powerview

PowerView 2.0

PowerView is a tool that I’ve spoken frequently about on this blog. It debuted as part of the Veil-Framework in March of 2014, and has gone through a huge number of changes over the last year and a half. It is now a part of the PowerTools repository under the PowerShellEmpire GitHub account, and may be integrated soon into the …


Domain Trusts: We’re Not Done Yet

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0:
    Invoke-FindUserTrustGroups  ->  Find-ForeignUser
    Invoke-FindAllUserTrustGroups  ->  Find-ForeignUser -Recurse
    Invoke-FindGroupTrustUsers  ->  Find-ForeignGroup
    Invoke-MapDomainTrusts  ->  Invoke-MapDomainTrust
    Get-NetDomainControllers  ->  Get-NetDomainController
    Invoke-EnumerateLocalAdmins  ->  Invoke-EnumerateLocalAdmin
    Invoke-EnumerateLocalTrustGroups  ->  Invoke-EnumerateLocalAdmin -TrustGroups

A few months ago, my colleague @sixdub and I presented our talk “Trusts You Might Have Missed” at BSides Chicago (the slides are posted here). We covered a lot of information that …


Identifying Your Prey

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0:
    Get-NetGroup  ->  Get-NetGroupMember
    Get-NetGroups  ->  Get-NetGroup

[Note: This has been cross posted on the Adaptive Threat Division blog] User hunting is one of my favorite phases of an engagement. Whether it’s performed for lateral spread and escalation, or to …


PowerQuinsta

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0:
    Get-NetRDPSessions  ->  Get-NetRDPSession

I wanted to do a quick writeup on one of PowerView‘s latest features: the ability to enumerate RDP sessions on remote machines. Qwinsta For those unfamiliar, qwinsta is a built in Windows command that …


Push it, Push it Real Good

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0:
    Invoke-StealthUserHunter  ->  Invoke-UserHunter -Stealth
    Invoke-SearchFiles  ->  Find-InterestingFile
    Get-NetFileServers  ->  Get-NetFileServer

My boss comes from a red teaming background; I do not. When I started to move beyond simple pentests and absorb his more advanced tradecraft, I was amazed that …


Domain Trusts: Why You Should Care

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0:
    Get-NetForestDomains  ->  Get-NetForestDomain
    Get-NetDomainTrusts  ->  Get-NetDomainTrust
    Get-NetForestTrusts  ->  Get-NetForestTrust
    Invoke-MapDomainTrusts  ->  Invoke-MapDomainTrust
    Invoke-FindUserTrustGroups  ->  Find-ForeignUser
    Get-NetDomainControllers  ->  Get-NetDomainController

Red teams have been abusing Windows domain trusts for years with great success, but the topic is still underrepresented in public …


“I Hunt Sys Admins”

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0:
    Get-NetGroups  ->  Get-NetGroup
    Get-UserProperties  ->  Get-UserProperty
    Invoke-UserFieldSearch  ->  Find-UserField
    Get-NetSessions  ->  Get-NetSession
    Invoke-StealthUserHunter  ->  Invoke-UserHunter -Stealth
    Invoke-UserProcessHunter  ->  Invoke-ProcessHunter -Username X
    Get-NetProcesses  ->  Get-NetProcess
    Get-UserLogonEvents  ->  Get-UserEvent
    Invoke-UserEventHunter  ->  Invoke-EventHunter

[Note] This post is a companion to the Shmoocon …


Targeted Trojanation

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0:
    Invoke-CopyFile  ->  Copy-ClonedFile
Additionally, the -ExcludeIPC and -ExcludePrint flags for Invoke-ShareFinder are no longer needed.

So you’re on an engagement and everything seems pretty locked down. Group Policy Preferences doesn’t have any deployment passwords left lying around, you’re not a …


PowerShell and Win32 API Access

Several functions in PowerView are dependent on the lower-level Windows API. Specifically, Get-NetSession utilizes the NetSessionEnum call, Get-NetShare utilizes the NetShareEnum call, Get-NetLoggedOn utilizes the NetWkstaUserEnum call, and Invoke-CheckLocalAdminAccess utilizes the OpenSCManager call. PowerView has gone through a few iterations of how to access this lower-level functionality. It started with using Add-Type to embed inline C# to compile all functionality in memory. This is what most …
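The Add-Type route the post describes, shown end to end for the Get-NetSession case. This is an added example written for this page, not PowerView's own code: it declares NetSessionEnum and NetApiBufferFree from netapi32.dll as inline C# P/Invoke signatures, compiles them with Add-Type, and walks the SESSION_INFO_10 array the API returns. The wrapper name Get-SessionInfo and the NetApi class name are choices made for this example; it assumes Windows PowerShell with a C# compiler available to Add-Type.

```powershell
# Added example, not PowerView code: enumerate SMB sessions on a host by calling
# NetSessionEnum (netapi32.dll) through inline C# compiled with Add-Type.

$NetApiSource = @"
using System;
using System.Runtime.InteropServices;

public class NetApi
{
    // SESSION_INFO_10: client name, user name, seconds active, seconds idle.
    [StructLayout(LayoutKind.Sequential)]
    public struct SESSION_INFO_10
    {
        [MarshalAs(UnmanagedType.LPWStr)] public string sesi10_cname;
        [MarshalAs(UnmanagedType.LPWStr)] public string sesi10_username;
        public uint sesi10_time;
        public uint sesi10_idle_time;
    }

    // LMSTR parameters are always wide strings, hence CharSet.Unicode.
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetSessionEnum(
        string servername,
        string UncClientName,
        string username,
        int level,
        out IntPtr bufptr,
        int prefmaxlen,
        out int entriesread,
        out int totalentries,
        ref int resume_handle);

    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr Buffer);
}
"@

# Add-Type refuses to redefine an existing type, so compile only once per session.
if (-not ('NetApi' -as [type])) {
    Add-Type -TypeDefinition $NetApiSource
}

function Get-SessionInfo {
    # Hypothetical helper for this example (not a PowerView cmdlet).
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $Buffer       = [IntPtr]::Zero
    $EntriesRead  = 0
    $TotalEntries = 0
    $Resume       = 0

    # Level 10 returns SESSION_INFO_10; prefmaxlen -1 is MAX_PREFERRED_LENGTH,
    # so the server allocates a buffer large enough for every entry.
    $Status = [NetApi]::NetSessionEnum($ComputerName, $null, $null, 10,
        [ref]$Buffer, -1, [ref]$EntriesRead, [ref]$TotalEntries, [ref]$Resume)

    # 0 is NERR_Success. 5 (ERROR_ACCESS_DENIED) is what a target hardened with
    # the "Net Cease" session-enumeration ACL change returns to non-admins.
    if ($Status -ne 0) {
        Write-Warning "NetSessionEnum against $ComputerName returned status $Status"
        return
    }

    try {
        $StructType = [NetApi+SESSION_INFO_10]
        $StructSize = [System.Runtime.InteropServices.Marshal]::SizeOf([type]$StructType)
        for ($i = 0; $i -lt $EntriesRead; $i++) {
            # The API hands back a contiguous array of structs; step through it.
            $Ptr  = [IntPtr]($Buffer.ToInt64() + ($i * $StructSize))
            $Info = [System.Runtime.InteropServices.Marshal]::PtrToStructure($Ptr, [type]$StructType)
            [PSCustomObject]@{
                ComputerName = $ComputerName
                ClientName   = $Info.sesi10_cname
                UserName     = $Info.sesi10_username
                ActiveTime   = $Info.sesi10_time
                IdleTime     = $Info.sesi10_idle_time
            }
        }
    }
    finally {
        # The buffer was allocated by the API and must be released by it.
        [void][NetApi]::NetApiBufferFree($Buffer)
    }
}

Get-SessionInfo -ComputerName $env:COMPUTERNAME | Format-Table -AutoSize
```

Two points the paragraph's mention of Add-Type glosses over: the compile step writes a temporary assembly to disk through csc.exe, which is exactly the artifact later PowerView iterations moved away from, and the status code is the only signal you get about why a host returned nothing, so surface it rather than swallowing it.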


Trusts You Might Have Missed

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0:
    Get-NetForestTrusts  ->  Get-NetForestTrust
    Get-NetForestDomains  ->  Get-NetForestDomain
    Get-NetDomainTrusts  ->  Get-NetDomainTrust

How often do you investigate trust relationships between Windows domains during a penetration test? You may have domain admin or other privileged access on your target and not even …
