Save the script (for example with Notepad) as PowerView.ps1 on the Windows machine.
This is my cheat sheet for PowerView. These are some PowerView commands that I find useful for Active Directory/Domain enumeration. PowerView is a PowerShell tool to gain network situational awareness on Windows domains.
Open Command Prompt as administrator.
Then type: powershell -ep bypass
(this starts PowerShell with the execution policy set to Bypass so the script can be loaded).
Then change to the directory where you saved the PowerView script and dot-source it with: . .\PowerView.ps1
Now you can begin the enumeration!
Get-NetDomain (or Get-Domain)
: Information about the domain.
Get-NetComputer | select operatingsystem (same as Get-DomainComputer | select operatingsystem)
: Shows the operating system of each computer.
Get-NetDomainController (or Get-DomainController)
: Gets information about the domain controller.
Get-DomainPolicy
: Shows the Domain Policies
Get-NetUser (or Get-DomainUser)
: Gets information about the users in the domain.
Get-NetUser | select cn (or Get-DomainUser | select cn)
: Shows only the cn attribute; cn stands for Common Name.
Get-DomainUser -Properties name,description (same as Get-NetUser | select name,description)
: Shows the name and description of each user.
Get-DomainUser -Properties name,samaccountname,description
: name shows the name of the user, samaccountname shows the logon name, and description shows the description.
Get-NetUser "user" (same as Get-DomainUser "user")
: Shows information about the specific user given in place of "user". The value has to be the samaccountname of that user.
Get-NetUser | select name,samaccountname (or Get-DomainUser | select name,samaccountname)
: Displays the name and samaccountname of each user.
Get-NetGroup (or Get-DomainGroup)
: Gets all the groups in the domain.
Get-NetGroup "Domain Admins" (or Get-DomainGroup "Domain Admins")
: Gets the specific group called Domain Admins.
Get-NetGroupMember "Domain Admins" (same as Get-DomainGroupMember "Domain Admins")
: Lists the members of a specific group, here Domain Admins.
Get-DomainComputer | select cn, dnshostname (same as Get-NetComputer | select cn, dnshostname)
: Shows the common name and DNS host name of each computer.
Invoke-ShareFinder
: Shows all the shares
Get-NetComputer -Properties samaccountname (same as Get-DomainComputer -Properties samaccountname)
: Shows the account name (samaccountname) of each computer.
Get-NetGPO (same as Get-DomainGPO)
: Shows the Group Policies (GPOs).
Get-DNSZone (same as Get-DomainDNSZone)
: Gets DNS zone information.
Get-NetUser -SPN (or Get-DomainUser -SPN)
: Shows the user accounts that have a Service Principal Name, i.e. which service instance is associated with a service logon account.
Get-Forest, Get-ADForest and Get-NetForest
: All three show the forest properties of the domain (Get-ADForest comes from the ActiveDirectory module rather than from PowerView).
The Get-AD* cmdlets below come from the ActiveDirectory PowerShell module (part of RSAT) rather than from PowerView.
Get-ADDomain | select DNSRoot,NetBIOSName,DomainSID
: Gets the DNS root name, the NetBIOS name and the domain SID.
Get-ADUser "user"
: Gets information about the domain user given in place of "user". The value has to be the samaccountname of that user.
Get-ADUser -Filter * | select name,samaccountname
: Lists every domain user with their samaccountname.
Get-ADObject -LDAPFilter "objectClass=User" | select name,SamAccountName
: Gets all the users with their samaccountname in the domain.
Get-ADObject -LDAPFilter "objectClass=*" | select name
: Gets the name of every object (groups, users and so on). You can change the value of objectClass to Group, User, Domain etc., or simply use * to get everything.
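A defender-side counterpart to the commands on this page, added here as an example and not taken from the original post or from PowerView: it searches PowerShell Script Block Logging events (Event ID 4104) for the PowerView function names listed above and reports when, and under which account, they were run. It assumes Script Block Logging is enabled on the host being checked and that the indicator list is the one from this cheat sheet.

```powershell
# Added example (not from the original post): hunt for PowerView enumeration
# activity in PowerShell Script Block Logging (Event ID 4104).
# Assumption: Script Block Logging is enabled via Group Policy; without it
# the log contains no 4104 events and the search returns nothing.

# Function names taken from this cheat sheet; extend the list as needed.
$PowerViewIndicators = @(
    'Get-NetDomain', 'Get-Domain', 'Get-NetComputer', 'Get-DomainComputer',
    'Get-NetDomainController', 'Get-DomainController', 'Get-DomainPolicy',
    'Get-NetUser', 'Get-DomainUser', 'Get-NetGroup', 'Get-DomainGroup',
    'Get-NetGroupMember', 'Get-DomainGroupMember', 'Invoke-ShareFinder',
    'Get-NetGPO', 'Get-DomainGPO', 'Get-DNSZone', 'Get-DomainDNSZone',
    'Get-NetForest', 'Get-Forest'
)

# Build one regex alternation from the list, escaping each name.
$pattern = ($PowerViewIndicators | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Find-PowerViewScriptBlocks {
    param(
        [int]$Days = 7   # how far back to search
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddDays(-$Days)
    }

    # Get-WinEvent throws when no events match, hence SilentlyContinue.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |      # -match ignores case
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                UserId      = $_.UserId   # SID of the account that ran the block
                Indicators  = ([regex]::Matches($_.Message, $pattern, 'IgnoreCase') |
                               ForEach-Object { $_.Value } | Sort-Object -Unique) -join ', '
            }
        }
}

# Usage: list hits from the last 7 days, newest first.
Find-PowerViewScriptBlocks -Days 7 | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Short names such as Get-Domain also match longer ones (Get-DomainUser), so treat the Indicators column as a lead to review rather than a verdict.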