Overview
PowerView is a PowerShell tool for enumerating Windows Active Directory domains. It is part of the PowerSploit Recon module, and the script can be downloaded from https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1. The version on that branch uses Get-Domain* function names and keeps the older Get-Net* names as aliases, which is why both forms appear below.
Before running it, start a PowerShell session with the execution policy set to Bypass. The execution policy is not a security boundary, only a safeguard against accidentally running scripts, so this is enough to let the script load:
powershell -ep bypass
Dot-source the script so its functions are defined in the current session (running it without the leading dot loads nothing):
. .\PowerView.ps1
Note that on a host with an up-to-date antivirus or AMSI-enabled PowerShell, loading PowerView as-is is likely to be blocked; evasion is outside the scope of this page. Normally you would run these commands through some sort of shell on a compromised host, but for the sake of simplicity I will show them all run locally.
Get Domain Information
Get-NetDomain
Get Domain Controller Information
Get-NetDomainController
Retrieve Domain Policy Information
Get-DomainPolicy
The command parses the default domain policy's GptTmpl.inf and returns an object keyed by its sections, such as SystemAccess (password length, complexity and lockout settings) and KerberosPolicy (ticket lifetimes). You can pull one section with the following syntax, where "policy name" is one of those section names:
(Get-DomainPolicy)."policy name"
Get Users Information
Get-NetUser
The output of this command is rather messy (every LDAP attribute of every user), but you can pull specific information with the following syntax, where select is the alias for Select-Object:
Get-NetUser | select <property>
However, there is an even better way to do that: Get-NetUser is only an alias for Get-DomainUser, and Get-DomainUser has a -Properties parameter that limits which attributes are requested from the domain controller in the first place, whereas select filters the full objects after they have already been returned. That makes it faster and noticeably less noisy on large domains.
Get User Property Information
Get specific properties of all the users:
Get-DomainUser -Properties <property1>,<property2>,...
It is useful to always have samaccountname as the first property selected, so that you can easily match properties with specific users.
Get Domain Machines
Get-DomainComputer | select samaccountname, operatingsystem
Get Groups
Get-NetGroup | select samaccountname, admincount, description
Get Group Policy Information
Get-NetGPO | select <property1>,<property2>,...
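The commands above are the individual steps of one enumeration pass. The script below is an added example (my own, not part of the original post and not code from PowerView or PowerSploit) that runs them in order and writes each result set to CSV so it can be reviewed offline or pulled back from a foothold. It assumes PowerView.ps1 is in the current directory, that the session is already running under ExecutionPolicy Bypass as a domain user, and that the output folder, file names and the password-policy fields it pulls out of the SystemAccess section (MinimumPasswordLength, PasswordComplexity, LockoutBadCount, LockoutDuration, ResetLockoutCount, the standard GptTmpl.inf keys) are this example's own choices.

```powershell
# Added example: one enumeration pass with PowerView, results to CSV.
# Not from the original post or from PowerView itself.
# Assumes PowerView.ps1 is in the current directory and the session runs
# as a domain user with ExecutionPolicy Bypass. Output location is our choice.
param(
    [string]$OutDir = ".\enum-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
)

# Dot-source PowerView so its functions exist in this scope.
. .\PowerView.ps1

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Domain and domain controllers (DC hostnames, IPs and OS versions).
Get-Domain | Out-File (Join-Path $OutDir 'domain.txt')
Get-DomainController |
    Select-Object Name, IPAddress, OSVersion, Domain, Forest |
    Export-Csv (Join-Path $OutDir 'domain-controllers.csv') -NoTypeInformation

# 2. Password and lockout policy from the SystemAccess section of the
#    default domain policy's GptTmpl.inf. LockoutBadCount of 0 means no
#    lockout threshold, which matters before any password spraying.
$Policy = Get-DomainPolicy
$SystemAccess = $Policy.SystemAccess
if ($SystemAccess) {
    [pscustomobject]@{
        MinimumPasswordLength = $SystemAccess.MinimumPasswordLength
        PasswordComplexity    = $SystemAccess.PasswordComplexity
        LockoutBadCount       = $SystemAccess.LockoutBadCount
        LockoutDuration       = $SystemAccess.LockoutDuration
        ResetLockoutCount     = $SystemAccess.ResetLockoutCount
    } | Export-Csv (Join-Path $OutDir 'password-policy.csv') -NoTypeInformation
}

# 3. Users. -Properties limits the LDAP attributes requested from the DC
#    (cheaper and quieter than select after the fact). samaccountname first
#    so every row is tied to an account; description often leaks notes or
#    even passwords left by administrators.
Get-DomainUser -Properties samaccountname,description,pwdlastset,admincount,useraccountcontrol |
    Export-Csv (Join-Path $OutDir 'users.csv') -NoTypeInformation

# 4. Accounts protected by AdminSDHolder (admincount=1): the likely
#    high-value targets, kept in a separate short list.
Get-DomainUser -AdminCount -Properties samaccountname,description |
    Export-Csv (Join-Path $OutDir 'admincount-users.csv') -NoTypeInformation

# 5. Domain machines with OS details, to spot legacy or unpatched builds.
Get-DomainComputer -Properties samaccountname,dnshostname,operatingsystem,operatingsystemversion |
    Export-Csv (Join-Path $OutDir 'computers.csv') -NoTypeInformation

# 6. Groups with the same admincount/description view used above.
Get-DomainGroup -Properties samaccountname,admincount,description |
    Export-Csv (Join-Path $OutDir 'groups.csv') -NoTypeInformation

# 7. GPOs: name, SYSVOL path (readable by any domain user) and last change.
Get-DomainGPO -Properties displayname,gpcfilesyspath,whenchanged |
    Export-Csv (Join-Path $OutDir 'gpos.csv') -NoTypeInformation

Write-Host "Enumeration written to $OutDir"
Get-ChildItem $OutDir | Select-Object Name, Length
```

Run it from the directory that holds PowerView.ps1; the CSVs open cleanly in Excel or Import-Csv, and every file keeps samaccountname (or the equivalent name field) as its first column so rows from different files can be joined on the account name.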