PowerView

First, get PowerView.ps1 onto the compromised host (how you transfer it is up to you).

Next, launch PowerShell with the execution policy bypassed. The execution policy is a scripting safety setting, not a security boundary, so this is trivially done; keep in mind that script block logging (Event ID 4104), where enabled, still records the contents of any script you load:

powershell -ep bypass

Then dot-source PowerView so its functions are loaded into the current session:

. .\PowerView.ps1

The script can retrieve a great deal of information. For example, to get information about the current domain:

Get-NetDomain

or about the domain controllers:

Get-NetDomainController

If you want a particular section of the default domain policy, say the "System Access" section (the password and lockout policy: minimum length, complexity, lockout threshold and window), you can read it directly from the returned hashtable:

(Get-DomainPolicy)."system access"

Look for shares on domain hosts:

Invoke-ShareFinder

List the domain's GPOs:

Get-NetGPO
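The steps above put together as one enumeration run. This is an added example, not code from the original page or from the PowerView project. It assumes PowerView.ps1 sits in the current directory, that the session runs as a domain user, and that the release version of PowerView (the one whose cmdlet names the page uses) is loaded; the output folder `.\enum` is a hypothetical name. The example goes slightly beyond the page by reading the lockout threshold out of the policy before any password spraying is attempted.

```powershell
# Added example (not from the page or PowerView). Assumes PowerView.ps1 is in
# the current directory and the shell was started with: powershell -ep bypass
$Out = ".\enum"   # hypothetical output folder
New-Item -ItemType Directory -Path $Out -Force | Out-Null

# Dot-source PowerView so its functions exist in this session.
. .\PowerView.ps1

# Domain and domain controllers (Get-NetDomainController returns
# System.DirectoryServices.ActiveDirectory.DomainController objects).
Get-NetDomain | Out-File "$Out\domain.txt"
Get-NetDomainController |
    Select-Object Name, IPAddress, OSVersion, Roles |
    Out-File "$Out\dcs.txt"

# Password and lockout policy: the [System Access] section of the default
# domain GPO's GptTmpl.inf, returned by Get-DomainPolicy as a hashtable.
$SystemAccess = (Get-DomainPolicy)."system access"
$SystemAccess | Out-File "$Out\password-policy.txt"

# Practitioner check before spraying: LockoutBadCount 0 means no lockout;
# otherwise stay well under the threshold per ResetLockoutCount window (minutes).
$Threshold = [int]$SystemAccess.LockoutBadCount
if ($Threshold -eq 0) {
    Write-Output "No lockout threshold set: spraying will not lock accounts."
} else {
    Write-Output ("Lockout after {0} bad attempts within {1} minute(s); " +
                  "keep attempts per account below this per window." -f
                  $Threshold, $SystemAccess.ResetLockoutCount)
}

# Shares: -CheckShareAccess keeps only shares the current user can read,
# -ExcludeStandard drops the default admin shares (C$, ADMIN$, ...).
Invoke-ShareFinder -CheckShareAccess -ExcludeStandard | Out-File "$Out\shares.txt"

# GPOs: name, GUID and SYSVOL path of each policy object.
Get-NetGPO |
    Select-Object displayname, name, gpcfilesyspath, whenchanged |
    Out-File "$Out\gpos.txt"

Write-Output "Results written to $Out"
```

If you are using the current development branch of PowerView instead, the cmdlets have been renamed (Get-Domain, Get-DomainController, Get-DomainPolicyData, Find-DomainShare, Get-DomainGPO); the old names used on this page are kept there as aliases, so the script runs unchanged.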

A cheat sheet is available here:
