├── Disable-CertificateValidation.ps1
├── Disable-NetSSLValidation.ps1
├── Invoke-SelfSignedWebRequest.ps1
└── README.md


/Disable-CertificateValidation.ps1:
--------------------------------------------------------------------------------
 1 | function Disable-CertificateValidation
 2 | {
 3 | <#
 4 | .SYNOPSIS
 5 |     Disables SSL certificate validation through the ServicePointManager
 6 | .DESCRIPTION
 7 |     Disables SSL certificate validation through the System.Net.ServicePointManager endpoint by manually configuring the ServerCertificateValidationCallback to return $true. Allows (New-Object System.Net.WebClient).DownloadFile() to connect to self-signed SSL domains.
 8 |  
 9 |     Author: Matthew Toussain (@0sm0s1z)
10 |     License: BSD 3-Clause
11 | 	
12 | .EXAMPLE
13 | 	 Disable-CertificateValidation
14 | 	
15 | .LINK
16 |     https://github.com/0sm0s1z/Invoke-SelfSignedWebRequest
17 | #>
18 | 	[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
19 | 
20 | }
21 | Disable-CertificateValidation
22 | 


--------------------------------------------------------------------------------
/Disable-NetSSLValidation.ps1:
--------------------------------------------------------------------------------
 1 | function Disable-NetSSLValidation
 2 | {
 3 | <#
 4 | .SYNOPSIS
 5 |     Configures internal .NET settings to disable SSL certificate validation
 6 | .DESCRIPTION
 7 |     Configures internal .NET settings to disable SSL certificate validation via useUnsafeHeaderParsing
 8 |  
 9 |     Author: Matthew Toussain (@0sm0s1z)
10 |     License: BSD 3-Clause
11 | 	
12 | .EXAMPLE
13 | 	 . .\Disable-NetSSLValidation.ps1
14 | 	 Disable-NetSSLValidation
15 | 	
16 | .LINK
17 |     https://github.com/0sm0s1z/Invoke-SelfSignedWebRequest
18 | #>
19 | 	[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
20 | 
21 | 	$netAssembly = [Reflection.Assembly]::GetAssembly([System.Net.Configuration.SettingsSection])
22 | 
23 | 	if($netAssembly)
24 | 	{
25 | 		$bindingFlags = [Reflection.BindingFlags] "Static,GetProperty,NonPublic"
26 | 		$settingsType = $netAssembly.GetType("System.Net.Configuration.SettingsSectionInternal")
27 | 
28 | 		$instance = $settingsType.InvokeMember("Section", $bindingFlags, $null, $null, @())
29 | 
30 | 		if($instance)
31 | 		{
32 | 			$bindingFlags = "NonPublic","Instance"
33 | 			$useUnsafeHeaderParsingField = $settingsType.GetField("useUnsafeHeaderParsing", $bindingFlags)
34 | 
35 | 			if($useUnsafeHeaderParsingField)
36 | 			{
37 | 			  $useUnsafeHeaderParsingField.SetValue($instance, $true)
38 | 			}
39 | 		}
40 | 	}
41 | }
42 | 


