diff --git a/red-teaming/Get-NetOUTree.ps1 b/red-teaming/Get-NetOUTree.ps1 new file mode 100644 index 0000000..12ecb46 --- /dev/null +++ b/red-teaming/Get-NetOUTree.ps1 @@ -0,0 +1,121 @@ +#requires -version 2 + +<# + Author: Mariusz B. (@mgeeky) + License: BSD 3-Clause + Required Dependencies: PowerView.ps1 + Optional Dependencies: None +#> + +function Get-NetOUTree +{ +<# + .SYNOPSIS + + Author: Mariusz B. (@mgeeky) + License: BSD 3-Clause + Required Dependencies: PowerView.ps1 + Optional Dependencies: None + + Prints out Organizational Units collected from Get-NetOU as a tree. + + .DESCRIPTION + + Collects OU lines returned from PowerView's Get-NetOU cmdlet, + and then prints that structure as a Organizational Units tree. + + .PARAMETER OU + + Parameter passed from pipelined PowerView's Get-NetOU cmdlet. + That cmdlet will return list of OUs in form of: "LDAP://OU=...,DC=local,DC=test". + + .EXAMPLE + + PS> Get-NetOU | Get-NetOUTree + +#> + [CmdletBinding()] + Param + ( + [Parameter(ValueFromPipeline = $True)] + $OU + ) + + begin + { + $OUlines = @() + } + + process + { + $OUlines += $OU + } + + end + { + $OUs = @{} + $NetOU = $OUlines + + $NetOU = $NetOU | %{$_ -replace 'LDAP://','' } + $NetOU | ForEach-Object { + $ousplit = $_.ToString() -split ',' + [array]::Reverse($ousplit) + $ousplit = $ousplit -join ',' + $ousplit = $ousplit -replace "DC=\w+,", "" + $ousplit | ForEach-Object { + $str = $_ + $currPath = "" + + While($str -match '^OU=([\s-\w]+),?.*$') { + $thisOU = $matches[1] + #Write-Output "Processing: $str / $thisOU ($currPath)" + + $hashRef = $null + $fullPath = @() + $fullPath += "`$OUs" + $currPath -split ',' | ForEach-Object { + If ($_) { + $fullPath += "[`"$_`"]" + } + } + $hashPath = $fullPath -join '' + $cmd = "If (-not ($hashPath.ContainsKey(`"$thisOU`"))) {" + $cmd += $hashPath + $cmd += ".Add(`"$thisOU`", @{})" + $cmd += "}" + #Write-Output "Will IEX: $cmd" + + $cmd | IEX + + $str = $str -replace "OU=$thisOU", "" + $currPath += $thisOU + "," + If ($str.StartsWith(",")) { + $str = $str.Substring(1) + } + } + } + } + + pretty $OUs 0 + } +} + +function pretty { + param( + [System.Collections.Hashtable]$hash, + [Int]$indent + ) + + $hash.Keys | % { + $k = $_ + $v = $hash.Item($_) + + $tabs = " " * $indent + Write-Output "$tabs+ $k" + + If ($v.GetType().Name -eq "Hashtable") { + $i = $indent + 1 + pretty $v $i + } + } +} diff --git a/red-teaming/README.md b/red-teaming/README.md index 56954a2..e0dd349 100644 --- a/red-teaming/README.md +++ b/red-teaming/README.md @@ -137,6 +137,36 @@ C:\Users\IEUser\Desktop\files\video>python generateMSBuildPowershellXML.py Show- ------------------------------------------------------------------------------------ ``` +- **`Get-NetOUTree.ps1`** - Collects OU lines returned from **PowerView's** `Get-NetOU` cmdlet, and then prints that structure as a _Organizational Units tree_. + +``` +PS E:\PowerSploit\Recon> Get-NetOU | Get-NetOUTree ++ CONTOSO + + SharedFolders + + Departments + + IT + + SALES + + LAWYERS + + CHIEFS + + AUDIT + + HR + + Software + + Computers + + Workstations + + Servers + + Data + + Infrastructure + + SOC + + Groups + + Users + + Partners + + Employees + + Admins ++ Domain Controllers ++ Microsoft Exchange Security Groups +``` + + - **`Invoke-Command-Cred-Example.ps1`** - Example of using PSRemoting with credentials passed directly from command line. ([gist](https://gist.github.com/mgeeky/de4ecf952ddce774d241b85cfbf97faf)) - **`MacroDetectSandbox.vbs`** - Visual Basic script responsible for detecting Sandbox environments, as presented in modern Trojan Droppers implemented in Macros. ([gist](https://gist.github.com/mgeeky/61e4dfe305ab719e9874ca442779a91d))