PowerView

Intro

PowerView has long been the de-facto tool for domain enumeration. It it part of the PowerSploit project:

Any standard user can run PowerView. High-privilege user account is not needed.

Domain Enumeration

Import PowerView

Import-Module .\PowerView.ps1

Or:

. .\PowerView.ps1

Get current domain

Get-NetDomain

Get object of another domain

Get-NetDomain -Domain moneycorp.local

Get domain SID for the current domain

Get-DomainSID

Get the domain password policy

Get-DomainPolicy

(Get-DomainPolicy)."System Access"

net accounts

Users Groups and Computers Enumeration

Get Information of domain controller

Get-NetDomainController

Get-NetDomainController | select-object Name

Get information of users in the domain

Get-NetUser

Get-NetUser -Username <username>

Get list of all users

Get-NetUser | select samaccountname

Get list of usernames, last logon and password last set

Get-NetUser | select samaccountname, lastlogon, pwdlastset

Get-NetUser | select samaccountname, lastlogon, pwdlastset | Sort-Object -Property lastlogon

Get list of usernames and their groups

Get-NetUser | select samaccountname, memberof

Get list of all properties for users in the current domain

get-userproperty -Properties pwdlastset

Get descripton field from the user

Find-UserField -SearchField Description -SearchTerm "built"
Get-netuser | Select-Object samaccountname,description

Get computer information

Get-NetComputer

Get-NetComputer -FullData

Get-NetComputer -Computername <computername> -FullData

Get computers with operating system "Server 2016"

Get-NetComputer -OperatingSystem "*Server 2016*"

Get list of all computer names and operating systems

Get-NetComputer -fulldata | select samaccountname, operatingsystem, operatingsystemversion

List all groups of the domain

Get-NetGroup

Get-NetGroup -GroupName *admin*

Get-NetGroup -Domain <domain>

Get all the members of the group

Get-NetGroupMember -Groupname "Domain Admins" -Recurse

Get-NetGroupMember -Groupname "Domain Admins" -Recurse | select MemberName

Get the group membership of a user

Get-NetGroup -Username <username>

List all the local groups on a machine (needs admin privs on non dc machines)

Get-NetlocalGroup -Computername <computername> -ListGroups

Get Member of all the local groups on a machine (needs admin privs on non dc machines)

Get-NetlocalGroup -Computername <computername> -Recurse

Get actively logged users on a computer (needs local admin privs)

Get-NetLoggedon -Computername <computername>

Get locally logged users on a computer (needs remote registry rights on the target)

Get-LoggedonLocal -Computername <computername>

Get the last logged users on a computer (needs admin rights and remote registary on the target)

Get-LastLoggedOn -ComputerName <computername>

Shares Enumeration

Find shared on hosts in the current domain

Invoke-ShareFinder -Verbose

Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC

Find sensitive files on computers in the domain

Invoke-FileFinder -Verbose

Get all fileservers of the domain

Get-NetFileServer

GPO Enumeration

Get list of GPO's in the current domain

Get-NetGPO

Get-NetGPO -Computername <computername>

Get GPO's which uses restricteds groups or groups.xml for interesting users

Get-NetGPOGroup

Get users which are in a local group of a machine using GPO

Find-GPOComputerAdmin -Computername <computername>

Get machines where the given user is member of a specific group

Find-GPOLocation -Username student244 -Verbose

Get OU's in a domain

Get-NetOU -Fulldata

Get machines that are part of an OU

Get-NetOU StudentMachines | %{Get-NetComputer -ADSPath $_}

Get GPO applied on an OU

Get-NetGPO -GPOname "{<gplink>}"

ACL Enumeration

Get the ACL's associated with the specified object

Get-ObjectACL -SamAccountName <accountname> -ResolveGUIDS

Get the ACL's associated with the specified prefix to be used for search

Get-ObjectACL -ADSprefix ‘CN=Administrator,CN=Users’ -Verbose

Get the ACL's associated with the specified path

Get-PathAcl -Path \\<Domain controller>\sysvol

Search for interesting ACL's

Invoke-ACLScanner -ResolveGUIDs

Invoke-ACLScanner -ResolveGUIDs | select IdentityReference, ObjectDN, ActiveDirectoryRights | fl

Search of interesting ACL's for the current user

Invoke-ACLScanner | Where-Object {$_.IdentityReference –eq [System.Security.Principal.WindowsIdentity]::GetCurrent().Name}

