aboutsummaryrefslogtreecommitdiff
path: root/Recon/PowerView.ps1
AgeCommit message (Collapse)AuthorFilesLines
2017-04-26Merge pull request #226 from joncave/dn_commasWill1-115/+80
Support for DNs containing commas
2017-04-26Merge pull request #227 from joncave/dfs_domainWill1-4/+4
The DFS subfunctions only accept a single $Domain
2017-04-17Set explicit LDAP SecurityMask settingsLee Christensen1-0/+2
Changed the LDAP SecurityMasks settings so that you can change the Owner/DACL if you only have WriteOwner/WriteDacl permissions on the object (Default SecurityMasks is "Owner, Group, Dacl")
2017-04-05Support for DNs containing commasJon Cave1-115/+80
If an object's distinguished name contains a comma then it ends up quoted: CN=Smith\, John,OU=Admins,DC=example,DC=com This breaks a number of functions which attempt to identify DOMAIN\name by matching on a \ anywhere in the specified identity before checking if the identity was a DN (or SID or GUID). For example, attempting to list members of "Domain Admins" using Get-DomainGroupMember gives the following: VERBOSE: [Convert-ADName] Error initializing translation for 'CN=Smith\, John,OU=Admins,DC=example,DC=com' : Exception calling "InvokeMember" with "5" argument(s): "The specified domain either does not exist or could not be contacted. (Exception from HRESULT: 0x8007054B)" VERBOSE: [Convert-ADName] Error translating 'CN=Smith\, John,OU=Admins,DC=example,DC=com' : The specified domain either does not exist or could not be contacted. (Exception from HRESULT: 0x8007054B) VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (objectClass=*) The fix implemented here is to perform more specific pattern matching prior to falling back to looking for a \. The order is SID, DN, GUID, qualified name (DOMAIN\name), and then plain name.
2017-04-05The DFS subfunctions only accept a single $DomainJon Cave1-4/+4
Specifying the type as an array of strings results in an error when passing on the parameter to Get-DomainSearcher: C:\> Get-DomainDFSShare -Domain test Get-DomainSearcher : Cannot process argument transformation on parameter 'Domain'. Cannot convert value to type System.String. At PowerView.ps1:10242 char:46
2017-01-16Changed -KerberosPreauthNotRequired to -PreauthNotRequiredHarmJ0y1-3/+4
2017-01-11Standardized output from Find-InterestingDomainAclHarmJ0y1-11/+40
2017-01-11Merge branch 'dev' of github.com:PowerShellMafia/PowerSploit into devHarmJ0y1-1/+1
2017-01-11Added displayname to the default filter set for Get-DomainObject[ACL]HarmJ0y1-2/+2
2017-01-11Merge pull request #210 from leechristensen/patch-3HarmJ0y1-1/+1
Fixed KerberosPreauthNotRequired
2017-01-11Parenthesis for additional LDAP functionsHarmJ0y1-45/+51
2017-01-11Parenthesis escaping for Get-DomainObject DN searchesHarmJ0y1-14/+17
2017-01-11bug fix for Get-DomainObject/Get-DomainObjectACLHarmJ0y1-2/+2
2017-01-11Fixed bug in Convert-ADName that output an array including null values ↵HarmJ0y1-4/+4
instead of a string
2017-01-11Fixed KerberosPreauthNotRequiredLee Christensen1-1/+1
2017-01-10Merge branch 'dev' of github.com:PowerShellMafia/PowerSploit into devHarmJ0y1-1/+1
2017-01-10Couple of fixes for Get-DomainSPNTicketHarmJ0y1-6/+10
2017-01-09Words :PLee Christensen1-1/+1
2017-01-08Get-DomainSPNTicket/Invoke-Kerberoast now include 'real' user data in the ↵HarmJ0y1-5/+19
hash output. Added a bit more error handling when requesting the SPN kerberos ticket.
