
Commit 08b3062

author
Jon Cave
committed
Support for DNs containing commas
If an object's distinguished name contains a comma then it ends up quoted: CN=Smith\, John,OU=Admins,DC=example,DC=com This breaks a number of functions which attempt to identify DOMAIN\name by matching on a \ anywhere in the specified identity before checking if the identity was a DN (or SID or GUID). For example, attempting to list members of "Domain Admins" using Get-DomainGroupMember gives the following: VERBOSE: [Convert-ADName] Error initializing translation for 'CN=Smith\, John,OU=Admins,DC=example,DC=com' : Exception calling "InvokeMember" with "5" argument(s): "The specified domain either does not exist or could not be contacted. (Exception from HRESULT: 0x8007054B)" VERBOSE: [Convert-ADName] Error translating 'CN=Smith\, John,OU=Admins,DC=example,DC=com' : The specified domain either does not exist or could not be contacted. (Exception from HRESULT: 0x8007054B) VERBOSE: [Get-DomainObject] Get-DomainObject filter string: (objectClass=*) The fix implemented here is to perform more specific pattern matching prior to falling back to looking for a \. The order is SID, DN, GUID, qualified name (DOMAIN\name), and then plain name.
1 parent bd6fe64 commit 08b3062

1 file changed

+80
-115
lines changed

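--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
@@ -4706,9 +4706,19 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
 $IdentityFilter = ''
 $Filter = ''
 $Identity | Where-Object {$_} | ForEach-Object {
-$IdentityInstance = $_
-if ($IdentityInstance -match '.+\\.+') {
-$ConvertedIdentityInstance = $IdentityInstance | Convert-ADName -OutputType Canonical
+$IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+if ($IdentityInstance -match '^S-1-') {
+$IdentityFilter += "(objectsid=$IdentityInstance)"
+}
+elseif ($IdentityInstance -match '^CN=') {
+$IdentityFilter += "(distinguishedname=$IdentityInstance)"
+}
+elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+$GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+$IdentityFilter += "(objectguid=$GuidByteString)"
+}
+elseif ($IdentityInstance.Contains('\')) {
+$ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical
 if ($ConvertedIdentityInstance) {
 $UserDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/'))
 $UserName = $IdentityInstance.Split('\')[1]
@@ -4719,26 +4729,10 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
 }
 }
 else {
-$IdentityInstance = $IdentityInstance.Replace('(', '\28').Replace(')', '\29')
-if ($IdentityInstance -match '^S-1-.*') {
-# SID format
-$IdentityFilter += "(objectsid=$IdentityInstance)"
-}
-elseif ($IdentityInstance -match '^CN=.*') {
-# distinguished names
-$IdentityFilter += "(distinguishedname=$IdentityInstance)"
-}
-else {
-try {
-$GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
-$IdentityFilter += "(objectguid=$GuidByteString)"
-}
-catch {
-$IdentityFilter += "(samAccountName=$IdentityInstance)"
-}
-}
+$IdentityFilter += "(samAccountName=$IdentityInstance)"
 }
 }
+
 if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
 $Filter += "(|$IdentityFilter)"
 }
@@ -5751,28 +5745,21 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
 $Filter = ''
 $Identity | Where-Object {$_} | ForEach-Object {
 $IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
-if ($IdentityInstance -match '^S-1-.*') {
+if ($IdentityInstance -match '^S-1-') {
 $IdentityFilter += "(objectsid=$IdentityInstance)"
 }
-elseif ($IdentityInstance -match '^CN=.*') {
+elseif ($IdentityInstance -match '^CN=') {
 $IdentityFilter += "(distinguishedname=$IdentityInstance)"
 }
-elseif ($IdentityInstance -match '.*\..*') {
-$IdentityFilter += "(dnshostname=$IdentityInstance)"
+elseif ($IdentityInstance.Contains('.')) {
+$IdentityFilter += "(|(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
+}
+elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+$GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+$IdentityFilter += "(objectguid=$GuidByteString)"
 }
 else {
-try {
-$GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
-$IdentityFilter += "(objectguid=$GuidByteString)"
-}
-catch {
-if ($IdentityInstance.Contains('.')) {
-$IdentityFilter += "(|(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
-}
-else {
-$IdentityFilter += "(name=$IdentityInstance)"
-}
-}
+$IdentityFilter += "(name=$IdentityInstance)"
 }
 }
 if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
@@ -6063,40 +6050,33 @@ The raw DirectoryServices.SearchResult object, if -Raw is enabled.
 $IdentityFilter = ''
 $Filter = ''
 $Identity | Where-Object {$_} | ForEach-Object {
-$IdentityInstance = $_
-if ($IdentityInstance -match '.+\\.+') {
-$ConvertedIdentityInstance = $IdentityInstance | Convert-ADName -OutputType Canonical
+$IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+if ($IdentityInstance -match '^S-1-') {
+$IdentityFilter += "(objectsid=$IdentityInstance)"
+}
+elseif ($IdentityInstance -match '^(CN|OU|DC)=') {
+$IdentityFilter += "(distinguishedname=$IdentityInstance)"
+}
+elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+$GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+$IdentityFilter += "(objectguid=$GuidByteString)"
+}
+elseif ($IdentityInstance.Contains('\')) {
+$ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical
 if ($ConvertedIdentityInstance) {
 $ObjectDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/'))
 $ObjectName = $IdentityInstance.Split('\')[1]
 $IdentityFilter += "(samAccountName=$ObjectName)"
 $SearcherArguments['Domain'] = $ObjectDomain
-Write-Verbose "[Get-DomainUser] Extracted domain '$ObjectDomain' from '$IdentityInstance'"
+Write-Verbose "[Get-DomainObject] Extracted domain '$ObjectDomain' from '$IdentityInstance'"
 $ObjectSearcher = Get-DomainSearcher @SearcherArguments
 }
 }
+elseif ($IdentityInstance.Contains('.')) {
+$IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
+}
 else {
-$IdentityInstance = $IdentityInstance.Replace('(', '\28').Replace(')', '\29')
-if ($IdentityInstance -match '^S-1-.*') {
-$IdentityFilter += "(objectsid=$IdentityInstance)"
-}
-elseif ($IdentityInstance -match '^(CN|OU|DC)=.*') {
-$IdentityFilter += "(distinguishedname=$IdentityInstance)"
-}
-else {
-try {
-$GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
-$IdentityFilter += "(objectguid=$GuidByteString)"
-}
-catch {
-if ($IdentityInstance.Contains('.')) {
-$IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
-}
-else {
-$IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(displayname=$IdentityInstance))"
-}
-}
-}
+$IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(displayname=$IdentityInstance))"
 }
 }
 if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
@@ -6784,19 +6764,15 @@ Custom PSObject with ACL entries.
 elseif ($IdentityInstance -match '^(CN|OU|DC)=.*') {
 $IdentityFilter += "(distinguishedname=$IdentityInstance)"
 }
+elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+$GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+$IdentityFilter += "(objectguid=$GuidByteString)"
+}
+elseif ($IdentityInstance.Contains('.')) {
+$IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
+}
 else {
-try {
-$GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
-$IdentityFilter += "(objectguid=$GuidByteString)"
-}
-catch {
-if ($IdentityInstance.Contains('.')) {
-$IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(dnshostname=$IdentityInstance))"
-}
-else {
-$IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(displayname=$IdentityInstance))"
-}
-}
+$IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance)(displayname=$IdentityInstance))"
 }
 }
 if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
@@ -8669,11 +8645,19 @@ Custom PSObject with translated group property fields.
 $IdentityFilter = ''
 $Filter = ''
 $Identity | Where-Object {$_} | ForEach-Object {
-$IdentityInstance = $_
-
-if ($IdentityInstance -match '.+\\.+') {
-# DOMAIN\groupname
-$ConvertedIdentityInstance = $IdentityInstance | Convert-ADName -OutputType Canonical
+$IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+if ($IdentityInstance -match '^S-1-') {
+$IdentityFilter += "(objectsid=$IdentityInstance)"
+}
+elseif ($IdentityInstance -match '^CN=') {
+$IdentityFilter += "(distinguishedname=$IdentityInstance)"
+}
+elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+$GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+$IdentityFilter += "(objectguid=$GuidByteString)"
+}
+elseif ($IdentityInstance.Contains('\')) {
+$ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical
 if ($ConvertedIdentityInstance) {
 $GroupDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/'))
 $GroupName = $IdentityInstance.Split('\')[1]
@@ -8684,24 +8668,10 @@ Custom PSObject with translated group property fields.
 }
 }
 else {
-$IdentityInstance = $IdentityInstance.Replace('(', '\28').Replace(')', '\29')
-if ($IdentityInstance -match '^S-1-.*') {
-$IdentityFilter += "(objectsid=$IdentityInstance)"
-}
-elseif ($IdentityInstance -match '^CN=.*') {
-$IdentityFilter += "(distinguishedname=$IdentityInstance)"
-}
-else {
-try {
-$GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
-$IdentityFilter += "(objectguid=$GuidByteString)"
-}
-catch {
-$IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance))"
-}
-}
+$IdentityFilter += "(|(samAccountName=$IdentityInstance)(name=$IdentityInstance))"
 }
 }
+
 if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
 $Filter += "(|$IdentityFilter)"
 }
@@ -9394,10 +9364,19 @@ http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-
 $IdentityFilter = ''
 $Filter = ''
 $Identity | Where-Object {$_} | ForEach-Object {
-$IdentityInstance = $_
-if ($IdentityInstance -match '.+\\.+') {
-# DOMAIN\groupname
-$ConvertedIdentityInstance = $IdentityInstance | Convert-ADName -OutputType Canonical
+$IdentityInstance = $_.Replace('(', '\28').Replace(')', '\29')
+if ($IdentityInstance -match '^S-1-') {
+$IdentityFilter += "(objectsid=$IdentityInstance)"
+}
+elseif ($IdentityInstance -match '^CN=') {
+$IdentityFilter += "(distinguishedname=$IdentityInstance)"
+}
+elseif ($IdentityInstance -imatch '^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$') {
+$GuidByteString = (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object { '\' + $_.ToString('X2') }) -join ''
+$IdentityFilter += "(objectguid=$GuidByteString)"
+}
+elseif ($IdentityInstance.Contains('\')) {
+$ConvertedIdentityInstance = $IdentityInstance.Replace('\28', '(').Replace('\29', ')') | Convert-ADName -OutputType Canonical
 if ($ConvertedIdentityInstance) {
 $GroupDomain = $ConvertedIdentityInstance.SubString(0, $ConvertedIdentityInstance.IndexOf('/'))
 $GroupName = $IdentityInstance.Split('\')[1]
@@ -9408,24 +9387,10 @@ http://www.powershellmagazine.com/2013/05/23/pstip-retrieve-group-membership-of-
 }
 }
 else {
-$IdentityInstance = $IdentityInstance.Replace('(', '\28').Replace(')', '\29')
-if ($IdentityInstance -match '^S-1-.*') {
-$IdentityFilter += "(objectsid=$IdentityInstance)"
-}
-elseif ($IdentityInstance -match '^CN=.*') {
-$IdentityFilter += "(distinguishedname=$IdentityInstance)"
-}
-else {
-try {
-$GuidByteString = (-Join (([Guid]$IdentityInstance).ToByteArray() | ForEach-Object {$_.ToString('X').PadLeft(2,'0')})) -Replace '(..)','\$1'
-$IdentityFilter += "(objectguid=$GuidByteString)"
-}
-catch {
-$IdentityFilter += "(samAccountName=$IdentityInstance)"
-}
-}
+$IdentityFilter += "(samAccountName=$IdentityInstance)"
 }
 }
+
 if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
 $Filter += "(|$IdentityFilter)"
 }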
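Review bot: The inline comments that labelled each branch (`# SID format`, `# distinguished names`, `# DOMAIN\groupname`) were dropped in the rewrite, and nothing in the new chains at 4706, 6050, 8645 and 9364 records why the order now matters — the DN test has to run before the `Contains('\')` test, because an escaped comma (`\,`) inside a DN would otherwise route it to Convert-ADName, which is exactly the failure this commit fixes. A short comment above each `if ($IdentityInstance -match '^S-1-')` would preserve that reasoning: `# Match order matters: SID, DN, GUID, then DOMAIN\name - a DN may contain '\,' so it must be recognised before the backslash test`. The same SID/DN/GUID/DOMAIN\name dispatch is now repeated verbatim in six functions, differing only in the DN pattern (`^CN=` versus `^(CN|OU|DC)=`) and the final fallback clause, so a shared private helper that takes the fallback template as a parameter would keep the precedence rule in one place. Each of these chains sits inside a function whose start and end lie outside the hunk.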
