ctfnote
  • /home/ret2basic.eth
  • Game Hacking
    • βœ…C++
    • Ghidra
    • Cheat Engine
    • Proxy
    • DLL injection
    • Keygen
    • Aimbot
  • Web3 Security Research
    • πŸ‘‘Web3 Security Research Trivia
    • βœ…Solidity
      • βœ…Mastering Ethereum
      • βœ…Storage
      • βœ…Memory
      • βœ…Calldata
      • βœ…ABI
    • βœ…Foundry
      • βœ…Introduction
      • βœ…How to Write Basic Tests
      • βœ…Set Soliditiy Compiler Version
      • βœ…Remappings
      • βœ…Auto Format Code
      • βœ…Console Log
      • βœ…Authentication
      • βœ…Error
      • βœ…Event
      • βœ…Time
      • βœ…Send ETH
      • βœ…Signature
      • βœ…Fork
      • βœ…Mint 1 Million DAI on Mainnet Fork
      • βœ…FFI
      • βœ…Fuzz
      • βœ…Invariant Testing - Part 1
      • Invariant Testing - Part 2
      • Invariant Testing - Part 3
      • Differential Test
    • βœ…Secureum
      • βœ…Epoch 0
        • βœ…Slot 1: Ethereum 101
          • βœ…Notes
          • βœ…Ethereum Whitepaper
          • βœ…Extra Study: What happens when you send 1 DAI
          • βœ…Quiz
        • βœ…Slot 2: Solidity 101
          • βœ…Notes
          • βœ…OpenZeppelin ERC20
          • βœ…OpenZeppelin ERC721
          • βœ…OpenZeppelin Ownable
          • βœ…OpenZeppelin Pausable
          • βœ…OpenZeppelin ReentrancyGuard
          • βœ…Quiz
        • βœ…Slot 3: Solidity 201
          • βœ…Notes
          • βœ…OpenZeppelin SafeERC20
          • βœ…OpenZeppelin ERC-777
          • βœ…OpenZeppelin ERC-1155
          • βœ…OpenZeppelin ERC-3156
          • βœ…OpenZeppelin - Proxy Upgrade Pattern
          • βœ…Quiz
        • βœ…Slot 4: Pitfalls and Best Practices 101
          • βœ…Notes
          • βœ…Intro to Security First Development
          • βœ…Quiz
        • βœ…Slot 5: Pitfalls and Best Practices 201
          • βœ…Notes
          • So you want to use a price oracle
          • The Dangers of Surprising Code
          • βœ…Quiz
        • βœ…Slot 6: Auditing Techniques & Tools 101
          • βœ…Notes
          • βœ…Quiz
        • βœ…Slot 7: Audit Findings 101
          • Notes
          • βœ…Fei Protocol - ConsenSys
          • βœ…Uniswap V3 - Trail of Bits
          • βœ…Chainlink - Sigma Prime
          • βœ…Opyn Gamma - OpenZeppelin
          • βœ…Quiz
        • βœ…Slot 8: Audit Findings 201
          • Notes
          • 1inch Liquidity - Consensus
          • Original Dollar - Trail of Bits
          • Synthetix EtherCollateral - Sigma Prime
          • Holdefi - OpenZeppelin
          • Quiz
      • βœ…Epoch ∞
        • βœ…RACE #4 - ERC20 Implementation
        • βœ…RACE #5 - ERC1155 Implementation
        • βœ…RACE #6 - ERC721 Application
        • βœ…RACE #7 - Bored Ape
        • βœ…RACE #8 - ERC721 Roles
        • βœ…RACE #9 - Proxy
        • βœ…RACE #10 - Test Cases
        • βœ…RACE #11 - Staking
        • βœ…RACE #12 - ERC20 Permit
        • βœ…RACE #13 - ERC20 with Callback
        • βœ…RACE #14 - Lending
        • βœ…RACE #15 - DEX
        • βœ…RACE #16 - Flash Loan
        • βœ…RACE #17
    • DeFi
      • Glossary
        • TWAP vs. VWAP
        • Tranches
      • DeFi MOOC
        • Lecture 2: Introduction to Blockchain Technologies
        • Lecture 5: DEX
        • Lecture 6: Decentralized Lending
        • Lecture 10: Privacy on the Blockchain
        • Lecture 12: Practical Smart Contract Security
        • Lecture 13: DeFi Security
      • Uniswap V2
      • Compound V3
        • βœ…Whitepaper
        • βœ…Interacting with Compound
          • βœ…Supply and Redeem
          • βœ…Borrow and Repay
          • βœ…Liquidation
          • βœ…Long and Short
        • βœ…Interest Model
        • CToken
      • Aave
      • Chainlink
        • βœ…Getting Started
        • βœ…Data Feeds
        • βœ…VRF
      • Optimism
        • Bedrock
      • LayerZero
      • Opensea
        • Seaport
    • EVM
      • βœ…Andreas Antonopoulos - The Ethereum Virtual Machine
      • βœ…Program The Blockchain - Smart Contract Storage
      • βœ…EVM Codes - EVM Playground for Opcodes
      • βœ…Fvictorio - EVM Puzzles
      • βœ…Daltyboy11 - More EVM Puzzles
      • βœ…EVM Through Huff
      • Noxx - EVM Deep Dives
      • βœ…Jordan McKinney - EVM Explained
      • Openzepplin - Deconstructing a Solidity Contract
      • Jeancvllr - EVM Assembly
      • Peter Robinson - Solidity to Bytecode, Memory & Storage
      • Marek Kirejczyk - Ethereum Under The Hood
      • βœ…Official Solidity Docs
      • Dissecting EVM using go-ethereum Eth client implementation - deliriusz.eth
    • Vulnerabilities
      • Rounding Issues
