6064 lines
223 KiB
PowerShell
6064 lines
223 KiB
PowerShell
#requires -version 2
|
|
|
|
<#
|
|
|
|
File: BloodHound.ps1
|
|
Author: Will Schroeder (@harmj0y)
|
|
License: BSD 3-Clause
|
|
Required Dependencies: None
|
|
Optional Dependencies: None
|
|
|
|
#>
|
|
|
|
########################################################
|
|
#
|
|
# PSReflect code for Windows API access
|
|
# Author: @mattifestation
|
|
# https://raw.githubusercontent.com/mattifestation/PSReflect/master/PSReflect.psm1
|
|
#
|
|
########################################################
|
|
|
|
function New-InMemoryModule
|
|
{
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Creates an in-memory assembly and module
|
|
|
|
Author: Matthew Graeber (@mattifestation)
|
|
License: BSD 3-Clause
|
|
Required Dependencies: None
|
|
Optional Dependencies: None
|
|
|
|
.DESCRIPTION
|
|
|
|
When defining custom enums, structs, and unmanaged functions, it is
|
|
necessary to associate to an assembly module. This helper function
|
|
creates an in-memory module that can be passed to the 'enum',
|
|
'struct', and Add-Win32Type functions.
|
|
|
|
.PARAMETER ModuleName
|
|
|
|
Specifies the desired name for the in-memory assembly and module. If
|
|
ModuleName is not provided, it will default to a GUID.
|
|
|
|
.EXAMPLE
|
|
|
|
$Module = New-InMemoryModule -ModuleName Win32
|
|
#>
|
|
|
|
Param
|
|
(
|
|
[Parameter(Position = 0)]
|
|
[ValidateNotNullOrEmpty()]
|
|
[String]
|
|
$ModuleName = [Guid]::NewGuid().ToString()
|
|
)
|
|
|
|
$LoadedAssemblies = [AppDomain]::CurrentDomain.GetAssemblies()
|
|
|
|
ForEach ($Assembly in $LoadedAssemblies) {
|
|
if ($Assembly.FullName -and ($Assembly.FullName.Split(',')[0] -eq $ModuleName)) {
|
|
return $Assembly
|
|
}
|
|
}
|
|
|
|
$DynAssembly = New-Object Reflection.AssemblyName($ModuleName)
|
|
$Domain = [AppDomain]::CurrentDomain
|
|
$AssemblyBuilder = $Domain.DefineDynamicAssembly($DynAssembly, 'Run')
|
|
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule($ModuleName, $False)
|
|
|
|
return $ModuleBuilder
|
|
}
|
|
|
|
|
|
# A helper function used to reduce typing while defining function
|
|
# prototypes for Add-Win32Type.
|
|
function func
|
|
{
|
|
Param
|
|
(
|
|
[Parameter(Position = 0, Mandatory = $True)]
|
|
[String]
|
|
$DllName,
|
|
|
|
[Parameter(Position = 1, Mandatory = $True)]
|
|
[String]
|
|
$FunctionName,
|
|
|
|
[Parameter(Position = 2, Mandatory = $True)]
|
|
[Type]
|
|
$ReturnType,
|
|
|
|
[Parameter(Position = 3)]
|
|
[Type[]]
|
|
$ParameterTypes,
|
|
|
|
[Parameter(Position = 4)]
|
|
[Runtime.InteropServices.CallingConvention]
|
|
$NativeCallingConvention,
|
|
|
|
[Parameter(Position = 5)]
|
|
[Runtime.InteropServices.CharSet]
|
|
$Charset,
|
|
|
|
[Switch]
|
|
$SetLastError
|
|
)
|
|
|
|
$Properties = @{
|
|
DllName = $DllName
|
|
FunctionName = $FunctionName
|
|
ReturnType = $ReturnType
|
|
}
|
|
|
|
if ($ParameterTypes) { $Properties['ParameterTypes'] = $ParameterTypes }
|
|
if ($NativeCallingConvention) { $Properties['NativeCallingConvention'] = $NativeCallingConvention }
|
|
if ($Charset) { $Properties['Charset'] = $Charset }
|
|
if ($SetLastError) { $Properties['SetLastError'] = $SetLastError }
|
|
|
|
New-Object PSObject -Property $Properties
|
|
}
|
|
|
|
|
|
function Add-Win32Type
|
|
{
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Creates a .NET type for an unmanaged Win32 function.
|
|
|
|
Author: Matthew Graeber (@mattifestation)
|
|
License: BSD 3-Clause
|
|
Required Dependencies: None
|
|
Optional Dependencies: func
|
|
|
|
.DESCRIPTION
|
|
|
|
Add-Win32Type enables you to easily interact with unmanaged (i.e.
|
|
Win32 unmanaged) functions in PowerShell. After providing
|
|
Add-Win32Type with a function signature, a .NET type is created
|
|
using reflection (i.e. csc.exe is never called like with Add-Type).
|
|
|
|
The 'func' helper function can be used to reduce typing when defining
|
|
multiple function definitions.
|
|
|
|
.PARAMETER DllName
|
|
|
|
The name of the DLL.
|
|
|
|
.PARAMETER FunctionName
|
|
|
|
The name of the target function.
|
|
|
|
.PARAMETER ReturnType
|
|
|
|
The return type of the function.
|
|
|
|
.PARAMETER ParameterTypes
|
|
|
|
The function parameters.
|
|
|
|
.PARAMETER NativeCallingConvention
|
|
|
|
Specifies the native calling convention of the function. Defaults to
|
|
stdcall.
|
|
|
|
.PARAMETER Charset
|
|
|
|
If you need to explicitly call an 'A' or 'W' Win32 function, you can
|
|
specify the character set.
|
|
|
|
.PARAMETER SetLastError
|
|
|
|
Indicates whether the callee calls the SetLastError Win32 API
|
|
function before returning from the attributed method.
|
|
|
|
.PARAMETER Module
|
|
|
|
The in-memory module that will host the functions. Use
|
|
New-InMemoryModule to define an in-memory module.
|
|
|
|
.PARAMETER Namespace
|
|
|
|
An optional namespace to prepend to the type. Add-Win32Type defaults
|
|
to a namespace consisting only of the name of the DLL.
|
|
|
|
.EXAMPLE
|
|
|
|
$Mod = New-InMemoryModule -ModuleName Win32
|
|
|
|
$FunctionDefinitions = @(
|
|
(func kernel32 GetProcAddress ([IntPtr]) @([IntPtr], [String]) -Charset Ansi -SetLastError),
|
|
(func kernel32 GetModuleHandle ([Intptr]) @([String]) -SetLastError),
|
|
(func ntdll RtlGetCurrentPeb ([IntPtr]) @())
|
|
)
|
|
|
|
$Types = $FunctionDefinitions | Add-Win32Type -Module $Mod -Namespace 'Win32'
|
|
$Kernel32 = $Types['kernel32']
|
|
$Ntdll = $Types['ntdll']
|
|
$Ntdll::RtlGetCurrentPeb()
|
|
$ntdllbase = $Kernel32::GetModuleHandle('ntdll')
|
|
$Kernel32::GetProcAddress($ntdllbase, 'RtlGetCurrentPeb')
|
|
|
|
.NOTES
|
|
|
|
Inspired by Lee Holmes' Invoke-WindowsApi http://poshcode.org/2189
|
|
|
|
When defining multiple function prototypes, it is ideal to provide
|
|
Add-Win32Type with an array of function signatures. That way, they
|
|
are all incorporated into the same in-memory module.
|
|
#>
|
|
|
|
[OutputType([Hashtable])]
|
|
Param(
|
|
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
|
|
[String]
|
|
$DllName,
|
|
|
|
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
|
|
[String]
|
|
$FunctionName,
|
|
|
|
[Parameter(Mandatory = $True, ValueFromPipelineByPropertyName = $True)]
|
|
[Type]
|
|
$ReturnType,
|
|
|
|
[Parameter(ValueFromPipelineByPropertyName = $True)]
|
|
[Type[]]
|
|
$ParameterTypes,
|
|
|
|
[Parameter(ValueFromPipelineByPropertyName = $True)]
|
|
[Runtime.InteropServices.CallingConvention]
|
|
$NativeCallingConvention = [Runtime.InteropServices.CallingConvention]::StdCall,
|
|
|
|
[Parameter(ValueFromPipelineByPropertyName = $True)]
|
|
[Runtime.InteropServices.CharSet]
|
|
$Charset = [Runtime.InteropServices.CharSet]::Auto,
|
|
|
|
[Parameter(ValueFromPipelineByPropertyName = $True)]
|
|
[Switch]
|
|
$SetLastError,
|
|
|
|
[Parameter(Mandatory = $True)]
|
|
[ValidateScript({($_ -is [Reflection.Emit.ModuleBuilder]) -or ($_ -is [Reflection.Assembly])})]
|
|
$Module,
|
|
|
|
[ValidateNotNull()]
|
|
[String]
|
|
$Namespace = ''
|
|
)
|
|
|
|
BEGIN
|
|
{
|
|
$TypeHash = @{}
|
|
}
|
|
|
|
PROCESS
|
|
{
|
|
if ($Module -is [Reflection.Assembly])
|
|
{
|
|
if ($Namespace)
|
|
{
|
|
$TypeHash[$DllName] = $Module.GetType("$Namespace.$DllName")
|
|
}
|
|
else
|
|
{
|
|
$TypeHash[$DllName] = $Module.GetType($DllName)
|
|
}
|
|
}
|
|
else
|
|
{
|
|
# Define one type for each DLL
|
|
if (!$TypeHash.ContainsKey($DllName))
|
|
{
|
|
if ($Namespace)
|
|
{
|
|
$TypeHash[$DllName] = $Module.DefineType("$Namespace.$DllName", 'Public,BeforeFieldInit')
|
|
}
|
|
else
|
|
{
|
|
$TypeHash[$DllName] = $Module.DefineType($DllName, 'Public,BeforeFieldInit')
|
|
}
|
|
}
|
|
|
|
$Method = $TypeHash[$DllName].DefineMethod(
|
|
$FunctionName,
|
|
'Public,Static,PinvokeImpl',
|
|
$ReturnType,
|
|
$ParameterTypes)
|
|
|
|
# Make each ByRef parameter an Out parameter
|
|
$i = 1
|
|
ForEach($Parameter in $ParameterTypes)
|
|
{
|
|
if ($Parameter.IsByRef)
|
|
{
|
|
[void] $Method.DefineParameter($i, 'Out', $Null)
|
|
}
|
|
|
|
$i++
|
|
}
|
|
|
|
$DllImport = [Runtime.InteropServices.DllImportAttribute]
|
|
$SetLastErrorField = $DllImport.GetField('SetLastError')
|
|
$CallingConventionField = $DllImport.GetField('CallingConvention')
|
|
$CharsetField = $DllImport.GetField('CharSet')
|
|
if ($SetLastError) { $SLEValue = $True } else { $SLEValue = $False }
|
|
|
|
# Equivalent to C# version of [DllImport(DllName)]
|
|
$Constructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor([String])
|
|
$DllImportAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($Constructor,
|
|
$DllName, [Reflection.PropertyInfo[]] @(), [Object[]] @(),
|
|
[Reflection.FieldInfo[]] @($SetLastErrorField, $CallingConventionField, $CharsetField),
|
|
[Object[]] @($SLEValue, ([Runtime.InteropServices.CallingConvention] $NativeCallingConvention), ([Runtime.InteropServices.CharSet] $Charset)))
|
|
|
|
$Method.SetCustomAttribute($DllImportAttribute)
|
|
}
|
|
}
|
|
|
|
END
|
|
{
|
|
if ($Module -is [Reflection.Assembly])
|
|
{
|
|
return $TypeHash
|
|
}
|
|
|
|
$ReturnTypes = @{}
|
|
|
|
ForEach ($Key in $TypeHash.Keys)
|
|
{
|
|
$Type = $TypeHash[$Key].CreateType()
|
|
|
|
$ReturnTypes[$Key] = $Type
|
|
}
|
|
|
|
return $ReturnTypes
|
|
}
|
|
}
|
|
|
|
|
|
function psenum
|
|
{
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Creates an in-memory enumeration for use in your PowerShell session.
|
|
|
|
Author: Matthew Graeber (@mattifestation)
|
|
License: BSD 3-Clause
|
|
Required Dependencies: None
|
|
Optional Dependencies: None
|
|
|
|
.DESCRIPTION
|
|
|
|
The 'psenum' function facilitates the creation of enums entirely in
|
|
memory using as close to a "C style" as PowerShell will allow.
|
|
|
|
.PARAMETER Module
|
|
|
|
The in-memory module that will host the enum. Use
|
|
New-InMemoryModule to define an in-memory module.
|
|
|
|
.PARAMETER FullName
|
|
|
|
The fully-qualified name of the enum.
|
|
|
|
.PARAMETER Type
|
|
|
|
The type of each enum element.
|
|
|
|
.PARAMETER EnumElements
|
|
|
|
A hashtable of enum elements.
|
|
|
|
.PARAMETER Bitfield
|
|
|
|
Specifies that the enum should be treated as a bitfield.
|
|
|
|
.EXAMPLE
|
|
|
|
$Mod = New-InMemoryModule -ModuleName Win32
|
|
|
|
$ImageSubsystem = psenum $Mod PE.IMAGE_SUBSYSTEM UInt16 @{
|
|
UNKNOWN = 0
|
|
NATIVE = 1 # Image doesn't require a subsystem.
|
|
WINDOWS_GUI = 2 # Image runs in the Windows GUI subsystem.
|
|
WINDOWS_CUI = 3 # Image runs in the Windows character subsystem.
|
|
OS2_CUI = 5 # Image runs in the OS/2 character subsystem.
|
|
POSIX_CUI = 7 # Image runs in the Posix character subsystem.
|
|
NATIVE_WINDOWS = 8 # Image is a native Win9x driver.
|
|
WINDOWS_CE_GUI = 9 # Image runs in the Windows CE subsystem.
|
|
EFI_APPLICATION = 10
|
|
EFI_BOOT_SERVICE_DRIVER = 11
|
|
EFI_RUNTIME_DRIVER = 12
|
|
EFI_ROM = 13
|
|
XBOX = 14
|
|
WINDOWS_BOOT_APPLICATION = 16
|
|
}
|
|
|
|
.NOTES
|
|
|
|
PowerShell purists may disagree with the naming of this function but
|
|
again, this was developed in such a way so as to emulate a "C style"
|
|
definition as closely as possible. Sorry, I'm not going to name it
|
|
New-Enum. :P
|
|
#>
|
|
|
|
[OutputType([Type])]
|
|
Param
|
|
(
|
|
[Parameter(Position = 0, Mandatory = $True)]
|
|
[ValidateScript({($_ -is [Reflection.Emit.ModuleBuilder]) -or ($_ -is [Reflection.Assembly])})]
|
|
$Module,
|
|
|
|
[Parameter(Position = 1, Mandatory = $True)]
|
|
[ValidateNotNullOrEmpty()]
|
|
[String]
|
|
$FullName,
|
|
|
|
[Parameter(Position = 2, Mandatory = $True)]
|
|
[Type]
|
|
$Type,
|
|
|
|
[Parameter(Position = 3, Mandatory = $True)]
|
|
[ValidateNotNullOrEmpty()]
|
|
[Hashtable]
|
|
$EnumElements,
|
|
|
|
[Switch]
|
|
$Bitfield
|
|
)
|
|
|
|
if ($Module -is [Reflection.Assembly])
|
|
{
|
|
return ($Module.GetType($FullName))
|
|
}
|
|
|
|
$EnumType = $Type -as [Type]
|
|
|
|
$EnumBuilder = $Module.DefineEnum($FullName, 'Public', $EnumType)
|
|
|
|
if ($Bitfield)
|
|
{
|
|
$FlagsConstructor = [FlagsAttribute].GetConstructor(@())
|
|
$FlagsCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($FlagsConstructor, @())
|
|
$EnumBuilder.SetCustomAttribute($FlagsCustomAttribute)
|
|
}
|
|
|
|
ForEach ($Key in $EnumElements.Keys)
|
|
{
|
|
# Apply the specified enum type to each element
|
|
$Null = $EnumBuilder.DefineLiteral($Key, $EnumElements[$Key] -as $EnumType)
|
|
}
|
|
|
|
$EnumBuilder.CreateType()
|
|
}
|
|
|
|
|
|
# A helper function used to reduce typing while defining struct
|
|
# fields.
|
|
function field
|
|
{
|
|
Param
|
|
(
|
|
[Parameter(Position = 0, Mandatory = $True)]
|
|
[UInt16]
|
|
$Position,
|
|
|
|
[Parameter(Position = 1, Mandatory = $True)]
|
|
[Type]
|
|
$Type,
|
|
|
|
[Parameter(Position = 2)]
|
|
[UInt16]
|
|
$Offset,
|
|
|
|
[Object[]]
|
|
$MarshalAs
|
|
)
|
|
|
|
@{
|
|
Position = $Position
|
|
Type = $Type -as [Type]
|
|
Offset = $Offset
|
|
MarshalAs = $MarshalAs
|
|
}
|
|
}
|
|
|
|
|
|
function struct
|
|
{
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Creates an in-memory struct for use in your PowerShell session.
|
|
|
|
Author: Matthew Graeber (@mattifestation)
|
|
License: BSD 3-Clause
|
|
Required Dependencies: None
|
|
Optional Dependencies: field
|
|
|
|
.DESCRIPTION
|
|
|
|
The 'struct' function facilitates the creation of structs entirely in
|
|
memory using as close to a "C style" as PowerShell will allow. Struct
|
|
fields are specified using a hashtable where each field of the struct
|
|
is comprosed of the order in which it should be defined, its .NET
|
|
type, and optionally, its offset and special marshaling attributes.
|
|
|
|
One of the features of 'struct' is that after your struct is defined,
|
|
it will come with a built-in GetSize method as well as an explicit
|
|
converter so that you can easily cast an IntPtr to the struct without
|
|
relying upon calling SizeOf and/or PtrToStructure in the Marshal
|
|
class.
|
|
|
|
.PARAMETER Module
|
|
|
|
The in-memory module that will host the struct. Use
|
|
New-InMemoryModule to define an in-memory module.
|
|
|
|
.PARAMETER FullName
|
|
|
|
The fully-qualified name of the struct.
|
|
|
|
.PARAMETER StructFields
|
|
|
|
A hashtable of fields. Use the 'field' helper function to ease
|
|
defining each field.
|
|
|
|
.PARAMETER PackingSize
|
|
|
|
Specifies the memory alignment of fields.
|
|
|
|
.PARAMETER ExplicitLayout
|
|
|
|
Indicates that an explicit offset for each field will be specified.
|
|
|
|
.EXAMPLE
|
|
|
|
$Mod = New-InMemoryModule -ModuleName Win32
|
|
|
|
$ImageDosSignature = psenum $Mod PE.IMAGE_DOS_SIGNATURE UInt16 @{
|
|
DOS_SIGNATURE = 0x5A4D
|
|
OS2_SIGNATURE = 0x454E
|
|
OS2_SIGNATURE_LE = 0x454C
|
|
VXD_SIGNATURE = 0x454C
|
|
}
|
|
|
|
$ImageDosHeader = struct $Mod PE.IMAGE_DOS_HEADER @{
|
|
e_magic = field 0 $ImageDosSignature
|
|
e_cblp = field 1 UInt16
|
|
e_cp = field 2 UInt16
|
|
e_crlc = field 3 UInt16
|
|
e_cparhdr = field 4 UInt16
|
|
e_minalloc = field 5 UInt16
|
|
e_maxalloc = field 6 UInt16
|
|
e_ss = field 7 UInt16
|
|
e_sp = field 8 UInt16
|
|
e_csum = field 9 UInt16
|
|
e_ip = field 10 UInt16
|
|
e_cs = field 11 UInt16
|
|
e_lfarlc = field 12 UInt16
|
|
e_ovno = field 13 UInt16
|
|
e_res = field 14 UInt16[] -MarshalAs @('ByValArray', 4)
|
|
e_oemid = field 15 UInt16
|
|
e_oeminfo = field 16 UInt16
|
|
e_res2 = field 17 UInt16[] -MarshalAs @('ByValArray', 10)
|
|
e_lfanew = field 18 Int32
|
|
}
|
|
|
|
# Example of using an explicit layout in order to create a union.
|
|
$TestUnion = struct $Mod TestUnion @{
|
|
field1 = field 0 UInt32 0
|
|
field2 = field 1 IntPtr 0
|
|
} -ExplicitLayout
|
|
|
|
.NOTES
|
|
|
|
PowerShell purists may disagree with the naming of this function but
|
|
again, this was developed in such a way so as to emulate a "C style"
|
|
definition as closely as possible. Sorry, I'm not going to name it
|
|
New-Struct. :P
|
|
#>
|
|
|
|
[OutputType([Type])]
|
|
Param
|
|
(
|
|
[Parameter(Position = 1, Mandatory = $True)]
|
|
[ValidateScript({($_ -is [Reflection.Emit.ModuleBuilder]) -or ($_ -is [Reflection.Assembly])})]
|
|
$Module,
|
|
|
|
[Parameter(Position = 2, Mandatory = $True)]
|
|
[ValidateNotNullOrEmpty()]
|
|
[String]
|
|
$FullName,
|
|
|
|
[Parameter(Position = 3, Mandatory = $True)]
|
|
[ValidateNotNullOrEmpty()]
|
|
[Hashtable]
|
|
$StructFields,
|
|
|
|
[Reflection.Emit.PackingSize]
|
|
$PackingSize = [Reflection.Emit.PackingSize]::Unspecified,
|
|
|
|
[Switch]
|
|
$ExplicitLayout
|
|
)
|
|
|
|
if ($Module -is [Reflection.Assembly])
|
|
{
|
|
return ($Module.GetType($FullName))
|
|
}
|
|
|
|
[Reflection.TypeAttributes] $StructAttributes = 'AnsiClass,
|
|
Class,
|
|
Public,
|
|
Sealed,
|
|
BeforeFieldInit'
|
|
|
|
if ($ExplicitLayout)
|
|
{
|
|
$StructAttributes = $StructAttributes -bor [Reflection.TypeAttributes]::ExplicitLayout
|
|
}
|
|
else
|
|
{
|
|
$StructAttributes = $StructAttributes -bor [Reflection.TypeAttributes]::SequentialLayout
|
|
}
|
|
|
|
$StructBuilder = $Module.DefineType($FullName, $StructAttributes, [ValueType], $PackingSize)
|
|
$ConstructorInfo = [Runtime.InteropServices.MarshalAsAttribute].GetConstructors()[0]
|
|
$SizeConst = @([Runtime.InteropServices.MarshalAsAttribute].GetField('SizeConst'))
|
|
|
|
$Fields = New-Object Hashtable[]($StructFields.Count)
|
|
|
|
# Sort each field according to the orders specified
|
|
# Unfortunately, PSv2 doesn't have the luxury of the
|
|
# hashtable [Ordered] accelerator.
|
|
ForEach ($Field in $StructFields.Keys)
|
|
{
|
|
$Index = $StructFields[$Field]['Position']
|
|
$Fields[$Index] = @{FieldName = $Field; Properties = $StructFields[$Field]}
|
|
}
|
|
|
|
ForEach ($Field in $Fields)
|
|
{
|
|
$FieldName = $Field['FieldName']
|
|
$FieldProp = $Field['Properties']
|
|
|
|
$Offset = $FieldProp['Offset']
|
|
$Type = $FieldProp['Type']
|
|
$MarshalAs = $FieldProp['MarshalAs']
|
|
|
|
$NewField = $StructBuilder.DefineField($FieldName, $Type, 'Public')
|
|
|
|
if ($MarshalAs)
|
|
{
|
|
$UnmanagedType = $MarshalAs[0] -as ([Runtime.InteropServices.UnmanagedType])
|
|
if ($MarshalAs[1])
|
|
{
|
|
$Size = $MarshalAs[1]
|
|
$AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo,
|
|
$UnmanagedType, $SizeConst, @($Size))
|
|
}
|
|
else
|
|
{
|
|
$AttribBuilder = New-Object Reflection.Emit.CustomAttributeBuilder($ConstructorInfo, [Object[]] @($UnmanagedType))
|
|
}
|
|
|
|
$NewField.SetCustomAttribute($AttribBuilder)
|
|
}
|
|
|
|
if ($ExplicitLayout) { $NewField.SetOffset($Offset) }
|
|
}
|
|
|
|
# Make the struct aware of its own size.
|
|
# No more having to call [Runtime.InteropServices.Marshal]::SizeOf!
|
|
$SizeMethod = $StructBuilder.DefineMethod('GetSize',
|
|
'Public, Static',
|
|
[Int],
|
|
[Type[]] @())
|
|
$ILGenerator = $SizeMethod.GetILGenerator()
|
|
# Thanks for the help, Jason Shirk!
|
|
$ILGenerator.Emit([Reflection.Emit.OpCodes]::Ldtoken, $StructBuilder)
|
|
$ILGenerator.Emit([Reflection.Emit.OpCodes]::Call,
|
|
[Type].GetMethod('GetTypeFromHandle'))
|
|
$ILGenerator.Emit([Reflection.Emit.OpCodes]::Call,
|
|
[Runtime.InteropServices.Marshal].GetMethod('SizeOf', [Type[]] @([Type])))
|
|
$ILGenerator.Emit([Reflection.Emit.OpCodes]::Ret)
|
|
|
|
# Allow for explicit casting from an IntPtr
|
|
# No more having to call [Runtime.InteropServices.Marshal]::PtrToStructure!
|
|
$ImplicitConverter = $StructBuilder.DefineMethod('op_Implicit',
|
|
'PrivateScope, Public, Static, HideBySig, SpecialName',
|
|
$StructBuilder,
|
|
[Type[]] @([IntPtr]))
|
|
$ILGenerator2 = $ImplicitConverter.GetILGenerator()
|
|
$ILGenerator2.Emit([Reflection.Emit.OpCodes]::Nop)
|
|
$ILGenerator2.Emit([Reflection.Emit.OpCodes]::Ldarg_0)
|
|
$ILGenerator2.Emit([Reflection.Emit.OpCodes]::Ldtoken, $StructBuilder)
|
|
$ILGenerator2.Emit([Reflection.Emit.OpCodes]::Call,
|
|
[Type].GetMethod('GetTypeFromHandle'))
|
|
$ILGenerator2.Emit([Reflection.Emit.OpCodes]::Call,
|
|
[Runtime.InteropServices.Marshal].GetMethod('PtrToStructure', [Type[]] @([IntPtr], [Type])))
|
|
$ILGenerator2.Emit([Reflection.Emit.OpCodes]::Unbox_Any, $StructBuilder)
|
|
$ILGenerator2.Emit([Reflection.Emit.OpCodes]::Ret)
|
|
|
|
$StructBuilder.CreateType()
|
|
}
|
|
|
|
|
|
########################################################
|
|
#
|
|
# Misc. helpers
|
|
#
|
|
########################################################
|
|
|
|
filter Get-IniContent {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
This helper parses an .ini file into a proper PowerShell object.
|
|
|
|
Author: 'The Scripting Guys'
|
|
Link: https://blogs.technet.microsoft.com/heyscriptingguy/2011/08/20/use-powershell-to-work-with-any-ini-file/
|
|
|
|
.LINK
|
|
|
|
https://blogs.technet.microsoft.com/heyscriptingguy/2011/08/20/use-powershell-to-work-with-any-ini-file/
|
|
#>
|
|
[CmdletBinding()]
|
|
Param(
|
|
[Parameter(Mandatory=$True, ValueFromPipeline=$True, ValueFromPipelineByPropertyName=$True)]
|
|
[Alias('FullName')]
|
|
[ValidateScript({ Test-Path -Path $_ })]
|
|
[String[]]
|
|
$Path
|
|
)
|
|
|
|
ForEach($TargetPath in $Path) {
|
|
$IniObject = @{}
|
|
Switch -Regex -File $TargetPath {
|
|
"^\[(.+)\]" # Section
|
|
{
|
|
$Section = $matches[1].Trim()
|
|
$IniObject[$Section] = @{}
|
|
$CommentCount = 0
|
|
}
|
|
"^(;.*)$" # Comment
|
|
{
|
|
$Value = $matches[1].Trim()
|
|
$CommentCount = $CommentCount + 1
|
|
$Name = 'Comment' + $CommentCount
|
|
$IniObject[$Section][$Name] = $Value
|
|
}
|
|
"(.+?)\s*=(.*)" # Key
|
|
{
|
|
$Name, $Value = $matches[1..2]
|
|
$Name = $Name.Trim()
|
|
$Values = $Value.split(',') | ForEach-Object {$_.Trim()}
|
|
if($Values -isnot [System.Array]) {$Values = @($Values)}
|
|
$IniObject[$Section][$Name] = $Values
|
|
}
|
|
}
|
|
$IniObject
|
|
}
|
|
}
|
|
|
|
|
|
filter Get-IPAddress {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Resolves a given hostename to its associated IPv4 address.
|
|
If no hostname is provided, it defaults to returning
|
|
the IP address of the localhost.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-IPAddress -ComputerName SERVER
|
|
|
|
Return the IPv4 address of 'SERVER'
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-Content .\hostnames.txt | Get-IPAddress
|
|
|
|
Get the IP addresses of all hostnames in an input file.
|
|
#>
|
|
|
|
[CmdletBinding()]
|
|
param(
|
|
[Parameter(Position=0, ValueFromPipeline=$True)]
|
|
[Alias('HostName')]
|
|
[String]
|
|
$ComputerName = $Env:ComputerName
|
|
)
|
|
|
|
try {
|
|
# extract the computer name from whatever object was passed on the pipeline
|
|
$Computer = $ComputerName | Get-NameField
|
|
|
|
# get the IP resolution of this specified hostname
|
|
@(([Net.Dns]::GetHostEntry($Computer)).AddressList) | ForEach-Object {
|
|
if ($_.AddressFamily -eq 'InterNetwork') {
|
|
$Out = New-Object PSObject
|
|
$Out | Add-Member Noteproperty 'ComputerName' $Computer
|
|
$Out | Add-Member Noteproperty 'IPAddress' $_.IPAddressToString
|
|
$Out
|
|
}
|
|
}
|
|
}
|
|
catch {
|
|
Write-Verbose -Message 'Could not resolve host to an IP Address.'
