author | b33f <ru.boonen@gmail.com> | 2017-07-22 14:33:20 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-07-22 14:33:20 +0100 |
commit | 7a3e16ace550fb335182960576aab236a0a00219 (patch) | |
tree | e12e32726b1235e1eab5f8c7b298442045fd6c17 | |
parent | 41cad0ee9fa8a18a77d68b696c2cc24d14e95352 (diff) | |
download | PowerSploit-7a3e16ace550fb335182960576aab236a0a00219.tar.gz PowerSploit-7a3e16ace550fb335182960576aab236a0a00219.zip |
+Region check on Find-DomainLocalGroupMember
If a user does not manually specify $GroupName it defaults to "Administrators" which may not be valid in specific regions. I added a check to pull out the Group Name from the Admin SID, see:
https://github.com/PowerShellMafia/PowerSploit/issues/176
-rwxr-xr-x | Recon/PowerView.ps1 | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1 index 40b060c..9c0c810 100755 --- a/Recon/PowerView.ps1 +++ b/Recon/PowerView.ps1 @@ -18911,6 +18911,12 @@ Custom PSObject with translated group property fields from WinNT results. $HostEnumBlock = { Param($ComputerName, $GroupName, $Method, $TokenHandle) + # Add check if user defaults to/selects "Administrators" + if ($GroupName -eq "Administrators") { + $AdminSecurityIdentifier = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid,$null) + $GroupName = ($SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value -split "\\")[-1] + } + if ($TokenHandle) { # impersonate the the token produced by LogonUser()/Invoke-UserImpersonation $Null = Invoke-UserImpersonation -TokenHandle $TokenHandle -Quiet |
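Review bot: the new `if ($GroupName -eq "Administrators")` block assigns the SID object to `$AdminSecurityIdentifier` but then calls `$SecurityIdentifier.Translate(...)`, a variable that is never set, so the second line fails with a null-valued-expression error (or leaves `$GroupName` empty) on every host, breaking exactly the default case this check is meant to fix. Use one name on both lines, e.g. `$GroupName = ($AdminSecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value -split "\\")[-1]`. Also worth a comment: the translation runs on whichever machine executes `$HostEnumBlock`, so the resolved name reflects that machine's locale rather than the target `$ComputerName`'s, which is fine when both share a language but is not a per-host lookup.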