Thursday, March 22, 2012

Find domain users who changed their passwords today

Wrote this one up just to see if I could. Thought it might make for a good post exploit drop in case you wanted to monitor which users changed their passwords, maybe have it trigger a fresh dump of the domain hashes and mail them to you or post them somewhere. Whatever.

Spits out some errors about user names not found sometimes but it seems to get the job done.

-=The Script=-

@echo off
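Echo +Getting User List

REM "net user /domain" prints account names in three columns after a header block.
REM skip=6 drops the header; tokens 1-3 are written one per line. Names containing spaces get split.
for /f "tokens=1,2,3 skip=6" %%a in ('net user /domain') do echo %%a >> C:\people.txt && echo %%b >> C:\people.txt && echo %%c >> C:\people.txt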

Echo +Cleaning User List

for /f "tokens=*" %%d in (C:\people.txt) do if not "%%d" == "ECHO is on." if not "%%d" == "ECHO is off." if not "%%d" == "The  " if not "%%d" == "command  " if not "%%d" == "completed " echo %%d >> C:\cleanpeople.txt

del /f /q C:\people.txt

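Echo +Setting Time Variables

REM Assumes %date% looks like "Thu 03/22/2012" (US English locale).
REM Leading zeros are stripped from month and day so the result can be compared
REM with the date on the "Password last set" line of "net user".
if 0 == %date:~4,1% set mn=%date:~5,1%
if not 0 == %date:~4,1% set mn=%date:~4,2%

if 0 == %date:~7,1% set dy=%date:~8,1%
if not 0 == %date:~7,1% set dy=%date:~7,2%

set now=%mn%/%dy%/%date:~10,4%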

Echo +Finding Active Accounts

for /f %%g in (C:\cleanpeople.txt) do for /f "tokens=3" %%h in ('net user %%g /domain ^| find /i "Account Active"') do if %%h == Yes echo %%g >> C:\activecleanpeople.txt

del /f /q C:\cleanpeople.txt


Echo +Finding Users Who Changed Their Passwords Today

for /f %%e in (C:\activecleanpeople.txt) do for /f "tokens=4" %%f in ('net user %%e /domain ^| find /i "Password last set"') do if %%f == %now% echo %%e changed their password today

del /f /q C:\activecleanpeople.txt

Echo Finished.
pause > nul
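
Seen from the monitoring side, the script above runs `net user <name> /domain` once or twice for every account in a short burst, which stands out in process-creation logging. The following is an added example, not part of the original post: it assumes process-creation records (for instance Security event 4688 with command-line auditing, or Sysmon event 1) have already been reduced to (time, host, command line) tuples, and the sample records, the 5-minute window and the threshold of 5 accounts are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records (time, host, command line); not real logs.
SAMPLE_EVENTS = [
    ("2012-03-22T10:00:00", "WS01", "net user /domain"),
    ("2012-03-22T10:00:02", "WS01", "net user alice /domain"),
    ("2012-03-22T10:00:03", "WS01", r"C:\Windows\System32\net1 user bob /domain"),
    ("2012-03-22T10:00:04", "WS01", "net user carol /domain"),
    ("2012-03-22T10:00:05", "WS01", "NET.EXE USER dave /DOMAIN"),
    ("2012-03-22T10:00:06", "WS01", "net user erin /domain"),
    ("2012-03-22T10:00:09", "WS01", "net user alice /domain"),
    ("2012-03-22T11:30:00", "HD02", "net user bob /domain"),
    ("2012-03-22T14:10:00", "HD02", "net user carol /domain"),
]

# "net user <name> /domain" via net or net1; the bare listing (no name) is skipped.
NET_USER_RE = re.compile(
    r'(?:^|[\\\s"])net1?(?:\.exe)?"?\s+user\s+(?!/)("[^"]+"|\S+)\s+/domain\b', re.I)

def find_enumeration(events, window=timedelta(minutes=5), threshold=5):
    """Map host -> accounts, for hosts that queried >= threshold distinct
    accounts with per-user `net user <name> /domain` inside one window."""
    per_host = defaultdict(list)
    for ts, host, cmdline in events:
        m = NET_USER_RE.search(cmdline)
        if m:
            name = m.group(1).strip('"').lower()
            per_host[host].append((datetime.fromisoformat(ts), name))
    flagged = {}
    for host, hits in per_host.items():
        hits.sort()
        seen, start = set(), 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            names = {n for _, n in hits[start:end + 1]}
            if len(names) >= threshold:
                seen |= names
        if seen:
            flagged[host] = sorted(seen)
    return flagged

if __name__ == "__main__":
    for host, accounts in find_enumeration(SAMPLE_EVENTS).items():
        print(host, "queried", len(accounts), "accounts:", ", ".join(accounts))
```

The two widely spaced lookups from HD02 stay below the threshold, so only the burst from WS01 is reported.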
