-Added "-GroupProperty [Security/Distribution/CreatedBySystem]" to Get-DomainGroup
-added parsing of the 'accountexpires' property into human readable format
-added parsing of the 'grouptype' property into human readable format
-added parsing of the 'samaccounttype' property into a readable format
Get-GPODelegation
Modified Get-IniContent and Get-GptTmpl to accept '-OutputObject' to output a PSObject instead of a hashtable
Fixed null access control entry in results.
Hi,
I know you guys mentioned this before, but I've not this implemented.
I wrote Get-GPODelegation that finds users with write permissions on Group Policy objects, for a potential privilege escalation path.
As requested, moved into dev branch.
bug fix for nested OUs with similar starting names.
Added ConvertFrom-LDAPLogonHours and New-ADObjectAccessControlEntry
function to accept any policy.
Fix for impersonation in Get-NetLocalGroup*
Support for DNs containing commas
The DFS subfunctions only accept a single $Domain
Changed the LDAP SecurityMasks settings so that you can change the Owner/DACL if you only have WriteOwner/WriteDacl permissions on the object (Default SecurityMasks is "Owner, Group, Dacl")
If an object's distinguished name contains a comma then it ends up quoted:
CN=Smith\, John,OU=Admins,DC=example,DC=com
This breaks a number of functions which attempt to identify DOMAIN\name
by matching on a \ anywhere in the specified identity before checking if
the identity was a DN (or SID or GUID).
For example, attempting to list members of "Domain Admins" using
Get-DomainGroupMember gives the following:
VERBOSE: [Convert-ADName] Error initializing translation for 'CN=Smith\, John,OU=Admins,DC=example,DC=com' : Exception calling "InvokeMember" with "5" argument(s): "The specified domain either does not exist or could not be contacted. (Exception from HRESULT: 0x8007054B)"
VERBOSE: [Convert-ADName] Error translating 'CN=Smith\, John,OU=Admins,DC=example,DC=com' : The specified domain either does not exist or could not be contacted. (Exception from HRESULT: 0x8007054B)
VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (objectClass=*)
The fix implemented here is to perform more specific pattern matching
prior to falling back to looking for a \. The order is SID, DN, GUID,
qualified name (DOMAIN\name), and then plain name.
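The classification order described in this commit (SID, DN, GUID, qualified DOMAIN\name, then plain name) can be illustrated with a small stand-alone function. This is an added example written for this page, not PowerView's own code: the function name Get-IdentityKind, the regular expressions and the sample identities (apart from the SID and DN already quoted on this page) are assumptions constructed for illustration. The point it shows is that checking for a DN before looking for a backslash keeps an escaped comma such as "Smith\, John" from being mistaken for a DOMAIN\name separator.

```powershell
# Added example (not PowerView's own code): classify an AD identity string in the
# order the commit describes: SID, DN, GUID, DOMAIN\name, then plain name.
# The regular expressions are deliberately simple and are assumptions for illustration.
function Get-IdentityKind {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$Identity
    )
    process {
        $Id = $Identity.Trim()

        # 1. SID: S-1-<authority>-<subauthorities>
        if ($Id -match '^S-1-\d+(-\d+)+$') {
            return 'SID'
        }
        # 2. DN: begins with an RDN such as CN=, OU= or DC=. A comma inside a value
        #    is escaped as "\," so the backslash must NOT be treated as a name separator.
        if ($Id -match '^(CN|OU|DC)=') {
            return 'DN'
        }
        # 3. GUID in 8-4-4-4-12 form
        if ($Id -match '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$') {
            return 'GUID'
        }
        # 4. Only now does a single backslash mean DOMAIN\name
        if ($Id -match '^[^\\]+\\[^\\]+$') {
            return 'QualifiedName'
        }
        # 5. Anything else is a plain samAccountName-style name
        return 'PlainName'
    }
}

# Constructed sample identities (the GUID and names are made up for this example)
$Samples = @(
    'S-1-5-21-890171859-3433809279-3366196753-1108',
    'CN=Smith\, John,OU=Admins,DC=example,DC=com',
    '0c1a9f2e-1b2c-4d3e-8f90-123456789abc',
    'EXAMPLE\jsmith',
    'jsmith'
)
$Samples | ForEach-Object { '{0,-48} {1}' -f $_, (Get-IdentityKind -Identity $_) }
```

With the DN check placed before the backslash check, the quoted DN is reported as a DN; moving the QualifiedName test above it would return QualifiedName for the same string, which is the misclassification the commit fixes.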
Specifying the type as an array of strings results in an error when
passing on the parameter to Get-DomainSearcher:
C:\> Get-DomainDFSShare -Domain test
Get-DomainSearcher : Cannot process argument transformation on parameter 'Domain'. Cannot convert value to type System.String.
At PowerView.ps1:10242 char:46
Removed unnecessary warning about the 'WinNT' method
Fixed Get-NetLocalGroup* to use impersonation - netapi32 functions weren't working.
Fixed KerberosPreauthNotRequired
instead of a string
hash output.
Added a bit more error handling when requesting the SPN kerberos ticket.
Pull the SID directly from the 'krbtgt' user to avoid errors in ConvertTo-SID
Added -TrustedToAuth to Get-DomainUser
-Domain bug fix in Find-DomainUserLocation stealth
-(More) PSScriptAnalyzering
-Tweaking of synopsis blocks in order to support platyPS
-Code standardization
-Generated docs
-More error handling
Modified Convert-LDAPProperty to break out sections of ntsecuritydescriptor
Reformatted documentation.
-Lots of function cleanup/code rot removal and standardization
-Additional options added to Get-DomainSearcher in order to support new param sets
-Expanded parameter validation
-XML help format standardized
-PSScriptAnalyzer fixups - passes PS script analyzer now!
-Nearly all functions should tag custom types to output objects
-Identity supported by all appropriate functions
-Transformed all filters to functions
-Expanded the formats for Convert-ADName
-Get-SPNTicket returns enc part automatically now, and Hashcat output format added
-Write-Verbose/Write-Warning/Throw messages now have the function name tagged in the message
-Verb-Domain* functions now all include a -FindOne function to return one result
-Get-DomainUserEvent now uses -XPathFilter for a massive speedup
-ALL Verb-Domain* (LDAP) functions now return full data objects (no more -FullData). Use -Properties for paring down.
-Lots of bug fixes
-"Required Dependencies" for each function completed
-Fixed logic bugs for -ComputerIdentity in Get-DomainGPO, now enumerates domain-linked GPOs as well
-Added -UserIdentity to Get-DomainGPO to enumerate GPOs applied to a given user identity
New function naming scheme with proper Verb-PrefixNoun syntax to better match the 'real' AD cmdlets:
Verbs:
Get - retrieve full raw data sets
Find - 'find' specific data entries in a data set or execute threaded computer enumeration
Add - add a new object to a destination
Set - modify a given object
Invoke - lazy catch-all
Prefixes now give an indication of the data source:
Verb-DomainX - LDAP/.NET AD connections (e.g. Get-DomainUser)
Verb-WMIX - Uses WMI for connections/enumeration of a specific host (e.g. Get-WMIRegLastLoggedOn)
Verb-NetX - API access (e.g. Get-NetSession)
Nouns have been renamed to be more descriptive
Big gotcha:
Get-NetLocalGroup - now returns local *groups* themselves
Get-NetLocalGroupMember - returns local group *members* (old Get-NetLocalGroup)
-Parameter sets standardized - parameters shared as appropriate across functions
-Identity -> replaces -UserName/-GroupName/etc. Accepts samAccountName, GUID, distinguishedName, SID
-these can be used in tandem -> Get-DomainUser "S-1-5-21-890171859-3433809279-3366196753-1108","administrator"
-Properties -> return only the specified properties (i.e. Get-DomainUser -Properties samAccountName,lastLogon)
-LDAPFilter replaces -Filter, -SearchBase replaces -ADSPath, -Server replaces -DomainController
-ServerTimeLimit, -SearchScope, -Tombstone, -SecurityMasks added for most functions
All functions (as appropriate) now support -Credential:
-Verb-Domain* (LDAP) functions use alternate creds for a DirectorySearcher through Get-DomainSearcher
-COM methods (i.e. Convert-ADName) use appropriate initializations
-Verb-WMI methods pass the -Credential through as appropriate
-Verb-Net* (API) functions use Invoke-UserImpersonation/Invoke-RevertToSelf implicitly for token impersonation
Removed functions:
Get-ComputerProperty, Get-UserProperty, Find-ComputerField, Find-UserField
Get-NameField (translated to ValueFromPipelineByPropertyName calls)
Invoke-DowngradeAccount - not used
Add-NetUser - split into New-DomainUser/others
Add-NetGroupUser - split into Add-DomainGroupMember/others
New-GPOImmediateTask - inconsistent and better done manually
Invoke-StealthUserHunter - combined into Find-DomainUserLocation
Get-ExploitableSystem
Added helper functions:
Get-PrincipalContext - helper to return a DirectoryServices.AccountManagement.PrincipalContext
Get-ForestSchemaClass - returns the forest schema for a specified object class
Added exported functions:
Add-RemoteConnection - 'mounts' a remote UNC path using WNetAddConnection2W
Remove-RemoteConnection - 'unmounts' a remote UNC path using WNetCancelConnection2
Invoke-UserImpersonation - creates a new "runas /netonly" type logon and impersonates the token in the current thread
Invoke-RevertToSelf - reverts any token impersonation
Invoke-Kerberoast - automates Kerberoasting
Find-DomainObjectPropertyOutlier - finds user/group/computer objects in AD that have 'outlier' properties sets
New-DomainUser - creates a new domain user
New-DomainGroup - creates a new domain group
Add-DomainGroupMember - adds a domain user (or group) to an existing domain group
Get-NetLocalGroup - now returns local *groups* themselves
Get-NetLocalGroupMember - returns local group *members* (old Get-NetLocalGroup)
Renamed functions (aliases created for old functions):
Get-IPAddress -> Resolve-IPAddress
Convert-NameToSid -> ConvertTo-SID
Convert-SidToName -> ConvertFrom-SID
Request-SPNTicket -> Get-DomainSPNTicket
Get-DNSZone -> Get-DomainDNSZone
Get-DNSRecord -> Get-DomainDNSRecord
Get-NetDomain -> Get-Domain
Get-NetDomainController -> Get-DomainController
Get-NetForest -> Get-Forest
Get-NetForestDomain -> Get-ForestDomain
Get-NetForestCatalog -> Get-ForestGlobalCatalog
Get-NetUser -> Get-DomainUser
Get-UserEvent -> Get-DomainUserEvent
Get-NetComputer -> Get-DomainComputer
Get-ADObject -> Get-DomainObject
Set-ADObject -> Set-DomainObject
Get-ObjectAcl -> Get-DomainObjectAcl
Add-ObjectAcl -> Add-DomainObjectAcl
Invoke-ACLScanner -> Find-InterestingDomainAcl
Get-GUIDMap -> Get-DomainGUIDMap
Get-NetOU -> Get-DomainOU
Get-NetSite -> Get-DomainSite
Get-NetSubnet -> Get-DomainSubnet
Get-NetGroup -> Get-DomainGroup
Find-ManagedSecurityGroups -> Get-DomainManagedSecurityGroup
Get-NetGroupMember -> Get-DomainGroupMember
Get-NetFileServer -> Get-DomainFileServer
Get-DFSshare -> Get-DomainDFSShare
Get-NetGPO -> Get-DomainGPO
Get-NetGPOGroup -> Get-DomainGPOLocalGroup
Find-GPOLocation -> Get-DomainGPOUserLocalGroupMapping
Find-GPOComputerAdmin -> Get-DomainGPOComputerLocalGroupMapping
Get-LoggedOnLocal -> Get-RegLoggedOn
Test-AdminAccess -> Invoke-CheckLocalAdminAccess
Get-SiteName -> Get-NetComputerSiteName
Get-Proxy -> Get-WMIRegProxy
Get-LastLoggedOn -> Get-WMIRegLastLoggedOn
Get-CachedRDPConnection -> Get-WMIRegCachedRDPConnection
Get-RegistryMountedDrive -> Get-WMIRegMountedDrive
Get-NetProcess -> Get-WMIProcess
Invoke-ThreadedFunction -> New-ThreadedFunction
Invoke-UserHunter -> Find-DomainUserLocation
Invoke-ProcessHunter -> Find-DomainProcess
Invoke-EventHunter -> Find-DomainUserEvent
Invoke-ShareFinder -> Find-DomainShare
Invoke-FileFinder -> Find-InterestingDomainShareFile
Invoke-EnumerateLocalAdmin -> Find-DomainLocalGroupMember
Get-NetDomainTrust -> Get-DomainTrust
Get-NetForestTrust -> Get-ForestTrust
Find-ForeignUser -> Get-DomainForeignUser
Find-ForeignGroup -> Get-DomainForeignGroupMember
Invoke-MapDomainTrust -> Get-DomainTrustMapping
Removed *_netapi from Vista/2008 in Get-ExploitableSystem as they are not vulnerable
Add disabled and present searches to get-netfileservers
Retrieve Security groups by default