Dive into our comprehensive guide that discusses ‘Domain Enumeration using PowerView’, an essential process in the field of cybersecurity. Understand its core tenets, why it matters, the potential risks, and how to effectively use it to secure your online assets.

Learn from the experts as we dissect how Domain Enumeration can expose vulnerabilities, contribute to risk management, and bolster your organization’s cyber defenses.

Whether you’re a cybersecurity professional or a beginner, this blog post offers a wealth of knowledge on the intricacies and best practices of Domain Enumeration.

Stay informed and ahead of the cyber threats lurking on the internet with our deep-dive into Domain Enumeration.

Basic Domain Enumeration using PowerView

Get current domain

Get-NetDomain

Get object of another domain

Get-NetDomain -Domain moneycorp.local

Get domain SID for the current domain

Get-DomainSID

Get domain policy for the current domain

Get-DomainPolicy
(Get-DomainPolicy)."system access"

Get domain policy for another domain

(Get-DomainPolicy -domain moneycorp.local)."system access"
(Get-DomainPolicy -domain moneycorp.local)."kerberos policy"
(Get-DomainPolicy -domain moneycorp.local)."Privilege Rights"
# OR (newer PowerView builds expose the same sections without spaces in the name)
(Get-DomainPolicy)."KerberosPolicy" # Kerberos ticket settings (e.g. MaxServiceAge)
(Get-DomainPolicy)."SystemAccess"   # Password and lockout policy
(Get-DomainPolicy).PrivilegeRights  # User rights assignments (check which apply to you)
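The policy sections above are just strings in a GptTmpl.inf, so they are easy to compare against a baseline. The following is an added example (not from the original post and not part of PowerView) that reads the "System Access" and "Kerberos Policy" sections returned by Get-DomainPolicy and reports which settings fall below an assumed hardening baseline; it assumes PowerView is already dot-sourced in the session, tries both the spaced and unspaced section names shown above, and the thresholds are assumptions to adjust to your own standard.

```powershell
# Added example, not part of the original post or of PowerView itself.
# Assumes PowerView is loaded and Get-DomainPolicy returns the sections shown above
# (older builds: "system access" / "kerberos policy"; newer: "SystemAccess" / "KerberosPolicy").
# Baseline thresholds below are assumptions; adjust them to your own policy.

function Get-PolicySection {
    param($Policy, [string[]]$Names)
    # Return the first section that exists under any of the candidate names.
    foreach ($n in $Names) { if ($Policy.$n) { return $Policy.$n } }
}

function Test-DomainPolicyBaseline {
    param([string]$Domain)

    $policy = if ($Domain) { Get-DomainPolicy -Domain $Domain } else { Get-DomainPolicy }
    $sys = Get-PolicySection $policy @('system access', 'SystemAccess')
    $krb = Get-PolicySection $policy @('kerberos policy', 'KerberosPolicy')

    # Each check: setting name, value found, assumed baseline, pass/fail.
    # GptTmpl.inf values come back as strings, hence the [int] casts.
    # MaxServiceAge is in minutes, MaxTicketAge in hours (the AD defaults are 600 and 10).
    $checks = @(
        @{ Name = 'MinimumPasswordLength'; Value = $sys.MinimumPasswordLength; Ok = [int]$sys.MinimumPasswordLength -ge 14; Baseline = '>= 14' }
        @{ Name = 'PasswordComplexity';    Value = $sys.PasswordComplexity;    Ok = [int]$sys.PasswordComplexity -eq 1;     Baseline = '= 1 (enabled)' }
        @{ Name = 'PasswordHistorySize';   Value = $sys.PasswordHistorySize;   Ok = [int]$sys.PasswordHistorySize -ge 24;   Baseline = '>= 24' }
        @{ Name = 'LockoutBadCount';       Value = $sys.LockoutBadCount;       Ok = [int]$sys.LockoutBadCount -gt 0;        Baseline = '> 0 (lockout enabled)' }
        @{ Name = 'ClearTextPassword';     Value = $sys.ClearTextPassword;     Ok = [int]$sys.ClearTextPassword -eq 0;      Baseline = '= 0 (no reversible encryption)' }
        @{ Name = 'MaxServiceAge';         Value = $krb.MaxServiceAge;         Ok = [int]$krb.MaxServiceAge -le 600;        Baseline = '<= 600 minutes' }
        @{ Name = 'MaxTicketAge';          Value = $krb.MaxTicketAge;          Ok = [int]$krb.MaxTicketAge -le 10;          Baseline = '<= 10 hours' }
    )

    foreach ($c in $checks) {
        [pscustomobject]@{
            Setting  = $c.Name
            Value    = $c.Value
            Baseline = $c.Baseline
            Result   = if ($c.Ok) { 'PASS' } else { 'FAIL' }
        }
    }
}

# Usage: the FAIL rows are the settings to raise with the domain owners.
Test-DomainPolicyBaseline | Where-Object Result -eq 'FAIL' | Format-Table -AutoSize
```

Pass `-Domain moneycorp.local` to Test-DomainPolicyBaseline to audit another domain the same way the page does with Get-DomainPolicy -domain.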

Get domain controllers for the current domain

Get-NetDomainController

Get domain controllers for another domain

Get-NetDomainController -Domain moneycorp.local

Get a list of users in the current domain

Get-NetUser
Get-NetUser -Username student1

Get list of all properties for users in the current domain

Get-UserProperty
Get-UserProperty -Properties pwdlastset,logoncount,badpwdcount
Get-UserProperty -Properties logoncount
Get-UserProperty -Properties badpwdcount

Search for a particular string in a user’s attributes

Find-UserField -SearchField Description -SearchTerm "built"

Get a list of computers in the current domain

Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -Ping
Get-NetComputer -FullData

Get all the groups in the current domain

Get-NetGroup
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData
Get-NetGroup -Domain moneycorp.local

Get all groups containing the word “admin” in group name

Get-NetGroup *admin*
Get-NetGroup -GroupName *admin*
Get-NetGroup *admin* -FullData
Get-NetGroup -GroupName *admin* -Domain moneycorp.local

Get all the members of the Domain Admins group

Get-NetGroupMember -GroupName "Domain Admins" -Recurse
# The following variant is untested; verify it before relying on it:
#Get-NetGroupMember -GroupName "Domain Admins" -Properties * | select DistinguishedName,GroupCategory,GroupScope,Name,Members

Get the group membership for a user

Get-NetGroup -UserName "student1"

List all the local groups on a machine (needs administrator privileges on non-DC machines)

Get-NetLocalGroup -ComputerName dcorp-dc.dollarcorp.moneycorp.local -ListGroups

Get members of all the local groups on a machine (needs administrator privileges on non-DC machines)

Get-NetLocalGroup -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Recurse

Get actively logged users on a computer (needs local admin rights on the target)

Get-NetLoggedon -ComputerName dcorp-dc.dollarcorp.moneycorp.local

Get locally logged-on users on a computer (needs the Remote Registry service on the target, which is started by default on server OSes)

Get-LoggedonLocal -ComputerName dcorp-dc.dollarcorp.moneycorp.local

Get the last logged-on user on a computer (needs administrative rights and the Remote Registry service on the target)

Get-LastLoggedon -ComputerName <servername>

Find shares on hosts in the current domain

Invoke-ShareFinder -Verbose

Find sensitive files on computers in the domain

Invoke-FileFinder -Verbose

Get all file servers of the domain

Get-NetFileServer