Set-ADAccountPassword sophie -Reset -NewPassword (Read-Host -AsSecureString -Prompt 'New Password') -Verbose
Set-ADUser -ChangePasswordAtLogon $true -Identity sophie -Verbose
- Enumerating the current user
(cmd) echo %USERNAME%  or  whoami
thm-winfun2\administrator
(PowerShell) $env:username
Administrator
Set-PSReadlineOption -HistorySaveStyle SaveNothing
whoami /priv
whoami /groups
- Check users:
  - net user
  - whoami /all
- Useful PowerShell commands:
  - Get-LocalUser | ft Name,Enabled,LastLogon (ft displays only the Name, Enabled and LastLogon columns)
  - Get-ChildItem C:\Users\ -Force | select Name
  - net accounts (gives the minimum and maximum password age and the lockout policy; useful during brute-force attempts)
  - net user Administrator (gives information about the Administrator account)
  - Get-LocalGroup
  - net localgroup Administrators (lists the members of the local Administrators group; works in cmd)
- Check the IP address, default gateway, hostname etc.:
  - Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
  - Get-DnsClientServerAddress
- Check routing and connection information:
  - route print
  - Get-NetRoute -AddressFamily IPv4 (or IPv6)
  - Get-NetNeighbor -AddressFamily IPv4
  - netstat -ano
- Check firewall status:
  - netsh firewall show state
  - netsh firewall show config
  - netsh advfirewall show domain (shows the domain profile settings, not the firewall logs)
  - Get-MpComputerStatus (Defender status, including whether real-time protection is on)
- Disable firewall:
  - netsh firewall set opmode disable (legacy "netsh firewall" syntax; deprecated but still accepted)
  - netsh advfirewall set allprofiles state off (disables all profiles)
- Set-MpPreference -DisableRealtimeMonitoring $true (disables Defender real-time monitoring)
- Password hash location in Windows:
  - C:\Windows\System32\config\SAM and C:\Windows\System32\config\SYSTEM (combine both files using samdump2 and crack the output with john)
- Grep for strings containing "password": cd C:\ & findstr /SI /M "password" *.xml *.txt *.ini
- Go to Event Viewer and use filters, e.g. Event ID 4624 to see logon activity and 4672 for the timestamp of privileged logons.
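An added example, not part of these notes, that does the Event Viewer filtering above from PowerShell: it pulls 4624 and 4672 events from the Security log and tabulates who logged on, how and from where. It assumes an elevated session on the host being examined; the time window and event limit are arbitrary values.

```powershell
# Added example, not part of the original notes: summarise recent logon activity
# from the Security log instead of clicking through Event Viewer filters.
# Assumes an elevated PowerShell session on the host being examined (reading the
# Security log needs administrator rights). $Hours and $MaxEvents are arbitrary.
$Hours     = 24
$MaxEvents = 500

# 4624 = successful logon, 4672 = special privileges assigned to a new logon
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4672
    StartTime = (Get-Date).AddHours(-$Hours)
}

Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named fields from the event XML rather than regexing the message text
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 4624 records the account in Target*, 4672 records it in Subject*
        $prefix = if ($_.Id -eq 4672) { 'Subject' } else { 'Target' }

        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            User      = '{0}\{1}' -f $data["${prefix}DomainName"], $data["${prefix}UserName"]
            LogonType = $data['LogonType']   # 2 interactive, 3 network, 10 RDP; empty for 4672
            Source    = $data['IpAddress']   # '-' or empty for local logons and for 4672
        }
    } |
    Where-Object { $_.User -notmatch '\\(SYSTEM|LOCAL SERVICE|NETWORK SERVICE|DWM-\d+|UMFD-\d+)$' } |  # drop built-in account noise
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Pair a 4672 line with the 4624 line that has the same user and timestamp to see which logons were granted administrative privileges.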