-
Notifications
You must be signed in to change notification settings - Fork 818
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support -Credential option for Invoke-FileFinder #55
Comments
-Credential
for Invoke-FileFinder
So the functions that utilize API calls (Get-NetShare, Get-NetSession, Get-NetLoggedOn) and the meta functions that wrap them (ShareFinder, FileFinder, UserHunter, etc.) don't accept additional credentials from what I can tell. For example, the NetShareEnum function used by Share/FileFinder. WMI or WinRM based methods will accept a -Credential option, but those are fewer in PowerView (Get-NetProcess/Invoke-ProcessHunter already accept alternate credentials, I suppose Get-LastLoggedOn could be amended but we rarely really use that function). The other part of FileFinder, the wrapped Get-ChildItem call, doesn't accept alternative credentials either. One option might be to create ps drives for each share we're examining, but repeated modifications to the pivot host tend to make us uncomfortable. Instead, I recommend using @sixdub's runas /netonly method described here. This will allow you to execute prompts with different credentials, even if you're on a non-domain joined system. |
I do understand the limitations, but the runas /netonly might fulfill my needs. |
You do need to be local administrator on the machine to utilize Mimikatz' PTH functionality, I believe. I checked into PSDrive a bit, and there's apparently a bug in PowerShell version 2.0 when using specified credentials to map a PSDrive. A workaround from that post (if you choose to use it) would be to do something like: $net = new-object -ComObject WScript.Network And then run Invoke-SearchFiles on the local drive path. Since we definitely don't want mass numbers of drive mountings by default in the script, we'll likely leave it in its current state. |
Thank you for that insight. |
UAC? |
Obviously granted, as it was on my own laptop. |
The version_2.0 branch just got a commit to support this. Find-InterestingFile and Invoke-FileFinder both now support a -Credential option. I wasn't able to test in the field (just in a lab), so let me know if this works and I'll re-close the issue. |
Hello there,
Thank you for this awesome framework.
To me, it would be even more awesome if you would add a
-Credential
option for (ideally) every function, especiallyInvoke-FileFinder
and its threaded version as it is useful to easily know which sensitive files one can access with different collected credentials.Plus, it is convenient to be able to launch such functions from off-domain workstations (i.e the attacker one)
Again, thank you.
Cheers.
The text was updated successfully, but these errors were encountered: