powerview.ps1

powershell.exe -exec bypass; Import-Module PowerView.ps1
[OR] . .\PowerView.ps1

Domain information

Get-Domain [-Domain DOMAIN]
Get-DomainController [-Domain DOMAIN] 
Get-DomainSID
Get-DomainPolicy
(Get-DomainPolicy)."to-enumerate-further"

Domain Users & Computers

Get-DomainUser | Out-File -FilePath .\DomainUsers.txt
Get-DomainUser | select samaccountname,userprincipalname, memberof
Get-DomainUser * -Domain DOMAIN | Select-Object -Property name,samaccountname,description,memberof,admincount,userprincipalname, serviceprincipalname, useraccountcontrol
Get-UserProperty [-Properties FIELD]

Get-DomainComputer -Properties OperatingSystem, Name, DnsHostName | Sort-Object -Property DnsHostName
# live hosts
Get-DomainComputer -Ping -Properties OperatingSystem, Name, DnsHostName | Sort-Object -Property DnsHostName

Kerberoastable Users

Get-NetUser -SPN | select serviceprincipalname
Get-DomainUser * -SPN | Get-DomainSPNTicket -OutputFormat Hashcat

Domain Groups

# can use *admin*
Get-NetGroup [-GroupName "GROUPNAME"]
Get-NetGroupMember [-GroupName "GROUPNAME"]

SMB Shares

Invoke-ShareFinder [-CheckShareAccess]

GPO

Get-NetGPO [| select displayname]
Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName

ACLs

# Returns the ACLs associated with the specified account
Get-DomainObjectAcl -Identity <AccountName> -ResolveGUIDs

#Search for interesting ACEs
Find-InterestingDomainAcl -ResolveGUIDs

#Check the ACLs associated with a specified path (e.g smb share)
Get-PathAcl -Path "\\Path\Of\A\Share"

Domain Trusts

Get-DomainTrust
Get-DomainTrust -Domain <DomainName>

#Enumerates all trusts for the current domain, then enumerates the trusts of each domain it finds
Get-DomainTrustMapping

User Hunting

#Finds all machines on the current domain where the current user has local admin access
Find-LocalAdminAccess -Verbose

#Find local admins on all machines of the domain
Find-DomainLocalGroupMember -Verbose

#Find computers where a Domain Admin OR a specified user has a session
Find-DomainUserLocation | Select-Object UserName, SessionFromName

#Confirming admin access
Test-AdminAccess

References
