PowerView is a PowerShell tool for enumerating Windows domains over LDAP and the built-in .NET directory APIs. The script can be downloaded from https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1.
Before running it, start a PowerShell session with the execution policy bypassed (the execution policy only stops scripts from running by accident; it is not a security boundary):
powershell -ep bypass
Load the script by dot-sourcing it, so that its functions are defined in the current session rather than in a child scope that disappears when the script ends:
. .\PowerView.ps1
Normally you would be running these commands through some sort of remote shell on a domain-joined host, but for the sake of simplicity I will show them all run locally.
Get the current domain (name, forest, domain controllers and the PDC role owner):
Get-NetDomain
List the domain controllers, with their IP addresses, OS versions and FSMO roles:
Get-NetDomainController
Get the default domain policy, which PowerView reads from the GptTmpl.inf file in SYSVOL and parses into its sections (password, lockout and Kerberos settings among them):
Get-DomainPolicy
You can also pull out a single section of the policy by indexing into the returned object with the section name (the names come from the section headers of GptTmpl.inf, so check what Get-DomainPolicy returns before hard-coding one):
(Get-DomainPolicy)."policy name"
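The three domain-level commands above, chained into the check I actually run before touching any accounts. This is an added example and not code from the original post or from the PowerView project. It assumes PowerView.ps1 has already been dot-sourced in the session, and the section names SystemAccess and KerberosPolicy are an assumption (PowerView strips the spaces from the INI headers "[System Access]" and "[Kerberos Policy]"); the key listing printed first shows the real names if your copy of the script differs.

```powershell
# Added example, not part of the original post: domain, DCs and the
# password/lockout/Kerberos sections of the default domain policy in one pass.
# Assumes PowerView.ps1 is already dot-sourced. The section names SystemAccess
# and KerberosPolicy are an assumption; see the key listing below.

$domain = Get-NetDomain
"Domain: $($domain.Name)   Forest: $($domain.Forest)   PDC: $($domain.PdcRoleOwner)"

# Get-NetDomainController returns one DomainController object per DC
Get-NetDomainController | Select-Object Name, IPAddress, OSVersion, SiteName

$policy = Get-DomainPolicy

# Sections parsed out of GptTmpl.inf; check these before indexing by name
"Policy sections:"
if ($policy -is [hashtable]) { $policy.Keys } else { $policy.PSObject.Properties.Name }

# Password and lockout settings; read these before any password spraying
$sys = $policy.SystemAccess
$lockout = [int]$sys.LockoutBadCount
"MinimumPasswordLength  : $($sys.MinimumPasswordLength)"
"PasswordComplexity     : $($sys.PasswordComplexity)"
"PasswordHistorySize    : $($sys.PasswordHistorySize)"
"LockoutBadCount        : $lockout"
"LockoutDuration (min)  : $($sys.LockoutDuration)"
"ResetLockoutCount (min): $($sys.ResetLockoutCount)"
if ($lockout -eq 0) {
    "No account lockout is configured at the domain level."
} else {
    # Stay at least one attempt below the threshold per observation window
    "Safe spray budget: $($lockout - 1) attempts per user every $($sys.ResetLockoutCount) minutes."
}

# Kerberos lifetimes: MaxTicketAge is in hours, MaxServiceAge and MaxClockSkew in minutes
$krb = $policy.KerberosPolicy
"MaxTicketAge (h)       : $($krb.MaxTicketAge)"
"MaxServiceAge (min)    : $($krb.MaxServiceAge)"
"MaxClockSkew (min)     : $($krb.MaxClockSkew)"
```

The values come back from the INI parser as strings, hence the [int] cast before comparing LockoutBadCount. Keep in mind that this is only the default domain policy: fine-grained password policies applied to specific users or groups override it, so the lockout budget computed here is an upper bound, not a guarantee.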
Get-NetUser
The output of this command is rather messy, since every LDAP attribute of every user object is returned, but you can pull specific fields with the following syntax:
Get-NetUser | select <property>
That still asks the domain controller for every attribute and only drops columns on the client. The better way is to request only the attributes you need, which makes the query smaller, faster and quieter:
Get-DomainUser -Properties <property1>,<property2>,...
Always put samaccountname first in the property list, so that each row of output can be tied back to a specific user.
Get-DomainComputer | select samaccountname, operatingsystem
Get-NetGroup | select samaccountname, admincount, description
Get-NetGPO | select <property1>,<property2>,...
The -Properties parameter works the same way on Get-DomainComputer, Get-DomainGroup and Get-DomainGPO as it does on Get-DomainUser.
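The user, computer, group and GPO enumeration described above, done with -Properties rather than a trailing select, together with the first checks I run over the results. This is an added example, not code from the original post or from PowerView itself. It assumes PowerView.ps1 is dot-sourced; the output folder .\loot is an arbitrary choice for this example.

```powershell
# Added example, not part of the original post: attribute-scoped enumeration of
# users, computers, groups and GPOs, plus the first checks run on the output.
# Assumes PowerView.ps1 is dot-sourced; .\loot is an arbitrary output folder.

$out = ".\loot"
New-Item -ItemType Directory -Path $out -Force | Out-Null

# -Properties limits the LDAP attributes the DC returns, unlike "| select",
# which pulls everything and drops columns on the client.
# samaccountname goes first so every row is attributable to one account.
$users = Get-DomainUser -Properties samaccountname,description,pwdlastset,lastlogon
$users | Export-Csv -NoTypeInformation -Path (Join-Path $out 'users.csv')

# Account descriptions are a classic place for credentials to leak
"--- users with suspicious descriptions ---"
$users | Where-Object { $_.description -match 'pass|pwd|cred' } |
    Select-Object samaccountname, description

# PowerView converts pwdlastset/lastlogon to DateTime, so date math works directly
"--- users whose password is older than one year ---"
$users | Where-Object { $_.pwdlastset -lt (Get-Date).AddYears(-1) } |
    Select-Object samaccountname, pwdlastset

# Computers grouped by OS: unsupported versions surface at a glance
"--- operating systems ---"
Get-DomainComputer -Properties samaccountname,operatingsystem,dnshostname |
    Group-Object operatingsystem | Sort-Object Count -Descending |
    Select-Object Count, Name

# admincount=1 marks groups (and users) protected by AdminSDHolder, i.e. the privileged set
"--- protected groups ---"
Get-NetGroup -Properties samaccountname,admincount,description |
    Where-Object { $_.admincount -eq 1 } |
    Select-Object samaccountname, description

# GPOs with the SYSVOL path their settings are stored under, newest change first
"--- GPOs ---"
Get-NetGPO -Properties displayname,gpcfilesyspath,whenchanged |
    Sort-Object whenchanged -Descending |
    Select-Object displayname, whenchanged, gpcfilesyspath
```

One caveat on admincount: the attribute is set by the SDProp process and is never cleared automatically, so an object that was removed from a protected group keeps admincount=1 until someone resets it. Treat it as a starting list of privileged objects, and confirm current group membership before relying on it.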