Gh0st
/
PowerSploit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added Set-DomainObjectOwner to modify an object's owner 

Modified Convert-LDAPProperty to break out sections of ntsecuritydescriptor
This commit is contained in:
HarmJ0y 2016-12-13 17:21:10 -05:00
parent f4f5fb1460
commit f00e3fc6c4
4 changed files with 431 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

214
Recon/PowerView.ps1
View File

@ -2741,7 +2741,20 @@ A custom PSObject with LDAP hashtable properties translated.
$ObjectProperties[$_] = (New-Object Guid (,$Properties[$_][0])).Guid
}
elseif ($_ -eq 'ntsecuritydescriptor') {
$ObjectProperties[$_] = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Properties[$_][0], 0
# $ObjectProperties[$_] = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Properties[$_][0], 0
$Descriptor = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Properties[$_][0], 0
if ($Descriptor.Owner) {
$ObjectProperties['Owner'] = $Descriptor.Owner
}
if ($Descriptor.Group) {
$ObjectProperties['Group'] = $Descriptor.Group
}
if ($Descriptor.DiscretionaryAcl) {
$ObjectProperties['DiscretionaryAcl'] = $Descriptor.DiscretionaryAcl
}
if ($Descriptor.SystemAcl) {
$ObjectProperties['SystemAcl'] = $Descriptor.SystemAcl
}
}
elseif ( ($_ -eq 'lastlogon') -or ($_ -eq 'lastlogontimestamp') -or ($_ -eq 'pwdlastset') -or ($_ -eq 'lastlogoff') -or ($_ -eq 'badPasswordTime') ) {
# convert timestamps
@ -4898,7 +4911,7 @@ function Set-DomainUserPassword {
<#
.SYNOPSIS
Sets the password for a given user identity and returns the user object.
Sets the password for a given user identity.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
@ -4994,7 +5007,6 @@ http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-
$Null = $User.Save()
Write-Verbose "[Set-DomainUserPassword] Password for user '$Identity' successfully reset"
$User
}
catch {
Write-Warning "[Set-DomainUserPassword] Error setting password for user '$Identity' : $_"
@ -6186,22 +6198,10 @@ Get-DomainUser -Identity testuser -Properties scriptpath
scriptpath
----------
\\EVIL\program2.exe
.OUTPUTS
PowerView.ADObject
Custom PSObject with translated AD object property fields, if -PassThru is enabled.
PowerView.ADObject.Raw
The raw DirectoryServices.SearchResult object, if -PassThru and -Raw are enabled.
#>
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
[OutputType('PowerView.ADObject')]
[OutputType('PowerView.ADObject.Raw')]
[CmdletBinding()]
Param(
[Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
@ -6253,10 +6253,6 @@ The raw DirectoryServices.SearchResult object, if -PassThru and -Raw are enabled
[Int]
$ServerTimeLimit,
[ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')]
[String]
$SecurityMasks,
[Switch]
$Tombstone,
@ -6336,6 +6332,186 @@ The raw DirectoryServices.SearchResult object, if -PassThru and -Raw are enabled
}
function Set-DomainObjectOwner {
<#
.SYNOPSIS
Modifies the owner for a specified active directory object.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Get-DomainObject
.DESCRIPTION
Retrieves the Active Directory object specified by -Identity by splatting to
Get-DomainObject, returning the raw searchresult object. Retrieves the raw
directoryentry for the object, and sets the object owner to -OwnerIdentity.
.PARAMETER Identity
A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
of the AD object to set the owner for.
.PARAMETER OwnerIdentity
A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
of the owner to set for -Identity.
.PARAMETER Domain
Specifies the domain to use for the query, defaults to the current domain.
.PARAMETER LDAPFilter
Specifies an LDAP query string that is used to filter Active Directory objects.
.PARAMETER SearchBase
The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
Useful for OU queries.
.PARAMETER Server
Specifies an Active Directory server (domain controller) to bind to.
.PARAMETER SearchScope
Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
.PARAMETER ResultPageSize
Specifies the PageSize to set for the LDAP searcher object.
.PARAMETER ServerTimeLimit
Specifies the maximum amount of time the server spends searching. Default of 120 seconds.
.PARAMETER Tombstone
Switch. Specifies that the searcher should also return deleted/tombstoned objects.
.PARAMETER Credential
A [Management.Automation.PSCredential] object of alternate credentials
for connection to the target domain.
.EXAMPLE
Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y
Set the owner of 'dfm' in the current domain to 'harmj0y'.
.EXAMPLE
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y -Credential $Cred
Set the owner of 'dfm' in the current domain to 'harmj0y' using the alternate credentials.
#>
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
[CmdletBinding()]
Param(
[Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
[Alias('DistinguishedName', 'SamAccountName', 'Name')]
[String]
$Identity,
[Parameter(Mandatory = $True)]
[ValidateNotNullOrEmpty()]
[Alias('Owner')]
[String]
$OwnerIdentity,
[ValidateNotNullOrEmpty()]
[String]
$Domain,
[ValidateNotNullOrEmpty()]
[Alias('Filter')]
[String]
$LDAPFilter,
[ValidateNotNullOrEmpty()]
[Alias('ADSPath')]
[String]
$SearchBase,
[ValidateNotNullOrEmpty()]
[Alias('DomainController')]
[String]
$Server,
[ValidateSet('Base', 'OneLevel', 'Subtree')]
[String]
$SearchScope = 'Subtree',
[ValidateRange(1, 10000)]
[Int]
$ResultPageSize = 200,
[ValidateRange(1, 10000)]
[Int]
$ServerTimeLimit,
[Switch]
$Tombstone,
[Management.Automation.PSCredential]
[Management.Automation.CredentialAttribute()]
$Credential = [Management.Automation.PSCredential]::Empty
)
BEGIN {
$SearcherArguments = @{}
if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
if ($PSBoundParameters['LDAPFilter']) { $SearcherArguments['LDAPFilter'] = $LDAPFilter }
if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
if ($PSBoundParameters['ServerTimeLimit']) { $SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit }
if ($PSBoundParameters['Tombstone']) { $SearcherArguments['Tombstone'] = $Tombstone }
if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
$OwnerSid = Get-DomainObject @SearcherArguments -Identity $OwnerIdentity -Properties objectsid | Select-Object -ExpandProperty objectsid
if ($OwnerSid) {
$OwnerIdentityReference = [System.Security.Principal.SecurityIdentifier]$OwnerSid
}
else {
Write-Warning "[Set-DomainObjectOwner] Error parsing owner identity '$OwnerIdentity'"
}
}
PROCESS {
if ($OwnerIdentityReference) {
$SearcherArguments['Raw'] = $True
$SearcherArguments['Identity'] = $Identity
# splat the appropriate arguments to Get-DomainObject
$RawObject = Get-DomainObject @SearcherArguments
ForEach ($Object in $RawObject) {
try {
Write-Verbose "[Set-DomainObjectOwner] Attempting to set the owner for '$Identity' to '$OwnerIdentity'"
$Entry = $RawObject.GetDirectoryEntry()
$Entry.PsBase.ObjectSecurity.SetOwner($OwnerIdentityReference)
$Entry.PsBase.CommitChanges()
}
catch {
Write-Warning "[Set-DomainObjectOwner] Error setting owner: $_"
}
}
}
}
}
function Get-DomainObjectAcl {
<#
.SYNOPSIS

