3.3.1 - PowerView

PowerView

PowerView is a versatile PowerShell tool specifically designed for Active Directory reconnaissance. Part of the PowerSploit framework, it allows penetration testers and red teamers to perform in-depth enumeration of AD environments. PowerView provides a comprehensive suite of cmdlets to gather information about users, groups, computers, permissions, trust relationships, and more.

PowerView Usage

Get Domain Information
```
Get-NetDomain
```
Retrieves information about the current domain.
Enumerate Domain Controllers
```
Get-NetDomainController
```
Lists all Domain Controllers in the current domain.
List Domain Users
```
Get-NetUser
```
Displays all users in the domain, along with detailed attributes.
Find High-Value Targets
```
Get-NetUser -AdminCount 1
```
Lists all users flagged as administrators.
Enumerate Domain Groups
```
Get-NetGroup
```
Retrieves all domain groups.
```
Get-NetGroupMember -GroupName "Domain Admins"
```
Lists members of the "Domain Admins" group.
Locate Domain Computers
```
Get-NetComputer
```
Lists all computers in the domain.
Analyze Trust Relationships
```
Get-NetDomainTrust
```
Displays trust relationships between domains.
Check ACLs on AD Objects
```
Get-ObjectAcl -SamAccountName "Administrator" -ResolveGUIDs
```
Shows ACLs for a specific user account, resolving GUIDs to human-readable names.
Find Shares on Domain Computers
```
Invoke-ShareFinder
```
Locates shared folders across domain computers.
Identify Delegation Configurations
```
Get-NetUser -SPN
```
Finds user accounts with Service Principal Names (SPNs), often used in Kerberos-based attacks.

Labs

Previous3.3 - Domain Enumeration Next3.3.2 - BloodHound

Last updated 1 month ago