PowerView

PowerView is an enumeration tool written in PowerShell.

Usage

beacon> powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1
beacon> powershell COMMAND # see common commands

Common Commands

• Get-Domain: get information about the domain (e.g. domain name, forest, domain controllers, etc)
• Get-DomainController | select Forest,Name,OSVersion | fl
• Get-ForestDomain: acquire all domains in current forest (or in specific forest given in -Forest option)
• Get-DomainPolicyData: acquire info about default domain policy or DC policy
  • Get-DomainPolicyData | select -expand SystemAccess: acquire Windows password policy
• Get-DomainUser: get all user info (slow!)
  • Get-DomainUser -Identity username -Properties DisplayName, MemberOf | fl: get name and group membership of user
• Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName
• Get-DomainOU -Properties Name | sort -Property Name
• Get-DomainGroup: get a list of all groups in domain
  • Get-DomainGroup | ?{$_.Name -like "*Admins*" | select SamAccountName: get all admin-like groups
• Get-DomainGroupMember -Identity "Domain Admins" | select MemberDistinguishedName
• Get-DomainGPO -Properties DisplayName | sort -Property DisplayName; optionally use -ComputerIdentity to list GPOs applied to a specific machine.
• Get-DomainGPOLocalGroup | select GPODisplayName, GroupName: find GPOs that configure local group memberships through restricted group or GPP; to find where the groups are in the network, find which OU these GPOs apply to, and find computers associated with these OUs.
  • The listed GPOs give the AD group names on the right some kind of local membership on certain computers.
• Get-DomainGPOUserLocalGroupMapping: check if some AD users are also a member of a local group
  • Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl: get all domain users that have local administrator access
• Get-DomainTrust: get all related (e.g. to, from, bidirectional) domain trusts for current domain (or specify one)

What to enumerate

• users, groups (esp. admins), computers
• Windows password policy, logon tries/times (if 0 or low - it’s probably a honeypot, if way too many - sysadmin might wanna check that out)
• SMB shares
• GPOs

Resources

• PowerSploit/PowerView.ps1 at master · PowerShellMafia/PowerSploit · GitHub
• PowerView-3.0 tips and tricks · GitHub