1
Recon/Recon.psd1
View File

@ -51,6 +51,7 @@ FunctionsToExport = @(
'Get-DomainComputer',
'Get-DomainObject',
'Set-DomainObject',
'Set-DomainObjectOwner',
'Get-DomainObjectAcl',
'Add-DomainObjectAcl',
'Find-InterestingDomainAcl',

234
docs/Recon/Set-DomainObjectOwner.md Executable file
View File

@ -0,0 +1,234 @@
# Set-DomainObjectOwner
## SYNOPSIS
Modifies the owner for a specified active directory object.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Get-DomainObject
## SYNTAX
```
Set-DomainObjectOwner [-Identity] <String> -OwnerIdentity <String> [-Domain <String>] [-LDAPFilter <String>]
[-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-ResultPageSize <Int32>]
[-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
```
## DESCRIPTION
Retrieves the Active Directory object specified by -Identity by splatting to
Get-DomainObject, returning the raw searchresult object.
Retrieves the raw
directoryentry for the object, and sets the object owner to -OwnerIdentity.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y
```
Set the owner of 'dfm' in the current domain to 'harmj0y'.
### -------------------------- EXAMPLE 2 --------------------------
```
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
```
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y -Credential $Cred
Set the owner of 'dfm' in the current domain to 'harmj0y' using the alternate credentials.
## PARAMETERS
### -Identity
A SamAccountName (e.g.
harmj0y), DistinguishedName (e.g.
CN=harmj0y,CN=Users,DC=testlab,DC=local),
SID (e.g.
S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.
4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
of the AD object to set the owner for.
```yaml
Type: String
Parameter Sets: (All)
Aliases: DistinguishedName, SamAccountName, Name
Required: True
Position: 1
Default value: None
Accept pipeline input: True (ByPropertyName, ByValue)
Accept wildcard characters: False
```
### -OwnerIdentity
A SamAccountName (e.g.
harmj0y), DistinguishedName (e.g.
CN=harmj0y,CN=Users,DC=testlab,DC=local),
SID (e.g.
S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g.
4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
of the owner to set for -Identity.
```yaml
Type: String
Parameter Sets: (All)
Aliases: Owner
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -Domain
Specifies the domain to use for the query, defaults to the current domain.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -LDAPFilter
Specifies an LDAP query string that is used to filter Active Directory objects.
```yaml
Type: String
Parameter Sets: (All)
Aliases: Filter
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -SearchBase
The LDAP source to search through, e.g.
"LDAP://OU=secret,DC=testlab,DC=local"
Useful for OU queries.
```yaml
Type: String
Parameter Sets: (All)
Aliases: ADSPath
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -Server
Specifies an Active Directory server (domain controller) to bind to.
```yaml
Type: String
Parameter Sets: (All)
Aliases: DomainController
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -SearchScope
Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: Subtree
Accept pipeline input: False
Accept wildcard characters: False
```
### -ResultPageSize
Specifies the PageSize to set for the LDAP searcher object.
```yaml
Type: Int32
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: 200
Accept pipeline input: False
Accept wildcard characters: False
```
### -ServerTimeLimit
Specifies the maximum amount of time the server spends searching.
Default of 120 seconds.
```yaml
Type: Int32
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: 0
Accept pipeline input: False
Accept wildcard characters: False
```
### -Tombstone
Switch.
Specifies that the searcher should also return deleted/tombstoned objects.
```yaml
Type: SwitchParameter
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
```
### -Credential
A \[Management.Automation.PSCredential\] object of alternate credentials
for connection to the target domain.
```yaml
Type: PSCredential
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: [Management.Automation.PSCredential]::Empty
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
## NOTES
## RELATED LINKS

2
docs/Recon/Set-DomainUserPassword.md
View File

@ -1,7 +1,7 @@
# Set-DomainUserPassword
## SYNOPSIS
Sets the password for a given user identity and returns the user object.
Sets the password for a given user identity.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause