PowerView

Intro

PowerView has long been the de-facto tool for domain enumeration. It it part of the PowerSploit project:

PowerSploit/PowerView.ps1 at master · PowerShellMafia/PowerSploitGitHub

PowerView.ps1

Any standard user can run PowerView. High-privilege user account is not needed.

Domain Enumeration

Import PowerView

Import-Module .\PowerView.ps1

Or:

. .\PowerView.ps1

Get current domain

Get-NetDomain

Get object of another domain

Get-NetDomain -Domain moneycorp.local

Get domain SID for the current domain

Get-DomainSID

Get the domain password policy

Get-DomainPolicy

(Get-DomainPolicy)."System Access"

net accounts

Users Groups and Computers Enumeration

Get Information of domain controller

Get-NetDomainController

Get-NetDomainController | select-object Name

Get information of users in the domain

Get-NetUser

Get-NetUser -Username <username>

Get list of all users

Get-NetUser | select samaccountname

Get list of usernames, last logon and password last set

Get-NetUser | select samaccountname, lastlogon, pwdlastset

Get-NetUser | select samaccountname, lastlogon, pwdlastset | Sort-Object -Property lastlogon

Get list of usernames and their groups

Get-NetUser | select samaccountname, memberof

Get list of all properties for users in the current domain

get-userproperty -Properties pwdlastset

Get descripton field from the user

Find-UserField -SearchField Description -SearchTerm "built"
Get-netuser | Select-Object samaccountname,description

Get computer information

Get-NetComputer

Get-NetComputer -FullData

Get-NetComputer -Computername <computername> -FullData

Get computers with operating system "Server 2016"

Get-NetComputer -OperatingSystem "*Server 2016*"

Get list of all computer names and operating systems

Get-NetComputer -fulldata | select samaccountname, operatingsystem, operatingsystemversion

List all groups of the domain

Get-NetGroup

Get-NetGroup -GroupName *admin*

Get-NetGroup -Domain <domain>

Get all the members of the group

Get-NetGroupMember -Groupname "Domain Admins" -Recurse

Get-NetGroupMember -Groupname "Domain Admins" -Recurse | select MemberName

Get the group membership of a user

Get-NetGroup -Username <username>

List all the local groups on a machine (needs admin privs on non dc machines)

Get-NetlocalGroup -Computername <computername> -ListGroups

Get Member of all the local groups on a machine (needs admin privs on non dc machines)

Get-NetlocalGroup -Computername <computername> -Recurse

Get actively logged users on a computer (needs local admin privs)

Get-NetLoggedon -Computername <computername>

Get locally logged users on a computer (needs remote registry rights on the target)

Get-LoggedonLocal -Computername <computername>

Get the last logged users on a computer (needs admin rights and remote registary on the target)

Get-LastLoggedOn -ComputerName <computername>

Shares Enumeration

Find shared on hosts in the current domain

Invoke-ShareFinder -Verbose

Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC

Find sensitive files on computers in the domain

Invoke-FileFinder -Verbose

Get all fileservers of the domain

Get-NetFileServer

GPO Enumeration

Get list of GPO's in the current domain

Get-NetGPO

Get-NetGPO -Computername <computername>

Get GPO's which uses restricteds groups or groups.xml for interesting users

Get-NetGPOGroup

Get users which are in a local group of a machine using GPO

Find-GPOComputerAdmin -Computername <computername>

Get machines where the given user is member of a specific group

Find-GPOLocation -Username student244 -Verbose

Get OU's in a domain

Get-NetOU -Fulldata

Get machines that are part of an OU

Get-NetOU StudentMachines | %{Get-NetComputer -ADSPath $_}

Get GPO applied on an OU

Get-NetGPO -GPOname "{<gplink>}"

ACL Enumeration

Get the ACL's associated with the specified object

Get-ObjectACL -SamAccountName <accountname> -ResolveGUIDS

Get the ACL's associated with the specified prefix to be used for search

Get-ObjectACL -ADSprefix ‘CN=Administrator,CN=Users’ -Verbose

Get the ACL's associated with the specified path

Get-PathAcl -Path \\<Domain controller>\sysvol

Search for interesting ACL's

Invoke-ACLScanner -ResolveGUIDs

Invoke-ACLScanner -ResolveGUIDs | select IdentityReference, ObjectDN, ActiveDirectoryRights | fl

Search of interesting ACL's for the current user

Invoke-ACLScanner | Where-Object {$_.IdentityReference –eq [System.Security.Principal.WindowsIdentity]::GetCurrent().Name}

Domain Trust Enumeration

Get a list of all the domain trusts for the current domain

Get-NetDomainTrust

Get details about the forest

Get-NetForest

Get all domains in the forest

Get-NetForestDomain

Get-NetforestDomain -Forest <domain name>

Get global catalogs for the current forest

Get-NetForestCatalog

Get-NetForestCatalog -Forest <domain name>

Map trusts of a forest

Get-NetForestTrust

Get-NetForestTrust -Forest <domain name>

Get-NetForestDomain -Verbose | Get-NetDomainTrust

User Hunting

Find all machines on the current domain where the current user has local admin access

Find-LocalAdminAccess -Verbose

Find local admins on all machines of the domain (needs administrator privs on non-dc machines)

Invoke-EnumerateLocalAdmin -Verbose

Find Computers where a domain admin (or specified user/group) has session

Invoke-UserHunter

Invoke-UserHunter -GroupName "RDPUsers"

To confirm admin access:

Invoke-UserHunter -CheckAccess

Find computers where a domain admin is logged-in

Invoke-UserHunter -Stealth

This option queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of high traffic servers (DC, File Servers and Distributed File servers) for less traffic generation and list sessions and logged on users (Get-NetSesssion / Get-NetLoggedon) from each machine.

Defense

Most of the enumeration mixes really well with the normal traffic to the DC. Hardening can be done on the DC (or other machines) to contain the information provided by the queried machine. Let's have a look at defending against one of the most lethal enumeration techiques: user hunting.

Netcease is a script which changes permissions on the NetSEssionEnum method by removing permission for Authenticated Users group. This fails many of the attacker's session enumeration and hence user hunting capabilities:

.\NetCease.ps1

Another interesting script from the same author is SAMRi10 which hardens Windows 10 and Server 2016 against enumeration which uses SAMR protocol (like net.exe).