Domain Trust Enumeration

Get a list of all the domain trusts for the current domain

Get-NetDomainTrust

Get details about the forest

Get-NetForest

Get all domains in the forest

Get-NetForestDomain

Get-NetforestDomain -Forest <domain name>

Get global catalogs for the current forest

Get-NetForestCatalog

Get-NetForestCatalog -Forest <domain name>

Map trusts of a forest

Get-NetForestTrust

Get-NetForestTrust -Forest <domain name>

Get-NetForestDomain -Verbose | Get-NetDomainTrust

User Hunting

Find all machines on the current domain where the current user has local admin access

Find-LocalAdminAccess -Verbose

Find local admins on all machines of the domain (needs administrator privs on non-dc machines)

Invoke-EnumerateLocalAdmin -Verbose

Find Computers where a domain admin (or specified user/group) has session

Invoke-UserHunter

Invoke-UserHunter -GroupName "RDPUsers"

To confirm admin access:

Invoke-UserHunter -CheckAccess

Find computers where a domain admin is logged-in

Invoke-UserHunter -Stealth

This option queries the DC of the current or provided domain for members of the given group (Domain Admins by default) using Get-NetGroupMember, gets a list of high traffic servers (DC, File Servers and Distributed File servers) for less traffic generation and list sessions and logged on users (Get-NetSesssion / Get-NetLoggedon) from each machine.

Defense

Most of the enumeration mixes really well with the normal traffic to the DC. Hardening can be done on the DC (or other machines) to contain the information provided by the queried machine. Let's have a look at defending against one of the most lethal enumeration techiques: user hunting.

Netcease is a script which changes permissions on the NetSEssionEnum method by removing permission for Authenticated Users group. This fails many of the attacker's session enumeration and hence user hunting capabilities:

.\NetCease.ps1

Another interesting script from the same author is SAMRi10 which hardens Windows 10 and Server 2016 against enumeration which uses SAMR protocol (like net.exe).

PreviousManual Enumeration NextBloodHound

Last updated 3 years ago

hashtagIntro

hashtagDomain Enumeration

hashtagImport PowerView

hashtagGet current domain

hashtagGet object of another domain

hashtagGet domain SID for the current domain

hashtagGet the domain password policy

hashtagUsers Groups and Computers Enumeration

hashtagGet Information of domain controller

hashtagGet information of users in the domain

hashtagGet list of all users

hashtagGet list of usernames, last logon and password last set

hashtagGet list of usernames and their groups

hashtagGet list of all properties for users in the current domain

hashtagGet descripton field from the user

hashtagGet computer information

hashtagGet computers with operating system "Server 2016"

hashtagGet list of all computer names and operating systems

hashtagList all groups of the domain

hashtagGet all the members of the group

hashtagGet the group membership of a user

hashtagList all the local groups on a machine (needs admin privs on non dc machines)

hashtagGet Member of all the local groups on a machine (needs admin privs on non dc machines)

hashtagGet actively logged users on a computer (needs local admin privs)

hashtagGet locally logged users on a computer (needs remote registry rights on the target)

hashtagGet the last logged users on a computer (needs admin rights and remote registary on the target)

hashtagShares Enumeration

hashtagFind shared on hosts in the current domain

hashtagFind sensitive files on computers in the domain

hashtagGet all fileservers of the domain

hashtagGPO Enumeration

hashtagGet list of GPO's in the current domain

hashtagGet GPO's which uses restricteds groups or groups.xml for interesting users

hashtagGet users which are in a local group of a machine using GPO

hashtagGet machines where the given user is member of a specific group

hashtagGet OU's in a domain

hashtagGet machines that are part of an OU

hashtagGet GPO applied on an OU

hashtagACL Enumeration

hashtagGet the ACL's associated with the specified object

hashtagGet the ACL's associated with the specified prefix to be used for search

hashtagGet the ACL's associated with the specified path

hashtagSearch for interesting ACL's

hashtagSearch of interesting ACL's for the current user

hashtagDomain Trust Enumeration

hashtagGet a list of all the domain trusts for the current domain

hashtagGet details about the forest

hashtagGet all domains in the forest

hashtagGet global catalogs for the current forest

hashtagMap trusts of a forest

hashtagUser Hunting

hashtagFind all machines on the current domain where the current user has local admin access

hashtagFind local admins on all machines of the domain (needs administrator privs on non-dc machines)

hashtagFind Computers where a domain admin (or specified user/group) has session

hashtagFind computers where a domain admin is logged-in

hashtagDefense