SYSVOL enumeration script
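#!/bin/bash
# Enumerate a mounted SYSVOL share for files worth a closer look
# (keyword hits, scripts, config files, Group Policy Preference XML,
# certificate material).
#
# Mount the share first, for example:
#   sudo mount -t cifs //IP_ADDRESS/SYSVOL /mnt/sysvol -o credentials=<CREDENTIALS_FILE>,domain=DOMAIN.LTD
# A credentials file keeps the password out of `ps` output and shell history;
# passing username=USERNAME,password=PASSWORD on the command line also works
# but exposes the password to every local user.
#
# Usage: ./<this script> [PATH_TO_SYSVOL_MOUNT]
#   The mount point may also be given via the SYSVOL_PATH environment
#   variable; the built-in default is /mnt/sysvol.

# ANSI colour sequences, kept as literal backslash escapes and expanded by
# `echo -e` at print time.
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'

# Mount point to scan: first argument, else environment, else the default.
SYSVOL_PATH="${1:-${SYSVOL_PATH:-/mnt/sysvol}}"

echo -e "${GREEN}[+] Starting SYSVOL enumeration...${NC}\n"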
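#######################################
# Grep every regular file under SYSVOL_PATH for each sensitive keyword and
# print the paths that match, one section per keyword.
# Globals:   SYSVOL_PATH, GREEN, YELLOW, NC (read)
# Arguments: none
# Outputs:   section headers and matching file paths to stdout
# Returns:   status of the last find invocation
#######################################
search_keywords() {
  local -a keywords=("password" "cred" "secret" "admin" "login" "key" "certificate" "encrypted" "pwd" "conf")
  local keyword

  echo -e "${YELLOW}[*] Searching for sensitive keywords...${NC}"
  for keyword in "${keywords[@]}"; do
    echo -e "\n${GREEN}[+] Searching for files containing: $keyword${NC}"
    # -F: the keyword is a literal string, not a regex.  `{} +` hands find's
    # batch of paths to one grep instead of forking grep once per file; -l
    # prints one path per matching file in either form.
    find "$SYSVOL_PATH" -type f -exec grep -l -i -F -- "$keyword" {} + 2>/dev/null
  done
}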
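#######################################
# List regular files under SYSVOL_PATH whose extension is on the
# "interesting" list, one section per extension.
# Globals:   SYSVOL_PATH, GREEN, YELLOW, NC (read)
# Arguments: none
# Outputs:   section headers and file paths to stdout
# Returns:   status of the last find invocation
#######################################
find_extensions() {
  local -a extensions=("xml" "conf" "config" "txt" "ini" "bat" "ps1" "vbs" "cmd" "json" "pem" "crt" "cer" "key")
  local ext

  echo -e "\n${YELLOW}[*] Looking for interesting file extensions...${NC}"
  for ext in "${extensions[@]}"; do
    echo -e "\n${GREEN}[+] Finding *.$ext files:${NC}"
    # -iname: the share comes from a case-insensitive filesystem, so *.XML
    # and *.Ps1 are the same kind of file as *.xml and *.ps1.
    find "$SYSVOL_PATH" -type f -iname "*.$ext" 2>/dev/null
  done
}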
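#######################################
# List the Group Policy Preference XML files under SYSVOL_PATH.
# Globals:   SYSVOL_PATH, YELLOW, NC (read)
# Arguments: none
# Outputs:   a header and matching file paths to stdout
# Returns:   status of find
#######################################
check_gpo() {
  echo -e "\n${YELLOW}[*] Analyzing Group Policy files...${NC}"
  # The -name tests are grouped in \( \) so that -type f applies to every
  # alternative.  Without the parentheses -o binds looser than the implicit
  # -a, so only the first name was restricted to regular files and a
  # directory called e.g. Drives.xml would have been listed too.
  find "$SYSVOL_PATH" -type f \( \
    -name "Groups.xml" -o -name "Services.xml" -o -name "ScheduledTasks.xml" \
    -o -name "DataSources.xml" -o -name "Printers.xml" -o -name "Drives.xml" \
  \) 2>/dev/null
}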
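#######################################
# Print a directory overview of SYSVOL_PATH: `tree` when it is installed,
# otherwise a plain recursive `find` listing so the section is never
# silently empty.
# Globals:   SYSVOL_PATH, YELLOW, NC (read)
# Arguments: none
# Outputs:   listing to stdout
#######################################
list_structure() {
  echo -e "${YELLOW}[*] Directory structure:${NC}"
  if command -v tree >/dev/null 2>&1; then
    tree "$SYSVOL_PATH" 2>/dev/null
  else
    find "$SYSVOL_PATH" 2>/dev/null
  fi
}

#######################################
# List regular files under SYSVOL_PATH matching any of the given name globs.
# The globs are grouped in \( \) so -type f applies to every alternative;
# with a bare -o chain only the first -name was restricted to files.
# Globals:   SYSVOL_PATH (read)
# Arguments: $@ - one or more -name patterns, e.g. "*.bat" "*.ps1"
# Outputs:   matching paths to stdout
# Returns:   status of find; 1 if no pattern was given
#######################################
find_files_named() {
  local -a tests=()
  local pattern
  (( $# >= 1 )) || return 1
  for pattern in "$@"; do
    # Every alternative after the first is joined with -o.
    (( ${#tests[@]} > 0 )) && tests+=(-o)
    tests+=(-name "$pattern")
  done
  find "$SYSVOL_PATH" -type f \( "${tests[@]}" \) 2>/dev/null
}

#######################################
# Entry point: verify the mount, show the structure, then run every search.
# Globals:   SYSVOL_PATH, RED, GREEN, YELLOW, NC (read)
# Arguments: none (the mount point is resolved at the top of the script)
# Outputs:   enumeration report to stdout; the mount error to stderr
# Returns:   exits 1 when SYSVOL_PATH is not a directory
#######################################
main() {
  echo -e "${YELLOW}[*] SYSVOL Path: $SYSVOL_PATH${NC}\n"

  # Check if SYSVOL is mounted
  if [[ ! -d "$SYSVOL_PATH" ]]; then
    echo -e "${RED}[-] SYSVOL is not mounted at $SYSVOL_PATH${NC}" >&2
    exit 1
  fi

  list_structure

  # Run searches
  search_keywords
  find_extensions
  check_gpo

  # Look specifically for scripts
  echo -e "\n${YELLOW}[*] Looking for scripts in SYSVOL:${NC}"
  find_files_named "*.bat" "*.ps1" "*.vbs" "*.cmd"

  # Check for potential certificate related files
  echo -e "\n${YELLOW}[*] Looking for certificate related files:${NC}"
  find_files_named "*.cer" "*.pem" "*.crt" "*.p12" "*.pfx"

  echo -e "\n${GREEN}[+] Enumeration complete${NC}"
}

main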
Author
nikallass
commented
Jan 11, 2025
A newer, more verbose version is available here:
https://gist.github.com/nikallass/5f563e0b733e9d0393fc840cda81875f