From 3f7a32d6237caa037b870aaa941a35e3761bf13c Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Sun, 8 Jan 2017 22:28:51 -0500 Subject: Get-DomainSPNTicket/Invoke-Kerberoast now include 'real' user data in the hash output. Added a bit more error handling when requesting the SPN kerberos ticket. --- Recon/PowerView.ps1 | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) (limited to 'Recon') diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1 index 5598dbe..5e08807 100755 --- a/Recon/PowerView.ps1 +++ b/Recon/PowerView.ps1 @@ -2305,7 +2305,12 @@ Outputs a custom object containing the SamAccountName, ServicePrincipalName, and $UserSPN = $UserSPN[0] } - $Ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $UserSPN + try { + $Ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $UserSPN + } + catch { + Write-Warning "[Get-DomainSPNTicket] Error requesting ticket for SPN '$UserSPN' from user '$DistinguishedName'" + } if ($Ticket) { $TicketByteStream = $Ticket.GetRequest() } 
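Review bot: A failed constructor leaves `$Ticket` holding whatever the previous iteration produced, so the `if ($Ticket)` that follows still runs and the previous SPN's ticket is re-emitted under the current object's name; the new `catch` only warns and never clears the variable. Reset it before the request, `$Ticket = $Null` immediately ahead of the `try`, or assign it in the `catch`. This assumes the block runs once per object inside a loop whose start is outside the hunk; the enclosing Get-DomainSPNTicket body also continues past it.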
@@ -2322,11 +2327,13 @@ Outputs a custom object containing the SamAccountName, ServicePrincipalName, and $Out | Add-Member Noteproperty 'ServicePrincipalName' $Ticket.ServicePrincipalName if ($OutputFormat -match 'John') { - $HashFormat = "`$krb5tgs`$unknown:$Hash" + $HashFormat = "`$krb5tgs`$$($Ticket.ServicePrincipalName):$Hash" } else { + $UserDomain = $DistinguishedName.SubString($DistinguishedName.IndexOf('DC=')) -replace 'DC=','' -replace ',','.' + # hashcat output format - $HashFormat = '$krb5tgs$23$*ID#124_DISTINGUISHED NAME: CN=fakesvc,OU=Service,OU=Accounts,OU=EnterpriseObjects,DC=asdsa,DC=pf,DC=fakedomain,DC=com SPN: E0518235-4B06-11D1-AB04-00C04FDS3CD2-BADM/aksjdb.asdsa.pf.fakedomain.com:50000 *' + $Hash + $HashFormat = "`$krb5tgs`$23`$*$SamAccountName`$$UserDomain`$$($Ticket.ServicePrincipalName)*`$$Hash" } $Out | Add-Member Noteproperty 'Hash' $HashFormat $Out.PSObject.TypeNames.Insert(0, 'PowerView.SPNTicket') @@ -2413,15 +2420,22 @@ for connection to the target domain. Invoke-Kerberoast | fl +Kerberoasts all found SPNs for the current domain. + .EXAMPLE -Invoke-Kerberoast -Domain dev.testlab.local | fl +Invoke-Kerberoast -Domain dev.testlab.local -OutputFormat HashCat | fl + +Kerberoasts all found SPNs for the testlab.local domain, outputting to HashCat +format instead of John (the default). .EXAMPLE $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -orce $Cred = New-Object System.Management.Automation.PSCredential('TESTLB\dfm.a', $SecPassword) -Invoke-Kerberoast -Credential $Cred -Verbose | fl +Invoke-Kerberoast -Credential $Cred -Verbose -Domain testlab.local | fl + +Kerberoasts all found SPNs for the testlab.local domain using alternate credentials. .OUTPUTS -- cgit v1.2.3 From aecb0b57a46e34efd14757ed5bc3de84c34b0e2f Mon Sep 17 00:00:00 2001 From: Lee Christensen Date: Mon, 9 Jan 2017 22:18:36 -0800 Subject: Words :P --- Recon/PowerView.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Recon') 
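Review bot: The John line now places the raw SPN in front of the `:` separator, and SPNs frequently carry a port (`MSSQLSvc/sql01.lab.local:1433`), so if John's loader treats the first `:` as the login/hash boundary the port lands on the hash side and the entry is rejected; worth checking with a port-bearing SPN before relying on this format. If that is the case, the `*user$realm$spn*` layout used by the hashcat branch avoids the ambiguity, or the `:` in the label can be rewritten, e.g. `$($Ticket.ServicePrincipalName -replace ':','~')`. The enclosing function starts and ends outside the hunk.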
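Review bot: The new description under the second example says it kerberoasts the `testlab.local` domain, but the command it documents targets `-Domain dev.testlab.local`; one of the two should change, e.g. `Kerberoasts all found SPNs for the dev.testlab.local domain, outputting to HashCat`. The same example block still contains `ConvertTo-SecureString 'Password123!' -AsPlainText -orce` on an unchanged context line; that switch must be `-Force` or the example fails when copied. The comment-based help block continues outside the hunk.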
diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1 index 5e08807..0cb20f5 100755 --- a/Recon/PowerView.ps1 +++ b/Recon/PowerView.ps1 @@ -3670,7 +3670,7 @@ http://social.technet.microsoft.com/Forums/scriptcenter/en-US/0c5b3f83-e528-4d49 [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext) } catch { - Write-Verbose "[Get-Domain] The specified domain does '$TargetDomain' not exist, could not be contacted, there isn't an existing trust, or the specified credentials are invalid: $_" + Write-Verbose "[Get-Domain] The specified domain '$TargetDomain' does not exist, could not be contacted, there isn't an existing trust, or the specified credentials are invalid: $_" } } elseif ($PSBoundParameters['Domain']) { -- cgit v1.2.3 From 9ea5c5b7f5b052d6d2cd63174d9f6a8fc48a1b43 Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Tue, 10 Jan 2017 18:31:30 -0500 Subject: Couple of fixes for Get-DomainSPNTicket --- Recon/PowerView.ps1 | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) (limited to 'Recon') diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1 index 5e08807..c0209d0 100755 --- a/Recon/PowerView.ps1 +++ b/Recon/PowerView.ps1 @@ -2296,8 +2296,8 @@ Outputs a custom object containing the SamAccountName, ServicePrincipalName, and } else { $UserSPN = $Object - $SamAccountName = $Null - $DistinguishedName = $Null + $SamAccountName = 'UNKNOWN' + $DistinguishedName = 'UNKNOWN' } # if a user has multiple SPNs we only take the first one otherwise the service ticket request fails miserably :) -@st3r30byt3 
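Review bot: The `'UNKNOWN'` string replaces `$Null` as the value of `$SamAccountName`/`$DistinguishedName`, which makes a missing value indistinguishable from a real one for anything consuming the output object and forces later code to compare against the literal (`$DistinguishedName -ne 'UNKNOWN'`). Keeping `$Null` here and substituting the placeholder only when the hash string is formatted, behind `[String]::IsNullOrEmpty($DistinguishedName)`, keeps the object properties honest and removes the magic string. The `if`/`else` this sits in, and Get-DomainSPNTicket itself, start outside the hunk.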
@@ -2309,7 +2309,7 @@ Outputs a custom object containing the SamAccountName, ServicePrincipalName, and $Ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $UserSPN } catch { - Write-Warning "[Get-DomainSPNTicket] Error requesting ticket for SPN '$UserSPN' from user '$DistinguishedName'" + Write-Warning "[Get-DomainSPNTicket] Error requesting ticket for SPN '$UserSPN' from user '$DistinguishedName' : $_" } if ($Ticket) { $TicketByteStream = $Ticket.GetRequest() @@ -2330,7 +2330,12 @@ Outputs a custom object containing the SamAccountName, ServicePrincipalName, and $HashFormat = "`$krb5tgs`$$($Ticket.ServicePrincipalName):$Hash" } else { - $UserDomain = $DistinguishedName.SubString($DistinguishedName.IndexOf('DC=')) -replace 'DC=','' -replace ',','.' + if ($DistinguishedName -ne 'UNKNOWN') { + $UserDomain = $DistinguishedName.SubString($DistinguishedName.IndexOf('DC=')) -replace 'DC=','' -replace ',','.' + } + else { + $UserDomain = 'UNKNOWN' + } # hashcat output format $HashFormat = "`$krb5tgs`$23`$*$SamAccountName`$$UserDomain`$$($Ticket.ServicePrincipalName)*`$$Hash" @@ -2338,7 +2343,6 @@ Outputs a custom object containing the SamAccountName, ServicePrincipalName, and $Out | Add-Member Noteproperty 'Hash' $HashFormat $Out.PSObject.TypeNames.Insert(0, 'PowerView.SPNTicket') Write-Output $Out - break } } } @@ -5785,7 +5789,7 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled. } if ($PSBoundParameters['SPN']) { Write-Verbose "[Get-DomainComputer] Searching for computers with SPN: $SPN" - $Filter += '(servicePrincipalName=$SPN)' + $Filter += "(servicePrincipalName=$SPN)" } if ($PSBoundParameters['OperatingSystem']) { Write-Verbose "[Get-DomainComputer] Searching for computers with operating system: $OperatingSystem" -- cgit v1.2.3 From e08432954e71868e2a32681d8eb257d58f159ecf Mon Sep 17 00:00:00 2001 
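Review bot: The `'UNKNOWN'` guard still leaves `$DistinguishedName.SubString($DistinguishedName.IndexOf('DC='))` unprotected when the DN has no `DC=` component or spells it `dc=`: `IndexOf(string)` is case-sensitive (unlike the `-replace 'DC=',''` after it) and returns `-1`, and `SubString(-1)` throws outside the try/catch. Test the index first, e.g. `$DcIndex = $DistinguishedName.IndexOf('DC=', [StringComparison]::OrdinalIgnoreCase)` and fall back to `'UNKNOWN'` when `$DcIndex -lt 0`. The enclosing function body continues outside the hunk.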
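Review bot: Switching to double quotes makes `$SPN` actually land in the filter, but the caller-supplied value goes in unescaped, so an SPN containing `(`, `)` or `\` yields a malformed or altered LDAP filter rather than a clean lookup failure. Escape those characters before interpolation, as the later `-Identity` handling in this series does for parentheses (`\28`/`\29`; a backslash is `\5c`), while leaving `*` untouched if wildcard SPN searches are intended. The rest of Get-DomainComputer's filter construction is outside the hunk.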
From: Lee Christensen Date: Wed, 11 Jan 2017 08:09:49 -0800 Subject: Fixed KerberosPreauthNotRequired --- Recon/PowerView.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Recon') diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1 index 212b74e..8d80482 100755 --- a/Recon/PowerView.ps1 +++ b/Recon/PowerView.ps1 @@ -4760,7 +4760,7 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled. Write-Verbose '[Get-DomainUser] Searching for users that are trusted to authenticate for other principals' $Filter += '(msds-allowedtodelegateto=*)' } - if ($PSBoundParameters['KerberosPreauthNotRequireduthNotRequired']) { + if ($PSBoundParameters['KerberosPreauthNotRequired']) { Write-Verbose '[Get-DomainUser] Searching for user accounts that do not require kerberos preauthenticate' $Filter += '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' } -- cgit v1.2.3 From 6c113b7956f811af66ced410a41b5bf8c6a4981f Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Wed, 11 Jan 2017 14:03:46 -0500 Subject: Fixed bug in Convert-ADName that output an array including null values instead of a string --- Recon/PowerView.ps1 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'Recon') diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1 index 212b74e..a16e066 100755 --- a/Recon/PowerView.ps1 +++ b/Recon/PowerView.ps1 
@@ -1563,18 +1563,18 @@ https://gallery.technet.microsoft.com/scriptcenter/Translating-Active-5c80dd67 ) } catch { - Write-Verbose "[Convert-ADName] Error initialiting translation for '$Identity' using alternate credentials : $_" + Write-Verbose "[Convert-ADName] Error initializing translation for '$Identity' using alternate credentials : $_" } } else { try { - Invoke-Method $Translate 'Init' ( + $Null = Invoke-Method $Translate 'Init' ( $ADSInitType, $InitName ) } catch { - Write-Verbose "[Convert-ADName] Error initialiting translation for '$Identity' : $_" + Write-Verbose "[Convert-ADName] Error initializing translation for '$Identity' : $_" } } @@ -1583,7 +1583,7 @@ https://gallery.technet.microsoft.com/scriptcenter/Translating-Active-5c80dd67 try { # 8 = Unknown name type -> let the server do the work for us - Invoke-Method $Translate 'Set' (8, $TargetIdentity) + $Null = Invoke-Method $Translate 'Set' (8, $TargetIdentity) Invoke-Method $Translate 'Get' ($ADSOutputType) } catch [System.Management.Automation.MethodInvocationException] { -- cgit v1.2.3 From d4166f80d4153b175a1e8e2a0f69eca58e04d2f9 Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Wed, 11 Jan 2017 15:55:35 -0500 Subject: bug fix for Get-DomainObject/Get-DomainObjectACL --- Recon/PowerView.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'Recon') diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1 index a16e066..3afa61c 100755 --- a/Recon/PowerView.ps1 +++ b/Recon/PowerView.ps1 @@ -6074,7 +6074,7 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled. elseif ($IdentityInstance -match '^S-1-.*') { $IdentityFilter += "(objectsid=$IdentityInstance)" } - elseif ($IdentityInstance -match '^(CN|OU)=.*') { + elseif ($IdentityInstance -match '^(CN|OU|DC)=.*') { $IdentityFilter += "(distinguishedname=$IdentityInstance)" } else { 
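Review bot: Discarding the `Init` result with `$Null =` is right, but each `catch` only writes a verbose message, and the function appears to continue into the `Set`/`Get` calls in the next hunk with a translator that was never initialised, so the caller sees a second, less specific failure instead of the real cause. A `return` at the end of each `catch`, after the `Write-Verbose`, would stop at the first error. The lines between the two hunks and the start of Convert-ADName are outside this view, so the fall-through is inferred from the visible structure.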
@@ -6774,7 +6774,7 @@ Custom PSObject with ACL entries. if ($IdentityInstance -match '^S-1-.*') { $IdentityFilter += "(objectsid=$IdentityInstance)" } - elseif ($IdentityInstance -match '^(CN|OU)=.*') { + elseif ($IdentityInstance -match '^(CN|OU|DC)=.*') { $IdentityFilter += "(distinguishedname=$IdentityInstance)" } else { -- cgit v1.2.3 From fa1baa64a86bfba58a07bd43faf8c9d37b0e0424 Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Wed, 11 Jan 2017 18:00:27 -0500 Subject: Parenthesis escaping for Get-DomainObject DN searches --- Recon/PowerView.ps1 | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-) (limited to 'Recon') diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1 index 3afa61c..22970ed 100755 --- a/Recon/PowerView.ps1 +++ b/Recon/PowerView.ps1 
@@ -6071,23 +6071,26 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled. $ObjectSearcher = Get-DomainSearcher @SearcherArguments } } - elseif ($IdentityInstance -match '^S-1-.*') { - $IdentityFilter += "(objectsid=$IdentityInstance)" - } - elseif ($IdentityInstance -match '^(CN|OU|DC)=.*') { - $IdentityFilter += "(distinguishedname=$IdentityInstance)" - } else { - try { - $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1' - $IdentityFilter += "(objectguid=$GuidByteString)" + $IdentityInstance = $IdentityInstance.Replace('(', '\28').Replace(')', '\29') + if ($IdentityInstance -match '^S-1-.*') { + $IdentityFilter += "(objectsid=$IdentityInstance)" } - catch { - if ($IdentityInstance.Contains('.')) { - $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))" + elseif ($IdentityInstance -match '^(CN|OU|DC)=.*') { + $IdentityFilter += "(distinguishedname=$IdentityInstance)" + } + else { + try { + $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1' + $IdentityFilter += "(objectguid=$GuidByteString)" } - else { - $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance))" + catch { + if ($IdentityInstance.Contains('.')) { + $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))" + } + else { + $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance))" + } } } } -- cgit v1.2.3 From 8a2e1daaa3e31106c9eff0454285319d11d50d00 Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Wed, 11 Jan 2017 19:04:56 -0500 Subject: Parenthesis for additional LDAP functions --- Recon/PowerView.ps1 | 96 ++++++++++++++++++++++++++++------------------------- 1 file changed, 51 insertions(+), 45 deletions(-) (limited to 'Recon') 
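Review bot: Escaping only `(` and `)` leaves the backslash alone, and because the rewrite itself inserts backslashes, a value that already contains one (a DN with an escaped comma such as `CN=Smith\, John,OU=...`) becomes a sequence that is not a valid RFC 4515 filter escape; the backslash must become `\5c` and must be replaced before the parenthesis rewrite. `$IdentityInstance = $IdentityInstance.Replace('\', '\5c').Replace('(', '\28').Replace(')', '\29')` does it in the right order, and `*` is deliberately left untouched so wildcard identities keep working. The rewrite also runs before the `[Guid]` cast, so the parenthesised GUID form would no longer parse and would fall through to the name filters; acceptable if that form is never passed, but worth a comment. The enclosing `ForEach-Object` and Get-DomainObject start outside the hunk.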
diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1 index 22970ed..08f7089 100755 --- a/Recon/PowerView.ps1 +++ b/Recon/PowerView.ps1 @@ -4717,21 +4717,24 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled. $UserSearcher = Get-DomainSearcher @SearcherArguments } } - elseif ($IdentityInstance -match '^S-1-.*') { - # SID format - $IdentityFilter += "(objectsid=$IdentityInstance)" - } - elseif ($IdentityInstance -match '^CN=.*') { - # distinguished names - $IdentityFilter += "(distinguishedname=$IdentityInstance)" - } else { - try { - $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1' - $IdentityFilter += "(objectguid=$GuidByteString)" + $IdentityInstance = $IdentityInstance.Replace('(', '\28').Replace(')', '\29') + if ($IdentityInstance -match '^S-1-.*') { + # SID format + $IdentityFilter += "(objectsid=$IdentityInstance)" } - catch { - $IdentityFilter += "(samAccountName=$IdentityInstance)" + elseif ($IdentityInstance -match '^CN=.*') { + # distinguished names + $IdentityFilter += "(distinguishedname=$IdentityInstance)" + } + else { + try { + $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1' + $IdentityFilter += "(objectguid=$GuidByteString)" + } + catch { + $IdentityFilter += "(samAccountName=$IdentityInstance)" + } } } } @@ -5746,7 +5749,7 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled. $IdentityFilter = '' $Filter = '' $Identity | Where-Object {$_} | ForEach-Object { - $IdentityInstance = $_ + $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29') if ($IdentityInstance -match '^S-1-.*') { $IdentityFilter += "(objectsid=$IdentityInstance)" } 
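Review bot: The same two-call escape `$IdentityInstance.Replace('(', '\28').Replace(')', '\29')` is now copy-pasted into every identity-filter builder on this page (users here, computers in the next hunk, objects, groups, OUs, sites and subnets elsewhere), so extending the escape set later, e.g. adding `\` as `\5c`, means eight edits instead of one. A small private helper that takes the raw identity and returns the filter-safe string would keep the rule in one place and make the intent visible at each call site. The `$Identity | Where-Object {$_} | ForEach-Object {` loop this sits in starts outside the hunk.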
@@ -6773,7 +6776,7 @@ Custom PSObject with ACL entries. $IdentityFilter = '' $Filter = '' $Identity | Where-Object {$_} | ForEach-Object { - $IdentityInstance = $_ + $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29') if ($IdentityInstance -match '^S-1-.*') { $IdentityFilter += "(objectsid=$IdentityInstance)" } @@ -7662,7 +7665,7 @@ Custom PSObject with translated OU property fields. $IdentityFilter = '' $Filter = '' $Identity | Where-Object {$_} | ForEach-Object { - $IdentityInstance = $_ + $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29') if ($IdentityInstance -match '^OU=.*') { $IdentityFilter += "(distinguishedname=$IdentityInstance)" } @@ -7921,7 +7924,7 @@ Custom PSObject with translated site property fields. $IdentityFilter = '' $Filter = '' $Identity | Where-Object {$_} | ForEach-Object { - $IdentityInstance = $_ + $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29') if ($IdentityInstance -match '^CN=.*') { $IdentityFilter += "(distinguishedname=$IdentityInstance)" } @@ -8179,7 +8182,7 @@ Custom PSObject with translated subnet property fields. $IdentityFilter = '' $Filter = '' $Identity | Where-Object {$_} | ForEach-Object { - $IdentityInstance = $_ + $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29') if ($IdentityInstance -match '^CN=.*') { $IdentityFilter += "(distinguishedname=$IdentityInstance)" } 
@@ -8650,19 +8653,22 @@ Custom PSObject with translated group property fields. $GroupSearcher = Get-DomainSearcher @SearcherArguments } } - elseif ($IdentityInstance -match '^S-1-.*') { - $IdentityFilter += "(objectsid=$IdentityInstance)" - } - elseif ($IdentityInstance -match '^CN=.*') { - $IdentityFilter += "(distinguishedname=$IdentityInstance)" - } else { - try { - $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1' - $IdentityFilter += "(objectguid=$GuidByteString)" + $IdentityInstance = $IdentityInstance.Replace('(', '\28').Replace(')', '\29') + if ($IdentityInstance -match '^S-1-.*') { + $IdentityFilter += "(objectsid=$IdentityInstance)" } - catch { - $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance))" + elseif ($IdentityInstance -match '^CN=.*') { + $IdentityFilter += "(distinguishedname=$IdentityInstance)" + } + else { + try { + $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1' + $IdentityFilter += "(objectguid=$GuidByteString)" + } + catch { + $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance))" + } } } } 
@@ -9371,19 +9377,22 @@ http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of- $GroupSearcher = Get-DomainSearcher @SearcherArguments } } - elseif ($IdentityInstance -match '^S-1-.*') { - $IdentityFilter += "(objectsid=$IdentityInstance)" - } - elseif ($IdentityInstance -match '^CN=.*') { - $IdentityFilter += "(distinguishedname=$IdentityInstance)" - } else { - try { - $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1' - $IdentityFilter += "(objectguid=$GuidByteString)" + $IdentityInstance = $IdentityInstance.Replace('(', '\28').Replace(')', '\29') + if ($IdentityInstance -match '^S-1-.*') { + $IdentityFilter += "(objectsid=$IdentityInstance)" } - catch { - $IdentityFilter += "(samAccountName=$IdentityInstance)" + elseif ($IdentityInstance -match '^CN=.*') { + $IdentityFilter += "(distinguishedname=$IdentityInstance)" + } + else { + try { + $GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1' + $IdentityFilter += "(objectguid=$GuidByteString)" + } + catch { + $IdentityFilter += "(samAccountName=$IdentityInstance)" + } } } } @@ -10928,11 +10937,8 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled. $IdentityFilter = '' $Filter = '' $Identity | Where-Object {$_} | ForEach-Object { - $IdentityInstance = $_ - if ($IdentityInstance -match 'LDAP://') { - $IdentityFilter += "(distinguishedname=$IdentityInstance)" - } - elseif ($IdentityInstance -match '^CN=.*') { + $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29') + if ($IdentityInstance -match 'LDAP://|^CN=.*') { $IdentityFilter += "(distinguishedname=$IdentityInstance)" } elseif ($IdentityInstance -match '{.*}') { -- cgit v1.2.3 From 510cba8bcd570494eabdc4ab54bb4ba1f5d4cae5 Mon Sep 17 00:00:00 2001 
From: HarmJ0y Date: Wed, 11 Jan 2017 20:16:01 -0500 Subject: Added displayname to the default filter set for Get-DomainObject[ACL] --- Recon/PowerView.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'Recon') diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1 index 08f7089..53b3d4c 100755 --- a/Recon/PowerView.ps1 +++ b/Recon/PowerView.ps1 @@ -6092,7 +6092,7 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled. $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))" } else { - $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance))" + $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(displayname=$IdentityInstance))" } } } @@ -6793,7 +6793,7 @@ Custom PSObject with ACL entries. $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))" } else { - $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance))" + $IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(displayname=$IdentityInstance))" } } } -- cgit v1.2.3 From 454e04005db7678163a1610080d1dff0782ac35d Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Wed, 11 Jan 2017 20:39:57 -0500 Subject: Standardized output from Find-InterestingDomainAcl --- Recon/PowerView.ps1 | 51 ++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 40 insertions(+), 11 deletions(-) (limited to 'Recon') diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1 index a65c884..ef9048a 100755 --- a/Recon/PowerView.ps1 +++ b/Recon/PowerView.ps1 
@@ -7404,11 +7404,26 @@ Custom PSObject with ACL entries. if ($_.SecurityIdentifier.Value -match '^S-1-5-.*-[1-9]\d{3,}$') { if ($ResolvedSIDs[$_.SecurityIdentifier.Value]) { $IdentityReferenceName, $IdentityReferenceDomain, $IdentityReferenceDN, $IdentityReferenceClass = $ResolvedSIDs[$_.SecurityIdentifier.Value] - $_ | Add-Member NoteProperty 'IdentityReferenceName' $IdentityReferenceName - $_ | Add-Member NoteProperty 'IdentityReferenceDomain' $IdentityReferenceDomain - $_ | Add-Member NoteProperty 'IdentityReferenceDN' $IdentityReferenceDN - $_ | Add-Member NoteProperty 'IdentityReferenceClass' $IdentityReferenceClass - $_ + + $InterestingACL = New-Object PSObject + $InterestingACL | Add-Member NoteProperty 'ObjectDN' $_.ObjectDN + $InterestingACL | Add-Member NoteProperty 'AceQualifier' $_.AceQualifier + $InterestingACL | Add-Member NoteProperty 'ActiveDirectoryRights' $_.ActiveDirectoryRights + if ($_.ObjectAceType) { + $InterestingACL | Add-Member NoteProperty 'ObjectAceType' $_.ObjectAceType + } + else { + $InterestingACL | Add-Member NoteProperty 'ObjectAceType' 'None' + } + $InterestingACL | Add-Member NoteProperty 'AceFlags' $_.AceFlags + $InterestingACL | Add-Member NoteProperty 'AceType' $_.AceType + $InterestingACL | Add-Member NoteProperty 'InheritanceFlags' $_.InheritanceFlags + $InterestingACL | Add-Member NoteProperty 'SecurityIdentifier' $_.SecurityIdentifier + $InterestingACL | Add-Member NoteProperty 'IdentityReferenceName' $IdentityReferenceName + $InterestingACL | Add-Member NoteProperty 'IdentityReferenceDomain' $IdentityReferenceDomain + $InterestingACL | Add-Member NoteProperty 'IdentityReferenceDN' $IdentityReferenceDN + $InterestingACL | Add-Member NoteProperty 'IdentityReferenceClass' $IdentityReferenceClass + $InterestingACL } else { $IdentityReferenceDN = Convert-ADName -Identity $_.SecurityIdentifier.Value -OutputType DN @ADNameArguments 
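Review bot: The `$InterestingACL` object is emitted without a type name, whereas other custom objects in this file tag theirs (e.g. `$Out.PSObject.TypeNames.Insert(0, 'PowerView.SPNTicket')` in the Kerberoast hunk earlier on this page), so format views and type checks cannot tell it apart from a generic PSObject. Add `$InterestingACL.PSObject.TypeNames.Insert(0, 'PowerView.ACL')` (or whatever name Get-DomainObjectAcl's output already carries) before the object is written. Filling a missing `ObjectAceType` with the string `'None'` also mixes a string into a column that is presumably a GUID or resolved name; `$Null` would keep the column's type consistent for consumers. Find-InterestingDomainAcl starts outside the hunk.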
@@ -7421,7 +7436,7 @@ Custom PSObject with ACL entries. $ObjectSearcherArguments['Identity'] = $IdentityReferenceDN # "IdentityReferenceDN: $IdentityReferenceDN" $Object = Get-DomainObject @ObjectSearcherArguments - $ObjectSearcherArguments + if ($Object) { $IdentityReferenceName = $Object.Properties.samaccountname[0] if ($Object.Properties.objectclass -match 'computer') { 
@@ -7440,11 +7455,25 @@ Custom PSObject with ACL entries. # save so we don't look up more than once $ResolvedSIDs[$_.SecurityIdentifier.Value] = $IdentityReferenceName, $IdentityReferenceDomain, $IdentityReferenceDN, $IdentityReferenceClass - $_ | Add-Member NoteProperty 'IdentityReferenceName' $IdentityReferenceName - $_ | Add-Member NoteProperty 'IdentityReferenceDomain' $IdentityReferenceDomain - $_ | Add-Member NoteProperty 'IdentityReferenceDN' $IdentityReferenceDN - $_ | Add-Member NoteProperty 'IdentityReferenceClass' $IdentityReferenceClass - $_ + $InterestingACL = New-Object PSObject + $InterestingACL | Add-Member NoteProperty 'ObjectDN' $_.ObjectDN + $InterestingACL | Add-Member NoteProperty 'AceQualifier' $_.AceQualifier + $InterestingACL | Add-Member NoteProperty 'ActiveDirectoryRights' $_.ActiveDirectoryRights + if ($_.ObjectAceType) { + $InterestingACL | Add-Member NoteProperty 'ObjectAceType' $_.ObjectAceType + } + else { + $InterestingACL | Add-Member NoteProperty 'ObjectAceType' 'None' + } + $InterestingACL | Add-Member NoteProperty 'AceFlags' $_.AceFlags + $InterestingACL | Add-Member NoteProperty 'AceType' $_.AceType + $InterestingACL | Add-Member NoteProperty 'InheritanceFlags' $_.InheritanceFlags + $InterestingACL | Add-Member NoteProperty 'SecurityIdentifier' $_.SecurityIdentifier + $InterestingACL | Add-Member NoteProperty 'IdentityReferenceName' $IdentityReferenceName + $InterestingACL | Add-Member NoteProperty 'IdentityReferenceDomain' $IdentityReferenceDomain + $InterestingACL | Add-Member NoteProperty 'IdentityReferenceDN' $IdentityReferenceDN + $InterestingACL | Add-Member NoteProperty 'IdentityReferenceClass' $IdentityReferenceClass + $InterestingACL } } else { -- cgit v1.2.3
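Review bot: The fifteen-line construction of `$InterestingACL` here is a verbatim copy of the one in the cached-SID branch of the earlier hunk, including the `ObjectAceType`/`'None'` fallback, so any later change to the output shape has to be made twice and the two copies will drift. Build the object once after the `if`/`else` that resolves the SID, with `$IdentityReferenceName`, `$IdentityReferenceDomain`, `$IdentityReferenceDN` and `$IdentityReferenceClass` as the only inputs that differ, or move the construction into a small private helper called from both branches. The enclosing `ForEach-Object` and Find-InterestingDomainAcl continue outside the hunk.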