Powerview
AD Enumeration With PowerView/Pywerview
Last updated
Was this helpful?
AD Enumeration With PowerView/Pywerview
Last updated
Was this helpful?
Though the below gives a good representation of the commands that usually come in most useful for me, this only scratches the surface of what PowerView can do. is available here.
# Get all users in the current domain
Get-DomainUser | select -ExpandProperty cn
# Get all computers in the current domain
Get-DomainComputer
# Get all domains in current forest
Get-ForestDomain
# Get domain/forest trusts
Get-DomainTrust
Get-ForestTrust
# Get information for the DA group
Get-DomainGroup "Domain Admins"
# Find members of the DA group
Get-DomainGroupMember "Domain Admins" | select -ExpandProperty membername
# Find interesting shares in the domain, ignore default shares, and check access
Find-DomainShare -ExcludeStandard -ExcludePrint -ExcludeIPC -CheckShareAccess
# Get OUs for current domain
Get-DomainOU -FullData
# Get computers in an OU
# %{} is a looping statement
Get-DomainOU -name Servers | %{ Get-DomainComputer -SearchBase $_.distinguishedname } | select dnshostname
# Get GPOs applied to a specific OU
Get-DomainOU *WS* | select gplink
Get-DomainGPO -Name "{3E04167E-C2B6-4A9A-8FB7-C811158DC97C}"
# Get Restricted Groups set via GPOs, look for interesting group memberships forced via domain
Get-DomainGPOLocalGroup -ResolveMembersToSIDs | select GPODisplayName, GroupName, GroupMemberOf, GroupMembers
# Get the computers where users are part of a local group through a GPO restricted group
Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName
# Find principals that can create new GPOs in the domain
Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=targetdomain,DC=com" -ResolveGUIDs | ?{ $_.ObjectAceType -eq "Group-Policy-Container" } | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier
# Find principals that can link GPOs to OUs
Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "WriteProperty" } | select ObjectDN, SecurityIdentifier
# Get incoming ACL for a specific object
Get-DomainObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs | Select IdentityReference,ActiveDirectoryRights
# Find interesting ACLs for the entire domain, show in a readable (left-to-right) format
Find-InterestingDomainAcl | select identityreferencename,activedirectoryrights,acetype,objectdn | ?{$_.IdentityReferenceName -NotContains "DnsAdmins"} | ft
# Get interesting outgoing ACLs for a specific user or group
# ?{} is a filter statement
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReference -match "Domain Admins"} | select ObjectDN,ActiveDirectoryRights
$ pywerview.py --help
usage: pywerview.py [-h]
{get-adobject,get-adserviceaccount,get-objectacl,get-netuser,get-netgroup,get-netcomputer,get-netdomaincontroller,get-netfileserver,get-dfsshare,get-netou,get-netsite,get-netsubnet,get-netdomaintrust,get-netgpo,get-netpso,get-domainpolicy,get-gpttmpl,get-netgpogroup,find-gpocomputeradmin,find-gpolocation,get-netgroupmember,get-netsession,get-localdisks,get-netdomain,get-netshare,get-netloggedon,get-netlocalgroup,invoke-checklocaladminaccess,get-netprocess,get-userevent,invoke-userhunter,invoke-processhunter,invoke-eventhunter}
...
Rewriting of some PowerView's functionalities in Python
optional arguments:
-h, --help show this help message and exit
Subcommands:
Available subcommands
{get-adobject,get-adserviceaccount,get-objectacl,get-netuser,get-netgroup,get-netcomputer,get-netdomaincontroller,get-netfileserver,get-dfsshare,get-netou,get-netsite,get-netsubnet,get-netdomaintrust,get-netgpo,get-netpso,get-domainpolicy,get-gpttmpl,get-netgpogroup,find-gpocomputeradmin,find-gpolocation,get-netgroupmember,get-netsession,get-localdisks,get-netdomain,get-netshare,get-netloggedon,get-netlocalgroup,invoke-checklocaladminaccess,get-netprocess,get-userevent,invoke-userhunter,invoke-processhunter,invoke-eventhunter}
get-adobject Takes a domain SID, samAccountName or name, and return the associated object
get-adserviceaccount
Returns a list of all the gMSA of the specified domain. To retrieve passwords,
you need a privileged account and a TLS connection to the LDAP server (use the
--tls switch).
get-objectacl Takes a domain SID, samAccountName or name, and return the ACL of the
associated object
get-netuser Queries information about a domain user
get-netgroup Get a list of all current domain groups, or a list of groups a domain user is
member of
get-netcomputer Queries informations about domain computers
get-netdomaincontroller
Get a list of domain controllers for the given domain
get-netfileserver Return a list of file servers, extracted from the domain users' homeDirectory,
scriptPath, and profilePath fields
get-dfsshare Return a list of all fault tolerant distributed file systems for a given domain
get-netou Get a list of all current OUs in the domain
get-netsite Get a list of all current sites in the domain
get-netsubnet Get a list of all current subnets in the domain
get-netdomaintrust Returns a list of all the trusts of the specified domain
get-netgpo Get a list of all current GPOs in the domain
get-netpso Get a list of all current PSOs in the domain
get-domainpolicy Returns the default domain or DC policy for the queried domain or DC
get-gpttmpl Helper to parse a GptTmpl.inf policy file path into a custom object
get-netgpogroup Parses all GPOs in the domain that set "Restricted Group" or "Groups.xml"
find-gpocomputeradmin
Takes a computer (or OU) and determine who has administrative access to it via
GPO
find-gpolocation Takes a username or a group name and determine the computers it has
administrative access to via GPO
get-netgroupmember Return a list of members of a domain group
get-netsession Queries a host to return a list of active sessions on the host (you can use
local credentials instead of domain credentials)
get-localdisks Queries a host to return a list of active disks on the host (you can use local
credentials instead of domain credentials)
get-netdomain Queries a host for available domains
get-netshare Queries a host to return a list of available shares on the host (you can use
local credentials instead of domain credentials)
get-netloggedon This function will execute the NetWkstaUserEnum RPC call to query a given host
for actively logged on users
get-netlocalgroup Gets a list of members of a local group on a machine, or returns every local
group. You can use local credentials instead of domain credentials, however,
domain credentials are needed to resolve domain SIDs.
invoke-checklocaladminaccess
Checks if the given user has local admin access on the given host
get-netprocess This function will execute the 'Select * from Win32_Process' WMI query to a
given host for a list of executed process
get-userevent This function will execute the 'SELECT * from Win32_NTLogEvent' WMI query to a
given host for a list of executed process
invoke-userhunter Finds which machines domain users are logged into
invoke-processhunter
Searches machines for processes with specific name, or ran by specific users
invoke-eventhunter Searches machines for events with specific name, or ran by specific users: rewrite of PowerView's functionalities in Python, using the library.