Diffstat (limited to 'Recon/PowerView.ps1')
-rwxr-xr-xRecon/PowerView.ps1212
1 files changed, 90 insertions, 122 deletions
diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1
index 142f2a3..c003d8e 100755
--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
@@ -4471,7 +4471,7 @@ Switch. Return user accounts that are marked as 'sensitive and not allowed for d
Switch. Return computer objects that are trusted to authenticate for other principals.
-.PARAMETER KerberosPreauthNotRequired
+.PARAMETER PreauthNotRequired
Switch. Return user accounts with "Do not require Kerberos preauthentication" set.
@@ -4628,8 +4628,9 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
[Switch]
$TrustedToAuth,
+ [Alias('KerberosPreauthNotRequired', 'NoPreauth')]
[Switch]
- $KerberosPreauthNotRequired,
+ $PreauthNotRequired,
[ValidateNotNullOrEmpty()]
[String]
@@ -4705,9 +4706,19 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
$IdentityFilter = ''
$Filter = ''
$Identity | Where-Object {$_} | ForEach-Object {
- $IdentityInstance = $_
- if ($IdentityInstance -match '.+\\.+') {
- $ConvertedIdentityInstance = $IdentityInstance | Convert-ADName -OutputType Canonical
+ $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+ if ($IdentityInstance -match '^S-1-') {
+ $IdentityFilter += "(objectsid=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -match '^CN=') {
+ $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+ $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+ $IdentityFilter += "(objectguid=$GuidByteString)"
+ }
+ elseif ($IdentityInstance.Contains('\')) {
+ $ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical
if ($ConvertedIdentityInstance) {
$UserDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/'))
$UserName = $IdentityInstance.Split('\')[1]
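Review bot: `$UserName = $IdentityInstance.Split('\')[1]` now runs on the already-escaped string, so an identity like `DOMAIN\svc(1)` — rewritten at L35 to `DOMAIN\svc\281\29` — is split at the escape backslashes and yields `svc`, and the later samAccountName clause silently targets the wrong account (the old code split the raw value, which had the opposite problem of an unescaped name). Taking everything after the first backslash keeps the escaped name intact and still LDAP-safe: `$UserName = $IdentityInstance.Substring($IdentityInstance.IndexOf('\') + 1)`. The same Split appears in the Get-DomainObject (L149), Get-DomainGroup (L254) and Get-DomainGroupMember (L305) hunks. The enclosing ForEach-Object block continues past the end of this hunk.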
@@ -4718,26 +4729,10 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
}
}
else {
- $IdentityInstance = $IdentityInstance.Replace('(', '\28').Replace(')', '\29')
- if ($IdentityInstance -match '^S-1-.*') {
- # SID format
- $IdentityFilter += "(objectsid=$IdentityInstance)"
- }
- elseif ($IdentityInstance -match '^CN=.*') {
- # distinguished names
- $IdentityFilter += "(distinguishedname=$IdentityInstance)"
- }
- else {
- try {
- $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
- $IdentityFilter += "(objectguid=$GuidByteString)"
- }
- catch {
- $IdentityFilter += "(samAccountName=$IdentityInstance)"
- }
- }
+ $IdentityFilter += "(samAccountName=$IdentityInstance)"
}
}
+
if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
$Filter += "(|$IdentityFilter)"
}
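Review bot: The fallback at L73 now receives every value the hyphen-only GUID regex in the preceding hunk (L42) rejects, whereas the removed `[Guid]` cast (L66) also accepted brace-wrapped `{…}` and 32-hex-digit forms; such inputs now become a `(samAccountName=…)` clause that matches nothing instead of an objectguid lookup. If the narrowing is intended, a comment on the regex should say so; otherwise accept optional braces with `'^\{?[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}\}?$'` and strip them with `.Trim('{}')` before the `[Guid]` cast. The same regex is repeated in the Get-DomainComputer, Get-DomainObject, Get-DomainObjectAcl, Get-DomainGroup and Get-DomainGroupMember hunks.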
@@ -4763,7 +4758,7 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
Write-Verbose '[Get-DomainUser] Searching for users that are trusted to authenticate for other principals'
$Filter += '(msds-allowedtodelegateto=*)'
}
- if ($PSBoundParameters['KerberosPreauthNotRequired']) {
+ if ($PSBoundParameters['PreauthNotRequired']) {
Write-Verbose '[Get-DomainUser] Searching for user accounts that do not require kerberos preauthenticate'
$Filter += '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
}
@@ -5750,28 +5745,21 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
$Filter = ''
$Identity | Where-Object {$_} | ForEach-Object {
$IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
- if ($IdentityInstance -match '^S-1-.*') {
+ if ($IdentityInstance -match '^S-1-') {
$IdentityFilter += "(objectsid=$IdentityInstance)"
}
- elseif ($IdentityInstance -match '^CN=.*') {
+ elseif ($IdentityInstance -match '^CN=') {
$IdentityFilter += "(distinguishedname=$IdentityInstance)"
}
- elseif ($IdentityInstance -match '.*\..*') {
- $IdentityFilter += "(dnshostname=$IdentityInstance)"
+ elseif ($IdentityInstance.Contains('.')) {
+ $IdentityFilter += "(|(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
+ }
+ elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+ $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+ $IdentityFilter += "(objectguid=$GuidByteString)"
}
else {
- try {
- $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
- $IdentityFilter += "(objectguid=$GuidByteString)"
- }
- catch {
- if ($IdentityInstance.Contains('.')) {
- $IdentityFilter += "(|(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
- }
- else {
- $IdentityFilter += "(name=$IdentityInstance)"
- }
- }
+ $IdentityFilter += "(name=$IdentityInstance)"
}
}
if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
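Review bot: Only `(` and `)` are escaped at L92 before `$IdentityInstance` is interpolated into the filter, so a backslash, `*` or NUL in the value still reaches LDAP unescaped (RFC 4515 requires escaping all of them), and Get-DomainComputer has no DOMAIN\name branch that would otherwise consume a stray backslash. If `*` is deliberately left alone for wildcard lookups, a comment saying so would keep the next reader from "fixing" it; `\` can be escaped first in this function as `$IdentityInstance = $_.Replace('\', '\5c').Replace('(', '\28').Replace(')', '\29')`, whereas in the functions that split on the backslash it would have to happen after that branch. The same partial escaping is present in the Get-DomainUser, Get-DomainObject, Get-DomainObjectAcl, Get-DomainGroup and Get-DomainGroupMember hunks.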
@@ -6062,40 +6050,33 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
$IdentityFilter = ''
$Filter = ''
$Identity | Where-Object {$_} | ForEach-Object {
- $IdentityInstance = $_
- if ($IdentityInstance -match '.+\\.+') {
- $ConvertedIdentityInstance = $IdentityInstance | Convert-ADName -OutputType Canonical
+ $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+ if ($IdentityInstance -match '^S-1-') {
+ $IdentityFilter += "(objectsid=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -match '^(CN|OU|DC)=') {
+ $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+ $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+ $IdentityFilter += "(objectguid=$GuidByteString)"
+ }
+ elseif ($IdentityInstance.Contains('\')) {
+ $ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical
if ($ConvertedIdentityInstance) {
$ObjectDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/'))
$ObjectName = $IdentityInstance.Split('\')[1]
$IdentityFilter += "(samAccountName=$ObjectName)"
$SearcherArguments['Domain'] = $ObjectDomain
- Write-Verbose "[Get-DomainUser] Extracted domain '$ObjectDomain' from '$IdentityInstance'"
+ Write-Verbose "[Get-DomainObject] Extracted domain '$ObjectDomain' from '$IdentityInstance'"
$ObjectSearcher = Get-DomainSearcher @SearcherArguments
}
}
+ elseif ($IdentityInstance.Contains('.')) {
+ $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
+ }
else {
- $IdentityInstance = $IdentityInstance.Replace('(', '\28').Replace(')', '\29')
- if ($IdentityInstance -match '^S-1-.*') {
- $IdentityFilter += "(objectsid=$IdentityInstance)"
- }
- elseif ($IdentityInstance -match '^(CN|OU|DC)=.*') {
- $IdentityFilter += "(distinguishedname=$IdentityInstance)"
- }
- else {
- try {
- $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
- $IdentityFilter += "(objectguid=$GuidByteString)"
- }
- catch {
- if ($IdentityInstance.Contains('.')) {
- $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
- }
- else {
- $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(displayname=$IdentityInstance))"
- }
- }
- }
+ $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(displayname=$IdentityInstance))"
}
}
if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
@@ -6587,6 +6568,7 @@ Set the owner of 'dfm' in the current domain to 'harmj0y' using the alternate cr
try {
Write-Verbose "[Set-DomainObjectOwner] Attempting to set the owner for '$Identity' to '$OwnerIdentity'"
$Entry = $RawObject.GetDirectoryEntry()
+ $Entry.PsBase.Options.SecurityMasks = 'Owner'
$Entry.PsBase.ObjectSecurity.SetOwner($OwnerIdentityReference)
$Entry.PsBase.CommitChanges()
}
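Review bot: The new `$Entry.PsBase.Options.SecurityMasks = 'Owner'` at L190 has no comment explaining why it is needed, and the reason is not obvious from the surrounding try block. Presumably it restricts the security descriptor that CommitChanges reads and writes to the owner part so the call does not also require rights over the DACL/SACL — worth confirming, then stating inline: `# Limit the descriptor read/written by CommitChanges to the owner part so no DACL/SACL rights are needed`. The matching `'Dacl'` mask added in Add-DomainObjectAcl (L226) deserves the same note. Set-DomainObjectOwner's body continues outside this hunk.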
@@ -6783,19 +6765,15 @@ Custom PSObject with ACL entries.
elseif ($IdentityInstance -match '^(CN|OU|DC)=.*') {
$IdentityFilter += "(distinguishedname=$IdentityInstance)"
}
+ elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+ $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+ $IdentityFilter += "(objectguid=$GuidByteString)"
+ }
+ elseif ($IdentityInstance.Contains('.')) {
+ $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
+ }
else {
- try {
- $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
- $IdentityFilter += "(objectguid=$GuidByteString)"
- }
- catch {
- if ($IdentityInstance.Contains('.')) {
- $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
- }
- else {
- $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(displayname=$IdentityInstance))"
- }
- }
+ $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(displayname=$IdentityInstance))"
}
}
if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
@@ -7205,6 +7183,7 @@ https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a
ForEach ($ACE in $ACEs) {
Write-Verbose "[Add-DomainObjectAcl] Granting principal $($PrincipalObject.distinguishedname) rights GUID '$($ACE.ObjectType)' on $($TargetObject.Properties.distinguishedname)"
$TargetEntry = $TargetObject.GetDirectoryEntry()
+ $TargetEntry.PsBase.Options.SecurityMasks = 'Dacl'
$TargetEntry.PsBase.ObjectSecurity.AddAccessRule($ACE)
$TargetEntry.PsBase.CommitChanges()
}
@@ -8668,11 +8647,19 @@ Custom PSObject with translated group property fields.
$IdentityFilter = ''
$Filter = ''
$Identity | Where-Object {$_} | ForEach-Object {
- $IdentityInstance = $_
-
- if ($IdentityInstance -match '.+\\.+') {
- # DOMAIN\groupname
- $ConvertedIdentityInstance = $IdentityInstance | Convert-ADName -OutputType Canonical
+ $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+ if ($IdentityInstance -match '^S-1-') {
+ $IdentityFilter += "(objectsid=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -match '^CN=') {
+ $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+ $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+ $IdentityFilter += "(objectguid=$GuidByteString)"
+ }
+ elseif ($IdentityInstance.Contains('\')) {
+ $ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical
if ($ConvertedIdentityInstance) {
$GroupDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/'))
$GroupName = $IdentityInstance.Split('\')[1]
@@ -8683,24 +8670,10 @@ Custom PSObject with translated group property fields.
}
}
else {
- $IdentityInstance = $IdentityInstance.Replace('(', '\28').Replace(')', '\29')
- if ($IdentityInstance -match '^S-1-.*') {
- $IdentityFilter += "(objectsid=$IdentityInstance)"
- }
- elseif ($IdentityInstance -match '^CN=.*') {
- $IdentityFilter += "(distinguishedname=$IdentityInstance)"
- }
- else {
- try {
- $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
- $IdentityFilter += "(objectguid=$GuidByteString)"
- }
- catch {
- $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance))"
- }
- }
+ $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance))"
}
}
+
if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
$Filter += "(|$IdentityFilter)"
}
@@ -9393,10 +9366,19 @@ http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-
$IdentityFilter = ''
$Filter = ''
$Identity | Where-Object {$_} | ForEach-Object {
- $IdentityInstance = $_
- if ($IdentityInstance -match '.+\\.+') {
- # DOMAIN\groupname
- $ConvertedIdentityInstance = $IdentityInstance | Convert-ADName -OutputType Canonical
+ $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+ if ($IdentityInstance -match '^S-1-') {
+ $IdentityFilter += "(objectsid=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -match '^CN=') {
+ $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+ $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+ $IdentityFilter += "(objectguid=$GuidByteString)"
+ }
+ elseif ($IdentityInstance.Contains('\')) {
+ $ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical
if ($ConvertedIdentityInstance) {
$GroupDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/'))
$GroupName = $IdentityInstance.Split('\')[1]
@@ -9407,24 +9389,10 @@ http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-
}
}
else {
- $IdentityInstance = $IdentityInstance.Replace('(', '\28').Replace(')', '\29')
- if ($IdentityInstance -match '^S-1-.*') {
- $IdentityFilter += "(objectsid=$IdentityInstance)"
- }
- elseif ($IdentityInstance -match '^CN=.*') {
- $IdentityFilter += "(distinguishedname=$IdentityInstance)"
- }
- else {
- try {
- $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
- $IdentityFilter += "(objectguid=$GuidByteString)"
- }
- catch {
- $IdentityFilter += "(samAccountName=$IdentityInstance)"
- }
- }
+ $IdentityFilter += "(samAccountName=$IdentityInstance)"
}
}
+
if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
$Filter += "(|$IdentityFilter)"
}
@@ -9914,7 +9882,7 @@ function Get-DomainDFSShare {
.SYNOPSIS
Returns a list of all fault-tolerant distributed file systems
-for the current (or specified) domain.
+for the current (or specified) domains.
Author: Ben Campbell (@meatballs__)
License: BSD 3-Clause
@@ -9929,7 +9897,7 @@ The server data is parsed appropriately and returned.
.PARAMETER Domain
-Specifies the domain to use for the query, defaults to the current domain.
+Specifies the domains to use for the query, defaults to the current domain.
.PARAMETER SearchBase
@@ -10212,7 +10180,7 @@ A custom PSObject describing the distributed file systems.
function Get-DomainDFSShareV1 {
[CmdletBinding()]
Param(
- [String[]]
+ [String]
$Domain,
[String]
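Review bot: Narrowing `$Domain` from `[String[]]` to `[String]` at L350 (and L358 in Get-DomainDFSShareV2) is silent rather than enforced: a caller that still passes an array gets it bound to the `[String]` parameter by joining the elements with `$OFS` (a space) instead of a binding error, yielding a bogus domain name. The updated help for Get-DomainDFSShare now speaks of "domains" (L343), so presumably that function loops and passes one domain per call — worth confirming, and adding `[ValidateNotNullOrEmpty()]` above `[String]` here and in V2 would at least reject an empty value. Only the Param block is visible here; the function bodies lie outside the hunk.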
@@ -10291,7 +10259,7 @@ A custom PSObject describing the distributed file systems.
function Get-DomainDFSShareV2 {
[CmdletBinding()]
Param(
- [String[]]
+ [String]
$Domain,
[String]