# Powerview

PowerView is a PowerShell script for enumerating an Active Directory domain once you already have a shell on a domain-joined host. It ships as part of PowerSploit (and is also bundled as a module in PowerShell Empire). PowerSploit is no longer maintained, but PowerView remains one of the most useful post-exploitation enumeration tools.

***

Load PowerView by dot-sourcing the script, so that its functions are defined in the current session rather than in a child scope that is discarded when the script finishes. If the execution policy blocks it, start PowerShell with `-ExecutionPolicy Bypass`; also note that the unmodified `PowerView.ps1` is flagged by Defender, so on a host with AV enabled the file usually has to be modified before it will load.

```powershell
. .\Downloads\PowerView.ps1
```

Next, we can use PowerView to list the domain users. The commands in these notes use the PowerView 2.0 names (`Get-NetUser`, `Get-NetGroup`, `Invoke-ShareFinder`, `Get-NetComputer`). PowerView 3.0 (the PowerSploit dev branch, which the cheatsheet linked at the bottom covers) renames them to `Get-DomainUser`, `Get-DomainGroup`, `Find-DomainShare` and `Get-DomainComputer` and keeps the old names as aliases, but some parameters differ; for example `-FullData` is gone because the 3.0 cmdlets return the full LDAP objects by default.

```powershell
Get-NetUser | select cn
```

By piping the output of `Get-NetUser` to `select cn` (`Select-Object`), we keep only the `cn` (common name) attribute of each user object instead of the full set of LDAP properties:

```powershell
PS C:\Users\Administrator> Get-NetUser | select cn

cn
--
Administrator
Guest
krbtgt
Machine-1
Admin2
Machine-2
SQL Service
POST{P0W3RV13W_FTW}
sshd
```
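A plain user listing is rarely what you act on. As an added example (not from the original notes), the block below triages the user accounts with the PowerView 3.0 cmdlet names; it assumes PowerView.ps1 from the PowerSploit dev branch is at `.\Downloads\PowerView.ps1` and that the session runs as an ordinary domain user. Every query is an LDAP read against the DC, so nothing here touches other hosts.

```powershell
# Added example, not part of the original notes. Assumes PowerView 3.0 (PowerSploit dev
# branch) at .\Downloads\PowerView.ps1 and a session running as any domain user.
. .\Downloads\PowerView.ps1

# Accounts with a servicePrincipalName: any domain user can request a TGS for them and
# crack it offline (Kerberoasting). pwdlastset shows how old the password is.
$spnUsers = Get-DomainUser -SPN -Properties samaccountname,serviceprincipalname,pwdlastset

# Accounts flagged "Do not require Kerberos preauthentication" (AS-REP roasting).
$asrepUsers = Get-DomainUser -PreauthNotRequired -Properties samaccountname

# Accounts with a non-empty description; passwords are regularly left in this field.
$described = Get-DomainUser -LDAPFilter '(description=*)' -Properties samaccountname,description

# Accounts with DONT_EXPIRE_PASSWORD (0x10000) set in userAccountControl, matched with the
# LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803.
$neverExpires = Get-DomainUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=65536)' `
    -Properties samaccountname,pwdlastset

# Accounts protected by AdminSDHolder (adminCount=1): current or former privileged users.
$adminCount = Get-DomainUser -AdminCount -Properties samaccountname,memberof

'[*] Kerberoastable accounts:';     $spnUsers     | Format-Table -AutoSize
'[*] AS-REP roastable accounts:';   $asrepUsers   | Format-Table -AutoSize
'[*] Accounts with a description:'; $described    | Format-Table -AutoSize -Wrap
'[*] Password never expires:';      $neverExpires | Format-Table -AutoSize
'[*] adminCount=1 accounts:';       $adminCount   | Format-Table -AutoSize -Wrap
```

Because these are LDAP queries they are quiet compared to touching every host, but a DC that logs LDAP searches, or a honey account deliberately given an SPN, will still reveal the enumeration.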

We can also find every domain group whose name contains the word "Admin":

```powershell
PS C:\Users\Administrator> Get-NetGroup -GroupName *Admin*
Administrators
Hyper-V Administrators
Storage Replica Administrators
Schema Admins
Enterprise Admins
Domain Admins
Key Admins
Enterprise Key Admins
DnsAdmins
```
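Listing the group names is only half the picture; what matters is who is in them, including members that arrive through nested groups. The following is an added example, not from the original notes, written with the PowerView 3.0 names; it assumes the script is dot-sourced from `.\Downloads\PowerView.ps1` as above.

```powershell
# Added example, not part of the original notes. Assumes PowerView 3.0 at
# .\Downloads\PowerView.ps1 and a session running as any domain user.
. .\Downloads\PowerView.ps1

# Same query as the Get-NetGroup call above, in 3.0 syntax (-Identity accepts wildcards).
$adminGroups = Get-DomainGroup -Identity '*Admin*' -Properties samaccountname,distinguishedname

# Resolve membership recursively: a user in "Helpdesk" nested inside "Domain Admins" is
# effectively a Domain Admin, and a flat member listing would miss it.
$members = foreach ($group in $adminGroups) {
    Get-DomainGroupMember -Identity $group.samaccountname -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.MemberObjectClass -eq 'user' } |
        Select-Object GroupName, MemberName, MemberDomain, MemberSID
}
$members | Sort-Object GroupName, MemberName -Unique | Format-Table -AutoSize

# Flip the question: which groups is the current user in, again including nested ones?
Get-DomainGroup -MemberIdentity $env:USERNAME -Properties samaccountname |
    Select-Object samaccountname

# Privileged built-in groups the "*Admin*" wildcard does not match, checked explicitly.
'Account Operators', 'Backup Operators', 'Server Operators', 'Print Operators' | ForEach-Object {
    Get-DomainGroupMember -Identity $_ -Recurse -ErrorAction SilentlyContinue |
        Select-Object GroupName, MemberName, MemberObjectClass
} | Format-Table -AutoSize
```

Account Operators and Backup Operators in particular are frequently populated in real environments and are a straightforward path to domain compromise, so they deserve the same attention as the groups with "Admin" in the name.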

List the network shares on every computer in the domain:

```powershell
PS C:\Users\Administrator> Invoke-ShareFinder
\\Domain-Controller.CONTROLLER.local\ADMIN$     - Remote Admin
\\Domain-Controller.CONTROLLER.local\C$         - Default share
\\Domain-Controller.CONTROLLER.local\IPC$       - Remote IPC
\\Domain-Controller.CONTROLLER.local\NETLOGON   - Logon server share
\\Domain-Controller.CONTROLLER.local\Share      -
\\Domain-Controller.CONTROLLER.local\SYSVOL     - Logon server share
PS C:\Users\Administrator>
```
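Knowing that a share exists is less useful than knowing whether you can read it and what is inside. As an added example (not from the original notes), the block below narrows the share listing to shares the current user can open and then searches them for files that commonly hold credentials. It uses the PowerView 3.0 names (`Invoke-ShareFinder` is an alias for `Find-DomainShare` there) and assumes the script is at `.\Downloads\PowerView.ps1`; the file-name patterns are my own choice, not a PowerView default.

```powershell
# Added example, not part of the original notes. Assumes PowerView 3.0 at
# .\Downloads\PowerView.ps1 and a session running as any domain user.
. .\Downloads\PowerView.ps1

# -CheckShareAccess returns only shares the current user can actually open. The default
# administrative shares are dropped because they only open for local admins anyway.
$shares = Find-DomainShare -CheckShareAccess |
    Where-Object { $_.Name -notin 'ADMIN$', 'C$', 'IPC$', 'print$' }
$shares | Select-Object ComputerName, Name, Remark | Format-Table -AutoSize

# Walk the readable shares for files whose names suggest credentials or configuration.
# -Include is matched against file names; these patterns are a constructed starting list.
$hits = Find-InterestingDomainShareFile -Include '*pass*', '*cred*', '*.config', '*.kdbx', '*.ppk', 'unattend*.xml'
$hits | Select-Object Path, Owner, LastWriteTime, Length |
    Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Both cmdlets connect to every computer object in the domain over SMB, which generates a logon event on each host and is easy to spot; scope them with `-ComputerName` to a list of hosts of interest when stealth matters, and remember that SYSVOL and NETLOGON are readable by every domain user and are worth grepping for scripts containing passwords.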

List the operating system of every computer in the domain (`-FullData` is needed in PowerView 2.0 to get the full objects rather than just the names):

```powershell
PS C:\Users\Administrator> Get-NetComputer -fulldata | select operatingsystem

operatingsystem
---------------
Windows Server 2019 Standard
Windows 10 Enterprise Evaluation
Windows 10 Enterprise Evaluation
```
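A flat list of operating systems gets unwieldy in a domain of any size. As an added example (not from the original notes), the block below summarises the fleet by OS, pulls out legacy builds that are actually online, and then checks where the current user already has local administrator rights. It uses the PowerView 3.0 names, assumes the script is at `.\Downloads\PowerView.ps1`, and the OS wildcards are an assumed starting list.

```powershell
# Added example, not part of the original notes. Assumes PowerView 3.0 at
# .\Downloads\PowerView.ps1 and a session running as any domain user.
. .\Downloads\PowerView.ps1

# Get-DomainComputer returns full objects by default (no -FullData in 3.0).
# Count hosts per OS so unusual or legacy builds stand out.
Get-DomainComputer -Properties operatingsystem |
    Group-Object operatingsystem | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Legacy builds that respond to ping. -OperatingSystem accepts wildcards; -Ping drops
# stale computer objects that are still in AD but no longer on the network.
$legacy = Get-DomainComputer -OperatingSystem '*2008*', '*2012*', '*Windows 7*' -Ping `
    -Properties dnshostname,operatingsystem,operatingsystemversion,lastlogontimestamp
$legacy | Select-Object dnshostname, operatingsystem, operatingsystemversion, lastlogontimestamp |
    Format-Table -AutoSize

# Where does the current user already have local admin? This opens an SMB/RPC connection
# to every target, so it is noisy; scoping it to the legacy hosts keeps it small.
$targets = $legacy | Select-Object -ExpandProperty dnshostname
if ($targets) { Find-LocalAdminAccess -ComputerName $targets }
```

`lastlogontimestamp` is replicated between DCs only every 9 to 14 days, so treat it as a coarse indicator of whether a machine is still in use rather than an exact last-seen time.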

More commands and a cheatsheet for the PowerView 3.0 cmdlets:

<https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993#file-powerview-3-0-tricks-ps1-L7>
