Skip to main content

Get-ADInfo Powershell Module

With the competition season mostly over, I've been able to spend some time catching up on write-ups, classwork, and projects. I'm also able to start releasing the materials I created for my team this year. Starting with Get-ADInfo, the first (sort of) Powershell module I've created. You can find it here https://www.powershellgallery.com/packages/Get-ADInfo/1.0.0. Additionally, you can also find it on my GitHub.

Module Information

Get-ADInfo is a module that was created to help facilitate Active Directory object enumeration. I spent a lot of time last year developing security tools for Windows servers, but I hadn't really done anything neat with basic enumeration stuff. So I wanted to create some enumeration tools for our Windows people this year. Get-ADInfo was the first tool I started working on, and probably the one that turned out the best, as I was quickly overwhelmed with relearning bash and some of the more advanced Linux skills I had forgotten after focusing on Windows for so long. Essentially, Get-ADInfo works by pulling critical information out of certain AD object cmdlets. In some cases, I had to make some custom objects, but in general, the cmdlets provided in the module are re-skins of the AD object cmdlets ordered in a slightly easier-to-understand way.

By default, all the commands will enumerate all objects. However, for each cmdlet, the object name can be specified with the -Name property. For example, Get-ADGroupInfo -Name Administrators will list all information about the Administrators group. I designed it to run through all objects if no property was given to speed up the enumeration process, as this module was originally designed for a competition environment. 

Function Get-UserInfo

The Get-UserInfo function provides critical information about the specified user (or all users) including membership status. For example, if user 'Test' is a member of the group 'Test-Group', this cmdlet will pull that information and display the membership. Additionally, it grabs logon information, display info, and other useful details. I personally find it more useful than Get-ADUser in terms of getting an overview of users.

Example Output of Get-UserInfo

Function Get-OUInfo

Unlike Get-UserInfo, Get-OUInfo has quite a bit of custom properties. When I was first writing this module, I had never done any kind of custom object creation or module creation, and this was the first cmdlet I started working on. I certainly learned a good bit while making this one. 

Get-OUInfo lists information about the specified (or all) organizational units. This information includes the linked users, groups, and computers. Aside from the linked objects, it also displays management and display information. 

Example Output of Get-OUInfo

Function Get-GroupInfo

This is the simplest of the cmdlets in this module. For every specified (or all) group, the group's members and the owners are listed alongside creation and display information. 

Example Output of Get-GroupInfo

Function Get-ADComputerInfo

This is the most complex cmdlet in the module. It provides a wealth of information on each connected computer in the domain. For example, it shows networking information such as DNS hostname, IPv4, and v6 address. It also displays the logon information like last logon date, password change dates, and expiration dates. Of course, it also gives the AD management information as well, like created dates, enabled status, and distinguished names. It will also show linked members and owners. 

Example Output of Get-ADComputerInfo



Comments

Post a Comment

Popular posts from this blog

Using PGPy to encrypt and decrypt files and messages

 PGPy is a library for python that enables the creation, storage, and encryption/decryption of PGP keys and files in python. Recently, in a small project to reacquaint myself with python, I used PGPy for key generation and encryption and decryption. That project can be found in my github at  https://github.com/lpowell . The goal of the project was to use command-line switches to control the program, and to provide basic encryption and decryption capabilities, along with rot13 and base64 encoding.  First, to load in a key use key, _ = pgpy.PGPKey.from_file(keyfilename) . This loads the key from either a binary or ASCII armored file. You can swap out .from_file for .from_blob , if you plan on using a key stored in a string or bytes object rather than a file. In my example code, I pull the key from a file, as I found it to be the simpler method.  Next, you'll need to open a file or create a string or bytes object that contains the message you wish to encrypt. We'll cal...
3 comments
Read more

Huntress CTF Challenge Writeups: HumanTwo: MoveIt IoC Analysis Challenge

HumanTwo: MoveIT IoC Analysis Challenge The HumanTwo challenge is a malware CTF from the 2023 Huntress CTF. This write-up walks through the initial discovery, de-obfuscation, and solving of the challenge. The actual flag will be redacted from the document, but interested parties should be able to follow the steps and derive it themselves. While the write-up assumes a base level of knowledge regarding the command line and Linux. Most tools and commands will be accompanied by short explanations. Step 1: Initial Analysis To start off, we are given an archive with 1000 files named after their file hash. The hint we are given is that there are minor differences between each file. We also know that HumanTwo relates to the MoveIT vulnerability and exploit. The easy way to progress is to look up articles that tell you about the vulnerability and what stands out in each exploit script. However, I didn’t do that, so I’ll put the process I followed down instead. First, because I knew that...
Post a Comment
Read more

Huntress CTF Challenge Writeups: VeeBeeeee & Fetch

  VeeBeeeee: A Microsoft Script Forensics Challenge VeeBeeeee starts with an extensionless file. When attempting to open this file, we get a bunch of random junk. I used PowerShell to display the content of the file and then dropped the output into CyberChef to decode it. Using the “Magic” function on CyberChef told me that it was a Microsoft Script, and CyberChef applied the Microsoft Script Decoder function to the text blob. Copy/Pasting the cleartext code into VSCode lets us use the find and replace function to get rid of some of this junk data. While going through the script and getting rid of the tacked-on strings and characters, we can see that there is an array being built called Request. If we follow the link in this array, we get to a Pastebin file with the flag.   Fetch: A Prefetch and WIM File Analysis Challenge Fetch provided an unknown file with no extension. Like previous challenges, we can use the “file” command to determine the file type. Using ...
Post a Comment
Read more