        • Kyberswap
      • Bridges
      • Governance / Voting Escrows
      • Bizzare Bug Classes
        • TIME - ERC2771Context + Multicall calldata manipulation
    • Fancy Topics
      • Vulnerabilities SoK
        • βœ…Demystifying Exploitable Bugs in Smart Contracts
        • Blockchain Hacking Techniques 2022 Top 10 - Todo
      • yAcademy
        • Proxies
          • yAcademy - Proxy Basics
          • yAcademy - Proxies Deep Dive
          • yAcademy - Security Guide to Proxy Vulns
        • defi-fork-bugs
      • Spearbit
        • βœ…Community Workshop: Riley Holterhus
        • Economic Security with fmrmf
        • Numerical Analysis for DeFi Audits: A TWAMM Case Study by Kurt Barry
  • Red Teaming
    • βœ…Enumeration
      • Service Enumeration
        • SMTP (Port 25)
        • Samba (Port 139, 445)
        • SNMP (Port 161,162,10161,10162)
        • rsync (Port 873)
        • NFS (Port 2049)
        • Apache JServ Protocol (Port 8081)
        • NetBIOS
      • Nmap
      • Gobuster / Feroxbuster / FUFF / Wfuzz
      • Drupal
    • βœ…Exploitation
      • Public Exploits
      • PHP Webshells
      • Reverse Shell
      • TTY
      • File Transfer
      • Metasploit
      • Password Spray
    • βœ…Buffer Overflow
      • Step 0: Spiking (Optional)
      • Step 1: Fuzzing
      • Step 2: Finding the Offset
      • Step 3: Overwriting the EIP
      • Step 4: Finding Bad Characters
      • Step 5: Finding the Right Module
      • Step 6: Generating Shellcode and Gaining Root
    • βœ…Privilege Escalation
      • Linux Privilege Escalation
        • Linux Permissions
        • Manual Enumeration
        • Automated Tools
        • Kernel Exploits
        • Passwords and File Permissions
        • SSH Keys
        • Sudo
        • SUID
        • Capabilities
        • Cron Jobs
        • NFS Root Squashing
        • Docker
        • GNU C Library
        • Exim
        • Linux Privilege Escalation Course Capstone
      • Windows Privilege Escalation
        • Manual Enumeration
        • Automated Tools
        • Kernel Exploits
        • Passwords and Port Forwarding
        • WSL
        • Token Impersonation and Potato Attacks
        • Meterpreter getsystem
        • Runas
        • UAC Bypass
        • Registry
        • Executable Files
        • Startup Applications
        • DLL Hijacking
        • Service Permissions (Paths)
        • CVE-2019-1388
        • HiveNightmare
        • Bypass Space Filter
    • βœ…Post Exploitation
      • Linux Post Exploitation
        • Add a User
        • SSH Key
      • Windows Post Exploitation
        • windows-resources
        • Add a User
        • RDP
    • βœ…Pivoting
      • Windows: Chisel
      • Linux: sshuttle
    • Active Directory (AD)
      • Initial Compromise
        • HTA Phishing
        • VBA Macro Phishing
        • LLMNR Poisoning
        • SMB Relay
        • GPP / cPassword
      • Domain Enumeration
        • Manual Enumeration
        • PowerView
        • BloodHound
      • Lateral Movement
        • PsExec
        • WMI
        • Runas
        • Pass the Hash
        • Overpass the Hash
        • Pass the Ticket
      • Kerberos
        • Kerberoast
        • AS-REP Roast
      • MS SQL Server
    • Command & Control (C2)
      • Cobalt Strike
        • Bypassing Defences
          • Artifact Kit
          • Resource Kit
          • AMSI Bypass
          • PowerPick
        • Extending Cobalt Strike
          • Elevate Kit
          • Malleable C2 Profile
      • Metasploit
        • Payloads
        • Post Exploitation
        • Automation
      • C2 Development
    • Malware Development
      • "Hot Dropper"
      • PE Format
        • Overview
      • Process Injection
      • Reflective DLL
      • x86 <=> x64
      • Hooking
      • VeraCry
      • Offensive C#
      • AV Evasion
        • AV Evasion with C# and PowerShell
        • AMSI Bypass
  • Cryptography
    • Hash Functions
    • MAC
    • AES
      • Byte at a Time
      • CBC CCA
      • CBC Bit Flipping
      • CBC Padding Oracle
    • Diffie-Hellman
    • RSA
      • Prime Factors
      • Multiple Ciphertexts
      • Low Public Exponent
      • Low Private Exponent
    • ECC
    • Digital Signature
    • JWT
    • PRNG
    • SSL/TLS
    • Research
      • βœ…Lattice-based Cryptography (Lattice)
      • Elliptic Curve Cryptography (ECC)
      • Oblivious Transfer (OT)
      • Secure Multi-party Computation (MPC)
      • Learning with Error (LWE)
      • Fully Homomorphic Encryption (FHE)
      • Zero Knowledge Proof (ZKP)
