authorWill <HarmJ0y@users.noreply.github.com>2017-04-26 14:08:32 -0700
committerGitHub <noreply@github.com>2017-04-26 14:08:32 -0700
commit97382c215d193f5474510dedcf421ce0d1ff2daf (patch)
tree86aab4d756db2fdd01b62c8fde8c75d3afc17f77 /Recon
parent0bbc9db5abe3e6bc2fda7377c2e427d153b70f9c (diff)
parent08b30627d99592876790aa855b039f0090a2dbf2 (diff)
Merge pull request #226 from joncave/dn_commas
Support for DNs containing commas
Diffstat (limited to 'Recon')
-rwxr-xr-xRecon/PowerView.ps1195
1 files changed, 80 insertions, 115 deletions
diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1
index d87ac3f..83c1ae2 100755
--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
@@ -4706,9 +4706,19 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
$IdentityFilter = ''
$Filter = ''
$Identity | Where-Object {$_} | ForEach-Object {
- $IdentityInstance = $_
- if ($IdentityInstance -match '.+\\.+') {
- $ConvertedIdentityInstance = $IdentityInstance | Convert-ADName -OutputType Canonical
+ $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+ if ($IdentityInstance -match '^S-1-') {
+ $IdentityFilter += "(objectsid=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -match '^CN=') {
+ $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+ $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+ $IdentityFilter += "(objectguid=$GuidByteString)"
+ }
+ elseif ($IdentityInstance.Contains('\')) {
+ $ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical
if ($ConvertedIdentityInstance) {
$UserDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/'))
$UserName = $IdentityInstance.Split('\')[1]
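Review bot: `$UserName = $IdentityInstance.Split('\')[1]` now runs on the escaped string, so a name containing parentheses — `CORP\svc(test)` is `CORP\svc\28test\29` after the replace on the first added line — is split at the escape backslashes and truncated to `svc`, which then matches a different account or nothing. Split the raw pipeline item instead and re-escape only the name part: `$UserName = $_.Split('\')[1].Replace('(', '\28').Replace(')', '\29')`. Taking element `[1]` also silently discards anything after a second backslash, though that predates this change. The Get-DomainUser body continues outside the hunk.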
@@ -4719,26 +4729,10 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
}
}
else {
- $IdentityInstance = $IdentityInstance.Replace('(', '\28').Replace(')', '\29')
- if ($IdentityInstance -match '^S-1-.*') {
- # SID format
- $IdentityFilter += "(objectsid=$IdentityInstance)"
- }
- elseif ($IdentityInstance -match '^CN=.*') {
- # distinguished names
- $IdentityFilter += "(distinguishedname=$IdentityInstance)"
- }
- else {
- try {
- $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
- $IdentityFilter += "(objectguid=$GuidByteString)"
- }
- catch {
- $IdentityFilter += "(samAccountName=$IdentityInstance)"
- }
- }
+ $IdentityFilter += "(samAccountName=$IdentityInstance)"
}
}
+
if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
$Filter += "(|$IdentityFilter)"
}
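Review bot: The fallback `(samAccountName=$IdentityInstance)` on the new line still carries any `*` verbatim, because the replace at the top of the loop only escapes `(` and `)`, so an identity like `svc*` becomes an LDAP wildcard match rather than a literal lookup. If wildcards are a deliberate feature of -Identity here, a comment would keep a later maintainer from "fixing" it, e.g. `# NOTE: '*' is intentionally not escaped so -Identity accepts LDAP wildcards`; if not, escape it with `.Replace('*', '\2a')` next to the paren escaping. The enclosing if/else chain starts before this hunk.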
@@ -5751,28 +5745,21 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
$Filter = ''
$Identity | Where-Object {$_} | ForEach-Object {
$IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
- if ($IdentityInstance -match '^S-1-.*') {
+ if ($IdentityInstance -match '^S-1-') {
$IdentityFilter += "(objectsid=$IdentityInstance)"
}
- elseif ($IdentityInstance -match '^CN=.*') {
+ elseif ($IdentityInstance -match '^CN=') {
$IdentityFilter += "(distinguishedname=$IdentityInstance)"
}
- elseif ($IdentityInstance -match '.*\..*') {
- $IdentityFilter += "(dnshostname=$IdentityInstance)"
+ elseif ($IdentityInstance.Contains('.')) {
+ $IdentityFilter += "(|(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
+ }
+ elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+ $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+ $IdentityFilter += "(objectguid=$GuidByteString)"
}
else {
- try {
- $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
- $IdentityFilter += "(objectguid=$GuidByteString)"
- }
- catch {
- if ($IdentityInstance.Contains('.')) {
- $IdentityFilter += "(|(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
- }
- else {
- $IdentityFilter += "(name=$IdentityInstance)"
- }
- }
+ $IdentityFilter += "(name=$IdentityInstance)"
}
}
if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
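Review bot: The new GUID test `'^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$'` is narrower than the `[Guid]` cast it replaces: a braced `{…}` GUID, which the old try/catch accepted, no longer converts and instead falls through to `(name=…)`, which will usually match nothing. If that narrowing is unintended, allow optional braces, `'^\{?[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}\}?$'`, since the `[Guid]` cast on the following line accepts that form. `-imatch` is redundant here — PowerShell `-match` is already case-insensitive — but harmless as a statement of intent.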
@@ -6063,40 +6050,33 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
$IdentityFilter = ''
$Filter = ''
$Identity | Where-Object {$_} | ForEach-Object {
- $IdentityInstance = $_
- if ($IdentityInstance -match '.+\\.+') {
- $ConvertedIdentityInstance = $IdentityInstance | Convert-ADName -OutputType Canonical
+ $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+ if ($IdentityInstance -match '^S-1-') {
+ $IdentityFilter += "(objectsid=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -match '^(CN|OU|DC)=') {
+ $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+ $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+ $IdentityFilter += "(objectguid=$GuidByteString)"
+ }
+ elseif ($IdentityInstance.Contains('\')) {
+ $ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical
if ($ConvertedIdentityInstance) {
$ObjectDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/'))
$ObjectName = $IdentityInstance.Split('\')[1]
$IdentityFilter += "(samAccountName=$ObjectName)"
$SearcherArguments['Domain'] = $ObjectDomain
- Write-Verbose "[Get-DomainUser] Extracted domain '$ObjectDomain' from '$IdentityInstance'"
+ Write-Verbose "[Get-DomainObject] Extracted domain '$ObjectDomain' from '$IdentityInstance'"
$ObjectSearcher = Get-DomainSearcher @SearcherArguments
}
}
+ elseif ($IdentityInstance.Contains('.')) {
+ $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
+ }
else {
- $IdentityInstance = $IdentityInstance.Replace('(', '\28').Replace(')', '\29')
- if ($IdentityInstance -match '^S-1-.*') {
- $IdentityFilter += "(objectsid=$IdentityInstance)"
- }
- elseif ($IdentityInstance -match '^(CN|OU|DC)=.*') {
- $IdentityFilter += "(distinguishedname=$IdentityInstance)"
- }
- else {
- try {
- $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
- $IdentityFilter += "(objectguid=$GuidByteString)"
- }
- catch {
- if ($IdentityInstance.Contains('.')) {
- $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
- }
- else {
- $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(displayname=$IdentityInstance))"
- }
- }
- }
+ $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(displayname=$IdentityInstance))"
}
}
if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
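Review bot: When `Convert-ADName` returns nothing for a `DOMAIN\name` identity, `if ($ConvertedIdentityInstance)` adds no term and has no else, so the identity is dropped without a message and, if it was the only one, `$IdentityFilter` stays empty and the check at the end of this hunk simply omits the identity clause — the search then presumably runs as if no -Identity had been given, which is both surprising to the caller and noisy on the wire. A warning makes the failure visible: `else { Write-Warning "[Get-DomainObject] Unable to resolve '$IdentityInstance' to a domain" }`. Separately, `$ObjectName = $IdentityInstance.Split('\')[1]` now splits the escaped string, so a name containing parentheses (already `\28`/`\29` at that point) is truncated at the first escape. Get-DomainObject continues outside the hunk.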
@@ -6785,19 +6765,15 @@ Custom PSObject with ACL entries.
elseif ($IdentityInstance -match '^(CN|OU|DC)=.*') {
$IdentityFilter += "(distinguishedname=$IdentityInstance)"
}
+ elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+ $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+ $IdentityFilter += "(objectguid=$GuidByteString)"
+ }
+ elseif ($IdentityInstance.Contains('.')) {
+ $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
+ }
else {
- try {
- $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
- $IdentityFilter += "(objectguid=$GuidByteString)"
- }
- catch {
- if ($IdentityInstance.Contains('.')) {
- $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
- }
- else {
- $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(displayname=$IdentityInstance))"
- }
- }
+ $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(displayname=$IdentityInstance))"
}
}
if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
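Review bot: Nothing visible in this hunk handles the `DOMAIN\name` form — the chain goes from the DN test straight to the new GUID and dotted-name tests — so unless a branch before the hunk catches backslashes, an identity such as `CORP\jdoe` reaches the final `(|(samAccountName=…)(name=…)(displayname=…))` line with a bare `\j`, which is not a valid RFC 4515 escape and would make the search fail with an invalid-filter error rather than return nothing. Get-DomainObject in this same file resolves that form through `Convert-ADName` before falling back; the same branch would fit here if it is indeed missing. The if/else chain begins before this hunk, so this may already be covered.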
@@ -8671,11 +8647,19 @@ Custom PSObject with translated group property fields.
$IdentityFilter = ''
$Filter = ''
$Identity | Where-Object {$_} | ForEach-Object {
- $IdentityInstance = $_
-
- if ($IdentityInstance -match '.+\\.+') {
- # DOMAIN\groupname
- $ConvertedIdentityInstance = $IdentityInstance | Convert-ADName -OutputType Canonical
+ $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+ if ($IdentityInstance -match '^S-1-') {
+ $IdentityFilter += "(objectsid=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -match '^CN=') {
+ $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+ $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+ $IdentityFilter += "(objectguid=$GuidByteString)"
+ }
+ elseif ($IdentityInstance.Contains('\')) {
+ $ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical
if ($ConvertedIdentityInstance) {
$GroupDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/'))
$GroupName = $IdentityInstance.Split('\')[1]
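Review bot: `$GroupName = $IdentityInstance.Split('\')[1]` splits the already-escaped value, so a group named with parentheses — `CORP\Tier0(Admins)` is `CORP\Tier0\28Admins\29` by then — is cut at the first escape backslash and queried as `Tier0`. Take the name from the raw item and escape only that part: `$GroupName = $_.Split('\')[1].Replace('(', '\28').Replace(')', '\29')`. The surrounding function body continues outside the hunk.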
@@ -8686,24 +8670,10 @@ Custom PSObject with translated group property fields.
}
}
else {
- $IdentityInstance = $IdentityInstance.Replace('(', '\28').Replace(')', '\29')
- if ($IdentityInstance -match '^S-1-.*') {
- $IdentityFilter += "(objectsid=$IdentityInstance)"
- }
- elseif ($IdentityInstance -match '^CN=.*') {
- $IdentityFilter += "(distinguishedname=$IdentityInstance)"
- }
- else {
- try {
- $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
- $IdentityFilter += "(objectguid=$GuidByteString)"
- }
- catch {
- $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance))"
- }
- }
+ $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance))"
}
}
+
if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
$Filter += "(|$IdentityFilter)"
}
@@ -9396,10 +9366,19 @@ http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-
$IdentityFilter = ''
$Filter = ''
$Identity | Where-Object {$_} | ForEach-Object {
- $IdentityInstance = $_
- if ($IdentityInstance -match '.+\\.+') {
- # DOMAIN\groupname
- $ConvertedIdentityInstance = $IdentityInstance | Convert-ADName -OutputType Canonical
+ $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+ if ($IdentityInstance -match '^S-1-') {
+ $IdentityFilter += "(objectsid=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -match '^CN=') {
+ $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+ $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+ $IdentityFilter += "(objectguid=$GuidByteString)"
+ }
+ elseif ($IdentityInstance.Contains('\')) {
+ $ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical
if ($ConvertedIdentityInstance) {
$GroupDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/'))
$GroupName = $IdentityInstance.Split('\')[1]
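Review bot: A `DOMAIN\group` identity that `Convert-ADName` cannot resolve is dropped silently here — `if ($ConvertedIdentityInstance)` has no else — and because the `if ($IdentityFilter …)` check that follows only adds the identity clause when something was appended, a single mistyped identity presumably turns the call into an unfiltered search instead of an error. Add `else { Write-Warning "Unable to resolve '$IdentityInstance' to a domain" }`, prefixed with the function name as the file's other `Write-Verbose` messages are. The enclosing function continues outside the hunk.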
@@ -9410,24 +9389,10 @@ http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-
}
}
else {
- $IdentityInstance = $IdentityInstance.Replace('(', '\28').Replace(')', '\29')
- if ($IdentityInstance -match '^S-1-.*') {
- $IdentityFilter += "(objectsid=$IdentityInstance)"
- }
- elseif ($IdentityInstance -match '^CN=.*') {
- $IdentityFilter += "(distinguishedname=$IdentityInstance)"
- }
- else {
- try {
- $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
- $IdentityFilter += "(objectguid=$GuidByteString)"
- }
- catch {
- $IdentityFilter += "(samAccountName=$IdentityInstance)"
- }
- }
+ $IdentityFilter += "(samAccountName=$IdentityInstance)"
}
}
+
if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
$Filter += "(|$IdentityFilter)"
}