tomas.kracmar
27a682a968
Test-ReplicationPermissions now uses the tokenGroups constructed attribute to resolve all effective SIDs in the caller's Kerberos token, including nested group memberships. This replaces the previous MemberOf walk which missed indirect entitlement and could produce false-positive missing-permission errors. All versions bumped to unified v2.2.2.
168 lines
6.5 KiB
PowerShell
168 lines
6.5 KiB
PowerShell
##################################################
|
|
## ____ ___ ____ _____ _ _ _____ _____ ##
|
|
## / ___/ _ \| _ \| ____| | \ | | ____|_ _| ##
|
|
## | | | | | | |_) | _| | \| | _| | | ##
|
|
## | |__| |_| | _ <| |___ _| |\ | |___ | | ##
|
|
## \____\__\_\_| \_\_____(_)_| \_|_____| |_| ##
|
|
##################################################
|
|
## Project: Elysium ##
|
|
## File: Update-LithnetStore.ps1 ##
|
|
## Version: 2.2.2 ##
|
|
## Support: support@cqre.net ##
|
|
##################################################
|
|
|
|
<#
|
|
.SYNOPSIS
|
|
Populates a Lithnet Password Protection store with compromised passwords and banned words.
|
|
|
|
.DESCRIPTION
|
|
Reads configuration from ElysiumSettings.txt (or a provided settings file), opens the Lithnet
|
|
Password Protection store, optionally synchronizes with Have I Been Pwned, imports local NTLM
|
|
hash lists, plaintext password lists, and banned-word files.
|
|
#>
|
|
|
|
[CmdletBinding()]
|
|
param(
|
|
[string]$SettingsPath,
|
|
[string[]]$HashFiles,
|
|
[string[]]$PlaintextFiles,
|
|
[string[]]$BannedWordFiles,
|
|
[switch]$SkipHibpSync
|
|
)
|
|
|
|
$ErrorActionPreference = 'Stop'
|
|
Set-StrictMode -Version Latest
|
|
[string]$commonHelper = Join-Path -Path $PSScriptRoot -ChildPath 'Elysium.Common.ps1'
|
|
if (-not (Test-Path -LiteralPath $commonHelper)) { throw "Common helper not found at $commonHelper" }
|
|
. $commonHelper
|
|
Restart-WithPwshIfAvailable -BoundParameters $PSBoundParameters -UnboundArguments $MyInvocation.UnboundArguments
|
|
|
|
function Read-KeyValueSettings {
|
|
param([string]$Path)
|
|
$result = @{}
|
|
if (-not (Test-Path -LiteralPath $Path)) { throw "Settings file not found at $Path" }
|
|
Get-Content -LiteralPath $Path | ForEach-Object {
|
|
$line = $_
|
|
if (-not $line) { return }
|
|
$trimmed = $line.Trim()
|
|
if (-not $trimmed) { return }
|
|
if ($trimmed.StartsWith('#')) { return }
|
|
$kv = $line -split '=', 2
|
|
if ($kv.Count -ne 2) { return }
|
|
$key = $kv[0].Trim()
|
|
$value = $kv[1].Trim()
|
|
if (-not $key) { return }
|
|
if ($value.StartsWith("'") -and $value.EndsWith("'") -and $value.Length -ge 2) {
|
|
$value = $value.Substring(1, $value.Length - 2)
|
|
}
|
|
$result[$key] = $value
|
|
}
|
|
return $result
|
|
}
|
|
|
|
function Get-BooleanSetting {
|
|
param(
|
|
[string]$Value,
|
|
[bool]$Default = $false
|
|
)
|
|
if ([string]::IsNullOrWhiteSpace($Value)) { return $Default }
|
|
try { return [System.Convert]::ToBoolean($Value) } catch { return $Default }
|
|
}
|
|
|
|
function Get-ListFromSetting {
|
|
param([string]$Value)
|
|
if ([string]::IsNullOrWhiteSpace($Value)) { return @() }
|
|
return ($Value -split '[,;]' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
|
|
}
|
|
|
|
function Resolve-ExistingPath {
|
|
param([string]$PathValue, [string]$Description)
|
|
if ([string]::IsNullOrWhiteSpace($PathValue)) { throw "$Description path was not provided." }
|
|
if (-not (Test-Path -LiteralPath $PathValue)) {
|
|
throw "$Description not found at '$PathValue'."
