{"id":1284,"date":"2020-04-25T10:29:32","date_gmt":"2020-04-25T08:29:32","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=1284"},"modified":"2024-09-08T15:34:21","modified_gmt":"2024-09-08T13:34:21","slug":"powersploit-powerview","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=1284","title":{"rendered":"PowerSploit \/ PowerView"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Col\u00adlec\u00adtion of privsec scripts. To start, upload <a href=\"https:\/\/github.com\/PowerShellMafia\/PowerSploit\/blob\/dev\/Recon\/PowerView.ps1\">PowerView.ps1<\/a> and:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">powershell -exec bypass\nPS&gt; Import-Module .\\PowerView.ps1<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/PowerShellMafia\/PowerSploit\/tree\/master\/Recon\">See the github site for all commands.<\/a><\/p>\n\n\n\n<h1 class=\"wp-block-heading\">General enumeration<\/h1>\n\n\n\n<pre class=\"wp-block-preformatted\">powershell -exec bypass\nPS&gt; . .\\PowerUp.ps1\nPS&gt; Invoke-AllChecks<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Or:<\/p>\n\n\n\n<pre id=\"block-ed28c5a9-abab-465c-b7fd-240c654fb92a\" class=\"wp-block-preformatted\">powershell.exe -c \"Import-Module .\\PowerUp.ps1; Invoke-AllChecks\"<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">About users<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Enu\u00admer\u00adates all&nbsp;users.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Get-NetUser<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Enu\u00admer\u00adate all users which does not require Ker\u00adberos preauth.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If there is any user list\u00aded, go AS-REP-roast them!<\/li>\n\n\n\n<li>If there is no user list\u00aded: If you have Gener\u00adicWrite or Gener\u00adi\u00adcAll per\u00admis\u00adsions on anoth\u00ader <span class=\"caps\">AD<\/span> user account, try to use this priv\u00adi\u00adlege to dis\u00adable Ker\u00adberos preau\u00adthen\u00adti\u00adca\u00adtion. Repeat this step afterwards.<\/li>\n<\/ul>\n\n\n\n<pre class=\"wp-block-preformatted\">Get-NetUser -PreauthNotRequired<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Returns prop\u00ader\u00adties for all users (if some are&nbsp;set)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Get-UserProperty<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Obtain a list of cur\u00adrent\u00adly logged on&nbsp;users<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Get-NetLoggedon [-ComputerName $name]<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get all active ses\u00adsions against the pre\u00advi\u00adous found Domain Con\u00adtroller dc01<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Get-NetSession -ComputerName dc01<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Returns the Domain Admins<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Get-NetGroupMember<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Get the last login and pass\u00adword change date:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Get-NetUser | select cn,pwdlastset,lastlogon<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">About groups<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Returns all local groups<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Get-NetLocalGroup<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Returns all groups<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Get-NetGroup<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Returns mem\u00adbers of a&nbsp;group<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Get-NetGroupMember $groupName<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Returns all orga\u00adni\u00adza\u00adtion\u00adal units. (!= groups)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Get-NetOU<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Enu\u00admer\u00adates local admins on all domain systems<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Invoke-EnumerateLocalAdmin<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">About computers<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Enu\u00admer\u00adates the forest<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Get-NetForest<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">About the <span class=\"caps\">DC<\/span> of this system.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Get-NetDomainController<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Returns all com\u00adput\u00aders of this domain<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Get-NetComputer<\/pre>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If there are some, try to browse them with\u00adin Pow\u00ader\u00adShell with\u00adout mount\u00ading: <pre>get-childitem \"\\\\$computer\\C$\"<\/pre><\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Enu\u00admer\u00adates all shares in the domain<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Invoke-ShareFinder<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Services<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Shows active <span class=\"caps\">RDP<\/span> sessions<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Get-NetRDPSession<\/pre>\n\n\n\n<h1 class=\"wp-block-heading\">Helpers<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Con\u00advert name into&nbsp;<span class=\"caps\">SID<\/span><\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Convert-NameToSid $name<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Con\u00advert <span class=\"caps\">SID<\/span> into&nbsp;name<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Convert-SidToName $sid<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Con\u00advert CPass\u00adword from Groups.xml in the shared Repli\u00adca\u00adtion direc\u00adto\u00adry: (If this does\u00adn\u2019t work, just <a href=\"https:\/\/github.com\/PowerShellMafia\/PowerSploit\/blob\/dev\/Exfiltration\/Get-GPPPassword.ps1\">copy and past the func\u00adtion from the code <\/a>into the Pow\u00ader\u00adShell con\u00adsole and exe\u00adcute it afterwards.)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">PS&gt; . .\\Get-GPPPassword.ps1\nPS&gt; Get-DecryptedCpassword $cpasswd<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Col\u00adlec\u00adtion of privsec scripts. To start, upload PowerView.ps1 and: pow\u00ader\u00adshell \u2011exec bypass <span class=\"caps\">PS<\/span>&gt; Import-Mod\u00adule .\\PowerView.ps1 See the github site for all com\u00admands. Gen\u00ader\u00adal enu\u00admer\u00ada\u00adtion pow\u00ader\u00adshell \u2011exec bypass <span class=\"caps\">PS<\/span>&gt; . .\\PowerUp.ps1 <span class=\"caps\">PS<\/span>&gt; Invoke-AllChecks Or: powershell.exe \u2011c \u201cImport-Mod\u00adule .\\PowerUp.ps1; Invoke-AllChecks\u201d About users Enu\u00admer\u00adates all&nbsp;users. Get-NetUser Enu\u00admer\u00adate all users which does not require Ker\u00adberos preauth. Get-NetUser \u2011Preau\u00adth\u00adNotRe\u00adquired Returns&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[470,471],"tags":[194,50,219,257,24],"class_list":["post-1284","post","type-post","status-publish","format-standard","hentry","category-active-enum","category-privesc","tag-active-directory","tag-enumeration","tag-powersploit","tag-powerview","tag-windows"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1284","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1284"}],"version-history":[{"count":17,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1284\/revisions"}],"predecessor-version":[{"id":4324,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/1284\/revisions\/4324"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1284"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1284"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1284"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}