[00:00:00] All right. So the first thing I want to do is I want you to just load up a command prompt, and we'll go ahead and do that. I'm going to change directory to my Downloads folder; that's where I have PowerView. And then the first command we're going to run is powershell, and then we'll do -ep, which stands for execution policy. You can also write it out like this: -ExecutionPolicy. But I just like doing -ep because that's shorthand and it still works. So we're just going to say -ExecutionPolicy bypass, and this bypasses the execution policy. Now, something to note about execution policy is it's not for security purposes, right? The reason the execution policy exists is that it's just there to stop us from executing scripts that we don't want to, you know, like accidentally executing a script. So we're specifically saying, hey, just go ahead and shut that off. So we're going to bypass it here with powershell -ep bypass. And this is pretty common; you're going to see this a lot if you utilize PowerShell. So the next thing we're going to do is we're going to go ahead and call our program. So we're going to do that by doing this: we're going to say dot, and then dot backslash, like that, and you could start typing in PowerView.
[00:01:19] Yes, one auto-tab, hit enter, and now that's going to happen. Nothing's going to show or tell you OK; it's just, hey, you've loaded it. So PowerView is an incredibly powerful tool. We can do so many things, and what we're going to do with it in this course is only going to scratch the surface. So my recommendation to you is to go and read up on it. I will put a reference down in the description below where you can find a cheat sheet. And then the rest is going to be up to you for googling and finding out what more it can do. At the end of this course, the AD portion of the course, I'm going to provide some additional references in terms of Active Directory security and blogs and certifications and courses that you can take, and all of those will cover PowerView at a much deeper level. But these are just some of the high-level things that you should know when it comes to enumerating a domain and how PowerView is powerful. So let's go ahead and look at our first command. Our first command is going to just be Get-NetDomain, and what is this going to do? This is going to get information for us about the domain. So go ahead and hit enter on that, and you could see that we have a forest, and it's Marvel.local. We have a domain controller here of HYDRA-DC.Marvel.local, and that's all it tells us.
[00:02:43] We have a very simple domain, but if we were in a complex domain this would be a little bit more interesting to us, just to kind of know, you know, what's going on, where are the domain controllers. And if we want to see specifically what domain controllers are there, we can say Get-NetDomainController, like this, and hit enter, and then it will tell you, hey, the domain controller is right here at 192.168.57.140 and the domain controller's name is HYDRA-DC.Marvel.local. So it gives you information specifically about the domain controller, and some networks have multiple domain controllers, and this would provide all that information about those to make a choice. But you now know; say before you had no idea where the domain controller was in your network, you've done some scanning but you really weren't able to identify it. You got your exploit in on a machine, you logged in and you dumped PowerView on that machine. Now you know the domain controller; you know where to target next or where your end goal might be. So that's just two quick examples. More examples: we could say, hey, let's Get-DomainPolicy, and this will show you all the different policies in the domain. For example, we can look at the Kerberos policy, the system access, etc. So let's take a look at the system access. We can do something like this.
[00:04:11] So in parentheses go ahead and just type Get-DomainPolicy, like that, and you should be able to auto-tab. And then put a dot and just say SystemAccess, like this, and then hit enter. And what is this telling us? Well, this tells us a little bit about the policy here. So we can see that the minimum password age is one day, the maximum password age is forty-two. We have a lockout count of zero, meaning it's not set, password complexity of one. So you can look through here and you see, like, what's the minimum password length? Seven. OK. So now I know that the minimum password length is seven. I'm going to go ahead and just spray seven-character passwords, or, you know, it should be pretty easy to crack a lot of passwords in the network where it's seven. But you should be able to spray passwords across that network that are pretty weak and probably gain access to some user accounts. So this is a very good indicator of what you're up against. And, you know, it's super nice just to have access to these different policies and what to look at. Same thing with Kerberos. You can look at the ticketing age and, you know, just see how long a Kerberos ticket lasts. And you will get more into that when we get into golden tickets.
[00:05:25] But just something to keep in mind on the Kerberos side as well. So from here we could also look at users. One command that you can run, just for the sake of showing it to you, is Get-NetUser. Now this one's going to be a little dirty. OK, so now we're here, and we just dump this big long list of all the users, and it looks dirty, like we can pull down all the users here. And it's interesting if we want to take our time and kind of read through this; you could see, OK, well, here's Frank Castle, and it's Frank Castle, Marvel.local; here's his name, here's the SAM account name right here, which is fcastle. You kind of read through these, and maybe if you look through these you might be able to look at the descriptions and find an interesting description here with a password in it, which we do have, like this one here, a description: password is MyPassword123#. So this is another way to compromise an account, by, you know, just viewing the descriptions here. We did that with the man-in-the-middle attacks, but this is just another way to do it. Now we could do something like this.
[00:06:30] We could say, because, like, you see how dirty this output is with just seven or eight users; imagine an enterprise network where there's hundreds of users; that would take forever. So we could say something like select cn, and that will just pull down all the user names, or all the users. Or we could do samaccountname instead, like select samaccountname, and just pull down the account names here. If you wanted to try to get the descriptions, we could do select description, and you could see the "my password's MyPassword123". We'd be like, where did that belong? So a quick, dirty way just to kind of sort through these users and find out a little bit of information about them. And we could look at certain things on here too, like what was the last user logon, how many bad password counts do they have, what is their user account control, or their ID number, where 500 would be the admin, right? And we can just go through all this information and kind of look through it and pick apart anything that might be of interest to us, and we'll talk about some of these features here in just a second, or why they might be interesting. So let's talk about, and shift actually on this to, user properties. So we could say Get-UserProperty, and this is going to show you all the properties that a user might have.
