blob: 84eab4eb4c290ee31e309b929cac997c6be0e9d0 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
|
# Test-AdminAccess
## SYNOPSIS
Tests if the current user has administrative access to the local (or a remote) machine.
Idea stolen from the local_admin_search_enum post module in Metasploit written by:
'Brandon McCann "zeknox" \<bmccann\[at\]accuvant.com\>'
'Thomas McCarthy "smilingraccoon" \<smilingraccoon\[at\]gmail.com\>'
'Royce Davis "r3dy" \<rdavis\[at\]accuvant.com\>'
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf
## SYNTAX
```
Test-AdminAccess [[-ComputerName] <String[]>] [-Credential <PSCredential>]
```
## DESCRIPTION
This function will use the OpenSCManagerW Win32API call to establish
a handle to the remote host.
If this succeeds, the current user context
has local administrator acess to the target.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Test-AdminAccess -ComputerName sqlserver
```
Returns results indicating whether the current user has admin access to the 'sqlserver' host.
### -------------------------- EXAMPLE 2 --------------------------
```
Get-DomainComputer | Test-AdminAccess
```
Returns what machines in the domain the current user has access to.
### -------------------------- EXAMPLE 3 --------------------------
```
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
```
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Test-AdminAccess -ComputerName sqlserver -Credential $Cred
## PARAMETERS
### -ComputerName
Specifies the hostname to check for local admin access (also accepts IP addresses).
Defaults to 'localhost'.
```yaml
Type: String[]
Parameter Sets: (All)
Aliases: HostName, dnshostname, name
Required: False
Position: 1
Default value: Localhost
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```
### -Credential
A \[Management.Automation.PSCredential\] object of alternate credentials
for connection to the remote system using Invoke-UserImpersonation.
```yaml
Type: PSCredential
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: [Management.Automation.PSCredential]::Empty
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
### PowerView.AdminAccess
A PSCustomObject containing the ComputerName and 'IsAdmin' set to whether
the current user has local admin rights, along with the ComputerName added.
## NOTES
## RELATED LINKS
[https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb
http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb
http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/)
|