From 7964823e3f398c41a7ad1c0e8c4c28c0806a9c0d Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Wed, 14 Dec 2016 11:53:29 -0500 Subject: Added documentation for PowerUp --- docs/Privesc/Get-WebConfig.md | 93 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 93 insertions(+) create mode 100755 docs/Privesc/Get-WebConfig.md (limited to 'docs/Privesc/Get-WebConfig.md') diff --git a/docs/Privesc/Get-WebConfig.md b/docs/Privesc/Get-WebConfig.md new file mode 100755 index 0000000..78cef7d --- /dev/null +++ b/docs/Privesc/Get-WebConfig.md @@ -0,0 +1,93 @@ +# Get-WebConfig + +## SYNOPSIS +This script will recover cleartext and encrypted connection strings from all web.config +files on the system. +Also, it will decrypt them if needed. + +Author: Scott Sutherland, Antti Rantasaari +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-WebConfig +``` + +## DESCRIPTION +This script will identify all of the web.config files on the system and recover the +connection strings used to support authentication to backend databases. +If needed, the +script will also decrypt the connection strings on the fly. +The output supports the +pipeline which can be used to convert all of the results into a pretty table by piping +to format-table. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Return a list of cleartext and decrypted connect strings from web.config files. +``` + +Get-WebConfig + +user : s1admin +pass : s1password +dbserv : 192.168.1.103\server1 +vdir : C:\test2 +path : C:\test2\web.config +encr : No + +user : s1user +pass : s1password +dbserv : 192.168.1.103\server1 +vdir : C:\inetpub\wwwroot +path : C:\inetpub\wwwroot\web.config +encr : Yes + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Return a list of clear text and decrypted connect strings from web.config files. +``` + +Get-WebConfig | Format-Table -Autosize + +user pass dbserv vdir path encr +---- ---- ------ ---- ---- ---- +s1admin s1password 192.168.1.101\server1 C:\App1 C:\App1\web.config No +s1user s1password 192.168.1.101\server1 C:\inetpub\wwwroot C:\inetpub\wwwroot\web.config No +s2user s2password 192.168.1.102\server2 C:\App2 C:\App2\test\web.config No +s2user s2password 192.168.1.102\server2 C:\App2 C:\App2\web.config Yes +s3user s3password 192.168.1.103\server3 D:\App3 D:\App3\web.config No + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### System.Boolean + +System.Data.DataTable + +## NOTES +Below is an alterantive method for grabbing connection strings, but it doesn't support decryption. +for /f "tokens=*" %i in ('%systemroot%\system32\inetsrv\appcmd.exe list sites /text:name') do %systemroot%\system32\inetsrv\appcmd.exe list config "%i" -section:connectionstrings + +Author: Scott Sutherland - 2014, NetSPI +Author: Antti Rantasaari - 2014, NetSPI + +## RELATED LINKS + +[https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1 +http://www.netspi.com +https://raw2.github.com/NetSPI/cmdsql/master/cmdsql.aspx +http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe +http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx](https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1 +http://www.netspi.com +https://raw2.github.com/NetSPI/cmdsql/master/cmdsql.aspx +http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe +http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx) + -- cgit v1.2.3