powerview

  • use this for enumeration
  • alternative: SharpView

installation

usage

basic domain information

beacon> powershell Get-Domain
beacon> powershell Get-DomainController | select Forest, Name, OSVersion | fl
beacon> powershell Get-ForestDomain
 
# password policy
beacon> powershell Get-DomainPolicyData | select -expand SystemAccess
 
beacon> powershell Get-DomainOU -Properties Name | sort -Property Name
 
beacon> powershell Get-DomainGPO -Properties DisplayName | sort -Property DisplayName
 
beacon> powershell Get-DomainTrust

user information

PS> Get-DomainUser
PS> Get-DomainUser -Identity studentuser1
PS> Get-DomainUser -Identity jking -Properties DisplayName, MemberOf | fl

Groups

PS> Get-DomainGroup -UserName studentuser1
PS> Get-DomainGroup -Domain techcorp.local
PS> Get-DomainGroup -Filter 'Name -like "*admin*"' | select Name
PS> Get-DomainGroup | where Name -like "*Admins*" | select SamAccountName
PS> Get-DomainGroupMember -Identity "Domain Admins" | select MemberDistinguishedName

local groups

PS> Get-NetLocalGroup -ComputerName us-dc
PS> Get-NetLocalGroupMember -ComputerName us-dc -GroupName Administrators
PS> Get-DomainGPOLocalGroup | select GPODisplayName, GroupName

show where users are part of a local group (administrators)

beacon> powershell Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName | fl

computer information

PS> Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName
PS> Get-DomainComputer -Ping

OUs

PS> Get-DomainOU | select displayname
PS> Get-DomainGPO -Identity "{...}" # GPO GUID taken from the OU's gplink attribute
PS> (Get-DomainOU).distinguishedname | %{Get-DomainComputer -SearchBase $_} | Get-DomainGPOComputerLocalGroupMapping
PS> (Get-DomainOU -Identity 'OU=Mgtm,DC=us,DC=techcorp,DC=local').distinguishedname | ..
PS> Get-DomainGPOComputerLocalGroupMapping -OUIdentity 'OU=..' # may not work reliably
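Reading the gplink attribute by hand, as an added example that is not part of these notes or of PowerView: a small PowerShell function that turns an OU's gPLink string into the linked GPO GUIDs plus their enforced/disabled flags, run here on a constructed sample string; the commented lines at the end show feeding it PowerView's Get-DomainOU output. The function name, the sample DNs and GUIDs are assumptions.

```powershell
# Added example, not from the original notes. gPLink is a string of entries
# "[LDAP://<GPO DN>;<options>]"; options bit 0 = link disabled, bit 1 = enforced.
# The GUID inside the GPO DN is the value Get-DomainGPO -Identity "{...}" expects.
function ConvertFrom-GPLink {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [AllowNull()][AllowEmptyString()]
        [string]$GPLink
    )
    process {
        # each entry: [LDAP://cn={GUID},cn=policies,cn=system,DC=...;<options>]
        $pattern = '\[LDAP://(?<dn>[^;\]]+);(?<opt>\d+)\]'
        $order = 0
        foreach ($m in [regex]::Matches($GPLink, $pattern, 'IgnoreCase')) {
            $order++
            $dn   = $m.Groups['dn'].Value
            $opt  = [int]$m.Groups['opt'].Value
            # pull the {GUID} out of the leading cn= component of the GPO DN
            $guid = if ($dn -match '^cn=(\{[0-9a-f-]+\})') { $Matches[1] } else { $null }
            [pscustomobject]@{
                LinkOrder = $order
                GPOGuid   = $guid
                GPODN     = $dn
                Enforced  = [bool]($opt -band 2)
                Disabled  = [bool]($opt -band 1)
            }
        }
    }
}

# constructed sample (placeholder GUIDs, not from a real domain):
# one enforced link followed by one disabled link
$sample = '[LDAP://cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system,DC=us,DC=techcorp,DC=local;2]' +
          '[LDAP://cn={66666666-7777-8888-9999-000000000000},cn=policies,cn=system,DC=us,DC=techcorp,DC=local;1]'
ConvertFrom-GPLink -GPLink $sample | Format-Table -AutoSize

# in the lab: list the GPOs linked to one OU and resolve each with PowerView
# (Get-DomainOU -Identity 'OU=Mgtm,DC=us,DC=techcorp,DC=local').gplink | ConvertFrom-GPLink |
#     ForEach-Object { Get-DomainGPO -Identity $_.GPOGuid -Properties DisplayName }
```

An OU without any linked GPO has an empty gplink, which the function accepts and yields nothing for.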

GPOs

PS> Get-DomainGPO
PS> Get-DomainGPO -ComputerIdentity student1.us.techcorp.local
PS> Get-DomainGPO | select displayname
 
# restricted groups that are managed by GPOs
PS> Get-DomainGPOLocalGroup
PS> Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity student1.us.techcorp.local
PS> Get-DomainGPOUserLocalGroupMapping -Identity studentuser1 -Verbose

ACLs

PS> Get-DomainObjectACL -Identity studentuser1 -ResolveGUIDs
PS> Get-DomainObjectACL -Searchbase "LDAP://CN=Domain Admins,.." -ResolveGUIDs -Verbose
PS> (Get-Acl 'AD:\CN=Administrator,...').Access
PS> Find-InterestingDomainAcl -ResolveGUIDs # lot of results
PS> Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "StudentUsers"} # checks the group, maybe do the same with the user
PS> Get-PathACL -Path "\\us-dc\sysvol"
PS> Find-LocalAdminAccess -Verbose
# separate scripts (not part of PowerView): dot-source the .ps1, then call the function
PS> . .\Find-WMILocalAdminAccess.ps1; Find-WMILocalAdminAccess
PS> . .\Find-PSRemotingLocalAdminAccess.ps1; Find-PSRemotingLocalAdminAccess
 
# no longer reliable: these session queries now require local admin on the queried hosts
PS> Find-DomainUserLocation -Verbose -UserGroupIdentity "StudentUsers"
PS> Find-DomainUserLocation -CheckAccess
PS> Find-DomainUserLocation -Stealth

Defenders can harden against this enumeration with NetCease.ps1 (restricts NetSessionEnum) or SAMRi10 (restricts remote SAMR queries).

domain trusts

PS> Get-DomainTrust
PS> Get-DomainTrust -Domain techcorp.local
PS> Get-Forest
PS> Get-ForestDomain
PS> Get-ForestGlobalCatalog # shows DC IPs/servernames
PS> Get-ForestTrust

powerview: find the ACL rights of a group (here 'managers')

# this can take several minutes
PS> Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match 'managers'}
 
# resolve the SID of each ACE on machineadmins to a name, then keep the entries belonging to 'managers'
PS> Get-DomainObjectAcl -Identity machineadmins -ResolveGUIDs | ForEach-Object { $_ | Add-Member NoteProperty "IdentityName" $(Convert-SidToName $_.SecurityIdentifier) -PassThru } | ?{$_.IdentityName -match 'managers'}