# PowerView **PowerView** is a PowerShell toolset for AD enumeration, useful for penetration testing. It helps gather domain info, user/group details, inspect permissions, and identify network shares. Commonly used in Active Directory enumeration. ## Domain Information Retrieves details about the current AD domain (name, domain controller, forest info). ```powershell Get-NetDomain ``` ## Users & Groups Lists all users in the AD domain with usernames and account status. ```powershell Get-NetUser ``` Displays common name, last password set date, and last logon for each user in the domain. ```powershell Get-NetUser | select cn,pwdlastset,lastlogon ``` Lists all groups in the AD domain. ```powershell Get-NetGroup | select cn ``` Retrieves members of a specific group (e.g., Domain Admins). ```powershell Get-NetGroup "" | select -ExpandProperty member ``` Enumerating accounts with Kerberos pre-authentication disabled from inside the network. ```powershell Get-DomainUser -PreauthNotRequired -Verbose ``` ## Computers Retrieves a list of all computers in the domain. ```powershell Get-NetComputer ``` Lists domain computers, showing their operating system and DNS hostname. ```powershell Get-NetComputer | select operatingsystem,dnshostname ``` ## Local Admin Searches for machines where the current user has local administrator access. ```powershell Find-LocalAdminAccess ``` ## SPN Enumerates users with SPNs (Service Principal Names) registered. ```powershell Get-NetUser -SPN | select samaccountname,serviceprincipalname ``` ## AD Objects permissions #### Common Object Permissions: * **`GenericAll`**: Full control and permissions over the object. * **`GenericWrite`**: Allows modification of specific attributes on the object. * **`WriteOwner`**: Grants the ability to change the ownership of an object. * **`WriteDACL`**: Allows modification of the Discretionary Access Control List (ACE's) for the object. * **`AllExtendedRights`**: Grants extended rights like resetting or changing passwords. * **`ForceChangePassword`**: Allows forcing a password change for an object. * **`Self`**: Grants the ability to add oneself to a group or similar actions. **SecurityIdentifier (SID)**: This is the unique identifier for an AD Object which has the permission on the target object. Displays the Access Control List (ACL) for a target AD object. ```powershell Get-ObjectAcl -Identity ``` Filtering the output in order to display the important information. {% code overflow="wrap" %} ```powershell Get-ObjectAcl -Identity "" | select SecurityIdentifier,ActiveDirectoryRights ``` {% endcode %} {% code overflow="wrap" %} ```powershell Get-DomainObjectAcl -ResolveGUIDs -Identity "" | ? {$_.SecurityIdentifier -eq (Convert-NameToSid "")} ``` {% endcode %} Search for interesting ACEs {% code overflow="wrap" %} ```powershell Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match ""} ``` {% endcode %} ## Shares Enumerates shared folders across domain computers. ```powershell Find-DomainShare ``` ## MISC Convert SIDs to Names ```powershell ",,,..." | Convert-SidToName ``` Lists active sessions on a specific machine. ```powershell Get-NetSession -ComputerName ``` ## References {% embed url="" %} PowerView {% endembed %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://dudisamarel.gitbook.io/oscp-notes/windows/enumeration/active-directory/powerview.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.