3. PowerView Enumeration
Usage:
- Get to system.
- Run:
powershell -ep bypass
Import-Module .\PowerView.ps1
Common enumeration:
Domain information:
Get-NetDomain
Users:
#All information:
Get-NetUser
#Only account names:
Get-NetUser | select cn
Groups:
#All information:
Get-NetGroup
#Only account names:
Get-NetGroup | select cn
Last set password + last logon:
Get-NetUser | select cn,pwdlastset,lastlogon
User of group:
Get-NetGroup "Sales Department" | select member
Computer objects in domain:
Get-NetComputer
Domain computers and OS:
Get-NetComputer | select operatingsystem,dnshostname
Local admin privs on other hosts:
Find-LocalAdminAccess
Logged in users on hosts:
Get-NetSession -ComputerName <name> -Verbose
Other tools:
PsLoggedOn:
- Used to try to enumerate logged on users in domain
- May or may not work depending on Remote Registry service working
Usage:
- Get to system.
- Run:
powershell -ep bypass
.\PsLoggedon.exe \\<computername>