# Powerview {% tabs %} {% tab title="Windows" %} Though the below gives a good representation of the commands that usually come in most useful for me, this only scratches the surface of what PowerView can do. [PowerView ](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1)is available here. ```powershell # Get all users in the current domain Get-DomainUser | select -ExpandProperty cn # Get all computers in the current domain Get-DomainComputer # Get all domains in current forest Get-ForestDomain # Get domain/forest trusts Get-DomainTrust Get-ForestTrust # Get information for the DA group Get-DomainGroup "Domain Admins" # Find members of the DA group Get-DomainGroupMember "Domain Admins" | select -ExpandProperty membername # Find interesting shares in the domain, ignore default shares, and check access Find-DomainShare -ExcludeStandard -ExcludePrint -ExcludeIPC -CheckShareAccess # Get OUs for current domain Get-DomainOU -FullData # Get computers in an OU # %{} is a looping statement Get-DomainOU -name Servers | %{ Get-DomainComputer -SearchBase $_.distinguishedname } | select dnshostname # Get GPOs applied to a specific OU Get-DomainOU *WS* | select gplink Get-DomainGPO -Name "{3E04167E-C2B6-4A9A-8FB7-C811158DC97C}" # Get Restricted Groups set via GPOs, look for interesting group memberships forced via domain Get-DomainGPOLocalGroup -ResolveMembersToSIDs | select GPODisplayName, GroupName, GroupMemberOf, GroupMembers # Get the computers where users are part of a local group through a GPO restricted group Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName # Find principals that can create new GPOs in the domain Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=targetdomain,DC=com" -ResolveGUIDs | ?{ $_.ObjectAceType -eq "Group-Policy-Container" } | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier # Find principals that can link GPOs to OUs Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "WriteProperty" } | select ObjectDN, SecurityIdentifier # Get incoming ACL for a specific object Get-DomainObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | Select IdentityReference,ActiveDirectoryRights # Find interesting ACLs for the entire domain, show in a readable (left-to-right) format Find-InterestingDomainAcl | select identityreferencename,activedirectoryrights,acetype,objectdn | ?{$_.IdentityReferenceName -NotContains "DnsAdmins"} | ft # Get interesting outgoing ACLs for a specific user or group # ?{} is a filter statement Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReference -match "Domain Admins"} | select ObjectDN,ActiveDirectoryRights ```
{% endtab %} {% tab title="UNIX" %} [Pywerview](https://github.com/the-useless-one/pywerview): rewrite of PowerView's functionalities in Python, using the [impacket](https://github.com/SecureAuthCorp/impacket) library. ``` $ pywerview.py --help usage: pywerview.py [-h] {get-adobject,get-adserviceaccount,get-objectacl,get-netuser,get-netgroup,get-netcomputer,get-netdomaincontroller,get-netfileserver,get-dfsshare,get-netou,get-netsite,get-netsubnet,get-netdomaintrust,get-netgpo,get-netpso,get-domainpolicy,get-gpttmpl,get-netgpogroup,find-gpocomputeradmin,find-gpolocation,get-netgroupmember,get-netsession,get-localdisks,get-netdomain,get-netshare,get-netloggedon,get-netlocalgroup,invoke-checklocaladminaccess,get-netprocess,get-userevent,invoke-userhunter,invoke-processhunter,invoke-eventhunter} ... Rewriting of some PowerView's functionalities in Python optional arguments: -h, --help show this help message and exit Subcommands: Available subcommands {get-adobject,get-adserviceaccount,get-objectacl,get-netuser,get-netgroup,get-netcomputer,get-netdomaincontroller,get-netfileserver,get-dfsshare,get-netou,get-netsite,get-netsubnet,get-netdomaintrust,get-netgpo,get-netpso,get-domainpolicy,get-gpttmpl,get-netgpogroup,find-gpocomputeradmin,find-gpolocation,get-netgroupmember,get-netsession,get-localdisks,get-netdomain,get-netshare,get-netloggedon,get-netlocalgroup,invoke-checklocaladminaccess,get-netprocess,get-userevent,invoke-userhunter,invoke-processhunter,invoke-eventhunter} get-adobject Takes a domain SID, samAccountName or name, and return the associated object get-adserviceaccount Returns a list of all the gMSA of the specified domain. To retrieve passwords, you need a privileged account and a TLS connection to the LDAP server (use the --tls switch). get-objectacl Takes a domain SID, samAccountName or name, and return the ACL of the associated object get-netuser Queries information about a domain user get-netgroup Get a list of all current domain groups, or a list of groups a domain user is member of get-netcomputer Queries informations about domain computers get-netdomaincontroller Get a list of domain controllers for the given domain get-netfileserver Return a list of file servers, extracted from the domain users' homeDirectory, scriptPath, and profilePath fields get-dfsshare Return a list of all fault tolerant distributed file systems for a given domain get-netou Get a list of all current OUs in the domain get-netsite Get a list of all current sites in the domain get-netsubnet Get a list of all current subnets in the domain get-netdomaintrust Returns a list of all the trusts of the specified domain get-netgpo Get a list of all current GPOs in the domain get-netpso Get a list of all current PSOs in the domain get-domainpolicy Returns the default domain or DC policy for the queried domain or DC get-gpttmpl Helper to parse a GptTmpl.inf policy file path into a custom object get-netgpogroup Parses all GPOs in the domain that set "Restricted Group" or "Groups.xml" find-gpocomputeradmin Takes a computer (or OU) and determine who has administrative access to it via GPO find-gpolocation Takes a username or a group name and determine the computers it has administrative access to via GPO get-netgroupmember Return a list of members of a domain group get-netsession Queries a host to return a list of active sessions on the host (you can use local credentials instead of domain credentials) get-localdisks Queries a host to return a list of active disks on the host (you can use local credentials instead of domain credentials) get-netdomain Queries a host for available domains get-netshare Queries a host to return a list of available shares on the host (you can use local credentials instead of domain credentials) get-netloggedon This function will execute the NetWkstaUserEnum RPC call to query a given host for actively logged on users get-netlocalgroup Gets a list of members of a local group on a machine, or returns every local group. You can use local credentials instead of domain credentials, however, domain credentials are needed to resolve domain SIDs. invoke-checklocaladminaccess Checks if the given user has local admin access on the given host get-netprocess This function will execute the 'Select * from Win32_Process' WMI query to a given host for a list of executed process get-userevent This function will execute the 'SELECT * from Win32_NTLogEvent' WMI query to a given host for a list of executed process invoke-userhunter Finds which machines domain users are logged into invoke-processhunter Searches machines for processes with specific name, or ran by specific users invoke-eventhunter Searches machines for events with specific name, or ran by specific users ``` {% endtab %} {% endtabs %}