# Mr.Un1k0d3r RingZer0 Team
function Search-EventForUserByIP{
<#
.SYNOPSIS
Searches the Windows event log of one host, or of every domain controller, for events related to an IP address.
.DESCRIPTION
When -Username is given, a PSCredential is built from -Username/-Password in BEGIN and used for the remote
Get-WinEvent calls. Hosts are either all domain controllers of the current domain (-FindDC) or -ComputerName.
For each host the XML filter held in $xmlFilter is run through Get-WinEvent and every matching event is printed,
either in full (-FullMessage) or reduced to its "Account Name:", "Account Domain:", "Security ID:",
"Source Network Address:", "Workstation Name:" and "Process Name:" lines.
.PARAMETER IP
IP address to look for. Accepts pipeline input; each pipeline item goes through PROCESS once.
.PARAMETER ComputerName
Host to query when -FindDC is not set; defaults to the local computer name read from env:COMPUTERNAME.
.PARAMETER FindDC
Query every domain controller of the current domain instead of -ComputerName.
.PARAMETER FullMessage
Print the whole event message instead of the selected lines.
.PARAMETER Username
Account used for the remote query; when empty the query runs as the current user.
.PARAMETER Password
Clear-text password for -Username. It is converted to a SecureString below, but the clear-text value still
passes through the command line, history and any transcript; a [PSCredential] parameter would avoid that.
.NOTES
Get-WinEvent errors are suppressed (-ErrorAction SilentlyContinue), so an access-denied or RPC failure on a
host is reported as "No event found" rather than as an error.
#>
param(
[Parameter(Mandatory=$True, ValueFromPipeline=$true)]
[string]$IP,
[Parameter(Mandatory=$False)]
[string]$ComputerName = (Get-Item env:COMPUTERNAME).Value,
[Parameter(Mandatory=$False)]
[switch]$FindDC = $False,
[Parameter(Mandatory=$False)]
[switch]$FullMessage = $False,
[Parameter(Mandatory=$False)]
[string]$Username,
[Parameter(Mandatory=$False)]
[string]$Password
)
BEGIN {
# An unbound [string] parameter is "" rather than $null, so this is the "no username given" test.
if($Username -ne "") {
$SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force
$Creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username, $SecurePassword
}
}
PROCESS {
# Hosts whose event log will be queried.
[System.Collections.ArrayList]$dcs = @()
if($FindDC) {
Write-Output "[+] Enumerating all the DCs"
# Domain controllers of the domain the current context belongs to.
ForEach($dc in [DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers) {
Write-Output "[+] DC found: $($dc.Name)"
# ArrayList.Add returns the new index; discard it so it is not emitted as output.
$dcs.Add($dc.Name) | Out-Null
}
} else {
$dcs.Add($ComputerName) | Out-Null
}
ForEach($dc in $dcs) {
# $IP is a single [string], so this inner loop runs once per PROCESS invocation.
ForEach($item in $IP) {
Write-Output "[+] Parsing $($dc) Logs looking for $($item)"
# NOTE(review): $xmlFilter is empty as found here -- the query body appears to have been lost -- and
# Get-WinEvent -FilterXml with an empty string returns no events. How $item is matched cannot be told
# from this copy; the filter has to be supplied before the function is usable.
if($Creds) {
Write-Output "[*] Remotely authenticated as $($Username)"
$xmlFilter = "";
$data = Get-WinEvent -FilterXml $xmlFilter -ComputerName $dc -ErrorAction SilentlyContinue -Credential $Creds | Select Message;
} else {
$xmlFilter = "";
$data = Get-WinEvent -FilterXml $xmlFilter -ComputerName $dc -ErrorAction SilentlyContinue | Select Message;
}
# $data is $null both when nothing matched and when the query failed (errors are silenced above).
if($data) {
ForEach($entry in $data) {
Write-Output "`n[+] Event found"
If($FullMessage) {
Write-Output $entry.Message
} Else {
# Keep only the identity / origin lines of the message; Select-String emits the matching line.
ForEach($Line in $entry.Message.Split("`n")) {
$Line | Select-String -Pattern "Account Name:"
$Line | Select-String -Pattern "Account Domain:"
$Line | Select-String -Pattern "Security ID:"
$Line | Select-String -Pattern "Source Network Address:"
$Line | Select-String -Pattern "Workstation Name:"
$Line | Select-String -Pattern "Process Name:"
}
}
}
} else {
Write-Output "[-] No event found on $($dc)..."
}
}
}
}
END {
Write-Output "[+] Process completed..."
}
}
function Search-EventForUserByDomain {
<#
.SYNOPSIS
Searches the Windows event log of one host, or of every domain controller, for events related to a domain value.
.DESCRIPTION
Same structure as Search-EventForUserByIP: an optional PSCredential is built in BEGIN, the hosts to query are
either every domain controller of the current domain (-FindDC) or -ComputerName, and each matching event is
printed in full (-FullMessage) or reduced to its "Account Name:", "Account Domain:", "Security ID:",
"Source Network Address:", "Workstation Name:" and "Process Name:" lines.
.PARAMETER Domain
Value handed to the event filter (presumably the account domain -- the filter is not present in this copy).
Accepts pipeline input; each pipeline item goes through PROCESS once.
.PARAMETER ComputerName
Host to query when -FindDC is not set; defaults to the local computer name read from env:COMPUTERNAME.
.PARAMETER FindDC
Query every domain controller of the current domain instead of -ComputerName.
.PARAMETER FullMessage
Print the whole event message instead of the selected lines.
.PARAMETER Username
Account used for the remote query; when empty the query runs as the current user.
.PARAMETER Password
Clear-text password for -Username. It is converted to a SecureString below, but the clear-text value still
passes through the command line, history and any transcript; a [PSCredential] parameter would avoid that.
.NOTES
Get-WinEvent errors are suppressed (-ErrorAction SilentlyContinue), so an access-denied or RPC failure on a
host is reported as "No event found" rather than as an error.
#>
param(
[Parameter(Mandatory=$True, ValueFromPipeline=$true)]
[string]$Domain,
[Parameter(Mandatory=$False)]
[string]$ComputerName = (Get-Item env:COMPUTERNAME).Value,
[Parameter(Mandatory=$False)]
[switch]$FindDC = $False,
[Parameter(Mandatory=$False)]
[switch]$FullMessage = $False,
[Parameter(Mandatory=$False)]
[string]$Username,
[Parameter(Mandatory=$False)]
[string]$Password
)
BEGIN {
# An unbound [string] parameter is "" rather than $null, so this is the "no username given" test.
if($Username -ne "") {
$SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force
$Creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username, $SecurePassword
}
}
PROCESS {
# Hosts whose event log will be queried.
[System.Collections.ArrayList]$dcs = @()
if($FindDC) {
Write-Output "[+] Enumerating all the DCs"
# Domain controllers of the domain the current context belongs to.
ForEach($dc in [DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers) {
Write-Output "[+] DC found: $($dc.Name)"
# ArrayList.Add returns the new index; discard it so it is not emitted as output.
$dcs.Add($dc.Name) | Out-Null
}
} else {
$dcs.Add($ComputerName) | Out-Null
}
ForEach($dc in $dcs) {
# $Domain is a single [string], so this inner loop runs once per PROCESS invocation.
ForEach($item in $Domain) {
Write-Output "[+] Parsing $($dc) Logs looking for $($item)"
# NOTE(review): $xmlFilter is empty as found here -- the query body appears to have been lost -- and
# Get-WinEvent -FilterXml with an empty string returns no events. How $item is matched cannot be told
# from this copy; the filter has to be supplied before the function is usable.
if($Creds) {
Write-Output "[*] Remotely authenticated as $($Username)"
$xmlFilter = "";
$data = Get-WinEvent -FilterXml $xmlFilter -ComputerName $dc -ErrorAction SilentlyContinue -Credential $Creds | Select Message;
} else {
$xmlFilter = "";
$data = Get-WinEvent -FilterXml $xmlFilter -ComputerName $dc -ErrorAction SilentlyContinue | Select Message;
}
# $data is $null both when nothing matched and when the query failed (errors are silenced above).
if($data) {
ForEach($entry in $data) {
Write-Output "`n[+] Event found"
If($FullMessage) {
Write-Output $entry.Message
} Else {
# Keep only the identity / origin lines of the message; Select-String emits the matching line.
ForEach($Line in $entry.Message.Split("`n")) {
$Line | Select-String -Pattern "Account Name:"
$Line | Select-String -Pattern "Account Domain:"
$Line | Select-String -Pattern "Security ID:"
$Line | Select-String -Pattern "Source Network Address:"
$Line | Select-String -Pattern "Workstation Name:"
$Line | Select-String -Pattern "Process Name:"
}
}
}
} else {
Write-Output "[-] No event found on $($dc)..."
}
}
}
}
END {
Write-Output "[+] Process completed..."
}
}
function Search-EventForUser {
<#
.SYNOPSIS
Searches the Windows event log of one host, or of every domain controller, for events related to a user name.
.DESCRIPTION
Same structure as Search-EventForUserByIP: an optional PSCredential is built in BEGIN, the hosts to query are
either every domain controller of the current domain (-FindDC) or -ComputerName, and each matching event is
printed in full (-FullMessage) or reduced to its "Account Name:", "Account Domain:", "Security ID:",
"Source Network Address:", "Workstation Name:" and "Process Name:" lines.
.PARAMETER TargetUser
User name handed to the event filter. Accepts pipeline input; each pipeline item goes through PROCESS once.
.PARAMETER ComputerName
Host to query when -FindDC is not set; defaults to the local computer name read from env:COMPUTERNAME.
.PARAMETER FindDC
Query every domain controller of the current domain instead of -ComputerName.
.PARAMETER FullMessage
Print the whole event message instead of the selected lines.
.PARAMETER Username
Account used for the remote query; when empty the query runs as the current user.
.PARAMETER Password
Clear-text password for -Username. It is converted to a SecureString below, but the clear-text value still
passes through the command line, history and any transcript; a [PSCredential] parameter would avoid that.
.NOTES
Get-WinEvent errors are suppressed (-ErrorAction SilentlyContinue), so an access-denied or RPC failure on a
host is reported as "No event found" rather than as an error.
#>
param(
[Parameter(Mandatory=$True, ValueFromPipeline=$true)]
[string]$TargetUser,
[Parameter(Mandatory=$False)]
[string]$ComputerName = (Get-Item env:COMPUTERNAME).Value,
[Parameter(Mandatory=$False)]
[switch]$FindDC = $False,
[Parameter(Mandatory=$False)]
[switch]$FullMessage = $False,
[Parameter(Mandatory=$False)]
[string]$Username,
[Parameter(Mandatory=$False)]
[string]$Password
)
BEGIN {
# An unbound [string] parameter is "" rather than $null, so this is the "no username given" test.
if($Username -ne "") {
$SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force
$Creds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username, $SecurePassword
}
}
PROCESS {
# Hosts whose event log will be queried.
[System.Collections.ArrayList]$dcs = @()
if($FindDC) {
Write-Output "[+] Enumerating all the DCs"
# Domain controllers of the domain the current context belongs to.
ForEach($dc in [DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers) {
Write-Output "[+] DC found: $($dc.Name)"
# ArrayList.Add returns the new index; discard it so it is not emitted as output.
$dcs.Add($dc.Name) | Out-Null
}
} else {
$dcs.Add($ComputerName) | Out-Null
}
ForEach($dc in $dcs) {
# $TargetUser is a single [string], so this inner loop runs once per PROCESS invocation.
ForEach($item in $TargetUser) {
Write-Output "[+] Parsing $($dc) Logs looking for $($item)"
# NOTE(review): $xmlFilter is empty as found here -- the query body appears to have been lost -- and
# Get-WinEvent -FilterXml with an empty string returns no events. How $item is matched cannot be told
# from this copy; the filter has to be supplied before the function is usable.
if($Creds) {
Write-Output "[*] Remotely authenticated as $($Username)"
$xmlFilter = "";
$data = Get-WinEvent -FilterXml $xmlFilter -ComputerName $dc -ErrorAction SilentlyContinue -Credential $Creds | Select Message;
} else {
$xmlFilter = "";
$data = Get-WinEvent -FilterXml $xmlFilter -ComputerName $dc -ErrorAction SilentlyContinue | Select Message;
}
# $data is $null both when nothing matched and when the query failed (errors are silenced above).
if($data) {
ForEach($entry in $data) {
Write-Output "`n[+] Event found"
If($FullMessage) {
Write-Output $entry.Message
} Else {
# Keep only the identity / origin lines of the message; Select-String emits the matching line.
ForEach($Line in $entry.Message.Split("`n")) {
$Line | Select-String -Pattern "Account Name:"
$Line | Select-String -Pattern "Account Domain:"
$Line | Select-String -Pattern "Security ID:"
$Line | Select-String -Pattern "Source Network Address:"
$Line | Select-String -Pattern "Workstation Name:"
$Line | Select-String -Pattern "Process Name:"
}
}
}
} else {
Write-Output "[-] No event found on $($dc)..."
}
}
}
}
END {
Write-Output "[+] Process completed..."
}
}
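function Search-FullNameToSamAccount {
<#
.SYNOPSIS
Finds user accounts whose displayName contains the given text and prints their sAMAccountName.
.DESCRIPTION
Runs a subtree LDAP search (page size 100) from a path-less DirectoryEntry, i.e. the current domain, with the
filter (&(objectCategory=User)(displayName=*TEXT*)). TEXT is escaped per RFC 4515 before interpolation, so a
name containing "(", ")", "*" or "\" is matched literally instead of breaking or widening the filter; the
surrounding wildcards are kept. Only the attributes that are printed are requested from the server, and the
search handles are disposed when the item is done.
.PARAMETER Filter
Text matched as a substring of displayName. Accepts pipeline input; each item is searched and printed on its own.
.PARAMETER SamOnly
Print only the Name and SamAccount columns; otherwise Department and Description are printed as well.
.OUTPUTS
Formatted table rows for each pipeline item (nothing when there is no match).
#>
param(
    [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
    [string]$Filter,
    [Parameter(Mandatory=$False)]
    [switch]$SamOnly = $False
)
BEGIN {
    # RFC 4515 escaping of the characters that have meaning inside an LDAP filter value.
    function ConvertTo-EscapedLdapValue([string]$Value) {
        return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
    }
    # First value of an attribute, or $null when the entry does not carry it (keeps the column present).
    function Get-FirstValue($Properties, [string]$Name) {
        if ($Properties.Contains($Name) -and $Properties[$Name].Count -gt 0) {
            return $Properties[$Name][0]
        }
        return $null
    }
    # Explicit column list so Format-Table output has a stable order (a hashtable-built object does not).
    if ($SamOnly) {
        $Columns = 'Name', 'SamAccount'
    } else {
        $Columns = 'Name', 'SamAccount', 'Department', 'Description'
    }
}
PROCESS {
    ForEach($User in $Filter) {
        Write-Output "[*] Searching for $($User)"
        $Query = "(&(objectCategory=User)(displayName=*$(ConvertTo-EscapedLdapValue $User)*))"
        $Domain = New-Object System.DirectoryServices.DirectoryEntry
        $DirSearch = New-Object System.DirectoryServices.DirectorySearcher
        $DirSearch.SearchRoot = $Domain
        $DirSearch.PageSize = 100
        $DirSearch.Filter = $Query
        $DirSearch.SearchScope = "Subtree"
        # Ask only for what is printed instead of every attribute of every match.
        $DirSearch.PropertiesToLoad.AddRange([string[]]@('givenname', 'samaccountname', 'department', 'description'))
        $Results = $null
        Try {
            $Results = $DirSearch.FindAll()
            $Users = @()
            ForEach($Item in $Results) {
                $Data = $Item.Properties
                If($SamOnly) {
                    $Output = New-Object -TypeName PSObject -Property @{
                        Name = Get-FirstValue $Data 'givenname'
                        SamAccount = Get-FirstValue $Data 'samaccountname'
                    }
                } Else {
                    $Output = New-Object -TypeName PSObject -Property @{
                        Name = Get-FirstValue $Data 'givenname'
                        SamAccount = Get-FirstValue $Data 'samaccountname'
                        Department = Get-FirstValue $Data 'department'
                        Description = Get-FirstValue $Data 'description'
                    }
                }
                $Users += $Output
            }
            $Users | Format-Table -Property $Columns -Wrap -AutoSize
        } Finally {
            # FindAll() keeps an LDAP connection/handle alive until the collection is disposed.
            if ($Results) { $Results.Dispose() }
            $DirSearch.Dispose()
            $Domain.Dispose()
        }
    }
}
END {
    Write-Output "[*] Process completed..."
}
}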
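function Ldap-Query {
<#
.SYNOPSIS
Runs a raw LDAP filter against the current domain and writes each matching entry's property collection.
.DESCRIPTION
Subtree search, page size 100, rooted at a path-less DirectoryEntry (the current domain). The filter is sent to
the server unchanged, so a caller that interpolates values into it is responsible for escaping them. The
search result collection, searcher and root entry are disposed once the item has been written.
.PARAMETER Filter
Complete LDAP search filter, e.g. "(objectCategory=User)". Accepts pipeline input.
.OUTPUTS
System.DirectoryServices.ResultPropertyCollection, one per matching entry.
#>
param(
    [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
    [string]$Filter
)
PROCESS {
    $Root = New-Object System.DirectoryServices.DirectoryEntry
    $Searcher = New-Object System.DirectoryServices.DirectorySearcher
    $Searcher.SearchRoot = $Root
    $Searcher.PageSize = 100
    $Searcher.Filter = $Filter
    $Searcher.SearchScope = "Subtree"
    $Results = $null
    Try {
        $Results = $Searcher.FindAll()
        ForEach($Item in $Results) {
            Write-Output $Item.Properties
        }
    } Finally {
        # FindAll() keeps an LDAP connection/handle alive until the collection is disposed.
        if ($Results) { $Results.Dispose() }
        $Searcher.Dispose()
        $Root.Dispose()
    }
}
}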
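function Ldap-GetProperty {
<#
.SYNOPSIS
Runs an LDAP filter and returns one object per matching entry holding the requested attributes as strings.
.DESCRIPTION
Subtree search, page size 100, rooted at a path-less DirectoryEntry (the current domain). For every match an
object with one NoteProperty per requested attribute is emitted; multi-valued attributes are flattened with a
[string] cast (values separated by $OFS, a space by default). An attribute the entry does not carry yields ""
and, unless -NoErrorReport is set, a "[-] Property not found" line on the same output stream as the objects.
The result objects are collected per pipeline item; earlier items are not emitted again.
.PARAMETER Filter
Complete LDAP search filter. Accepts pipeline input. It is sent to the server unchanged.
.PARAMETER Property
Comma-separated attribute names, e.g. "samaccountname,mail". Surrounding whitespace and empty entries are
ignored and duplicates are requested once.
.PARAMETER NoErrorReport
Suppress the "[-] Property not found" line for attributes an entry does not carry.
.OUTPUTS
PSObject[] for the current pipeline item (empty when nothing matched).
#>
param(
    [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
    [string]$Filter,
    [Parameter(Mandatory=$True)]
    [string]$Property,
    [Parameter(Mandatory=$False)]
    [switch]$NoErrorReport = $False
)
BEGIN {
    # Normalise the attribute list once: "a, b,,A" -> a, b (Add-Member would throw on a duplicate name).
    $Attributes = @($Property.Split(",") | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne "" } | Select-Object -Unique)
}
PROCESS {
    # Per-item accumulator; keeping it in BEGIN made every PROCESS call return all earlier rows again.
    $Output = @()
    $Root = New-Object System.DirectoryServices.DirectoryEntry
    $Searcher = New-Object System.DirectoryServices.DirectorySearcher
    $Searcher.SearchRoot = $Root
    $Searcher.PageSize = 100
    $Searcher.Filter = $Filter
    $Searcher.SearchScope = "Subtree"
    $Results = $null
    Try {
        $Results = $Searcher.FindAll()
        ForEach($Item in $Results) {
            $Data = $Item.Properties
            $Element = New-Object -TypeName PSObject
            ForEach($Attribute in $Attributes) {
                # Reading a missing attribute returns nothing instead of throwing, so test membership explicitly.
                if ($Data.Contains($Attribute)) {
                    $Value = [string]$Data[$Attribute]
                } else {
                    $Value = ""
                    if(!$NoErrorReport) {
                        Write-Output "[-] Property not found"
                    }
                }
                $Element | Add-Member -MemberType NoteProperty -Name $Attribute -Value $Value
            }
            $Output += $Element
        }
    } Finally {
        # FindAll() keeps an LDAP connection/handle alive until the collection is disposed.
        if ($Results) { $Results.Dispose() }
        $Searcher.Dispose()
        $Root.Dispose()
    }
    return $Output
}
}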
function DumpAll-UserInfo {
<#
.SYNOPSIS
Prints every attribute of the user account whose sAMAccountName equals -UserName.
.DESCRIPTION
Thin wrapper over Ldap-Query with the filter (&(objectCategory=User)(samaccountname=NAME)). The name is
interpolated into the filter as given, so LDAP filter metacharacters in it act as filter syntax.
.PARAMETER UserName
Exact sAMAccountName. Accepts pipeline input; each item is dumped under its own header.
#>
param(
    [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
    [string]$UserName
)
PROCESS {
    # $UserName is a single [string]; pipeline input arrives one item per PROCESS call.
    $UserName | ForEach-Object {
        $Account = $_
        Write-Output "Dumping $($Account)"
        Write-Output "-----------------------------------------------"
        Ldap-Query -Filter "(&(objectCategory=User)(samaccountname=$($Account)))"
    }
}
END {
    Write-Output "[+] Process completed..."
}
}
function Dump-UserGroup {
<#
.SYNOPSIS
Prints the memberof attribute (group DNs) of the user account whose sAMAccountName equals -UserName.
.DESCRIPTION
Thin wrapper over Ldap-GetProperty with the filter (&(objectCategory=User)(samaccountname=NAME)) and the
single property memberof, shown as a list. The name is interpolated into the filter as given.
.PARAMETER UserName
Exact sAMAccountName. Accepts pipeline input; each item is dumped under its own header.
#>
param(
    [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
    [string]$UserName
)
PROCESS {
    # $UserName is a single [string]; pipeline input arrives one item per PROCESS call.
    $UserName | ForEach-Object {
        $Account = $_
        Write-Output "Dumping $($Account) Groups"
        Write-Output "-----------------------------------------------"
        $Query = "(&(objectCategory=User)(samaccountname=$($Account)))"
        Ldap-GetProperty -Filter $Query -Property memberof | Format-List
    }
}
END {
    Write-Output "[+] Process completed..."
}
}
function Search-UserPassword {
<#
.SYNOPSIS
Prints the userpassword attribute of user accounts whose sAMAccountName contains -UserName.
.DESCRIPTION
Thin wrapper over Ldap-GetProperty with the filter (&(objectCategory=User)(samaccountname=*NAME*)) and the
single property userpassword; entries without that attribute show "" (see Ldap-GetProperty). The name is
interpolated into the filter as given.
.PARAMETER UserName
Substring of the sAMAccountName. Accepts pipeline input; each item is searched under its own header.
#>
param(
    [Parameter(Mandatory=$True, ValueFromPipeline=$True)]
    [string]$UserName
)
PROCESS {
    # $UserName is a single [string]; pipeline input arrives one item per PROCESS call.
    $UserName | ForEach-Object {
        $Account = $_
        Write-Output "[*] $($Account)"
        $Query = "(&(objectCategory=User)(samaccountname=*$($Account)*))"
        Ldap-GetProperty -Filter $Query -Property "userpassword" | Format-Table -Wrap -AutoSize
    }
}
END {
    Write-Output "[+] Process completed..."
}
}
function Dump-UserEmail {
<#
.SYNOPSIS
Prints the mail attribute of every user account in the current domain as a table.
.DESCRIPTION
Thin wrapper over Ldap-GetProperty with the filter (&(objectCategory=User)) and the single property mail;
accounts without a mail attribute are listed with "" and no "Property not found" line (-NoErrorReport).
#>
PROCESS {
    $Query = @{
        Filter = "(&(objectCategory=User))"
        Property = "mail"
        NoErrorReport = $True
    }
    Ldap-GetProperty @Query | Format-Table -Wrap -AutoSize
}
END {
    Write-Output "[+] Process completed..."
}
}
function Dump-Computers {
<#
.SYNOPSIS
Prints the name attribute of every computer object in the current domain as a table.
.DESCRIPTION
Thin wrapper over Ldap-GetProperty with the filter (&(objectCategory=Computer)) and the single property
name; objects without it are listed with "" and no "Property not found" line (-NoErrorReport).
#>
PROCESS {
    $Query = @{
        Filter = "(&(objectCategory=Computer))"
        Property = "name"
        NoErrorReport = $True
    }
    Ldap-GetProperty @Query | Format-Table -Wrap -AutoSize
}
END {
    Write-Output "[+] Process completed..."
}
}
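function Dump-UserName {
<#
.SYNOPSIS
Lists user accounts of the current domain by sAMAccountName, optionally filtered by a substring and with
additional attributes.
.DESCRIPTION
Builds one LDAP filter -- (&(objectCategory=User)(samaccountname=*TEXT*)) when -TargetUser is given,
(&(objectCategory=User)) otherwise -- and one attribute list, then calls Ldap-GetProperty once and prints
the result as a table. -TargetUser is interpolated into the filter as given, so LDAP filter metacharacters
in it act as filter syntax. Missing attributes are shown as "" without a "Property not found" line.
.PARAMETER More
Also print givenname, description, lastlogon and mail next to samaccountname.
.PARAMETER TargetUser
Substring of the sAMAccountName to match; empty (the default) lists every user. Accepts pipeline input.
#>
param(
    [Parameter(Mandatory=$False)]
    [switch]$More = $False,
    [Parameter(Mandatory=$False, ValueFromPipeline=$true)]
    [string]$TargetUser = ""
)
PROCESS {
    # One filter and one property list instead of four near-identical Ldap-GetProperty calls.
    if($TargetUser -ne "") {
        $Filter = "(&(objectCategory=User)(samaccountname=*$($TargetUser)*))"
    } else {
        $Filter = "(&(objectCategory=User))"
    }
    if($More) {
        $Properties = "givenname,samaccountname,description,lastlogon,mail"
    } else {
        $Properties = "samaccountname"
    }
    Ldap-GetProperty -Filter $Filter -Property $Properties -NoErrorReport | Format-Table -Wrap -AutoSize
}
END {
    Write-Output "[+] Process completed..."
}
}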
function Resolve-DCtoIP {
<#
.SYNOPSIS
Prints the name and IP address of every domain controller of the current domain.
.DESCRIPTION
Enumerates GetCurrentDomain().DomainControllers and writes one "[+] DC found: NAME:IP" line per controller
after a header line. Takes no parameters.
#>
PROCESS {
    Write-Output "[+] Enumerating all the DCs"
    $CurrentDomain = [DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $CurrentDomain.DomainControllers | ForEach-Object {
        Write-Output "[+] DC found: $($_.Name):$($_.IPAddress)"
    }
}
}