PowerView is an enumeration tool written in PowerShell.

Usage

beacon> powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1
beacon> powershell COMMAND # see common commands

Common Commands

  • Get-Domain: get information about the domain (e.g. domain name, forest, domain controllers, etc.)
  • Get-DomainController | select Forest,Name,OSVersion | fl
  • Get-ForestDomain: list all domains in the current forest (or in the forest given with -Forest)
  • Get-DomainPolicyData: get the default domain policy or the domain controller policy (-Policy Domain / -Policy DC)
  • Get-DomainUser: get all users with all properties (slow in large domains!)
    • Get-DomainUser -Identity username -Properties DisplayName, MemberOf | fl: get the display name and group membership of a user
  • Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName
  • Get-DomainOU -Properties Name | sort -Property Name
  • Get-DomainGroup: get a list of all groups in the domain
    • Get-DomainGroup | ?{$_.Name -like "*Admins*"} | select SamAccountName: get all admin-like groups
  • Get-DomainGroupMember -Identity "Domain Admins" | select MemberDistinguishedName
  • Get-DomainGPO -Properties DisplayName | sort -Property DisplayName; optionally use -ComputerIdentity to list the GPOs applied to a specific machine.
  • Get-DomainGPOLocalGroup | select GPODisplayName, GroupName: find GPOs that configure local group membership through Restricted Groups or Group Policy Preferences; to find where these groups land in the network, find which OUs the GPOs are linked to, then find the computers in those OUs.
    • The listed GPOs give the AD groups named on the right some kind of local group membership on the affected computers.
  • Get-DomainGPOUserLocalGroupMapping: map AD users and groups to the local groups a GPO makes them members of
    • Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl: get all domain users that have local administrator access
  • Get-DomainTrust: get all trusts (inbound, outbound, bidirectional) for the current domain (or the one given with -Domain)
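The GPO -> linked OU -> computer chain described for Get-DomainGPOLocalGroup above, stitched together into a single audit report of where GPO-configured local group membership actually lands. This is an added example, not part of the original cheat sheet; it assumes PowerView.ps1 is already imported and uses only PowerView's own cmdlets and parameters (Get-DomainGPOLocalGroup, Get-DomainOU -GPLink, Get-DomainComputer -SearchBase); the property names read from the returned objects (GPOName, GPODisplayName, GroupName, GPOType, distinguishedname, dnshostname) are assumed from PowerView's object shapes.

```powershell
# Added example (not from the original cheat sheet). Walks GPO -> linked OUs -> computers
# so a defender can review which AD groups a GPO grants local membership on which hosts.
# Assumes PowerView.ps1 has been imported in the current session.

$report = foreach ($mapping in Get-DomainGPOLocalGroup) {
    # GPOName is the policy GUID; -GPLink matches OUs whose gPLink attribute references it
    $ous = Get-DomainOU -GPLink $mapping.GPOName -Properties distinguishedname
    foreach ($ou in $ous) {
        # Computers under the linked OU are the machines where the membership applies
        $computers = Get-DomainComputer -SearchBase "LDAP://$($ou.distinguishedname)" -Properties dnshostname
        foreach ($c in $computers) {
            [pscustomobject]@{
                GPO       = $mapping.GPODisplayName
                GPOType   = $mapping.GPOType    # RestrictedGroups or GroupPolicyPreferences (assumed values)
                GroupName = $mapping.GroupName  # AD group that is granted local membership
                OU        = $ou.distinguishedname
                Computer  = $c.dnshostname
            }
        }
    }
}

# Full mapping, one row per (GPO, group, computer)
$report | Sort-Object GroupName, Computer | Format-Table -AutoSize

# Summary worth reviewing: which AD groups are pushed onto the most hosts
$report | Group-Object GroupName | Sort-Object Count -Descending | Select-Object Name, Count
```

Cross-check the rows against Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators; any AD group that appears in the report on hosts outside its expected OU is a candidate for GPO link cleanup.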

What to enumerate

  • users, groups (esp. admins), computers
  • Windows password policy, lockout threshold and logon counts (if 0 or very low, it’s probably a honeypot account; if far too many, a sysadmin might wanna check that out)
  • SMB shares
  • GPOs

Resources