Gh0st
/
PowerSploit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added Get-RegistryMountedDrive

This commit is contained in:
Harmj0y 2016-05-03 22:52:36 -04:00
parent fbf6f30833
commit 26cef85d35
1 changed files with 120 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

126
Recon/PowerView.ps1
View File

@ -1938,7 +1938,7 @@ filter Get-DNSZone {
)
# $DNSSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -PageSize $PageSize -Credential $Credential -ADSprefix "CN=MicrosoftDNS,DC=DomainDnsZones"
$DNSSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -PageSize $PageSize -Credential $Credential -ADSprefix "DC=DomainDnsZones"
$DNSSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -PageSize $PageSize -Credential $Credential
$DNSSearcher.filter="(objectClass=dnsZone)"
if($DNSSearcher) {
@ -8594,6 +8594,117 @@ filter Get-CachedRDPConnection {
}
filter Get-RegistryMountedDrive {
<#
.SYNOPSIS
Uses remote registry functionality to query all entries for the
the saved network mounted drive on a machine, separated by
user and target server.
Note: This function requires administrative rights on the
machine you're enumerating.
.PARAMETER ComputerName
The hostname to query for RDP client information.
Defaults to localhost.
.PARAMETER Credential
A [Management.Automation.PSCredential] object for the remote connection.
.EXAMPLE
PS C:\> Get-RegistryMountedDrive
Returns the saved network mounted drives for the local machine.
.EXAMPLE
PS C:\> Get-RegistryMountedDrive -ComputerName WINDOWS2.testlab.local
Returns the saved network mounted drives for the WINDOWS2.testlab.local machine
.EXAMPLE
PS C:\> Get-RegistryMountedDrive -ComputerName WINDOWS2.testlab.local -Credential $Cred
Returns the saved network mounted drives for the WINDOWS2.testlab.local machine using alternate credentials.
.EXAMPLE
PS C:\> Get-NetComputer | Get-RegistryMountedDrive
Get the saved network mounted drives for all machines in the domain.
#>
[CmdletBinding()]
param(
[Parameter(ValueFromPipeline=$True)]
[Alias('HostName')]
[Object[]]
[ValidateNotNullOrEmpty()]
$ComputerName = 'localhost',
[Management.Automation.PSCredential]
$Credential
)
# extract the computer name from whatever object was passed on the pipeline
$Computer = $ComputerName | Get-NameField
# HKEY_USERS
$HKU = 2147483651
try {
if($Credential) {
$Reg = Get-WmiObject -List 'StdRegProv' -Namespace root\default -Computername $Computer -Credential $Credential -ErrorAction SilentlyContinue
}
else {
$Reg = Get-WmiObject -List 'StdRegProv' -Namespace root\default -Computername $Computer -ErrorAction SilentlyContinue
}
# extract out the SIDs of domain users in this hive
$UserSIDs = ($Reg.EnumKey($HKU, "")).sNames | ? { $_ -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' }
foreach ($UserSID in $UserSIDs) {
try {
$UserName = Convert-SidToName $UserSID
$DriveLetters = ($Reg.EnumKey($HKU, "$UserSID\Network")).sNames
ForEach($DriveLetter in $DriveLetters) {
$ProviderName = $Reg.GetStringValue($HKU, "$UserSID\Network\$DriveLetter", 'ProviderName').sValue
$RemotePath = $Reg.GetStringValue($HKU, "$UserSID\Network\$DriveLetter", 'RemotePath').sValue
$DriveUserName = $Reg.GetStringValue($HKU, "$UserSID\Network\$DriveLetter", 'UserName').sValue
if(-not $UserName) { $UserName = '' }
if($RemotePath -and ($RemotePath -ne '')) {
$MountedDrive = New-Object PSObject
$MountedDrive | Add-Member Noteproperty 'ComputerName' $Computer
$MountedDrive | Add-Member Noteproperty 'UserName' $UserName
$MountedDrive | Add-Member Noteproperty 'UserSID' $UserSID
$MountedDrive | Add-Member Noteproperty 'DriveLetter' $DriveLetter
$MountedDrive | Add-Member Noteproperty 'ProviderName' $ProviderName
$MountedDrive | Add-Member Noteproperty 'RemotePath' $RemotePath
$MountedDrive | Add-Member Noteproperty 'DriveUserName' $DriveUserName
$MountedDrive
}
}
}
catch {
Write-Debug "Error: $_"
}
}
}
catch {
Write-Warning "Error accessing $Computer, likely insufficient permissions or firewall rules on host: $_"
}
}
filter Get-NetProcess {
<#
.SYNOPSIS
@ -10205,7 +10316,7 @@ function Invoke-EventHunter {
[String]
$TargetServer,
[String]
[String[]]
$UserName,
[String]
@ -10313,8 +10424,11 @@ function Invoke-EventHunter {
}
# if we get a specific username, only use that
elseif($UserName) {
Write-Verbose "[*] Using target user '$UserName'..."
$TargetUsers = @( $UserName.ToLower() )
# Write-Verbose "[*] Using target user '$UserName'..."
$TargetUsers = $UserName | ForEach-Object {$_.ToLower()}
if($TargetUsers -isnot [system.array]) {
$TargetUsers = @($TargetUsers)
}
}
# read in a target user list if we have one
elseif($UserFile) {
@ -10353,13 +10467,13 @@ function Invoke-EventHunter {
if($Up) {
# try to enumerate
if($Credential) {
Get-UserEvent -ComputerName $ComputerName -EventType 'all' -DateStart ([DateTime]::Today.AddDays(-$SearchDays)) | Where-Object {
Get-UserEvent -ComputerName $ComputerName -Credential $Credential -EventType 'all' -DateStart ([DateTime]::Today.AddDays(-$SearchDays)) | Where-Object {
# filter for the target user set
$TargetUsers -contains $_.UserName
}
}
else {
Get-UserEvent -ComputerName $ComputerName -Credential $Credential -EventType 'all' -DateStart ([DateTime]::Today.AddDays(-$SearchDays)) | Where-Object {
Get-UserEvent -ComputerName $ComputerName -EventType 'all' -DateStart ([DateTime]::Today.AddDays(-$SearchDays)) | Where-Object {
# filter for the target user set
$TargetUsers -contains $_.UserName
}