Commit Graph

106 Commits

Author SHA1 Message Date
Will 97382c215d Merge pull request #226 from joncave/dn_commas
Support for DNs containing commas
2017-04-26 14:08:32 -07:00
Will 0bbc9db5ab Merge pull request #227 from joncave/dfs_domain
The DFS subfunctions only accept a single $Domain
2017-04-26 14:08:01 -07:00
Lee Christensen 834a80fef3 Set explicit LDAP SecurityMask settings
Changed the LDAP SecurityMasks settings so that you can change the Owner/DACL if you only have WriteOwner/WriteDacl permissions on the object (Default SecurityMasks is "Owner, Group, Dacl")
2017-04-17 15:30:06 -07:00
Jon Cave 08b30627d9 Support for DNs containing commas
If an object's distinguished name contains a comma then it ends up quoted:

    CN=Smith\, John,OU=Admins,DC=example,DC=com

This breaks a number of functions which attempt to identify DOMAIN\name
by matching on a \ anywhere in the specified identity before checking if
the identity was a DN (or SID or GUID).

For example, attempting to list members of "Domain Admins" using
Get-DomainGroupMember gives the following:

    VERBOSE: [Convert-ADName] Error initializing translation for 'CN=Smith\, John,OU=Admins,DC=example,DC=com' : Exception calling "InvokeMember" with "5" argument(s): "The specified domain either does not exist or could not be contacted. (Exception from HRESULT: 0x8007054B)"
    VERBOSE: [Convert-ADName] Error translating 'CN=Smith\, John,OU=Admins,DC=example,DC=com' : The specified domain either does not exist or could not be contacted. (Exception from HRESULT: 0x8007054B)
    VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (objectClass=*)

The fix implemented here is to perform more specific pattern matching
prior to falling back to looking for a \. The order is SID, DN, GUID,
qualified name (DOMAIN\name), and then plain name.
2017-04-05 14:05:51 +01:00
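The identity-classification order this commit describes (SID, then DN, then GUID, then DOMAIN\name, then plain name), as an added illustration in PowerShell written for this page rather than PowerView's own code; the regular expressions used for each form are assumptions, and the sample identities are constructed except for the DN and SID quoted in the log.

```powershell
# Added example, not PowerView's own code. Classifies an AD identity string in
# the order the commit describes (SID, DN, GUID, DOMAIN\name, plain name) and
# contrasts it with the old "any backslash means DOMAIN\name" check.
# The regexes here are assumptions about what each form looks like.
function Get-IdentityKind {
    param([Parameter(Mandatory)][string]$Identity)

    # SID: S-1-<authority>-<subauthority>...
    if ($Identity -match '^S-1-\d+(-\d+)+$') { return 'SID' }
    # DN: starts with an RDN such as CN=, OU= or DC=. Checked before the
    # backslash test so an escaped comma ("\,") inside a value is harmless.
    if ($Identity -match '^(CN|OU|DC)=') { return 'DN' }
    # GUID: 8-4-4-4-12 hex digits, optionally wrapped in braces (-match is case-insensitive).
    if ($Identity -match '^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$') { return 'GUID' }
    # Qualified name: exactly one backslash separating DOMAIN and name.
    if ($Identity -match '^[^\\]+\\[^\\]+$') { return 'QualifiedName' }
    return 'Name'
}

# The pre-fix behaviour the commit describes: any '\' is treated as DOMAIN\name.
function Get-IdentityKindOld {
    param([Parameter(Mandatory)][string]$Identity)
    if ($Identity -match '\\') { return 'QualifiedName' }
    return 'Other'
}

# Split a DN into its RDNs on commas that are NOT preceded by a backslash,
# so "CN=Smith\, John" stays a single component.
function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DN)
    return $DN -split '(?<!\\),'
}

# Constructed sample input (the DN and SID are the ones quoted in the commit log).
$samples = @(
    'CN=Smith\, John,OU=Admins,DC=example,DC=com',   # DN with an escaped comma
    'S-1-5-21-890171859-3433809279-3366196753-1108', # SID
    'EXAMPLE\jsmith',                                 # qualified name
    'administrator'                                   # plain name
)
foreach ($s in $samples) {
    '{0,-14} old: {1,-14} {2}' -f (Get-IdentityKind $s), (Get-IdentityKindOld $s), $s
}
# The DN above is mis-classified by the old check ('QualifiedName') and
# correctly classified by the new order ('DN'); its RDNs split as:
Split-DistinguishedName 'CN=Smith\, John,OU=Admins,DC=example,DC=com'
```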
Jon Cave f2a9cb2ecc The DFS subfunctions only accept a single $Domain
Specifying the type as an array of strings results in an error when
passing on the parameter to Get-DomainSearcher:

    C:\> Get-DomainDFSShare -Domain test
    Get-DomainSearcher : Cannot process argument transformation on parameter 'Domain'. Cannot convert value to type System.String.
    At PowerView.ps1:10242 char:46
2017-04-05 13:15:54 +01:00
HarmJ0y 445f7b2510 Changed -KerberosPreauthNotRequired to -PreauthNotRequired 2017-01-16 23:52:19 -05:00
HarmJ0y 454e04005d Standardized output from Find-InterestingDomainAcl 2017-01-11 20:39:57 -05:00
HarmJ0y ea60b0e0a4 Merge branch 'dev' of github.com:PowerShellMafia/PowerSploit into dev 2017-01-11 20:16:20 -05:00
HarmJ0y 510cba8bcd Added displayname to the default filter set for Get-DomainObject[ACL] 2017-01-11 20:16:01 -05:00
HarmJ0y 1dd560b371 Merge pull request #210 from leechristensen/patch-3
Fixed KerberosPreauthNotRequired
2017-01-11 16:16:25 -08:00
HarmJ0y 8a2e1daaa3 Parenthesis for additional LDAP functions 2017-01-11 19:04:56 -05:00
HarmJ0y fa1baa64a8 Parenthesis escaping for Get-DomainObject DN searches 2017-01-11 18:00:27 -05:00
HarmJ0y d4166f80d4 bug fix for Get-DomainObject/Get-DomainObjectACL 2017-01-11 15:55:35 -05:00
HarmJ0y 6c113b7956 Fixed bug in Convert-ADName that output an array including null values instead of a string 2017-01-11 14:03:46 -05:00
Lee Christensen e08432954e Fixed KerberosPreauthNotRequired 2017-01-11 08:09:49 -08:00
HarmJ0y ce19ebd9ed Merge branch 'dev' of github.com:PowerShellMafia/PowerSploit into dev 2017-01-10 18:32:07 -05:00
HarmJ0y 9ea5c5b7f5 Couple of fixes for Get-DomainSPNTicket 2017-01-10 18:31:30 -05:00
Lee Christensen aecb0b57a4 Words :P 2017-01-09 22:18:36 -08:00
HarmJ0y 3f7a32d623 Get-DomainSPNTicket/Invoke-Kerberoast now include 'real' user data in the hash output.
Added a bit more error handling when requesting the SPN kerberos ticket.
2017-01-08 22:28:51 -05:00
Mike Brancato d1060930c7 Fix errors gathering the forest SID
Pull the SID directly from the 'krbtgt' user to avoid errors in ConvertTo-SID
2017-01-04 23:23:25 -05:00
HarmJ0y 96ae5e3f61 type correction 2016-12-20 23:13:46 -05:00
HarmJ0y 9853900578 Type fix.
Added -TrustedToAuth to Get-DomainUser
2016-12-15 19:04:53 -05:00
HarmJ0y 831dde1268 Bug fix for the Find-DomainUserLocation bug fix :) 2016-12-15 12:45:18 -05:00
HarmJ0y 601ad0cf3f Logic bug fix in Get-DomainFileServer
-Domain bug fix in Find-DomainUserLocation stealth
2016-12-15 12:32:17 -05:00
HarmJ0y ad32d6c75b For ./Recon/ :
-(More) PSScriptAnalyzering
    -Tweaking of synopsis blocks in order to support platyPS
    -Code standardization
    -Generated docs
2016-12-14 19:23:28 -05:00
HarmJ0y 85b374c05b -Fixes for PSScriptAnalyzer compatibility
-More error handling
2016-12-14 13:39:50 -05:00
HarmJ0y f00e3fc6c4 Added Set-DomainObjectOwner to modify an object's owner
Modified Convert-LDAPProperty to break out sections of ntsecuritydescriptor
2016-12-13 17:21:10 -05:00
HarmJ0y f4f5fb1460 Added Set-DomainUserPassword to reset a particular user's password.
Reformatted documentation.
2016-12-13 16:00:28 -05:00
HarmJ0y 7f10db7827 Added spacing to prep for platyPS doc generation. 2016-12-12 21:00:43 -05:00
HarmJ0y 6aca12a956 Typo correction and Recon README.md update 2016-12-12 20:36:42 -05:00
HarmJ0y 32bd21e335 bug fix in Get-DomainSearcher 2016-12-12 19:02:26 -05:00
HarmJ0y 7c32bf69f3 -Complete ground-up rewrite of PowerView
-Lots of function cleanup/code rot removal and standardization
    -Additional options added to Get-DomainSearcher in order to support new param sets
    -Expanded parameter validation
    -XML help format standardized
    -PSScriptAnalyzer fixups- passes PS script analyzer now!
    -Nearly all functions should tag custom types to output objects
-Identity supported by all appropriate functions
-Transformed all filters to functions
-Expanded the formats for Convert-ADName
-Get-SPNTicket returns enc part automatically now, and Hashcat output format added
-Write-Verbose/Write-Warning/Throw messages now have the function name tagged in the message
-Verb-Domain* functions now all include a -FindOne function to return one result
-Get-DomainUserEvent now uses -XPathFilter for a massive speedup
-ALL Verb-Domain* (LDAP) functions now return full data objects (no more -FullData). Use -Properties for paring down.
-Lots of bug fixes
-"Required Dependencies" for each function completed
-Fixed logic bugs for -ComputerIdentity in Get-DomainGPO, now enumerates domain-linked GPOs as well
-Added -UserIdentity to Get-DomainGPO to enumerate GPOs applied to a given user identity

New function naming scheme with proper Verb-PrefixNoun syntax to better match the 'real' AD cmdlets:
    Verbs:
        Get     - retrieve full raw data sets
        Find    - 'find' specific data entries in a data set or execute threaded computer enumeration
        Add     - add a new object to a destination
        Set     - modify a given object
        Invoke  - lazy catch-all
    Prefixes now give an indication of the data source:
        Verb-DomainX    -   LDAP/.NET AD connections (e.g. Get-DomainUser)
        Verb-WMIX       -   Uses WMI for connections/enumeration of a specific host (e.g. Get-WMIRegLastLoggedOn)
        Verb-NetX       -   API access (e.g. Get-NetSession)
    Nouns have been renamed to be more descriptive
    Big gotcha:
        Get-NetLocalGroup - now returns local *groups* themselves
        Get-NetLocalGroupMember - returns local group *members* (old Get-NetLocalGroup)

-Parameter sets standardized - parameters shared as appropriate across functions
    -Identity -> replaces -UserName/-GroupName/etc. Accepts samAccountName, GUID, distinguishedName, SID
        -these can be used in tandem -> Get-DomainUser "S-1-5-21-890171859-3433809279-3366196753-1108","administrator"
    -Properties -> return only the specified properties (i.e. Get-DomainUser -Properties samAccountName,lastLogon)
    -LDAPFilter replaces -Filter, -SearchBase replaces -ADSPath, -Server replaces -DomainController
    -ServerTimeLimit, -SearchScope, -Tombstone, -SecurityMasks added for most functions

All functions (as appropriate) now support -Credential:
    -Verb-Domain* (LDAP) functions use alternate creds for a DirectorySearcher through Get-DomainSearcher
    -COM methods (i.e. Convert-ADName) use appropriate initializations
    -Verb-WMI methods pass the -Credential through as appropriate
    -Verb-Net* (API) functions use Invoke-UserImpersonation/Invoke-RevertToSelf implicitly for token impersonation

Removed functions:
    Get-ComputerProperty, Get-UserProperty, Find-ComputerField, Find-UserField
    Get-NameField (translated to ValueFromPipelineByPropertyName calls)
    Invoke-DowngradeAccount - not used
    Add-NetUser - split into New-DomainUser/others
    Add-NetGroupUser - split into Add-DomainGroupMember/others
    New-GPOImmediateTask - inconsistent and better done manually
    Invoke-StealthUserHunter - combined into Find-DomainUserLocation
    Get-ExploitableSystem

Added helper functions:
    Get-PrincipalContext - helper to return a DirectoryServices.AccountManagement.PrincipalContext
    Get-ForestSchemaClass - returns the forest schema for a specified object class

Added exported functions:
    Add-RemoteConnection - 'mounts' a remote UNC path using WNetAddConnection2W
    Remove-RemoteConnection - 'unmounts' a remote UNC path using WNetCancelConnection2
    Invoke-UserImpersonation - creates a new "runas /netonly" type logon and impersonates the token in the current thread
    Invoke-RevertToSelf - reverts any token impersonation
    Invoke-Kerberoast - automates Kerberoasting
    Find-DomainObjectPropertyOutlier - finds user/group/computer objects in AD that have 'outlier' properties sets
    New-DomainUser - creates a new domain user
    New-DomainGroup - creates a new domain group
    Add-DomainGroupMember - adds a domain user (or group) to an existing domain group
    Get-NetLocalGroup - now returns local *groups* themselves
    Get-NetLocalGroupMember - returns local group *members* (old Get-NetLocalGroup)

Renamed functions (aliases created for old functions):
    Get-IPAddress -> Resolve-IPAddress
    Convert-NameToSid -> ConvertTo-SID
    Convert-SidToName -> ConvertFrom-SID
    Request-SPNTicket -> Get-DomainSPNTicket
    Get-DNSZone -> Get-DomainDNSZone
    Get-DNSRecord -> Get-DomainDNSRecord
    Get-NetDomain -> Get-Domain
    Get-NetDomainController -> Get-DomainController
    Get-NetForest -> Get-Forest
    Get-NetForestDomain -> Get-ForestDomain
    Get-NetForestCatalog -> Get-ForestGlobalCatalog
    Get-NetUser -> Get-DomainUser
    Get-UserEvent -> Get-DomainUserEvent
    Get-NetComputer -> Get-DomainComputer
    Get-ADObject -> Get-DomainObject
    Set-ADObject -> Set-DomainObject
    Get-ObjectAcl -> Get-DomainObjectAcl
    Add-ObjectAcl -> Add-DomainObjectAcl
    Invoke-ACLScanner -> Find-InterestingDomainAcl
    Get-GUIDMap -> Get-DomainGUIDMap
    Get-NetOU -> Get-DomainOU
    Get-NetSite -> Get-DomainSite
    Get-NetSubnet -> Get-DomainSubnet
    Get-NetGroup -> Get-DomainGroup
    Find-ManagedSecurityGroups -> Get-DomainManagedSecurityGroup
    Get-NetGroupMember -> Get-DomainGroupMember
    Get-NetFileServer -> Get-DomainFileServer
    Get-DFSshare -> Get-DomainDFSShare
    Get-NetGPO -> Get-DomainGPO
    Get-NetGPOGroup -> Get-DomainGPOLocalGroup
    Find-GPOLocation -> Get-DomainGPOUserLocalGroupMapping
    Find-GPOComputerAdmin -> Get-DomainGPOComputerLocalGroupMapping
    Get-LoggedOnLocal -> Get-RegLoggedOn
    Test-AdminAccess -> Invoke-CheckLocalAdminAccess
    Get-SiteName -> Get-NetComputerSiteName
    Get-Proxy -> Get-WMIRegProxy
    Get-LastLoggedOn -> Get-WMIRegLastLoggedOn
    Get-CachedRDPConnection -> Get-WMIRegCachedRDPConnection
    Get-RegistryMountedDrive -> Get-WMIRegMountedDrive
    Get-NetProcess -> Get-WMIProcess
    Invoke-ThreadedFunction -> New-ThreadedFunction
    Invoke-UserHunter -> Find-DomainUserLocation
    Invoke-ProcessHunter -> Find-DomainProcess
    Invoke-EventHunter -> Find-DomainUserEvent
    Invoke-ShareFinder -> Find-DomainShare
    Invoke-FileFinder -> Find-InterestingDomainShareFile
    Invoke-EnumerateLocalAdmin -> Find-DomainLocalGroupMember
    Get-NetDomainTrust -> Get-DomainTrust
    Get-NetForestTrust -> Get-ForestTrust
    Find-ForeignUser -> Get-DomainForeignUser
    Find-ForeignGroup -> Get-DomainForeignGroupMember
    Invoke-MapDomainTrust -> Get-DomainTrustMapping
2016-12-12 14:35:05 -05:00
Antonio Quina 7b49e54eec Updated Get-ExploitableSystem
Removed *_netapi from Vista/2008 in Get-ExploitableSystem as they are not vulnerable
2016-12-01 09:19:54 +01:00
HarmJ0y 67dab8651c Merge pull request #187 from Meatballs1/filter_getnetfileservers
Add disabled and present searches to get-netfileservers
2016-12-01 01:03:38 -05:00
HarmJ0y 520bf436ce Merge pull request #174 from Meatballs1/securitygroups
Retrieve Security groups by default
2016-12-01 01:03:11 -05:00
Meatballs a70bbe6164 Add disabled and present searches to get-netfileservers 2016-11-01 14:11:44 +00:00
Nick Landers 8e41548e65 Break on ticket capture 2016-09-13 16:59:03 -06:00
HarmJ0y 5e2200bab7 Merge pull request #173 from joncave/user_polling
PowerView: Invoke-UserHunter -Poll
2016-09-06 13:45:45 -07:00
Matan Hart 432cc017ba Add the EncPart param to Request-SPNTicket
Adds the ability to return the encrypted part of the ticket. 
This portion is the encrypted data that can be brute-forced with Kerberoast/Hashcat/JtR
2016-08-25 12:27:15 +03:00
Meatballs 917a095a81 Modify dependent functions 2016-08-13 20:26:29 +01:00
Meatballs 462c6e83cb Retrieve Security groups by default 2016-08-13 20:21:23 +01:00
Jon Cave 9b365e82b1 Continuously collect output from background threads
The PowerShell.BeginInvoke<TInput, TOutput>(PSDataCollection<TInput>, PSDataCollection<TOutput>)
method[1] is used to collect output from
each job into a buffer. This can be read whilst the jobs are still
running. Being able to return partial results is particularly useful for
long running background threads, such as Invoke-UserHunter -Poll.

PowerShell 2.0 doesn't play nicely with generic methods. The technique
described in [2] is used to allow this version of BeginInvoke() to be
used.

[1] https://msdn.microsoft.com/en-us/library/dd182440(v=vs.85).aspx
[2] http://www.leeholmes.com/blog/2007/06/19/invoking-generic-methods-on-non-generic-classes-in-powershell/
2016-08-13 12:14:35 +01:00
Jon Cave fda456338f Add a polling mode to Invoke-UserHunter
Repeatedly poll a set of target computers for user sessions. This could
be a useful technique for building a much better picture of current
sessions, but without having to communicate with every host.

The -Poll parameter is used to specify the duration for which polling
should occur. Each target computer is given a dedicated thread, with
-Delay and -Jitter specifying how long to sleep between each session
enumeration attempt against an individual host.
2016-08-13 12:00:44 +01:00
Harmj0y 038adce56e type 2016-07-15 17:34:23 -04:00
Harmj0y b74e515198 Fix for issue #167 2016-07-15 17:33:04 -04:00
Jon Cave 325cc849d7 Use correct variable 2016-06-27 17:53:59 +02:00
Jon Cave 5a05a024b6 Fix Get-GroupsXML for multiple <Group> tags
Select all <Group> nodes and iterate through them, not just the root
<Groups> node.
2016-06-27 17:52:28 +02:00
Harmj0y 81ac124f22 Changed Get-NetGroup and Get-NetGroupMember to search for samaccountname instead of name 2016-06-24 16:51:16 -04:00
Harmj0y 3049211f53 Fixed Find-LocalAdminAccess to properly check for the object output from Invoke-CheckLocalAdminAccess...whoops 2016-06-24 16:11:20 -04:00
Harmj0y cd1e10b8fd Turned Get-GptTmpl and Get-GroupsXML into filters 2016-06-24 16:07:26 -04:00