Your Name edited this page Mar 6, 2026 · 13 revisions

Powerview.py


Welcome to the Powerview.py wiki!

What is Powerview.py?

PowerView.py is a Python implementation of the awesome PowerView.ps1 script. Most of the modules used in PowerView are available here (some of the flags are changed). The main goal is to achieve an interactive session without having to repeatedly authenticate to LDAP.

Interesting features

  • Embedded user session
  • Binding with multiple protocols (ldap, ldaps, gc, gc-ssl, adws) using a trial-and-error approach; SSL connections are prioritized.
  • Mini Powerview.py console to make you feel at home when using PowerView.ps1
  • Auto-completer, so no more remembering commands
  • Cross-Domain interactions
  • Check if current user has Domain Admin or adminCount attribute set to 1
  • Table format feature mirroring the output style of PowerShell's Format-Table
  • LDAP query obfuscation to vary observable patterns
  • Integrated vulnerability detection with user-defined rules
  • Web UI for browser-based LDAP querying
  • MCP server for AI assistant integration
  • Remote computer enumeration (sessions, shares, services, processes, event logs)
  • Shadow Credentials management (msDS-KeyCredentialLink)
  • gMSA and dMSA (Delegated Managed Service Account) support
  • Relay mode for NTLM authentication relay
  • Unlock locked AD accounts
  • Certificate Authority (CA) template enumeration and modification

Why not stick with the .ps1 script?

  1. Detections

As most of y'all know, PowerView.ps1 is highly likely to get detected by Defender or AV vendors once downloaded onto the PC. An offensive tool getting detected by AV is a red flag during an engagement. Maybe some of you are thinking, why not just bypass AMSI and import the script undetected? Well, some of the big companies normally have EDR installed on most endpoints, and EDRs normally hook AMSI, so the AMSI patching itself would most likely get detected. So, PowerView.py FTW!

  2. Proxy with ease

Running LDAP query tools through proxies (i.e. SOCKS) is quite overwhelming since it requires a lot of stuff to be installed (e.g. Proxifier). I don't think Windows can support proxychains just yet (at least not off the top of my head). Since powerview.py is just a Python tool, wrapping it with proxychains is definitely possible. I've used it most of the time and it worked like a charm!

Quick Start

# Install
uv tool install git+https://github.com/aniqfakhrul/powerview.py

# Connect
powerview domain.local/user:Password123@10.10.10.10

# Start querying
PV > Get-DomainUser -Identity Administrator
PV > Get-DomainComputer -Properties dnshostname,operatingsystem -TableView
PV > Get-DomainGroup "Domain Admins"

Common Flags

Flag          Description
-Properties   Specify attributes to return
-Identity     Filter by specific object identity
-LDAPFilter   Custom LDAP filter
-Where        Filter results (e.g., 'samaccountname contains admin')
-Select       Select specific output fields
-TableView    Format output as table (options: md, csv)
-SortBy       Sort results by attribute
-OutFile      Write output to file
-Count        Return count of results
-NoWrap       Disable line wrapping
-Server       Specify target server for cross-domain queries
-NoCache      Bypass query cache
-NoVulnCheck  Disable vulnerability detection
-Raw          Return raw LDAP entries
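To make the post-processing flags above concrete, here is an added Python example (not code from the powerview.py project) that models how a `-Where` expression such as `'samaccountname contains admin'` is evaluated against returned entries, and how `-Select`, `-SortBy`, `-Count` and `-TableView` (plain, md, csv) compose on top of it. The operator set (`contains`, `notcontains`, `eq`, `ne`, `match`, `gt`, `lt`), the function names and the sample entries are assumptions for illustration; the real tool's `-Where` grammar may differ, and the entries are constructed, not real directory data.

```python
"""Model of a PowerView.py-style result pipeline: -Where, -SortBy, -Select, -TableView.

Added illustration, not the project's own code. Operator names and entry data are assumed.
"""
import csv
import io
import re

# Constructed sample LDAP results (fake accounts), as plain attribute dicts.
SAMPLE_ENTRIES = [
    {"samaccountname": "Administrator", "admincount": 1, "lastlogon": "2026-03-01", "memberof": ["Domain Admins"]},
    {"samaccountname": "svc_backup", "admincount": 0, "lastlogon": "2026-02-11", "memberof": ["Backup Operators"]},
    {"samaccountname": "helpdesk_admin", "admincount": 1, "lastlogon": "2025-12-30", "memberof": ["Account Operators"]},
    {"samaccountname": "jdoe", "admincount": 0, "lastlogon": "2026-03-05", "memberof": []},
]

# Assumed -Where grammar: "<attribute> <operator> <value>", value optionally quoted.
_WHERE_RE = re.compile(
    r"^\s*(?P<attr>[\w-]+)\s+(?P<op>contains|notcontains|eq|ne|match|gt|lt)\s+(?P<value>.+?)\s*$",
    re.IGNORECASE,
)


def parse_where(expr: str) -> tuple[str, str, str]:
    """Split a -Where expression into (attribute, operator, value); attribute names are case-folded."""
    m = _WHERE_RE.match(expr)
    if not m:
        raise ValueError(f"unsupported -Where expression: {expr!r}")
    return m.group("attr").lower(), m.group("op").lower(), m.group("value").strip("'\"")


def _as_number(s):
    try:
        return float(s)
    except (TypeError, ValueError):
        return None


def entry_matches(entry: dict, attr: str, op: str, value: str) -> bool:
    """Evaluate one operator against an entry; multi-valued attributes match if any value does."""
    raw = entry.get(attr)
    if raw is None:
        return False  # attribute not returned by the server: never matches, even for ne/notcontains
    values = [str(v) for v in (raw if isinstance(raw, list) else [raw])]
    lowered = [v.lower() for v in values]
    needle = value.lower()
    if op == "contains":
        return any(needle in v for v in lowered)
    if op == "notcontains":
        return not any(needle in v for v in lowered)
    if op == "eq":
        return needle in lowered
    if op == "ne":
        return needle not in lowered
    if op == "match":
        return any(re.search(value, v, re.IGNORECASE) for v in values)
    # gt / lt: numeric when both sides parse as numbers, otherwise plain string order (works for ISO dates)
    target = _as_number(value)
    for v in values:
        num = _as_number(v)
        if num is not None and target is not None:
            if (op == "gt" and num > target) or (op == "lt" and num < target):
                return True
        elif (op == "gt" and v > value) or (op == "lt" and v < value):
            return True
    return False


def apply_where(entries, expr):
    attr, op, value = parse_where(expr)
    return [e for e in entries if entry_matches(e, attr, op, value)]


def select_fields(entries, fields):
    """-Select: project each entry onto the requested attributes (missing ones become empty)."""
    fields = [f.lower() for f in fields]
    return [{f: e.get(f, "") for f in fields} for e in entries]


def sort_entries(entries, attr, descending=False):
    """-SortBy: stable, case-insensitive sort on one attribute."""
    attr = attr.lower()
    return sorted(entries, key=lambda e: str(e.get(attr, "")).lower(), reverse=descending)


def format_table(entries, fmt="plain"):
    """-TableView: render rows as a plain aligned table, markdown (md) or csv."""
    if not entries:
        return ""
    headers = list(entries[0].keys())
    rows = [[", ".join(map(str, e.get(h, ""))) if isinstance(e.get(h), list) else str(e.get(h, ""))
             for h in headers] for e in entries]
    if fmt == "csv":
        buf = io.StringIO()
        writer = csv.writer(buf, lineterminator="\n")
        writer.writerow(headers)
        writer.writerows(rows)
        return buf.getvalue().rstrip("\n")
    if fmt == "md":
        lines = ["| " + " | ".join(headers) + " |", "|" + "|".join("---" for _ in headers) + "|"]
        return "\n".join(lines + ["| " + " | ".join(r) + " |" for r in rows])
    widths = [max(len(h), *(len(r[i]) for r in rows)) for i, h in enumerate(headers)]
    lines = ["  ".join(h.ljust(widths[i]) for i, h in enumerate(headers)), "  ".join("-" * w for w in widths)]
    lines += ["  ".join(r[i].ljust(widths[i]) for i in range(len(headers))) for r in rows]
    return "\n".join(line.rstrip() for line in lines)


def query(entries, where=None, select=None, sort_by=None, descending=False):
    """Compose the flags in the order a console would: filter, then sort, then project."""
    out = list(entries)
    if where:
        out = apply_where(out, where)
    if sort_by:
        out = sort_entries(out, sort_by, descending)
    if select:
        out = select_fields(out, select)
    return out


if __name__ == "__main__":
    hits = query(SAMPLE_ENTRIES, where="samaccountname contains admin",
                 select=["samaccountname", "admincount"], sort_by="samaccountname")
    print(format_table(hits, "md"))
    print(len(hits), "result(s)")  # what -Count would report for the same query
```

The one design point worth noting is the handling of attributes the server did not return: `entry_matches` treats them as a non-match for every operator, including `ne` and `notcontains`, so a `-Where` over an attribute omitted from `-Properties` silently yields nothing rather than matching everything. When a filter returns fewer hits than expected, check the attribute list before suspecting the data.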
