PowerView

PowerView is a PowerShell script for common Active Directory enumeration and exploitation tasks. This article lists some common PowerView enumeration commands.

You can obtain a copy of PowerView here: https://github.com/ZeroDayLab/PowerSploit/blob/master/Recon/PowerView.ps1

There is also a .NET port of PowerView, called SharpView, for cases where running PowerShell isn't an option. It can be downloaded here: https://github.com/tevora-threat/SharpView


ADModule

In addition to the PowerView commands, I've also listed the equivalent commands using Microsoft.ActiveDirectory.Management.dll.

This DLL is created by Microsoft to query Active Directory and is normally installed as part of the Microsoft Remote Server Administration Tools (RSAT). Installing RSAT typically requires administrator privileges, but the DLL can be used on its own.

The benefit of this approach over PowerView is that we are loading a Microsoft-signed binary, which is less likely to be flagged on disk than the PowerView script. Unfortunately, the DLL can't perform all the tasks that PowerView can.

A copy of this DLL can be obtained here: https://github.com/samratashok/ADModule

To access its cmdlets, import it using the following commands:

Import-Module C:\AD\Tools\ADModule-master\Microsoft.ActiveDirectory.Management.dll
Import-Module C:\AD\Tools\ADModule-master\ActiveDirectory\ActiveDirectory.psd1

PowerView Commands

Domain Information

| PowerView Command | ADModule | Purpose |
| --- | --- | --- |
| Get-Domain | Get-ADDomain | Find the current domain |
| Get-DomainSID | (Get-ADDomain).DomainSID | Find the current domain's SID |
| Get-DomainPolicyData; (Get-DomainPolicyData).systemaccess | | Returns the default domain policy or the domain controller policy for the current domain |
| Get-DomainController | Get-ADDomainController | Find the current domain controllers |
| Get-DomainOU | Get-ADOrganizationalUnit -Filter * -Properties * | List organisational units in the domain |

Enumerating Users, Groups & Computers

| PowerView Command | ADModule | Purpose |
| --- | --- | --- |
| Get-DomainUser \| select samaccountname | Get-ADUser -Filter * -Properties * | List users in the current domain |
| Get-DomainComputer | Get-ADComputer -Filter * \| select Name | List computers in the domain |
| Get-DomainGroup \| select Name | Get-ADGroup -Filter * \| select Name | List groups in the domain |
| Get-DomainGroupMember -Identity "Domain Admins" -Recurse | Get-ADGroupMember -Identity "Domain Admins" -Recursive | Find members of the Domain Admins group |
| Get-NetLocalGroup -ComputerName Computer1 -ListGroups | | List local groups on a remote computer (requires admin privileges) |

Domain Trust Enumeration

| PowerView Command | ADModule | Purpose |
| --- | --- | --- |
| Get-NetDomainTrust | Get-ADDomain | Get trusts for the current domain |
| Get-NetForest | Get-ADForest | List forest details |
| Get-NetForestDomain | | List all domains in the forest |
| Get-NetForestTrust | | Map forest trusts |

Share Enumeration

| PowerView Command | Purpose |
| --- | --- |
| Get-NetShare -ComputerName sqlserver | List shares on a machine |
| Invoke-ShareFinder | Search for shares on the network |
| Invoke-FileFinder | Search for files on the network |
| Get-NetFileServer | List file servers in the domain |

User Hunting

| PowerView Command | Purpose |
| --- | --- |
| Get-NetLoggedonLocal -ComputerName Computer1 | Find logged-in users via the Remote Registry service (started by default on Windows Server). Does not require admin privileges. |
| Invoke-UserHunter -CheckAccess | Check whether domain administrators are logged into workstations |

GPO Enumeration

| PowerView Command | Purpose |
| --- | --- |
| Get-DomainGPO | List group policy objects in a domain |
| Get-DomainGPOLocalGroup | Returns all GPOs in a domain that modify local group memberships through 'Restricted Groups' or Group Policy Preferences |

ACL Enumeration

| PowerView Command | Purpose |
| --- | --- |
| Get-DomainObjectAcl -SamAccountName test -ResolveGUIDs | Get the ACL for a specific object |
| Find-InterestingDomainAcl -ResolveGUIDs | Find interesting domain ACLs |

Kerberos Delegation

| PowerView Command | Purpose |
| --- | --- |
| Get-DomainComputer -Unconstrained | Check for unconstrained delegation hosts |
| Get-DomainUser -TrustedToAuth | Check for constrained delegation hosts |
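The table lists no ADModule equivalents for the two delegation checks. The script below is an added example (not part of the original article, PowerView or ADModule) that runs the same LDAP filters PowerView uses through Get-ADComputer and Get-ADObject, so the delegation audit can be done with only the signed DLL imported; it assumes Microsoft.ActiveDirectory.Management.dll has been imported as shown in the ADModule section.

```powershell
# Added example, not from the original article: ADModule equivalents of
# "Get-DomainComputer -Unconstrained" and "Get-DomainUser -TrustedToAuth".
# Assumes Microsoft.ActiveDirectory.Management.dll is already imported.

# Unconstrained delegation = userAccountControl bit TRUSTED_FOR_DELEGATION (0x80000 = 524288).
# Domain controllers (primaryGroupID 516, read-only DCs 521) carry this bit by design and are
# excluded, so anything returned is a member server or workstation that needs reviewing.
$unconstrained = Get-ADComputer `
    -LDAPFilter "(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(primaryGroupID=516))(!(primaryGroupID=521)))" `
    -Properties OperatingSystem, LastLogonDate

# Constrained delegation = msDS-AllowedToDelegateTo populated on any account (user or computer).
# Bit TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000 = 16777216) means "use any authentication
# protocol": protocol transition is enabled, so the front-end user need not authenticate
# with Kerberos for the account to obtain a ticket on their behalf.
$constrained = Get-ADObject `
    -LDAPFilter "(msDS-AllowedToDelegateTo=*)" `
    -Properties samAccountName, userAccountControl, 'msDS-AllowedToDelegateTo'

Write-Host "Unconstrained delegation hosts (excluding domain controllers):"
$unconstrained | Select-Object Name, OperatingSystem, LastLogonDate | Format-Table -AutoSize

Write-Host "Constrained delegation accounts:"
$constrained | ForEach-Object {
    [PSCustomObject]@{
        Account            = $_.samAccountName
        ProtocolTransition = [bool]($_.userAccountControl -band 16777216)
        Targets            = ($_.'msDS-AllowedToDelegateTo' -join ', ')
    }
} | Format-Table -AutoSize
```

Accounts with ProtocolTransition set to True deserve the closest review, since the "any authentication protocol" setting removes the requirement that the delegated user actually authenticated to the front-end service.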

Automating PowerView ACL Enumeration

The PowerShell function below checks, from the context of the current user, for ACLs that grant that user GenericAll or WriteDacl over domain users and groups, and then lists the unconstrained and constrained delegation accounts from the table above.

Function Invoke-ACLChecks {
    # Current user in DOMAIN\user form, which is how ConvertFrom-SID renders resolved SIDs
    $me = "$env:UserDomain\$env:Username"

    # Resolve the ACEs on the piped objects, tag each ACE with the resolved principal name,
    # and keep only those granted to the current user whose rights match $Rights
    Function Get-CurrentUserAces ($Objects, $Rights) {
        $Objects | Get-DomainObjectAcl -ResolveGUIDs |
            ForEach-Object { $_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.Value) -Force; $_ } |
            Where-Object { $_.Identity -eq $me -and $_.ActiveDirectoryRights -match $Rights }
    }

    Write-Host "Checking for GenericAll ACLs"
    Get-CurrentUserAces (Get-DomainUser) "GenericAll"
    Get-CurrentUserAces (Get-DomainGroup) "GenericAll"

    Write-Host "Checking for WriteDacl ACLs"
    Get-CurrentUserAces (Get-DomainUser) "WriteDacl"

    Write-Host "Checking for unconstrained delegation"
    Get-DomainComputer -Unconstrained

    Write-Host "Checking for constrained delegation"
    Get-DomainUser -TrustedToAuth

    Write-Host "Checks done"
}