3.3.1.1 - Domain Enumeration (Video Lab)
Start InviShell (using cmd):
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
Start PowerView (using PowerShell; if you've started InviShell, PowerShell is already running):
. C:\AD\Tools\Powerview.ps1
Get domain information and SID:
Get-NetDomain
Get-DomainSID
We can get some information regarding the forest using trust relationships:

Retrieve domain policy for the current domain and for another domain:

Get the domain controller(s):

Get a list of users in the current domain:

Get a list of all properties for users in the current domain:

Search for a particular string in a user's attributes:

Get a list of computers in the current domain:

Get all the groups in the current domain:

Get all groups containing the word "admin" in group name:

Get the membership of a domain:


List all the local groups on a machine (needs administrator privileges on a non-DC machine):

Get members of the local group "Administrators" on a machine (needs administrator privileges on a non-DC machine):

Get actively logged-on users on a computer (needs local admin rights on the target):

Find shares on hosts in the current domain:

Another good tool for enumerating shares, files, share ACLs, networks, computers, etc. and generating a nice HTML report is PowerHuntShares.