3.3.1.1 - Domain Enumeration (Video Lab)

  • Start InviShell (using cmd)

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
  • Start PowerView (in PowerShell; if you started InviShell, a PowerShell session is already running):

. C:\AD\Tools\Powerview.ps1
  • Get Domain Information and SID

Get-NetDomain
Get-DomainSID
  • Get information about another domain in the forest, reachable through the trust relationship:

Get-Domain -Domain moneycorp.local
  • Retrieve domain policy for the current domain and for another domain:

Get-DomainPolicyData
(Get-DomainPolicyData).systemaccess
(Get-DomainPolicyData -domain moneycorp.local).systemaccess
  • Get Domain Controller:

Get-DomainController

  • Get a list of users in the current domain:

Get-DomainUser
Get-DomainUser -Identity student867

  • Get a list of properties for users in the current domain:

Get-DomainUser | select samaccountname
Get-DomainUser -Properties samaccountname,logonCount
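Every PowerView call in this section is an LDAP search against a domain controller, so the defender's counterpart to this enumeration is LDAP query logging on the DC. The script below is an added example, not part of the lab notes: it shows (in comments) the NTDS diagnostics setting that makes the DC record searches as Event ID 1644 in the Directory Service log, then parses 1644 messages and groups broad, high-volume searches by client. The threshold values, the assumed layout of the 1644 Message text (the `Client:`, `Filter:`, `Visited entries:` and `Returned entries:` lines) and the sample messages are assumptions/constructed.

```powershell
# Added example (not part of the lab notes): summarise broad LDAP searches that a DC
# records as Event ID 1644 in the Directory Service log once diagnostic logging is on.
# Assumptions: the 1644 Message text carries "Client:", "Filter:", "Visited entries:" and
# "Returned entries:" lines; the threshold values below are a starting point to tune.
#
# Enable on a DC (once, elevated). '15 Field Engineering' = 5 turns on 1644 logging;
# the thresholds decide which searches count as expensive/inefficient enough to log.
#   $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'
#   Set-ItemProperty "$ntds\Diagnostics" -Name '15 Field Engineering' -Value 5
#   Set-ItemProperty "$ntds\Parameters"  -Name 'Expensive Search Results Threshold'   -Value 1
#   Set-ItemProperty "$ntds\Parameters"  -Name 'Inefficient Search Results Threshold' -Value 1
#   Set-ItemProperty "$ntds\Parameters"  -Name 'Search Time Threshold (msecs)'        -Value 1

# Filter fragments that "every object of a class" enumeration relies on.
$BroadFilters = @(
    'samAccountType=805306368',   # all user accounts     (what Get-DomainUser asks for)
    'samAccountType=805306369',   # all computer accounts (Get-DomainComputer)
    'objectCategory=group',       # all groups            (Get-DomainGroup)
    'objectClass=trustedDomain'   # trust objects
)

function ConvertFrom-Ldap1644Message {
    # Pull the fields of interest out of one 1644 event message.
    param([Parameter(Mandatory)][string]$Message)
    $get = { param($pattern) if ($Message -match $pattern) { $Matches[1].Trim() } }
    [pscustomobject]@{
        Client   = & $get 'Client:\s*([^\r\n]+)'
        Filter   = & $get 'Filter:\s*([^\r\n]+)'
        Visited  = [int](& $get 'Visited entries:\s*(\d+)')    # [int]$null is 0
        Returned = [int](& $get 'Returned entries:\s*(\d+)')
    }
}

function Find-BroadLdapSearch {
    # Keep searches that use a broad filter and returned many objects, grouped per client.
    param(
        [Parameter(Mandatory)][object[]]$Searches,
        [int]$MinReturned = 100
    )
    $Searches |
        Where-Object {
            $s = $_
            $s.Returned -ge $MinReturned -and ($BroadFilters | Where-Object { $s.Filter -like "*$_*" })
        } |
        Group-Object Client |
        ForEach-Object {
            [pscustomobject]@{
                Client        = $_.Name
                BroadQueries  = $_.Count
                Filters       = ($_.Group.Filter | Sort-Object -Unique) -join ' ; '
                TotalReturned = ($_.Group | Measure-Object -Property Returned -Sum).Sum
            }
        } |
        Sort-Object BroadQueries -Descending
}

# Live use on a DC: the last 24 hours of 1644 events.
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644; StartTime = (Get-Date).AddDays(-1) } |
#             ForEach-Object { ConvertFrom-Ldap1644Message -Message $_.Message }
# Find-BroadLdapSearch -Searches $live | Format-Table -AutoSize

# Constructed sample messages (layout assumed from the 1644 text) for an offline run.
$sample = @(
    "Internal event: A client issued a search operation with the following options.`r`nClient: 10.0.0.25:49712`r`nStarting node: DC=moneycorp,DC=local`r`nFilter: (samAccountType=805306368)`r`nSearch scope: subtree`r`nVisited entries: 1034`r`nReturned entries: 1034",
    "Internal event: A client issued a search operation with the following options.`r`nClient: 10.0.0.25:49713`r`nStarting node: DC=moneycorp,DC=local`r`nFilter: (objectCategory=group)`r`nSearch scope: subtree`r`nVisited entries: 412`r`nReturned entries: 412",
    "Internal event: A client issued a search operation with the following options.`r`nClient: 10.0.0.40:51200`r`nStarting node: DC=moneycorp,DC=local`r`nFilter: (&(objectCategory=group)(cn=Domain Admins))`r`nSearch scope: subtree`r`nVisited entries: 412`r`nReturned entries: 1"
)
$parsed = $sample | ForEach-Object { ConvertFrom-Ldap1644Message -Message $_ }
Find-BroadLdapSearch -Searches $parsed | Format-Table -AutoSize
```

The third sample is a targeted lookup of one group: its filter contains a broad fragment but it returns a single object, so the `MinReturned` threshold keeps it out of the report, while the client that pulled every user and every group is listed with both filters. Volume of 1644 events is high on a busy DC, so forward them to a SIEM or raise the thresholds rather than reading them on the DC itself.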
  • Search for a particular string in a user's attributes:

Get-DomainUser -LDAPFilter "Description=*built*" | Select name,Description
  • Get all the groups in the current domain

Get-DomainGroup | select Name
Get-DomainGroup -Domain moneycorp.local
  • Get a list of computers in the current domain:

Get-DomainComputer | select dnshostname,logonCount
  • Get a particular group by name:

Get-DomainGroup -Identity Administrators
  • Get all groups containing the word "admin" in group name:

Get-DomainGroup *admin* | select name
  • Get the members of a domain group, and the groups a user belongs to:

Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get-DomainGroup -UserName student867
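The defender-side version of this section's questions (who is effectively in the privileged groups, and which accounts carry tell-tale descriptions) is below as an added example, not part of the lab notes. It uses the RSAT ActiveDirectory module rather than PowerView, and assumes RSAT is installed and the account can read the directory; the group list and keyword list are assumptions to adjust, and the "built" keyword is the lab's own search generalised to a list.

```powershell
# Added example (not part of the lab notes): audit privileged group membership and
# user descriptions with the RSAT ActiveDirectory module. Assumptions: RSAT installed,
# read access to the directory; $PrivilegedGroups and the keyword list are starting points.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

function Get-PrivilegedGroupReport {
    param(
        [string[]]$Groups = $PrivilegedGroups,
        [string]$Server            # optional DC or domain to query, e.g. moneycorp.local
    )
    $common = @{}
    if ($Server) { $common.Server = $Server }
    foreach ($g in $Groups) {
        # Direct members show the nesting; -Recursive flattens it to the effective set.
        $direct = @(Get-ADGroupMember -Identity $g @common)
        $flat   = @(Get-ADGroupMember -Identity $g -Recursive @common)
        $users  = @($flat | Where-Object objectClass -eq 'user')
        [pscustomobject]@{
            Group          = $g
            DirectMembers  = $direct.Count
            NestedGroups   = (@($direct | Where-Object objectClass -eq 'group').Name -join ', ')
            EffectiveUsers = $users.Count
            Users          = (($users.SamAccountName | Sort-Object -Unique) -join ', ')
        }
    }
}

function Find-SuspectDescription {
    # Accounts whose description matches keywords that often mark service, test or
    # credential-bearing accounts; the LDAP filter is built from the keyword list.
    param(
        [string[]]$Keywords = @('built', 'pass', 'pwd', 'temp', 'test', 'svc'),
        [string]$Server
    )
    $clauses = ($Keywords | ForEach-Object { "(description=*$_*)" }) -join ''
    $p = @{
        LDAPFilter = "(&(objectCategory=person)(objectClass=user)(|$clauses))"
        Properties = 'description', 'lastLogonDate', 'passwordLastSet', 'adminCount'
    }
    if ($Server) { $p.Server = $Server }
    Get-ADUser @p |
        Select-Object SamAccountName, Enabled, adminCount, lastLogonDate, passwordLastSet, Description
}

Get-PrivilegedGroupReport | Format-List
Find-SuspectDescription | Format-Table -AutoSize
```

Reporting direct and recursive membership side by side is deliberate: a nested group is the usual way an unexpected account ends up with Domain Admins rights without appearing in the group itself, and `-Recursive` alone hides that path. `Get-ADGroupMember -Recursive` does not expand members that live in another domain of the forest; for those, query that domain with `-Server`.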
  • List all the local groups on a machine (needs administrator privileges on a non-DC machine):

Get-NetLocalGroup -ComputerName dcorp-dc
  • Get members of the local group "Administrators" on a machine (needs administrator privileges on a non-DC machine):

Get-NetLocalGroupMember -ComputerName dcorp-dc -GroupName Administrators
  • Get actively logged users on a computer (needs local admin rights on the target):

Get-NetLoggedon -ComputerName dcorp-adminsrv
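Local Administrators membership across the estate is the inventory a defender wants for the same reason the lab enumerates it: it is where lateral movement finds its footholds. The script below is an added example, not part of the lab notes; it uses `Get-LocalGroupMember` over PowerShell Remoting instead of PowerView, and assumes the RSAT ActiveDirectory module on the auditing host, WinRM enabled and admin rights on the targets (the same rights `Get-NetLocalGroupMember` needs), PowerShell 5.1+ on the targets, and a baseline list that you adjust to your environment.

```powershell
# Added example (not part of the lab notes): inventory the local Administrators group on
# domain-joined machines and report members outside an expected baseline.
# Assumptions: RSAT ActiveDirectory module here, WinRM + admin rights on targets,
# PowerShell 5.1+ (Get-LocalGroupMember) on targets, and $Baseline tuned to the estate.
Import-Module ActiveDirectory

# Principals allowed to be local admins everywhere; anything else is reported.
$Baseline = @('Administrator', 'Domain Admins')

function Get-LocalAdminInventory {
    param([string[]]$ComputerName)
    if (-not $ComputerName) {
        # Default to enabled, non-DC computers: DCs have no local SAM, so skip them.
        $ComputerName = Get-ADComputer -Filter 'Enabled -eq $true' -Properties PrimaryGroupID |
            Where-Object { $_.PrimaryGroupID -notin 516, 521 } |     # 516 = DCs, 521 = RODCs
            ForEach-Object DNSHostName
    }
    Invoke-Command -ComputerName $ComputerName -ErrorAction SilentlyContinue -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' |
            Select-Object Name, ObjectClass, PrincipalSource
    } | ForEach-Object {
        [pscustomobject]@{
            Computer = $_.PSComputerName
            Member   = $_.Name              # DOMAIN\name or MACHINE\name
            Class    = $_.ObjectClass       # User or Group
            Source   = $_.PrincipalSource   # Local, ActiveDirectory, MicrosoftAccount, ...
        }
    }
}

function Find-LocalAdminDrift {
    # Members outside the baseline, compared on the short name (after the backslash).
    param([object[]]$Inventory, [string[]]$ExpectedMembers = $Baseline)
    $Inventory |
        Where-Object { ($_.Member -split '\\')[-1] -notin $ExpectedMembers } |
        Sort-Object Computer, Member
}

$inv = Get-LocalAdminInventory
Find-LocalAdminDrift -Inventory $inv | Format-Table -AutoSize
# Machines with the widest local-admin membership, the number to drive down first.
$inv | Group-Object Computer | Select-Object Name, Count | Sort-Object Count -Descending
```

Hosts that do not answer WinRM are silently skipped by `-ErrorAction SilentlyContinue`; compare the set of `Computer` values in the result with the target list so that unreachable machines are followed up rather than assumed clean. `Get-LocalGroupMember` can fail on a machine whose Administrators group still holds an orphaned SID from a deleted domain account, which is itself a finding worth recording.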
  • Find shares on hosts in the current domain:

Invoke-ShareFinder -Verbose

Another good tool for enumerating shares, files, share ACLs, networks, computers, etc. and generating a nice HTML report is PowerHuntShares.
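Share enumeration is also something the defender should run first, on their own hosts: the shares that `Invoke-ShareFinder` and PowerHuntShares surface are usually the ones whose share ACL grants write access to everyone in the domain. The script below is an added example, not part of the lab notes and not PowerView or PowerHuntShares code; it uses the built-in SmbShare module (`Get-SmbShare`, `Get-SmbShareAccess`) and assumes admin rights on the targets, WinRM for remote hosts, and the principal list as a starting point.

```powershell
# Added example (not part of the lab notes): audit share-level permissions and flag shares
# that grant write access to domain-wide principals, using the SmbShare module.
# Assumptions: admin rights on targets, WinRM for remote hosts, $BroadPrincipals tuned.
$BroadPrincipals = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    "$env:USERDOMAIN\Domain Users",
    "$env:USERDOMAIN\Domain Computers"   # every machine account in the domain
)

# Runs on the target: one row per (share, ACE), skipping the default admin shares.
$collect = {
    Get-SmbShare | Where-Object { $_.Name -notmatch '^(ADMIN\$|IPC\$|[A-Z]\$)$' } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | ForEach-Object {
            [pscustomobject]@{
                Share   = $share.Name
                Path    = $share.Path
                Account = $_.AccountName
                Type    = [string]$_.AccessControlType   # Allow / Deny
                Right   = [string]$_.AccessRight         # Full / Change / Read / Custom
            }
        }
    }
}

function Get-ShareAceInventory {
    param([string[]]$ComputerName)
    if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $collect -ErrorAction SilentlyContinue |
            ForEach-Object { $_ | Add-Member -NotePropertyName Computer -NotePropertyValue $_.PSComputerName -PassThru }
    } else {
        & $collect |
            ForEach-Object { $_ | Add-Member -NotePropertyName Computer -NotePropertyValue $env:COMPUTERNAME -PassThru }
    }
}

function Find-OverexposedShare {
    # Allow ACEs that give a broad principal Change or Full: the shares to re-permission first.
    param([object[]]$Inventory, [string[]]$Broad = $BroadPrincipals)
    $Inventory |
        Where-Object { $_.Type -eq 'Allow' -and $_.Right -in 'Full', 'Change' -and $_.Account -in $Broad } |
        Sort-Object Computer, Share
}

$aces = Get-ShareAceInventory            # local host; pass -ComputerName for remote hosts
Find-OverexposedShare -Inventory $aces | Format-Table Computer, Share, Path, Account, Right -AutoSize
```

Share permissions are only half of the picture: effective access is the intersection of the share ACL and the NTFS ACL on `Path`, so a share that looks over-exposed here may be held back by NTFS, and a share with a tight share ACL can still be readable to everyone who can reach the folder another way. Run `Get-Acl` on the reported paths before deciding what to fix, and treat `Domain Computers` and `Everyone` as equivalent to "any authenticated machine" when judging risk.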
