Skip to main content

Python based PowerView script

Project description

PowerView.py

Installation | Basic Usage | Modules | Logging

PowerView.py is an alternative for the awesome original PowerView.ps1 script. Most of the modules used in PowerView are available here ( some of the flags are changed ). Main goal is to achieve interactive session without having to repeatedly authenticate to ldap.

Installation

Since powerview.py now supports Channel Binding, gssapi is part of the dependencies which requires libkrb5-dev apt package.

  • [EASY] Run install.sh
curl -L powerview.sh | sh

or

  • Manual (pip3)
git clone https://github.com/aniqfakhrul/powerview.py
cd powerview.py
sudo apt install libkrb5-dev
sudo python3 setup.py install

[!TIP] Use pipx to remotely fetch and install locally pipx install 'git+https://github.com/aniqfakhrul/powerview.py

Basic Usage

[!NOTE] Note that some of the kerberos functions are still not functioning well just yet but it'll still do most of the works. Detailed usage can be found in Wiki section

  • Init connection
powerview range.net/lowpriv:Password123@192.168.86.192 [--dc-ip 192.168.86.192] [-k] [--use-ldap | --use-ldaps]
  • Init connection with specific authentication. Note that --use-sign-and-seal and --use-channel-binding is only available if you install ldap3 library directly from this branch
powerview range.net/lowpriv:Password123@192.168.86.192 [--use-channel-binding | --use-sign-and-seal | --use-simple-auth]
  • Init with schannel. --pfx flag accept pfx formatted certificate file.

[!NOTE]
powerview will try to load certificate without password on the first attempt. If it fails, it'll prompt for password. So, no password parameter needed

powerview 10.10.10.10 --pfx administrator.pfx

  • Query for specific user
Get-DomainUser Administrator
Get-DomainUser -Identity Administrator
  • Specify search attributes
Get-DomainUser -Properties samaccountname,description
  • Filter results
Get-DomainUser -Where 'samaccountname [contains][in][eq] admins'
  • Count results
Get-DomainUser -Count
  • Output result to file
Get-DomainUser -OutFile ~/domain_user.txt
  • Set module
Set-DomainObject -Identity "adminuser" -Set 'servicePrincipalname=http/web.ws.local'
Set-DomainObject -Identity "adminuser" -Append 'servicePrincipalname=http/web.ws.local'
Set-DomainObject -Identity "adminuser" -Clear 'servicePrincipalname'

# Reading from local file
Set-DomainObject -Identity "adminuser" -Set 'servicePrincipalname=@/path/to/local/file'
Set-DomainObject -Identity "adminuser" -Append 'servicePrincipalname=@/path/to/local/file'
  • Relay mode
powerview 10.10.10.10 --relay [--relay-host] [--relay-port] [--use-ldap | --use-ldaps]

[!NOTE]
This demonstration shows coerced authentication was made using printerbug.py. You may use other methods that coerce HTTP authentication.

Module available (so far?)

PV >
Add-ADComputer                 Get-Domain                     Get-NamedPipes                 Remove-DomainOU 
Add-ADUser                     Get-DomainCA                   Get-NetComputer                Remove-DomainObject 
Add-CATemplate                 Get-DomainCATemplate           Get-NetDomain                  Remove-DomainObjectAcl 
Add-CATemplateAcl              Get-DomainComputer             Get-NetDomainController        Remove-DomainUser 
Add-DomainCATemplate           Get-DomainController           Get-NetGPO                     Remove-GPLink 
Add-DomainCATemplateAcl        Get-DomainDNSRecord            Get-NetGroup                   Remove-GroupMember 
Add-DomainComputer             Get-DomainDNSZone              Get-NetGroupmember             Remove-OU 
Add-DomainDNSRecord            Get-DomainForeignGroupMember   Get-NetLoggedOn                Remove-ObjectAcl 
Add-DomainGPO                  Get-DomainForeignUser          Get-NetOU                      Set-ADObject 
Add-DomainGroupMember          Get-DomainGMSA                 Get-NetSession                 Set-ADObjectDN 
Add-DomainOU                   Get-DomainGPO                  Get-NetShare                   Set-CATemplate 
Add-DomainObjectAcl            Get-DomainGPOLocalGroup        Get-NetTrust                   Set-DomainCATemplate 
Add-DomainUser                 Get-DomainGroup                Get-NetUser                    Set-DomainComputerPassword 
Add-GPLink                     Get-DomainGroupMember          Get-ObjectAcl                  Set-DomainDNSRecord 
Add-GPO                        Get-DomainOU                   Get-ObjectOwner                Set-DomainObject 
Add-GroupMember                Get-DomainObject               Get-RBCD                       Set-DomainObjectDN 
Add-OU                         Get-DomainObjectAcl            Get-SCCM                       Set-DomainObjectOwner 
Add-ObjectAcl                  Get-DomainObjectOwner          Invoke-Kerberoast              Set-DomainRBCD 
ConvertFrom-SID                Get-DomainRBCD                 Remove-ADComputer              Set-DomainUserPassword 
ConvertFrom-UACValue           Get-DomainSCCM                 Remove-ADObject                Set-ObjectOwner 
Find-ForeignGroup              Get-DomainTrust                Remove-ADUser                  Set-RBCD 
Find-ForeignUser               Get-DomainUser                 Remove-CATemplate              Unlock-ADAccount 
Find-LocalAdminAccess          Get-Exchange                   Remove-DomainCATemplate        clear 
Get-ADObject                   Get-ExchangeServer             Remove-DomainComputer          exit 
Get-CA                         Get-GMSA                       Remove-DomainDNSRecord         
Get-CATemplate                 Get-GPOLocalGroup              Remove-DomainGroupMember       

