| 1 | +To install this module, drop the entire Recon folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. |
| 2 | + |
| 3 | +The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" |
| 4 | +The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" |
| 5 | + |
| 6 | +To use the module, type `Import-Module Recon` |
| 7 | + |
| 8 | +To see the commands imported, type `Get-Command -Module Recon` |
| 9 | + |
| 10 | +For help on each individual command, Get-Help is your friend. |
| 11 | + |
| 12 | +Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. |
| 13 | + |
| 14 | + |
| 15 | +## PowerView |
| 16 | + |
| 17 | +PowerView is a PowerShell tool to gain network situational awareness on |
| 18 | +Windows domains. It contains a set of pure-PowerShell replacements for various |
| 19 | +windows "net *" commands, which utilize PowerShell AD hooks and underlying |
| 20 | +Win32 API functions to perform useful Windows domain functionality. |
| 21 | + |
| 22 | +It also implements various useful metafunctions, including some custom-written |
| 23 | +user-hunting functions which will identify where on the network specific users |
| 24 | +are logged into. It can also check which machines on the domain the current |
| 25 | +user has local administrator access on. Several functions for the enumeration |
| 26 | +and abuse of domain trusts also exist. See function descriptions for appropriate |
| 27 | +usage and available options. For detailed output of underlying functionality, pass |
| 28 | +the -Verbose or -Debug flags. |
| 29 | + |
| 30 | +For functions that enumerate multiple machines, pass the -Verbose flag to get a |
| 31 | +progress status as each host is enumerated. Most of the "meta" functions accept |
| 32 | +an array of hosts from the pipeline. |
| 33 | + |
| 34 | + |
| 35 | +### Misc Functions: |
| 36 | + Export-PowerViewCSV - thread-safe CSV append |
| 37 | + Resolve-IPAddress - resolves a hostname to an IP |
| 38 | + ConvertTo-SID - converts a given user/group name to a security identifier (SID) |
| 39 | + Convert-ADName - converts object names between a variety of formats |
| 40 | + ConvertFrom-UACValue - converts a UAC int value to human readable form |
| 41 | + Add-RemoteConnection - pseudo "mounts" a connection to a remote path using the specified credential object |
| 42 | + Remove-RemoteConnection - destroys a connection created by New-RemoteConnection |
| 43 | + Invoke-UserImpersonation - creates a new "runas /netonly" type logon and impersonates the token |
| 44 | + Invoke-RevertToSelf - reverts any token impersonation |
| 45 | + Get-DomainSPNTicket - request the kerberos ticket for a specified service principal name (SPN) |
| 46 | + Invoke-Kerberoast - requests service tickets for kerberoast-able accounts and returns extracted ticket hashes |
| 47 | + Get-PathAcl - get the ACLs for a local/remote file path with optional group recursion |
| 48 | + |
| 49 | + |
| 50 | +### Domain/LDAP Functions: |
| 51 | + Get-DomainDNSZone - enumerates the Active Directory DNS zones for a given domain |
| 52 | + Get-DomainDNSRecord - enumerates the Active Directory DNS records for a given zone |
| 53 | + Get-Domain - returns the domain object for the current (or specified) domain |
| 54 | + Get-DomainController - return the domain controllers for the current (or specified) domain |
| 55 | + Get-Forest - returns the forest object for the current (or specified) forest |
| 56 | + Get-ForestDomain - return all domains for the current (or specified) forest |
| 57 | + Get-ForestGlobalCatalog - return all global catalogs for the current (or specified) forest |
| 58 | + Find-DomainObjectPropertyOutlier- inds user/group/computer objects in AD that have 'outlier' properties set |
| 59 | + Get-DomainUser - return all users or specific user objects in AD |
| 60 | + New-DomainUser - creates a new domain user (assuming appropriate permissions) and returns the user object |
| 61 | + Get-DomainUserEvent - enumerates account logon events (ID 4624) and Logon with explicit credential events |
| 62 | + Get-DomainComputer - returns all computers or specific computer objects in AD |
| 63 | + Get-DomainObject - returns all (or specified) domain objects in AD |
| 64 | + Set-DomainObject - modifies a gven property for a specified active directory object |
| 65 | + Get-DomainObjectAcl - returns the ACLs associated with a specific active directory object |
| 66 | + Add-DomainObjectAcl - adds an ACL for a specific active directory object |
| 67 | + Find-InterestingDomainAcl - finds object ACLs in the current (or specified) domain with modification rights set to non-built in objects |
| 68 | + Get-DomainOU - search for all organization units (OUs) or specific OU objects in AD |
| 69 | + Get-DomainSite - search for all sites or specific site objects in AD |
| 70 | + Get-DomainSubnet - search for all subnets or specific subnets objects in AD |
| 71 | + Get-DomainSID - returns the SID for the current domain or the specified domain |
| 72 | + Get-DomainGroup - return all groups or specific group objects in AD |
| 73 | + New-DomainGroup - creates a new domain group (assuming appropriate permissions) and returns the group object |
| 74 | + Get-DomainManagedSecurityGroup - returns all security groups in the current (or target) domain that have a manager set |
| 75 | + Get-DomainGroupMember - return the members of a specific domain group |
| 76 | + Add-DomainGroupMember - adds a domain user (or group) to an existing domain group, assuming appropriate permissions to do so |
| 77 | + Get-DomainFileServer - returns a list of servers likely functioning as file servers |
| 78 | + Get-DomainDFSShare - returns a list of all fault-tolerant distributed file systems for the current (or specified) domain |
| 79 | + |
| 80 | + |
| 81 | +### GPO functions |
| 82 | + |
| 83 | + Get-DomainGPO - returns all GPOs or specific GPO objects in AD |
| 84 | + Get-DomainGPOLocalGroup - returns all GPOs in a domain that modify local group memberships through 'Restricted Groups' or Group Policy preferences |
| 85 | + Get-DomainGPOUserLocalGroupMapping - enumerates the machines where a specific domain user/group is a member of a specific local group, all through GPO correlation |
| 86 | + Get-DomainGPOComputerLocalGroupMapping - takes a computer (or GPO) object and determines what users/groups are in the specified local group for the machine through GPO correlation |
| 87 | + Get-DomainPolicy - returns the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller |
| 88 | + |
| 89 | + |
| 90 | +### Computer Enumeration Functions |
| 91 | + |
| 92 | + Get-NetLocalGroup - enumerates the local groups on the local (or remote) machine |
| 93 | + Get-NetLocalGroupMember - enumerates members of a specific local group on the local (or remote) machine |
| 94 | + Get-NetShare - returns open shares on the local (or a remote) machine |
| 95 | + Get-NetLoggedon - returns users logged on the local (or a remote) machine |
| 96 | + Get-NetSession - returns session information for the local (or a remote) machine |
| 97 | + Get-RegLoggedOn - returns who is logged onto the local (or a remote) machine through enumeration of remote registry keys |
| 98 | + Get-NetRDPSession - returns remote desktop/session information for the local (or a remote) machine |
| 99 | + Test-AdminAccess - rests if the current user has administrative access to the local (or a remote) machine |
| 100 | + Get-NetComputerSiteName - returns the AD site where the local (or a remote) machine resides |
| 101 | + Get-WMIRegProxy - enumerates the proxy server and WPAD conents for the current user |
| 102 | + Get-WMIRegLastLoggedOn - returns the last user who logged onto the local (or a remote) machine |
| 103 | + Get-WMIRegCachedRDPConnection - returns information about RDP connections outgoing from the local (or remote) machine |
| 104 | + Get-WMIRegMountedDrive - returns information about saved network mounted drives for the local (or remote) machine |
| 105 | + Get-WMIProcess - returns a list of processes and their owners on the local or remote machine |
| 106 | + Find-InterestingFile - searches for files on the given path that match a series of specified criteria |
| 107 | + |
| 108 | + |
| 109 | +### Threaded 'Meta'-Functions |
| 110 | + |
| 111 | + Find-DomainUserLocation - finds domain machines where specific users are logged into |
| 112 | + Find-DomainProcess - finds domain machines where specific processes are currently running |
| 113 | + Find-DomainUserEvent - finds logon events on the current (or remote domain) for the specified users |
| 114 | + Find-DomainShare - finds reachable shares on domain machines |
| 115 | + Find-InterestingDomainShareFile - searches for files matching specific criteria on readable shares in the domain |
| 116 | + Find-LocalAdminAccess - finds machines on the local domain where the current user has local administrator access |
| 117 | + Find-DomainLocalGroupMember - enumerates the members of specified local group on machines in the domain |
| 118 | + |
| 119 | + |
| 120 | +### Domain Trust Functions: |
| 121 | + Get-DomainTrust - returns all domain trusts for the current domain or a specified domain |
| 122 | + Get-ForestTrust - returns all forest trusts for the current forest or a specified forest |
| 123 | + Get-DomainForeignUser - enumerates users who are in groups outside of the user's domain |
| 124 | + Get-DomainForeignGroupMember - enumerates groups with users outside of the group's domain and returns each foreign member |
| 125 | + Get-DomainTrustMapping - this function enumerates all trusts for the current domain and then enumerates all trusts for each domain it finds |
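Review bot: several of the function descriptions carry typos that would ship into the README as-is and should be corrected before merge: `Find-DomainObjectPropertyOutlier- inds user/group/computer objects` is missing both the space before the dash and the "f" in "finds"; `modifies a gven property` should read "given"; `rests if the current user has administrative access` should read "tests", and "WPAD conents" should read "contents". Separately, the Remove-RemoteConnection entry says it "destroys a connection created by New-RemoteConnection", but the paired function listed two lines above is Add-RemoteConnection, so one of the two names is wrong and the pairing should be made consistent. Minor style points: the section headings mix trailing colons ("### Misc Functions:", "### Domain/LDAP Functions:") with none ("### GPO functions"), and the function lists are indented by a single space, which Markdown neither renders as a code block nor as a list; a bullet list per section would render predictably.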