All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Admin Module
  - Added `get_creds` command to pull credential blobs from SCCM
  - Added `get_azurecreds` command to pull Azure co-management application blobs
  - Added `get_azuretenant` command to pull Azure tenant info
  - Added `get_pxepassword` command to pull PXE boot blobs if configured
  - Added `get_forestkey` command to pull forest discovery session key blobs
  - Added `decrypt` command to decrypt passed credential blob
  - Added `decryptEx` command to decrypt forest discovery credential blobs
    - You've got to be "interactive" with the SCCM primary site server for decryption to work
      - This means the site server must be a client
      - Uses script execution
  - Updates thanks to Parzel:
    - Added `list_script` command to list scripts published to SCCM
    - Added `delete_script` command to delete a target script from SCCM
- Added
- HTTP Module
  - Fixed a bug where `-mp` flag wasn't correctly setting the policy request target
  - Fixed a bug where
- Find module
  - Channel binding is now supported when using NTLM auth
- MSSQL module
  - Channel binding is now supported when using NTLM auth
- Fixed a bug where site servers weren't being added to the computers table, causing further profiling to fail
- Fixed a bug in `MSSQL` where SID translation failed when using Kerberos authentication
- Find module
  - Added distribution point check in LDAP
- SMB module
  - Added distribution point profiling to determine if the found host is SCCM or WDS related
- Admin module
  - Added "approver credentials" check to ensure credentials are valid when script approval is required for the hierarchy
- Fixed a bug where an arbitrary security group would get removed when running the `delete_admin` command in the Admin module
- Fixed a bug where an existing admin account would not be located due to a displayname vs logonname conflict
- Updated `MSSQL` module's stacked query to check if the account already exists by @_Mayyhem
- Additional DPAPI module features added by @s1zzzz
- Fixed bug where `find` would hard fail if a computer object did not have a dNSHostName attribute
- Fixed bug where the `SMB` module would fail while spidering the "REMINST" share if the "SMSTemp" directory did not exist
- Fixed Kerberos auth bug where LDAP parsing failed
- Find module
  - Site servers and Management Points are broken out to their own table
  - Added `-resolve` flag to handle unrolling group membership
  - Added CAS, SMSprovider, and Config columns to Site Servers table
  - Added SMSProvider to Computers Table
- SMB module
  - Added SMS Provider check
  - Added Management Point check
  - Added Active/Passive config check
  - Added Central Administration Site check
- HTTP module
  - Added "stop on success" logic if credentials are recovered
  - Added `-sleep` flag to set time to wait until requesting policies following registration
  - Added `-uuid` and `-mp` flags to allow the operator to manually request policies
- MSSQL module
  - Added `-stacked` flag to provide a stacked MSSQL query for relaying rather than individual queries
  - Added
- Admin module
  - Added `show_admins` command to list current admin accounts
  - Added
- Show module
  - Added `-json` and `-csv` flags to export tables
  - Added `-creds` flag to show recovered credentials from HTTP or DPAPI
  - Added
- Updated all data storage methods to SQLite
- Changed banner
- Find module
  - Refactored code and fixed a bug where LDAP searches weren't being performed properly
- SMB module
  - Fixed a bug where discovered site servers and management points weren't being added for service checks
- HTTP module
  - Fixed a bug where errors weren't properly handled if the database was missing (caused by not running the find module)
  - Fixed a bug where Management Points weren't being pulled from the Computers table
- Added admin module