PowerView CheatSheet

Find Local Admin Access

Find all machines on domain where you have local admin access

//  Create Credential Object
$passwd = ConvertTo-SecureString "password" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("fakedomain\user", $passwd)

// Gather List of all workstations on domain and store in variable
$comps = Get-NetComputer -Domain msp.local -Credential $creds

// Attempt to issue a command on each machine - any results indicate local admin on that machine
Invoke-Command -ScriptBlock{hostname} -Computer ($comps.dnshostName) -Credential $creds -ErrorAction SilentlyContinue

Get List of Kerbroastable Users

The following will enumerate 'Kerberoastable' users for a given domain and output the results to a csv file for easy review.

Get-NetUser -Domain msp.local | Where-Object {$_.servicePrincipalName} | select name, samaccountname, serviceprincipalname | Export-CSV -NoTypeInformation kerberoastable.csv

Get a list of Computers on the domain

The following will enumerate 'Workstations' for a given domain.

PS C:\Tools\ADModule-master> Get-NetComputer -Properties samaccountname, samaccounttype, operatingsystem

 samaccounttype samaccountname operatingsystem
 -------------- -------------- ---------------
MACHINE_ACCOUNT UFC-DC1$       Windows Server 2016 Standard
MACHINE_ACCOUNT UFC-WEBPROD$   Windows Server 2016 Standard
MACHINE_ACCOUNT UFC-DBPROD$    Windows Server 2016 Standard
MACHINE_ACCOUNT UFC-SQLDEV$    Windows Server 2016 Standard
MACHINE_ACCOUNT UFC-APP1$      Windows Server 2016 Standard
MACHINE_ACCOUNT UFC-DB1$       Windows Server 2016 Standard
MACHINE_ACCOUNT UFC-JUMPSRV$   Windows Server 2016 Standard
MACHINE_ACCOUNT PA-ADMIN$      Windows Server 2016 Standard
MACHINE_ACCOUNT PA-USER40$     Windows Server 2016 Standard
MACHINE_ACCOUNT PA-USER41$     Windows Server 2016 Standard
MACHINE_ACCOUNT PA-USER42$     Windows Server 2016 Standard
MACHINE_ACCOUNT PA-USER43$     Windows Server 2016 Standard
MACHINE_ACCOUNT PA-USER44$     Windows Server 2016 Standard
MACHINE_ACCOUNT PA-USER45$     Windows Server 2016 Standard
MACHINE_ACCOUNT PA-USER46$     Windows Server 2016 Standard
MACHINE_ACCOUNT PA-USER47$     Windows Server 2016 Standar

Get a list of all groups on a domain

Get-NetGroup -Domain internal.msp.local | select name
 
name                               
----                               
Administrators                     
Users                              
Guests                             
Print Operators                    
Backup Operators                   
Replicator                         
Remote Desktop Users               
Network Configuration Operators    
Performance Monitor Users          
Performance Log Users              
Distributed COM Users              
IIS_IUSRS                          
Cryptographic Operators            
Event Log Readers                  
Certificate Service DCOM Access    
RDS Remote Access Servers          
RDS Endpoint Servers               
RDS Management Servers             
Hyper-V Administrators             
Access Control Assistance Operators
Remote Management Users            
Storage Replica Administrators     
Domain Computers                   
Domain Controllers                 
Cert Publishers                    
Domain Admins                      
Domain Users                       
Domain Guests                      
Group Policy Creator Owners        
RAS and IAS Servers                
Server Operators                   
Account Operators                  
Pre-Windows 2000 Compatible Access 
Windows Authorization Access Group 
Terminal Server License Servers    
Allowed RODC Password Replicatio...
Denied RODC Password Replication...
Read-only Domain Controllers       
Cloneable Domain Controllers       
Protected Users                    
Key Admins                         
DnsAdmins                          
DnsUpdateProxy                     
ForestManagers                     
InternalAdmins                     
BatchUsers

List all members of a a given group

Get-DomainGroupMember "Domain Admins" -Recurse


GroupDomain             : it.gcb.local
GroupName               : Domain Admins
GroupDistinguishedName  : CN=Domain Admins,CN=Users,DC=it,DC=gcb,DC=local
MemberDomain            : it.gcb.local
MemberName              : Administrator
MemberDistinguishedName : CN=Administrator,CN=Users,DC=it,DC=gcb,DC=local
MemberObjectClass       : user
MemberSID               : S-1-5-21-948911695-1962824894-4291460450-500

Identifying RBCD in active directory

Anyone of the below commands can find RBCD in an Active Directory environment.

# Get all sids, all computer object ACLs, and find RBCD!!!
$usersid = get-domainuser | select -exp objectsid; "Got user SIDS"; $computeracls = Get-DomainComputer | select -exp dnshostname | get-domainobjectacl; "Got computer ACLs"; "Search through acls for RBCD..."; foreach ($acl in $computeracls) { foreach($sid in $usersid) { $acl | ?{$_.SecurityIdentifier -eq $sid -and ($_.ActiveDirectoryRights -Like '*GenericAll*' -or $_.ActiveDirectoryRights -Like '*GenericWrite*' -or $_.ActiveDirectoryRights -Like '*WriteOwner*')} } }

# Get all SIDS, all computer object ACLs, and find RBCD
$groupsid = $groups = Get-DomainGroup | Where-Object {$_.SamAccountName -ne "Domain Admins" -and $_.SamAccountName -ne "Account Operators" -and $_.SamAccountName -ne "Enterprise Admins" -and $_.SamAccountName -ne "Administrators" -and $_.SamAccountName -ne "DnsAdmins" -and $_.SamAccountName -ne "Schema Admins" -and $_.SamAccountName -ne "Key Admins" -and $_.SamAccountName -ne "Enterprise Key Admins" -and $_.SamAccountName -ne "Storage Replica Administrators"} | select -exp objectsid; "Got group SIDS"; $computeracls = Get-DomainComputer | select -exp dnshostname | get-domainobjectacl; "Got computer ACLs"; "Search through acls for RBCD..."; foreach ($acl in $computeracls) { foreach($sid in $groupsid) { $acl | ?{$_.SecurityIdentifier -eq $sid -and ($_.ActiveDirectoryRights -Like '*GenericAll*' -or $_.ActiveDirectoryRights -Like '*GenericWrite*' -or $_.ActiveDirectoryRights -Like '*WriteOwner*')} } }

# Get all computer object SIDS, all computer object ACLs, and find RBCD
$computersid = get-domaincomputer | select -exp objectsid; "Got computer SIDS"; $computeracls = Get-DomainComputer | select -exp dnshostname | get-domainobjectacl; "Got computer ACLs"; "Search through acls for RBCD..."; foreach ($acl in $computeracls) { foreach($sid in $computersid) { $acl | ?{$_.SecurityIdentifier -eq $sid -and($_.ActiveDirectoryRights -Like '*GenericAll*' -or $_.ActiveDirectoryRights -Like '*GenericWrite*' -or $_.ActiveDirectoryRights -Like '*WriteOwner*')} } }

PreviousHack The Box - Sauna NextWriteOwner Exploit

Last updated 5 years ago

hashtagFind Local Admin Access

hashtagGet List of Kerbroastable Users

hashtagGet a list of Computers on the domain

hashtagGet a list of all groups on a domain

hashtagList all members of a a given group

hashtagIdentifying RBCD in active directory