{"id":384,"date":"2016-02-17T12:09:45","date_gmt":"2016-02-17T11:09:45","guid":{"rendered":"http:\/\/www.michael.tassati.at\/?p=384"},"modified":"2016-02-17T12:16:00","modified_gmt":"2016-02-17T11:16:00","slug":"have-i-been-pwned-test-all-users-of-your-domain","status":"publish","type":"post","link":"https:\/\/www.michael.tassati.at\/?p=384","title":{"rendered":"have i been pwned? Test all users of your domain"},"content":{"rendered":"

Aus einem Powershell-Beispiel von „IT Pro blog“ weiterentwickelt
\nhttps:\/\/infracloud.wordpress.com\/2015\/10\/29\/have-you-been-pwned-use-powershell-to-find-out\/
\nGet-Pwned.ps1<\/a><\/p>\n

Import-Module „C:\\adm\\custom\\BasicTools.psm1“
\n$Global:CheckURI = „https:\/\/haveibeenpwned.com\/api\/v2\/breachedaccount“
\n$global:OutputPath = „C:\\“
\n$global:results = @()
\nFunction ValidateAddress($Emailaddress){
\n try{
\n $Request = Invoke-WebRequest -Uri „$global:CheckURI\/$Emailaddress“
\n $Response = ConvertFrom-Json $Request
\n Return $Response
\n }
\n catch [exception]
\n {
\n Return $null
\n }
\n}
\nFunction IsValidEMail($email){
\n\u00a0 \u00a0 $EmailRegex = ‚^[_a-z0-9-]+(\\.[_a-z0-9-]+)*@[a-z0-9-]+(\\.[a-z0-9-]+)*(\\.[a-z]{2,4})$‘;
\n\u00a0 \u00a0 return ($email -match $EmailRegex)
\n}
\nFunction IsValidDomain($mailaddress){
\n $domain = $mailaddress.Substring($mailaddress.IndexOf(„@“)+1)
\n $obj = Get-AcceptedDomain -Identity $domain -ErrorAction SilentlyContinue
\n if ($obj -eq $null){
\n $result = $false
\n }else{
\n $result = $true
\n }<\/p>\n

return $result
\n}
\nFunction ConvertHaveibeenpwnedObject($obj,$mailaddress,$username){
\n Set-ToolsLogAddLine -LogTXT „Compromised account $username, $mailaddress“
\n $result = New-Object -TypeName PSObject
\n $result | Add-Member -MemberType NoteProperty -Name username -Value $username
\n $result | Add-Member -MemberType NoteProperty -Name mailaddress -Value $mailaddress
\n $result | Add-Member -MemberType NoteProperty -Name HIBPAddedDate -Value $obj.AddedDate
\n $result | Add-Member -MemberType NoteProperty -Name HIBPBreachDate -Value $obj.BreachDate
\n $result | Add-Member -MemberType NoteProperty -Name HIBPDataClasses -Value ([system.String]::Join(„;“,$obj.DataClasses))
\n $result | Add-Member -MemberType NoteProperty -Name HIBPDescription -Value $obj.Description
\n $result | Add-Member -MemberType NoteProperty -Name HIBPDomain -Value $obj.Domain
\n $result | Add-Member -MemberType NoteProperty -Name HIBPIsSensitive -Value $obj.IsSensitive
\n $result | Add-Member -MemberType NoteProperty -Name HIBPIsVerified -Value $obj.IsVerified
\n $result | Add-Member -MemberType NoteProperty -Name HIBPLogoType -Value $obj.LogoType
\n $result | Add-Member -MemberType NoteProperty -Name HIBPName -Value $obj.Name
\n $result | Add-Member -MemberType NoteProperty -Name HIBPPwnCount -Value $obj.PwnCount
\n $result | Add-Member -MemberType NoteProperty -Name HIBPTitle -Value $obj.Title
\n return $result
\n}
\nFunction main{
\n Set-ToolsLogCreate -LogFilePath „C:\\adm\\custom\\logs\\“ -LogPrefix „CompromisedAccounts“
\n Remove-ToolsLog -olderThenDays 21
\n Set-ToolsLogAddLine -LogTXT „Collect accounts“<\/p>\n

