-
Notifications
You must be signed in to change notification settings - Fork 118
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
9 changed files
with
305 additions
and
149 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -87,14 +87,19 @@ Here's the list of available commands: | |
| {get-adobject,get-adserviceaccount,get-objectacl,get-netuser,get-netgroup,get-netcomputer,get-netdomaincontroller,get-netfileserver,get-dfsshare,get-netou,get-netsite,get-netsubnet,get-netdomaintrust,get-netgpo,get-netpso,get-domainpolicy,get-gpttmpl,get-netgpogroup,find-gpocomputeradmin,find-gpolocation,get-netgroupmember,get-netsession,get-localdisks,get-netdomain,get-netshare,get-netloggedon,get-netlocalgroup,invoke-checklocaladminaccess,get-netprocess,get-userevent,invoke-userhunter,invoke-processhunter,invoke-eventhunter} | ||
| get-adobject Takes a domain SID, samAccountName or name, and return the associated object | ||
| get-adserviceaccount | ||
| Returns a list of all the gMSA of the specified domain (you need privileged account to retrieve passwords) | ||
| get-objectacl Takes a domain SID, samAccountName or name, and return the ACL of the associated object | ||
| Returns a list of all the gMSA of the specified domain. To retrieve passwords, | ||
| you need a privileged account and a TLS connection to the LDAP server (use the | ||
| --tls switch). | ||
| get-objectacl Takes a domain SID, samAccountName or name, and return the ACL of the | ||
| associated object | ||
| get-netuser Queries information about a domain user | ||
| get-netgroup Get a list of all current domain groups, or a list of groups a domain user is member of | ||
| get-netgroup Get a list of all current domain groups, or a list of groups a domain user is | ||
| member of | ||
| get-netcomputer Queries informations about domain computers | ||
| get-netdomaincontroller | ||
| Get a list of domain controllers for the given domain | ||
| get-netfileserver Return a list of file servers, extracted from the domain users' homeDirectory, scriptPath, and profilePath fields | ||
| get-netfileserver Return a list of file servers, extracted from the domain users' homeDirectory, | ||
| scriptPath, and profilePath fields | ||
| get-dfsshare Return a list of all fault tolerant distributed file systems for a given domain | ||
| get-netou Get a list of all current OUs in the domain | ||
| get-netsite Get a list of all current sites in the domain | ||
|
|
@@ -106,20 +111,29 @@ Here's the list of available commands: | |
| get-gpttmpl Helper to parse a GptTmpl.inf policy file path into a custom object | ||
| get-netgpogroup Parses all GPOs in the domain that set "Restricted Group" or "Groups.xml" | ||
| find-gpocomputeradmin | ||
| Takes a computer (or OU) and determine who has administrative access to it via GPO | ||
| find-gpolocation Takes a username or a group name and determine the computers it has administrative access to via GPO | ||
| Takes a computer (or OU) and determine who has administrative access to it via | ||
| GPO | ||
| find-gpolocation Takes a username or a group name and determine the computers it has | ||
| administrative access to via GPO | ||
| get-netgroupmember Return a list of members of a domain group | ||
| get-netsession Queries a host to return a list of active sessions on the host (you can use local credentials instead of domain credentials) | ||
| get-localdisks Queries a host to return a list of active disks on the host (you can use local credentials instead of domain credentials) | ||
| get-netsession Queries a host to return a list of active sessions on the host (you can use | ||
| local credentials instead of domain credentials) | ||
| get-localdisks Queries a host to return a list of active disks on the host (you can use local | ||
| credentials instead of domain credentials) | ||
| get-netdomain Queries a host for available domains | ||
| get-netshare Queries a host to return a list of available shares on the host (you can use local credentials instead of domain credentials) | ||
| get-netloggedon This function will execute the NetWkstaUserEnum RPC call to query a given host for actively logged on users | ||
| get-netlocalgroup Gets a list of members of a local group on a machine, or returns every local group. You can use local credentials instead of domain credentials, however, domain credentials are needed | ||
| to resolve domain SIDs. | ||
