@@ -230,7 +230,7 @@ function Invoke-HuntSMBShares
230230 Write-Output " o Filter for computers that have TCP 445 open and accessible "
231231 Write-Output " o Enumerate SMB shares "
232232 Write-Output " o Enumerate SMB share permissions "
233- Write-Output " o Identify shares with potentially excessive privielges "
233+ Write-Output " o Identify shares with potentially excessive privileges "
234234 Write-Output " o Identify shares that provide read or write access "
235235 Write-Output " o Identify shares thare are high risk "
236236 Write-Output " o Identify common share owners, names, & directory listings "
@@ -1484,6 +1484,7 @@ function Invoke-HuntSMBShares
14841484 $FileNamePatternsAll.Rows.Add("httpd.conf*","","None.","Secret","") | Out-Null
14851485 $FileNamePatternsAll.Rows.Add("hudson.security.HudsonPrivateSecurityRealm.*","","None.","Secret","Get-PwJenkinsConfig") | Out-Null
14861486 $FileNamePatternsAll.Rows.Add("config.xml*","","None.","Secret","Get-PwJenkinsConfig") | Out-Null
1487+ $FileNamePatternsAll.Rows.Add("*preInst.bds*","","None.","Secret","Get-PwBaramundiPreInst") | Out-Null
14871488 $FileNamePatternsAll.Rows.Add("jboss-cli.xml*","","None.","Secret","Get-PwJbossCliConfig") | Out-Null
14881489 $FileNamePatternsAll.Rows.Add("jboss-logmanager.properties*","","None.","Secret","") | Out-Null
14891490 $FileNamePatternsAll.Rows.Add("jenkins.model.JenkinsLocationConfiguration.*","","None.","Secret","") | Out-Null
@@ -26402,6 +26403,63 @@ function Get-PwJenkinsConfig {
2640226403# Get-PwJenkinsConfig -FilePath "C:\tools\Sample Configuration Files\configs\config.xml" -ComputerName 'computer' -ShareName 'sharename' -UncFilePath '\\computer\sharename\file.txt' -FileName 'file.txt'
2640326404
2640426405
26406+ # Author: Raphael Kuhn, DriveByte GmbH (@_Raeph)
26407+ # Intended input: preInst.bds (Baramundi Files that often contain credentials)
26408+
26409+ function Get-PwBaramundiPreInst {
26410+ param (
26411+ [string]$ComputerName = $null, # Optional
26412+ [string]$ShareName = $null, # Optional
26413+ [string]$UncFilePath = $null, # Optional
26414+ [string]$FileName = $null, # Optional
26415+ [string]$FilePath # Required
26416+ )
26417+
26418+ # Ensure the file exists
26419+ if (-Not (Test-Path $FilePath)) {
26420+ Write-Error "File not found: $FilePath"
26421+ return
26422+ }
26423+
26424+ # Read the BDS/XML content as plain text
26425+ $xmlText = Get-Content -Path $FilePath -Raw
26426+
26427+ # Alternative Way:
26428+ #$userPattern = "<VALUE>/User=(?<uname>.*)</VALUE>"
26429+ #$PwPattern = "<VALUE>/PWD=(?<passw>.*)</VALUE>"
26430+ #$username = [Regex]::Matches($xmlText,$userPattern)[0].Groups["uname"].value
26431+ #$password = [Regex]::Matches($xmlText,$PwPattern)[0].Groups["passw"].value
26432+
26433+ $userPattern = "<VALUE>/User=(.*)</VALUE>"
26434+ $PwPattern = "<VALUE>/PWD=(.*)</VALUE>"
26435+
26436+ $username = [Regex]::Matches($xmlText,$userPattern).Groups[1].value
26437+ $password = [Regex]::Matches($xmlText,$PwPattern).Groups[1].value
26438+
26439+ # Create and return the result as a PowerShell object
26440+ $result = [PSCustomObject]@{
26441+
26442+ ComputerName = $ComputerName
26443+ ShareName = $ShareName
26444+ UncFilePath = $UncFilePath
26445+ FileName = $FileName
26446+ Section = "NA"
26447+ ObjectName = "NA"
26448+ TargetURL = "NA"
26449+ TargetServer = "NA"
26450+ TargetPort = "NA"
26451+ Database = "NA"
26452+ Domain = "NA"
26453+ Username = $username
26454+ Password = $password
26455+ PasswordEnc = "NA"
26456+ KeyFilePath = "NA"
26457+ }
26458+
26459+ return $result
26460+ }
26461+ # Get-PwBaramundiPreInst -ComputerName "testserver.test.domain" -ShareName "DIP$" -FileName "template.preInst.bds" -FilePath "\\testserver.test.domain\DIP$\ManagedSoftware\customer\BaramundiSoftwareAG\LicenseManagement\template.preInst.bds"
26462+
2640526463# Author: Scott Sutherland, NetSPI (@_nullbind / nullbind)
2640626464# Intended input: bootstrap.ini
2640726465function Get-PwBootstrapConfig {
0 commit comments