|
|
}
|
|
}
|
|
|
|
|
|
filter Convert-NameToSid {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Converts a given user/group name to a security identifier (SID).
|
|
|
|
.PARAMETER ObjectName
|
|
|
|
The user/group name to convert, can be 'user' or 'DOMAIN\user' format.
|
|
|
|
.PARAMETER Domain
|
|
|
|
Specific domain for the given user account, defaults to the current domain.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Convert-NameToSid 'DEV\dfm'
|
|
#>
|
|
[CmdletBinding()]
|
|
param(
|
|
[Parameter(Mandatory=$True, ValueFromPipeline=$True)]
|
|
[String]
|
|
[Alias('Name')]
|
|
$ObjectName,
|
|
|
|
[String]
|
|
$Domain
|
|
)
|
|
|
|
$ObjectName = $ObjectName -Replace "/","\"
|
|
|
|
if($ObjectName.Contains("\")) {
|
|
# if we get a DOMAIN\user format, auto convert it
|
|
$Domain = $ObjectName.Split("\")[0]
|
|
$ObjectName = $ObjectName.Split("\")[1]
|
|
}
|
|
elseif(-not $Domain) {
|
|
$Domain = (Get-NetDomain).Name
|
|
}
|
|
|
|
try {
|
|
$Obj = (New-Object System.Security.Principal.NTAccount($Domain, $ObjectName))
|
|
$SID = $Obj.Translate([System.Security.Principal.SecurityIdentifier]).Value
|
|
|
|
$Out = New-Object PSObject
|
|
$Out | Add-Member Noteproperty 'ObjectName' $ObjectName
|
|
$Out | Add-Member Noteproperty 'SID' $SID
|
|
$Out
|
|
}
|
|
catch {
|
|
Write-Verbose "Invalid object/name: $Domain\$ObjectName"
|
|
$Null
|
|
}
|
|
}
|
|
|
|
|
|
filter Convert-SidToName {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Converts a security identifier (SID) to a group/user name.
|
|
|
|
.PARAMETER SID
|
|
|
|
The SID to convert.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Convert-SidToName S-1-5-21-2620891829-2411261497-1773853088-1105
|
|
#>
|
|
[CmdletBinding()]
|
|
param(
|
|
[Parameter(Mandatory=$True, ValueFromPipeline=$True)]
|
|
[String]
|
|
[ValidatePattern('^S-1-.*')]
|
|
$SID
|
|
)
|
|
|
|
try {
|
|
$SID2 = $SID.trim('*')
|
|
|
|
# try to resolve any built-in SIDs first
|
|
# from https://support.microsoft.com/en-us/kb/243330
|
|
Switch ($SID2) {
|
|
'S-1-0' { 'Null Authority' }
|
|
'S-1-0-0' { 'Nobody' }
|
|
'S-1-1' { 'World Authority' }
|
|
'S-1-1-0' { 'Everyone' }
|
|
'S-1-2' { 'Local Authority' }
|
|
'S-1-2-0' { 'Local' }
|
|
'S-1-2-1' { 'Console Logon ' }
|
|
'S-1-3' { 'Creator Authority' }
|
|
'S-1-3-0' { 'Creator Owner' }
|
|
'S-1-3-1' { 'Creator Group' }
|
|
'S-1-3-2' { 'Creator Owner Server' }
|
|
'S-1-3-3' { 'Creator Group Server' }
|
|
'S-1-3-4' { 'Owner Rights' }
|
|
'S-1-4' { 'Non-unique Authority' }
|
|
'S-1-5' { 'NT Authority' }
|
|
'S-1-5-1' { 'Dialup' }
|
|
'S-1-5-2' { 'Network' }
|
|
'S-1-5-3' { 'Batch' }
|
|
'S-1-5-4' { 'Interactive' }
|
|
'S-1-5-6' { 'Service' }
|
|
'S-1-5-7' { 'Anonymous' }
|
|
'S-1-5-8' { 'Proxy' }
|
|
'S-1-5-9' { 'Enterprise Domain Controllers' }
|
|
'S-1-5-10' { 'Principal Self' }
|
|
'S-1-5-11' { 'Authenticated Users' }
|
|
'S-1-5-12' { 'Restricted Code' }
|
|
'S-1-5-13' { 'Terminal Server Users' }
|
|
'S-1-5-14' { 'Remote Interactive Logon' }
|
|
'S-1-5-15' { 'This Organization ' }
|
|
'S-1-5-17' { 'This Organization ' }
|
|
'S-1-5-18' { 'Local System' }
|
|
'S-1-5-19' { 'NT Authority' }
|
|
'S-1-5-20' { 'NT Authority' }
|
|
'S-1-5-80-0' { 'All Services ' }
|
|
'S-1-5-32-544' { 'BUILTIN\Administrators' }
|
|
'S-1-5-32-545' { 'BUILTIN\Users' }
|
|
'S-1-5-32-546' { 'BUILTIN\Guests' }
|
|
'S-1-5-32-547' { 'BUILTIN\Power Users' }
|
|
'S-1-5-32-548' { 'BUILTIN\Account Operators' }
|
|
'S-1-5-32-549' { 'BUILTIN\Server Operators' }
|
|
'S-1-5-32-550' { 'BUILTIN\Print Operators' }
|
|
'S-1-5-32-551' { 'BUILTIN\Backup Operators' }
|
|
'S-1-5-32-552' { 'BUILTIN\Replicators' }
|
|
'S-1-5-32-554' { 'BUILTIN\Pre-Windows 2000 Compatible Access' }
|
|
'S-1-5-32-555' { 'BUILTIN\Remote Desktop Users' }
|
|
'S-1-5-32-556' { 'BUILTIN\Network Configuration Operators' }
|
|
'S-1-5-32-557' { 'BUILTIN\Incoming Forest Trust Builders' }
|
|
'S-1-5-32-558' { 'BUILTIN\Performance Monitor Users' }
|
|
'S-1-5-32-559' { 'BUILTIN\Performance Log Users' }
|
|
'S-1-5-32-560' { 'BUILTIN\Windows Authorization Access Group' }
|
|
'S-1-5-32-561' { 'BUILTIN\Terminal Server License Servers' }
|
|
'S-1-5-32-562' { 'BUILTIN\Distributed COM Users' }
|
|
'S-1-5-32-569' { 'BUILTIN\Cryptographic Operators' }
|
|
'S-1-5-32-573' { 'BUILTIN\Event Log Readers' }
|
|
'S-1-5-32-574' { 'BUILTIN\Certificate Service DCOM Access' }
|
|
'S-1-5-32-575' { 'BUILTIN\RDS Remote Access Servers' }
|
|
'S-1-5-32-576' { 'BUILTIN\RDS Endpoint Servers' }
|
|
'S-1-5-32-577' { 'BUILTIN\RDS Management Servers' }
|
|
'S-1-5-32-578' { 'BUILTIN\Hyper-V Administrators' }
|
|
'S-1-5-32-579' { 'BUILTIN\Access Control Assistance Operators' }
|
|
'S-1-5-32-580' { 'BUILTIN\Access Control Assistance Operators' }
|
|
Default {
|
|
$Obj = (New-Object System.Security.Principal.SecurityIdentifier($SID2))
|
|
$Obj.Translate( [System.Security.Principal.NTAccount]).Value
|
|
}
|
|
}
|
|
}
|
|
catch {
|
|
Write-Verbose "Invalid SID: $SID"
|
|
$SID
|
|
}
|
|
}
|
|
|
|
|
|
filter Convert-ADName {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Converts user/group names from NT4 (DOMAIN\user) or domainSimple (user@domain.com)
|
|
to canonical format (domain.com/Users/user) or NT4.
|
|
|
|
Based on Bill Stewart's code from this article:
|
|
http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats
|
|
|
|
.PARAMETER ObjectName
|
|
|
|
The user/group name to convert.
|
|
|
|
.PARAMETER InputType
|
|
|
|
The InputType of the user/group name ("NT4","DN","Simple","Canonical").
|
|
|
|
.PARAMETER OutputType
|
|
|
|
The OutputType of the user/group name ("NT4","DN","Simple","Canonical").
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Convert-ADName -ObjectName "dev\dfm"
|
|
|
|
Returns "dev.testlab.local/Users/Dave"
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Convert-SidToName "S-..." | Convert-ADName
|
|
|
|
Returns the canonical name for the resolved SID.
|
|
|
|
.LINK
|
|
|
|
http://windowsitpro.com/active-directory/translating-active-directory-object-names-between-formats
|
|
#>
|
|
[CmdletBinding()]
|
|
param(
|
|
[Parameter(Mandatory=$True, ValueFromPipeline=$True)]
|
|
[String]
|
|
$ObjectName,
|
|
|
|
[String]
|
|
[ValidateSet("NT4","DN","Simple","Canonical")]
|
|
$InputType,
|
|
|
|
[String]
|
|
[ValidateSet("NT4","DN","Simple","Canonical")]
|
|
$OutputType
|
|
)
|
|
|
|
$NameTypes = @{
|
|
'DN' = 1
|
|
'Canonical' = 2
|
|
'NT4' = 3
|
|
'Simple' = 5
|
|
}
|
|
|
|
if(-not $PSBoundParameters['InputType']) {
|
|
if( ($ObjectName.split('/')).Count -eq 2 ) {
|
|
$ObjectName = $ObjectName.replace('/', '\')
|
|
}
|
|
|
|
if($ObjectName -match "^[A-Za-z]+\\[A-Za-z ]+") {
|
|
$InputType = 'NT4'
|
|
}
|
|
elseif($ObjectName -match "^[A-Za-z ]+@[A-Za-z\.]+") {
|
|
$InputType = 'Simple'
|
|
}
|
|
elseif($ObjectName -match "^[A-Za-z\.]+/[A-Za-z]+/[A-Za-z/ ]+") {
|
|
$InputType = 'Canonical'
|
|
}
|
|
elseif($ObjectName -match '^CN=.*') {
|
|
$InputType = 'DN'
|
|
}
|
|
else {
|
|
Write-Warning "Can not identify InType for $ObjectName"
|
|
}
|
|
}
|
|
elseif($InputType -eq 'NT4') {
|
|
$ObjectName = $ObjectName.replace('/', '\')
|
|
}
|
|
|
|
if(-not $PSBoundParameters['OutputType']) {
|
|
$OutputType = Switch($InputType) {
|
|
'NT4' {'Canonical'}
|
|
'Simple' {'NT4'}
|
|
'DN' {'NT4'}
|
|
'Canonical' {'NT4'}
|
|
}
|
|
}
|
|
|
|
# try to extract the domain from the given format
|
|
$Domain = Switch($InputType) {
|
|
'NT4' { $ObjectName.split("\")[0] }
|
|
'Simple' { $ObjectName.split("@")[1] }
|
|
'Canonical' { $ObjectName.split("/")[0] }
|
|
'DN' {$ObjectName.subString($ObjectName.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'}
|
|
}
|
|
|
|
# Accessor functions to simplify calls to NameTranslate
|
|
function Invoke-Method([__ComObject] $Object, [String] $Method, $Parameters) {
|
|
$Output = $Object.GetType().InvokeMember($Method, "InvokeMethod", $Null, $Object, $Parameters)
|
|
if ( $Output ) { $Output }
|
|
}
|
|
function Set-Property([__ComObject] $Object, [String] $Property, $Parameters) {
|
|
[Void] $Object.GetType().InvokeMember($Property, "SetProperty", $Null, $Object, $Parameters)
|
|
}
|
|
|
|
$Translate = New-Object -ComObject NameTranslate
|
|
|
|
try {
|
|
Invoke-Method $Translate "Init" (1, $Domain)
|
|
}
|
|
catch [System.Management.Automation.MethodInvocationException] {
|
|
# Write-Verbose "Error with translate init in Convert-ADName: $_"
|
|
}
|
|
|
|
Set-Property $Translate "ChaseReferral" (0x60)
|
|
|
|
try {
|
|
Invoke-Method $Translate "Set" ($NameTypes[$InputType], $ObjectName)
|
|
(Invoke-Method $Translate "Get" ($NameTypes[$OutputType]))
|
|
}
|
|
catch [System.Management.Automation.MethodInvocationException] {
|
|
# Write-Verbose "Error with translate Set/Get in Convert-ADName: $_"
|
|
}
|
|
}
|
|
|
|
|
|
filter Get-NameField {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Helper that attempts to extract appropriate field names from
|
|
passed computer objects.
|
|
|
|
.PARAMETER Object
|
|
|
|
The passed object to extract name fields from.
|
|
|
|
.PARAMETER DnsHostName
|
|
|
|
A DnsHostName to extract through ValueFromPipelineByPropertyName.
|
|
|
|
.PARAMETER Name
|
|
|
|
A Name to extract through ValueFromPipelineByPropertyName.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetComputer -FullData | Get-NameField
|
|
#>
|
|
[CmdletBinding()]
|
|
param(
|
|
[Parameter(ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
|
|
[Object]
|
|
$Object,
|
|
|
|
[Parameter(ValueFromPipelineByPropertyName = $True)]
|
|
[String]
|
|
$DnsHostName,
|
|
|
|
[Parameter(ValueFromPipelineByPropertyName = $True)]
|
|
[String]
|
|
$Name
|
|
)
|
|
|
|
if($PSBoundParameters['DnsHostName']) {
|
|
$DnsHostName
|
|
}
|
|
elseif($PSBoundParameters['Name']) {
|
|
$Name
|
|
}
|
|
elseif($Object) {
|
|
if ( [bool]($Object.PSobject.Properties.name -match "dnshostname") ) {
|
|
# objects from Get-NetComputer
|
|
$Object.dnshostname
|
|
}
|
|
elseif ( [bool]($Object.PSobject.Properties.name -match "name") ) {
|
|
# objects from Get-NetDomainController
|
|
$Object.name
|
|
}
|
|
else {
|
|
# strings and catch alls
|
|
$Object
|
|
}
|
|
}
|
|
else {
|
|
return $Null
|
|
}
|
|
}
|
|
|
|
|
|
function Convert-LDAPProperty {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Helper that converts specific LDAP property result fields.
|
|
Used by several of the Get-Net* function.
|
|
|
|
.PARAMETER Properties
|
|
|
|
Properties object to extract out LDAP fields for display.
|
|
#>
|
|
param(
|
|
[Parameter(Mandatory=$True, ValueFromPipeline=$True)]
|
|
[ValidateNotNullOrEmpty()]
|
|
$Properties
|
|
)
|
|
|
|
$ObjectProperties = @{}
|
|
|
|
$Properties.PropertyNames | ForEach-Object {
|
|
if (($_ -eq "objectsid") -or ($_ -eq "sidhistory")) {
|
|
# convert the SID to a string
|
|
$ObjectProperties[$_] = (New-Object System.Security.Principal.SecurityIdentifier($Properties[$_][0],0)).Value
|
|
}
|
|
elseif($_ -eq "objectguid") {
|
|
# convert the GUID to a string
|
|
$ObjectProperties[$_] = (New-Object Guid (,$Properties[$_][0])).Guid
|
|
}
|
|
elseif( ($_ -eq "lastlogon") -or ($_ -eq "lastlogontimestamp") -or ($_ -eq "pwdlastset") -or ($_ -eq "lastlogoff") -or ($_ -eq "badPasswordTime") ) {
|
|
# convert timestamps
|
|
if ($Properties[$_][0] -is [System.MarshalByRefObject]) {
|
|
# if we have a System.__ComObject
|
|
$Temp = $Properties[$_][0]
|
|
[Int32]$High = $Temp.GetType().InvokeMember("HighPart", [System.Reflection.BindingFlags]::GetProperty, $null, $Temp, $null)
|
|
[Int32]$Low = $Temp.GetType().InvokeMember("LowPart", [System.Reflection.BindingFlags]::GetProperty, $null, $Temp, $null)
|
|
$ObjectProperties[$_] = ([datetime]::FromFileTime([Int64]("0x{0:x8}{1:x8}" -f $High, $Low)))
|
|
}
|
|
else {
|
|
$ObjectProperties[$_] = ([datetime]::FromFileTime(($Properties[$_][0])))
|
|
}
|
|
}
|
|
elseif($Properties[$_][0] -is [System.MarshalByRefObject]) {
|
|
# try to convert misc com objects
|
|
$Prop = $Properties[$_]
|
|
try {
|
|
$Temp = $Prop[$_][0]
|
|
Write-Verbose $_
|
|
[Int32]$High = $Temp.GetType().InvokeMember("HighPart", [System.Reflection.BindingFlags]::GetProperty, $null, $Temp, $null)
|
|
[Int32]$Low = $Temp.GetType().InvokeMember("LowPart", [System.Reflection.BindingFlags]::GetProperty, $null, $Temp, $null)
|
|
$ObjectProperties[$_] = [Int64]("0x{0:x8}{1:x8}" -f $High, $Low)
|
|
}
|
|
catch {
|
|
$ObjectProperties[$_] = $Prop[$_]
|
|
}
|
|
}
|
|
elseif($Properties[$_].count -eq 1) {
|
|
$ObjectProperties[$_] = $Properties[$_][0]
|
|
}
|
|
else {
|
|
$ObjectProperties[$_] = $Properties[$_]
|
|
}
|
|
}
|
|
|
|
New-Object -TypeName PSObject -Property $ObjectProperties
|
|
}
|
|
|
|
|
|
|
|
########################################################
|
|
#
|
|
# Domain info functions below.
|
|
#
|
|
########################################################
|
|
|
|
filter Get-DomainSearcher {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Helper used by various functions that takes an ADSpath and
|
|
domain specifier and builds the correct ADSI searcher object.
|
|
|
|
.PARAMETER Domain
|
|
|
|
The domain to use for the query, defaults to the current domain.
|
|
|
|
.PARAMETER DomainController
|
|
|
|
Domain controller to reflect LDAP queries through.
|
|
|
|
.PARAMETER ADSpath
|
|
|
|
The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
|
|
Useful for OU queries.
|
|
|
|
.PARAMETER ADSprefix
|
|
|
|
Prefix to set for the searcher (like "CN=Sites,CN=Configuration")
|
|
|
|
.PARAMETER PageSize
|
|
|
|
The PageSize to set for the LDAP searcher object.
|
|
|
|
.PARAMETER Credential
|
|
|
|
A [Management.Automation.PSCredential] object of alternate credentials
|
|
for connection to the target domain.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-DomainSearcher -Domain testlab.local
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-DomainSearcher -Domain testlab.local -DomainController SECONDARY.dev.testlab.local
|
|
#>
|
|
|
|
param(
|
|
[Parameter(ValueFromPipeline=$True)]
|
|
[String]
|
|
$Domain,
|
|
|
|
[String]
|
|
$DomainController,
|
|
|
|
[String]
|
|
$ADSpath,
|
|
|
|
[String]
|
|
$ADSprefix,
|
|
|
|
[ValidateRange(1,10000)]
|
|
[Int]
|
|
$PageSize = 200,
|
|
|
|
[Management.Automation.PSCredential]
|
|
$Credential
|
|
)
|
|
|
|
if(-not $Credential) {
|
|
if(-not $Domain) {
|
|
$Domain = (Get-NetDomain).name
|
|
}
|
|
elseif(-not $DomainController) {
|
|
try {
|
|
# if there's no -DomainController specified, try to pull the primary DC to reflect queries through
|
|
$DomainController = ((Get-NetDomain).PdcRoleOwner).Name
|
|
}
|
|
catch {
|
|
throw "Get-DomainSearcher: Error in retrieving PDC for current domain"
|
|
}
|
|
}
|
|
}
|
|
elseif (-not $DomainController) {
|
|
# if a DC isn't specified
|
|
try {
|
|
$DomainController = ((Get-NetDomain -Credential $Credential).PdcRoleOwner).Name
|
|
}
|
|
catch {
|
|
throw "Get-DomainSearcher: Error in retrieving PDC for current domain"
|
|
}
|
|
|
|
if(!$DomainController) {
|
|
throw "Get-DomainSearcher: Error in retrieving PDC for current domain"
|
|
}
|
|
}
|
|
|
|
$SearchString = "LDAP://"
|
|
|
|
if($DomainController) {
|
|
$SearchString += $DomainController
|
|
if($Domain){
|
|
$SearchString += '/'
|
|
}
|
|
}
|
|
|
|
if($ADSprefix) {
|
|
$SearchString += $ADSprefix + ','
|
|
}
|
|
|
|
if($ADSpath) {
|
|
if($ADSpath -Match '^GC://') {
|
|
# if we're searching the global catalog
|
|
$DN = $AdsPath.ToUpper().Trim('/')
|
|
$SearchString = ''
|
|
}
|
|
else {
|
|
if($ADSpath -match '^LDAP://') {
|
|
if($ADSpath -match "LDAP://.+/.+") {
|
|
$SearchString = ''
|
|
}
|
|
else {
|
|
$ADSpath = $ADSpath.Substring(7)
|
|
}
|
|
}
|
|
$DN = $ADSpath
|
|
}
|
|
}
|
|
else {
|
|
if($Domain -and ($Domain.Trim() -ne "")) {
|
|
$DN = "DC=$($Domain.Replace('.', ',DC='))"
|
|
}
|
|
}
|
|
|
|
$SearchString += $DN
|
|
Write-Verbose "Get-DomainSearcher search string: $SearchString"
|
|
|
|
if($Credential) {
|
|
Write-Verbose "Using alternate credentials for LDAP connection"
|
|
$DomainObject = New-Object DirectoryServices.DirectoryEntry($SearchString, $Credential.UserName, $Credential.GetNetworkCredential().Password)
|
|
$Searcher = New-Object System.DirectoryServices.DirectorySearcher($DomainObject)
|
|
}
|
|
else {
|
|
$Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString)
|
|
}
|
|
|
|
$Searcher.PageSize = $PageSize
|
|
$Searcher.CacheResults = $False
|
|
$Searcher
|
|
}
|
|
|
|
|
|
filter Get-NetDomain {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Returns a given domain object.
|
|
|
|
.PARAMETER Domain
|
|
|
|
The domain name to query for, defaults to the current domain.
|
|
|
|
.PARAMETER Credential
|
|
|
|
A [Management.Automation.PSCredential] object of alternate credentials
|
|
for connection to the target domain.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetDomain -Domain testlab.local
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> "testlab.local" | Get-NetDomain
|
|
|
|
.LINK
|
|
|
|
http://social.technet.microsoft.com/Forums/scriptcenter/en-US/0c5b3f83-e528-4d49-92a4-dee31f4b481c/finding-the-dn-of-the-the-domain-without-admodule-in-powershell?forum=ITCG
|
|
#>
|
|
|
|
param(
|
|
[Parameter(ValueFromPipeline=$True)]
|
|
[String]
|
|
$Domain,
|
|
|
|
[Management.Automation.PSCredential]
|
|
$Credential
|
|
)
|
|
|
|
if($Credential) {
|
|
|
|
Write-Verbose "Using alternate credentials for Get-NetDomain"
|
|
|
|
if(!$Domain) {
|
|
# if no domain is supplied, extract the logon domain from the PSCredential passed
|
|
$Domain = $Credential.GetNetworkCredential().Domain
|
|
Write-Verbose "Extracted domain '$Domain' from -Credential"
|
|
}
|
|
|
|
$DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain, $Credential.UserName, $Credential.GetNetworkCredential().Password)
|
|
|
|
try {
|
|
[System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext)
|
|
}
|
|
catch {
|
|
Write-Verbose "The specified domain does '$Domain' not exist, could not be contacted, there isn't an existing trust, or the specified credentials are invalid."
|
|
$Null
|
|
}
|
|
}
|
|
elseif($Domain) {
|
|
$DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
|
|
try {
|
|
[System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext)
|
|
}
|
|
catch {
|
|
Write-Verbose "The specified domain '$Domain' does not exist, could not be contacted, or there isn't an existing trust."
|
|
$Null
|
|
}
|
|
}
|
|
else {
|
|
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
|
|
}
|
|
}
|
|
|
|
|
|
filter Get-NetForest {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Returns a given forest object.
|
|
|
|
.PARAMETER Forest
|
|
|
|
The forest name to query for, defaults to the current domain.
|
|
|
|
.PARAMETER Credential
|
|
|
|
A [Management.Automation.PSCredential] object of alternate credentials
|
|
for connection to the target domain.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetForest -Forest external.domain
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> "external.domain" | Get-NetForest
|
|
#>
|
|
|
|
param(
|
|
[Parameter(ValueFromPipeline=$True)]
|
|
[String]
|
|
$Forest,
|
|
|
|
[Management.Automation.PSCredential]
|
|
$Credential
|
|
)
|
|
|
|
if($Credential) {
|
|
|
|
Write-Verbose "Using alternate credentials for Get-NetForest"
|
|
|
|
if(!$Forest) {
|
|
# if no domain is supplied, extract the logon domain from the PSCredential passed
|
|
$Forest = $Credential.GetNetworkCredential().Domain
|
|
Write-Verbose "Extracted domain '$Forest' from -Credential"
|
|
}
|
|
|
|
$ForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $Forest, $Credential.UserName, $Credential.GetNetworkCredential().Password)
|
|
|
|
try {
|
|
$ForestObject = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ForestContext)
|
|
}
|
|
catch {
|
|
Write-Verbose "The specified forest '$Forest' does not exist, could not be contacted, there isn't an existing trust, or the specified credentials are invalid."
|
|
$Null
|
|
}
|
|
}
|
|
elseif($Forest) {
|
|
$ForestContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Forest', $Forest)
|
|
try {
|
|
$ForestObject = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ForestContext)
|
|
}
|
|
catch {
|
|
Write-Verbose "The specified forest '$Forest' does not exist, could not be contacted, or there isn't an existing trust."
|
|
return $Null
|
|
}
|
|
}
|
|
else {
|
|
# otherwise use the current forest
|
|
$ForestObject = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
|
|
}
|
|
|
|
if($ForestObject) {
|
|
# get the SID of the forest root
|
|
$ForestSid = (New-Object System.Security.Principal.NTAccount($ForestObject.RootDomain,"krbtgt")).Translate([System.Security.Principal.SecurityIdentifier]).Value
|
|
$Parts = $ForestSid -Split "-"
|
|
$ForestSid = $Parts[0..$($Parts.length-2)] -join "-"
|
|
$ForestObject | Add-Member NoteProperty 'RootDomainSid' $ForestSid
|
|
$ForestObject
|
|
}
|
|
}
|
|
|
|
|
|
filter Get-NetForestDomain {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Return all domains for a given forest.
|
|
|
|
.PARAMETER Forest
|
|
|
|
The forest name to query domain for.
|
|
|
|
.PARAMETER Credential
|
|
|
|
A [Management.Automation.PSCredential] object of alternate credentials
|
|
for connection to the target domain.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetForestDomain
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetForestDomain -Forest external.local
|
|
#>
|
|
|
|
param(
|
|
[Parameter(ValueFromPipeline=$True)]
|
|
[String]
|
|
$Forest,
|
|
|
|
[Management.Automation.PSCredential]
|
|
$Credential
|
|
)
|
|
|
|
$ForestObject = Get-NetForest -Forest $Forest -Credential $Credential
|
|
|
|
if($ForestObject) {
|
|
$ForestObject.Domains
|
|
}
|
|
}
|
|
|
|
|
|
filter Get-NetDomainController {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Return the current domain controllers for the active domain.
|
|
|
|
.PARAMETER Domain
|
|
|
|
The domain to query for domain controllers, defaults to the current domain.
|
|
|
|
.PARAMETER DomainController
|
|
|
|
Domain controller to reflect LDAP queries through.
|
|
|
|
.PARAMETER LDAP
|
|
|
|
Switch. Use LDAP queries to determine the domain controllers.
|
|
|
|
.PARAMETER Credential
|
|
|
|
A [Management.Automation.PSCredential] object of alternate credentials
|
|
for connection to the target domain.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetDomainController -Domain 'test.local'
|
|
|
|
Determine the domain controllers for 'test.local'.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetDomainController -Domain 'test.local' -LDAP
|
|
|
|
Determine the domain controllers for 'test.local' using LDAP queries.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> 'test.local' | Get-NetDomainController
|
|
|
|
Determine the domain controllers for 'test.local'.
|
|
#>
|
|
|
|
[CmdletBinding()]
|
|
param(
|
|
[Parameter(ValueFromPipeline=$True)]
|
|
[String]
|
|
$Domain,
|
|
|
|
[String]
|
|
$DomainController,
|
|
|
|
[Switch]
|
|
$LDAP,
|
|
|
|
[Management.Automation.PSCredential]
|
|
$Credential
|
|
)
|
|
|
|
if($LDAP -or $DomainController) {
|
|
# filter string to return all domain controllers
|
|
Get-NetComputer -Domain $Domain -DomainController $DomainController -Credential $Credential -FullData -Filter '(userAccountControl:1.2.840.113556.1.4.803:=8192)'
|
|
}
|
|
else {
|
|
$FoundDomain = Get-NetDomain -Domain $Domain -Credential $Credential
|
|
if($FoundDomain) {
|
|
$Founddomain.DomainControllers
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
########################################################
|
|
#
|
|
# "net *" replacements and other fun start below
|
|
#
|
|
########################################################
|
|
|
|
|
|
function Get-NetComputer {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
This function utilizes adsisearcher to query the current AD context
|
|
for current computer objects. Based off of Carlos Perez's Audit.psm1
|
|
script in Posh-SecMod (link below).
|
|
|
|
.PARAMETER ComputerName
|
|
|
|
Return computers with a specific name, wildcards accepted.
|
|
|
|
.PARAMETER SPN
|
|
|
|
Return computers with a specific service principal name, wildcards accepted.
|
|
|
|
.PARAMETER OperatingSystem
|
|
|
|
Return computers with a specific operating system, wildcards accepted.
|
|
|
|
.PARAMETER ServicePack
|
|
|
|
Return computers with a specific service pack, wildcards accepted.
|
|
|
|
.PARAMETER Filter
|
|
|
|
A customized ldap filter string to use, e.g. "(description=*admin*)"
|
|
|
|
.PARAMETER Printers
|
|
|
|
Switch. Return only printers.
|
|
|
|
.PARAMETER Ping
|
|
|
|
Switch. Ping each host to ensure it's up before enumerating.
|
|
|
|
.PARAMETER FullData
|
|
|
|
Switch. Return full computer objects instead of just system names (the default).
|
|
|
|
.PARAMETER Domain
|
|
|
|
The domain to query for computers, defaults to the current domain.
|
|
|
|
.PARAMETER DomainController
|
|
|
|
Domain controller to reflect LDAP queries through.
|
|
|
|
.PARAMETER ADSpath
|
|
|
|
The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
|
|
Useful for OU queries.
|
|
|
|
.PARAMETER SiteName
|
|
|
|
The AD Site name to search for computers.
|
|
|
|
.PARAMETER Unconstrained
|
|
|
|
Switch. Return computer objects that have unconstrained delegation.
|
|
|
|
.PARAMETER PageSize
|
|
|
|
The PageSize to set for the LDAP searcher object.
|
|
|
|
.PARAMETER Credential
|
|
|
|
A [Management.Automation.PSCredential] object of alternate credentials
|
|
for connection to the target domain.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetComputer
|
|
|
|
Returns the current computers in current domain.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetComputer -SPN mssql*
|
|
|
|
Returns all MS SQL servers on the domain.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetComputer -Domain testing
|
|
|
|
Returns the current computers in 'testing' domain.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetComputer -Domain testing -FullData
|
|
|
|
Returns full computer objects in the 'testing' domain.
|
|
|
|
.LINK
|
|
|
|
https://github.com/darkoperator/Posh-SecMod/blob/master/Audit/Audit.psm1
|
|
#>
|
|
|
|
[CmdletBinding()]
|
|
Param (
|
|
[Parameter(ValueFromPipeline=$True)]
|
|
[Alias('HostName')]
|
|
[String]
|
|
$ComputerName = '*',
|
|
|
|
[String]
|
|
$SPN,
|
|
|
|
[String]
|
|
$OperatingSystem,
|
|
|
|
[String]
|
|
$ServicePack,
|
|
|
|
[String]
|
|
$Filter,
|
|
|
|
[Switch]
|
|
$Printers,
|
|
|
|
[Switch]
|
|
$Ping,
|
|
|
|
[Switch]
|
|
$FullData,
|
|
|
|
[String]
|
|
$Domain,
|
|
|
|
[String]
|
|
$DomainController,
|
|
|
|
[String]
|
|
$ADSpath,
|
|
|
|
[String]
|
|
$SiteName,
|
|
|
|
[Switch]
|
|
$Unconstrained,
|
|
|
|
[ValidateRange(1,10000)]
|
|
[Int]
|
|
$PageSize = 200,
|
|
|
|
[Management.Automation.PSCredential]
|
|
$Credential
|
|
)
|
|
|
|
begin {
|
|
# so this isn't repeated if multiple computer names are passed on the pipeline
|
|
$CompSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -ADSpath $ADSpath -PageSize $PageSize -Credential $Credential
|
|
}
|
|
|
|
process {
|
|
|
|
if ($CompSearcher) {
|
|
|
|
# if we're checking for unconstrained delegation
|
|
if($Unconstrained) {
|
|
Write-Verbose "Searching for computers with for unconstrained delegation"
|
|
$Filter += "(userAccountControl:1.2.840.113556.1.4.803:=524288)"
|
|
}
|
|
# set the filters for the seracher if it exists
|
|
if($Printers) {
|
|
Write-Verbose "Searching for printers"
|
|
# $CompSearcher.filter="(&(objectCategory=printQueue)$Filter)"
|
|
$Filter += "(objectCategory=printQueue)"
|
|
}
|
|
if($SPN) {
|
|
Write-Verbose "Searching for computers with SPN: $SPN"
|
|
$Filter += "(servicePrincipalName=$SPN)"
|
|
}
|
|
if($OperatingSystem) {
|
|
$Filter += "(operatingsystem=$OperatingSystem)"
|
|
}
|
|
if($ServicePack) {
|
|
$Filter += "(operatingsystemservicepack=$ServicePack)"
|
|
}
|
|
if($SiteName) {
|
|
$Filter += "(serverreferencebl=$SiteName)"
|
|
}
|
|
|
|
$CompFilter = "(&(sAMAccountType=805306369)(dnshostname=$ComputerName)$Filter)"
|
|
Write-Verbose "Get-NetComputer filter : $CompFilter"
|
|
$CompSearcher.filter = $CompFilter
|
|
if(-not $FullData) {
|
|
$Null = $CompSearcher.PropertiesToLoad.Add('dnshostname')
|
|
}
|
|
|
|
try {
|
|
ForEach($ComputerResult in $CompSearcher.FindAll()) {
|
|
if($ComputerResult) {
|
|
$Up = $True
|
|
if($Ping) {
|
|
$Up = Test-Connection -Count 1 -Quiet -ComputerName $ComputerResult.properties.dnshostname
|
|
}
|
|
if($Up) {
|
|
# return full data objects
|
|
if ($FullData) {
|
|
# convert/process the LDAP fields for each result
|
|
$Computer = Convert-LDAPProperty -Properties $ComputerResult.Properties
|
|
$Computer.PSObject.TypeNames.Add('PowerView.Computer')
|
|
$Computer
|
|
}
|
|
else {
|
|
# otherwise we're just returning the DNS host name
|
|
$ComputerResult.properties.dnshostname
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
$CompSearcher.dispose()
|
|
}
|
|
catch {
|
|
Write-Warning "Error: $_"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
function Get-ADObject {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Takes a domain SID and returns the user, group, or computer object
|
|
associated with it.
|
|
|
|
.PARAMETER SID
|
|
|
|
The SID of the domain object you're querying for.
|
|
|
|
.PARAMETER Name
|
|
|
|
The Name of the domain object you're querying for.
|
|
|
|
.PARAMETER SamAccountName
|
|
|
|
The SamAccountName of the domain object you're querying for.
|
|
|
|
.PARAMETER Domain
|
|
|
|
The domain to query for objects, defaults to the current domain.
|
|
|
|
.PARAMETER DomainController
|
|
|
|
Domain controller to reflect LDAP queries through.
|
|
|
|
.PARAMETER ADSpath
|
|
|
|
The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
|
|
Useful for OU queries.
|
|
|
|
.PARAMETER Filter
|
|
|
|
Additional LDAP filter string for the query.
|
|
|
|
.PARAMETER ReturnRaw
|
|
|
|
Switch. Return the raw object instead of translating its properties.
|
|
Used by Set-ADObject to modify object properties.
|
|
|
|
.PARAMETER PageSize
|
|
|
|
The PageSize to set for the LDAP searcher object.
|
|
|
|
.PARAMETER Credential
|
|
|
|
A [Management.Automation.PSCredential] object of alternate credentials
|
|
for connection to the target domain.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-ADObject -SID "S-1-5-21-2620891829-2411261497-1773853088-1110"
|
|
|
|
Get the domain object associated with the specified SID.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-ADObject -ADSpath "CN=AdminSDHolder,CN=System,DC=testlab,DC=local"
|
|
|
|
Get the AdminSDHolder object for the testlab.local domain.
|
|
#>
|
|
|
|
[CmdletBinding()]
|
|
Param (
|
|
[Parameter(ValueFromPipeline=$True)]
|
|
[String]
|
|
$SID,
|
|
|
|
[String]
|
|
$Name,
|
|
|
|
[String]
|
|
$SamAccountName,
|
|
|
|
[String]
|
|
$Domain,
|
|
|
|
[String]
|
|
$DomainController,
|
|
|
|
[String]
|
|
$ADSpath,
|
|
|
|
[String]
|
|
$Filter,
|
|
|
|
[Switch]
|
|
$ReturnRaw,
|
|
|
|
[ValidateRange(1,10000)]
|
|
[Int]
|
|
$PageSize = 200,
|
|
|
|
[Management.Automation.PSCredential]
|
|
$Credential
|
|
)
|
|
process {
|
|
if($SID -and (-not $Domain)) {
|
|
# if a SID is passed, try to resolve it to a reachable domain name for the searcher
|
|
try {
|
|
$Name = Convert-SidToName $SID
|
|
if($Name) {
|
|
$Canonical = Convert-ADName -ObjectName $Name -InputType NT4 -OutputType Canonical
|
|
if($Canonical) {
|
|
$Domain = $Canonical.split("/")[0]
|
|
}
|
|
else {
|
|
Write-Verbose "Error resolving SID '$SID'"
|
|
return $Null
|
|
}
|
|
}
|
|
}
|
|
catch {
|
|
Write-Verbose "Error resolving SID '$SID' : $_"
|
|
return $Null
|
|
}
|
|
}
|
|
|
|
$ObjectSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize
|
|
|
|
if($ObjectSearcher) {
|
|
if($SID) {
|
|
$ObjectSearcher.filter = "(&(objectsid=$SID)$Filter)"
|
|
}
|
|
elseif($Name) {
|
|
$ObjectSearcher.filter = "(&(name=$Name)$Filter)"
|
|
}
|
|
elseif($SamAccountName) {
|
|
$ObjectSearcher.filter = "(&(samAccountName=$SamAccountName)$Filter)"
|
|
}
|
|
|
|
try {
|
|
$Results = $ObjectSearcher.FindAll()
|
|
$Results | Where-Object {$_} | ForEach-Object {
|
|
if($ReturnRaw) {
|
|
$_
|
|
}
|
|
else {
|
|
# convert/process the LDAP fields for each result
|
|
Convert-LDAPProperty -Properties $_.Properties
|
|
}
|
|
}
|
|
$Results.dispose()
|
|
}
|
|
catch {
|
|
Write-Verbose "Error building the searcher object!"
|
|
}
|
|
$ObjectSearcher.dispose()
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
function Get-NetOU {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Gets a list of all current OUs in a domain.
|
|
|
|
.PARAMETER OUName
|
|
|
|
The OU name to query for, wildcards accepted.
|
|
|
|
.PARAMETER GUID
|
|
|
|
Only return OUs with the specified GUID in their gplink property.
|
|
|
|
.PARAMETER Domain
|
|
|
|
The domain to query for OUs, defaults to the current domain.
|
|
|
|
.PARAMETER DomainController
|
|
|
|
Domain controller to reflect LDAP queries through.
|
|
|
|
.PARAMETER ADSpath
|
|
|
|
The LDAP source to search through.
|
|
|
|
.PARAMETER FullData
|
|
|
|
Switch. Return full OU objects instead of just object names (the default).
|
|
|
|
.PARAMETER PageSize
|
|
|
|
The PageSize to set for the LDAP searcher object.
|
|
|
|
.PARAMETER Credential
|
|
|
|
A [Management.Automation.PSCredential] object of alternate credentials
|
|
for connection to the target domain.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetOU
|
|
|
|
Returns the current OUs in the domain.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetOU -OUName *admin* -Domain testlab.local
|
|
|
|
Returns all OUs with "admin" in their name in the testlab.local domain.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetOU -GUID 123-...
|
|
|
|
Returns all OUs with linked to the specified group policy object.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> "*admin*","*server*" | Get-NetOU
|
|
|
|
Get the full OU names for the given search terms piped on the pipeline.
|
|
#>
|
|
|
|
[CmdletBinding()]
|
|
Param (
|
|
[Parameter(ValueFromPipeline=$True)]
|
|
[String]
|
|
$OUName = '*',
|
|
|
|
[String]
|
|
$GUID,
|
|
|
|
[String]
|
|
$Domain,
|
|
|
|
[String]
|
|
$DomainController,
|
|
|
|
[String]
|
|
$ADSpath,
|
|
|
|
[Switch]
|
|
$FullData,
|
|
|
|
[ValidateRange(1,10000)]
|
|
[Int]
|
|
$PageSize = 200,
|
|
|
|
[Management.Automation.PSCredential]
|
|
$Credential
|
|
)
|
|
|
|
begin {
|
|
$OUSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize
|
|
}
|
|
process {
|
|
if ($OUSearcher) {
|
|
if ($GUID) {
|
|
# if we're filtering for a GUID in .gplink
|
|
$OUSearcher.filter="(&(objectCategory=organizationalUnit)(name=$OUName)(gplink=*$GUID*))"
|
|
}
|
|
else {
|
|
$OUSearcher.filter="(&(objectCategory=organizationalUnit)(name=$OUName))"
|
|
}
|
|
|
|
try {
|
|
$Results = $OUSearcher.FindAll()
|
|
$Results | Where-Object {$_} | ForEach-Object {
|
|
if ($FullData) {
|
|
# convert/process the LDAP fields for each result
|
|
$OU = Convert-LDAPProperty -Properties $_.Properties
|
|
$OU.PSObject.TypeNames.Add('PowerView.OU')
|
|
$OU
|
|
}
|
|
else {
|
|
# otherwise just returning the ADS paths of the OUs
|
|
$_.properties.adspath
|
|
}
|
|
}
|
|
$Results.dispose()
|
|
$OUSearcher.dispose()
|
|
}
|
|
catch {
|
|
Write-Warning $_
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
function Get-NetSite {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Gets a list of all current sites in a domain.
|
|
|
|
.PARAMETER SiteName
|
|
|
|
Site filter string, wildcards accepted.
|
|
|
|
.PARAMETER Domain
|
|
|
|
The domain to query for sites, defaults to the current domain.
|
|
|
|
.PARAMETER DomainController
|
|
|
|
Domain controller to reflect LDAP queries through.
|
|
|
|
.PARAMETER ADSpath
|
|
|
|
The LDAP source to search through.
|
|
|
|
.PARAMETER GUID
|
|
|
|
Only return site with the specified GUID in their gplink property.
|
|
|
|
.PARAMETER FullData
|
|
|
|
Switch. Return full site objects instead of just object names (the default).
|
|
|
|
.PARAMETER PageSize
|
|
|
|
The PageSize to set for the LDAP searcher object.
|
|
|
|
.PARAMETER Credential
|
|
|
|
A [Management.Automation.PSCredential] object of alternate credentials
|
|
for connection to the target domain.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetSite -Domain testlab.local -FullData
|
|
|
|
Returns the full data objects for all sites in testlab.local
|
|
#>
|
|
|
|
[CmdletBinding()]
|
|
Param (
|
|
[Parameter(ValueFromPipeline=$True)]
|
|
[String]
|
|
$SiteName = "*",
|
|
|
|
[String]
|
|
$Domain,
|
|
|
|
[String]
|
|
$DomainController,
|
|
|
|
[String]
|
|
$ADSpath,
|
|
|
|
[String]
|
|
$GUID,
|
|
|
|
[Switch]
|
|
$FullData,
|
|
|
|
[ValidateRange(1,10000)]
|
|
[Int]
|
|
$PageSize = 200,
|
|
|
|
[Management.Automation.PSCredential]
|
|
$Credential
|
|
)
|
|
|
|
begin {
|
|
$SiteSearcher = Get-DomainSearcher -ADSpath $ADSpath -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSprefix "CN=Sites,CN=Configuration" -PageSize $PageSize
|
|
}
|
|
process {
|
|
if($SiteSearcher) {
|
|
|
|
if ($GUID) {
|
|
# if we're filtering for a GUID in .gplink
|
|
$SiteSearcher.filter="(&(objectCategory=site)(name=$SiteName)(gplink=*$GUID*))"
|
|
}
|
|
else {
|
|
$SiteSearcher.filter="(&(objectCategory=site)(name=$SiteName))"
|
|
}
|
|
|
|
try {
|
|
$Results = $SiteSearcher.FindAll()
|
|
$Results | Where-Object {$_} | ForEach-Object {
|
|
if ($FullData) {
|
|
# convert/process the LDAP fields for each result
|
|
$Site = Convert-LDAPProperty -Properties $_.Properties
|
|
$Site.PSObject.TypeNames.Add('PowerView.Site')
|
|
$Site
|
|
}
|
|
else {
|
|
# otherwise just return the site name
|
|
$_.properties.name
|
|
}
|
|
}
|
|
$Results.dispose()
|
|
$SiteSearcher.dispose()
|
|
}
|
|
catch {
|
|
Write-Verbose $_
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
function Get-DomainSID {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Gets the SID for the domain.
|
|
|
|
.PARAMETER Domain
|
|
|
|
The domain to query, defaults to the current domain.
|
|
|
|
.PARAMETER DomainController
|
|
|
|
Domain controller to reflect LDAP queries through.
|
|
|
|
.EXAMPLE
|
|
|
|
C:\> Get-DomainSID -Domain TEST
|
|
|
|
Returns SID for the domain 'TEST'
|
|
#>
|
|
|
|
param(
|
|
[String]
|
|
$Domain,
|
|
|
|
[String]
|
|
$DomainController
|
|
)
|
|
|
|
$ComputerSearcher = Get-DomainSearcher -Domain $TargetDomain -DomainController $DomainController
|
|
$ComputerSearcher.Filter = '(sAMAccountType=805306369)'
|
|
$Null = $ComputerSearcher.PropertiesToLoad.Add('objectsid')
|
|
$Result = $ComputerSearcher.FindOne()
|
|
|
|
if(-not $Result) {
|
|
Write-Verbose "Get-DomainSID: no results retrieved"
|
|
}
|
|
else {
|
|
$DCObject = Convert-LDAPProperty -Properties $Result.Properties
|
|
$DCSID = $DCObject.objectsid
|
|
$DCSID.Substring(0, $DCSID.LastIndexOf('-'))
|
|
}
|
|
}
|
|
|
|
|
|
function Get-NetFileServer {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Returns a list of all file servers extracted from user
|
|
homedirectory, scriptpath, and profilepath fields.
|
|
|
|
.PARAMETER Domain
|
|
|
|
The domain to query for user file servers, defaults to the current domain.
|
|
|
|
.PARAMETER DomainController
|
|
|
|
Domain controller to reflect LDAP queries through.
|
|
|
|
.PARAMETER PageSize
|
|
|
|
The PageSize to set for the LDAP searcher object.
|
|
|
|
.PARAMETER Credential
|
|
|
|
A [Management.Automation.PSCredential] object of alternate credentials
|
|
for connection to the target domain.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetFileServer
|
|
|
|
Returns active file servers.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetFileServer -Domain testing
|
|
|
|
Returns active file servers for the 'testing' domain.
|
|
#>
|
|
|
|
[CmdletBinding()]
|
|
param(
|
|
[String]
|
|
$Domain,
|
|
|
|
[String]
|
|
$DomainController,
|
|
|
|
[ValidateRange(1,10000)]
|
|
[Int]
|
|
$PageSize = 200,
|
|
|
|
[Management.Automation.PSCredential]
|
|
$Credential
|
|
)
|
|
|
|
function Split-Path {
|
|
# short internal helper to split UNC server paths
|
|
param([String]$Path)
|
|
|
|
if ($Path -and ($Path.split("\\").Count -ge 3)) {
|
|
$Temp = $Path.split("\\")[2]
|
|
if($Temp -and ($Temp -ne '')) {
|
|
$Temp
|
|
}
|
|
}
|
|
}
|
|
|
|
$UserSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -PageSize $PageSize
|
|
|
|
# only search for user objects that have one of the fields we're interested in set
|
|
$UserSearcher.filter = "(&(samAccountType=805306368)(|(homedirectory=*)(scriptpath=*)(profilepath=*)))"
|
|
|
|
# only return the fields we're interested in
|
|
$UserSearcher.PropertiesToLoad.AddRange(('homedirectory', 'scriptpath', 'profilepath'))
|
|
|
|
# get all results w/o the pipeline and uniquify them (I know it's not pretty)
|
|
Sort-Object -Unique -InputObject $(ForEach($UserResult in $UserSearcher.FindAll()) {if($UserResult.Properties['homedirectory']) {Split-Path($UserResult.Properties['homedirectory'])}if($UserResult.Properties['scriptpath']) {Split-Path($UserResult.Properties['scriptpath'])}if($UserResult.Properties['profilepath']) {Split-Path($UserResult.Properties['profilepath'])}})
|
|
}
|
|
|
|
|
|
function Get-DFSshare {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Returns a list of all fault-tolerant distributed file
|
|
systems for a given domain.
|
|
|
|
.PARAMETER Version
|
|
|
|
The version of DFS to query for servers.
|
|
1/v1, 2/v2, or all
|
|
|
|
.PARAMETER Domain
|
|
|
|
The domain to query for user DFS shares, defaults to the current domain.
|
|
|
|
.PARAMETER DomainController
|
|
|
|
Domain controller to reflect LDAP queries through.
|
|
|
|
.PARAMETER ADSpath
|
|
|
|
The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
|
|
Useful for OU queries.
|
|
|
|
.PARAMETER PageSize
|
|
|
|
The PageSize to set for the LDAP searcher object.
|
|
|
|
.PARAMETER Credential
|
|
|
|
A [Management.Automation.PSCredential] object of alternate credentials
|
|
for connection to the target domain.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-DFSshare
|
|
|
|
Returns all distributed file system shares for the current domain.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-DFSshare -Domain test
|
|
|
|
Returns all distributed file system shares for the 'test' domain.
|
|
#>
|
|
|
|
[CmdletBinding()]
|
|
param(
|
|
[String]
|
|
[ValidateSet("All","V1","1","V2","2")]
|
|
$Version = "All",
|
|
|
|
[String]
|
|
$Domain,
|
|
|
|
[String]
|
|
$DomainController,
|
|
|
|
[String]
|
|
$ADSpath,
|
|
|
|
[ValidateRange(1,10000)]
|
|
[Int]
|
|
$PageSize = 200,
|
|
|
|
[Management.Automation.PSCredential]
|
|
$Credential
|
|
)
|
|
|
|
function Parse-Pkt {
|
|
[CmdletBinding()]
|
|
param(
|
|
[byte[]]
|
|
$Pkt
|
|
)
|
|
|
|
$bin = $Pkt
|
|
$blob_version = [bitconverter]::ToUInt32($bin[0..3],0)
|
|
$blob_element_count = [bitconverter]::ToUInt32($bin[4..7],0)
|
|
$offset = 8
|
|
#https://msdn.microsoft.com/en-us/library/cc227147.aspx
|
|
$object_list = @()
|
|
for($i=1; $i -le $blob_element_count; $i++){
|
|
$blob_name_size_start = $offset
|
|
$blob_name_size_end = $offset + 1
|
|
$blob_name_size = [bitconverter]::ToUInt16($bin[$blob_name_size_start..$blob_name_size_end],0)
|
|
|
|
$blob_name_start = $blob_name_size_end + 1
|
|
$blob_name_end = $blob_name_start + $blob_name_size - 1
|
|
$blob_name = [System.Text.Encoding]::Unicode.GetString($bin[$blob_name_start..$blob_name_end])
|
|
|
|
$blob_data_size_start = $blob_name_end + 1
|
|
$blob_data_size_end = $blob_data_size_start + 3
|
|
$blob_data_size = [bitconverter]::ToUInt32($bin[$blob_data_size_start..$blob_data_size_end],0)
|
|
|
|
$blob_data_start = $blob_data_size_end + 1
|
|
$blob_data_end = $blob_data_start + $blob_data_size - 1
|
|
$blob_data = $bin[$blob_data_start..$blob_data_end]
|
|
switch -wildcard ($blob_name) {
|
|
"\siteroot" { }
|
|
"\domainroot*" {
|
|
# Parse DFSNamespaceRootOrLinkBlob object. Starts with variable length DFSRootOrLinkIDBlob which we parse first...
|
|
# DFSRootOrLinkIDBlob
|
|
$root_or_link_guid_start = 0
|
|
$root_or_link_guid_end = 15
|
|
$root_or_link_guid = [byte[]]$blob_data[$root_or_link_guid_start..$root_or_link_guid_end]
|
|
$guid = New-Object Guid(,$root_or_link_guid) # should match $guid_str
|
|
$prefix_size_start = $root_or_link_guid_end + 1
|
|
$prefix_size_end = $prefix_size_start + 1
|
|
$prefix_size = [bitconverter]::ToUInt16($blob_data[$prefix_size_start..$prefix_size_end],0)
|
|
$prefix_start = $prefix_size_end + 1
|
|
$prefix_end = $prefix_start + $prefix_size - 1
|
|
$prefix = [System.Text.Encoding]::Unicode.GetString($blob_data[$prefix_start..$prefix_end])
|
|
|
|
$short_prefix_size_start = $prefix_end + 1
|
|
$short_prefix_size_end = $short_prefix_size_start + 1
|
|
$short_prefix_size = [bitconverter]::ToUInt16($blob_data[$short_prefix_size_start..$short_prefix_size_end],0)
|
|
$short_prefix_start = $short_prefix_size_end + 1
|
|
$short_prefix_end = $short_prefix_start + $short_prefix_size - 1
|
|
$short_prefix = [System.Text.Encoding]::Unicode.GetString($blob_data[$short_prefix_start..$short_prefix_end])
|
|
|
|
$type_start = $short_prefix_end + 1
|
|
$type_end = $type_start + 3
|
|
$type = [bitconverter]::ToUInt32($blob_data[$type_start..$type_end],0)
|
|
|
|
$state_start = $type_end + 1
|
|
$state_end = $state_start + 3
|
|
$state = [bitconverter]::ToUInt32($blob_data[$state_start..$state_end],0)
|
|
|
|
$comment_size_start = $state_end + 1
|
|
$comment_size_end = $comment_size_start + 1
|
|
$comment_size = [bitconverter]::ToUInt16($blob_data[$comment_size_start..$comment_size_end],0)
|
|
$comment_start = $comment_size_end + 1
|
|
$comment_end = $comment_start + $comment_size - 1
|
|
if ($comment_size -gt 0) {
|
|
$comment = [System.Text.Encoding]::Unicode.GetString($blob_data[$comment_start..$comment_end])
|
|
}
|
|
$prefix_timestamp_start = $comment_end + 1
|
|
$prefix_timestamp_end = $prefix_timestamp_start + 7
|
|
# https://msdn.microsoft.com/en-us/library/cc230324.aspx FILETIME
|
|
$prefix_timestamp = $blob_data[$prefix_timestamp_start..$prefix_timestamp_end] #dword lowDateTime #dword highdatetime
|
|
$state_timestamp_start = $prefix_timestamp_end + 1
|
|
$state_timestamp_end = $state_timestamp_start + 7
|
|
$state_timestamp = $blob_data[$state_timestamp_start..$state_timestamp_end]
|
|
$comment_timestamp_start = $state_timestamp_end + 1
|
|
$comment_timestamp_end = $comment_timestamp_start + 7
|
|
$comment_timestamp = $blob_data[$comment_timestamp_start..$comment_timestamp_end]
|
|
$version_start = $comment_timestamp_end + 1
|
|
$version_end = $version_start + 3
|
|
$version = [bitconverter]::ToUInt32($blob_data[$version_start..$version_end],0)
|
|
|
|
# Parse rest of DFSNamespaceRootOrLinkBlob here
|
|
$dfs_targetlist_blob_size_start = $version_end + 1
|
|
$dfs_targetlist_blob_size_end = $dfs_targetlist_blob_size_start + 3
|
|
$dfs_targetlist_blob_size = [bitconverter]::ToUInt32($blob_data[$dfs_targetlist_blob_size_start..$dfs_targetlist_blob_size_end],0)
|
|
|
|
$dfs_targetlist_blob_start = $dfs_targetlist_blob_size_end + 1
|
|
$dfs_targetlist_blob_end = $dfs_targetlist_blob_start + $dfs_targetlist_blob_size - 1
|
|
$dfs_targetlist_blob = $blob_data[$dfs_targetlist_blob_start..$dfs_targetlist_blob_end]
|
|
$reserved_blob_size_start = $dfs_targetlist_blob_end + 1
|
|
$reserved_blob_size_end = $reserved_blob_size_start + 3
|
|
$reserved_blob_size = [bitconverter]::ToUInt32($blob_data[$reserved_blob_size_start..$reserved_blob_size_end],0)
|
|
|
|
$reserved_blob_start = $reserved_blob_size_end + 1
|
|
$reserved_blob_end = $reserved_blob_start + $reserved_blob_size - 1
|
|
$reserved_blob = $blob_data[$reserved_blob_start..$reserved_blob_end]
|
|
$referral_ttl_start = $reserved_blob_end + 1
|
|
$referral_ttl_end = $referral_ttl_start + 3
|
|
$referral_ttl = [bitconverter]::ToUInt32($blob_data[$referral_ttl_start..$referral_ttl_end],0)
|
|
|
|
#Parse DFSTargetListBlob
|
|
$target_count_start = 0
|
|
$target_count_end = $target_count_start + 3
|
|
$target_count = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_count_start..$target_count_end],0)
|
|
$t_offset = $target_count_end + 1
|
|
|
|
for($j=1; $j -le $target_count; $j++){
|
|
$target_entry_size_start = $t_offset
|
|
$target_entry_size_end = $target_entry_size_start + 3
|
|
$target_entry_size = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_entry_size_start..$target_entry_size_end],0)
|
|
$target_time_stamp_start = $target_entry_size_end + 1
|
|
$target_time_stamp_end = $target_time_stamp_start + 7
|
|
# FILETIME again or special if priority rank and priority class 0
|
|
$target_time_stamp = $dfs_targetlist_blob[$target_time_stamp_start..$target_time_stamp_end]
|
|
$target_state_start = $target_time_stamp_end + 1
|
|
$target_state_end = $target_state_start + 3
|
|
$target_state = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_state_start..$target_state_end],0)
|
|
|
|
$target_type_start = $target_state_end + 1
|
|
$target_type_end = $target_type_start + 3
|
|
$target_type = [bitconverter]::ToUInt32($dfs_targetlist_blob[$target_type_start..$target_type_end],0)
|
|
|
|
$server_name_size_start = $target_type_end + 1
|
|
$server_name_size_end = $server_name_size_start + 1
|
|
$server_name_size = [bitconverter]::ToUInt16($dfs_targetlist_blob[$server_name_size_start..$server_name_size_end],0)
|
|
|
|
$server_name_start = $server_name_size_end + 1
|
|
$server_name_end = $server_name_start + $server_name_size - 1
|
|
$server_name = [System.Text.Encoding]::Unicode.GetString($dfs_targetlist_blob[$server_name_start..$server_name_end])
|
|
|
|
$share_name_size_start = $server_name_end + 1
|
|
$share_name_size_end = $share_name_size_start + 1
|
|
$share_name_size = [bitconverter]::ToUInt16($dfs_targetlist_blob[$share_name_size_start..$share_name_size_end],0)
|
|
$share_name_start = $share_name_size_end + 1
|
|
$share_name_end = $share_name_start + $share_name_size - 1
|
|
$share_name = [System.Text.Encoding]::Unicode.GetString($dfs_targetlist_blob[$share_name_start..$share_name_end])
|
|
|
|
$target_list += "\\$server_name\$share_name"
|
|
$t_offset = $share_name_end + 1
|
|
}
|
|
}
|
|
}
|
|
$offset = $blob_data_end + 1
|
|
$dfs_pkt_properties = @{
|
|
'Name' = $blob_name
|
|
'Prefix' = $prefix
|
|
'TargetList' = $target_list
|
|
}
|
|
$object_list += New-Object -TypeName PSObject -Property $dfs_pkt_properties
|
|
$prefix = $null
|
|
$blob_name = $null
|
|
$target_list = $null
|
|
}
|
|
|
|
$servers = @()
|
|
$object_list | ForEach-Object {
|
|
if ($_.TargetList) {
|
|
$_.TargetList | ForEach-Object {
|
|
$servers += $_.split("\")[2]
|
|
}
|
|
}
|
|
}
|
|
|
|
$servers
|
|
}
|
|
|
|
function Get-DFSshareV1 {
|
|
[CmdletBinding()]
|
|
param(
|
|
[String]
|
|
$Domain,
|
|
|
|
[String]
|
|
$DomainController,
|
|
|
|
[String]
|
|
$ADSpath,
|
|
|
|
[ValidateRange(1,10000)]
|
|
[Int]
|
|
$PageSize = 200,
|
|
|
|
[Management.Automation.PSCredential]
|
|
$Credential
|
|
)
|
|
|
|
$DFSsearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize
|
|
|
|
if($DFSsearcher) {
|
|
$DFSshares = @()
|
|
$DFSsearcher.filter = "(&(objectClass=fTDfs))"
|
|
|
|
try {
|
|
$Results = $DFSSearcher.FindAll()
|
|
$Results | Where-Object {$_} | ForEach-Object {
|
|
$Properties = $_.Properties
|
|
$RemoteNames = $Properties.remoteservername
|
|
$Pkt = $Properties.pkt
|
|
|
|
$DFSshares += $RemoteNames | ForEach-Object {
|
|
try {
|
|
if ( $_.Contains('\') ) {
|
|
New-Object -TypeName PSObject -Property @{'Name'=$Properties.name[0];'RemoteServerName'=$_.split("\")[2]}
|
|
}
|
|
}
|
|
catch {
|
|
Write-Verbose "Error in parsing DFS share : $_"
|
|
}
|
|
}
|
|
}
|
|
$Results.dispose()
|
|
$DFSSearcher.dispose()
|
|
|
|
if($pkt -and $pkt[0]) {
|
|
Parse-Pkt $pkt[0] | ForEach-Object {
|
|
# If a folder doesn't have a redirection it will
|
|
# have a target like
|
|
# \\null\TestNameSpace\folder\.DFSFolderLink so we
|
|
# do actually want to match on "null" rather than
|
|
# $null
|
|
if ($_ -ne "null") {
|
|
New-Object -TypeName PSObject -Property @{'Name'=$Properties.name[0];'RemoteServerName'=$_}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
catch {
|
|
Write-Warning "Get-DFSshareV1 error : $_"
|
|
}
|
|
$DFSshares | Sort-Object -Property "RemoteServerName"
|
|
}
|
|
}
|
|
|
|
function Get-DFSshareV2 {
|
|
[CmdletBinding()]
|
|
param(
|
|
[String]
|
|
$Domain,
|
|
|
|
[String]
|
|
$DomainController,
|
|
|
|
[String]
|
|
$ADSpath,
|
|
|
|
[ValidateRange(1,10000)]
|
|
[Int]
|
|
$PageSize = 200,
|
|
|
|
[Management.Automation.PSCredential]
|
|
$Credential
|
|
)
|
|
|
|
$DFSsearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize
|
|
|
|
if($DFSsearcher) {
|
|
$DFSshares = @()
|
|
$DFSsearcher.filter = "(&(objectClass=msDFS-Linkv2))"
|
|
$DFSSearcher.PropertiesToLoad.AddRange(('msdfs-linkpathv2','msDFS-TargetListv2'))
|
|
|
|
try {
|
|
$Results = $DFSSearcher.FindAll()
|
|
$Results | Where-Object {$_} | ForEach-Object {
|
|
$Properties = $_.Properties
|
|
$target_list = $Properties.'msdfs-targetlistv2'[0]
|
|
$xml = [xml][System.Text.Encoding]::Unicode.GetString($target_list[2..($target_list.Length-1)])
|
|
$DFSshares += $xml.targets.ChildNodes | ForEach-Object {
|
|
try {
|
|
$Target = $_.InnerText
|
|
if ( $Target.Contains('\') ) {
|
|
$DFSroot = $Target.split("\")[3]
|
|
$ShareName = $Properties.'msdfs-linkpathv2'[0]
|
|
New-Object -TypeName PSObject -Property @{'Name'="$DFSroot$ShareName";'RemoteServerName'=$Target.split("\")[2]}
|
|
}
|
|
}
|
|
catch {
|
|
Write-Verbose "Error in parsing target : $_"
|
|
}
|
|
}
|
|
}
|
|
$Results.dispose()
|
|
$DFSSearcher.dispose()
|
|
}
|
|
catch {
|
|
Write-Warning "Get-DFSshareV2 error : $_"
|
|
}
|
|
$DFSshares | Sort-Object -Unique -Property "RemoteServerName"
|
|
}
|
|
}
|
|
|
|
$DFSshares = @()
|
|
|
|
if ( ($Version -eq "all") -or ($Version.endsWith("1")) ) {
|
|
$DFSshares += Get-DFSshareV1 -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize
|
|
}
|
|
if ( ($Version -eq "all") -or ($Version.endsWith("2")) ) {
|
|
$DFSshares += Get-DFSshareV2 -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize
