powerview.py is nice, isn't it?
Everyone's favourite PowerView,
in something like a Linux version.
The difference is that powerview.py needs no shell on a host; an LDAP, LDAPS, GC or ADWS connection is all it takes.
Being able to use PowerView-style commands without first having to break into a box is the good part.
Installation
Just run the following. Do install it inside a venv.
python3 -m venv powerview-venv
source ./powerview-venv/bin/activate
sudo apt install libkrb5-dev
pip3 install powerview
Checking that it runs
$ powerview
usage: powerview [-h] [-p PORT] [-d] [--stack-trace] [-q QUERY] [--no-admin-check] [--obfuscate] [--no-cache] [--no-vuln-check] [--raw] [--use-system-nameserver | -ns NAMESERVER] [-v] [--use-ldap | --use-ldaps | --use-gc |
--use-gc-ldaps | --use-adws] [-H LMHASH:NTHASH] [-k] [--use-channel-binding | --use-sign-and-seal | --use-simple-auth | --pfx PFX] [--no-pass] [--aes-key hex key] [--dc-ip IP address] [--relay]
[--relay-host RELAY_HOST] [--relay-port RELAY_PORT] [--web] [--web-host WEB_HOST] [--web-port WEB_PORT] [--web-auth WEB_AUTH] [--mcp] [--mcp-host MCP_HOST] [--mcp-port MCP_PORT] [--mcp-name MCP_NAME]
[--mcp-path MCP_PATH] [--max-connections MAX_CONNECTIONS] [--pool-cleanup-interval POOL_CLEANUP_INTERVAL] [--keepalive-interval KEEPALIVE_INTERVAL]
target
Python alternative to SharpSploit's PowerView script, version 2026.1.6
positional arguments:
target [[domain/]username[:password]@]<targetName or address>
options:
-h, --help show this help message and exit
-p, --port PORT LDAP server port. (Default: 389|636)
-d, --debug Enable debug output
--stack-trace raise exceptions and exit if unhandled errors
-q, --query QUERY PowerView query to be executed one-time
--no-admin-check Skip admin check when first logging in
--obfuscate Obfuscate search filter
--no-cache Disable caching of LDAP queries
--no-vuln-check Disable vulnerability detection
--raw Return raw LDAP entries without formatting
--use-system-nameserver
Use system nameserver to resolve hostname/domain
-ns, --nameserver NAMESERVER
Specify custom nameserver. If not specified, domain controller will be used instead
-v, --version show program's version number and exit
protocol:
--use-ldap [Optional] Use LDAP instead of LDAPS
--use-ldaps [Optional] Use LDAPS instead of LDAP
--use-gc [Optional] Use GlobalCatalog (GC) protocol
--use-gc-ldaps [Optional] Use GlobalCatalog (GC) protocol for LDAPS
--use-adws [Optional] Use ADWS protocol
authentication:
-H, --hashes LMHASH:NTHASH
NTLM hashes, format is LMHASH:NTHASH
-k, --kerberos Use Kerberos authentication. Grabs credentials from .ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the command line
--use-channel-binding
[Optional] Use channel binding if channel binding is required on LDAP server
--use-sign-and-seal [Optional] Use sign and seal if LDAP signing is required on ldap server
--use-simple-auth Authenticate with SIMPLE authentication
--pfx PFX Supply .pfx formatted certificate. Use --cert and --key if no pfx
--no-pass don't ask for password (useful for -k)
--aes-key hex key AES key to use for Kerberos Authentication '(128 or 256 bits)'
--dc-ip IP address IP Address of the domain controller or KDC (Key Distribution Center) for Kerberos. If omitted it will use the domain part (FQDN) specified in the identity parameter
relay:
--relay Enable relay mode
--relay-host RELAY_HOST
Bind interface to expose HTTP server (Default: 0.0.0.0)
--relay-port RELAY_PORT
Relay mode custom HTTP port (Default: 80)
web:
--web Enable web interface for LDAP queries
--web-host WEB_HOST Specify custom bind interface (Default: 127.0.0.1)
--web-port WEB_PORT Specify custom port for web interface (Default: 5000)
--web-auth WEB_AUTH Enable authentication for web interface (format: username:password)
mcp:
--mcp Enable Model Context Protocol mode for AI assistants
--mcp-host MCP_HOST Specify custom bind interface for MCP (Default: 127.0.0.1)
--mcp-port MCP_PORT Specify custom port for MCP server (Default: 8080)
--mcp-name MCP_NAME Specify MCP server name (Default: PowerView MCP)
--mcp-path MCP_PATH Specify MCP server path (Default: /powerview)
connection pool:
--max-connections MAX_CONNECTIONS
Maximum number of pooled domain connections (Default: 10)
--pool-cleanup-interval POOL_CLEANUP_INTERVAL
Connection pool cleanup interval in seconds (Default: Disabled)
--keepalive-interval KEEPALIVE_INTERVAL
Connection keep-alive interval in seconds (Default: Disabled)
Impressions
Connecting
Basically you land in the tool's own shell, where you can run commands just like PowerView.
$ powerview us.techcorp.local/studentuserXXX:'XXXXXXXXXXXXXXX'@192.168.1.2
Logging directory is set to /home/kali/.powerview/logs/us-studentuserXXX-192.168.1.2
╭─LDAPS─[US-DC.us.techcorp.local]─[US\studentuserXXX]-[NS:192.168.1.2]
╰─PV ❯
Display all 153 possibilities? (y or n)
Add-ADComputer Add-OU Get-DomainCATemplate Get-DomainUser Get-TrustKey Remove-DomainOU Set-DomainObjectDN Add-ADUser Add-ObjectAcl Get-DomainComputer Get-DomainWDS Get-WDS Remove-DomainObject Set-DomainObjectOwner Add-CATemplate Clear-Cache Get-DomainController Get-ExchangeDatabase Invoke-ASREPRoast Remove-DomainObjectAcl Set-DomainRBCD Add-CATemplateAcl ConvertFrom-SID Get-DomainDMSA Get-ExchangeMailbox Invoke-BadSuccessor Remove-DomainUser Set-DomainUserPassword Add-DMSA ConvertFrom-UACValue Get-DomainDNSRecord Get-ExchangeServer Invoke-DFSCoerce Remove-GMSA Set-NetService Add-DomainCATemplate Disable-ADAccount Get-DomainDNSZone Get-GMSA Invoke-Kerberoast Remove-GPLink Set-ObjectOwner Add-DomainCATemplateAcl Disable-DomainDNSRecord Get-DomainForeignGroupMember Get-GPOLocalGroup Invoke-MessageBox Remove-GroupMember Set-RBCD Add-DomainComputer Disable-RDP Get-DomainForeignUser Get-GPOSettings Invoke-PrinterBug Remove-NetService Shutdown-Computer Add-DomainDMSA Dump-Schema Get-DomainGMSA Get-LocalUser Login-As Remove-NetSession Start-NetService Add-DomainDNSRecord Dump-ServerInfo Get-DomainGPO Get-NamedPipes Logoff-Session Remove-NetTerminalSession Stop-Computer Add-DomainGMSA Enable-ADAccount Get-DomainGPOLocalGroup Get-NetComputerInfo Reboot-Computer Remove-OU Stop-NetProcess Add-DomainGPO Enable-EFSRPC Get-DomainGPOSettings Get-NetLoggedOn Remove-ADComputer Remove-ObjectAcl Stop-NetService Add-DomainGroup Enable-RDP Get-DomainGroup Get-NetProcess Remove-ADObject Restart-Computer Unlock-ADAccount Add-DomainGroupMember Find-ForeignGroup Get-DomainGroupMember Get-NetService Remove-ADUser Restore-ADObject clear Add-DomainOU Find-ForeignUser Get-DomainOU Get-NetSession Remove-CATemplate 
Restore-DomainObject exit Add-DomainObjectAcl Find-LocalAdminAccess Get-DomainObject Get-NetShare Remove-DMSA Set-ADObject get_pool_stats Add-DomainUser Get-ADObject Get-DomainObjectAcl Get-NetTerminalSession Remove-DomainCATemplate Set-ADObjectDN history Add-GMSA Get-CA Get-DomainObjectOwner Get-ObjectAcl Remove-DomainComputer Set-CATemplate qwinsta Add-GPLink Get-CATemplate Get-DomainRBCD Get-ObjectOwner Remove-DomainDMSA Set-DomainCATemplate taskkill Add-GPO Get-DMSA Get-DomainSCCM Get-RBCD Remove-DomainDNSRecord Set-DomainComputerPassword tasklist Add-GroupMember Get-Domain Get-DomainTrust Get-RegLoggedOn Remove-DomainGMSA Set-DomainDNSRecord whoami Add-NetService Get-DomainCA Get-DomainTrustKey Get-SCCM Remove-DomainGroupMember Set-DomainObject
Running commands
It's not only that the same commands as PowerView are available; some of the options work too.
-Identity
Specifies the target user.
╭─LDAPS─[US-DC.us.techcorp.local]─[US\studentuserXXX]-[NS:192.168.1.2]
╰─PV ❯ Get-DomainUser -Identity Administrator
objectClass : top
person
organizationalPerson
user
cn : Administrator
description : Built-in account for administering the computer/domain
distinguishedName : CN=Administrator,CN=Users,DC=us,DC=techcorp,DC=local
memberOf : CN=Group Policy Creator Owners,CN=Users,DC=us,DC=techcorp,DC=local
CN=Domain Admins,CN=Users,DC=us,DC=techcorp,DC=local
CN=Administrators,CN=Builtin,DC=us,DC=techcorp,DC=local
name : Administrator
objectGUID : {6065fe62-0dcb-4a5e-bcad-e99f2dec4cdd}
userAccountControl : NORMAL_ACCOUNT
DONT_EXPIRE_PASSWORD
badPwdCount : 0
badPasswordTime : 15/01/2026 10:50:42 (7 days ago)
lastLogoff : 1601-01-01 00:00:00+00:00
lastLogon : 23/01/2026 08:31:40 (today)
pwdLastSet : 05/07/2019 07:42:09 (6 years, 6 months ago)
primaryGroupID : 513
objectSid : S-1-5-21-210670787-2521448726-163245708-500
adminCount : 1
sAMAccountName : Administrator
sAMAccountType : SAM_USER_OBJECT
objectCategory : CN=Person,CN=Schema,CN=Configuration,DC=techcorp,DC=local
lastLogonTimestamp : 22/01/2026 22:15:11 (today)
vulnerabilities : [VULN-002] User account with password that never expires (LOW)
[VULN-020] Admin account with delegation enabled (HIGH)
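As an added example (not powerview.py's own code), this is how the userAccountControl value printed above decodes into flag names, the way ConvertFrom-UACValue does, and how findings of the kind listed under "vulnerabilities" can be derived from the entry. The bit values are the documented AD UAC flags; the rule behind "Admin account with delegation enabled" is an assumption about how such a check is typically written, and two further common UAC-based checks are included for comparison.

```python
# Added example, not part of powerview.py. Decodes a userAccountControl
# bitmask into flag names and derives findings like those shown above.
# Bit values are the documented AD UAC flags; the "delegation enabled"
# rule is an assumption, not powerview.py's own logic.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}


def decode_uac(value: int) -> list[str]:
    """Names of the set flags, lowest bit first (66048 -> NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD)."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def assess_user(uac: int, admin_count: int) -> list[tuple[str, str]]:
    """(severity, description) findings for one user entry."""
    flags = set(decode_uac(uac))
    findings = []
    if "DONT_EXPIRE_PASSWORD" in flags:
        findings.append(("LOW", "User account with password that never expires"))
    # Assumption: a privileged account (adminCount=1) that is not marked
    # "sensitive and cannot be delegated" (NOT_DELEGATED) counts as
    # "delegation enabled"; setting that flag clears the finding.
    if admin_count == 1 and "NOT_DELEGATED" not in flags:
        findings.append(("HIGH", "Admin account with delegation enabled"))
    if "DONT_REQ_PREAUTH" in flags:
        findings.append(("HIGH", "Kerberos pre-authentication not required"))
    if "PASSWD_NOTREQD" in flags:
        findings.append(("HIGH", "Password not required"))
    return findings


if __name__ == "__main__":
    # Constructed value mirroring the Administrator entry above:
    # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD = 0x200 | 0x10000 = 66048, adminCount 1.
    print(decode_uac(66048))
    for severity, text in assess_user(66048, 1):
        print(f"[{severity}] {text}")
```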
-Properties
Specifies which attributes to display.
╭─LDAPS─[US-DC.us.techcorp.local]─[US\studentuserXXX]-[NS:192.168.1.2]
╰─PV ❯ Get-DomainComputer -Properties Name,logoncount,operatingsystem,dnshostname -Identity US-DC
name : US-DC
logonCount : 983
operatingSystem : Windows Server 2019 Standard
dNSHostName : US-DC.us.techcorp.local
-LDAPFilter doesn't work, but there is -Where instead
For example, when you want to find accounts whose description contains "built".
╭─LDAPS─[US-DC.us.techcorp.local]─[US\studentuserXXX]-[NS:192.168.1.2] [CACHED]
╰─PV ❯ Get-DomainUser -Where 'description contains built' -Properties samaccountname,description
description : Built-in account for guest access to the computer/domain
sAMAccountName : Guest
description : Built-in account for administering the computer/domain
sAMAccountName : Administrator
-Count
It does the counting for you.
╭─LDAPS─[US-DC.us.techcorp.local]─[US\studentuserXXX]-[NS:192.168.1.2]
╰─PV ❯ Get-DomainUser -Count
75
| select doesn't work, but there is -TableView instead
| select doesn't work:
╭─LDAPS─[US-DC.us.techcorp.local]─[US\studentuserXXX]-[NS:192.168.1.2]
╰─PV ❯ Get-DomainComputer | select Name,logoncount,operatingsystem,dnshostname
╭─LDAPS─[US-DC.us.techcorp.local]─[US\studentuserXXX]-[NS:192.168.1.2]
╰─PV ❯
But -TableView together with -Properties gives a select-like display instead.
╭─LDAPS─[US-DC.us.techcorp.local]─[US\studentuserXXX]-[NS:192.168.1.2]
╰─PV ❯ Get-DomainUser -Properties samaccountname,memberof -TableView -Where 'samaccountname contain admin'
[2026-01-23 03:48:45] [Formatter] Results from cache. Use 'Clear-Cache' or '-NoCache' to refresh.
samaccountname memberof
---------------- -------------------------------------------------------------------------------------
adconnectadmin
pawadmin
exchangeadmin CN=Organization Management,OU=Microsoft Exchange Security Groups,DC=techcorp,DC=local
helpdeskadmin
mgmtadmin
Administrator CN=Group Policy Creator Owners,CN=Users,DC=us,DC=techcorp,DC=local
CN=Domain Admins,CN=Users,DC=us,DC=techcorp,DC=local
CN=Administrators,CN=Builtin,DC=us,DC=techcorp,DC=local
Some things are missing: no -Recurse
-Recurse can't be used.
╭─LDAPS─[US-DC.us.techcorp.local]─[US\studentuserXXX]-[NS:192.168.1.2] [CACHED]
╰─PV ❯ Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Unrecognized argument: -Recurse
╭─LDAPS─[US-DC.us.techcorp.local]─[US\studentuserXXX]-[NS:192.168.1.2] [CACHED]
╰─PV ❯
--relay???
Apparently there is a --relay feature that receives the relayed authentication from a coercion.
Worth checking out -> https://github.com/aniqfakhrul/powerview.py?tab=readme-ov-file#:~:text=to/local/file%27-,Relay%20mode,-powerview%2010.10.10.10%20%2D%2Drelay
--obfuscate???
There is also an LDAP obfuscation option, --obfuscate???
Worth checking out -> https://github.com/aniqfakhrul/powerview.py#obfuscation
It looks like it could have its problems, but there may be times when it comes in handy.
????
Personally the one I care about most, Find-InterestingDomainAcl, isn't there!!!! Too bad!!!
There's a web UI!
You can drive it from a web UI. Connect with --web added.
$ powerview us.techcorp.local/studentuserXXX:'nfd3ZWEsCzrA6H8S'@192.168.1.2 --web
Logging directory is set to /home/kali/.powerview/logs/us-studentuserXXX-192.168.1.2
[2026-01-23 04:01:53] Powerview web listening on 127.0.0.1:5000
╭─LDAPS─[US-DC.us.techcorp.local]─[US\studentuserXXX]-[NS:192.168.1.2] [WEB]
╰─PV ❯
Browse to 127.0.0.1:5000 and

Oh nice, you can browse it much like ADExplorer.
There is a Dashboard that shows at a glance the settings you would normally check.

On the Users screen you can add a user with a single button, and if you have the rights, clicking the blue key icon lets you change a password. Pretty great, right?

Under Computers, a single button gets you computer account creation, SMB connection, even start and restart.

Util has a handy SID Convert feature.

Tuning so the web UI also works offline
This fun web UI is designed to fetch its JS and CSS from the internet, so it can't be used in an environment with no internet connection.
So let's download them in advance so it works offline too.
git clone
git clone https://github.com/aniqfakhrul/powerview.py.git
cd powerview.py
Downloading the required files
# Where the static files go
mkdir -p powerview/web/front-end/static/vendor
# Tailwind CSS (pre-built standalone version)
curl -L -o powerview/web/front-end/static/vendor/tailwind.min.js "https://cdn.tailwindcss.com/3.4.1"
# Alpine.js
curl -o powerview/web/front-end/static/vendor/alpine.min.js "https://cdn.jsdelivr.net/npm/alpinejs@3.14.9/dist/cdn.min.js"
curl -o powerview/web/front-end/static/vendor/alpine-focus.min.js "https://cdn.jsdelivr.net/npm/@alpinejs/focus@3.14.9/dist/cdn.min.js"
curl -o powerview/web/front-end/static/vendor/alpine-collapse.min.js "https://cdn.jsdelivr.net/npm/@alpinejs/collapse@3.14.9/dist/cdn.min.js"
curl -o powerview/web/front-end/static/vendor/alpine-mask.min.js "https://cdn.jsdelivr.net/npm/@alpinejs/mask@3.14.9/dist/cdn.min.js"
# Font Awesome (CSS version)
curl -o powerview/web/front-end/static/vendor/fontawesome.min.css "https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.5.1/css/all.min.css"
# Font Awesome webfonts
mkdir -p powerview/web/front-end/static/webfonts
curl -o powerview/web/front-end/static/webfonts/fa-solid-900.woff2 "https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.5.1/webfonts/fa-solid-900.woff2"
curl -o powerview/web/front-end/static/webfonts/fa-regular-400.woff2 "https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.5.1/webfonts/fa-regular-400.woff2"
curl -o powerview/web/front-end/static/webfonts/fa-brands-400.woff2 "https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.5.1/webfonts/fa-brands-400.woff2"
# ttf files
curl -o powerview/web/front-end/static/webfonts/fa-solid-900.ttf "https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.5.1/webfonts/fa-solid-900.ttf"
curl -o powerview/web/front-end/static/webfonts/fa-regular-400.ttf "https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.5.1/webfonts/fa-regular-400.ttf"
curl -o powerview/web/front-end/static/webfonts/fa-brands-400.ttf "https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.5.1/webfonts/fa-brands-400.ttf"
Replacing the relative font paths with absolute ones
sed -i 's|../webfonts/|/static/webfonts/|g' powerview/web/front-end/static/vendor/fontawesome.min.css
Rewriting the header
$ cat powerview/web/front-end/templates/base/header.html
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>{{ title or 'PowerView.py' }}</title>
<link rel="apple-touch-icon" sizes="180x180" href="{{ url_for('static', filename='images/apple-touch-icon.png') }}">
<link rel="icon" type="image/png" sizes="32x32" href="{{ url_for('static', filename='images/favicon-32x32.png') }}">
<link rel="icon" type="image/png" sizes="16x16" href="{{ url_for('static', filename='images/favicon-16x16.png') }}">
<link rel="manifest" href="{{ url_for('static', filename='site.webmanifest') }}">
<script src="{{ url_for('static', filename='js/main.js') }}"></script>
<script src="{{ url_for('static', filename='js/static.js') }}"></script>
<script src="{{ url_for('static', filename='js/icon.js') }}"></script>
<link rel="stylesheet" href="{{ url_for('static', filename='css/style.css') }}">
<!-- local version -->
<script src="{{ url_for('static', filename='vendor/tailwind.min.js') }}"></script>
<link rel="stylesheet" href="{{ url_for('static', filename='vendor/fontawesome.min.css') }}">
<!-- Alpine Plugins (local) -->
<script defer src="{{ url_for('static', filename='vendor/alpine-focus.min.js') }}"></script>
<script defer src="{{ url_for('static', filename='vendor/alpine-collapse.min.js') }}"></script>
<script defer src="{{ url_for('static', filename='vendor/alpine-mask.min.js') }}"></script>
<!-- Alpine Core (local) -->
<script defer src="{{ url_for('static', filename='vendor/alpine.min.js') }}"></script>
Installing with pipx
$ pipx install .
installed package powerview 2025.1.8, installed using Python 3.13.9
These apps are now globally available
- powerview
done! ✨ 🌟 ✨
And with that it works.
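As an added check (not part of powerview.py) for the procedure above: confirm that the rewritten header.html loads nothing over http(s) and that every url_for('static', ...) reference exists under the static directory, then pin SHA-256 hashes of the vendored files so a copy of the offline bundle can be verified later instead of trusting whatever the CDN served. The paths follow the repository layout used above; demo() builds a constructed fixture in a temp directory.

```python
# Added example, not part of powerview.py. Offline-readiness check for the
# patched header.html plus hash pinning of the vendored CDN files.
# Path layout follows the repo structure used above.
import hashlib
import re
import tempfile
from pathlib import Path

EXTERNAL_RE = re.compile(r'\b(?:src|href)="https?://[^"]*"')
STATIC_RE = re.compile(r"url_for\('static',\s*filename='([^']+)'\)")


def check_offline_header(header: Path, static_dir: Path) -> list[str]:
    """Problems in the template; an empty list means it is offline-ready."""
    text = header.read_text(encoding="utf-8")
    problems = [f"EXTERNAL: {m}" for m in EXTERNAL_RE.findall(text)]
    for rel in STATIC_RE.findall(text):
        if not (static_dir / rel).is_file():
            problems.append(f"MISSING: {rel}")
    return problems


def pin_hashes(static_dir: Path) -> dict[str, str]:
    """SHA-256 of every file under static_dir, keyed by relative POSIX path."""
    return {p.relative_to(static_dir).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(static_dir.rglob("*")) if p.is_file()}


def verify_hashes(static_dir: Path, manifest: dict[str, str]) -> list[str]:
    """Relative paths that are missing or changed since pin_hashes() ran."""
    current = pin_hashes(static_dir)
    return sorted(rel for rel, digest in manifest.items() if current.get(rel) != digest)


def demo() -> dict:
    """Constructed fixture: header with one CDN tag and one missing file, then fixed, then tampered."""
    root = Path(tempfile.mkdtemp())
    static = root / "static"
    (static / "vendor").mkdir(parents=True)
    (static / "vendor" / "tailwind.min.js").write_text("/* constructed stand-in */")
    header = root / "header.html"
    header.write_text('<script src="https://cdn.tailwindcss.com/3.4.1"></script>\n'
                      "<script src=\"{{ url_for('static', filename='vendor/alpine.min.js') }}\"></script>\n")
    before = check_offline_header(header, static)
    header.write_text("<script src=\"{{ url_for('static', filename='vendor/tailwind.min.js') }}\"></script>\n")
    after = check_offline_header(header, static)
    manifest = pin_hashes(static)
    (static / "vendor" / "tailwind.min.js").write_text("/* tampered */")
    return {"before": before, "after": after, "tampered": verify_hashes(static, manifest)}
```

Run check_offline_header() against powerview/web/front-end/templates/base/header.html and powerview/web/front-end/static after the edits; keep the pin_hashes() output alongside the bundle and re-run verify_hashes() on any copy you later deploy.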

I get preferring the CLI over a GUI, but there are times when the GUI just feels better.
The best thing about powerview.py is that it can be used without PowerShell.
But there are also times when you want the web UI.