Coerchck - PowerShell Script For Listing Local Admins

(Presumptuous Commoner) #1

Hey, everybody! Last year I wrote a simple little script to iterate through a user-supplied /24 subnet and pull a list of all local administrators from each Windows machine in the subnet. I’ve been poking away to upgrade it for a while now, and tonight I finally finished it.

It took me six months because I have been trying to write a subnet calculator that ties into the gathering component by hand. It was an amazing learning experience, and I am 98% of the way there, but that last 2% is murdering my confidence and free time. As a result, I elected to find a function with a license that would allow me to adopt it in my own project, and I did just that.

You can download the latest version of Coerchck here. Let’s go through it a bit; it’ll be quick, I promise.

After downloading the script, run it. You’ll be prompted to enter an IP on the target network, then a CIDR mask for the network (I’ll include the ability to supply decimal subnet masks eventually). After that, the script will get to work polling all the machines in the network:


While the script does the heavy lifting, let’s examine the core component of the script:

$admins = Gwmi win32_groupuser -computer $target   # $target holds the IP of the machine currently being polled

WMI is used to query the computer specified by -computer; however, if we take the raw output, we’ll be bombarded with information:


To filter our results, we’ll use the below line:

$admins = $admins |? {$_.groupcomponent -like '*"Administrators"'}   # keep only rows whose GroupComponent ends in Name="Administrators"

Let’s break this down. We are re-assigning the value of our $admins variable to its current output piped to ?. For the uninitiated, ? is an alias for Where-Object. The remainder of the line should be evident; we are only interested in results where groupcomponent ($_ indicates an array, by the way) is like “*Administrators”.

If we’ve done everything correctly, after a length of time (I’m working to make things faster, if possible) we’ll be presented with a list of local administrators per machine:


And that’s it! I created this tool (read: I glued two other people’s functions together) because I like to include local administrators in my risk assessments, and I wanted a way for onsite personnel to quickly kick off a scan of such accounts while they perform other tasks. Red teamers could potentially use this for locating juicy accounts to target, though because this script requires elevated privileges on the target machines that use case may be extremely unlikely. Blue teamers could use this to help them gain insight into overassignment of elevated privileges within their purview.

Please let me know if you have any feedback, including issues, feature requests, or success stories. It’s a simple tool, but I want it to be the best it can be.

Thanks for stopping by!
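
The workflow the post describes (expand a CIDR range, query Win32_GroupUser on each host, keep only the Administrators rows), written out as an added example; this is not Coerchck's code nor the author's. It goes a little beyond the post's name-based filter: the local Administrators group is looked up by its well-known SID S-1-5-32-544 (so renamed or localized groups such as "Administratoren" are still found), and each PartComponent reference is parsed into a DOMAIN\Name plus member type. Assumed: Windows PowerShell 5.1, admin rights on every target, and WMI/DCOM reachable; the function and parameter names are mine.

```powershell
# Added example, not Coerchck's own code. Enumerates the local Administrators group across a
# CIDR range with the same WMI class the post uses (Win32_GroupUser).
# Assumptions: Windows PowerShell 5.1, admin rights on each target, WMI/DCOM (TCP 135 + dynamic ports) reachable.

function Get-SubnetHosts {
    # Expand "a.b.c.d/n" into usable host addresses (network and broadcast skipped below /31).
    param([Parameter(Mandatory)][string]$Cidr)
    $ip, $prefix = $Cidr -split '/'
    $prefix = [int]$prefix
    $all = [long][uint32]::MaxValue                      # 0xFFFFFFFF as a positive long
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($bytes)                             # BitConverter expects little-endian
    $addr = [long][BitConverter]::ToUInt32($bytes, 0)
    $mask = if ($prefix -eq 0) { 0L } else { ($all -shl (32 - $prefix)) -band $all }
    $network   = $addr -band $mask
    $broadcast = $network -bor ((-bnot $mask) -band $all)
    $first = if ($prefix -ge 31) { $network }   else { $network + 1 }
    $last  = if ($prefix -ge 31) { $broadcast } else { $broadcast - 1 }
    for ($n = $first; $n -le $last; $n++) {
        $b = [BitConverter]::GetBytes([uint32]$n)
        [Array]::Reverse($b)
        [System.Net.IPAddress]::new($b).ToString()
    }
}

function Get-LocalAdmins {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Resolve the local Administrators group by its well-known SID rather than by name, so that
    # localized installs (e.g. "Administratoren") and renamed groups are still found.
    $grp = Get-WmiObject -Class Win32_Group -ComputerName $ComputerName -Filter "LocalAccount=TRUE AND SID='S-1-5-32-544'" -ErrorAction Stop
    if (-not $grp) { throw 'local Administrators group (S-1-5-32-544) not found (domain controller?)' }
    # Every Win32_GroupUser row carries a reference path to its group, e.g.
    #   \\HOST\root\cimv2:Win32_Group.Domain="HOST",Name="Administrators"
    # Matching on the resolved Domain/Name keeps the local group only, not a domain group of the same name.
    $wanted = 'Win32_Group.Domain="{0}",Name="{1}"' -f $grp.Domain, $grp.Name
    # Win32_GroupUser returns direct members only; nested group membership is not expanded.
    $rows = Get-WmiObject -Class Win32_GroupUser -ComputerName $ComputerName -ErrorAction Stop
    foreach ($row in ($rows | Where-Object { $_.GroupComponent.EndsWith($wanted) })) {
        # PartComponent is a reference to the member, e.g.
        #   \\HOST\root\cimv2:Win32_UserAccount.Domain="CORP",Name="jdoe"
        if ($row.PartComponent -match 'Win32_(\w+)\.Domain="([^"]+)",Name="([^"]+)"$') {
            [pscustomobject]@{
                ComputerName = $ComputerName
                Member       = '{0}\{1}' -f $Matches[2], $Matches[3]
                MemberType   = $Matches[1]                     # UserAccount, Group or SystemAccount
                Source       = if ($Matches[2] -eq $grp.Domain) { 'Local' } else { 'Domain' }
            }
        }
    }
}

function Invoke-AdminScan {
    param([Parameter(Mandatory)][string]$Cidr)
    foreach ($target in Get-SubnetHosts -Cidr $Cidr) {
        # Cheap liveness check first: DCOM timeouts against dead addresses are what make a /24 slow.
        # Hosts that drop ICMP are skipped by this, so remove the line if that matters in your network.
        if (-not (Test-Connection -ComputerName $target -Count 1 -Quiet)) { continue }
        try   { Get-LocalAdmins -ComputerName $target }
        catch { Write-Warning ('{0}: {1}' -f $target, $_.Exception.Message) }
    }
}

# Usage:
# Invoke-AdminScan -Cidr '192.168.1.0/24' | Sort-Object ComputerName, Member | Format-Table -AutoSize
# Invoke-AdminScan -Cidr '10.0.0.0/22' | Export-Csv .\local-admins.csv -NoTypeInformation
```

Two practical notes. Connecting by IP address rather than hostname generally means NTLM rather than Kerberos authentication to the target, which is fine for a quick scan but will fail where NTLM has been disabled; in that case reverse-resolve the address first and pass the hostname. The Source column only tells you whether a direct member is a local or domain principal; a domain group listed here may itself contain many accounts, and that nesting is what a blue team usually needs to chase down when looking for over-assigned local admin rights.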


(Presumptuous Commoner) #2

So everyone knows, I’ve already made a handful of improvements. Command-line parameter passing is now a thing, as is the ability to specify .txt, .csv, or .html for output file formats (although the formatting is atrocious right now.) I also re-added the bit that lists the scanned IP above the accounts for that machine; that was an oversight on my part, but it’s fixed.

I’ve got a few more things to test and polish, then I’ll commit the changes, probably this evening.

There will be more changes after that, of course. Reddit feedback has been helpful; that, in addition to my pre-existing wishlist, should ensure I have plenty of work to do on this script for the near future.