| get-netshare Queries a host to return a list of available shares on the host (you can use | ||
| local credentials instead of domain credentials) | ||
| get-netloggedon This function will execute the NetWkstaUserEnum RPC call to query a given host | ||
| for actively logged on users | ||
| get-netlocalgroup Gets a list of members of a local group on a machine, or returns every local | ||
| group. You can use local credentials instead of domain credentials, however, | ||
| domain credentials are needed to resolve domain SIDs. | ||
| invoke-checklocaladminaccess | ||
| Checks if the given user has local admin access on the given host | ||
| get-netprocess This function will execute the 'Select * from Win32_Process' WMI query to a given host for a list of executed process | ||
| get-userevent This function will execute the 'SELECT * from Win32_NTLogEvent' WMI query to a given host for a list of executed process | ||
| get-netprocess This function will execute the 'Select * from Win32_Process' WMI query to a | ||
| given host for a list of executed process | ||
| get-userevent This function will execute the 'SELECT * from Win32_NTLogEvent' WMI query to a | ||
| given host for a list of executed process | ||
| invoke-userhunter Finds which machines domain users are logged into | ||
| invoke-processhunter | ||
| Searches machines for processes with specific name, or ran by specific users | ||
|
|
@@ -137,7 +151,7 @@ an argument, and __not__ `USELESSDOMAIN`. | |
|
|
||
| ## GLOBAL ARGUMENTS | ||
|
|
||
| ### LOGGING | ||
| ### Logging | ||
|
|
||
| You can provide a logging level to `pywerview` modules by using `-l` or `--logging-level` options. Supported levels are: | ||
|
|
||
|
|
@@ -220,10 +234,49 @@ To recap: | |
| | SPN in the ticket | Can be used with LDAP functions | Can be used with SMB/RPC functions | | ||
| | :-----------------------------------: | :-----------------------------: | :--------------------------------: | | ||
| | `ldap/[email protected]` | ✔️ | ✔️ | | ||
| | `cifs/srv-ad.contoso.com@CONTOSO.COm` | ✔️ | ✔️ | | ||
| | `cifs/srv-ad.contoso.com@CONTOSO.COM` | ✔️ | ✔️ | | ||
| | `ldap/[email protected]` | ❌ | ✔️ | | ||
|
|
||
| ### TLS CONNECTION | ||
| *NOTE:* The same limitation exists for TGT in your cache credential file: `krbtgt/[email protected]` will work | ||
| but not `krbtgt/[email protected]`. | ||
|
|
||
| ### LDAP SChannel authentication | ||
|
|
||
| SChannel authentication is supported for a subset of the submodules. Functions that support SChannel authentication are: | ||
|
|
||
| * get-adobject | ||
| * get-adserviceaccount | ||
| * get-objectacl | ||
| * get-netuser | ||
| * get-netgroup | ||
| * get-netcomputer | ||
| * get-netdomaincontroller | ||
| * get-netfileserver | ||
| * get-netou | ||
| * get-netsite | ||
| * get-netsubnet | ||
| * get-netdomaintrust | ||
| * get-netpso | ||
| * get-netgpo | ||
| * get-netgroupmember | ||
|
|
||
| To authenticate via SChannel: | ||
|
|
||
| 1. Retrieve the certificate and the key with your favorite tool ([ntlmrelayx.py](https://github.com/fortra/impacket), [certipy](https://github.com/ly4k/Certipy),...) | ||
| 2. `pywerview` needs a certificate file and a key file, so you need to extract them from the `.pfx`. | ||
| 3. Use `--cert` and `--key` as in the following example: | ||
|
|
||
| ```console | ||
| $ python3 pywerview.py get-netuser -w contoso.com --dc-ip 172.16.0.55 --cert stormtroopers.crt --key stormtroopers.key --username administrator --attributes distinguishedname useraccountcontrol --tls | ||
| distinguishedname: CN=Administrator,CN=Users,DC=contoso,DC=com | ||
| useraccountcontrol: NORMAL_ACCOUNT | ||
|
|
||
| ``` | ||
|
|
||
| If you don't specify the `--tls` flag when using certificate authentication, `pywerview` will try to use StartTLS and an `EXTERNAL SASL` bind | ||
| as described in the [Microsoft documentation](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/8e73932f-70cf-46d6-88b1-8d9f86235e81) | ||
|
|
||
| ### TLS connection | ||
|
|
||
| You can force a connection to the LDAPS port by using the `--tls` switch. It | ||
| can be necessary with some functions, for example when retrieving gMSA | ||
|
|
@@ -247,7 +300,7 @@ description: | |
| enabled: True | ||
| ``` | ||
|
|
||
| ### JSON OUTPUT | ||
| ### JSON output | ||
|
|
||
| Pywerview can print results in json format by using the `--json` switch. | ||
|
|
||
|
|
||
Oops, something went wrong.