|
|
}
|
|
|
|
$DFSshares | Sort-Object -Property ("RemoteServerName","Name") -Unique
|
|
}
|
|
|
|
|
|
########################################################
|
|
#
|
|
# GPO related functions.
|
|
#
|
|
########################################################
|
|
|
|
function Get-GptTmpl {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Helper to parse a GptTmpl.inf policy file path into a custom object.
|
|
|
|
.PARAMETER GptTmplPath
|
|
|
|
The GptTmpl.inf file path name to parse.
|
|
|
|
.PARAMETER UsePSDrive
|
|
|
|
Switch. Mount the target GptTmpl folder path as a temporary PSDrive.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-GptTmpl -GptTmplPath "\\dev.testlab.local\sysvol\dev.testlab.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
|
|
|
|
Parse the default domain policy .inf for dev.testlab.local
|
|
#>
|
|
|
|
[CmdletBinding()]
|
|
Param (
|
|
[Parameter(Mandatory=$True, ValueFromPipeline=$True)]
|
|
[String]
|
|
$GptTmplPath,
|
|
|
|
[Switch]
|
|
$UsePSDrive
|
|
)
|
|
|
|
begin {
|
|
if($UsePSDrive) {
|
|
# if we're PSDrives, create a temporary mount point
|
|
$Parts = $GptTmplPath.split('\')
|
|
$FolderPath = $Parts[0..($Parts.length-2)] -join '\'
|
|
$FilePath = $Parts[-1]
|
|
$RandDrive = ("abcdefghijklmnopqrstuvwxyz".ToCharArray() | Get-Random -Count 7) -join ''
|
|
|
|
Write-Verbose "Mounting path $GptTmplPath using a temp PSDrive at $RandDrive"
|
|
|
|
try {
|
|
$Null = New-PSDrive -Name $RandDrive -PSProvider FileSystem -Root $FolderPath -ErrorAction Stop
|
|
}
|
|
catch {
|
|
Write-Verbose "Error mounting path $GptTmplPath : $_"
|
|
return $Null
|
|
}
|
|
|
|
# so we can cd/dir the new drive
|
|
$TargetGptTmplPath = $RandDrive + ":\" + $FilePath
|
|
}
|
|
else {
|
|
$TargetGptTmplPath = $GptTmplPath
|
|
}
|
|
}
|
|
|
|
process {
|
|
try {
|
|
Write-Verbose "Attempting to parse GptTmpl: $TargetGptTmplPath"
|
|
$TargetGptTmplPath | Get-IniContent -ErrorAction SilentlyContinue
|
|
}
|
|
catch {
|
|
# Write-Verbose "Error parsing $TargetGptTmplPath : $_"
|
|
}
|
|
}
|
|
|
|
end {
|
|
if($UsePSDrive -and $RandDrive) {
|
|
Write-Verbose "Removing temp PSDrive $RandDrive"
|
|
Get-PSDrive -Name $RandDrive -ErrorAction SilentlyContinue | Remove-PSDrive -Force
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
function Get-GroupsXML {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Helper to parse a groups.xml file path into a custom object.
|
|
|
|
.PARAMETER GroupsXMLpath
|
|
|
|
The groups.xml file path name to parse.
|
|
|
|
.PARAMETER UsePSDrive
|
|
|
|
Switch. Mount the target groups.xml folder path as a temporary PSDrive.
|
|
#>
|
|
|
|
[CmdletBinding()]
|
|
Param (
|
|
[Parameter(Mandatory=$True, ValueFromPipeline=$True)]
|
|
[String]
|
|
$GroupsXMLPath,
|
|
|
|
[Switch]
|
|
$UsePSDrive
|
|
)
|
|
|
|
begin {
|
|
if($UsePSDrive) {
|
|
# if we're PSDrives, create a temporary mount point
|
|
$Parts = $GroupsXMLPath.split('\')
|
|
$FolderPath = $Parts[0..($Parts.length-2)] -join '\'
|
|
$FilePath = $Parts[-1]
|
|
$RandDrive = ("abcdefghijklmnopqrstuvwxyz".ToCharArray() | Get-Random -Count 7) -join ''
|
|
|
|
Write-Verbose "Mounting path $GroupsXMLPath using a temp PSDrive at $RandDrive"
|
|
|
|
try {
|
|
$Null = New-PSDrive -Name $RandDrive -PSProvider FileSystem -Root $FolderPath -ErrorAction Stop
|
|
}
|
|
catch {
|
|
Write-Verbose "Error mounting path $GroupsXMLPath : $_"
|
|
return $Null
|
|
}
|
|
|
|
# so we can cd/dir the new drive
|
|
$TargetGroupsXMLPath = $RandDrive + ":\" + $FilePath
|
|
}
|
|
else {
|
|
$TargetGroupsXMLPath = $GroupsXMLPath
|
|
}
|
|
}
|
|
|
|
process {
|
|
|
|
try {
|
|
Write-Verbose "Attempting to parse Groups.xml: $TargetGroupsXMLPath"
|
|
[XML]$GroupsXMLcontent = Get-Content $TargetGroupsXMLPath -ErrorAction Stop
|
|
|
|
# process all group properties in the XML
|
|
$GroupsXMLcontent | Select-Xml "//Groups" | Select-Object -ExpandProperty node | ForEach-Object {
|
|
|
|
$Groupname = $_.Group.Properties.groupName
|
|
|
|
# extract the localgroup sid for memberof
|
|
$GroupSID = $_.Group.Properties.GroupSid
|
|
if(-not $LocalSid) {
|
|
if($Groupname -match 'Administrators') {
|
|
$GroupSID = 'S-1-5-32-544'
|
|
}
|
|
elseif($Groupname -match 'Remote Desktop') {
|
|
$GroupSID = 'S-1-5-32-555'
|
|
}
|
|
elseif($Groupname -match 'Guests') {
|
|
$GroupSID = 'S-1-5-32-546'
|
|
}
|
|
else {
|
|
$GroupSID = Convert-NameToSid -ObjectName $Groupname | Select-Object -ExpandProperty SID
|
|
}
|
|
}
|
|
|
|
# extract out members added to this group
|
|
$Members = $_.Group.Properties.members | Select-Object -ExpandProperty Member | Where-Object { $_.action -match 'ADD' } | ForEach-Object {
|
|
if($_.sid) { $_.sid }
|
|
else { $_.name }
|
|
}
|
|
|
|
if ($Members) {
|
|
|
|
# extract out any/all filters...I hate you GPP
|
|
if($_.Group.filters) {
|
|
$Filters = $_.Group.filters.GetEnumerator() | ForEach-Object {
|
|
New-Object -TypeName PSObject -Property @{'Type' = $_.LocalName;'Value' = $_.name}
|
|
}
|
|
}
|
|
else {
|
|
$Filters = $Null
|
|
}
|
|
|
|
if($Members -isnot [System.Array]) { $Members = @($Members) }
|
|
|
|
$GPOGroup = New-Object PSObject
|
|
$GPOGroup | Add-Member Noteproperty 'GPOPath' $TargetGroupsXMLPath
|
|
$GPOGroup | Add-Member Noteproperty 'Filters' $Filters
|
|
$GPOGroup | Add-Member Noteproperty 'GroupName' $GroupName
|
|
$GPOGroup | Add-Member Noteproperty 'GroupSID' $GroupSID
|
|
$GPOGroup | Add-Member Noteproperty 'GroupMemberOf' $Null
|
|
$GPOGroup | Add-Member Noteproperty 'GroupMembers' $Members
|
|
$GPOGroup
|
|
}
|
|
}
|
|
}
|
|
catch {
|
|
# Write-Verbose "Error parsing $TargetGroupsXMLPath : $_"
|
|
}
|
|
}
|
|
|
|
end {
|
|
if($UsePSDrive -and $RandDrive) {
|
|
Write-Verbose "Removing temp PSDrive $RandDrive"
|
|
Get-PSDrive -Name $RandDrive -ErrorAction SilentlyContinue | Remove-PSDrive -Force
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
function Get-NetGPOGroup {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Returns all GPOs in a domain that set "Restricted Groups" or use groups.xml on on target machines.
|
|
|
|
Author: @harmj0y
|
|
License: BSD 3-Clause
|
|
Required Dependencies: Get-NetGPO, Get-GptTmpl, Get-GroupsXML, Convert-NameToSid, Convert-SidToName
|
|
Optional Dependencies: None
|
|
|
|
.DESCRIPTION
|
|
|
|
First enumerates all GPOs in the current/target domain using Get-NetGPO with passed
|
|
arguments, and for each GPO checks if 'Restricted Groups' are set with GptTmpl.inf or
|
|
group membership is set through Group Policy Preferences groups.xml files. For any
|
|
GptTmpl.inf files found, the file is parsed with Get-GptTmpl and any 'Group Membership'
|
|
section data is processed if present. Any found Groups.xml files are parsed with
|
|
Get-GroupsXML and those memberships are returned as well.
|
|
|
|
.PARAMETER GPOname
|
|
|
|
The GPO name to query for, wildcards accepted.
|
|
|
|
.PARAMETER DisplayName
|
|
|
|
The GPO display name to query for, wildcards accepted.
|
|
|
|
.PARAMETER Domain
|
|
|
|
The domain to query for GPOs, defaults to the current domain.
|
|
|
|
.PARAMETER DomainController
|
|
|
|
Domain controller to reflect LDAP queries through.
|
|
|
|
.PARAMETER ADSpath
|
|
|
|
The LDAP source to search through for GPOs.
|
|
e.g. "LDAP://cn={8FF59D28-15D7-422A-BCB7-2AE45724125A},cn=policies,cn=system,DC=dev,DC=testlab,DC=local"
|
|
|
|
.PARAMETER ResolveMemberSIDs
|
|
|
|
Switch. Try to resolve the SIDs of all found group members.
|
|
|
|
.PARAMETER UsePSDrive
|
|
|
|
Switch. Mount any found policy files with temporary PSDrives.
|
|
|
|
.PARAMETER PageSize
|
|
|
|
The PageSize to set for the LDAP searcher object.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetGPOGroup
|
|
|
|
Returns all local groups set by GPO along with their members and memberof.
|
|
|
|
.LINK
|
|
|
|
https://morgansimonsenblog.azurewebsites.net/tag/groups/
|
|
#>
|
|
|
|
[CmdletBinding()]
|
|
Param (
|
|
[String]
|
|
$GPOname = '*',
|
|
|
|
[String]
|
|
$DisplayName,
|
|
|
|
[String]
|
|
$Domain,
|
|
|
|
[String]
|
|
$DomainController,
|
|
|
|
[String]
|
|
$ADSpath,
|
|
|
|
[Switch]
|
|
$ResolveMemberSIDs,
|
|
|
|
[Switch]
|
|
$UsePSDrive,
|
|
|
|
[ValidateRange(1,10000)]
|
|
[Int]
|
|
$PageSize = 200
|
|
)
|
|
|
|
$Option = [System.StringSplitOptions]::RemoveEmptyEntries
|
|
|
|
$GPOSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $ADSpath -PageSize $PageSize
|
|
$GPOSearcher.filter="(&(objectCategory=groupPolicyContainer)(name=*)(gpcfilesyspath=*))"
|
|
$GPOSearcher.PropertiesToLoad.AddRange(('displayname', 'name', 'gpcfilesyspath'))
|
|
|
|
ForEach($GPOResult in $GPOSearcher.FindAll()) {
|
|
|
|
$GPOdisplayName = $GPOResult.Properties['displayname']
|
|
$GPOname = $GPOResult.Properties['name']
|
|
$GPOPath = $GPOResult.Properties['gpcfilesyspath']
|
|
Write-Verbose "Get-NetGPOGroup: enumerating $GPOPath"
|
|
|
|
$ParseArgs = @{
|
|
'GptTmplPath' = "$GPOPath\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
|
|
'UsePSDrive' = $UsePSDrive
|
|
}
|
|
|
|
# parse the GptTmpl.inf 'Restricted Groups' file if it exists
|
|
$Inf = Get-GptTmpl @ParseArgs
|
|
|
|
if($Inf -and ($Inf.psbase.Keys -contains 'Group Membership')) {
|
|
|
|
$Memberships = @{}
|
|
|
|
# group the members/memberof fields for each entry
|
|
ForEach ($Membership in $Inf.'Group Membership'.GetEnumerator()) {
|
|
$Group, $Relation = $Membership.Key.Split('__', $Option) | ForEach-Object {$_.Trim()}
|
|
|
|
# extract out ALL members
|
|
$MembershipValue = $Membership.Value | Where-Object {$_} | ForEach-Object { $_.Trim('*') } | Where-Object {$_}
|
|
|
|
if($ResolveMemberSIDs) {
|
|
# if the resulting member is username and not a SID, attempt to resolve it
|
|
$GroupMembers = @()
|
|
ForEach($Member in $MembershipValue) {
|
|
if($Member -and ($Member.Trim() -ne '')) {
|
|
if($Member -notmatch '^S-1-.*') {
|
|
$MemberSID = Convert-NameToSid -Domain $Domain -ObjectName $Member | Select-Object -ExpandProperty SID
|
|
if($MemberSID) {
|
|
$GroupMembers += $MemberSID
|
|
}
|
|
else {
|
|
$GroupMembers += $Member
|
|
}
|
|
}
|
|
else {
|
|
$GroupMembers += $Member
|
|
}
|
|
}
|
|
}
|
|
$MembershipValue = $GroupMembers
|
|
}
|
|
|
|
if(-not $Memberships[$Group]) {
|
|
$Memberships[$Group] = @{}
|
|
}
|
|
if($MembershipValue -isnot [System.Array]) {$MembershipValue = @($MembershipValue)}
|
|
$Memberships[$Group].Add($Relation, $MembershipValue)
|
|
}
|
|
|
|
ForEach ($Membership in $Memberships.GetEnumerator()) {
|
|
if($Membership -and $Membership.Key -and ($Membership.Key -match '^\*')) {
|
|
# if the SID is already resolved (i.e. begins with *) try to resolve SID to a name
|
|
$GroupSID = $Membership.Key.Trim('*')
|
|
if($GroupSID -and ($GroupSID.Trim() -ne '')) {
|
|
$GroupName = Convert-SidToName -SID $GroupSID
|
|
}
|
|
else {
|
|
$GroupName = $False
|
|
}
|
|
}
|
|
else {
|
|
$GroupName = $Membership.Key
|
|
|
|
if($GroupName -and ($GroupName.Trim() -ne '')) {
|
|
if($Groupname -match 'Administrators') {
|
|
$GroupSID = 'S-1-5-32-544'
|
|
}
|
|
elseif($Groupname -match 'Remote Desktop') {
|
|
$GroupSID = 'S-1-5-32-555'
|
|
}
|
|
elseif($Groupname -match 'Guests') {
|
|
$GroupSID = 'S-1-5-32-546'
|
|
}
|
|
elseif($GroupName.Trim() -ne '') {
|
|
$GroupSID = Convert-NameToSid -Domain $Domain -ObjectName $Groupname | Select-Object -ExpandProperty SID
|
|
}
|
|
else {
|
|
$GroupSID = $Null
|
|
}
|
|
}
|
|
}
|
|
|
|
$GPOGroup = New-Object PSObject
|
|
$GPOGroup | Add-Member Noteproperty 'GPODisplayName' $GPODisplayName
|
|
$GPOGroup | Add-Member Noteproperty 'GPOName' $GPOName
|
|
$GPOGroup | Add-Member Noteproperty 'GPOPath' $GPOPath
|
|
$GPOGroup | Add-Member Noteproperty 'GPOType' 'RestrictedGroups'
|
|
$GPOGroup | Add-Member Noteproperty 'Filters' $Null
|
|
$GPOGroup | Add-Member Noteproperty 'GroupName' $GroupName
|
|
$GPOGroup | Add-Member Noteproperty 'GroupSID' $GroupSID
|
|
$GPOGroup | Add-Member Noteproperty 'GroupMemberOf' $Membership.Value.Memberof
|
|
$GPOGroup | Add-Member Noteproperty 'GroupMembers' $Membership.Value.Members
|
|
$GPOGroup
|
|
}
|
|
}
|
|
|
|
$ParseArgs = @{
|
|
'GroupsXMLpath' = "$GPOPath\MACHINE\Preferences\Groups\Groups.xml"
|
|
'UsePSDrive' = $UsePSDrive
|
|
}
|
|
|
|
Get-GroupsXML @ParseArgs | ForEach-Object {
|
|
if($ResolveMemberSIDs) {
|
|
$GroupMembers = @()
|
|
ForEach($Member in $_.GroupMembers) {
|
|
if($Member -and ($Member.Trim() -ne '')) {
|
|
if($Member -notmatch '^S-1-.*') {
|
|
# if the resulting member is username and not a SID, attempt to resolve it
|
|
$MemberSID = Convert-NameToSid -Domain $Domain -ObjectName $Member | Select-Object -ExpandProperty SID
|
|
if($MemberSID) {
|
|
$GroupMembers += $MemberSID
|
|
}
|
|
else {
|
|
$GroupMembers += $Member
|
|
}
|
|
}
|
|
else {
|
|
$GroupMembers += $Member
|
|
}
|
|
}
|
|
}
|
|
$_.GroupMembers = $GroupMembers
|
|
}
|
|
|
|
$_ | Add-Member Noteproperty 'GPODisplayName' $GPODisplayName
|
|
$_ | Add-Member Noteproperty 'GPOName' $GPOName
|
|
$_ | Add-Member Noteproperty 'GPOType' 'GroupPolicyPreferences'
|
|
$_
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
function Find-GPOLocation {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Enumerates the machines where a specific user/group is a member of a specific
|
|
local group, all through GPO correlation.
|
|
|
|
Author: @harmj0y
|
|
License: BSD 3-Clause
|
|
Required Dependencies: Get-NetGPOGroup, Get-NetOU, Get-NetComputer, Get-ADObject, Get-NetSite
|
|
Optional Dependencies: None
|
|
|
|
.DESCRIPTION
|
|
|
|
Takes a user/group name and optional domain, and determines the computers in the domain
|
|
the user/group has local admin (or RDP) rights to.
|
|
|
|
It does this by:
|
|
1. resolving the user/group to its proper SID
|
|
2. enumerating all groups the user/group is a current part of
|
|
and extracting all target SIDs to build a target SID list
|
|
3. pulling all GPOs that set 'Restricted Groups' or Groups.xml by calling
|
|
Get-NetGPOGroup
|
|
4. matching the target SID list to the queried GPO SID list
|
|
to enumerate all GPO the user is effectively applied with
|
|
5. enumerating all OUs and sites and applicable GPO GUIs are
|
|
applied to through gplink enumerating
|
|
6. querying for all computers under the given OUs or sites
|
|
|
|
If no user/group is specified, all user/group -> machine mappings discovered through
|
|
GPO relationships are returned.
|
|
|
|
.PARAMETER Domain
|
|
|
|
Optional domain the user exists in for querying, defaults to the current domain.
|
|
|
|
.PARAMETER DomainController
|
|
|
|
Domain controller to reflect LDAP queries through.
|
|
|
|
.PARAMETER LocalGroup
|
|
|
|
The local group to check access against.
|
|
Can be "Administrators" (S-1-5-32-544), "RDP/Remote Desktop Users" (S-1-5-32-555),
|
|
or a custom local SID. Defaults to local 'Administrators'.
|
|
|
|
.PARAMETER UsePSDrive
|
|
|
|
Switch. Mount any found policy files with temporary PSDrives.
|
|
|
|
.PARAMETER PageSize
|
|
|
|
The PageSize to set for the LDAP searcher object.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Find-GPOLocation
|
|
|
|
Find all user/group -> machine relationships where the user/group is a member
|
|
of the local administrators group on target machines.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Find-GPOLocation -UserName dfm
|
|
|
|
Find all computers that dfm user has local administrator rights to in
|
|
the current domain.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Find-GPOLocation -UserName dfm -Domain dev.testlab.local
|
|
|
|
Find all computers that dfm user has local administrator rights to in
|
|
the dev.testlab.local domain.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Find-GPOLocation -UserName jason -LocalGroup RDP
|
|
|
|
Find all computers that jason has local RDP access rights to in the domain.
|
|
#>
|
|
|
|
[CmdletBinding()]
|
|
Param (
|
|
[String]
|
|
$Domain,
|
|
|
|
[String]
|
|
$DomainController,
|
|
|
|
[String]
|
|
$LocalGroup = 'Administrators',
|
|
|
|
[Switch]
|
|
$UsePSDrive,
|
|
|
|
[ValidateRange(1,10000)]
|
|
[Int]
|
|
$PageSize = 200
|
|
)
|
|
|
|
$TargetSIDs = @('*')
|
|
|
|
# figure out what the SID is of the target local group we're checking for membership in
|
|
if($LocalGroup -like "*Admin*") {
|
|
$TargetLocalSID = 'S-1-5-32-544'
|
|
}
|
|
elseif ( ($LocalGroup -like "*RDP*") -or ($LocalGroup -like "*Remote*") ) {
|
|
$TargetLocalSID = 'S-1-5-32-555'
|
|
}
|
|
elseif ($LocalGroup -like "S-1-5-*") {
|
|
$TargetLocalSID = $LocalGroup
|
|
}
|
|
else {
|
|
throw "LocalGroup must be 'Administrators', 'RDP', or a 'S-1-5-X' SID format."
|
|
}
|
|
|
|
if(-not $TargetSIDs) {
|
|
throw "No effective target SIDs!"
|
|
}
|
|
|
|
Write-Verbose "TargetLocalSID: $TargetLocalSID"
|
|
Write-Verbose "Effective target SIDs: $TargetSIDs"
|
|
|
|
$GPOGroupArgs = @{
|
|
'Domain' = $Domain
|
|
'DomainController' = $DomainController
|
|
'UsePSDrive' = $UsePSDrive
|
|
'ResolveMemberSIDs' = $True
|
|
'PageSize' = $PageSize
|
|
}
|
|
|
|
# enumerate all GPO group mappings for the target domain that involve our target SID set
|
|
Sort-Object -Property GPOName -Unique -InputObject $(ForEach($GPOGroup in (Get-NetGPOGroup @GPOGroupArgs)) {
|
|
# if the locally set group is what we're looking for, check the GroupMembers ('members')
|
|
# for our target SID
|
|
if($GPOgroup.GroupSID -match $TargetLocalSID) {
|
|
ForEach($GPOgroupMember in $GPOgroup.GroupMembers) {
|
|
if($GPOgroupMember) {
|
|
if ( ($TargetSIDs[0] -eq '*') -or ($TargetSIDs -Contains $GPOgroupMember) ) {
|
|
$GPOgroup
|
|
}
|
|
}
|
|
}
|
|
}
|
|
# if the group is a 'memberof' the group we're looking for, check GroupSID against the targt SIDs
|
|
if( ($GPOgroup.GroupMemberOf -contains $TargetLocalSID) ) {
|
|
if( ($TargetSIDs[0] -eq '*') -or ($TargetSIDs -Contains $GPOgroup.GroupSID) ) {
|
|
$GPOgroup
|
|
}
|
|
}
|
|
}) | ForEach-Object {
|
|
|
|
$GPOname = $_.GPODisplayName
|
|
write-verbose "GPOname: $GPOname"
|
|
$GPOguid = $_.GPOName
|
|
$GPOPath = $_.GPOPath
|
|
$GPOType = $_.GPOType
|
|
if($_.GroupMembers) {
|
|
$GPOMembers = $_.GroupMembers
|
|
}
|
|
else {
|
|
$GPOMembers = $_.GroupSID
|
|
}
|
|
|
|
$Filters = $_.Filters
|
|
|
|
if(-not $TargetObject) {
|
|
# if the * wildcard was used, set the ObjectDistName as the GPO member SID set
|
|
# so all relationship mappings are output
|
|
$TargetObjectSIDs = $GPOMembers
|
|
}
|
|
else {
|
|
$TargetObjectSIDs = $TargetObject
|
|
}
|
|
|
|
# find any OUs that have this GUID applied and then retrieve any computers from the OU
|
|
Get-NetOU -Domain $Domain -DomainController $DomainController -GUID $GPOguid -FullData -PageSize $PageSize | ForEach-Object {
|
|
if($Filters) {
|
|
# filter for computer name/org unit if a filter is specified
|
|
# TODO: handle other filters (i.e. OU filters?) again, I hate you GPP...
|
|
$FilterValue = $Filters.Value
|
|
$OUComputers = ForEach($OUComputer in (Get-NetComputer -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $_.ADSpath -PageSize $PageSize)) {
|
|
if($OUComputer.ToLower() -match $Filters.Value) {
|
|
$OUComputer
|
|
}
|
|
}
|
|
}
|
|
else {
|
|
$OUComputers = Get-NetComputer -Domain $Domain -DomainController $DomainController -Credential $Credential -ADSpath $_.ADSpath -PageSize $PageSize
|
|
}
|
|
|
|
if($OUComputers) {
|
|
if($OUComputers -isnot [System.Array]) {$OUComputers = @($OUComputers)}
|
|
ForEach ($TargetSid in $TargetObjectSIDs) {
|
|
$Object = Get-ADObject -SID $TargetSid
|
|
if (-not $Object) {
|
|
$Object = Get-ADObject -SID $TargetSid -Domain $Domain -DomainController $DomainController -Credential $Credential -PageSize $PageSize
|
|
}
|
|
if($Object) {
|
|
$MemberDN = $Object.distinguishedName
|
|
$ObjectDomain = $MemberDN.subString($MemberDN.IndexOf("DC=")) -replace 'DC=','' -replace ',','.'
