Basic Recon

Powerview

Domain/Computers Recon

Get-Domain => Get Domain Information. Get-DomainPolicy => Get Domain Policy. (Get-DomainPolicy)."SystemAccess" => Password Policy. Get-DomainController => Get Domain Controller Information.

Get-NetComputer| select name => Get a list of computers in the current domain. Get-NetComputer -OperatingSystem "*Server 2016*" | select name ,operatingsystem |Format-List => OS info.

Groups/Users Recon

Get-NetGroup | select name => Get names of groups Get-NetGroup 'Group-Name' => All data about the specific group Get-NetGroupMember -MemberName "Group Name" -Recurse | select MemberName => Get all members of the domain admin group

Get-DomainUser => Get user's info about everything on the domain. Get-DomainUser | select cn => Get users name. Get-DomainUser -Identity <username> -Properties DisplayName, MemberOf,objectsid,useraccountcontrol | Format-List => Properties of a specific user.

Bloodhound

Collectors.

Powershell Version ==> Invoke-BloodHound -CollectionMethod All SharpHound ==> ./SharpHound.exe --CollectionMethod All Python Bloodhound ==> bloodhound-python -u support -p '#00^BlackKnight' -ns 10.10.10.192 -d blackfield.local -c all