Overview

PowerView is a PowerShell tool for the enumeration of Windows domains. The script can be downloaded from https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1.

Before running, you need to bypass PowerShell's execution policy. The following starts a new PowerShell process with the execution policy set to Bypass, so the unsigned script can be loaded:

powershell -ep bypass

Load the script by dot-sourcing it, so that its functions are defined in the current session:

. .\PowerView.ps1

Normally, you'd be running these commands through some sort of shell, but for the sake of simplicity, I will show them all run locally.

Get Domain Information

Get-NetDomain

Get Domain Controller Information

Get-NetDomainController

Retrieve Domain Policy Information

Get-DomainPolicy

You can also get information about a specific policy with the following syntax:

(Get-DomainPolicy)."policy name"

Get Users Information

Get-NetUser

The output of this command is rather messy, but you can pull specific information with the following syntax:

Get-NetUser | select <property>

However, there is an even better way to do that.

Get User Property Information

Get specific properties of all users:

Get-DomainUser -Properties <property1>,<property2>,...

It is useful to always list samaccountname as the first property, so that each row of output can be matched to a specific user.

Get Domain Machines

Get-DomainComputer | select samaccountname, operatingsystem

Get Groups

Get-NetGroup | select samaccountname, admincount, description

Get Group Policy Information

Get-NetGPO | select <property1>,<property2>,...
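The commands above chained into a single baseline inventory script, added here as an example (it is not part of the original page or of the PowerView project). It assumes PowerView.ps1 is in the current directory, that it runs from a session started with powershell -ep bypass as shown above, and that an output folder named .\inventory may be created; it keeps samaccountname as the first column in every export so each row stays attributable to one account.

```powershell
# Added example: baseline domain inventory built from the PowerView cmdlets above.
# Assumptions: PowerView.ps1 is in the current directory; .\inventory is a writable path.
param(
    [string]$PowerViewPath = '.\PowerView.ps1',   # assumed location of the script
    [string]$OutDir        = '.\inventory'         # assumed output folder
)

. $PowerViewPath
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Domain and domain controller summary (Get-NetDomain / Get-NetDomainController)
$domain = Get-NetDomain
$dcs    = Get-NetDomainController | Select-Object Name, IPAddress, OSVersion
"Domain: $($domain.Name)  Domain controllers: $($dcs.Count)"
$dcs | Format-Table -AutoSize

# Users: samaccountname first so every row can be matched to one account
$users = Get-DomainUser -Properties samaccountname,description,admincount,useraccountcontrol
$users | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'users.csv')

# admincount=1 marks accounts that are (or once were) protected by AdminSDHolder;
# these are the rows to reconcile against the known list of privileged accounts.
$adminFlagged = $users | Where-Object { $_.admincount -eq 1 } |
    Select-Object samaccountname, description
"Users flagged admincount=1: $($adminFlagged.Count)"
$adminFlagged | Format-Table -AutoSize

# Computers: a count per operating system shows where old builds still live
$computers = Get-DomainComputer | Select-Object samaccountname, operatingsystem
$computers | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'computers.csv')
$computers | Group-Object operatingsystem | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Groups: admincount flags privileged groups; descriptions often explain their purpose
$groups = Get-NetGroup | Select-Object samaccountname, admincount, description
$groups | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'groups.csv')
"Groups flagged admincount=1: $(($groups | Where-Object { $_.admincount -eq 1 }).Count)"
```

The three CSV files can be diffed against a previous run to spot new accounts, new privileged group members, or newly joined machines.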

Additional Resources

https://book.hacktricks.xyz/windows/basic-powershell-for-pentesters/powerview