## Overview

PowerView is a PowerShell tool for enumerating Active Directory domains. The script can be downloaded from https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1.

Before running it, you need to start a PowerShell session that bypasses the execution policy (the execution policy is a safety rail against running scripts by accident, not a security boundary):

```powershell
powershell -ep bypass
```
![[res/powershell-ep-bypass.png]]
Load the script by dot-sourcing it into the current session:

```powershell
. .\PowerView.ps1
```
Normally you would be running these commands through some sort of remote shell, but for the sake of simplicity I will show them all run locally.

## Get Domain Information

```powershell
Get-NetDomain
```
![[res/getnetdomain.png]]
## Get Domain Controller Information

```powershell
Get-NetDomainController
```
![[res/getnetdomaincontroller.png]]
## Retrieve Domain Policy Information

```powershell
Get-DomainPolicy
```
![[res/getdomainpolicy.png]]
You can also get the settings of a specific policy section (for example the password and lockout settings under `SystemAccess`) with the following syntax:

```powershell
(Get-DomainPolicy)."policy name"
```
![[res/getsystemaccessdomainpolicy.png]]
## Get Users Information

```powershell
Get-NetUser
```

The output of this command is rather messy, since it dumps every attribute of every user, but you can pull specific properties with the following syntax:

```powershell
Get-NetUser | select <property>
```
![[res/getnetusersamaccname.png]]
However, there is an even better way to do that.
## Get User Property Information

Get specific properties of all users:

```powershell
Get-DomainUser -Properties <property1>,<property2>,...
```

It is useful to always have `samaccountname` as the first property selected, so that you can easily match the returned properties with specific users.
![[res/getdomainuserproperty.png]]
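The two techniques above (reading a section of the domain policy and selecting user properties with `samaccountname` first) can be combined into a small hygiene check. The following is an added example, not part of the original notes or of PowerView itself; it assumes PowerView.ps1 is already dot-sourced, that `Get-DomainPolicy` exposes a `SystemAccess` section as in the screenshot above, and the baseline thresholds are my own assumptions.

```powershell
# Added example: audit wrapper around the PowerView cmdlets shown in these notes.
# Assumes PowerView.ps1 is dot-sourced and that (Get-DomainPolicy).SystemAccess
# holds the password/lockout settings of the Default Domain Policy.
function Get-DomainHygieneReport {
    [CmdletBinding()]
    param(
        [int]$MinPasswordLength = 14,   # assumed baseline, adjust to your own policy
        [int]$MaxLockoutBadCount = 10   # assumed baseline
    )

    # 1. Password and lockout settings from the SystemAccess section of the policy
    $sys = (Get-DomainPolicy).SystemAccess
    $findings = @()
    if ([int]$sys.MinimumPasswordLength -lt $MinPasswordLength) {
        $findings += "MinimumPasswordLength is $($sys.MinimumPasswordLength) (baseline $MinPasswordLength)"
    }
    if ([int]$sys.LockoutBadCount -eq 0 -or [int]$sys.LockoutBadCount -gt $MaxLockoutBadCount) {
        $findings += "LockoutBadCount is $($sys.LockoutBadCount) (baseline 1-$MaxLockoutBadCount)"
    }

    # 2. Accounts protected by AdminSDHolder (admincount=1), samaccountname first
    #    so that every row can be matched back to a user, as the notes recommend.
    $privileged = Get-DomainUser -Properties samaccountname,admincount,description,pwdlastset |
        Where-Object { $_.admincount -eq 1 }

    # 3. Privileged accounts whose password has not been changed in over a year
    #    (PowerView returns pwdlastset as a DateTime).
    $stale = $privileged | Where-Object {
        $_.pwdlastset -and $_.pwdlastset -lt (Get-Date).AddYears(-1)
    }

    [PSCustomObject]@{
        PolicyFindings          = $findings
        PrivilegedAccountCount  = @($privileged).Count
        StalePrivilegedAccounts = @($stale | Select-Object -ExpandProperty samaccountname)
    }
}

# Usage, on a domain-joined host after `. .\PowerView.ps1`:
# Get-DomainHygieneReport | Format-List
```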
## Get Domain Machines

```powershell
Get-DomainComputer | select samaccountname, operatingsystem
```
![[res/getdomaincomputers.png]]
## Get Groups

```powershell
Get-NetGroup | select samaccountname, admincount, description
```
![[res/getdomaingroups.png]]
## Get Group Policy Information

```powershell
Get-NetGPO | select <property1>,<property2>,...
```
![[res/getnetgpo.png]]