Local admins powershell script

TheFORCE · May 2016

Anyone has a ps script that takes input from .csv file of computer names, and outputs another csv file with the local admins on those computers? My searches returned too many hits, some worked but they did not take input from a file.

636-555-3226 · May 2016

Good question. I could use this in my environment if anybody has one. Wonder if there's a Nessus plug-in for that? Seems like something someone has made something for before

DoubleNNs · May 2016

The "Get-Content" cmdlet reads content from a text file, which seems like it could be abbreviated as "gc."

$servers_list = gc file.txt

Would probably save the contents of your file as a variable, which you could then iterate through, using a For or Foreach loop.

I don't know any Powershell (or much about Windows in general haha) and too lazy to spin up a Windows VM at the moment. But if you show me what you have so far (the scripts you said worked), maybe I could put something together for you tomorrow.

Edit: Or, alternatively, if you have Python available on whatever computer you're going to run the script, maybe I could write a short Python script for you?

NetworkNewb · May 2016

Could try this... did some editing on a function I found online. Will just need to edit the last "import-cvs" line for you csv file path and out-file path (where you want to save it). Also in your csv file that lists the computer names just make sure there is a header called "ComputerName". I ran it on my computer and it worked. Just don't know how it will work on other machines. Or how the formatting will look with multiple machines.

function get-localadmins{
[cmdletbinding()]
Param(
[string]$computerName
)
$group = get-wmiobject win32_group -ComputerName $computerName -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
$query = "GroupComponent = `"Win32_Group.Domain='$($group.domain)'`,Name='$($group.name)'`""
$list = Get-WmiObject win32_groupuser -ComputerName $computerName -Filter $query
$list | %{$_.PartComponent} | % {$_.substring($_.lastindexof("Domain=") + 7).replace("`",Name=`"","\")}
}

import-csv -path C:\input.csv | foreach-object { get-localadmins $_.ComputerName } | out-file C:\output.csv

NetworkNewb · May 2016

Just tried it out at here at work, it does work. But there is was an extra space in the code that was messing it up. Also, it just puts everything into one line... Cleaned it up a tiny bit to make easier to read with multiple computer names as well. Instead of explaining where the one extra space is here is all the code again so you can just copy and paste it. Let me know if that works on your end.

function get-localadmins{
[cmdletbinding()]
Param(
[string]$computerName
)
$group = get-wmiobject win32_group -ComputerName $computerName -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
$query = "GroupComponent = `"Win32_Group.Domain='$($group.domain)'`,Name='$($group.name)'`""
$list = Get-WmiObject win32_groupuser -ComputerName $computerName -Filter $query
$list = $list | %{$_.PartComponent} | % {$_.substring($_.lastindexof("Domain=") + 7).replace("`",Name=`"","\")}
$list = ,("Computer Name: " + $computerName) + $list
$list += " "
return $list
}

import-csv -path C:\input.csv | foreach-object { get-localadmins $_.ComputerName } | out-file C:\output.csv

NetworkNewb · May 2016

Alright, thats weird. Must be something with this text input screen that causes an extra space in that one spot... I can't even edit my post to remove because when I select "edit post" the extra space isnt there.

: Well, the extra space is in the function, the line that starts with $query. Towards the end of the of line where it says $($ group.name) , it should be $($group.name)

TheFORCE · May 2016

Cool, that's nice of you man. I played around a bit more yesterday on my lab with the other scripts i had and got one of them to work this morning. I'll give yours a try later also. Still scanning.

NetworkNewb · May 2016

no worries, I enjoy working on those. Will have to store it away in my script folder for rainy day when it might come in use. Maybe Mr.Plow will find a use for it.

iBrokeIT · May 2016

As a security professional you should definitely look into PowerShell Empire and the PowerView module for enumerating a Windows environment.

Great blog by the co-creator of Empire: harmj0y - security at the misfortune of others

A few of the functions of PowerView:

Find-LocalAdminAccess - finds machines on the domain that the current user has local admin access to
Invoke-EnumerateLocalAdmin - enumerates members of the local Administrators groups across all machines in the domain
Invoke-UserHunter - finds machines on the local domain where specified users are logged into, and can optionally check if the current user has local admin access to found machines
Invoke-StealthUserHunter - finds all file servers utilizes in user HomeDirectories, and checks the sessions one each file server, hunting for particular users
Invoke-ProcessHunter - hunts for processes with a specific name or owned by a specific user on domain machines
Invoke-UserEventHunter - hunts for user logon events in domain controller event logs

Git: https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon

NetworkNewb · May 2016

That Powershell Empire definitely looks interesting. Might have to check that one out after the elearnsecurity PTP course

TheFORCE · May 2016

I'll have to look into that, using my phone now so cant click on those links.

knownhero · June 2016

$Computer = Get-Content "c:\temp\names.csv"foreach ($i in $Computer){net localgroup administrators}

I was looking at you message again and notice you wanted to output the file again. So I went back to the drawing board someone has actually done what I was kinda going to do.

$Computers = Get-Content 'c:\temp\computernames.csv'
$Reult = 'c:\temp\test.csv'
$results = @()
foreach($Computer in $computers)
{
$admins = @()$group =[ADSI]"WinNT://$server/Administrators"
$members = @($group.psbase.Invoke("Members"))$members | foreach {
$obj = new-object psobject -Property @{
Server = $Computer
Admin = $_.GetType().InvokeMember("Name", 'GetProperty', $null, $_, $null)
}
$admins += $obj
}
$results += $admins
}
$results| Export-csv $Result -NoTypeInformation

You don't need to go into the Wmi object to achieve this.

Local admins powershell script

Comments

Categories