Age | Commit message | Author | Files | Lines
Modified Convert-LDAPProperty to break out sections of ntsecuritydescriptor
Reformatted documentation.
-Lots of function cleanup/code rot removal and standardization
-Additional options added to Get-DomainSearcher in order to support new param sets
-Expanded parameter validation
-XML help format standardized
-PSScriptAnalyzer fixups - passes PSScriptAnalyzer now!
-Nearly all functions should tag custom types to output objects
-Identity supported by all appropriate functions
-Transformed all filters to functions
-Expanded the formats for Convert-ADName
-Get-SPNTicket returns enc part automatically now, and Hashcat output format added
-Write-Verbose/Write-Warning/Throw messages now have the function name tagged in the message
-Verb-Domain* functions now all include a -FindOne function to return one result
-Get-DomainUserEvent now uses -XPathFilter for a massive speedup
-ALL Verb-Domain* (LDAP) functions now return full data objects (no more -FullData). Use -Properties for paring down.
-Lots of bug fixes
-"Required Dependencies" for each function completed
-Fixed logic bugs for -ComputerIdentity in Get-DomainGPO, now enumerates domain-linked GPOs as well
-Added -UserIdentity to Get-DomainGPO to enumerate GPOs applied to a given user identity
New function naming scheme with proper Verb-PrefixNoun syntax to better match the 'real' AD cmdlets:
Verbs:
Get - retrieve full raw data sets
Find - 'find' specific data entries in a data set or execute threaded computer enumeration
Add - add a new object to a destination
Set - modify a given object
Invoke - lazy catch-all
Prefixes now give an indication of the data source:
Verb-DomainX - LDAP/.NET AD connections (e.g. Get-DomainUser)
Verb-WMIX - Uses WMI for connections/enumeration of a specific host (e.g. Get-WMIRegLastLoggedOn)
Verb-NetX - API access (e.g. Get-NetSession)
Nouns have been renamed to be more descriptive
Big gotcha:
Get-NetLocalGroup - now returns local *groups* themselves
Get-NetLocalGroupMember - returns local group *members* (old Get-NetLocalGroup)
-Parameter sets standardized - parameters shared as appropriate across functions
-Identity -> replaces -UserName/-GroupName/etc. Accepts samAccountName, GUID, distinguishedName, SID
-these can be used in tandem -> Get-DomainUser "S-1-5-21-890171859-3433809279-3366196753-1108","administrator"
-Properties -> return only the specified properties (i.e. Get-DomainUser -Properties samAccountName,lastLogon)
-LDAPFilter replaces -Filter, -SearchBase replaces -ADSPath, -Server replaces -DomainController
-ServerTimeLimit, -SearchScope, -Tombstone, -SecurityMasks added for most functions
All functions (as appropriate) now support -Credential:
-Verb-Domain* (LDAP) functions use alternate creds for a DirectorySearcher through Get-DomainSearcher
-COM methods (i.e. Convert-ADName) use appropriate initializations
-Verb-WMI methods pass the -Credential through as appropriate
-Verb-Net* (API) functions use Invoke-UserImpersonation/Invoke-RevertToSelf implicitly for token impersonation
Removed functions:
Get-ComputerProperty, Get-UserProperty, Find-ComputerField, Find-UserField
Get-NameField (translated to ValueFromPipelineByPropertyName calls)
Invoke-DowngradeAccount - not used
Add-NetUser - split into New-DomainUser/others
Add-NetGroupUser - split into Add-DomainGroupMember/others
New-GPOImmediateTask - inconsistent and better done manually
Invoke-StealthUserHunter - combined into Find-DomainUserLocation
Get-ExploitableSystem
Added helper functions:
Get-PrincipalContext - helper to return a DirectoryServices.AccountManagement.PrincipalContext
Get-ForestSchemaClass - returns the forest schema for a specified object class
Added exported functions:
Add-RemoteConnection - 'mounts' a remote UNC path using WNetAddConnection2W
Remove-RemoteConnection - 'unmounts' a remote UNC path using WNetCancelConnection2
Invoke-UserImpersonation - creates a new "runas /netonly" type logon and impersonates the token in the current thread
Invoke-RevertToSelf - reverts any token impersonation
Invoke-Kerberoast - automates Kerberoasting
Find-DomainObjectPropertyOutlier - finds user/group/computer objects in AD that have 'outlier' property sets
New-DomainUser - creates a new domain user
New-DomainGroup - creates a new domain group
Add-DomainGroupMember - adds a domain user (or group) to an existing domain group
Get-NetLocalGroup - now returns local *groups* themselves
Get-NetLocalGroupMember - returns local group *members* (old Get-NetLocalGroup)
Renamed functions (aliases created for old functions):
Get-IPAddress -> Resolve-IPAddress
Convert-NameToSid -> ConvertTo-SID
Convert-SidToName -> ConvertFrom-SID
Request-SPNTicket -> Get-DomainSPNTicket
Get-DNSZone -> Get-DomainDNSZone
Get-DNSRecord -> Get-DomainDNSRecord
