From 26cef85d358a2ac2acc44c1a199ac35b0e1bc17d Mon Sep 17 00:00:00 2001 From: Harmj0y Date: Tue, 3 May 2016 22:52:36 -0400 Subject: Added Get-RegistryMountedDrive --- Recon/PowerView.ps1 | 126 +++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 120 insertions(+), 6 deletions(-) (limited to 'Recon') diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1 index 689a28f..0cc4739 100644 --- a/Recon/PowerView.ps1 +++ b/Recon/PowerView.ps1 @@ -1938,7 +1938,7 @@ filter Get-DNSZone { ) # $DNSSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -PageSize $PageSize -Credential $Credential -ADSprefix "CN=MicrosoftDNS,DC=DomainDnsZones" - $DNSSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -PageSize $PageSize -Credential $Credential -ADSprefix "DC=DomainDnsZones" + $DNSSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -PageSize $PageSize -Credential $Credential $DNSSearcher.filter="(objectClass=dnsZone)" if($DNSSearcher) { 
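Review bot: The surviving Get-DomainSearcher call now passes no -ADSprefix while the commented-out call directly above it still records `CN=MicrosoftDNS,DC=DomainDnsZones`, so a reader cannot tell which naming context the `(objectClass=dnsZone)` search is now meant to cover or why the `DC=DomainDnsZones` prefix was dropped. Replacing the stale commented-out line with a one-line why-comment naming the intended search base (the domain root, as far as the hunk shows) would make the change look deliberate rather than accidental. Get-DNSZone's parameter block and body both continue outside the hunk.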
@@ -8594,6 +8594,117 @@ filter Get-CachedRDPConnection { } +filter Get-RegistryMountedDrive { +<# + .SYNOPSIS + + Uses remote registry functionality to query all entries for the + the saved network mounted drive on a machine, separated by + user and target server. + + Note: This function requires administrative rights on the + machine you're enumerating. + + .PARAMETER ComputerName + + The hostname to query for RDP client information. + Defaults to localhost. + + .PARAMETER Credential + + A [Management.Automation.PSCredential] object for the remote connection. + + .EXAMPLE + + PS C:\> Get-RegistryMountedDrive + + Returns the saved network mounted drives for the local machine. + + .EXAMPLE + + PS C:\> Get-RegistryMountedDrive -ComputerName WINDOWS2.testlab.local + + Returns the saved network mounted drives for the WINDOWS2.testlab.local machine + + .EXAMPLE + + PS C:\> Get-RegistryMountedDrive -ComputerName WINDOWS2.testlab.local -Credential $Cred + + Returns the saved network mounted drives for the WINDOWS2.testlab.local machine using alternate credentials. + + .EXAMPLE + + PS C:\> Get-NetComputer | Get-RegistryMountedDrive + + Get the saved network mounted drives for all machines in the domain. 
+#> + + [CmdletBinding()] + param( + [Parameter(ValueFromPipeline=$True)] + [Alias('HostName')] + [Object[]] + [ValidateNotNullOrEmpty()] + $ComputerName = 'localhost', + + [Management.Automation.PSCredential] + $Credential + ) + + # extract the computer name from whatever object was passed on the pipeline + $Computer = $ComputerName | Get-NameField + + # HKEY_USERS + $HKU = 2147483651 + + try { + if($Credential) { + $Reg = Get-WmiObject -List 'StdRegProv' -Namespace root\default -Computername $Computer -Credential $Credential -ErrorAction SilentlyContinue + } + else { + $Reg = Get-WmiObject -List 'StdRegProv' -Namespace root\default -Computername $Computer -ErrorAction SilentlyContinue + } + + # extract out the SIDs of domain users in this hive + $UserSIDs = ($Reg.EnumKey($HKU, "")).sNames | ? { $_ -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' } + + foreach ($UserSID in $UserSIDs) { + + try { + $UserName = Convert-SidToName $UserSID + + $DriveLetters = ($Reg.EnumKey($HKU, "$UserSID\Network")).sNames + + ForEach($DriveLetter in $DriveLetters) { + $ProviderName = $Reg.GetStringValue($HKU, "$UserSID\Network\$DriveLetter", 'ProviderName').sValue + $RemotePath = $Reg.GetStringValue($HKU, "$UserSID\Network\$DriveLetter", 'RemotePath').sValue + $DriveUserName = $Reg.GetStringValue($HKU, "$UserSID\Network\$DriveLetter", 'UserName').sValue + if(-not $UserName) { $UserName = '' } + + if($RemotePath -and ($RemotePath -ne '')) { + $MountedDrive = New-Object PSObject + $MountedDrive | Add-Member Noteproperty 'ComputerName' $Computer + $MountedDrive | Add-Member Noteproperty 'UserName' $UserName + $MountedDrive | Add-Member Noteproperty 'UserSID' $UserSID + $MountedDrive | Add-Member Noteproperty 'DriveLetter' $DriveLetter + $MountedDrive | Add-Member Noteproperty 'ProviderName' $ProviderName + $MountedDrive | Add-Member Noteproperty 'RemotePath' $RemotePath + $MountedDrive | Add-Member Noteproperty 'DriveUserName' $DriveUserName + $MountedDrive + } + } + } + catch { + 
Write-Debug "Error: $_" + } + } + } + catch { + Write-Warning "Error accessing $Computer, likely insufficient permissions or firewall rules on host: $_" + } +} + + filter Get-NetProcess { <# .SYNOPSIS @@ -10205,7 +10316,7 @@ function Invoke-EventHunter { [String] $TargetServer, - [String] + [String[]] $UserName, [String] @@ -10313,8 +10424,11 @@ function Invoke-EventHunter { } # if we get a specific username, only use that elseif($UserName) { - Write-Verbose "[*] Using target user '$UserName'..." - $TargetUsers = @( $UserName.ToLower() ) + # Write-Verbose "[*] Using target user '$UserName'..." + $TargetUsers = $UserName | ForEach-Object {$_.ToLower()} + if($TargetUsers -isnot [system.array]) { + $TargetUsers = @($TargetUsers) + } } # read in a target user list if we have one elseif($UserFile) { @@ -10353,13 +10467,13 @@ function Invoke-EventHunter { if($Up) { # try to enumerate if($Credential) { - Get-UserEvent -ComputerName $ComputerName -EventType 'all' -DateStart ([DateTime]::Today.AddDays(-$SearchDays)) | Where-Object { + Get-UserEvent -ComputerName $ComputerName -Credential $Credential -EventType 'all' -DateStart ([DateTime]::Today.AddDays(-$SearchDays)) | Where-Object { # filter for the target user set $TargetUsers -contains $_.UserName } } else { - Get-UserEvent -ComputerName $ComputerName -Credential $Credential -EventType 'all' -DateStart ([DateTime]::Today.AddDays(-$SearchDays)) | Where-Object { + Get-UserEvent -ComputerName $ComputerName -EventType 'all' -DateStart ([DateTime]::Today.AddDays(-$SearchDays)) | Where-Object { # filter for the target user set $TargetUsers -contains $_.UserName } -- cgit v1.2.3
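Review bot: The `.PARAMETER ComputerName` help text in the new Get-RegistryMountedDrive is copied from the RDP function ("The hostname to query for RDP client information.") and the `.SYNOPSIS` reads "for the the saved"; suggested wording is `The hostname to query for saved network mounted drive information. Defaults to localhost.` and `query all entries for the saved network mounted drives on a machine`. `$Reg` is never checked after the `-ErrorAction SilentlyContinue` Get-WmiObject call, so a failed WMI connection only surfaces as a method-on-null exception in the outer catch, which buries the real cause in the warning text; a guard such as `if(-not $Reg) { Write-Warning "Could not reach StdRegProv on $Computer"; return }` before the EnumKey call would report it directly. The `if(-not $UserName) { $UserName = '' }` default sits inside the per-drive-letter loop although it depends only on the SID, so it belongs immediately after the Convert-SidToName call.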
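Review bot: In the `elseif($UserName)` branch of Invoke-EventHunter the `-isnot [system.array]` check re-implements what the array subexpression already guarantees; `$TargetUsers = @($UserName | ForEach-Object { $_.ToLower() })` yields an array for one or many names and drops the three extra lines. The Write-Verbose line was commented out rather than adapted to the new multi-user form; `Write-Verbose "[*] Using target users '$($UserName -join ', ')'..."` keeps the progress message. The companion hunk at @@ -10205 widens the parameter to `[String[]]`, so the `.PARAMETER UserName` help text, which lies outside these hunks, presumably still describes a single user and should be checked. Invoke-EventHunter starts and ends outside the hunks.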
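Review bot: After this fix the two Get-UserEvent pipelines in the `if($Up)` block differ only in whether `-Credential $Credential` is passed, and that duplication is exactly how the swapped branches this commit corrects came about; building the argument set once and splatting it removes the second copy so the branches cannot drift apart again. Get-UserEvent is called with these same parameters on both branches, so the splat below assumes no other difference between them. The enclosing Invoke-EventHunter scriptblock starts before and ends after the hunk.
```powershell
if($Up) {
    # try to enumerate; add the credential only when one was supplied
    $UserEventParams = @{
        'ComputerName' = $ComputerName
        'EventType'    = 'all'
        'DateStart'    = [DateTime]::Today.AddDays(-$SearchDays)
    }
    if($Credential) { $UserEventParams['Credential'] = $Credential }
    Get-UserEvent @UserEventParams | Where-Object {
        # filter for the target user set
        $TargetUsers -contains $_.UserName
    }
    # … unchanged: remainder of the $Up block …
```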