      • Oblivious RAM (ORAM)
  • Computer Science
    • Linux
      • Setup
      • curl
      • Hard Link vs. Symlink
      • Man Page
      • /dev/null
    • Python
      • New Features
      • Operators, Expressions, and Data Manipulation
      • Program Structure and Control Flow
      • Objects, Types, and Protocols
      • Functions 101
      • Generators
      • Classes and Object-Oriented Programming
      • Memory Management
      • Concurrency and Parallelism
        • Multithreading and Thread Safety
        • Asynchronization
        • Multiprocessing
        • Global Interpreter Lock (GIL)
      • Built-in Functions and Standard Library
        • import collections
        • import itertools
        • import sys
        • import re
        • import pickle
        • import json
      • Third-party Library
        • from pwn import *
        • import requests
        • from bs4 import BeautifulSoup
        • from scapy.all import *
        • py2exe
    • HTML, CSS, JavaScript, and React
      • HTML
      • CSS
      • JavaScript
        • var vs. let
        • Objects
        • Arrays
        • Functions
        • Modules
        • Asynchronous JavaScript
      • React
    • Data Structures and Algorithms
      • Binary Search
    • The Linux Programming Interface
      • Processes
        • Memory Allocation
        • The Process API
        • Process Creation
        • Process Termination
        • Monitoring Child Processes
        • Program Execution
      • Signals
      • Threads
        • Thread Synchronization
        • Thread Safety and Pre-Thread Storage
      • IPC
        • Pipes and FIFOs
        • Memory Mappings
        • Virtual Memory Operations
      • Sockets
    • Computer Systems
      • Hexadecimal
      • Signedness
      • Registers
      • Instructions
      • Syscall
      • Process Memory
      • Stack Frame
      • Preemptive Multitasking
      • IPC
      • Threads
    • Databases
      • MySQL
        • Basic Syntax
        • Data Types
        • Modifying Tables
        • Duplicating and Deleting
        • SELECT
        • Transaction
      • GraphQL
    • Distributed Systems
      • Introduction
        • What is a Distributed System?
        • Design Goals
        • Scaling Techniques
        • Types of Distributed Systems
      • Architecture
        • System Architectures
        • Example Architectures
      • Communication
        • Foundations
        • Remote Procedure Call
        • Message-oriented Communication
      • Coordination
        • Clock Synchronization
        • Logical Clock
      • Consistency and Replication
        • Introduction
        • Data-centric Consistency
        • Client-centric Consistency
    • Static Analysis
      • Intermediate Representation
      • Data Flow Analysis
      • Interprocedural Analysis
      • Pointer Analysis
      • Static Analysis for Security
      • Datalog-Based Program Analysis
      • Soundness and Soundiness
      • CFL-Reachability and IFDS
  • Web
    • βœ…Prerequisites
      • OWASP Top 10
        • 1. Broken Access Control
        • 2. Cryptographic Failures
        • 3. Injection
        • 4. Insecure Design
        • 5. Security Misconfiguration
        • 6. Vulnerable and Outdated Components
        • 7. Identification and Authentication Failures
        • 8. Software and Data Integrity Failures
        • 9. Security Logging and Monitoring Failures
        • 10. SSRF
      • HTTP
        • HTTP Status Codes
        • HTTP Headers
      • Burp Suite
        • Burp Intruder
        • Burp Extender
        • Burp Collaborator
      • Information Gathering
        • DNS
        • Git
        • Editor
        • Server
      • Bug Bounty Report Writing
    • File Upload
      • Webshell
      • IIS, Nginx, and Apache Vulnerabilities
      • .htaccess (Apache) / web.config (IIS)
      • Alternate Data Stream
      • Code Review: bWAPP Unrestricted File Upload
    • SQL Injection (SQLi)
      • Cheat Sheet
      • UNION Attacks
      • Examining the Database
      • Blind SQL Injection
      • WAF Bypass
      • Out-Of-Band (OOB)
      • Webshell and UDF
      • sqlmap
        • Code Review: Initialization
        • Code Review: tamper
    • Cross-Site Scripting (XSS)
      • Cheat Sheet
      • Reflected XSS
      • Stored XSS
      • DOM-Based XSS
      • XSS Contexts
      • CSP
    • CSRF and SSRF
      • Client-Side Request Forgery (CSRF)
        • XSS vs. CSRF
        • CSRF Tokens and SameSite Cookies
      • Server-Side Request Forgery (SSRF)
        • Attacks
        • Bypassing Restrictions
