Closed maaaaz closed 8 years ago
So the functions that utilize API calls (Get-NetShare, Get-NetSession, Get-NetLoggedOn) and the meta functions that wrap them (ShareFinder, FileFinder, UserHunter, etc.) don't accept additional credentials from what I can tell. For example, the NetShareEnum function used by Share/FileFinder.
WMI or WinRM based methods will accept a -Credential option, but those are fewer in PowerView (Get-NetProcess/Invoke-ProcessHunter already accept alternate credentials, I suppose Get-LastLoggedOn could be amended but we rarely really use that function). The other part of FileFinder, the wrapped Get-ChildItem call, doesn't accept alternative credentials either. One option might be to create ps drives for each share we're examining, but repeated modifications to the pivot host tend to make us uncomfortable.
Instead, I recommend using @sixdub's runas /netonly method described here. This will allow you to execute prompts with different credentials, even if you're on a non-domain joined system.
I do understand the limitations, but the runas /netonly might fulfill my needs.
Maybe except when we don't have cleartext creds but only hashes: in that case I already tried to load a cmd with the mimikatz /pth
module, unsuccessfully.
You do need to be local administrator on the machine to utilize Mimikatz' PTH functionality, I believe.
I checked into PSDrive a bit, and there's apparently a bug in PowerShell version 2.0 when using specified credentials to map a PSDrive. A workaround from that post (if you choose to use it) would be to do something like:
$net = new-object -ComObject WScript.Network $net.MapNetworkDrive("u:", "\server\share", $false, "domain\user", "password")
And then run Invoke-SearchFiles on the local drive path. Since we definitely don't want mass numbers of drive mountings by default in the script, we'll likely leave it in its current state.
Thank you for that insight. ps: I was local admin while using mimikatz' pth feature, I don't know why it failed.
UAC?
Obviously granted, as it was on my own laptop.
The version_2.0 branch just got a commit to support this. Find-InterestingFile and Invoke-FileFinder both now support a -Credential option. I wasn't able to test in the field (just in a lab), so let me know if this works and I'll re-close the issue.
Hello there,
Thank you for this awesome framework. To me, it would be even more awesome if you would add a
-Credential
option for (ideally) every function, especiallyInvoke-FileFinder
and its threaded version as it is useful to easily know which sensitive files one can access with different collected credentials. Plus, it is convenient to be able to launch such functions from off-domain workstations (i.e the attacker one)Again, thank you. Cheers.