Merge branch 'master' of https://github.com/0xJs/domain_audit

README.MD

@@ -1,15 +1,16 @@
 # Domain Audit
-The tool is a wrapper around PowerView, Impacket, PowerUpSQL and BloodHound to execute a lot of checks I normally perform during a AD pentest/assesment. **The tool is still being developed and tested.** Thanks to all the authors of the tools listed above!
+The tool is a wrapper around PowerView, Impacket, PowerUpSQL, BloodHound and Crackmapexec to execute a lot of checks performed during a AD pentest/assesment. Thanks to all the authors of the original tools.
 
-## Installation
-- Make sure that Python and [Impacket](https://github.com/SecureAuthCorp/impacket) are installed for kerberoasting/as-rep roasting.
-- Make sure the path viariables to the following tools are correct, especially impacket.
+## Installation/Requirements
+- Python and [Impacket](https://github.com/SecureAuthCorp/impacket) are required for kerberoasting/as-rep roasting.
+- Crackmapexec command should be known. Next version ill provide the new cme version for python 3.10 probably. Finally got it to work on my Windows VM, had some python dependancy problems which fixed by reinstalling.
+- Make sure the path viariables in the script to the following tools are correct, especially impacket (since it doesn't clone from this repo).
 ```
-$powerview_path = "$PSScriptRoot\import\PowerView.ps1" 
-$impacket_path = "$PSScriptRoot\import\impacket"
-$bloodhound_path = "$PSScriptRoot\import\Sharphound.ps1"
-$sqlchecks_path = "$PSScriptRoot\sql_checks.ps1"
-$gpregisterpolicy_path = "$PSScriptRoot\import\GPRegistryPolicy\GPRegistryPolicy.psd1"
+$script:PowerView_Path = "$PSScriptRoot\import\PowerView.ps1"
+$script:Powerupsql_Path = "$PSScriptRoot\import\PowerUpSQL.ps1"
+$script:Impacket_Path = "$PSScriptRoot\import\impacket"
+$script:BloodHound_Path = "$PSScriptRoot\import\Sharphound.ps1"
+$script:GpRegisteryPolicy_Path = "$PSScriptRoot\import\GPRegistryPolicy\GPRegistryPolicy.psd1"
 ```
 
 ## Running the tool and execute all checks
@@ -90,23 +91,26 @@ Invoke-ADCheckAll will execute the following in order:
 - Check who can add computerobjects to the domain
     - Check if this is the default authenticated users group
     - Check what the ms-ds-machineaccountqouta is, if it is null(good) or not-set(bad) or another value.
+- Check for passwords in the sysvol
+- Check for passwords in netlogon (scripts, programs etc)
 - Check for accessible machines
+- Checks for SMB
+    - Check SMBv1
+    - Check signing requirement
+    - Check for readable shares
+    - Check for writable shares
 
 ## TO-DO
-- A way to enumerate all shares, PowerView is doing weird. Crackmapexec is better but output is not in powershell and my crackmapexec is broken atm.
-- Check for sysvol and netlogon passwords
 - Checks for exchange servers in the domain and checks with (mailsniper)? If that is possible.
 - Check for signing and binding LDAPS port on DC's. (Ldaprelayscan but its kinda broken)
 - Add checks for kerberos password policy?
 - Check if printspooler is enabled on DC's
 - Check if webdav is active on reachable computers
 - Check for admin count on users or groups which are no longer admin
 - Add SQL query to retrieve databases of accessible SQL servers
-
 - Find a way to audit all ACL's (Invoke-ACLScanner doesnt work well from non domain joined perspective)
 - Add ADCS checks, but need to set this up in a LAB environment first.
 - Split invoke-sqlaudit into seperate checks
-- Function to generate a password spray list
 - Add function to skip dns change
 - Fix dependancy options
 

domain_audit.ps1

@@ -891,14 +891,35 @@ Start all SQL checks but skip prompt asking if the process is running as the dom
 
 		Write-Host "---Checking MSSQL instances---"
 		$data = Get-DomainComputer -Server $Server -Credential $Creds -Domain $Domain | Where-Object serviceprincipalname -Match MSSQL | Select-Object -ExpandProperty serviceprincipalname | Select-String MSSQL
-		$data = $data -replace 'MSSQLSvc/', ''
 		$count = $data | Measure-Object | Select-Object -expand Count
 		if ($data){ 
 			Write-Host "[+] Found $count MSSQL instances"
 
+			$TblSQLServerSpns = New-Object -TypeName System.Data.DataTable
+			$null = $TblSQLServerSpns.Columns.Add('Instance')
+
+			foreach($instance in $data) {
+
+				$sqlpart = $instance.line.split('/')[1].split(':')[1]
+
+				# Check if the instance is a number and use the relevent delim
+				$Value = 0
+				if([int32]::TryParse($sqlpart,[ref]$Value)) {
+					$sqlinstance = $instance -replace ':', ','
+				}
+				else { 
+					$sqlinstance = $instance -replace ':', '\'
+				}
+
+				$sqlinstance = $sqlinstance -replace 'MSSQLSvc/', ''
+
+				$null = $TblSQLServerSpns.Rows.Add($sqlinstance)
+
+			}
+
 			# Checking connection to MSSQL instances
 			Write-Host "[+] Checking connection to each MSSQL instance"
-			$results = ForEach ($sqlserver in $data){
+			$results = ForEach ($sqlserver in $TblSQLServerSpns.Instance){
 				Get-SQLConnectionTest -Instance $sqlserver
 			}
 			$Accessible_SQLServers = $results | Where-Object -Property status -Like Accessible