Veil-PowerView:
Situational Awareness
With Powershell
Will
@harmj0y
Veris Group
$ whoami
● Security researcher and penetration tester for
Veris Group
● Co-founder of the Veil-Framework #avlol
○ www.veil-framework.com
○ Shmoocon ‘14: AV Evasion with the Veil Framework
○ co-wrote Veil-Evasion, wrote Veil-Catapult
● BSides ATX ‘14: Wielding a Cortana
● https://github.com/HarmJ0y/
tl;dr
● Situational Awareness; redux
● Veil-PowerView
● Net-*
● Run-Netview
● Run-ShareFinder
● Run-FindLocalAdminAccess
● Run-UserHunter
● Run-StealthUserHunter
Situational Awareness; redux
● Goal: Gain an understanding of an exploited
host/network to aid in deeper infiltration
● Old schoolz:
○ net group /domain
○ net group “domain admins” /domain
○ net users /domain
○ net user “jsmith” /domain
○ net view \\hostname
○ blah blah blah
Why Powershell?
● Really need to say anything?
● Whitelisted, trusted execution, full .NET
capabilities, etc.
● It’s the “new hotness”
○ PowerSploit
○ Posh-SecMod
Veil-PowerView
● Arose partially because a client banned “net”
commands on domain machines
○ annoying, but only a minor roadblock
● Otherwise initially inspired by Rob Fuller’s
netview.exe tool
● Wanted something a bit more flexible that
also didn’t drop a binary to disk
Net-*
● Full-featured replacements for almost all
“net *” commands, utilizing powershell AD
hooks and various API calls
● Net-Users, Net-Group, Net-Servers, Net-Sessions,
Net-Loggedon, etc.
● See README.md for complete list, and
function descriptions for usage options
Meta-Functions
now the fun stuff
Run-Netview
● Full powershell port of @mubix’s
netview.exe
● Queries the domain for all hosts with Net-Servers,
then runs Net-Sessions, Net-Share, and
Net-Loggedon on targets
● Can take an optional hostlist, has the ability to
exclude common shares, and can utilize a
delay/jitter between host enumerations
Run-ShareFinder
● Finds non-standard shares on machines in
the domain
● Queries for all servers using Net-Servers,
then runs Net-Share on each host,
excluding standard shares (C$, IPC$,
PRINT$, etc.)
● Also can utilize the delay/jitter between host
enumerations
Run-FindLocalAdminAccess
● Port of the local_admin_search_enum.rb
Metasploit module
● Finds machines on the local domain where
the current user has local administrator
access
● Utilizes the OpenSCManagerA API call
Run-UserHunter
● Goal: find which domain machines specific
users are logged into
● Accepts a username, userlist, or domain
group, and accepts a host list or queries the
domain for available hosts using
Net-Servers
● Runs Net-Sessions and Net-Loggedon
against every server in the target list
Run-UserHunter
● Compares the results against the target user
list, noting which hosts a target user is
logged into
● Can also check found machines using
Net-CheckLocalAdminAccess
● Option to utilize the delay/jitter
Run-StealthUserHunter
● Issues one query to get all users in the
domain, and extracts all servers from
user.HomeDirectories
● Runs one Net-Sessions call against each
file server, comparing the results against the
target user list
● Finds users with significantly less traffic than
Run-UserHunter!
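As an added example (not part of the talk or of Veil-PowerView), the check a defender would run against this: every Net-Sessions, Net-Loggedon or Net-Share call that Run-Netview or Run-UserHunter makes produces a network logon on the queried host, so one account authenticating to many distinct hosts in a short window is the footprint of a sweep, delay/jitter or not. Hostnames, addresses, the record layout and the thresholds below are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Security event 4624 with logon type 3
# (network logon): timestamp, target host, account, source address.
# Hypothetical hosts and addresses; nothing here comes from the talk.
SAMPLE_EVENTS = """\
2014-05-10T09:00:01 FS01 CORP\\jsmith 10.0.5.23
2014-05-10T09:00:09 WS-ACCT-07 CORP\\jsmith 10.0.5.23
2014-05-10T09:00:22 WS-ACCT-12 CORP\\jsmith 10.0.5.23
2014-05-10T09:00:35 PRINT01 CORP\\jsmith 10.0.5.23
2014-05-10T09:00:51 FS02 CORP\\jsmith 10.0.5.23
2014-05-10T09:01:12 DC01 CORP\\jsmith 10.0.5.23
2014-05-10T09:30:00 FS01 CORP\\bjones 10.0.7.40
2014-05-10T11:45:00 FS02 CORP\\bjones 10.0.7.40
"""


def parse_events(text):
    """Turn the constructed log format into (timestamp, host, account, src)."""
    rows = []
    for line in text.splitlines():
        ts, host, account, src = line.split()
        rows.append((datetime.fromisoformat(ts), host, account, src))
    return rows


def find_sweeps(events, min_hosts=5, window=timedelta(minutes=10)):
    """Return {(account, src): distinct_hosts} for every source that logged
    on to at least `min_hosts` different hosts inside any `window`.
    A per-host delay/jitter stretches a sweep out, but a sliding window over
    sorted events still sees the hosts accumulate for the same source."""
    by_source = defaultdict(list)
    for ts, host, account, src in sorted(events):
        by_source[(account, src)].append((ts, host))
    hits = {}
    for key, seq in by_source.items():
        start = 0
        for end in range(len(seq)):
            # Advance the window start until it spans at most `window`.
            while seq[end][0] - seq[start][0] > window:
                start += 1
            hosts = {h for _, h in seq[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits[key] = max(hits.get(key, 0), len(hosts))
    return hits


if __name__ == "__main__":
    print(find_sweeps(parse_events(SAMPLE_EVENTS)))
```

Run-StealthUserHunter only touches the file servers pulled from HomeDirectories, so the same logic needs a lower `min_hosts` restricted to that server set to see it; the two normal-user logons in the sample stay below either threshold.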
Demo
Questions?
● Contact me:
○ @harmj0y
○ harmj0y@veil-framework.com
● Read more:
○ https://www.veil-framework.com/veil-powerview/
○ https://www.veil-framework.com/hunting-users-veil-framework/
● Get Veil-PowerView
○ https://github.com/Veil-Framework/Veil-PowerView
○ In PowerSploit soon!
Veil-PowerView - NovaHackers