PoshCode Archive  Artifact [b6eed7e02c]

Check-ins Using Download Hex

Artifact b6eed7e02c7beb59dfbe3b9f7a324321f3a29fcad1786a1528b9a400115879c9:

  • File AD-PromiscDetect.ps1 — part of check-in [1ea69a69fa] at 2018-06-10 12:57:03 on branch trunk — Promiscuous Mode Check (user: unknown size: 2748) 
# encoding: ascii
# api: powershell
# title: AD-PromiscDetect
# description: Promiscuous Mode Check
# version: 1.1
# type: script
# license: CC0
# x-poshcode-id: 1417
# x-archived: 2009-10-26T15:25:55
#
# queries Active Directory for all computer objects then checks if the computers’ NICs are in promiscuous mode.
#
<#================================================================================================
  NAME:                 	AD-PromiscDetect.ps1
  AUTHOR:			Marty J. Piccinich
  DATE CREATED: 		9/15/2009
  VERSION:  	          1.1
  HISTORY:         		1.0 9/15/2009 - Created
			1.1 10/23/2009 - Added comment header
  PARAMETERS: None
  
  DESCRIPTION:
    Queries Active Directory (currently logged into) for all computer objects,
    pings the computer first, then queries WMI. The MSNdis_CurrentPackFilter class
    in the root\WMI namespace is used. Next, the NdisCurrentPacketFilter property to
    see if the NDIS_PACKET_TYPE_PROMISCUOUS bit (0x00000020) is set. This determines
    if the NIC is is promiscuous mode.

  REQUIREMENTS:
    Proper rights to query WMI\Root on the remote computers is necessary.

  NOTES:
    For more details, see the blog post:
    http://praetorianprefect.com/archives/2009/09/whos-being-promiscuous-in-your-active-directory/
    Credit to Harlan Carvey who provided information on NdisCurrentPacketFilter in his blog.
	
  IMPORTANT:
	You have a royalty-free right to use, modify, reproduce, and
	distribute this script file in any way you find useful, provided that
	you agree that the creator, owner above has no warranty, obligations,
	or liability for such use.
================================================================================================#> 
$ErrorActionPreference = "SilentlyContinue" 

$PingTest = New-Object System.Net.NetworkInformation.Ping
$Filter = "(&(ObjectCategory=computer))"
$Searcher = New-Object System.DirectoryServices.DirectorySearcher($Filter)
ForEach ($comp in $Searcher.Findall()) {
	$strComputer = $comp.properties.item("Name")
	write-host "Checking: $strComputer"
	if ($PingTest.Send($strComputer).Status -eq "Success") {			
		$colComputer = get-wmiObject -class "MSNdis_CurrentPacketFilter" -namespace "root\WMI" -comp $strComputer
		if ($colComputer -eq $null) {
			write-host "Couldn't connect to WMI" }
		else {
			foreach ($comp in $colcomputer) {
				$val = $comp.NdisCurrentPacketFilter
				if ($val -band 0x00000020) {
					$inst = $comp.InstanceName
					write-host "Interface: $inst"
					write-host "The packetfilter value is above range" -foregroundcolor red -backgroundcolor yellow
				}
			}
		} 
	}
	else { write-host "Could not ping, machine not queried." }
}
Fossil 2.20 [0d61fd2310] 2022-10-28 19:48:33
This page was generated in about 0.011s