--------------------------------------------------------------------------------
/Invoke-SelfSignedWebRequest.ps1:
--------------------------------------------------------------------------------
 1 | function Invoke-SelfSignedWebRequest
 2 | {
 3 | <#
 4 | .SYNOPSIS
 5 |     Performs web requests without certificate validation
 6 | .DESCRIPTION
 7 |     Loads the target URI's SSL certificate into the local certificate store and wraps Invoke-WebRequest. Removes certificate upon completion of insecure WebRequest invocation. Aliased to wget-ss
 8 |  
 9 |     Author: Matthew Toussain (@0sm0s1z)
10 |     License: BSD 3-Clause
11 | 	
12 | .EXAMPLE
13 | 	Invoke-SelfSignedWebRequest https://spectruminfosec.com/nc.exe "-outfile nc.exe"
14 | 	wget-ss https://spectruminfosec.com/index.php
15 | 	
16 | .LINK
17 |     https://github.com/0sm0s1z/Invoke-SelfSignedWebRequest
18 | #>
19 | 
20 | 	[CmdletBinding()]
21 |     param(
22 |         [uri][string]$url,
23 | 		[string]$cmdstr
24 |     )
25 | 
26 | 	Set-StrictMode -Version 3
27 | 
28 | 	if($url.Scheme -ne "https") {
29 | 		#Direct to WebRequest
30 | 		$newWebRequest = "Invoke-WebRequest $url $cmdstr"
31 | 		IEX $newWebRequest
32 | 	} else {
33 | 	
34 | 		[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
35 | 		
36 | 		#Grab target SSL Certificate
37 | 		$webRequest = [System.Net.HttpWebRequest]::Create($url)
38 | 		try { $webRequest.GetResponse().Dispose() } catch {}
39 | 		$cert = $webRequest.ServicePoint.Certificate
40 | 		$bytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
41 | 		$fname = $url.host
42 | 		$savePath = "$pwd\$fname.key"
43 | 		set-content -value $bytes -encoding byte -path $savePath
44 | 		
45 | 		#Save to disk
46 | 		$importCert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2
47 | 		$importCert.import($savePath)
48 | 		
49 | 		#Load into local CurrentUser Store
50 | 		$store = Get-Item "cert:\CurrentUser\My"
51 | 		$store.open("MaxAllowed")
52 | 		$store.add($importCert)
53 | 		$store.close()
54 | 	
55 | 		#Wrap Invoke-WebRequest
56 | 		$newWebRequest = "Invoke-WebRequest $url $cmdstr"
57 | 		IEX $newWebRequest
58 | 		
59 | 		#Remove Cert & Clear Validation Callback
60 | 		Get-ChildItem -Path "cert:\CurrentUser\My" -DnsName $fname | Remove-Item -force -confirm:0
61 | 		[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
62 | 	}
63 | }
64 | New-Alias wget-ss Invoke-SelfSignedWebRequest
65 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | #Invoke-SelfSignedWebRequest
 2 | 
 3 | For InfoSec work, using HTTPS is an incredibly handy mechanism for C2 and maneuver within target network space. Further PowerShell is an amazing productivity tool that can help an operator achieve dynamic results. A natural next conclusion is to combine the C2 channel (HTTPS) with the effects generator (PowerShell). Just spawn up a quick self-signed cert and life is hunky dory, right? Unfortunately, as it turns out Microsoft (and by extension PowerShell) really doesn't like SSL connections secured by certificates that can't be validated. They go out of their way to PREVENT these connections by throwing heinous levels of ERROR messaging.
 4 | This repo exists as a quick and dirty arsenal of methods and scripts to subvert those security focused features and press on with the hack!
 5 | 
 6 | My intent is to add on new methods as the come to mind. Pull requests welcome!
 7 | 
 8 | ##Methods:
 9 | * Invoke-SelfSignedWebRequest - Loads the target URI's SSL certificate into the local certificate store and wraps Invoke-WebRequest. Removes certificate upon completion of insecure WebRequest invocation. Aliased to wget-ss
10 | 
11 | * Disable-CertificateValidation - Disables SSL certificate validation through the System.Net.ServicePointManager endpoint by manually configuring the ServerCertificateValidationCallback to return $true. Allows (New-Object System.Net.WebClient).DownloadFile() to connect to self-signed SSL domains.
12 | 
13 | * Disable-NetSSLValidation - Configures internal .NET settings to disable SSL certificate validation via useUnsafeHeaderParsing
14 | 
15 | 
16 | Author: Matthew Toussain (@0sm0s1z)
17 | License: BSD 3-Clause
18 | 	
19 | 


--------------------------------------------------------------------------------