2017-01-04Fix errors gathering the forest SIDMike Brancato1-2/+2
Pull the SID directly from the 'krbtgt' user to avoid errors in ConvertTo-SID
2016-12-20type correctionHarmJ0y1-3/+3
2016-12-15Type fix.HarmJ0y1-8/+19
Added -TrustedToAuth to Get-DomainUser
2016-12-15Bug fix for the Find-DomainUserLocation bug fix :)HarmJ0y1-2/+3
2016-12-15Logic bug fix in Get-DomainFileServerHarmJ0y1-3/+6
-Domain bug fix in Find-DomainUserLocation stealth
2016-12-14For ./Recon/ :HarmJ0y1-1/+1
-(More) PSScriptAnalyzering -Tweaking of synopsis blocks in order to support platyPS -Code standardization -Generated docs
2016-12-14-Fixes for PSScriptAnalyzer compatibilityHarmJ0y1-18/+114
-More error handling
2016-12-13Added Set-DomainObjectOwner to modify an object's ownerHarmJ0y1-19/+195
Modified Convert-LDAPProperty to break out sections of ntsecuritydescriptor
2016-12-13Added Set-DomainUserPassword to reset a particular user's password.HarmJ0y1-0/+113
Reformatted documentation.
2016-12-12Added spacing to prep for platyPS doc generation.HarmJ0y1-249/+249
2016-12-12Typo correction and Recon README.md updateHarmJ0y1-6/+6
2016-12-12bug fix in Get-DomainSearcherHarmJ0y1-1/+5
2016-12-12-Complete ground-up rewrite of PowerViewHarmJ0y1-8453/+13268
-Lots of function cleanup/code rot removal and standardization -Additional options added to Get-DomainSearcher in order to support new param sets -Expanded parameter validation -XML help format standardized -PSScriptAnalyzer fixups- passes PS script analyzer now! -Nearly all functions should tag custom types to output objectsx -Identity supported by all appropriate functions -Transformed all filters to functions -Expanded the formats for Convert-ADName -Get-SPNTicket returns enc part automatically now, and Hashcat output format added -Write-Verbose/Write-Warning/Throw messages now have the function name tagged in the message -Verb-Domain* functions now all include a -FindOne function to return one result -Get-DomainUserEvent now uses -XPathFilter for a massive speedup -ALL Verb-Domain* (LDAP) functions now return full data objects (no more -FullData). Use -Properties for paring down. -Lots of bug fixes -"Required Dependencies" for each function completed -Fixed logic bugs for -ComputerIdentity in Get-DomainGPO, now enumerates domain-linked GPOs as well -Added -UserIdentity to Get-DomainGPO to enumerate GPOs applied to a given user identity New function naming scheme with proper Verb-PrefixNoun syntax to better match the 'real' AD cmdlets: Verbs: Get - retrieve full raw data sets Find - 'find' specific data entries in a data set or execute threaded computer enumeration Add - add a new object to a destination Set - modify a given object Invoke - lazy catch-all Prefixes now give an indication of the data source: Verb-DomainX - LDAP/.NET AD connections (e.g. Get-DomainUser) Verb-WMIX - Uses WMI for connections/enumeration of a specific host (e.g. Get-WMIRegLastLoggedOn) Verb-NetX - API access (e.g. Get-NetSession) Nouns have been renamed to be more descriptive Big gotcha: Get-NetLocalGroup - now returns local *groups* themselves Get-NetLocalGroupMember - returns local group *members* (old Get-NetLocalGroup) -Parameter sets standardized - parameters shared as appropriate across functions -Identity -> replaces -UserName/-GroupName/etc. Accepts samAccountName, GUID, distinguishedName, SID -these can be used in tandem -> Get-DomainUser "S-1-5-21-890171859-3433809279-3366196753-1108","administrator" -Properties -> return only the specified properties (i.e. Get-DomainUser -Properties samAccountName,lastLogon -LDAPFilter replaces -Filter, -SearchBase replaces -ADSPath, -Server replaces -DomainController -ServerTimeLimit, -SearchScope, -Tombstone, -SecurityMasks added for most functions All functions (as appropriate) now support -Credential: -Verb-Domain* (LDAP) functions use alternate creds for a DirectorySearcher through Get-DomainSearcher -COM methods (i.e. Convert-ADName) use appropriate initializations -Verb-WMI methods pass the -Credential through as appropriate -Verb-Net* (API) functions use Invoke-UserImpersonation/Invoke-RevertToSelf implicitly for token impersonation Removed functions: Get-ComputerProperty, Get-UserProperty, Find-ComputerField, Find-UserField Get-NameField (translated to ValueFromPipelineByPropertyName calls) Invoke-DowngradeAccount - not used Add-NetUser - split into New-DomainUser/others Add-NetGroupUser - split into Add-DomainGroupMember/others New-GPOImmediateTask - inconsistent and better done manually Invoke-StealthUserHunter - combined into Find-DomainUserLocation Get-ExploitableSystem Added helper functions: Get-PrincipalContext - helper to return a DirectoryServices.AccountManagement.PrincipalContext Get-ForestSchemaClass - returns the forest schema for a specified object class Added exported functions: Add-RemoteConnection - 'mounts' a remote UNC path using WNetAddConnection2W Remove-RemoteConnection - 'unmounts' a remote UNC path using WNetCancelConnection2 Invoke-UserImpersonation - creates a new "runas /netonly" type logon and impersonates the token in the current thread Invoke-RevertToSelf - reverts any token impersonation Invoke-Kerberoast - automates Kerberoasting Find-DomainObjectPropertyOutlier - finds user/group/computer objects in AD that have 'outlier' properties sets New-DomainUser - creates a new domain user New-DomainGroup - creates a new domain group Add-DomainGroupMember - adds a domain user (or group) to an existing domain group Get-NetLocalGroup - now returns local *groups* themselves Get-NetLocalGroupMember - returns local group *members* (old Get-NetLocalGroup) Renamed functions (aliases created for old functions): Get-IPAddress -> Resolve-IPAddress Convert-NameToSid -> ConvertTo-SID Convert-SidToName -> ConvertFrom-SID Request-SPNTicket -> Get-DomainSPNTicket Get-DNSZone -> Get-DomainDNSZone Get-DNSRecord -> Get-DomainDNSRecord Get-NetDomain -> Get-Domain Get-NetDomainController -> Get-DomainController Get-NetForest -> Get-Forest Get-NetForestDomain -> Get-ForestDomain Get-NetForestCatalog -> Get-ForestGlobalCatalog Get-NetUser -> Get-DomainUser Get-UserEvent -> Get-DomainUserEvent Get-NetComputer -> Get-DomainComputer Get-ADObject -> Get-DomainObject Set-ADObject -> Set-DomainObject Get-ObjectAcl -> Get-DomainObjectAcl Add-ObjectAcl -> Add-DomainObjectAcl Invoke-ACLScanner -> Find-InterestingDomainAcl Get-GUIDMap -> Get-DomainGUIDMap Get-NetOU -> Get-DomainOU Get-NetSite -> Get-DomainSite Get-NetSubnet -> Get-DomainSubnet Get-NetGroup -> Get-DomainGroup Find-ManagedSecurityGroups -> Get-DomainManagedSecurityGroup Get-NetGroupMember -> Get-DomainGroupMember Get-NetFileServer -> Get-DomainFileServer Get-DFSshare -> Get-DomainDFSShare Get-NetGPO -> Get-DomainGPO Get-NetGPOGroup -> Get-DomainGPOLocalGroup Find-GPOLocation -> Get-DomainGPOUserLocalGroupMapping Find-GPOComputerAdmin -> Get-DomainGPOComputerLocalGroupMappin Get-LoggedOnLocal -> Get-RegLoggedOn Test-AdminAccess -> Invoke-CheckLocalAdminAccess Get-SiteName -> Get-NetComputerSiteName Get-Proxy -> Get-WMIRegProxy Get-LastLoggedOn -> Get-WMIRegLastLoggedOn Get-CachedRDPConnection -> Get-WMIRegCachedRDPConnection Get-RegistryMountedDrive -> Get-WMIRegMountedDrive Get-NetProcess -> Get-WMIProcess Invoke-ThreadedFunction -> New-ThreadedFunction Invoke-UserHunter -> Find-DomainUserLocation Invoke-ProcessHunter -> Find-DomainProcess Invoke-EventHunter -> Find-DomainUserEvent Invoke-ShareFinder -> Find-DomainShare Invoke-FileFinder -> Find-InterestingDomainShareFile Invoke-EnumerateLocalAdmin -> Find-DomainLocalGroupMember Get-NetDomainTrust -> Get-DomainTrust Get-NetForestTrust -> Get-ForestTrust Find-ForeignUser -> Get-DomainForeignUser Find-ForeignGroup -> Get-DomainForeignGroupMember Invoke-MapDomainTrust -> Get-DomainTrustMapping
2016-12-01Updated Get-ExploitableSystemAntonio Quina1-3/+0
Removed *_netapi from Vista/2008 in Get-ExploitableSystem as they are not vulnerable
2016-12-01Merge pull request #187 from Meatballs1/filter_getnetfileserversHarmJ0y1-3/+3
Add disabled and present searches to get-netfileservers
2016-12-01Merge pull request #174 from Meatballs1/securitygroupsHarmJ0y1-12/+23
Retrieve Security groups by default
2016-11-01Add disabled and present searches to get-netfileserversMeatballs1-3/+3
2016-09-13Break on ticket captureNick Landers1-0/+1
2016-09-06Merge pull request #173 from joncave/user_pollingHarmJ0y1-113/+138
PowerView: Invoke-UserHunter -Poll
2016-08-25Add the EncPart param to Request-SPNTicketMatan Hart1-2/+29
Adds the ability to return the encrypted part of the ticket. This portion is the encrypted data that can be brute-forced with Kerberoast/Hashcat/JtR
2016-08-13Modify dependent functionsMeatballs1-4/+4
2016-08-13Retrieve Security groups by defaultMeatballs1-8/+19
2016-08-13Continuously collect output from background threadsJon Cave1-34/+27
The PowerShell.BeginInvoke<TInput, TOutput>(PSDataCollection<TInput>, PSDataCollection<TOutput>) method[1] is used to collect output from each job into a buffer. This can be read whilst the jobs are still running. Being able to return partial results is particularly useful for long running background threads, such as Invoke-UserHunter -Poll. PowerShell 2.0 doesn't play nicely with generic methods. The technique described in [2] is used to allow this version of BeginInvoke() to be used. [1] https://msdn.microsoft.com/en-us/library/dd182440(v=vs.85).aspx [2] http://www.leeholmes.com/blog/2007/06/19/invoking-generic-methods-on-non-generic-classes-in-powershell/
2016-08-13Add a polling mode to Invoke-UserHunterJon Cave1-79/+111
Repeatedly poll a set of target computers for user sessions. This could be a useful technique for building a much better picture of current sessions, but without having to communicate with every host. The -Poll parameter is used to specify the duration for which polling should occur. Each target computer is dedicated with a thread with -Delay and -Jitter specifying how long to sleep between each session enumeration attempt of an individual host.
2016-07-15typeHarmj0y1-1/+1
2016-07-15Fix for issue #167Harmj0y1-2/+4
2016-06-27Use correct variableJon Cave1-1/+1
2016-06-27Fix Get-GroupsXML for multiple <Group> tagsJon Cave1-6/+6
Select all <Group> nodes and iterate through them, not just the root <Groups> node.
2016-06-24Changed Get-NetGroup and Get-NetGroupMember to search for samaccountname ↵Harmj0y1-6/+6
instead of name
2016-06-24Fixed Find-LocalAdminAccess to properly check for the object output from ↵Harmj0y1-4/+4
Invoke-CheckLocalAdminAccess...whoops
2016-06-24Turned Get-GptTmpl and Get-GroupsXML into filtersHarmj0y1-113/+121
generated by cgit v1.2.3 (git 2.39.1) at 2025-05-26 02:17:54 +0000