Tips-Of-Mine/PowerHuntShares
Tips-Of-Mine/PowerHuntShares
2
0
Fork 0
mirror of https://github.com/NetSPI/PowerHuntShares.git synced 2025-05-04 19:28:42 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

Added support for the nova file format.

Browse Source 
Added support for the nova file format.
This commit is contained in:
Scott Sutherland 2024-07-23 17:14:02 -05:00 committed by GitHub
parent 4ddc28df72
commit 624e697bfe
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 74 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

106
PowerHuntShares.psm1
View File

@ -4,7 +4,7 @@
#--------------------------------------
# Author: Scott Sutherland, 2024 NetSPI
# License: 3-clause BSD
# Version: v1.85
# Version: v1.86
# References: This script includes custom code and code taken and modified from the open source projects PowerView, Invoke-Ping, and Invoke-Parrell.
function Invoke-HuntSMBShares
{
@ -156,9 +156,13 @@ function Invoke-HuntSMBShares
[string]$OutputDirectory,
[Parameter(Mandatory = $false,
HelpMessage = 'Creat exported csv for import into other tools.')]
HelpMessage = 'Export to CSV file format to support importing into other tools.')]
[switch]$ExportFindings,
[Parameter(Mandatory = $false,
HelpMessage = 'Convert the export to the NOVA file format.')]
[switch]$ExportNova,
[Parameter(Mandatory = $false,
HelpMessage = 'This is the path to a host list. One per line.')]
[string] $HostList,
@ -239,6 +243,18 @@ function Invoke-HuntSMBShares
$StopWatch = [system.diagnostics.stopwatch]::StartNew()
$Time = Get-Date -UFormat "%m/%d/%Y %R"
Write-Output " [*][$Time] Scan Start"
# Nova format
If ($Nova) {
Write-Verbose " [*][$Time] The results will be export to the NOVA format as well."
$rMasterFindingId = "FindingTemplateSourceIdentifier"
$rFindingName = "FindingName"
$rAssetName = "AssetName" # This could eventually be updated to reflect a different Nova asset, e.g. 'AD Domain'.
}else{
$rMasterFindingId = "MasterFindingSourceIdentifier"
$rFindingName = "InstanceName"
$rAssetName = "AssetName" # R7 only has one option.
}
# ----------------------------------------------------------------------
@ -6447,10 +6463,10 @@ Write-Output ""
# Create new finding object
$object = New-Object psobject
$object | add-member noteproperty MasterFindingSourceIdentifier $ExcessivePrivID
$object | add-member noteproperty InstanceName "Excessive Share ACL"
$object | add-member noteproperty AssetName $ComputerName
$object | add-member noteproperty IssueFirstFoundDate $EndTime
$object | add-member noteproperty $rMasterFindingId $ExcessivePrivID
$object | add-member noteproperty $rFindingName "Excessive Share ACL"
$object | add-member noteproperty $rAssetName $ComputerName
if(-not $Nova){$object | add-member noteproperty IssueFirstFoundDate $EndTime}
$object | add-member noteproperty VerificationCaption01 "$IdentityReference has $FileSystemRights privileges on $SharePath."
$ShareDetails = @"
Computer Name: $ComputerName
@ -6470,14 +6486,18 @@ File Count: $FileCount
File List Sample:
$FileList
"@
$object | add-member noteproperty VerificationText01 $ShareDetails
if($Nova){
$object | add-member noteproperty VerificationText01 "<pre><code>$ShareDetails</code></pre>"
}else{
$object | add-member noteproperty VerificationText01 $ShareDetails
}
$object | add-member noteproperty VerificationCaption02 "caption 2"
$object | add-member noteproperty VerificationText02 "text 2"
$object | add-member noteproperty VerificationText02 ""
$object | add-member noteproperty VerificationCaption03 "caption 3"
$object | add-member noteproperty VerificationText03 "text 3"
$object | add-member noteproperty VerificationText03 ""
$object | add-member noteproperty VerificationCaption04 "caption 4"
$object | add-member noteproperty VerificationText04 "text 4"
$object
$object | add-member noteproperty VerificationText04 ""
$object
}
# Write export file
@ -6485,13 +6505,19 @@ $FileList
# Create record containing verification summary for domain
$object = New-Object psobject
$object | add-member noteproperty MasterFindingSourceIdentifier $ExcessivePrivID
$object | add-member noteproperty InstanceName "Domain ACL Summary"
$object | add-member noteproperty AssetName $TargetDomain
$object | add-member noteproperty IssueFirstFoundDate $EndTime
$object | add-member noteproperty $rMasterFindingId $ExcessivePrivID
$object | add-member noteproperty $rFindingName "Domain ACL Summary"
$object | add-member noteproperty $rAssetName $TargetDomain
if(-not $Nova){
$object | add-member noteproperty IssueFirstFoundDate $EndTime
}
$object | add-member noteproperty VerificationCaption01 "$ExcessiveSharesCount shares across $ComputerWithExcessive systems are configured with $ExcessiveSharePrivsCount potentially excessive ACLs."
$ShareDetails = $ExcessiveSharePrivs | Select-Object SharePath -Unique -ExpandProperty SharePath | Out-String
$object | add-member noteproperty VerificationText01 $ShareDetails
