Local admins powershell script
TheFORCE
Member Posts: 2,297 ■■■■■■■■□□
Anyone has a ps script that takes input from .csv file of computer names, and outputs another csv file with the local admins on those computers? My searches returned too many hits, some worked but they did not take input from a file.
Comments
-
636-555-3226 Member Posts: 975 ■■■■■□□□□□Good question. I could use this in my environment if anybody has one. Wonder if there's a Nessus plug-in for that? Seems like something someone has made something for before
-
DoubleNNs Member Posts: 2,015 ■■■■■□□□□□The "Get-Content" cmdlet reads content from a text file, which seems like it could be abbreviated as "gc."$servers_list = gc file.txt
I don't know any Powershell (or much about Windows in general haha) and too lazy to spin up a Windows VM at the moment. But if you show me what you have so far (the scripts you said worked), maybe I could put something together for you tomorrow.
Edit: Or, alternatively, if you have Python available on whatever computer you're going to run the script, maybe I could write a short Python script for you?Goals for 2018:
Certs: RHCSA, LFCS: Ubuntu, CNCF CKA, CNCF CKAD | AWS Certified DevOps Engineer, AWS Solutions Architect Pro, AWS Certified Security Specialist, GCP Professional Cloud Architect
Learn: Terraform, Kubernetes, Prometheus & Golang | Improve: Docker, Python Programming
To-do | In Progress | Completed -
NetworkNewb Member Posts: 3,298 ■■■■■■■■■□Could try this... did some editing on a function I found online. Will just need to edit the last "import-cvs" line for you csv file path and out-file path (where you want to save it). Also in your csv file that lists the computer names just make sure there is a header called "ComputerName". I ran it on my computer and it worked. Just don't know how it will work on other machines. Or how the formatting will look with multiple machines.
function get-localadmins{
[cmdletbinding()]
Param(
[string]$computerName
)
$group = get-wmiobject win32_group -ComputerName $computerName -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
$query = "GroupComponent = `"Win32_Group.Domain='$($group.domain)'`,Name='$($group.name)'`""
$list = Get-WmiObject win32_groupuser -ComputerName $computerName -Filter $query
$list | %{$_.PartComponent} | % {$_.substring($_.lastindexof("Domain=") + 7).replace("`",Name=`"","\")}
}
import-csv -path C:\input.csv | foreach-object { get-localadmins $_.ComputerName } | out-file C:\output.csv -
NetworkNewb Member Posts: 3,298 ■■■■■■■■■□Just tried it out at here at work, it does work. But there is was an extra space in the code that was messing it up. Also, it just puts everything into one line... Cleaned it up a tiny bit to make easier to read with multiple computer names as well. Instead of explaining where the one extra space is here is all the code again so you can just copy and paste it. Let me know if that works on your end.
function get-localadmins{
[cmdletbinding()]
Param(
[string]$computerName
)
$group = get-wmiobject win32_group -ComputerName $computerName -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
$query = "GroupComponent = `"Win32_Group.Domain='$($group.domain)'`,Name='$($group.name)'`""
$list = Get-WmiObject win32_groupuser -ComputerName $computerName -Filter $query
$list = $list | %{$_.PartComponent} | % {$_.substring($_.lastindexof("Domain=") + 7).replace("`",Name=`"","\")}
$list = ,("Computer Name: " + $computerName) + $list
$list += " "
return $list
}
import-csv -path C:\input.csv | foreach-object { get-localadmins $_.ComputerName } | out-file C:\output.csv -
NetworkNewb Member Posts: 3,298 ■■■■■■■■■□Alright, thats weird. Must be something with this text input screen that causes an extra space in that one spot... I can't even edit my post to remove because when I select "edit post" the extra space isnt there. : Well, the extra space is in the function, the line that starts with $query. Towards the end of the of line where it says $($ group.name) , it should be $($group.name)
-
TheFORCE Member Posts: 2,297 ■■■■■■■■□□Cool, that's nice of you man. I played around a bit more yesterday on my lab with the other scripts i had and got one of them to work this morning. I'll give yours a try later also. Still scanning.
-
NetworkNewb Member Posts: 3,298 ■■■■■■■■■□no worries, I enjoy working on those. Will have to store it away in my script folder for rainy day when it might come in use. Maybe Mr.Plow will find a use for it.
-
iBrokeIT Member Posts: 1,318 ■■■■■■■■■□As a security professional you should definitely look into PowerShell Empire and the PowerView module for enumerating a Windows environment.
Great blog by the co-creator of Empire: harmj0y - security at the misfortune of others
A few of the functions of PowerView:- Find-LocalAdminAccess - finds machines on the domain that the current user has local admin access to
- Invoke-EnumerateLocalAdmin - enumerates members of the local Administrators groups across all machines in the domain
- Invoke-UserHunter - finds machines on the local domain where specified users are logged into, and can optionally check if the current user has local admin access to found machines
- Invoke-StealthUserHunter - finds all file servers utilizes in user HomeDirectories, and checks the sessions one each file server, hunting for particular users
- Invoke-ProcessHunter - hunts for processes with a specific name or owned by a specific user on domain machines
- Invoke-UserEventHunter - hunts for user logon events in domain controller event logs
Git: https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon2019: GPEN | GCFE | GXPN | GICSP | CySA+
2020: GCIP | GCIA
2021: GRID | GDSA | Pentest+
2022: GMON | GDAT
2023: GREM | GSE | GCFA
WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response -
NetworkNewb Member Posts: 3,298 ■■■■■■■■■□That Powershell Empire definitely looks interesting. Might have to check that one out after the elearnsecurity PTP course
-
TheFORCE Member Posts: 2,297 ■■■■■■■■□□I'll have to look into that, using my phone now so cant click on those links.
-
knownhero Member Posts: 450$Computer = Get-Content "c:\temp\names.csv"foreach ($i in $Computer){net localgroup administrators}
$Computers = Get-Content 'c:\temp\computernames.csv'
$Reult = 'c:\temp\test.csv'
$results = @()
foreach($Computer in $computers)
{
$admins = @()$group =[ADSI]"WinNT://$server/Administrators"
$members = @($group.psbase.Invoke("Members"))$members | foreach {
$obj = new-object psobject -Property @{
Server = $Computer
Admin = $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
}
$admins += $obj
}
$results += $admins
}
$results| Export-csv $Result -NoTypeInformation
You don't need to go into the Wmi object to achieve this.70-410 [x] 70-411 [x] 70-462[x] 70-331[x] 70-332[x]
MCSE - SharePoint 2013 :thumbup:
Road map 2017: JavaScript and modern web development