Here we will see what we can do, and how to enumerate, once we have a compromised user. PowerView is a tool that lets us enumerate domain users, policies, etc. BloodHound lets us visualise what is going on in a domain. It should be used on almost every internal assessment that you do.


So what is PowerView and how do we install it? We go to this GitHub page.

and then download it on one of your Windows machines. On an assessment you can probably just send it through the console, but here it is done in a way that is easy to show.

To run it:

We open cmd, go to the directory where we have the file, and then in cmd we write:

powershell -ep bypass

-ep bypass is going to bypass the execution policy for us, which is something enabled by default to stop us from running weird-ass scripts.

Now in the second step we load it up. Basically it is going to execute and not show anything else:

. .\Powerview.ps1
Get-NetDomain # Gets domain information for us.
Get-NetDomainController # Shows specifically what the domain controller is and its information.
Get-DomainPolicy # Shows you all the domain policies, Kerberos policies, etc.
(Get-DomainPolicy)."system access" # Shows one specific policy section from the command above in more detail.
Get-NetUser # A little long, with a lot of information. You might find an interesting description, or see a password or something like that.
Get-NetUser | select cn # Selects only the user names of all the users; you can swap cn for whatever property you need.
Get-UserProperty # Shows all the properties on those users.
Get-UserProperty -Properties pwdlastset # Shows when the password was last set on all these users.
Get-UserProperty -Properties logoncount # Shows how many times each user has logged on. Be careful here, because accounts with 0 logins may be honeypots or something.
Get-UserProperty -Properties badpwdcount # Shows how many times a user has tried to log in with a bad (wrong) password.
Get-NetComputer # Lists all the computers in the network. We can get a lot more information by adding -FullData, and you can use select like grep to pick out certain information.
Get-NetGroup # Gets all the groups. You can narrow them down with -GroupName "Domain Admins" to see the domain admins, or use wildcards like *admin* to see anything with admin in its name.
Get-NetGroupMember -GroupName "Domain Admins" # Lists all the members of the Domain Admins group.
Invoke-ShareFinder # You can use it to see whether there are any interesting SMB shares or something like that.
Get-NetGPO # Shows us all the group policies; pulls down heavy data again.
Get-NetGPO | select displayname, whenchanged # Pulls down the policy names and when they were changed.
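
What the session above looks like from the defender's side, as an added example that is not part of the original notes: it groups command-line and script-block records per host and user and rates them by the execution-policy bypass switch and the number of distinct cmdlets from the list above. The record layout, the host and user names and the min_cmdlets threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Cmdlet names taken from the command list on this page.
CMDLETS = ("Get-NetDomain", "Get-NetDomainController", "Get-DomainPolicy",
           "Get-NetUser", "Get-UserProperty", "Get-NetComputer", "Get-NetGroup",
           "Get-NetGroupMember", "Invoke-ShareFinder", "Get-NetGPO")
# Lookarounds stop Get-NetDomain from matching inside Get-NetDomainController.
CMDLET_RE = re.compile(r"(?<![\w-])(" + "|".join(CMDLETS) + r")(?![\w-])", re.I)
# -ep, -ex, -exec ... -ExecutionPolicy followed by Bypass.
BYPASS_RE = re.compile(r"-e(?:p|x\w*)\s+bypass\b", re.I)

def score_sessions(events, min_cmdlets=3):
    """Group events by (host, user) and rate each group's enumeration signals."""
    seen = defaultdict(lambda: {"bypass": False, "cmdlets": set()})
    for ev in events:
        s = seen[(ev["host"], ev["user"])]
        if BYPASS_RE.search(ev["text"]):
            s["bypass"] = True
        s["cmdlets"].update(m.lower() for m in CMDLET_RE.findall(ev["text"]))
    findings = {}
    for key, s in seen.items():
        burst = len(s["cmdlets"]) >= min_cmdlets
        if burst and s["bypass"]:
            severity = "high"      # bypass plus a burst of distinct cmdlets
        elif burst:
            severity = "medium"    # burst alone (script loaded some other way)
        elif s["bypass"] or s["cmdlets"]:
            severity = "low"       # single signal, common in admin scripts
        else:
            continue
        findings[key] = {"severity": severity, "cmdlets": sorted(s["cmdlets"])}
    return findings

# Constructed sample records (not real logs); text = command line or script block.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "alice", "text": "powershell -ep bypass"},
    {"host": "WS01", "user": "alice", "text": r". .\Powerview.ps1"},
    {"host": "WS01", "user": "alice", "text": "Get-NetDomainController"},
    {"host": "WS01", "user": "alice", "text": "Get-NetUser | select cn"},
    {"host": "WS01", "user": "alice", "text": 'Get-NetGroupMember -GroupName "Domain Admins"'},
    {"host": "SRV02", "user": "svc_backup", "text": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
    {"host": "WS03", "user": "bob", "text": "Get-NetGPO | select displayname, whenchanged"},
    {"host": "WS04", "user": "carol", "text": "Get-ChildItem C:\\Users"},
]

if __name__ == "__main__":
    for (host, user), f in score_sessions(SAMPLE_EVENTS).items():
        print(host, user, f["severity"], ", ".join(f["cmdlets"]))
```

Matching on cmdlet names only catches an unmodified script, so treat a hit as a lead to investigate rather than as proof.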

Best tool to get information, so learn more about it using this link →


This tool lets us download the data of an Active Directory once we are in a network, and basically makes our testing easy.

How to download it:

Just do apt install bloodhound and it's done.