3.3.1.1 - Domain Enumeration (Video Lab)

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

Start PowerView (using powershell, if you've run InviShell powershell It's already running)

. C:\AD\Tools\Powerview.ps1

Get-NetDomain
Get-DomainSID

Get-Domain -Domain moneycorp.local

Get-DomainPolicyData
Get-DomainPolicyData (Get-DomainPolicyData).systemaccess
(Get-DomainPolicyData -domain moneycorp.local).systemaccess

Get-DomainController

Get a list of users in the current domain:

Get-DomainUser
Get-DomainUser -Identity student867

Get list of all properties for users in the current domain

Get-DomainUser | select samaccountname
Get-DomainUser -Properties samaccountname,logonCount

Get-DomainUser -LDAPFilter "Description=*built*" | Select name,Description

Get-DomainGroup | select Name
Get-DomainGroup -Domain moneycorp.local

Get-DomainComputer | select dnshostname,logonCount

Get-DomainGroup | select Name
Get-DomainGroup -Domain Administrators

Get-DomainGroup *admin* | select name

Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get-DomainGroup -UserName student867

List all the local groups on a machine (needs administrator privs on a non dc machine):

Get-NetLocalGroup -ComputerName dcorp-dc

Get members of the local group "Administrators" on a machine (needs administrator privs on a non dc machine):

Get-NetLocalGroupMember -ComputerName dcorp-dc -GroupName Administrators

Get actively logged users on a computer (needs local admin rights on the target):

Get-NetLoggedon -ComputerName dcorp-adminsrv

Invoke-ShareFinder -Verbose

Another good thing to enumerate shares, files, ACLs for shares, networks, computers, etc genereting a nice HTML report is PowerHuntShares

Last updated 9 months ago