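#
# PowerView 2.0 Menu for Cobalt Strike
# Requires @harmj0y's PowerView https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1
#
# This script does NOT import PowerView itself: there is no clean way to check
# which PowerShell script is currently imported into a Beacon, and re-importing
# on every click felt janky. Run powershell-import on PowerView.ps1 before using
# any menu item; otherwise the cmdlet name will simply not resolve in the Beacon.
#
# By: SF - 0xthirteen
#
# TODO: Add credential object
# TODO: Add more customization to commands
#
# Some functions like Invoke-UserHunter have a lot of options and may take up the whole screen depending on what size monitor...so be aware
#
# Every dialog value is inserted into the PowerShell command line verbatim
# (see pv_build_args). Quote values that contain spaces or quotes using
# PowerShell syntax (e.g. 'C:\Program Files') and pass multi-valued parameters
# as a PowerShell expression (e.g. name,description). Nothing is escaped here.
#
# "Exec Method": PowerPick -> bpowerpick(), PowerShell -> bpowershell(). The
# latter spawns powershell.exe on the target, which is considerably noisier;
# see the Cobalt Strike documentation for the OPSEC differences.
#

#---------------
# Shared helpers
#---------------

# Invoke closure $2 once for every beacon id in the array $1 (menu items pass
# the selected beacons as $1).
sub pv_each {
    local('$b');
    foreach $b ($1) {
        [$2: $b];
    }
}

# Row descriptors for pv_dialog(): a text field / a checkbox.
# $1 = value key (also the PowerView parameter name), $2 = label shown in the dialog.
sub pvt { return @("text", $1, $2); }
sub pvc { return @("check", $1, $2); }

# Turn a dialog value hash ($1) into the PowerView argument string.
#   "true"  (checked box)        -> " -<key>"
#   non-empty text               -> " -<key> <value>" (value inserted as-is, no quoting)
#   "", "false", or "execmethod" -> dropped
# Returns the argument string with a leading space, or "" when nothing was set.
sub pv_build_args {
    local('$line $key $value');
    $line = "";
    foreach $key => $value ($1) {
        # the exec-method selector is dialog state, not a cmdlet parameter
        if ($key ne "execmethod") {
            if ($value eq "true") {
                $line .= " -" . $key;
            }
            else if ($value ne "" && $value ne "false") {
                $line .= " -" . $key . " " . $value;
            }
        }
    }
    return $line;
}

# Task beacon $1 with PowerView cmdlet $2 using the dialog values $3.
# Nothing is run when "execmethod" is neither PowerPick nor PowerShell.
sub pv_run {
    local('$bid $cmdlet $values $cmd');
    $bid = $1;
    $cmdlet = $2;
    $values = $3;
    $cmd = $cmdlet . pv_build_args($values);

    if ($values["execmethod"] eq "PowerPick") {
        btask($bid, "Executing PowerView " . $cmdlet . " via PowerPick");
        bpowerpick($bid, $cmd);
    }
    else if ($values["execmethod"] eq "PowerShell") {
        btask($bid, "Executing PowerView " . $cmdlet . " via PowerShell");
        bpowershell($bid, $cmd);
    }
}

# Build and show the standard PowerView dialog.
#   $1 = beacon id
#   $2 = cmdlet name (used for the title, the task message and the command)
#   $3 = description text
#   $4 = ordered array of pvt()/pvc() rows
# Every dialog ends with the "Exec Method" combobox and a "Run" button.
sub pv_dialog {
    local('$bid $cmdlet $desc $rows $row %defaults $dialog');
    $bid = $1;
    $cmdlet = $2;
    $desc = $3;
    $rows = $4;

    # Seed the value hash so untouched rows come back as "" (text) or "false"
    # (checkbox) and are dropped by pv_build_args().
    %defaults = %(execmethod => "PowerPick");
    foreach $row ($rows) {
        %defaults[$row[1]] = iff($row[0] eq "check", "false", "");
    }

    # $bid and $cmdlet are captured per dialog. The original kept $bid and the
    # argument string in globals: selecting several beacons sent every command
    # to the last beacon, and the argument string was only reset when a dialog
    # was created, so it leaked into any dialog submitted afterwards.
    $dialog = dialog("PowerView 2.0 " . $cmdlet, %defaults, lambda({
        pv_run($bid, $cmdlet, $3);
    }, $bid => $bid, $cmdlet => $cmdlet));

    dialog_description($dialog, $desc);
    foreach $row ($rows) {
        if ($row[0] eq "check") {
            drow_checkbox($dialog, $row[1], $row[2]);
        }
        else {
            drow_text($dialog, $row[1], $row[2]);
        }
    }
    drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell"));
    dbutton_action($dialog, "Run");
    dialog_show($dialog);
}

#---------------
# Menu
#---------------

popup beacon_top {
    menu "PowerView" {
        menu "Misc Functions" {
            item "Get-IPAddress"                { pv_each($1, &getipaddress); }
            item "Find-InterestingFile"         { pv_each($1, &findinterestingfile); }
            item "Convert-NameToSid"            { pv_each($1, &convertnametosid); }
            item "Convert-SidToName"            { pv_each($1, &convertsidtoname); }
            item "Get-Proxy"                    { pv_each($1, &getproxy); }
            item "Get-PathAcl"                  { pv_each($1, &getpathacl); }
            item "Get-UserProperty"             { pv_each($1, &getuserproperty); }
            item "Get-ComputerProperty"         { pv_each($1, &getcomputerproperty); }
            item "Invoke-CheckLocalAdminAccess" { pv_each($1, &invokechecklocaladminaccess); }
            item "Get-DomainSearcher"           { pv_each($1, &getdomainsearcher); }
            item "Get-ObjectAcl"                { pv_each($1, &getobjectacl); }
            item "Add-ObjectAcl"                { pv_each($1, &addobjectacl); }
            item "Get-LastLoggedOn"             { pv_each($1, &getlastloggedon); }
            item "Get-CachedRDPConnection"      { pv_each($1, &getcachedrdpconnection); }
            item "Invoke-ACLScanner"            { pv_each($1, &invokeaclscanner); }
            item "Get-GUIDMap"                  { pv_each($1, &getguidmap); }
            item "Get-DomainSID"                { pv_each($1, &getdomainsid); }
        }
        menu "net * Functions" {
            item "Get-NetDomain"                { pv_each($1, &getnetdomain); }
            item "Get-NetForest"                { pv_each($1, &getnetforest); }
            item "Get-NetForestDomain"          { pv_each($1, &getnetforestdomain); }
            item "Get-NetDomainController"      { pv_each($1, &getnetdomaincontroller); }
            item "Get-NetUser"                  { pv_each($1, &getnetuser); }
            item "Add-NetUser"                  { pv_each($1, &addnetuser); }
            item "Get-NetComputer"              { pv_each($1, &getnetcomputer); }
            item "Get-NetOU"                    { pv_each($1, &getnetou); }
            item "Get-NetSite"                  { pv_each($1, &getnetsite); }
            item "Get-NetSubnet"                { pv_each($1, &getnetsubnet); }
            item "Get-NetGroup"                 { pv_each($1, &getnetgroup); }
            item "Get-NetGroupMember"           { pv_each($1, &getnetgroupmember); }
            item "Get-NetLocalGroup"            { pv_each($1, &getnetlocalgroup); }
            item "Add-NetGroupUser"             { pv_each($1, &addnetgroupuser); }
            item "Get-NetFileServer"            { pv_each($1, &getnetfileserver); }
            item "Get-NetShare"                 { pv_each($1, &getnetshare); }
            item "Get-NetLoggedon"              { pv_each($1, &getnetloggedon); }
            item "Get-NetSession"               { pv_each($1, &getnetsession); }
            item "Get-NetRDPSession"            { pv_each($1, &getnetrdpsession); }
            item "Get-NetProcess"               { pv_each($1, &getnetprocess); }
            item "Get-UserEvent"                { pv_each($1, &getuserevent); }
            item "Get-ADOject"                  { pv_each($1, &getadobject); }
            # NOTE(review): the original wired this item to getadobject, which opens
            # the Get-ADObject dialog. A setadobject handler must exist further down
            # in this file for the item to work - confirm before shipping.
            item "Set-ADObject"                 { pv_each($1, &setadobject); }
        }
        menu "GPO functions" {
            item "Get-GptTmpl"                  { pv_each($1, &getgpttmpl); }
            item "Get-NetGPO"                   { pv_each($1, &getnetgpo); }
            item "Get-NetGPOGroup"              { pv_each($1, &getnetgpogroup); }
            item "Find-GPOLocation"             { pv_each($1, &findgpolocation); }
            item "Find-GPOComputerAdmin"        { pv_each($1, &findgpocomputeradmin); }
            item "Get-DomainPolicy"             { pv_each($1, &getdomainpolicy); }
        }
        menu "User-Hunting Functions" {
            item "Invoke-UserHunter"            { pv_each($1, &invokeuserhunter); }
            item "Invoke-StealthUserHunter"     { pv_each($1, &invokestealthuserhunter); }
            item "Invoke-ProcessHunter"         { pv_each($1, &invokeprocesshunter); }
        }
        menu "Domain Trust Functions" {
            item "Get-NetDomainTrust"           { pv_each($1, &getnetdomaintrust); }
            item "Get-NetForestTrust"           { pv_each($1, &getnetforesttrust); }
            item "Find-ForeignUser"             { pv_each($1, &findforeignuser); }
            item "Find-ForeignGroup"            { pv_each($1, &findforeigngroup); }
            item "Invoke-MapDomainTrust"        { pv_each($1, &invokemapdomaintrust); }
        }
        menu "MetaFunctions" {
            item "Invoke-ShareFinder"           { pv_each($1, &invokesharefinder); }
            item "Invoke-FileFinder"            { pv_each($1, &invokefilefinder); }
            item "Find-LocalAdminAccess"        { pv_each($1, &findlocaladminaccess); }
            item "Find-ManagedSecurityGroups"   { pv_each($1, &findmanagedsecuritygroups); }
            item "Find-UserField"               { pv_each($1, &finduserfield); }
            item "Find-ComputerField"           { pv_each($1, &findcomputerfield); }
            item "Get-ExploitableSystem"        { pv_each($1, &getexploitablesystem); }
            item "Invoke-EnumerateLocalAdmin"   { pv_each($1, &invokeenumeratelocaladmin); }
        }
    }
}

#---------------
#Misc Functions
#---------------
# Each handler takes a beacon id ($1) and opens the matching PowerView dialog.

sub getipaddress {
    pv_dialog($1, "Get-IPAddress",
        "Resolves a given hostename to its associated IPv4 address. If no hostname is provided, it defaults to returning the IP address of the localhost",
        @(pvt("computername", "ComputerName")));
}

sub findinterestingfile {
    pv_dialog($1, "Find-InterestingFile",
        "This function recursively searches a given UNC path for files with specific keywords in the name (default of pass, sensitive, secret, admin, login and unattend*.xml). The output can be piped out to a csv with the -OutFile flag. By default, hidden files/folders are included in search results.",
        @(pvt("path", "Path"),
          pvt("terms", "Terms"),
          pvt("lastaccesstime", "LastAccessTime"),
          pvt("lastwritetime", "LastWriteTime"),
          pvt("creationtime", "CreationTime"),
          pvt("outfile", "OutFile"),
          pvc("officedocs", "OfficeDocs"),
          pvc("freshexes", "FreshEXEs"),
          pvc("excludefolders", "ExcludeFolders"),
          pvc("excludehidden", "ExcludeHidden"),
          pvc("checkwriteaccess", "CheckWriteAccess"),
          pvc("usepsdrive", "UsePSDrive")));
}

# The original seeded this dialog with a "computername" default while the row
# was "objectname" (PowerView's -ObjectName); the defaults now follow the rows.
sub convertnametosid {
    pv_dialog($1, "Convert-NameToSid",
        "Converts a given user/group name to a security identifier (SID)",
        @(pvt("objectname", "ObjectName"),
          pvt("domain", "Domain")));
}

sub convertsidtoname {
    pv_dialog($1, "Convert-SidToName",
        "Converts a security identifier (SID) to a group/user name",
        @(pvt("sid", "SID")));
}

sub getproxy {
    pv_dialog($1, "Get-Proxy",
        "Enumerates the proxy server and WPAD conents for the current user",
        @(pvt("computername", "ComputerName")));
}

sub getpathacl {
    pv_dialog($1, "Get-PathAcl",
        "Enumerates the ACL for a given file path",
        @(pvt("path", "Path"),
          pvc("recurse", "Recurse")));
}

sub getuserproperty {
    pv_dialog($1, "Get-UserProperty",
        "Returns a list of all user object properties. If a property name is specified, it returns all [user:property] values",
        @(pvt("properties", "Properties"),
          pvt("domain", "Domain"),
          pvt("domaincontroller", "DomainController"),
          pvt("pagesize", "PageSize")));
}

sub getcomputerproperty {
    pv_dialog($1, "Get-ComputerProperty",
        "Returns a list of all computer object properties. If a property name is specified, it returns all [computer:property] values",
        @(pvt("properties", "Properties"),
          pvt("domain", "Domain"),
          pvt("domaincontroller", "DomainController"),
          pvt("pagesize", "PageSize")));
}

sub invokechecklocaladminaccess {
    pv_dialog($1, "Invoke-CheckLocalAdminAccess",
        "This function will use the OpenSCManagerW Win32API call to establish a handle to the remote host. If this succeeds, the current user context has local administrator acess to the target",
        @(pvt("computername", "ComputerName")));
}

# The menu item calls getdomainsearcher; the original defined the handler as
# "getdomainseacher" (typo), so the item never worked. The old name is kept
# as an alias.
sub getdomainsearcher {
    pv_dialog($1, "Get-DomainSearcher",
        "Helper used by various functions that takes an ADSpath and domain specifier and builds the correct ADSI searcher object",
        @(pvt("domain", "Domain"),
          pvt("domaincontroller", "DomainController"),
          pvt("adspath", "ADSpath"),
          pvt("adsprefix", "ADSprefix"),
          pvt("pagesize", "PageSize")));
}
sub getdomainseacher { getdomainsearcher($1); }

sub getobjectacl {
    pv_dialog($1, "Get-ObjectAcl",
        "Returns the ACLs associated with a specific active directory object",
        @(pvt("samaccountname", "SamAccountName"),
          pvt("name", "Name"),
          pvt("distinguishedname", "DistinguishedName"),
          pvt("filter", "Filter"),
          pvt("adspath", "ADSpath"),
          pvt("adsprefix", "ADSprefix"),
          pvt("rightsfilter", "RightsFilter"),
          pvt("domain", "Domain"),
          pvt("domaincontroller", "DomainController"),
          pvt("pagesize", "PageSize"),
          pvc("resolveguids", "ResolveGUIDs")));
}

# Write operation: Add-ObjectAcl modifies the target object's DACL in the
# domain. Make sure the engagement's rules permit AD modifications before use.
# (Formerly spelled "addobjecctacl"; the old name is kept as an alias.)
sub addobjectacl {
    pv_dialog($1, "Add-ObjectAcl",
        "Adds an ACL for a specific active directory object",
        @(pvt("targetsamaccountname", "TargetSamAccountName"),
          pvt("targetname", "TargetName"),
          pvt("targetdistinguishedname", "TargetDistinguishedName"),
          pvt("targetfilter", "TargetFilter"),
          pvt("targetadspath", "TargetADSpath"),
          pvt("targetadsprefix", "TargetADSprefix"),
          pvt("principalsid", "PrincipalSID"),
          pvt("principalname", "PrincipalName"),
          pvt("principalsamaccountname", "PrincipalSamAccountName"),
          pvt("rights", "Rights"),
          pvt("domain", "Domain"),
          pvt("domaincontroller", "DomainController"),
          pvt("pagesize", "PageSize")));
}
sub addobjecctacl { addobjectacl($1); }

sub getlastloggedon {
    pv_dialog($1, "Get-LastLoggedOn",
        "This function uses remote registry functionality to return the last user logged onto a target machine - Requires administrative rights of enumerated system",
        @(pvt("computername", "ComputerName")));
}

sub getcachedrdpconnection {
    pv_dialog($1, "Get-CachedRDPConnection",
        "Uses remote registry functionality to query all entries for the 'Windows Remote Desktop Connection Client' on a machine, separated by user and target server",
        @(pvt("computername", "ComputerName")));
}

sub invokeaclscanner {
    pv_dialog($1, "Invoke-ACLScanner",
        "Searches for ACLs for specifable AD objects (default to all domain objects) with a domain sid of > -1000, and have modifiable rights",
        @(pvt("samaccountname", "SamAccountName"),
          pvt("name", "Name"),
          pvt("distinguishedname", "DistinguishedName"),
          pvt("filter", "Filter"),
          pvt("adspath", "ADSpath"),
          pvt("adsprefix", "ADSprefix"),
          pvt("domain", "Domain"),
          pvt("domaincontroller", "DomainController"),
          pvt("pagesize", "PageSize"),
          pvc("resolveguids", "ResolveGUIDs")));
}

sub getguidmap {
    pv_dialog($1, "Get-GUIDMap",
        "Helper to build a hash table of [GUID] -> resolved names",
        @(pvt("domain", "Domain"),
          pvt("domaincontroller", "DomainController"),
          pvt("pagesize", "PageSize")));
}

sub getdomainsid {
    pv_dialog($1, "Get-DomainSID",
        "Gets the SID for the domain",
        @(pvt("domain", "Domain"),
          pvt("domaincontroller", "DomainController")));
}


#----------------
#net * Functions
#----------------
# NOTE(review): the handlers from here on still use the original per-dialog
# code (global $bid / $cmdargs); they can be ported to pv_dialog() the same way.

sub getnetdomain{
    $bid = $1;
    $cmdargs = "";
    $dialog = dialog("PowerView 2.0 Get-NetDomain", %(execmethod => "PowerPick", domain => ""), lambda({
        foreach $key => $value ($3){
            if ($value ne "" && $value ne "false" && $value ne "true" && $key ne "execmethod"){
                $cmdargs .= ' -';
                $cmdargs .= $key;
                $cmdargs .= ' ';
                $cmdargs .= $value;
            }
            else if ($value eq "true"){
                $cmdargs .= ' -';
                $cmdargs .= $key;
            }
        }
        if($3["execmethod"] eq "PowerPick"){
            btask($bid, 'Executing PowerView Get-NetDomain via PowerPick');
            bpowerpick($bid, 'Get-NetDomain'.$cmdargs.'');
        }
        else if ($3["execmethod"] eq "PowerShell"){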
1024 | btask($bid, 'Executing PowerView Get-NetDomain via PowerShell'); 1025 | bpowershell($bid, 'Get-NetDomain'.$cmdargs.''); 1026 | } 1027 | })); 1028 | dialog_description($dialog, "Returns a given domain object"); 1029 | drow_text($dialog, 'domain', 'Domain'); 1030 | drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 1031 | dbutton_action($dialog, "Run"); 1032 | dialog_show($dialog); 1033 | } 1034 | sub getnetforest{ 1035 | $bid = $1; 1036 | $cmdargs = ""; 1037 | $dialog = dialog("PowerView 2.0 Get-NetForest", %(execmethod => "PowerPick", forest => ""), lambda({ 1038 | foreach $key => $value ($3){ 1039 | if ($value ne "" && $value ne "false" && $value ne "true" && $key ne "execmethod"){ 1040 | $cmdargs .= ' -'; 1041 | $cmdargs .= $key; 1042 | $cmdargs .= ' '; 1043 | $cmdargs .= $value; 1044 | } 1045 | else if ($value eq "true"){ 1046 | $cmdargs .= ' -'; 1047 | $cmdargs .= $key; 1048 | } 1049 | } 1050 | if($3["execmethod"] eq "PowerPick"){ 1051 | btask($bid, 'Executing PowerView Get-NetForest via PowerPick'); 1052 | bpowerpick($bid, 'Get-NetForest'.$cmdargs.''); 1053 | } 1054 | else if ($3["execmethod"] eq "PowerShell"){ 1055 | btask($bid, 'Executing PowerView Get-NetForest via PowerShell'); 1056 | bpowershell($bid, 'Get-NetForest'.$cmdargs.''); 1057 | } 1058 | })); 1059 | dialog_description($dialog, "Returns a given forest object"); 1060 | drow_text($dialog, 'forest', 'Forest'); 1061 | drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 1062 | dbutton_action($dialog, "Run"); 1063 | dialog_show($dialog); 1064 | } 1065 | sub getnetforestdomain{ 1066 | $bid = $1; 1067 | $cmdargs = ""; 1068 | $dialog = dialog("PowerView 2.0 Get-NetForestDomain", %(execmethod => "PowerPick", forest => ""), lambda({ 1069 | foreach $key => $value ($3){ 1070 | if ($value ne "" && $value ne "false" && $value ne "true" && $key ne "execmethod"){ 1071 | $cmdargs .= ' -'; 1072 | $cmdargs .= $key; 1073 | $cmdargs .= ' '; 1074 | 
$cmdargs .= $value; 1075 | } 1076 | else if ($value eq "true"){ 1077 | $cmdargs .= ' -'; 1078 | $cmdargs .= $key; 1079 | } 1080 | } 1081 | if($3["execmethod"] eq "PowerPick"){ 1082 | btask($bid, 'Executing PowerView Get-NetForestDomain via PowerPick'); 1083 | bpowerpick($bid, 'Get-NetForestDomain'.$cmdargs.''); 1084 | } 1085 | else if ($3["execmethod"] eq "PowerShell"){ 1086 | btask($bid, 'Executing PowerView Get-NetForestDomain via PowerShell'); 1087 | bpowershell($bid, 'Get-NetForestDomain'.$cmdargs.''); 1088 | } 1089 | })); 1090 | dialog_description($dialog, "Returns a given forest object"); 1091 | drow_text($dialog, 'forest', 'Forest'); 1092 | drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 1093 | dbutton_action($dialog, "Run"); 1094 | dialog_show($dialog); 1095 | } 1096 | sub getnetdomaincontroller{ 1097 | $bid = $1; 1098 | $cmdargs = ""; 1099 | $dialog = dialog("PowerView 2.0 Get-NetDomainController", %(execmethod => "PowerPick", domain => "", domaincontroller => "", ldap => "false"), lambda({ 1100 | foreach $key => $value ($3){ 1101 | if ($value ne "" && $value ne "false" && $value ne "true" && $key ne "execmethod"){ 1102 | $cmdargs .= ' -'; 1103 | $cmdargs .= $key; 1104 | $cmdargs .= ' '; 1105 | $cmdargs .= $value; 1106 | } 1107 | else if ($value eq "true"){ 1108 | $cmdargs .= ' -'; 1109 | $cmdargs .= $key; 1110 | } 1111 | } 1112 | if($3["execmethod"] eq "PowerPick"){ 1113 | btask($bid, 'Executing PowerView Get-NetDomainController via PowerPick'); 1114 | bpowerpick($bid, 'Get-NetDomainController'.$cmdargs.''); 1115 | } 1116 | else if ($3["execmethod"] eq "PowerShell"){ 1117 | btask($bid, 'Executing PowerView Get-NetDomainController via PowerShell'); 1118 | bpowershell($bid, 'Get-NetDomainController'.$cmdargs.''); 1119 | } 1120 | })); 1121 | dialog_description($dialog, "Return the current domain controllers for the active domain"); 1122 | drow_text($dialog, 'domain', 'Domain'); 1123 | drow_text($dialog, 'domaincontroller', 
'DomainController'); 1124 | drow_checkbox($dialog, 'ldap', 'LDAP'); 1125 | drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 1126 | dbutton_action($dialog, "Run"); 1127 | dialog_show($dialog); 1128 | } 1129 | sub getnetuser{ 1130 | $bid = $1; 1131 | $cmdargs = ""; 1132 | $dialog = dialog("PowerView 2.0 Get-NetUser", %(execmethod => "PowerPick", username => "", domain => "", domaincontroller => "", adspath => "", filter => "", admincount => "false", spn => "false", unconstrained => "false", allowdelegation => "false", pagesize => ""), lambda({ 1133 | foreach $key => $value ($3){ 1134 | if ($value ne "" && $value ne "false" && $value ne "true" && $key ne "execmethod"){ 1135 | $cmdargs .= ' -'; 1136 | $cmdargs .= $key; 1137 | $cmdargs .= ' '; 1138 | $cmdargs .= $value; 1139 | } 1140 | else if ($value eq "true"){ 1141 | $cmdargs .= ' -'; 1142 | $cmdargs .= $key; 1143 | } 1144 | } 1145 | if($3["execmethod"] eq "PowerPick"){ 1146 | btask($bid, 'Executing PowerView Get-NetUser via PowerPick'); 1147 | bpowerpick($bid, 'Get-NetUser'.$cmdargs.''); 1148 | } 1149 | else if ($3["execmethod"] eq "PowerShell"){ 1150 | btask($bid, 'Executing PowerView Get-NetUser via PowerShell'); 1151 | bpowershell($bid, 'Get-NetUser'.$cmdargs.''); 1152 | } 1153 | })); 1154 | dialog_description($dialog, "Query information for a given user or users in the domain using ADSI and LDAP. Another -Domain can be specified to query for users across a trust. 
Replacement for 'net users /domain'"); 1155 | drow_text($dialog, 'username', 'UserName'); 1156 | drow_text($dialog, 'domain', 'Domain'); 1157 | drow_text($dialog, 'domaincontroller', 'DomainController'); 1158 | drow_text($dialog, 'adspath', 'ADSpath'); 1159 | drow_text($dialog, 'filter', 'Filter'); 1160 | drow_text($dialog, 'pagesize', 'PageSize'); 1161 | drow_checkbow($dialog, 'admincount', 'AdminCount'); 1162 | drow_checkbox($dialog, 'spn', 'SPN'); 1163 | drow_checkbox($dialog, 'unconstrained', 'Unconstrained'); 1164 | drow_checkbox($dialog, 'allowdelegation', 'AllowDelegation'); 1165 | drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 1166 | dbutton_action($dialog, "Run"); 1167 | dialog_show($dialog); 1168 | } 1169 | sub addnetuser{ 1170 | $bid = $1; 1171 | $cmdargs = ""; 1172 | $dialog = dialog("PowerView 2.0 Add-NetUser", %(execmethod => "PowerPick", username => "", password => "", groupname => "", domain => ""), lambda({ 1173 | foreach $key => $value ($3){ 1174 | if ($value ne "" && $value ne "false" && $value ne "true" && $key ne "execmethod"){ 1175 | $cmdargs .= ' -'; 1176 | $cmdargs .= $key; 1177 | $cmdargs .= ' '; 1178 | $cmdargs .= $value; 1179 | } 1180 | else if ($value eq "true"){ 1181 | $cmdargs .= ' -'; 1182 | $cmdargs .= $key; 1183 | } 1184 | } 1185 | if($3["execmethod"] eq "PowerPick"){ 1186 | btask($bid, 'Executing PowerView Add-NetUser via PowerPick'); 1187 | bpowerpick($bid, 'Add-NetUser'.$cmdargs.''); 1188 | } 1189 | else if ($3["execmethod"] eq "PowerShell"){ 1190 | btask($bid, 'Executing PowerView Add-NetUser via PowerShell'); 1191 | bpowershell($bid, 'Add-NetUser'.$cmdargs.''); 1192 | } 1193 | })); 1194 | dialog_description($dialog, "Adds a domain user or a local user to the current (or remote) machine, if permissions allow, utilizing the WinNT service provider and DirectoryServices.AccountManagement, respectively. The default behavior is to add a user to the local machine. 
An optional group name to add the user to can be specified."); 1195 | drow_text($dialog, 'username', 'UserName'); 1196 | drow_text($dialog, 'password', 'Password'); 1197 | drow_text($dialog, 'groupname' 'GroupName'); 1198 | drow_text($dialog, 'domain', 'Domain'); 1199 | drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 1200 | dbutton_action($dialog, "Run"); 1201 | dialog_show($dialog); 1202 | } 1203 | sub getnetcomputer{ 1204 | $bid = $1; 1205 | $cmdargs = ""; 1206 | $dialog = dialog("PowerView 2.0 Get-NetComputer", %(execmethod => "PowerPick", computername => "", spn => "", operatingsystem => "", servicepack => "", filter => "", printers => "false", ping => "false", fulldata => "false", domain => "", domaincontroller => "", adspath => "", sitename => "", unconstrained => "false", pagesize => ""), lambda({ 1207 | foreach $key => $value ($3){ 1208 | if ($value ne "" && $value ne "false" && $value ne "true" && $key ne "execmethod"){ 1209 | $cmdargs .= ' -'; 1210 | $cmdargs .= $key; 1211 | $cmdargs .= ' '; 1212 | $cmdargs .= $value; 1213 | } 1214 | else if ($value eq "true"){ 1215 | $cmdargs .= ' -'; 1216 | $cmdargs .= $key; 1217 | } 1218 | } 1219 | if($3["execmethod"] eq "PowerPick"){ 1220 | btask($bid, 'Executing PowerView Get-NetComputer via PowerPick'); 1221 | bpowerpick($bid, 'Get-NetComputer'.$cmdargs.''); 1222 | } 1223 | else if ($3["execmethod"] eq "PowerShell"){ 1224 | btask($bid, 'Executing PowerView Get-NetComputer via PowerShell'); 1225 | bpowershell($bid, 'Get-NetComputer'.$cmdargs.''); 1226 | } 1227 | })); 1228 | dialog_description($dialog, "This function utilizes adsisearcher to query the current AD context for current computer objects. 
Based off of Carlos Perez's Audit.psm1 script in Posh-SecMod"); 1229 | drow_text($dialog, 'computername', 'ComputerName'); 1230 | drow_text($dialog, 'spn', 'SPN'); 1231 | drow_text($dialog, 'operatingsystem', 'OperatingSystem'); 1232 | drow_text($dialog, 'servicepack', 'ServicePack'); 1233 | drow_text($dialog, 'filter', 'Filter'); 1234 | drow_text($dialog, 'domain', 'Domain'); 1235 | drow_text($dialog, 'domaincontroller', 'DomainController'); 1236 | drow_text($dialog, 'adspath', 'ADSpath'); 1237 | drow_text($dialog, 'sitename', 'SiteName'); 1238 | drow_text($dialog, 'pagesize', 'PageSize'); 1239 | drow_checkbox($dialog, 'ping', 'Ping'); 1240 | drow_checkbox($dialog, 'printers', 'Printers'); 1241 | drow_checkbox($dialog, 'fulldata', 'FullData'); 1242 | drow_checkbox($dialog, 'unconstrained', 'Unconstrained'); 1243 | drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 1244 | dbutton_action($dialog, "Run"); 1245 | dialog_show($dialog); 1246 | } 1247 | sub getnetou{ 1248 | $bid = $1; 1249 | $cmdargs = ""; 1250 | $dialog = dialog("PowerView 2.0 Get-NetOU", %(execmethod => "PowerPick", ouname => "", guid => "", domain => "", domaincontroller => "", adspath => "", fulldata => "false", pagesize => ""), lambda({ 1251 | foreach $key => $value ($3){ 1252 | if ($value ne "" && $value ne "false" && $value ne "true" && $key ne "execmethod"){ 1253 | $cmdargs .= ' -'; 1254 | $cmdargs .= $key; 1255 | $cmdargs .= ' '; 1256 | $cmdargs .= $value; 1257 | } 1258 | else if ($value eq "true"){ 1259 | $cmdargs .= ' -'; 1260 | $cmdargs .= $key; 1261 | } 1262 | } 1263 | if($3["execmethod"] eq "PowerPick"){ 1264 | btask($bid, 'Executing PowerView Get-NetOu via PowerPick'); 1265 | bpowerpick($bid, 'Get-NetOU'.$cmdargs.''); 1266 | } 1267 | else if ($3["execmethod"] eq "PowerShell"){ 1268 | btask($bid, 'Executing PowerView Get-NetOu via PowerShell'); 1269 | bpowershell($bid, 'Get-NetOU'.$cmdargs.''); 1270 | } 1271 | })); 1272 | dialog_description($dialog, "Gets a 
list of all current OUs in a domain"); 1273 | drow_text($dialog, 'ouname', 'OUName'); 1274 | drow_text($dialog, 'guid', 'GUID'); 1275 | drow_text($dialog, 'domain', 'Domain'); 1276 | drow_text($dialog, 'domaincontroller', 'DomainController'); 1277 | drow_text($dialog, 'adspath', 'ADSpath'); 1278 | drow_text($dialog, 'pagesize', 'PageSize'); 1279 | drow_checkbox($dialog, 'fulldata', 'FullData'); 1280 | drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 1281 | dbutton_action($dialog, "Run"); 1282 | dialog_show($dialog); 1283 | } 1284 | sub getnetsite{ 1285 | $bid = $1; 1286 | $cmdargs = ""; 1287 | $dialog = dialog("PowerView 2.0 Get-NetSite", %(execmethod => "PowerPick", sitename => "", domain => "", domaincontroller => "", adspath => "", guid => "", fulldata => "false", pagesize => ""), lambda({ 1288 | foreach $key => $value ($3){ 1289 | if ($value ne "" && $value ne "false" && $value ne "true" && $key ne "execmethod"){ 1290 | $cmdargs .= ' -'; 1291 | $cmdargs .= $key; 1292 | $cmdargs .= ' '; 1293 | $cmdargs .= $value; 1294 | } 1295 | else if ($value eq "true"){ 1296 | $cmdargs .= ' -'; 1297 | $cmdargs .= $key; 1298 | } 1299 | } 1300 | if($3["execmethod"] eq "PowerPick"){ 1301 | btask($bid, 'Executing PowerView Get-NetSite via PowerPick'); 1302 | bpowerpick($bid, 'Get-NetSite'.$cmdargs.''); 1303 | } 1304 | else if ($3["execmethod"] eq "PowerShell"){ 1305 | btask($bid, 'Executing PowerView Get-NetSite via PowerShell'); 1306 | bpowershell($bid, 'Get-NetSite'.$cmdargs.''); 1307 | } 1308 | })); 1309 | dialog_description($dialog, "Gets a list of all current sites in a domain"); 1310 | drow_text($dialog, 'sitename', 'SiteName'); 1311 | drow_text($dialog, 'domain', 'Domain'); 1312 | drow_text($dialog, 'domaincontroller', 'DomainController'); 1313 | drow_text($dialog, 'adspath', 'ADSpath'); 1314 | drow_text($dialog, 'guid', 'GUID'); 1315 | drow_text($dialog, 'pagesize', 'PageSize'); 1316 | drow_checkbox($dialog, 'fulldata', 'FullData'); 1317 
| drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 1318 | dbutton_action($dialog, "Run"); 1319 | dialog_show($dialog); 1320 | } 1321 | sub getnetsubnet{ 1322 | $bid = $1; 1323 | $cmdargs = ""; 1324 | $dialog = dialog("PowerView 2.0 Get-NetSubnet", %(execmethod => "PowerPick", sitename => "", domain => "", domaincontroller => "", adspath => "", fulldata => "false", pagesize => ""), lambda({ 1325 | foreach $key => $value ($3){ 1326 | if ($value ne "" && $value ne "false" && $value ne "true" && $key ne "execmethod"){ 1327 | $cmdargs .= ' -'; 1328 | $cmdargs .= $key; 1329 | $cmdargs .= ' '; 1330 | $cmdargs .= $value; 1331 | } 1332 | else if ($value eq "true"){ 1333 | $cmdargs .= ' -'; 1334 | $cmdargs .= $key; 1335 | } 1336 | } 1337 | if($3["execmethod"] eq "PowerPick"){ 1338 | btask($bid, 'Executing PowerView Get-NetSubnet via PowerPick'); 1339 | bpowerpick($bid, 'Get-NetSubnet'.$cmdargs.''); 1340 | } 1341 | else if ($3["execmethod"] eq "PowerShell"){ 1342 | btask($bid, 'Executing PowerView Get-NetSubnet via PowerShell'); 1343 | bpowershell($bid, 'Get-NetSubnet'.$cmdargs.''); 1344 | } 1345 | })); 1346 | dialog_description($dialog, "Gets a list of all current subnets in a domain"); 1347 | drow_text($dialog, 'sitename', 'SiteName'); 1348 | drow_text($dialog, 'domain', 'Domain'); 1349 | drow_text($dialog, 'domaincontroller', 'DomainController'); 1350 | drow_text($dialog, 'adspath', 'ADSpath'); 1351 | drow_text($dialog, 'pagesize', 'PageSize'); 1352 | drow_checkbox($dialog, 'fulldata', 'FullData'); 1353 | drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 1354 | dbutton_action($dialog, "Run"); 1355 | dialog_show($dialog); 1356 | } 1357 | sub getnetgroup{ 1358 | $bid = $1; 1359 | $cmdargs = ""; 1360 | $dialog = dialog("PowerView 2.0 Get-NetGroup", %(execmethod => "PowerPick", groupname => "", sid => "", username => "", filter => "", domain => "", domaincontroller => "", adspath => "", admincount => "false", 
fulldata => "false", rawsids => "false", pagesize => ""), lambda({ 1361 | foreach $key => $value ($3){ 1362 | if ($value ne "" && $value ne "false" && $value ne "true" && $key ne "execmethod"){ 1363 | $cmdargs .= ' -'; 1364 | $cmdargs .= $key; 1365 | $cmdargs .= ' '; 1366 | $cmdargs .= $value; 1367 | } 1368 | else if ($value eq "true"){ 1369 | $cmdargs .= ' -'; 1370 | $cmdargs .= $key; 1371 | } 1372 | } 1373 | if($3["execmethod"] eq "PowerPick"){ 1374 | btask($bid, 'Executing PowerView Get-NetGroup via PowerPick'); 1375 | bpowerpick($bid, 'Get-NetGroup'.$cmdargs.''); 1376 | } 1377 | else if ($3["execmethod"] eq "PowerShell"){ 1378 | btask($bid, 'Executing PowerView Get-NetGroup via PowerShell'); 1379 | bpowershell($bid, 'Get-NetGroup'.$cmdargs.''); 1380 | } 1381 | })); 1382 | dialog_description($dialog, "Gets a list of all current groups in a domain, or all the groups a given user/group object belongs to"); 1383 | drow_text($dialog, 'groupname', 'GroupName'); 1384 | drow_text($dialog, 'sid', 'SID'); 1385 | drow_text($dialog, 'username', 'UserName'); 1386 | drow_text($dialog, 'filter', 'Filter'); 1387 | drow_text($dialog, 'domain', 'Domain'); 1388 | drow_text($dialog, 'domaincontroller', 'DomainController'); 1389 | drow_text($dialog, 'adspath', 'ADSpath'); 1390 | drow_text($dialog, 'pagesize', 'PageSize'); 1391 | drow_checkbox($dialog, 'admincount', 'AdminCount'); 1392 | drow_checkbox($dialog, 'rawsids', 'RawSids'); 1393 | drow_checkbox($dialog, 'fulldata', 'FullData'); 1394 | drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 1395 | dbutton_action($dialog, "Run"); 1396 | dialog_show($dialog); 1397 | } 1398 | sub getnetgroupmemeber{ 1399 | $bid = $1; 1400 | $cmdargs = ""; 1401 | $dialog = dialog("PowerView 2.0 Get-NetGroupMember", %(execmethod => "PowerPick", groupname => "", sid => "", filter => "", domain => "", domaincontroller => "", adspath => "", fulldata => "false", recurse => "false", usematchingrule => "false", pagesize => 
""), lambda({ 1402 | foreach $key => $value ($3){ 1403 | if ($value ne "" && $value ne "false" && $value ne "true" && $key ne "execmethod"){ 1404 | $cmdargs .= ' -'; 1405 | $cmdargs .= $key; 1406 | $cmdargs .= ' '; 1407 | $cmdargs .= $value; 1408 | } 1409 | else if ($value eq "true"){ 1410 | $cmdargs .= ' -'; 1411 | $cmdargs .= $key; 1412 | } 1413 | } 1414 | if($3["execmethod"] eq "PowerPick"){ 1415 | btask($bid, 'Executing PowerView Get-NetGroupMember via PowerPick'); 1416 | bpowerpick($bid, 'Get-NetGroupMember'.$cmdargs.''); 1417 | } 1418 | else if ($3["execmethod"] eq "PowerShell"){ 1419 | btask($bid, 'Executing PowerView Get-NetGroupMember via PowerShell'); 1420 | bpowershell($bid, 'Get-NetGroupMember'.$cmdargs.''); 1421 | } 1422 | })); 1423 | dialog_description($dialog, "This function users [ADSI] and LDAP to query the current AD context or trusted domain for users in a specified group. If no GroupName is specified, it defaults to querying the 'Domain Admins' group. This is a replacement for 'net group 'name' /domain'"); 1424 | drow_text($dialog, 'groupname', 'GroupName'); 1425 | drow_text($dialog, 'sid', 'SID'); 1426 | drow_text($dialog, 'filter', 'Filter'); 1427 | drow_text($dialog, 'domain', 'Domain'); 1428 | drow_text($dialog, 'domaincontroller', 'DomainController'); 1429 | drow_text($dialog, 'adspath', 'ADSpath'); 1430 | drow_text($dialog, 'pagesize', 'PageSize'); 1431 | drow_checkbox($dialog, 'recurse', 'Recurse'); 1432 | drow_checkbox($dialog, 'usematchingrule', 'UseMatchingRule') 1433 | drow_checkbox($dialog, 'fulldata', 'FullData'); 1434 | drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 1435 | dbutton_action($dialog, "Run"); 1436 | dialog_show($dialog); 1437 | } 1438 | sub getnetlocalgroup{ 1439 | $bid = $1; 1440 | $cmdargs = ""; 1441 | $dialog = dialog("PowerView 2.0 Get-NetLocalGroup", %(execmethod => "PowerPick", computername => "", computerfile => "", groupname => "", listgroups => "false", recurse => "false", 
api => "false"), lambda({ 1442 | foreach $key => $value ($3){ 1443 | if ($value ne "" && $value ne "false" && $value ne "true" && $key ne "execmethod"){ 1444 | $cmdargs .= ' -'; 1445 | $cmdargs .= $key; 1446 | $cmdargs .= ' '; 1447 | $cmdargs .= $value; 1448 | } 1449 | else if ($value eq "true"){ 1450 | $cmdargs .= ' -'; 1451 | $cmdargs .= $key; 1452 | } 1453 | } 1454 | if($3["execmethod"] eq "PowerPick"){ 1455 | btask($bid, 'Executing PowerView Get-NetLocalGroup via PowerPick'); 1456 | bpowerpick($bid, 'Get-NetLocalGroup'.$cmdargs.''); 1457 | } 1458 | else if ($3["execmethod"] eq "PowerShell"){ 1459 | btask($bid, 'Executing PowerView Get-NetLocalGroup via PowerShell'); 1460 | bpowershell($bid, 'Get-NetLocalGroup'.$cmdargs.''); 1461 | } 1462 | })); 1463 | dialog_description($dialog, "Gets a list of all current users in a specified local group, or returns the names of all local groups with -ListGroups"); 1464 | drow_text($dialog, 'computername', 'ComputerName'); 1465 | drow_text($dialog, 'computerfile', 'ComputerFile'); 1466 | drow_text($dialog, 'groupname', 'GroupName'); 1467 | drow_checkbox($dialog, 'listgroups', 'ListGroups'); 1468 | drow_checkbox($dialog, 'recurse', 'Recurse') 1469 | drow_checkbox($dialog, 'api', 'API'); 1470 | drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 1471 | dbutton_action($dialog, "Run"); 1472 | dialog_show($dialog); 1473 | } 1474 | sub addnetgroupuser{ 1475 | $bid = $1; 1476 | $cmdargs = ""; 1477 | $dialog = dialog("PowerView 2.0 Add-NetGroupUser", %(execmethod => "PowerPick", username => "", groupname => "", computername => "", domain => ""), lambda({ 1478 | foreach $key => $value ($3){ 1479 | if ($value ne "" && $value ne "false" && $value ne "true" && $key ne "execmethod"){ 1480 | $cmdargs .= ' -'; 1481 | $cmdargs .= $key; 1482 | $cmdargs .= ' '; 1483 | $cmdargs .= $value; 1484 | } 1485 | else if ($value eq "true"){ 1486 | $cmdargs .= ' -'; 1487 | $cmdargs .= $key; 1488 | } 1489 | } 1490 | 
if($3["execmethod"] eq "PowerPick"){ 1491 | btask($bid, 'Executing PowerView Add-NetGroupUser via PowerPick'); 1492 | bpowerpick($bid, 'Add-NetGroupUser'.$cmdargs.''); 1493 | } 1494 | else if ($3["execmethod"] eq "PowerShell"){ 1495 | btask($bid, 'Executing PowerView Add-NetGroupUser via PowerShell'); 1496 | bpowershell($bid, 'Add-NetGroupUser'.$cmdargs.''); 1497 | } 1498 | })); 1499 | dialog_description($dialog, "Adds a user to a domain group or a local group on the current (or remote) machine, if permissions allow, utilizing the WinNT service provider and DirectoryServices.AccountManagement, respectively"); 1500 | drow_text($dialog, 'username', 'UserName'); 1501 | drow_text($dialog, 'groupname', 'GroupName'); 1502 | drow_text($dialog, 'computername', 'ComputerName'); 1503 | drow_text($dialog, 'domain', 'Domain'); 1504 | drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 1505 | dbutton_action($dialog, "Run"); 1506 | dialog_show($dialog); 1507 | } 1508 | sub getnetfileserver{ 1509 | $bid = $1; 1510 | $cmdargs = ""; 1511 | $dialog = dialog("PowerView 2.0 Get-NetFileServer", %(execmethod => "PowerPick", domain => "", domaincontroller => "", targetusers => "", pagesize => ""), lambda({ 1512 | foreach $key => $value ($3){ 1513 | if ($value ne "" && $value ne "false" && $value ne "true" && $key ne "execmethod"){ 1514 | $cmdargs .= ' -'; 1515 | $cmdargs .= $key; 1516 | $cmdargs .= ' '; 1517 | $cmdargs .= $value; 1518 | } 1519 | else if ($value eq "true"){ 1520 | $cmdargs .= ' -'; 1521 | $cmdargs .= $key; 1522 | } 1523 | } 1524 | if($3["execmethod"] eq "PowerPick"){ 1525 | btask($bid, 'Executing PowerView Get-NetFileServer via PowerPick'); 1526 | bpowerpick($bid, 'Get-NetFileServer'.$cmdargs.''); 1527 | } 1528 | else if ($3["execmethod"] eq "PowerShell"){ 1529 | btask($bid, 'Executing PowerView Get-NetFileServer via PowerShell'); 1530 | bpowershell($bid, 'Get-NetFileServer'.$cmdargs.''); 1531 | } 1532 | })); 1533 | 
dialog_description($dialog, "Returns a list of all file servers extracted from user homedirectory, scriptpath, and profilepath fields"); 1534 | drow_text($dialog, 'domain', 'UserName'); 1535 | drow_text($dialog, 'domaincontroller', 'DomainController'); 1536 | drow_text($dialog, 'targetusers', 'TargetUsers'); 1537 | drow_text($dialog, 'pagesize', 'PageSize'); 1538 | drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 1539 | dbutton_action($dialog, "Run"); 1540 | dialog_show($dialog); 1541 | } 1542 | sub getnetshare{ 1543 | $bid = $1; 1544 | $cmdargs = ""; 1545 | $dialog = dialog("PowerView 2.0 Get-NetShare", %(execmethod => "PowerPick", computername => ""), lambda({ 1546 | foreach $key => $value ($3){ 1547 | if ($value ne "" && $value ne "false" && $value ne "true" && $key ne "execmethod"){ 1548 | $cmdargs .= ' -'; 1549 | $cmdargs .= $key; 1550 | $cmdargs .= ' '; 1551 | $cmdargs .= $value; 1552 | } 1553 | else if ($value eq "true"){ 1554 | $cmdargs .= ' -'; 1555 | $cmdargs .= $key; 1556 | } 1557 | } 1558 | if($3["execmethod"] eq "PowerPick"){ 1559 | btask($bid, 'Executing PowerView Get-NetShare via PowerPick'); 1560 | bpowerpick($bid, 'Get-NetShare'.$cmdargs.''); 1561 | } 1562 | else if ($3["execmethod"] eq "PowerShell"){ 1563 | btask($bid, 'Executing PowerView Get-NetShare via PowerShell'); 1564 | bpowershell($bid, 'Get-NetShare'.$cmdargs.''); 1565 | } 1566 | })); 1567 | dialog_description($dialog, "This function will execute the NetShareEnum Win32API call to query a given host for open shares. 
This is a replacement for 'net share \\hostname'"); 1568 | drow_text($dialog, "computername", "ComputerName"); 1569 | drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 1570 | dbutton_action($dialog, "Run"); 1571 | dialog_show($dialog); 1572 | } 1573 | sub getnetloggedon{ 1574 | $bid = $1; 1575 | $cmdargs = ""; 1576 | $dialog = dialog("PowerView 2.0 Get-NetLoggedon", %(execmethod => "PowerPick", computername => ""), lambda({ 1577 | foreach $key => $value ($3){ 1578 | if ($value ne "" && $value ne "false" && $value ne "true" && $key ne "execmethod"){ 1579 | $cmdargs .= ' -'; 1580 | $cmdargs .= $key; 1581 | $cmdargs .= ' '; 1582 | $cmdargs .= $value; 1583 | } 1584 | else if ($value eq "true"){ 1585 | $cmdargs .= ' -'; 1586 | $cmdargs .= $key; 1587 | } 1588 | } 1589 | if($3["execmethod"] eq "PowerPick"){ 1590 | btask($bid, 'Executing PowerView Get-NetLoggedon via PowerPick'); 1591 | bpowerpick($bid, 'Get-NetLoggedon'.$cmdargs.''); 1592 | } 1593 | else if ($3["execmethod"] eq "PowerShell"){ 1594 | btask($bid, 'Executing PowerView Get-NetLoggedon via PowerShell'); 1595 | bpowershell($bid, 'Get-NetLoggedon'.$cmdargs.''); 1596 | } 1597 | })); 1598 | dialog_description($dialog, "This function will execute the NetWkstaUserEnum Win32API call to query a given host for actively logged on users"); 1599 | drow_text($dialog, "computername", "ComputerName"); 1600 | drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 1601 | dbutton_action($dialog, "Run"); 1602 | dialog_show($dialog); 1603 | } 1604 | sub getnetsession{ 1605 | $bid = $1; 1606 | $cmdargs = ""; 1607 | $dialog = dialog("PowerView 2.0 Get-NetSession", %(execmethod => "PowerPick", computername => "", username => ""), lambda({ 1608 | foreach $key => $value ($3){ 1609 | if ($value ne "" && $value ne "false" && $value ne "true" && $key ne "execmethod"){ 1610 | $cmdargs .= ' -'; 1611 | $cmdargs .= $key; 1612 | $cmdargs .= ' '; 1613 | $cmdargs .= $value; 1614 | } 
1615 | else if ($value eq "true"){ 1616 | $cmdargs .= ' -'; 1617 | $cmdargs .= $key; 1618 | } 1619 | } 1620 | if($3["execmethod"] eq "PowerPick"){ 1621 | btask($bid, 'Executing PowerView Get-NetSession via PowerPick'); 1622 | bpowerpick($bid, 'Get-NetSession'.$cmdargs.''); 1623 | } 1624 | else if ($3["execmethod"] eq "PowerShell"){ 1625 | btask($bid, 'Executing PowerView Get-NetSession via PowerShell'); 1626 | bpowershell($bid, 'Get-NetSession'.$cmdargs.''); 1627 | } 1628 | })); 1629 | dialog_description($dialog, "This function will execute the NetSessionEnum Win32API call to query a given host for active sessions on the host. Heavily adapted from dunedinite's post on stackoverflow"); 1630 | drow_text($dialog, 'computername', 'ComputerName'); 1631 | drow_text($dialog, 'username', 'UserName'); 1632 | drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 1633 | dbutton_action($dialog, "Run"); 1634 | dialog_show($dialog); 1635 | } 1636 | sub getnetrdpsession{ 1637 | $bid = $1; 1638 | $cmdargs = ""; 1639 | $dialog = dialog("PowerView 2.0 Get-NetRDPSession", %(execmethod => "PowerPick", computername => ""), lambda({ 1640 | foreach $key => $value ($3){ 1641 | if ($value ne "" && $value ne "false" && $value ne "true" && $key ne "execmethod"){ 1642 | $cmdargs .= ' -'; 1643 | $cmdargs .= $key; 1644 | $cmdargs .= ' '; 1645 | $cmdargs .= $value; 1646 | } 1647 | else if ($value eq "true"){ 1648 | $cmdargs .= ' -'; 1649 | $cmdargs .= $key; 1650 | } 1651 | } 1652 | if($3["execmethod"] eq "PowerPick"){ 1653 | btask($bid, 'Executing PowerView Get-NetRDPSession via PowerPick'); 1654 | bpowerpick($bid, 'Get-NetRDPSession'.$cmdargs.''); 1655 | } 1656 | else if ($3["execmethod"] eq "PowerShell"){ 1657 | btask($bid, 'Executing PowerView Get-NetRDPSession via PowerShell'); 1658 | bpowershell($bid, 'Get-NetRDPSession'.$cmdargs.''); 1659 | } 1660 | })); 1661 | dialog_description($dialog, "This function will execute the WTSEnumerateSessionsEx and 
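WTSQuerySessionInformation Win32API calls to query a given RDP remote service for active sessions and originating IPs. This is a replacement for qwinsta. Note: only members of the Administrators or Account Operators local group can successfully execute this functionality on a remote target."); 1662 | drow_text($dialog, "computername", "ComputerName"); 1663 | drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 1664 | dbutton_action($dialog, "Run"); 1665 | dialog_show($dialog); 1666 | }

#
# Shared helpers for the PowerView dialogs below.
#
# Every dialog in this section used to carry its own copy of the argument
# builder and the PowerPick/PowerShell dispatch, and kept $bid / $cmdargs as
# globals. Globals are a real problem here: the dialog callback only runs when
# the operator presses "Run", and by then another dialog (or a multi-select
# over several beacons) may have overwritten $bid and $cmdargs, so the task
# went to the wrong beacon or carried a previous dialog's arguments. The
# helpers keep everything local and each dialog captures its own $bid in the
# lambda.
#

# Build the " -Key Value" argument string for a PowerView cmdlet from a
# dialog result hash ($1).
#   - blank text fields and unticked checkboxes ("false") are skipped
#   - ticked checkboxes ("true") become a bare switch (" -Key")
#   - the "execmethod" selector is never forwarded to PowerShell
# Values are concatenated exactly as typed: no quoting or escaping is added,
# so a value containing spaces must be quoted by the operator in the field.
# Returns the argument string (possibly empty), always with a leading space
# before each switch so it can be appended directly to the cmdlet name.
sub pv_args {
    local('$cmdargs $key $value');
    $cmdargs = "";
    foreach $key => $value ($1) {
        if ($value eq "true") {
            $cmdargs .= ' -' . $key;
        }
        else if ($key ne "execmethod" && $value ne "" && $value ne "false") {
            $cmdargs .= ' -' . $key . ' ' . $value;
        }
    }
    return $cmdargs;
}

# Task beacon $1 to run PowerView cmdlet $2 with the dialog values in $3.
# $3["execmethod"] selects the runner: "PowerPick" -> bpowerpick,
# "PowerShell" -> bpowershell. Any other value is ignored, which matches the
# original per-dialog code (the combobox only offers those two values).
sub pv_run {
    local('$bid $cmdlet $values $method $cmd');
    $bid = $1;
    $cmdlet = $2;
    $values = $3;
    $method = $values["execmethod"];
    $cmd = $cmdlet . pv_args($values);
    if ($method eq "PowerPick") {
        btask($bid, "Executing PowerView $cmdlet via PowerPick");
        bpowerpick($bid, $cmd);
    }
    else if ($method eq "PowerShell") {
        btask($bid, "Executing PowerView $cmdlet via PowerShell");
        bpowershell($bid, $cmd);
    }
}

# Dialog for Get-NetProcess; $1 is the beacon id to task.
sub getnetprocess {
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("PowerView 2.0 Get-NetProcess", %(execmethod => "PowerPick", computername => ""), lambda({
        pv_run($bid, "Get-NetProcess", $3);
    }, $bid => $bid));
    dialog_description($dialog, "Gets a list of processes/owners on a remote machine");
    drow_text($dialog, "computername", "ComputerName");
    drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell"));
    dbutton_action($dialog, "Run");
    dialog_show($dialog);
}

# Dialog for Get-UserEvent; $1 is the beacon id to task.
sub getuserevent {
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("PowerView 2.0 Get-UserEvent", %(execmethod => "PowerPick", computername => "", eventtype => "", datestart => ""), lambda({
        pv_run($bid, "Get-UserEvent", $3);
    }, $bid => $bid));
    dialog_description($dialog, "Dump and parse security events relating to an account logon (ID 4624) or a TGT request event (ID 4768). Intended to be used and tested on Windows 2008 Domain Controllers. Admin Reqd? YES");
    drow_text($dialog, 'computername', 'ComputerName');
    drow_text($dialog, 'eventtype', 'EventType');
    drow_text($dialog, 'datestart', 'DateStart');
    drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell"));
    dbutton_action($dialog, "Run");
    dialog_show($dialog);
}

# Dialog for Get-ADObject; $1 is the beacon id to task.
sub getadobject {
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("PowerView 2.0 Get-ADObject", %(execmethod => "PowerPick", sid => "", name => "", samaccountname => "", domain => "", domaincontroller => "", adspath => "", filter => "", returnraw => "false", pagesize => ""), lambda({
        pv_run($bid, "Get-ADObject", $3);
    }, $bid => $bid));
    dialog_description($dialog, "Takes a domain SID and returns the user, group, or computer object associated with it");
    drow_text($dialog, 'sid', 'SID');
    drow_text($dialog, 'name', 'Name');
    drow_text($dialog, 'samaccountname', 'SamAccountName');
    drow_text($dialog, 'domain', 'Domain');
    drow_text($dialog, 'domaincontroller', 'DomainController');
    drow_text($dialog, 'adspath', 'ADSpath');
    drow_text($dialog, 'filter', 'Filter');
    drow_text($dialog, 'pagesize', 'PageSize');
    drow_checkbox($dialog, 'returnraw', 'ReturnRaw');
    drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell"));
    dbutton_action($dialog, "Run");
    dialog_show($dialog);
}

# Dialog for Set-ADObject; $1 is the beacon id to task.
sub setadobject {
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("PowerView 2.0 Set-ADObject", %(execmethod => "PowerPick", sid => "", name => "", samaccountname => "", domain => "", domaincontroller => "", filter => "", propertyname => "", propertyvalue => "", propertyxorvalue => "", clearvalue => "false", pagesize => ""), lambda({
        pv_run($bid, "Set-ADObject", $3);
    }, $bid => $bid));
    dialog_description($dialog, "Takes a SID, name, or SamAccountName to query for a specified domain object, and then sets a specified 'PropertyName' to a specified 'PropertyValue'");
    drow_text($dialog, 'sid', 'SID');
    drow_text($dialog, 'name', 'Name');
    drow_text($dialog, 'samaccountname', 'SamAccountName');
    drow_text($dialog, 'domain', 'Domain');
    drow_text($dialog, 'domaincontroller', 'DomainController');
    drow_text($dialog, 'filter', 'Filter');
    drow_text($dialog, 'propertyname', 'PropertyName');
    drow_text($dialog, 'propertyvalue', 'PropertyValue');
    drow_text($dialog, 'propertyxorvalue', 'PropertyXorValue');
    drow_text($dialog, 'pagesize', 'PageSize');
    drow_checkbox($dialog, 'clearvalue', 'ClearValue');
    drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell"));
    dbutton_action($dialog, "Run");
    dialog_show($dialog);
}

#-----------------------
#User-Hunting Functions
#-----------------------

# Dialog for Invoke-UserHunter; $1 is the beacon id to task.
sub invokeuserhunter {
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("PowerView 2.0 Invoke-UserHunter", %(execmethod => "PowerPick", computername => "", computerfile => "", computerfilter => "", computeradspath => "", unconstrained => "false", groupname => "", targetserver => "", username => "", userfilter => "", useradspath => "", userfile => "", admincount => "false", allowdelegation => "false", stoponsuccess => "false", noping => "false", checkaccess => "false", delay => "", jitter => "", domain => "", domaincontroller => "", showall => "false", searchforest => "false", stealth => "false", stealthsource => "", foreignusers => "false", threads => "", poll => ""), lambda({
        pv_run($bid, "Invoke-UserHunter", $3);
    }, $bid => $bid));
    dialog_description($dialog, "Finds which machines users of a specified group are logged into");
    drow_text($dialog, 'computername', 'ComputerName');
    drow_text($dialog, 'computerfile', 'ComputerFile');
    drow_text($dialog, 'computerfilter', 'ComputerFilter');
    drow_text($dialog, 'computeradspath', 'ComputerADSpath');
    drow_text($dialog, 'groupname', 'GroupName');
    drow_text($dialog, 'targetserver', 'TargetServer');
    drow_text($dialog, 'username', 'UserName');
    drow_text($dialog, 'userfilter', 'UserFilter');
    drow_text($dialog, 'useradspath', 'UserADSpath');
    drow_text($dialog, 'userfile', 'UserFile');
    drow_text($dialog, 'delay', 'Delay');
    drow_text($dialog, 'jitter', 'Jitter');
    drow_text($dialog, 'domain', 'Domain');
    drow_text($dialog, 'domaincontroller', 'DomainController');
    drow_text($dialog, 'threads', 'Threads');
    drow_text($dialog, 'poll', 'Poll');
    drow_checkbox($dialog, 'unconstrained', 'Unconstrained');
    drow_checkbox($dialog, 'admincount', 'AdminCount');
    drow_checkbox($dialog, 'allowdelegation', 'AllowDelegation');
    drow_checkbox($dialog, 'stoponsuccess', 'StopOnSuccess');
    drow_checkbox($dialog, 'noping', 'NoPing');
    drow_checkbox($dialog, 'checkaccess', 'CheckAccess');
    drow_checkbox($dialog, 'showall', 'ShowAll');
    drow_checkbox($dialog, 'searchforest', 'SearchForest');
    drow_checkbox($dialog, 'stealth', 'Stealth');
    drow_checkbox($dialog, 'foreignusers', 'ForeignUsers');
    drow_combobox($dialog, "stealthsource", "StealthSource: ", @("", "DFS", "DC", "File", "All"));
    drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell"));
    dbutton_action($dialog, "Run");
    dialog_show($dialog);
}

# Dialog for Invoke-StealthUserHunter; $1 is the beacon id to task.
sub invokestealthuserhunter {
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("PowerView 2.0 Invoke-StealthUserHunter", %(execmethod => "PowerPick", computername => "", computerfile => "", computerfilter => "", computeradspath => "", groupname => "", targetserver => "", username => "", userfilter => "", useradspath => "", userfile => "", stoponsuccess => "false", noping => "false", checkaccess => "false", delay => "", jitter => "", domain => "", showall => "false", searchforest => "false", stealthsource => ""), lambda({
        pv_run($bid, "Invoke-StealthUserHunter", $3);
    }, $bid => $bid));
    dialog_description($dialog, "Invoke-UserHunter...but stealth");
    drow_text($dialog, 'computername', 'ComputerName');
    drow_text($dialog, 'computerfile', 'ComputerFile');
    drow_text($dialog, 'computerfilter', 'ComputerFilter');
    drow_text($dialog, 'computeradspath', 'ComputerADSpath');
    drow_text($dialog, 'groupname', 'GroupName');
    drow_text($dialog, 'targetserver', 'TargetServer');
    drow_text($dialog, 'username', 'UserName');
    drow_text($dialog, 'userfilter', 'UserFilter');
    drow_text($dialog, 'useradspath', 'UserADSpath');
    drow_text($dialog, 'userfile', 'UserFile');
    drow_text($dialog, 'delay', 'Delay');
    drow_text($dialog, 'jitter', 'Jitter');
    drow_text($dialog, 'domain', 'Domain');
    drow_checkbox($dialog, 'stoponsuccess', 'StopOnSuccess');
    drow_checkbox($dialog, 'noping', 'NoPing');
    drow_checkbox($dialog, 'checkaccess', 'CheckAccess');
    drow_checkbox($dialog, 'showall', 'ShowAll');
    drow_checkbox($dialog, 'searchforest', 'SearchForest');
    drow_combobox($dialog, "stealthsource", "StealthSource: ", @("", "DFS", "DC", "File", "All"));
    drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell"));
    dbutton_action($dialog, "Run");
    dialog_show($dialog);
}

# Dialog for Invoke-ProcessHunter; $1 is the beacon id to task.
sub invokeprocesshunter {
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("PowerView 2.0 Invoke-ProcessHunter", %(execmethod => "PowerPick", computername => "", computerfile => "", computerfilter => "", computeradspath => "", processname => "", groupname => "", targetserver => "", username => "", userfilter => "", useradspath => "", userfile => "", stoponsuccess => "false", noping => "false", delay => "", jitter => "", domain => "", domaincontroller => "", showall => "false", searchforest => "false", threads => ""), lambda({
        pv_run($bid, "Invoke-ProcessHunter", $3);
    }, $bid => $bid));
    dialog_description($dialog, "Query the process lists of remote machines, searching for processes with a specific name or owned by a specific user");
    drow_text($dialog, 'computername', 'ComputerName');
    drow_text($dialog, 'computerfile', 'ComputerFile');
    drow_text($dialog, 'computerfilter', 'ComputerFilter');
    drow_text($dialog, 'computeradspath', 'ComputerADSpath');
    drow_text($dialog, 'processname', 'ProcessName');
    drow_text($dialog, 'groupname', 'GroupName');
    drow_text($dialog, 'targetserver', 'TargetServer');
    drow_text($dialog, 'username', 'UserName');
    drow_text($dialog, 'userfilter', 'UserFilter');
    drow_text($dialog, 'useradspath', 'UserADSpath');
    drow_text($dialog, 'userfile', 'UserFile');
    drow_text($dialog, 'delay', 'Delay');
    drow_text($dialog, 'jitter', 'Jitter');
    drow_text($dialog, 'domain', 'Domain');
    drow_text($dialog, 'domaincontroller', 'DomainController');
    drow_text($dialog, 'threads', 'Threads');
    drow_checkbox($dialog, 'stoponsuccess', 'StopOnSuccess');
    drow_checkbox($dialog, 'noping', 'NoPing');
    drow_checkbox($dialog, 'showall', 'ShowAll');
    drow_checkbox($dialog, 'searchforest', 'SearchForest');
    drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell"));
    dbutton_action($dialog, "Run");
    dialog_show($dialog);
}

#--------------
#GPO functions
#--------------

# Dialog for Get-GptTmpl; $1 is the beacon id to task.
sub getgpttmpl {
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("PowerView 2.0 Get-GptTmpl", %(execmethod => "PowerPick", gpttmplpath => "", usepsdrive => "false"), lambda({
        pv_run($bid, "Get-GptTmpl", $3);
    }, $bid => $bid));
    dialog_description($dialog, "Helper to parse a GptTmpl.inf policy file path into a custom object");
    drow_text($dialog, 'gpttmplpath', 'GptTmplPath');
    drow_checkbox($dialog, 'usepsdrive', 'UsePSDrive');
    drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell"));
    dbutton_action($dialog, "Run");
    dialog_show($dialog);
}

# Dialog for Get-NetGPO; $1 is the beacon id to task.
sub getnetgpo {
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("PowerView 2.0 Get-NetGPO", %(execmethod => "PowerPick", gponame => "", displayname => "", computername => "", domain => "", domaincontroller => "", adspath => "", pagesize => ""), lambda({
        pv_run($bid, "Get-NetGPO", $3);
    }, $bid => $bid));
    dialog_description($dialog, "Gets a list of all current GPOs in a domain");
    drow_text($dialog, 'gponame', 'GPOname');
    drow_text($dialog, 'displayname', 'DisplayName');
    drow_text($dialog, 'computername', 'ComputerName');
    drow_text($dialog, 'domain', 'Domain');
    drow_text($dialog, 'domaincontroller', 'DomainController');
    drow_text($dialog, 'adspath', 'ADSpath');
    drow_text($dialog, 'pagesize', 'PageSize');
    drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell"));
    dbutton_action($dialog, "Run");
    dialog_show($dialog);
}

# Dialog for Get-NetGPOGroup; $1 is the beacon id to task.
sub getnetgpogroup {
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("PowerView 2.0 Get-NetGPOGroup", %(execmethod => "PowerPick", gponame => "", displayname => "", domain => "", domaincontroller => "", adspath => "", resolvemembersids => "false", usepsdrive => "false", pagesize => ""), lambda({
        pv_run($bid, "Get-NetGPOGroup", $3);
    }, $bid => $bid));
    dialog_description($dialog, "Returns all GPOs in a domain that set 'Restricted Groups' or use groups.xml on target machines");
    drow_text($dialog, 'gponame', 'GPOname');
    drow_text($dialog, 'displayname', 'DisplayName');
    drow_text($dialog, 'domain', 'Domain');
    drow_text($dialog, 'domaincontroller', 'DomainController');
    drow_text($dialog, 'adspath', 'ADSpath');
    drow_text($dialog, 'pagesize', 'PageSize');
    drow_checkbox($dialog, 'resolvemembersids', 'ResolveMemberSIDs');
    drow_checkbox($dialog, 'usepsdrive', 'UsePSDrive');
    drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell"));
    dbutton_action($dialog, "Run");
    dialog_show($dialog);
}

# Dialog for Find-GPOLocation; $1 is the beacon id to task.
# The default key was misspelled "uspsdrive" while the checkbox row is
# "usepsdrive"; the default now matches the row it belongs to.
sub findgpolocation {
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("PowerView 2.0 Find-GPOLocation", %(execmethod => "PowerPick", username => "", groupname => "", domain => "", domaincontroller => "", localgroup => "", usepsdrive => "false", pagesize => ""), lambda({
        pv_run($bid, "Find-GPOLocation", $3);
    }, $bid => $bid));
    dialog_description($dialog, "Enumerates the machines where a specific user/group is a member of a specific local group, all through GPO correlation");
    drow_text($dialog, 'username', 'UserName');
    drow_text($dialog, 'groupname', 'GroupName');
    drow_text($dialog, 'domain', 'Domain');
    drow_text($dialog, 'domaincontroller', 'DomainController');
    drow_text($dialog, 'localgroup', 'LocalGroup');
    drow_text($dialog, 'pagesize', 'PageSize');
    drow_checkbox($dialog, 'usepsdrive', 'UsePSDrive');
    drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell"));
    dbutton_action($dialog, "Run");
    dialog_show($dialog);
}

# Dialog for Find-GPOComputerAdmin; $1 is the beacon id to task.
sub findgpocomputeradmin {
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("PowerView 2.0 Find-GPOComputerAdmin", %(execmethod => "PowerPick", computername => "", ouname => "", domain => "", domaincontroller => "", recurse => "false", localgroup => "", usepsdrive => "false", pagesize => ""), lambda({
        pv_run($bid, "Find-GPOComputerAdmin", $3);
    }, $bid => $bid));
    dialog_description($dialog, "Takes a computer (or GPO) object and determines what users/groups are in the specified local group for the machine");
    drow_text($dialog, 'computername', 'ComputerName');
    drow_text($dialog, 'ouname', 'OUName');
    drow_text($dialog, 'domain', 'Domain');
    drow_text($dialog, 'domaincontroller', 'DomainController');
    drow_text($dialog, 'localgroup', 'LocalGroup');
    drow_text($dialog, 'pagesize', 'PageSize');
    drow_checkbox($dialog, 'recurse', 'Recurse');
    drow_checkbox($dialog, 'usepsdrive', 'UsePSDrive');
    drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell"));
    dbutton_action($dialog, "Run");
    dialog_show($dialog);
}

# Dialog for Get-DomainPolicy; $1 is the beacon id to task.
sub getdomainpolicy {
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("PowerView 2.0 Get-DomainPolicy", %(execmethod => "PowerPick", source => "", domain => "", domaincontroller => "", resolvesids => "false", usepsdrive => "false"), lambda({
        pv_run($bid, "Get-DomainPolicy", $3);
    }, $bid => $bid));
    dialog_description($dialog, "Returns the default domain or DC policy for a given domain or domain controller");
    drow_text($dialog, 'source', 'Source');
    drow_text($dialog, 'domain', 'Domain');
    drow_text($dialog, 'domaincontroller', 'DomainController');
    drow_checkbox($dialog, 'resolvesids', 'ResolveSids');
    drow_checkbox($dialog, 'usepsdrive', 'UsePSDrive');
    drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell"));
    dbutton_action($dialog, "Run");
    dialog_show($dialog);
}

#-----------------------
#Domain Trust Functions
#-----------------------

# Dialog for Get-NetDomainTrust; $1 is the beacon id to task.
sub getnetdomaintrust {
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("PowerView 2.0 Get-NetDomainTrust", %(execmethod => "PowerPick", domain => "", domaincontroller => "", adspath => "", api => "false", ldap => "false", pagesize => ""), lambda({
        pv_run($bid, "Get-NetDomainTrust", $3);
    }, $bid => $bid));
    dialog_description($dialog, "Return all domain trusts for the current domain or a specified domain");
    drow_text($dialog, 'domain', 'Domain');
    drow_text($dialog, 'domaincontroller', 'DomainController');
    drow_text($dialog, 'adspath', 'ADSpath');
    drow_text($dialog, 'pagesize', 'PageSize');
    drow_checkbox($dialog, 'api', 'API');
    drow_checkbox($dialog, 'ldap', 'LDAP');
    drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell"));
    dbutton_action($dialog, "Run");
    dialog_show($dialog);
}

# Dialog for Get-NetForestTrust; $1 is the beacon id to task.
sub getnetforesttrust {
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("PowerView 2.0 Get-NetForestTrust", %(execmethod => "PowerPick", forest => ""), lambda({
        pv_run($bid, "Get-NetForestTrust", $3);
    }, $bid => $bid));
    dialog_description($dialog, "Return all trusts for the current forest");
    drow_text($dialog, 'forest', 'Forest');
    drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell"));
    dbutton_action($dialog, "Run");
    dialog_show($dialog);
}

# Dialog for Find-ForeignUser; $1 is the beacon id to task.
sub findforeignuser {
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("PowerView 2.0 Find-ForeignUser", %(execmethod => "PowerPick", username => "", domain => "", domaincontroller => "", ldap => "false", recurse => "false", pagesize => ""), lambda({
        pv_run($bid, "Find-ForeignUser", $3);
    }, $bid => $bid));
    dialog_description($dialog, "Enumerates users who are in groups outside of their principal domain. The -Recurse option will try to map all transitive domain trust relationships and enumerate all users who are in groups outside of their principal domain");
    drow_text($dialog, 'username', 'UserName');
    drow_text($dialog, 'domain', 'Domain');
    drow_text($dialog, 'domaincontroller', 'DomainController');
    drow_text($dialog, 'pagesize', 'PageSize');
    drow_checkbox($dialog, 'recurse', 'Recurse');
    drow_checkbox($dialog, 'ldap', 'LDAP');
    drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell"));
    dbutton_action($dialog, "Run");
    dialog_show($dialog);
}

# Dialog for Find-ForeignGroup; $1 is the beacon id to task.
sub findforeigngroup {
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("PowerView 2.0 Find-ForeignGroup", %(execmethod => "PowerPick", groupname => "", domain => "", domaincontroller => "", ldap => "false", recurse => "false", pagesize => ""), lambda({
        pv_run($bid, "Find-ForeignGroup", $3);
    }, $bid => $bid));
    dialog_description($dialog, "Enumerates all the members of a given domain's groups and finds users that are not in the queried domain. The -Recurse flag will perform this enumeration for all reachable domain trusts");
    drow_text($dialog, 'groupname', 'GroupName');
    drow_text($dialog, 'domain', 'Domain');
    drow_text($dialog, 'domaincontroller', 'DomainController');
    drow_text($dialog, 'pagesize', 'PageSize');
    drow_checkbox($dialog, 'recurse', 'Recurse');
    drow_checkbox($dialog, 'ldap', 'LDAP');
    drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell"));
    dbutton_action($dialog, "Run");
    dialog_show($dialog);
}

# Dialog for Invoke-MapDomainTrust; $1 is the beacon id to task.
sub invokemapdomaintrust {
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("PowerView 2.0 Invoke-MapDomainTrust", %(execmethod => "PowerPick", ldap => "false", domaincontroller => "", pagesize => ""), lambda({
        pv_run($bid, "Invoke-MapDomainTrust", $3);
    }, $bid => $bid));
    dialog_description($dialog, "This function gets all trusts for the current domain, and tries to get all trusts for each domain it finds");
    drow_text($dialog, 'domaincontroller', 'DomainController');
    drow_text($dialog, 'pagesize', 'PageSize');
    drow_checkbox($dialog, 'ldap', 'LDAP');
    drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell"));
    dbutton_action($dialog, "Run");
    dialog_show($dialog);
}

#--------------
#MetaFunctions
#--------------

# Dialog for Invoke-ShareFinder; $1 is the beacon id to task.
sub invokesharefinder {
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("PowerView 2.0 Invoke-ShareFinder", %(execmethod => "PowerPick", computername => "", computerfile => "", computerfilter => "", computeradspath => "", excludestandard => "false", excludeprint => "false", excludeipc => "false", checkshareaccess => "false", checkadmin => "false", noping => "false", delay => "", jitter => "", domain => "", domaincontroller => "", searchforest => "false", threads => ""), lambda({
        pv_run($bid, "Invoke-ShareFinder", $3);
    }, $bid => $bid));
    dialog_description($dialog, "This function finds the local domain name for a host using Get-NetDomain, queries the domain for all active machines with Get-NetComputer, then for each server it lists of active shares with Get-NetShare. Non-standard shares can be filtered out with -Exclude* flags");
    drow_text($dialog, 'computername', 'ComputerName');
    drow_text($dialog, 'computerfile', 'ComputerFile');
    drow_text($dialog, 'computerfilter', 'ComputerFilter');
    drow_text($dialog, 'computeradspath', 'ComputerADSpath');
    drow_text($dialog, 'delay', 'Delay');
    drow_text($dialog, 'jitter', 'Jitter');
    drow_text($dialog, 'domain', 'Domain');
    drow_text($dialog, 'domaincontroller', 'DomainController');
    drow_text($dialog, 'threads', 'Threads');
    drow_checkbox($dialog, 'excludestandard', 'ExcludeStandard');
    drow_checkbox($dialog, 'excludeprint', 'ExcludePrint');
    drow_checkbox($dialog, 'excludeipc', 'ExcludeIPC');
    drow_checkbox($dialog, 'checkshareaccess', 'CheckShareAccess');
    drow_checkbox($dialog, 'checkadmin', 'CheckAdmin');
    drow_checkbox($dialog, 'noping', 'NoPing');
    drow_checkbox($dialog, 'searchforest', 'SearchForest');
    drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell"));
    dbutton_action($dialog, "Run");
    dialog_show($dialog);
}
2422 | sub invokefilefinder{ 2423 | $bid = $1; 2424 | $cmdargs = ""; 2425 | $dialog = dialog("PowerView 2.0 Invoke-FileFinder", %(execmethod => "PowerPick", computername => "", computerfile => "", computerfilter => "", computeradspath => "", sharelist => "", terms => "", officedocs => "false", freshexes => "false", lastaccesstime => "", lastwritetime => "", creationtime => "", includedc => "false", includeadmin => "false", excludefolders => "false", excludehidden => "false", checkwriteaccess => "false", outfile => "", noclobber => "false", noping => "false", delay => "", jitter => "", domain => "", domaincontroller => "", searchforest => "false", searchsysvol => "false", threads => "", uspsdrive => "false"), lambda({ 2426 | foreach $key => $value ($3){ 2427 | if ($value ne "" && $value ne "false" && $value ne "true" && 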
$key ne "execmethod"){ 2428 | $cmdargs .= ' -'; 2429 | $cmdargs .= $key; 2430 | $cmdargs .= ' '; 2431 | $cmdargs .= $value; 2432 | } 2433 | else if ($value eq "true"){ 2434 | $cmdargs .= ' -'; 2435 | $cmdargs .= $key; 2436 | } 2437 | } 2438 | if($3["execmethod"] eq "PowerPick"){ 2439 | btask($bid, 'Executing PowerView Invoke-FileFinder via PowerPick'); 2440 | bpowerpick($bid, 'Invoke-FileFinder'.$cmdargs.''); 2441 | } 2442 | else if ($3["execmethod"] eq "PowerShell"){ 2443 | btask($bid, 'Executing PowerView Invoke-FileFinder via PowerShell'); 2444 | bpowershell($bid, 'Invoke-FileFinder'.$cmdargs.''); 2445 | } 2446 | })); 2447 | dialog_description($dialog, "Finds sensitive files on the domain"); 2448 | drow_text($dialog, 'computername', 'ComputerName'); 2449 | drow_text($dialog, 'computerfile', 'ComputerFile'); 2450 | drow_text($dialog, 'computerfilter', 'ComputerFilter'); 2451 | drow_text($dialog, 'computeradspath', 'ComputerADSpath'); 2452 | drow_text($dialog, 'sharelist', 'ShareList'); 2453 | drow_text($dialog, 'terms', 'Terms'); 2454 | drow_text($dialog, 'lastaccesstime', 'LastAccessTime'); 2455 | drow_text($dialog, 'lastwritetime', 'LastWriteTime'); 2456 | drow_text($dialog, 'creationtime', 'CreationTime'); 2457 | drow_text($dialog, 'outfile', 'OutFile'); 2458 | drow_text($dialog, 'delay', 'Delay'); 2459 | drow_text($dialog, 'jitter', 'Jitter'); 2460 | drow_text($dialog, 'domain', 'Domain'); 2461 | drow_text($dialog, 'domaincontroller', 'DomainController'); 2462 | drow_text($dialog, 'threads', 'Threads'); 2463 | drow_checkbox($dialog, 'officedocs', 'OfficeDocs'); 2464 | drow_checkbox($dialog, 'freshexes', 'FreshEXEs'); 2465 | drow_checkbox($dialog, 'includedc', 'IncludeDC'); 2466 | drow_checkbox($dialog, 'includeadmin', 'IncludeAdmin'); 2467 | drow_checkbox($dialog, 'excludefolders', 'ExcludeFolders'); 2468 | drow_checkbox($dialog, 'excludehidden', 'ExcludeHidden'); 2469 | drow_checkbox($dialog, 'checkwriteaccess', 'CheckWriteAccess'); 2470 | 
drow_checkbox($dialog, 'noclobber', 'NoClobber'); 2471 | drow_checkbox($dialog, 'noping', 'NoPing'); 2472 | drow_checkbox($dialog, 'searchforest', 'SearchForest'); 2473 | drow_checkbox($dialog, 'searchsysvol', 'SearchSYSVOL'); 2474 | drow_checkbox($dialog, 'uspsdrive', 'UsePSDrive'); 2475 | drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 2476 | dbutton_action($dialog, "Run"); 2477 | dialog_show($dialog); 2478 | } 2479 | sub findlocaladminaccess{ 2480 | $bid = $1; 2481 | $cmdargs = ""; 2482 | $dialog = dialog("PowerView 2.0 Find-LocalAdminAccess", %(execmethod => "PowerPick", computername => "", computerfile => "", computerfilter => "", computeradspath => "", noping => "false", delay => "", jitter => "", domain => "", domaincontroller => "", searchforest => "false", threads => ""), lambda({ 2483 | foreach $key => $value ($3){ 2484 | if ($value ne "" && $value ne "false" && $value ne "true" && $key ne "execmethod"){ 2485 | $cmdargs .= ' -'; 2486 | $cmdargs .= $key; 2487 | $cmdargs .= ' '; 2488 | $cmdargs .= $value; 2489 | } 2490 | else if ($value eq "true"){ 2491 | $cmdargs .= ' -'; 2492 | $cmdargs .= $key; 2493 | } 2494 | } 2495 | if($3["execmethod"] eq "PowerPick"){ 2496 | btask($bid, 'Executing PowerView Find-LocalAdminAccess via PowerPick'); 2497 | bpowerpick($bid, 'Find-LocalAdminAccess'.$cmdargs.''); 2498 | } 2499 | else if ($3["execmethod"] eq "PowerShell"){ 2500 | btask($bid, 'Executing PowerView Find-LocalAdminAccess via PowerShell'); 2501 | bpowershell($bid, 'Find-LocalAdminAccess'.$cmdargs.''); 2502 | } 2503 | })); 2504 | dialog_description($dialog, "Finds machines on the local domain where the current user has local administrator access. 
Uses multithreading to speed up enumeration"); 2505 | drow_text($dialog, 'computername', 'ComputerName'); 2506 | drow_text($dialog, 'computerfile', 'ComputerFile'); 2507 | drow_text($dialog, 'computerfilter', 'ComputerFilter'); 2508 | drow_text($dialog, 'computeradspath', 'ComputerADSpath'); 2509 | drow_text($dialog, 'delay', 'Delay'); 2510 | drow_text($dialog, 'jitter', 'Jitter'); 2511 | drow_text($dialog, 'domain', 'Domain'); 2512 | drow_text($dialog, 'domaincontroller', 'DomainController'); 2513 | drow_text($dialog, 'threads', 'Threads'); 2514 | drow_checkbox($dialog, 'noping', 'NoPing'); 2515 | drow_checkbox($dialog, 'searchforest', 'SearchForest'); 2516 | drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 2517 | dbutton_action($dialog, "Run"); 2518 | dialog_show($dialog); 2519 | } 2520 | sub findmanagedsecuritygroups{ 2521 | $bid = $1; 2522 | $cmdargs = ""; 2523 | $dialog = dialog("PowerView 2.0 Find-ManagedSecurityGroups", %(execmethod => "PowerPick"), lambda({ 2524 | if($3["execmethod"] eq "PowerPick"){ 2525 | btask($bid, 'Executing PowerView Find-ManagedSecurityGroups via PowerPick'); 2526 | bpowerpick($bid, 'Find-ManagedSecurityGroups'.$cmdargs.''); 2527 | } 2528 | else if ($3["execmethod"] eq "PowerShell"){ 2529 | btask($bid, 'Executing PowerView Find-ManagedSecurityGroups via PowerShell'); 2530 | bpowershell($bid, 'Find-ManagedSecurityGroups'.$cmdargs.''); 2531 | } 2532 | })); 2533 | dialog_description($dialog, "This function retrieves all security groups in the domain and identifies ones that have a manager set. 
It also determines whether the manager has the ability to add or remove members from the group"); 2534 | drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 2535 | dbutton_action($dialog, "Run"); 2536 | dialog_show($dialog); 2537 | } 2538 | sub finduserfield{ 2539 | $bid = $1; 2540 | $cmdargs = ""; 2541 | $dialog = dialog("PowerView 2.0 Find-UserField", %(execmethod => "PowerPick", searchterm => "", searchfield => "", adspath => "", domain => "", domaincontroller => "", pagesize => ""), lambda({ 2542 | foreach $key => $value ($3){ 2543 | if ($value ne "" && $value ne "false" && $value ne "true" && $key ne "execmethod"){ 2544 | $cmdargs .= ' -'; 2545 | $cmdargs .= $key; 2546 | $cmdargs .= ' '; 2547 | $cmdargs .= $value; 2548 | } 2549 | else if ($value eq "true"){ 2550 | $cmdargs .= ' -'; 2551 | $cmdargs .= $key; 2552 | } 2553 | } 2554 | if($3["execmethod"] eq "PowerPick"){ 2555 | btask($bid, 'Executing PowerView Find-UserField via PowerPick'); 2556 | bpowerpick($bid, 'Find-UserField'.$cmdargs.''); 2557 | } 2558 | else if ($3["execmethod"] eq "PowerShell"){ 2559 | btask($bid, 'Executing PowerView Find-UserField via PowerShell'); 2560 | bpowershell($bid, 'Find-UserField'.$cmdargs.''); 2561 | } 2562 | })); 2563 | dialog_description($dialog, "Searches user object fields for a given word (default *pass*). 
Default field being searched is 'description'"); 2564 | drow_text($dialog, 'searchterm', 'SearchTerm'); 2565 | drow_text($dialog, 'searchfield', 'SearchField'); 2566 | drow_text($dialog, 'adspath', 'ADSpath'); 2567 | drow_text($dialog, 'domain', 'Domain'); 2568 | drow_text($dialog, 'domaincontroller', 'DomainController'); 2569 | drow_text($dialog, 'pagesize', 'PageSize'); 2570 | drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 2571 | dbutton_action($dialog, "Run"); 2572 | dialog_show($dialog); 2573 | } 2574 | sub findcomputerfield{ 2575 | $bid = $1; 2576 | $cmdargs = ""; 2577 | $dialog = dialog("PowerView 2.0 Find-ComputerField", %(execmethod => "PowerPick", searchterm => "", searchfield => "", adspath => "", domain => "", domaincontroller => "", pagesize => ""), lambda({ 2578 | foreach $key => $value ($3){ 2579 | if ($value ne "" && $value ne "false" && $value ne "true" && $key ne "execmethod"){ 2580 | $cmdargs .= ' -'; 2581 | $cmdargs .= $key; 2582 | $cmdargs .= ' '; 2583 | $cmdargs .= $value; 2584 | } 2585 | else if ($value eq "true"){ 2586 | $cmdargs .= ' -'; 2587 | $cmdargs .= $key; 2588 | } 2589 | } 2590 | if($3["execmethod"] eq "PowerPick"){ 2591 | btask($bid, 'Executing PowerView Find-ComputerField via PowerPick'); 2592 | bpowerpick($bid, 'Find-ComputerField'.$cmdargs.''); 2593 | } 2594 | else if ($3["execmethod"] eq "PowerShell"){ 2595 | btask($bid, 'Executing PowerView Find-ComputerField via PowerShell'); 2596 | bpowershell($bid, 'Find-ComputerField'.$cmdargs.''); 2597 | } 2598 | })); 2599 | dialog_description($dialog, "Searches computer object fields for a given word (default *pass*). 
Default field being searched is 'description'"); 2600 | drow_text($dialog, 'searchterm', 'SearchTerm'); 2601 | drow_text($dialog, 'searchfield', 'SearchField'); 2602 | drow_text($dialog, 'adspath', 'ADSpath'); 2603 | drow_text($dialog, 'domain', 'Domain'); 2604 | drow_text($dialog, 'domaincontroller', 'DomainController'); 2605 | drow_text($dialog, 'pagesize', 'PageSize'); 2606 | drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 2607 | dbutton_action($dialog, "Run"); 2608 | dialog_show($dialog); 2609 | } 2610 | sub getexploitablesystem{ 2611 | $bid = $1; 2612 | $cmdargs = ""; 2613 | $dialog = dialog("PowerView 2.0 Get-ExploitableSystem", %(execmethod => "PowerPick", computername => "", spn => "", operatingsystem => "", servicepack => "", filter => "", ping => "false", domain => "", domaincontroller => "", adspath => "", unconstrained => "false", pagesize => ""), lambda({ 2614 | foreach $key => $value ($3){ 2615 | if ($value ne "" && $value ne "false" && $value ne "true" && $key ne "execmethod"){ 2616 | $cmdargs .= ' -'; 2617 | $cmdargs .= $key; 2618 | $cmdargs .= ' '; 2619 | $cmdargs .= $value; 2620 | } 2621 | else if ($value eq "true"){ 2622 | $cmdargs .= ' -'; 2623 | $cmdargs .= $key; 2624 | } 2625 | } 2626 | if($3["execmethod"] eq "PowerPick"){ 2627 | btask($bid, 'Executing PowerView Get-ExploitableSystem via PowerPick'); 2628 | bpowerpick($bid, 'Get-ExploitableSystem'.$cmdargs.''); 2629 | } 2630 | else if ($3["execmethod"] eq "PowerShell"){ 2631 | btask($bid, 'Executing PowerView Get-ExploitableSystem via PowerShell'); 2632 | bpowershell($bid, 'Get-ExploitableSystem'.$cmdargs.''); 2633 | } 2634 | })); 2635 | dialog_description($dialog, "This module will query Active Directory for the hostname, OS version, and service pack level for each computer account. 
That information is then cross-referenced against a list of common Metasploit exploits that can be used during penetration testing"); 2636 | drow_text($dialog, 'computername', 'ComputerName'); 2637 | drow_text($dialog, 'spn', 'SPN'); 2638 | drow_text($dialog, 'operatingsystem', 'OperatingSystem'); 2639 | drow_text($dialog, 'servicepack', 'ServicePack'); 2640 | drow_text($dialog, 'filter', 'Filter'); 2641 | drow_text($dialog, 'domain', 'Domain'); 2642 | drow_text($dialog, 'domaincontroller', 'DomainController'); 2643 | drow_text($dialog, 'adspath', 'ADSpath'); 2644 | drow_text($dialog, 'pagesize', 'PageSize'); 2645 | drow_checkbox($dialog, 'ping', 'Ping'); 2646 | drow_checkbox($dialog, 'unconstrained', 'Unconstrained'); 2647 | drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 2648 | dbutton_action($dialog, "Run"); 2649 | dialog_show($dialog); 2650 | } 2651 | sub invokeenumeratelocaladmin{ 2652 | $bid = $1; 2653 | $cmdargs = ""; 2654 | $dialog = dialog("PowerView 2.0 Invoke-EnumerateLocalAdmin", %(execmethod => "PowerPick", computername => "", computerfile => "", computerfilter => "", computeradspath => "", noping => "false", delay => "", jitter => "", outfile => "", noclobber => "false", trustgroups => "false", domainonly => "false", domain => "", domaincontroller => "", searchforest => "false", api => "false", threads => "false"), lambda({ 2655 | foreach $key => $value ($3){ 2656 | if ($value ne "" && $value ne "false" && $value ne "true" && $key ne "execmethod"){ 2657 | $cmdargs .= ' -'; 2658 | $cmdargs .= $key; 2659 | $cmdargs .= ' '; 2660 | $cmdargs .= $value; 2661 | } 2662 | else if ($value eq "true"){ 2663 | $cmdargs .= ' -'; 2664 | $cmdargs .= $key; 2665 | } 2666 | } 2667 | if($3["execmethod"] eq "PowerPick"){ 2668 | btask($bid, 'Executing PowerView Invoke-EnumerateLocalAdmin via PowerPick'); 2669 | bpowerpick($bid, 'Invoke-EnumerateLocalAdmin'.$cmdargs.''); 2670 | } 2671 | else if ($3["execmethod"] eq "PowerShell"){ 2672 | 
btask($bid, 'Executing PowerView Invoke-EnumerateLocalAdmin via PowerShell'); 2673 | bpowershell($bid, 'Invoke-EnumerateLocalAdmin'.$cmdargs.''); 2674 | } 2675 | })); 2676 | dialog_description($dialog, "This function queries the domain for all active machines with Get-NetComputer, then for each server it queries the local Administrators with Get-NetLocalGroup"); 2677 | drow_text($dialog, 'computername', 'ComputerName'); 2678 | drow_text($dialog, 'computerfile', 'ComputerFile'); 2679 | drow_text($dialog, 'computerfilter', 'ComputerFilter'); 2680 | drow_text($dialog, 'computeradspath', 'ComputerADSpath'); 2681 | drow_text($dialog, 'delay', 'Delay'); 2682 | drow_text($dialog, 'jitter', 'Jitter'); 2683 | drow_text($dialog, 'outfile', 'Outfile'); 2684 | drow_text($dialog, 'domain', 'Domain'); 2685 | drow_text($dialog, 'domaincontroller', 'DomainController'); 2686 | drow_text($dialog, 'threads', 'Threads'); 2687 | drow_checkbox($dialog, 'noping', 'NoPing'); 2688 | drow_checkbox($dialog, 'trustgroups', 'TrustGroups'); 2689 | drow_checkbox($dialog, 'domainonly', 'DomainOnly'); 2690 | drow_checkbox($dialog, 'noclobber', 'NoClobber'); 2691 | drow_checkbox($dialog, 'searchforest', 'SearchForest'); 2692 | drow_checkbox($dialog, 'api', 'API'); 2693 | drow_combobox($dialog, "execmethod", "Exec Method ", @("PowerPick", "PowerShell")); 2694 | dbutton_action($dialog, "Run"); 2695 | dialog_show($dialog); 2696 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | ## PowerView Aggressor Script for CobaltStrike 3 | 4 | ### A user menu for [@harmjoy's](https://twitter.com/harmj0y)[PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1) 5 | 6 | All functions listed in the PowerView about page are included in this with all arguments for each function. 
![powerview1](https://user-images.githubusercontent.com/9096315/37743976-0314a426-2d2a-11e8-8b50-45810220aeb4.png)

![powerview2](https://user-images.githubusercontent.com/9096315/37744041-5d39677a-2d2a-11e8-9a04-bec49a40b165.png)


Each function lets the user choose whether to use PowerPick or PowerShell inside the CS beacon.

![powerview3](https://user-images.githubusercontent.com/9096315/37744061-7a324810-2d2a-11e8-8647-43a73d50f740.png)


The script does not run powershell-import for PowerView automatically; you must do that manually first.

Please note that this requires PowerView 2.0 (master), not 3.0 (the current dev branch).
--------------------------------------------------------------------------------