PowerView

PowerView has long been the de facto tool for domain enumeration. One of its biggest strengths is that the queries return proper PowerShell objects, which can be piped to other cmdlets. This allows you to chain multiple commands together to form complex and powerful queries.

beacon> powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1

Get-Domain

Returns a domain object for the current domain or the domain specified with -Domain. Useful information includes the domain name, the forest name and the domain controllers.

beacon> powershell Get-Domain

Forest                  : cyberbotic.io
DomainControllers       : {dc-2.dev.cyberbotic.io}
Children                : {}
DomainMode              : Unknown
DomainModeLevel         : 7
Parent                  : cyberbotic.io
PdcRoleOwner            : dc-2.dev.cyberbotic.io
RidRoleOwner            : dc-2.dev.cyberbotic.io
InfrastructureRoleOwner : dc-2.dev.cyberbotic.io
Name                    : dev.cyberbotic.io

Get-DomainController

Returns the domain controllers for the current or specified domain.

Get-ForestDomain

Returns all domains for the current forest or the forest specified by -Forest.

Get-DomainPolicyData

Returns the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller. Useful for finding information such as the domain password policy.

Get-DomainUser

Return all (or specific) user(s). To return only specific properties, use -Properties. By default, all user objects for the current domain are returned; use -Identity to return a specific user.

This shows that jking is a member of the Support Engineers group. Most privileges in a domain are delegated to domain groups, rather than individual users. So if we can find where this domain group has privileged access, we know that members will also have those privileges.

If you run this command without the -Identity parameter, prepare to wait a while for all the data to return.

Get-DomainComputer

Return all computers or specific computer objects.

Get-DomainOU

Search for all organizational units (OUs) or specific OU objects.

Get-DomainGroup

Return all domain groups or specific domain group objects.

Get-DomainGroupMember

Return the members of a specific domain group.

Get-DomainGPO

Return all Group Policy Objects (GPOs) or specific GPO objects. To enumerate all GPOs that are applied to a particular machine, use -ComputerIdentity.

Get-DomainGPOLocalGroup

Returns all GPOs that modify local group membership through Restricted Groups or Group Policy Preferences. You can then manually find which OUs, and by extension which computers, these GPOs apply to.

This shows that the Support Engineers group is being assigned some sort of local access to the machines to which these GPOs apply. Although the GPO naming convention suggests this is local admin access, it may also be a different local group such as Remote Desktop Users.

Get-DomainGPOUserLocalGroupMapping

Enumerates the machines where a specific domain user/group is a member of a specific local group. This is useful for finding where domain groups have local admin access, which is a more automated way to perform the manual cross-referencing described above.

This output confirms that the Support Engineers domain group is a member of the local Administrators group on machines: web, sql-2, fs, wkstn-1 and wkstn-2.
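The same GPO-to-local-group-to-computer mapping that Get-DomainGPOLocalGroup and Get-DomainGPOUserLocalGroupMapping expose is exactly what a domain administrator should be auditing on their own domain, so that a group like Support Engineers only lands in local Administrators where that is intended. The script below is an added example, not code from the original page or from PowerView: it uses Microsoft's RSAT GroupPolicy and ActiveDirectory modules (Get-GPO, Get-GPOReport, Get-ADDomain, Get-ADOrganizationalUnit, Get-ADComputer) to pull each GPO's XML report, extract Restricted Groups settings, and resolve the OUs the GPO is linked to into the computers beneath them. The function names Get-RestrictedGroupAssignments and Get-ComputersInScope are mine, and the Restricted Groups element layout assumed here (GroupName/Name, Member/Name, LinksTo/SOMPath) should be checked against a report from your own domain. Group Policy Preferences based assignments are not covered, only Restricted Groups.

```powershell
# Added audit example (not from the original page or PowerView). Requires the
# RSAT GroupPolicy and ActiveDirectory modules and read access to GPOs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-RestrictedGroupAssignments {
    # One object per GPO / local group pairing configured via Restricted Groups
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # Get-GPOReport returns the GPO's settings as an XML string
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml -Domain $Domain

        # Match on local-name() so the namespace prefixes (q1:, q2:, ...) do not matter.
        # Element layout is an assumption; verify against a report from your own domain.
        $assignments = $report.SelectNodes("//*[local-name()='RestrictedGroups']")
        if ($assignments.Count -eq 0) { continue }

        # Enabled links only (SOM = Scope of Management: an OU, site or domain root)
        $links = $report.SelectNodes("//*[local-name()='LinksTo']") |
            Where-Object { $_.SelectSingleNode("*[local-name()='Enabled']").InnerText -eq 'true' } |
            ForEach-Object { $_.SelectSingleNode("*[local-name()='SOMPath']").InnerText }

        foreach ($rg in $assignments) {
            $localGroup = $rg.SelectSingleNode("*[local-name()='GroupName']/*[local-name()='Name']").InnerText
            $members = $rg.SelectNodes("*[local-name()='Member']/*[local-name()='Name']") |
                ForEach-Object { $_.InnerText }
            [pscustomobject]@{
                GPO        = $gpo.DisplayName
                LocalGroup = $localGroup
                Members    = ($members -join ', ')
                LinkedTo   = ($links -join '; ')
            }
        }
    }
}

function Get-ComputersInScope {
    # Resolve a canonical SOM path (e.g. dev.cyberbotic.io/Workstations) to the
    # OU's distinguished name and return the computer names beneath it
    param([string]$SOMPath)

    if ($SOMPath -notmatch '/') {
        # A link at the domain root reaches every computer in the domain
        $searchBase = (Get-ADDomain).DistinguishedName
    } else {
        $ou = Get-ADOrganizationalUnit -Filter * -Properties CanonicalName |
            Where-Object { $_.CanonicalName.TrimEnd('/') -eq $SOMPath.TrimEnd('/') }
        if (-not $ou) { return @() }   # site links or unresolvable paths: skip
        $searchBase = $ou.DistinguishedName
    }
    Get-ADComputer -Filter * -SearchBase $searchBase | Select-Object -ExpandProperty Name
}

# Usage: one row per GPO / local group pairing, with the computers it reaches.
# Review any row where LocalGroup is Administrators and Members is a broad group.
Get-RestrictedGroupAssignments | ForEach-Object {
    $computers = $_.LinkedTo -split '; ' | Where-Object { $_ } |
        ForEach-Object { Get-ComputersInScope -SOMPath $_ }
    $_ | Add-Member -NotePropertyName Computers -NotePropertyValue ($computers -join ', ') -PassThru
} | Format-Table -AutoSize
```

Running this periodically and diffing the output against the previous run is a cheap way to notice when a GPO starts pushing a new group into local Administrators, or when a link moves a GPO to a wider OU than intended.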

Get-DomainTrust

Return all domain trusts for the current or specified domain.
