🦹Powerview

To work with Powerview, it is needed to import it using powershell.

Import-Module .\Powerview.ps1

Information about the domain

Get-NetDomain

Users

To get a list of all users on the domain.

Get-NetUser | select cn

Groups

To get a list of all groups on the domain.

Get-NetGroup | select cn

To get members of a group.

Get-NetGroup $GROUP$ | select member

OS

To get information about the device.

Get-NetComputer

Administrative privileges

To find if the current user has administrative privileges on any computers on the domain.

Find-LocalAdminAccess

Logged on users

To know who is logged on a computer.

Get-NetSession -ComputerName $COMPUTER$ -Verbose

Service Principal Names

To list SPN on the domain.

Get-NetUser -SPN | select samaccountname,serviceprincipalname

Object Permissions

Permissions definitions

GenericAll: Full permissions on object
GenericWrite: Edit certain attributes on the object
WriteOwner: Change ownership of the object
WriteDACL: Edit ACE's applied to object
AllExtendedRights: Change password, reset password, etc.
ForceChangePassword: Password change for object
Self (Self-Membership): Add ourselves to for example a group

Permissions

Basics

Get-ObjectAcl -Identity $USER$ | select ObjectSID,ActiveDirectoryRights,SecurityIndentifier

ObjectSID is the user affected by the permission.

ActiveDirectoryRights is the permission.

SecurityIndentifier is the user that can use the permission.

To sum up: SecurityIndentifier can ActiveDirectoryRights ObjectSID. (For example: Alice can read Bob)

SID values

SID values can be converted to be readable.

Convert-SidToName $SID$

Multiple SIDs can be converted in a row.

$SID1$,$SID2$,$SID3$ | Convert-SidToName

Specific permissions

To show only objects with GenericAll permissions.

Get-ObjectAcl -Identity $OBJECT$ | ? {$_.ActiveDirectoryRights -eq "GenericAll"} | select SecurityIdentifier,ActiveDirectoryRights

Domains Shares

To list all domain shares.

Find-DomainShares

To list only shares available to the current user.

Find-DomainShare -CheckShareAccess

PreviousWindows legacy tools NextSharpHound/BloodHound

Last updated 1 year ago

hashtagInformation about the domain

hashtagUsers

hashtagGroups

hashtagOS

hashtagAdministrative privileges

hashtagLogged on users

hashtagService Principal Names

hashtagObject Permissions

hashtagPermissions definitions

hashtagPermissions

hashtagBasics

hashtagSID values

hashtagSpecific permissions

hashtagDomains Shares