PowerView is an enumeration tool written in PowerShell.
Usage
Common Commands
Get-Domain
: get information about the domain (e.g. domain name, forest, domain controllers, etc)
Get-DomainController | select Forest,Name,OSVersion | fl
Get-ForestDomain
: acquire all domains in current forest (or in specific forest given in -Forest option)
Get-DomainPolicyData
: acquire info about default domain policy or DC policy
Get-DomainPolicyData | select -expand SystemAccess
: acquire Windows password policy
Get-DomainUser
: get all user info (slow!)
Get-DomainUser -Identity username -Properties DisplayName, MemberOf | fl
: get name and group membership of user
Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName
Get-DomainOU -Properties Name | sort -Property Name
Get-DomainGroup
: get a list of all groups in domain
Get-DomainGroup | ?{$_.Name -like "*Admins*"} | select SamAccountName
: get all admin-like groups
Get-DomainGroupMember -Identity "Domain Admins" | select MemberDistinguishedName
Get-DomainGPO -Properties DisplayName | sort -Property DisplayName
: optionally use -ComputerIdentity to list GPOs applied to a specific machine.
Get-DomainGPOLocalGroup | select GPODisplayName, GroupName
: find GPOs that configure local group memberships through restricted group or GPP; to find where the groups are in the network, find which OU these GPOs apply to, and find computers associated with these OUs.
- The listed GPOs give the AD group names on the right some kind of local membership on certain computers.
Get-DomainGPOUserLocalGroupMapping
: check if some AD users are also a member of a local group
Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl
: get all domain users that have local administrator access
Get-DomainTrust
: get all related (e.g. to, from, bidirectional) domain trusts for current domain (or specify one)
What to enumerate
- users, groups (esp. admins), computers
- Windows password policy, logon tries/times (if 0 or low - it’s probably a honeypot, if way too many - sysadmin might wanna check that out)
- SMB shares
- GPOs
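An added example, not from this page or from PowerView itself: a check over the SystemAccess block that Get-DomainPolicyData exposes (assumed to be a hashtable of GptTmpl.inf keys with string values), flagging the password and lockout settings a sysadmin would want to revisit. The thresholds and the sample data are constructed for illustration.

```powershell
# Added example (not PowerView code): score a SystemAccess block against
# minimum thresholds. Threshold values are illustrative assumptions.
function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] $SystemAccess,   # hashtable of GptTmpl.inf keys (assumed shape)
        [int]$MinLength = 14,
        [int]$MaxLockoutBadCount = 10,
        [int]$MaxPasswordAgeDays = 365
    )
    # GptTmpl.inf values arrive as strings, so cast before comparing.
    # A missing key casts to 0, so absent settings are treated as "0".
    $len     = [int]$SystemAccess['MinimumPasswordLength']
    $lockout = [int]$SystemAccess['LockoutBadCount']
    $maxAge  = [int]$SystemAccess['MaximumPasswordAge']
    $complex = [int]$SystemAccess['PasswordComplexity']
    $clear   = [int]$SystemAccess['ClearTextPassword']

    $findings = New-Object System.Collections.Generic.List[string]
    if ($len -lt $MinLength) {
        $findings.Add("MinimumPasswordLength=$len (expected >= $MinLength)")
    }
    if ($lockout -eq 0) {
        $findings.Add("LockoutBadCount=0: accounts never lock out")
    } elseif ($lockout -gt $MaxLockoutBadCount) {
        $findings.Add("LockoutBadCount=$lockout (expected <= $MaxLockoutBadCount)")
    }
    # In GptTmpl.inf a MaximumPasswordAge of -1 means passwords never expire.
    if ($maxAge -eq -1 -or $maxAge -gt $MaxPasswordAgeDays) {
        $findings.Add("MaximumPasswordAge=$maxAge (expected 1..$MaxPasswordAgeDays)")
    }
    if ($complex -ne 1) { $findings.Add("PasswordComplexity disabled") }
    if ($clear -eq 1)   { $findings.Add("ClearTextPassword=1: reversible encryption enabled") }
    return $findings
}

# Constructed sample shaped like `Get-DomainPolicyData | select -expand SystemAccess`.
$sample = @{
    MinimumPasswordAge    = '1'
    MaximumPasswordAge    = '42'
    MinimumPasswordLength = '7'
    PasswordComplexity    = '1'
    PasswordHistorySize   = '24'
    LockoutBadCount       = '0'
    ClearTextPassword     = '0'
}
Test-PasswordPolicy -SystemAccess $sample
# Against a live domain with PowerView loaded:
# Test-PasswordPolicy -SystemAccess (Get-DomainPolicyData).SystemAccess
```

With the constructed sample the function reports two findings: the 7-character minimum length and the absent lockout threshold.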