Added Get-NetOUTree.ps1

This commit is contained in:
mb 2018-12-18 20:33:10 +01:00
parent 29fef3f035
commit 42f44fde77
2 changed files with 151 additions and 0 deletions

View File

@ -0,0 +1,121 @@
#requires -version 2
<#
Author: Mariusz B. (@mgeeky)
License: BSD 3-Clause
Required Dependencies: PowerView.ps1
Optional Dependencies: None
#>
function Get-NetOUTree
{
<#
.SYNOPSIS
Author: Mariusz B. (@mgeeky)
License: BSD 3-Clause
Required Dependencies: PowerView.ps1
Optional Dependencies: None
Prints out Organizational Units collected from Get-NetOU as a tree.
.DESCRIPTION
Collects OU lines returned from PowerView's Get-NetOU cmdlet,
and then prints that structure as a Organizational Units tree.
.PARAMETER OU
Parameter passed from pipelined PowerView's Get-NetOU cmdlet.
That cmdlet will return list of OUs in form of: "LDAP://OU=...,DC=local,DC=test".
.EXAMPLE
PS> Get-NetOU | Get-NetOUTree
#>
[CmdletBinding()]
Param
(
[Parameter(ValueFromPipeline = $True)]
$OU
)
begin
{
$OUlines = @()
}
process
{
$OUlines += $OU
}
end
{
$OUs = @{}
$NetOU = $OUlines
$NetOU = $NetOU | %{$_ -replace 'LDAP://','' }
$NetOU | ForEach-Object {
$ousplit = $_.ToString() -split ','
[array]::Reverse($ousplit)
$ousplit = $ousplit -join ','
$ousplit = $ousplit -replace "DC=\w+,", ""
$ousplit | ForEach-Object {
$str = $_
$currPath = ""
While($str -match '^OU=([\s-\w]+),?.*$') {
$thisOU = $matches[1]
#Write-Output "Processing: $str / $thisOU ($currPath)"
$hashRef = $null
$fullPath = @()
$fullPath += "`$OUs"
$currPath -split ',' | ForEach-Object {
If ($_) {
$fullPath += "[`"$_`"]"
}
}
$hashPath = $fullPath -join ''
$cmd = "If (-not ($hashPath.ContainsKey(`"$thisOU`"))) {"
$cmd += $hashPath
$cmd += ".Add(`"$thisOU`", @{})"
$cmd += "}"
#Write-Output "Will IEX: $cmd"
$cmd | IEX
$str = $str -replace "OU=$thisOU", ""
$currPath += $thisOU + ","
If ($str.StartsWith(",")) {
$str = $str.Substring(1)
}
}
}
}
pretty $OUs 0
}
}
function pretty {
param(
[System.Collections.Hashtable]$hash,
[Int]$indent
)
$hash.Keys | % {
$k = $_
$v = $hash.Item($_)
$tabs = " " * $indent
Write-Output "$tabs+ $k"
If ($v.GetType().Name -eq "Hashtable") {
$i = $indent + 1
pretty $v $i
}
}
}

View File

@ -137,6 +137,36 @@ C:\Users\IEUser\Desktop\files\video>python generateMSBuildPowershellXML.py Show-
------------------------------------------------------------------------------------
```
- **`Get-NetOUTree.ps1`** - Collects OU lines returned from **PowerView's** `Get-NetOU` cmdlet, and then prints that structure as a _Organizational Units tree_.
```
PS E:\PowerSploit\Recon> Get-NetOU | Get-NetOUTree
+ CONTOSO
+ SharedFolders
+ Departments
+ IT
+ SALES
+ LAWYERS
+ CHIEFS
+ AUDIT
+ HR
+ Software
+ Computers
+ Workstations
+ Servers
+ Data
+ Infrastructure
+ SOC
+ Groups
+ Users
+ Partners
+ Employees
+ Admins
+ Domain Controllers
+ Microsoft Exchange Security Groups
```
- **`Invoke-Command-Cred-Example.ps1`** - Example of using PSRemoting with credentials passed directly from command line. ([gist](https://gist.github.com/mgeeky/de4ecf952ddce774d241b85cfbf97faf))
- **`MacroDetectSandbox.vbs`** - Visual Basic script responsible for detecting Sandbox environments, as presented in modern Trojan Droppers implemented in Macros. ([gist](https://gist.github.com/mgeeky/61e4dfe305ab719e9874ca442779a91d))