|
|
$IsGroup = @('268435456','268435457','536870912','536870913') -contains $Object.samaccounttype
|
|
|
|
$GPOLocation = New-Object PSObject
|
|
$GPOLocation | Add-Member Noteproperty 'ObjectDomain' $ObjectDomain
|
|
$GPOLocation | Add-Member Noteproperty 'ObjectName' $Object.samaccountname
|
|
$GPOLocation | Add-Member Noteproperty 'ObjectDN' $Object.distinguishedname
|
|
$GPOLocation | Add-Member Noteproperty 'ObjectSID' $Object.objectsid
|
|
$GPOLocation | Add-Member Noteproperty 'IsGroup' $IsGroup
|
|
$GPOLocation | Add-Member Noteproperty 'GPODomain' $Domain
|
|
$GPOLocation | Add-Member Noteproperty 'GPODisplayName' $GPOname
|
|
$GPOLocation | Add-Member Noteproperty 'GPOGuid' $GPOGuid
|
|
$GPOLocation | Add-Member Noteproperty 'GPOPath' $GPOPath
|
|
$GPOLocation | Add-Member Noteproperty 'GPOType' $GPOType
|
|
$GPOLocation | Add-Member Noteproperty 'ContainerName' $_.distinguishedname
|
|
$GPOLocation | Add-Member Noteproperty 'ComputerName' $OUComputers
|
|
$GPOLocation.PSObject.TypeNames.Add('PowerView.GPOLocalGroup')
|
|
$GPOLocation
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
# find any sites that have this GUID applied
|
|
Get-NetSite -Domain $Domain -DomainController $DomainController -GUID $GPOguid -PageSize $PageSize -FullData | ForEach-Object {
|
|
|
|
ForEach ($TargetSid in $TargetObjectSIDs) {
|
|
# $Object = Get-ADObject -SID $TargetSid -Domain $Domain -DomainController $DomainController -Credential $Credential -PageSize $PageSize
|
|
$Object = Get-ADObject -SID $TargetSid
|
|
if (-not $Object) {
|
|
$Object = Get-ADObject -SID $TargetSid -Domain $Domain -DomainController $DomainController -Credential $Credential -PageSize $PageSize
|
|
}
|
|
if($Object) {
|
|
$MemberDN = $Object.distinguishedName
|
|
$ObjectDomain = $MemberDN.subString($MemberDN.IndexOf("DC=")) -replace 'DC=','' -replace ',','.'
|
|
$IsGroup = @('268435456','268435457','536870912','536870913') -contains $Object.samaccounttype
|
|
|
|
$AppliedSite = New-Object PSObject
|
|
$GPOLocation | Add-Member Noteproperty 'ObjectDomain' $ObjectDomain
|
|
$AppliedSite | Add-Member Noteproperty 'ObjectName' $Object.samaccountname
|
|
$AppliedSite | Add-Member Noteproperty 'ObjectDN' $Object.distinguishedname
|
|
$AppliedSite | Add-Member Noteproperty 'ObjectSID' $Object.objectsid
|
|
$AppliedSite | Add-Member Noteproperty 'IsGroup' $IsGroup
|
|
$AppliedSite | Add-Member Noteproperty 'GPODomain' $Domain
|
|
$AppliedSite | Add-Member Noteproperty 'GPODisplayName' $GPOname
|
|
$AppliedSite | Add-Member Noteproperty 'GPOGuid' $GPOGuid
|
|
$AppliedSite | Add-Member Noteproperty 'GPOPath' $GPOPath
|
|
$AppliedSite | Add-Member Noteproperty 'GPOType' $GPOType
|
|
$AppliedSite | Add-Member Noteproperty 'ContainerName' $_.distinguishedname
|
|
$AppliedSite | Add-Member Noteproperty 'ComputerName' $_.siteobjectbl
|
|
$AppliedSite.PSObject.TypeNames.Add('PowerView.GPOLocalGroup')
|
|
$AppliedSite
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
########################################################
|
|
#
|
|
# Functions that enumerate a single host, either through
|
|
# WinNT, WMI, remote registry, or API calls
|
|
# (with PSReflect).
|
|
#
|
|
########################################################
|
|
|
|
function Get-NetLocalGroup {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Gets a list of all current users in a specified local group,
|
|
or returns the names of all local groups with -ListGroups.
|
|
|
|
.PARAMETER ComputerName
|
|
|
|
The hostname or IP to query for local group users.
|
|
|
|
.PARAMETER ComputerFile
|
|
|
|
File of hostnames/IPs to query for local group users.
|
|
|
|
.PARAMETER GroupName
|
|
|
|
The local group name to query for users. If not given, it defaults to "Administrators"
|
|
|
|
.PARAMETER Recurse
|
|
|
|
Switch. If the local member member is a domain group, recursively try to resolve its members to get a list of domain users who can access this machine.
|
|
|
|
.PARAMETER API
|
|
|
|
Switch. Use API calls instead of the WinNT service provider. Less information,
|
|
but the results are faster.
|
|
|
|
.PARAMETER IsDomain
|
|
|
|
Switch. Only return results that are domain accounts.
|
|
|
|
.PARAMETER DomainSID
|
|
|
|
The SID of the enumerated machine's domain, used to identify if results are domain
|
|
or local when using the -API flag.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetLocalGroup
|
|
|
|
Returns the usernames that of members of localgroup "Administrators" on the local host.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetLocalGroup -ComputerName WINDOWSXP
|
|
|
|
Returns all the local administrator accounts for WINDOWSXP
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetLocalGroup -ComputerName WINDOWS7 -Recurse
|
|
|
|
Returns all effective local/domain users/groups that can access WINDOWS7 with
|
|
local administrative privileges.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> "WINDOWS7", "WINDOWSSP" | Get-NetLocalGroup -API
|
|
|
|
Returns all local groups on the the passed hosts using API calls instead of the
|
|
WinNT service provider.
|
|
|
|
.LINK
|
|
|
|
http://stackoverflow.com/questions/21288220/get-all-local-members-and-groups-displayed-together
|
|
http://msdn.microsoft.com/en-us/library/aa772211(VS.85).aspx
|
|
#>
|
|
|
|
[CmdletBinding(DefaultParameterSetName = 'WinNT')]
|
|
param(
|
|
[Parameter(ParameterSetName = 'API', Position=0, ValueFromPipeline=$True)]
|
|
[Parameter(ParameterSetName = 'WinNT', Position=0, ValueFromPipeline=$True)]
|
|
[Alias('HostName')]
|
|
[String[]]
|
|
$ComputerName = $Env:ComputerName,
|
|
|
|
[Parameter(ParameterSetName = 'WinNT')]
|
|
[Parameter(ParameterSetName = 'API')]
|
|
[ValidateScript({Test-Path -Path $_ })]
|
|
[Alias('HostList')]
|
|
[String]
|
|
$ComputerFile,
|
|
|
|
[Parameter(ParameterSetName = 'WinNT')]
|
|
[Parameter(ParameterSetName = 'API')]
|
|
[String]
|
|
$GroupName = 'Administrators',
|
|
|
|
[Parameter(ParameterSetName = 'API')]
|
|
[Switch]
|
|
$API,
|
|
|
|
[Switch]
|
|
$IsDomain,
|
|
|
|
[ValidateNotNullOrEmpty()]
|
|
[String]
|
|
$DomainSID
|
|
)
|
|
|
|
process {
|
|
|
|
$Servers = @()
|
|
|
|
# if we have a host list passed, grab it
|
|
if($ComputerFile) {
|
|
$Servers = Get-Content -Path $ComputerFile
|
|
}
|
|
else {
|
|
# otherwise assume a single host name
|
|
$Servers += $ComputerName | Get-NameField
|
|
}
|
|
|
|
# query the specified group using the WINNT provider, and
|
|
# extract fields as appropriate from the results
|
|
ForEach($Server in $Servers) {
|
|
|
|
if($API) {
|
|
# if we're using the Netapi32 NetLocalGroupGetMembers API call to get the local group information
|
|
|
|
# arguments for NetLocalGroupGetMembers
|
|
$QueryLevel = 2
|
|
$PtrInfo = [IntPtr]::Zero
|
|
$EntriesRead = 0
|
|
$TotalRead = 0
|
|
$ResumeHandle = 0
|
|
|
|
# get the local user information
|
|
$Result = $Netapi32::NetLocalGroupGetMembers($Server, $GroupName, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle)
|
|
|
|
# Locate the offset of the initial intPtr
|
|
$Offset = $PtrInfo.ToInt64()
|
|
|
|
$LocalUsers = @()
|
|
|
|
# 0 = success
|
|
if (($Result -eq 0) -and ($Offset -gt 0)) {
|
|
|
|
# Work out how mutch to increment the pointer by finding out the size of the structure
|
|
$Increment = $LOCALGROUP_MEMBERS_INFO_2::GetSize()
|
|
|
|
# parse all the result structures
|
|
for ($i = 0; ($i -lt $EntriesRead); $i++) {
|
|
# create a new int ptr at the given offset and cast the pointer as our result structure
|
|
$NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
|
|
$Info = $NewIntPtr -as $LOCALGROUP_MEMBERS_INFO_2
|
|
|
|
$Offset = $NewIntPtr.ToInt64()
|
|
$Offset += $Increment
|
|
|
|
$SidString = ''
|
|
$Result2 = $Advapi32::ConvertSidToStringSid($Info.lgrmi2_sid, [ref]$SidString);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
|
|
|
|
if($Result2 -eq 0) {
|
|
# error?
|
|
}
|
|
else {
|
|
$IsGroup = $($Info.lgrmi2_sidusage -ne 'SidTypeUser')
|
|
$LocalUsers += @{
|
|
'ComputerName' = $Server
|
|
'AccountName' = $Info.lgrmi2_domainandname
|
|
'SID' = $SidString
|
|
'IsGroup' = $IsGroup
|
|
'Type' = 'LocalUser'
|
|
}
|
|
}
|
|
}
|
|
|
|
# free up the result buffer
|
|
$Null = $Netapi32::NetApiBufferFree($PtrInfo)
|
|
|
|
$MachineSid = ($LocalUsers | Where-Object {$_['SID'] -like '*-500'})['SID']
|
|
$MachineSid = $MachineSid.Substring(0, $MachineSid.LastIndexOf('-'))
|
|
try {
|
|
ForEach($LocalUser in $LocalUsers) {
|
|
if($DomainSID -and ($LocalUser['SID'] -match $DomainSID)) {
|
|
$LocalUser['IsDomain'] = $True
|
|
}
|
|
elseif($LocalUser['SID'] -match $MachineSid) {
|
|
$LocalUser['IsDomain'] = $False
|
|
}
|
|
else {
|
|
$LocalUser['IsDomain'] = $True
|
|
}
|
|
if($IsDomain) {
|
|
if($LocalUser['IsDomain']) {
|
|
$LocalUser
|
|
}
|
|
}
|
|
else {
|
|
$LocalUser
|
|
}
|
|
}
|
|
}
|
|
catch { }
|
|
}
|
|
else {
|
|
# error
|
|
}
|
|
}
|
|
|
|
else {
|
|
# otherwise we're using the WinNT service provider
|
|
try {
|
|
$LocalUsers = @()
|
|
$Members = @($([ADSI]"WinNT://$Server/$GroupName,group").psbase.Invoke('Members'))
|
|
|
|
$Members | ForEach-Object {
|
|
$LocalUser = ([ADSI]$_)
|
|
|
|
$AdsPath = $LocalUser.InvokeGet('AdsPath').Replace('WinNT://', '')
|
|
|
|
if(([regex]::Matches($AdsPath, '/')).count -eq 1) {
|
|
# DOMAIN\user
|
|
$MemberIsDomain = $True
|
|
$Name = $AdsPath.Replace('/', '\')
|
|
}
|
|
else {
|
|
# DOMAIN\machine\user
|
|
$MemberIsDomain = $False
|
|
$Name = $AdsPath.Substring($AdsPath.IndexOf('/')+1).Replace('/', '\')
|
|
}
|
|
|
|
$IsGroup = ($LocalUser.SchemaClassName -like 'group')
|
|
if($IsDomain) {
|
|
if($MemberIsDomain) {
|
|
$LocalUsers += @{
|
|
'ComputerName' = $Server
|
|
'AccountName' = $Name
|
|
'SID' = ((New-Object System.Security.Principal.SecurityIdentifier($LocalUser.InvokeGet('ObjectSID'),0)).Value)
|
|
'IsGroup' = $IsGroup
|
|
'IsDomain' = $MemberIsDomain
|
|
'Type' = 'LocalUser'
|
|
}
|
|
}
|
|
}
|
|
else {
|
|
$LocalUsers += @{
|
|
'ComputerName' = $Server
|
|
'AccountName' = $Name
|
|
'SID' = ((New-Object System.Security.Principal.SecurityIdentifier($LocalUser.InvokeGet('ObjectSID'),0)).Value)
|
|
'IsGroup' = $IsGroup
|
|
'IsDomain' = $MemberIsDomain
|
|
'Type' = 'LocalUser'
|
|
}
|
|
}
|
|
}
|
|
$LocalUsers
|
|
}
|
|
catch {
|
|
Write-Verbose "Get-NetLocalGroup error for $Server : $_"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
filter Get-NetLoggedon {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
This function will execute the NetWkstaUserEnum Win32API call to query
|
|
a given host for actively logged on users.
|
|
|
|
.PARAMETER ComputerName
|
|
|
|
The hostname to query for logged on users.
|
|
|
|
.OUTPUTS
|
|
|
|
WKSTA_USER_INFO_1 structure. A representation of the WKSTA_USER_INFO_1
|
|
result structure which includes the username and domain of logged on users,
|
|
with the ComputerName added.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetLoggedon
|
|
|
|
Returns users actively logged onto the local host.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetLoggedon -ComputerName sqlserver
|
|
|
|
Returns users actively logged onto the 'sqlserver' host.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetComputer | Get-NetLoggedon
|
|
|
|
Returns all logged on userse for all computers in the domain.
|
|
|
|
.LINK
|
|
|
|
http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/
|
|
#>
|
|
|
|
[CmdletBinding()]
|
|
param(
|
|
[Parameter(ValueFromPipeline=$True)]
|
|
[Alias('HostName')]
|
|
[Object[]]
|
|
[ValidateNotNullOrEmpty()]
|
|
$ComputerName = 'localhost'
|
|
)
|
|
|
|
# extract the computer name from whatever object was passed on the pipeline
|
|
$Computer = $ComputerName | Get-NameField
|
|
|
|
# Declare the reference variables
|
|
$QueryLevel = 1
|
|
$PtrInfo = [IntPtr]::Zero
|
|
$EntriesRead = 0
|
|
$TotalRead = 0
|
|
$ResumeHandle = 0
|
|
|
|
# get logged on user information
|
|
$Result = $Netapi32::NetWkstaUserEnum($Computer, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle)
|
|
|
|
# Locate the offset of the initial intPtr
|
|
$Offset = $PtrInfo.ToInt64()
|
|
|
|
# 0 = success
|
|
if (($Result -eq 0) -and ($Offset -gt 0)) {
|
|
|
|
# Work out how mutch to increment the pointer by finding out the size of the structure
|
|
$Increment = $WKSTA_USER_INFO_1::GetSize()
|
|
|
|
# parse all the result structures
|
|
for ($i = 0; ($i -lt $EntriesRead); $i++) {
|
|
# create a new int ptr at the given offset and cast the pointer as our result structure
|
|
$NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
|
|
$Info = $NewIntPtr -as $WKSTA_USER_INFO_1
|
|
|
|
# return all the sections of the structure
|
|
$LoggedOn = $Info | Select-Object *
|
|
$LoggedOn | Add-Member Noteproperty 'ComputerName' $Computer
|
|
$Offset = $NewIntPtr.ToInt64()
|
|
$Offset += $Increment
|
|
$LoggedOn
|
|
}
|
|
|
|
# free up the result buffer
|
|
$Null = $Netapi32::NetApiBufferFree($PtrInfo)
|
|
}
|
|
else {
|
|
Write-Verbose "Error: $(([ComponentModel.Win32Exception] $Result).Message)"
|
|
}
|
|
}
|
|
|
|
|
|
filter Get-NetSession {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
This function will execute the NetSessionEnum Win32API call to query
|
|
a given host for active sessions on the host.
|
|
Heavily adapted from dunedinite's post on stackoverflow (see LINK below)
|
|
|
|
.PARAMETER ComputerName
|
|
|
|
The ComputerName to query for active sessions.
|
|
|
|
.PARAMETER UserName
|
|
|
|
The user name to filter for active sessions.
|
|
|
|
.OUTPUTS
|
|
|
|
SESSION_INFO_10 structure. A representation of the SESSION_INFO_10
|
|
result structure which includes the host and username associated
|
|
with active sessions, with the ComputerName added.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetSession
|
|
|
|
Returns active sessions on the local host.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetSession -ComputerName sqlserver
|
|
|
|
Returns active sessions on the 'sqlserver' host.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetDomainController | Get-NetSession
|
|
|
|
Returns active sessions on all domain controllers.
|
|
|
|
.LINK
|
|
|
|
http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/
|
|
#>
|
|
|
|
[CmdletBinding()]
|
|
param(
|
|
[Parameter(ValueFromPipeline=$True)]
|
|
[Alias('HostName')]
|
|
[Object[]]
|
|
[ValidateNotNullOrEmpty()]
|
|
$ComputerName = 'localhost',
|
|
|
|
[String]
|
|
$UserName = ''
|
|
)
|
|
|
|
# extract the computer name from whatever object was passed on the pipeline
|
|
$Computer = $ComputerName | Get-NameField
|
|
|
|
# arguments for NetSessionEnum
|
|
$QueryLevel = 10
|
|
$PtrInfo = [IntPtr]::Zero
|
|
$EntriesRead = 0
|
|
$TotalRead = 0
|
|
$ResumeHandle = 0
|
|
|
|
# get session information
|
|
$Result = $Netapi32::NetSessionEnum($Computer, '', $UserName, $QueryLevel, [ref]$PtrInfo, -1, [ref]$EntriesRead, [ref]$TotalRead, [ref]$ResumeHandle)
|
|
|
|
# Locate the offset of the initial intPtr
|
|
$Offset = $PtrInfo.ToInt64()
|
|
|
|
# 0 = success
|
|
if (($Result -eq 0) -and ($Offset -gt 0)) {
|
|
|
|
# Work out how mutch to increment the pointer by finding out the size of the structure
|
|
$Increment = $SESSION_INFO_10::GetSize()
|
|
|
|
# parse all the result structures
|
|
for ($i = 0; ($i -lt $EntriesRead); $i++) {
|
|
# create a new int ptr at the given offset and cast the pointer as our result structure
|
|
$NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
|
|
$Info = $NewIntPtr -as $SESSION_INFO_10
|
|
|
|
# return all the sections of the structure
|
|
$Sessions = $Info | Select-Object *
|
|
$Sessions | Add-Member Noteproperty 'ComputerName' $Computer
|
|
$Offset = $NewIntPtr.ToInt64()
|
|
$Offset += $Increment
|
|
$Sessions
|
|
}
|
|
# free up the result buffer
|
|
$Null = $Netapi32::NetApiBufferFree($PtrInfo)
|
|
}
|
|
else {
|
|
Write-Verbose "Error: $(([ComponentModel.Win32Exception] $Result).Message)"
|
|
}
|
|
}
|
|
|
|
|
|
filter Get-LoggedOnLocal {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
This function will query the HKU registry values to retrieve the local
|
|
logged on users SID and then attempt and reverse it.
|
|
Adapted technique from Sysinternal's PSLoggedOn script. Benefit over
|
|
using the NetWkstaUserEnum API (Get-NetLoggedon) of less user privileges
|
|
required (NetWkstaUserEnum requires remote admin access).
|
|
|
|
Note: This function requires only domain user rights on the
|
|
machine you're enumerating, but remote registry must be enabled.
|
|
|
|
Function: Get-LoggedOnLocal
|
|
Author: Matt Kelly, @BreakersAll
|
|
|
|
.PARAMETER ComputerName
|
|
|
|
The ComputerName to query for active sessions.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-LoggedOnLocal
|
|
|
|
Returns active sessions on the local host.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-LoggedOnLocal -ComputerName sqlserver
|
|
|
|
Returns active sessions on the 'sqlserver' host.
|
|
|
|
#>
|
|
|
|
[CmdletBinding()]
|
|
param(
|
|
[Parameter(ValueFromPipeline=$True)]
|
|
[Alias('HostName')]
|
|
[Object[]]
|
|
[ValidateNotNullOrEmpty()]
|
|
$ComputerName = 'localhost'
|
|
)
|
|
|
|
# process multiple host object types from the pipeline
|
|
$ComputerName = Get-NameField -Object $ComputerName
|
|
|
|
try {
|
|
# retrieve HKU remote registry values
|
|
$Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', "$ComputerName")
|
|
|
|
# sort out bogus sid's like _class
|
|
$Reg.GetSubKeyNames() | Where-Object { $_ -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' } | ForEach-Object {
|
|
$UserName = Convert-SidToName $_
|
|
|
|
$Parts = $UserName.Split('\')
|
|
$UserDomain = $Null
|
|
$UserName = $Parts[-1]
|
|
if ($Parts.Length -eq 2) {
|
|
$UserDomain = $Parts[0]
|
|
}
|
|
|
|
$LocalLoggedOnUser = New-Object PSObject
|
|
$LocalLoggedOnUser | Add-Member Noteproperty 'ComputerName' "$ComputerName"
|
|
$LocalLoggedOnUser | Add-Member Noteproperty 'UserDomain' $UserDomain
|
|
$LocalLoggedOnUser | Add-Member Noteproperty 'UserName' $UserName
|
|
$LocalLoggedOnUser | Add-Member Noteproperty 'UserSID' $_
|
|
$LocalLoggedOnUser
|
|
}
|
|
}
|
|
catch { }
|
|
}
|
|
|
|
|
|
########################################################
|
|
#
|
|
# Domain trust functions below.
|
|
#
|
|
########################################################
|
|
|
|
function Get-NetDomainTrust {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Return all domain trusts for the current domain or
|
|
a specified domain.
|
|
|
|
.PARAMETER Domain
|
|
|
|
The domain whose trusts to enumerate, defaults to the current domain.
|
|
|
|
.PARAMETER DomainController
|
|
|
|
Domain controller to reflect LDAP queries through.
|
|
|
|
.PARAMETER ADSpath
|
|
|
|
The LDAP source to search through, e.g. "LDAP://DC=testlab,DC=local".
|
|
Useful for global catalog queries ;)
|
|
|
|
.PARAMETER API
|
|
|
|
Use an API call (DsEnumerateDomainTrusts) to enumerate the trusts.
|
|
|
|
.PARAMETER LDAP
|
|
|
|
Switch. Use LDAP queries to enumerate the trusts instead of direct domain connections.
|
|
More likely to get around network segmentation, but not as accurate.
|
|
|
|
.PARAMETER PageSize
|
|
|
|
The PageSize to set for the LDAP searcher object.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetDomainTrust
|
|
|
|
Return domain trusts for the current domain using built in .NET methods.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetDomainTrust -Domain "prod.testlab.local"
|
|
|
|
Return domain trusts for the "prod.testlab.local" domain using .NET methods
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetDomainTrust -LDAP -Domain "prod.testlab.local" -DomainController "PRIMARY.testlab.local"
|
|
|
|
Return domain trusts for the "prod.testlab.local" domain enumerated through LDAP
|
|
queries, reflecting queries through the "Primary.testlab.local" domain controller,
|
|
using .NET methods.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetDomainTrust -API -Domain "prod.testlab.local"
|
|
|
|
Return domain trusts for the "prod.testlab.local" domain enumerated through API calls.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetDomainTrust -API -DomainController WINDOWS2.testlab.local
|
|
|
|
Return domain trusts reachable from the WINDOWS2 machine through API calls.
|
|
#>
|
|
|
|
[CmdletBinding()]
|
|
param(
|
|
[Parameter(Position=0, ValueFromPipeline=$True)]
|
|
[String]
|
|
$Domain,
|
|
|
|
[String]
|
|
$DomainController,
|
|
|
|
[String]
|
|
$ADSpath,
|
|
|
|
[Switch]
|
|
$API,
|
|
|
|
[Switch]
|
|
$LDAP,
|
|
|
|
[ValidateRange(1,10000)]
|
|
[Int]
|
|
$PageSize = 200,
|
|
|
|
[Management.Automation.PSCredential]
|
|
$Credential
|
|
)
|
|
|
|
begin {
|
|
$TrustAttributes = @{
|
|
[uint32]'0x00000001' = 'non_transitive'
|
|
[uint32]'0x00000002' = 'uplevel_only'
|
|
[uint32]'0x00000004' = 'quarantined_domain'
|
|
[uint32]'0x00000008' = 'forest_transitive'
|
|
[uint32]'0x00000010' = 'cross_organization'
|
|
[uint32]'0x00000020' = 'within_forest'
|
|
[uint32]'0x00000040' = 'treat_as_external'
|
|
[uint32]'0x00000080' = 'trust_uses_rc4_encryption'
|
|
[uint32]'0x00000100' = 'trust_uses_aes_keys'
|
|
[uint32]'0x00000200' = 'cross_organization_no_tgt_delegation'
|
|
[uint32]'0x00000400' = 'pim_trust'
|
|
}
|
|
}
|
|
|
|
process {
|
|
|
|
if(-not $Domain) {
|
|
# if not domain is specified grab the current domain
|
|
$SourceDomain = (Get-NetDomain -Credential $Credential).Name
|
|
}
|
|
else {
|
|
$SourceDomain = $Domain
|
|
}
|
|
|
|
if($LDAP -or $ADSPath) {
|
|
|
|
$TrustSearcher = Get-DomainSearcher -Domain $SourceDomain -DomainController $DomainController -Credential $Credential -PageSize $PageSize -ADSpath $ADSpath
|
|
|
|
$SourceSID = Get-DomainSID -Domain $SourceDomain -DomainController $DomainController
|
|
|
|
if($TrustSearcher) {
|
|
|
|
$TrustSearcher.Filter = '(objectClass=trustedDomain)'
|
|
|
|
$Results = $TrustSearcher.FindAll()
|
|
$Results | Where-Object {$_} | ForEach-Object {
|
|
$Props = $_.Properties
|
|
$DomainTrust = New-Object PSObject
|
|
|
|
$TrustAttrib = @()
|
|
$TrustAttrib += $TrustAttributes.Keys | Where-Object { $Props.trustattributes[0] -band $_ } | ForEach-Object { $TrustAttributes[$_] }
|
|
|
|
$Direction = Switch ($Props.trustdirection) {
|
|
0 { 'Disabled' }
|
|
1 { 'Inbound' }
|
|
2 { 'Outbound' }
|
|
3 { 'Bidirectional' }
|
|
}
|
|
$ObjectGuid = New-Object Guid @(,$Props.objectguid[0])
|
|
$TargetSID = (New-Object System.Security.Principal.SecurityIdentifier($Props.securityidentifier[0],0)).Value
|
|
$DomainTrust | Add-Member Noteproperty 'SourceName' $SourceDomain
|
|
$DomainTrust | Add-Member Noteproperty 'SourceSID' $SourceSID
|
|
$DomainTrust | Add-Member Noteproperty 'TargetName' $Props.name[0]
|
|
$DomainTrust | Add-Member Noteproperty 'TargetSID' $TargetSID
|
|
$DomainTrust | Add-Member Noteproperty 'ObjectGuid' "{$ObjectGuid}"
|
|
$DomainTrust | Add-Member Noteproperty 'TrustType' $($TrustAttrib -join ',')
|
|
$DomainTrust | Add-Member Noteproperty 'TrustDirection' "$Direction"
|
|
$DomainTrust.PSObject.TypeNames.Add('PowerView.DomainTrustLDAP')
|
|
$DomainTrust
|
|
}
|
|
$Results.dispose()
|
|
$TrustSearcher.dispose()
|
|
}
|
|
}
|
|
elseif($API) {
|
|
if(-not $DomainController) {
|
|
$DomainController = Get-NetDomainController -Credential $Credential -Domain $SourceDomain | Select-Object -First 1 | Select-Object -ExpandProperty Name
|
|
}
|
|
|
|
if($DomainController) {
|
|
# arguments for DsEnumerateDomainTrusts
|
|
$PtrInfo = [IntPtr]::Zero
|
|
|
|
# 63 = DS_DOMAIN_IN_FOREST + DS_DOMAIN_DIRECT_OUTBOUND + DS_DOMAIN_TREE_ROOT + DS_DOMAIN_PRIMARY + DS_DOMAIN_NATIVE_MODE + DS_DOMAIN_DIRECT_INBOUND
|
|
$Flags = 63
|
|
$DomainCount = 0
|
|
|
|
# get the trust information from the target server
|
|
$Result = $Netapi32::DsEnumerateDomainTrusts($DomainController, $Flags, [ref]$PtrInfo, [ref]$DomainCount)
|
|
|
|
# Locate the offset of the initial intPtr
|
|
$Offset = $PtrInfo.ToInt64()
|
|
|
|
# 0 = success
|
|
if (($Result -eq 0) -and ($Offset -gt 0)) {
|
|
|
|
# Work out how mutch to increment the pointer by finding out the size of the structure
|
|
$Increment = $DS_DOMAIN_TRUSTS::GetSize()
|
|
|
|
# parse all the result structures
|
|
for ($i = 0; ($i -lt $DomainCount); $i++) {
|
|
# create a new int ptr at the given offset and cast the pointer as our result structure
|
|
$NewIntPtr = New-Object System.Intptr -ArgumentList $Offset
|
|
$Info = $NewIntPtr -as $DS_DOMAIN_TRUSTS
|
|
|
|
$Offset = $NewIntPtr.ToInt64()
|
|
$Offset += $Increment
|
|
|
|
$SidString = ""
|
|
$Result = $Advapi32::ConvertSidToStringSid($Info.DomainSid, [ref]$SidString);$LastError = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
|
|
|
|
if($Result -eq 0) {
|
|
Write-Verbose "Error: $(([ComponentModel.Win32Exception] $LastError).Message)"
|
|
}
|
|
else {
|
|
$DomainTrust = New-Object PSObject
|
|
$DomainTrust | Add-Member Noteproperty 'SourceDomain' $SourceDomain
|
|
$DomainTrust | Add-Member Noteproperty 'SourceDomainController' $DomainController
|
|
$DomainTrust | Add-Member Noteproperty 'NetbiosDomainName' $Info.NetbiosDomainName
|
|
$DomainTrust | Add-Member Noteproperty 'DnsDomainName' $Info.DnsDomainName
|
|
$DomainTrust | Add-Member Noteproperty 'Flags' $Info.Flags
|
|
$DomainTrust | Add-Member Noteproperty 'ParentIndex' $Info.ParentIndex
|
|
$DomainTrust | Add-Member Noteproperty 'TrustType' $Info.TrustType
|
|
$DomainTrust | Add-Member Noteproperty 'TrustAttributes' $Info.TrustAttributes
|
|
$DomainTrust | Add-Member Noteproperty 'DomainSid' $SidString
|
|
$DomainTrust | Add-Member Noteproperty 'DomainGuid' $Info.DomainGuid
|
|
$DomainTrust.PSObject.TypeNames.Add('PowerView.APIDomainTrust')
|
|
$DomainTrust
|
|
}
|
|
}
|
|
# free up the result buffer
|
|
$Null = $Netapi32::NetApiBufferFree($PtrInfo)
|
|
}
|
|
else {
|
|
Write-Verbose "Error: $(([ComponentModel.Win32Exception] $Result).Message)"
|
|
}
|
|
}
|
|
else {
|
|
Write-Verbose "Could not retrieve domain controller for $Domain"
|
|
}
|
|
}
|
|
else {
|
|
# if we're using direct domain connections through .NET
|
|
$FoundDomain = Get-NetDomain -Domain $Domain -Credential $Credential
|
|
if($FoundDomain) {
|
|
$FoundDomain.GetAllTrustRelationships() | ForEach-Object {
|
|
$_.PSObject.TypeNames.Add('PowerView.DomainTrust')
|
|
$_
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
function Get-NetForestTrust {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Return all trusts for the current forest.
