phillips321 / adaudit

Powershell script to do domain auditing automation
https://www.phillips321.co.uk
374 stars 100 forks

No way to contact =( #5

Closed KennyMacCormik closed 5 years ago

KennyMacCormik commented 5 years ago

Hi,

Your site is down and I cannot find any other way to contact you. I'd like to share some simple code I think will be useful to you.

```powershell
function Get-UserWithJoinPermissions{#Looks for groups that have domain join permissions assigned
    #Needs the GroupPolicy module (Get-GPO, Get-GPOReport) and the script's own Write-Both helper
    $AllowedJoin = @();
    $AllGPOs = Get-GPO -All | sort DisplayName;
    foreach ($GPO in $AllGPOs){
        $GPOreport = Get-GPOReport -Guid $GPO.id -ReportType Xml;
        #Cheap string check before parsing the XML; IndexOf returns -1 when the string is absent
        #(the q1 prefix is the one Get-GPOReport uses for the security settings namespace)
        $permissionindex = $GPOreport.IndexOf('<q1:Name>SeMachineAccountPrivilege</q1:Name>');
        if($permissionindex -ge 0){
            $xmlreport = [xml]$GPOreport;
            #Every Member of the SeMachineAccountPrivilege right ("Add workstations to domain")
            foreach ($member in (($xmlreport.GPO.Computer.ExtensionData.Extension.UserRightsAssignment | ? name -eq 'SeMachineAccountPrivilege').member) ){
                $obj = New-Object -TypeName psobject;
                $obj | Add-Member -MemberType NoteProperty -Name GPO -Value $GPO.DisplayName;
                $obj | Add-Member -MemberType NoteProperty -Name SID -Value $member.sid.'#text';
                $obj | Add-Member -MemberType NoteProperty -Name Name -Value $member.name.'#text';

                $AllowedJoin += $obj;
            }
        }
    }
    foreach($record in $AllowedJoin){
        Write-Both "    [+] GPO [$($record.GPO)] allows object [$($record.Name)] with SID [$($record.SID)] to join computers to domain"
    }
}
```

```powershell
function Get-PrivelegedGroupMembership{#List Domain Admins, Enterprise Admins and Schema Admins members
    #Needs the ActiveDirectory module; @() keeps .count meaningful when a group is empty
    $SchemaMembers = @(Get-ADGroup 'Schema Admins' | Get-ADGroupMember);
    $EnterpriseMembers = @(Get-ADGroup 'Enterprise Admins' | Get-ADGroupMember);
    $DomainAdminsMembers = @(Get-ADGroup 'Domain Admins' | Get-ADGroupMember);
    if($SchemaMembers.count -ne 0){
        Write-Both "    [!] Schema Admins not empty!!!"
        foreach($member in $SchemaMembers){
            Write-Both "        [-] $($member.objectClass) $($member.name)"
        }
    }
    if($EnterpriseMembers.count -ne 0){
        Write-Both "    [!] Enterprise Admins not empty!!!"
        foreach($member in $EnterpriseMembers){
            Write-Both "        [-] $($member.objectClass) $($member.name)"
        }
    }
    Write-Both "    [+] Domain Admins members"
    foreach($member in $DomainAdminsMembers){
        Write-Both "        [-] $($member.objectClass) $($member.name)"
    }
}
```

phillips321 commented 5 years ago

Hi there,

This looks useful, I'll look to add it to the script. Feel free to make a pull request if you have time?

What country are you coming from to access my website? (I've blocked a few)

KennyMacCormik commented 5 years ago

I'm from Russia. I'll try to make a pull request at some point. In case you've blocked some countries you can tell me one you have not and I will try and check with VPN =)

phillips321 commented 5 years ago

Yep, Russia is on the list, sorry; come from a US VPN and you'll reach me.

KennyMacCormik commented 5 years ago

Yeah, the site opens with a VPN, but there is only Twitter =)

Btw, I cannot make a branch to put the new functions in. So here they are:

```powershell
function Get-GPOEnum{#Loops GPOs for groups that have domain join permissions assigned and for NTLM settings
    #Needs the GroupPolicy module (Get-GPO, Get-GPOReport) and the script's own Write-Both helper
    $AllowedJoin = @();
    $DenyNTLM = @();
    $AuditNTLM = @();
    $NTLMAuthExceptions = @();
    $AllGPOs = Get-GPO -All | sort DisplayName;
    foreach ($GPO in $AllGPOs){
        $GPOreport = Get-GPOReport -Guid $GPO.id -ReportType Xml;
        #Look for GPO that allows join PC to domain (IndexOf returns -1 when the string is absent)
        $permissionindex = $GPOreport.IndexOf('<q1:Name>SeMachineAccountPrivilege</q1:Name>');
        if($permissionindex -ge 0){
            $xmlreport = [xml]$GPOreport;
            foreach ($member in (($xmlreport.GPO.Computer.ExtensionData.Extension.UserRightsAssignment | ? name -eq 'SeMachineAccountPrivilege').member) ){
                $obj = New-Object -TypeName psobject;
                $obj | Add-Member -MemberType NoteProperty -Name GPO -Value $GPO.DisplayName;
                $obj | Add-Member -MemberType NoteProperty -Name SID -Value $member.sid.'#text';
                $obj | Add-Member -MemberType NoteProperty -Name Name -Value $member.name.'#text';

                $AllowedJoin += $obj;
            }
        }
        #Look for GPO that denies NTLM (Network security: Restrict NTLM: NTLM authentication in this domain)
        $permissionindex = $GPOreport.IndexOf('RestrictNTLMInDomain</q1:KeyName>');
        if($permissionindex -ge 0){
            $xmlreport = [xml]$GPOreport;
            $value = $xmlreport.gpo.Computer.ExtensionData.Extension.SecurityOptions | ? keyname -Match 'RestrictNTLMInDomain';
            $obj = New-Object -TypeName psobject;
            $obj | Add-Member -MemberType NoteProperty -Name GPO -Value $GPO.DisplayName;
            $obj | Add-Member -MemberType NoteProperty -Name Value -Value $value.Display.DisplayString;
            $DenyNTLM += $obj;
        }
        #Look for GPO that audits NTLM (Network security: Restrict NTLM: Audit NTLM authentication in this domain)
        $permissionindex = $GPOreport.IndexOf('AuditNTLMInDomain</q1:KeyName>');
        if($permissionindex -ge 0){
            $xmlreport = [xml]$GPOreport;
            $value = $xmlreport.gpo.Computer.ExtensionData.Extension.SecurityOptions | ? keyname -Match 'AuditNTLMInDomain';
            $obj = New-Object -TypeName psobject;
            $obj | Add-Member -MemberType NoteProperty -Name GPO -Value $GPO.DisplayName;
            $obj | Add-Member -MemberType NoteProperty -Name Value -Value $value.Display.DisplayString;
            $AuditNTLM += $obj;
        }
        #Look for GPO that allows NTLM exclusions (Network security: Restrict NTLM: Add server exceptions in this domain)
        $permissionindex = $GPOreport.IndexOf('DCAllowedNTLMServers</q1:KeyName>');
        if($permissionindex -ge 0){
            $xmlreport = [xml]$GPOreport;
            foreach ($member in (($xmlreport.gpo.Computer.ExtensionData.Extension.SecurityOptions | ? keyname -Match 'DCAllowedNTLMServers').SettingStrings.Value) ){
                $NTLMAuthExceptions += $member;
            }
        }
    }
    #Output for join PC to domain
    foreach($record in $AllowedJoin){
        Write-Both "    [+] GPO [$($record.GPO)] allows object [$($record.Name)] with SID [$($record.SID)] to join computers to domain"
    }
    #Output for deny NTLM
    if($DenyNTLM.count -eq 0){
        Write-Both "    [!] NTLM authentication allowed in the domain"
    }else{
        foreach($record in $DenyNTLM){
            Write-Both "    [+] NTLM authentication restricted by GPO [$($record.gpo)] with value [$($record.value)]"
        }
    }
    #Output for NTLM exceptions
    if($NTLMAuthExceptions.count -ne 0){
        Write-Both "    [+] List of NTLM auth exceptions"
        foreach($record in $NTLMAuthExceptions){
            Write-Both "        [-] $($record)"
        }
    }
    #Output for NTLM audit (iterates $AuditNTLM, not $DenyNTLM, so audit GPOs are the ones reported)
    if($AuditNTLM.count -eq 0){
        Write-Both "    [!] NTLM audit is not enabled in the domain"
    }else{
        foreach($record in $AuditNTLM){
            Write-Both "    [+] NTLM audit enabled by GPO [$($record.gpo)] with value [$($record.value)]"
        }
    }
}

function Get-PrivelegedGroupMembership{#List Domain Admins, Enterprise Admins and Schema Admins members
    #Needs the ActiveDirectory module; @() keeps .count meaningful when a group is empty
    $SchemaMembers = @(Get-ADGroup 'Schema Admins' | Get-ADGroupMember);
    $EnterpriseMembers = @(Get-ADGroup 'Enterprise Admins' | Get-ADGroupMember);
    $DomainAdminsMembers = @(Get-ADGroup 'Domain Admins' | Get-ADGroupMember);
    if($SchemaMembers.count -ne 0){
        Write-Both "    [!] Schema Admins not empty!!!"
        foreach($member in $SchemaMembers){
            Write-Both "        [-] $($member.objectClass) $($member.name)"
        }
    }
    if($EnterpriseMembers.count -ne 0){
        Write-Both "    [!] Enterprise Admins not empty!!!"
        foreach($member in $EnterpriseMembers){
            Write-Both "        [-] $($member.objectClass) $($member.name)"
        }
    }
    Write-Both "    [+] Domain Admins members"
    foreach($member in $DomainAdminsMembers){
        Write-Both "        [-] $($member.objectClass) $($member.name)"
    }
}
```

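
The functions above find the same GPO settings by searching the report text for a hard-coded `q1:` prefix; an added example (not adaudit's code and not the issue author's) that extracts the join right, the NTLM restriction and the DC exception list from a GPO XML report with namespace-agnostic XPath, so it does not depend on that prefix and can be run offline against the constructed sample below:

```powershell
function Get-GpoReportFindings {
    param([Parameter(Mandatory)][string]$ReportXml)
    $xml = [xml]$ReportXml
    # local-name() ignores the namespace prefix, which Get-GPOReport does not always emit as q1
    $gpoName = $xml.SelectSingleNode("/*[local-name()='GPO']/*[local-name()='Name']").InnerText
    $findings = @()
    # Principals granted SeMachineAccountPrivilege ("Add workstations to domain")
    $q = "//*[local-name()='UserRightsAssignment'][*[local-name()='Name']='SeMachineAccountPrivilege']/*[local-name()='Member']"
    foreach ($m in $xml.SelectNodes($q)) {
        $findings += [pscustomobject]@{
            GPO = $gpoName; Setting = 'SeMachineAccountPrivilege'
            Name = $m.SelectSingleNode("*[local-name()='Name']").InnerText
            Value = $m.SelectSingleNode("*[local-name()='SID']").InnerText
        }
    }
    # NTLM restriction, NTLM audit and DC-side NTLM exceptions, matched on the registry key name
    foreach ($key in 'RestrictNTLMInDomain', 'AuditNTLMInDomain', 'DCAllowedNTLMServers') {
        $q = "//*[local-name()='SecurityOptions'][contains(*[local-name()='KeyName'],'$key')]"
        foreach ($opt in $xml.SelectNodes($q)) {
            # Enumerated settings carry Display/DisplayString; multi-string settings carry SettingStrings/Value
            $display = $opt.SelectSingleNode("*[local-name()='Display']/*[local-name()='DisplayString']")
            $strings = @($opt.SelectNodes("*[local-name()='SettingStrings']/*[local-name()='Value']") | ForEach-Object InnerText)
            $value = if ($display) { $display.InnerText } else { $strings -join ', ' }
            $findings += [pscustomobject]@{ GPO = $gpoName; Setting = $key; Name = $key; Value = $value }
        }
    }
    return $findings
}

# Constructed, trimmed report in the shape Get-GPOReport -ReportType Xml returns (not real output)
$SampleReport = @'
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings">
  <Name>Default Domain Controllers Policy</Name>
  <Computer><ExtensionData>
    <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Security">
      <q1:UserRightsAssignment><q1:Name>SeMachineAccountPrivilege</q1:Name>
        <q1:Member><q1:Name>NT AUTHORITY\Authenticated Users</q1:Name><q1:SID>S-1-5-11</q1:SID></q1:Member>
      </q1:UserRightsAssignment>
      <q1:SecurityOptions><q1:KeyName>MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictNTLMInDomain</q1:KeyName>
        <q1:Display><q1:DisplayString>Deny all</q1:DisplayString></q1:Display></q1:SecurityOptions>
      <q1:SecurityOptions><q1:KeyName>MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\DCAllowedNTLMServers</q1:KeyName>
        <q1:SettingStrings><q1:Value>legacyapp01</q1:Value><q1:Value>legacyapp02</q1:Value></q1:SettingStrings></q1:SecurityOptions>
    </Extension>
  </ExtensionData></Computer>
</GPO>
'@

# In a live domain, swap $SampleReport for (Get-GPOReport -Guid $gpo.Id -ReportType Xml)
Get-GpoReportFindings -ReportXml $SampleReport | Format-Table -AutoSize
```

Against the sample this returns three rows: Authenticated Users (S-1-5-11) holding the join right, RestrictNTLMInDomain set to "Deny all", and the two DC exception hosts; a GPO with no AuditNTLMInDomain key yields no audit row, which is the "audit not enabled" case the functions above report.
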
KennyMacCormik commented 5 years ago

Found out the way to do it correctly. Closing issue. Thanks.