-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathFind-PSRemotingLocalAdminAccess.ps1
88 lines (73 loc) · 2.74 KB
/
Find-PSRemotingLocalAdminAccess.ps1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
function Find-PSRemotingLocalAdminAccess
{
<#
.SYNOPSIS
Use this script to search for local admin access on machines in a domain or local network.
.DESCRIPTION
This function simply runs a PowerShell Remoting command against the sepcified list of computers. Since, by-default,
we need local administrative access on a computer to run WMI commands, a success for this fucntions
means local administrative access.
.PARAMETER ComputerFile
File containing list of target computers.
.PARAMETER StopOnSuccess
Stop on first success.
.EXAMPLE
Find-PSRemotingLocalAdminAccess -ComputerFile C:\test\computers.txt -Verbose
.LINK
https://github.com/samratashok/nishang
http://www.labofapenetrationtester.com/
#>
[CmdletBinding()] Param(
[Parameter (Mandatory=$False, Position = 0, ValueFromPipeline=$true)]
[String]
$ComputerName,
[Parameter (Mandatory=$False, Position = 1, ValueFromPipeline=$true)]
[String]
$ComputerFile,
[Parameter ()]
[Switch]
$StopOnSucess
)
$ErrorActionPreference = "SilentlyContinue"
#read word list (consider pipeline for performance)
if ($Computerfile)
{
$Computers = Get-Content $Computerfile
}
elseif ($ComputerName)
{
$Computers = $ComputerName
}
else
{
# Get a list of all the computers in the domain
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher.Filter = "(&(sAMAccountType=805306369))"
$Computers = $objSearcher.FindAll() | %{$_.properties.dnshostname}
}
#clear error listing
$Error.clear()
#run the test
Write-Verbose 'Trying to run a command parallely on provided computers list using PSRemoting .'
Invoke-Command -ScriptBlock {hostname} -ComputerName $Computers -ErrorAction SilentlyContinue
#put the first error into a variable (best practice)
$ourerror = $error[0]
# if there is no error, then we were successfull, else, was it a username or password error? if it wasn't username/password incorrect, something else is wrong so break the look
if ($ourerror -eq $null)
{
"The current user has Local Admin access on: $Computer"
if ($StopOnSucess)
{
break
}
}
elseif (-not $ourerror.Exception.Message.Contains("Access is denied."))
{
Write-Warning "Something went wrong. Check the settings, confirm hostname etc, $($ourerror.Exception.Message)"
}
else
{
Write-Debug "$($ourerror.Exception.Message)"
}
}