
Commit 5690b09

Get-NetDomain is no longer called if -ComputerName or -ComputerFile is passed to the meta functions, in order to prevent failure when running on a non-domain-joined machine
took out FQDN Pester tests from Recon.tests.ps1 that used $env:userdnsdomain
1 parent e2993b6 commit 5690b09

2 files changed

Lines changed: 173 additions & 228 deletions


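--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
@@ -7914,32 +7914,33 @@ function Invoke-UserHunter {
 
 Write-Verbose "[*] Running Invoke-UserHunter with delay of $Delay"
 
-if($Domain) {
-$TargetDomains = @($Domain)
-}
-elseif($SearchForest) {
-# get ALL the domains in the forest to search
-$TargetDomains = Get-NetForestDomain | ForEach-Object { $_.Name }
-}
-else {
-# use the local domain
-$TargetDomains = @( (Get-NetDomain).name )
-}
-
 #####################################################
 #
 # First we build the host target set
 #
 #####################################################
 
+if($ComputerFile) {
+# if we're using a host list, read the targets in and add them to the target list
+$ComputerName = Get-Content -Path $ComputerFile
+}
+
 if(!$ComputerName) {
 [Array]$ComputerName = @()
-
-if($ComputerFile) {
-# if we're using a host list, read the targets in and add them to the target list
-$ComputerName = Get-Content -Path $ComputerFile
+
+if($Domain) {
+$TargetDomains = @($Domain)
+}
+elseif($SearchForest) {
+# get ALL the domains in the forest to search
+$TargetDomains = Get-NetForestDomain | ForEach-Object { $_.Name }
 }
-elseif($Stealth) {
+else {
+# use the local domain
+$TargetDomains = @( (Get-NetDomain).name )
+}
+
+if($Stealth) {
 Write-Verbose "Stealth mode! Enumerating commonly used servers"
 Write-Verbose "Stealth source: $StealthSource"
 
@@ -8020,15 +8021,25 @@ function Invoke-UserHunter {
 elseif($UserName) {
 Write-Verbose "[*] Using target user '$UserName'..."
 $User = New-Object PSObject
-$User | Add-Member Noteproperty 'MemberDomain' $TargetDomains[0]
+if($TargetDomains) {
+$User | Add-Member Noteproperty 'MemberDomain' $TargetDomains[0]
+}
+else {
+$User | Add-Member Noteproperty 'MemberDomain' $Null
+}
 $User | Add-Member Noteproperty 'MemberName' $UserName.ToLower()
 $TargetUsers = @($User)
 }
 # read in a target user list if we have one
 elseif($UserFile) {
 $TargetUsers = Get-Content -Path $UserFile | ForEach-Object {
 $User = New-Object PSObject
-$User | Add-Member Noteproperty 'MemberDomain' $TargetDomains[0]
+if($TargetDomains) {
+$User | Add-Member Noteproperty 'MemberDomain' $TargetDomains[0]
+}
+else {
+$User | Add-Member Noteproperty 'MemberDomain' $Null
+}
 $User | Add-Member Noteproperty 'MemberName' $_
 $User
 } | Where-Object {$_}
@@ -8507,37 +8518,37 @@ function Invoke-ProcessHunter {
 
 Write-Verbose "[*] Running Invoke-ProcessHunter with delay of $Delay"
 
-if($Domain) {
-$TargetDomains = @($Domain)
-}
-elseif($SearchForest) {
-# get ALL the domains in the forest to search
-$TargetDomains = Get-NetForestDomain | ForEach-Object { $_.Name }
-}
-else {
-# use the local domain
-$TargetDomains = @( (Get-NetDomain).name )
-}
-
 #####################################################
 #
 # First we build the host target set
 #
 #####################################################
 
+# if we're using a host list, read the targets in and add them to the target list
+if($ComputerFile) {
+$ComputerName = Get-Content -Path $ComputerFile
+}
+
 if(!$ComputerName) {
-# if we're using a host list, read the targets in and add them to the target list
-if($ComputerFile) {
-$ComputerName = Get-Content -Path $ComputerFile
+[array]$ComputerName = @()
+
+if($Domain) {
+$TargetDomains = @($Domain)
+}
+elseif($SearchForest) {
+# get ALL the domains in the forest to search
+$TargetDomains = Get-NetForestDomain | ForEach-Object { $_.Name }
 }
 else {
-[array]$ComputerName = @()
-ForEach ($Domain in $TargetDomains) {
-Write-Verbose "[*] Querying domain $Domain for hosts"
-$ComputerName += Get-NetComputer -Domain $Domain -DomainController $DomainController -Filter $ComputerFilter -ADSpath $ComputerADSpath
-}
+# use the local domain
+$TargetDomains = @( (Get-NetDomain).name )
 }
 
+ForEach ($Domain in $TargetDomains) {
+Write-Verbose "[*] Querying domain $Domain for hosts"
+$ComputerName += Get-NetComputer -Domain $Domain -DomainController $DomainController -Filter $ComputerFilter -ADSpath $ComputerADSpath
+}
+
 # remove any null target hosts, uniquify the list and shuffle it
 $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random }
 if($($ComputerName.Count) -eq 0) {
@@ -9178,7 +9189,13 @@ function Invoke-ShareFinder {
 $ExcludedShares = @('', "ADMIN$", "IPC$", "C$", "PRINT$")
 }
 
+# if we're using a host file list, read the targets in and add them to the target list
+if($ComputerFile) {
+$ComputerName = Get-Content -Path $ComputerFile
+}
+
 if(!$ComputerName) {
+[array]$ComputerName = @()
 
 if($Domain) {
 $TargetDomains = @($Domain)
@@ -9191,19 +9208,12 @@ function Invoke-ShareFinder {
 # use the local domain
 $TargetDomains = @( (Get-NetDomain).name )
 }
-
-# if we're using a host file list, read the targets in and add them to the target list
-if($ComputerFile) {
-$ComputerName = Get-Content -Path $ComputerFile
-}
-else {
-[array]$ComputerName = @()
-ForEach ($Domain in $TargetDomains) {
-Write-Verbose "[*] Querying domain $Domain for hosts"
-$ComputerName += Get-NetComputer -Domain $Domain -DomainController $DomainController -Filter $ComputerFilter -ADSpath $ComputerADSpath
-}
+
+ForEach ($Domain in $TargetDomains) {
+Write-Verbose "[*] Querying domain $Domain for hosts"
+$ComputerName += Get-NetComputer -Domain $Domain -DomainController $DomainController -Filter $ComputerFilter -ADSpath $ComputerADSpath
 }
-
+
 # remove any null target hosts, uniquify the list and shuffle it
 $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random }
 if($($ComputerName.count) -eq 0) {
@@ -9621,18 +9631,6 @@ function Invoke-FileFinder {
 }
 }
 
-if($Domain) {
-$TargetDomains = @($Domain)
-}
-elseif($SearchForest) {
-# get ALL the domains in the forest to search
-$TargetDomains = Get-NetForestDomain | ForEach-Object { $_.Name }
-}
-else {
-# use the local domain
-$TargetDomains = @( (Get-NetDomain).name )
-}
-
 # if we're hard-passed a set of shares
 if($ShareList) {
 ForEach ($Item in Get-Content -Path $ShareList) {
@@ -9643,34 +9641,51 @@ function Invoke-FileFinder {
 }
 }
 }
-if($SearchSYSVOL) {
-ForEach ($Domain in $TargetDomains) {
-$DCSearchPath = "\\$Domain\SYSVOL\"
-Write-Verbose "[*] Adding share search path $DCSearchPath"
-$Shares += $DCSearchPath
-}
-if(!$Terms) {
-# search for interesting scripts on SYSVOL
-$Terms = @('.vbs', '.bat', '.ps1')
-}
-}
 else {
-# if we're using a host list, read the targets in and add them to the target list
+# if we're using a host file list, read the targets in and add them to the target list
 if($ComputerFile) {
 $ComputerName = Get-Content -Path $ComputerFile
 }
-else {
-[array]$ComputerName = @()
-ForEach ($Domain in $TargetDomains) {
-Write-Verbose "[*] Querying domain $Domain for hosts"
-$ComputerName += Get-NetComputer -Filter $ComputerFilter -ADSpath $ComputerADSpath -Domain $Domain -DomainController $DomainController
+
+if(!$ComputerName) {
+
+if($Domain) {
+$TargetDomains = @($Domain)
+}
+elseif($SearchForest) {
+# get ALL the domains in the forest to search
+$TargetDomains = Get-NetForestDomain | ForEach-Object { $_.Name }
+}
+else {
+# use the local domain
+$TargetDomains = @( (Get-NetDomain).name )
 }
-}
 
-# remove any null target hosts, uniquify the list and shuffle it
-$ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random }
-if($($ComputerName.Count) -eq 0) {
-throw "No hosts found!"
+if($SearchSYSVOL) {
+ForEach ($Domain in $TargetDomains) {
+$DCSearchPath = "\\$Domain\SYSVOL\"
+Write-Verbose "[*] Adding share search path $DCSearchPath"
+$Shares += $DCSearchPath
+}
+if(!$Terms) {
+# search for interesting scripts on SYSVOL
+$Terms = @('.vbs', '.bat', '.ps1')
+}
+}
+else {
+[array]$ComputerName = @()
+
+ForEach ($Domain in $TargetDomains) {
+Write-Verbose "[*] Querying domain $Domain for hosts"
+$ComputerName += Get-NetComputer -Filter $ComputerFilter -ADSpath $ComputerADSpath -Domain $Domain -DomainController $DomainController
+}
+
+# remove any null target hosts, uniquify the list and shuffle it
+$ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random }
+if($($ComputerName.Count) -eq 0) {
+throw "No hosts found!"
+}
+}
 }
 }
 
@@ -9953,8 +9968,15 @@ function Find-LocalAdminAccess {
 $RandNo = New-Object System.Random
 
 Write-Verbose "[*] Running Find-LocalAdminAccess with delay of $Delay"
-
+
+# if we're using a host list, read the targets in and add them to the target list
+if($ComputerFile) {
+$ComputerName = Get-Content -Path $ComputerFile
+}
+
 if(!$ComputerName) {
+[array]$ComputerName = @()
+
 if($Domain) {
 $TargetDomains = @($Domain)
 }
@@ -9967,18 +9989,11 @@ function Find-LocalAdminAccess {
 $TargetDomains = @( (Get-NetDomain).name )
 }
 
-# if we're using a host list, read the targets in and add them to the target list
-if($ComputerFile) {
-$ComputerName = Get-Content -Path $ComputerFile
-}
-else {
-[array]$ComputerName = @()
-ForEach ($Domain in $TargetDomains) {
-Write-Verbose "[*] Querying domain $Domain for hosts"
-$ComputerName += Get-NetComputer -Filter $ComputerFilter -ADSpath $ComputerADSpath -Domain $Domain -DomainController $DomainController
-}
+ForEach ($Domain in $TargetDomains) {
+Write-Verbose "[*] Querying domain $Domain for hosts"
+$ComputerName += Get-NetComputer -Filter $ComputerFilter -ADSpath $ComputerADSpath -Domain $Domain -DomainController $DomainController
 }
-
+
 # remove any null target hosts, uniquify the list and shuffle it
 $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random }
 if($($ComputerName.Count) -eq 0) {
@@ -10521,7 +10536,13 @@ function Invoke-EnumerateLocalAdmin {
 
 Write-Verbose "[*] Running Invoke-EnumerateLocalAdmin with delay of $Delay"
 
+# if we're using a host list, read the targets in and add them to the target list
+if($ComputerFile) {
+$ComputerName = Get-Content -Path $ComputerFile
+}
+
 if(!$ComputerName) {
+[array]$ComputerName = @()
 
 if($Domain) {
 $TargetDomains = @($Domain)
@@ -10535,18 +10556,11 @@ function Invoke-EnumerateLocalAdmin {
 $TargetDomains = @( (Get-NetDomain).name )
 }
 
-# if we're using a host list, read the targets in and add them to the target list
-if($ComputerFile) {
-$ComputerName = Get-Content -Path $ComputerFile
-}
-else {
-[array]$ComputerName = @()
-ForEach ($Domain in $TargetDomains) {
-Write-Verbose "[*] Querying domain $Domain for hosts"
-$ComputerName += Get-NetComputer -Filter $ComputerFilter -ADSpath $ComputerADSpath -Domain $Domain -DomainController $DomainController
-}
+ForEach ($Domain in $TargetDomains) {
+Write-Verbose "[*] Querying domain $Domain for hosts"
+$ComputerName += Get-NetComputer -Filter $ComputerFilter -ADSpath $ComputerADSpath -Domain $Domain -DomainController $DomainController
 }
-
+
 # remove any null target hosts, uniquify the list and shuffle it
 $ComputerName = $ComputerName | Where-Object { $_ } | Sort-Object -Unique | Sort-Object { Get-Random }
 if($($ComputerName.Count) -eq 0) {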
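Review bot: In the last Invoke-FileFinder hunk the null-filter/uniquify/shuffle of `$ComputerName` and the `throw "No hosts found!"` check (new lines 9683–9687) now sit inside the domain-enumeration `else` branch, so a list supplied via -ComputerName or -ComputerFile is no longer de-duplicated or validated there, and because the `if($SearchSYSVOL)` block is also inside `if(!$ComputerName)`, -SearchSYSVOL is silently ignored whenever a host list is given (the old code did the opposite and let SYSVOL take precedence); the four sibling functions changed in this commit (Invoke-ProcessHunter, Invoke-ShareFinder, Find-LocalAdminAccess, Invoke-EnumerateLocalAdmin) keep the cleanup lines after the closing brace of `if(!$ComputerName)`, and Invoke-FileFinder should match them. The same applies to `$TargetDomains`, which every function now sets only when no host list was given; whether code later in these functions (outside the hunks) still reads it cannot be seen here and should be checked. Separately, in every hunk `$ComputerName = Get-Content -Path $ComputerFile` emits only a non-terminating error and yields nothing when the path is wrong or the file is empty, and the following `if(!$ComputerName)` then falls back to enumerating the whole domain — the very Get-NetDomain call the commit is trying to avoid; `$ComputerName = Get-Content -Path $ComputerFile -ErrorAction Stop` followed by `if(!$ComputerName) { throw "No hosts read from $ComputerFile" }` would surface that instead. All of the enclosing function bodies start before and continue after their hunks.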
