tevora-threat / SharpView

C# implementation of harmj0y's PowerView
MIT License

Get-DomainUser Not Filtering on "Name" Argument #3

Open andrewchiles opened 4 years ago

andrewchiles commented 4 years ago

Running Get-DomainUser with the following syntax fails to properly filter on the specified username and instead returns all users in the domain. The result was the same despite specifying `-name domadmin`, `-identity domadmin`, or simply `Get-DomainUser domadmin`.

[*] Tasked beacon to run .NET program: SharpView_4.5.exe Get-DomainUser -name "domadmin"
[+] host called home, sent: 840809 bytes
[+] received output:
get-domain
[Get-DomainSearcher] search base: LDAP://DC01.lab.local/DC=lab,DC=local
[Get-DomainUser] filter string: (&(samAccountType=805306368))
objectsid                      : {S-1-5-21-.....-500}
samaccounttype                 : USER_OBJECT
objectguid                     : 019324d8-f17b-45c3-b9a9-adc7e0d3b9b3
useraccountcontrol             : NORMAL_ACCOUNT
accountexpires                 : 12/31/1600 7:00:00 PM
lastlogon                      : 11/21/2014 6:42:49 AM
lastlogontimestamp             : 3/13/2020 10:40:02 AM
pwdlastset                     : 8/15/2019 10:30:55 AM
lastlogoff                     : 12/31/1600 7:00:00 PM
badPasswordTime                : 12/31/1600 7:00:00 PM
name                           : Administrator
distinguishedname              : CN=Administrator,CN=Users,DC=lab,DC=local
whencreated                    : 8/15/2019 2:32:06 PM
whenchanged                    : 3/13/2020 2:40:02 PM
samaccountname                 : Administrator
memberof                       : {CN=Group Policy Creator Owners,CN=Users,DC=lab,DC=local, CN=Domain Admins,CN=Users,DC=lab,DC=local, CN=Enterprise Admins,CN=Users,DC=lab,DC=local, CN=Schema Admins,CN=Users,DC=lab,DC=local, CN=Administrators,CN=Builtin,DC=lab,DC=local}
cn                             : {Administrator}
objectclass                    : {top, person, organizationalPerson, user}
logoncount                     : 3
codepage                       : 0
objectcategory                 : CN=Person,CN=Schema,CN=Configuration,DC=lab,DC=local
description                    : Built-in account for administering the computer/domain
usnchanged                     : 22265
instancetype                   : 4
badpwdcount                    : 0
usncreated                     : 8196
countrycode                    : 0
primarygroupid                 : 513
dscorepropagationdata          : {8/15/2019 2:47:54 PM, 8/15/2019 2:47:54 PM, 8/15/2019 2:32:44 PM, 1/1/1601 6:12:16 PM}
logonhours                     : {255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255}
admincount                     : 1
iscriticalsystemobject         : True

objectsid                      : {S-1-5-21-....-502}
samaccounttype                 : USER_OBJECT
objectguid                     : af1a1a57-681f-4d3c-8775-3b922ba9613d
useraccountcontrol             : ACCOUNTDISABLE, NORMAL_ACCOUNT
accountexpires                 : NEVER
lastlogon                      : 12/31/1600 7:00:00 PM
pwdlastset                     : 8/15/2019 10:32:44 AM
lastlogoff                     : 12/31/1600 7:00:00 PM
badPasswordTime                : 12/31/1600 7:00:00 PM
**name                           : krbtgt**
distinguishedname              : CN=krbtgt,CN=Users,DC=lab,DC=local
whencreated                    : 8/15/2019 2:32:44 PM
whenchanged                    : 8/15/2019 2:47:54 PM
samaccountname                 : krbtgt
memberof                       : {CN=Denied RODC Password Replication Group,CN=Users,DC=lab,DC=local}
cn                             : {krbtgt}
objectclass                    : {top, person, organizationalPerson, user}
ServicePrincipalName           : kadmin/changepw
logoncount                     : 0
codepage                       : 0
objectcategory                 : CN=Person,CN=Schema,CN=Configuration,DC=lab,DC=local
description                    : Key Distribution Center Service Account
usnchanged                     : 12731
instancetype                   : 4
showinadvancedviewonly         : True
badpwdcount                    : 0
usncreated                     : 12324
countrycode                    : 0
primarygroupid                 : 513
dscorepropagationdata          : {8/15/2019 2:47:54 PM, 8/15/2019 2:32:44 PM, 1/1/1601 12:04:16 AM}
msds-supportedencryptiontypes  : 0
admincount                     : 1
iscriticalsystemobject         : True

<snip - Remaining domain users were displayed>
coffeegist commented 4 years ago

@andrewchiles the arguments in this version are case sensitive unfortunately :)
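An added illustration of the root cause given in the reply above, written for this page and not taken from SharpView's source: a case-sensitive switch lookup silently ignores `-name`, so the filter sent to LDAP carries no identity clause and matches every user object, while a case-insensitive, fail-closed parser keeps the clause. The switch names, the simplified samAccountName-only filter shape, and the class name are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

// Illustrative reconstruction, not SharpView's own code: a case-sensitive switch
// lookup drops "-name", the filter gets no identity clause, and every user comes back.
public static class FilterDemo
{
    // Escape a caller-supplied value for an LDAP search filter (RFC 4515).
    public static string EscapeLdap(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            if (c == '\\') sb.Append(@"\5c");
            else if (c == '*') sb.Append(@"\2a");
            else if (c == '(') sb.Append(@"\28");
            else if (c == ')') sb.Append(@"\29");
            else if (c == '\0') sb.Append(@"\00");
            else sb.Append(c);
        }
        return sb.ToString();
    }
    // Parse "-Switch value" pairs; comparer decides whether "-name" matches "-Name".
    public static Dictionary<string, string> ParseArgs(string[] args, StringComparer comparer, bool failOnUnknown)
    {
        var known = new HashSet<string>(new[] { "-Name", "-Identity" }, comparer);
        var parsed = new Dictionary<string, string>(comparer);
        for (int i = 0; i + 1 < args.Length; i += 2)
        {
            if (known.Contains(args[i])) parsed[args[i]] = args[i + 1];
            else if (failOnUnknown) throw new ArgumentException("Unknown argument: " + args[i]);
            // otherwise the switch is silently ignored, which is the behaviour reported above
        }
        return parsed;
    }
    // Build the Get-DomainUser filter (simplified: identity matched on samAccountName only).
    public static string BuildUserFilter(Dictionary<string, string> parsed)
    {
        if (!parsed.TryGetValue("-Name", out var identity) && !parsed.TryGetValue("-Identity", out identity))
            return "(&(samAccountType=805306368))"; // no identity clause: matches every user object
        return "(&(samAccountType=805306368)(samAccountName=" + EscapeLdap(identity) + "))";
    }
    public static void Main()
    {
        string[] args = { "-name", "domadmin" };
        Console.WriteLine(BuildUserFilter(ParseArgs(args, StringComparer.Ordinal, false)));
        Console.WriteLine(BuildUserFilter(ParseArgs(args, StringComparer.OrdinalIgnoreCase, true)));
    }
}
```

The first line printed is the unscoped filter seen in the issue output; the second carries the samAccountName clause, and an unrecognised switch raises instead of being dropped, so an over-broad query cannot happen silently.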