PowerView (github.com/PowerShellMafia/PowerSploit) is an offensive PowerShell script that allows you to perform a variety of tasks against an internal domain, including recon, privilege escalation, persistence, and exfiltration. What you may not already know is that it can be run from a non domain-joined Windows virtual machine, which means we don’t have to worry about bypassing any installed antivirus to use PowerView. If you don’t already have an Active Directory lab at home to test PowerView with, or don’t know how to set one up, I highly recommend you buy the book I made, which makes it easy and fast.
In the course of a pentest it is common for an operator to spawn a new Windows virtual machine and connect it to an internal VPN so that there is access to machines on the domain.
What Is PowerView?
PowerView is part of PowerSploit, a PowerShell post-exploitation framework, and was written by harmj0y. PowerView is now part of the PowerShell Mafia GitHub repo. The only requirements to run PowerView from a non domain-joined machine are domain credentials and network connectivity to a domain controller.
Why Use PowerView?
Enumerating Active Directory is a widely accepted practice in ethical hacking. AD holds a wealth of information such as who is a domain admin. By combining this info with PowerView we can see in real time where a domain admin is logged in on the network. The idea is then to connect to that machine and dump the domain admin password from memory.
Steps To Run PowerView For Domain Enumeration
These are the steps involved in running PowerView; in this scenario we will run it to do domain enumeration. I am running this scenario in my home lab. Don’t have one? Give the Become An Ethical Hacker book (view on Amazon) a quick read and it will show you how to set up the best home hacking lab possible in a few simple steps, no joke.
First, get the script project and install it in the current PowerShell session on a non domain-joined Windows machine.
- Download the PowerView project from GitHub:
git clone https://github.com/PowerShellMafia/PowerSploit
- Copy the PowerSploit folder to the default PowerShell module directory. I had to create the folder “Modules” in this path, C:\Users\IEUser\Documents\WindowsPowerShell\Modules.
Alternatively you can import the script through dot sourcing, e.g.
Because we are not on a domain-joined machine, we need to pass the parameter -DomainController <ip> every time we issue a command, or else it will not work: a non-joined host has no domain context of its own for PowerView to fall back on. For example:
Find-DomainShare -CheckShareAccess -Domain testlab.local -DomainController 10.0.10.11
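The flip side of that requirement is that every such query still authenticates to the DC with domain credentials, so it leaves a footprint. As an added example that is not part of the original post, here is a defender-side check to run elevated on a domain controller that has the RSAT ActiveDirectory module: it lists network logons (Security event 4624, logon type 3) whose workstation name matches no computer object in AD, which is what a non domain-joined host looks like. The $LookbackHours window is an arbitrary value chosen for illustration, and success auditing for logon events is assumed to be enabled.

```powershell
# Added example, not from the original post. Run elevated on a DC with RSAT's
# ActiveDirectory module; assumes 'Audit Logon' success events are being recorded.
Import-Module ActiveDirectory

$LookbackHours = 24   # arbitrary window for illustration
$since = (Get-Date).AddHours(-$LookbackHours)

# Lookup of known domain computer names (Name, i.e. sAMAccountName without the trailing $).
$knownHosts = @{}
Get-ADComputer -Filter * | ForEach-Object { $knownHosts[$_.Name.ToUpper()] = $true }

# Pull successful logon events from the Security log for the window.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
    -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Logon type 3 = network logon, which is what SMB/RPC/LDAP enumeration produces.
    if ($d['LogonType'] -ne '3') { continue }

    $ws = ([string]$d['WorkstationName']).Trim().ToUpper()
    # Skip blank names and any host that is a computer object in the domain.
    if (-not $ws -or $ws -eq '-' -or $knownHosts.ContainsKey($ws)) { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        Workstation = $ws
        SourceIp    = $d['IpAddress']
        AuthPackage = $d['AuthenticationPackageName']
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize
```

Kerberos network logons often leave WorkstationName empty, so for full coverage also correlate IpAddress against DHCP and DNS records rather than relying on the name alone.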
Get all current GPOs for the specified domain.
PowerView Tutorial: How To Use PowerView
One of the obvious goals of pen testing is hunting admins, and for this we can use PowerView’s Invoke-UserHunter function. There is also the Get-NetGroupMember function, which can tell us which users are part of a group such as Domain Admins.
BONUS! Run MMC Active Directory Snapin
Remember that we have to run mmc from an elevated command prompt for this to work correctly. We will run this next command similarly to the remote PowerShell command from earlier.
Microsoft Remote Server Administration Tools (RSAT)
Windows 10 does not have this capability installed by default, so we have to download it first. Beware of the many misleading tutorials online! This is by far the easiest way to get it on Windows 10. Simply open an elevated PowerShell prompt and run
Recommended Reading
Want to learn more about how to become a penetration tester? I highly recommend the book Become An Ethical Hacker written by yours truly.