Get-Powerviewhelp.ps1
125 lines (108 loc) · 8.89 KB
function Get-Powerviewhelp
{
<#
.SYNOPSIS
Prints the PowerView overview and its function index as one block of text.

.DESCRIPTION
The help text is kept in a single-quoted here-string, so nothing inside it
(apostrophes, backslashes, the 'net *' wildcard) is interpreted by PowerShell.
#>
    [CmdletBinding()]
    param()

    $powerviewhelp = @'
#PowerView

PowerView is a PowerShell tool to gain network situational awareness on
Windows domains. It contains a set of pure-PowerShell replacements for various
Windows 'net *' commands, which utilize PowerShell AD hooks and underlying
Win32 API functions to perform useful Windows domain functionality.

It also implements various useful metafunctions, including a port
of [Rob Fuller's](https://twitter.com/mubix) [netview.exe](https://github.com/mubix/netview) tool,
and some custom-written 'UserHunter' functions which will identify where on the
network specific users are logged into. It can also check which machines
on the domain the current user has local administrator access on. See function
descriptions for appropriate usage and available options.

For detailed output of underlying functionality, pass the -Debug flag to most functions.
For functions that enumerate multiple machines, pass the -Verbose flag to get a
progress status as each host is enumerated.

Developed by [@harmj0y](https://twitter.com/harmj0y)
Part of Veil's [PowerTools](https://github.com/Veil-Framework/PowerTools)

Thanks to:
[@davidpmcguire](https://twitter.com/davidpmcguire) for inspiration,
[@mubix](https://twitter.com/mubix) for building netview.exe and open sourcing it,
[@obscuresec](https://twitter.com/obscuresec), [@mattifestation](https://twitter.com/mattifestation) and [darkoperator](https://twitter.com/Carlos_Perez) for examples and how to write proper PowerShell modules,
zeknox, smilingraccoon, and r3dy for the [local_admin_search_enum](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb) idea in Metasploit,
dunedinite, normanj, and powershellmagazine.com, for some (cited) examples to adapt and draw from

## Misc Functions:
Get-HostIP - resolves a hostname to an IP
Check-Write - checks if the current user can write to the specified file
Set-MacAttribute - Sets MAC attributes for a file based on another file or input (from Powersploit)
Invoke-CopyFile - copies a local file to a remote location, matching MAC properties
Test-Server - tests connectivity to a specified server
Get-UserProperties - returns all properties specified for users, or a set of user:prop names
Get-ComputerProperties - returns all properties specified for computers, or a set of computer:prop names
Get-LastLoggedOn - return the last logged on user for a target host
Get-UserLogonEvents - returns logon events from the event log for a specified host
Get-UserTGTEvents - returns TGT request events for a specified host
Invoke-CheckLocalAdminAccess - check if the current user context has local administrator access
to a specified host
Invoke-SearchFiles - search a local or remote path for files with specific terms in the name

## net * Functions:
Get-NetDomain - gets the name of the current user's domain
Get-NetForest - gets the forest associated with the current user's domain
Get-NetForestDomains - gets all domains for the current forest
Get-NetDomainControllers - gets the domain controllers for the current computer's domain
Get-NetCurrentUser - gets the current [domain\\]username
Get-NetUser - returns all user objects, or the user specified (wildcard specifiable)
Get-NetUserSPNs - gets all user ServicePrincipalNames
Get-NetOUs - gets data for domain organizational units
Invoke-NetUserAdd - adds a local or domain user
Get-NetGroups - gets a list of all current groups in the domain
Get-NetGroup - gets data for each user in a specified domain group
Get-NetLocalGroups - gets a list of localgroups on a remote host or hosts
Get-NetLocalGroup - gets the members of a localgroup on a remote host or hosts
Get-NetLocalServices - gets a list of running services/paths on a remote host or hosts
Invoke-NetGroupUserAdd - adds a user to a specified local or domain group
Get-NetComputers - gets a list of all current servers in the domain
Get-NetFileServers - get a list of file servers used by current domain users
Get-NetShare - gets share information for a specified server
Get-NetLoggedon - gets users actively logged onto a specified server
Get-NetSessions - gets active sessions on a specified server
Get-NetFileSessions - returns combined Get-NetSessions and Get-NetFiles
Get-NetConnections - gets active connections to a specific server resource (share)
Get-NetFiles - gets open files on a server
Get-NetProcesses - gets the remote processes and owners on a remote server

## User-Hunting Functions:
Invoke-UserHunter - finds machines on the local domain where specified users are
logged into, and can optionally check if the current user has
local admin access to found machines
Invoke-UserHunterThreaded - threaded version of Invoke-UserHunter
Invoke-StealthUserHunter - finds all file servers utilized in user HomeDirectories, and checks
the sessions on each file server, hunting for particular users
Invoke-UserProcessHunter - hunts for processes on domain machines running under specific
target user accounts
Invoke-ProcessHunter - hunts for processes with a specific name on domain machines
Invoke-UserEventHunter - hunts for user logon events in domain controller event logs

## Domain Trust Functions:
Get-NetDomainTrusts - gets all trusts for the current user's domain
Get-NetDomainTrustsLDAP - gets all trusts for the current user's domain using just LDAP
queries. This is less accurate than Get-NetDomainTrusts but
allows you to relay all traffic through your primary DC.
Get-NetForestTrusts - gets all trusts for the forest associated with the current user's domain
Invoke-FindUserTrustGroups - enumerates users who are in groups outside of their principal domain
Invoke-FindAllUserTrustGroups - map all domain trusts and enumerate all users who are in groups outside
of their principal domain
Invoke-MapDomainTrusts - try to build a relational mapping of all domain trusts
Invoke-MapDomainTrustsLDAP - try to build a relational mapping of all domain trusts using
Get-NetDomainTrustsLDAP

## MetaFunctions:
Invoke-Netview - a port of @mubix's netview.exe tool using Get-Net* functionality
finds all machines on the local domain and runs various enumeration
methods on what it finds
Invoke-NetviewThreaded - threaded version of Invoke-Netview
Invoke-UserView - returns parsable session/loggedon user data for a given domain
Invoke-ShareFinder - finds (non-standard) shares on hosts in the local domain
Invoke-ShareFinderThreaded - threaded version of Invoke-ShareFinder
Invoke-FileFinder - finds potentially sensitive files on hosts in the local domain
Invoke-FileFinderThreaded - threaded version of Invoke-FileFinder
Invoke-FindLocalAdminAccess - finds machines on the domain that the current user has local admin
access to
Invoke-FindLocalAdminAccessThreaded - threaded version of Invoke-FindLocalAdminAccess
Invoke-UserFieldSearch - searches a user field for a particular term
Invoke-ComputerFieldSearch - searches a computer field for a particular term
Invoke-FindVulnSystems - finds systems likely vulnerable to MS08-067
Invoke-HostEnum - run all available enumeration checks on a single host
Invoke-EnumerateLocalAdmins - enumerates members of the local Administrators groups across all
machines in the domain
Invoke-EnumerateLocalAdminsThreaded - threaded version of Invoke-EnumerateLocalAdmins
'@

    # Emit the whole help text as a single string object.
    Write-Output -InputObject $powerviewhelp
}
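The help text above is plain prose with a fixed shape: `## ...:` section headings, one `Verb-Noun - description` line per function, and wrapped descriptions that spill onto a following line. The following added example, which is not part of the original PowerView script or of harmj0y's code, parses that shape into one object per function so the index can be filtered, grouped or exported. The function name `ConvertFrom-PowerviewHelp` is hypothetical, and the usage lines assume `Get-Powerviewhelp.ps1` has already been dot-sourced into the session.

```powershell
# Added example (not from the PowerView project): ConvertFrom-PowerviewHelp is a
# hypothetical helper that turns the text Get-Powerviewhelp emits into objects,
# one per listed function, each tagged with the "## ..." section it sits under.
function ConvertFrom-PowerviewHelp
{
    [CmdletBinding()]
    param(
        # The help text, either as one multi-line string (what Get-Powerviewhelp
        # outputs) or as lines that were already split.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]] $HelpText
    )

    begin {
        $lines   = New-Object 'System.Collections.Generic.List[string]'
        $results = New-Object 'System.Collections.Generic.List[object]'
    }

    process {
        # Normalise the input to individual lines whichever form it arrived in.
        foreach ($chunk in $HelpText) {
            $lines.AddRange([string[]]($chunk -split "`r?`n"))
        }
    }

    end {
        $section = $null   # heading of the section currently being read
        $current = $null   # last entry created, for wrapped descriptions

        foreach ($line in $lines) {
            # '## Misc Functions:' style headings start a new section; the
            # trailing colon is stripped from the captured name.
            if ($line -match '^##\s*(.+?):?\s*$') {
                $section = $Matches[1]
                $current = $null
                continue
            }

            # 'Verb-Noun - description' lines start a new entry. Whitespace
            # around the dash is optional because the original text is not
            # consistent about it.
            if ($section -and $line -match '^([A-Za-z]+-\w+)\s*-\s*(.*)$') {
                $current = [pscustomobject]@{
                    Section     = $section
                    Name        = $Matches[1]
                    Description = $Matches[2].Trim()
                }
                $results.Add($current)
                continue
            }

            # Any other non-blank line inside a section is the continuation of
            # the previous description (long descriptions wrap onto a new line).
            if ($current -and $line.Trim()) {
                $current.Description += ' ' + $line.Trim()
            }
        }

        $results
    }
}

# Usage, assuming Get-Powerviewhelp.ps1 has been dot-sourced in this session:
#   $index = Get-Powerviewhelp | ConvertFrom-PowerviewHelp
#   $index | Where-Object Section -eq 'Domain Trust Functions' | Format-Table Name, Description -Wrap
#   $index | Group-Object Section | Select-Object Name, Count
#   $index.Name | Set-Content -Path .\powerview-function-names.txt
```

Lines before the first `##` heading (the overview and credits) carry no entries, so they are skipped by the `$section` guard rather than mis-parsed; a continuation line such as `Get-NetDomainTrustsLDAP` under `Invoke-MapDomainTrustsLDAP` has no second dash, so it does not match the entry pattern and is correctly appended to the previous description. Exporting `$index.Name` gives a defender a ready-made keyword list for reviewing PowerShell script block logs (Event ID 4104) for PowerView function names.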