@neKuehn
neKuehn / Audit-CriticalADGroups.ps1
Created September 9, 2021 02:26
Finds the members of the common Privileged Active Directory groups (adminCount = 1), the members of those groups, and if those accounts suffer from common security concerns.
View Audit-CriticalADGroups.ps1
#//////Functions
FUNCTION Get-AdminGroupMembers($Group, $DomainName){
$Mems = Get-ADGroupMember -Identity $Group -Server $DomainName -Recursive
Foreach ($mem in $Mems){
if ($mem.objectClass -eq "user"){
$adobj = $mem | Get-ADUser -Properties AllowReversiblePasswordEncryption,DoesNotRequirePreAuth,mail,MemberOf,PasswordNotRequired,SamAccountName,ServicePrincipalNames,canonicalName
$act = ($adobj.canonicalName.split("."))[0] + "\" + $adobj.SamAccountName
} elseif ($mem.objectClass -eq "computer"){
@neKuehn
neKuehn / Audit-ADwriters.ps1
Created September 9, 2021 02:20
Finds all OUs in a Forest and lists groups and users that have some level of privileged access assigned to those OUs
View Audit-ADwriters.ps1
#//////Functions
Function Get-OUacl ($ACLlist){
$MyOUAclArray = New-Object System.Collections.ArrayList
Foreach ($ACL in $ACLlist){
$ACLobjectType = if($ACL.ObjectType -eq '00000000-0000-0000-0000-000000000000'){
"All"
}ELSE{
$RawGUID = ([guid]$ACL.ObjectType).ToByteArray()
(Get-ADObject -Searchbase (Get-ADRootDSE).schemaNamingContext -Filter {schemaIDGUID -eq $RawGuid}).Name
@neKuehn
neKuehn / Clean-DCshadow.ps1
Created March 29, 2019 17:23
Removes the SPNs created when using the DC Shadow functionality of mimikatz
View Clean-DCshadow.ps1
#Requires -RunAsAdministrator
#search for accounts that have the sync SPN that aren't a Domain Controller
$shadowcomps = Get-ADObject -LDAPFilter '(&(ServicePrincipalName=E3514235-4B06-11D1-AB04-00C04FC2DCD2/*)(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))' -Properties ServicePrincipalName
foreach ($scomp in $shadowcomps){
$sSpns = $scomp.ServicePrincipalName | where {$_ -like "E3514235-4B06-11D1-AB04-00C04FC2DCD2/*"}
foreach ($sSpn in $sSpns){
@neKuehn
neKuehn / RootChromebookAndroid.sh
Created February 27, 2019 20:29
#This script was modified from the one created by Nolirium to create the new image file but not include the extra utilities (https://nolirium.blogspot.com/2016/12/android-on-chrome-os-rooting-shell.html)
View RootChromebookAndroid.sh
#!/bin/sh
#This script was modified from the one created by Nolirium to create the new image file but not include the extra utilities
#https://nolirium.blogspot.com/2016/12/android-on-chrome-os-rooting-shell.html
# Main functions:
check_if_root() {
if [ $(id -u) != 0 ]; then
@neKuehn
neKuehn / FindOUpermissions.ps1
Last active November 2, 2022 16:47
A different PowerShell script that finds permissions assigned to OUs. This one must be run from a Windows system joined to the domain to be queried.
View FindOUpermissions.ps1
<#
.SYNOPSIS
FindOuPermissions is a Windows PowerShell script that finds all of the different OUs in a domain,
determines the permissions assigned to different users and groups, and reports back which are different
from their parent; including what those permissions are.
This script does require that the device be joined to the domain being queried and RSAT is installed.
Author: Eric Kuehn
@neKuehn
neKuehn / Invoke-FindOUpermissions.ps1
Last active November 2, 2022 16:50
PowerShell Script to be used to find permissions assigned to Active Directory OUs.
View Invoke-FindOUpermissions.ps1
$MysIDArray = New-Object System.Collections.ArrayList
FUNCTION Invoke-FindOuPermissions{
<#
.SYNOPSIS
Invoke-FindOuPermissions is a Windows PowerShell script that finds all of the different OUs in a domain, determines the permissions assigned to different users and groups, and reports back which are different from their parent; including what those permissions are. This script does require the Active Directory Modules.
Author: Eric Kuehn
.DESCRIPTION
This script is designed to help during the Mapping phase of a penetration test. It does require a valid set of credentials from the Active Directory Domain being searched. Once it connects, it goes through the following process: