So I’ve started doing a few Active Directory audits recently and noticed that I’m repeating myself over and over again.

As such I’ve decided to write as much of this up as possible in a PowerShell script to make my life easier. I chose PowerShell for two reasons: 1. I need to learn PowerShell, 2. I don’t want to drop an exe on a remote box.

This script doesn’t do everything, there’s still stuff to add, so recommend me things!

It currently does the following:

  • Password Policy Findings
  • Looking for accounts that don't expire
  • Looking for inactive/disabled accounts
  • Looking for Server 2003/XP machines connected to the domain
  • AD Findings
  • Domain Trust Findings
  • GPO Findings
  • Trying to find SYSVOL XML files containing cpassword
  • Trying to save NTDS.dit
PS Microsoft.PowerShell.Core\FileSystem::\\tsclient\Desktop> \\tsclient\Desktop\AdAudit.ps1
 _____ ____     _____       _ _ _
|  _  |    \   |  _  |_ _ _| |_| |_
|     |  |  |  |     | | | . | |  _|
|__|__|____/   |__|__|___|___|_|_|
v1.0                  by phillips321

[*] Script start time 04/19/2018 19:29:01
[+] Outputting to \\tsclient\Desktop\2008R2X64SP1
[*] Password Policy Findings
    [!] Password Complexity not enabled
    [!] Lockout threshold is less than 5, currently set to 0
    [!] Minimum password length is less than 14, currently set to 7
    [!] Passwords do not expire
    [!] Passwords history is less than 12, currently set to 0
    [!] 4 accounts with passwords older than 90days, see accounts_with_old_passwords.txt
[*] Looking for accounts that dont expire
    [!] There are 4 accounts that don't expire, see accounts_passdontexpire.txt
[*] Looking for inactive/disabled accounts
    [!] 1 inactive user accounts(180days), see accounts_inactive.txt
    [!] 2 disabled user accounts, see accounts_disabled.txt
[*] Looking for server 2003/XP machines connected to domain
[*] AD Findings
    [!] Domain users can add 10 devices to the domain!
    [!] SMBv1 is not disabled
[*] Domain Trust Findings
    [!] Bidirectyional trust with domain test.local!
[*] GPO Findings
    [+] GPO Report saved to GPOReport.html
    [+] Inhertied GPOs saved to ous_inheritedGPOs.txt
[*] Trying to find SysVOL xml files containg cpassword...
    [!] cpassword found in file, copying to output folder
        \\FRUIT.COM\SYSVOL\fruit.com\Policies\{039AF941-42BE-4D56-A479-A284E3494670}\User\Preferences\Drives\Drives.xml
    [!] cpassword found in file, copying to output folder
        \\FRUIT.COM\SYSVOL\fruit.com\Policies\{750D5660-5AB3-4A33-A776-6F10657A6662}\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
[*] Trying to save NTDS.dit, please wait...
    [+] NTDS.dit, SYSTEM & SAM saved to output folder
    [+] Use secretsdump.py -system registry/SYSTEM -ntds Active\ Directory/ntds.dit LOCAL -outputfile customer
[*] Script end time 04/19/2018 19:29:34

And finally the link to the code: github.com/phillips321/adaudit
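
The password policy findings in the output above can be reproduced with a check like the following. This is an added example, not code from the AdAudit script; the function name `Test-DomainPasswordPolicy` is hypothetical, the thresholds (5, 14, 12) are the ones printed in the output, and the sample object is constructed to match the values shown there.

```powershell
# Added example, not taken from AdAudit.ps1.
# Evaluates a domain password policy against the thresholds seen in the output above.
function Test-DomainPasswordPolicy {
    param(
        # Object with the properties returned by Get-ADDefaultDomainPasswordPolicy
        [Parameter(Mandatory)] $Policy
    )
    $findings = @()
    if (-not $Policy.ComplexityEnabled) {
        $findings += 'Password complexity not enabled'
    }
    # A threshold of 0 means accounts never lock out, so "less than 5" catches it too.
    if ($Policy.LockoutThreshold -lt 5) {
        $findings += "Lockout threshold is less than 5, currently set to $($Policy.LockoutThreshold)"
    }
    if ($Policy.MinPasswordLength -lt 14) {
        $findings += "Minimum password length is less than 14, currently set to $($Policy.MinPasswordLength)"
    }
    # MaxPasswordAge is a TimeSpan; a zero value means passwords never expire.
    if ($Policy.MaxPasswordAge -eq [TimeSpan]::Zero) {
        $findings += 'Passwords do not expire'
    }
    if ($Policy.PasswordHistoryCount -lt 12) {
        $findings += "Password history is less than 12, currently set to $($Policy.PasswordHistoryCount)"
    }
    return $findings
}

# Constructed sample mirroring the values in the output above, so this runs offline.
# On a host with the ActiveDirectory module, pass (Get-ADDefaultDomainPasswordPolicy) instead.
$sample = [pscustomobject]@{
    ComplexityEnabled    = $false
    LockoutThreshold     = 0
    MinPasswordLength    = 7
    MaxPasswordAge       = [TimeSpan]::Zero
    PasswordHistoryCount = 0
}

Write-Output '[*] Password Policy Findings'
Test-DomainPasswordPolicy -Policy $sample | ForEach-Object { "    [!] $_" }
```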
