# PowerView Active Directory Enumeration Tool Cheat Sheet

## Overview

PowerView is a PowerShell tool written by Will Schroeder (@harmj0y) as part of the PowerSploit framework. It is designed for Active Directory enumeration and exploitation and offers extensive functionality for domain reconnaissance, privilege escalation path discovery and attack vector identification in Windows environments.

**Warning**: This tool is intended only for authorized penetration tests and security assessments. Make sure you have proper authorization before using it in any environment.
## Installation

### PowerSploit Installation

```powershell
# Download PowerSploit
Invoke-WebRequest -Uri "https://github.com/PowerShellMafia/PowerSploit/archive/master.zip" -OutFile "PowerSploit.zip"
Expand-Archive -Path "PowerSploit.zip" -DestinationPath "C:\Tools\"

# Import PowerView
Import-Module C:\Tools\PowerSploit-master\Recon\PowerView.ps1

# Alternative: direct in-memory import
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1')
```

### Standalone PowerView

```powershell
# Download standalone PowerView
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1" -OutFile "PowerView.ps1"

# Import PowerView
Import-Module .\PowerView.ps1

# Or dot-source it directly
. .\PowerView.ps1
```

### Dev Branch (Latest Features)

```powershell
# Download the dev branch (more features)
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1" -OutFile "PowerView-dev.ps1"
Import-Module .\PowerView-dev.ps1
```
## Basic Usage

### Loading the Module and Getting Help

```powershell
# Import PowerView
Import-Module PowerView.ps1

# Get all PowerView commands
Get-Command -Module PowerView

# Get help for a specific function
Get-Help Get-DomainUser -Full

# List PowerView functions by name pattern
Get-Command *-Domain*
Get-Command *-Net*
```

### Basic Domain Information

```powershell
# Get current domain
Get-Domain

# Get domain controllers
Get-DomainController

# Get domain policy
Get-DomainPolicy

# Get domain trusts
Get-DomainTrust

# Get forest information
Get-Forest
```
## Domain Enumeration

### User Enumeration

```powershell
# Get all domain users
Get-DomainUser

# Get a specific user
Get-DomainUser -Identity administrator

# Get users with specific properties
Get-DomainUser -Properties samaccountname,description,pwdlastset

# Get users with an SPN set (Kerberoastable)
Get-DomainUser -SPN

# Get users with pre-authentication disabled (AS-REP roastable)
Get-DomainUser -PreauthNotRequired

# Get privileged users (adminCount=1)
Get-DomainUser -AdminCount

# Get users with passwords not required
Get-DomainUser -PasswordNotRequired
```

### Group Enumeration

```powershell
# Get all domain groups
Get-DomainGroup

# Get a specific group
Get-DomainGroup -Identity "Domain Admins"

# Get group members
Get-DomainGroupMember -Identity "Domain Admins"

# Get groups for a specific user
Get-DomainGroup -UserName administrator

# Get local groups on a machine
Get-NetLocalGroup -ComputerName server01

# Get local group members
Get-NetLocalGroupMember -ComputerName server01 -GroupName Administrators
```

### Computer Enumeration

```powershell
# Get all domain computers
Get-DomainComputer

# Get computers with a specific OS
Get-DomainComputer -OperatingSystem "Server 2019"

# Get computer properties
Get-DomainComputer -Properties dnshostname,operatingsystem,lastlogontimestamp

# Get computers with unconstrained delegation
Get-DomainComputer -UnconstrainedDelegation

# Get computers with constrained delegation
Get-DomainComputer -TrustedToAuth

# Get domain controllers by host name pattern
Get-DomainComputer -Properties dnshostname | Where-Object { $_.dnshostname -like "*dc*" }
```

### Service Principal Name (SPN) Enumeration

```powershell
# Get all SPNs
Get-DomainUser -SPN | Select-Object samaccountname,serviceprincipalname

# Get specific SPN types
Get-DomainUser -SPN | Where-Object { $_.serviceprincipalname -like "*SQL*" }

# Get SPNs for a specific service
Get-DomainUser -SPN | Where-Object { $_.serviceprincipalname -like "*HTTP*" }

# Get unique SPN service classes (the part before the first '/')
Get-DomainUser -SPN | ForEach-Object { $_.serviceprincipalname } | ForEach-Object { $_.split('/')[0] } | Sort-Object -Unique
```
## Network Enumeration

### Session Enumeration

```powershell
# Get sessions on the local machine
Get-NetSession

# Get sessions on a remote machine
Get-NetSession -ComputerName server01

# Get sessions for all domain computers
Get-DomainComputer | ForEach-Object { Get-NetSession -ComputerName $_.dnshostname }

# Get logged-on users
Get-NetLoggedon -ComputerName server01

# Get locally logged-on users
Get-NetLoggedon -ComputerName server01 -LocalOnly
```

### Share Enumeration

```powershell
# Get shares on the local machine
Get-NetShare

# Get shares on a remote machine
Get-NetShare -ComputerName server01

# Get shares for all domain computers
Get-DomainComputer | ForEach-Object { Get-NetShare -ComputerName $_.dnshostname }

# Find interesting shares
Find-DomainShare

# Find readable shares
Find-DomainShare -CheckShareAccess
```

### Process Enumeration

```powershell
# Get processes on a remote machine
Get-NetProcess -ComputerName server01

# Get processes for a specific user
Get-NetProcess -ComputerName server01 | Where-Object { $_.owner -like "*administrator*" }

# Get processes across the domain
Get-DomainComputer | ForEach-Object { Get-NetProcess -ComputerName $_.dnshostname }
```
## Access Control and Permissions

### ACL Enumeration

```powershell
# Get ACLs for a domain object
Get-DomainObjectAcl -Identity "Domain Admins"

# Get ACLs with rights GUIDs resolved to names
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs

# Find interesting ACLs
Find-InterestingDomainAcl

# Get ACLs for a specific user
Get-DomainObjectAcl -Identity administrator -ResolveGUIDs

# Find objects with an ACE for a specific SID
Get-DomainObjectAcl | Where-Object { $_.SecurityIdentifier -eq "S-1-5-21-..." }
```

### Permission Analysis

```powershell
# Find objects modifiable by the current user
Find-InterestingDomainAcl -ResolveGUIDs | Where-Object { $_.IdentityReferenceName -like "*$env:USERNAME*" }

# Find GenericAll permissions
Get-DomainObjectAcl -ResolveGUIDs | Where-Object { $_.ActiveDirectoryRights -like "*GenericAll*" }

# Find WriteDacl permissions
Get-DomainObjectAcl -ResolveGUIDs | Where-Object { $_.ActiveDirectoryRights -like "*WriteDacl*" }

# Find WriteOwner permissions
Get-DomainObjectAcl -ResolveGUIDs | Where-Object { $_.ActiveDirectoryRights -like "*WriteOwner*" }
```
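The filters above match on the `ActiveDirectoryRights` string as PowerView renders it. The following is an added example, written for this page and not PowerView's own code, that shows what sits underneath that string and how an "interesting ACL" review in the spirit of Find-InterestingDomainAcl can be reproduced offline on exported ACEs, so a defender can see which non-admin principals hold take-over rights on an object. Right names and values follow the .NET `System.DirectoryServices.ActiveDirectoryRights` enumeration; every ACE, SID, object and group name below is constructed sample data, and ACE flag handling is reduced to a single assumed `inherit_only` field.

```python
"""Triage exported ACEs for the rights the ACL filters above look for.

Added example, not PowerView code: decode each ACE's access mask, skip
Deny and inherit-only entries, skip principals expected to hold full
control, and report what is left. All sample data is constructed.
"""

# Individual access-mask bits (System.DirectoryServices.ActiveDirectoryRights)
ADS_RIGHTS = {
    "CreateChild": 0x1, "DeleteChild": 0x2, "ListChildren": 0x4, "Self": 0x8,
    "ReadProperty": 0x10, "WriteProperty": 0x20, "DeleteTree": 0x40,
    "ListObject": 0x80, "ExtendedRight": 0x100, "Delete": 0x10000,
    "ReadControl": 0x20000, "WriteDacl": 0x40000, "WriteOwner": 0x80000,
}
# Composite rights the enumeration names explicitly
GENERIC_RIGHTS = {
    "GenericAll": 0xF01FF,
    "GenericWrite": 0x20028,    # ReadControl | WriteProperty | Self
    "GenericRead": 0x20094,     # ReadControl | ReadProperty | ListChildren | ListObject
    "GenericExecute": 0x20004,  # ReadControl | ListChildren
}
# Rights that let the holder rewrite or take over the object
DANGEROUS_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner"}


def decode_rights(mask):
    """Render an access mask the way the flags enumeration prints it."""
    if (mask & GENERIC_RIGHTS["GenericAll"]) == GENERIC_RIGHTS["GenericAll"]:
        return ["GenericAll"]
    names, covered = [], 0
    for name, bits in GENERIC_RIGHTS.items():
        if name != "GenericAll" and (mask & bits) == bits:
            names.append(name)
            covered |= bits
    names += [n for n, b in ADS_RIGHTS.items() if (mask & b) and not (covered & b)]
    return names


def is_privileged_principal(sid):
    """SYSTEM, BUILTIN\\Administrators, Domain Admins (RID 512), Enterprise Admins (RID 519)."""
    if sid in ("S-1-5-18", "S-1-5-32-544"):
        return True
    return sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[-1] in ("512", "519")


def find_interesting_aces(aces):
    """Return Allow ACEs granting dangerous rights to non-privileged principals."""
    findings = []
    for ace in aces:
        # Deny entries and inherit-only entries grant nothing on this object itself
        if ace["type"] != "Allow" or ace["inherit_only"]:
            continue
        if is_privileged_principal(ace["sid"]):
            continue
        rights = decode_rights(ace["rights"])
        if DANGEROUS_RIGHTS & set(rights):
            findings.append({"object": ace["object"], "identity": ace["identity"], "rights": rights})
    return findings


# Constructed sample, one ACE per row, shaped like Get-DomainObjectAcl -ResolveGUIDs output
DA = "CN=Domain Admins,CN=Users,DC=example,DC=local"
SVC = "CN=svc_sql,OU=Service Accounts,DC=example,DC=local"
SAMPLE_ACES = [
    {"object": DA,  "identity": "Domain Admins",       "sid": "S-1-5-21-111-222-333-512",  "rights": 0xF01FF, "type": "Allow", "inherit_only": False},
    {"object": DA,  "identity": "SYSTEM",              "sid": "S-1-5-18",                  "rights": 0xF01FF, "type": "Allow", "inherit_only": False},
    {"object": DA,  "identity": "helpdesk",            "sid": "S-1-5-21-111-222-333-1105", "rights": 0xC0000, "type": "Allow", "inherit_only": False},
    {"object": DA,  "identity": "Authenticated Users", "sid": "S-1-5-11",                  "rights": 0x20014, "type": "Allow", "inherit_only": False},
    {"object": DA,  "identity": "contractors",         "sid": "S-1-5-21-111-222-333-1300", "rights": 0xF01FF, "type": "Deny",  "inherit_only": False},
    {"object": SVC, "identity": "jdoe",                "sid": "S-1-5-21-111-222-333-1201", "rights": 0x20028, "type": "Allow", "inherit_only": False},
    {"object": SVC, "identity": "backup_ops",          "sid": "S-1-5-21-111-222-333-1400", "rights": 0x80000, "type": "Allow", "inherit_only": True},
]

if __name__ == "__main__":
    for f in find_interesting_aces(SAMPLE_ACES):
        print(f"{f['identity']:<12} {', '.join(f['rights']):<22} on {f['object']}")
```

On the sample this reports `helpdesk` (WriteDacl, WriteOwner on Domain Admins) and `jdoe` (GenericWrite on svc_sql); the Domain Admins and SYSTEM entries are expected, the contractors entry is a Deny, and the backup_ops entry is inherit-only. The same logic applied to a real export is the defender's version of the filters above: the output is a list of ACEs to justify or remove.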
## Trust and Forest Enumeration

### Domain Trust Analysis

```powershell
# Get domain trusts
Get-DomainTrust

# Get forest trusts
Get-ForestTrust

# Map domain trusts
Get-DomainTrustMapping

# Get external trusts
Get-DomainTrust -API | Where-Object { $_.trust_type -eq "TRUST_TYPE_EXTERNAL" }

# Get bidirectional trusts
Get-DomainTrust | Where-Object { $_.TrustDirection -eq "Bidirectional" }
```

### Cross-Domain Enumeration

```powershell
# Enumerate users in a trusted domain
Get-DomainUser -Domain trusted.domain.com

# Enumerate groups in a trusted domain
Get-DomainGroup -Domain trusted.domain.com

# Get foreign group members
Get-DomainForeignGroupMember

# Get foreign users
Get-DomainForeignUser
```
## Privilege Escalation Paths

### Local Admin Access

```powershell
# Find local admin access
Find-LocalAdminAccess

# Test local admin access on a specific machine
Test-AdminAccess -ComputerName server01

# Find machines where the current user has local admin
Get-DomainComputer | ForEach-Object { Test-AdminAccess -ComputerName $_.dnshostname }

# Find machines where domain users have local admin
Find-DomainLocalGroupMember -GroupName Administrators
```

### Delegation Analysis

```powershell
# Find unconstrained delegation
Get-DomainComputer -UnconstrainedDelegation

# Find constrained delegation
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

# Find resource-based constrained delegation
Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | Where-Object { $_.ObjectAceType -eq "ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity" }
```

### Kerberoasting Targets

```powershell
# Find Kerberoastable users
Get-DomainUser -SPN

# Get detailed Kerberoasting targets
Get-DomainUser -SPN | Select-Object samaccountname,serviceprincipalname,pwdlastset,lastlogon

# Find high-value Kerberoasting targets
Get-DomainUser -SPN -AdminCount

# Find Kerberoastable users with old passwords
Get-DomainUser -SPN | Where-Object { $_.pwdlastset -lt (Get-Date).AddDays(-365) }
```
## Attack Vector Discovery

### BloodHound Data Collection

```powershell
# Collect data for BloodHound (requires SharpHound)
# PowerView can supplement BloodHound data collection

# Get user sessions for BloodHound
Get-DomainComputer | ForEach-Object {
    $computer = $_.dnshostname
    $sessions = Get-NetSession -ComputerName $computer
    foreach ($session in $sessions) {
        [PSCustomObject]@{
            Computer = $computer
            User     = $session.sesi10_username
            Source   = $session.sesi10_cname
        }
    }
}
```

### Lateral Movement Paths

```powershell
# Find computers with sessions from high-value users
$highValueUsers = Get-DomainGroupMember -Identity "Domain Admins" | Select-Object -ExpandProperty MemberName
Get-DomainComputer | ForEach-Object {
    $computer = $_.dnshostname
    $sessions = Get-NetLoggedon -ComputerName $computer
    foreach ($session in $sessions) {
        if ($highValueUsers -contains $session.wkui1_username) {
            Write-Output "High-value user $($session.wkui1_username) logged on to $computer"
        }
    }
}

# Find where members of Domain Admins are logged on
Find-DomainUserLocation -UserGroupIdentity "Domain Admins"
```
## Advanced Enumeration Techniques

### LDAP Queries

```powershell
# Custom LDAP query: userAccountControl bit 32 (PASSWD_NOTREQD) set
Get-DomainUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))"

# Find users with a description attribute
Get-DomainUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(description=*))"

# Find computers with a specific OS
Get-DomainComputer -LDAPFilter "(&(objectCategory=computer)(operatingSystem=*Server*))"

# Find groups with specific names
Get-DomainGroup -LDAPFilter "(&(objectCategory=group)(name=*admin*))"
```
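The first filter above uses the LDAP bit-AND matching rule (OID 1.2.840.113556.1.4.803) on `userAccountControl`, which is also what the `-PasswordNotRequired`, `-PreauthNotRequired` and delegation switches in the User Enumeration and Kerberoasting Targets sections query for. The following added example, written for this page and not PowerView's code, decodes that attribute offline and triages a constructed list of exported user records the same way, including the FILETIME conversion needed to read `pwdLastSet` from a raw LDAP export. Flag values are the documented `userAccountControl` bits; the account names, SPNs and dates are made up.

```python
"""Decode userAccountControl and triage an exported user list offline.

Added example, not PowerView code. Applies the tests behind the -SPN,
-PreauthNotRequired, -PasswordNotRequired, -UnconstrainedDelegation and
-AdminCount switches to constructed sample records.
"""
from datetime import datetime, timedelta, timezone

# Documented userAccountControl bit values
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,             # unconstrained delegation
    "DONT_REQ_PREAUTH": 0x400000,                  # AS-REP roastable
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,   # constrained delegation, protocol transition
}


def bit_and_match(value, mask):
    """LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803): every bit of mask is set."""
    return (value & mask) == mask


def decode_uac(value):
    """Names of all flags set in a userAccountControl value."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


# pwdLastSet / lastLogon are FILETIMEs: 100-ns intervals since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def triage(users, now, max_password_age_days=365):
    """Group accounts by finding; disabled accounts are skipped since they cannot authenticate."""
    findings = {k: [] for k in ("kerberoastable", "asrep_roastable", "password_not_required",
                                "unconstrained_delegation", "privileged_stale_password")}
    for u in users:
        uac = u["userAccountControl"]
        if bit_and_match(uac, UAC_FLAGS["ACCOUNTDISABLE"]):
            continue
        name = u["samAccountName"]
        if u.get("servicePrincipalName"):
            findings["kerberoastable"].append(name)
        if bit_and_match(uac, UAC_FLAGS["DONT_REQ_PREAUTH"]):
            findings["asrep_roastable"].append(name)
        if bit_and_match(uac, UAC_FLAGS["PASSWD_NOTREQD"]):       # the ":=32" filter above
            findings["password_not_required"].append(name)
        if bit_and_match(uac, UAC_FLAGS["TRUSTED_FOR_DELEGATION"]):
            findings["unconstrained_delegation"].append(name)
        password_age = now - filetime_to_datetime(u["pwdLastSet"])
        if u.get("adminCount") == 1 and password_age > timedelta(days=max_password_age_days):
            findings["privileged_stale_password"].append(name)
    return findings


# Constructed sample data (hypothetical accounts in a hypothetical example.local domain)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def ft_of(year, month, day):
    return datetime_to_filetime(datetime(year, month, day, tzinfo=timezone.utc))


SAMPLE_USERS = [
    {"samAccountName": "svc_sql", "userAccountControl": 0x10200, "adminCount": 1,
     "servicePrincipalName": ["MSSQLSvc/sql01.example.local:1433"], "pwdLastSet": ft_of(2019, 1, 15)},
    {"samAccountName": "jdoe", "userAccountControl": 0x200, "adminCount": 0,
     "servicePrincipalName": [], "pwdLastSet": ft_of(2024, 5, 1)},
    {"samAccountName": "legacy_app", "userAccountControl": 0x400220, "adminCount": 0,
     "servicePrincipalName": [], "pwdLastSet": ft_of(2023, 11, 3)},
    {"samAccountName": "svc_web", "userAccountControl": 0x80200, "adminCount": 0,
     "servicePrincipalName": ["HTTP/web01.example.local"], "pwdLastSet": ft_of(2024, 2, 20)},
    {"samAccountName": "old_admin", "userAccountControl": 0x202, "adminCount": 1,
     "servicePrincipalName": [], "pwdLastSet": ft_of(2015, 6, 1)},
]


def triage_sample():
    return triage(SAMPLE_USERS, NOW)


if __name__ == "__main__":
    for finding, names in triage_sample().items():
        print(f"{finding:<26} {', '.join(names) or '-'}")
```

Run against a real export (for instance the CSVs produced by the assessment script further down, with `userAccountControl` and `pwdLastSet` included in `-Properties`), this gives a defender the same list PowerView's switches would return, without touching a domain controller, and makes it explicit which bit each finding rests on.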
### GPO Enumeration

```powershell
# Get all GPOs
Get-DomainGPO

# Get GPOs applied to a specific OU
Get-DomainGPO -ComputerIdentity "OU=Servers,DC=domain,DC=com"

# Find interesting GPO settings (local group membership set via GPO)
Get-DomainGPOLocalGroup

# Get GPO computer local group settings
Get-DomainGPOComputerLocalGroupMapping

# Find GPOs by display name
Get-DomainGPO | Where-Object { $_.displayname -like "*password*" }
```

### OU and Container Analysis

```powershell
# Get all OUs
Get-DomainOU

# Get objects in a specific OU
Get-DomainComputer -SearchBase "OU=Servers,DC=domain,DC=com"

# Get OU ACLs
Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs

# Find interesting OU permissions
Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | Where-Object { $_.ActiveDirectoryRights -like "*GenericAll*" }
```
## Stealth and Evasion

### Avoiding Detection

```powershell
# Use alternate credentials
$cred = Get-Credential
Get-DomainUser -Credential $cred

# Use a specific domain controller
Get-DomainUser -Server dc02.domain.com

# Limit page size to avoid detection
Get-DomainUser -ResultPageSize 100

# Pin to a specific DC and bound the server-side query time (seconds)
Get-DomainUser -Server dc01.domain.com -ServerTimeLimit 30
```

### Minimal Footprint Enumeration

```powershell
# Essential enumeration with minimal queries
$domain = Get-Domain
$domainAdmins = Get-DomainGroupMember -Identity "Domain Admins"
$spnUsers = Get-DomainUser -SPN
$computers = Get-DomainComputer -Properties dnshostname,operatingsystem

# Targeted enumeration
$targetUsers = @("administrator", "service_account", "backup_admin")
foreach ($user in $targetUsers) {
    Get-DomainUser -Identity $user
}
```
## Automation and Reporting

### Comprehensive Domain Assessment

```powershell
# Comprehensive domain assessment script
param(
    [string]$OutputPath = "C:\Temp\DomainAssessment",
    [string]$Domain = $env:USERDOMAIN
)

# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

Write-Host "[+] Starting comprehensive domain assessment for $Domain"

# Domain information
Write-Host "[+] Gathering domain information..."
Get-Domain | Out-File "$OutputPath\domain_info.txt"
Get-DomainController | Out-File "$OutputPath\domain_controllers.txt"
Get-DomainTrust | Out-File "$OutputPath\domain_trusts.txt"

# User enumeration
Write-Host "[+] Enumerating users..."
Get-DomainUser | Export-Csv "$OutputPath\domain_users.csv" -NoTypeInformation
Get-DomainUser -SPN | Export-Csv "$OutputPath\spn_users.csv" -NoTypeInformation
Get-DomainUser -AdminCount | Export-Csv "$OutputPath\privileged_users.csv" -NoTypeInformation

# Group enumeration
Write-Host "[+] Enumerating groups..."
Get-DomainGroup | Export-Csv "$OutputPath\domain_groups.csv" -NoTypeInformation
Get-DomainGroupMember -Identity "Domain Admins" | Export-Csv "$OutputPath\domain_admins.csv" -NoTypeInformation

# Computer enumeration
Write-Host "[+] Enumerating computers..."
Get-DomainComputer | Export-Csv "$OutputPath\domain_computers.csv" -NoTypeInformation
Get-DomainComputer -UnconstrainedDelegation | Export-Csv "$OutputPath\unconstrained_delegation.csv" -NoTypeInformation

# Share enumeration
Write-Host "[+] Enumerating shares..."
Find-DomainShare | Export-Csv "$OutputPath\domain_shares.csv" -NoTypeInformation

# ACL analysis
Write-Host "[+] Analyzing ACLs..."
Find-InterestingDomainAcl -ResolveGUIDs | Export-Csv "$OutputPath\interesting_acls.csv" -NoTypeInformation

Write-Host "[+] Assessment complete. Results saved to $OutputPath"
```

### Privilege Escalation Path Discovery

```powershell
# Privilege escalation path discovery script
param(
    [string]$TargetUser = "administrator",
    [string]$OutputPath = "C:\Temp\PrivEscPaths"
)

New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

Write-Host "[+] Discovering privilege escalation paths to $TargetUser"

# Find local admin access
Write-Host "[+] Finding local admin access..."
$localAdminAccess = Find-LocalAdminAccess
$localAdminAccess | Out-File "$OutputPath\local_admin_access.txt"

# Find user sessions
Write-Host "[+] Finding user sessions..."
$userSessions = Get-DomainComputer | ForEach-Object {
    $computer = $_.dnshostname
    try {
        $sessions = Get-NetSession -ComputerName $computer -ErrorAction SilentlyContinue
        foreach ($session in $sessions) {
            [PSCustomObject]@{
                Computer = $computer
                User     = $session.sesi10_username
                Source   = $session.sesi10_cname
            }
        }
    } catch {}
}
$userSessions | Export-Csv "$OutputPath\user_sessions.csv" -NoTypeInformation

# Find Kerberoastable users
Write-Host "[+] Finding Kerberoastable users..."
$kerberoastable = Get-DomainUser -SPN
$kerberoastable | Export-Csv "$OutputPath\kerberoastable_users.csv" -NoTypeInformation

# Find delegation opportunities
Write-Host "[+] Finding delegation opportunities..."
$delegation = @()
$delegation += Get-DomainComputer -UnconstrainedDelegation |
    Select-Object @{Name = "Type"; Expression = { "Unconstrained" }}, @{Name = "Object"; Expression = { $_.dnshostname }}
$delegation += Get-DomainUser -TrustedToAuth |
    Select-Object @{Name = "Type"; Expression = { "Constrained" }}, @{Name = "Object"; Expression = { $_.samaccountname }}
$delegation | Export-Csv "$OutputPath\delegation_opportunities.csv" -NoTypeInformation

Write-Host "[+] Privilege escalation path discovery complete"
```

### Network Mapping Script

```powershell
# Network mapping script
param(
    [string]$OutputPath = "C:\Temp\NetworkMapping"
)

New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

Write-Host "[+] Starting network mapping"

# Get all computers
$computers = Get-DomainComputer -Properties dnshostname,operatingsystem

# Map shares
Write-Host "[+] Mapping shares..."
$allShares = @()
foreach ($computer in $computers) {
    try {
        $shares = Get-NetShare -ComputerName $computer.dnshostname -ErrorAction SilentlyContinue
        foreach ($share in $shares) {
            $allShares += [PSCustomObject]@{
                Computer  = $computer.dnshostname
                ShareName = $share.shi1_netname
                ShareType = $share.shi1_type
                Remark    = $share.shi1_remark
            }
        }
    } catch {}
}
$allShares | Export-Csv "$OutputPath\network_shares.csv" -NoTypeInformation

# Map sessions
Write-Host "[+] Mapping sessions..."
$allSessions = @()
foreach ($computer in $computers) {
    try {
        $sessions = Get-NetSession -ComputerName $computer.dnshostname -ErrorAction SilentlyContinue
        foreach ($session in $sessions) {
            $allSessions += [PSCustomObject]@{
                Computer = $computer.dnshostname
                User     = $session.sesi10_username
                Source   = $session.sesi10_cname
                Time     = $session.sesi10_time
            }
        }
    } catch {}
}
$allSessions | Export-Csv "$OutputPath\network_sessions.csv" -NoTypeInformation

Write-Host "[+] Network mapping complete"
```
## Integration with Other Tools

### BloodHound Integration

```powershell
# Supplement BloodHound data with PowerView

# Get additional session data
$sessions = Get-DomainComputer | ForEach-Object { Get-NetSession -ComputerName $_.dnshostname }

# Get additional local group data
$localGroups = Get-DomainComputer | ForEach-Object { Get-NetLocalGroupMember -ComputerName $_.dnshostname -GroupName Administrators }

# Export for BloodHound custom queries
$sessions | ConvertTo-Json | Out-File "bloodhound_sessions.json"
$localGroups | ConvertTo-Json | Out-File "bloodhound_localgroups.json"
```

### Mimikatz Integration

```powershell
# Find targets for Mimikatz: machines where high-value users are logged on
$highValueSessions = Get-DomainComputer | ForEach-Object {
    $computer = $_.dnshostname
    $sessions = Get-NetLoggedon -ComputerName $computer
    $sessions | Where-Object { $_.wkui1_username -in @("administrator", "domain admin", "enterprise admin") } |
        ForEach-Object { [PSCustomObject]@{ Computer = $computer; User = $_.wkui1_username } }
}

# Output targets for credential dumping
$highValueSessions | Select-Object Computer, User | Export-Csv "mimikatz_targets.csv" -NoTypeInformation
```

### Empire Integration

```powershell
# Generate a target list for Empire
$targets = Find-LocalAdminAccess
$targets | ForEach-Object {
    Write-Output "usemodule lateral_movement/invoke_psexec"
    Write-Output "set ComputerName $_"
    Write-Output "execute"
}
```
## Troubleshooting

### Common Issues

```powershell
# LDAP query failures
# Check domain connectivity
Test-NetConnection -ComputerName (Get-Domain).PdcRoleOwner -Port 389

# Permission issues
# Check current user context
whoami /groups

# Network connectivity
# Test WMI access
Get-WmiObject -Class Win32_OperatingSystem -ComputerName server01

# DNS resolution
# Test name resolution
Resolve-DnsName domain.com
```

### Debug Mode

```powershell
# Enable verbose output
$VerbosePreference = "Continue"

# Test specific functions
Get-DomainUser -Identity administrator -Verbose

# Check LDAP queries
Get-DomainUser -LDAPFilter "(samaccountname=administrator)" -Verbose
```
## Best Practices

### Operational Security

- **Use legitimate accounts**: Avoid suspicious service accounts
- **Limit queries**: Do not flood domain controllers with requests
- **Use specific targets**: Target specific objects rather than broad enumeration
- **Clean up**: Remove any created objects or modified ACLs
- **Monitor logs**: Be aware of the security events generated

### Enumeration Strategy

```powershell
# Phased approach

# Phase 1: Basic domain information
Get-Domain
Get-DomainController

# Phase 2: User and group enumeration
Get-DomainUser -Properties samaccountname,description
Get-DomainGroup -Properties samaccountname,description

# Phase 3: Privilege analysis
Get-DomainUser -AdminCount
Find-InterestingDomainAcl

# Phase 4: Attack vector identification
Get-DomainUser -SPN
Find-LocalAdminAccess
```
## Resources

- [PowerView GitHub Repository](https://github.com/PowerShellMafia/PowerSploit)
- Harmj0y's Blog
- PowerSploit Documentation
- Active Directory Security
- SpecterOps Blog

---

*This cheat sheet provides a comprehensive reference for using PowerView. Always ensure you have proper authorization before conducting Active Directory security assessments.*