
Commit 50e18ef

committed
-changed default enumeration method for Get-DomainTrust to LDAP
-Added WhenCreated/WhenChanged as default output for Get-DomainTrust
1 parent f6e6c09 commit 50e18ef


1 file changed

+64
-55
lines changed


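--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
@@ -19433,11 +19433,12 @@ Required Dependencies: Get-Domain, Get-DomainSearcher, Get-DomainSID, PSReflect
 .DESCRIPTION
 
 This function will enumerate domain trust relationships for the current (or a remote)
-domain using a number of methods. By default, the .NET method GetAllTrustRelationships()
-is used on the System.DirectoryServices.ActiveDirectory.Domain object. If the -LDAP flag
-is specified, or any of the LDAP-appropriate parameters, an LDAP search using the filter
-'(objectClass=trustedDomain)' is used instead. If the -API flag is specified, the
-Win32 API DsEnumerateDomainTrusts() call is used to enumerate instead.
+domain using a number of methods. By default, and LDAP search using the filter
+'(objectClass=trustedDomain)' is used- if any LDAP-appropriate parameters are specified
+LDAP is used as well. If the -NET flag is specified, the .NET method
+GetAllTrustRelationships() is used on the System.DirectoryServices.ActiveDirectory.Domain
+object. If the -API flag is specified, the Win32 API DsEnumerateDomainTrusts() call is
+used to enumerate instead.
 
 .PARAMETER Domain
 
@@ -19448,9 +19449,9 @@ Specifies the domain to query for trusts, defaults to the current domain.
 Switch. Use an API call (DsEnumerateDomainTrusts) to enumerate the trusts instead of the built-in
 .NET methods.
 
-.PARAMETER LDAP
+.PARAMETER NET
 
-Switch. Use LDAP queries to enumerate the trusts instead of direct domain connections.
+Switch. Use .NET queries to enumerate trusts instead of the default LDAP method.
 
 .PARAMETER LDAPFilter
 
@@ -19498,19 +19499,19 @@ for connection to the target domain.
 
 Get-DomainTrust
 
-Return domain trusts for the current domain using built in .NET methods.
+Return domain trusts for the current domain using built in .LDAP methods.
 
 .EXAMPLE
 
-Get-DomainTrust -Domain "prod.testlab.local"
+Get-DomainTrust -NET -Domain "prod.testlab.local"
 
 Return domain trusts for the "prod.testlab.local" domain using .NET methods
 
 .EXAMPLE
 
 $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
 $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
-Get-DomainTrust -LDAP -Domain "prod.testlab.local" -Server "PRIMARY.testlab.local" -Credential $Cred
+Get-DomainTrust -Domain "prod.testlab.local" -Server "PRIMARY.testlab.local" -Credential $Cred
 
 Return domain trusts for the "prod.testlab.local" domain enumerated through LDAP
 queries, binding to the PRIMARY.testlab.local server for queries, and using the specified
@@ -19524,13 +19525,13 @@ Return domain trusts for the "prod.testlab.local" domain enumerated through API
 
 .OUTPUTS
 
-PowerView.DomainTrust.NET
+PowerView.DomainTrust.LDAP
 
-A TrustRelationshipInformationCollection returned when using .NET methods (default).
+Custom PSObject with translated domain LDAP trust result fields (default).
 
-PowerView.DomainTrust.LDAP
+PowerView.DomainTrust.NET
 
-Custom PSObject with translated domain LDAP trust result fields.
+A TrustRelationshipInformationCollection returned when using .NET methods.
 
 PowerView.DomainTrust.API
 
@@ -19541,7 +19542,7 @@ Custom PSObject with translated domain API trust result fields.
 [OutputType('PowerView.DomainTrust.NET')]
 [OutputType('PowerView.DomainTrust.LDAP')]
 [OutputType('PowerView.DomainTrust.API')]
-[CmdletBinding(DefaultParameterSetName = 'NET')]
+[CmdletBinding(DefaultParameterSetName = 'LDAP')]
 Param(
 [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
 [Alias('Name')]
@@ -19553,9 +19554,9 @@ Custom PSObject with translated domain API trust result fields.
 [Switch]
 $API,
 
-[Parameter(ParameterSetName = 'LDAP')]
+[Parameter(ParameterSetName = 'NET')]
 [Switch]
-$LDAP,
+$NET,
 
 [Parameter(ParameterSetName = 'LDAP')]
 [ValidateNotNullOrEmpty()]
@@ -19612,17 +19613,17 @@ Custom PSObject with translated domain API trust result fields.
 
 BEGIN {
 $TrustAttributes = @{
-[uint32]'0x00000001' = 'non_transitive'
-[uint32]'0x00000002' = 'uplevel_only'
-[uint32]'0x00000004' = 'quarantined_domain'
-[uint32]'0x00000008' = 'forest_transitive'
-[uint32]'0x00000010' = 'cross_organization'
-[uint32]'0x00000020' = 'within_forest'
-[uint32]'0x00000040' = 'treat_as_external'
-[uint32]'0x00000080' = 'trust_uses_rc4_encryption'
-[uint32]'0x00000100' = 'trust_uses_aes_keys'
-[uint32]'0x00000200' = 'cross_organization_no_tgt_delegation'
-[uint32]'0x00000400' = 'pim_trust'
+[uint32]'0x00000001' = 'NON_TRANSITIVE'
+[uint32]'0x00000002' = 'UPLEVEL_ONLY'
+[uint32]'0x00000004' = 'FILTER_SIDS'
+[uint32]'0x00000008' = 'FOREST_TRANSITIVE'
+[uint32]'0x00000010' = 'CROSS_ORGANIZATION'
+[uint32]'0x00000020' = 'WITHIN_FOREST'
+[uint32]'0x00000040' = 'TREAT_AS_EXTERNAL'
+[uint32]'0x00000080' = 'TRUST_USES_RC4_ENCRYPTION'
+[uint32]'0x00000100' = 'TRUST_USES_AES_KEYS'
+[uint32]'0x00000200' = 'CROSS_ORGANIZATION_NO_TGT_DELEGATION'
+[uint32]'0x00000400' = 'PIM_TRUST'
 }
 
 $LdapSearcherArguments = @{}
@@ -19689,16 +19690,25 @@ Custom PSObject with translated domain API trust result fields.
 3 { 'Bidirectional' }
 }
 
+$TrustType = Switch ($Props.trusttype) {
+1 { 'WINDOWS_NON_ACTIVE_DIRECTORY' }
+2 { 'WINDOWS_ACTIVE_DIRECTORY' }
+3 { 'MIT' }
+}
+
 $ObjectGuid = New-Object Guid @(,$Props.objectguid[0])
 $TargetSID = (New-Object System.Security.Principal.SecurityIdentifier($Props.securityidentifier[0],0)).Value
 
 $DomainTrust | Add-Member Noteproperty 'SourceName' $SourceDomain
 $DomainTrust | Add-Member Noteproperty 'SourceSID' $SourceSID
 $DomainTrust | Add-Member Noteproperty 'TargetName' $Props.name[0]
 $DomainTrust | Add-Member Noteproperty 'TargetSID' $TargetSID
-$DomainTrust | Add-Member Noteproperty 'ObjectGuid' "{$ObjectGuid}"
-$DomainTrust | Add-Member Noteproperty 'TrustType' $($TrustAttrib -join ',')
+# $DomainTrust | Add-Member Noteproperty 'TargetGuid' "{$ObjectGuid}"
+$DomainTrust | Add-Member Noteproperty 'TrustType' $TrustType
+$DomainTrust | Add-Member Noteproperty 'TrustAttributes' $($TrustAttrib -join ',')
 $DomainTrust | Add-Member Noteproperty 'TrustDirection' "$Direction"
+$DomainTrust | Add-Member Noteproperty 'WhenCreated' $Props.whencreated[0]
+$DomainTrust | Add-Member Noteproperty 'WhenChanged' $Props.whenchanged[0]
 $DomainTrust.PSObject.TypeNames.Insert(0, 'PowerView.DomainTrust.LDAP')
 $DomainTrust
 }
@@ -20308,20 +20318,21 @@ Required Dependencies: Get-Domain, Get-DomainTrust, Get-ForestTrust
 
 This function will enumerate domain trust relationships for the current domain using
 a number of methods, and then enumerates all trusts for each found domain, recursively
-mapping all reachable trust relationships. By default, the .NET method GetAllTrustRelationships()
-is used on the System.DirectoryServices.ActiveDirectory.Domain object. If the -LDAP flag
-is specified, or any of the LDAP-appropriate parameters, an LDAP search using the filter
-'(objectClass=trustedDomain)' is used instead. If the -API flag is specified, the
-Win32 API DsEnumerateDomainTrusts() call is used to enumerate instead.
+mapping all reachable trust relationships. By default, and LDAP search using the filter
+'(objectClass=trustedDomain)' is used- if any LDAP-appropriate parameters are specified
+LDAP is used as well. If the -NET flag is specified, the .NET method
+GetAllTrustRelationships() is used on the System.DirectoryServices.ActiveDirectory.Domain
+object. If the -API flag is specified, the Win32 API DsEnumerateDomainTrusts() call is
+used to enumerate instead. If any
 
 .PARAMETER API
 
-Switch. Use an API call (DsEnumerateDomainTrusts) to enumerate the trusts instead of the built-in
-.NET methods.
+Switch. Use an API call (DsEnumerateDomainTrusts) to enumerate the trusts instead of the
+built-in LDAP method.
 
-.PARAMETER LDAP
+.PARAMETER NET
 
-Switch. Use LDAP queries to enumerate the trusts instead of direct domain connections.
+Switch. Use .NET queries to enumerate trusts instead of the default LDAP method.
 
 .PARAMETER LDAPFilter
 
@@ -20375,29 +20386,28 @@ Map all reachable domain trusts using Win32 API calls and output everything to a
 
 .EXAMPLE
 
-Get-DomainTrustMapping -LDAP -Server 'PRIMARY.testlab.local' | Export-CSV -NoTypeInformation trusts.csv
+Get-DomainTrustMapping -NET | Export-CSV -NoTypeInformation trusts.csv
 
-Map all reachable domain trusts using LDAP, binding to the PRIMARY.testlab.local server for queries,
-and output everything to a .csv file.
+Map all reachable domain trusts using .NET methods and output everything to a .csv file.
 
 .EXAMPLE
 
 $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
 $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
-Get-DomainTrustMapping -LDAP -Server 'PRIMARY.testlab.local' | Export-CSV -NoTypeInformation trusts.csv
+Get-DomainTrustMapping -Server 'PRIMARY.testlab.local' | Export-CSV -NoTypeInformation trusts.csv
 
 Map all reachable domain trusts using LDAP, binding to the PRIMARY.testlab.local server for queries
 using the specified alternate credentials, and output everything to a .csv file.
 
 .OUTPUTS
 
-PowerView.DomainTrust.NET
+PowerView.DomainTrust.LDAP
 
-A TrustRelationshipInformationCollection returned when using .NET methods (default).
+Custom PSObject with translated domain LDAP trust result fields (default).
 
-PowerView.DomainTrust.LDAP
+PowerView.DomainTrust.NET
 
-Custom PSObject with translated domain LDAP trust result fields.
+A TrustRelationshipInformationCollection returned when using .NET methods.
 
 PowerView.DomainTrust.API
 
@@ -20408,15 +20418,15 @@ Custom PSObject with translated domain API trust result fields.
 [OutputType('PowerView.DomainTrust.NET')]
 [OutputType('PowerView.DomainTrust.LDAP')]
 [OutputType('PowerView.DomainTrust.API')]
-[CmdletBinding(DefaultParameterSetName = 'NET')]
+[CmdletBinding(DefaultParameterSetName = 'LDAP')]
 Param(
 [Parameter(ParameterSetName = 'API')]
 [Switch]
 $API,
 
-[Parameter(ParameterSetName = 'LDAP')]
+[Parameter(ParameterSetName = 'NET')]
 [Switch]
-$LDAP,
+$NET,
 
 [Parameter(ParameterSetName = 'LDAP')]
 [ValidateNotNullOrEmpty()]
@@ -20475,7 +20485,7 @@ Custom PSObject with translated domain API trust result fields.
 
 $DomainTrustArguments = @{}
 if ($PSBoundParameters['API']) { $DomainTrustArguments['API'] = $API }
-if ($PSBoundParameters['LDAP']) { $DomainTrustArguments['LDAP'] = $LDAP }
+if ($PSBoundParameters['NET']) { $DomainTrustArguments['NET'] = $NET }
 if ($PSBoundParameters['LDAPFilter']) { $DomainTrustArguments['LDAPFilter'] = $LDAPFilter }
 if ($PSBoundParameters['Properties']) { $DomainTrustArguments['Properties'] = $Properties }
 if ($PSBoundParameters['SearchBase']) { $DomainTrustArguments['SearchBase'] = $SearchBase }
@@ -20517,7 +20527,7 @@ Custom PSObject with translated domain API trust result fields.
 }
 
 # get any forest trusts, if they exist
-if ($PsCmdlet.ParameterSetName -eq 'LDAP') {
+if ($PsCmdlet.ParameterSetName -eq 'NET') {
 $ForestTrustArguments = @{}
 if ($PSBoundParameters['Forest']) { $ForestTrustArguments['Forest'] = $Forest }
 if ($PSBoundParameters['Credential']) { $ForestTrustArguments['Credential'] = $Credential }
@@ -20547,8 +20557,7 @@ Custom PSObject with translated domain API trust result fields.
 }
 
 
-function Get-GPODelegation
-{
+function Get-GPODelegation {
 <#
 .SYNOPSIS
 
@@ -20589,7 +20598,7 @@ Returns all GPO delegations on a given GPO.
 $PageSize = 200
 )
 
-$Exclusions = @("SYSTEM","Domain Admins","Enterprise Admins")
+$Exclusions = @('SYSTEM','Domain Admins','Enterprise Admins')
 
 $Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
 $DomainList = @($Forest.Domains)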
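Review bot: The new `$TrustType = Switch ($Props.trusttype) { ... }` in the Get-DomainTrust LDAP branch (hunk at 19693) has no fallback, so any trustType outside 1–3 (MS-ADTS also defines 4, DCE) yields an empty TrustType property and silently loses information that the old `$TrustAttrib` join still carried; add `Default { "$_" }` so unknown values surface as the raw number. In the same hunk `$ObjectGuid` is still built from `$Props.objectguid[0]` although its only consumer is now the commented-out `TargetGuid` line, so either drop the computation or restore the property rather than leaving dead work. The added `WhenCreated`/`WhenChanged` properties index `$Props.whencreated[0]` and `$Props.whenchanged[0]` unconditionally; if the searcher honours a caller-supplied `-Properties` list that omits them this will fail or emit nulls, which I cannot confirm from the hunk. In Get-DomainTrustMapping the forest-trust block now runs only when `$PsCmdlet.ParameterSetName -eq 'NET'`, so under the new LDAP default forest trusts are no longer enumerated — if that is intended, the .DESCRIPTION should say so, and its new text also ends in the dangling fragment `If any` and reads `By default, and LDAP search` where `an` is meant. The second Get-DomainTrustMapping example builds `$Cred` and claims to use alternate credentials but the rewritten command line never passes `-Credential $Cred`.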
