PowerView
Intro
PowerView has long been the de-facto tool for domain enumeration. It it part of the PowerSploit project:
Domain Enumeration
Import PowerView
Import-Module .\PowerView.ps1
Or:
. .\PowerView.ps1
Get current domain
Get-NetDomain
Get object of another domain
Get-NetDomain -Domain moneycorp.local
Get domain SID for the current domain
Get-DomainSID
Get the domain password policy
Get-DomainPolicy
(Get-DomainPolicy)."System Access"
net accounts
Users Groups and Computers Enumeration
Get Information of domain controller
Get-NetDomainController
Get-NetDomainController | select-object Name
Get information of users in the domain
Get-NetUser
Get-NetUser -Username <username>
Get list of all users
Get-NetUser | select samaccountname
Get list of usernames, last logon and password last set
Get-NetUser | select samaccountname, lastlogon, pwdlastset
Get-NetUser | select samaccountname, lastlogon, pwdlastset | Sort-Object -Property lastlogon
Get list of usernames and their groups
Get-NetUser | select samaccountname, memberof
Get list of all properties for users in the current domain
get-userproperty -Properties pwdlastset
Get descripton field from the user
Find-UserField -SearchField Description -SearchTerm "built"
Get-netuser | Select-Object samaccountname,description
Get computer information
Get-NetComputer
Get-NetComputer -FullData
Get-NetComputer -Computername <computername> -FullData
Get computers with operating system "Server 2016"
Get-NetComputer -OperatingSystem "*Server 2016*"
Get list of all computer names and operating systems
Get-NetComputer -fulldata | select samaccountname, operatingsystem, operatingsystemversion
List all groups of the domain
Get-NetGroup
Get-NetGroup -GroupName *admin*
Get-NetGroup -Domain <domain>
Get all the members of the group
Get-NetGroupMember -Groupname "Domain Admins" -Recurse
Get-NetGroupMember -Groupname "Domain Admins" -Recurse | select MemberName
Get the group membership of a user
Get-NetGroup -Username <username>
List all the local groups on a machine (needs admin privs on non dc machines)
Get-NetlocalGroup -Computername <computername> -ListGroups
Get Member of all the local groups on a machine (needs admin privs on non dc machines)
Get-NetlocalGroup -Computername <computername> -Recurse
Get actively logged users on a computer (needs local admin privs)
Get-NetLoggedon -Computername <computername>
Get locally logged users on a computer (needs remote registry rights on the target)
Get-LoggedonLocal -Computername <computername>
Get the last logged users on a computer (needs admin rights and remote registary on the target)
Get-LastLoggedOn -ComputerName <computername>
Shares Enumeration
Find shared on hosts in the current domain
Invoke-ShareFinder -Verbose
Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC
Find sensitive files on computers in the domain
Invoke-FileFinder -Verbose
Get all fileservers of the domain
Get-NetFileServer
GPO Enumeration
Get list of GPO's in the current domain
Get-NetGPO
Get-NetGPO -Computername <computername>
Get GPO's which uses restricteds groups or groups.xml for interesting users
Get-NetGPOGroup
Get users which are in a local group of a machine using GPO
Find-GPOComputerAdmin -Computername <computername>
Get machines where the given user is member of a specific group
Find-GPOLocation -Username student244 -Verbose
Get OU's in a domain
Get-NetOU -Fulldata
Get machines that are part of an OU
Get-NetOU StudentMachines | %{Get-NetComputer -ADSPath $_}
Get GPO applied on an OU
Get-NetGPO -GPOname "{<gplink>}"
ACL Enumeration
Get the ACL's associated with the specified object
Get-ObjectACL -SamAccountName <accountname> -ResolveGUIDS
Get the ACL's associated with the specified prefix to be used for search
Get-ObjectACL -ADSprefix βCN=Administrator,CN=Usersβ -Verbose
Get the ACL's associated with the specified path
Get-PathAcl -Path \\<Domain controller>\sysvol
Search for interesting ACL's
Invoke-ACLScanner -ResolveGUIDs
Invoke-ACLScanner -ResolveGUIDs | select IdentityReference, ObjectDN, ActiveDirectoryRights | fl
Search of interesting ACL's for the current user
Invoke-ACLScanner | Where-Object {$_.IdentityReference βeq [System.Security.Principal.WindowsIdentity]::GetCurrent().Name}
Domain Trust Enumeration
Get a list of all the domain trusts for the current domain
Get-NetDomainTrust
Get details about the forest
Get-NetForest
Get all domains in the forest
Get-NetForestDomain
Get-NetforestDomain -Forest <domain name>
Get global catalogs for the current forest
Get-NetForestCatalog
Get-NetForestCatalog -Forest <domain name>
Map trusts of a forest
Get-NetForestTrust
Get-NetForestTrust -Forest <domain name>
Get-NetForestDomain -Verbose | Get-NetDomainTrust
User Hunting
Find all machines on the current domain where the current user has local admin access
Find-LocalAdminAccess -Verbose
Find local admins on all machines of the domain (needs administrator privs on non-dc machines)
Invoke-EnumerateLocalAdmin -Verbose
Find Computers where a domain admin (or specified user/group) has session
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
To confirm admin access:
Invoke-UserHunter -CheckAccess
Find computers where a domain admin is logged-in
Invoke-UserHunter -Stealth
This option queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember
, gets a list of high traffic servers (DC, File Servers and Distributed File servers) for less traffic generation and list sessions and logged on users (Get-NetSesssion
/ Get-NetLoggedon
) from each machine.
Defense
Most of the enumeration mixes really well with the normal traffic to the DC. Hardening can be done on the DC (or other machines) to contain the information provided by the queried machine. Let's have a look at defending against one of the most lethal enumeration techiques: user hunting.
Netcease is a script which changes permissions on the NetSEssionEnum method by removing permission for Authenticated Users group. This fails many of the attacker's session enumeration and hence user hunting capabilities:
.\NetCease.ps1
Another interesting script from the same author is SAMRi10 which hardens Windows 10 and Server 2016 against enumeration which uses SAMR protocol (like net.exe).
Last updated
Was this helpful?