🔭PowerView

PowerView is a tool written in PowerShell to help us gain situational awareness within an AD environment

PowerView

Enumerating & Retrieving Password Policies

Code

import-module .\PowerView.ps1

Get-DomainPolicy

Example

Unicode        : @{Unicode=yes}
SystemAccess   : @{MinimumPasswordAge=1; MaximumPasswordAge=-1; MinimumPasswordLength=8; PasswordComplexity=1;
                 PasswordHistorySize=24; LockoutBadCount=5; ResetLockoutCount=30; LockoutDuration=30;
                 RequireLogonToChangePassword=0; ForceLogoffWhenHourExpire=0; ClearTextPassword=0;
                 LSAAnonymousNameLookup=0}
KerberosPolicy : @{MaxTicketAge=10; MaxRenewAge=7; MaxServiceAge=600; MaxClockSkew=5; TicketValidateClient=1}
Version        : @{signature="$CHICAGO$"; Revision=1}
RegistryValues : @{MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=System.Object[]}
Path           : \\example.LOCAL\sysvol\example.LOCAL\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHI
                 NE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
GPOName        : {31B2F340-016D-11D2-945F-00C04FB984F9}
GPODisplayName : Default Domain Policy

Useful Functions

Export-PowerViewCSV

Append results to a CSV file

ConvertTo-SID

Convert a User or group name to its SID value

Get-DomainSPNTicket

Requests the Kerberos ticket for a specified Service Principal Name (SPN) account

Resolve-IPAddress

Resolves a hostname to an IP

Convert-ADName

Converts object names between a variety of formats

ConvertFrom-UACValue

Converts a UAC int value to human readable form

Add-RemoteConnection

Pseudo "mounts" a connection to a remote path using the specified credential object

Remove-RemoteConnection

Destroys a connection created by New-RemoteConnection

Invoke-UserImpersonation

Creates a new "runas /netonly" type logon and impersonates the token

Invoke-RevertToSelf

Reverts any token impersonation

Invoke-Kerberoast

Requests service tickets for kerberoast-able accounts and returns extracted ticket hashes

Get-PathAcl

Get the ACLs for a local/remote file path with optional group recursion

Domain/LDAP Functions

Get-Domain

Will return the AD object for the current (or specified) domain

Get-DomainController

Return a list of the Domain Controllers for the specified domain

Get-DomainUser

Will return all users or specific user objects in AD

Get-DomainComputer

Will return all computers or specific computer objects in AD

Get-DomainGroup

Will return all groups or specific group objects in AD

Get-DomainOU

Search for all or specific OU objects in AD

Find-InterestingDomainAcl

Finds object ACLs in the domain with modification rights set to non-built in objects

Get-DomainGroupMember

Will return the members of a specific domain group

Get-DomainFileServer

Returns a list of servers likely functioning as file servers

Get-DomainDFSShare

Returns a list of all distributed file systems for the current (or specified) domain

GPO Functions

Get-DomainGPO

Will return all GPOs or specific GPO objects in AD

Get-DomainPolicy

Returns the default domain policy or the domain controller policy for the current domain

Computer Enumeration Functions

Get-NetLocalGroup

Enumerates local groups on the local or a remote machine

Get-NetLocalGroupMember

Enumerates members of a specific local group

Get-NetShare

Returns open shares on the local (or a remote) machine

Get-NetSession

Will return session information for the local (or a remote) machine

Test-AdminAccess

Tests if the current user has administrative access to the local (or a remote) machine

Threaded 'Meta'-Functions

Find-DomainUserLocation

Finds machines where specific users are logged in

Find-DomainShare

Finds reachable shares on domain machines

Find-InterestingDomainShareFile

Searches for files matching specific criteria on readable shares in the domain

Find-LocalAdminAccess

Find machines on the local domain where the current user has local administrator access

Domain Trust Functions

Get-DomainTrust

Returns domain trusts for the current domain or a specified domain

Get-ForestTrust

Returns all forest trusts for the current forest or a specified forest

Get-DomainForeignUser

Enumerates users who are in groups outside of the user's domain

Get-DomainForeignGroupMember

Enumerates groups with users outside of the group's domain and returns each foreign member

Get-DomainTrustMapping

Will enumerate all trusts for the current domain and any others seen.

Cheatsheet

https://book.hacktricks.xyz/windows-hardening/basic-powershell-for-pentesters/powerview

PreviousBloodhound NextAD Users

Last updated 3 years ago

hashtagPowerViewarrow-up-right

hashtagEnumerating & Retrieving Password Policies

hashtagUseful Functions

hashtagDomain/LDAP Functions

hashtagGPO Functions

hashtagComputer Enumeration Functions

hashtagThreaded 'Meta'-Functions

hashtagDomain Trust Functions

hashtagCheatsheet