PowerView CheatSheet

Find Local Admin Access

Find all machines on the domain where the supplied account has local admin access.

# Create a credential object
$passwd = ConvertTo-SecureString "password" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("fakedomain\user", $passwd)

# Gather a list of all computer objects on the domain and store it in a variable
$comps = Get-NetComputer -Domain msp.local -Credential $creds

# Attempt to run a command on each machine - any result indicates local admin on that machine
Invoke-Command -ScriptBlock {hostname} -ComputerName ($comps.dnshostname) -Credential $creds -ErrorAction SilentlyContinue

Get List of Kerberoastable Users

The following will enumerate 'Kerberoastable' users (accounts with a servicePrincipalName set) for a given domain and output the results to a CSV file for easy review.

Get-NetUser -Domain msp.local | Where-Object {$_.servicePrincipalName} | select name, samaccountname, serviceprincipalname | Export-CSV -NoTypeInformation kerberoastable.csv

Get a list of computers on the domain

The following will enumerate computer accounts for a given domain.

PS C:\Tools\ADModule-master> Get-NetComputer -Properties samaccountname, samaccounttype, operatingsystem

samaccounttype  samaccountname operatingsystem
--------------  -------------- ---------------
MACHINE_ACCOUNT UFC-DC1$       Windows Server 2016 Standard
MACHINE_ACCOUNT UFC-WEBPROD$   Windows Server 2016 Standard
MACHINE_ACCOUNT UFC-DBPROD$    Windows Server 2016 Standard
MACHINE_ACCOUNT UFC-SQLDEV$    Windows Server 2016 Standard
MACHINE_ACCOUNT UFC-APP1$      Windows Server 2016 Standard
MACHINE_ACCOUNT UFC-DB1$       Windows Server 2016 Standard
MACHINE_ACCOUNT UFC-JUMPSRV$   Windows Server 2016 Standard
MACHINE_ACCOUNT PA-ADMIN$      Windows Server 2016 Standard
MACHINE_ACCOUNT PA-USER40$     Windows Server 2016 Standard
MACHINE_ACCOUNT PA-USER41$     Windows Server 2016 Standard
MACHINE_ACCOUNT PA-USER42$     Windows Server 2016 Standard
MACHINE_ACCOUNT PA-USER43$     Windows Server 2016 Standard
MACHINE_ACCOUNT PA-USER44$     Windows Server 2016 Standard
MACHINE_ACCOUNT PA-USER45$     Windows Server 2016 Standard
MACHINE_ACCOUNT PA-USER46$     Windows Server 2016 Standard
MACHINE_ACCOUNT PA-USER47$     Windows Server 2016 Standard

Get a list of all groups on a domain

Get-NetGroup -Domain internal.msp.local | select name
 
name                               
----                               
Administrators                     
Users                              
Guests                             
Print Operators                    
Backup Operators                   
Replicator                         
Remote Desktop Users               
Network Configuration Operators    
Performance Monitor Users          
Performance Log Users              
Distributed COM Users              
IIS_IUSRS                          
Cryptographic Operators            
Event Log Readers                  
Certificate Service DCOM Access    
RDS Remote Access Servers          
RDS Endpoint Servers               
RDS Management Servers             
Hyper-V Administrators             
Access Control Assistance Operators
Remote Management Users            
Storage Replica Administrators     
Domain Computers                   
Domain Controllers                 
Cert Publishers                    
Domain Admins                      
Domain Users                       
Domain Guests                      
Group Policy Creator Owners        
RAS and IAS Servers                
Server Operators                   
Account Operators                  
Pre-Windows 2000 Compatible Access 
Windows Authorization Access Group 
Terminal Server License Servers    
Allowed RODC Password Replicatio...
Denied RODC Password Replication...
Read-only Domain Controllers       
Cloneable Domain Controllers       
Protected Users                    
Key Admins                         
DnsAdmins                          
DnsUpdateProxy                     
ForestManagers                     
InternalAdmins                     
BatchUsers           

List all members of a given group

Get-DomainGroupMember "Domain Admins" -Recurse

GroupDomain             : it.gcb.local
GroupName               : Domain Admins
GroupDistinguishedName  : CN=Domain Admins,CN=Users,DC=it,DC=gcb,DC=local
MemberDomain            : it.gcb.local
MemberName              : Administrator
MemberDistinguishedName : CN=Administrator,CN=Users,DC=it,DC=gcb,DC=local
MemberObjectClass       : user
MemberSID               : S-1-5-21-948911695-1962824894-4291460450-500

Identifying RBCD in Active Directory

Any one of the commands below surfaces principals (users, non-privileged groups, or computer accounts) that hold GenericAll, GenericWrite or WriteOwner over computer objects, i.e. the write access needed to configure RBCD on a computer.

# Get all user SIDs, all computer object ACLs, and find RBCD candidates
$usersid = Get-DomainUser | select -exp objectsid; "Got user SIDS"; $computeracls = Get-DomainComputer | select -exp dnshostname | Get-DomainObjectAcl; "Got computer ACLs"; "Search through acls for RBCD..."; foreach ($acl in $computeracls) { foreach ($sid in $usersid) { $acl | ?{$_.SecurityIdentifier -eq $sid -and ($_.ActiveDirectoryRights -Like '*GenericAll*' -or $_.ActiveDirectoryRights -Like '*GenericWrite*' -or $_.ActiveDirectoryRights -Like '*WriteOwner*')} } }

# Get all non-privileged group SIDs, all computer object ACLs, and find RBCD candidates
$groupsid = Get-DomainGroup | Where-Object {$_.SamAccountName -ne "Domain Admins" -and $_.SamAccountName -ne "Account Operators" -and $_.SamAccountName -ne "Enterprise Admins" -and $_.SamAccountName -ne "Administrators" -and $_.SamAccountName -ne "DnsAdmins" -and $_.SamAccountName -ne "Schema Admins" -and $_.SamAccountName -ne "Key Admins" -and $_.SamAccountName -ne "Enterprise Key Admins" -and $_.SamAccountName -ne "Storage Replica Administrators"} | select -exp objectsid; "Got group SIDS"; $computeracls = Get-DomainComputer | select -exp dnshostname | Get-DomainObjectAcl; "Got computer ACLs"; "Search through acls for RBCD..."; foreach ($acl in $computeracls) { foreach ($sid in $groupsid) { $acl | ?{$_.SecurityIdentifier -eq $sid -and ($_.ActiveDirectoryRights -Like '*GenericAll*' -or $_.ActiveDirectoryRights -Like '*GenericWrite*' -or $_.ActiveDirectoryRights -Like '*WriteOwner*')} } }

# Get all computer object SIDs, all computer object ACLs, and find RBCD candidates
$computersid = Get-DomainComputer | select -exp objectsid; "Got computer SIDS"; $computeracls = Get-DomainComputer | select -exp dnshostname | Get-DomainObjectAcl; "Got computer ACLs"; "Search through acls for RBCD..."; foreach ($acl in $computeracls) { foreach ($sid in $computersid) { $acl | ?{$_.SecurityIdentifier -eq $sid -and ($_.ActiveDirectoryRights -Like '*GenericAll*' -or $_.ActiveDirectoryRights -Like '*GenericWrite*' -or $_.ActiveDirectoryRights -Like '*WriteOwner*')} } }
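The three one-liners above query the same computer ACLs three times and compare every ACE against every SID in a nested loop. As an added audit script (not part of the original cheatsheet or of PowerView itself), the following collects the ACLs once, resolves user, group and computer SIDs through a single hashtable, and additionally lists computers whose msDS-AllowedToActOnBehalfOfOtherIdentity attribute is already populated, i.e. hosts where RBCD is configured today. The function names are hypothetical; PowerView's Get-DomainUser, Get-DomainGroup, Get-DomainComputer and Get-DomainObjectAcl are assumed to be loaded.

```powershell
# Added example, not part of the original cheatsheet. Function and parameter
# names are hypothetical; PowerView (dev branch) cmdlets must already be loaded.
function Find-ComputerObjectWriteAccess {
    [CmdletBinding()]
    param(
        # Groups whose write access over computer objects is expected
        # and therefore not reported (same exclusion list as the one-liners).
        [string[]]$ExcludedGroups = @('Domain Admins', 'Account Operators',
            'Enterprise Admins', 'Administrators', 'DnsAdmins', 'Schema Admins',
            'Key Admins', 'Enterprise Key Admins', 'Storage Replica Administrators')
    )

    # Resolve the SID of every user, computer and non-excluded group once,
    # so each ACE is a hashtable lookup instead of a nested loop over all SIDs.
    $principals = @{}
    Get-DomainUser     | ForEach-Object { $principals[[string]$_.objectsid] = "user:$($_.samaccountname)" }
    Get-DomainComputer | ForEach-Object { $principals[[string]$_.objectsid] = "computer:$($_.samaccountname)" }
    Get-DomainGroup    | Where-Object { $ExcludedGroups -notcontains $_.samaccountname } |
        ForEach-Object { $principals[[string]$_.objectsid] = "group:$($_.samaccountname)" }

    # Pull the DACL of every computer object a single time.
    $aces = Get-DomainComputer | Select-Object -ExpandProperty dnshostname | Get-DomainObjectAcl

    foreach ($ace in $aces) {
        $sid = [string]$ace.SecurityIdentifier
        # Skip built-in and excluded principals that were not added to the table.
        if (-not $principals.ContainsKey($sid)) { continue }
        $rights = [string]$ace.ActiveDirectoryRights
        if ($rights -match 'GenericAll|GenericWrite|WriteOwner') {
            [pscustomobject]@{
                Computer  = $ace.ObjectDN
                Principal = $principals[$sid]
                Rights    = $rights
            }
        }
    }
}

# Computers that already carry an RBCD configuration: the attribute holds a
# security descriptor naming the accounts allowed to delegate to this host.
function Get-ComputerWithRbcdConfigured {
    Get-DomainComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties samaccountname, dnshostname |
        Select-Object samaccountname, dnshostname
}

Find-ComputerObjectWriteAccess | Format-Table -AutoSize
Get-ComputerWithRbcdConfigured | Format-Table -AutoSize
```

Each row of the first table is a principal that could configure RBCD on that computer; rows from the second table are hosts whose existing delegation configuration should be reviewed against change records.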