|
|
}
|
|
return (Resolve-Path -LiteralPath $PathValue).Path
|
|
}
|
|
|
|
if (-not $SettingsPath) {
|
|
$SettingsPath = Join-Path -Path $PSScriptRoot -ChildPath 'ElysiumSettings.txt'
|
|
}
|
|
$settings = Read-KeyValueSettings -Path $SettingsPath
|
|
|
|
$storePathSetting = $settings['LithnetStorePath']
|
|
$storePath = Resolve-ExistingPath -PathValue $storePathSetting -Description 'Lithnet store'
|
|
|
|
$settingsHashSources = Get-ListFromSetting -Value $settings['LithnetHashSources']
|
|
$settingsPlainSources = Get-ListFromSetting -Value $settings['LithnetPlaintextSources']
|
|
$settingsBannedSources = Get-ListFromSetting -Value $settings['LithnetBannedWordSources']
|
|
|
|
$hashSourcePaths = New-Object System.Collections.Generic.HashSet[string] ([System.StringComparer]::OrdinalIgnoreCase)
|
|
foreach ($path in @($HashFiles) + $settingsHashSources) {
|
|
if ([string]::IsNullOrWhiteSpace($path)) { continue }
|
|
$resolved = Resolve-ExistingPath -PathValue $path -Description 'Hash list'
|
|
[void]$hashSourcePaths.Add($resolved)
|
|
}
|
|
if ($hashSourcePaths.Count -eq 0) {
|
|
$defaultKhdb = Join-Path -Path $PSScriptRoot -ChildPath 'khdb.txt'
|
|
if (Test-Path -LiteralPath $defaultKhdb) {
|
|
[void]$hashSourcePaths.Add((Resolve-Path -LiteralPath $defaultKhdb).Path)
|
|
} else {
|
|
throw 'No hash files were provided via parameters or LithnetHashSources, and khdb.txt was not found.'
|
|
}
|
|
}
|
|
|
|
$plaintextSourcePaths = New-Object System.Collections.Generic.HashSet[string] ([System.StringComparer]::OrdinalIgnoreCase)
|
|
foreach ($path in @($PlaintextFiles) + $settingsPlainSources) {
|
|
if ([string]::IsNullOrWhiteSpace($path)) { continue }
|
|
$resolved = Resolve-ExistingPath -PathValue $path -Description 'Plaintext password list'
|
|
[void]$plaintextSourcePaths.Add($resolved)
|
|
}
|
|
|
|
$bannedWordSourcePaths = New-Object System.Collections.Generic.HashSet[string] ([System.StringComparer]::OrdinalIgnoreCase)
|
|
foreach ($path in @($BannedWordFiles) + $settingsBannedSources) {
|
|
if ([string]::IsNullOrWhiteSpace($path)) { continue }
|
|
$resolved = Resolve-ExistingPath -PathValue $path -Description 'Banned word list'
|
|
[void]$bannedWordSourcePaths.Add($resolved)
|
|
}
|
|
|
|
$syncHibp = Get-BooleanSetting -Value $settings['LithnetSyncHibp'] -Default:$false
|
|
if ($SkipHibpSync) { $syncHibp = $false }
|
|
|
|
Write-Host "Importing LithnetPasswordProtection module..."
|
|
try {
|
|
Import-Module -Name LithnetPasswordProtection -ErrorAction Stop | Out-Null
|
|
} catch {
|
|
throw "LithnetPasswordProtection module not found: $($_.Exception.Message). Install it from https://github.com/lithnet/password-protection."
|
|
}
|
|
|
|
Write-Host ("Opening Lithnet store at '{0}'..." -f $storePath)
|
|
Open-Store -Path $storePath
|
|
$storeOpened = $true
|
|
try {
|
|
if ($syncHibp) {
|
|
Write-Host 'Synchronizing compromised hashes from Have I Been Pwned (this can take a while)...'
|
|
Sync-HashesFromHibp
|
|
}
|
|
|
|
foreach ($hashFile in ($hashSourcePaths.ToArray() | Sort-Object)) {
|
|
Write-Host ("Importing NTLM hash list '{0}'..." -f $hashFile)
|
|
Import-CompromisedPasswordHashes -Filename $hashFile
|
|
}
|
|
|
|
foreach ($plainFile in ($plaintextSourcePaths.ToArray() | Sort-Object)) {
|
|
Write-Host ("Importing plaintext password list '{0}'..." -f $plainFile)
|
|
Import-CompromisedPasswords -Filename $plainFile
|
|
}
|
|
|
|
foreach ($bannedFile in ($bannedWordSourcePaths.ToArray() | Sort-Object)) {
|
|
Write-Host ("Importing banned word list '{0}'..." -f $bannedFile)
|
|
Import-BannedWords -Filename $bannedFile
|
|
}
|
|
|
|
Write-Host 'Lithnet store update completed successfully.'
|
|
} finally {
|
|
if ($storeOpened) {
|
|
try { Close-Store } catch {}
|
|
}
|
|
}
|