-
-
Save EspressoCake/4910a11d4f678da9c46505fda58f582f to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ################################# | |
| # Author: @the_bit_diddler # | |
| # Date: January 10, 2021 # | |
| ################################# | |
| beacon_command_register("uac_flag_extract", "Extract values associated with userAccountControl properties found with LDAP.", "uac_flag_extract some_value"); | |
| alias uac_flag_extract { | |
| local('$returnedValue'); | |
| if (size(@_) != 2) { | |
| berror($1, "You must supply an argument to this."); | |
| return; | |
| } | |
| if ($2 !hasmatch '\d+') { | |
| berror($1, "You must supply only an integer here."); | |
| return; | |
| } | |
| $returnedValue = extractUACInteger($2); | |
| blog($1, $returnedValue . "\n"); | |
| } | |
| command help_userac { | |
| println(extractUACInteger($1)); | |
| } | |
| sub extractUACInteger { | |
| if (size(@_) != 1) { | |
| println("I need a number as an argument."); | |
| return; | |
| } | |
| local('$resultString'); | |
| $resultString = @(); | |
| if (($1 & 0x0001) == 1) { | |
| add($resultString, "SCRIPT"); | |
| } | |
| if (($1 & 0x0002) == 2) { | |
| add($resultString, "ACCOUNTDISPOSABLE"); | |
| } | |
| if (($1 & 0x0008) == 8) { | |
| add($resultString, "HOMEDIR_REQUIRED"); | |
| } | |
| if (($1 & 0x0010) == 16) { | |
| add($resultString, "LOCKOUT"); | |
| } | |
| if (($1 & 0x0020) == 32) { | |
| add($resultString, "PASSWD_NOTREQD"); | |
| } | |
| if (($1 & 0x0040) == 64) { | |
| add($resultString, "PASSWD_CANT_CHANGE"); | |
| } | |
| if (($1 & 0x0080) == 128) { | |
| add($resultString, "ENCRYPTED_TEXT_PWD_ALLOWED"); | |
| } | |
| if (($1 & 0x0100) == 256) { | |
| add($resultString, "TEMP_DUPLICATE_ACCOUNT"); | |
| } | |
| if (($1 & 0x0200) == 512) { | |
| add($resultString, "NORMAL_ACCOUNT"); | |
| } | |
| if (($1 & 0x0800) == 2048) { | |
| add($resultString, "INTERDOMAIN_TRUST_ACCOUNT"); | |
| } | |
| if (($1 & 0x1000) == 4096) { | |
| add($resultString, "WORKSTATION_TRUST_ACCOUNT"); | |
| } | |
| if (($1 & 0x2000) == 8192) { | |
| add($resultString, "SERVER_TRUST_ACCOUNT"); | |
| } | |
| if (($1 & 0x10000) == 65536) { | |
| add($resultString, "DONT_EXPIRE_PASSWORD"); | |
| } | |
| if (($1 & 0x20000) == 131072) { | |
| add($resultString, "MNS_LOGON_ACCOUNT"); | |
| } | |
| if (($1 & 0x40000) == 262144) { | |
| add($resultString, "SMARTCARD_REQUIRED"); | |
| } | |
| if (($1 & 0x80000) == 524288) { | |
| add($resultString, "TRUSTED_FOR_DELEGATION"); | |
| } | |
| if (($1 & 0x100000) == 1048576) { | |
| add($resultString, "NOT_DELEGATED"); | |
| } | |
| if (($1 & 0x200000) == 2097152) { | |
| add($resultString, "USE_DES_KEY_ONLY"); | |
| } | |
| if (($1 & 0x400000) == 4194304) { | |
| add($resultString, "DONT_REQ_PREAUTH"); | |
| } | |
| if (($1 & 0x800000) == 8388608) { | |
| add($resultString, "PASSWORD_EXPIRED"); | |
| } | |
| if (($1 & 0x1000000) == 16777216) { | |
| add($resultString, "TRUSTED_TO_AUTH_FOR_DELEGATION"); | |
| } | |
| if (($1 & 0x04000000) == 67108864) { | |
| add($resultString, "PARTIAL_SECRETS_ACCOUNT"); | |
| } | |
| return "UserAccountControl: " . join(", ", sorta($resultString)); | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment