From 7c32bf69f334b7c15c644cdb41188bdfe1a0b0e8 Mon Sep 17 00:00:00 2001 
From: HarmJ0y
Date: Mon, 12 Dec 2016 14:35:05 -0500
Subject: -Complete ground-up rewrite of PowerView

-Lots of function cleanup/code rot removal and standardization
-Additional options added to Get-DomainSearcher in order to support new param sets
-Expanded parameter validation
-XML help format standardized
-PSScriptAnalyzer fixups - passes PS script analyzer now!
-Nearly all functions should tag custom types to output objects
-Identity supported by all appropriate functions
-Transformed all filters to functions
-Expanded the formats for Convert-ADName
-Get-SPNTicket returns enc part automatically now, and Hashcat output format added
-Write-Verbose/Write-Warning/Throw messages now have the function name tagged in the message
-Verb-Domain* functions now all include a -FindOne function to return one result
-Get-DomainUserEvent now uses -XPathFilter for a massive speedup
-ALL Verb-Domain* (LDAP) functions now return full data objects (no more -FullData). Use -Properties for paring down.
-Lots of bug fixes
-"Required Dependencies" for each function completed
-Fixed logic bugs for -ComputerIdentity in Get-DomainGPO, now enumerates domain-linked GPOs as well
-Added -UserIdentity to Get-DomainGPO to enumerate GPOs applied to a given user identity

New function naming scheme with proper Verb-PrefixNoun syntax to better match the 'real' AD cmdlets:

Verbs:
    Get - retrieve full raw data sets
    Find - 'find' specific data entries in a data set or execute threaded computer enumeration
    Add - add a new object to a destination
    Set - modify a given object
    Invoke - lazy catch-all

Prefixes now give an indication of the data source:
    Verb-DomainX - LDAP/.NET AD connections (e.g. Get-DomainUser)
    Verb-WMIX - Uses WMI for connections/enumeration of a specific host (e.g. Get-WMIRegLastLoggedOn)
    Verb-NetX - API access (e.g. Get-NetSession)

Nouns have been renamed to be more descriptive

Big gotcha:
    Get-NetLocalGroup - now returns local *groups* themselves
    Get-NetLocalGroupMember - returns local group *members* (old Get-NetLocalGroup)

-Parameter sets standardized - parameters shared as appropriate across functions
    -Identity -> replaces -UserName/-GroupName/etc. Accepts samAccountName, GUID, distinguishedName, SID
        -these can be used in tandem -> Get-DomainUser "S-1-5-21-890171859-3433809279-3366196753-1108","administrator"
    -Properties -> return only the specified properties (i.e. Get-DomainUser -Properties samAccountName,lastLogon)
    -LDAPFilter replaces -Filter, -SearchBase replaces -ADSPath, -Server replaces -DomainController
    -ServerTimeLimit, -SearchScope, -Tombstone, -SecurityMasks added for most functions

All functions (as appropriate) now support -Credential:
    -Verb-Domain* (LDAP) functions use alternate creds for a DirectorySearcher through Get-DomainSearcher
    -COM methods (i.e. Convert-ADName) use appropriate initializations
    -Verb-WMI methods pass the -Credential through as appropriate
    -Verb-Net* (API) functions use Invoke-UserImpersonation/Invoke-RevertToSelf implicitly for token impersonation

Removed functions:
    Get-ComputerProperty, Get-UserProperty, Find-ComputerField, Find-UserField
    Get-NameField (translated to ValueFromPipelineByPropertyName calls)
    Invoke-DowngradeAccount - not used
    Add-NetUser - split into New-DomainUser/others
    Add-NetGroupUser - split into Add-DomainGroupMember/others
    New-GPOImmediateTask - inconsistent and better done manually
    Invoke-StealthUserHunter - combined into Find-DomainUserLocation
    Get-ExploitableSystem

Added helper functions:
    Get-PrincipalContext - helper to return a DirectoryServices.AccountManagement.PrincipalContext
    Get-ForestSchemaClass - returns the forest schema for a specified object class

Added exported functions:
    Add-RemoteConnection - 'mounts' a remote UNC path using WNetAddConnection2W
    Remove-RemoteConnection - 'unmounts' a remote UNC path using WNetCancelConnection2
    Invoke-UserImpersonation - creates a new "runas /netonly" type logon and impersonates the token in the current thread
    Invoke-RevertToSelf - reverts any token impersonation
    Invoke-Kerberoast - automates Kerberoasting
    Find-DomainObjectPropertyOutlier - finds user/group/computer objects in AD that have 'outlier' property sets
    New-DomainUser - creates a new domain user
    New-DomainGroup - creates a new domain group
    Add-DomainGroupMember - adds a domain user (or group) to an existing domain group
    Get-NetLocalGroup - now returns local *groups* themselves
    Get-NetLocalGroupMember - returns local group *members* (old Get-NetLocalGroup)

Renamed functions (aliases created for old functions):
    Get-IPAddress -> Resolve-IPAddress
    Convert-NameToSid -> ConvertTo-SID
    Convert-SidToName -> ConvertFrom-SID
    Request-SPNTicket -> Get-DomainSPNTicket
    Get-DNSZone -> Get-DomainDNSZone
    Get-DNSRecord -> Get-DomainDNSRecord
    Get-NetDomain -> Get-Domain
    Get-NetDomainController -> Get-DomainController
    Get-NetForest -> Get-Forest
    Get-NetForestDomain -> Get-ForestDomain
    Get-NetForestCatalog -> Get-ForestGlobalCatalog
    Get-NetUser -> Get-DomainUser
    Get-UserEvent -> Get-DomainUserEvent
    Get-NetComputer -> Get-DomainComputer
    Get-ADObject -> Get-DomainObject
    Set-ADObject -> Set-DomainObject
    Get-ObjectAcl -> Get-DomainObjectAcl
    Add-ObjectAcl -> Add-DomainObjectAcl
    Invoke-ACLScanner -> Find-InterestingDomainAcl
    Get-GUIDMap -> Get-DomainGUIDMap
    Get-NetOU -> Get-DomainOU
    Get-NetSite -> Get-DomainSite
    Get-NetSubnet -> Get-DomainSubnet
    Get-NetGroup -> Get-DomainGroup
    Find-ManagedSecurityGroups -> Get-DomainManagedSecurityGroup
    Get-NetGroupMember -> Get-DomainGroupMember
    Get-NetFileServer -> Get-DomainFileServer
    Get-DFSshare -> Get-DomainDFSShare
    Get-NetGPO -> Get-DomainGPO
    Get-NetGPOGroup -> Get-DomainGPOLocalGroup
    Find-GPOLocation -> Get-DomainGPOUserLocalGroupMapping
    Find-GPOComputerAdmin -> Get-DomainGPOComputerLocalGroupMapping
    Get-LoggedOnLocal -> Get-RegLoggedOn
    Test-AdminAccess -> Invoke-CheckLocalAdminAccess
    Get-SiteName -> Get-NetComputerSiteName
    Get-Proxy -> Get-WMIRegProxy
    Get-LastLoggedOn -> Get-WMIRegLastLoggedOn
    Get-CachedRDPConnection -> Get-WMIRegCachedRDPConnection
    Get-RegistryMountedDrive -> Get-WMIRegMountedDrive
    Get-NetProcess -> Get-WMIProcess
    Invoke-ThreadedFunction -> New-ThreadedFunction
    Invoke-UserHunter -> Find-DomainUserLocation
    Invoke-ProcessHunter -> Find-DomainProcess
    Invoke-EventHunter -> Find-DomainUserEvent
    Invoke-ShareFinder -> Find-DomainShare
    Invoke-FileFinder -> Find-InterestingDomainShareFile
    Invoke-EnumerateLocalAdmin -> Find-DomainLocalGroupMember
    Get-NetDomainTrust -> Get-DomainTrust
    Get-NetForestTrust -> Get-ForestTrust
    Find-ForeignUser -> Get-DomainForeignUser
    Find-ForeignGroup -> Get-DomainForeignGroupMember
    Invoke-MapDomainTrust -> Get-DomainTrustMapping
---
 Recon/Recon.psd1 | 140 +++++++++++++++++++++++++++----------------------------
 1 file changed, 70 insertions(+), 70 deletions(-)

(limited to 'Recon/Recon.psd1')

diff --git a/Recon/Recon.psd1 b/Recon/Recon.psd1
index a170218..64953b0 100644
--- a/Recon/Recon.psd1
+++ b/Recon/Recon.psd1
@@ -23,83 +23,83 @@ PowerShellVersion = '2.0' # Functions to export from this module FunctionsToExport = @( - 'Add-NetGroupUser', - 'Add-NetUser', - 'Add-ObjectAcl', - 'Convert-NameToSid', - 'Convert-SidToName', + 'Export-PowerViewCSV', + 'Resolve-IPAddress', + 'ConvertTo-SID', + 'ConvertFrom-SID', 'Convert-ADName', 'ConvertFrom-UACValue', - 'Export-PowerViewCSV', - 'Find-ComputerField', - 'Find-ForeignGroup', - 'Find-ForeignUser', - 'Find-GPOComputerAdmin', - 'Find-GPOLocation', - 'Find-InterestingFile', - 'Find-LocalAdminAccess', - 'Find-ManagedSecurityGroups', - 'Find-UserField', - 'Get-ADObject', - 'Get-CachedRDPConnection', - 'Get-ComputerDetails', - 'Get-ComputerProperty', - 'Get-DFSshare', - 'Get-DNSRecord', - 'Get-DNSZone', - 'Get-DomainPolicy', + 'Add-RemoteConnection', + 'Remove-RemoteConnection', + 'Invoke-UserImpersonation', + 'Invoke-RevertToSelf', + 'Get-DomainSPNTicket', + 'Invoke-Kerberoast', + 'Get-PathAcl', + 'Get-DomainDNSZone', + 'Get-DomainDNSRecord', + 'Get-Domain', + 'Get-DomainController', + 'Get-Forest', + 'Get-ForestDomain', + 'Get-ForestGlobalCatalog', + 'Find-DomainObjectPropertyOutlier', + 'Get-DomainUser', + 'New-DomainUser', + 'Get-DomainUserEvent', + 'Get-DomainComputer', + 'Get-DomainObject', + 'Set-DomainObject', + 'Get-DomainObjectAcl', + 'Add-DomainObjectAcl', + 'Find-InterestingDomainAcl', + 'Get-DomainOU', + 'Get-DomainSite', + 'Get-DomainSubnet', 'Get-DomainSID', - 'Get-ExploitableSystem', - 'Get-GUIDMap', - 'Get-HttpStatus', - 'Get-IPAddress', - 'Get-LastLoggedOn', - 'Get-LoggedOnLocal', - 'Get-NetComputer', - 'Get-NetDomain', - 'Get-NetDomainController', - 'Get-NetDomainTrust', - 'Get-NetFileServer', - 'Get-NetForest', - 'Get-NetForestCatalog', - 'Get-NetForestDomain', - 'Get-NetForestTrust', - 'Get-NetGPO', - 'Get-NetGPOGroup', - 'Get-NetGroup', - 'Get-NetGroupMember', + 'Get-DomainGroup', + 'New-DomainGroup', + 'Get-DomainManagedSecurityGroup', + 'Get-DomainGroupMember', + 'Add-DomainGroupMember', + 'Get-DomainFileServer', 
+ 'Get-DomainDFSShare', + 'Get-DomainGPO', + 'Get-DomainGPOLocalGroup', + 'Get-DomainGPOUserLocalGroupMapping', + 'Get-DomainGPOComputerLocalGroupMapping', + 'Get-DomainPolicy', 'Get-NetLocalGroup', + 'Get-NetLocalGroupMember', + 'Get-NetShare', 'Get-NetLoggedon', - 'Get-NetOU', - 'Get-NetProcess', - 'Get-NetRDPSession', 'Get-NetSession', - 'Get-NetShare', - 'Get-NetSite', - 'Get-NetSubnet', - 'Get-NetUser', - 'Get-ObjectAcl', - 'Get-PathAcl', - 'Get-Proxy', - 'Get-RegistryMountedDrive', - 'Get-SiteName', - 'Get-UserEvent', - 'Get-UserProperty', - 'Invoke-ACLScanner', - 'Invoke-CheckLocalAdminAccess', - 'Invoke-DowngradeAccount', - 'Invoke-EnumerateLocalAdmin', - 'Invoke-EventHunter', - 'Invoke-FileFinder', - 'Invoke-MapDomainTrust', + 'Get-RegLoggedOn', + 'Get-NetRDPSession', + 'Test-AdminAccess', + 'Get-NetComputerSiteName', + 'Get-WMIRegProxy', + 'Get-WMIRegLastLoggedOn', + 'Get-WMIRegCachedRDPConnection', + 'Get-WMIRegMountedDrive', + 'Get-WMIProcess', + 'Find-InterestingFile', + 'Find-DomainUserLocation', + 'Find-DomainProcess', + 'Find-DomainUserEvent', + 'Find-DomainShare', + 'Find-InterestingDomainShareFile', + 'Find-LocalAdminAccess', + 'Get-DomainLocalGroupMember', + 'Get-DomainTrust', + 'Get-ForestTrust', + 'Get-DomainForeignUser', + 'Get-DomainForeignGroupMember', + 'Get-DomainTrustMapping', + 'Get-ComputerDetails', + 'Get-HttpStatus', 'Invoke-Portscan', - 'Invoke-ProcessHunter', - 'Invoke-ReverseDnsLookup', - 'Invoke-ShareFinder', - 'Invoke-UserHunter', - 'New-GPOImmediateTask', - 'Request-SPNTicket', - 'Set-ADObject' + 'Invoke-ReverseDnsLookup' ) # List of all files packaged with this module -- cgit v1.2.3
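Review bot: the exported names in this FunctionsToExport hunk disagree with the rename table in the commit message in three places, and the manifest is what callers will actually hit, so one side needs fixing. (1) The list removes 'Invoke-CheckLocalAdminAccess' and adds 'Test-AdminAccess', but the message says "Test-AdminAccess -> Invoke-CheckLocalAdminAccess"; since the old entry was Invoke-CheckLocalAdminAccess, the arrow in the message is backwards. (2) The list adds 'Get-DomainLocalGroupMember', while the message says "Invoke-EnumerateLocalAdmin -> Find-DomainLocalGroupMember"; by the naming scheme in the same message (Find- for threaded computer enumeration) Find- looks like the intended name, so check which one the function file defines and align the other. (3) 'Get-GUIDMap' is removed and the promised 'Get-DomainGUIDMap' is never added, so the renamed function is no longer exported; if it is now internal, say so in the message. Separately, the message says aliases were created for all old names, but no AliasesToExport change is in this diff; unless that key is '*', Import-Module will not expose the aliases and every script calling Get-NetUser, Invoke-UserHunter and friends breaks, so either list them there or call out the breaking change. Style: entries such as 'Export-PowerViewCSV', 'Get-DomainPolicy', 'Get-NetShare', 'Get-PathAcl', 'Get-NetRDPSession', 'Find-InterestingFile', 'Find-LocalAdminAccess', 'Get-ComputerDetails' and 'Get-HttpStatus' are only removed and re-added in a new position, which buries the real export changes inside the 70/70 diffstat; leaving unchanged entries where they were would make the hunk reviewable at a glance.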
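The -Identity behaviour described in the commit message above (one parameter accepting samAccountName, GUID, distinguishedName or SID values, several at once, e.g. `Get-DomainUser "S-1-5-21-...-1108","administrator"`) as an added PowerShell example. This is illustrative code written for this page, not PowerView's own implementation: the function names New-IdentityFilter and ConvertTo-LdapFilterValue, the sample DN and OU are made up here, and the exact way PowerView classifies identities may differ. It shows how such values can be recognised and combined into a single LDAP filter, with RFC 4515 escaping so an attacker-supplied identity string cannot change the filter's structure.

```powershell
function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping of a filter assertion value. Without this, an identity
    # such as 'admin*' or 'x)(objectClass=*' rewrites the query structure
    # (the LDAP analogue of SQL injection). Backslash must be handled first.
    param([Parameter(Mandatory)][string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function New-IdentityFilter {
    # Hypothetical helper (not PowerView's): turn one or more identities of
    # mixed form into an LDAP filter plus, when a DN was given, a search base.
    param(
        [Parameter(Mandatory)][string[]]$Identity,
        # Object-class restriction the identity clause is AND-ed with; the
        # default is the samAccountType value for normal user accounts.
        [string]$ObjectFilter = '(samAccountType=805306368)'
    )
    $Clauses    = @()
    $SearchBase = $null

    foreach ($Id in $Identity) {
        $Id = $Id.Trim()
        if ($Id -match '^S-1-\d+(-\d+)+$') {
            # AD accepts the SDDL string form of a SID directly in a filter.
            $Clauses += "(objectsid=$(ConvertTo-LdapFilterValue $Id))"
        }
        elseif ($Id -match '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$') {
            # objectGUID is stored as 16 raw bytes, so the filter value has to
            # be the byte string in \xx escaped form, not the textual GUID.
            $Escaped = (([guid]$Id).ToByteArray() | ForEach-Object { '\' + $_.ToString('x2') }) -join ''
            $Clauses += "(objectguid=$Escaped)"
        }
        elseif ($Id -match '^(CN|OU)=') {
            $Clauses += "(distinguishedname=$(ConvertTo-LdapFilterValue $Id))"
            # A DN also says which naming context to search: keep its DC= parts.
            # Naive split; RDNs containing escaped commas are not handled here.
            $Dc = ($Id -split ',' | Where-Object { $_ -match '^DC=' }) -join ','
            if ($Dc) { $SearchBase = $Dc }
        }
        else {
            $Clauses += "(samaccountname=$(ConvertTo-LdapFilterValue $Id))"
        }
    }

    # Several identities "in tandem" become one OR clause.
    $IdClause = if ($Clauses.Count -eq 1) { $Clauses[0] } else { "(|$($Clauses -join ''))" }

    [pscustomobject]@{
        Filter     = "(&$ObjectFilter$IdClause)"
        SearchBase = $SearchBase
    }
}

# Constructed input mixing three identity forms. The SID is the one quoted in
# the commit message; the DN (with parentheses that need escaping) is made up.
New-IdentityFilter -Identity 'S-1-5-21-890171859-3433809279-3366196753-1108',
                             'administrator',
                             'CN=Svc (SQL),OU=Service Accounts,DC=corp,DC=local' | Format-List
```

The resulting Filter string is what a DirectorySearcher would be given; the escaped `\28SQL\29` in the DN clause is the part most hand-rolled PowerShell omits. If identities from more than one domain are passed as DNs, the last DN wins the SearchBase here; a real implementation should group identities by naming context and run one search per domain.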
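The mechanism behind the Invoke-UserImpersonation / Invoke-RevertToSelf pair that the commit message says the Verb-Net* functions now use for -Credential (a "runas /netonly" style logon whose token is impersonated on the current thread), as an added PowerShell example. This is not PowerView's code: the Start-NetOnlyImpersonation and Stop-NetOnlyImpersonation names, the Example.NetOnlyLogon type and the placeholder credentials are assumptions made for this illustration. The Win32 calls themselves (LogonUser with LOGON32_LOGON_NEW_CREDENTIALS, ImpersonateLoggedOnUser, RevertToSelf) are the documented way to get this behaviour.

```powershell
# P/Invoke declarations for the three calls that implement a netonly logon.
$Signature = @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string user, string domain, string password,
                                    int logonType, int logonProvider, out IntPtr token);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool ImpersonateLoggedOnUser(IntPtr token);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool RevertToSelf();

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
'@
$Native = Add-Type -MemberDefinition $Signature -Name 'NetOnlyLogon' -Namespace 'Example' -PassThru

function Start-NetOnlyImpersonation {
    # Hypothetical helper: create a NEW_CREDENTIALS logon and impersonate it on
    # the calling thread. Returns the token handle so the caller can clean up.
    param([Parameter(Mandatory)][pscredential]$Credential)

    $User = $Credential.UserName; $Domain = $null
    if ($User -like '*\*') { $Domain, $User = $User -split '\\', 2 }   # 'DOMAIN\user'

    $LOGON32_LOGON_NEW_CREDENTIALS = 9   # netonly: local identity kept, network creds replaced
    $LOGON32_PROVIDER_WINNT50      = 3   # the only provider that honours logon type 9

    $Token = [IntPtr]::Zero
    $Ok = $Native::LogonUser($User, $Domain, $Credential.GetNetworkCredential().Password,
                             $LOGON32_LOGON_NEW_CREDENTIALS, $LOGON32_PROVIDER_WINNT50, [ref]$Token)
    if (-not $Ok) {
        $Err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "LogonUser failed: $(([ComponentModel.Win32Exception]$Err).Message)"
    }
    if (-not $Native::ImpersonateLoggedOnUser($Token)) {
        $Err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        [void]$Native::CloseHandle($Token)
        throw "ImpersonateLoggedOnUser failed: $(([ComponentModel.Win32Exception]$Err).Message)"
    }
    $Token
}

function Stop-NetOnlyImpersonation {
    # Drop the thread's impersonation token and close the logon handle.
    param([Parameter(Mandatory)][IntPtr]$Token)
    if (-not $Native::RevertToSelf()) { throw 'RevertToSelf failed' }
    [void]$Native::CloseHandle($Token)
}

# Constructed placeholder credentials. A NEW_CREDENTIALS logon is NOT validated
# against the domain, so LogonUser succeeds even offline or with a wrong
# password; the first network access made under the token is where a bad
# password actually fails.
$Password = ConvertTo-SecureString 'Placeholder-Pass-123' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('CORP\svc-account', $Password)

$Token = Start-NetOnlyImpersonation -Credential $Cred
try {
    $Me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # The local identity is unchanged (that is what "netonly" means); only the
    # impersonation level reveals that the thread is now carrying a token.
    'Running as {0} (impersonation level: {1})' -f $Me.Name, $Me.ImpersonationLevel
    # Anything that talks to the network from this thread (NetSessionEnum, a
    # DirectorySearcher, \\server\share) now authenticates as CORP\svc-account.
}
finally {
    # Always revert: a leaked impersonation token silently changes the
    # credentials every later command on this thread uses.
    Stop-NetOnlyImpersonation -Token $Token
}
```

Two practical notes. Impersonation is per thread, so code that fans work out to runspaces or a thread pool does not inherit the token and has to re-impersonate in each worker (which is why an API-based enumeration library has to plumb -Credential through its threading helper). On the defensive side, this logon shows up locally as a Security event 4624 with logon type 9 (NewCredentials); a burst of type-9 logons from a PowerShell host is a reasonable hunting signal for this kind of tooling.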