So I’ve started doing a few Active Directory audits recently and noticed that I’m repeating myself over and over again.
As such I’ve decided to write as much of this up as possible in a PowerShell script to make my life easier. I chose PowerShell for two reasons: 1. I need to learn PowerShell; 2. I don’t want to drop an exe on a remote box.
This script doesn’t do everything, there’s still stuff to add, so recommend me things!
It currently does the following:
- Password Policy Findings
- Looking for accounts that don't expire
- Looking for inactive/disabled accounts
- Looking for Server 2003/XP machines connected to the domain
- AD Findings
- Domain Trust Findings
- GPO Findings
- Trying to find SYSVOL XML files containing cpassword
- Trying to save NTDS.dit
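The password-policy, account and domain checks from the list above, written out as an added example on the RSAT ActiveDirectory cmdlets; this is not code from the adaudit repository. The function names (Test-PasswordPolicy, Get-AccountFindings, Get-DomainFindings, Invoke-AdAuditLite), the output file names and the thresholds (5 lockout attempts, 14 characters, 12 remembered passwords, 90 and 180 days) are assumptions taken from the findings the script prints in the sample run further down.

```powershell
# Added example, not the adaudit script. Needs the RSAT ActiveDirectory module and a
# domain-joined session with read access to the domain. Thresholds are assumptions
# mirroring the findings in the sample output (5 / 14 / 12 / 90 days / 180 days).
Import-Module ActiveDirectory

function Test-PasswordPolicy {
    # Accepts the object Get-ADDefaultDomainPasswordPolicy returns, or anything with the
    # same property names, so the rules can be exercised against a hand-built policy.
    param([Parameter(Mandatory)]$Policy)
    $f = New-Object System.Collections.Generic.List[string]
    if (-not $Policy.ComplexityEnabled)      { $f.Add('Password complexity not enabled') }
    if ($Policy.LockoutThreshold -lt 5)      { $f.Add("Lockout threshold is less than 5, currently set to $($Policy.LockoutThreshold)") }
    if ($Policy.MinPasswordLength -lt 14)    { $f.Add("Minimum password length is less than 14, currently set to $($Policy.MinPasswordLength)") }
    # Assumption: the cmdlet reports "passwords never expire" as a zero TimeSpan
    if ($Policy.MaxPasswordAge -eq [TimeSpan]::Zero) { $f.Add('Passwords do not expire') }
    if ($Policy.PasswordHistoryCount -lt 12) { $f.Add("Password history is less than 12, currently set to $($Policy.PasswordHistoryCount)") }
    return $f
}

function Get-AccountFindings {
    param([int]$OldPasswordDays = 90, [int]$InactiveDays = 180)
    $cutoff = (Get-Date).AddDays(-$OldPasswordDays)
    [pscustomobject]@{
        # PasswordLastSet is null when "must change at next logon"; skip those
        OldPasswords    = @(Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
                            Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff })
        NeverExpire     = @(Search-ADAccount -PasswordNeverExpires -UsersOnly)
        # -AccountInactive is based on lastLogonTimestamp, which replicates lazily (about 14 days)
        Inactive        = @(Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) -UsersOnly)
        Disabled        = @(Search-ADAccount -AccountDisabled -UsersOnly)
        LegacyComputers = @(Get-ADComputer -Filter 'OperatingSystem -like "*2003*" -or OperatingSystem -like "*XP*"' -Properties OperatingSystem)
    }
}

function Get-DomainFindings {
    $domain = Get-ADDomain
    # ms-DS-MachineAccountQuota: how many computers any authenticated user may join (default 10)
    $quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    [pscustomobject]@{
        MachineAccountQuota = $quota
        BidirectionalTrusts = @(Get-ADTrust -Filter * | Where-Object { $_.Direction -eq 'BiDirectional' })
    }
}

function Invoke-AdAuditLite {
    param([string]$OutDir = (Join-Path (Get-Location).Path ('adaudit-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))))
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    Write-Host "[+] Outputting to $OutDir"

    Write-Host '[*] Password Policy Findings'
    Test-PasswordPolicy (Get-ADDefaultDomainPasswordPolicy) | ForEach-Object { Write-Host "[!] $_" }

    Write-Host '[*] Account Findings'
    $acct  = Get-AccountFindings
    $lists = @{
        'accounts_with_old_passwords.txt' = $acct.OldPasswords
        'accounts_passdontexpire.txt'     = $acct.NeverExpire
        'accounts_inactive.txt'           = $acct.Inactive
        'accounts_disabled.txt'           = $acct.Disabled
        'computers_legacy_os.txt'         = $acct.LegacyComputers
    }
    foreach ($name in $lists.Keys) {
        $items = $lists[$name]
        if ($items.Count -gt 0) {
            $items | Select-Object -ExpandProperty SamAccountName | Set-Content -Path (Join-Path $OutDir $name)
            Write-Host "[!] $($items.Count) entries, see $name"
        }
    }

    Write-Host '[*] AD and Trust Findings'
    $dom = Get-DomainFindings
    if ($dom.MachineAccountQuota -gt 0) { Write-Host "[!] Domain users can add $($dom.MachineAccountQuota) devices to the domain!" }
    foreach ($t in $dom.BidirectionalTrusts) { Write-Host "[!] Bidirectional trust with domain $($t.Name)!" }
}

Invoke-AdAuditLite
```

Two caveats when reading the results: fine-grained password policies (Get-ADFineGrainedPasswordPolicy -Filter *) override the default domain policy for the groups they apply to, so a clean default policy does not mean every account is covered; and because Search-ADAccount -AccountInactive relies on the lazily replicated lastLogonTimestamp, a 180-day window is safe but anything under about two weeks is not.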
Example output from a test run:

```
PS Microsoft.PowerShell.Core\FileSystem::\\tsclient\Desktop> \\tsclient\Desktop\AdAudit.ps1
[ASCII-art "AdAudit" banner]  v1.0 by phillips321
[*] Script start time 04/19/2018 19:29:01
[+] Outputting to \\tsclient\Desktop\2008R2X64SP1
[*] Password Policy Findings
[!] Password Complexity not enabled
[!] Lockout threshold is less than 5, currently set to 0
[!] Minimum password length is less than 14, currently set to 7
[!] Passwords do not expire
[!] Passwords history is less than 12, currently set to 0
[!] 4 accounts with passwords older than 90days, see accounts_with_old_passwords.txt
[*] Looking for accounts that dont expire
[!] There are 4 accounts that don't expire, see accounts_passdontexpire.txt
[*] Looking for inactive/disabled accounts
[!] 1 inactive user accounts(180days), see accounts_inactive.txt
[!] 2 disabled user accounts, see accounts_disabled.txt
[*] Looking for server 2003/XP machines connected to domain
[*] AD Findings
[!] Domain users can add 10 devices to the domain!
[!] SMBv1 is not disabled
[*] Domain Trust Findings
[!] Bidirectyional trust with domain test.local!
[*] GPO Findings
[+] GPO Report saved to GPOReport.html
[+] Inhertied GPOs saved to ous_inheritedGPOs.txt
[*] Trying to find SysVOL xml files containg cpassword...
[!] cpassword found in file, copying to output folder \\FRUIT.COM\SYSVOL\fruit.com\Policies\{039AF941-42BE-4D56-A479-A284E3494670}\User\Preferences\Drives\Drives.xml
[!] cpassword found in file, copying to output folder \\FRUIT.COM\SYSVOL\fruit.com\Policies\{750D5660-5AB3-4A33-A776-6F10657A6662}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
[*] Trying to save NTDS.dit, please wait...
[+] NTDS.dit, SYSTEM & SAM saved to output folder
[+] Use secretsdump.py -system registry/SYSTEM -ntds Active\ Directory/ntds.dit LOCAL -outputfile customer
[*] Script end time 04/19/2018 19:29:34
```
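The cpassword search from the run above only copies the XML files out; the added example below, which is not part of the adaudit script, goes one step further and decrypts what it finds. Group Policy Preferences encrypted these passwords with AES-256 under a fixed key that Microsoft published on MSDN (the ability to set them was removed by MS14-025), so any cpassword readable in SYSVOL is effectively plaintext. The function names (Find-Cpassword, ConvertFrom-Cpassword, ConvertTo-Cpassword, New-GppAes), the sample GPO folder under %TEMP%, and the FRUIT\svc_share account and its password are all constructed for this example; ConvertTo-Cpassword exists only to build that sample so the block runs offline.

```powershell
# Added example, not the adaudit script. Finds cpassword attributes under a SYSVOL-like
# tree and decrypts them with the AES-256 key Microsoft published for Group Policy
# Preferences. The sample tree written to %TEMP% is constructed here, not real data.
$GppKey = [byte[]](0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                   0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)

function New-GppAes {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key     = $GppKey
    $aes.IV      = New-Object byte[] 16    # GPP uses an all-zero IV
    return $aes
}

function ConvertFrom-Cpassword {
    param([Parameter(Mandatory)][string]$Cpassword)
    # Windows stores the Base64 without '=' padding; a length of 1 mod 4 can never be valid.
    if ($Cpassword.Length % 4 -eq 1) { throw "cpassword '$Cpassword' is not valid Base64" }
    $padded = $Cpassword + ('=' * ((4 - ($Cpassword.Length % 4)) % 4))
    $cipher = [Convert]::FromBase64String($padded)
    $aes = New-GppAes
    try {
        $plain = $aes.CreateDecryptor().TransformFinalBlock($cipher, 0, $cipher.Length)
        return [System.Text.Encoding]::Unicode.GetString($plain)   # plaintext is UTF-16LE
    } finally { $aes.Dispose() }
}

function ConvertTo-Cpassword {
    # Only used to build the constructed sample below; real values come from SYSVOL.
    param([Parameter(Mandatory)][string]$Plaintext)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Plaintext)
    $aes = New-GppAes
    try {
        $cipher = $aes.CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
        return [Convert]::ToBase64String($cipher).TrimEnd('=')
    } finally { $aes.Dispose() }
}

function Find-Cpassword {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Filter *.xml | ForEach-Object {
        $file = $_.FullName
        try { [xml]$doc = Get-Content -Path $file -Raw } catch { return }   # skip non-XML
        # Any element carrying a cpassword attribute: Drives, ScheduledTasks, Groups, Services, DataSources
        foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
            $cp   = $node.GetAttribute('cpassword')
            $user = @('userName', 'runAs', 'accountName') | ForEach-Object { $node.GetAttribute($_) } |
                    Where-Object { $_ } | Select-Object -First 1
            [pscustomobject]@{
                File      = $file
                UserName  = $user
                Cpassword = $cp
                Password  = $(try { ConvertFrom-Cpassword $cp } catch { "<decrypt failed: $($_.Exception.Message)>" })
            }
        }
    }
}

# --- constructed sample tree (assumption: folder layout mirrors SYSVOL\<domain>\Policies) ---
$sampleRoot = Join-Path $env:TEMP 'sysvol-sample'
$drivesDir  = Join-Path $sampleRoot 'Policies\{sample-gpo}\User\Preferences\Drives'
New-Item -ItemType Directory -Path $drivesDir -Force | Out-Null
$cp = ConvertTo-Cpassword 'Summer2018!'   # constructed password, not a real one
@"
<?xml version="1.0" encoding="utf-8"?>
<Drives>
  <Drive name="S:" status="S:">
    <Properties action="U" userName="FRUIT\svc_share" cpassword="$cp" path="\\fileserver\share" letter="S"/>
  </Drive>
</Drives>
"@ | Set-Content -Path (Join-Path $drivesDir 'Drives.xml') -Encoding UTF8

Find-Cpassword -Root $sampleRoot | Format-List
```

For a real engagement point it at the domain share instead: Find-Cpassword -Root "\\$env:USERDNSDOMAIN\SYSVOL". Every domain user can read SYSVOL, which is why these files matter even when the GPO only applies to a handful of machines, and why the fix is to delete the preference item rather than just patch the DCs: MS14-025 stops new passwords being set but leaves existing XML files in place.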
And finally, the link to the code: github.com/phillips321/adaudit