|
|
|
|
.PARAMETER Forest
|
|
|
|
Return trusts for the specified forest.
|
|
|
|
.PARAMETER Credential
|
|
|
|
A [Management.Automation.PSCredential] object of alternate credentials
|
|
for connection to the target domain.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetForestTrust
|
|
|
|
Return current forest trusts.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Get-NetForestTrust -Forest "test"
|
|
|
|
Return trusts for the "test" forest.
|
|
#>
|
|
|
|
[CmdletBinding()]
|
|
param(
|
|
[Parameter(Position=0,ValueFromPipeline=$True)]
|
|
[String]
|
|
$Forest,
|
|
|
|
[Management.Automation.PSCredential]
|
|
$Credential
|
|
)
|
|
|
|
process {
|
|
$FoundForest = Get-NetForest -Forest $Forest -Credential $Credential
|
|
|
|
if($FoundForest) {
|
|
$FoundForest.GetAllTrustRelationships() | ForEach-Object {
|
|
$_.PSObject.TypeNames.Add('PowerView.ForestTrust')
|
|
$_
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
function Invoke-MapDomainTrust {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
This function gets all trusts for the current domain,
|
|
and tries to get all trusts for each domain it finds.
|
|
|
|
.PARAMETER LDAP
|
|
|
|
Switch. Use LDAP queries to enumerate the trusts instead of direct domain connections.
|
|
More likely to get around network segmentation, but not as accurate.
|
|
|
|
.PARAMETER DomainController
|
|
|
|
Domain controller to reflect LDAP queries through.
|
|
|
|
.PARAMETER PageSize
|
|
|
|
The PageSize to set for the LDAP searcher object.
|
|
|
|
.PARAMETER Credential
|
|
|
|
A [Management.Automation.PSCredential] object of alternate credentials
|
|
for connection to the target domain.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Invoke-MapDomainTrust | Export-CSV -NoTypeInformation trusts.csv
|
|
|
|
Map all reachable domain trusts and output everything to a .csv file.
|
|
|
|
.LINK
|
|
|
|
http://blog.harmj0y.net/
|
|
#>
|
|
[CmdletBinding()]
|
|
param(
|
|
[Switch]
|
|
$LDAP,
|
|
|
|
[String]
|
|
$DomainController,
|
|
|
|
[ValidateRange(1,10000)]
|
|
[Int]
|
|
$PageSize = 200,
|
|
|
|
[Management.Automation.PSCredential]
|
|
$Credential
|
|
)
|
|
|
|
# keep track of domains seen so we don't hit infinite recursion
|
|
$SeenDomains = @{}
|
|
|
|
# our domain status tracker
|
|
$Domains = New-Object System.Collections.Stack
|
|
|
|
# get the current domain and push it onto the stack
|
|
$CurrentDomain = (Get-NetDomain -Credential $Credential).Name
|
|
$Domains.push($CurrentDomain)
|
|
|
|
while($Domains.Count -ne 0) {
|
|
|
|
$Domain = $Domains.Pop()
|
|
|
|
# if we haven't seen this domain before
|
|
if ($Domain -and ($Domain.Trim() -ne "") -and (-not $SeenDomains.ContainsKey($Domain))) {
|
|
|
|
Write-Verbose "Enumerating trusts for domain '$Domain'"
|
|
|
|
# mark it as seen in our list
|
|
$Null = $SeenDomains.add($Domain, "")
|
|
|
|
try {
|
|
# get all the trusts for this domain
|
|
if($LDAP -or $DomainController) {
|
|
$Trusts = Get-NetDomainTrust -Domain $Domain -LDAP -DomainController $DomainController -PageSize $PageSize -Credential $Credential
|
|
}
|
|
else {
|
|
$Trusts = Get-NetDomainTrust -Domain $Domain -PageSize $PageSize -Credential $Credential
|
|
}
|
|
|
|
if($Trusts -isnot [System.Array]) {
|
|
$Trusts = @($Trusts)
|
|
}
|
|
|
|
# get any forest trusts, if they exist
|
|
if(-not ($LDAP -or $DomainController) ) {
|
|
$Trusts += Get-NetForestTrust -Forest $Domain -Credential $Credential
|
|
}
|
|
|
|
if ($Trusts) {
|
|
if($Trusts -isnot [System.Array]) {
|
|
$Trusts = @($Trusts)
|
|
}
|
|
|
|
# enumerate each trust found
|
|
ForEach ($Trust in $Trusts) {
|
|
if($Trust.SourceName -and $Trust.TargetName) {
|
|
$SourceDomain = $Trust.SourceName
|
|
$TargetDomain = $Trust.TargetName
|
|
$TrustType = $Trust.TrustType
|
|
$TrustDirection = $Trust.TrustDirection
|
|
$ObjectType = $Trust.PSObject.TypeNames | Where-Object {$_ -match 'PowerView'} | Select-Object -First 1
|
|
|
|
# make sure we process the target
|
|
$Null = $Domains.Push($TargetDomain)
|
|
|
|
# build the nicely-parsable custom output object
|
|
$DomainTrust = New-Object PSObject
|
|
$DomainTrust | Add-Member Noteproperty 'SourceDomain' "$SourceDomain"
|
|
$DomainTrust | Add-Member Noteproperty 'SourceSID' $Trust.SourceSID
|
|
$DomainTrust | Add-Member Noteproperty 'TargetDomain' "$TargetDomain"
|
|
$DomainTrust | Add-Member Noteproperty 'TargetSID' $Trust.TargetSID
|
|
$DomainTrust | Add-Member Noteproperty 'TrustType' "$TrustType"
|
|
$DomainTrust | Add-Member Noteproperty 'TrustDirection' "$TrustDirection"
|
|
$DomainTrust.PSObject.TypeNames.Add($ObjectType)
|
|
$DomainTrust
|
|
}
|
|
}
|
|
}
|
|
}
|
|
catch {
|
|
Write-Verbose "[!] Error: $_"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
########################################################
|
|
#
|
|
# BloodHound specific fuctions.
|
|
#
|
|
########################################################
|
|
|
|
function New-ThreadedFunction {
|
|
# Helper used by any threaded host enumeration functions
|
|
[CmdletBinding()]
|
|
Param(
|
|
[Parameter(Position = 0, Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
|
|
[String[]]
|
|
$ComputerName,
|
|
|
|
[Parameter(Position = 1, Mandatory = $True)]
|
|
[System.Management.Automation.ScriptBlock]
|
|
$ScriptBlock,
|
|
|
|
[Parameter(Position = 2)]
|
|
[Hashtable]
|
|
$ScriptParameters,
|
|
|
|
[Int]
|
|
[ValidateRange(1, 100)]
|
|
$Threads = 20,
|
|
|
|
[Switch]
|
|
$NoImports
|
|
)
|
|
|
|
BEGIN {
|
|
# Adapted from:
|
|
# http://powershell.org/wp/forums/topic/invpke-parallel-need-help-to-clone-the-current-runspace/
|
|
$SessionState = [System.Management.Automation.Runspaces.InitialSessionState]::CreateDefault()
|
|
$SessionState.ApartmentState = [System.Threading.Thread]::CurrentThread.GetApartmentState()
|
|
|
|
# import the current session state's variables and functions so the chained PowerView
|
|
# functionality can be used by the threaded blocks
|
|
if (-not $NoImports) {
|
|
# grab all the current variables for this runspace
|
|
$MyVars = Get-Variable -Scope 2
|
|
|
|
# these Variables are added by Runspace.Open() Method and produce Stop errors if you add them twice
|
|
$VorbiddenVars = @('?','args','ConsoleFileName','Error','ExecutionContext','false','HOME','Host','input','InputObject','MaximumAliasCount','MaximumDriveCount','MaximumErrorCount','MaximumFunctionCount','MaximumHistoryCount','MaximumVariableCount','MyInvocation','null','PID','PSBoundParameters','PSCommandPath','PSCulture','PSDefaultParameterValues','PSHOME','PSScriptRoot','PSUICulture','PSVersionTable','PWD','ShellId','SynchronizedHash','true')
|
|
|
|
# add Variables from Parent Scope (current runspace) into the InitialSessionState
|
|
ForEach ($Var in $MyVars) {
|
|
if ($VorbiddenVars -NotContains $Var.Name) {
|
|
$SessionState.Variables.Add((New-Object -TypeName System.Management.Automation.Runspaces.SessionStateVariableEntry -ArgumentList $Var.name,$Var.Value,$Var.description,$Var.options,$Var.attributes))
|
|
}
|
|
}
|
|
|
|
# add Functions from current runspace to the InitialSessionState
|
|
ForEach ($Function in (Get-ChildItem Function:)) {
|
|
$SessionState.Commands.Add((New-Object -TypeName System.Management.Automation.Runspaces.SessionStateFunctionEntry -ArgumentList $Function.Name, $Function.Definition))
|
|
}
|
|
}
|
|
|
|
# threading adapted from
|
|
# https://github.com/darkoperator/Posh-SecMod/blob/master/Discovery/Discovery.psm1#L407
|
|
# Thanks Carlos!
|
|
|
|
# create a pool of maxThread runspaces
|
|
$Pool = [RunspaceFactory]::CreateRunspacePool(1, $Threads, $SessionState, $Host)
|
|
$Pool.Open()
|
|
|
|
# do some trickery to get the proper BeginInvoke() method that allows for an output queue
|
|
$Method = $Null
|
|
ForEach ($M in [PowerShell].GetMethods() | Where-Object { $_.Name -eq 'BeginInvoke' }) {
|
|
$MethodParameters = $M.GetParameters()
|
|
if (($MethodParameters.Count -eq 2) -and $MethodParameters[0].Name -eq 'input' -and $MethodParameters[1].Name -eq 'output') {
|
|
$Method = $M.MakeGenericMethod([Object], [Object])
|
|
break
|
|
}
|
|
}
|
|
|
|
$Jobs = @()
|
|
$ComputerName = $ComputerName | Where-Object { $_ -and ($_ -ne '') }
|
|
Write-Verbose "[New-ThreadedFunction] Total number of hosts: $($ComputerName.count)"
|
|
|
|
# partition all hosts from -ComputerName into $Threads number of groups
|
|
if ($Threads -ge $ComputerName.Length) {
|
|
$Threads = $ComputerName.Length
|
|
}
|
|
$ElementSplitSize = [Int]($ComputerName.Length/$Threads)
|
|
$ComputerNamePartitioned = @()
|
|
$Start = 0
|
|
$End = $ElementSplitSize
|
|
|
|
for($i = 1; $i -le $Threads; $i++) {
|
|
$List = New-Object System.Collections.ArrayList
|
|
if ($i -eq $Threads) {
|
|
$End = $ComputerName.Length
|
|
}
|
|
$List.AddRange($ComputerName[$Start..($End-1)])
|
|
$Start += $ElementSplitSize
|
|
$End += $ElementSplitSize
|
|
$ComputerNamePartitioned += @(,@($List.ToArray()))
|
|
}
|
|
|
|
Write-Verbose "[New-ThreadedFunction] Total number of threads/partitions: $Threads"
|
|
|
|
ForEach ($ComputerNamePartition in $ComputerNamePartitioned) {
|
|
# create a "powershell pipeline runner"
|
|
$PowerShell = [PowerShell]::Create()
|
|
$PowerShell.runspacepool = $Pool
|
|
|
|
# add the script block + arguments with the given computer partition
|
|
$Null = $PowerShell.AddScript($ScriptBlock).AddParameter('ComputerName', $ComputerNamePartition)
|
|
if ($ScriptParameters) {
|
|
ForEach ($Param in $ScriptParameters.GetEnumerator()) {
|
|
$Null = $PowerShell.AddParameter($Param.Name, $Param.Value)
|
|
}
|
|
}
|
|
|
|
# create the output queue
|
|
$Output = New-Object Management.Automation.PSDataCollection[Object]
|
|
|
|
# kick off execution using the BeginInvok() method that allows queues
|
|
$Jobs += @{
|
|
PS = $PowerShell
|
|
Output = $Output
|
|
Result = $Method.Invoke($PowerShell, @($Null, [Management.Automation.PSDataCollection[Object]]$Output))
|
|
}
|
|
}
|
|
}
|
|
|
|
END {
|
|
Write-Verbose "[New-ThreadedFunction] Threads executing"
|
|
|
|
# continuously loop through each job queue, consuming output as appropriate
|
|
Do {
|
|
ForEach ($Job in $Jobs) {
|
|
$Job.Output.ReadAll()
|
|
}
|
|
Start-Sleep -Seconds 1
|
|
}
|
|
While (($Jobs | Where-Object { -not $_.Result.IsCompleted }).Count -gt 0)
|
|
Write-Verbose "[New-ThreadedFunction] Waiting 120 seconds for final cleanup..."
|
|
Start-Sleep -Seconds 120
|
|
|
|
# cleanup- make sure we didn't miss anything
|
|
ForEach ($Job in $Jobs) {
|
|
$Job.Output.ReadAll()
|
|
$Job.PS.Dispose()
|
|
}
|
|
|
|
$Pool.Dispose()
|
|
Write-Verbose "[New-ThreadedFunction] all threads completed"
|
|
}
|
|
}
|
|
|
|
|
|
function Get-GlobalCatalogUserMapping {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
Returns a hashtable for all users in the global catalog, format of {username->domain}.
|
|
This is used for user session deconfliction in the Export-BloodHound* functions for
|
|
when a user session doesn't have a login domain.
|
|
|
|
.PARAMETER GlobalCatalog
|
|
|
|
The global catalog location to resole user memberships from, form of GC://global.catalog.
|
|
#>
|
|
[CmdletBinding()]
|
|
param(
|
|
[ValidatePattern('^GC://')]
|
|
[String]
|
|
$GlobalCatalog
|
|
)
|
|
|
|
if(-not $PSBoundParameters['GlobalCatalog']) {
|
|
$GCPath = ([ADSI]'LDAP://RootDSE').dnshostname
|
|
$ADSPath = "GC://$GCPath"
|
|
Write-Verbose "Enumerated global catalog location: $ADSPath"
|
|
}
|
|
else {
|
|
$ADSpath = $GlobalCatalog
|
|
}
|
|
|
|
$UserDomainMappings = @{}
|
|
|
|
$UserSearcher = Get-DomainSearcher -ADSpath $ADSpath
|
|
$UserSearcher.filter = '(samAccountType=805306368)'
|
|
$UserSearcher.PropertiesToLoad.AddRange(('samaccountname','distinguishedname', 'cn', 'objectsid'))
|
|
|
|
ForEach($User in $UserSearcher.FindAll()) {
|
|
$UserName = $User.Properties['samaccountname'][0].ToUpper()
|
|
$UserDN = $User.Properties['distinguishedname'][0]
|
|
|
|
if($UserDN -and ($UserDN -ne '')) {
|
|
if (($UserDN -match 'ForeignSecurityPrincipals') -and ($UserDN -match 'S-1-5-21')) {
|
|
try {
|
|
if(-not $MemberSID) {
|
|
$MemberSID = $User.Properties['cn'][0]
|
|
}
|
|
$UserSid = (New-Object System.Security.Principal.SecurityIdentifier($User.Properties['objectsid'][0],0)).Value
|
|
$MemberSimpleName = Convert-SidToName -SID $UserSid | Convert-ADName -InputType 'NT4' -OutputType 'Canonical'
|
|
if($MemberSimpleName) {
|
|
$UserDomain = $MemberSimpleName.Split('/')[0]
|
|
}
|
|
else {
|
|
Write-Verbose "Error converting $UserDN"
|
|
$UserDomain = $Null
|
|
}
|
|
}
|
|
catch {
|
|
Write-Verbose "Error converting $UserDN"
|
|
$UserDomain = $Null
|
|
}
|
|
}
|
|
else {
|
|
# extract the FQDN from the Distinguished Name
|
|
$UserDomain = ($UserDN.subString($UserDN.IndexOf('DC=')) -replace 'DC=','' -replace ',','.').ToUpper()
|
|
}
|
|
if($UserDomain) {
|
|
if(-not $UserDomainMappings[$UserName]) {
|
|
$UserDomainMappings[$UserName] = @($UserDomain)
|
|
}
|
|
elseif($UserDomainMappings[$UserName] -notcontains $UserDomain) {
|
|
$UserDomainMappings[$UserName] += $UserDomain
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
$UserSearcher.dispose()
|
|
$UserDomainMappings
|
|
}
|
|
|
|
|
|
function Invoke-BloodHound {
|
|
<#
|
|
.SYNOPSIS
|
|
|
|
This function automates the collection of the data needed for BloodHound.
|
|
|
|
Author: @harmj0y
|
|
License: BSD 3-Clause
|
|
Required Dependencies: None
|
|
Optional Dependencies: None
|
|
|
|
.DESCRIPTION
|
|
|
|
This function collects the information needed to populate the BloodHound graph
|
|
database. It offers a varity of targeting and collection options.
|
|
By default, it will map all domain trusts, enumerate all groups and associated memberships,
|
|
enumerate all computers on the domain and execute session/loggedon/local admin enumeration
|
|
queries against each. Targeting options are modifiable with -CollectionMethod. The
|
|
-SearchForest searches all domains in the forest instead of just the current domain.
|
|
By default, the data is output to CSVs in the current folder location (old Export-BloodHoundCSV functionality).
|
|
To modify this, use -CSVFolder. To export to a neo4j RESTful API interface, specify a
|
|
-URI X and -UserPass "...".
|
|
|
|
.PARAMETER ComputerName
|
|
|
|
Array of one or more computers to enumerate.
|
|
|
|
.PARAMETER ComputerADSpath
|
|
|
|
The LDAP source to search through for computers, e.g. "LDAP://OU=secret,DC=testlab,DC=local".
|
|
|
|
.PARAMETER UserADSpath
|
|
|
|
The LDAP source to search through for users/groups, e.g. "LDAP://OU=secret,DC=testlab,DC=local".
|
|
|
|
.PARAMETER Domain
|
|
|
|
Domain to query for machines, defaults to the current domain.
|
|
|
|
.PARAMETER DomainController
|
|
|
|
Domain controller to bind to for queries.
|
|
|
|
.PARAMETER CollectionMethod
|
|
|
|
The method to collect data. 'Group', 'ComputerOnly', 'LocalGroup', 'GPOLocalGroup', 'Session', 'LoggedOn', 'Trusts, 'Stealth', or 'Default'.
|
|
'Stealth' uses 'Group' collection, stealth user hunting ('Session' on certain servers), 'GPOLocalGroup' enumeration, and trust enumeration.
|
|
'Default' uses 'Group' collection, regular user hunting with 'Session'/'LoggedOn', 'LocalGroup' enumeration, and 'Trusts' enumeration.
|
|
'ComputerOnly' only enumerates computers, not groups/trusts, and executes local admin/session/loggedon on each.
|
|
|
|
.PARAMETER SearchForest
|
|
|
|
Switch. Search all domains in the forest for target users instead of just
|
|
a single domain.
|
|
|
|
.PARAMETER CSVFolder
|
|
|
|
The CSV folder to use for output, defaults to the current folder location.
|
|
|
|
.PARAMETER CSVPrefix
|
|
|
|
A prefix for all CSV files.
|
|
|
|
.PARAMETER URI
|
|
|
|
The BloodHound neo4j URL location (http://host:port/).
|
|
|
|
.PARAMETER UserPass
|
|
|
|
The "user:password" for the BloodHound neo4j instance
|
|
|
|
.PARAMETER GlobalCatalog
|
|
|
|
The global catalog location to resolve user memberships from, form of GC://global.catalog.
|
|
|
|
.PARAMETER SkipGCDeconfliction
|
|
|
|
Switch. Skip global catalog enumeration for session deconfliction.
|
|
|
|
.PARAMETER Threads
|
|
|
|
The maximum concurrent threads to execute, default of 20.
|
|
|
|
.PARAMETER Throttle
|
|
|
|
The number of cypher queries to queue up for neo4j RESTful API ingestion.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Invoke-BloodHound
|
|
|
|
Executes default collection methods and exports the data to a CSVs in the current directory.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Invoke-BloodHound -URI http://SERVER:7474/ -UserPass "user:pass"
|
|
|
|
Executes default collection options and exports the data to a BloodHound neo4j RESTful API endpoint.
|
|
|
|
.EXAMPLE
|
|
|
|
PS C:\> Invoke-BloodHound -CollectionMethod stealth
|
|
|
|
Executes stealth collection and exports the data to a CSVs in the current directory.
|
|
This includes 'stealth' user hunting and GPO object correlation for local admin membership.
|
|
This is significantly faster but the information is not as complete as the default options.
