
Commit b5172c2

committed
Fixed a few GC bugs in Get-DomainSearcher
Added attempted gpcfilesyspath resolution to Get-NetGPO Added -ADSPath for Get-NetDomainTrust
1 parent d37ec66 commit b5172c2


1 file changed

+49
-24
lines changed


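--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
@@ -895,7 +895,7 @@ filter Convert-NameToSid {
 $Domain = $ObjectName.Split("\")[0]
 $ObjectName = $ObjectName.Split("\")[1]
 }
-elseif(!$Domain) {
+elseif(-not $Domain) {
 $Domain = (Get-NetDomain).Name
 }
 
@@ -1698,11 +1698,11 @@ filter Get-DomainSearcher {
 $Credential
 )
 
-if(!$Credential) {
-if(!$Domain) {
+if(-not $Credential) {
+if(-not $Domain) {
 $Domain = (Get-NetDomain).name
 }
-elseif(!$DomainController) {
+elseif(-not $DomainController) {
 try {
 # if there's no -DomainController specified, try to pull the primary DC to reflect queries through
 $DomainController = ((Get-NetDomain).PdcRoleOwner).Name
@@ -1712,7 +1712,7 @@ filter Get-DomainSearcher {
 }
 }
 }
-elseif (!$DomainController) {
+elseif (-not $DomainController) {
 try {
 $DomainController = ((Get-NetDomain -Credential $Credential).PdcRoleOwner).Name
 }
@@ -1730,24 +1730,24 @@ filter Get-DomainSearcher {
 if($DomainController) {
 $SearchString += $DomainController
 if($Domain){
-$SearchString += "/"
+$SearchString += '/'
 }
 }
 
 if($ADSprefix) {
-$SearchString += $ADSprefix + ","
+$SearchString += $ADSprefix + ','
 }
 
 if($ADSpath) {
-if($ADSpath -like "GC://*") {
+if($ADSpath -Match '^GC://') {
 # if we're searching the global catalog
-$DN = $AdsPath
-$SearchString = ""
+$DN = $AdsPath.ToUpper().Trim('/')
+$SearchString = ''
 }
 else {
-if($ADSpath -like "LDAP://*") {
+if($ADSpath -match '^LDAP://') {
 if($ADSpath -match "LDAP://.+/.+") {
-$SearchString = ""
+$SearchString = ''
 }
 else {
 $ADSpath = $ADSpath.Substring(7)
@@ -4851,7 +4851,7 @@ function Get-NetSite {
 $SiteSearcher.dispose()
 }
 catch {
-Write-Warning $_
+Write-Verbose $_
 }
 }
 }
@@ -6351,8 +6351,23 @@ function Get-NetGPO {
 try {
 $Results = $GPOSearcher.FindAll()
 $Results | Where-Object {$_} | ForEach-Object {
-# convert/process the LDAP fields for each result
-Convert-LDAPProperty -Properties $_.Properties
+if($ADSPath -and ($ADSpath -Match '^GC://')) {
+$Properties = Convert-LDAPProperty -Properties $_.Properties
+try {
+$GPODN = $Properties.distinguishedname
+$GPODomain = $GPODN.subString($GPODN.IndexOf("DC=")) -replace 'DC=','' -replace ',','.'
+$gpcfilesyspath = "\\$GPODomain\SysVol\$GPODomain\Policies\$($Properties.cn)"
+$Properties | Add-Member Noteproperty 'gpcfilesyspath' $gpcfilesyspath
+$Properties
+}
+catch {
+$Properties
+}
+}
+else {
+# convert/process the LDAP fields for each result
+Convert-LDAPProperty -Properties $_.Properties
+}
 }
 $Results.dispose()
 $GPOSearcher.dispose()
@@ -6710,7 +6725,7 @@ function Get-NetGPOGroup {
 ForEach($Member in $MembershipValue) {
 if($Member -and ($Member.Trim() -ne '')) {
 if($Member -notmatch '^S-1-.*') {
-$MemberSID = Convert-NameToSid -ObjectName $Member | Select-Object -ExpandProperty SID
+$MemberSID = Convert-NameToSid -Domain $Domain -ObjectName $Member | Select-Object -ExpandProperty SID
 if($MemberSID) {
 $GroupMembers += $MemberSID
 }
@@ -6729,6 +6744,7 @@ function Get-NetGPOGroup {
 if(-not $Memberships[$Group]) {
 $Memberships[$Group] = @{}
 }
+if($MembershipValue -isnot [System.Array]) {$MembershipValue = @($MembershipValue)}
 $Memberships[$Group].Add($Relation, $MembershipValue)
 }
 
@@ -6757,7 +6773,7 @@ function Get-NetGPOGroup {
 $GroupSID = 'S-1-5-32-546'
 }
 elseif($GroupName.Trim() -ne '') {
-$GroupSID = Convert-NameToSid -ObjectName $Groupname | Select-Object -ExpandProperty SID
+$GroupSID = Convert-NameToSid -Domain $Domain -ObjectName $Groupname | Select-Object -ExpandProperty SID
 }
 else {
 $GroupSID = $Null
@@ -6791,7 +6807,7 @@ function Get-NetGPOGroup {
 if($Member -and ($Member.Trim() -ne '')) {
 if($Member -notmatch '^S-1-.*') {
 # if the resulting member is username and not a SID, attempt to resolve it
-$MemberSID = Convert-NameToSid -ObjectName $Member | Select-Object -ExpandProperty SID
+$MemberSID = Convert-NameToSid -Domain $Domain -ObjectName $Member | Select-Object -ExpandProperty SID
 if($MemberSID) {
 $GroupMembers += $MemberSID
 }
@@ -6933,7 +6949,7 @@ function Find-GPOLocation {
 
 if($UserName) {
 # if a group name is specified, get that user object so we can extract the target SID
-$User = Get-NetUser -UserName $UserName -Domain $Domain -DomainController $DomainController -PageSize $PageSize
+$User = Get-NetUser -UserName $UserName -Domain $Domain -DomainController $DomainController -PageSize $PageSize | Select-Object -First 1
 $UserSid = $User.objectsid
 
 if(-not $UserSid) {
@@ -6946,7 +6962,7 @@ function Find-GPOLocation {
 }
 elseif($GroupName) {
 # if a group name is specified, get that group object so we can extract the target SID
-$Group = Get-NetGroup -GroupName $GroupName -Domain $Domain -DomainController $DomainController -FullData -PageSize $PageSize
+$Group = Get-NetGroup -GroupName $GroupName -Domain $Domain -DomainController $DomainController -FullData -PageSize $PageSize | Select-Object -First 1
 $GroupSid = $Group.objectsid
 
 if(-not $GroupSid) {
@@ -7046,15 +7062,15 @@ function Find-GPOLocation {
 if($OUComputers -isnot [System.Array]) {$OUComputers = @($OUComputers)}
 
 ForEach ($TargetSid in $TargetObjectSIDs) {
-
-$Object = Get-ADObject -SID $TargetSid -Domain $Domain -DomainController $DomainController $_ -PageSize $PageSize
+$Object = Get-ADObject -SID $TargetSid -Domain $Domain -DomainController $DomainController -Credential $Credential -PageSize $PageSize
 
 $IsGroup = @('268435456','268435457','536870912','536870913') -contains $Object.samaccounttype
 
 $GPOLocation = New-Object PSObject
 $GPOLocation | Add-Member Noteproperty 'ObjectName' $Object.samaccountname
 $GPOLocation | Add-Member Noteproperty 'ObjectDN' $Object.distinguishedname
 $GPOLocation | Add-Member Noteproperty 'ObjectSID' $Object.objectsid
+$GPOLocation | Add-Member Noteproperty 'Domain' $Domain
 $GPOLocation | Add-Member Noteproperty 'IsGroup' $IsGroup
 $GPOLocation | Add-Member Noteproperty 'GPODisplayName' $GPOname
 $GPOLocation | Add-Member Noteproperty 'GPOGuid' $GPOGuid
@@ -7070,7 +7086,7 @@ function Find-GPOLocation {
 Get-NetSite -Domain $Domain -DomainController $DomainController -GUID $GPOguid -PageSize $PageSize -FullData | ForEach-Object {
 
 ForEach ($TargetSid in $TargetObjectSIDs) {
-$Object = Get-ADObject -SID $TargetSid -Domain $Domain -DomainController $DomainController $_ -PageSize $PageSize
+$Object = Get-ADObject -SID $TargetSid -Domain $Domain -DomainController $DomainController -Credential $Credential -PageSize $PageSize
 
 $IsGroup = @('268435456','268435457','536870912','536870913') -contains $Object.samaccounttype
 
@@ -7079,6 +7095,7 @@ function Find-GPOLocation {
 $AppliedSite | Add-Member Noteproperty 'ObjectDN' $Object.distinguishedname
 $AppliedSite | Add-Member Noteproperty 'ObjectSID' $Object.objectsid
 $AppliedSite | Add-Member Noteproperty 'IsGroup' $IsGroup
+$AppliedSite | Add-Member Noteproperty 'Domain' $Domain
 $AppliedSite | Add-Member Noteproperty 'GPODisplayName' $GPOname
 $AppliedSite | Add-Member Noteproperty 'GPOGuid' $GPOGuid
 $AppliedSite | Add-Member Noteproperty 'GPOPath' $GPOPath
@@ -12396,6 +12413,11 @@ function Get-NetDomainTrust {
 
 Domain controller to reflect LDAP queries through.
 
+.PARAMETER ADSpath
+
+The LDAP source to search through, e.g. "LDAP://DC=testlab,DC=local".
+Useful for global catalog queries ;)
+
 .PARAMETER API
 
 Use an API call (DsEnumerateDomainTrusts) to enumerate the trusts.
@@ -12451,6 +12473,9 @@ function Get-NetDomainTrust {
 [String]
 $DomainController,
 
+[String]
+$ADSpath,
+
 [Switch]
 $API,
 
@@ -12473,7 +12498,7 @@ function Get-NetDomainTrust {
 
 if($LDAP) {
 
-$TrustSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -PageSize $PageSize
+$TrustSearcher = Get-DomainSearcher -Domain $Domain -DomainController $DomainController -Credential $Credential -PageSize $PageSize -ADSpath $ADSpath
 $SourceSID = Get-DomainSID -Domain $Domain -DomainController $DomainController
 
 if($TrustSearcher) {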
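Review bot: The `gpcfilesyspath` built in the GC branch of Get-NetGPO (new lines 6357–6360) is derived from the DN's DC= components and the GPO's cn rather than read from the directory, yet it is attached under the same property name as the real attribute, so a consumer cannot tell a synthesized SYSVOL path from one the DC actually returned. A comment above `$GPODN = $Properties.distinguishedname` should say so, e.g. `# gpcfilesyspath is presumably not available through the GC, so synthesize the SYSVOL path from the DN's DC= components and the cn (best-effort, not verified against the directory)`. `$GPODN.IndexOf("DC=")` is also case-sensitive, so a lower-cased DN yields -1 and the Substring call throws into the silent catch; `$GPODN.IndexOf('DC=', [StringComparison]::OrdinalIgnoreCase)` avoids that. The body of Get-NetGPO continues outside the hunk.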
