3.3.1 - PowerView

PowerView

PowerView is a versatile PowerShell tool specifically designed for Active Directory reconnaissance. Part of the PowerSploit framework, it allows penetration testers and red teamers to perform in-depth enumeration of AD environments. PowerView provides a comprehensive suite of cmdlets to gather information about users, groups, computers, permissions, trust relationships, and more.

PowerView Usage

  • Start InviShell (using cmd)

    C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
  • Start PowerView (using powershell, if you've run InviShell powershell It's already running)

    . C:\AD\Tools\Powerview.ps1
  • Get Domain Information

    Get-NetDomain

    Retrieves information about the current domain.

  • Enumerate Domain Controllers

    Get-NetDomainController

    Lists all Domain Controllers in the current domain.

  • List Domain Users

    Get-NetUser

    Displays all users in the domain, along with detailed attributes.

  • Find High-Value Targets

    Get-NetUser -AdminCount 1

    Lists all users flagged as administrators.

  • Enumerate Domain Groups

    Get-NetGroup

    Retrieves all domain groups.

    Get-NetGroupMember -GroupName "Domain Admins"

    Lists members of the "Domain Admins" group.

  • Locate Domain Computers

    Get-NetComputer

    Lists all computers in the domain.

  • Analyze Trust Relationships

    Get-NetDomainTrust

    Displays trust relationships between domains.

  • Check ACLs on AD Objects

    Get-ObjectAcl -SamAccountName "Administrator" -ResolveGUIDs

    Shows ACLs for a specific user account, resolving GUIDs to human-readable names.

  • Find Shares on Domain Computers

    Invoke-ShareFinder

    Locates shared folders across domain computers.

  • Identify Delegation Configurations

    Get-NetUser -SPN

    Finds user accounts with Service Principal Names (SPNs), often used in Kerberos-based attacks.


Labs

Last updated