        • SSRF + Redis
    • XML External Entities (XXE)
    • Insecure Deserialization
      • Python Deserialization
      • PHP Deserialization
      • Java Deserialization
        • Shiro
        • FastJSON
        • WebLogic
    • HTTP Request Smuggling
    • OS Command Injection
      • Whitespace Bypass
      • Blacklist Bypass
      • Blind OS Command Injection
      • Lab 1: HITCON 2015 BabyFirst
      • Lab 2: HITCON 2017 BabyFirst Revenge
      • Lab 3: HITCON 2017 BabyFirst Revenge v2
    • βœ…Directory Traversal
    • HTTP Parameter Pollution
    • Server-Side Template Injection (SSTI)
    • LDAP Injection
    • Redis
      • Authentication
      • RCE
      • Mitigations
  • Pwn
    • Linux Exploitation
      • Protections
      • Shellcoding
        • Calling Convention
        • Null-free
        • Reverse Shell
        • ORW
      • ROP
        • Stack Alignment
        • ret2text
        • ret2syscall
        • ret2libc
        • ret2csu
        • BROP
        • SROP
        • Stack Pivot
      • ptmalloc
        • chunks
        • malloc() and free()
        • bins
        • tcache
      • UAF
      • Race Conditions
        • TOCTTOU
        • Dirty Cow
        • Meltdown
        • Spectre
      • Kernel
      • Appendix: Tools
        • socat
        • LibcSearcher-ng
        • OneGadget
    • Windows Exploitation
      • Classic
      • SEH
      • Egghunting
      • Unicode
      • Shellcoding
      • ROP
      • Appendix: Tools
        • ImmunityDbg
        • Mona.py
    • Fuzzing
      • AFL++
        • Quickstart
        • Instrumentation
        • ASAN
        • Code Coverage
        • Dictionary
        • Parallelization
        • Partial Instrumentation
        • QEMU Mode
        • afl-libprotobuf-mutator
      • WinAFL
      • Fuzzilli
  • Reverse
    • Bytecode
      • Python Bytecode
    • πŸ‘‘Z3 solver
    • angr
      • angr Template
Powered by GitBook
On this page
  • Intro
  • Domain Enumeration
  • Import PowerView
  • Get current domain
  • Get object of another domain
  • Get domain SID for the current domain
  • Get the domain password policy
  • Users Groups and Computers Enumeration
  • Get Information of domain controller
  • Get information of users in the domain
  • Get list of all users
  • Get list of usernames, last logon and password last set
  • Get list of usernames and their groups
  • Get list of all properties for users in the current domain
  • Get descripton field from the user
  • Get computer information
  • Get computers with operating system "Server 2016"
  • Get list of all computer names and operating systems
  • List all groups of the domain
  • Get all the members of the group
  • Get the group membership of a user
  • List all the local groups on a machine (needs admin privs on non dc machines)
  • Get Member of all the local groups on a machine (needs admin privs on non dc machines)
  • Get actively logged users on a computer (needs local admin privs)
  • Get locally logged users on a computer (needs remote registry rights on the target)
  • Get the last logged users on a computer (needs admin rights and remote registary on the target)
  • Shares Enumeration
  • Find shared on hosts in the current domain
  • Find sensitive files on computers in the domain
  • Get all fileservers of the domain
  • GPO Enumeration
  • Get list of GPO's in the current domain
  • Get GPO's which uses restricteds groups or groups.xml for interesting users
  • Get users which are in a local group of a machine using GPO
  • Get machines where the given user is member of a specific group
  • Get OU's in a domain
  • Get machines that are part of an OU
  • Get GPO applied on an OU
  • ACL Enumeration
  • Get the ACL's associated with the specified object
  • Get the ACL's associated with the specified prefix to be used for search
  • Get the ACL's associated with the specified path
  • Search for interesting ACL's
  • Search of interesting ACL's for the current user
  • Domain Trust Enumeration
  • Get a list of all the domain trusts for the current domain
  • Get details about the forest
  • Get all domains in the forest
  • Get global catalogs for the current forest
  • Map trusts of a forest
  • User Hunting
  • Find all machines on the current domain where the current user has local admin access
  • Find local admins on all machines of the domain (needs administrator privs on non-dc machines)
  • Find Computers where a domain admin (or specified user/group) has session
  • Find computers where a domain admin is logged-in
  • Defense