$users = Get-ADUser -LDAPFilter „(mail=*)“ -Properties mail, proxyaddresses -ResultSetSize $null<\/p>\n

$i = ($users).Count
\n Set-ToolsLogAddLine -LogTXT „Test $i accounts“
\n $i = 0
\n foreach($user in $users){
\n $i ++
\n if($i\/100 -is [int]){Set-ToolsLogAddLine -LogTXT „$i accounts tested“}
\n $proxymail = „“
\n $usermail = „“
\n $usermail = $user.mail.ToLower()
\n $output = „“
\n if (IsValidEMail($usermail)){
\n if (isValidDomain($usermail)){
\n $obj = ValidateAddress($usermail)
\n if ($obj -ne $null){
\n $global:results += ConvertHaveibeenpwnedObject -obj $obj -mailaddress $usermail -username $user.SamAccountName
\n }
\n }
\n }
\n Foreach($proxyAddress in $user.proxyaddresses){
\n $proxymail = $proxyAddress.ToLower()
\n if ($proxymail.StartsWith(„smtp:“)){
\n $proxymail = $proxymail.Substring($proxymail.IndexOf(„smtp:“)+5)
\n if (IsValidEMail($proxymail)){
\n if ($proxymail -ne $usermail){
\n if (isValidDomain($proxymail)){
\n $obj = ValidateAddress($proxymail)
\n if ($obj -ne $null){
\n $global:results += ConvertHaveibeenpwnedObject -obj $obj -mailaddress $usermail -username $user.SamAccountName
\n }
\n }
\n }
\n }
\n }
\n }
\n }
\n Set-ToolsLogAddLine -LogTXT „Finish“ -foregroundcolor „green“ -backgroundcolor „darkgray“
\n $global:results | Export-csv „$global:OutputPath\\CompromisedAccounts.csv“
\n}<\/p>\n

main<\/p>\n","protected":false},"excerpt":{"rendered":"

Aus einem Powershell-Beispiel von „IT Pro blog“ weiterentwickelt https:\/\/infracloud.wordpress.com\/2015\/10\/29\/have-you-been-pwned-use-powershell-to-find-out\/ Get-Pwned.ps1 Import-Module „C:\\adm\\custom\\BasicTools.psm1“ $Global:CheckURI = „https:\/\/haveibeenpwned.com\/api\/v2\/breachedaccount“ $global:OutputPath = „C:\\“ $global:results = @() Function ValidateAddress($Emailaddress){ try{ $Request = Invoke-WebRequest -Uri „$global:CheckURI\/$Emailaddress“ $Response = ConvertFrom-Json $Request Return $Response } catch [exception] { Return $null } } Function IsValidEMail($email){ \u00a0 \u00a0 $EmailRegex = ‚^[_a-z0-9-]+(\\.[_a-z0-9-]+)*@[a-z0-9-]+(\\.[a-z0-9-]+)*(\\.[a-z]{2,4})$‘; \u00a0 \u00a0 return ($email -match … have i been pwned? Test all users of your domain<\/span> weiterlesen →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[1,60,117],"tags":[118,120,119],"_links":{"self":[{"href":"https:\/\/www.michael.tassati.at\/index.php?rest_route=\/wp\/v2\/posts\/384"}],"collection":[{"href":"https:\/\/www.michael.tassati.at\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.michael.tassati.at\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.michael.tassati.at\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.michael.tassati.at\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=384"}],"version-history":[{"count":3,"href":"https:\/\/www.michael.tassati.at\/index.php?rest_route=\/wp\/v2\/posts\/384\/revisions"}],"predecessor-version":[{"id":388,"href":"https:\/\/www.michael.tassati.at\/index.php?rest_route=\/wp\/v2\/posts\/384\/revisions\/388"}],"wp:attachment":[{"href":"https:\/\/www.michael.tassati.at\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=384"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.michael.tassati.at\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=384"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.michael.tassati.at\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=384"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}