PowerSploit
PowerSploit (11.5k ⭐, 2017 🪦) is the latest incarnation of PowerTools and PowerUp, which have also been dead since 2014/2015.
PowerView
PowerView is a module part of PowerSploit.
PS> Import-Module .\PowerView.ps1
PowerView – Domain Enumeration
Get information on the domain:
PS> Get-DomainSID
PS> Get-DomainPolicy
PS> Get-DomainUser -Identity username
PS> Get-DomainGroup -Identity "XXX" | select memberof
PS> Get-DomainGroupMember -Identity "Domain Admins" -Recurse
PS> Get-DomainTrustMapping
PS> Test-AdminAccess -ComputerName TARGET_HOST
PS> Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName
PS> Get-DomainUser cn -Properties samaccountname,serviceprincipalname,msds-supportedencryptiontypes # encryption scheme
PS> Get-DomainUser -Identity cn | Get-DomainSPNTicket -Format Hashcat | Export-Csv .\xxx.csv -NoTypeInformation
PS> Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*XXX*'} | select samaccountname,useraccountcontrol
PS> Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl
PS> Get-DomainUser -UACFilter PASSWD_NOTREQD | Select-Object samaccountname,useraccountcontrol
Note: You can explicitly query a domain using -Domain example.com
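The -UACFilter and useraccountcontrol -like queries above match on bits of the userAccountControl attribute, and the msds-supportedencryptiontypes query on another bitmask. The following helper is an added example, not PowerSploit code: it decodes both bitmasks (flag names and values are Microsoft's documented constants) and reports the settings a defender should review. Get-AccountRiskReport is a hypothetical name, and the sample accounts are constructed so the script runs offline; in a real domain, pipe it the output of Get-DomainUser -Properties samaccountname,useraccountcontrol,msds-supportedencryptiontypes,serviceprincipalname instead.

```powershell
# Added example (not PowerSploit code): decode the userAccountControl and
# msds-supportedencryptiontypes bitmasks that the PowerView queries above filter on.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x0002
    PASSWD_NOTREQD                 = 0x0020
    DONT_EXPIRE_PASSWORD           = 0x10000
    TRUSTED_FOR_DELEGATION         = 0x80000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}
# Flags worth reviewing: each one weakens authentication or widens the blast radius of a compromise.
$RiskyUac = 'PASSWD_NOTREQD','DONT_EXPIRE_PASSWORD','TRUSTED_FOR_DELEGATION',
            'USE_DES_KEY_ONLY','DONT_REQ_PREAUTH','TRUSTED_TO_AUTH_FOR_DELEGATION'

$EncTypes = [ordered]@{ DES_CBC_CRC = 0x1; DES_CBC_MD5 = 0x2; RC4_HMAC = 0x4; AES128 = 0x8; AES256 = 0x10 }

function Get-AccountRiskReport {
    # Hypothetical helper name; accepts objects shaped like Get-DomainUser output.
    param([Parameter(ValueFromPipeline)] $Account)
    process {
        $uac = [int]$Account.useraccountcontrol
        $set = $UacFlags.Keys | Where-Object { ($uac -band $UacFlags[$_]) -ne 0 }
        $enc = [int]($Account.'msds-supportedencryptiontypes')
        # A missing or zero value means the DC default applies (RC4 on most domains), which is itself worth noting.
        $encNames = if ($enc -eq 0) { @('DEFAULT(RC4)') } else { $EncTypes.Keys | Where-Object { ($enc -band $EncTypes[$_]) -ne 0 } }
        [pscustomobject]@{
            SamAccountName  = $Account.samaccountname
            UacFlags        = ($set -join ',')
            RiskyFlags      = (@($set | Where-Object { $RiskyUac -contains $_ }) -join ',')
            EncryptionTypes = ($encNames -join ',')
            WeakCrypto      = ([bool]($enc -band 0x7)) -or ($enc -eq 0)   # any DES/RC4 bit, or default
            HasSPN          = [bool]$Account.serviceprincipalname          # Kerberoastable if a password-based account
        }
    }
}

# Constructed sample input (not real accounts): one hardened user and one with the risky flags set.
$Sample = @(
    [pscustomobject]@{ samaccountname = 'alice';      useraccountcontrol = 0x200 -bor 0x10000;              'msds-supportedencryptiontypes' = 0x18; serviceprincipalname = $null }
    [pscustomobject]@{ samaccountname = 'svc_legacy'; useraccountcontrol = 0x200 -bor 0x20 -bor 0x400000;   'msds-supportedencryptiontypes' = 0x4;  serviceprincipalname = 'MSSQLSvc/db01.example.com' }
)
$Sample | Get-AccountRiskReport | Format-Table -AutoSize
```

For svc_legacy the report lists PASSWD_NOTREQD and DONT_REQ_PREAUTH as risky flags, RC4-only encryption and an SPN, which is exactly the combination the -PreauthNotRequired, -UACFilter and -SPN queries above would surface.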
PowerView – Trust Relationships
PS> Get-DomainTrust
PS> Get-DomainTrustMapping
PS> Get-DomainUser -Domain dev.example.com | select SamAccountName
PowerView – ACE-related commands
PS> Find-InterestingDomainAcl
PS> $sid = Convert-NameToSid username
PS> $username = Convert-SidToName $sid
PS> Get-DomainObjectACL -Identity cn | ? {$_.SecurityIdentifier -eq $sid}
PS> Get-DomainObjectACL -ResolveGUIDs -Identity cn | ? {$_.SecurityIdentifier -eq $sid}
PS> Get-ObjectAcl "DC=example,DC=com" -ResolveGUIDs
PowerView – PS1 Alternatives
There is a C# port called SharpView (0.9k ⭐, 2018 🪦).
PS> .\SharpView.exe Get-DomainUser -Identity username
There is a Python port called powerview.py (0.3k ⭐).