author | bitform <matt@exploit-monday.com> | 2013-01-20 21:40:02 -0500 |
committer | bitform <matt@exploit-monday.com> | 2013-01-20 21:40:02 -0500 |
commit | 46aead39c6f8d04b00b3c3f2aad10b7948aa003f (patch) | |
tree | b788d892b5029140aeb394d4f3df744712c643d6 | |
parent | 03f34b1c1a118fb6c9e9df5168c8a5bc9bea793b (diff) | |
download | PowerSploit-46aead39c6f8d04b00b3c3f2aad10b7948aa003f.tar.gz PowerSploit-46aead39c6f8d04b00b3c3f2aad10b7948aa003f.zip |
PowerSploit is now a respectable module!
PowerSploit just got a complete makeover! It is now comprised of a
collection of modules grouped by category.
-rw-r--r-- | PowerSploit.psd1 | 95 | ||||
-rw-r--r-- | PowerSploit.psm1 | 1 | ||||
-rw-r--r-- | README.md | 85 |
3 files changed, 150 insertions, 31 deletions
diff --git a/PowerSploit.psd1 b/PowerSploit.psd1
new file mode 100644
index 0000000..2699086
--- /dev/null
+++ b/PowerSploit.psd1
@@ -0,0 +1,95 @@
+@{
+
+# Script module or binary module file associated with this manifest.
+ModuleToProcess = 'PowerSploit.psm1'
+
+# Version number of this module.
+ModuleVersion = '1.0.0.0'
+
+# ID used to uniquely identify this module
+GUID = '6753b496-d842-40a3-924a-0f09e248640c'
+
+# Author of this module
+Author = 'Matthew Graeber'
+
+# Company or vendor of this module
+CompanyName = ''
+
+# Copyright statement for this module
+Copyright = 'BSD 3-Clause'
+
+# Description of the functionality provided by this module
+Description = 'PowerSploit Root Module'
+
+# Minimum version of the Windows PowerShell engine required by this module
+PowerShellVersion = '2.0'
+
+# Name of the Windows PowerShell host required by this module
+# PowerShellHostName = ''
+
+# Minimum version of the Windows PowerShell host required by this module
+# PowerShellHostVersion = ''
+
+# Minimum version of the .NET Framework required by this module
+# DotNetFrameworkVersion = ''
+
+# Minimum version of the common language runtime (CLR) required by this module
+# CLRVersion = ''
+
+# Processor architecture (None, X86, Amd64) required by this module
+# ProcessorArchitecture = ''
+
+# Modules that must be imported into the global environment prior to importing this module
+# RequiredModules = @()
+
+# Assemblies that must be loaded prior to importing this module
+# RequiredAssemblies = @()
+
+# Script files (.ps1) that are run in the caller's environment prior to importing this module.
+# ScriptsToProcess = ''
+
+# Type files (.ps1xml) to be loaded when importing this module
+# TypesToProcess = @()
+
+# Format files (.ps1xml) to be loaded when importing this module
+# FormatsToProcess = @()
+
+# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
+# NestedModules = @()
+
+# Functions to export from this module
+FunctionsToExport = '*'
+
+# Cmdlets to export from this module
+CmdletsToExport = '*'
+
+# Variables to export from this module
+VariablesToExport = ''
+
+# Aliases to export from this module
+AliasesToExport = ''
+
+# List of all modules packaged with this module.
+ModuleList = @( @{ModuleName = 'PowerSploit'; ModuleVersion = '1.0.0.0'; GUID = '6753b496-d842-40a3-924a-0f09e248640c'},
+ @{ModuleName = 'AntivirusBypass'; ModuleVersion = '1.0.0.0'; GUID = '7cf9de61-2bfc-41b4-a397-9d7cf3a8e66b'},
+ @{ModuleName = 'CodeExecution'; ModuleVersion = '1.0.0.0'; GUID = 'a8a6780b-e694-4aa4-b28d-646afa66733c'},
+ @{ModuleName = 'Exfiltration'; ModuleVersion = '1.0.0.0'; GUID = '75dafa99-1402-4e29-b5d4-6c87da2b323a'},
+ @{ModuleName = 'PETools'; ModuleVersion = '1.0.0.0'; GUID = 'd15059e2-8bd9-47ff-8bcd-b708ff90e402'},
+ @{ModuleName = 'Recon'; ModuleVersion = '1.0.0.0'; GUID = '7e775ad6-cd3d-4a93-b788-da067274c877'},
+ @{ModuleName = 'ReverseEngineering'; ModuleVersion = '1.0.0.0'; GUID = 'cbffaf47-c55a-4901-92e7-8d794fbe1fff'},
+ @{ModuleName = 'ScriptModification'; ModuleVersion = '1.0.0.0'; GUID = 'a4d86266-b39b-437a-b5bb-d6f99aa6e610'}
+ )
+
+# List of all files packaged with this module
+FileList = 'PowerSploit.psd1', 'PowerSploit.psm1'
+
+# Private data to pass to the module specified in RootModule/ModuleToProcess
+# PrivateData = ''
+
+# HelpInfo URI of this module
+# HelpInfoURI = ''
+
+# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
+# DefaultCommandPrefix = ''
+
+}
\ No newline at end of file
diff --git a/PowerSploit.psm1 b/PowerSploit.psm1
new file mode 100644
index 0000000..430c1b8
--- /dev/null
+++ b/PowerSploit.psm1
@@ -0,0 +1 @@
+Get-ChildItem $PSScriptRoot | ? { $_.PSIsContainer } | % { Import-Module $_.FullName }
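Review bot: `Copyright = 'BSD 3-Clause'` places a license name in the manifest's copyright field, which PowerShell reports as the module's copyright statement rather than its license; the license is already named in README and in each script's comment-based help, so the field should carry an actual statement such as `Copyright = '(c) 2013 Matthew Graeber. All rights reserved.'` (example wording). `FunctionsToExport = '*'` and `CmdletsToExport = '*'` export whatever ends up in the root module's session state, including every command pulled in by the category sub-modules, so the exported surface is determined by the directory tree rather than by this manifest; a comment above them should say so, e.g. `# Wildcard: re-exports every command that PowerSploit.psm1 imports from the category sub-modules`. `FileList` names only the two root files although the module ships the category sub-module directories as well, so either extend it or note in its comment that it is informational and not used for loading.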
\ No newline at end of file
@@ -1,30 +1,20 @@
-### PowerSploit is a collection of Microsoft PowerShell modules and scripts that can be used to aid reverse engineers, forensic analysts, and penetration testers during all phases of an assessment. PowerSploit is comprised of the following scripts and modules:
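Review bot: The psm1 one-liner imports every non-hidden subdirectory of the module root unconditionally, so a directory holding no `.psd1`/`.psm1` (a data folder, or anything a user places beside the manifest as the README invites) makes `Import-Module` emit an error every time PowerSploit is loaded, and nothing in the code states which folders are meant to be modules. Filtering on a manifest named after the folder keeps the discovery but drops the stray-directory failure: `Get-ChildItem $PSScriptRoot | ? { $_.PSIsContainer -and (Test-Path (Join-Path $_.FullName "$($_.Name).psd1")) } | % { Import-Module $_.FullName }`. A comment above the line should also record that the category sub-modules are discovered from the directory layout rather than declared in the manifest, since `ModuleList` in PowerSploit.psd1 is informational only and does not load anything.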
+### PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid reverse engineers, forensic analysts, and penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts:
-## Root Directory
+## CodeExecution
-#### `Inject-Dll`
+**Execute code on a target machine.**
-Inject-Dll injects a Dll into the process ID of your choosing.
+#### `Invoke-DllInjection`
-#### `Inject-Shellcode`
+Injects a Dll into the process ID of your choosing.
-Inject-Shellcode injects shellcode into the process ID of your choosing or within PowerShell locally.
+#### `Invoke-Shellcode`
-#### `Find-AVSignature`
-
-Locates single Byte AV signatures utilizing the same method as DSplit from "class101".
-
-#### `Get-GPPPassword`
-
-Get-GPPPassword retrieves the plaintext password for accounts pushed through Group Policy in groups.xml.
-
-#### `Get-TimedScreenshot`
+Injects shellcode into the process ID of your choosing or within PowerShell locally.
-A function that takes screenshots at a regular interval and saves them to a folder.
-
-## .\ScriptModification
+## ScriptModification
-**A PowerShell module used to modify and/or prepare scripts for execution on a compromised machine.**
+**Modify and/or prepare scripts for execution on a compromised machine.**
#### `Out-EncodedCommand`
@@ -42,25 +32,25 @@ Encrypts text files/scripts. Strips comments and extra whitespace from a script.
-## .\PETools
+## PETools
-**A PowerShell module used to parse/manipulate Windows portable executables**
+**Parse/manipulate Windows portable executables.**
#### `Get-PEHeader`
-Get-PEHeader is an in-memory and on-disk PE parsing utility.
+An in-memory and on-disk PE parsing utility.
#### `Get-PEArchitecture`
-Get-PEArchitecture returns the architecture for which an executable was compiled.
+Returns the architecture for which an executable was compiled.
#### `Get-DllLoadPath`
-Get-DllLoadPath returns the path from which Windows will load a Dll for the given executable.
+Returns the path from which Windows will load a Dll for the given executable.
-## .\ReverseEngineering
+## ReverseEngineering
-**Tools to aid in reverse engineering**
+**Tools to aid in reverse engineering.**
#### `Get-PEB`
@@ -90,9 +80,25 @@ Dumps strings from files in both Unicode and Ascii. This cmdlet replicates the f
Get the unmanaged function address of a .NET method.
-## .\Recon
+## AntivirusBypass
+
+**AV doesn't stand a chance against PowerShell!**
+
+#### `Find-AVSignature`
+
+Locates single Byte AV signatures utilizing the same method as DSplit from "class101".
+
+## Exfiltration
-**Tools to aid in the reconnaissance phase of a penetration test**
+**All your data belong to me!**
+
+#### `Get-TimedScreenshot`
+
+A function that takes screenshots at a regular interval and saves them to a folder.
+
+## Recon
+
+**Tools to aid in the reconnaissance phase of a penetration test.**
#### `Get-HttpStatus`
@@ -100,11 +106,15 @@ Returns the HTTP Status Codes and full URL for specified paths when provided wit
#### `Invoke-ReverseDnsLookup`
-Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script is useful for performing DNS reconnaissance prior to conducting an authorized penetration test.
+Scans an IP address range for DNS PTR records. This script is useful for performing DNS reconnaissance prior to conducting an authorized penetration test.
+
+#### `Get-GPPPassword`
-## .\Recon\Dictionaries
+Retrieves the plaintext password for accounts pushed through Group Policy in groups.xml.
-**A collection of dictionaries used to aid in the reconnaissance phase of a penetration test. Dictionaries were taken from the following sources**
+## Recon\Dictionaries
+
+**A collection of dictionaries used to aid in the reconnaissance phase of a penetration test. Dictionaries were taken from the following sources.**
* admin.txt - <http://cirt.net/nikto2/>
* generic.txt - <http://sourceforge.net/projects/yokoso/files/yokoso-0.1/>
@@ -118,6 +128,19 @@ The PowerSploit project and all individual scripts are under the [BSD 3-Clause l
Refer to the comment-based help in each individual script for detailed usage information.
+To install this module, drop the entire PowerSploit folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
+
+The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
+The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
+
+To use the module, type `Import-Module PowerSploit`
+
+To see the commands imported, type `Get-Command -Module PowerSploit`
+
+For help on each individual command, Get-Help is your friend.
+
+Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
+
## Script Style Guide
**For all contributors and future contributors to PowerSploit, I ask that you follow this style guide when writing your scripts/modules.**