Basic Domain Enumeration Using PowerView

Before enumerating a domain, let's first define what Active Directory is.


  • Active Directory is like a phonebook: each entry it stores is called an object. Everything in AD is an object, including users, groups, applications and devices.
  • Its main function is to let administrators manage permissions and control access to network resources.

SCHEMA - contains formal definitions of every object class that can be created in an Active Directory forest. The schema also contains formal definitions of every attribute that can exist in an Active Directory object

DOMAIN CONTROLLER - a server that hosts Active Directory Domain Services (AD DS) and uses the data stored in AD to authenticate and authorize users. Every domain has at least one.

DOMAIN - a collection of objects within an Active Directory network that share one directory database and one security policy. Domains are also used to group and manage objects in an organization.

TREE - one or more domains that share a common schema and configuration and form a contiguous DNS namespace (for example, corp.example.com is a child of example.com). Domains in a tree are linked by two-way transitive trusts.

FOREST - a set of one or more domain trees, which need not share a contiguous namespace. All trees in a forest share a common schema, configuration and global catalog, and every domain in the forest trusts every other. The forest, not the domain, is the security boundary in AD.

ORGANIZATIONAL UNIT (OU) - a container within an AD DS domain that lets you logically group objects such as user accounts, service accounts or computer accounts. You can then delegate administration of specific OUs and link Group Policy to them to enforce targeted configuration settings.
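The definitions above map directly onto the .NET System.DirectoryServices.ActiveDirectory classes that PowerView's Get-NetDomain and Get-NetDomainController are built on. The following is an added example, not code from the original post or from PowerView: it walks forest, trees, domains, domain controllers, trusts and the schema of the forest the host is joined to. It assumes a domain-joined Windows host with network reach to a domain controller.

```powershell
# Added example (not from the page, not PowerView code): walk forest -> tree -> domain
# -> domain controller with the .NET System.DirectoryServices.ActiveDirectory classes.
# Assumes a domain-joined Windows host with network reach to a domain controller.

Add-Type -AssemblyName System.DirectoryServices
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

"Forest:          $($forest.Name)  (mode: $($forest.ForestMode))"
"Root domain:     $($forest.RootDomain.Name)"
"Schema master:   $($forest.SchemaRoleOwner.Name)"
"Global catalogs: $(($forest.GlobalCatalogs | ForEach-Object Name) -join ', ')"

# One schema for the whole forest: every object class that can exist is defined here.
$classes = $forest.Schema.FindAllClasses()
"Schema classes:  $($classes.Count), e.g. $(($classes | Select-Object -First 5 | ForEach-Object Name) -join ', ')"

# Trees are contiguous DNS namespaces: a domain with a Parent is a child in its tree,
# a domain without one is a tree root (the forest root domain is one of these).
foreach ($domain in $forest.Domains) {
    $role = if ($domain.Parent) { "child of $($domain.Parent.Name)" } else { 'tree root' }
    "Domain: $($domain.Name)  [$role]  (mode: $($domain.DomainMode))"

    # Domain controllers host AD DS for this domain; the PDC emulator is the one
    # that sees password changes and bad-password counts first.
    foreach ($dc in $domain.DomainControllers) {
        $flag = if ($dc.Name -eq $domain.PdcRoleOwner.Name) { '  <- PDC emulator' } else { '' }
        "  DC: $($dc.Name)  site=$($dc.SiteName)  ip=$($dc.IPAddress)$flag"
    }

    # Trusts link the domains of a tree/forest (ParentChild, TreeRoot) and reach
    # outside it (External, Forest); the cross-forest ones are the pivot points to map.
    foreach ($trust in $domain.GetAllTrustRelationships()) {
        "  Trust: $($trust.SourceName) -> $($trust.TargetName)  type=$($trust.TrustType)  direction=$($trust.TrustDirection)"
    }
}
```

Run it from any domain user session; nothing here needs elevated rights, because the directory exposes this structure to every authenticated principal.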

Domain Enumeration using PowerView

What is PowerView? It is a PowerShell tool for gaining network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various Windows "net *" commands, which use PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality. All of the enumeration below works from an ordinary domain user account; it only reads data that the domain controller already exposes to authenticated users.

Download link: PowerView (in the PowerSploit/Recon repository on GitHub, referenced below)
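To see what those "pure-PowerShell replacements" actually send to the domain controller, here is an added example (not PowerView code, not from the original post) of the raw ADSI/LDAP search that a cmdlet such as Get-NetUser wraps. It is also the fallback when PowerView.ps1 itself cannot be loaded on a host. It assumes a domain-joined host; the Invoke-LdapSearch name and the filters are this example's own.

```powershell
# Added example (not PowerView code): the ADSI/LDAP search underneath PowerView's
# Get-NetUser / Get-NetComputer / Get-NetGroupMember. Assumes a domain-joined host.
# Invoke-LdapSearch and the filters below are this example's own.

function Invoke-LdapSearch {
    param(
        [Parameter(Mandatory)] [string] $Filter,         # LDAP filter, e.g. (samAccountType=805306368)
        [string[]] $Properties = @('samaccountname'),    # attributes to load
        [string] $SearchBase                             # e.g. LDAP://DC=corp,DC=local; default: current domain
    )
    # RootDSE tells us the naming context of the domain this host is joined to.
    if (-not $SearchBase) {
        $SearchBase = 'LDAP://' + ([ADSI]'LDAP://RootDSE').defaultNamingContext
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchBase)
    $searcher.Filter      = $Filter
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 1000      # paged results: an unpaged search is capped at 1000 entries by the DC
    $null = $searcher.PropertiesToLoad.AddRange($Properties)

    $results = $searcher.FindAll()
    try {
        foreach ($result in $results) {
            $obj = [ordered]@{}
            foreach ($name in $Properties) {
                # DirectorySearcher hands back every attribute as a collection; unwrap single values
                $value = $result.Properties[$name]
                $obj[$name] = if ($value.Count -eq 0) { $null } elseif ($value.Count -eq 1) { $value[0] } else { @($value) }
            }
            [pscustomobject]$obj
        }
    } finally {
        $results.Dispose()
        $searcher.Dispose()
    }
}

# Equivalent of: Get-NetUser      (805306368 = SAM_USER_OBJECT, i.e. normal user accounts)
Invoke-LdapSearch -Filter '(samAccountType=805306368)' -Properties samaccountname, description, pwdlastset

# Equivalent of: Get-NetUser -SPN (accounts with a servicePrincipalName, i.e. Kerberoastable)
Invoke-LdapSearch -Filter '(&(samAccountType=805306368)(servicePrincipalName=*))' -Properties samaccountname, serviceprincipalname

# Equivalent of: Get-NetComputer -OperatingSystem "*2008*"
Invoke-LdapSearch -Filter '(&(objectCategory=computer)(operatingSystem=*2008*))' -Properties dnshostname, operatingsystem

# Equivalent of: Get-NetGroupMember -GroupName "Domain Admins" -Recurse
# The matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) makes the DC expand nested membership.
$daDn = (Invoke-LdapSearch -Filter '(&(objectCategory=group)(cn=Domain Admins))' -Properties distinguishedname).distinguishedname
Invoke-LdapSearch -Filter "(&(samAccountType=805306368)(memberOf:1.2.840.113556.1.4.1941:=$daDn))" -Properties samaccountname
```

Every query goes to the domain controller over LDAP (TCP 389) as the current user, which is why this traffic is indistinguishable from normal directory lookups and why defenders watch for the volume and the unusual filters rather than the protocol.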

#Get the current domain
Get-NetDomain

#Get the domain object of another domain
Get-NetDomain -Domain $OtherDomain

#Get the domain controllers of the current domain
Get-NetDomainController

#Get the domain controllers of another domain
Get-NetDomainController -Domain $OtherDomain

#Get the SID of the current domain
Get-DomainSID

#Get the domain policy of the current domain
Get-DomainPolicy

#Enumerate a specific section of the current domain policy (e.g. "System Access" or "Kerberos Policy")
(Get-DomainPolicy)."$PolicyName"

#Get the domain policy of another domain
Get-DomainPolicy -Domain $OtherDomain

#Enumerate a specific section of another domain's policy
(Get-DomainPolicy -Domain $OtherDomain)."$PolicyName"

#Get a list of users in the current domain
Get-NetUser

#Get a specific user in the current domain
Get-NetUser -UserName $UserName

#Select a specific property of every user
Get-NetUser | Select-Object $PropertyName

#Get the list of all properties of users in the current domain
Get-UserProperty

#Enumerate a specific property across all users (e.g. pwdlastset, logoncount)
Get-UserProperty -Properties $PropertyName

#Get a list of all computers in the current domain
Get-NetComputer

#Enumerate all computers with their full object data
Get-NetComputer -FullData

#Select a specific property of every computer
Get-NetComputer -FullData | Select-Object $PropertyName

#Enumerate computers running a specific operating system (wildcards allowed)
Get-NetComputer -OperatingSystem "$OSVersion"

#Get a list of all groups in the current domain
Get-NetGroup

#Enumerate a specific group
Get-NetGroup -GroupName "$GroupName"

#Enumerate a specific group with its full object data
Get-NetGroup -GroupName "$GroupName" -FullData

#Enumerate the members of a specific group
Get-NetGroupMember -GroupName "$GroupName"

#Enumerate SMB shares across the domain: which folders are shared and on which hosts
Invoke-ShareFinder

#List all GPOs in the current domain
Get-NetGPO

#Select a specific property of every GPO
Get-NetGPO | Select-Object $PropertyName

#Search a user attribute for a specific string (here the Description field; the term "built" matches the built-in accounts)
Find-UserField -SearchField Description -SearchTerm "$SearchTerm"
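The commands above are usually run as one sweep rather than one at a time. The following is an added example, not code from the original post or from the PowerView project: a first-pass triage that chains the cmdlets listed above into the questions a tester actually asks on day one. It assumes the PowerView.ps1 from PowerSploit/Recon with the Get-Net* names used on this page has been dot-sourced in a session running as an ordinary domain user. The search terms, OS patterns and "[!]" heuristics are this example's own choices.

```powershell
# Added example (not from the page or the PowerView project): a first-pass domain
# triage chaining the PowerView cmdlets listed above. Assumes PowerView.ps1
# (Get-Net* naming) has been dot-sourced as an ordinary domain user:   . .\PowerView.ps1
# Search terms, OS patterns and the "[!]" heuristics are this example's own choices.

$domain = Get-NetDomain
$dcs    = Get-NetDomainController
"[*] Domain: $($domain.Name)   Forest: $($domain.Forest)   SID: $(Get-DomainSID)"
"[*] Domain controllers: $(($dcs | ForEach-Object Name) -join ', ')"

# Password and lockout policy decide whether a password spray is safe to run.
# Get-DomainPolicy returns the GptTmpl.inf sections keyed by section name.
$policy = Get-DomainPolicy
$access = $policy."System Access"
$kerb   = $policy."Kerberos Policy"
"[*] MinPwdLen=$($access.MinimumPasswordLength)  Complexity=$($access.PasswordComplexity)  LockoutThreshold=$($access.LockoutBadCount)  ResetWindow(min)=$($access.ResetLockoutCount)"
"[*] Kerberos: MaxTGTLife(h)=$($kerb.MaxTicketAge)  MaxServiceTicket(min)=$($kerb.MaxServiceAge)  MaxClockSkew(min)=$($kerb.MaxClockSkew)"
if ($access -and [int]$access.LockoutBadCount -eq 0) { "[!] LockoutBadCount is 0: bad passwords never lock accounts" }

# Domain Admins, expanded through nested groups.
$admins = @(Get-NetGroupMember -GroupName 'Domain Admins' -Recurse)
"[*] Domain Admins ($($admins.Count)): $(($admins | ForEach-Object MemberName) -join ', ')"

# Description fields that leak a password or a hint.
foreach ($term in 'pass', 'pwd', 'cred') {
    Find-UserField -SearchField Description -SearchTerm $term |
        ForEach-Object { "[!] description contains '$term': $($_.samaccountname) -> $($_.description)" }
}

# Users with an SPN: any domain user can request their service tickets and crack them offline.
Get-NetUser -SPN | ForEach-Object {
    "[*] SPN account: $($_.samaccountname) -> $(@($_.serviceprincipalname) -join ' ; ')"
}

# Out-of-support operating systems (patterns are examples; adjust to the estate).
$computers = Get-NetComputer -FullData
foreach ($pattern in '*2003*', '*2008*', '*XP*', '*Windows 7*') {
    $computers | Where-Object { $_.operatingsystem -like $pattern } |
        ForEach-Object { "[!] legacy OS: $($_.dnshostname) ($($_.operatingsystem))" }
}

# GPO display names are often self-describing; gpcfilesyspath is where SYSVOL keeps each one.
Get-NetGPO | ForEach-Object { "[*] GPO: $($_.displayname)  [$($_.gpcfilesyspath)]" }

# Shares the current user can actually read, minus the default admin, print and IPC$ shares.
Invoke-ShareFinder -CheckShareAccess -ExcludeStandard | ForEach-Object { "[*] readable share: $_" }
```

Everything up to the share scan is a handful of LDAP queries against one domain controller; Invoke-ShareFinder is the noisy step, because it touches SMB on every computer object returned, so run it last and only once you know the scope allows it.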

References

Active Directory Domain Services - Win32 apps | Microsoft Docs
PowerSploit/Recon at dev · PowerShellMafia/PowerSploit · GitHub