtag5) Get Domain Controlers:

hashtag6) Enumerate Domain Users:

hashtagCheck last password change

hashtagGet a specific "string" on a user's attribute

hashtagEnumerate user logged on a machine

hashtagEnumerate Session Information for a machine

hashtagEnumerate domain machines of the current/specified domain where specific users

hashtag7) Enumerate Domain Computers:

hashtagEnumerate Live machines

hashtag8) Enumerate Groups and Group Members:

hashtagEnumerate the members of a specified group of the domain

hashtagReturns all GPOs in a domain that modify local group memberships through Restricted

hashtag9) Enumerate Shares

hashtagEnumerate Domain Shares

hashtagEnumerate Domain Shares the current user has access

hashtag10) Enumerate Group Policies

hashtagShows active Policy on specified machine

hashtagGet users that are part of a Machine's local Admin group

hashtag11) Enumerate OUs

hashtag12) Enumerate ACLs

hashtagReturns the ACLs associated with the specified account

hashtagSearch for interesting ACEs

hashtagCheck the ACLs associated with a specified path (e.g smb share)

hashtag13) Enumerate Domain Trust

hashtag14) Enumerate Forest Trust

hashtagDomains of Forest Enumeration

hashtagMap the Trust of the Forest

hashtag15) User Hunting

hashtagFinds all machines on the current domain where the current user has local admin access

hashtagFind local admins on all machines of the domain:

hashtagFind computers were a Domain Admin OR a specified user has a session

hashtagConfirming admin access:

hashtag!!! Priv Esc to Domain Admin with User Hunting: I have local admin access on a machine -> A Domain Admin has a session on that machine - > I steal his token and impersonate him -> Profit!

Usage:

1) Get Current Domain:

2) Enum Other Domains:

3) Get Domain SID:

4) Get Domain Policy:

Will show us the policy configurations of the Domain about system access or kerberos

5) Get Domain Controlers:

6) Enumerate Domain Users:

Check last password change

Get a specific "string" on a user's attribute

Enumerate user logged on a machine

Enumerate Session Information for a machine

Enumerate domain machines of the current/specified domain where specific users

7) Enumerate Domain Computers:

Enumerate Live machines

8) Enumerate Groups and Group Members:

Enumerate the members of a specified group of the domain

Returns all GPOs in a domain that modify local group memberships through Restricted

9) Enumerate Shares

Enumerate Domain Shares

Enumerate Domain Shares the current user has access

10) Enumerate Group Policies

Shows active Policy on specified machine

Get users that are part of a Machine's local Admin group

11) Enumerate OUs

12) Enumerate ACLs

Returns the ACLs associated with the specified account

Search for interesting ACEs

Check the ACLs associated with a specified path (e.g smb share)

13) Enumerate Domain Trust

14) Enumerate Forest Trust

Domains of Forest Enumeration

Map the Trust of the Forest

15) User Hunting

Finds all machines on the current domain where the current user has local admin access

Find local admins on all machines of the domain:

Find computers were a Domain Admin OR a specified user has a session

Confirming admin access:

!!! Priv Esc to Domain Admin with User Hunting: I have local admin access on a machine -> A Domain Admin has a session on that machine - > I steal his token and impersonate him -> Profit!