Logic bug fix in Get-DomainFileServer

HarmJ0y · HarmJ0y · commit 601ad0cf3f46 · 2016-12-15T12:32:17.000-05:00
-Domain bug fix in Find-DomainUserLocation stealth
diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1
@@ -9828,12 +9828,12 @@ One or more strings representing file server names.
                 $SearcherArguments['Domain'] = $TargetDomain
                 $UserSearcher = Get-DomainSearcher @SearcherArguments
                 # get all results w/o the pipeline and uniquify them (I know it's not pretty)
-                Sort-Object -Unique -InputObject $(ForEach($UserResult in $UserSearcher.FindAll()) {if ($UserResult.Properties['homedirectory']) {Split-Path($UserResult.Properties['homedirectory'])}if ($UserResult.Properties['scriptpath']) {Split-Path($UserResult.Properties['scriptpath'])}if ($UserResult.Properties['profilepath']) {Split-Path($UserResult.Properties['profilepath'])}})
+                $(ForEach($UserResult in $UserSearcher.FindAll()) {if ($UserResult.Properties['homedirectory']) {Split-Path($UserResult.Properties['homedirectory'])}if ($UserResult.Properties['scriptpath']) {Split-Path($UserResult.Properties['scriptpath'])}if ($UserResult.Properties['profilepath']) {Split-Path($UserResult.Properties['profilepath'])}}) | Sort-Object -Unique
             }
         }
         else {
             $UserSearcher = Get-DomainSearcher @SearcherArguments
-            Sort-Object -Unique -InputObject $(ForEach($UserResult in $UserSearcher.FindAll()) {if ($UserResult.Properties['homedirectory']) {Split-Path($UserResult.Properties['homedirectory'])}if ($UserResult.Properties['scriptpath']) {Split-Path($UserResult.Properties['scriptpath'])}if ($UserResult.Properties['profilepath']) {Split-Path($UserResult.Properties['profilepath'])}})
+            $(ForEach($UserResult in $UserSearcher.FindAll()) {if ($UserResult.Properties['homedirectory']) {Split-Path($UserResult.Properties['homedirectory'])}if ($UserResult.Properties['scriptpath']) {Split-Path($UserResult.Properties['scriptpath'])}if ($UserResult.Properties['profilepath']) {Split-Path($UserResult.Properties['profilepath'])}}) | Sort-Object -Unique
         }
     }
 }
@@ -14796,10 +14796,11 @@ PowerView.UserLocation
         if ($PSBoundParameters['Tombstone']) { $UserSearcherArguments['Tombstone'] = $Tombstone }
         if ($PSBoundParameters['Credential']) { $UserSearcherArguments['Credential'] = $Credential }
 
+        $TargetComputers = @()
 
         # first, build the set of computers to enumerate
         if ($PSBoundParameters['ComputerName']) {
-            $TargetComputers = $ComputerName
+            $TargetComputers = @($ComputerName)
         }
         else {
             if ($PSBoundParameters['Stealth']) {
@@ -14809,6 +14810,7 @@ PowerView.UserLocation
                 if ($StealthSource -match 'File|All') {
                     Write-Verbose '[Find-DomainUserLocation] Querying for file servers'
                     $FileServerSearcherArguments = @{}
+                    if ($PSBoundParameters['Domain']) { $FileServerSearcherArguments['Domain'] = $ComputerDomain }
                     if ($PSBoundParameters['ComputerDomain']) { $FileServerSearcherArguments['Domain'] = $ComputerDomain }
                     if ($PSBoundParameters['ComputerSearchBase']) { $FileServerSearcherArguments['SearchBase'] = $ComputerSearchBase }
                     if ($PSBoundParameters['Server']) { $FileServerSearcherArguments['Server'] = $Server }
@@ -14831,6 +14833,7 @@ PowerView.UserLocation
                     $DCSearcherArguments = @{
                         'LDAP' = $True
                     }
+                    if ($PSBoundParameters['Domain']) { $DCSearcherArguments['Domain'] = $ComputerDomain }
                     if ($PSBoundParameters['ComputerDomain']) { $DCSearcherArguments['Domain'] = $ComputerDomain }
                     if ($PSBoundParameters['Server']) { $DCSearcherArguments['Server'] = $Server }
                     if ($PSBoundParameters['Credential']) { $DCSearcherArguments['Credential'] = $Credential }

