3.3.1.1 - Domain Enumeration (Video Lab)
Start InviShell (using cmd)
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
Start PowerView (from PowerShell; if you started InviShell, a PowerShell session is already running):
. C:\AD\Tools\Powerview.ps1
Get domain information and the domain SID:
Get-NetDomain
Get-DomainSID

Get information about another domain in the forest (reachable through the trust relationship):
Get-Domain -Domain moneycorp.local

Retrieve the domain policy for the current domain and for another domain (the systemaccess section holds password and lockout settings):
Get-DomainPolicyData
(Get-DomainPolicyData).systemaccess
(Get-DomainPolicyData -domain moneycorp.local).systemaccess

Get the domain controller(s):
Get-DomainController

Get a list of users in the current domain:
Get-DomainUser
Get-DomainUser -Identity student867

Get selected properties for users in the current domain:
Get-DomainUser | select samaccountname
Get-DomainUser -Properties samaccountname,logonCount

Search for a particular string in a user's attributes:
Get-DomainUser -LDAPFilter "Description=*built*" | Select name,Description

Get all the groups in the current domain and in another domain:
Get-DomainGroup | select Name
Get-DomainGroup -Domain moneycorp.local

Get a list of computers in the current domain:
Get-DomainComputer | select dnshostname,logonCount

Get a specific group in the current domain (the -Domain parameter expects a domain name, not a group name):
Get-DomainGroup -Identity Administrators

Get all groups containing the word "admin" in group name:
Get-DomainGroup *admin* | select name

Get the members of a group (recursively, so nested group members are expanded) and the groups a user belongs to:
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get-DomainGroup -UserName student867

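Recursive membership output from the command above tells you who is effectively in a group, but not through which nesting path. The following is an added example (not part of the lab notes or of PowerView) that walks nested membership with the Microsoft ActiveDirectory (RSAT) module and records the path for each member, so a reviewer can see why an account ends up in a privileged group and spot unexpected nesting. It assumes the ActiveDirectory module is installed and the caller can read the directory; the function name Get-NestedGroupMembership is chosen for this example.

```powershell
# Added example, not from the lab notes: walk nested group membership and keep the
# nesting path for each leaf member. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-NestedGroupMembership {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string]$Path = $GroupName,      # nesting path so far, e.g. "Domain Admins -> Helpdesk"
        [hashtable]$Seen = @{}           # groups already expanded
    )
    # Groups can be nested in a cycle; without this guard the walk never terminates
    if ($Seen.ContainsKey($GroupName)) { return }
    $Seen[$GroupName] = $true

    foreach ($m in Get-ADGroupMember -Identity $GroupName) {
        if ($m.objectClass -eq 'group') {
            # Descend into the nested group, extending the recorded path
            Get-NestedGroupMembership -GroupName $m.SamAccountName `
                -Path "$Path -> $($m.SamAccountName)" -Seen $Seen
        } else {
            [pscustomobject]@{
                Member      = $m.SamAccountName
                ObjectClass = $m.objectClass   # user, computer, or serviceAccount
                Via         = $Path
            }
        }
    }
}

# Review the effective membership of a privileged group, grouped by nesting path
Get-NestedGroupMembership -GroupName 'Domain Admins' |
    Sort-Object Via, Member |
    Format-Table Member, ObjectClass, Via -AutoSize
```

Members that arrive through a long Via chain, or through groups whose owners are outside the directory team, are the ones worth questioning in a privilege review.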
List all the local groups on a machine (needs administrator privileges on a non-DC machine):
Get-NetLocalGroup -ComputerName dcorp-dc

Get members of the local group "Administrators" on a machine (needs administrator privileges on a non-DC machine):
Get-NetLocalGroupMember -ComputerName dcorp-dc -GroupName Administrators

Get actively logged-on users on a computer (needs local admin rights on the target):
Get-NetLoggedon -ComputerName dcorp-adminsrv
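The local group lookups above are logged on the host whose groups were enumerated: Windows writes event 4798 (a user's local group membership was enumerated) and 4799 (a security-enabled local group membership was enumerated) when the User Account Management and Security Group Management audit subcategories are enabled. The following is an added example (not part of the lab notes) that pulls those events from a host's Security log and extracts the calling account, target group and calling process by field name; the function name Get-LocalGroupEnumerationEvents and the $Hours parameter are chosen for this example, and it assumes the caller can read the Security log.

```powershell
# Added example, not from the lab notes: list recent local-group enumeration events
# (4798/4799) on this host. Assumes the relevant audit subcategories are enabled.
function Get-LocalGroupEnumerationEvents {
    param([int]$Hours = 24)

    $filter = @{
        LogName   = 'Security'
        Id        = 4798, 4799
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read named fields from the event XML instead of relying on positional Properties
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Subject = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Target  = $data.TargetUserName      # group (4799) or user (4798) that was enumerated
            Process = $data.CallerProcessName
        }
    }
}

# Summarise who enumerated which group, and how often, over the last day
Get-LocalGroupEnumerationEvents -Hours 24 |
    Group-Object Subject, Target |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

A burst of 4799 events for the Administrators group from a single account across many hosts is the pattern to alert on; the per-host count above is the building block for that correlation.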

Find shares on hosts in the current domain:
Invoke-ShareFinder -Verbose

Another useful tool for enumerating shares, files, share ACLs, networks, computers and more, generating an HTML report, is PowerHuntShares.