Powershell Enum of Active Directory (Part 2)

Get a list of computers in the current domain:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetComputer

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetComputer -OperatingSystem "*"

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetComputer -Ping

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetComputer -FullData

AD module:

PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master> Get-ADComputer -Filter * | select Name


PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master> Get-ADComputer -Filter * -Properties *


Domain enumeration:

Get all the groups in the current domain:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> get-netgroup

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetGroup -Domain security.local

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetGroup -FullData

AD module:

PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master> Get-ADGroup -filter * | select name

PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master> Get-ADGroup -filter * -Properties *

Get all groups containing the word "admin" in the group name:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetGroup *admin*

PS C:\Users\victim.SECURITY\Downloads\ADModule-master\ADModule-master> Get-ADGroup -Filter 'Name -like "*admin*"' | select name

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetGroup 'Domain Admins'

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetGroup 'Domain Admins' -FullData

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetGroup -GroupName *admin*

Get all members of the Domain Admins group (including nested groups):

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetGroupMember -GroupName "domain admins" -Recurse

Get the group membership of a user:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetGroup -UserName "administrator"

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetGroupMember -GroupName 'enterprise admins'

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetGroupMember -GroupName 'administrators'

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetGroupMember -GroupName 'administrators' -Recurse
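The recursive membership lookups above are the same data a defender should review regularly. The following is an added example, not part of the original post or of PowerView, that turns them into a privileged-group audit with the ActiveDirectory module: it expands nested membership of Domain Admins, Enterprise Admins and Administrators (as Get-NetGroupMember -Recurse does) and flags stale, disabled, never-expiring or non-user members. It assumes the ActiveDirectory module (RSAT) is installed and the caller has read access to the domain; the group names and thresholds are defaults you can override.

```powershell
# Added example (not from the original post): audit effective membership of the
# privileged groups enumerated above with the ActiveDirectory module, expanding
# nested groups (as Get-NetGroupMember -Recurse does) and flagging hygiene issues.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-PrivilegedMemberReport {
    param(
        # Built-in privileged groups by default; add your own tier-0 groups here.
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Administrators'),
        [int]$StalePasswordDays = 365,
        [int]$StaleLogonDays = 90
    )
    $now = Get-Date
    foreach ($group in $Groups) {
        # -Recursive expands nested groups and returns only leaf principals.
        $members = Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            $findings = @()
            $u = $null
            if ($m.objectClass -eq 'user') {
                $u = Get-ADUser -Identity $m.distinguishedName `
                    -Properties Enabled, PasswordLastSet, PasswordNeverExpires, LastLogonDate
                if ($u.PasswordNeverExpires) { $findings += 'PasswordNeverExpires' }
                if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $now.AddDays(-$StalePasswordDays)) {
                    $findings += "PasswordOlderThan${StalePasswordDays}d"
                }
                if ($u.LastLogonDate -and $u.LastLogonDate -lt $now.AddDays(-$StaleLogonDays)) {
                    $findings += "NoLogonIn${StaleLogonDays}d"
                }
                if (-not $u.Enabled) { $findings += 'Disabled' }
            } else {
                # Computer accounts or foreign security principals rarely belong here.
                $findings += 'NonUserPrincipal'
            }
            # Property access on $null yields $null for non-user members (no strict mode).
            [pscustomobject]@{
                Group           = $group
                Member          = $m.SamAccountName
                ObjectClass     = $m.objectClass
                Enabled         = $u.Enabled
                PasswordLastSet = $u.PasswordLastSet
                LastLogonDate   = $u.LastLogonDate
                Findings        = ($findings -join ';')
            }
        }
    }
}

Get-PrivilegedMemberReport | Sort-Object Group, Member | Format-Table -AutoSize
```

Any row with a non-empty Findings column is a candidate for removal from the group or for a follow-up on why the account is still privileged.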

Get all file servers of the domain:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetFileServer

Find sensitive files on computers in the domain:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Invoke-FileFinder -Verbose

Find shares on hosts in the current domain:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Invoke-ShareFinder -Verbose

List all local groups on a machine (needs administrator privileges on non-DC machines):

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetLocalGroup -ComputerName DESKTOP-EL1JRUA.security.local -ListGroups

Get members of all the local groups on a machine:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetLocalGroup -ComputerName DESKTOP-EL1JRUA.security.local -Recurse

Get actively logged-on users on a computer:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-NetLoggedon -ComputerName DESKTOP-EL1JRUA.security.local

Get the last logged-on user on a computer:

PS C:\Users\victim.SECURITY\Downloads\PowerTools-master\PowerTools-master\PowerView> Get-LastLoggedOn -ComputerName DESKTOP-EL1JRUA.security.local