4/27/2021 Active Directory Enumeration: PowerView
Active Directory Enumeration: PowerView
April 26, 2021 By Raj Chandel
Active Directory enumeration is a challenge even for seasoned attackers: it is easy to miss a key
component and lose the chance to elevate the initial foothold you obtain. In this article, we cover
methods you can use to enumerate AD with PowerShell.
Table of Contents
Introduction
Get-NetUser
Get-UserProperty
Find-UserField
Invoke-UserHunter
Get-NetDomain
Get-NetDomainController
Get-NetComputer
Get-UserProperty
Get-NetForest
Get-NetForestCatalog
Get-NetForestDomain
https://www.hackingarticles.in/active-directory-enumeration-powerview/ 1/37
Get-NetLoggedon
Get-DomainPolicy
Get-NetOU
Get-NetGroup
Get-NetGroupMember
Get-NetGPO
Find-GPOLocation
Invoke-EnumerateLocalAdmin
Get-NetProcess
Invoke-ShareFinder
Invoke-FileFinder
Invoke-ACLScanner
Find-LocalAdminAccess
Get-NetSession
Conclusion
Introduction
We have configured an Active Directory lab that mimics a real-life environment with a number of
users, machines, and vulnerabilities. In this article/demonstration, we focus on enumerating
information that can then be used to elevate privileges or assist lateral movement. PowerView, a
tool developed by Will Schroeder (a.k.a. harmj0y), quickly became an integral part of the toolkit
for Active Directory attacks and enumeration. For this demonstration we assume that we have
already gained an initial foothold; we then use PowerShell with PowerView to enumerate the
machine and the domain. If you run into difficulties with any of the commands shown, refer to
the official GitHub repository for the installation process.
Get-NetUser
In our Active Directory lab setup, we created 7 users with different roles and privileges. We can
confirm this by viewing Active Directory Users and Computers, as shown in the image.
This is so we can correlate the information we are about to enumerate with PowerShell. The
attacker has transferred PowerView to the target system. To run the PowerShell script, the
execution policy must be set to Bypass as shown in the image (setting it for the current process
only is enough; a machine-wide change is noisier and unnecessary). Next, import the functions from
the PowerView script. This is a one-time step per session; afterwards the attacker can call the
functions directly. Note that on a patched host with Defender running, an unmodified PowerView.ps1
is caught by AMSI on import. To list the user accounts in the domain, the attacker ran the
following command.
Get-NetUser
The data returned is not limited to usernames. It includes logoncount, which gives an idea of
whether an account is active or dormant; badpasswordtime, the last date and time an attempt was
made to log on to this account with an invalid password; a short description of the user; the
groups the user is a member of (memberof); and pwdlastset, the date and time of the last password
change. All of this is very useful when the attacker is trying to profile user behaviour.
Similar Information is available for the users Yashika and Geet.
To get a compact list of the users in the domain, select just the common name (cn) from the
Get-NetUser output.
Get-NetUser | select cn
Administrator, Yashika, Geet, Aarti, Raj, Pavan, Jeenali, Japneet, etc. are the users in this
environment.
Similarly, to gather information about a particular user: after extracting the user list, the
attacker picks a specific user to target and needs more detail on that account. The -UserName
flag takes the name of the user the attacker wants to target. In this case, the attacker chose the
user Yashika.
Get-NetUser -UserName yashika
A streamlined but detailed output regarding the Yashika User is extracted by the attacker.
Get-UserProperty
When working with users and their properties, we see a property named pwdlastset. We can use it
to find which users have not changed their password in a long time. The same approach works for
any of the properties returned in the previous section. For this demonstration we extract the
pwdlastset property of all users.
Get-UserProperty -Properties pwdlastset
Find-UserField
There are times when a domain has so many users that it becomes very difficult for the domain
administrator to keep track of them all or of their credentials. That is when administrators resort
to risky shortcuts to remember credential information. One example I have seen again and again in
real environments is saving the user's password, or other important information, in the account's
description attribute. Find-UserField searches a chosen user attribute for a search term. In this
demonstration we used the term pass to search for potential passwords, and the user Yashika indeed
has their password stored in their description. The technique is not limited to passwords: other
keywords pull out other data. For example, the term built lists the accounts whose description
marks them as built-in accounts.
Find-UserField -SearchField Description -SearchTerm "pass"
Find-UserField -SearchField Description -SearchTerm "built"
The information Find-UserField returns is what is stored in the properties of that user object. On
the server it can be viewed by opening the list of users in Active Directory Users and Computers,
right-clicking a user and choosing Properties, which opens a window similar to the one shown in
the image below. Here we can see that the administrator has put the password in the Description
field. It goes without saying that this should never be done. From the attacker's point of view,
always check descriptions: they often contain a clue that gets you further.
Invoke-UserHunter
While enumerating the domain, an attacker with a targeted approach extracts more data, faster.
The home lab setups we practice on don't impose the time constraints a real engagement does. On a
real red team assessment, an attacker who takes their time extracting data risks being detected
and losing the initial access, or worse. This is where prior reconnaissance comes in handy: the
attacker can carry a list of specific users to enumerate first, since those users are the most
likely to lead to elevated access, removing the need to enumerate everyone else. This reduces the
time as well as the noise and the logs generated by enumerating users. Invoke-UserHunter solves
this: it helps the attacker search, or as its name suggests "hunt", for those specific users.
It accepts a username, and if the attacker has a list of usernames it accepts that too (as a
file), as well as a domain group name and a host list. It combines Get-NetSession and
Get-NetLoggedon against every server and compares the results against the target user set. That
again raises the question of how much noise it generates, but giving it a short list of usernames,
or a single one, reduces the noise significantly. It is worth noting that the session enumeration
Invoke-UserHunter relies on does not require administrator privileges (the NetWkstaUserEnum call
behind Get-NetLoggedon does, so that half only returns results on hosts where the attacker is
already a local admin). Moving to the demonstration, the attacker runs Invoke-UserHunter without
any users or options; in that case it hunts for the members of the Domain Admins group, which
here is the Administrator account. The information extracted is basic but useful for profiling a
user.
Invoke-UserHunter
A nifty feature worth mentioning is the -CheckAccess switch. Note what it checks: not the hunted
user's privileges, but whether the current user (the one running PowerView) has local administrator
access on each host where a target user was found. In the demonstration the result for the host
where Administrator was found comes back True, which is no surprise given the session already has
administrative rights.
Invoke-UserHunter -CheckAccess
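The targeted hunt described above, written out as an added example (this is not code from the original article or from PowerView itself). It assumes the old-style PowerView functions (Invoke-UserHunter, Get-NetGroupMember) are already imported and that the session runs as a domain user. The priority user list and the temporary file path are constructed for the example; -UserFile, -CheckAccess, -Delay and -Jitter are Invoke-UserHunter parameters.

```powershell
# Added example, not from the original article: one low-noise sweep for a short list of users.
# Priority targets gathered during recon (constructed list; the names are hypothetical).
$PriorityUsers = @('yashika', 'raj')

# Resolve Domain Admins once up front (nested groups included) instead of letting every
# sweep re-query the group, and merge them with the recon list.
$DomainAdmins = Get-NetGroupMember -GroupName 'Domain Admins' -Recurse |
    Where-Object { -not $_.IsGroup } | Select-Object -ExpandProperty MemberName
$Targets = @($PriorityUsers) + @($DomainAdmins) | Sort-Object -Unique

# Invoke-UserHunter -UserName takes one name and would sweep all hosts once per user;
# -UserFile sweeps the domain a single time against the whole list.
$UserFile = "$env:TEMP\targets.txt"            # hypothetical path
$Targets | Set-Content -Path $UserFile -Encoding ASCII

# -Delay is the pause in seconds between hosts, -Jitter the random +/- fraction applied to it.
# -CheckAccess additionally tests whether *we* are a local admin wherever a target is found.
$Hits = Invoke-UserHunter -UserFile $UserFile -CheckAccess -Delay 5 -Jitter 0.3
Remove-Item $UserFile -Force

# A target with a session on a host where we are already local admin is the best pivot:
# we can dump that host's memory/tickets without any further escalation.
$Hits | Sort-Object LocalAdmin, UserName -Descending |
    Format-Table UserName, ComputerName, IPAddress, SessionFrom, LocalAdmin -AutoSize

$Pivots = $Hits | Where-Object { $_.LocalAdmin } |
    Select-Object -ExpandProperty ComputerName -Unique
"Hosts where a target is present and we are local admin: $($Pivots -join ', ')"
```

Even with the delay, every host in the domain still receives one NetSessionEnum and one NetWkstaUserEnum call; -Stealth (not used here) restricts the sweep to high-traffic servers such as domain controllers and file servers, which is the quieter option when the target list is made up of administrators.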
Get-NetDomain
When the attacker needs domain-level information, Get-NetDomain has them covered. It returns the
domain object: the forest name, the domain controllers, any child domains (Children, populated in
a real environment with a multi-domain forest), the parent domain, the RidRoleOwner (the DC that
holds the relative identifier (RID) master FSMO role) and the PdcRoleOwner (the DC that holds the
PDC emulator role) for that specific domain.
Get-NetDomain
If the attacker wants to target a specific domain, the -Domain option takes the exact domain name
and Get-NetDomain returns the data for that domain.
Get-NetDomain -Domain "ignite.local"
Get-NetDomainController
Next in the lineup is Get-NetDomainController. Where Get-NetDomain describes the domain, this
describes the domain controller machines themselves. It returns the forest, the current date and
time on the server, and the OS version, which narrows the search for OS-specific exploits; then
the IP address, the site name, the FSMO roles the DC holds, and its inbound and outbound
replication connections.
Get-NetDomainController
Like Get-NetDomain, Get-NetDomainController can be pointed at a specific domain. Where multiple
domains are set up, each with its own domain controllers, the -Domain option selects the domain
controllers of that particular domain.
Get-NetDomainController -Domain ignite.local
Get-NetComputer
What looks like a simple option turns out to be one of the most used tools for pulling a large
amount of data about the machines in the domain. Get-NetComputer queries the domain controller over
LDAP, so it works from any domain-joined host and not only on the DC where it is demonstrated here.
Run bare, it returns the computer names of all the devices joined to the domain.
Get-NetComputer
If the attacker adds the -Ping option, the list is restricted to the hosts that respond to a ping
from the machine Get-NetComputer runs on.
Get-NetComputer -Ping
If the attacker does not want to pull the data one property at a time, the -FullData option
returns every attribute of each computer object. Keep in mind that pulling large amounts of data
raises the chance of getting detected.
Get-NetComputer -FullData
Moreover, the -OperatingSystem option takes the name of an operating system and returns all the
machines running that specific OS.
Get-NetComputer -OperatingSystem "Windows Server 2016 Standard Evaluation"
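The Get-NetDomainController and Get-NetComputer output above becomes far more useful once it is grouped and filtered. The following is an added example (not code from the original article or from PowerView) that assumes the old-style PowerView is imported and that Get-NetComputer -FullData returns one object per computer carrying the LDAP attributes named below (dnshostname, operatingsystem, lastlogontimestamp, useraccountcontrol). The 90-day staleness threshold is a choice made for the example.

```powershell
# Added example, not from the original article: a quick map of the machines in the domain.

# Domain controllers and the FSMO roles each holds (Roles is a property of the DomainController object).
Get-NetDomainController |
    Select-Object Name, IPAddress, OSVersion, SiteName, @{ n = 'Roles'; e = { $_.Roles -join ', ' } } |
    Format-Table -AutoSize

$Computers = @(Get-NetComputer -FullData)

# Operating system distribution: old or unsupported builds narrow the exploit search considerably.
$Computers | Group-Object operatingsystem | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Computer accounts that have not authenticated in 90 days are probably stale or decommissioned
# (and therefore rarely monitored). lastlogontimestamp is replicated between DCs; lastlogon is not.
$Stale = $Computers | Where-Object {
    $_.lastlogontimestamp -and ((Get-Date) - [datetime]$_.lastlogontimestamp).TotalDays -gt 90
}
"Stale computer accounts: $(@($Stale).Count)"
$Stale | Select-Object dnshostname, operatingsystem, lastlogontimestamp | Format-Table -AutoSize

# Hosts trusted for unconstrained delegation (userAccountControl bit 0x80000, TRUSTED_FOR_DELEGATION):
# any user who authenticates to them leaves a reusable TGT in their memory, so they are prime targets.
$Computers | Where-Object { ([int]$_.useraccountcontrol -band 0x80000) -ne 0 } |
    Select-Object dnshostname, operatingsystem | Format-Table -AutoSize

# Keep only the live subset for later per-host steps so they do not waste time on dead hosts.
$Live = @(Get-NetComputer -Ping)
"Reachable hosts: $($Live.Count) of $($Computers.Count)"
```

Domain controllers always carry the unconstrained-delegation bit, so the interesting entries in that last table are the member servers.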
Get-UserProperty
Next on the list is Get-UserProperty. So far the attacker has extracted the users and only a
little information about them. Get-UserProperty addresses that: with it the attacker can pull any
particular property across all users, for example whether an account carries admincount (a marker
of a current or former privileged account), the last bad-password time, the password change date,
the description of the user, the groups the user is a member of, and much more. Run bare, it lists
the property names that are available.
Get-UserProperty
To target a specific property, the attacker uses the -Properties option and names the property
they want to inquire about. Here the property inquired about was badpwdcount, which shows the
number of unsuccessful logon attempts recorded against each user. Note that this counter is kept
per domain controller and is not replicated, so if the number matters, check it against each DC.
Get-UserProperty -Properties badpwdcount
The attacker can focus on the logoncount property to understand which users are dormant and
which are active. In a real-life scenario, inactive accounts are often those of ex-employees that
the administrator has overlooked. That is a problem: these accounts are not forced to change their
password, and attacks mounted through them raise fewer flags because the accounts are legitimate.
Like badpwdcount, logoncount is maintained per domain controller and is not replicated.
Get-UserProperty -Properties logoncount
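The Get-NetUser, Get-UserProperty and Find-UserField sections above each pull one piece of the same picture; the following is an added example (not code from the original article or from PowerView) that turns the raw user list into a triage in one pass. It assumes the old-style PowerView script was copied to C:\Temp\PowerView.ps1 (a hypothetical path), that the session runs as a domain user on a domain-joined host, and that Get-NetUser returns the LDAP attributes named in the article (pwdlastset, logoncount, badpwdcount, description, memberof). The 180-day threshold and the keyword list are choices made for the example.

```powershell
# Added example, not from the original article: load PowerView and triage every user account.
Set-ExecutionPolicy Bypass -Scope Process -Force     # current process only, nothing persists
Import-Module C:\Temp\PowerView.ps1                  # hypothetical path

function ConvertTo-DateTimeSafe {
    # PowerView already converts pwdlastset/lastlogontimestamp to [datetime]; a raw LDAP query
    # returns a 64-bit FILETIME instead. Handle both so the rest of the script does not care.
    param($Value)
    if ($null -eq $Value)      { return $null }
    if ($Value -is [datetime]) { return $Value }
    try { return [datetime]::FromFileTime([int64]$Value) } catch { return $null }
}

$MaxPasswordAgeDays = 180
$Now = Get-Date

$Users = Get-NetUser | ForEach-Object {
    $PwdSet = ConvertTo-DateTimeSafe $_.pwdlastset     # 1601-01-01 means "must change at next logon"
    [pscustomobject]@{
        Name        = $_.samaccountname
        Description = "$($_.description)"
        LogonCount  = [int]$_.logoncount
        BadPwdCount = [int]$_.badpwdcount
        PwdLastSet  = $PwdSet
        PwdAgeDays  = if ($PwdSet) { [int]($Now - $PwdSet).TotalDays } else { $null }
        LastLogon   = ConvertTo-DateTimeSafe $_.lastlogontimestamp   # replicated, unlike lastlogon
        AdminCount  = [int]$_.admincount
        Groups      = (@($_.memberof) -join '; ')
    }
}

"== Passwords older than $MaxPasswordAgeDays days (pwdlastset) =="
$Users | Where-Object { $_.PwdAgeDays -gt $MaxPasswordAgeDays } |
    Sort-Object PwdAgeDays -Descending | Format-Table Name, PwdLastSet, PwdAgeDays -AutoSize

"== Never used or dormant accounts (logoncount, lastlogontimestamp) =="
$Users | Where-Object { $_.LogonCount -eq 0 -or -not $_.LastLogon } |
    Format-Table Name, LogonCount, LastLogon, Groups -AutoSize

"== Accounts already seeing failed logons (badpwdcount, as seen by the DC we queried) =="
$Users | Where-Object { $_.BadPwdCount -gt 0 } | Format-Table Name, BadPwdCount -AutoSize

"== Descriptions that look like they hold a secret (the Find-UserField idea, several terms at once) =="
$Users | Where-Object { $_.Description -match 'pass|pwd|cred|secret|key|login' } |
    Format-Table Name, Description -AutoSize

"== admincount=1: current or former members of protected groups =="
$Users | Where-Object { $_.AdminCount -eq 1 } | Format-Table Name, Groups -AutoSize

# Keep the whole inventory for offline analysis instead of re-querying the DC.
$Users | Export-Csv -NoTypeInformation -Path C:\Temp\ad-users.csv
```

One LDAP query feeds all five views, which is both faster and quieter than calling Get-UserProperty once per attribute; the CSV lets the rest of the analysis happen off the target.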
Get-NetForest
Beyond domain and user information, the attacker can also gain information about the forest. A
forest is the top of the hierarchy: one forest contains one or more domains (not the other way
round), and all domains in it share a schema and a global catalog. To get information about the
forest the current user's domain belongs to, use Get-NetForest.
Get-NetForest
Get-NetForestCatalog
A forest typically has several global catalog servers, and they help the attacker pick up valuable
information about every domain in the forest, because the global catalog holds a partial replica
of the objects of all domains. The following demonstration extracts all the global catalogs of the
current forest with Get-NetForestCatalog.
Get-NetForestCatalog
Get-NetForestDomain
Moving on from the catalogs, the attacker can also list the domains that make up the forest the
current user is in. This is done with Get-NetForestDomain, as shown in the demonstration.
Get-NetForestDomain
Get-NetLoggedon
That's enough about forests. Getting back to the users on a local or remote machine, the attacker
can take advantage of Get-NetLoggedon. Note that administrative rights on the target host are
required, because the function executes the NetWkstaUserEnum Win32 API call to list the users
currently logged on. If the attacker is in a bit of a hurry, they can enumerate the logged-on users
of every machine in the domain by piping the computer list into Get-NetLoggedon (Get-DomainComputer
is the name in the newer PowerView; in the older version used elsewhere in this article the
equivalent is Get-NetComputer).
Get-DomainComputer | Get-NetLoggedon
In this demonstration, however, the users logged on to one particular machine are enumerated with
the -ComputerName option and the machine name.
Get-NetLoggedon -ComputerName DC1
Get-DomainPolicy
Among other things, the domain policy can reveal some very useful information. The attacker can
use Get-DomainPolicy to extract the policy of the current domain. It reads the Default Domain
Policy (or, with the -Source option, the Default Domain Controllers Policy) for the current or a
specified domain; the -Domain option selects the domain and the -DomainController option binds to
a particular domain controller.
Get-DomainPolicy
To enumerate Kerberos settings, the attacker can go after the Kerberos policy section, which holds
MaxTicketAge, MaxRenewAge, MaxServiceAge, MaxClockSkew and TicketValidateClient. This information
comes in handy if the attacker is planning a ticket-forging attack or similar.
(Get-DomainPolicy)."KerberosPolicy"
To extract the System Access section, which holds the password settings we touched on earlier,
such as password age, complexity, length and the lockout threshold:
(Get-DomainPolicy)."SystemAccess"
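What the attacker actually does with those two sections is derive operating limits: how many guesses per account are safe, and how long a stolen ticket stays usable. The following is an added example (not code from the original article or from PowerView). It assumes the old-style PowerView is imported and that Get-DomainPolicy returns the parsed GptTmpl.inf with the SystemAccess and KerberosPolicy keys shown above, values as strings; the two-attempt safety margin is a choice made for the example.

```powershell
# Added example, not from the original article: turn the domain policy into concrete limits.
$Policy = Get-DomainPolicy
$Sys    = $Policy.SystemAccess
$Krb    = $Policy.KerberosPolicy

$LockoutThreshold = [int]$Sys.LockoutBadCount        # 0 means account lockout is disabled
$ObservationWin   = [int]$Sys.ResetLockoutCount      # minutes until the bad-password counter resets
$MinLength        = [int]$Sys.MinimumPasswordLength
$Complexity       = [int]$Sys.PasswordComplexity     # 1 = complexity requirements enforced
$MaxPwdAge        = [int]$Sys.MaximumPasswordAge     # days; -1 = passwords never expire
$History          = [int]$Sys.PasswordHistorySize

"Password policy: min length $MinLength, complexity $(if ($Complexity) { 'on' } else { 'off' }), " +
"max age $MaxPwdAge days, history $History"

if ($LockoutThreshold -eq 0) {
    "No lockout threshold: spraying will not lock accounts (each failure still logs 4625/4771 on the DC)."
} else {
    # Stay below the threshold within one observation window and leave room for the users' own typos.
    $SafeAttempts = [math]::Max(1, $LockoutThreshold - 2)
    "Lockout after $LockoutThreshold bad attempts; counter resets $ObservationWin min after the last one."
    "Safe spray cadence: at most $SafeAttempts password(s) per account every $($ObservationWin + 1) minutes."
}

# Kerberos policy: the lifetimes bound how long a stolen or forged ticket remains valid.
"TGT lifetime $($Krb.MaxTicketAge) h, renewable for $($Krb.MaxRenewAge) days, " +
"service tickets $($Krb.MaxServiceAge) min, allowed clock skew $($Krb.MaxClockSkew) min"
if ([int]$Krb.TicketValidateClient -eq 1) { "KDC validates the client at TGS time (TicketValidateClient=1)." }
```

Caveat: this is the Default Domain Policy only. Fine-grained password policies (password settings objects, msDS-PasswordSettings) can override it for specific users or groups and do not appear in GptTmpl.inf, so a privileged account may be protected by a stricter lockout than this suggests.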
Get-NetOU
OU is short for Organizational Unit. OUs are containers for users, groups and computers within a
domain, and they are the smallest scope to which Group Policy can be linked. They are useful when
an administrator wants to apply Group Policy settings to a subset of users, groups and computers,
and they let administrators delegate administrative tasks over that subset to users or groups
without making them administrators of the whole directory.
To enumerate them, run the following command in PowerShell.
Get-NetOU
It can be observed that there are 4 OUs on the Target Server. Namely, Tech, VPN, Sales, and HR.
Get-NetGroup
Group information is among the most important things the attacker can enumerate. To get all the
groups in the current domain, use Get-NetGroup as demonstrated.
Get-NetGroup
When the attacker wants the groups whose name contains admin, because those are the ones likely
to hold privileged accounts, a wildcard returns every kind of administrator group, as demonstrated.
Get-NetGroup *admin*
If the attacker wants to check the group memberships of a particular user, the -UserName option
gives them, as shown in the image below. Here the attacker extracted the groups of the user
Yashika.
Get-NetGroup -UserName yashika
To target a specific domain, the attacker uses the -Domain option with the domain name, as shown
in the demonstration.
Get-NetGroup -Domain ignite.local
Furthermore, to extract all the data about the groups in the domain, the -FullData option returns
every attribute of each group object, including its member list. In the demonstration it can be
observed that the Administrator account is listed as a member of the Administrators group,
followed by the other user groups.
Get-NetGroup -FullData
There is a member named Japneet in the Tech group and, looking further into the user groups, a
user named Geet is part of the Tech group as well.
Moving on from user-based group enumeration to group-based enumeration: provide the group name,
as shown in the image below.
Get-NetGroup "Domain Admins"
The attacker can also combine options to target one particular group and return all of its
attributes, as shown in the demonstration.
Get-NetGroup "Domain Admins" -FullData
There are more ways for the attacker to streamline enumeration by combining options and
parameters to target exactly the information needed, for example a -GroupName pattern together
with a -Domain.
Get-NetGroup -GroupName *admin* -Domain ignite.local
Get-NetGroupMember
Once the attacker has successfully enumerated the group names, Get-NetGroupMember returns the
members of a given group. In the demonstration we extracted the members of the group Domain
Admins.
Get-NetGroupMember -GroupName "Domain Admins"
As discussed earlier, Get-NetGroupMember also supports options such as -Recurse, which follows
nested groups so that users who are members only through another group are listed too. Comparing
the screenshots of Get-NetGroupMember with and without -Recurse shows a significant difference
between the two.
Get-NetGroupMember -GroupName "Administrators" -Recurse
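The difference between the direct and the recursive membership is exactly the set of accounts an administrator may not realise are privileged. The following is an added example (not code from the original article or from PowerView) that runs that comparison across the well-known privileged groups in one go. It assumes the old-style PowerView is imported and that Get-NetGroupMember objects carry the MemberName and IsGroup properties; the group list is constructed for the example and a group that does not exist in the domain is skipped.

```powershell
# Added example, not from the original article: effective membership of the privileged groups.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators',
    'DnsAdmins', 'Group Policy Creator Owners'
)

$Report = foreach ($Group in $PrivilegedGroups) {
    $Direct    = @(Get-NetGroupMember -GroupName $Group -ErrorAction SilentlyContinue)
    $Effective = @(Get-NetGroupMember -GroupName $Group -Recurse -ErrorAction SilentlyContinue)
    if ($Effective.Count -eq 0) { continue }     # group empty or not present in this domain

    $DirectUsers    = @($Direct    | Where-Object { -not $_.IsGroup } | Select-Object -ExpandProperty MemberName)
    $EffectiveUsers = @($Effective | Where-Object { -not $_.IsGroup } | Select-Object -ExpandProperty MemberName | Sort-Object -Unique)
    $NestedGroups   = @($Direct    | Where-Object { $_.IsGroup }      | Select-Object -ExpandProperty MemberName)
    # Users who are privileged only because some other group was added to this one.
    $ViaNesting     = @($EffectiveUsers | Where-Object { $DirectUsers -notcontains $_ })

    [pscustomobject]@{
        Group          = $Group
        DirectUsers    = ($DirectUsers -join ', ')
        NestedGroups   = ($NestedGroups -join ', ')
        ViaNesting     = ($ViaNesting -join ', ')
        EffectiveCount = $EffectiveUsers.Count
    }
}
$Report | Format-Table Group, EffectiveCount, DirectUsers, NestedGroups, ViaNesting -AutoSize -Wrap

# An account that is in more than one privileged group is the best single target to go after.
$Report | ForEach-Object { ($_.DirectUsers, $_.ViaNesting) -split ', ' } |
    Where-Object { $_ } | Group-Object | Where-Object { $_.Count -gt 1 } |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize
```

The ViaNesting column is the one to read first: those accounts usually have weaker passwords and less monitoring than the accounts listed directly in Domain Admins, yet hold the same rights.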
Get-NetGPO
Group Policy is very useful for figuring out how the domain is set up and what rules and policies
the administrator designed to govern it. It can be enumerated with Get-NetGPO, which returns all
the Group Policy Objects configured in the domain.
Get-NetGPO
As the previous run of Get-NetGPO shows, the amount of information is overwhelming. For a clean,
easy-to-read output, select just the display names of the policies.
Get-NetGPO | select displayname
Find-GPOLocation
Find-GPOLocation is a good way to map what a specific user is able to do. It takes a username and
works out, from the GPOs that grant local group membership (Restricted Groups and Group Policy
Preference local group settings) and the OUs and sites those GPOs are linked to, which machines
that user has local administrator (or RDP) rights on, and returns those locations. In this
demonstration we use the Yashika user, with -Verbose so the output explains each step.
Find-GPOLocation -UserName yashika -Verbose
Invoke-EnumerateLocalAdmin
Invoke-EnumerateLocalAdmin does exactly what its name says: it enumerates the members of the
local Administrators group on every machine in the domain. In our demonstration we see that
Administrator, Enterprise Admins and Domain Admins are local administrators on the hosts of our
domain ignite.local. Note that on current Windows versions, querying a remote host's local group
membership over SAMR is restricted to administrators by default, so this only returns results for
hosts where the attacker already has administrative rights.
Invoke-EnumerateLocalAdmin
Get-NetProcess
Enumerating running processes is one of the most important things an attacker should do, because
it tells so much about a target machine: services that might be vulnerable, processes running with
elevated privileges, and the process IDs, so that if the attacker has access to a process they can
tinker with it, for example stopping or restarting it. Get-NetProcess does this over WMI for the
local machine or, with -ComputerName, a remote one.
Get-NetProcess
Invoke-ShareFinder
An inexperienced attacker may ask why shares need enumerating from inside when SMB enumeration
can be done externally. An experienced attacker knows that not every share is visible to everyone:
a share can be configured to be visible and accessible to all, or only to specific users, so the
view from a domain account differs from the anonymous one. To enumerate the shares across the
domain, use Invoke-ShareFinder.
Invoke-ShareFinder
Invoke-FileFinder
Searching the machine where the attacker has a foothold is not a difficult task, but searching for
specific files across every share in the domain is what Invoke-FileFinder is for. By default it
looks for sensitive files, such as credential files and configuration files, that can lead to a
serious compromise.
Invoke-FileFinder
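Run bare, Invoke-ShareFinder and Invoke-FileFinder touch every host and every share, which is the noisy way to do it. The following is an added example (not code from the original article or from PowerView) of the quieter workflow: one share sweep restricted to readable, non-default shares, one file search over just those, and a separate look at SYSVOL. It assumes the old-style PowerView is imported; -ExcludeStandard and -CheckShareAccess are Invoke-ShareFinder parameters, -ShareList and -Terms are Invoke-FileFinder parameters, and the file paths and search terms are choices made for the example.

```powershell
# Added example, not from the original article: share and file hunting with the noise kept down.
$ShareFile = "$env:TEMP\shares.txt"      # hypothetical paths
$HitsFile  = "$env:TEMP\file-hits.csv"

# 1) One sweep for readable, non-default shares (C$, ADMIN$, IPC$ and print$ are dropped).
#    Invoke-ShareFinder prints "\\host\share<tab>- remark"; keep only the UNC path.
$Shares = Invoke-ShareFinder -ExcludeStandard -CheckShareAccess |
    ForEach-Object { ($_ -split "`t| - ")[0].Trim() } | Where-Object { $_ } | Sort-Object -Unique
$Shares | Set-Content -Path $ShareFile -Encoding ASCII
"Readable non-default shares: $(@($Shares).Count)"

# 2) Search only those shares, for file names that tend to hold credentials.
$Terms = 'pass', 'cred', 'secret', 'vpn', 'unattend', 'sysprep', 'web.config', '.kdbx', '.ppk', 'id_rsa', '.rdp'
$Hits  = @(Invoke-FileFinder -ShareList $ShareFile -Terms $Terms)
$Hits | Export-Csv -NoTypeInformation -Path $HitsFile
$Hits | Sort-Object LastWriteTime -Descending |
    Format-Table FullName, Owner, LastWriteTime, Length -AutoSize

# 3) SYSVOL is readable by every domain user. Group Policy Preference XML files may still carry
#    cpassword values (AES key published by Microsoft; MS14-025 stopped new ones, old files remain).
$Domain = (Get-NetDomain).Name
Get-ChildItem "\\$Domain\SYSVOL\$Domain\Policies" -Recurse -ErrorAction SilentlyContinue `
    -Include Groups.xml, ScheduledTasks.xml, Services.xml, DataSources.xml, Drives.xml, Printers.xml |
    Where-Object { Select-String -Path $_.FullName -Pattern 'cpassword=' -Quiet } |
    ForEach-Object { "GPP cpassword in $($_.FullName)" }
```

Step 3 deliberately uses plain Get-ChildItem rather than Invoke-FileFinder: reading SYSVOL from a domain-joined host is ordinary, expected traffic, whereas a share sweep that touches every server is not.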
Invoke-ACLScanner
Invoke-ACLScanner scans the access control lists (ACLs) of Active Directory objects (users,
groups, computers, OUs, GPOs: not files) and returns the weak permissions. Bear in mind that
domain permissions can be hard to wrap your head around, and the permissions Invoke-ACLScanner
finds can be difficult to exploit; that does not mean an attacker should skip them. In simpler
terms, Invoke-ACLScanner finds the rights that users and groups hold on objects that may be open
to abuse. It does this by filtering out the default permissions held by well-known principals and
listing the non-default entries that the administrator, or some product installer, defined. The
-ResolveGUIDs switch translates the object-type GUIDs into readable right names.
Invoke-ACLScanner -ResolveGUIDs
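Even after Invoke-ACLScanner's own filtering the output is long, and most of it is harmless. The following is an added example (not code from the original article or from PowerView) that cuts it down to the access control entries that translate directly into control of the object. It assumes the old-style PowerView is imported and that the ACE objects carry the ObjectDN, ActiveDirectoryRights, ObjectAceType, AccessControlType and IdentityReference properties; the right and extended-right lists are choices made for the example.

```powershell
# Added example, not from the original article: keep only the abusable ACEs.
$Aces = @(Invoke-ACLScanner -ResolveGUIDs | Where-Object { $_.AccessControlType -eq 'Allow' })

# Extended rights and attributes that matter even when no generic full-control bit is set.
$HotAceTypes = @(
    'User-Force-Change-Password',         # reset the password without knowing the old one
    'DS-Replication-Get-Changes', 'DS-Replication-Get-Changes-All',   # DCSync
    'Member',                             # write group membership
    'Self-Membership',                    # add self to the group
    'Script-Path',                        # logon script = code execution as the user
    'ms-DS-Key-Credential-Link',          # shadow credentials
    'Validated-SPN'                       # SPN write = targeted Kerberoast
)

$Interesting = $Aces | Where-Object {
    $rights = [string]$_.ActiveDirectoryRights
    $type   = [string]$_.ObjectAceType
    ($rights -match 'GenericAll|GenericWrite|WriteOwner|WriteDacl') -or                       # full control outright
    ($rights -match 'WriteProperty|ExtendedRight|Self' -and
        ($type -in $HotAceTypes -or $type -in @('All', '')))                                  # dangerous specific right, or all properties
}

# Who holds the right and on what: one principal with many hits is the pivot.
$Interesting | Sort-Object IdentityReference, ObjectDN |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectAceType, ObjectDN -AutoSize -Wrap

$Interesting | Group-Object IdentityReference | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Invoke-ACLScanner already drops ACEs held by principals with a RID below 1000, so SYSTEM, Domain Admins and the other built-in groups never appear; what is left was added by hand or by a product, which is exactly why it is worth reading.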
Find-LocalAdminAccess
Find-LocalAdminAccess is also self-explanatory: it enumerates the machines in the domain on which
the current user has local administrator access. In the newer PowerView it tests each host with
Test-AdminAccess (the older version uses Invoke-CheckLocalAdminAccess), and if the -Credential
option is passed it first uses Invoke-UserImpersonation to impersonate the specified user before
enumerating.
Find-LocalAdminAccess
Get-NetSession
Finally, let's shine some light on the sessions present in the domain. Get-NetSession returns the
session information of the local or a remote machine; it executes the NetSessionEnum Win32 API
call, which does not require administrative rights on older Windows (Windows 10 1709 / Server 2019
and later restrict it to administrators by default). It can be used bare, as demonstrated, or with
the -ComputerName option to target a specific host.
Get-NetSession
Conclusion
Active Directory is extensive and can be confusing for novice security professionals. We provide
this detailed resource so that you can enumerate your own Active Directory deployment and
understand the information an attacker can extract. It will also help blue teamers understand how
this information is gathered and what alerts they need to set up to catch the attacker.
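For the blue-team side of that conclusion, the following is an added example (not code from the original article or from PowerView) of one concrete alert: PowerShell Script Block Logging records the text of every script block as Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log, and importing PowerView.ps1 logs the entire script, function names included, before a single function is called. The script assumes Script Block Logging is enabled by policy on the host being inspected and that it runs with the rights needed to read that log (locally or via -ComputerName); the indicator list is constructed from the function and API names used in this article.

```powershell
# Added example, not from the original article: find PowerView-style enumeration in 4104 script block logs.
param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)

$Indicators = @(
    'Get-NetUser', 'Get-UserProperty', 'Find-UserField', 'Invoke-UserHunter', 'Get-NetDomainController',
    'Get-NetComputer', 'Get-NetLoggedon', 'Get-NetSession', 'Get-DomainPolicy', 'Get-NetGroupMember',
    'Get-NetGPO', 'Invoke-EnumerateLocalAdmin', 'Invoke-ShareFinder', 'Invoke-FileFinder',
    'Invoke-ACLScanner', 'Find-LocalAdminAccess', 'NetSessionEnum', 'NetWkstaUserEnum', 'Set-ExecutionPolicy'
)
$Pattern = ($Indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'

$Filter = @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = (Get-Date).AddHours(-$Hours)
}
$Events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $Filter -ErrorAction SilentlyContinue

# 4104 splits long scripts into numbered fragments that share a ScriptBlockId.
# Properties[2] is ScriptBlockText and Properties[3] the ScriptBlockId.
$Hits = foreach ($e in $Events) {
    $found = [regex]::Matches($e.Properties[2].Value, $Pattern) |
        ForEach-Object { $_.Value } | Sort-Object -Unique
    if ($found) {
        [pscustomobject]@{
            Time          = $e.TimeCreated
            User          = $e.UserId           # SID of the account that ran the script
            ScriptBlockId = $e.Properties[3].Value
            Indicators    = @($found)
        }
    }
}

# Re-assemble per script block. One block that calls several of these functions is far more
# specific than a single hit: administrators run Get-NetUser-style lookups, nobody runs
# Invoke-UserHunter by accident. Score = number of distinct indicators in the block.
$Hits | Group-Object ScriptBlockId | ForEach-Object {
    $all = $_.Group.Indicators | ForEach-Object { $_ } | Sort-Object -Unique
    [pscustomobject]@{
        First      = ($_.Group.Time | Sort-Object | Select-Object -First 1)
        User       = $_.Group[0].User
        Score      = @($all).Count
        Indicators = ($all -join ', ')
    }
} | Where-Object { $_.Score -ge 2 } | Sort-Object Score -Descending | Format-Table -AutoSize -Wrap
```

Two things to keep in mind when turning this into a production rule: the log only exists where Script Block Logging is enabled by GPO, so an empty result on an unmanaged host means nothing; and an attacker who renames the functions or uses the newer Get-Domain* names will not match this list, which is why the Win32 API names (NetSessionEnum, NetWkstaUserEnum) and the execution-policy change are included as indicators that survive a rename.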
Author: Pavandeep Singh is a Technical Writer, Researcher, and Penetration Tester. He can be contacted on Twitter and LinkedIn.