|
|
|
|
.LINK
|
|
|
|
http://neo4j.com/docs/stable/rest-api-batch-ops.html
|
|
http://stackoverflow.com/questions/19839469/optimizing-high-volume-batch-inserts-into-neo4j-using-rest
|
|
#>
|
|
|
|
[CmdletBinding(DefaultParameterSetName = 'CSVExport')]
|
|
param(
|
|
[Parameter(ValueFromPipeline=$True)]
|
|
[Alias('HostName')]
|
|
[String[]]
|
|
[ValidateNotNullOrEmpty()]
|
|
$ComputerName,
|
|
|
|
[String]
|
|
$ComputerADSpath,
|
|
|
|
[String]
|
|
$UserADSpath,
|
|
|
|
[String]
|
|
$Domain,
|
|
|
|
[String]
|
|
$DomainController,
|
|
|
|
[String]
|
|
[ValidateSet('Group', 'ACLs', 'ComputerOnly', 'LocalGroup', 'GPOLocalGroup', 'Session', 'LoggedOn', 'Stealth', 'Trusts', 'Default')]
|
|
$CollectionMethod = 'Default',
|
|
|
|
[Switch]
|
|
$SearchForest,
|
|
|
|
[Parameter(ParameterSetName = 'CSVExport')]
|
|
[ValidateScript({ Test-Path -Path $_ })]
|
|
[String]
|
|
$CSVFolder = $(Get-Location),
|
|
|
|
[Parameter(ParameterSetName = 'CSVExport')]
|
|
[ValidateNotNullOrEmpty()]
|
|
[String]
|
|
$CSVPrefix,
|
|
|
|
[Parameter(ParameterSetName = 'RESTAPI', Mandatory = $True)]
|
|
[URI]
|
|
$URI,
|
|
|
|
[Parameter(ParameterSetName = 'RESTAPI', Mandatory = $True)]
|
|
[String]
|
|
[ValidatePattern('.*:.*')]
|
|
$UserPass,
|
|
|
|
[ValidatePattern('^GC://')]
|
|
[String]
|
|
$GlobalCatalog,
|
|
|
|
[Switch]
|
|
$SkipGCDeconfliction,
|
|
|
|
[ValidateRange(1,50)]
|
|
[Int]
|
|
$Threads = 20,
|
|
|
|
[ValidateRange(1,5000)]
|
|
[Int]
|
|
$Throttle = 1000
|
|
)
|
|
|
|
BEGIN {
|
|
|
|
Switch ($CollectionMethod) {
|
|
'Group' { $UseGroup = $True; $SkipComputerEnumeration = $True; $SkipGCDeconfliction2 = $True }
|
|
'ACLs' { $UseGroup = $False; $SkipComputerEnumeration = $True; $SkipGCDeconfliction2 = $True; $UseACLs = $True }
|
|
'ComputerOnly' { $UseGroup = $False; $UseLocalGroup = $True; $UseSession = $True; $UseLoggedOn = $True; $SkipGCDeconfliction2 = $False }
|
|
'LocalGroup' { $UseLocalGroup = $True; $SkipGCDeconfliction2 = $True }
|
|
'GPOLocalGroup' { $UseGPOGroup = $True; $SkipComputerEnumeration = $True; $SkipGCDeconfliction2 = $True }
|
|
'Session' { $UseSession = $True; $SkipGCDeconfliction2 = $False }
|
|
'LoggedOn' { $UseLoggedOn = $True; $SkipGCDeconfliction2 = $True }
|
|
'Trusts' { $UseDomainTrusts = $True; $SkipComputerEnumeration = $True; $SkipGCDeconfliction2 = $True }
|
|
'Stealth' {
|
|
$UseGroup = $True
|
|
$UseGPOGroup = $True
|
|
$UseSession = $True
|
|
$UseDomainTrusts = $True
|
|
$SkipGCDeconfliction2 = $False
|
|
}
|
|
'Default' {
|
|
$UseGroup = $True
|
|
$UseLocalGroup = $True
|
|
$UseSession = $True
|
|
$UseLoggedOn = $False
|
|
$UseDomainTrusts = $True
|
|
$SkipGCDeconfliction2 = $False
|
|
}
|
|
}
|
|
|
|
if($SkipGCDeconfliction) {
|
|
$SkipGCDeconfliction2 = $True
|
|
}
|
|
|
|
$GCPath = ([ADSI]'LDAP://RootDSE').dnshostname
|
|
$GCADSPath = "GC://$GCPath"
|
|
|
|
# the ActiveDirectoryRights regex we're using for output
|
|
# https://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectoryrights(v=vs.110).aspx
|
|
# $ACLRightsRegex = [regex] 'GenericAll|GenericWrite|WriteProperty|WriteOwner|WriteDacl|ExtendedRight'
|
|
$ACLGeneralRightsRegex = [regex] 'GenericAll|GenericWrite|WriteOwner|WriteDacl'
|
|
|
|
if ($PSCmdlet.ParameterSetName -eq 'CSVExport') {
|
|
try {
|
|
$OutputFolder = $CSVFolder | Resolve-Path -ErrorAction Stop | Select-Object -ExpandProperty Path
|
|
}
|
|
catch {
|
|
throw "Error: $_"
|
|
}
|
|
|
|
if($CSVPrefix) {
|
|
$CSVExportPrefix = "$($CSVPrefix)_"
|
|
}
|
|
else {
|
|
$CSVExportPrefix = ''
|
|
}
|
|
|
|
Write-Output "Writing output to CSVs in: $OutputFolder\$CSVExportPrefix"
|
|
|
|
if($UseSession -or $UseLoggedon) {
|
|
$SessionPath = "$OutputFolder\$($CSVExportPrefix)user_sessions.csv"
|
|
$Exists = [System.IO.File]::Exists($SessionPath)
|
|
$SessionFileStream = New-Object IO.FileStream($SessionPath, [System.IO.FileMode]::Append, [System.IO.FileAccess]::Write, [IO.FileShare]::Read)
|
|
$SessionWriter = New-Object System.IO.StreamWriter($SessionFileStream)
|
|
$SessionWriter.AutoFlush = $True
|
|
if (-not $Exists) {
|
|
# add the header if the file doesn't already exist
|
|
$SessionWriter.WriteLine('"ComputerName","UserName","Weight"')
|
|
}
|
|
}
|
|
|
|
if($UseGroup) {
|
|
$GroupPath = "$OutputFolder\$($CSVExportPrefix)group_memberships.csv"
|
|
$Exists = [System.IO.File]::Exists($GroupPath)
|
|
$GroupFileStream = New-Object IO.FileStream($GroupPath, [System.IO.FileMode]::Append, [System.IO.FileAccess]::Write, [IO.FileShare]::Read)
|
|
$GroupWriter = New-Object System.IO.StreamWriter($GroupFileStream)
|
|
$GroupWriter.AutoFlush = $True
|
|
if (-not $Exists) {
|
|
# add the header if the file doesn't already exist
|
|
$GroupWriter.WriteLine('"GroupName","AccountName","AccountType"')
|
|
}
|
|
}
|
|
|
|
if($UseACLs) {
|
|
$ACLPath = "$OutputFolder\$($CSVExportPrefix)acls.csv"
|
|
$Exists = [System.IO.File]::Exists($ACLPath)
|
|
$ACLFileStream = New-Object IO.FileStream($ACLPath, [System.IO.FileMode]::Append, [System.IO.FileAccess]::Write, [IO.FileShare]::Read)
|
|
$ACLWriter = New-Object System.IO.StreamWriter($ACLFileStream)
|
|
$ACLWriter.AutoFlush = $True
|
|
if (-not $Exists) {
|
|
# add the header if the file doesn't already exist
|
|
$ACLWriter.WriteLine('"ObjectName","ObjectType","PrincipalName","PrincipalType","ActiveDirectoryRights","ACEType","AccessControlType","IsInherited"')
|
|
}
|
|
}
|
|
|
|
if($UseLocalGroup -or $UseGPOGroup) {
|
|
$LocalAdminPath = "$OutputFolder\$($CSVExportPrefix)local_admins.csv"
|
|
$Exists = [System.IO.File]::Exists($LocalAdminPath)
|
|
$LocalAdminFileStream = New-Object IO.FileStream($LocalAdminPath, [System.IO.FileMode]::Append, [System.IO.FileAccess]::Write, [IO.FileShare]::Read)
|
|
$LocalAdminWriter = New-Object System.IO.StreamWriter($LocalAdminFileStream)
|
|
$LocalAdminWriter.AutoFlush = $True
|
|
if (-not $Exists) {
|
|
# add the header if the file doesn't already exist
|
|
$LocalAdminWriter.WriteLine('"ComputerName","AccountName","AccountType"')
|
|
}
|
|
}
|
|
|
|
if($UseDomainTrusts) {
|
|
$TrustsPath = "$OutputFolder\$($CSVExportPrefix)trusts.csv"
|
|
$Exists = [System.IO.File]::Exists($TrustsPath)
|
|
$TrustsFileStream = New-Object IO.FileStream($TrustsPath, [System.IO.FileMode]::Append, [System.IO.FileAccess]::Write, [IO.FileShare]::Read)
|
|
$TrustWriter = New-Object System.IO.StreamWriter($TrustsFileStream)
|
|
$TrustWriter.AutoFlush = $True
|
|
if (-not $Exists) {
|
|
# add the header if the file doesn't already exist
|
|
$TrustWriter.WriteLine('"SourceDomain","TargetDomain","TrustDirection","TrustType","Transitive"')
|
|
}
|
|
}
|
|
}
|
|
|
|
else {
|
|
# otherwise we're doing ingestion straight to the neo4j RESTful API interface
|
|
$WebClient = New-Object System.Net.WebClient
|
|
|
|
$Base64UserPass = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($UserPass))
|
|
|
|
# add the auth headers
|
|
$WebClient.Headers.Add('Accept','application/json; charset=UTF-8')
|
|
$WebClient.Headers.Add('Authorization',"Basic $Base64UserPass")
|
|
|
|
# check auth to the BloodHound neo4j server
|
|
try {
|
|
$Null = $WebClient.DownloadString($URI.AbsoluteUri + 'user/neo4j')
|
|
Write-Verbose "Connection established with neo4j ingestion interface at $($URI.AbsoluteUri)"
|
|
$Authorized = $True
|
|
}
|
|
catch {
|
|
$Authorized = $False
|
|
throw "Error connecting to Neo4j rest REST server at '$($URI.AbsoluteUri)'"
|
|
}
|
|
|
|
Write-Output "Sending output to neo4j RESTful API interface at: $($URI.AbsoluteUri)"
|
|
|
|
$Null = [Reflection.Assembly]::LoadWithPartialName("System.Web.Extensions")
|
|
|
|
# from http://stackoverflow.com/questions/28077854/powershell-2-0-convertfrom-json-and-convertto-json-implementation
|
|
function ConvertTo-Json20([object] $Item){
|
|
$ps_js = New-Object System.Web.Script.Serialization.javascriptSerializer
|
|
return $ps_js.Serialize($item)
|
|
}
|
|
|
|
$Authorized = $True
|
|
$Statements = New-Object System.Collections.ArrayList
|
|
|
|
# add in the necessary constraints on nodes
|
|
$Null = $Statements.Add( @{ "statement"="CREATE CONSTRAINT ON (c:User) ASSERT c.UserName IS UNIQUE" } )
|
|
$Null = $Statements.Add( @{ "statement"="CREATE CONSTRAINT ON (c:Computer) ASSERT c.ComputerName IS UNIQUE"} )
|
|
$Null = $Statements.Add( @{ "statement"="CREATE CONSTRAINT ON (c:Group) ASSERT c.GroupName IS UNIQUE" } )
|
|
$Json = @{ "statements"=[System.Collections.Hashtable[]]$Statements }
|
|
$JsonRequest = ConvertTo-Json20 $Json
|
|
$Null = $WebClient.UploadString($URI.AbsoluteUri + "db/data/transaction/commit", $JsonRequest)
|
|
$Statements.Clear()
|
|
}
|
|
|
|
$UserDomainMappings = @{}
|
|
if(-not $SkipGCDeconfliction2) {
|
|
# if we're doing session enumeration, create a {user : @(domain,..)} from a global catalog
|
|
# in order to do user domain deconfliction for sessions
|
|
if($PSBoundParameters['GlobalCatalog']) {
|
|
$UserDomainMappings = Get-GlobalCatalogUserMapping -GlobalCatalog $GlobalCatalog
|
|
}
|
|
else {
|
|
$UserDomainMappings = Get-GlobalCatalogUserMapping
|
|
}
|
|
}
|
|
$DomainShortnameMappings = @{}
|
|
|
|
if($Domain) {
|
|
$TargetDomains = @($Domain)
|
|
}
|
|
elseif($SearchForest) {
|
|
# get ALL the domains in the forest to search
|
|
$TargetDomains = Get-NetForestDomain | Select-Object -ExpandProperty Name
|
|
}
|
|
else {
|
|
# use the local domain
|
|
$TargetDomains = @( (Get-NetDomain).Name )
|
|
}
|
|
|
|
if($UseGroup -and $TargetDomains) {
|
|
$Title = (Get-Culture).TextInfo
|
|
ForEach ($TargetDomain in $TargetDomains) {
|
|
# enumerate all groups and all members of each group
|
|
Write-Verbose "Enumerating group memberships for domain $TargetDomain"
|
|
|
|
# in-line updated hashtable with group DN->SamAccountName mappings
|
|
$GroupDNMappings = @{}
|
|
$PrimaryGroups = @{}
|
|
$DomainSID = Get-DomainSID -Domain $TargetDomain -DomainController $DomainController
|
|
|
|
$ObjectSearcher = Get-DomainSearcher -Domain $TargetDomain -DomainController $DomainController -ADSPath $UserADSpath
|
|
# only return results that have 'memberof' set
|
|
$ObjectSearcher.Filter = '(memberof=*)'
|
|
# only return specific properties in the results
|
|
$Null = $ObjectSearcher.PropertiesToLoad.AddRange(('samaccountname', 'distinguishedname', 'cn', 'dnshostname', 'samaccounttype', 'primarygroupid', 'memberof'))
|
|
$Counter = 0
|
|
$ObjectSearcher.FindAll() | ForEach-Object {
|
|
if($Counter % 1000 -eq 0) {
|
|
Write-Verbose "Group object counter: $Counter"
|
|
if($GroupWriter) {
|
|
$GroupWriter.Flush()
|
|
}
|
|
[GC]::Collect()
|
|
}
|
|
$Properties = $_.Properties
|
|
|
|
$MemberDN = $Null
|
|
$MemberDomain = $Null
|
|
try {
|
|
$MemberDN = $Properties['distinguishedname'][0]
|
|
|
|
if (($MemberDN -match 'ForeignSecurityPrincipals') -and ($MemberDN -match 'S-1-5-21')) {
|
|
try {
|
|
if(-not $MemberSID) {
|
|
$MemberSID = $Properties.cn[0]
|
|
}
|
|
$MemberSimpleName = Convert-SidToName -SID $MemberSID | Convert-ADName -InputType 'NT4' -OutputType 'Canonical'
|
|
if($MemberSimpleName) {
|
|
$MemberDomain = $MemberSimpleName.Split('/')[0]
|
|
}
|
|
else {
|
|
Write-Verbose "Error converting $MemberDN"
|
|
}
|
|
}
|
|
catch {
|
|
Write-Verbose "Error converting $MemberDN"
|
|
}
|
|
}
|
|
else {
|
|
# extract the FQDN from the Distinguished Name
|
|
$MemberDomain = $MemberDN.subString($MemberDN.IndexOf("DC=")) -replace 'DC=','' -replace ',','.'
|
|
}
|
|
}
|
|
catch {}
|
|
|
|
if (@('268435456','268435457','536870912','536870913') -contains $Properties['samaccounttype']) {
|
|
$ObjectType = 'group'
|
|
if($Properties['samaccountname']) {
|
|
$MemberName = $Properties['samaccountname'][0]
|
|
}
|
|
else {
|
|
# external trust users have a SID, so convert it
|
|
try {
|
|
$MemberName = Convert-SidToName $Properties['cn'][0]
|
|
}
|
|
catch {
|
|
# if there's a problem contacting the domain to resolve the SID
|
|
$MemberName = $Properties['cn'][0]
|
|
}
|
|
}
|
|
if ($MemberName -Match "\\") {
|
|
# if the membername itself contains a backslash, get the trailing section
|
|
# TODO: later preserve this once BloodHound can properly display these characters
|
|
$AccountName = $MemberName.split('\')[1] + '@' + $MemberDomain
|
|
}
|
|
else {
|
|
$AccountName = "$MemberName@$MemberDomain"
|
|
}
|
|
}
|
|
elseif (@('805306369') -contains $Properties['samaccounttype']) {
|
|
$ObjectType = 'computer'
|
|
if ($Properties['dnshostname']) {
|
|
$AccountName = $Properties['dnshostname'][0]
|
|
}
|
|
}
|
|
elseif (@('805306368') -contains $Properties['samaccounttype']) {
|
|
$ObjectType = 'user'
|
|
if($Properties['samaccountname']) {
|
|
$MemberName = $Properties['samaccountname'][0]
|
|
}
|
|
else {
|
|
# external trust users have a SID, so convert it
|
|
try {
|
|
$MemberName = Convert-SidToName $Properties['cn'][0]
|
|
}
|
|
catch {
|
|
# if there's a problem contacting the domain to resolve the SID
|
|
$MemberName = $Properties['cn'][0]
|
|
}
|
|
}
|
|
if ($MemberName -Match "\\") {
|
|
# if the membername itself contains a backslash, get the trailing section
|
|
# TODO: later preserve this once BloodHound can properly display these characters
|
|
$AccountName = $MemberName.split('\')[1] + '@' + $MemberDomain
|
|
}
|
|
else {
|
|
$AccountName = "$MemberName@$MemberDomain"
|
|
}
|
|
}
|
|
else {
|
|
Write-Verbose "Unknown account type for object $($Properties['distinguishedname']) : $($Properties['samaccounttype'])"
|
|
}
|
|
|
|
if($AccountName -and (-not $AccountName.StartsWith('@'))) {
|
|
|
|
# Write-Verbose "AccountName: $AccountName"
|
|
$MemberPrimaryGroupName = $Null
|
|
try {
|
|
if($AccountName -match $TargetDomain) {
|
|
# also retrieve the primary group name for this object, if it exists
|
|
if($Properties['primarygroupid'] -and $Properties['primarygroupid'][0] -and ($Properties['primarygroupid'][0] -ne '')) {
|
|
$PrimaryGroupSID = "$DomainSID-$($Properties['primarygroupid'][0])"
|
|
# Write-Verbose "PrimaryGroupSID: $PrimaryGroupSID"
|
|
if($PrimaryGroups[$PrimaryGroupSID]) {
|
|
$PrimaryGroupName = $PrimaryGroups[$PrimaryGroupSID]
|
|
}
|
|
else {
|
|
$RawName = Convert-SidToName -SID $PrimaryGroupSID
|
|
if ($RawName -notmatch '^S-1-.*') {
|
|
$PrimaryGroupName = $RawName.split('\')[-1]
|
|
$PrimaryGroups[$PrimaryGroupSID] = $PrimaryGroupName
|
|
}
|
|
}
|
|
if ($PrimaryGroupName) {
|
|
$MemberPrimaryGroupName = "$PrimaryGroupName@$TargetDomain"
|
|
}
|
|
}
|
|
else { }
|
|
}
|
|
}
|
|
catch { }
|
|
|
|
if($MemberPrimaryGroupName) {
|
|
# Write-Verbose "MemberPrimaryGroupName: $MemberPrimaryGroupName"
|
|
if ($PSCmdlet.ParameterSetName -eq 'CSVExport') {
|
|
$GroupWriter.WriteLine("`"$MemberPrimaryGroupName`",`"$AccountName`",`"$ObjectType`"")
|
|
}
|
|
else {
|
|
$ObjectTypeCap = $Title.ToTitleCase($ObjectType)
|
|
$Null = $Statements.Add( @{ "statement"="MERGE ($($ObjectType)1:$ObjectTypeCap { name: UPPER('$AccountName') }) MERGE (group2:Group { name: UPPER('$MemberPrimaryGroupName') }) MERGE ($($ObjectType)1)-[:MemberOf]->(group2)" } )
|
|
}
|
|
}
|
|
|
|
# iterate through each membership for this object
|
|
ForEach($GroupDN in $_.properties['memberof']) {
|
|
$GroupDomain = $GroupDN.subString($GroupDN.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
|
|
|
|
if($GroupDNMappings[$GroupDN]) {
|
|
$GroupName = $GroupDNMappings[$GroupDN]
|
|
}
|
|
else {
|
|
$GroupName = Convert-ADName -ObjectName $GroupDN
|
|
if($GroupName) {
|
|
$GroupName = $GroupName.Split('\')[-1]
|
|
}
|
|
else {
|
|
$GroupName = $GroupDN.SubString(0, $GroupDN.IndexOf(',')).Split('=')[-1]
|
|
}
|
|
$GroupDNMappings[$GroupDN] = $GroupName
|
|
}
|
|
|
|
if ($PSCmdlet.ParameterSetName -eq 'CSVExport') {
|
|
$GroupWriter.WriteLine("`"$GroupName@$GroupDomain`",`"$AccountName`",`"$ObjectType`"")
|
|
}
|
|
else {
|
|
# otherwise we're exporting to the neo4j RESTful API
|
|
$ObjectTypeCap = $Title.ToTitleCase($ObjectType)
|
|
|
|
$Null = $Statements.Add( @{ "statement"="MERGE ($($ObjectType)1:$ObjectTypeCap { name: UPPER('$AccountName') }) MERGE (group2:Group { name: UPPER('$GroupName@$GroupDomain') }) MERGE ($($ObjectType)1)-[:MemberOf]->(group2)" } )
|
|
|
|
if ($Statements.Count -ge $Throttle) {
|
|
$Json = @{ "statements"=[System.Collections.Hashtable[]]$Statements }
|
|
$JsonRequest = ConvertTo-Json20 $Json
|
|
$Null = $WebClient.UploadString($URI.AbsoluteUri + "db/data/transaction/commit", $JsonRequest)
|
|
$Statements.Clear()
|
|
}
|
|
}
|
|
}
|
|
$Counter += 1
|
|
}
|
|
}
|
|
$ObjectSearcher.Dispose()
|
|
|
|
if ($PSCmdlet.ParameterSetName -eq 'RESTAPI') {
|
|
$Json = @{ "statements"=[System.Collections.Hashtable[]]$Statements }
|
|
$JsonRequest = ConvertTo-Json20 $Json
|
|
$Null = $WebClient.UploadString($URI.AbsoluteUri + "db/data/transaction/commit", $JsonRequest)
|
|
$Statements.Clear()
|
|
}
|
|
Write-Verbose "Done with group enumeration for domain $TargetDomain"
|
|
}
|
|
[GC]::Collect()
|
|
}
|
|
|
|
if($UseACLs -and $TargetDomains) {
|
|
|
|
# $PrincipalMapping format -> @{ PrincipalSID : @(PrincipalSimpleName, PrincipalObjectClass) }
|
|
$PrincipalMapping = @{}
|
|
$Counter = 0
|
|
|
|
# #CommonSidMapping[SID] = @(name, objectClass)
|
|
$CommonSidMapping = @{
|
|
'S-1-0' = @('Null Authority', 'USER')
|
|
'S-1-0-0' = @('Nobody', 'USER')
|
|
'S-1-1' = @('World Authority', 'USER')
|
|
'S-1-1-0' = @('Everyone', 'GROUP')
|
|
'S-1-2' = @('Local Authority', 'USER')
|
|
'S-1-2-0' = @('Local', 'GROUP')
|
|
'S-1-2-1' = @('Console Logon', 'GROUP')
|
|
'S-1-3' = @('Creator Authority', 'USER')
|
|
'S-1-3-0' = @('Creator Owner', 'USER')
|
|
'S-1-3-1' = @('Creator Group', 'GROUP')
|
|
'S-1-3-2' = @('Creator Owner Server', 'COMPUTER')
|
|
'S-1-3-3' = @('Creator Group Server', 'COMPUTER')
|
|
'S-1-3-4' = @('Owner Rights', 'GROUP')
|
|
'S-1-4' = @('Non-unique Authority', 'USER')
|
|
'S-1-5' = @('NT Authority', 'USER')
|
|
'S-1-5-1' = @('Dialup', 'GROUP')
|
|
'S-1-5-2' = @('Network', 'GROUP')
|
|
'S-1-5-3' = @('Batch', 'GROUP')
|
|
'S-1-5-4' = @('Interactive', 'GROUP')
|
|
'S-1-5-6' = @('Service', 'GROUP')
|
|
'S-1-5-7' = @('Anonymous', 'GROUP')
|
|
'S-1-5-8' = @('Proxy', 'GROUP')
|
|
'S-1-5-9' = @('Enterprise Domain Controllers', 'GROUP')
|
|
'S-1-5-10' = @('Principal Self', 'USER')
|
|
'S-1-5-11' = @('Authenticated Users', 'GROUP')
|
|
'S-1-5-12' = @('Restricted Code', 'GROUP')
|
|
'S-1-5-13' = @('Terminal Server Users', 'GROUP')
|
|
'S-1-5-14' = @('Remote Interactive Logon', 'GROUP')
|
|
'S-1-5-15' = @('This Organization ', 'GROUP')
|
|
'S-1-5-17' = @('This Organization ', 'GROUP')
|
|
'S-1-5-18' = @('Local System', 'USER')
|
|
'S-1-5-19' = @('NT Authority', 'USER')
|
|
'S-1-5-20' = @('NT Authority', 'USER')
|
|
'S-1-5-80-0' = @('All Services ', 'GROUP')
|
|
'S-1-5-32-544' = @('Administrators', 'GROUP')
|
|
'S-1-5-32-545' = @('Users', 'GROUP')
|
|
'S-1-5-32-546' = @('Guests', 'GROUP')
|
|
'S-1-5-32-547' = @('Power Users', 'GROUP')
|
|
'S-1-5-32-548' = @('Account Operators', 'GROUP')
|
|
'S-1-5-32-549' = @('Server Operators', 'GROUP')
|
|
'S-1-5-32-550' = @('Print Operators', 'GROUP')
|
|
'S-1-5-32-551' = @('Backup Operators', 'GROUP')
|
|
'S-1-5-32-552' = @('Replicators', 'GROUP')
|
|
'S-1-5-32-554' = @('Pre-Windows 2000 Compatible Access', 'GROUP')
|
|
'S-1-5-32-555' = @('Remote Desktop Users', 'GROUP')
|
|
'S-1-5-32-556' = @('Network Configuration Operators', 'GROUP')
|
|
'S-1-5-32-557' = @('Incoming Forest Trust Builders', 'GROUP')
|
|
'S-1-5-32-558' = @('Performance Monitor Users', 'GROUP')
|
|
'S-1-5-32-559' = @('Performance Log Users', 'GROUP')
|
|
'S-1-5-32-560' = @('Windows Authorization Access Group', 'GROUP')
|
|
'S-1-5-32-561' = @('Terminal Server License Servers', 'GROUP')
|
|
'S-1-5-32-562' = @('Distributed COM Users', 'GROUP')
|
|
'S-1-5-32-569' = @('Cryptographic Operators', 'GROUP')
|
|
'S-1-5-32-573' = @('Event Log Readers', 'GROUP')
|
|
'S-1-5-32-574' = @('Certificate Service DCOM Access', 'GROUP')
|
|
'S-1-5-32-575' = @('RDS Remote Access Servers', 'GROUP')
|
|
'S-1-5-32-576' = @('RDS Endpoint Servers', 'GROUP')
|
|
'S-1-5-32-577' = @('RDS Management Servers', 'GROUP')
|
|
'S-1-5-32-578' = @('Hyper-V Administrators', 'GROUP')
|
|
'S-1-5-32-579' = @('Access Control Assistance Operators', 'GROUP')
|
|
'S-1-5-32-580' = @('Access Control Assistance Operators', 'GROUP')
|
|
}
|
|
|
|
ForEach ($TargetDomain in $TargetDomains) {
|
|
# enumerate all reachable user/group/computer objects and their associated ACLs
|
|
Write-Verbose "Enumerating ACLs for objects in domain: $TargetDomain"
|
|
|
|
$ObjectSearcher = Get-DomainSearcher -Domain $TargetDomain -DomainController $DomainController -ADSPath $UserADSpath
|
|
$ObjectSearcher.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
|
|
|
|
# only enumerate user and group objects (for now)
|
|
# 805306368 -> user
|
|
# 805306369 -> computer
|
|
# 268435456|268435457|536870912|536870913 -> groups
|
|
$ObjectSearcher.Filter = '(|(samAccountType=805306368)(samAccountType=805306369)(samAccountType=268435456)(samAccountType=268435457)(samAccountType=536870912)(samAccountType=536870913))'
|
|
$ObjectSearcher.PropertiesToLoad.AddRange(('distinguishedName','samaccountname','dnshostname','objectclass','objectsid','name', 'ntsecuritydescriptor'))
|
|
|
|
$ObjectSearcher.FindAll() | ForEach-Object {
|
|
$Object = $_.Properties
|
|
if($Object -and $Object.distinguishedname -and $Object.distinguishedname[0] -and $Object.objectsid -and $Object.objectsid[0]) {
|
|
|
|
$ObjectSid = (New-Object System.Security.Principal.SecurityIdentifier($Object.objectsid[0],0)).Value
|
|
|
|
try {
|
|
# parse the 'ntsecuritydescriptor' field returned
|
|
New-Object -TypeName Security.AccessControl.RawSecurityDescriptor -ArgumentList $Object['ntsecuritydescriptor'][0], 0 | Select-Object -Expand DiscretionaryAcl | ForEach-Object {
|
|
$Counter += 1
|
|
if($Counter % 10000 -eq 0) {
|
|
Write-Verbose "ACE counter: $Counter"
|
|
if($ACLWriter) {
|
|
$ACLWriter.Flush()
|
|
}
|
|
[GC]::Collect()
|
|
}
|
|
|
|
$RawActiveDirectoryRights = ([Enum]::ToObject([System.DirectoryServices.ActiveDirectoryRights], $_.AccessMask))
|
|
|
|
# check for the following rights:
|
|
# GenericAll - generic fully control of an object
|
|
# GenericWrite - write to any object properties
|
|
# WriteDacl - modify the permissions of the object
|
|
# WriteOwner - modify the owner of an object
|
|
# User-Force-Change-Password - extended attribute (00299570-246d-11d0-a768-00aa006e0529)
|
|
# WriteProperty/Self-Membership - modify group membership (bf9679c0-0de6-11d0-a285-00aa003049e2)
|
|
# WriteProperty/Script-Path - modify a user's script-path (bf9679a8-0de6-11d0-a285-00aa003049e2)
|
|
if (
|
|
( ($RawActiveDirectoryRights -match 'GenericAll|GenericWrite') -and (-not $_.ObjectAceType -or $_.ObjectAceType -eq '00000000-0000-0000-0000-000000000000') ) -or
|
|
($RawActiveDirectoryRights -match 'WriteDacl|WriteOwner') -or
|
|
( ($RawActiveDirectoryRights -match 'ExtendedRight') -and (-not $_.ObjectAceType -or $_.ObjectAceType -eq '00000000-0000-0000-0000-000000000000') ) -or
|
|
(($_.ObjectAceType -eq '00299570-246d-11d0-a768-00aa006e0529') -and ($RawActiveDirectoryRights -match 'ExtendedRight')) -or
|
|
(($_.ObjectAceType -eq 'bf9679c0-0de6-11d0-a285-00aa003049e2') -and ($RawActiveDirectoryRights -match 'WriteProperty')) -or
|
|
(($_.ObjectAceType -eq 'bf9679a8-0de6-11d0-a285-00aa003049e2') -and ($RawActiveDirectoryRights -match 'WriteProperty'))
|
|
) {
|
|
|
|
$PrincipalSid = $_.SecurityIdentifier.ToString()
|
|
$PrincipalSimpleName, $PrincipalObjectClass, $ACEType = $Null
|
|
|
|
# only grab the AD right names we care about
|
|
# 'GenericAll|GenericWrite|WriteOwner|WriteDacl'
|
|
$ActiveDirectoryRights = $ACLGeneralRightsRegex.Matches($RawActiveDirectoryRights) | Select-Object -ExpandProperty Value
|
|
if (-not $ActiveDirectoryRights) {
|
|
if ($RawActiveDirectoryRights -match 'ExtendedRight') {
|
|
$ActiveDirectoryRights = 'ExtendedRight'
|
|
}
|
|
else {
|
|
$ActiveDirectoryRights = 'WriteProperty'
|
|
}
|
|
|
|
# decode the ACE types here
|
|
$ACEType = Switch ($_.ObjectAceType) {
|
|
'00299570-246d-11d0-a768-00aa006e0529' {'User-Force-Change-Password'}
|
|
'bf9679c0-0de6-11d0-a285-00aa003049e2' {'Member'}
|
|
'bf9679a8-0de6-11d0-a285-00aa003049e2' {'Script-Path'}
|
|
Default {'All'}
|
|
}
|
|
}
|
|
|
|
if ($PrincipalMapping[$PrincipalSid]) {
|
|
# Write-Verbose "$PrincipalSid in cache!"
|
|
# $PrincipalMappings format -> @{ SID : @(PrincipalSimpleName, PrincipalObjectClass) }
|
|
$PrincipalSimpleName, $PrincipalObjectClass = $PrincipalMapping[$PrincipalSid]
|
|
}
|
|
elseif ($CommonSidMapping[$PrincipalSid]) {
|
|
# Write-Verbose "$PrincipalSid in common sids!"
|
|
$PrincipalName, $PrincipalObjectClass = $CommonSidMapping[$PrincipalSid]
|
|
$PrincipalSimpleName = "$PrincipalName@$TargetDomain"
|
|
$PrincipalMapping[$PrincipalSid] = $PrincipalSimpleName, $PrincipalObjectClass
|
|
}
|
|
else {
|
|
# Write-Verbose "$PrincipalSid NOT in cache!"
|
|
# first try querying the target domain for this SID
|
|
$SIDSearcher = Get-DomainSearcher -Domain $TargetDomain -DomainController $DomainController
|
|
$SIDSearcher.PropertiesToLoad.AddRange(('samaccountname','distinguishedname','dnshostname','objectclass'))
|
|
$SIDSearcher.Filter = "(objectsid=$PrincipalSid)"
|
|
$PrincipalObject = $SIDSearcher.FindOne()
|
|
|
|
if ((-not $PrincipalObject) -and ((-not $DomainController) -or (-not $DomainController.StartsWith('GC:')))) {
|
|
# if the object didn't resolve from the current domain, attempt to query the global catalog
|
|
$GCSearcher = Get-DomainSearcher -ADSpath $GCADSPath
|
|
$GCSearcher.PropertiesToLoad.AddRange(('samaccountname','distinguishedname','dnshostname','objectclass'))
|
|
$GCSearcher.Filter = "(objectsid=$PrincipalSid)"
|
|
$PrincipalObject = $GCSearcher.FindOne()
|
|
}
|
|
|
|
if ($PrincipalObject) {
|
|
if ($PrincipalObject.Properties.objectclass.contains('computer')) {
|
|
$PrincipalObjectClass = 'COMPUTER'
|
|
$PrincipalSimpleName = $PrincipalObject.Properties.dnshostname[0]
|
|
}
|
|
else {
|
|
$PrincipalSamAccountName = $PrincipalObject.Properties.samaccountname[0]
|
|
$PrincipalDN = $PrincipalObject.Properties.distinguishedname[0]
|
|
$PrincipalDomain = $PrincipalDN.SubString($PrincipalDN.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
|
|
$PrincipalSimpleName = "$PrincipalSamAccountName@$PrincipalDomain"
|
|
|
|
if ($PrincipalObject.Properties.objectclass.contains('group')) {
|
|
$PrincipalObjectClass = 'GROUP'
|
|
}
|
|
elseif ($PrincipalObject.Properties.objectclass.contains('user')) {
|
|
$PrincipalObjectClass = 'USER'
|
|
}
|
|
else {
|
|
$PrincipalObjectClass = 'OTHER'
|
|
}
|
|
}
|
|
}
|
|
else {
|
|
Write-Verbose "SID not resolved: $PrincipalSid"
|
|
}
|
|
|
|
$PrincipalMapping[$PrincipalSid] = $PrincipalSimpleName, $PrincipalObjectClass
|
|
}
|
|
|
|
if ($PrincipalSimpleName -and $PrincipalObjectClass) {
|
|
$ObjectName, $ObjectADType = $Null
|
|
|
|
if ($Object.objectclass.contains('computer')) {
|
|
$ObjectADType = 'COMPUTER'
|
|
if ($Object.dnshostname) {
|
|
$ObjectName = $Object.dnshostname[0]
|
|
}
|
|
}
|
|
else {
|
|
if($Object.samaccountname) {
|
|
$ObjectSamAccountName = $Object.samaccountname[0]
|
|
}
|
|
else {
|
|
$ObjectSamAccountName = $Object.name[0]
|
|
}
|
|
$DN = $Object.distinguishedname[0]
|
|
$ObjectDomain = $DN.SubString($DN.IndexOf('DC=')) -replace 'DC=','' -replace ',','.'
|
|
$ObjectName = "$ObjectSamAccountName@$ObjectDomain"
|
|
|
|
if ($Object.objectclass.contains('group')) {
|
|
$ObjectADType = 'GROUP'
|
|
}
|
|
elseif ($Object.objectclass.contains('user')) {
|
|
$ObjectADType = 'USER'
|
|
}
|
|
else {
|
|
$ObjectADType = 'OTHER'
|
|
}
|
|
}
|
|
|
|
if ($ObjectName -and $ObjectADType) {
|
|
if ($PSCmdlet.ParameterSetName -eq 'CSVExport') {
|
|
$ACLWriter.WriteLine("`"$ObjectName`",`"$ObjectADType`",`"$PrincipalSimpleName`",`"$PrincipalObjectClass`",`"$ActiveDirectoryRights`",`"$ACEType`",`"$($_.AceQualifier)`",`"$($_.IsInherited)`"")
|
|
}
|
|
else {
|
|
Write-Warning 'TODO: implement neo4j RESTful API ingestion for ACLs!'
