PowerView is a PowerShell tool for gaining network situational awareness
on Windows domains, used by cyber security services and ethical hacking training
professionals. It implements a number of practical meta-functions, including
user-hunting functions that discover where in the network specific users are
logged in. It can also find which machines in the domain the current user has
local administrator access to, and it includes a number of functions for the
enumeration and abuse of domain trusts. Function descriptions covering intended
usage and available options are easy to find, as any ethical hacking training
professor will point out.
It also includes a set of PowerShell replacements for various Windows "net *"
commands, which use PowerShell AD hooks and underlying Win32 API functions to
perform useful Windows domain functionality, as cyber security services
researchers note. To run it on a machine, start PowerShell with
"powershell -exec bypass" and then load the PowerView module with:
PS> Import-Module .\powerview.psm1
or load the PowerView script by itself:
PS> Import-Module .\powerview.ps1
For detailed output of the underlying functionality, add the -Debug flag to the
functions. For functions that enumerate several machines, add the -Verbose flag
to obtain progress status as each host is enumerated. Most of the "meta"
functions accept an array of hosts.
How to use PowerView to exploit Active Directory
AdminSDHolder is a special Active Directory object located at
"CN=AdminSDHolder,CN=System,DC=domain,DC=com". The stated purpose of this
object is to protect certain privileged accounts from unintentional
modification. Every hour, a special process called SDProp recursively
enumerates the membership of a specific set of protected groups, checks the
access control lists of all accounts found, and clones the ACL of the
AdminSDHolder object onto any protected object whose ACL differs, as ethical
hacking training professors explain. If we modify the permissions of
AdminSDHolder, that permission template will be applied to all protected
accounts automatically by SDProp. So an unprivileged user, even one with no
group membership at all, can be added to the ACL of AdminSDHolder, giving a
backdoor mechanism that allows the membership of groups like Domain Admins to
be altered.
Any account or group that is, or was, a member of a protected group has its
AdminCount property set to 1, even if the object is no longer in that protected
group. With PowerView, we can easily enumerate all users and groups with
AdminCount=1 using Get-NetUser -AdminCount and Get-NetGroup -AdminCount,
respectively. This lets us quickly find all high-value accounts, even ones that
are no longer part of a protected group. With Invoke-UserHunter we can use the
-AdminCount flag to hunt for all high-value users in the domain.
Active Directory access rights are a relatively unexplored area from an
offensive cyber security perspective. Network admins should start auditing and
monitoring the access rights of all privileged domain objects, particularly the
domain root and AdminSDHolder. You can do this manually, through PowerView's
Get-ObjectACL, or with the help of cyber security services and ethical hacking
training professionals.
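The audit recommended above, written as an added example rather than code from the original post or from the PowerView project. It uses Microsoft's ActiveDirectory module (the AD: PSDrive, Get-Acl, Get-ADUser and Get-ADGroup) instead of PowerView, so it runs from an admin workstation with RSAT installed. The function names Get-AdminSDHolderAudit and Get-AdminCountPrincipals, and the list of expected trustees used as a baseline, are assumptions made for illustration; the baseline should be replaced with a known-good snapshot of your own domain.

```powershell
# Added example (not part of the original post or of PowerView).
# Assumes the ActiveDirectory module (RSAT) is installed and the caller
# has read access to the domain. Function names and the baseline trustee
# list are assumptions made for illustration.
Import-Module ActiveDirectory

# Assumed baseline: trustees that normally hold rights on AdminSDHolder.
# Replace this with a snapshot taken from a known-good state of your domain.
$script:ExpectedTrustees = @(
    'NT AUTHORITY\SYSTEM',
    'NT AUTHORITY\SELF',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'BUILTIN\Administrators',
    'BUILTIN\Pre-Windows 2000 Compatible Access',
    'BUILTIN\Windows Authorization Access Group',
    'BUILTIN\Terminal Server License Servers'
)

# Rights that let a trustee change the object, its permissions or its owner.
$script:WriteRightsPattern = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty'

function Get-AdminSDHolderAudit {
    # Resolve the AdminSDHolder path for the current domain and read its ACL.
    $domainDN = (Get-ADDomain).DistinguishedName
    $path = "AD:\CN=AdminSDHolder,CN=System,$domainDN"
    $acl = Get-Acl -Path $path

    foreach ($ace in $acl.Access) {
        $trustee = $ace.IdentityReference.Value
        # Built-in domain groups show up as DOMAIN\Name; strip the domain part
        # so the comparison works for the well-known BUILTIN-style entries too.
        $shortName = $trustee -replace '^[^\\]+\\', ''
        $known = ($script:ExpectedTrustees -contains $trustee) -or
                 ($shortName -in @('Domain Admins', 'Enterprise Admins', 'Cert Publishers', 'Key Admins', 'Enterprise Key Admins'))
        $grantsWrite = ($ace.AccessControlType -eq 'Allow') -and
                       ($ace.ActiveDirectoryRights.ToString() -match $script:WriteRightsPattern)

        [PSCustomObject]@{
            Trustee     = $trustee
            Rights      = $ace.ActiveDirectoryRights
            Type        = $ace.AccessControlType
            Inherited   = $ace.IsInherited
            ObjectType  = $ace.ObjectType
            # Flag explicit write-capable ACEs held by trustees outside the baseline:
            # these are the entries SDProp will push onto every protected account.
            Flagged     = (-not $known) -and $grantsWrite -and (-not $ace.IsInherited)
        }
    }
}

function Get-AdminCountPrincipals {
    # Users and groups with adminCount=1: current or former protected-group members.
    $users  = Get-ADUser  -LDAPFilter '(adminCount=1)' -Properties adminCount, memberOf
    $groups = Get-ADGroup -LDAPFilter '(adminCount=1)' -Properties adminCount

    foreach ($u in $users) {
        [PSCustomObject]@{ Name = $u.SamAccountName; Kind = 'User';  Groups = ($u.memberOf -join ';') }
    }
    foreach ($g in $groups) {
        [PSCustomObject]@{ Name = $g.SamAccountName; Kind = 'Group'; Groups = '' }
    }
}

# Usage: review flagged ACEs first, then the list of high-value principals.
Get-AdminSDHolderAudit | Where-Object Flagged | Format-Table Trustee, Rights, Inherited -AutoSize
Get-AdminCountPrincipals | Sort-Object Kind, Name | Format-Table -AutoSize
```

Running the first function on a schedule and diffing its output against the stored baseline turns the hourly SDProp propagation the post describes into a detection opportunity: any new, non-inherited write-capable ACE on AdminSDHolder appears in the diff well before it has been copied to every protected account. The second function is the defender's counterpart to Get-NetUser -AdminCount; accounts it lists that are no longer in any protected group should have adminCount cleared and inheritance re-enabled, so they stop receiving the AdminSDHolder template.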