
Executes common PowerSploit Powerview functions then combines output into a spreadsheet for easy analysis.

PowEnum

Penetration testers commonly enumerate AD data – providing domain situational awareness and helping to identify soft targets. PowEnum helps automate the cartographic view of your target domain.

PowEnum executes common PowerSploit PowerView functions and combines the output into a spreadsheet for easy analysis. All network traffic goes only to the DC(s). PowEnum also leverages PowerSploit Get-GPPPassword and Harmj0y's ASREPRoast.

Syntax Examples:

  • Invoke-PowEnum
  • Invoke-PowEnum -FQDN test.domain.com
  • Invoke-PowEnum -Mode SYSVOL
  • Invoke-PowEnum -Credential test.domain.com\username -FQDN test.domain.com -Mode Special

Running PowEnum From Non-Domain Joined System

There are two choices. The first uses the runas command (this must be executed before launching PowEnum, from the resulting PowerShell session). The second passes -Credential, which leverages the Invoke-UserImpersonation function in PowerView.

  1. runas /netonly /user:test.domain.com\username powershell.exe
  2. Invoke-PowEnum -Credential test.domain.com\username -FQDN test.domain.com

Modes

Mode       Enumerates
Basic      Domain Admins
           Enterprise Admins
           Built-In Admins
           DC Local Admins*
           Domain Users
           Domain Groups
           Schema Admins
           Account Operators
           Backup Operators
           Print Operators
           Server Operators
           Group Policy Creator Owners
           Cryptographic Operators
           AD Group Managers
           AdminCount=1
All        [DC Aware] Net Sessions
           Domain Controllers
           Domain Computer IPs
           Domain Computers
           Subnets
           DNS Records
           WinRM Enabled Hosts
           Potential Fileservers
Roasting   Kerberoast Service Accounts (Accounts w/ SPN)
           ASREPRoast User Accounts (No Preauth Req)
Special    Disabled Accounts
           Password Not Required
           Password Doesn't Expire
           Password Doesn't Expire & Not Required
           Smartcard Required
SYSVOL     Group Policy Passwords
           Script Files (potential hardcoded credentials)
           All Local Group Membership Modifications (GPO or GPP)
Forest     Domain Trusts
           Foreign [Domain] Users
           Foreign [Domain] Group Members
LargeEnv   Basic enumeration without:
           Get-DomainUser
           Get-DomainGroup
           Get-DomainComputer

*DC Local Admins might differ from the built-in Administrators group when an RODC is in use or there are replication issues.

Detection

  • This enumeration will generate suspicious traffic between the PowEnum system and the target DC(s). If security products are watching traffic to the DC(s) (e.g. Microsoft ATA), PowEnum will likely get flagged. For more reading about what ATA is detecting and not detecting:
    https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Chris-Thompson-MS-Just-Gave-The-Blue-Teams-Tactical-Nukes-UPDATED.pdf
  • Kerberoasting detection techniques are highlighted in these articles:
    Detecting Kerberoasting Activity - https://adsecurity.org/?p=3458
    Detecting Kerberoasting Activity Part 2 – Creating a Kerberoast Service Account Honeypot - https://adsecurity.org/?p=3513
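As an added example (not code shipped with PowEnum or taken from the linked articles), the following PowerShell applies the detection heuristic those articles describe, namely one account requesting RC4-encrypted service tickets (Security event 4769, TicketEncryptionType 0x17) for many distinct service accounts in a short window, to a constructed set of events. The function name Find-KerberoastCandidates, the thresholds and the sample events are my own choices.

```powershell
# Added example: flag accounts whose 4769 activity looks like a Kerberoast
# sweep. Real 4769 records carry TargetUserName (requester), ServiceName
# (the service account, not the SPN) and TicketEncryptionType (0x17 = RC4).
function Find-KerberoastCandidates {
    param(
        # Objects with TimeCreated, TargetUserName, ServiceName, TicketEncryptionType
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinDistinctServices = 5,   # assumed threshold; tune per environment
        [int] $WindowMinutes = 5
    )
    # Only RC4 tickets; ignore the TGT service and machine accounts (names ending in $)
    $rc4 = $Events | Where-Object {
        $_.TicketEncryptionType -eq '0x17' -and
        $_.ServiceName -notmatch '^(krbtgt|.*\$)$'
    }
    $rc4 | Group-Object TargetUserName | ForEach-Object {
        $sorted   = $_.Group | Sort-Object TimeCreated
        $first    = $sorted[0].TimeCreated
        $last     = $sorted[-1].TimeCreated
        $services = @($sorted.ServiceName | Sort-Object -Unique)
        if ($services.Count -ge $MinDistinctServices -and
            ($last - $first).TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{
                Account          = $_.Name
                DistinctServices = $services.Count
                SpanMinutes      = [math]::Round(($last - $first).TotalMinutes, 1)
                Services         = $services -join ','
            }
        }
    }
}

# Constructed sample: 'alice' requests RC4 tickets for six service accounts
# within seconds; 'bob' requests one AES ticket; a machine-account ticket is ignored.
$now = Get-Date
$sample = @(
    foreach ($i in 1..6) {
        [pscustomobject]@{
            TimeCreated = $now.AddSeconds($i); TargetUserName = 'alice'
            ServiceName = "svc_app$i";         TicketEncryptionType = '0x17'
        }
    }
    [pscustomobject]@{ TimeCreated = $now; TargetUserName = 'bob';   ServiceName = 'svc_sql'; TicketEncryptionType = '0x12' }
    [pscustomobject]@{ TimeCreated = $now; TargetUserName = 'alice'; ServiceName = 'WS01$';   TicketEncryptionType = '0x17' }
)
Find-KerberoastCandidates -Events $sample | Format-Table -AutoSize

# Against real logs, build the same objects from the event XML on a DC or a
# collector receiving forwarded Security logs:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } | ForEach-Object {
#     $x = [xml]$_.ToXml(); $d = @{}
#     $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
#     [pscustomobject]@{ TimeCreated = $_.TimeCreated; TargetUserName = $d.TargetUserName
#                        ServiceName = $d.ServiceName;  TicketEncryptionType = $d.TicketEncryptionType }
# }
```

The RC4 filter matters because modern domain members request AES tickets by default, so a burst of RC4 requests for non-machine service accounts stands out; the honeypot technique from the second article fits the same function by alerting on any ticket whose ServiceName is the decoy account regardless of thresholds.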

Mitigations

Mode       Mitigations
Basic      Net Cease - Hardening Net Session Enumeration
           https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5
           SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016
           https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b
           Active Directory: Controlling Object Visibility
           https://social.technet.microsoft.com/wiki/contents/articles/29558.active-directory-controlling-object-visibility-list-object-mode.aspx
           http://windowsitpro.com/active-directory/hiding-active-directory-objects-and-attributes
Roasting   Kerberoast mitigations revolve around using strong passwords or gMSAs for affected accounts
           https://adsecurity.org/?p=2293
           ASREPRoast mitigations revolve around using strong passwords or not checking "Do Not Require Kerberos Preauthentication"
Special    See Basic
SYSVOL     GPP Password Files - Install KB2962486 and remove affected xml files (https://adsecurity.org/?p=2288)
           Scripts - Monitor for changes to SYSVOL and remove affected files
Forest     See Basic
LargeEnv   See Basic
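The Special and Roasting rows of the Modes table and the Roasting row of the mitigations table both come down to a few userAccountControl bits and the presence of an SPN. As an added example (my own code, not part of PowEnum), the PowerShell below audits those attributes from the defender's side using plain ADSI, so it needs no RSAT module, and can clear the "Do Not Require Kerberos Preauthentication" flag as the ASREPRoast mitigation suggests. The function names, the -ClearPreauthFlag switch and the SearchBase value are assumptions; the flag values and the LDAP bitwise-OR matching rule OID are standard.

```powershell
# Added example: audit the account flags behind PowEnum's Special/Roasting
# findings and optionally remediate DONT_REQ_PREAUTH. Requires a domain
# context (domain-joined host or a runas /netonly session).
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x2        # Disabled Accounts
    PASSWD_NOTREQD       = 0x20       # Password Not Required
    DONT_EXPIRE_PASSWORD = 0x10000    # Password Doesn't Expire
    SMARTCARD_REQUIRED   = 0x40000    # Smartcard Required
    DONT_REQ_PREAUTH     = 0x400000   # ASREPRoastable
}

# Decode a raw userAccountControl integer into the flag names above.
function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)] [int] $Value)
    $UacFlags.GetEnumerator() | Where-Object { $Value -band $_.Value } | ForEach-Object Name
}

function Get-RiskyAccountFlags {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $SearchBase,         # e.g. 'LDAP://DC=test,DC=domain,DC=com'; default is the current domain
        [switch] $ClearPreauthFlag    # remediation: re-enable preauth; try with -WhatIf first
    )
    $mask = 0
    foreach ($v in $UacFlags.Values) { $mask = $mask -bor $v }
    # 1.2.840.113556.1.4.804 = LDAP_MATCHING_RULE_BIT_OR: any flag in $mask set,
    # plus any user with an SPN (Kerberoast candidates).
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(|(userAccountControl:1.2.840.113556.1.4.804:=$mask)(servicePrincipalName=*)))"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchBase) { $searcher.SearchRoot = [adsi]$SearchBase }
    $searcher.Filter   = $filter
    $searcher.PageSize = 1000
    $null = $searcher.PropertiesToLoad.AddRange([string[]]('sAMAccountName', 'userAccountControl', 'servicePrincipalName'))

    foreach ($r in $searcher.FindAll()) {
        $sam    = [string]$r.Properties['samaccountname'][0]
        $uac    = [int]$r.Properties['useraccountcontrol'][0]
        $flags  = @(ConvertFrom-UserAccountControl $uac)
        $hasSpn = $r.Properties['serviceprincipalname'].Count -gt 0

        if ($ClearPreauthFlag -and ($uac -band 0x400000) -and
            $PSCmdlet.ShouldProcess($sam, 'clear DONT_REQ_PREAUTH')) {
            $entry = $r.GetDirectoryEntry()
            $entry.Put('userAccountControl', ($uac -band (-bnot 0x400000)))
            $entry.SetInfo()
        }

        [pscustomobject]@{
            Account = $sam
            UAC     = '0x{0:X}' -f $uac
            Flags   = $flags -join ','
            HasSPN  = $hasSpn
        }
    }
}

# Offline check of the decoder on a constructed value: disabled, no password
# required, password never expires, preauth not required.
ConvertFrom-UserAccountControl 0x410022

# Live usage:
# Get-RiskyAccountFlags | Sort-Object Flags | Format-Table -AutoSize
# Get-RiskyAccountFlags -ClearPreauthFlag -WhatIf
```

Accounts reported with HasSPN set are the ones a Kerberoast sweep would target, so their passwords (or a gMSA) are the fix per the adsecurity reference above; the flag-clearing branch is deliberately limited to DONT_REQ_PREAUTH because the other flags usually reflect a business decision that needs review rather than a blanket change.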