OSCP Blog Series – OSCP Cheatsheet – PowerView Commands
The reason for adding PowerView commands to the OSCP Blog Series is that Offensive Security has added an Active Directory Attacks module to PWK 2020. That is exciting, because Active Directory is one of the most interesting areas to audit. During a Red Team assessment, the AD environment is bread and butter for the attacker: it provides everything an attacker needs to compromise a corporate network.
Offensive Security added this in OSCP 2.0 (PWK 2020), including labs to practice Active Directory attacks. This is one of the most valuable additions to PWK 2020, as it adds real value to the OSCP certification. Apart from this, they have also added new modules, exercises, labs and enhancements in PWK 2020. In coming posts I will cover the areas added in PWK 2020 that Offensive Security has already made public.
Note: the PWK 2020 course/lab has a lot of perks as well as some gaps. I will cover both the perks and the gaps in future posts.
PowerView is a PowerShell utility for gaining network situational awareness on Windows domains. It uses PowerShell AD hooks and the underlying Win32 API functions to perform useful Windows domain enumeration. It is full of powerful functions that play a critical role for penetration testers and red teamers performing security assessments in an AD environment.
The functions can be broadly categorized as:
- Misc Functions
- Domain Trust Functions
- GPO functions
- net * Functions
- Meta Functions
- User-Hunting Functions
Considering AD attacks, PowerView is a ready-to-go utility for enumerating the complete environment. I will not cover all the basics here, as that would need a separate blog series, and there are already a lot of good blogs available online for that. Instead I will wrap things up with useful PowerView commands that can be used as a cheat-sheet during a Red Team assessment or while working in your OSCP labs.
The most up-to-date version of PowerView can be downloaded from the official GitHub repository:
https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1
A short note: before running any PowerView command you need to import the module in PowerShell with one of the following:

```powershell
Import-Module .\PowerView.ps1
Import-Module PowerView.ps1
```
Basic Enumeration
```powershell
#Basic Domain Information
Get-NetDomain
#User Information
Get-NetUser
Get-NetUser | select samaccountname, description, logoncount
Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname, description, pwdlastset, logoncount, badpwdcount
Get-NetUser -LDAPFilter '(sidHistory=*)'
Get-NetUser -PreauthNotRequired
Get-NetUser -SPN
#Groups Information
Get-NetGroup | select samaccountname, description
Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=EGOTISTICAL-BANK,DC=local' | %{ $_.SecurityIdentifier } | Convert-SidToName
#Computers Information
Get-NetComputer | select samaccountname, operatingsystem
Get-NetComputer -Unconstrained | select samaccountname
Get-NetComputer -TrustedToAuth | select samaccountname
#The following command is cut off in the original
Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*
```
Domain Information
```powershell
# Domain Info
Get-NetDomain                         #Get info about the current domain
Get-NetDomain -Domain mydomain.local
Get-DomainSID                         #Get domain SID
# Policy
Get-DomainPolicy                      #Get info about the policy
(Get-DomainPolicy)."KerberosPolicy"   #Kerberos tickets info (MaxServiceAge)
(Get-DomainPolicy)."System Access"    #Password policy
(Get-DomainPolicy).PrivilegeRights    #Check your privileges
# Domain Controller
Get-NetDomainController -Domain mydomain.local   #Get Domain Controller
```
Users, Groups and Computers
```powershell
# Users
Get-NetUser                                           #Get users with several (not all) properties
Get-NetUser | select -ExpandProperty samaccountname   #List all usernames
Get-NetUser -UserName student107                      #Get info about a user
Get-NetUser -properties name, description             #Get all descriptions
Get-NetUser -properties name, pwdlastset, logoncount, badpwdcount   #Get all pwdlastset, logoncount and badpwdcount
Find-UserField -SearchField Description -SearchTerm "built"         #Search accounts with "something" in a given attribute
# Users Filters
Get-NetUser -UACFilter NOT_ACCOUNTDISABLE -properties distinguishedname   #All enabled users
Get-NetUser -UACFilter ACCOUNTDISABLE                 #All disabled users
Get-NetUser -UACFilter SMARTCARD_REQUIRED             #Users that require a smart card
Get-NetUser -UACFilter NOT_SMARTCARD_REQUIRED -Properties samaccountname   #Users that do not require a smart card
Get-NetUser -LDAPFilter '(sidHistory=*)'              #Find users with sidHistory set
Get-NetUser -PreauthNotRequired                       #ASREPRoastable users
Get-NetUser -SPN | select serviceprincipalname        #Kerberoastable users
Get-NetUser -SPN | ?{$_.memberof -match 'Domain Admins'}   #Kerberoastable domain admins
Get-NetUser -TrustedToAuth                            #Useful for Kerberos constrained delegation
Get-NetUser -AllowDelegation -AdminCount              #All privileged users that aren't marked as sensitive/not for delegation
# Groups
Get-NetGroup                                          #Get groups
Get-NetGroup -Domain mydomain.local                   #Get groups of a specific domain
Get-NetGroup 'Domain Admins'                          #Get all data of a group
Get-NetGroup -AdminCount                              #Search admin groups
Get-NetGroup -UserName "myusername"                   #Get groups of a user
Get-NetGroupMember -Identity "Administrators" -Recurse   #Get users inside the "Administrators" group. If there are groups nested inside this group, -Recurse also prints the users of those groups
Get-NetGroupMember -Identity "Enterprise Admins" -Domain mydomain.local   #Remember that the "Enterprise Admins" group only exists in the root domain of the forest
Get-NetLocalGroup -ComputerName dc.mydomain.local -ListGroups   #Get local groups of a machine (you need admin rights on non-DC hosts)
Get-NetLocalGroupMember -ComputerName dcorp-dc.dollarcorp.moneycorp.local   #Get members of the local groups on a computer
Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -ResolveGUIDs   #Check AdminSDHolder users
Get-NetGPOGroup                                       #Get restricted groups
# Computers
Get-NetComputer                                       #Get all computer objects
Get-NetComputer -Ping                                 #Send a ping to check whether the computers are up
Get-NetComputer -Unconstrained                        #DCs always appear but aren't useful for privesc
Get-NetComputer -TrustedToAuth                        #Find computers with constrained delegation
#The following command is cut off in the original
Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*
```
Logon and Sessions
```powershell
Get-NetLoggedon -ComputerName <servername>     #Get users currently logged on to a computer (needs admin rights on the target)
Get-NetSession -ComputerName <servername>      #Get active sessions on the host
Get-LoggedOnLocal -ComputerName <servername>   #Get users currently logged on locally (needs Remote Registry, enabled by default on server OS)
Get-LastLoggedon -ComputerName <servername>    #Get the last user logged on (needs admin rights on the host)
Get-NetRDPSession -ComputerName <servername>   #List RDP sessions on a host (needs admin rights on the host)
```
Shared Files and Folders
```powershell
Get-NetFileServer                    #Search file servers. Many users tend to be logged on to this kind of server
Find-DomainShare -CheckShareAccess   #Search readable shares
Find-InterestingDomainShareFile      #Find interesting files; filters can be used
```
GPOs & OUs
```powershell
#GPO
Get-NetGPO                              #Get all policies with details
Get-NetGPO | select displayname         #Get the names of the policies
Get-NetGPO -ComputerName <servername>   #Get the policies applied to a computer
gpresult /V                             #Get current policy
# Enumerate permissions for GPOs where users with RIDs > 1000 have some kind of modification/control rights
#The following command is cut off in the original
Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}
```
ACL
```powershell
Get-ObjectAcl -SamAccountName <username> -ResolveGUIDs   #Get ACLs of an object (permissions of other objects over the indicated one)
Get-PathAcl -Path "\\dc.mydomain.local\sysvol"            #Get permissions of a file
Find-InterestingDomainAcl -ResolveGUIDs                   #Find interesting ACEs (modify permissions of "unexpected objects" (RID>1000) over other objects)
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReference -match "RDPUsers"}   #Check whether any of the interesting permissions found is related to a username/group
Get-NetGroupMember -GroupName "Administrators" -Recurse | ?{$_.IsGroup -match "false"} | %{Get-ObjectACL -SamAccountName $_.MemberName -ResolveGUIDs} | select ObjectDN, IdentityReference, ActiveDirectoryRights   #Get special rights over all administrators in the domain
```
Domain Trust
```powershell
Get-NetDomainTrust                         #Get all domain trusts (parent, children and external)
Get-NetForestDomain | Get-NetDomainTrust   #Enumerate all the trusts of all the domains found
Get-DomainTrustMapping                     #Also enumerates all the trusts
Get-ForestGlobalCatalog                    #Get info about the current forest (no external)
Get-ForestGlobalCatalog -Forest external.domain   #Get info about the external forest (if possible)
Get-DomainTrust -SearchBase "GC://$($ENV:USERDNSDOMAIN)"
Get-NetForestTrust                         #Get forest trusts (it must be between 2 roots; a trust between a child and a root is just an external trust)
Get-DomainForeignUser                      #Get users with privileges in other domains inside the forest
Get-DomainForeignGroupMember               #Get groups with privileges in other domains inside the forest
```
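The individual commands in the Users, Groups and Computers and ACL sections above each answer one question; when auditing a domain it is more useful to run the same checks together and get a list of findings with a fix attached to each. The script below is an added example, not part of the original post and not a PowerView function. It assumes the dev-branch PowerView.ps1 is already imported (it uses Get-DomainUser, Get-DomainComputer, Get-DomainObjectAcl, Get-Domain and ConvertFrom-SID, which are the dev-branch names of the Get-Net* commands in the cheatsheet), and the function name Invoke-PowerViewHygieneAudit is hypothetical. It goes a step beyond the cheatsheet by filtering domain controllers out of the unconstrained-delegation results and by limiting the AdminSDHolder ACL check to non-default principals (RID above 1000) holding write rights.

```powershell
# Added example: a hygiene audit built on PowerView's own cmdlets.
# Assumes PowerView.ps1 (dev branch) is already imported. Invoke-PowerViewHygieneAudit
# is a hypothetical name, not a PowerView function.
function Invoke-PowerViewHygieneAudit {
    [CmdletBinding()]
    param(
        # Optional domain to audit; defaults to the current domain, as PowerView itself does.
        [string]$Domain
    )

    $common = @{}
    if ($Domain) { $common['Domain'] = $Domain }

    $findings = New-Object System.Collections.Generic.List[object]

    # Small helper so every check emits the same shape of finding.
    function Add-Finding([string]$Check, [string]$Object, [string]$Severity, [string]$Fix) {
        $findings.Add([pscustomobject]@{
            Check    = $Check
            Object   = $Object
            Severity = $Severity
            Fix      = $Fix
        })
    }

    # 1. Accounts with "Do not require Kerberos preauthentication" (AS-REP roastable).
    Get-DomainUser -PreauthNotRequired @common | ForEach-Object {
        Add-Finding 'Preauth not required' $_.samaccountname 'High' `
            'Clear DONT_REQ_PREAUTH unless a documented legacy client needs it'
    }

    # 2. Privileged accounts (adminCount=1) that carry an SPN (Kerberoastable admins).
    Get-DomainUser -SPN -AdminCount @common | ForEach-Object {
        Add-Finding 'SPN on privileged account' $_.samaccountname 'High' `
            'Run the service under a gMSA, or set a long random password and drop admin rights'
    }

    # 3. Privileged accounts not marked "sensitive and cannot be delegated".
    Get-DomainUser -AllowDelegation -AdminCount @common | ForEach-Object {
        Add-Finding 'Privileged account allows delegation' $_.samaccountname 'Medium' `
            'Set NOT_DELEGATED or add the account to the Protected Users group'
    }

    # 4. Unconstrained delegation on hosts that are not domain controllers.
    #    DCs legitimately hold TRUSTED_FOR_DELEGATION, so they are filtered out by the
    #    SERVER_TRUST_ACCOUNT flag that PowerView decodes into useraccountcontrol.
    Get-DomainComputer -Unconstrained @common |
        Where-Object { "$($_.useraccountcontrol)" -notmatch 'SERVER_TRUST_ACCOUNT' } |
        ForEach-Object {
            Add-Finding 'Unconstrained delegation on non-DC' $_.dnshostname 'High' `
                'Switch the host to constrained or resource-based delegation'
        }

    # 5. Non-default principals with write rights on AdminSDHolder. A RID above 1000
    #    means the SID is not a built-in principal, so the ACE deserves review.
    #    The SearchBase is derived from the audited domain's DNS name.
    $domainObj = Get-Domain @common
    $domainDn  = 'DC=' + (($domainObj.Name -split '\.') -join ',DC=')
    Get-DomainObjectAcl -SearchBase "CN=AdminSDHolder,CN=System,$domainDn" -ResolveGUIDs @common |
        Where-Object {
            "$($_.SecurityIdentifier)" -match '^S-1-5-.*-[1-9]\d{3,}$' -and
            "$($_.ActiveDirectoryRights)" -match 'GenericAll|WriteDacl|WriteOwner|WriteProperty'
        } |
        ForEach-Object {
            $who = ConvertFrom-SID "$($_.SecurityIdentifier)"
            Add-Finding 'Non-default write ACE on AdminSDHolder' "$who ($($_.ActiveDirectoryRights))" 'High' `
                'Remove the ACE; SDProp copies it to every protected account'
        }

    return $findings
}

# Usage (assumes PowerView is loaded in the current session):
# Invoke-PowerViewHygieneAudit | Sort-Object Severity | Format-Table -AutoSize
```

Each finding is a plain object, so the output can be piped to Export-Csv for a report or compared between runs to spot new misconfigurations. The SID regex is the same pattern the cheatsheet uses for GPO permissions; it keys on the RID being at least four digits, which is how non-default accounts and groups are told apart from the well-known ones.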
Note: Most of the above commands are compiled from the two resources below. All credit goes to them; I just compiled the list that worked for me and helped in the OSCP and in other penetration testing or red teaming scenarios.
References:
- https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
- https://book.hacktricks.xyz/windows/basic-powershell-for-pentesters/powerview
Author: Yogesh Prasad
Information Security Professional | Cyber Security Expert | Ethical Hacker | Founder – Hackers Interview