3.3.1 - PowerView

PowerView

PowerView is a versatile PowerShell tool specifically designed for Active Directory reconnaissance. Part of the PowerSploit framework, it allows penetration testers and red teamers to perform in-depth enumeration of AD environments. PowerView provides a comprehensive suite of cmdlets to gather information about users, groups, computers, permissions, trust relationships, and more.

PowerView Usage

• Start InviShell (using cmd)

  C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

• Start PowerView (using powershell, if you've run InviShell powershell It's already running)

  . C:\AD\Tools\Powerview.ps1

• Get Domain Information

  Get-NetDomain

  Retrieves information about the current domain.

• Enumerate Domain Controllers

  Get-NetDomainController

  Lists all Domain Controllers in the current domain.

• List Domain Users

  Get-NetUser

  Displays all users in the domain, along with detailed attributes.

• Find High-Value Targets

  Get-NetUser -AdminCount 1

  Lists all users flagged as administrators.

• Enumerate Domain Groups

  Get-NetGroup

  Retrieves all domain groups.

  Get-NetGroupMember -GroupName "Domain Admins"

  Lists members of the "Domain Admins" group.

• Locate Domain Computers

  Get-NetComputer

  Lists all computers in the domain.

• Analyze Trust Relationships

  Get-NetDomainTrust

  Displays trust relationships between domains.

• Check ACLs on AD Objects

  Get-ObjectAcl -SamAccountName "Administrator" -ResolveGUIDs

  Shows ACLs for a specific user account, resolving GUIDs to human-readable names.

• Find Shares on Domain Computers

  Invoke-ShareFinder

  Locates shared folders across domain computers.

• Identify Delegation Configurations

  Get-NetUser -SPN

  Finds user accounts with Service Principal Names (SPNs), often used in Kerberos-based attacks.

---

Labs

• Domain Enumeration (Video Lab)

• Post-Exploitation Basics THM Lab