Skip to content

Powerview.ps1

Run from powershell.

Download from PowerSploit Github repo: https://github.com/ZeroDayLab/PowerSploit.

1
cd c:\ ; Import-Module .\Powerview.ps1 -Verbose

Enumeration cheat sheet

Module: ActiveDirectory

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
########################
# Domain/LDAP Functions
########################

# Returns the AD object for the current (or specified) domain
Get-Domain  

# Return a list of the Domain Controllers for the specified domain
Get-DomainController    

# Returns all users or specific user objects in AD
Get-DomainUser  
# Example: 
# Get-DomainUser -Identity $username -Domain $domain | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol

# Checks for users with the SPN attribute set
Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName

# Returns all computers or specific computer objects in AD
Get-DomainComputer  

# Returns all groups or specific group objects in AD
Get-DomainGroup 

# Searches for all or specific OU objects in AD
Get-DomainOU

# Finds object ACLs in the domain with modification rights set to non-built in objects
Find-InterestingDomainAcl   

# Returns the members of a specific domain group
Get-DomainGroupMember   
# Example: 
# Get-DomainGroupMember -Identity "Domain Admins" -Recurse
# Adding the -Recurse switch tells PowerView that if it finds any groups that are part of the target group (nested group membership) 

# Returns a list of servers likely functioning as file servers
Get-DomainFileServer    

# Returns a list of all distributed file systems for the current (or specified) domain
Get-DomainDFSShare  


########################
# GPO Functions
########################
# Returns all GPOs or specific GPO objects in AD
Get-DomainGPO   

# Returns the default domain policy or the domain controller policy for the current domain
Get-DomainPolicy    


########################
# Computer Enumeration Functions
########################
# Enumerates local groups on the local or a remote machine
Get-NetLocalGroup

# Enumerates members of a specific local group
Get-NetLocalGroupMember 

# Returns open shares on the local (or a remote) machine
Get-NetShare    

# Returns session information for the local (or a remote) machine
Get-NetSession  

# Tests if the current user has administrative access to the local (or a remote) machine
Test-AdminAccess    
# Example: 
# Test-AdminAccess -ComputerName ACADEMY-EA-MS01


########################
# Threaded 'Meta'-Functions:
########################
# Finds machines where specific users are logged in
Find-DomainUserLocation 

# Finds reachable shares on domain machines
Find-DomainShare    

# Searches for files matching specific criteria on readable shares in the domain
Find-InterestingDomainShareFile 

# Finds machines on the local domain where the current user has local administrator access
Find-LocalAdminAccess   


########################
# Domain Trust Functions:
########################
# Returns domain trusts for the current domain or a specified domain
Get-DomainTrust 

# Returns all forest trusts for the current forest or a specified forest
Get-ForestTrust 

# Enumerates users who are in groups outside of the user's domain
Get-DomainForeignUser   

# Enumerates groups with users outside of the group's domain and returns each foreign member
Get-DomainForeignGroupMember    

# Enumerates all trusts for the current domain and any others seen.
Get-DomainTrustMapping  

1
2
3
4
5
6
7
8
# Gets the ID for the current Domain (useful later for crafting Golden tickets)
Get-DomainID

# Displays policies for the Domain and accounts, including for instance LockoutBadAccounts
Get-DomainPolicy

# Requests the Kerberos ticket for a specified Service Principal Name (SPN) account
Get-DomainSPNTicket

Module: NetShare (or related networking modules)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
# Enumerates users
Get-NetUser

# Enumerates computers in the domain
Get-NetComputer 
Get-NetComputer | select name
Get-NetComputer -OperatingSystem "Linux"

# Displays info of current domain. Pay attention to the element forest, to see if there is a bigger structure
Get-NetDomain

# Gets the ID for the current Domain (useful later for crafting Golden tickets)
Get-DomainID

# Displays policies for the Domain and accounts, including for instance LockoutBadAccounts
Get-DomainPolicy

# Displays Domain controller
Get-NetDomainController

# Lists users in the domain. Useful to search for non expiring passwords, groups belonging, what's their SPN, last time they changed their password... 
Get Net-User
Get Net-User john.doe

# Lists users associated to an Service Principal Name (SPN) 
Get Net-User -SPN

# Lists groups in the domain
Get-NetGroup

# Lists Group Policy Objects in domain
Get-NetGPO

# Lists Domain Trusts
Get-NetDomainTrust


# Requests the Kerberos ticket for a specified Service Principal Name (SPN) account
Get-DomainSPNTicket
Last update: 2025-01-02
Created: May 9, 2023 17:16:52