Domain/LDAP Functions

Module Alias Description
Get-DomainUser Get-NetUser Query for all users or specific user objects in AD
Get-DomainComputer Get-NetComputer Query for all computers or specific computer objects in AD
Get-DomainGroup Get-NetGroup Query for all groups or specific group objects in AD
Get-DomainGroupMember Get-NetGroupMember Query the members for specific domain group
Get-DomainOU Get-NetOU Query for all OUs or specific OU objects in AD
Get-Domain Get-NetDomain Query for domain information
Get-DomainController Get-NetDomainController Query for available domain controllers
Get-DomainDNSRecord Query for available records. It will recurse all DNS zones if doesn't specify -ZoneName
Get-DomainDNSZone Query for available DNS zones in the domain
Get-DomainObject Get-ADObject Query for all or specified domain objects in AD
Get-DomainObjectAcl Get-ObjectAcl Query ACLs for specified AD object
Get-DomainSCCM Get-SCCM Query for SCCM
Get-DomainRBCD Get-RBCD Finds accounts that are configured for resource-based constrained delegation
Get-DomainObjectOwner Get-ObjectOwner Query owner of the AD object
Get-DomainGMSA Get-GMSA Query objects with GMSA attributes and decode the password blob
Remove-DomainDNSRecord Remove Domain DNS Record
Remove-DomainComputer Remove-ADComputer Remove Domain Computer
Remove-DomainGroupMember Remove-GroupMember Remove member of a specific Domain Group
Remove-DomainOU Remove-OU Remove OUs or specific OU objects in AD
Remove-DomainObjectAcl Remove-ObjectAcl Remove ACLs for specified AD object
Remove-DomainObject Remove-ADObject Remove specified Domain Object
Remove-DomainUser Remove-ADUser Remove specified Domain User in AD
Set-DomainDNSRecord Set Domain DNS Record
Set-DomainUserPassword Set password for specified Domain User
Set-DomainComputerPassword Set password for specified Domain Computer
Set-DomainObject Set-ADObject Set for specified domain objects in AD
Set-DomainObjectDN Set-ADObjectDN Modify object's distinguishedName attribute as well as changing OU
Set-DomainObjectOwner Set-ObjectOwner Set owner of the AD object
Add-DomainDNSRecord Add Domain DNS Record
Add-DomainUser Add-ADUser Add new Domain User in AD
Add-DomainComputer Add-ADComputer Add new Domain Computer in AD
Add-DomainGroupMember Add-GroupMember Add new member in specified Domain Group in AD
Add-DomainOU Add-OU Add new OU object in AD
Add-DomainGPO Add-GPO Add new GPO object in AD
Add-DomainObjectAcl Add-ObjectAcl Supported rights so far are All, DCsync, RBCD, ShadowCred, WriteMembers

GPO Functions

Module Alias Description
Get-DomainGPO Get-NetGPO Query for domain group policy objects
Get-DomainGPOLocalGroup Get-GPOLocalGroup Query all GPOs in a domain that modify local group memberships through Restricted Groups or Group Policy preferences
Add-GPLink Create new GPO link to an OU
Remove-GPLink Remove GPO link from an OU

Computer Enumeration Functions

Module Alias Description
Get-NetSession Query session information for the local or a remote computer
Get-NetShare Query open shares on the local or a remote computer
Get-NetLoggedOn Query logged on users on the local or a remote computer

ADCS Functions

Module Alias Description
Get-DomainCATemplate Get-CATemplate Query for available CA templates. Supports filtering for vulnerable template
Get-DomainCA Get-CA Query for Certificate Authority(CA)
Remove-DomainCATemplate Remove-CATemplate Remove specified Domain CA Template
Set-DomainCATemplate Set-CATemplate Modify domain object's attributes of a CA Template
Add-DomainCATemplate Add-CATemplate Add new Domain CA Template
Add-DomainCATemplateAcl Add-CATemplateAcl Add ACL to a certificate template. Supported rights so far are All, Enroll, Write

Exchange Functions

Module Alias Description
Get-ExchangeServer Get-Exchange Retrieve list of available exchange servers in the domain

Domain Trust Functions

Module Alias Description
Get-DomainTrust Get-NetTrust Query all Domain Trusts
Get-DomainForeignUser Find-ForeignUser Query users who are in group outside of the user's domain
Get-DomainForeignGroupMember Find-ForeignGroup Query groups with users outside of group's domain and look for foreign member

Misc Functions

Module Alias Description
ConvertFrom-SID Convert a given security identifier (SID) to user/group name
ConvertFrom-UACValue Converts a UAC int value to human readable form
Get-NamedPipes List out Named Pipes for a specific computer
Invoke-Kerberoast Requests kerberos ticket for a specified service principal name (SPN)
Unlock-ADAccount Unlock domain accounts by modifying lockoutTime attribute
Find-LocalAdminAccess Finds computer on the local domain where the current has a Local Administrator access

Logging

We will never miss logging to keep track of the actions done. By default, powerview creates a .powerview folder in current user home directory (~). Each log file is generated based on current date. Example path: /root/.powerview/logs/bionic.local/2024-02-13.log

To-Do

  • Add logging function to track and monitor what have been run.
  • Add cache functionality to minimize network interaction.
  • Support more authentication flexibility.
    • Channel Binding
    • Sign and Seal
    • Simple Authentication
    • Schannel. Authentication with pfx
  • Add ProtectedFromAccidentalDeletion attribute to Get-DomainOU

Credits

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

powerview-2024.6.3.tar.gz (163.4 kB view hashes)

Uploaded Source

Built Distribution

powerview-2024.6.3-py3-none-any.whl (168.3 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page