PowerShellEmpire / PowerTools

PowerTools is a collection of PowerShell projects with a focus on offensive operations.

DFSv1 Pkt Parsing for Folder Redirections #79

Closed Meatballs1 closed 8 years ago

Meatballs1 commented 8 years ago

In a real-life environment using DFSv1, each user's home directory had a redirection to another file-share, rather than being hosted directly on the namespace server. The Pkt structure contains a list of each of the folders and their targets. I'm not sure if this occurs in DFSv2.

For example, \\domain\dfsshare\home\bob is on the dfsshare namespace, which is hosted on DC01.

The redirection for folder \bob points to \\fileshare01\homes$\bob etc.

Previously, Get-DFSShare would just list DC01 as a fileshare.

https://msdn.microsoft.com/en-us/library/cc227146.aspx

This additional code parses the Pkt and grabs each of the unique server name targets under the namespace so that they can be interrogated by Invoke-UserHunter etc.

Testing Environment


Output

PS C:\Users\Administrator> Get-DFSshare

RemoteServerName                                                     Name
----------------                                                     ----
parp                                                                 TestNameSpace
WIN-2DE8F2QP867                                                      TestNameSpace

Meatballs1 commented 8 years ago

N.b. The code parses out pretty much all the pieces of data; you don't need to grab all of these bits for what we want, but you need to work out most of the offsets as you go anyway due to variable-sized objects. If someone wants to take the code later and output the $prefix value and each of the target $server_name and $share_name, they can see where each folder is being redirected.

Meatballs1 commented 8 years ago

See https://github.com/PowerShellMafia/PowerSploit/pull/117