CSbyGB - Pentips

Powerview or SharpView (.NET equivalent)


Last updated 2 years ago

  • Download PowerView and put it on the compromised machine

  • From a cmd in the target: powershell -ep bypass

  • Launch Powerview: . .\powerview.ps1

  • Get info on the Domain Controller: Get-NetDomain

  • Check policies: Get-DomainPolicy

  • Policies in System Access: (Get-DomainPolicy)."systemAccess" (e.g. we get the password policy, including the minimum password length, which tells us the minimum size to use if we want to password spray)

  • Info about the users Get-NetUser

  • Get only usernames: Get-NetUser | select cn (e.g.: will output Jessica Jones)

  • Get only sam account name: Get-NetUser | select samaccountname (e.g.: will output jjones)

  • Get only the description: Get-NetUser | select description (e.g.: will output a description if provided by the sysadmin, or a default one)

  • See all the properties a user has: Get-UserProperty

  • Get more details for example password last set: Get-UserProperty -Properties pwdlastset

  • Get more details for example logoncount: Get-UserProperty -Properties logoncount

  • See if users have entered bad passwords: Get-UserProperty -Properties badpwdcount

  • List all the computers in the Domain: Get-NetComputer

  • Same but with much more info: Get-NetComputer -FullData

  • Filter this load of data with specific info: Get-NetComputer -FullData | select OperatingSystem

  • Get info on groups: Get-NetGroup

  • Filter for a specific GroupName: Get-NetGroup -GroupName "Domain Admins"

  • Filter on GroupName with a wildcard: Get-NetGroup -GroupName *admin*

  • Get the members of a specific group: Get-NetGroupMember -GroupName "Domain Admins"

  • Get the SMB shares in the network: Invoke-ShareFinder

  • Get group policies: Get-NetGPO

  • .\SharpView.exe ConvertTo-SID -Name first.last Find SID of a user

  • .\SharpView.exe Convert-ADName -ObjectName SID Find the user matching a SID

  • Get-DomainPolicy View the domain password policy (will show passwordhistorysize)

  • Get-DomainUser first.last | ConvertFrom-UACValue -showall List all UAC values

  • .\SharpView.exe Get-Domain View information about the current domain

  • .\SharpView.exe Get-DomainOU List all OUs

  • .\SharpView.exe Get-DomainUser -KerberosPreauthNotRequired Find ASREPRoastable users

  • Get-DomainComputer Get a listing of domain computers

  • .\SharpView.exe Get-DomainGPO | findstr displayname List all GPO names

  • Get-DomainGPO -ComputerIdentity HOSTNAME List GPOs on a specific host

  • Test-AdminAccess -ComputerName HOSTNAME Test local admin access on a remote host

  • .\SharpView.exe Get-NetShare -ComputerName HOSTNAME Enumerate open shares on a remote computer

  • Find-DomainUserLocation Find machines where domain users are logged in

  • Get-DomainTrust View a list of domain trusts

  • (Get-DomainUser).count Count all domain users

  • .\SharpView.exe Get-DomainUser -Help Get help about a SharpView function

  • Get-DomainUser -Properties samaccountname,description | Where {$_.description -ne $null} Find non-blank user description fields

  • .\SharpView.exe Get-DomainUser -SPN Find users with SPNs set

  • Find-ForeignGroup Find foreign domain users

  • Get-DomainGroup -Properties Name List domain groups

  • .\SharpView.exe Get-DomainGroupMember -Identity 'Help Desk' Get members of a domain group

  • .\SharpView.exe Get-DomainGroup -AdminCount List protected groups

  • .\SharpView.exe Find-ManagedSecurityGroups List managed security groups

  • Get-NetLocalGroup -ComputerName HOST Get local groups on a host

  • .\SharpView.exe Get-NetLocalGroupMember -ComputerName HOSTNAME Get members of a local group

  • .\SharpView.exe Get-DomainComputer -Unconstrained Find computers that allow unconstrained delegation

  • Get-DomainComputer -TrustedToAuth Find computers set with constrained delegation

  • Get-DomainObjectAcl -Identity first.last Enumerate ACLs on a user

  • Find-InterestingDomainAcl Find objects in the domain with modification rights over non built-in objects

  • Get-PathAcl "\\HOSTNAME\Directory" Find the ACLs set on a directory

  • gpresult /r /S HOSTNAME Get a report of all GPOs applied to a host

  • Get-DomainGPO | Get-ObjectAcl Find GPO permissions

  • Get-DomainTrustMapping Enumerate trusts for our domain/reachable domains

  • Get-NetShare -ComputerName COMPUTER List the shares on a computer

  • Get-DomainGPO List all GPOs and related info

  • Get-DomainGPO | select displayname List all GPO names

  • Get-DomainGPO | select displayname,objectguid List GPO names with their GUID

  • Get-NetDomain Similar to the ActiveDirectory module's Get-ADDomain but contains a lot less information. Basic info such as the Forest, the Domain Controllers and the Domain Name is enumerated.

  • Get-NetDomainController list all of the Domain Controllers within the network

  • Get-NetForest similar to Get-ADForest, and provides similar output. It provides all the associated Domains, the root domain, as well as the Domain Controllers for the root domain.

  • Get-NetDomainTrust Similar to Get-ADTrust, with a Select-Object filter applied to it.

Enumerating Users

  • get-netuser will output all the information about the users in the domain

  • get-netuser | select cn will list all users

  • get-netuser | select -expandproperty samaccountname will list the users, but only their samaccountname

  • find-userfield -SearchField description "password" will list the description fields of users, filtered (grep-like) on "password"

Enumerating Groups

  • get-netgroup will list all the different groups in the domain

  • get-netgroup -Username "f.lastname" will show the groups of the user f.lastname

  • get-netgroup -GroupName "domain admins" -FullData will show details of the group

Enumerating Domain Computers and Shares

  • Get-NetComputer -OperatingSystem "*Windows 10*" Get the computers running Windows 10

  • Get-NetComputer -OperatingSystem "*server*" Get the servers

  • Invoke-ShareFinder will list shares

  • Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC will list the shares, excluding the standard, print and IPC shares

Find interesting files

  • Invoke-FileFinder

Enumerate Local Admin Users

  • Invoke-EnumerateLocalAdmin

Enumerating Group Policy Objects

  • get-netgpo

Enumerating Access Control Lists

  • get-objectacl

  • get-objectacl -SamAccountName "name" -ResolveGUIDs

Enumerating the domain

  • get-netdomain

  • Get-DomainPolicy

  • Get-DomainSID useful for golden tickets

Note: If you do not get results with PowerView, you can try this in PowerShell: Import-Module .\PowerView.ps1
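As an added example (not from this page and not part of PowerView), the script below uses the built-in ActiveDirectory module, which the page already compares with Get-NetDomain, to report from the defender's side the same conditions the cheat sheet enumerates: the password policy, description fields that leak passwords, AS-REP roastable users, users with SPNs, AdminCount accounts and delegation settings. It assumes the RSAT ActiveDirectory module is installed and that it runs as a domain user with read access; Get-AdExposureReport is a name chosen here.

```powershell
# Added example, not from the page or from PowerView: audit the conditions the
# cheat sheet enumerates, using the built-in ActiveDirectory (RSAT) module.
# Assumes the module is installed and the running account can read the domain.
Import-Module ActiveDirectory

function Get-AdExposureReport {
    # Same data as (Get-DomainPolicy)."systemAccess": min length, history, lockout
    $policy = Get-ADDefaultDomainPasswordPolicy

    $users = Get-ADUser -Filter * -Properties Description, DoesNotRequirePreAuth,
        ServicePrincipalName, AdminCount, PasswordLastSet, BadPwdCount

    $computers = Get-ADComputer -Filter * -Properties OperatingSystem,
        TrustedForDelegation, TrustedToAuthForDelegation

    [PSCustomObject]@{
        MinPasswordLength = $policy.MinPasswordLength
        LockoutThreshold  = $policy.LockoutThreshold      # 0 means no lockout at all
        PasswordHistory   = $policy.PasswordHistoryCount
        # find-userfield -SearchField description "password"
        DescriptionLeaks  = @($users | Where-Object { $_.Description -match 'pass|pwd' } |
                              Select-Object SamAccountName, Description)
        # Get-DomainUser -KerberosPreauthNotRequired (AS-REP roastable accounts)
        AsRepRoastable    = @($users | Where-Object { $_.DoesNotRequirePreAuth } |
                              Select-Object -ExpandProperty SamAccountName)
        # Get-DomainUser -SPN (service accounts whose tickets can be requested)
        UsersWithSpn      = @($users | Where-Object { $_.ServicePrincipalName.Count -gt 0 } |
                              Select-Object -ExpandProperty SamAccountName)
        # Protected (AdminSDHolder) accounts, the user-side view of Get-DomainGroup -AdminCount
        AdminCountUsers   = @($users | Where-Object { $_.AdminCount -eq 1 } |
                              Select-Object -ExpandProperty SamAccountName)
        # Get-DomainComputer -Unconstrained; DCs are unconstrained by design, so skip their OU
        Unconstrained     = @($computers | Where-Object { $_.TrustedForDelegation } |
                              Where-Object { $_.DistinguishedName -notmatch 'OU=Domain Controllers' } |
                              Select-Object -ExpandProperty Name)
        # Get-DomainComputer -TrustedToAuth (constrained delegation)
        ConstrainedDeleg  = @($computers | Where-Object { $_.TrustedToAuthForDelegation } |
                              Select-Object -ExpandProperty Name)
    }
}

Get-AdExposureReport | Format-List
```

Every non-empty list in the report is something a PowerView run against the domain would also surface, so each entry is a finding to fix or to justify.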

Powerview - Resources

here
PowerView Cheat Sheet