PowerShell AD reconnaissance (PowerView)

What are the odds of gaining initial access and doing some reconnaissance using PowerShell? Sounds interesting, right? Let's test this out. The PowerShell Empire project is simply a superb resource if you want to dig into it more.

Download link: https://github.com/PowerShellMafia/PowerSploit/

Download from GitHub and drop the folder into the modules directory. You can drop it into the per-user modules location, and if you have write access to the System32 folder that is even better. The locations are as follows.

This is an extract from the above website.

The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"

The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"

Now copy all the folders into one of the above-specified locations.

Open PowerShell, import the modules with the Import-Module cmdlet, and list the available commands with the Get-Command cmdlet.

Let's try some cmdlets to extract information.

Get-DomainPolicy

This cmdlet gives us information about the minimum and maximum password age, complexity rules and other important policy settings.
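Because the post's install step is simply copying a folder into one of the two module paths quoted above, a defender can audit those same two paths for modules that should not be there. The script below is an added example, not code from the post or from PowerSploit; the indicator strings (the Get-DomainPolicy function name and the word PowerView) are an assumed heuristic, and the function name Find-UnexpectedModule is my own.

```powershell
# Added example: inventory the per-user and computer-level module paths the post lists
# and flag any module whose script files mention PowerView-style function names.
function Find-UnexpectedModule {
    param(
        # Assumption: these are the two default paths quoted in the post.
        [string[]]$ModulePaths = @(
            (Join-Path "$Env:HomeDrive$Env:HOMEPATH" 'Documents\WindowsPowerShell\Modules'),
            (Join-Path $Env:windir 'System32\WindowsPowerShell\v1.0\Modules')
        ),
        # Assumption: heuristic indicators; Get-DomainPolicy is the cmdlet the post demonstrates.
        [string[]]$Indicators = @('Get-DomainPolicy', 'PowerView')
    )

    foreach ($root in $ModulePaths) {
        if (-not (Test-Path -Path $root)) {
            Write-Output "[absent]  $root"
            continue
        }
        Write-Output "[present] $root"

        # Each subdirectory of a module path is one module.
        Get-ChildItem -Path $root -Directory | ForEach-Object {
            $module = $_
            $files = Get-ChildItem -Path $module.FullName -Recurse -File `
                -Include *.psm1, *.ps1 -ErrorAction SilentlyContinue
            # -List reports at most one hit per file; -SimpleMatch treats the indicators literally.
            $hits = $files | Select-String -Pattern $Indicators -SimpleMatch -List
            if ($hits) {
                $names = ($hits | ForEach-Object { $_.Filename } | Sort-Object -Unique) -join ', '
                Write-Output ("  FLAG  {0}  (matching files: {1})" -f $module.Name, $names)
            } else {
                Write-Output ("  ok    {0}" -f $module.Name)
            }
        }
    }
}

Find-UnexpectedModule
```

A module that is copied into place rather than installed via a package also leaves no PowerShellGet record, so comparing this listing against Get-InstalledModule output is a useful second check.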

The best part is that it is incredibly user-friendly: you can use the Get-Help cmdlet to see the help, which also comes with examples. Look at the following cmdlet.
