This opens up a new way of interacting with enumeration tools: instead of typing commands manually, you can talk to an AI assistant and have it execute PowerView functions for you \u2014 as long as you understand the risks and use it in a controlled, authorised environment.<\/p>\n\n\n\n
I tested this inside my GOAD lab (Game of Active Directory) and wanted to document the setup for anyone who wants to experiment with it.<\/p>\n\n\n\n
What Is MCP (Model Context Protocol)?<\/h2>\n\n\n\n
Model Context Protocol (MCP) is a local, open protocol that allows applications and tools to expose structured capabilities to AI models. Instead of relying on prompt-guessing or plugins, MCP lets tools communicate with the AI in a clean, safe, and reliable way.<\/p>\n\n\n\n
In simpler terms:<\/p>\n\n\n\n
- \n
- Your tool exposes commands<\/li>\n\n\n\n
- MCP acts as the bridge<\/li>\n\n\n\n
- The AI can call those commands safely<\/li>\n\n\n\n
- Everything stays local and private<\/li>\n<\/ul>\n\n\n\n
This makes AI far more accurate and useful when interacting with local tools.<\/p>\n\n\n\n
Why PowerView.py?<\/h2>\n\n\n\n
PowerView.py is the Python-based reimplementation of the original PowerView PowerShell tool from PowerSploit. It offers:<\/p>\n\n\n\n
- \n
- Cross-platform support (Linux\/macOS\/Windows)<\/li>\n\n\n\n
- No PowerShell dependency<\/li>\n\n\n\n
- Great for red teaming from non-Windows attacker machines<\/li>\n\n\n\n
- Potentially lower detection surface compared to PowerShell scripts<\/li>\n\n\n\n
- Supports MCP, enabling full AI-assisted enumeration<\/li>\n\n\n\n
- This makes it perfect for hybrid \u201cAI + AD Enumeration\u201d workflows.<\/li>\n<\/ul>\n\n\n\n
Installation & Setup<\/h2>\n\n\n\n
- \n
- Install Dependencies<\/li>\n<\/ol>\n\n\n\n
sudo apt install libkrb5-dev
pip3 install powerview<\/pre>\n\n\n\n- \n
- Install Claude Desktop (Linux Build)<\/li>\n<\/ol>\n\n\n\n
git clone https:\/\/github.com\/aaddrick\/claude-desktop-debian.git
cd claude-desktop-debian
.\/build.sh<\/pre>\n\n\n\n- \n
- Install MCP Proxy<\/li>\n<\/ol>\n\n\n\n
pipx install mcp-proxy<\/pre>\n\n\n\n
- \n
- Configuring Claude Desktop<\/li>\n<\/ol>\n\n\n\n
Edit the configuration file:<\/p>\n\n\n\n
~\/.config\/Claude\/claude_desktop_config.json<\/pre>\n\n\n\n
Add the PowerView MCP integration:<\/p>\n\n\n\n
{\"mcpServers\":{\"Powerview\":{\"command\":\"\/home\/kali\/.local\/bin\/mcp-proxy\",\"args\":[\"http:\/\/127.0.0.1:5000\/powerview\",\"--transport=streamablehttp\"]}}}<\/pre>\n\n\n\n- \n
- Running PowerView.py in MCP Mode<\/li>\n<\/ol>\n\n\n\n
powerview north.sevenkingdoms.local\/hodor:hodor@10.8.10.11 --mcp --mcp-host 0.0.0.0 --mcp-port 5000 --mcp-path powerview<\/pre>\n\n\n\n
- \n
- Start the proxy<\/li>\n<\/ol>\n\n\n\n
mcp-proxy http:\/\/127.0.0.1:5000\/powerview --transport=streamablehttp<\/pre>\n\n\n\n
- \n
- Launch Claude Desktop:<\/li>\n<\/ol>\n\n\n\n
claude-desktop<\/pre>\n\n\n\n
AI in Action: Conversational AD Enumeration<\/h2>\n\n\n\n
Once everything is configured, you can interact with PowerView.py simply by talking to your AI assistant. Here are some examples from my GOAD lab.<\/p>\n\n\n\n
Example: Listing Domain Admins Using AI<\/p>\n\n\n\n
The figure below shows Claude using PowerView.py through MCP to enumerate and return all the domain admin users:<\/p>\n\n\n\n
![\"\"](\"https:\/\/jasveermaan.com\/wp-content\/uploads\/2025\/11\/Claude_DA.png\")
<\/figure>\n\n\n\nExample: AI Uncovers Exposed Credentials While Processing a Custom Prompt<\/p>\n\n\n\n
