powerview

PowerView.ps1

Bypass execution policy

powershell -ep bypass

Get all users

Get-NetUser
net users /domain

Get all users with filter

Get-NetUser | select cn, memberof

Get information of a particular user

Get-NetUser -UserName admin

Get all groups

Get-NetGroup

User description check

#userdescription #checkuserdescription

Get-DomainUser * | Select-Object samaccountname, description | Where-Object { $_.Description -ne $null }
nxc ldap 10.10.11.32 -u '' -p '' --users | grep 'TypeUser'

User info field check

#userdescription #checkuserdescription

bloodyAD -u ldap -p 'nvEfEK16^1aM4$e7AclUf8x$tRWxPWO1%lmz' -d support.htb --host dc.support.htb --dns 10.10.11.174 get search --attr info

Limit groups to a particular domain

Get all admin names

Get all groups a user is member of

Get specific group's users

Get all other computers in the domain

Check whether the other computers are online

#livehosts #ping #scanhosts

Get other computer OS information

Filter out computer OS information

Domain enumeration (current domain information)

Get SID of the current domain

Get current domain policy

Get domain controller information

Computers on which we have admin access (if you are DC)

Get all local admins

Get domain policies

Get all active sessions/logon users

Get last logged-on users

Get RDP sessions

Check recycle bin

Cheat sheet

AD PowerView

Get user info

Get group membership recursive info

Get domain trust info

Testing for local admin/remote admin access

Find users with an SPN set (they may be subject to a Kerberoasting attack)