Added fix for Get-GPODelegation and Find-GPOLocation

1. Added the -Full switch to Get-GPODelegation to return full list of GPO delegations 2. Added logic to Find-GPOLocation to deal with edgecase where GPO is linked to OU but delegated only to certain computers
2017-06-01 20:45:49 -06:00 · 2017-06-01 20:45:49 -06:00 · 09609f4a43
parent d9e9231755
commit 09609f4a43
1 changed files with 38 additions and 8 deletions
--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
@ -11783,7 +11783,7 @@ Enumerates the machines where a specific domain user/group is a member of a spec
 local group, all through GPO correlation. If no user/group is specified, all
 discoverable mappings are returned.

-Author: @harmj0y  
+Author: @harmj0y, @byt3bl33d3r 
 License: BSD 3-Clause  
 Required Dependencies: Get-DomainGPOLocalGroup, Get-DomainObject, Get-DomainComputer, Get-DomainOU, Get-DomainSite, Get-DomainGroup  

@ -12023,11 +12023,24 @@ http://www.harmj0y.net/blog/redteaming/where-my-admins-at-gpo-edition/

            # find any OUs that have this GPO linked through gpLink
            Get-DomainOU @CommonArguments -Raw -Properties 'name,distinguishedname' -GPLink $GPOGuid | ForEach-Object {
-                if ($Filters) {
-                    $OUComputers = Get-DomainComputer @CommonArguments -Properties 'dnshostname,distinguishedname' -SearchBase $_.Path | Where-Object {$_.distinguishedname -match ($Filters.Value)} | Select-Object -ExpandProperty dnshostname
+                $DelegatedComputers = Get-GPODelegation -GPOName $GPOname -Full | Select-Object -ExpandProperty IdentityReference | ? { $_.Value -match "\$"} | Sort | Unique
+                if ($DelegatedComputers) {
+                    $Computers = @()
+                    Write-Verbose "[Get-DomainGPOUserLocalGroupMapping] Delegated Computers: $DelegatedComputers"
+                    ForEach ($Computer in $DelegatedComputers) {
+                        $Computer = [String]$Computer
+                        $Computers += $Computer.split('\')[1].TrimEnd('$')
+
+                    }
+                    $OUComputers = ForEach ($Computer in $Computers) { Get-DomainComputer @CommonArguments -Properties 'dnshostname' -SearchBase $_.Path | where { $_.dnshostname -match $Computer} | Select-Object -ExpandProperty dnshostname }
                } 
                else {
-                    $OUComputers = Get-DomainComputer @CommonArguments -Properties 'dnshostname' -SearchBase $_.Path | Select-Object -ExpandProperty dnshostname
+                    if ($Filters) {
+                        $OUComputers = Get-DomainComputer @CommonArguments -Properties 'dnshostname,distinguishedname' -SearchBase $_.Path | Where-Object {$_.distinguishedname -match ($Filters.Value)} | Select-Object -ExpandProperty dnshostname
+                    }
+                    else {
+                        $OUComputers = Get-DomainComputer @CommonArguments -Properties 'dnshostname' -SearchBase $_.Path | Select-Object -ExpandProperty dnshostname
+                    }
                }

                if ($OUComputers) {
@ -18869,7 +18882,7 @@ function Get-GPODelegation

 Finds users with write permissions on GPO objects which may allow privilege escalation within the domain.

-Author: Itamar Mizrahi (@MrAnde7son)  
+Author: Itamar Mizrahi, Marcello Salvati (@MrAnde7son, @byt3bl33d3r)  
 License: BSD 3-Clause  
 Required Dependencies: None  

@ -18881,6 +18894,10 @@ The GPO display name to query for, wildcards accepted.

 Specifies the PageSize to set for the LDAP searcher object.

+.PARAMETER Full
+
+Switch. Return full GPO delegation list.
+
 .EXAMPLE

 Get-GPODelegation
@ -18892,6 +18909,12 @@ Returns all GPO delegations in current forest.
 Get-GPODelegation -GPOName

 Returns all GPO delegations on a given GPO.
+
+.EXAMPLE
+
+Get-GPODelegation -GPOName -Full
+
+Returns full GPO delegation list on the given GPO
 #>

    [CmdletBinding()]
@ -18901,7 +18924,10 @@ Returns all GPO delegations on a given GPO.

        [ValidateRange(1,10000)] 
        [Int]
-        $PageSize = 200
+        $PageSize = 200,
+
+        [Switch]
+        $Full
    )

    $Exclusions = @("SYSTEM","Domain Admins","Enterprise Admins")
@ -18918,7 +18944,11 @@ Returns all GPO delegations on a given GPO.
        $Searcher.SearchScope = "Subtree"
        $listGPO = $Searcher.FindAll()
        foreach ($gpo in $listGPO){
-            $ACL = ([ADSI]$gpo.path).ObjectSecurity.Access | ? {$_.ActiveDirectoryRights -match "Write" -and $_.AccessControlType -eq "Allow" -and  $Exclusions -notcontains $_.IdentityReference.toString().split("\")[1] -and $_.IdentityReference -ne "CREATOR OWNER"}
+            if ($Full) {
+                $ACL = ([ADSI]$gpo.path).ObjectSecurity.Access 
+            } else {
+                $ACL = ([ADSI]$gpo.path).ObjectSecurity.Access | ? {$_.ActiveDirectoryRights -match "Write" -and $_.AccessControlType -eq "Allow" -and  $Exclusions -notcontains $_.IdentityReference.toString().split("\")[1] -and $_.IdentityReference -ne "CREATOR OWNER"}
+            }
        if ($ACL -ne $null){
            $GpoACL = New-Object psobject
            $GpoACL | Add-Member Noteproperty 'ADSPath' $gpo.Properties.adspath