This page is a working reference for Active Directory domain enumeration with PowerView, the PowerSploit recon module. The commands are grouped by what you want to learn: the domain itself and its policy, users, computers, groups and nested group membership, local groups and logged-on users on individual hosts, and file shares.
Almost everything here is a plain LDAP read that any authenticated domain user can perform, which is why this phase of an assessment is so quiet; the exceptions are the per-host queries (local groups, logged-on users, last logged-on user), which need local administrator rights or the Remote Registry service on the target and are marked as such beside each command.
The examples use the lab domains moneycorp.local and dollarcorp.moneycorp.local and the user student1; substitute your own domain, host and account names. The function names are those of the older PowerView (Get-NetDomain, Get-NetUser, Get-NetGroup and so on); the rewritten PowerView keeps many of them as aliases, but some parameter names differ.
Each heading below states what the command returns and, where it matters, what access it needs on the target.
Get current domain
Get-NetDomain
Get the domain object for another domain
Get-NetDomain -Domain moneycorp.local
Get domain SID for the current domain
Get-DomainSID
Get domain policy for the current domain
Get-DomainPolicy
(Get-DomainPolicy)."system access"
Get domain policy for another domain
(Get-DomainPolicy -Domain moneycorp.local)."system access"
(Get-DomainPolicy -Domain moneycorp.local)."kerberos policy"
(Get-DomainPolicy -Domain moneycorp.local)."Privilege Rights"
# The rewritten PowerView (Get-DomainPolicyData, aliased to Get-DomainPolicy) drops the spaces from the section names:
(Get-DomainPolicy)."KerberosPolicy"   # Kerberos ticket lifetimes (MaxTicketAge, MaxServiceAge)
(Get-DomainPolicy)."SystemAccess"     # Password and lockout policy
(Get-DomainPolicy).PrivilegeRights    # User rights assignments: which SIDs hold which privileges
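The policy sections above are only useful once you know what to look for in them. The following is an added example, not code from the original page or from PowerView itself: it reads the policy with Get-DomainPolicy, tolerates both the spaced section names of the older PowerView and the unspaced ones of the rewrite, and flags the settings an attacker cares about. The thresholds (12-character minimum, 10 hour TGT, 600 minute service ticket) are this example's assumptions, and the function names Get-PolicySection, Get-PolicyValue and Test-DomainPolicy are invented here.

```powershell
# Added example: assumes PowerView.ps1 is dot-sourced and SYSVOL is readable.
function Get-PolicySection {
    param([Parameter(Mandatory)] $Policy, [Parameter(Mandatory)][string] $Name)
    # Older PowerView keys the hashtable "System Access"; the rewrite exposes a property "SystemAccess".
    foreach ($key in @($Name, ($Name -replace ' ', ''))) {
        $section = $Policy.$key
        if ($section) { return $section }
    }
}

function Get-PolicyValue {
    param($Section, [string] $Name)
    # Older PowerView stores each value as a one-element array, the rewrite as a string; take the first either way.
    $v = @($Section.$Name)[0]
    if ($null -eq $v) { return $null }
    return [string]$v
}

function Test-DomainPolicy {
    param([string] $Domain)

    $policy = if ($Domain) { Get-DomainPolicy -Domain $Domain } else { Get-DomainPolicy }
    $access = Get-PolicySection -Policy $policy -Name 'System Access'
    $kerb   = Get-PolicySection -Policy $policy -Name 'Kerberos Policy'
    if (-not $access -or -not $kerb) {
        Write-Warning 'Could not read the System Access / Kerberos Policy sections; check SYSVOL access.'
        return
    }

    # Assumed thresholds for this example; tune them to the engagement.
    $checks = @(
        @{ Section = $access; Name = 'MinimumPasswordLength'; Bad = { param($v) [int]$v -lt 12 };  Why = 'short passwords, cheap to crack' }
        @{ Section = $access; Name = 'LockoutBadCount';       Bad = { param($v) [int]$v -eq 0 };   Why = 'no lockout, password spraying is unconstrained' }
        @{ Section = $access; Name = 'ClearTextPassword';     Bad = { param($v) [int]$v -eq 1 };   Why = 'reversible encryption, plaintext recoverable from the DIT' }
        @{ Section = $kerb;   Name = 'MaxTicketAge';          Bad = { param($v) [int]$v -gt 10 };  Why = 'TGTs outlive the 10 hour default' }
        @{ Section = $kerb;   Name = 'MaxServiceAge';         Bad = { param($v) [int]$v -gt 600 }; Why = 'service tickets outlive the 600 minute default' }
    )

    $findings = @()
    foreach ($c in $checks) {
        $v = Get-PolicyValue -Section $c.Section -Name $c.Name
        # A missing key is reported as null and skipped rather than treated as 0.
        if ($null -ne $v -and (& $c.Bad $v)) { $findings += "$($c.Name)=$v : $($c.Why)" }
    }

    [pscustomobject]@{
        Domain                = if ($Domain) { $Domain } else { (Get-NetDomain).Name }
        MinimumPasswordLength = Get-PolicyValue -Section $access -Name 'MinimumPasswordLength'
        LockoutBadCount       = Get-PolicyValue -Section $access -Name 'LockoutBadCount'
        MaxTicketAge          = Get-PolicyValue -Section $kerb   -Name 'MaxTicketAge'
        MaxServiceAge         = Get-PolicyValue -Section $kerb   -Name 'MaxServiceAge'
        Findings              = $findings
    }
}

Test-DomainPolicy
Test-DomainPolicy -Domain moneycorp.local
```

One caveat on what this shows: Get-DomainPolicy parses the GptTmpl.inf of the Default Domain Policy, so it reflects only that GPO. Fine-grained password policies (password settings objects) override these values for the users they apply to and do not appear here, so a weak-looking domain policy does not guarantee the accounts you care about are actually subject to it.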
Get domain controllers for the current domain
Get-NetDomainController
Get domain controllers for another domain
Get-NetDomainController -Domain moneycorp.local
Get a list of users in the current domain
Get-NetUser
Get-NetUser -Username student1
List the properties available on user objects in the current domain, and pull selected ones for every user
Get-UserProperty
Get-UserProperty -Properties pwdlastset,logoncount,badpwdcount
Get-UserProperty -Properties logoncount   # very low counts can indicate unused or decoy accounts
Get-UserProperty -Properties badpwdcount  # recent failures hint at spraying or lockout-sensitive accounts
Search for a particular string in a user’s attributes
Find-UserField -SearchField Description -SearchTerm "built"
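Find-UserField does a substring search on one attribute at a time. The following is an added example, not code from the original page or from PowerView: it runs one sweep over Get-NetUser output and reports accounts whose description looks like it holds a credential (a regular expression instead of a single term) or whose password is stale or has never been set. The function name Find-InterestingUser, the pattern and the 365-day cutoff are this example's assumptions; the attribute names (description, pwdlastset, samaccountname, useraccountcontrol) are the LDAP names PowerView returns.

```powershell
# Added example: assumes the older PowerView (Get-NetUser) is dot-sourced.
function Find-InterestingUser {
    param(
        [int]    $StalePasswordDays = 365,   # assumed cutoff for this example
        [string] $Domain,
        [switch] $IncludeDisabled
    )
    $domArgs = @{}
    if ($Domain) { $domArgs['Domain'] = $Domain }
    $cutoff = (Get-Date).AddDays(-$StalePasswordDays)
    # Assumed pattern: words that tend to appear when a credential is parked in a description field.
    $secretPattern = 'pass|pwd|cred|secret|temp'

    foreach ($u in (Get-NetUser @domArgs)) {
        # Bit 2 of userAccountControl is ACCOUNTDISABLE; skip those unless asked for.
        $uac = $u.useraccountcontrol -as [int]
        if (-not $IncludeDisabled -and ($uac -band 2)) { continue }

        $reasons = @()
        $desc = [string]$u.description
        if ($desc -match $secretPattern) {
            $reasons += "description mentions '$($Matches[0])'"
        }

        # PowerView converts pwdlastset to a DateTime; 1601-01-01 is the FILETIME zero,
        # meaning the password was never set or must be changed at next logon.
        $set = $u.pwdlastset
        if ($set -is [datetime]) {
            if ($set.Year -le 1601)  { $reasons += 'password never set' }
            elseif ($set -lt $cutoff) { $reasons += "password unchanged since $($set.ToString('yyyy-MM-dd'))" }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $u.samaccountname
                Description    = $desc
                PwdLastSet     = $set
                Reasons        = ($reasons -join '; ')
            }
        }
    }
}

Find-InterestingUser | Format-Table -AutoSize
```

Because this is one LDAP search followed by local filtering, it costs the same on the wire as a bare Get-NetUser; the extra checks happen on the operator's machine, not against the domain controller.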
Get a list of computers in the current domain
Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -Ping       # only hosts that answer a ping
Get-NetComputer -FullData
Get all the groups in the current domain
Get-NetGroup
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData
Get all groups containing the word "admin" in the group name
Get-NetGroup *admin*
Get-NetGroup -GroupName *admin*
Get-NetGroup *admin* -FullData
Get-NetGroup -GroupName *admin* -Domain moneycorp.local
Get all the members of the Domain Admins group
Get-NetGroupMember -GroupName "Domain Admins" -Recurse   # -Recurse expands nested groups
# -FullData returns the member objects themselves instead of the name/SID summary
Get-NetGroupMember -GroupName "Domain Admins" -FullData | Select-Object distinguishedname,samaccountname,objectclass
Get the group membership for a user
Get-NetGroup -UserName "student1"
List all the local groups on a machine (needs local administrator rights on non-DC machines)
Get-NetLocalGroup -ComputerName dcorp-dc.dollarcorp.moneycorp.local -ListGroups
Get members of all the local groups on a machine (needs local administrator rights on non-DC machines)
Get-NetLocalGroup -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Recurse
Get users currently logged on to a computer (needs local administrator rights on the target)
Get-NetLoggedon -ComputerName dcorp-dc.dollarcorp.moneycorp.local
Get locally logged-on users on a computer (needs the Remote Registry service on the target, which is started by default on server OS)
Get-LoggedonLocal -ComputerName dcorp-dc.dollarcorp.moneycorp.local
Get the last logged-on user on a computer (needs administrative rights and the Remote Registry service on the target)
Get-LastLoggedon -ComputerName <servername>
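The group-membership and logged-on-user commands above are usually chained by hand: resolve the privileged group, then ask each live host who is logged on and look for a match. The following is an added example, not code from the original page or from PowerView, that does exactly that with the older PowerView functions (Get-NetGroupMember, Get-NetComputer, Get-NetLoggedon). The function name Find-GroupMemberLogon is invented here; it assumes PowerView is dot-sourced and that the caller is local administrator on the targets, since Get-NetLoggedon needs that.

```powershell
# Added example: assumes the older PowerView is dot-sourced and local admin on the targets.
function Find-GroupMemberLogon {
    param(
        [string] $GroupName = 'Domain Admins',
        [string] $Domain
    )
    $domArgs = @{}
    if ($Domain) { $domArgs['Domain'] = $Domain }

    # -Recurse flattens nested groups; keep only user accounts, lower-cased for matching.
    $members = Get-NetGroupMember -GroupName $GroupName -Recurse @domArgs |
        Where-Object { -not $_.IsGroup -and $_.MemberName } |
        ForEach-Object { ([string]$_.MemberName).ToLower() } |
        Sort-Object -Unique
    if (-not $members) {
        Write-Warning "No user members resolved for '$GroupName'"
        return
    }

    # -Ping keeps only hosts that answer, so we do not wait on dead machines.
    foreach ($computer in (Get-NetComputer -Ping @domArgs)) {
        $hits = Get-NetLoggedon -ComputerName $computer | ForEach-Object {
            $user = ([string]$_.wkui1_username).ToLower()
            # Machine accounts end in '$' and are never what we are hunting for.
            if ($user -and -not $user.EndsWith('$') -and ($members -contains $user)) {
                [pscustomobject]@{
                    ComputerName = $computer
                    UserName     = $user
                    LogonDomain  = $_.wkui1_logon_domain
                    Group        = $GroupName
                }
            }
        }
        # One row per (host, user); the same user often has several sessions on one box.
        $hits | Sort-Object ComputerName, UserName -Unique
    }
}

Find-GroupMemberLogon
Find-GroupMemberLogon -GroupName 'Enterprise Admins' -Domain moneycorp.local
```

Two things to keep in mind when reading the output. In this PowerView version Get-NetLoggedon reports access-denied on the verbose stream rather than throwing, so a host with no rows is ambiguous (nobody logged on, or no rights to ask) unless you run with -Verbose. And unlike the LDAP queries elsewhere on this page, this touches every live computer over SMB/RPC, which is exactly the kind of fan-out that host-based and network detections look for; scope the computer list before running it.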
Find shares on hosts in the current domain
Invoke-ShareFinder -Verbose
Find sensitive files on computers in the domain
Invoke-FileFinder -Verbose
Get all file servers in the domain (hosts referenced in users' home directory, profile or script paths)
Get-NetFileServer