PowerView
Intro
PowerView has long been the de-facto tool for domain enumeration. It it part of the PowerSploit project:
Any standard user can run PowerView. High-privilege user account is not needed.
Domain Enumeration
Import PowerView
Or:
Get current domain
Get object of another domain
Get domain SID for the current domain
Get the domain password policy
Users Groups and Computers Enumeration
Get Information of domain controller
Get information of users in the domain
Get list of all users
Get list of usernames, last logon and password last set
Get list of usernames and their groups
Get list of all properties for users in the current domain
Get descripton field from the user
Get computer information
Get computers with operating system "Server 2016"
Get list of all computer names and operating systems
List all groups of the domain
Get all the members of the group
Get the group membership of a user
List all the local groups on a machine (needs admin privs on non dc machines)
Get Member of all the local groups on a machine (needs admin privs on non dc machines)
Get actively logged users on a computer (needs local admin privs)
Get locally logged users on a computer (needs remote registry rights on the target)
Get the last logged users on a computer (needs admin rights and remote registary on the target)
Shares Enumeration
Find shared on hosts in the current domain
Find sensitive files on computers in the domain
Get all fileservers of the domain
GPO Enumeration
Get list of GPO's in the current domain
Get GPO's which uses restricteds groups or groups.xml for interesting users
Get users which are in a local group of a machine using GPO
Get machines where the given user is member of a specific group
Get OU's in a domain
Get machines that are part of an OU
Get GPO applied on an OU
ACL Enumeration
Get the ACL's associated with the specified object
Get the ACL's associated with the specified prefix to be used for search
Get the ACL's associated with the specified path
Search for interesting ACL's
Search of interesting ACL's for the current user
Domain Trust Enumeration
Get a list of all the domain trusts for the current domain
Get details about the forest
Get all domains in the forest
Get global catalogs for the current forest
Map trusts of a forest
User Hunting
Find all machines on the current domain where the current user has local admin access
Find local admins on all machines of the domain (needs administrator privs on non-dc machines)
Find Computers where a domain admin (or specified user/group) has session
To confirm admin access:
Find computers where a domain admin is logged-in
This option queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of high traffic servers (DC, File Servers and Distributed File servers) for less traffic generation and list sessions and logged on users (Get-NetSesssion / Get-NetLoggedon) from each machine.
Defense
Most of the enumeration mixes really well with the normal traffic to the DC. Hardening can be done on the DC (or other machines) to contain the information provided by the queried machine. Let's have a look at defending against one of the most lethal enumeration techiques: user hunting.
Netcease is a script which changes permissions on the NetSEssionEnum method by removing permission for Authenticated Users group. This fails many of the attacker's session enumeration and hence user hunting capabilities:
Another interesting script from the same author is SAMRi10 which hardens Windows 10 and Server 2016 against enumeration which uses SAMR protocol (like net.exe).
Last updated
