Enumerating Active Directory with Powerview
In this blog post, we will practice enumerating the Active Directory using the Powershell PowerView module.
Net Command utilities
First, let’s remember some examples of helpful commands:
net view /domain: This command displays a list of all hosts in the specified domain.
net user /domain: Displays a list of users.
net accounts /domain: Displays the password policy.
net group /domain: Displays a list of domain groups.
net group "Domain Admins" /domain: Lists people in the group.
net share: Displays the current number of SMB units.
net session: This is used to examine SMB sessions.
Because net commands are incorporated into every Windows machine, understanding how to utilize them may be a valuable tool for testing Windows devices.
Querying Active Directory groups using PowerView
PowerView is an extremely useful PowerShell tool for obtaining precise information on an organization’s Active Directory domain and forest.
To utilize PowerView on our local machine, we first move the directory to where the PowerView module is located and disable PowerShell Execution Policy. The third command is then used to allow the use of PowerView with Powershell.
` powershell -ExecutionPolicy bypass`
To retrieve information about your current domain run this command:
In the following image, we get the forest and domain controller hostname.
We can also get the list of the domain policies of the defined domain with this command:
This command shows all operating systems on the domain.
Get-NetComputer -fulldata | select operatingsystem
We can get a list of all users on the domain with this command:
Get-NetUser | select cn
To retrieve the Security Identifier (SID) of the current domain, use the following command:
To easily retrieve the identity of the domain controller on the current domain, use the following command:
As shown in the following snippet, we got specific details about the domain controller such as its operating system, hostname, and IP addresses.
To get a list of all the users on the current domain, use the following command:
As shown in the following screenshot, we listed all user names which has a lowercase e in their username.
To list all domain computer accounts on the current domain, use the following command:
To list all the groups within the current domain, use the following command:
As shown in the following screenshot, all the groups, and their details were retrieved:
To get a list of all the GPOs from the current domain, use the following command:
To get specific details about the current forest, use the following command:
Get-NetForest. As shown in the following screenshot, we got information about the forest :
Looking to expand your knowledge of penetration testing? Check out our online course, MPT - Certified Penetration Tester