Press "Enter" to skip to content

Tag: powerview

Finding Local Admin with the Veil-Framework

[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0: Invoke-FindLocalAdminAccess  ->  Find-LocalAdminAccess Additionally, the -Ping command for Invoke-ShareFinder is no longer needed Back in 2012 @zeknox wrote a great post on “Finding Local Admin with Metasploit” which I highly recommend everyone read. My team consistently runs into situations similar to what he describes, where the current user context we’re operating under doesn’t have local administrator privileges on the machine where we have our shell. This was actually one of the motivations for PowerUp (which you can read more about here). zeknox then details the Metasploit module…

Pass-the-Hash is Dead: Long Live Pass-the-Hash

[Edit 3/16/17] Many elements of this post, specifically the ones concerning KB2871997, are incorrect. I have an updated post titled “Pass-the-Hash Is Dead: Long Live LocalAccountTokenFilterPolicy” that contains the most up-to-date and accurate information.   [Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0: Invoke-EnumerateLocalAdmins  ->  Invoke-EnumerateLocalAdmin Get-NetLocalGroups  ->  Get-NetLocalGroup -ListGroups You may have heard the word recently about how a recent Microsoft patch has put all of us pentesters out of a job. Pass-the-hash is dead, attackers can no longer spread laterally, and Microsoft has finally secured its authentication mechanisms. Oh wait: This is…

Veil-PowerView: A Usage Guide

[Edit 8/13/15] – Many of the cmdlets listed here have changed. Check out the PowerView 2.0 post to see the new updates. [Note: this topic was cross-posted on the Veil-Framework site] Veil-PowerView is a project that was originally prompted by a client who locked down their corporate machines by disabling all “net *” commands for normal users. While building pure Powershell replacements to easily bypass this protection, I began to explore what else could be done with Powershell from a domain and network situational awareness perspective. Being inspired by my boss @davidpmcguire, and drawing on existing work from @mubix, the offensive Powershell community (@obscuresec, @mattifestation, and DarkOperator), and the authors…