if($Nova){
$object | add-member noteproperty VerificationText01 "<pre><code>$ShareDetails</code></pre>"
}else{
$object | add-member noteproperty VerificationText01 $ShareDetails
}
$object | add-member noteproperty VerificationCaption02 "$TargetDomain SMB Share Scan Summary"
$Summary1 = @"
Target Domain: $TargetDomain
@ -6509,7 +6535,7 @@ $Computers445OpenCount domain computers had TCP port 445 accessible
Share Summary
$AllSMBSharesCount shares were found.
$ExcessiveSharesCount shares across $ComputerWithExcessive systems are configured with $ExcessiveSharePrivsCount potentially excessive ACLs.
$SharesWithWriteCount shares across $ComputerWithWriteCount systems can be written to.</li>
$SharesWithWriteCount shares across $ComputerWithWriteCount systems can be written to.
$SharesHighRiskCount shares across $ComputerwithHighRisk systems are considered high risk.
$Top5ShareCountTotal of $AllAccessibleSharesCount ($DupPercent) shares are associated with the top 5 share names.
@ -6526,11 +6552,15 @@ The 5 most common share names are:
$SummaryFinal = $Summary1 + $Summary2
$object | add-member noteproperty VerificationText02 "$SummaryFinal"
if($Nova){
$object | add-member noteproperty VerificationText02 "<pre><code>$SummaryFinal</code></pre>"
}else{
$object | add-member noteproperty VerificationText02 $SummaryFinal
}
$object | add-member noteproperty VerificationCaption03 "caption 3"
$object | add-member noteproperty VerificationText03 "text 3"
$object | add-member noteproperty VerificationText03 ""
$object | add-member noteproperty VerificationCaption04 "caption 4"
$object | add-member noteproperty VerificationText04 "text 4"
$object | add-member noteproperty VerificationText04 ""
# Write record to file
$object | Export-Csv -NoTypeInformation "$OutputDirectory\$TargetDomain-Excessive-Privileges-EXPORT.csv" -Append
@ -6574,10 +6604,12 @@ The 5 most common share names are:
# Create new finding object
$object = New-Object psobject
$object | add-member noteproperty MasterFindingSourceIdentifier $ExcessivehighRiskID
$object | add-member noteproperty InstanceName "Excessive Share ACL"
$object | add-member noteproperty AssetName $ComputerName
$object | add-member noteproperty IssueFirstFoundDate $EndTime
$object | add-member noteproperty $rMasterFindingId $ExcessivehighRiskID
$object | add-member noteproperty $rFindingName "Excessive Share ACL"
$object | add-member noteproperty $rAssetName $ComputerName
if(-not $Nova){
$object | add-member noteproperty IssueFirstFoundDate $EndTime
}
$object | add-member noteproperty VerificationCaption01 "$IdentityReference has $FileSystemRights privileges on $SharePath."
$ShareDetails = @"
Computer Name: $ComputerName
@ -6613,13 +6645,19 @@ $FileList
# Create record containing verification summary for domain
$object = New-Object psobject
$object | add-member noteproperty MasterFindingSourceIdentifier $ExcessivehighRiskID
$object | add-member noteproperty InstanceName "Domain ACL Summary"
$object | add-member noteproperty AssetName $TargetDomain
$object | add-member noteproperty IssueFirstFoundDate $EndTime
$object | add-member noteproperty $rMasterFindingId $ExcessivehighRiskID
$object | add-member noteproperty $rFindingName "Domain ACL Summary"
$object | add-member noteproperty $rAssetName $TargetDomain
if(-not $Nova){
$object | add-member noteproperty IssueFirstFoundDate $EndTime
}
$object | add-member noteproperty VerificationCaption01 "$SharesHighRiskCount shares across $ComputerwithHighRisk systems are considered high risk."
$ShareDetails = $SharesHighRisk | Select-Object SharePath -Unique -ExpandProperty SharePath | Out-String
$object | add-member noteproperty VerificationText01 $ShareDetails
if($Nova){
$object | add-member noteproperty VerificationText01 "<pre><code>$ShareDetails</code></pre>"
}else{
$object | add-member noteproperty VerificationText01 $ShareDetails
}
$object | add-member noteproperty VerificationCaption02 "$TargetDomain SMB Share Scan Summary"
$Summary1 = @"
Target Domain: $TargetDomain
@ -6654,11 +6692,15 @@ The 5 most common share names are:
$SummaryFinal = $Summary1 + $Summary2
$object | add-member noteproperty VerificationText02 "$SummaryFinal"
if($Nova){
$object | add-member noteproperty VerificationText02 "<pre><code>$SummaryFinal</code></pre>"
}else{
$object | add-member noteproperty VerificationText02 $SummaryFinal
}
$object | add-member noteproperty VerificationCaption03 "caption 3"
$object | add-member noteproperty VerificationText03 "text 3"
$object | add-member noteproperty VerificationText03 ""
$object | add-member noteproperty VerificationCaption04 "caption 4"
$object | add-member noteproperty VerificationText04 "text 4"
$object | add-member noteproperty VerificationText04 ""
# Write record to file
$object | Export-Csv -NoTypeInformation "$OutputDirectory\$TargetDomain-Excessive-Privileges-EXPORT.csv" -Append