Local admins powershell script

TheFORCE

Anyone has a ps script that takes input from .csv file of computer names, and outputs another csv file with the local admins on those computers? My searches returned too many hits, some worked but they did not take input from a file.

636-555-3226

Good question. I could use this in my environment if anybody has one. Wonder if there's a Nessus plug-in for that? Seems like something someone has made something for before

DoubleNNs

The "Get-Content" cmdlet reads content from a text file, which seems like it could be abbreviated as "gc."

$servers_list = gc file.txt

Would probably save the contents of your file as a variable, which you could then iterate through, using a For or Foreach loop.

I don't know any Powershell (or much about Windows in general haha) and too lazy to spin up a Windows VM at the moment. But if you show me what you have so far (the scripts you said worked), maybe I could put something together for you tomorrow.

Edit: Or, alternatively, if you have Python available on whatever computer you're going to run the script, maybe I could write a short Python script for you?

NetworkNewb

Could try this... did some editing on a function I found online. Will just need to edit the last "import-cvs" line for you csv file path and out-file path (where you want to save it). Also in your csv file that lists the computer names just make sure there is a header called "ComputerName". I ran it on my computer and it worked. Just don't know how it will work on other machines. Or how the formatting will look with multiple machines.



function get-localadmins{
[cmdletbinding()]
Param(
[string]$computerName
)
$group = get-wmiobject win32_group -ComputerName $computerName -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
$query = "GroupComponent = `"Win32_Group.Domain='$($group.domain)'`,Name='$($group.name)'`""
$list = Get-WmiObject win32_groupuser -ComputerName $computerName -Filter $query
$list | %{$_.PartComponent} | % {$_.substring($_.lastindexof("Domain=") + 7).replace("`",Name=`"","\")}
}

import-csv -path C:\input.csv | foreach-object { get-localadmins $_.ComputerName } | out-file C:\output.csv

NetworkNewb

Just tried it out at here at work, it does work. But there is was an extra space in the code that was messing it up. Also, it just puts everything into one line... Cleaned it up a tiny bit to make easier to read with multiple computer names as well. Instead of explaining where the one extra space is here is all the code again so you can just copy and paste it. Let me know if that works on your end.


function get-localadmins{
[cmdletbinding()]
Param(
[string]$computerName
)
$group = get-wmiobject win32_group -ComputerName $computerName -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
$query = "GroupComponent = `"Win32_Group.Domain='$($group.domain)'`,Name='$($group.name)'`""
$list = Get-WmiObject win32_groupuser -ComputerName $computerName -Filter $query
$list = $list | %{$_.PartComponent} | % {$_.substring($_.lastindexof("Domain=") + 7).replace("`",Name=`"","\")}
$list = ,("Computer Name: " + $computerName) + $list
$list += " "
return $list
}


import-csv -path C:\input.csv | foreach-object { get-localadmins $_.ComputerName } | out-file C:\output.csv

NetworkNewb

Alright, thats weird. Must be something with this text input screen that causes an extra space in that one spot... I can't even edit my post to remove because when I select "edit post" the extra space isnt there. : Well, the extra space is in the function, the line that starts with $query. Towards the end of the of line where it says $($ group.name) , it should be $($group.name)

TheFORCE

Cool, that's nice of you man. I played around a bit more yesterday on my lab with the other scripts i had and got one of them to work this morning. I'll give yours a try later also. Still scanning.

NetworkNewb

no worries, I enjoy working on those. Will have to store it away in my script folder for rainy day when it might come in use. Maybe Mr.Plow will find a use for it.

iBrokeIT

As a security professional you should definitely look into PowerShell Empire and the PowerView module for enumerating a Windows environment.

Great blog by the co-creator of Empire: harmj0y - security at the misfortune of others

A few of the functions of PowerView:

• Find-LocalAdminAccess - finds machines on the domain that the current user has local admin access to
• Invoke-EnumerateLocalAdmin - enumerates members of the local Administrators groups across all machines in the domain
• Invoke-UserHunter - finds machines on the local domain where specified users are logged into, and can optionally check if the current user has local admin access to found machines
• Invoke-StealthUserHunter - finds all file servers utilizes in user HomeDirectories, and checks the sessions one each file server, hunting for particular users
• Invoke-ProcessHunter - hunts for processes with a specific name or owned by a specific user on domain machines
• Invoke-UserEventHunter - hunts for user logon events in domain controller event logs

Git: https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon

NetworkNewb

That Powershell Empire definitely looks interesting. Might have to check that one out after the elearnsecurity PTP course

TheFORCE

I'll have to look into that, using my phone now so cant click on those links.

knownhero

$Computer = Get-Content "c:\temp\names.csv"foreach ($i in $Computer){net localgroup administrators}

I was looking at you message again and notice you wanted to output the file again. So I went back to the drawing board someone has actually done what I was kinda going to do.

$Computers = Get-Content 'c:\temp\computernames.csv'
$Reult = 'c:\temp\test.csv'
$results = @()
foreach($Computer in $computers)
{
$admins = @()$group =[ADSI]"WinNT://$server/Administrators"
$members = @($group.psbase.Invoke("Members"))$members | foreach {
$obj = new-object psobject -Property @{
Server = $Computer
Admin = $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
}
$admins += $obj
}
$results += $admins
}
$results| Export-csv $Result -NoTypeInformation

You don't need to go into the Wmi object to achieve this.