Skip to Main Content
January 22, 2014

Powershell Reconnaissance

Written by Larry Spohn
This post is a simple introduction to Powershell and a demonstration of a couple of useful ways it can be utilized during the information gathering stages of a pentest. All of the examples are demonstrated using Powershell version 3.0, so unless you are running Windows 8/2012 or above, you will most likely need to download the latest version from Microsoft. To check what version you are currently running, simply run the following command.
PS C:UsersTrustedSec> $PSVersionTable

Name                           Value

PSVersion                      3.0
WSManStackVersion              3.0
CLRVersion                     4.0.30319.18408
BuildVersion                   6.2.9200.16398
PSCompatibleVersions           {1.0, 2.0, 3.0}
PSRemotingProtocolVersion      2.2
Edit: @obscuresec pointed out that you must also have the "Active Directory Module for Windows Powershell" installed/enabled to utilize the following cmdlets. You can find this module in the "Remote Server Administration Tools", which is a separate download from Microsoft. The module is enabled through the "Programs and Features" Control Panel item. Assuming that you will be running these commands from a local machine that isn't joined to the domain, the first requirement for enumerating Active Directory is valid domain credentials, because any valid domain user has full "read" access to Active Directory. If your lucky, these are usually attained via brute force or possibly a compromised host on the domain. This is often the first step towards the fall of the "Domain Admin". However you attain these credentials, use them to connect to the Active Directory service.
PS C:UsersTrustedSec> $cred = Get-Credential
When prompted, enter the credentials, which will be saved in the "$cred" variable. Now we can simply call the "$cred" variable when we want to query the domain service. The first command that I like to run is a query for the list of "Domain Admins".
PS C:UsersTrustedSec> Get-ADGroupMember -Credential $cred -server "Domain Admins"

distinguishedName : CN=Administrator,CN=Users,DC=pwnt,DC=com
name              : Administrator
objectClass       : user
objectGUID        : 1fd60ff8-07a4-4c6e-9a1e-7cd0d7bb97db
SamAccountName    : Administrator
SID               : S-1-5-21-2027135834-1792351174-2509185371-500

distinguishedName : CN=Larry Spohn,CN=Users,DC=pwnt,DC=com
name              : Larry Spohn
objectClass       : user
objectGUID        : 73cf7cc6-121a-42dd-b3db-1d4ed99a081b
SamAccountName    : Spoonman
SID               : S-1-5-21-2027135834-1792351174-2509185371-1105

distinguishedName : CN=Scott White,CN=Users,DC=pwnt,DC=com
name              : Scott White
objectClass       : user
objectGUID        : 3e28c37b-3c2d-44da-97aa-1a2dc49d10fc
SamAccountName    : sasquatch
SID               : S-1-5-21-2027135834-1792351174-2509185371-1106

distinguishedName : CN=Paul Koblitz,CN=Users,DC=pwnt,DC=com
name              : Paul Koblitz
objectClass       : user
objectGUID        : a064e92b-3f4b-4b99-ba4e-37bdb4c52378
SamAccountName    : ph4que
SID               : S-1-5-21-2027135834-1792351174-2509185371-1107

distinguishedName : CN=Nick Hitchcock,CN=Users,DC=pwnt,DC=com
name              : Nick Hitchcock
objectClass       : user
objectGUID        : 47ce17ad-6f10-4ba1-9a3a-1e23ebe0d308
SamAccountName    : nich8ch
SID               : S-1-5-21-2027135834-1792351174-2509185371-1108

distinguishedName : CN=David Kennedy,CN=Users,DC=pwnt,DC=com
name              : David Kennedy
objectClass       : user
objectGUID        : ba51b393-2ea7-424f-9bd9-f114dcf25b4d
SamAccountName    : rel1k
SID               : S-1-5-21-2027135834-1792351174-2509185371-1109

distinguishedName : CN=Tristan Jones,CN=Users,DC=pwnt,DC=com
name              : Tristan Jones
objectClass       : user
objectGUID        : f5799e28-d357-4ecd-b225-7ff9305d3549
SamAccountName    : AIM_9X
SID               : S-1-5-21-2027135834-1792351174-2509185371-1110
Now, the only field important to us is the "SamAccountName", so lets filter the rest out.
PS C:UsersTrustedSec> Get-ADGroupMember -Credential $cred -server "Domain Admins" |select samaccountname


Another useful query might be to enumerate all servers on the domain.
PS C:UsersTrustedSec> Get-ADComputer -Credential $cred -server -LDAPFilter "(&(objectCategory=computer)(opera
tingSystem=*Server*))" |select name


What if we want to search for any computers that are named according to users, such as specific "Domain Admins"?
PS C:UsersTrustedSec> Get-ADComputer -Credential $cred -server -LDAPFilter "(name=*Spoonman*)" |select name


Or maybe we want to search for unix or database admin users...
PS C:UsersTrustedSec> Get-ADUser -Credential $cred -server -Properties Title -LDAPFilter "(title=*database*)"
 |select SamAccountName,Title

SamAccountName                                                  Title

sasquatch                                                       Database Admin
Hopefully this sparks your interest in Powershell and helps you on your next pentest. If you haven't already, you should also check out Matt Graeber's PowerSploit cmdlets. There are many incredibly useful scripts that he maintains and provides to the community for free. Happy PowerSploiting! This article was written by Larry Spohn @spoonman1091 - Senior Security Consultant