Unclear on permissions required to run some PowerView modules on domain
Closed this issue · 1 comment
In my lab with several fully patched Windows 7 VMs and a Windows Server 2008 R2 domain controller, I find that I am either unable to get any output, receive info only about my user account, or get access denied messages with several of the PowerView enumeration modules (Invoke-UserHunter, Get-NetLocalGroup, Get-NetSession, etc.) within the context of a standard domain user. I find that for these modules to work I need to have local administrator rights on the machines I'm enumerating or I need some sort of administrator-level domain access. Is this normal behavior? Perhaps I have failed to configure my domain to mirror a typical enterprise environment, or maybe mitigations have been put in place to prevent this type of enumeration by standard users?
As far as I know, the modification of the default SAMR permissions did not happen until one of the newer builds of Windows 10. I have a test domain with Win7 and Server 2012 and can run the enumeration from a domain-authenticated user context without any issue.
Try Get-NetLocalGroup in the newest development branch - the default method is now an API call, with the WinNT approach specifiable (PowerSploit/Recon/PowerView.ps1, line 13779 in 872f711) - functions just use LDAP, while Verb-Net* uses API calls. Remote session enumeration should work without admin rights, as well as remote SAM (except on the newest Windows 10, as mentioned). Your issue might be due to a firewall rule or something, but otherwise I don't know.
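The two enumeration paths the reply refers to, as an added example that is not PowerView's code and not part of the original thread: the netapi32 calls (NetLocalGroupGetMembers for remote SAM, NetSessionEnum for sessions) next to the WinNT ADSI provider, plus a translation of the status codes a standard user is likely to hit, so that "access denied" can be told apart from "host not reachable" (the firewall case the reply mentions). Function names and the target host name are my own; the script assumes a domain-joined Windows machine, PowerShell 5, and a reachable target.

```powershell
# Added example, not PowerView code. Function names and the target host are assumptions.
$NetApi = @"
using System;
using System.Runtime.InteropServices;
public static class NetApi {
    [StructLayout(LayoutKind.Sequential)]
    public struct LOCALGROUP_MEMBERS_INFO_2 {            // level 2: SID, usage, DOMAIN\name
        public IntPtr lgrmi2_sid;
        public int lgrmi2_sidusage;
        [MarshalAs(UnmanagedType.LPWStr)] public string lgrmi2_domainandname;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct SESSION_INFO_10 {                      // level 10: client, user, times
        [MarshalAs(UnmanagedType.LPWStr)] public string sesi10_cname;
        [MarshalAs(UnmanagedType.LPWStr)] public string sesi10_username;
        public uint sesi10_time;
        public uint sesi10_idle_time;
    }
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetLocalGroupGetMembers(string servername, string localgroupname, int level,
        out IntPtr bufptr, int prefmaxlen, out int entriesread, out int totalentries, IntPtr resumehandle);
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int NetSessionEnum(string servername, string UncClientName, string username, int level,
        out IntPtr bufptr, int prefmaxlen, out int entriesread, out int totalentries, ref int resume_handle);
    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buffer);
}
"@
Add-Type -TypeDefinition $NetApi

function Convert-NetApiStatus {
    # Map the Win32 codes that matter when triaging "nothing comes back" from a standard user.
    param([int]$Status)
    switch ($Status) {
        0    { 'NERR_Success' }
        5    { 'ERROR_ACCESS_DENIED (caller not permitted; on Windows 10 1607+ / Server 2016+ see RestrictRemoteSam)' }
        53   { 'ERROR_BAD_NETPATH (host unreachable, SMB/RPC blocked by a firewall)' }
        1722 { 'RPC_S_SERVER_UNAVAILABLE (RPC endpoint not reachable)' }
        2220 { 'NERR_GroupNotFound' }
        default { "Win32 error $Status" }
    }
}

function Get-LocalGroupMemberApi {
    # Remote SAM via NetLocalGroupGetMembers, the default path in the PowerView dev branch.
    param([string]$ComputerName, [string]$GroupName = 'Administrators')
    $buf = [IntPtr]::Zero; $read = 0; $total = 0
    $status = [NetApi]::NetLocalGroupGetMembers($ComputerName, $GroupName, 2, [ref]$buf, -1, [ref]$read, [ref]$total, [IntPtr]::Zero)
    if ($status -ne 0) { Write-Warning "$ComputerName/$GroupName : $(Convert-NetApiStatus $status)"; return }
    try {
        $size = [Runtime.InteropServices.Marshal]::SizeOf([type][NetApi+LOCALGROUP_MEMBERS_INFO_2])
        for ($i = 0; $i -lt $read; $i++) {
            $entry = [Runtime.InteropServices.Marshal]::PtrToStructure([IntPtr]($buf.ToInt64() + $i * $size), [type][NetApi+LOCALGROUP_MEMBERS_INFO_2])
            [PSCustomObject]@{ Computer = $ComputerName; Group = $GroupName; Member = $entry.lgrmi2_domainandname; Method = 'NetLocalGroupGetMembers' }
        }
    } finally { [void][NetApi]::NetApiBufferFree($buf) }
}

function Get-LocalGroupMemberWinNT {
    # Same data through the WinNT ADSI provider, the alternative method the reply mentions.
    param([string]$ComputerName, [string]$GroupName = 'Administrators')
    $group = [ADSI]"WinNT://$ComputerName/$GroupName,group"
    foreach ($m in $group.psbase.Invoke('Members')) {
        $path = $m.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $m, $null)
        [PSCustomObject]@{ Computer = $ComputerName; Group = $GroupName; Member = ($path -replace '^WinNT://', ''); Method = 'WinNT' }
    }
}

function Get-RemoteSessionApi {
    # Session enumeration via NetSessionEnum; the reply expects this to work without admin rights.
    param([string]$ComputerName)
    $buf = [IntPtr]::Zero; $read = 0; $total = 0; $resume = 0
    $status = [NetApi]::NetSessionEnum($ComputerName, $null, $null, 10, [ref]$buf, -1, [ref]$read, [ref]$total, [ref]$resume)
    if ($status -ne 0) { Write-Warning "$ComputerName sessions: $(Convert-NetApiStatus $status)"; return }
    try {
        $size = [Runtime.InteropServices.Marshal]::SizeOf([type][NetApi+SESSION_INFO_10])
        for ($i = 0; $i -lt $read; $i++) {
            $s = [Runtime.InteropServices.Marshal]::PtrToStructure([IntPtr]($buf.ToInt64() + $i * $size), [type][NetApi+SESSION_INFO_10])
            [PSCustomObject]@{ Computer = $ComputerName; Client = $s.sesi10_cname; User = $s.sesi10_username; IdleSeconds = $s.sesi10_idle_time }
        }
    } finally { [void][NetApi]::NetApiBufferFree($buf) }
}

function Get-RestrictRemoteSam {
    # Local check of "Network access: Restrict clients allowed to make remote calls to SAM".
    # Absent on Windows 7 / 2008 R2; on Windows 10 1607+ and Server 2016+ an absent value still
    # means the built-in default (Administrators only, O:BAG:BAD:(A;;RC;;;BA)) applies.
    (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RestrictRemoteSam -ErrorAction SilentlyContinue).RestrictRemoteSam
}

# Usage from a standard domain user; 'WIN7-01' is a placeholder host name.
Get-LocalGroupMemberApi   -ComputerName 'WIN7-01' | Format-Table -AutoSize
Get-LocalGroupMemberWinNT -ComputerName 'WIN7-01' | Format-Table -AutoSize
Get-RemoteSessionApi      -ComputerName 'WIN7-01' | Format-Table -AutoSize
"Local RestrictRemoteSam: $(Get-RestrictRemoteSam)"
```

A status of 53 or 1722 from either call points at the firewall explanation in the reply (the target never answered on SMB/RPC); a 5 with a Windows 7 target points at something deliberately restricting the caller, since 7 and 2008 R2 do not carry the newer SAMR restriction by default. Note that NetLocalGroupGetMembers and the WinNT provider both end up on the SAMR interface, so the RestrictRemoteSam policy affects both; NetSessionEnum goes through the server service instead and is not covered by it.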