Original file line number	Diff line number	Diff line change
`@@ -9828,12 +9828,12 @@ One or more strings representing file server names.`
`9828`	`9828`	`$SearcherArguments['Domain'] = $TargetDomain`
`9829`	`9829`	`$UserSearcher = Get-DomainSearcher @SearcherArguments`
`9830`	`9830`	`# get all results w/o the pipeline and uniquify them (I know it's not pretty)`
`9831`		`- Sort-Object -Unique -InputObject $(ForEach($UserResult in $UserSearcher.FindAll()) {if ($UserResult.Properties['homedirectory']) {Split-Path($UserResult.Properties['homedirectory'])}if ($UserResult.Properties['scriptpath']) {Split-Path($UserResult.Properties['scriptpath'])}if ($UserResult.Properties['profilepath']) {Split-Path($UserResult.Properties['profilepath'])}})`
	`9831`	`+ $(ForEach($UserResult in $UserSearcher.FindAll()) {if ($UserResult.Properties['homedirectory']) {Split-Path($UserResult.Properties['homedirectory'])}if ($UserResult.Properties['scriptpath']) {Split-Path($UserResult.Properties['scriptpath'])}if ($UserResult.Properties['profilepath']) {Split-Path($UserResult.Properties['profilepath'])}}) \| Sort-Object -Unique`
`9832`	`9832`	`}`
`9833`	`9833`	`}`
`9834`	`9834`	`else {`
`9835`	`9835`	`$UserSearcher = Get-DomainSearcher @SearcherArguments`
`9836`		`- Sort-Object -Unique -InputObject $(ForEach($UserResult in $UserSearcher.FindAll()) {if ($UserResult.Properties['homedirectory']) {Split-Path($UserResult.Properties['homedirectory'])}if ($UserResult.Properties['scriptpath']) {Split-Path($UserResult.Properties['scriptpath'])}if ($UserResult.Properties['profilepath']) {Split-Path($UserResult.Properties['profilepath'])}})`
	`9836`	`+ $(ForEach($UserResult in $UserSearcher.FindAll()) {if ($UserResult.Properties['homedirectory']) {Split-Path($UserResult.Properties['homedirectory'])}if ($UserResult.Properties['scriptpath']) {Split-Path($UserResult.Properties['scriptpath'])}if ($UserResult.Properties['profilepath']) {Split-Path($UserResult.Properties['profilepath'])}}) \| Sort-Object -Unique`
`9837`	`9837`	`}`
`9838`	`9838`	`}`
`9839`	`9839`	`}`
`@@ -14796,10 +14796,11 @@ PowerView.UserLocation`
`14796`	`14796`	`if ($PSBoundParameters['Tombstone']) { $UserSearcherArguments['Tombstone'] = $Tombstone }`
`14797`	`14797`	`if ($PSBoundParameters['Credential']) { $UserSearcherArguments['Credential'] = $Credential }`
`14798`	`14798`
	`14799`	`+ $TargetComputers = @()`
`14799`	`14800`
`14800`	`14801`	`# first, build the set of computers to enumerate`
`14801`	`14802`	`if ($PSBoundParameters['ComputerName']) {`
`14802`		`- $TargetComputers = $ComputerName`
	`14803`	`+ $TargetComputers = @($ComputerName)`
`14803`	`14804`	`}`
`14804`	`14805`	`else {`
`14805`	`14806`	`if ($PSBoundParameters['Stealth']) {`
`@@ -14809,6 +14810,7 @@ PowerView.UserLocation`
`14809`	`14810`	`if ($StealthSource -match 'File\|All') {`
`14810`	`14811`	`Write-Verbose '[Find-DomainUserLocation] Querying for file servers'`
`14811`	`14812`	`$FileServerSearcherArguments = @{}`
	`14813`	`+ if ($PSBoundParameters['Domain']) { $FileServerSearcherArguments['Domain'] = $ComputerDomain }`
`14812`	`14814`	`if ($PSBoundParameters['ComputerDomain']) { $FileServerSearcherArguments['Domain'] = $ComputerDomain }`
`14813`	`14815`	`if ($PSBoundParameters['ComputerSearchBase']) { $FileServerSearcherArguments['SearchBase'] = $ComputerSearchBase }`
`14814`	`14816`	`if ($PSBoundParameters['Server']) { $FileServerSearcherArguments['Server'] = $Server }`
`@@ -14831,6 +14833,7 @@ PowerView.UserLocation`
`14831`	`14833`	`$DCSearcherArguments = @{`
`14832`	`14834`	`'LDAP' = $True`
`14833`	`14835`	`}`
	`14836`	`+ if ($PSBoundParameters['Domain']) { $DCSearcherArguments['Domain'] = $ComputerDomain }`
`14834`	`14837`	`if ($PSBoundParameters['ComputerDomain']) { $DCSearcherArguments['Domain'] = $ComputerDomain }`
`14835`	`14838`	`if ($PSBoundParameters['Server']) { $DCSearcherArguments['Server'] = $Server }`
`14836`	`14839`	`if ($PSBoundParameters['Credential']) { $DCSearcherArguments['Credential'] = $Credential }`