Was this helpful?

  1. Red Teaming
  2. Active Directory (AD)
  3. Domain Enumeration

PowerView

PreviousManual EnumerationNextBloodHound

Last updated 2 years ago

Was this helpful?

Intro

PowerView has long been the de-facto tool for domain enumeration. It it part of the PowerSploit project:

Any standard user can run PowerView. High-privilege user account is not needed.

Domain Enumeration

Import PowerView

Import-Module .\PowerView.ps1

Or:

. .\PowerView.ps1

Get current domain

Get-NetDomain

Get object of another domain

Get-NetDomain -Domain moneycorp.local

Get domain SID for the current domain

Get-DomainSID

Get the domain password policy

Get-DomainPolicy

(Get-DomainPolicy)."System Access"

net accounts

Users Groups and Computers Enumeration

Get Information of domain controller

Get-NetDomainController

Get-NetDomainController | select-object Name

Get information of users in the domain

Get-NetUser

Get-NetUser -Username <username>

Get list of all users

Get-NetUser | select samaccountname

Get list of usernames, last logon and password last set

Get-NetUser | select samaccountname, lastlogon, pwdlastset

Get-NetUser | select samaccountname, lastlogon, pwdlastset | Sort-Object -Property lastlogon

Get list of usernames and their groups

Get-NetUser | select samaccountname, memberof

Get list of all properties for users in the current domain

get-userproperty -Properties pwdlastset

Get descripton field from the user

Find-UserField -SearchField Description -SearchTerm "built"
Get-netuser | Select-Object samaccountname,description

Get computer information

Get-NetComputer

Get-NetComputer -FullData

Get-NetComputer -Computername <computername> -FullData

Get computers with operating system "Server 2016"

Get-NetComputer -OperatingSystem "*Server 2016*"

Get list of all computer names and operating systems

Get-NetComputer -fulldata | select samaccountname, operatingsystem, operatingsystemversion

List all groups of the domain

Get-NetGroup

Get-NetGroup -GroupName *admin*

Get-NetGroup -Domain <domain>

Get all the members of the group

Get-NetGroupMember -Groupname "Domain Admins" -Recurse

Get-NetGroupMember -Groupname "Domain Admins" -Recurse | select MemberName

Get the group membership of a user

Get-NetGroup -Username <username>

List all the local groups on a machine (needs admin privs on non dc machines)

