Added Get-NetOUTree.ps1

2024-11-21 18:11:37 +01:00 · 2018-12-18 20:33:10 +01:00 · 2018-12-18 20:33:10 +01:00 · 42f44fde77
commit 42f44fde77
parent 29fef3f035
2 changed files with 151 additions and 0 deletions
--- a/red-teaming/Get-NetOUTree.ps1
+++ b/red-teaming/Get-NetOUTree.ps1
@ -0,0 +1,121 @@
+#requires -version 2
+
+<#
+    Author: Mariusz B. (@mgeeky)
+    License: BSD 3-Clause
+    Required Dependencies: PowerView.ps1
+    Optional Dependencies: None
+#>
+
+function Get-NetOUTree 
+{
+<#
+	.SYNOPSIS
+
+	    Author: Mariusz B. (@mgeeky)
+    	License: BSD 3-Clause
+   	 	Required Dependencies: PowerView.ps1
+    	Optional Dependencies: None
+
+    	Prints out Organizational Units collected from Get-NetOU as a tree.
+
+	.DESCRIPTION
+
+		Collects OU lines returned from PowerView's Get-NetOU cmdlet,
+		and then prints that structure as a Organizational Units tree.
+
+	.PARAMETER OU
+
+		Parameter passed from pipelined PowerView's Get-NetOU cmdlet.
+		That cmdlet will return list of OUs in form of: "LDAP://OU=...,DC=local,DC=test".
+
+	.EXAMPLE
+
+		PS> Get-NetOU | Get-NetOUTree
+
+#>
+	[CmdletBinding()]
+	Param 
+	(
+		[Parameter(ValueFromPipeline = $True)]
+		$OU
+	)
+
+	begin
+	{
+		$OUlines = @()
+	}
+	
+	process
+	{
+		$OUlines += $OU
+	}
+
+	end 
+	{
+		$OUs = @{}
+		$NetOU = $OUlines
+
+		$NetOU = $NetOU | %{$_ -replace 'LDAP://','' }
+		$NetOU | ForEach-Object {
+			$ousplit = $_.ToString() -split ','
+			[array]::Reverse($ousplit)
+			$ousplit = $ousplit -join ','
+			$ousplit = $ousplit -replace "DC=\w+,", ""
+			$ousplit | ForEach-Object {
+				$str = $_
+				$currPath = ""
+
+				While($str -match '^OU=([\s-\w]+),?.*$') {
+					$thisOU = $matches[1]
+					#Write-Output "Processing: $str / $thisOU ($currPath)"
+
+					$hashRef = $null
+					$fullPath = @()
+					$fullPath += "`$OUs"
+					$currPath -split ',' | ForEach-Object {
+						If ($_) { 
+							$fullPath += "[`"$_`"]"
+						}
+					}
+					$hashPath = $fullPath -join ''
+					$cmd = "If (-not ($hashPath.ContainsKey(`"$thisOU`"))) {"
+					$cmd += $hashPath
+					$cmd += ".Add(`"$thisOU`", @{})"
+					$cmd += "}"
+					#Write-Output "Will IEX: $cmd"
+
+					$cmd | IEX
+
+					$str = $str -replace "OU=$thisOU", ""
+					$currPath += $thisOU + ","
+					If ($str.StartsWith(",")) {
+						$str = $str.Substring(1)
+					}
+				}
+			}
+		}
+
+		pretty $OUs 0
+	}
+}
+
+function pretty {
+	param(
+		[System.Collections.Hashtable]$hash,
+		[Int]$indent
+	)
+
+	$hash.Keys | % {
+		$k = $_
+		$v = $hash.Item($_)
+
+		$tabs = "   " * $indent
+		Write-Output "$tabs+ $k"
+
+		If ($v.GetType().Name -eq "Hashtable") {
+			$i = $indent + 1
+			pretty $v $i
+		} 
+	}
+}
--- a/red-teaming/README.md
+++ b/red-teaming/README.md
@ -137,6 +137,36 @@ C:\Users\IEUser\Desktop\files\video>python generateMSBuildPowershellXML.py Show-
 ------------------------------------------------------------------------------------                              
 ```

+- **`Get-NetOUTree.ps1`** - Collects OU lines returned from **PowerView's** `Get-NetOU` cmdlet, and then prints that structure as a _Organizational Units tree_.
+
+```
+PS E:\PowerSploit\Recon> Get-NetOU | Get-NetOUTree
+ CONTOSO
+   + SharedFolders
+   + Departments
+      + IT
+      + SALES
+      + LAWYERS
+      + CHIEFS
+      + AUDIT
+      + HR
+   + Software
+   + Computers
+      + Workstations
+      + Servers
+         + Data
+         + Infrastructure
+         + SOC
+   + Groups
+   + Users
+      + Partners
+      + Employees
+      + Admins
+ Domain Controllers
+ Microsoft Exchange Security Groups
+```
+
+
 - **`Invoke-Command-Cred-Example.ps1`** - Example of using PSRemoting with credentials passed directly from command line. ([gist](https://gist.github.com/mgeeky/de4ecf952ddce774d241b85cfbf97faf))

 - **`MacroDetectSandbox.vbs`** - Visual Basic script responsible for detecting Sandbox environments, as presented in modern Trojan Droppers implemented in Macros. ([gist](https://gist.github.com/mgeeky/61e4dfe305ab719e9874ca442779a91d))