PowerView

Setup

  • Download PowerSploit and/or Recon folder/module here:

    • https://github.com/PowerShellMafia/PowerSploit/tree/dev

    • Copy to Folder Path: C:\Windows\System32\WindowsPowerShell\v1.0\Modules

  • Add the folders as Windows Defender exclusions or disable Windows Defender

  • Set unrestricted PowerShell execution policy:

    Set-ExecutionPolicy -ExecutionPolicy Unrestricted

  • Import PowerSploit and/or Recon module:

    Import-Module Recon

Domain Info

Display Current Domain

Get-NetDomain
 Get-NetDomain -Domain <DomainName>

Display Verbose Domain Info

Get-ADDomain
 Get-ADDomain -Domain <DomainName>

Get Domain SID

Get-DomainSID

Get Domain Controllers

Get-ADDomainController
Get-NetDomainController
 Get-NetDomainController -Identity <DomainName>

Detailed Domain Info

Get Domain Policy (might be deprecated)

Get-DomainPolicy

Get Domain Shares

Find-DomainShare
 Find-DomainShare -CheckShareAccess

Get GPOs

Get-NetGPO
 Get-NetGPO -ComputerName <Name of the PC>
 Get-NetGPO -GPOname <GUID of GPO>

Display OUs

Get-NetOU

Display ACLs

Get-ObjectAcl -SamAccountName <Account Name> -ResolveGUIDs

Find Interesting Access Control Entries

Invoke-ACLScanner -ResolveGUIDs

Display ACL of Specified Path

Get-PathAcl -Path "\\Path\Of\A\Share"

Display Domains of Forest

Get-NetForestDomain

Display Domain Trust (may be deprecated)

Get-ADTrust -Filter *
 Get-ADTrust -Identity <DomainName>

Display Local AppLocker Effective Policy

Get-AppLockerPolicy -Effective

Computer Info

Display Domain Computers

Get-ADComputer -Filter * -Properties *

More Detailed Info on All Computers

Get-NetComputer

User Info

Get User Info

Get-NetUser
 Get-NetUser -SamAccountName <user>
 Get-NetUser | select cn

Get Logged on User Info

Get-NetLoggedon -ComputerName <ComputerName>

Get Session Info for Machine

Get-NetSession -ComputerName <ComputerName>

Get Machines Where Current User is Logged In

Find-DomainUserLocation

Get Detailed User Info

Get-ADUser -Properties * -Filter *

Group Info

Get Members of a Specified Group

Get-DomainGroup -Identity <GroupName> | Select-Object -ExpandProperty Member

Display All Groups

Get-NetGroup

Display Detailed Info on All Groups

Get-ADGroup -Properties * -Filter *

User Hunting

Find all Machines Where Current User is Local Admin

Find-LocalAdminAccess -Verbose

Find Local Admins on Machines

Invoke-EnumerateLocalAdmin -Verbose

Find Machines Where Domain Admin or Specified User Has Session

Invoke-UserHunter
 Invoke-UserHunter -GroupName <GroupName>
 Invoke-UserHunter -CheckAccess
 Invoke-UserHunter -Stealth

Loot Hunting

Use a domain account to list every file name on accessible network shares (results are appended to files.txt)

   Invoke-ShareFinderThreaded -ExcludedShares IPC$,PRINT$,ADMIN$ |
   select-string '^(.*) \t-' | %{dir -recurse $_.Matches[0].Groups[1] |
   select fullname | out-file -append files.txt}
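
On the defensive side, every cmdlet listed on this page is a plain-text name that shows up in PowerShell script block logging (Event ID 4104) once it is enabled. The following is an added example, not part of the original cheat sheet: it assumes input objects with TimeCreated, Computer and ScriptBlockText properties (for real 4104 records, pull ScriptBlockText out of the event XML first), and the sample entries are constructed.

```powershell
# Added example (not from the original cheat sheet): flag PowerView enumeration
# cmdlets in script block logs. Cmdlet list taken from this page; sample entries constructed.

$PowerViewCmdlets = @(
    'Get-NetDomain', 'Get-DomainSID', 'Get-NetDomainController', 'Find-DomainShare',
    'Get-NetGPO', 'Get-NetOU', 'Get-ObjectAcl', 'Invoke-ACLScanner', 'Get-PathAcl',
    'Get-NetForestDomain', 'Get-NetComputer', 'Get-NetUser', 'Get-NetLoggedon',
    'Get-NetSession', 'Find-DomainUserLocation', 'Get-DomainGroup', 'Get-NetGroup',
    'Find-LocalAdminAccess', 'Invoke-EnumerateLocalAdmin', 'Invoke-UserHunter',
    'Invoke-ShareFinderThreaded'
)

function Find-PowerViewActivity {
    param(
        # Objects with TimeCreated, Computer and ScriptBlockText properties (assumed shape)
        [Parameter(Mandatory)] [object[]] $ScriptBlocks
    )
    $escaped = $PowerViewCmdlets | ForEach-Object { [regex]::Escape($_) }
    $pattern = '\b(' + ($escaped -join '|') + ')\b'
    foreach ($sb in $ScriptBlocks) {
        $hits = @([regex]::Matches($sb.ScriptBlockText, $pattern, 'IgnoreCase') |
            ForEach-Object { $_.Value } | Sort-Object -Unique)
        if ($hits.Count -eq 0) { continue }
        # An explicit Recon import or several enumeration cmdlets in one block
        # is a stronger signal than a single cmdlet name.
        $severity = 'Medium'
        if ($hits.Count -ge 3 -or $sb.ScriptBlockText -match 'Import-Module\s+Recon') {
            $severity = 'High'
        }
        [pscustomobject]@{
            TimeCreated = $sb.TimeCreated
            Computer    = $sb.Computer
            Cmdlets     = ($hits -join ', ')
            Severity    = $severity
        }
    }
}

# Constructed sample entries standing in for 4104 script block events
$sample = @(
    [pscustomobject]@{ TimeCreated = '2024-01-10 09:14:02'; Computer = 'WS01'
                       ScriptBlockText = 'Import-Module Recon; Get-NetDomain; Get-NetUser | select cn' }
    [pscustomobject]@{ TimeCreated = '2024-01-10 09:20:45'; Computer = 'WS02'
                       ScriptBlockText = 'Get-ChildItem C:\Temp -Recurse' }
    [pscustomobject]@{ TimeCreated = '2024-01-10 09:31:17'; Computer = 'WS03'
                       ScriptBlockText = 'Invoke-UserHunter -CheckAccess' }
)

Find-PowerViewActivity -ScriptBlocks $sample | Format-Table -AutoSize
```

With the constructed input, WS01 is reported as High (two PowerView cmdlets plus the Recon import), WS03 as Medium, and WS02 is not reported.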

PowerView Resources

  • https://powersploit.readthedocs.io/en/latest/Recon/

  • https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon

  • https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993

  • https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView

  • http://www.harmj0y.net/blog/tag/powerview/

  • http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/

  • http://www.harmj0y.net/blog/redteaming/powerview-2-0/

  • http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/

  • http://www.slideshare.net/harmj0y/i-have-the-powerview

  • https://adsecurity.org/?p=2535

  • https://www.youtube.com/watch?v=rpwrKhgMd7E

  • PowerView-like program for systems without PowerShell: https://github.com/mubix/netview

  • https://www.hackingarticles.in/active-directory-enumeration-powerview/
