
Commit 8afd4dc

committed
Removed Pass Spray
1 parent 8a3322d commit 8afd4dc


1 file changed

+2
-138
lines changed


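--- a/Invoke-ADEnum.ps1
+++ b/Invoke-ADEnum.ps1
@@ -314,8 +314,6 @@ function Invoke-ADEnum {
 -RBCD Check for Resource Based Constrained Delegation (may take a long time depending on domain size)
 
 -SaveToDisk Save collection data to disk (Location: c:\Users\Public\Documents\Invoke-ADEnum)
-
--SprayEmptyPasswords Sprays Empty Passwords - counts towards Bad-Pwd-Count
 
 -TargetsOnly Show Target Domains only (Stay in scope) - Will not create a Report
 
@@ -343,7 +341,7 @@ function Invoke-ADEnum {
 "
 Write-Host " [Recommended Coverage]" -ForegroundColor Yellow
 Write-Host "
-Invoke-ADEnum -SprayEmptyPasswords -FindLocalAdminAccess -RBCD -WeakPermissions -UserCreatedObjects -AllDescriptions
+Invoke-ADEnum -FindLocalAdminAccess -RBCD -UserCreatedObjects -GPOsRights -MoreGPOs -AllDescriptions
 
 "
 
@@ -3965,140 +3963,6 @@ Add-Type -TypeDefinition $code
 }
 }
 
-#################################################################################################
-########### Accounts with Empty Passwords ###############
-#################################################################################################
-
-if($SprayEmptyPasswords -OR $AllEnum){
-
-Write-Host ""
-Write-Host "User Accounts with empty passwords" -ForegroundColor Cyan
-
-$minDelay = 0
-$maxDelay = 200
-$delay = Get-Random -Minimum $minDelay -Maximum $maxDelay
-
-$TempTotalEmptyPass = foreach ($AllDomain in $AllDomains) {
-
-$PotentialUsersWithEmptyPassword = @($TotalEnabledUsers | Where-Object {$_.domain -eq $AllDomain} | Sort-Object samaccountname)
-$TotalPotentialEmptyPass = New-Object System.Collections.ArrayList
-$null = $TotalPotentialEmptyPass.AddRange($PotentialUsersWithEmptyPassword)
-
-Add-Type -AssemblyName "System.DirectoryServices.AccountManagement"
-$EmptyServer = $RIDRoleDCs | Where-Object {$matched = $false;foreach ($Extr in $ExtrDCs) {if ($_.dnshostname -eq "$Extr.$AllDomain") {$matched = $true;break}}$matched} | Select-Object -ExpandProperty dnshostname
-$principalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Domain, $EmptyServer, $AllDomain)
-
-foreach($EmptyPasswordUser in $TotalPotentialEmptyPass){
-
-$EmptyPasswordUserName = $EmptyPasswordUser.samaccountname
-
-$EmptyCheck = $principalContext.ValidateCredentials("$EmptyPasswordUserName", "", 1)
-
-if ($EmptyCheck){
-$EmptySIDUserName = GetSID-FromBytes -sidBytes $EmptyPasswordUser.objectSID
-[PSCustomObject]@{
-"User Name" = $EmptyPasswordUser.samaccountname
-"Enabled" = if ($EmptyPasswordUser.useraccountcontrol -band 2) { "False" } else { "True" }
-"Active" = if(!$EmptyPasswordUser.lastlogontimestamp){""} elseif ((Convert-LdapTimestamp -timestamp $EmptyPasswordUser.lastlogontimestamp) -ge $inactiveThreshold) { "True" } else { "False" }
-"Adm" = if(($TempBuiltInAdministrators | Where-Object {$_."Group Domain" -eq $AllDomain -AND $_."Member Name"})."Member Name" | Where-Object { $EmptyPasswordUser.samaccountname.Contains($_) }) { "YES" } else { "NO" }
-"DA" = if(($TempDomainAdmins | Where-Object {$_."Group Domain" -eq $AllDomain -AND $_."Member Name"})."Member Name" | Where-Object { $EmptyPasswordUser.samaccountname.Contains($_) }) { "YES" } else { "NO" }
-"EA" = if(($TempEnterpriseAdmins | Where-Object {$_."Group Domain" -eq $AllDomain -AND $_."Member Name"})."Member Name" | Where-Object { $EmptyPasswordUser.samaccountname.Contains($_) }) { "YES" } else { "NO" }
-"Last Logon" = if($EmptyPasswordUser.lastlogontimestamp){Convert-LdapTimestamp -timestamp $EmptyPasswordUser.lastlogontimestamp}else{""}
-"Pwd Last Set" = if($EmptyPasswordUser.pwdlastset){Convert-LdapTimestamp -timestamp $EmptyPasswordUser.pwdlastset}else{""}
-"SID" = $EmptySIDUserName
-"Domain" = $AllDomain
-}
-}
-}
-}
-
-if ($TempTotalEmptyPass) {
-if(!$NoOutput){$TempTotalEmptyPass | Sort-Object Domain,"User Name" | Format-Table -AutoSize -Wrap}
-$HTMLTotalEmptyPass = $TempTotalEmptyPass | Sort-Object Domain,"User Name" | ConvertTo-Html -Fragment -PreContent "<h2 data-linked-table='EmptyPasswordUsers'>User Accounts with empty passwords</h2>" | ForEach-Object { $_ -replace "<table>", "<table id='EmptyPasswordUsers'>" }
-
-$HTMLTotalEmptyPass = $HTMLTotalEmptyPass -replace '<td>YES</td>','<td class="YesStatus">YES</td>'
-
-$TotalEmptyPassTable = [PSCustomObject]@{
-"Risk Rating" = "High - Needs Immediate Attention"
-"Description" = "Empty passwords can be set when password policies allow it or the Password-not-required attribute is enabled. These accounts are extremely easy for an attacker to compromise."
-"Remediation" = "Enforce strong password policies and ensure that all user accounts have a secure and non-empty password."
-}
-
-$HTMLTotalEmptyPassTable = $TotalEmptyPassTable | ConvertTo-Html -As List -Fragment
-$HTMLTotalEmptyPassTable = "<div class='report-section' style='display:none;'>$HTMLTotalEmptyPassTable</div>"
-}
-
-}
-
-#################################################################################################
-########### Computer Accounts with Empty Passwords ###############
-#################################################################################################
-
-if($SprayEmptyPasswords -OR $AllEnum){
-
-Write-Host ""
-Write-Host "Computer Accounts with empty passwords" -ForegroundColor Cyan
-
-$minDelay = 0
-$maxDelay = 200
-$delay = Get-Random -Minimum $minDelay -Maximum $maxDelay
-
-$TempTotalCompEmptyPass = foreach ($AllDomain in $AllDomains) {
-
-$PotentialComputersWithEmptyPassword = @($TotalEnabledMachines | Where-Object {$_.domain -eq $AllDomain} | Sort-Object samaccountname)
-$TotalPotentialEmptyPass = New-Object System.Collections.ArrayList
-$null = $TotalPotentialEmptyPass.AddRange($PotentialComputersWithEmptyPassword)
-#$ResolveServer = $RIDRoleDCs | Where-Object {$matched = $false;foreach ($Extr in $ExtrDCs) {if ($_.dnshostname -eq "$Extr.$AllDomain") {$matched = $true;break}}$matched} | Select-Object -ExpandProperty dnshostname
-Add-Type -AssemblyName "System.DirectoryServices.AccountManagement"
-$EmptyServer = $RIDRoleDCs | Where-Object {$_.Domain -eq $AllDomain} | Select-Object -ExpandProperty Name
-$principalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Domain, $EmptyServer, $AllDomain)
-
-foreach($EmptyPasswordComp in $TotalPotentialEmptyPass){
-
-$EmptyPasswordCompName = $EmptyPasswordComp.samaccountname
-
-$EmptyCheck = $principalContext.ValidateCredentials("$EmptyPasswordCompName", "", 1)
-
-if ($EmptyCheck){
-if($EmptyPasswordComp.dnshostname){$IPAddress = (Resolve-DnsName -Name $EmptyPasswordComp.dnshostname -Type A).IPAddress}
-if($IPAddress.count -gt 1){$IPAddress = $IPAddress -join ", "}
-$EmptySIDCompName = GetSID-FromBytes -sidBytes $EmptyPasswordComp.objectSID
-
-[PSCustomObject]@{
-"Name" = $EmptyPasswordComp.samaccountname
-"Enabled" = if ($EmptyPasswordComp.useraccountcontrol -band 2) { "False" } else { "True" }
-"Active" = if(!$EmptyPasswordComp.lastlogontimestamp){""} elseif ((Convert-LdapTimestamp -timestamp $EmptyPasswordComp.lastlogontimestamp) -ge $inactiveThreshold) { "True" } else { "False" }
-"IP Address" = $IPAddress
-"Operating System" = $EmptyPasswordComp.operatingsystem
-"SID" = $EmptySIDCompName
-"Domain" = $AllDomain
-}
-
-$IPAddress = $null
-}
-
-}
-
-}
-
-if ($TempTotalCompEmptyPass) {
-if(!$NoOutput){$TempTotalCompEmptyPass | Sort-Object Domain,Name | Format-Table -AutoSize -Wrap}
-$HTMLCompTotalEmptyPass = $TempTotalCompEmptyPass | Sort-Object Domain,Name | ConvertTo-Html -Fragment -PreContent "<h2 data-linked-table='EmptyPasswordComp'>Computer Accounts with empty passwords</h2>" | ForEach-Object { $_ -replace "<table>", "<table id='EmptyPasswordComp'>" }
-
-$HTMLCompTotalEmptyPass = $HTMLCompTotalEmptyPass -replace '<td>YES</td>','<td class="YesStatus">YES</td>'
-
-$TotalCompEmptyPassTable = [PSCustomObject]@{
-"Risk Rating" = "High - Needs Immediate Attention"
-"Description" = "Empty passwords can be set when password policies allow it or the Password-not-required attribute is enabled. These accounts are extremely easy for an attacker to compromise."
-"Remediation" = "Enforce strong password policies and ensure that all computer accounts have a secure and non-empty password."
-}
-
-$HTMLCompTotalEmptyPassTable = $TotalCompEmptyPassTable | ConvertTo-Html -As List -Fragment
-$HTMLCompTotalEmptyPassTable = "<div class='report-section' style='display:none;'>$HTMLCompTotalEmptyPassTable</div>"
-}
-
-}
-
 ############################################
 ########### Pre-Windows 2000 ###############
 ############################################
@@ -7575,7 +7439,7 @@ Add-Type -TypeDefinition $efssource -Language CSharp
 if(!$HTMLCertPublishers -AND !$HTMLVulnCertTemplates -AND !$HTMLExchangeTrustedSubsystem -AND !$HTMLServiceAccounts -AND !$HTMLGMSAs -AND !$HTMLnopreauthset -AND !$HTMLGPPasswords -AND !$HTMLPasswordSetUsers -AND !$HTMLUnixPasswordSet -AND !$HTMLEmptyPasswordUsers -AND !$HTMLEmptyPasswordComputers -AND !$HTMLTotalEmptyPass -AND !$HTMLCompTotalEmptyPass -AND !$HTMLPreWin2kCompatibleAccess -AND !$HTMLWin7AndServer2008 -AND !$HTMLMachineAccountsPriv -AND !$HTMLsidHistoryUsers -AND !$HTMLRevEncUsers -AND !$HTMLUnsupportedHosts){$MisconfigurationsBanner = $null}
 if(!$HTMLFileServers -AND !$HTMLSQLServers -AND !$HTMLSCCMServers -AND !$HTMLWSUSServers -AND !$HTMLSMBSigningDisabled -AND !$HTMLWebDAVStatusResults -AND !$HTMLVNCUnauthAccess -AND !$HTMLPrinters -AND !$HTMLSPNAccounts -AND !$HTMLSharesResultsTable -AND !$HTMLHomeDirectories -AND !$HTMLEmptyGroups){$ExtendedChecksBanner = $null}
 
-$Report = ConvertTo-HTML -Body "$TopLevelBanner $HTMLEnvironmentTable $HTMLTargetDomain $HTMLAllForests $HTMLKrbtgtAccount $HTMLdc $HTMLParentandChildDomains $HTMLDomainSIDsTable $HTMLForestDomain $HTMLForestGlobalCatalog $HTMLGetDomainTrust $HTMLTrustAccounts $HTMLTrustedDomainObjectGUIDs $HTMLGetDomainForeignGroupMember $AnalysisBanner $HTMLDomainPolicy $HTMLOtherPolicies $HTMLKerberosPolicy $HTMLUserAccountAnalysis $HTMLUserAccountAnalysisTable $HTMLComputerAccountAnalysis $HTMLComputerAccountAnalysisTable $HTMLOperatingSystemsAnalysis $HTMLLLMNR $HTMLMachineQuota $HTMLMachineAccountQuotaTable $HTMLLMCompatibilityLevel $HTMLLMCompatibilityLevelTable $HTMLVulnLMCompLevelComp $HTMLSubnets $AdministratorsBanner $HTMLBuiltInAdministrators $HTMLEnterpriseAdmins $HTMLDomainAdmins $HTMLReplicationUsers $HTMLDCsyncPrincipalsTable $HTMLAdminsProtectedUsersAndSensitive $HTMLAdminsProtectedUsersAndSensitiveTable $HTMLSecurityProtectedUsersAndSensitive $HTMLSecurityProtectedUsersAndSensitiveTable $HTMLAdmCountProtectedUsersAndSensitive $HTMLAdmCountProtectedUsersAndSensitiveTable $HTMLGroupsAdminCount $HTMLAdminCountGroupsTable $HTMLFindLocalAdminAccess $MisconfigurationsBanner $HTMLCertPublishers $HTMLADCSEndpointsTable $HTMLVulnCertTemplates $HTMLCertTemplatesTable $HTMLExchangeTrustedSubsystem $HTMLServiceAccounts $HTMLServiceAccountsTable $HTMLGMSAs $HTMLGMSAServiceAccountsTable $HTMLnopreauthset $HTMLNoPreauthenticationTable $HTMLGPPasswords $HTMLGPPasswordsTable $HTMLPasswordSetUsers $HTMLUserPasswordsSetTable $HTMLUnixPasswordSet $HTMLUnixPasswordSetTable $HTMLEmptyPasswordUsers $HTMLEmptyPasswordsTable $HTMLEmptyPasswordComputers $HTMLEmptyPasswordComputersTable $HTMLTotalEmptyPass $HTMLTotalEmptyPassTable $HTMLCompTotalEmptyPass $HTMLCompTotalEmptyPassTable $HTMLPreWin2kCompatibleAccess $HTMLPreWindows2000Table $HTMLWin7AndServer2008 $HTMLMachineAccountsPriv $HTMLMachineAccountsPrivilegedGroupsTable $HTMLsidHistoryUsers $HTMLSDIHistorysetTable $HTMLRevEncUsers $HTMLReversibleEncryptionTable $HTMLUnsupportedHosts $HTMLUnsupportedOSTable $ExtendedChecksBanner $HTMLFileServers $HTMLSQLServers $HTMLSCCMServers $HTMLWSUSServers $HTMLSMBSigningDisabled $HTMLWebDAVStatusResults $HTMLVNCUnauthAccess $HTMLPrinters $HTMLSPNAccounts $HTMLSharesResultsTable $HTMLHomeDirectories $HTMLEmptyGroups $GroupPolicyChecksBanner $HTMLGPOCreators $HTMLGPOsWhocanmodify $HTMLGpoLinkResults $HTMLLAPSGPOs $HTMLLAPSCanRead $HTMLLAPSExtended $HTMLLapsEnabledComputers $HTMLAppLockerGPOs $HTMLGPOLocalGroupsMembership $DelegationChecksBanner $HTMLUnconstrained $HTMLUnconstrainedTable $HTMLConstrainedDelegationComputers $HTMLConstrainedDelegationComputersTable $HTMLConstrainedDelegationUsers $HTMLConstrainedDelegationUsersTable $HTMLRBACDObjects $HTMLRBCDTable $HTMLAccessAllowedComputers $HTMLAccessAllowedComputersTable $HTMLWeakPermissionsObjects $HTMLWeakPermissionsTable $HTMLADComputersCreated $HTMLADComputersCreatedTable $SecurityGroupsBanner $HTMLAccountOperators $HTMLBackupOperators $HTMLCertPublishersGroup $HTMLDCOMUsers $HTMLDNSAdmins $HTMLEnterpriseKeyAdmins $HTMLEnterpriseRODCs $HTMLGPCreatorOwners $HTMLKeyAdmins $HTMLOrganizationManagement $HTMLPerformanceLogUsers $HTMLPrintOperators $HTMLProtectedUsers $HTMLRODCs $HTMLRDPUsers $HTMLRemManUsers $HTMLSchemaAdmins $HTMLServerOperators $InterestingDataBanner $HTMLInterestingServersEnabled $HTMLKeywordDomainGPOs $HTMLGroupsByKeyword $HTMLDomainOUsByKeyword $DomainObjectsInsightsBanner $HTMLServersEnabled $HTMLServersDisabled $HTMLWorkstationsEnabled $HTMLWorkstationsDisabled $HTMLEnabledUsers $HTMLDisabledUsers $HTMLOtherGroups $HTMLDomainGPOs $HTMLAllDomainOUs $HTMLAllDescriptions" -Title "Active Directory Audit" -Head $header
+$Report = ConvertTo-HTML -Body "$TopLevelBanner $HTMLEnvironmentTable $HTMLTargetDomain $HTMLAllForests $HTMLKrbtgtAccount $HTMLdc $HTMLParentandChildDomains $HTMLDomainSIDsTable $HTMLForestDomain $HTMLForestGlobalCatalog $HTMLGetDomainTrust $HTMLTrustAccounts $HTMLTrustedDomainObjectGUIDs $HTMLGetDomainForeignGroupMember $AnalysisBanner $HTMLDomainPolicy $HTMLOtherPolicies $HTMLKerberosPolicy $HTMLUserAccountAnalysis $HTMLUserAccountAnalysisTable $HTMLComputerAccountAnalysis $HTMLComputerAccountAnalysisTable $HTMLOperatingSystemsAnalysis $HTMLLLMNR $HTMLMachineQuota $HTMLMachineAccountQuotaTable $HTMLLMCompatibilityLevel $HTMLLMCompatibilityLevelTable $HTMLVulnLMCompLevelComp $HTMLSubnets $AdministratorsBanner $HTMLBuiltInAdministrators $HTMLEnterpriseAdmins $HTMLDomainAdmins $HTMLReplicationUsers $HTMLDCsyncPrincipalsTable $HTMLAdminsProtectedUsersAndSensitive $HTMLAdminsProtectedUsersAndSensitiveTable $HTMLSecurityProtectedUsersAndSensitive $HTMLSecurityProtectedUsersAndSensitiveTable $HTMLAdmCountProtectedUsersAndSensitive $HTMLAdmCountProtectedUsersAndSensitiveTable $HTMLGroupsAdminCount $HTMLAdminCountGroupsTable $HTMLFindLocalAdminAccess $MisconfigurationsBanner $HTMLCertPublishers $HTMLADCSEndpointsTable $HTMLVulnCertTemplates $HTMLCertTemplatesTable $HTMLExchangeTrustedSubsystem $HTMLServiceAccounts $HTMLServiceAccountsTable $HTMLGMSAs $HTMLGMSAServiceAccountsTable $HTMLnopreauthset $HTMLNoPreauthenticationTable $HTMLGPPasswords $HTMLGPPasswordsTable $HTMLPasswordSetUsers $HTMLUserPasswordsSetTable $HTMLUnixPasswordSet $HTMLUnixPasswordSetTable $HTMLEmptyPasswordUsers $HTMLEmptyPasswordsTable $HTMLEmptyPasswordComputers $HTMLEmptyPasswordComputersTable $HTMLPreWin2kCompatibleAccess $HTMLPreWindows2000Table $HTMLWin7AndServer2008 $HTMLMachineAccountsPriv $HTMLMachineAccountsPrivilegedGroupsTable $HTMLsidHistoryUsers $HTMLSDIHistorysetTable $HTMLRevEncUsers $HTMLReversibleEncryptionTable $HTMLUnsupportedHosts $HTMLUnsupportedOSTable $ExtendedChecksBanner $HTMLFileServers $HTMLSQLServers $HTMLSCCMServers $HTMLWSUSServers $HTMLSMBSigningDisabled $HTMLWebDAVStatusResults $HTMLVNCUnauthAccess $HTMLPrinters $HTMLSPNAccounts $HTMLSharesResultsTable $HTMLHomeDirectories $HTMLEmptyGroups $GroupPolicyChecksBanner $HTMLGPOCreators $HTMLGPOsWhocanmodify $HTMLGpoLinkResults $HTMLLAPSGPOs $HTMLLAPSCanRead $HTMLLAPSExtended $HTMLLapsEnabledComputers $HTMLAppLockerGPOs $HTMLGPOLocalGroupsMembership $DelegationChecksBanner $HTMLUnconstrained $HTMLUnconstrainedTable $HTMLConstrainedDelegationComputers $HTMLConstrainedDelegationComputersTable $HTMLConstrainedDelegationUsers $HTMLConstrainedDelegationUsersTable $HTMLRBACDObjects $HTMLRBCDTable $HTMLAccessAllowedComputers $HTMLAccessAllowedComputersTable $HTMLWeakPermissionsObjects $HTMLWeakPermissionsTable $HTMLADComputersCreated $HTMLADComputersCreatedTable $SecurityGroupsBanner $HTMLAccountOperators $HTMLBackupOperators $HTMLCertPublishersGroup $HTMLDCOMUsers $HTMLDNSAdmins $HTMLEnterpriseKeyAdmins $HTMLEnterpriseRODCs $HTMLGPCreatorOwners $HTMLKeyAdmins $HTMLOrganizationManagement $HTMLPerformanceLogUsers $HTMLPrintOperators $HTMLProtectedUsers $HTMLRODCs $HTMLRDPUsers $HTMLRemManUsers $HTMLSchemaAdmins $HTMLServerOperators $InterestingDataBanner $HTMLInterestingServersEnabled $HTMLKeywordDomainGPOs $HTMLGroupsByKeyword $HTMLDomainOUsByKeyword $DomainObjectsInsightsBanner $HTMLServersEnabled $HTMLServersDisabled $HTMLWorkstationsEnabled $HTMLWorkstationsDisabled $HTMLEnabledUsers $HTMLDisabledUsers $HTMLOtherGroups $HTMLDomainGPOs $HTMLAllDomainOUs $HTMLAllDescriptions" -Title "Active Directory Audit" -Head $header
 
 if($Output){
 $Output = $Output.TrimEnd('\')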
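Review bot: The `$MisconfigurationsBanner` guard on the first context line of the last hunk still tests `!$HTMLTotalEmptyPass -AND !$HTMLCompTotalEmptyPass`, but the only assignments to those two variables visible anywhere were inside the spray blocks this commit deletes, so the guard now reads variables nothing sets; drop ` -AND !$HTMLTotalEmptyPass -AND !$HTMLCompTotalEmptyPass` from that condition so it matches the `-Body` list on the added line (and so the stale references cannot throw if the script is ever run under `Set-StrictMode`). If `[switch]$SprayEmptyPasswords` is still declared in the param block, which is outside these hunks, it should go as well, since the help text no longer lists it and no code consumes it. The deleted blocks also ran on `$AllEnum`, and each `ValidateCredentials(..., "", 1)` call was a real logon attempt per enabled user and machine account, so a short comment where the sections used to sit, such as `# Online empty-password spraying removed: each probe counts against badPwdCount and can lock accounts; rely on the attribute-based EmptyPasswordUsers/EmptyPasswordComputers checks instead`, would preserve the rationale for the next maintainer, and the `-AllEnum` help text should say it no longer performs that check. The enclosing `Invoke-ADEnum` function starts and ends outside these hunks.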