Get-NetDomain -> Get-Domain
Get-NetDomainController -> Get-DomainController
Get-NetForest -> Get-Forest
Get-NetForestDomain -> Get-ForestDomain
Get-NetForestCatalog -> Get-ForestGlobalCatalog
Get-NetUser -> Get-DomainUser
Get-UserEvent -> Get-DomainUserEvent
Get-NetComputer -> Get-DomainComputer
Get-ADObject -> Get-DomainObject
Set-ADObject -> Set-DomainObject
Get-ObjectAcl -> Get-DomainObjectAcl
Add-ObjectAcl -> Add-DomainObjectAcl
Invoke-ACLScanner -> Find-InterestingDomainAcl
Get-GUIDMap -> Get-DomainGUIDMap
Get-NetOU -> Get-DomainOU
Get-NetSite -> Get-DomainSite
Get-NetSubnet -> Get-DomainSubnet
Get-NetGroup -> Get-DomainGroup
Find-ManagedSecurityGroups -> Get-DomainManagedSecurityGroup
Get-NetGroupMember -> Get-DomainGroupMember
Get-NetFileServer -> Get-DomainFileServer
Get-DFSshare -> Get-DomainDFSShare
Get-NetGPO -> Get-DomainGPO
Get-NetGPOGroup -> Get-DomainGPOLocalGroup
Find-GPOLocation -> Get-DomainGPOUserLocalGroupMapping
Find-GPOComputerAdmin -> Get-DomainGPOComputerLocalGroupMapping
Get-LoggedOnLocal -> Get-RegLoggedOn
Test-AdminAccess -> Invoke-CheckLocalAdminAccess
Get-SiteName -> Get-NetComputerSiteName
Get-Proxy -> Get-WMIRegProxy
Get-LastLoggedOn -> Get-WMIRegLastLoggedOn
Get-CachedRDPConnection -> Get-WMIRegCachedRDPConnection
Get-RegistryMountedDrive -> Get-WMIRegMountedDrive
Get-NetProcess -> Get-WMIProcess
Invoke-ThreadedFunction -> New-ThreadedFunction
Invoke-UserHunter -> Find-DomainUserLocation
Invoke-ProcessHunter -> Find-DomainProcess
Invoke-EventHunter -> Find-DomainUserEvent
Invoke-ShareFinder -> Find-DomainShare
Invoke-FileFinder -> Find-InterestingDomainShareFile
Invoke-EnumerateLocalAdmin -> Find-DomainLocalGroupMember
Get-NetDomainTrust -> Get-DomainTrust
Get-NetForestTrust -> Get-ForestTrust
Find-ForeignUser -> Get-DomainForeignUser
Find-ForeignGroup -> Get-DomainForeignGroupMember
Invoke-MapDomainTrust -> Get-DomainTrustMapping
-Standardized documentation, including adding output object types and required dependencies to all functions
-Added Get-ProcessTokenPrivilege to enumerate the current (or remote) process token privileges, replacing Get-CurrentUserTokenGroupSid
-Added Enable-Privilege to enable privileges using RtlAdjustPrivilege
-Added @enigma0x3's Invoke-WScriptUACBypass function
-Renamed Invoke-AllChecks to Invoke-PrivescAudit, added alias mapping
-Added tests for Get-ProcessTokenPrivilege, Enable-Privilege, and Invoke-WScriptUACBypass
-Renamed helper functions for consistency
-Passes PSScriptAnalyzer!
Dev
Updated Get-ExploitableSystem
Removed *_netapi from Vista/2008 in Get-ExploitableSystem as they are not vulnerable
This reverts commit 26a891b499df2c2f682c469c887b01dbd286a280, reversing
changes made to 262a260865d408808ab332f972d410d3b861eff1.
Updated Get-ExploitableSystem
Add disabled and present searches to get-netfileservers
Retrieve Security groups by default
Removed *_netapi from Vista/2008 in Get-ExploitableSystem as they are not vulnerable
Address issue #190
Service DACL false positive | Request-SPNTicket double hash
PowerView: Invoke-UserHunter -Poll
Added the EncPart param to Request-SPNTicket
Adds the ability to return the encrypted part of the ticket.
This portion is the encrypted data that can be brute-forced with Kerberoast/Hashcat/JtR
The PowerShell.BeginInvoke<TInput, TOutput>(PSDataCollection<TInput>,
PSDataCollection<TOutput>) method[1] is used to collect output from
each job into a buffer. This can be read whilst the jobs are still
running. Being able to return partial results is particularly useful for
long-running background threads, such as Invoke-UserHunter -Poll.

PowerShell 2.0 doesn't play nicely with generic methods. The technique
described in [2] is used to allow this version of BeginInvoke() to be
used.

[1] https://msdn.microsoft.com/en-us/library/dd182440(v=vs.85).aspx
[2] http://www.leeholmes.com/blog/2007/06/19/invoking-generic-methods-on-non-generic-classes-in-powershell/
Repeatedly poll a set of target computers for user sessions. This could
be a useful technique for building a much better picture of current
sessions, but without having to communicate with every host.

The -Poll parameter is used to specify the duration for which polling
should occur. Each target computer is assigned a dedicated thread, with
-Delay and -Jitter specifying how long to sleep between each session
enumeration attempt of an individual host.
Added ability to specify domain controller to search (-Server parameter)
Added default value to parameter and got rid of value check later in the code.
Added validation of -Server value to ensure it is not $Null or an empty string.
Invoke-Mimikatz was not handling functions exported by ordinal.
Thank you @gentilkiwi for the suggested fix!
PowerUp: Remove badly encoded new lines from .bat output
PowerUp: Allocate enough space for TOKEN_GROUPS