
Active Directory Enumeration

Using PowerView

Domain Information

PS C:\Users> Get-NetDomain
PS C:\Users> Get-NetDomain -Domain m.local
PS C:\Users> Get-NetDomainSID
PS C:\Users> Get-NetDomainController
PS C:\Users> Get-NetDomainController -Domain m.local
PS C:\Users> Find-UserField -SearchField Description -SearchTerm "pass"

Domain Policy

PS C:\Users> (Get-DomainPolicy)."system access"
PS C:\Users> (Get-DomainPolicy)."Kerberos Policy"

Computer Objects

PS C:\Users> Get-NetComputer
PS C:\Users> Get-NetComputer -FullData

Users Information

PS C:\Users\Administrator\Desktop> Get-NetUser
PS C:\Users\Administrator\Desktop> Get-NetUser | select cn
PS C:\Users\Administrator\Desktop> Get-NetUser -Username Student1
PS C:\Users\Administrator\Desktop> Get-UserProperty
PS C:\Users\Administrator\Desktop> Get-UserProperty -Properties admincount

Groups information

PS C:\Users> Get-NetGroup -FullData
PS C:\Users> Get-NetGroup -GroupName "*admin*"
PS C:\Users> Get-NetGroupMember -GroupName "Domain Admins"
PS C:\Users> Get-NetGPO
PS C:\Users> Get-NetGPO -GPOname "{}"
PS C:\Users> Get-NetGPOGroup   # Restricted Groups
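The user and group queries above can be combined into a hygiene check: accounts with admincount=1 keep that flag (and the protective AdminSDHolder ACL) even after being removed from a protected group, so cross-referencing them against current recursive membership of the privileged groups shows which flagged accounts are actually still privileged. Added example, not part of the original post; it assumes the same PowerView version as the commands above is already dot-sourced, and that Get-NetGroupMember returns objects with MemberName (samaccountname) and IsGroup properties.

```powershell
# Added example: compare accounts carrying admincount=1 with the recursive
# membership of the built-in protected groups. Assumes PowerView is loaded.
$protectedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators',
                     'Account Operators', 'Backup Operators', 'Server Operators',
                     'Print Operators', 'Schema Admins')

# Every user that is currently a (direct or nested) member of a protected group.
$currentlyProtected = foreach ($group in $protectedGroups) {
    Get-NetGroupMember -GroupName $group -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.IsGroup } |
        Select-Object -ExpandProperty MemberName
}
$currentlyProtected = @($currentlyProtected | Sort-Object -Unique)

# Every user object whose admincount attribute is still set to 1.
$flagged = Get-NetUser | Where-Object { $_.admincount -eq 1 }

# Report: StillPrivileged = $false means a stale admincount / AdminSDHolder ACL
# (an account that was privileged once and was never cleaned up).
$report = foreach ($user in $flagged) {
    [pscustomobject]@{
        SamAccountName  = $user.samaccountname
        StillPrivileged = ($currentlyProtected -contains $user.samaccountname)
        Description     = $user.description
    }
}

$report | Sort-Object StillPrivileged, SamAccountName | Format-Table -AutoSize
```

Accounts listed with StillPrivileged = False are the ones to review: their adminCount and inherited ACL no longer match their group membership.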

Organizational units

PS C:\Users> Get-NetOU

Shares

PS C:\Users> Invoke-ShareFinder -Verbose

Sensitive Files

PS C:\Users> Invoke-FileFinder -Verbose

ACL

PS C:\Users> Get-ObjectAcl -SamAccountName fcastle
PS C:\Users> Invoke-ACLScanner   # search for interesting ACEs

Trusts

PS C:\Users> Get-NetDomainTrust
PS C:\Users> Get-NetDomainTrust -Domain corp.local

Forest

PS C:\Users> Get-NetForest
PS C:\Users> Get-NetForest -Forest m.local
PS C:\Users> Get-NetForestDomain   # get all domains in the forest
PS C:\Users> Get-NetForestTrust
PS C:\Users> Get-NetForestCatalog

User Hunting

User hunting is much noisier than the queries above because it contacts every machine in the domain rather than only the DC: it checks whether the current user has local admin access on any other machine.

PS C:\Users> Find-LocalAdminAccess -Verbose
PS C:\Users> Invoke-EnumerateLocalAdmin -Verbose   # needs admin privileges
PS C:\Users> Invoke-UserHunter

Blood Hound

BloodHound is a graphical interface that lets you visually map out the network. It works together with SharpHound, which, much like PowerView, collects the users, groups, trusts, etc. of the domain and writes them into .json files that are then imported into BloodHound.

PS C:\Users\fcastle> powershell -ep bypass
PS C:\Users\fcastle> . .\SharpHound.ps1
PS C:\Users\fcastle> Invoke-BloodHound -CollectionMethod All -Domain Marvel.local -ZipFilename file.zip
------------------------------------------------
Initializing SharpHound at 5:45 AM on 11/15/2020
------------------------------------------------

Resolved Collection Methods: Group, Sessions, LoggedOn, Trusts, ACL, ObjectProps, LocalGroups, SPNTargets, Container

[+] Creating Schema map for domain MARVEL.LOCAL using path CN=Schema,CN=Configuration,DC=MARVEL,DC=LOCAL

[+] Cache File Found! Loaded 100 Objects in cache

[+] Pre-populating Domain Controller SIDS

Status:  0 objects finished (+0)  -- Using 82 MB RAM
Status:  64 objects finished (+64  64)/s -- Using 84 MB RAM
Enumeration finished in 00:00:01.7307250
Compressing data to C:\Users\fcastle\20201115054520_file.zip
You can upload this file directly to the UI
SharpHound Enumeration Completed at 5:45 AM on 11/15/2020! Happy Graphing!

After importing the collected files into BloodHound, you can map the whole Active Directory in a graphical view.

This post is licensed under CC BY 4.0 by the author.