Press "Enter" to skip to content

Tag: powerview

The PowerView PowerUsage Series #1

PowerView is probably my favorite bit of code I’ve written, and definitely the one I most regularly use (as evidenced by my recent posts). My team also heavily utilizes the toolkit, and we’ve come up with some cool uses for it over the past several years. For a long time I’ve wanted to share some of the real “power” uses of PowerView, like the PowerView “tricks” highlighted here. My intention for this series is to demonstrate how you can use PowerView to solve interesting problems and the thought process we put behind each solution. These posts should be short-and-sweet, less…

A Pentester’s Guide to Group Scoping

Scopes for Active Directory groups were always a bit murky for me. For anyone with an AD sysadmin background, this topic is probably second nature, but it wasn’t until I read this SS64 entry that everything started to fall into place. I wanted to document some relevant notes on the topic (as I understand it) in case anyone else had the same confusion I did. I’ll also cover how these group scopes interact with the forest global catalog and domain trusts, sprinkling in new PowerView functionality along the way. Active Directory Groups Active Directory groups can have one of two types:…

Targeted Kerberoasting

This is a short followup demonstrating a technique that dawned on me after posting about decrypting AS-REPs earlier this week. As mentioned previously, @_wald0, @cptjesus, and I are currently working Active Directory ACL integration for BloodHound. One of the control relationships we’re interested in is GenericAll/GenericWrite over a target user object, say victimuser in this instance. If we want to utilize the user’s access, we could force a password reset, but this is fairly ‘destructive’ in that the target user would notice. We’ve been brainstorming another method to abuse these types of relationships with the target remaining unaware, and we…

The Most Dangerous User Right You (Probably) Have Never Heard Of

I find Windows user rights pretty interesting. Separate from machine/domain object DACLs, user rights govern things like “by what method can specific users log into a particular system” and are managed under User Rights Assignment in Group Policy. Sidenote: I recently integrated privilege enumeration into PowerUp in the Get-ProcessTokenPrivilege function, with -Special returning ‘privileged’ privileges. SeEnableDelegationPrivilege One user right I overlooked, until Ben Campbell’s post on constrained delegation, was SeEnableDelegationPrivilege. This right governs whether a user account can “Enable computer and user accounts to be trusted for delegation.” Part of the reason I overlooked it is stated right in the…

S4U2Pwnage

Several weeks ago my workmate Lee Christensen (who helped develop this post and material) and I spent some time diving into Active Directory’s S4U2Self and S4U2Proxy protocol extensions. Then, just recently, Benjamin Delpy and Ben Campbell had an interesting public conversation about the same topic on Twitter. This culminated with Benjamin releasing a modification to Kekeo that allows for easy abuse of S4U misconfigurations. As I was writing this, Ben also published an excellent post on this very topic, which everyone should read before continuing. No, seriously, go read Ben’s post first. Lee and I wanted to write out our understanding…

Make PowerView Great Again

Yesterday’s commit to the PowerSploit dev branch is the biggest set of changes to PowerView since its inception. I’ve spent the last month or so rewriting PowerView from the ground up, squashing a number of bugs, adding a chunk of features, and standardizing the code base’s behavior. The commit message summarizes the modifications, but I wanted to spend some time detailing the massive set of changes. The previous PowerSploit Dev branch was merged into Master, and we will do a tagged release at some point next week. Note: this new PowerView code is definitely beta, but should be usable. I guarantee there are new bugs…

Where My Admins At? (GPO Edition)

[Edit 6/14/16] I was mistaken on a few points in the Local Account Management – Restricted Groups section, which I have now corrected. Thanks to @DougSec for the question/catch. Enumerating the membership of the Administrators local group on various computers is something we do on most of our engagements. This post will cover how to do this with Group Policy Object (GPO) correlation and without sending packets to every machine we’re enumerating these memberships for. I touched on this briefly in the Tracking Local Administrators by Group Policy Objects section of my “Local Group Enumeration” post back in March, but with a number of recent bug fixes…

Running LAPS with PowerView

A year ago, Microsoft released the Local Administrator Password Solution (LAPS) which aims to prevent the reuse of local administrator passwords by setting, “…a different, random password for the common local administrator account on every computer in the domain.” This post will cover a brief background on LAPS and how to use PowerView to perform some specific LAPS-specific enumeration. Sean Metcalf has a detailed post about LAPS here with much more information for anyone interested. Note: this functionality is in the dev branch of PowerSploit. LAPS Overview LAPS accomplishes its approach by first extending the Active Directory schema to include two new fields, ms-MCS-AdmPwd (the password itself) and ms-MCS-AdmPwdExpirationTime (when the password expires).…

Abusing GPO Permissions

A friend (@piffd0s) recently ran into a specific situation I hadn’t encountered before: the domain controllers and domain admins of the environment he was assessing were extremely locked down, but he was able to determine that a few users had edit rights on a few specific group policy objects (GPOs). After a bit of back and forth, he was able to abuse this to take down his target, and we were able to integrate some new functionality into PowerView that facilitates this process. This post will cover these new features and demonstrate how to enumerate and abuse misconfigured GPOs in case you encounter…

Local Group Enumeration

I’ve found that one of the most useful features of PowerView (outside of its user hunting capabilities) is its ability to enumerate local group membership on remote machines. I’ve spoken about this briefly before, and gave some details on its utilization of the ADSI WinNT Provider in the “Pass-the-Hash is Dead: Long Live Pass-the-Hash” post. My colleague @sixdub wrote an excellent post titled “Derivative Local Admin” that shows the power this functionality can give attackers, and fellow ATD member @_wald0 expanded on this with his “Automated Derivative Administrator Search” post. This functionality has been indispensable on both our pentests and longer-term red-team engagements. I wanted…