- Get it from here and put it in the compromised machine
- From a cmd in the target:
powershell -ep bypass - Launch Powerview:
. .\powerview.ps1 - Get info on the Domain Controller:
Get-NetDomain - Check policies:
Get-DomainPolicy - Policies in System Access:
(Get-DomainPolicy)."systemAccess"(e.g.: we get info about password policy and minimum length so min size if we want to password spray) - Info about the users
Get-NetUser - Get only usenames
Get-NetUser | select cn(e.g.: will output Jessica Jones) - Get only sam account name:
Get-NetUser | select samaccountname(e.g.: will output jjones) - Get only description:
Get-NetUser | select description(e.g.: will output a description if provided by sysadmn or a default one) - See all the properties a user have:
Get-UserProperty - Get more details for example password last set:
Get-UserProperty -Properties pwdlastset - Get more details for example logoncount:
Get-UserProperty -Properties logoncount - See if users have entered bad passwd:
Get-UserProperty -Properties badpwdcount - List all the computers in the Domain:
Get-NetComputer - Same but with much more info:
Get-NetComputer -FullData - Filter this load of data with specific info:
Get-NetComputer -FullData | select OperatingSystem - Get info on groups:
Get-NetGroup - Filter for a specific GroupName:
Get-NetGroup -GroupName "Domain Admins" - Filter on GroupName with a wildcard:
Get-NetGroup -GroupName *admin* - Get users from a specific group:
Get-NetGroup -GroupName "Domain Admins" - Get smb shared in the network:
Invoke-ShareFinder - Get group policies:
Get-NetGPO - Filter the info:
Get-NetGroup -GroupName "Domain Admins" .\SharpView.exe ConvertTo-SID -Name first.lastFind SID of a user.\SharpView.exe Convert-ADName -ObjectName SIDfind user with SIDGet-DomainPolicyView the domain password policy (will show passwordhistorysize)Get-DomainUser first.last \| ConvertFrom-UACValue -showallList all UAC values.\SharpView.exe Get-DomainView information about the current domain.\SharpView.exe Get-DomainOUList all OUs.\SharpView.exe Get-DomainUser -KerberosPreauthNotRequiredFind ASREPRoastable usersGet-DomainComputerGet a listing of domain computers.\SharpView.exe Get-DomainGPO \| findstr displaynameList all GPO namesGet-DomainGPO -ComputerIdentity HOSTNAMEList GPOs on a specific hostTest-AdminAccess -ComputerName HOSTNAMETest local admin access on a remote host.\SharpView.exe Get-NetShare -ComputerName HOSTNAMEEnumerate open shares on a remote computerFind-DomainUserLocationFind machines where domain users are logged inGet-DomainTrustView a list of domain trusts(Get-DomainUser).countCount all domain users.\SharpView.exe Get-DomainUser -HelpGet help about a SharpView functionGet-DomainUser -Properties samaccountname,description \| Where {$_.description -ne $null}Find non-blank user description fields.\SharpView.exe Get-DomainUser -SPNFind users with SPNs setFind-ForeignGroupFind foreign domain usersGet-DomainGroup -Properties NameList domain groups.\SharpView.exe Get-DomainGroupMember -Identity 'Help Desk'Get members of a domain group.\SharpView.exe Get-DomainGroup -AdminCountList protected groups.\SharpView.exe Find-ManagedSecurityGroupsList managed security groupsGet-NetLocalGroup -ComputerName HOSTGet local groups on a host.\SharpView.exe Get-NetLocalGroupMember -ComputerName HOSTNAMEGet members of a local group.\SharpView.exe Get-DomainComputer -UnconstrainedFind computers that allow unconstrained delegationGet-DomainComputer -TrustedToAuthFind computers set with constrained delegationGet-DomainObjectAcl -Identity first.lastEnumerate ACLs on a userFind-InterestingDomainAclFind objects in the domain with modification rights over non built-in objectsGet-PathAcl "\\HOSTNAME\Directory"Find the ACLs set on a directorygpresult /r /S HOSTNAMEGet a report of all GPOs applied to a hostGet-DomainGPO \| Get-ObjectAclFind GPO permissionsGet-DomainTrustMappingEnumerate trusts for our domain/reachable domainsGet-NetShare -ComputerName COMPUTERList share on computerGet-DomainGPOlist all gpo and related infoGet-DomainGPO | select displaynamelist all gpo namesGet-DomainGPO | select displayname,objectguidlist gpo names with their guidGet-DomainTrustMappingenumerate all trusts for our current domain and other reachable domainsGet-NetDomainsimilar to the ActiveDirectory module’s Get-ADDomain but contains a lot less information. Basic info such as the Forest, Domain Controllers, and Domain Name are enumerated.Get-NetDomainControllerlist all of the Domain Controllers within the networkGet-NetForestsimilar to Get-ADForest, and provides similar output. It provides all the associated Domains, the root domain, as well as the Domain Controllers for the root domain.Get-NetDomainTrustis similar to Get-ADTrust with our SelectObject filter applied to it.
get-netuserwill output all infos about users in the domainget-netuser | select cnwill list all usersget-netuser | select -expandproperty samaccountnamewill list users but only samccountnamefind-userfield -SearchField description "password"will list description fields of users with a grep on "password"
get-netgroupwill list all the different groups in the domainget-netgroup -Username "f.lastname"will show group of user f.lastnameget-netgroup -GroupName "domain admins" -FullDatawill show details of the group
Get-NetComputer -OperatingSystem "*Windows 10*"Get computer with Win 10 OSGet-NetComputer -OperatingSystem "*server*"Get the serverInvoke-ShareFinderwill list sharesInvoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPCwill list sharw without standard print and IPC
Invoke-FileFinder
Invoke-EnumerateLocalAdmin
get-netgpo
get-objectaclget-objectacl -SamAccountName "name" -ResolveGUIDs
get-netdomainGet-DomainPolicyGet-domainsiduseful for golden tickets
Note: If you do not get result with powerview, you can try this in powershell Import-Module .\PowerView.ps1