https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon

Resource

Start

powershell.exe -ExecutionPolicy bypass
Start PowerShell with the execution policy bypassed so unsigned scripts can be loaded. The execution policy is a safety feature, not a security boundary, so this needs no elevation.

. .\PowerView.ps1
Dot-source PowerView so its functions are loaded into the current session (running it as .\PowerView.ps1 would execute it in a child scope and the functions would not persist).

Users and Groups

Get-NetUser
Enumerate users and their properties.

Get-NetUser | select cn
List only the Common Name (cn) of each domain user.

Get-NetUser | select description
List the description attribute of each user. Administrators often leave passwords or hints here.

Get-UserProperty -Properties logoncount
Show the logon count of each user. An account that is never used but looks attractive (privileged-sounding name, password in the description) may be a honeypot.

Get-NetGroupMember -GroupName "Domain Admins"
Enumerate the members of a group, here Domain Admins.

Get-NetGroup -GroupName *admin*
Enumerate all groups whose name contains "admin".

Domain

Get-NetDomain
Information about the current domain (name, forest, domain controllers).

Get-NetDomainController
Information about the domain controllers.

Get-NetComputer
List the computer objects (servers and workstations) in the domain.

Get-DomainPolicy
Show the default domain policy, including the password and Kerberos policy settings.

Get-NetGPO
List GPOs.

Get-NetGPO | select displayname, whenchanged
List GPOs with the time each one was last changed.
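Added example, not part of this cheat sheet or of PowerSploit: a short triage script that strings the commands above together into one pass over the domain. It assumes PowerView.ps1 from the PowerSploit master branch is in the current directory, that the session already runs as a domain user, and that the master-branch parameter and property names apply (Get-NetGroup returns plain group names unless -FullData is given; Get-UserProperty returns the name plus the requested attribute). The keyword list and the 30-day window are arbitrary choices for illustration.

```powershell
# Added example built from the commands on this page (not PowerSploit's own code).
# Assumes: PowerView.ps1 (master branch) in the current directory, a domain-joined
# session, and master-branch parameter/property names.
. .\PowerView.ps1

# Domain and DC overview.
$domain = Get-NetDomain
"[*] Domain: $($domain.Name)  Forest: $($domain.Forest)"
Get-NetDomainController | Select-Object Name, IPAddress, OSVersion | Format-Table -AutoSize

# 1. User descriptions that may leak credentials or hints (arbitrary keyword list).
$keywordPattern = 'pass|pwd|cred|key|temp|default'
"[*] Users with suspicious descriptions"
Get-NetUser |
    Where-Object { $_.description -match $keywordPattern } |
    Select-Object samaccountname, description |
    Format-Table -AutoSize

# 2. Accounts that have never logged on: unused accounts, or honeypots.
#    Get-UserProperty returns the 'name' attribute plus the requested property.
"[*] Users with logoncount 0 (never used; possible honeypot)"
Get-UserProperty -Properties logoncount |
    Where-Object { [int]$_.logoncount -eq 0 } |
    Select-Object name, logoncount |
    Format-Table -AutoSize

# 3. Every group with "admin" in its name and its direct members.
#    Get-NetGroup yields group names as strings, which feed Get-NetGroupMember.
"[*] Admin group membership"
Get-NetGroup -GroupName '*admin*' | ForEach-Object {
    $groupName = $_
    Get-NetGroupMember -GroupName $groupName |
        Select-Object GroupName, MemberName, IsGroup
} | Format-Table -AutoSize

# 4. GPOs changed recently (arbitrary 30-day window): read a fresh edit before acting on it.
$cutoff = (Get-Date).AddDays(-30)
"[*] GPOs changed since $cutoff"
Get-NetGPO |
    Where-Object { $_.whenchanged -gt $cutoff } |
    Sort-Object whenchanged -Descending |
    Select-Object displayname, whenchanged, gpcfilesyspath |
    Format-Table -AutoSize
```

Run it from the bypassed-policy session described under Start. Each block is a separate LDAP query, so on a large domain expect a few minutes and a visible burst of LDAP traffic from your host; on an engagement where stealth matters, run the individual commands selectively instead.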