[00:07:52] And we just covered all of these; these are exactly what's on these user accounts, through and through, right? But let's say, for example, go ahead and just tab up, but let's just say we want to get the properties of the password last set, pwdlastset. OK. We can look at the different users and when their password was last set, and that might be useful; we can know, OK, there's an old stale password out in the network, or these password accounts are new. Like you see the administrator password was the last one changed on 11/30, and then the newer users from the man-in-the-middle attack were on 12/9. And you can kind of just look through this. Same thing, like you could look at, for example, logoncount. And this is a good way to actually identify honeypot accounts. So you want to be able to see how many times this user has logged in, and if you see an account that has never logged in before, that might be a honeypot account. You might not want to try to attack that account; you might want to avoid that completely, because they might just be letting that sit there for you to capture, and then once you capture it, it's going to alert their system. So think about that as well. These properties can be incredibly useful.
[00:09:07] You could also look at, like, the badpwdcount, and just see who's been entering in bad passwords, and if there is one there that has, like, hundreds of them, you know, you could see that it's maybe been under attack, if you're an administrator, for example. So there's all kinds of useful information. I recommend that you just kind of play through this as well, and, you know, go back and look at some of these in here and say, OK, how can I sort through this, and what might be interesting to me? Again, reading the reference guides that I put in the references, that's going to be super important as well. So from here, let's talk about computers. Just like getting the users, we can also get the computers in the domain, so we can just say Get-NetComputer, like this. You should be able to auto-tab. I screwed up computer; hit enter, and OK, it'll list out here all the computers in the domain. We only have three, which is useful. If this were a bigger domain, there'd be much more. Now, that's not a lot of information there. So if we want more information, we could say -FullData, like this, hit enter, and then we get probably too much information. But we can comb through here and look at it, like here, Spider-Man's machine.
[00:10:22] You can see the last bad password time, you could see a logon count, you could see a lot of information here, like what's the operating system. And you can start to identify operating systems if you want, or you could just sort these out. Like, for example, if you tab up you could say select OperatingSystem and sort. So select is just like grep, right? You're just pulling down specific information. So select OperatingSystem, and then you could see, OK, well, I've got one Server 2019 and Windows 10 machines in here, so that we could start picking and pulling apart what are the servers in the domain and what are the Windows 10 machines, or what are the user machines, and kind of start separating them out and getting that information. So from here we can also look at groups. So, for example, we could say Get-NetGroup, which is going to output quite a bit, and these are all built-in groups. We haven't made anything new. But we can look through here and see if there's any interesting groups for us; because we haven't done anything new, it's really not going to be interesting. But we can sort through this and say, what about Get-NetGroup -GroupName, and we just say "Domain Admins"? OK. And then we'll pull down any of the domain admins this way.
[00:11:40] Or we can actually sort it by just a wildcard instead of specifying all the admins here. What if we just say admin with a wildcard, or just domain admins? What do we say? We want to know specifically what admins are out there. So there's Administrators, Hyper-V Administrators, Enterprise Admins, Domain Admins, Key Admins, so you can look for all the admin group names as well. And we can get the members of these groups if we want, so we can say Get-NetGroupMember, and then we're just going to go ahead and say -GroupName, and we can pick one of these groups. We could just say "Domain Admins" again. So this will list out all of our domain admins. So we know that SQLService, tstark and Administrator are all domain admins in our network. So useful information to have here as well. So a couple more things I want to point out. There is a tool in here called Invoke-ShareFinder. This is a nice one because you can look and find all the SMB shares in the network. You can see what files are being shared and where they're being shared. So we know about ADMIN$, C$, IPC$ on every machine. But what about this share here that we have, and then hackme came up, right? So it's good to look through these shares and see if there's anything of interest and identify potentially interesting shares for us.
[00:13:01] And then two more I want to show you, or really one more in two different ways. So let's look at this. We're going to Get-NetGPO. So this is going to show us all the group policies. Now, I added a special one in here just to show you that we can pull down a bunch of them. But look, it's going to look interesting; it's going to pull down that heavy data again, and sometimes it's overwhelming. But we can see, like, Disable Windows Defender; that's one we added in there, right? And then I added in Disable SMB Signing, even though we didn't have to do that; I just added that one to show you a few more in here. So let's say we want to select something on here. I like to do this: I like to select displayname, and I also like to select whenchanged, and that'll show us, OK, here's the display names. So it gives us an idea of what's going on. So we know that there is the Default Domain Policy, and then we've got Disable Windows Defender, Disable SMB Signing, so we know that that's going on in the network, and we can learn about their policies that are going on and just collect more information. And then we can learn when these were changed in the network, right?
[00:14:09] So it's important to just dig in and get as much information as possible. Now, this may have been overwhelming; this may have been a lot, and it may have gone really quick. My advice is probably to go back and watch this one more time, play around with this, or just look at your notes, play around in here and take good notes on what you did, and you can go to the references and pull down more information and see how you can utilize that in the future. I think this is one of the greatest tools you can use for enumeration. So once we're on a machine and we want to enumerate the network, this is a great way to do so, and you can see how quick we can get information about the domain, the domain policies, users, user properties, computers, groups, group policy. It can do so much more than what I showed you, but this is a really good baseline for you to understand and know about. So that is it for PowerView. From here we're going to go ahead and move on to a tool called BloodHound, which is incredibly fun to use, and you're going to see how beneficial it can be. So we'll have a high-level overview of BloodHound, and then we'll move on into our next section.