PowerHungry: PowerShell tools for Penetration Testing / Red Teaming


Experimental PowerShell tools for Penetration Testing / Red Teaming
git clone https://github.com/linuz/PowerHungry.git

Current Scripts:


Get-AllTrusts will list the trusts for the inputted or current domain/forest. Will also output status of SIDFiltering and SelectiveAuthorization

If SIDFiltering is disabled, attackers can perform a SIDHistory attack to gain DA/EA privileges from one Domain/Forest to another Domain/Forest. See more on the attack here: https://adsecurity.org/?p=1640


Will grab the trust information for the domain the current user is a member of

PS C:\> Get-AllTrusts

Will grab the trust information for all the trusts with ABC.LOCAL Domain/Forest. You can pipe the results to Format-Table (ft) for easier reading

PS C:\> Get-AllTrusts -domain ABC.LOCAL | ft


Invoke-AdminAccessFinder is a supplement to PowerView’s Invoke-EnumerateLocalAdmin. Invoke-AdminAccessFinder will search a list of hosts that the specified user/group has administrative access to. Invoke-AdminAccessFinder gets it’s dataset by importing the CSV output from PowerView’s Invoke-EnumerateLocalAdmin function. Invoke-AdminAccessFinder identifies the security group membership for the user/group, recursively (with [TokenGroups] (https://msdn.microsoft.com/en-us/library/ms680275(v=vs.85).aspx)) and will return a list of hosts that the user/group and any of its group memberships have administrative access on.

On first execution of Invoke-AdminAccessFinder, you will be prompted to import the CSV file. Invoke-AdminAccessFinder will only ask for the CSV once per PowerShell session unless the -Clean switch is specified.


Tests a specified username with a password that matches their username. You can specify a username via the
SamAccountName parameter or you can pass this into the pipeline.

User Management

  • Add-LocalAdmin:
    Adds a user to the local administrator group for the specified computer. (Without using net.exe)
  • Delete-LocalUser:
    Deletes a local user from the specified computer (Without using net.exe)

Author: @DennisMald

Source: https://github.com/linuz/