I hereby claim:
- I am rvazarkar on github.
- I am cptjesus (https://keybase.io/cptjesus) on keybase.
- I have a public key whose fingerprint is 309B 57DD A097 7565 6792 5796 6A61 8F77 5207 56E5
To claim this, I am signing this object:
I hereby claim:
To claim this, I am signing this object:
#requires -version 2 | |
<# | |
PowerSploit File: PowerView.ps1 | |
Author: Will Schroeder (@harmj0y) | |
License: BSD 3-Clause | |
Required Dependencies: None | |
#> |
{ | |
"name": "Users with Foreign Domain Group Membership", | |
"queryList": [ | |
{ | |
"final": false, | |
"title": "Select source domain...", | |
"query": "MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": true, |
{ | |
"name": "Shortest Path from SPN User", | |
"queryList":[ | |
{ | |
"final": false, | |
"title":"Select a domain...", | |
"query":"MATCH (n:Domain) RETURN n.name ORDER BY n.name DESC" | |
}, | |
{ | |
"final": false, |
API Call | MSDN Link | Protocol | Port | RPC Interface UUID | Named Pipe | RPC Method | RPC MSDN Link | |
---|---|---|---|---|---|---|---|---|
NetSessionEnum | https://msdn.microsoft.com/en-us/library/windows/desktop/bb525382(v=vs.85).aspx | [MS-SRVS]: Server Service Remote Protocol | TCP 445 | 4B324FC8-1670-01D3-1278-5A47BF6EE188 | \PIPE\srvsvc | NetrSessionEnum | https://msdn.microsoft.com/en-us/library/cc247273.aspx | |
NetWkstaUserEnum | https://msdn.microsoft.com/en-us/library/windows/desktop/aa370669(v=vs.85).aspx | [MS-WKST]: Workstation Service Remote Protocol | TCP 445 | 6BFFD098-A112-3610-9833-46C3F87E345A | \PIPE\wkssvc | NetrWkstaUserEnum | https://msdn.microsoft.com/en-us/library/cc250349.aspx |
Collection Method | API Call | MSDN Link | Default Targets | Stealth Targets | |
---|---|---|---|---|---|
Session | NetSessionEnum | https://msdn.microsoft.com/en-us/library/windows/desktop/bb525382(v=vs.85).aspx | All Computers | Domain Controllers + 'Share Servers' | |
LocalGroup | Modified NetLocalGroupGetMembers | https://msdn.microsoft.com/en-us/library/windows/desktop/aa370601(v=vs.85).aspx | All Computers | GPO Files | |
Group | Ldap | N/A | All User, Group and Computer Objects | All User, Group and Computer Objects | |
Trusts | DsEnumerateDomainTrusts | https://msdn.microsoft.com/en-us/library/ms675976(v=vs.85).aspx | All Domain and TrustedDomain objects | All Domain and TrustedDomain objects | |
LoggedOn | Remote Registry + NetWkstaUserEnum | https://msdn.microsoft.com/en-us/library/windows/desktop/aa370669(v=vs.85).aspx | All Computers | Domain Controllers + 'Share Servers' | |
ACL | Ldap | N/A | All user, group, computer and domain objects | All user, group, computer and domain objects | |
ObjectProps | Ldap | N/A | All user and computer objects | All user and computer objects |
{ | |
"statements" : [ | |
{ | |
"statement" : "MERGE (n:Group {name:{props.name}})", | |
"parameters" : { | |
"props" : { | |
"name" : "DOMAIN ADMINS@TESTLAB.LOCAL" | |
} | |
} | |
} |
{ | |
"statements" : [ | |
{ | |
"statement" : "MERGE (n:User {name:'DOMAIN ADMINS@TESTLAB.LOCAL'})-[r:AdminTo]-(m:Computer {name:'PRIMARY.TESTLAB.LOCAL'})" | |
}, | |
{ | |
"statement" : "MERGE (n:User {name:'DOMAIN ADMINS@TESTLAB.LOCAL'})-[r:AdminTo]-(m:Computer {name:'SECONDARY.TESTLAB.LOCAL'})" | |
} | |
] | |
} |
internal bool DoPing(string hostname) | |
{ | |
try | |
{ | |
using (var client = new TcpClient()) | |
{ | |
var result = client.BeginConnect(hostname, 445, null, null); | |
var success = result.AsyncWaitHandle.WaitOne(_pingTimeout); | |
if (!success) | |
{ |
namespace Sharphound2
{
    /// <summary>
    /// Minimal reference holder for a single payload of type <typeparamref name="T"/>.
    /// </summary>
    /// <remarks>
    /// Per the original author's note, this exists to work around a memory-leak behaviour
    /// observed with BlockingCollection: the collection keeps a reference to the small
    /// wrapper, and once a consumer has taken the payload it sets <see cref="Item"/> to
    /// null so the (large) payload becomes collectable while the wrapper itself stays alive.
    /// The setter is therefore deliberately public and the holder deliberately mutable.
    /// </remarks>
    /// <typeparam name="T">Type of the wrapped payload.</typeparam>
    class Wrapper<T>
    {
        // Backing store; starts at default(T) exactly like an auto-property would.
        private T _item;

        /// <summary>
        /// The wrapped payload. Assign null (or default) after processing to release it.
        /// </summary>
        public T Item
        {
            get { return _item; }
            set { _item = value; }
        }
    }
}