# PowerView

## Intro

**PowerView** has long been the de-facto tool for domain enumeration. It is part of the PowerSploit project:

{% embed url="<https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1>" %}
PowerView.ps1
{% endembed %}

{% hint style="info" %}
Any standard domain user can run PowerView; a high-privilege account is not needed for most of the queries below (exceptions are noted on the individual headings).
{% endhint %}

## Domain Enumeration

### Import PowerView

```powershell
Import-Module .\PowerView.ps1
```

Or:

```powershell
. .\PowerView.ps1
```

### Get current domain

```powershell
Get-NetDomain
```

### Get the domain object of another domain

```powershell
Get-NetDomain -Domain moneycorp.local
```

### Get domain SID for the current domain

```powershell
Get-DomainSID
```

### Get the domain password policy

```powershell
Get-DomainPolicy

(Get-DomainPolicy)."System Access"

net accounts
```

## Users, Groups and Computers Enumeration

### Get information about the domain controller

```powershell
Get-NetDomainController

Get-NetDomainController | Select-Object Name
```

### Get information about users in the domain

```powershell
Get-NetUser

Get-NetUser -UserName <username>
```

### Get list of all users

```powershell
Get-NetUser | select samaccountname
```

### Get list of usernames, last logon and password last set

```powershell
Get-NetUser | select samaccountname, lastlogon, pwdlastset

Get-NetUser | select samaccountname, lastlogon, pwdlastset | Sort-Object -Property lastlogon
```

### Get list of usernames and their groups

```powershell
Get-NetUser | select samaccountname, memberof
```

### Get a specific property (e.g. pwdlastset) for all users in the current domain

```powershell
Get-UserProperty -Properties pwdlastset
```

### Get the description field of users

```powershell
Find-UserField -SearchField Description -SearchTerm "built"
Get-NetUser | Select-Object samaccountname,description
```

### Get computer information

```powershell
Get-NetComputer

Get-NetComputer -FullData

Get-NetComputer -ComputerName <computername> -FullData
```

### Get computers with operating system "Server 2016"

```powershell
Get-NetComputer -OperatingSystem "*Server 2016*"
```

### Get list of all computer names and operating systems

```powershell
Get-NetComputer -FullData | select samaccountname, operatingsystem, operatingsystemversion
```

### List all groups of the domain

```powershell
Get-NetGroup

Get-NetGroup -GroupName *admin*

Get-NetGroup -Domain <domain>
```

### Get all the members of a group

```powershell
Get-NetGroupMember -GroupName "Domain Admins" -Recurse

Get-NetGroupMember -GroupName "Domain Admins" -Recurse | select MemberName
```

### Get the group membership of a user

```powershell
Get-NetGroup -UserName <username>
```

### List all the local groups on a machine (needs admin privileges on non-DC machines)

```powershell
Get-NetLocalGroup -ComputerName <computername> -ListGroups
```

### Get the members of all the local groups on a machine (needs admin privileges on non-DC machines)

```powershell
Get-NetLocalGroup -ComputerName <computername> -Recurse
```

### Get actively logged-on users on a computer (needs local admin privileges)

```powershell
Get-NetLoggedon -ComputerName <computername>
```

### Get locally logged-on users on a computer (needs remote registry rights on the target)

```powershell
Get-LoggedOnLocal -ComputerName <computername>
```

### Get the last logged-on users on a computer (needs admin rights and remote registry access on the target)

```powershell
Get-LastLoggedOn -ComputerName <computername>
```

## Shares Enumeration

### Find shares on hosts in the current domain

```powershell
Invoke-ShareFinder -Verbose

Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC
```

### Find sensitive files on computers in the domain

```powershell
Invoke-FileFinder -Verbose
```

### Get all fileservers of the domain

```powershell
Get-NetFileServer
```

## GPO Enumeration

### Get the list of GPOs in the current domain

```powershell
Get-NetGPO

Get-NetGPO -ComputerName <computername>
```

### Get GPOs that use Restricted Groups or groups.xml to add interesting users to local groups

```powershell
Get-NetGPOGroup
```

### Get users that are placed in a local group of a machine via GPO

```powershell
Find-GPOComputerAdmin -ComputerName <computername>
```

### Get machines where the given user is a member of a specific local group

```powershell
Find-GPOLocation -Username student244 -Verbose
```

### Get OUs in a domain

```powershell
Get-NetOU -FullData
```

### Get machines that are part of an OU

```powershell
Get-NetOU StudentMachines | %{Get-NetComputer -ADSPath $_}
```

### Get the GPO applied on an OU (use the GUID from the OU's gplink attribute)

```powershell
Get-NetGPO -GPOName "{<gplink>}"
```

## ACL Enumeration

### Get the ACLs associated with the specified object

```powershell
Get-ObjectACL -SamAccountName <accountname> -ResolveGUIDs
```

### Get the ACLs associated with the specified ADS prefix (used as the search base)

```powershell
Get-ObjectACL -ADSprefix 'CN=Administrator,CN=Users' -Verbose
```

### Get the ACLs associated with the specified path

```powershell
Get-PathAcl -Path \\<Domain controller>\sysvol
```

### Search for interesting ACLs

```powershell
Invoke-ACLScanner -ResolveGUIDs

Invoke-ACLScanner -ResolveGUIDs | select IdentityReference, ObjectDN, ActiveDirectoryRights | fl
```

### Search for interesting ACLs that apply to the current user

```powershell
Invoke-ACLScanner | Where-Object {$_.IdentityReference -eq [System.Security.Principal.WindowsIdentity]::GetCurrent().Name}
```

## Domain Trust Enumeration

### Get a list of all the domain trusts for the current domain

```powershell
Get-NetDomainTrust
```

### Get details about the forest

```powershell
Get-NetForest
```

### Get all domains in the forest

```powershell
Get-NetForestDomain

Get-NetForestDomain -Forest <domain name>
```

### Get global catalogs for the current forest

```powershell
Get-NetForestCatalog

Get-NetForestCatalog -Forest <domain name>
```

### Map trusts of a forest

```powershell
Get-NetForestTrust

Get-NetForestTrust -Forest <domain name>

Get-NetForestDomain -Verbose | Get-NetDomainTrust
```

## User Hunting

### Find all machines on the current domain where the current user has local admin access

```powershell
Find-LocalAdminAccess -Verbose
```

### Find local admins on all machines of the domain (needs administrator privileges on non-DC machines)

```powershell
Invoke-EnumerateLocalAdmin -Verbose
```

### Find computers where a domain admin (or a specified user/group) has a session

```powershell
Invoke-UserHunter

Invoke-UserHunter -GroupName "RDPUsers"
```

To confirm admin access:

```powershell
Invoke-UserHunter -CheckAccess
```

### Find computers where a domain admin is logged-in

```powershell
Invoke-UserHunter -Stealth
```

This option queries the DC of the current (or the provided) domain for members of the given group (Domain Admins by default) using `Get-NetGroupMember`, then restricts itself to a list of high-traffic servers (DCs, file servers and distributed file servers) to generate less traffic, and lists sessions and logged-on users (`Get-NetSession` / `Get-NetLoggedon`) on each of those machines.

## Defense

Most of this enumeration blends in well with normal traffic to the DC. Hardening can be applied on the DC (or on other machines) to limit the information the queried machine hands out. Let's have a look at defending against one of the most lethal enumeration techniques: user hunting.

**NetCease** is a script that changes the permissions on the NetSessionEnum method by removing the permission granted to the Authenticated Users group. This breaks much of an attacker's session enumeration and hence their user-hunting capability:

```powershell
.\NetCease.ps1
```

Another interesting script from the same author is **SAMRi10**, which hardens Windows 10 and Server 2016 against enumeration that uses the SAMR protocol (as `net.exe` does).
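The following audit function is an added example and is not code from this note, from NetCease or from SAMRi10. It checks whether a host carries the two hardening settings described above by reading the registry values those scripts change: NetCease rewrites the binary security descriptor stored in `SrvsvcSessionInfo` under `HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity`, and SAMRi10 sets the `RestrictRemoteSAM` SDDL string under `HKLM:\SYSTEM\CurrentControlSet\Control\Lsa`. The function name `Test-SessionEnumHardening` is my own; it assumes it is run locally with rights to read `HKLM` and treats a still-present Allow ACE for Authenticated Users (S-1-5-11) as "not hardened".

```powershell
# Added example: report whether NetCease-style and SAMRi10-style hardening is present on this host.
# Registry locations are the ones those scripts modify; the function name is an assumption of this example.
function Test-SessionEnumHardening {
    [CmdletBinding()]
    param()

    $result = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # NetSessionEnum access is governed by a binary security descriptor (REG_BINARY).
    $srvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
    $raw = (Get-ItemProperty -Path $srvKey -Name SrvsvcSessionInfo -ErrorAction SilentlyContinue).SrvsvcSessionInfo

    if ($null -eq $raw) {
        # No explicit descriptor: the OS default applies, which lets Authenticated Users enumerate sessions.
        $result['NetSessionEnum'] = 'value missing (defaults apply; Authenticated Users can enumerate)'
    } else {
        # Parse the binary form and look for an Allow ACE granted to Authenticated Users.
        $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList @(,[byte[]]$raw), 0
        $authUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
        $allowAce = $sd.DiscretionaryAcl | Where-Object {
            $_.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
            $_.SecurityIdentifier -eq $authUsers
        }
        $result['NetSessionEnum'] = if ($allowAce) {
            'Authenticated Users still allowed (NetCease not applied)'
        } else {
            'Authenticated Users removed (NetCease-style hardening present)'
        }
        # Keep the full ACE list so an analyst can see exactly who may call NetSessionEnum.
        $result['NetSessionEnumAllowed'] = ($sd.DiscretionaryAcl |
            Where-Object { $_.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed } |
            ForEach-Object { $_.SecurityIdentifier.Value }) -join ', '
    }

    # Remote SAM access is governed by an SDDL string; SAMRi10 narrows it to a dedicated group.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $sddl = (Get-ItemProperty -Path $lsaKey -Name RestrictRemoteSAM -ErrorAction SilentlyContinue).RestrictRemoteSAM

    if ([string]::IsNullOrEmpty($sddl)) {
        $result['RemoteSAM'] = 'RestrictRemoteSAM not set (OS default applies)'
    } else {
        # Resolve the SIDs in the SDDL so the output shows principals rather than raw S-1-5-... strings.
        $parsed = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl
        $principals = $parsed.DiscretionaryAcl | ForEach-Object {
            try { $_.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $_.SecurityIdentifier.Value }
        }
        $result['RemoteSAM'] = "RestrictRemoteSAM = $sddl (" + ($principals -join ', ') + ')'
    }

    [pscustomobject]$result
}

# Usage: run on a DC or member server and compare the result across the fleet.
Test-SessionEnumHardening | Format-List
```

Because the check reads the effective registry values rather than looking for the scripts themselves, it also catches hosts where the hardening was applied by a GPO or was later reverted; running it through `Invoke-Command` across a server list gives a quick baseline of which machines still answer session enumeration from any authenticated user.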

