# PowerView

<https://powersploit.readthedocs.io/en/latest/Recon/>

## Enumerating AD Users

### Gather Domain Information

```powershell
Get-Domain
```

### Gather Domain SID

```powershell
Get-DomainSID
```

### Gather Domain Controllers

```powershell
Get-DomainController
```

### Gather Domain Users

```powershell
Get-DomainUser
```

### Gather User Count

```powershell
(Get-DomainUser).count
```

### Gather Key Attributes of a User

```powershell
Get-DomainUser -Identity harry.jones -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,mail,useraccountcontrol
```

### Gather Users That Do Not Require Kerberos Pre-Authentication (AS-REP Roastable)

```powershell
Get-DomainUser -KerberosPreauthNotRequired -Properties samaccountname,useraccountcontrol,memberof
```

### Gather Users With Kerberos Constrained Delegation

Constrained delegation with protocol transition sets the `TRUSTED_TO_AUTH_FOR_DELEGATION` bit (0x1000000) in `userAccountControl`; the services the account may delegate to are listed in `msDS-AllowedToDelegateTo`.

```powershell
Get-DomainUser -TrustedToAuth -Properties samaccountname,useraccountcontrol,memberof,msds-allowedtodelegateto
```

### Gather Kerberos Unconstrained Delegation

Unconstrained delegation is a different bit, `TRUSTED_FOR_DELEGATION` (0x80000 = 524288). PowerView exposes it as `-Unconstrained` on `Get-DomainComputer`; for user accounts, match the bit with an LDAP bitwise-AND filter.

```powershell
Get-DomainComputer -Unconstrained -Properties dnshostname,useraccountcontrol
Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)" -Properties samaccountname,useraccountcontrol,memberof
```
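The two delegation queries above each show a single flag. As an added example (not from the original page or from PowerView's own documentation), the script below enumerates unconstrained, constrained and resource-based constrained delegation for both users and computers in one pass by reading the `userAccountControl` bits and the delegation attributes directly. It assumes PowerView is imported into the session; the variable names and output layout are this example's own.

```powershell
# Added example, not from the original page. Requires PowerView (Recon module) imported.
# The UAC bit values and attribute names are standard Active Directory.
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
$SERVER_TRUST_ACCOUNT           = 0x2000     # domain controller computer account

$props = 'samaccountname','useraccountcontrol','msds-allowedtodelegateto','msds-allowedtoactonbehalfofotheridentity'
# Both users and computers can carry delegation settings, so query both object classes.
$objects = @(Get-DomainUser -Properties $props) + @(Get-DomainComputer -Properties $props)

$results = foreach ($obj in $objects) {
    $uac = [int]$obj.useraccountcontrol
    # Domain controllers are unconstrained by design; skip them to focus on abusable accounts.
    if ($uac -band $SERVER_TRUST_ACCOUNT) { continue }

    # Where-Object drops a $null value so an absent attribute yields an empty array, not @($null).
    $targets = @($obj.'msds-allowedtodelegateto' | Where-Object { $_ })
    $type = $null
    if ($uac -band $TRUSTED_FOR_DELEGATION) {
        $type = 'Unconstrained'
    }
    elseif ($targets.Count -gt 0) {
        # msDS-AllowedToDelegateTo populated: constrained; the bit decides whether protocol transition is allowed
        $type = if ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) { 'Constrained (any protocol)' } else { 'Constrained (Kerberos only)' }
    }
    if ($type) {
        [pscustomobject]@{ Account = $obj.samaccountname; Delegation = $type; Principals = ($targets -join ';') }
    }

    # RBCD is stored on the *resource* as a security descriptor naming who may delegate to it.
    $rbcd = $obj.'msds-allowedtoactonbehalfofotheridentity'
    if ($rbcd) {
        $sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList @([byte[]]$rbcd, 0)
        $who = foreach ($ace in $sd.DiscretionaryAcl) { Convert-SidToName $ace.SecurityIdentifier.Value }
        [pscustomobject]@{ Account = $obj.samaccountname; Delegation = 'Resource-based constrained'; Principals = ($who -join ';') }
    }
}

$results | Sort-Object Delegation, Account | Format-Table -AutoSize -Wrap
```

For constrained entries the `Principals` column lists the SPNs the account may delegate to; for RBCD it lists the accounts allowed to act on behalf of other identities against that resource, which is the inverse direction and the one usually missed when only `-TrustedToAuth` is checked.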

### Gather Domain (User) Descriptions

```powershell
Get-DomainUser -Properties samaccountname,description | Where {$_.description -ne $null}
```

### Gather Account(s) With SPN

```powershell
Get-DomainUser -SPN -Properties samaccountname,memberof,serviceprincipalname
```

### Gather Password Set Times

```powershell
Get-DomainUser -Properties samaccountname,pwdlastset,lastlogon -Domain InlaneFreight.local | select samaccountname, pwdlastset, lastlogon | Sort-Object -Property pwdlastset
```

## Enumerating AD Groups

### Gather Groups

```powershell
Get-DomainGroup -Properties Name
```

### Gather Members of One Group

```powershell
Get-DomainGroupMember -Identity '<Group name>'
```

### Gather Managed Security Groups (Legacy PowerView)

Returns groups with a `managedBy` owner set, and whether that manager can modify membership.

```powershell
Find-ManagedSecurityGroups | select GroupName
```

### Gather Managed Security Groups (Current PowerView)

```powershell
Get-DomainManagedSecurityGroup
```

### Find a User's Local Group Memberships Across Domain Computers

```powershell
# resolve the target user to a SID, then check every domain computer's local groups for it
# (remote SAM enumeration is restricted to administrators by default on Windows 10 / Server 2016 and later)
$sid = Convert-NameToSid <username>
$computers = Get-DomainComputer -Properties dnshostname | select -ExpandProperty dnshostname
foreach ($line in $computers) {Get-NetLocalGroupMember -ComputerName $line | ? {$_.SID -eq $sid}}
```

## Enumerating AD Computers

### Gather Most Useful Information

```powershell
Get-DomainComputer -Properties dnshostname,operatingsystem,lastlogontimestamp,useraccountcontrol
```

## Enumerating Domain ACLs

Common ACL rights and the PowerView cmdlet used to abuse each:

- `ForceChangePassword` (extended right `User-Force-Change-Password`): `Set-DomainUserPassword`
- `AddMembers` (`WriteProperty` on the `member` attribute): `Add-DomainGroupMember`
- `GenericAll`: `Set-DomainUserPassword` or `Add-DomainGroupMember`
- `GenericWrite`: `Set-DomainObject`
- `WriteOwner`: `Set-DomainObjectOwner`
- `WriteDACL`: `Add-DomainObjectACL`
- `AllExtendedRights`: `Set-DomainUserPassword` or `Add-DomainGroupMember`
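As an added example (not part of the original page), the script below puts the mapping above to work: it collects the SIDs the current user controls (own account, nested groups, primary group, Everyone, Authenticated Users), pulls the ACLs of every user and group object in the domain, and labels each matching ACE with the abuse cmdlet from the list. It assumes PowerView is imported and that the session runs as a domain user; `$abuseMap` and the output shape are this example's own.

```powershell
# Added example, not from the original page. Requires PowerView imported; runs as a domain user.
$abuseMap = @{
    'User-Force-Change-Password' = 'Set-DomainUserPassword'
    'Member'                     = 'Add-DomainGroupMember'                      # WriteProperty on member
    'GenericAll'                 = 'Set-DomainUserPassword / Add-DomainGroupMember'
    'GenericWrite'               = 'Set-DomainObject'
    'WriteOwner'                 = 'Set-DomainObjectOwner'
    'WriteDacl'                  = 'Add-DomainObjectAcl'
    'ExtendedRight'              = 'Set-DomainUserPassword / Add-DomainGroupMember (AllExtendedRights)'
}

# SIDs we control: own account, every group we are in (recursively), primary group, well-known groups.
$me     = Get-DomainUser -Identity $env:USERNAME -Properties objectsid,samaccountname
$mySids = @($me.objectsid)
$mySids += @(Get-DomainGroup -MemberIdentity $env:USERNAME -Properties objectsid | Select-Object -ExpandProperty objectsid)
$mySids += "$(Get-DomainSID)-513"   # Domain Users is a primary group, not reflected in the member attribute
$mySids += 'S-1-1-0', 'S-1-5-11'    # Everyone, Authenticated Users

# Restrict to user and group objects to keep the full-domain ACL pull manageable.
Get-DomainObjectAcl -LDAPFilter '(|(samAccountType=805306368)(objectCategory=group))' -ResolveGUIDs |
    Where-Object { $_.AceType -match 'AccessAllowed' -and $_.SecurityIdentifier.Value -in $mySids } |
    ForEach-Object {
        $ace    = $_
        $rights = $ace.ActiveDirectoryRights.ToString()
        $primitive = switch -Regex ($rights) {
            'GenericAll'   { $abuseMap['GenericAll'];   break }
            'GenericWrite' { $abuseMap['GenericWrite']; break }
            'WriteOwner'   { $abuseMap['WriteOwner'];   break }
            'WriteDacl'    { $abuseMap['WriteDacl'];    break }
            'ExtendedRight' {
                # ObjectAceType is only set for object-specific ACEs; a bare ExtendedRight is AllExtendedRights
                if ($ace.ObjectAceType -eq 'User-Force-Change-Password') { $abuseMap['User-Force-Change-Password'] }
                elseif ($ace.ObjectAceType) { "ExtendedRight $($ace.ObjectAceType) (not in abuse map)" }
                else { $abuseMap['ExtendedRight'] }
                break
            }
            'WriteProperty' {
                if ($ace.ObjectAceType -eq 'Member') { $abuseMap['Member'] }
                elseif ($ace.ObjectAceType) { "WriteProperty $($ace.ObjectAceType) (check attribute)" }
                else { $abuseMap['GenericWrite'] }   # WriteProperty on all attributes behaves like GenericWrite
                break
            }
        }
        if ($primitive) {
            [pscustomobject]@{
                Target    = $ace.ObjectDN
                Rights    = $rights
                Attribute = $ace.ObjectAceType
                Principal = Convert-SidToName $ace.SecurityIdentifier.Value
                Abuse     = $primitive
            }
        }
    } | Sort-Object Target | Format-Table -AutoSize -Wrap
```

The `Principal` column shows which of your SIDs carries the right, which matters when deciding whether to act as yourself or after adding yourself to a group. Pulling ACLs for every user and group is slow in a large domain; narrow `-LDAPFilter` to an OU or `-Identity` to specific high-value objects when time is short.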

### Gather ACLs With Built-In Cmdlets

Uses the RSAT `ActiveDirectory` module (`Get-ADUser` and the `AD:` PSDrive) instead of PowerView.

```powershell
(Get-ACL "AD:$((Get-ADUser joe.evans).distinguishedname)").Access | ? {$_.ActiveDirectoryRights -match "WriteProperty" -or $_.ActiveDirectoryRights -match "GenericAll"} | Select IdentityReference,ActiveDirectoryRights -Unique | ft -W
```

### Gather ACL With PowerView

```powershell
Get-DomainObjectAcl -Identity harry.jones -Domain inlanefreight.local -ResolveGUIDs
```

### Gather ACL File Shares

```powershell
# list file shares on a host
Get-NetShare -ComputerName SQL01

# ACL of a share path (who can read or write it)
Get-PathAcl "\\SQL01\DB_backups"
```

### Gather DCSync ACL

```powershell
# GenericAll on the domain head, or the DS-Replication-Get-Changes* extended rights, grant DCSync
$dcsync = Get-ObjectACL "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ObjectAceType -match 'Replication-Get')} | Select-Object -ExpandProperty SecurityIdentifier | Select -ExpandProperty value

# List principals who can DCSync (this match returns holders of either right; DCSync needs both Get-Changes and Get-Changes-All)
Convert-SidToName $dcsync
```
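The `Replication-Get` match above returns any principal holding either replication right. DCSync requires both `DS-Replication-Get-Changes` and `DS-Replication-Get-Changes-All` (or `GenericAll`) on the domain head, so the added example below (not from the original page) groups the ACEs per principal and reports only those with the complete set, flagging the principals that hold them by default. It assumes PowerView is imported; the `$expected` list is an assumption about an unmodified domain and should be adjusted for the environment.

```powershell
# Added example, not from the original page. Requires PowerView imported.
$domainDN  = 'DC=' + ((Get-Domain).Name -replace '\.', ',DC=')
$domainSid = Get-DomainSID
$rootSid   = Get-DomainSID -Domain (Get-Forest).RootDomain.Name   # Enterprise Admins live in the forest root

# Assumed default holders of replication rights: Domain Admins, Domain Controllers, Enterprise RODCs,
# Enterprise Admins (root), Administrators, SYSTEM, Enterprise Domain Controllers.
$expected = @(
    "$domainSid-512", "$domainSid-516", "$domainSid-498", "$rootSid-519",
    'S-1-5-32-544', 'S-1-5-18', 'S-1-5-9'
)

$acl = Get-DomainObjectAcl -Identity $domainDN -ResolveGUIDs |
    Where-Object { $_.AceType -match 'AccessAllowed' } |
    Where-Object { $_.ActiveDirectoryRights -match 'GenericAll' -or $_.ObjectAceType -match '^DS-Replication-Get-Changes' }

$acl | Group-Object { $_.SecurityIdentifier.Value } | ForEach-Object {
    $sid   = $_.Name
    # Normalise each ACE to the right it conveys; GenericAll ACEs have no ObjectAceType.
    $types = $_.Group | ForEach-Object {
        if ($_.ActiveDirectoryRights -match 'GenericAll') { 'GenericAll' } else { $_.ObjectAceType }
    } | Sort-Object -Unique
    # Get-Changes-In-Filtered-Set also matches the prefix but is not sufficient; require the exact pair.
    $canDcsync = ('GenericAll' -in $types) -or
                 (('DS-Replication-Get-Changes' -in $types) -and ('DS-Replication-Get-Changes-All' -in $types))
    [pscustomobject]@{
        Principal = Convert-SidToName $sid
        SID       = $sid
        Rights    = ($types -join ', ')
        CanDCSync = $canDcsync
        Expected  = ($sid -in $expected)
    }
} | Where-Object { $_.CanDCSync } | Sort-Object Expected, Principal | Format-Table -AutoSize
```

Rows with `Expected` set to `False` are the ones worth investigating: a service account or a custom group that can DCSync is either a misconfiguration or a persistence mechanism left by a previous attacker. Note that rights inherited through group membership are attributed to the group SID, so a user who can DCSync via a nested group appears under that group's row.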

## Enumerating Domain GPOs

### Gather GPO Data

```powershell
Get-DomainGPO | select displayname
```

### Gather GPOs Applied to a Computer

```powershell
Get-DomainGPO -ComputerName WS01 | select displayname
```

### Gather GPO Permissions

```powershell
# GPOs on which a given principal holds an ACE; RID 513 is Domain Users, so this finds GPOs every domain user has rights over
Get-DomainGPO | Get-ObjectAcl | ? {$_.SecurityIdentifier -eq 'S-1-5-21-2974783224-3764228556-2640795941-513'}
```

## Enumerating Domain Trusts

### Gather Trusts of the Current Domain

```powershell
Get-DomainTrust
```

### Map Trusts Across All Reachable Domains

```powershell
Get-DomainTrustMapping
```