Get-NetlocalGroup -Computername <computername> -ListGroups

Get Member of all the local groups on a machine (needs admin privs on non dc machines)

Get-NetlocalGroup -Computername <computername> -Recurse

Get actively logged users on a computer (needs local admin privs)

Get-NetLoggedon -Computername <computername>

Get locally logged users on a computer (needs remote registry rights on the target)

Get-LoggedonLocal -Computername <computername>

Get the last logged users on a computer (needs admin rights and remote registary on the target)

Get-LastLoggedOn -ComputerName <computername>

Shares Enumeration

Find shared on hosts in the current domain

Invoke-ShareFinder -Verbose

Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC

Find sensitive files on computers in the domain

Invoke-FileFinder -Verbose

Get all fileservers of the domain

Get-NetFileServer

GPO Enumeration

Get list of GPO's in the current domain

Get-NetGPO

Get-NetGPO -Computername <computername>

Get GPO's which uses restricteds groups or groups.xml for interesting users

Get-NetGPOGroup

Get users which are in a local group of a machine using GPO

Find-GPOComputerAdmin -Computername <computername>

Get machines where the given user is member of a specific group

Find-GPOLocation -Username student244 -Verbose

Get OU's in a domain

Get-NetOU -Fulldata

Get machines that are part of an OU

Get-NetOU StudentMachines | %{Get-NetComputer -ADSPath $_}

Get GPO applied on an OU

Get-NetGPO -GPOname "{<gplink>}"

ACL Enumeration

Get the ACL's associated with the specified object

Get-ObjectACL -SamAccountName <accountname> -ResolveGUIDS

Get the ACL's associated with the specified prefix to be used for search

Get-ObjectACL -ADSprefix β€˜CN=Administrator,CN=Users’ -Verbose

Get the ACL's associated with the specified path

Get-PathAcl -Path \\<Domain controller>\sysvol

Search for interesting ACL's

Invoke-ACLScanner -ResolveGUIDs

Invoke-ACLScanner -ResolveGUIDs | select IdentityReference, ObjectDN, ActiveDirectoryRights | fl

Search of interesting ACL's for the current user

Invoke-ACLScanner | Where-Object {$_.IdentityReference –eq [System.Security.Principal.WindowsIdentity]::GetCurrent().Name}

Domain Trust Enumeration

Get a list of all the domain trusts for the current domain

Get-NetDomainTrust

Get details about the forest

Get-NetForest

Get all domains in the forest

Get-NetForestDomain

Get-NetforestDomain -Forest <domain name>

Get global catalogs for the current forest

Get-NetForestCatalog

Get-NetForestCatalog -Forest <domain name>

Map trusts of a forest

Get-NetForestTrust

Get-NetForestTrust -Forest <domain name>

Get-NetForestDomain -Verbose | Get-NetDomainTrust

User Hunting

Find all machines on the current domain where the current user has local admin access

Find-LocalAdminAccess -Verbose

Find local admins on all machines of the domain (needs administrator privs on non-dc machines)

Invoke-EnumerateLocalAdmin -Verbose

Find Computers where a domain admin (or specified user/group) has session

Invoke-UserHunter

Invoke-UserHunter -GroupName "RDPUsers"

To confirm admin access:

Invoke-UserHunter -CheckAccess

Find computers where a domain admin is logged-in

Invoke-UserHunter -Stealth

This option queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of high traffic servers (DC, File Servers and Distributed File servers) for less traffic generation and list sessions and logged on users (Get-NetSesssion / Get-NetLoggedon) from each machine.

Defense

Most of the enumeration mixes really well with the normal traffic to the DC. Hardening can be done on the DC (or other machines) to contain the information provided by the queried machine. Let's have a look at defending against one of the most lethal enumeration techiques: user hunting.

Netcease is a script which changes permissions on the NetSEssionEnum method by removing permission for Authenticated Users group. This fails many of the attacker's session enumeration and hence user hunting capabilities:

.\NetCease.ps1

Another interesting script from the same author is SAMRi10 which hardens Windows 10 and Server 2016 against enumeration which uses SAMR protocol (like net.exe).

PowerSploit/PowerView.ps1 at master Β· PowerShellMafia/PowerSploitGitHub
PowerView.ps1
Logo