Closed Meatballs1 closed 8 years ago
diff --git a/PowerView/powerview.ps1 b/PowerView/powerview.ps1
index cb8191a..6efeac2 100755
--- a/PowerView/powerview.ps1
+++ b/PowerView/powerview.ps1
@@ -3759,31 +3750,61 @@ function Get-NetFileServers {
[CmdletBinding()]
param(
[string]
- $Domain
+ $Domain,
+
+ [string[]]
+ $TargetUsers
)
$Servers = @()
- Get-NetUser -Domain $Domain | % {
- if($_.homedirectory){
- $temp = $_.homedirectory.split("\\")[2]
- if($temp -and ($temp -ne '')){
- $Servers += $temp
- }
- }
- if($_.scriptpath){
- $temp = $_.scriptpath.split("\\")[2]
- if($temp -and ($temp -ne '')){
- $Servers += $temp
- }
- }
- if($_.profilepath){
- $temp = $_.profilepath.split("\\")[2]
- if($temp -and ($temp -ne '')){
- $Servers += $temp
- }
- }
- }
+ if ($TargetUsers)
+ {
+ foreach ($user in $TargetUsers)
+ {
+ Get-NetUser -UserName $user -Domain $Domain | % {
+ if($_.homedirectory){
+ $temp = $_.homedirectory.split("\\")[2]
+ if($temp -and ($temp -ne '')){
+ $Servers += $temp
+ }
+ }
+ if($_.scriptpath){
+ $temp = $_.scriptpath.split("\\")[2]
+ if($temp -and ($temp -ne '')){
+ $Servers += $temp
+ }
+ }
+ if($_.profilepath){
+ $temp = $_.profilepath.split("\\")[2]
+ if($temp -and ($temp -ne '')){
+ $Servers += $temp
+ }
+ }
+ }
+ }
+ } else {
+ Get-NetUser -Domain $Domain | % {
+ if($_.homedirectory){
+ $temp = $_.homedirectory.split("\\")[2]
+ if($temp -and ($temp -ne '')){
+ $Servers += $temp
+ }
+ }
+ if($_.scriptpath){
+ $temp = $_.scriptpath.split("\\")[2]
+ if($temp -and ($temp -ne '')){
+ $Servers += $temp
+ }
+ }
+ if($_.profilepath){
+ $temp = $_.profilepath.split("\\")[2]
+ if($temp -and ($temp -ne '')){
+ $Servers += $temp
+ }
+ }
+ }
+ }
# uniquify the fileserver list and return it
$($Servers | Sort-Object -Unique)
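Review bot: The three UNC-path extraction blocks (homedirectory, scriptpath, profilepath) appear twice verbatim on the new side, once in the per-user branch and once in the all-users fallback, so any later correction to the extraction has to be made in both places. Selecting the user set first and then running a single extraction pass over it keeps the logic in one place; the restructured body is below. Note also that an empty array passed as `-TargetUsers` is falsy in `if ($TargetUsers)` and falls through to enumerating every user in the domain — if callers can hand over an empty list, say so in the parameter help, e.g. `# An empty or missing $TargetUsers means all domain users are queried.`. Get-NetFileServers's signature and closing brace are outside the hunk.
```powershell
    $Servers = @()

    # Pick the user set once, then extract the server component from each
    # UNC path in a single pass rather than duplicating the block per branch.
    if ($TargetUsers) {
        $Users = $TargetUsers | ForEach-Object { Get-NetUser -UserName $_ -Domain $Domain }
    } else {
        $Users = Get-NetUser -Domain $Domain
    }

    $Users | ForEach-Object {
        foreach ($path in @($_.homedirectory, $_.scriptpath, $_.profilepath)) {
            if ($path) {
                # \\server\share\... -> index 2 is the server name
                $temp = $path.split("\\")[2]
                if ($temp -and ($temp -ne '')) {
                    $Servers += $temp
                }
            }
        }
    }
    # … unchanged: uniquify the fileserver list and return it …
```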
@@ -6867,7 +6888,7 @@ function Invoke-StealthUserHunter {
if ($Source -eq "File"){
Write-Verbose "[*] Querying domain $targetDomain for File Serve
rs..."
- [Array]$Hosts = Get-NetFileServers -Domain $targetDomain
+ [Array]$Hosts = Get-NetFileServers -TargetUsers $TargetUsers -D
omain $targetDomain
}
elseif ($Source -eq "DC"){
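Review bot: Both new call sites (this one and the `Source -eq "All"` branch in the next hunk) read `$TargetUsers` from Invoke-StealthUserHunter's own scope, but its declaration is not visible in either hunk; if the function has no such parameter, the variable is `$null` under PowerShell's default non-strict mode and the call silently behaves exactly as before. Confirm the parameter exists on Invoke-StealthUserHunter and document it in the function's comment-based help, e.g. `.PARAMETER TargetUsers` followed by `Restrict the file-server lookup to the home, script and profile paths of these users.`. The enclosing function body starts and ends outside the hunk.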
@@ -6876,7 +6897,7 @@ function Invoke-StealthUserHunter {
}
elseif ($Source -eq "All") {
Write-Verbose "[*] Querying domain $targetDomain for hosts..."
- [Array]$Hosts = Get-NetFileServers -Domain $targetDomain
+ [Array]$Hosts = Get-NetFileServers -TargetUsers $TargetUsers
-Domain $targetDomain
$Hosts += Get-NetDomainControllers -Domain $targetDomain | % {$
_.Name}
}
}
The StealthUserHunter calls Get-NetFileServers, which by default calls Get-NetUser with just the domain flag.
Get-NetFileServers should take a $TargetUsers array. Invoke-StealthUserHunter should pass this to Get-NetFileServers...