> For the complete documentation index, see [llms.txt](https://csbygb.gitbook.io/pentips/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://csbygb.gitbook.io/pentips/windows/post-compromise-enum/powerview-sharpview.md). # Powerview or SharpView (.NET equivalent) * Get it from [here](https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1) and put it in the compromised machine * From a cmd in the target: `powershell -ep bypass` * Launch Powerview: `. .\powerview.ps1` * Get info on the Domain Controller: `Get-NetDomain` * Check policies: `Get-DomainPolicy` * Policies in System Access: `(Get-DomainPolicy)."systemAccess"` (e.g.: we get info about password policy and minimum length so min size if we want to password spray) * Info about the users `Get-NetUser` * Get only usenames `Get-NetUser | select cn` (e.g.: will output Jessica Jones) * Get only sam account name: `Get-NetUser | select samaccountname` (e.g.: will output jjones) * Get only description: `Get-NetUser | select description` (e.g.: will output a description if provided by sysadmn or a default one) * See all the properties a user have: `Get-UserProperty` * Get more details for example password last set: `Get-UserProperty -Properties pwdlastset` * Get more details for example logoncount: `Get-UserProperty -Properties logoncount` * See if users have entered bad passwd: `Get-UserProperty -Properties badpwdcount` * List all the computers in the Domain: `Get-NetComputer` * Same but with much more info: `Get-NetComputer -FullData` * Filter this load of data with specific info: `Get-NetComputer -FullData | select OperatingSystem` * Get info on groups: `Get-NetGroup` * Filter for a specific GroupName: `Get-NetGroup -GroupName "Domain Admins"` * Filter on GroupName with a wildcard: `Get-NetGroup -GroupName *admin*` * Get users from a specific group: `Get-NetGroup -GroupName "Domain Admins"` * Get smb shared in the network: `Invoke-ShareFinder` * Get group policies: `Get-NetGPO` * Filter the info: `Get-NetGroup -GroupName "Domain Admins"` * `.\SharpView.exe ConvertTo-SID -Name first.last` Find SID of a user * `.\SharpView.exe Convert-ADName -ObjectName SID` find user with SID * `Get-DomainPolicy` View the domain password policy (will show passwordhistorysize) * `Get-DomainUser first.last \| ConvertFrom-UACValue -showall` List all UAC values * `.\SharpView.exe Get-Domain` View information about the current domain * `.\SharpView.exe Get-DomainOU` List all OUs * `.\SharpView.exe Get-DomainUser -KerberosPreauthNotRequired` Find ASREPRoastable users * `Get-DomainComputer` Get a listing of domain computers * `.\SharpView.exe Get-DomainGPO \| findstr displayname` List all GPO names * `Get-DomainGPO -ComputerIdentity HOSTNAME` List GPOs on a specific host * `Test-AdminAccess -ComputerName HOSTNAME` Test local admin access on a remote host * `.\SharpView.exe Get-NetShare -ComputerName HOSTNAME` Enumerate open shares on a remote computer * `Find-DomainUserLocation` Find machines where domain users are logged in * `Get-DomainTrust` View a list of domain trusts * `(Get-DomainUser).count` Count all domain users * `.\SharpView.exe Get-DomainUser -Help` Get help about a SharpView function * `Get-DomainUser -Properties samaccountname,description \| Where {$_.description -ne $null}` Find non-blank user description fields * `.\SharpView.exe Get-DomainUser -SPN` Find users with SPNs set * `Find-ForeignGroup` Find foreign domain users * `Get-DomainGroup -Properties Name` List domain groups * `.\SharpView.exe Get-DomainGroupMember -Identity 'Help Desk'` Get members of a domain group * `.\SharpView.exe Get-DomainGroup -AdminCount` List protected groups * `.\SharpView.exe Find-ManagedSecurityGroups` List managed security groups * `Get-NetLocalGroup -ComputerName HOST` Get local groups on a host * `.\SharpView.exe Get-NetLocalGroupMember -ComputerName HOSTNAME` Get members of a local group * `.\SharpView.exe Get-DomainComputer -Unconstrained` Find computers that allow unconstrained delegation * `Get-DomainComputer -TrustedToAuth` Find computers set with constrained delegation * `Get-DomainObjectAcl -Identity first.last` Enumerate ACLs on a user * `Find-InterestingDomainAcl` Find objects in the domain with modification rights over non built-in objects * `Get-PathAcl "\\HOSTNAME\Directory"` Find the ACLs set on a directory * `gpresult /r /S HOSTNAME` Get a report of all GPOs applied to a host * `Get-DomainGPO \| Get-ObjectAcl` Find GPO permissions * `Get-DomainTrustMapping` Enumerate trusts for our domain/reachable domains * `Get-NetShare -ComputerName COMPUTER` List share on computer * `Get-DomainGPO` list all gpo and related info * `Get-DomainGPO | select displayname` list all gpo names * `Get-DomainGPO | select displayname,objectguid` list gpo names with their guid * `Get-DomainTrustMapping` enumerate all trusts for our current domain and other reachable domains * `Get-NetDomain` similar to the ActiveDirectory module’s Get-ADDomain but contains a lot less information. Basic info such as the Forest, Domain Controllers, and Domain Name are enumerated. * `Get-NetDomainController` list all of the Domain Controllers within the network * `Get-NetForest` similar to Get-ADForest, and provides similar output. It provides all the associated Domains, the root domain, as well as the Domain Controllers for the root domain. * `Get-NetDomainTrust` is similar to Get-ADTrust with our SelectObject filter applied to it. ## Enumerating Users * `get-netuser` will output all infos about users in the domain * `get-netuser | select cn` will list all users * `get-netuser | select -expandproperty samaccountname` will list users but only samccountname * `find-userfield -SearchField description "password"` will list description fields of users with a grep on "password" ## Enumerating Groups * `get-netgroup` will list all the different groups in the domain * `get-netgroup -Username "f.lastname"` will show group of user f.lastname * `get-netgroup -GroupName "domain admins" -FullData` will show details of the group ## Enumerating Domain Computers and Shares * `Get-NetComputer -OperatingSystem "*Windows 10*"` Get computer with Win 10 OS * `Get-NetComputer -OperatingSystem "*server*"` Get the server * `Invoke-ShareFinder` will list shares * `Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC` will list sharw without standard print and IPC ## Find interesting files * `Invoke-FileFinder` ## Enumerate Local Admin Users * `Invoke-EnumerateLocalAdmin` ## Enumerating Group Policy Objects * `get-netgpo` ## Enumerating Access Control Lists * `get-objectacl` * `get-objectacl -SamAccountName "name" -ResolveGUIDs` ## Enumerating the domain * `get-netdomain` * `Get-DomainPolicy` * `Get-domainsid` useful for golden tickets *Note: If you do not get result with powerview, you can try this in powershell `Import-Module .\PowerView.ps1`* ## Powerview - Resources * [PowerView Cheat Sheet](https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993) --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://csbygb.gitbook.io/pentips/windows/post-compromise-enum/powerview-sharpview.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.