The post PowerShell for Hackers, Part 3: Exploring PowerView first appeared on Hackers Arise.

Welcome back, cyberwarriors!
Having covered the fundamentals of PowerShell, its filters, and LDAP queries, we’re now ready to approach PowerView. PowerView is a PowerShell tool designed for Active Directory enumeration and reconnaissance, commonly used in offensive security assessments. It helps identify domain users, groups, computers, permissions, trust relationships, and misconfigurations that could be exploited for privilege escalation or lateral movement. PowerView is particularly useful because it doesn’t require the installation of RSAT, making it effective in stealthy or restricted environments. Originally part of the PowerSploit framework, it has become a go-to tool for red team operations and post-exploitation tasks in Windows domain environments.
We’re moving to PowerView after learning manual data retrieval with PowerShell filters and LDAP because external tools may not always be available, especially in environments with active security defenses. Knowing how to extract data discreetly using native Windows commands is a critical skill for any hacker.
Let’s get started with PowerView!
Importing PowerView
To begin, we need to import the PowerView script. Importing a script allows you to call its functions as needed within PowerShell, unlike running a script, which executes all its commands at once. Importing may be restricted by PowerShell’s execution policy, which we learned to bypass in the first part of this series.
PS > powershell -ep bypass
PS > . .\PowerView.ps1

Domain and LDAP Functions
Let’s explore some basic domain and LDAP functions in PowerView. These commands simplify tasks compared to manual PowerShell filters, offering a wide range of capabilities to uncover detailed domain information.
Get-DomainDNSZone
The Get-DomainDNSZone command retrieves DNS zones within an Active Directory domain. This is useful for understanding the network’s internal structure, identifying subdomains, and mapping potential targets. It provides insights into domain trust boundaries and internal name resolution.
PS > Get-DomainDNSZone

List the DNS records held in every zone of the current domain:
PS > Get-DomainDNSZone | Get-DomainDNSRecord
Query a specific domain or domain controller:
PS > Get-DomainDNSZone -Domain corp.test.local -Server dc01.corp.test.local | Get-DomainDNSRecord -Domain corp.test.local -Server dc01.corp.test.local
To return only selected properties of each record:
PS > Get-DomainDNSZone | Get-DomainDNSRecord -Properties name,whencreated
Get-Domain
The Get-Domain command retrieves essential information about an Active Directory domain, including its name, Security Identifier (SID), domain controllers, and forest membership. It provides a concise overview of the domain environment.
PS > Get-Domain

Get-Forest
The Get-Forest command gathers details about the Active Directory forest that the domain belongs to. It returns the forest name, SID, member domains, forest mode, global catalogs, and domain controllers. This command helps map out the forest’s topology and trust boundaries, aiding in further enumeration.
PS > Get-Forest

Get-DomainUser
The Get-DomainUser command retrieves user account objects from Active Directory. By default, it lists all users in the domain, but you can filter by username, SID, LDAP filters, or specific attributes. This command is valuable for identifying service accounts, disabled accounts, group memberships, and attributes that could be exploited for privilege escalation or lateral movement. For example, the -SPN flag identifies service accounts with Service Principal Names, which are potential targets for Kerberoasting attacks. The -PreauthNotRequired flag finds accounts vulnerable to AS-REP Roasting, while -AllowDelegation or -TrustedToAuth identifies users trusted for constrained delegation, which can be abused for impersonation. The -Properties parameter lets you specify attributes like description, password last set, last logon, logon count, and group memberships.
List all users:
PS > Get-DomainUser
View detailed information for a specific user:
PS > Get-DomainUser sql_service

Find Kerberoastable users:
PS > Get-DomainUser -SPN -Properties samaccountname,memberof,serviceprincipalname

Find Kerberoastable users with cross-domain authentication:
PS > Get-DomainUser -SPN -Domain domain.local | select samaccountname,memberof,serviceprincipalname | fl

This data is critical for lateral movement and potentially compromising the entire forest.
Find Kerberoastable Domain Admins:
PS > Get-DomainUser -SPN | Where-Object {$_.memberof -match 'Domain Admins'} | Select Name, ServicePrincipalName
Find AS-REP roastable users:
PS > Get-DomainUser -KerberosPreauthNotRequired
Find users not requiring a password:
PS > Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol
Find users with SID history (indicating account migration):
PS > Get-DomainUser -LDAPFilter '(sidHistory=*)'
Find users with unconstrained delegation enabled:
PS > Get-DomainUser -UACFilter TRUSTED_FOR_DELEGATION -Properties samaccountname,useraccountcontrol,memberof
Retrieve user descriptions:
PS > Get-DomainUser -Properties samaccountname,description | Where-Object {$_.description -ne $null}

Export user information to a CSV file:
PS > Get-DomainUser * -Domain domain.local | Select-Object -Property name,samaccountname,description,memberof,whencreated,pwdlastset,lastlogontimestamp,accountexpires,admincount,userprincipalname,serviceprincipalname,mail,useraccountcontrol | Export-Csv .\domain_users.csv -NoTypeInformation
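The Get-DomainUser switches above are thin wrappers around LDAP filters. This added example (not code from the original post or from PowerView) runs the same audit through the native System.DirectoryServices searcher, so the findings can be reproduced or checked on a host where PowerView is not available. It assumes a domain-joined machine and an ordinary domain account; the userAccountControl bit values are the standard ones.

```powershell
# userAccountControl bits, matched with the LDAP bitwise-AND rule 1.2.840.113556.1.4.803
$UAC = @{
    PASSWD_NOTREQD         = 0x20       # 32: password not required
    DONT_REQ_PREAUTH       = 0x400000   # 4194304: AS-REP roastable
    TRUSTED_FOR_DELEGATION = 0x80000    # 524288: unconstrained delegation
}

function Get-RiskyDomainUsers {
    param(
        # Default search base: the current domain's naming context from RootDSE
        [string]$SearchBase = ([adsi]'LDAP://RootDSE').defaultNamingContext
    )
    $person = '(objectCategory=person)(objectClass=user)'
    # Finding label => the LDAP filter behind the corresponding PowerView switch
    $checks = [ordered]@{
        'Kerberoastable (SPN set)'      = "(&$person(servicePrincipalName=*)(!(samAccountName=krbtgt)))"
        'AS-REP roastable (no preauth)' = "(&$person(userAccountControl:1.2.840.113556.1.4.803:=$($UAC.DONT_REQ_PREAUTH)))"
        'Unconstrained delegation'      = "(&$person(userAccountControl:1.2.840.113556.1.4.803:=$($UAC.TRUSTED_FOR_DELEGATION)))"
        'Password not required'         = "(&$person(userAccountControl:1.2.840.113556.1.4.803:=$($UAC.PASSWD_NOTREQD)))"
        'SID history present'           = "(&$person(sidHistory=*))"
    }
    foreach ($check in $checks.GetEnumerator()) {
        $searcher = New-Object System.DirectoryServices.DirectorySearcher
        $searcher.SearchRoot = [adsi]"LDAP://$SearchBase"
        $searcher.Filter     = $check.Value
        $searcher.PageSize   = 1000   # paged results, so large domains are not cut off at 1000 entries
        $null = $searcher.PropertiesToLoad.AddRange([string[]]('samaccountname','memberof','useraccountcontrol'))
        foreach ($r in $searcher.FindAll()) {
            [pscustomobject]@{
                Finding        = $check.Key
                SamAccountName = [string]$r.Properties['samaccountname'][0]
                # Direct membership only, like the -match 'Domain Admins' check above
                IsDomainAdmin  = [bool]($r.Properties['memberof'] -match '^CN=Domain Admins,')
                UAC            = [int]$r.Properties['useraccountcontrol'][0]
            }
        }
    }
}

# Usage: the same findings as the individual PowerView commands, in one table
Get-RiskyDomainUsers | Sort-Object Finding, SamAccountName | Format-Table -AutoSize
```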

Get-DomainSID
The Get-DomainSID command retrieves the numeric Security Identifier (SID) of the target Active Directory domain. This SID is essential for creating a Golden Ticket, which is a forged Kerberos ticket that grants persistent domain-wide access. The SID, combined with the domain’s krbtgt account hash, is used in tools like Mimikatz or Rubeus to craft the ticket.
PS > Get-DomainSID

Get-DomainFileServer
The Get-DomainFileServer command identifies domain file servers, which are prime targets for enumeration and compromise. These servers often host home directories, scripts, or shared data, making them valuable for finding sensitive files or paths for lateral movement and data exfiltration.
PS > Get-DomainFileServer

Get-DomainManagedSecurityGroup
This command identifies group managers who can modify membership in privileged security groups, enabling account manipulation or privilege escalation. By finding these groups and their managers, you can detect misconfigured delegation or write permissions that could be exploited to control high-privilege groups.
PS > Get-DomainManagedSecurityGroup

Get-DomainGroupMember
The Get-DomainGroupMember command lists members of a specified Active Directory group. This is useful for identifying members of high-privilege groups like Domain Admins or Enterprise Admins, allowing targeted attacks on valuable accounts.
Let’s list all users in the Help Desk group:
PS > Get-DomainGroupMember “Help Desk”

Get-DomainComputer
The Get-DomainComputer command retrieves Active Directory computer objects, with options to filter by attributes like hostname, operating system, logon count, or delegation flags. It helps map domain computers, identify targets, and flag vulnerable hosts, such as those configured for authentication delegation.
PS > Get-DomainComputer
Find computers with authentication delegation:
PS > Get-DomainComputer -TrustedToAuth | Select -Property dnshostname,useraccountcontrol

Counting Users and Computers
You can count all users and computers in the domain to gauge its size:
PS > (Get-DomainUser).count
PS > (Get-DomainComputer).count

As you can see from the counts, this domain is fairly large.
Computer Enumeration Functions
Now we focus on commands for enumerating domain computers.
Get-NetLocalGroup
The Get-NetLocalGroup command lists local groups on a remote computer by querying its local accounts database. By default, it retrieves all local groups, but you can customize the query.
List local groups on a remote computer:
PS > Get-NetLocalGroup -ComputerName TARGET-PC

List members of a specific local group:
PS > Get-NetLocalGroupMember -ComputerName TARGET-PC -GroupName Administrators
Get-NetShare
The Get-NetShare command identifies accessible SMB share paths across the network. These shares may contain user home directories, documents, scripts, or configuration files with sensitive information or credentials.
List shares on your own system:
PS > Get-NetShare

List shares on all domain computers:
PS > Get-DomainComputer | Get-NetShare
Or target a remote host:
PS > Get-NetShare -ComputerName SQL-DB-01

Get-NetRDPSession
The Get-NetRDPSession command identifies active RDP sessions on a machine. This is useful for locating high-value sessions (e.g., admin sessions on domain controllers), timing lateral movement, targeting active users, or deploying malware or credential-dumping tools.
List RDP sessions on your host:
PS > Get-NetRDPSession

List RDP sessions on a remote computer:
PS > Get-NetRDPSession -ComputerName SQLSRV01
List RDP sessions on domain controllers:
PS > Get-DomainController | Get-NetRDPSession
Test-AdminAccess
The Test-AdminAccess command checks where your account has high-privilege access, such as the ability to upload payloads or run WMI commands remotely. It supports the Find-LocalAdminAccess function, which automates detecting machines where admin access is possible.
Test a single host:
PS > Test-AdminAccess -ComputerName SQLSRV01

Or test across the domain:
PS > Get-DomainComputer | Test-AdminAccess
Domain Trust Functions
Get-DomainTrust
The Get-DomainTrust command enumerates trust relationships for the current or specified domain. Trust relationships are critical for attackers, as they define boundaries for pivoting access. For example, if Domain A trusts Domain B and SID filtering is disabled, an attacker with control over an account in Domain B could pivot into Domain A using SID history abuse or DCShadow to access sensitive resources.
PS > Get-DomainTrust

Get-DomainTrustMapping
The Get-DomainTrustMapping command maps trust relationships across multiple Active Directory domains. It starts with the current domain’s trusts, then recursively queries trusted domains to build a complete trust graph, including trust types, directions, attributes, and timestamps. This is especially useful in multi-domain or forest environments for identifying trust sources and targets.
PS > Get-DomainTrustMapping
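The recursive walk that Get-DomainTrustMapping performs can also be done with the .NET Active Directory classes, which is handy for checking the SID filtering condition mentioned under Get-DomainTrust. This is an added example, not code from the original post or from PowerView; it assumes a domain-joined host that can reach the trusted domains, and the Get-TrustMap function name is our own.

```powershell
Add-Type -AssemblyName System.DirectoryServices   # harmless if the assembly is already loaded

function Get-TrustMap {
    param(
        # Start from the current domain unless another one is given
        [string]$StartDomain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
    )
    $seen  = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($StartDomain)

    while ($queue.Count -gt 0) {
        $name = $queue.Dequeue()
        if (-not $seen.Add($name)) { continue }   # already mapped, avoid loops in the trust graph
        try {
            $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $name)
            $dom = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
        } catch {
            Write-Warning "Cannot contact ${name}: $($_.Exception.Message)"
            continue
        }
        foreach ($t in $dom.GetAllTrustRelationships()) {
            # The quarantine (SID filtering) flag lives on the trusting side, so for an
            # inbound-only trust it is the other domain's setting and is skipped here
            $sidFiltering = 'n/a'
            if ($t.TrustDirection -ne 'Inbound') {
                try   { $sidFiltering = $dom.GetSidFilteringStatus($t.TargetName) }
                catch { $sidFiltering = 'unknown' }
            }
            [pscustomobject]@{
                SourceName   = $t.SourceName
                TargetName   = $t.TargetName
                TrustType    = $t.TrustType
                Direction    = $t.TrustDirection
                SidFiltering = $sidFiltering   # $false on an outbound trust is the risky case
            }
            $queue.Enqueue($t.TargetName)      # recurse into the trusted domain
        }
    }
}

Get-TrustMap | Format-Table -AutoSize
```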

Resources
Our goal was to introduce PowerView’s core commands without overwhelming you with complex concepts. PowerView is a powerful tool, and a single guide cannot cover all its capabilities. We encourage you to experiment with it yourself. Below are resources to help you dive deeper:
Official PowerView Documentation:
PowerView Script: https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1
Keep exploring, and stay sharp in your cybersecurity journey!
Summary
PowerView is a powerful tool for Active Directory enumeration, simplifying reconnaissance and uncovering vulnerabilities for privilege escalation and lateral movement. By mastering its commands, hackers can efficiently map domain environments and identify high-value targets. Continue exploring PowerView’s capabilities to enhance both your offensive and defensive skills.
Source: HackersArise
Source Link: https://hackers-arise.com/powershell-for-hackers-part-3-exploring-powerview/