
PowerShell For Enumeration

PowerShell is a task automation framework consisting of a command-line shell and scripting language, built on the .NET framework, used for system management and automation.

PowerShell tools like SharpHound, PowerView, and SharpView are used for Active Directory enumeration, identifying attack paths, group memberships, and trust relationships. These tools leverage PowerShell scripting to automate the discovery of users, groups, permissions, and potential vulnerabilities in AD environments.


ActiveDirectory PowerShell Module

The ActiveDirectory PowerShell Module is a set of cmdlets used for managing and automating Active Directory tasks. It allows administrators to query, modify, and manage Active Directory objects and services efficiently through PowerShell.

# Import the ActiveDirectory module (if not already loaded)
Import-Module ActiveDirectory

# List all loaded modules
Get-Module

# Domain Information Lookup
Get-ADDomain # Retrieves details about the AD domain

# Identifying Users Vulnerable to Kerberoasting (users with SPNs set)
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

# Checking for Trust Relationships in the domain
Get-ADTrust -Filter * # Lists all trust relationships

# Enumerating All Groups in the Domain
Get-ADGroup -Filter * | select name # Lists all groups

# Enumerating a Specific Group (Example: "Computer Faculty")
Get-ADGroup -Identity "Computer Faculty" # Retrieves group details for "Computer Faculty"

# Listing the Members of the "Computer Faculty" Group
Get-ADGroupMember -Identity "Computer Faculty" # Lists members of the specified group

# Retrieving User Details by Username
Get-ADUser -Identity "rezydev" # Retrieves details for a specific user

# Retrieving Group Memberships of a User (Get-ADUserMembership does not exist; the cmdlet is Get-ADPrincipalGroupMembership)
Get-ADPrincipalGroupMembership -Identity "rezydev" # Lists all groups the user is a direct member of

# Retrieving All User Accounts in the Domain
Get-ADUser -Filter * # Lists all user accounts

# Retrieve Active Directory Computers (Servers/Workstations)
Get-ADComputer -Filter * # Lists all computers in the domain

# Retrieving Computer Account Details
Get-ADComputer -Identity "ComputerName" # Retrieves details for a specific computer account

# Finding Out the Domain Controllers
Get-ADDomainController -Filter * # Lists all domain controllers in the domain

# Retrieving Organizational Units (OUs)
Get-ADOrganizationalUnit -Filter * # Lists all OUs in the domain

# Searching for Specific User Attributes (e.g., Display Name)
Get-ADUser -Filter {DisplayName -like "*John*"} # Search for users with "John" in their display name

# Searching for Groups by Name Pattern
Get-ADGroup -Filter {Name -like "*Admin*"} # Finds groups with "Admin" in the group name

# Exporting AD User Information to CSV
Get-ADUser -Filter * | Export-Csv -Path "ADUsers.csv" -NoTypeInformation # Exports user data to CSV

# Retrieving Service Accounts with SPNs
Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName # Finds service accounts (vulnerable to Kerberoasting)

# Enumerating All Group Members (Including Nested Groups)
Get-ADGroupMember -Identity "GroupName" -Recursive # Retrieves all members, including nested groups

# Checking if a User is a Member of a Specific Group (direct membership; returns the group object on a match, nothing otherwise)
Get-ADPrincipalGroupMembership -Identity "rezydev" | Where-Object { $_.Name -eq "GroupName" } # Filters the user's groups down to the one of interest
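The single-line lookups above answer one question each. The following script is an added example (it is not code from the original page or from the ActiveDirectory module documentation) that turns the Kerberoasting check into a small audit: it pulls every user account carrying an SPN, then reports which ones only support RC4, have stale passwords, or are privileged, which is the information a defender needs to decide what to remediate first. It requires the ActiveDirectory module and read access to the domain; the `$MaxPasswordAgeDays` threshold and the output file name are assumptions.

```powershell
# Added example, not from the original page: audit SPN-bearing user accounts
# for Kerberoasting exposure. Requires the ActiveDirectory module and domain
# read access. The rotation threshold is an assumption; adjust it to policy.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 365   # assumption: service account password rotation policy

# Same population the page's one-liner returns: user objects with at least one SPN
$spnUsers = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
    -Properties ServicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', AdminCount, Enabled

$report = foreach ($u in $spnUsers) {
    # krbtgt carries an SPN by design and is handled separately from service accounts
    if ($u.SamAccountName -eq 'krbtgt') { continue }

    # msDS-SupportedEncryptionTypes: bit 0x8 = AES128, 0x10 = AES256.
    # A missing attribute casts to 0, which in practice means RC4 tickets.
    $encTypes    = [int]($u.'msDS-SupportedEncryptionTypes')
    $supportsAes = ($encTypes -band 0x18) -ne 0

    $pwdAgeDays = if ($u.PasswordLastSet) {
        (New-TimeSpan -Start $u.PasswordLastSet -End (Get-Date)).Days
    } else { $null }

    $findings = @()
    if (-not $supportsAes) { $findings += 'RC4-only (no AES encryption types set)' }
    if ($null -eq $pwdAgeDays -or $pwdAgeDays -gt $MaxPasswordAgeDays) {
        $findings += "password older than $MaxPasswordAgeDays days"
    }
    if ($u.AdminCount -eq 1) { $findings += 'privileged (adminCount=1)' }

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Enabled         = $u.Enabled
        SPNCount        = @($u.ServicePrincipalName).Count
        SupportsAES     = $supportsAes
        PasswordAgeDays = $pwdAgeDays
        Findings        = ($findings -join '; ')
    }
}

# Accounts with the most findings first, then a CSV for ticketing
$report |
    Sort-Object -Property @{ Expression = { $_.Findings.Length }; Descending = $true } |
    Format-Table -AutoSize
$report | Export-Csv -Path .\spn-audit.csv -NoTypeInformation
```

Accounts that come out RC4-only with a multi-year-old password are the ones whose tickets are cheapest to crack offline; the usual fixes are rotating the password to a long random value (or moving the service to a group Managed Service Account) and setting AES-only encryption types on the account.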

PowerView

PowerView is a PowerShell tool used for network enumeration and exploitation within Active Directory environments.

# Export results to CSV (Export-PowerViewCSV reads the objects to write from the pipeline)
Get-DomainUser | Export-PowerViewCSV -Path "C:\path\to\file.csv" # Appends results to a CSV file

# Convert a user or group name to its SID
ConvertTo-SID -ObjectName "DOMAIN\username" # Converts user/group name to SID

# Kerberos Ticket Requests
Get-DomainSPNTicket -SPN "serviceName/hostname" # Requests a Kerberos service ticket for the specified SPN

# Domain/LDAP Functions (PowerView has no -Filter parameter; use -Identity or -LDAPFilter to narrow results):
Get-Domain # Returns the AD object for the current or specified domain
Get-DomainController -Domain "example.com" # Returns list of Domain Controllers for the specified domain
Get-DomainUser -Properties samaccountname,serviceprincipalname # Returns all users with the specified properties
Get-DomainComputer # Returns all computers (or specific computer objects with -Identity) in AD
Get-DomainGroup # Returns all groups in the domain
Get-DomainOU # Returns all (or, with -Identity, specific) Organizational Units (OUs) in AD
Find-InterestingDomainAcl -ResolveGUIDs # Finds object ACLs with modification rights granted to non-built-in objects
Get-DomainGroupMember -Identity "Domain Admins" # Returns the members of the "Domain Admins" group (add -Recurse for nested members)
Get-DomainFileServer # Returns a list of servers likely functioning as file servers
Get-DomainDFSShare # Returns a list of all distributed file systems in the domain

# GPO Functions:
Get-DomainGPO # Returns all Group Policy Objects (GPOs) in the domain
Get-DomainPolicyData -Policy Domain # Returns the default domain policy (use -Policy DC for the domain controller policy)

# Computer Enumeration Functions:
Get-NetLocalGroup -ComputerName "RemotePC" # Enumerates local groups on a specific remote machine
Get-NetLocalGroupMember -GroupName "Administrators" -ComputerName "RemotePC" # Enumerates members of the "Administrators" group on a remote machine
Get-NetShare -ComputerName "RemotePC" # Returns open shares on the local or remote machine
Get-NetSession -ComputerName "RemotePC" # Returns session information for a specific remote machine
Test-AdminAccess -ComputerName "RemotePC" # Tests if the current user has administrative access to the local or remote machine

# Threaded 'Meta'-Functions:
Find-DomainUserLocation -UserIdentity "username" # Finds machines where the specified user is logged in
Find-DomainShare -ComputerName "RemotePC" # Finds reachable shares on domain machines
Find-InterestingDomainShareFile -Include "*.txt" # Searches for .txt files on readable shares in the domain
Find-LocalAdminAccess -ComputerName "RemotePC" # Finds if the current user has local admin access on a specific machine

# Domain Trust Functions:
Get-DomainTrust -Domain "example.com" # Returns domain trusts for the current or specified domain
Get-ForestTrust -Forest "forestName" # Returns all forest trusts for the specified forest
Get-DomainForeignUser # Enumerates users who are in groups outside of the user's domain
Get-DomainForeignGroupMember # Enumerates groups with users outside of the group's domain and returns each foreign member
Get-DomainTrustMapping # Enumerates all trusts for the current domain and any others seen
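The cmdlet names above are also what a defender sees on the other side of the wire. The script below is an added example (not code from the original page or from PowerView) that scans PowerShell script-block log text for the PowerView and ActiveDirectory-module calls listed on this page and rates each entry. The three log entries are constructed sample data so the script runs offline; the account names, host names and timestamps in them are invented. On a live host the text would come from Event ID 4104 in the `Microsoft-Windows-PowerShell/Operational` log, which requires script block logging to be enabled.

```powershell
# Added example, not from the original page: flag script-block log entries
# that reference the enumeration cmdlets listed on this page.

# Patterns grouped by tool. PowerView names only appear when PowerView is
# loaded, so they are weighted higher than built-in ActiveDirectory cmdlets,
# which administrators also use legitimately.
$Indicators = @{
    'PowerView' = @('Get-DomainSPNTicket', 'Find-InterestingDomainAcl', 'Find-LocalAdminAccess',
                    'Find-DomainUserLocation', 'Find-InterestingDomainShareFile',
                    'Get-DomainTrustMapping', 'Test-AdminAccess', 'Get-NetSession')
    'ADModule'  = @('ServicePrincipalName\s+-(ne|like)',   # the Kerberoasting filter from this page
                    'Get-ADTrust', 'Get-ADDomainController')
}

function Find-EnumerationIndicators {
    # Accepts objects with TimeCreated, Computer, User and ScriptBlockText
    # and emits one finding per entry that matches at least one pattern.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [pscustomobject] $Entry
    )
    process {
        $hits = foreach ($tool in $Indicators.Keys) {
            foreach ($pattern in $Indicators[$tool]) {
                if ($Entry.ScriptBlockText -match $pattern) { "$tool`:$pattern" }
            }
        }
        if ($hits) {
            [pscustomobject]@{
                TimeCreated = $Entry.TimeCreated
                Computer    = $Entry.Computer
                User        = $Entry.User
                Indicators  = ($hits -join ', ')
                # Any PowerView hit, or several hits together, is worth a prompt look
                Severity    = if (($hits -match '^PowerView:') -or @($hits).Count -ge 2) { 'High' } else { 'Medium' }
            }
        }
    }
}

function Get-ScriptBlockEvents {
    # Live collection helper (not exercised by the sample run below). Event 4104
    # stores the script text in the third event property.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated     = $_.TimeCreated
                Computer        = $_.MachineName
                User            = $_.UserId
                ScriptBlockText = $_.Properties[2].Value
            }
        }
}

# Constructed sample entries: one routine helpdesk lookup, then a session that
# runs the page's Kerberoasting filter followed by PowerView calls.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = '2024-01-10T09:12:01'; Computer = 'WS01.example.local'; User = 'EXAMPLE\helpdesk'
        ScriptBlockText = 'Get-ADUser -Identity "rezydev" -Properties MemberOf' }
    [pscustomobject]@{ TimeCreated = '2024-01-10T09:40:22'; Computer = 'WS07.example.local'; User = 'EXAMPLE\jdoe'
        ScriptBlockText = 'Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName' }
    [pscustomobject]@{ TimeCreated = '2024-01-10T09:41:05'; Computer = 'WS07.example.local'; User = 'EXAMPLE\jdoe'
        ScriptBlockText = 'Find-LocalAdminAccess; Get-DomainSPNTicket -SPN "MSSQLSvc/db01.example.local"' }
)

$SampleEvents | Find-EnumerationIndicators | Format-Table -AutoSize
```

With the constructed input, the helpdesk entry produces no finding, the SPN filter entry is rated Medium, and the PowerView entry is rated High. Matching on cmdlet names is deliberately simple: a renamed or obfuscated copy of PowerView will not match, so this is a first-pass triage rule to pair with the script-block logging that records the deobfuscated text, not a substitute for it.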

Cheatsheet

Info: Since PowerSploit is deprecated, BC-Security now handles the current updated version of PowerSploit as part of their Empire 4 framework.


SharpView

SharpView is a .NET port of PowerView, designed for enumeration and exploitation of Active Directory environments. It provides similar functionality to PowerView, but with a focus on compatibility with Windows systems and the .NET framework.

SharpView.exe Get-DomainController -Help
SharpView.exe Get-DomainUser -Identity rezydev

Snaffler

Snaffler is a tool for pentesters and red teamers to help find delicious candy needles (creds mostly, but it's flexible) in a bunch of horrible boring haystacks (a massive Windows/AD environment).

It might also be useful for other people doing other stuff, but it is explicitly NOT meant to be an "audit" tool.

snaffler.exe -s -d rezydev.local -o snaffler.log -v data