PowerView
First, PowerView.ps1 needs to be on the compromised host (how you transfer it is up to you).
Next, launch PowerShell with the execution policy bypassed. Note that the execution policy only guards against running scripts by accident and is not a security boundary; the bypass flag on the command line is, however, visible in process-creation logging (event 4688 or Sysmon event 1) and is a common detection signature:
powershell -ep bypass
Then dot-source the script so that its functions are loaded into the current session:
. .\PowerView.ps1
The script exposes a large number of enumeration functions. For example, to get information about the current domain:
Get-NetDomain
or about the domain controllers:
Get-NetDomainController
To read a particular section of the domain policy (here, the "System Access" section, which holds settings such as the minimum password length and the lockout threshold):
(Get-DomainPolicy)."system access"
To search for accessible shares on hosts in the domain:
Invoke-ShareFinder
To list the Group Policy Objects in the domain:
Get-NetGPO
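From the defender's side, the sequence above (a bypass flag on the PowerShell command line, a dot-sourced PowerView.ps1, then AD enumeration cmdlets) is what shows up in process-creation (4688) and PowerShell script-block (4104) logs. The following is an added example, not part of this page or of PowerView, that runs simple indicator matching over constructed sample events and groups the hits per host; the event shapes, host names and indicator labels are assumptions.

```python
import re

# Constructed sample events (not real telemetry): Windows 4688 process-creation
# command lines and 4104 PowerShell script-block text, as a SIEM might forward them.
SAMPLE_EVENTS = [
    {"id": 4688, "host": "WS01", "text": "powershell -ep bypass"},
    {"id": 4104, "host": "WS01", "text": ". .\\PowerView.ps1"},
    {"id": 4104, "host": "WS01", "text": "Get-NetDomain"},
    {"id": 4104, "host": "WS01", "text": '(Get-DomainPolicy)."system access"'},
    {"id": 4104, "host": "WS01", "text": "Invoke-ShareFinder"},
    {"id": 4688, "host": "WS02", "text": "powershell -File backup.ps1"},
    {"id": 4104, "host": "WS02", "text": "Get-ChildItem C:\\Backups"},
]

# Function names used on this page; a fuller PowerView cmdlet list can extend this set.
POWERVIEW_CMDLETS = {"Get-NetDomain", "Get-NetDomainController", "Get-DomainPolicy",
                     "Invoke-ShareFinder", "Get-NetGPO"}

# "-ep bypass" and the long form "-ExecutionPolicy Bypass", case-insensitive.
EXEC_POLICY_BYPASS = re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.IGNORECASE)
# Dot-sourcing of a file named PowerView.ps1 from any path.
DOT_SOURCE_POWERVIEW = re.compile(r"^\s*\.\s+\S*PowerView\.ps1", re.IGNORECASE)
# Verb-Noun tokens; only those in POWERVIEW_CMDLETS are reported.
CMDLET_TOKEN = re.compile(r"\b(?:Get|Invoke)-[A-Za-z]+\b")


def classify(event):
    """Return the list of indicator labels for one event (empty if nothing matched)."""
    text, hits = event["text"], []
    if event["id"] == 4688 and EXEC_POLICY_BYPASS.search(text):
        hits.append("execution-policy-bypass")
    if event["id"] == 4104:
        if DOT_SOURCE_POWERVIEW.search(text):
            hits.append("powerview-loaded")
        hits += [f"powerview-cmdlet:{c}" for c in CMDLET_TOKEN.findall(text)
                 if c in POWERVIEW_CMDLETS]
    return hits


def score_hosts(events):
    """Group indicators by host so that bypass + load + enumeration on one machine stands out."""
    per_host = {}
    for ev in events:
        for hit in classify(ev):
            per_host.setdefault(ev["host"], []).append(hit)
    return per_host


if __name__ == "__main__":
    for host, hits in score_hosts(SAMPLE_EVENTS).items():
        print(host, hits)
```

Script-block logging must be enabled for the 4104 matches to exist; with only process-creation logging, the bypass flag is the sole indicator this example can see.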
A cheat sheet is available here :