While performing enumeration, Claude automatically identified that a password was exposed in one of the PowerView.py outputs, even though the original prompt was only asking for privilege analysis:<\/p>\n\n\n\n
![\"\"](\"https:\/\/jasveermaan.com\/wp-content\/uploads\/2025\/11\/Claude_hodor.png\")
<\/figure>\n\n\n\nYou can expand each response box to view the full details. Within the same prompt, Claude also recognised several potential pivoting paths, including:<\/p>\n\n\n\n
- \n
- Accessible SMB shares available to the user Hodor<\/li>\n\n\n\n
- Possible RDP access paths through group membership<\/li>\n\n\n\n
- And a critical finding \u2014 the plaintext password for Samwell Tarly<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/jasveermaan.com\/wp-content\/uploads\/2025\/11\/Claude_hodor2.png\")
<\/figure>\n\n\n\nThe figure below confirms that the exposed password can indeed be used to authenticate to a machine within the environment, as verified using NetExec:<\/p>\n\n\n\n
![\"\"](\"https:\/\/jasveermaan.com\/wp-content\/uploads\/2025\/11\/NXC_Samwell.png\")
<\/figure>\n\n\n\nBased on the information gathered from Claude, we can also perform an RDP login using the identified credentials. The screenshot below demonstrates a successful login to a target machine as the user Samwell:<\/p>\n\n\n\n
![\"\"](\"https:\/\/jasveermaan.com\/wp-content\/uploads\/2025\/11\/RDP_Samwell.png\")
<\/figure>\n\n\n\nConclusion<\/h2>\n\n\n\n
PowerView.py + MCP introduces a new way of interacting with common red-team tools.
Instead of running commands manually, you can simply speak naturally to an AI assistant and let it handle the enumeration through structured, safe MCP calls.<\/p>\n\n\n\nThis setup is still new, and I plan to explore more advanced ideas:<\/p>\n\n\n\n
- \n
- AI-generated AD attack path mapping<\/li>\n\n\n\n
- Automating privilege escalation discovery<\/li>\n\n\n\n
- AI-assisted cleanup after engagements<\/li>\n\n\n\n
- Integration with BloodHound data<\/li>\n\n\n\n
- More MCP-enabled red-team tools<\/li>\n<\/ul>\n\n\n\n
If you\u2019re experimenting with MCP in red-team workflows, I\u2019d love to hear your experience.<\/p>\n\n\n\n
Disclaimer<\/h2>\n\n\n\n
If you connect PowerView to cloud-hosted AI models, be aware that any query you submit, including directory output, credentials, or enumeration results, may pass through the provider\u2019s infrastructure. Your Active Directory data could be stored, logged, or reviewed depending on the platform\u2019s data handling policies.<\/em><\/strong><\/p>\n\n\n\n
Use this setup only in non-sensitive, fully authorised lab environments unless you are working with a local or self-hosted model.<\/em><\/strong><\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Hi Readers, In this post, I want to share something interesting I explored recently after a friend recommended that I try PowerView.py with its MCP integration. I\u2019ve been using PowerView.py for Active Directory enumeration in my homelab, and discovering that it has supports the Model Context Protocol (MCP) means you can integrate it directly with … <\/p>\n
- Launch Claude Desktop:<\/li>\n<\/ol>\n\n\n\n
- Start the proxy<\/li>\n<\/ol>\n\n\n\n
- Running PowerView.py in MCP Mode<\/li>\n<\/ol>\n\n\n\n
- Configuring Claude Desktop<\/li>\n<\/ol>\n\n\n\n
- Install MCP Proxy<\/li>\n<\/ol>\n\n\n\n
- Install Claude Desktop (Linux Build)<\/li>\n<\/ol>\n\n\n\n
- Install Dependencies<\/li>\n<\/ol>\n\n\n\n