PowerView
PowerView is a tool written in PowerShell to help us gain situational awareness within an Active Directory environment.
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
Like BloodHound, it provides a way to identify where users are logged in on a network. WE can enumerate domain information such as users, computers, groups, Access-Control Lists (ACLs), trusts, shares, and passwords.
Domain User Information
PS C:\htb> Get-DomainUser -Identity mmorgan -Domain inlanefreight.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,useraccountcontrol
name : Matthew Morgan
samaccountname : mmorgan
description :
memberof : {CN=VPN Users,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL, CN=Shared Calendar
Read,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL, CN=Printer Access,OU=Security
Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL, CN=File Share H Drive,OU=Security
Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL...}
whencreated : 10/27/2021 5:37:06 PM
pwdlastset : 11/18/2021 10:02:57 AM
lastlogontimestamp : 2/27/2022 6:34:25 PM
accountexpires : NEVER
admincount : 1
userprincipalname : [email protected]
serviceprincipalname :
mail :
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD, DONT_REQ_PREAUTH
Recursive Group Membership
PS C:\htb> Get-DomainGroupMember -Identity "Domain Admins" -Recurse
GroupDomain : INLANEFREIGHT.LOCAL
GroupName : Domain Admins
GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
MemberDomain : INLANEFREIGHT.LOCAL
MemberName : svc_qualys
MemberDistinguishedName : CN=svc_qualys,OU=Service Accounts,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
MemberObjectClass : user
MemberSID : S-1-5-21-3842939050-3880317879-2865463114-5613
GroupDomain : INLANEFREIGHT.LOCAL
GroupName : Domain Admins
GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
MemberDomain : INLANEFREIGHT.LOCAL
MemberName : sp-admin
MemberDistinguishedName : CN=Sharepoint Admin,OU=Service Accounts,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
MemberObjectClass : user
MemberSID : S-1-5-21-3842939050-3880317879-2865463114-5228
GroupDomain : INLANEFREIGHT.LOCAL
GroupName : Secadmins
GroupDistinguishedName : CN=Secadmins,OU=Security Groups,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
MemberDomain : INLANEFREIGHT.LOCAL
MemberName : spong1990
MemberDistinguishedName : CN=Maggie
Jablonski,OU=Operations,OU=Logistics-HK,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL
MemberObjectClass : user
MemberSID : S-1-5-21-3842939050-3880317879-2865463114-1965
Trust Enumeration
PS C:\htb> Get-DomainTrustMapping
SourceName : INLANEFREIGHT.LOCAL
TargetName : LOGISTICS.INLANEFREIGHT.LOCAL
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection : Bidirectional
WhenCreated : 11/1/2021 6:20:22 PM
WhenChanged : 2/26/2022 11:55:55 PM
SourceName : INLANEFREIGHT.LOCAL
TargetName : FREIGHTLOGISTICS.LOCAL
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : FOREST_TRANSITIVE
TrustDirection : Bidirectional
WhenCreated : 11/1/2021 8:07:09 PM
WhenChanged : 2/27/2022 12:02:39 AM
SourceName : LOGISTICS.INLANEFREIGHT.LOCAL
TargetName : INLANEFREIGHT.LOCAL
TrustType : WINDOWS_ACTIVE_DIRECTORY
TrustAttributes : WITHIN_FOREST
TrustDirection : Bidirectional
WhenCreated : 11/1/2021 6:20:22 PM
WhenChanged : 2/26/2022 11:55:55 PM
Testing for Local Admin Access
PS C:\htb> Test-AdminAccess -ComputerName ACADEMY-EA-MS01
ComputerName IsAdmin
------------ -------
ACADEMY-EA-MS01 True
Finding Users With SPN Set
PS C:\htb> Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName
serviceprincipalname samaccountname
-------------------- --------------
adfsconnect/azure01.inlanefreight.local adfs
backupjob/veam001.inlanefreight.local backupagent
d0wngrade/kerberoast.inlanefreight.local d0wngrade
kadmin/changepw krbtgt
MSSQLSvc/DEV-PRE-SQL.inlanefreight.local:1433 sqldev
MSSQLSvc/SPSJDB.inlanefreight.local:1433 sqlprod
MSSQLSvc/SQL-CL01-01inlanefreight.local:49351 sqlqa
sts/inlanefreight.local solarwindsmonitor
testspn/kerberoast.inlanefreight.local testspn
testspn2/kerberoast.inlanefreight.local testspn2
Command
Description
Export-PowerViewCSV
Append results to a CSV file
ConvertTo-SID
Convert a User or group name to its SID value
Get-DomainSPNTicket
Requests the Kerberos ticket for a specified Service Principal Name (SPN) account
Domain/LDAP Functions:
Get-Domain
Will return the AD object for the current (or specified) domain
Get-DomainController
Return a list of the Domain Controllers for the specified domain
Get-DomainUser
Will return all users or specific user objects in AD
Get-DomainComputer
Will return all computers or specific computer objects in AD
Get-DomainGroup
Will return all groups or specific group objects in AD
Get-DomainOU
Search for all or specific OU objects in AD
Find-InterestingDomainAcl
Finds object ACLs in the domain with modification rights set to non-built in objects
Get-DomainGroupMember
Will return the members of a specific domain group
Get-DomainFileServer
Returns a list of servers likely functioning as file servers
Get-DomainDFSShare
Returns a list of all distributed file systems for the current (or specified) domain
GPO Functions:
Get-DomainGPO
Will return all GPOs or specific GPO objects in AD
Get-DomainPolicy
Returns the default domain policy or the domain controller policy for the current domain
Computer Enumeration Functions:
Get-NetLocalGroup
Enumerates local groups on the local or a remote machine
Get-NetLocalGroupMember
Enumerates members of a specific local group
Get-NetShare
Returns open shares on the local (or a remote) machine
Get-NetSession
Will return session information for the local (or a remote) machine
Test-AdminAccess
Tests if the current user has administrative access to the local (or a remote) machine
Threaded 'Meta'-Functions:
Find-DomainUserLocation
Finds machines where specific users are logged in
Find-DomainShare
Finds reachable shares on domain machines
Find-InterestingDomainShareFile
Searches for files matching specific criteria on readable shares in the domain
Find-LocalAdminAccess
Find machines on the local domain where the current user has local administrator access
Domain Trust Functions:
Get-DomainTrust
Returns domain trusts for the current domain or a specified domain
Get-ForestTrust
Returns all forest trusts for the current forest or a specified forest
Get-DomainForeignUser
Enumerates users who are in groups outside of the user's domain
Get-DomainForeignGroupMember
Enumerates groups with users outside of the group's domain and returns each foreign member
Get-DomainTrustMapping
Will enumerate all trusts for the current domain and any others seen.
Last updated