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
catch {
|
|
Write-Verbose "ACL ingestion error: $_"
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if($UseDomainTrusts -and $TargetDomains) {
|
|
Write-Verbose "Mapping domain trusts"
|
|
Invoke-MapDomainTrust | ForEach-Object {
|
|
if($_.SourceDomain) {
|
|
$SourceDomain = $_.SourceDomain
|
|
}
|
|
else {
|
|
$SourceDomain = $_.SourceName
|
|
}
|
|
if($_.TargetDomain) {
|
|
$TargetDomain = $_.TargetDomain
|
|
}
|
|
else {
|
|
$TargetDomain = $_.TargetName
|
|
}
|
|
|
|
if ($PSCmdlet.ParameterSetName -eq 'CSVExport') {
|
|
$TrustWriter.WriteLine("`"$SourceDomain`",`"$TargetDomain`",`"$($_.TrustDirection)`",`"$($_.TrustType)`",`"$True`"")
|
|
}
|
|
else {
|
|
$Null = $Statements.Add( @{ "statement"="MERGE (SourceDomain:Domain { name: UPPER('$SourceDomain') }) MERGE (TargetDomain:Domain { name: UPPER('$TargetDomain') })" } )
|
|
|
|
$TrustType = $_.TrustType
|
|
$Transitive = $True
|
|
|
|
Switch ($_.TrustDirection) {
|
|
'Inbound' {
|
|
$Null = $Statements.Add( @{ "statement"="MERGE (SourceDomain)-[:TrustedBy{ TrustType: UPPER('$TrustType'), Transitive: UPPER('$Transitive')}]->(TargetDomain)" } )
|
|
}
|
|
'Outbound' {
|
|
$Null = $Statements.Add( @{ "statement"="MERGE (TargetDomain)-[:TrustedBy{ TrustType: UPPER('$TrustType'), Transitive: UPPER('$Transitive')}]->(SourceDomain)" } )
|
|
}
|
|
'Bidirectional' {
|
|
$Null = $Statements.Add( @{ "statement"="MERGE (TargetDomain)-[:TrustedBy{ TrustType: UPPER('$TrustType'), Transitive: UPPER('$Transitive')}]->(SourceDomain) MERGE (SourceDomain)-[:TrustedBy{ TrustType: UPPER('$TrustType'), Transitive: UPPER('$Transitive')}]->(TargetDomain)" } )
|
|
}
|
|
}
|
|
|
|
}
|
|
}
|
|
if ($PSCmdlet.ParameterSetName -eq 'RESTAPI') {
|
|
$Json = @{ "statements"=[System.Collections.Hashtable[]]$Statements }
|
|
$JsonRequest = ConvertTo-Json20 $Json
|
|
$Null = $WebClient.UploadString($URI.AbsoluteUri + "db/data/transaction/commit", $JsonRequest)
|
|
$Statements.Clear()
|
|
}
|
|
Write-Verbose "Done mapping domain trusts"
|
|
}
|
|
|
|
if($UseGPOGroup -and $TargetDomains) {
|
|
ForEach ($TargetDomain in $TargetDomains) {
|
|
|
|
Write-Verbose "Enumerating GPO local group memberships for domain $TargetDomain"
|
|
Find-GPOLocation -Domain $TargetDomain -DomainController $DomainController | ForEach-Object {
|
|
$AccountName = "$($_.ObjectName)@$($_.ObjectDomain)"
|
|
ForEach($Computer in $_.ComputerName) {
|
|
if($_.IsGroup) {
|
|
if ($PSCmdlet.ParameterSetName -eq 'CSVExport') {
|
|
$LocalAdminWriter.WriteLine("`"$Computer`",`"$AccountName`",`"group`"")
|
|
}
|
|
else {
|
|
$Null = $Statements.Add( @{"statement"="MERGE (group:Group { name: UPPER('$AccountName') }) MERGE (computer:Computer { name: UPPER('$Computer') }) MERGE (group)-[:AdminTo]->(computer)" } )
|
|
}
|
|
}
|
|
else {
|
|
if ($PSCmdlet.ParameterSetName -eq 'CSVExport') {
|
|
$LocalAdminWriter.WriteLine("`"$Computer`",`"$AccountName`",`"user`"")
|
|
}
|
|
else {
|
|
$Null = $Statements.Add( @{"statement"="MERGE (user:User { name: UPPER('$AccountName') }) MERGE (computer:Computer { name: UPPER('$Computer') }) MERGE (user)-[:AdminTo]->(computer)" } )
|
|
}
|
|
}
|
|
}
|
|
}
|
|
Write-Verbose "Done enumerating GPO local group memberships for domain $TargetDomain"
|
|
}
|
|
Write-Verbose "Done enumerating GPO local group"
|
|
# TODO: cypher query to add 'domain admins' to every found machine
|
|
}
|
|
|
|
# get the current user so we can ignore it in the results
|
|
$CurrentUser = ([Environment]::UserName).toLower()
|
|
|
|
# script block that enumerates a server
|
|
$HostEnumBlock = {
|
|
Param($ComputerName, $CurrentUser2, $UseLocalGroup2, $UseSession2, $UseLoggedon2, $DomainSID2)
|
|
|
|
ForEach ($TargetComputer in $ComputerName) {
|
|
$Up = Test-Connection -Count 1 -Quiet -ComputerName $TargetComputer
|
|
if($Up) {
|
|
if($UseLocalGroup2) {
|
|
# grab the users for the local admins on this server
|
|
$Results = Get-NetLocalGroup -ComputerName $TargetComputer -API -IsDomain -DomainSID $DomainSID2
|
|
if($Results) {
|
|
$Results
|
|
}
|
|
else {
|
|
Get-NetLocalGroup -ComputerName $TargetComputer -IsDomain -DomainSID $DomainSID2
|
|
}
|
|
}
|
|
|
|
$IPAddress = @(Get-IPAddress -ComputerName $TargetComputer)[0].IPAddress
|
|
|
|
if($UseSession2) {
|
|
ForEach ($Session in $(Get-NetSession -ComputerName $TargetComputer)) {
|
|
$UserName = $Session.sesi10_username
|
|
$CName = $Session.sesi10_cname
|
|
|
|
if($CName -and $CName.StartsWith("\\")) {
|
|
$CName = $CName.TrimStart("\")
|
|
}
|
|
|
|
# make sure we have a result
|
|
if (($UserName) -and ($UserName.trim() -ne '') -and ($UserName -notmatch '\$') -and ($UserName -notmatch $CurrentUser2)) {
|
|
# Try to resolve the DNS hostname of $Cname
|
|
try {
|
|
$CNameDNSName = [System.Net.Dns]::GetHostEntry($CName) | Select-Object -ExpandProperty HostName
|
|
}
|
|
catch {
|
|
$CNameDNSName = $CName
|
|
}
|
|
@{
|
|
'UserDomain' = $Null
|
|
'UserName' = $UserName
|
|
'ComputerName' = $TargetComputer
|
|
'IPAddress' = $IPAddress
|
|
'SessionFrom' = $CName
|
|
'SessionFromName' = $CNameDNSName
|
|
'LocalAdmin' = $Null
|
|
'Type' = 'UserSession'
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
if($UseLoggedon2) {
|
|
ForEach ($User in $(Get-NetLoggedon -ComputerName $TargetComputer)) {
|
|
$UserName = $User.wkui1_username
|
|
$UserDomain = $User.wkui1_logon_domain
|
|
|
|
# ignore local account logons
|
|
if($TargetComputer -notmatch "^$UserDomain") {
|
|
if (($UserName) -and ($UserName.trim() -ne '') -and ($UserName -notmatch '\$')) {
|
|
@{
|
|
'UserDomain' = $UserDomain
|
|
'UserName' = $UserName
|
|
'ComputerName' = $TargetComputer
|
|
'IPAddress' = $IPAddress
|
|
'SessionFrom' = $Null
|
|
'SessionFromName' = $Null
|
|
'LocalAdmin' = $Null
|
|
'Type' = 'UserSession'
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
ForEach ($User in $(Get-LoggedOnLocal -ComputerName $TargetComputer)) {
|
|
$UserName = $User.UserName
|
|
$UserDomain = $User.UserDomain
|
|
|
|
# ignore local account logons ?
|
|
if($TargetComputer -notmatch "^$UserDomain") {
|
|
@{
|
|
'UserDomain' = $UserDomain
|
|
'UserName' = $UserName
|
|
'ComputerName' = $TargetComputer
|
|
'IPAddress' = $IPAddress
|
|
'SessionFrom' = $Null
|
|
'SessionFromName' = $Null
|
|
'LocalAdmin' = $Null
|
|
'Type' = 'UserSession'
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
PROCESS {
|
|
if ($TargetDomains -and (-not $SkipComputerEnumeration)) {
|
|
|
|
if($Statements) {
|
|
$Statements.Clear()
|
|
}
|
|
[Array]$TargetComputers = @()
|
|
|
|
ForEach ($TargetDomain in $TargetDomains) {
|
|
|
|
$DomainSID = Get-DomainSid -Domain $TargetDomain
|
|
|
|
$ScriptParameters = @{
|
|
'CurrentUser2' = $CurrentUser
|
|
'UseLocalGroup2' = $UseLocalGroup
|
|
'UseSession2' = $UseSession
|
|
'UseLoggedon2' = $UseLoggedon
|
|
'DomainSID2' = $DomainSID
|
|
}
|
|
|
|
if($CollectionMethod -eq 'Stealth') {
|
|
Write-Verbose "Executing stealth computer enumeration of domain $TargetDomain"
|
|
|
|
Write-Verbose "Querying domain $TargetDomain for File Servers"
|
|
$TargetComputers += Get-NetFileServer -Domain $TargetDomain -DomainController $DomainController
|
|
|
|
Write-Verbose "Querying domain $TargetDomain for DFS Servers"
|
|
$TargetComputers += ForEach($DFSServer in $(Get-DFSshare -Domain $TargetDomain -DomainController $DomainController)) {
|
|
$DFSServer.RemoteServerName
|
|
}
|
|
|
|
Write-Verbose "Querying domain $TargetDomain for Domain Controllers"
|
|
$TargetComputers += ForEach($DomainController in $(Get-NetDomainController -LDAP -DomainController $DomainController -Domain $TargetDomain)) {
|
|
$DomainController.dnshostname
|
|
}
|
|
|
|
$TargetComputers = $TargetComputers | Where-Object {$_ -and ($_.Trim() -ne '')} | Sort-Object -Unique
|
|
}
|
|
else {
|
|
if($ComputerName) {
|
|
Write-Verbose "Using specified -ComputerName target set"
|
|
if($ComputerName -isnot [System.Array]) {$ComputerName = @($ComputerName)}
|
|
$TargetComputers = $ComputerName
|
|
}
|
|
else {
|
|
Write-Verbose "Enumerating all machines in domain $TargetDomain"
|
|
$ComputerSearcher = Get-DomainSearcher -Domain $TargetDomain -DomainController $DomainController -ADSPath $ComputerADSpath
|
|
$ComputerSearcher.filter = '(sAMAccountType=805306369)'
|
|
$Null = $ComputerSearcher.PropertiesToLoad.Add('dnshostname')
|
|
$TargetComputers = $ComputerSearcher.FindAll() | ForEach-Object {$_.Properties.dnshostname}
|
|
$ComputerSearcher.Dispose()
|
|
}
|
|
}
|
|
$TargetComputers = $TargetComputers | Where-Object { $_ }
|
|
|
|
New-ThreadedFunction -ComputerName $TargetComputers -ScriptBlock $HostEnumBlock -ScriptParameters $ScriptParameters -Threads $Threads | ForEach-Object {
|
|
if($_['Type'] -eq 'UserSession') {
|
|
if($_['SessionFromName']) {
|
|
try {
|
|
$SessionFromName = $_['SessionFromName']
|
|
$UserName = $_['UserName'].ToUpper()
|
|
$ComputerDomain = $_['SessionFromName'].SubString($_['SessionFromName'].IndexOf('.')+1).ToUpper()
|
|
|
|
if($UserDomainMappings) {
|
|
$UserDomain = $Null
|
|
if($UserDomainMappings[$UserName]) {
|
|
if($UserDomainMappings[$UserName].Count -eq 1) {
|
|
$UserDomain = $UserDomainMappings[$UserName]
|
|
$LoggedOnUser = "$UserName@$UserDomain"
|
|
if ($PSCmdlet.ParameterSetName -eq 'CSVExport') {
|
|
$SessionWriter.WriteLine("`"$SessionFromName`",`"$LoggedOnUser`",`"1`"")
|
|
}
|
|
else {
|
|
$Null = $Statements.Add( @{"statement"="MERGE (user:User { name: UPPER('$LoggedOnUser') }) MERGE (computer:Computer { name: UPPER('$SessionFromName') }) MERGE (computer)-[:HasSession {Weight: '1'}]->(user)" } )
|
|
}
|
|
}
|
|
else {
|
|
$ComputerDomain = $_['SessionFromName'].SubString($_['SessionFromName'].IndexOf('.')+1).ToUpper()
|
|
|
|
$UserDomainMappings[$UserName] | ForEach-Object {
|
|
# for multiple GC results, set a weight of 1 for the same domain as the target computer
|
|
if($_ -eq $ComputerDomain) {
|
|
$UserDomain = $_
|
|
$LoggedOnUser = "$UserName@$UserDomain"
|
|
if ($PSCmdlet.ParameterSetName -eq 'CSVExport') {
|
|
$SessionWriter.WriteLine("`"$SessionFromName`",`"$LoggedOnUser`",`"1`"")
|
|
}
|
|
else {
|
|
$Null = $Statements.Add( @{"statement"="MERGE (user:User { name: UPPER('$LoggedOnUser') }) MERGE (computer:Computer { name: UPPER('$SessionFromName') }) MERGE (computer)-[:HasSession {Weight: '1'}]->(user)" } )
|
|
}
|
|
}
|
|
# and set a weight of 2 for all other users in additional domains
|
|
else {
|
|
$UserDomain = $_
|
|
$LoggedOnUser = "$UserName@$UserDomain"
|
|
if ($PSCmdlet.ParameterSetName -eq 'CSVExport') {
|
|
$SessionWriter.WriteLine("`"$SessionFromName`",`"$LoggedOnUser`",`"2`"")
|
|
}
|
|
else {
|
|
$Null = $Statements.Add( @{"statement"="MERGE (user:User { name: UPPER('$LoggedOnUser') }) MERGE (computer:Computer { name: UPPER('$SessionFromName') }) MERGE (computer)-[:HasSession {Weight: '2'}]->(user)" } )
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
else {
|
|
# no user object in the GC with this username, so set the domain to "UNKNOWN"
|
|
$LoggedOnUser = "$UserName@UNKNOWN"
|
|
if ($PSCmdlet.ParameterSetName -eq 'CSVExport') {
|
|
$SessionWriter.WriteLine("`"$SessionFromName`",`"$LoggedOnUser`",`"2`"")
|
|
}
|
|
else {
|
|
$Null = $Statements.Add( @{"statement"="MERGE (user:User { name: UPPER('$LoggedOnUser') }) MERGE (computer:Computer { name: UPPER('$SessionFromName') }) MERGE (computer)-[:HasSession {Weight: '2'}]->(user)" } )
|
|
}
|
|
}
|
|
}
|
|
else {
|
|
# if not using GC mappings, set the weight to 2
|
|
$LoggedOnUser = "$UserName@$ComputerDomain"
|
|
if ($PSCmdlet.ParameterSetName -eq 'CSVExport') {
|
|
$SessionWriter.WriteLine("`"$SessionFromName`",`"$LoggedOnUser`",`"2`"")
|
|
}
|
|
else {
|
|
$Null = $Statements.Add( @{"statement"="MERGE (user:User { name: UPPER('$LoggedOnUser') }) MERGE (computer:Computer { name: UPPER('$SessionFromName') }) MERGE (computer)-[:HasSession {Weight: '2'}]->(user)"} )
|
|
}
|
|
}
|
|
}
|
|
catch {
|
|
Write-Warning "Error extracting domain from $SessionFromName"
|
|
}
|
|
}
|
|
elseif($_['SessionFrom']) {
|
|
$SessionFromName = $_['SessionFrom']
|
|
$LoggedOnUser = "$($_['UserName'])@UNKNOWN"
|
|
if ($PSCmdlet.ParameterSetName -eq 'CSVExport') {
|
|
$SessionWriter.WriteLine("`"$SessionFromName`",`"$LoggedOnUser`",`"2`"")
|
|
}
|
|
else {
|
|
$Null = $Statements.Add( @{"statement"="MERGE (user:User { name: UPPER(`"$LoggedOnUser`") }) MERGE (computer:Computer { name: UPPER(`"$SessionFromName`") }) MERGE (computer)-[:HasSession {Weight: '2'}]->(user)"} )
|
|
}
|
|
}
|
|
else {
|
|
# assume Get-NetLoggedOn result
|
|
$UserDomain = $_['UserDomain']
|
|
$UserName = $_['UserName']
|
|
try {
|
|
if($DomainShortnameMappings[$UserDomain]) {
|
|
# in case the short name mapping is 'cached'
|
|
$AccountName = "$UserName@$($DomainShortnameMappings[$UserDomain])"
|
|
}
|
|
else {
|
|
$MemberSimpleName = "$UserDomain\$UserName" | Convert-ADName -InputType 'NT4' -OutputType 'Canonical'
|
|
|
|
if($MemberSimpleName) {
|
|
$MemberDomain = $MemberSimpleName.Split('/')[0]
|
|
$AccountName = "$UserName@$MemberDomain"
|
|
$DomainShortnameMappings[$UserDomain] = $MemberDomain
|
|
}
|
|
else {
|
|
$AccountName = "$UserName@UNKNOWN"
|
|
}
|
|
}
|
|
|
|
$SessionFromName = $_['ComputerName']
|
|
|
|
if ($PSCmdlet.ParameterSetName -eq 'CSVExport') {
|
|
$SessionWriter.WriteLine("`"$SessionFromName`",`"$AccountName`",`"1`"")
|
|
}
|
|
else {
|
|
$Null = $Statements.Add( @{"statement"="MERGE (user:User { name: UPPER('$AccountName') }) MERGE (computer:Computer { name: UPPER('$SessionFromName') }) MERGE (computer)-[:HasSession {Weight: '1'}]->(user)" } )
|
|
}
|
|
}
|
|
catch {
|
|
Write-Verbose "Error converting $UserDomain\$UserName : $_"
|
|
}
|
|
}
|
|
}
|
|
elseif($_['Type'] -eq 'LocalUser') {
|
|
$Parts = $_['AccountName'].split('\')
|
|
$UserDomain = $Parts[0]
|
|
$UserName = $Parts[-1]
|
|
|
|
if($DomainShortnameMappings[$UserDomain]) {
|
|
# in case the short name mapping is 'cached'
|
|
$AccountName = "$UserName@$($DomainShortnameMappings[$UserDomain])"
|
|
}
|
|
else {
|
|
$MemberSimpleName = "$UserDomain\$UserName" | Convert-ADName -InputType 'NT4' -OutputType 'Canonical'
|
|
|
|
if($MemberSimpleName) {
|
|
$MemberDomain = $MemberSimpleName.Split('/')[0]
|
|
$AccountName = "$UserName@$MemberDomain"
|
|
$DomainShortnameMappings[$UserDomain] = $MemberDomain
|
|
}
|
|
else {
|
|
$AccountName = "$UserName@UNKNOWN"
|
|
}
|
|
}
|
|
|
|
$ComputerName = $_['ComputerName']
|
|
if($_['IsGroup']) {
|
|
if ($PSCmdlet.ParameterSetName -eq 'CSVExport') {
|
|
$LocalAdminWriter.WriteLine("`"$ComputerName`",`"$AccountName`",`"group`"")
|
|
}
|
|
else {
|
|
$Null = $Statements.Add( @{ "statement"="MERGE (group:Group { name: UPPER('$AccountName') }) MERGE (computer:Computer { name: UPPER('$ComputerName') }) MERGE (group)-[:AdminTo]->(computer)" } )
|
|
}
|
|
}
|
|
else {
|
|
if ($PSCmdlet.ParameterSetName -eq 'CSVExport') {
|
|
$LocalAdminWriter.WriteLine("`"$ComputerName`",`"$AccountName`",`"user`"")
|
|
}
|
|
else {
|
|
$Null = $Statements.Add( @{"statement"="MERGE (user:User { name: UPPER('$AccountName') }) MERGE (computer:Computer { name: UPPER('$ComputerName') }) MERGE (user)-[:AdminTo]->(computer)" } )
|
|
}
|
|
}
|
|
}
|
|
|
|
if (($PSCmdlet.ParameterSetName -eq 'RESTAPI') -and ($Statements.Count -ge $Throttle)) {
|
|
$Json = @{ "statements"=[System.Collections.Hashtable[]]$Statements }
|
|
$JsonRequest = ConvertTo-Json20 $Json
|
|
$Null = $WebClient.UploadString($URI.AbsoluteUri + "db/data/transaction/commit", $JsonRequest)
|
|
$Statements.Clear()
|
|
[GC]::Collect()
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
END {
|
|
|
|
if ($PSCmdlet.ParameterSetName -eq 'CSVExport') {
|
|
Write-Output "!-!"
|
|
if($SessionWriter) {
|
|
$SessionWriter.Dispose()
|
|
$SessionFileStream.Dispose()
|
|
Get-Content "$OutputFolder\$($CSVExportPrefix)user_sessions.csv"
|
|
Write-Output "!-!"
|
|
Remove-Item "$OutputFolder\$($CSVExportPrefix)user_sessions.csv"
|
|
}
|
|
if($GroupWriter) {
|
|
$GroupWriter.Dispose()
|
|
$GroupFileStream.Dispose()
|
|
Get-Content "$OutputFolder\$($CSVExportPrefix)group_memberships.csv"
|
|
Write-Output "!-!"
|
|
Remove-Item "$OutputFolder\$($CSVExportPrefix)group_memberships.csv"
|
|
}
|
|
if($ACLWriter) {
|
|
$ACLWriter.Dispose()
|
|
$ACLFileStream.Dispose()
|
|
Get-Content "$OutputFolder\$($CSVExportPrefix)acls.csv"
|
|
Write-Output "!-!"
|
|
Remove-Item "$OutputFolder\$($CSVExportPrefix)acls.csv"
|
|
}
|
|
if($LocalAdminWriter) {
|
|
$LocalAdminWriter.Dispose()
|
|
$LocalAdminFileStream.Dispose()
|
|
Get-Content "$OutputFolder\$($CSVExportPrefix)local_admins.csv"
|
|
Write-Output "!-!"
|
|
Remove-Item "$OutputFolder\$($CSVExportPrefix)local_admins.csv"
|
|
}
|
|
if($TrustWriter) {
|
|
$TrustWriter.Dispose()
|
|
$TrustsFileStream.Dispose()
|
|
Get-Content "$OutputFolder\$($CSVExportPrefix)trusts.csv"
|
|
Write-Output "!-!"
|
|
Remove-Item "$OutputFolder\$($CSVExportPrefix)trusts.csv"
|
|
}
|
|
|
|
Write-Output "Done writing output to CSVs in: $OutputFolder\$CSVExportPrefix"
|
|
}
|
|
else {
|
|
$Json = @{ "statements"=[System.Collections.Hashtable[]]$Statements }
|
|
$JsonRequest = ConvertTo-Json20 $Json
|
|
$Null = $WebClient.UploadString($URI.AbsoluteUri + "db/data/transaction/commit", $JsonRequest)
|
|
$Statements.Clear()
|
|
Write-Output "Done sending output to neo4j RESTful API interface at: $($URI.AbsoluteUri)"
|
|
}
|
|
|
|
[GC]::Collect()
|
|
}
|
|
}
|
|
|
|
|
|
########################################################
|
|
#
|
|
# Expose the Win32API functions and datastructures below
|
|
# using PSReflect.
|
|
# Warning: Once these are executed, they are baked in
|
|
# and can't be changed while the script is running!
|
|
#
|
|
########################################################
|
|
|
|
$Mod = New-InMemoryModule -ModuleName Win32
|
|
|
|
# all of the Win32 API functions we need
|
|
$FunctionDefinitions = @(
|
|
(func netapi32 NetWkstaUserEnum ([Int]) @([String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())),
|
|
(func netapi32 NetSessionEnum ([Int]) @([String], [String], [String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())),
|
|
(func netapi32 NetLocalGroupGetMembers ([Int]) @([String], [String], [Int], [IntPtr].MakeByRefType(), [Int], [Int32].MakeByRefType(), [Int32].MakeByRefType(), [Int32].MakeByRefType())),
|
|
(func netapi32 DsEnumerateDomainTrusts ([Int]) @([String], [UInt32], [IntPtr].MakeByRefType(), [IntPtr].MakeByRefType())),
|
|
(func netapi32 NetApiBufferFree ([Int]) @([IntPtr])),
|
|
(func advapi32 ConvertSidToStringSid ([Int]) @([IntPtr], [String].MakeByRefType()) -SetLastError)
|
|
)
|
|
|
|
|
|
# the NetWkstaUserEnum result structure
|
|
$WKSTA_USER_INFO_1 = struct $Mod WKSTA_USER_INFO_1 @{
|
|
wkui1_username = field 0 String -MarshalAs @('LPWStr')
|
|
wkui1_logon_domain = field 1 String -MarshalAs @('LPWStr')
|
|
wkui1_oth_domains = field 2 String -MarshalAs @('LPWStr')
|
|
wkui1_logon_server = field 3 String -MarshalAs @('LPWStr')
|
|
}
|
|
|
|
# the NetSessionEnum result structure
|
|
$SESSION_INFO_10 = struct $Mod SESSION_INFO_10 @{
|
|
sesi10_cname = field 0 String -MarshalAs @('LPWStr')
|
|
sesi10_username = field 1 String -MarshalAs @('LPWStr')
|
|
sesi10_time = field 2 UInt32
|
|
sesi10_idle_time = field 3 UInt32
|
|
}
|
|
|
|
# enum used by $LOCALGROUP_MEMBERS_INFO_2 below
|
|
$SID_NAME_USE = psenum $Mod SID_NAME_USE UInt16 @{
|
|
SidTypeUser = 1
|
|
SidTypeGroup = 2
|
|
SidTypeDomain = 3
|
|
SidTypeAlias = 4
|
|
SidTypeWellKnownGroup = 5
|
|
SidTypeDeletedAccount = 6
|
|
SidTypeInvalid = 7
|
|
SidTypeUnknown = 8
|
|
SidTypeComputer = 9
|
|
}
|
|
|
|
# the NetLocalGroupGetMembers result structure
|
|
$LOCALGROUP_MEMBERS_INFO_2 = struct $Mod LOCALGROUP_MEMBERS_INFO_2 @{
|
|
lgrmi2_sid = field 0 IntPtr
|
|
lgrmi2_sidusage = field 1 $SID_NAME_USE
|
|
lgrmi2_domainandname = field 2 String -MarshalAs @('LPWStr')
|
|
}
|
|
|
|
# enums used in DS_DOMAIN_TRUSTS
|
|
$DsDomainFlag = psenum $Mod DsDomain.Flags UInt32 @{
|
|
IN_FOREST = 1
|
|
DIRECT_OUTBOUND = 2
|
|
TREE_ROOT = 4
|
|
PRIMARY = 8
|
|
NATIVE_MODE = 16
|
|
DIRECT_INBOUND = 32
|
|
} -Bitfield
|
|
$DsDomainTrustType = psenum $Mod DsDomain.TrustType UInt32 @{
|
|
DOWNLEVEL = 1
|
|
UPLEVEL = 2
|
|
MIT = 3
|
|
DCE = 4
|
|
}
|
|
$DsDomainTrustAttributes = psenum $Mod DsDomain.TrustAttributes UInt32 @{
|
|
NON_TRANSITIVE = 1
|
|
UPLEVEL_ONLY = 2
|
|
FILTER_SIDS = 4
|
|
FOREST_TRANSITIVE = 8
|
|
CROSS_ORGANIZATION = 16
|
|
WITHIN_FOREST = 32
|
|
TREAT_AS_EXTERNAL = 64
|
|
}
|
|
|
|
# the DsEnumerateDomainTrusts result structure
|
|
$DS_DOMAIN_TRUSTS = struct $Mod DS_DOMAIN_TRUSTS @{
|
|
NetbiosDomainName = field 0 String -MarshalAs @('LPWStr')
|
|
DnsDomainName = field 1 String -MarshalAs @('LPWStr')
|
|
Flags = field 2 $DsDomainFlag
|
|
ParentIndex = field 3 UInt32
|
|
TrustType = field 4 $DsDomainTrustType
|
|
TrustAttributes = field 5 $DsDomainTrustAttributes
|
|
DomainSid = field 6 IntPtr
|
|
DomainGuid = field 7 Guid
|
|
}
|
|
|
|
$Types = $FunctionDefinitions | Add-Win32Type -Module $Mod -Namespace 'Win32'
|
|
$Netapi32 = $Types['netapi32']
|
|
$Advapi32 = $Types['advapi32']
|
|
|
|
Set-Alias Get-BloodHoundData Invoke-BloodHound
|