PowerView Command Cheat Sheet for Pentesters
Basic Enumeration
Get-NetDomain # Display the current domain
Get-NetForest # List all forests
Get-NetForestDomain # List all domains in the forest
Get-NetDomainController # Show Domain Controllers
User & Group Enumeration
Get-NetUser # List all domain users
Get-NetUser -Username j.smith # Get details on a specific user
Get-UserProperty -Properties pwdlastset # Get 'password last set' info
Get-NetGroup # List all groups
Get-NetGroup -GroupName "Domain Admins" # Find the Domain Admins group (use Get-NetGroupMember for its members)
Get-NetGroupMember -GroupName "Exchange Trusted Subsystem" # Group members
Domain Structure & Computers
Get-DomainPolicy # Show domain password and Kerberos policies
Get-NetOU # List all OUs
Get-NetOU -FullData # Detailed OU listing
Get-NetComputer # List all computers in domain
Get-NetComputer -Ping # List online domain-joined computers
Trust & GPO Discovery
Get-NetDomainTrust # Show domain trust relationships
Get-NetGPO # List Group Policy Objects
Get-NetGPOGroup # Show GPO-based group additions
Find-GPOLocation # Find computers where a user/group gets local admin rights via GPO
Privilege Escalation Recon
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs # View ACLs on the Domain Admins group object
Find-LocalAdminAccess # Find machines where the current user has local admin rights
Find-InterestingDomainAcl # Look for abusable ACL permissions on domain objects
Finding Targets & Shares
Invoke-UserHunter # Find machines with active sessions of privileged (Domain Admin) users
Invoke-UserHunter -Stealth # Same, but only queries high-value servers (DCs, file servers) for fewer touches
Invoke-ShareFinder # Find accessible network shares
Invoke-EnumerateLocalAdmin # List local admins on all machines
Extract Usernames for Spray Attacks
Get-DomainUser | Select-Object -ExpandProperty cn | Out-File users.txt
type .\users.txt
In the command above, Get-DomainUser fetches every user object in the domain. Select-Object -ExpandProperty cn expands the 'cn' (common name) attribute of each user object, which generally matches the logon name but is not guaranteed to (the logon name proper is samAccountName). The output is then piped to Out-File users.txt, which writes those names to a text file named 'users.txt'.
The type .\users.txt command displays the content of 'users.txt' in the console, so you can review the list of usernames that was extracted.
OpSec Tip
Prefer Get- and Find- commands for recon. Avoid the noisier Invoke- commands, which touch many hosts, unless testing in safe environments. Always run in-memory if possible. The commands below load PowerView from disk into the current session, after which every cmdlet in this sheet is available:
powershell -ep bypass
. .\PowerView.ps1
