authorHarmJ0y <will@harmj0y.net>2016-12-13 16:00:28 -0500
committerHarmJ0y <will@harmj0y.net>2016-12-13 16:00:28 -0500
commitf4f5fb1460a8163e333c9e5462df6d3ab27a53a6 (patch)
treebd0634c64d03a4123578b7dc6bc2cabf5fc6c6b3
parent813eab4a399c00d2632ac06192c861084651de6d (diff)
Added Set-DomainUserPassword to reset a particular user's password.
Reformatted documentation.
-rw-r--r--README.md2
-rwxr-xr-xRecon/PowerView.ps1113
-rw-r--r--Recon/README.md1
-rw-r--r--Recon/Recon.psd11
-rwxr-xr-xdocs/Recon/Set-DomainUserPassword.md127
-rw-r--r--docs/Recon/index.md14
-rw-r--r--docs/index.md223
-rw-r--r--mkdocs.yml1
8 files changed, 298 insertions, 184 deletions
diff --git a/README.md b/README.md
index c348b9e..60ac90f 100644
--- a/README.md
+++ b/README.md
@@ -132,7 +132,7 @@ Displays Windows vault credential objects including cleartext web credentials.
Generates a full-memory minidump of a process.
-#### 'Get-MicrophoneAudio'
+#### `Get-MicrophoneAudio`
Records audio from system microphone and saves to disk
diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1
index 32aa10f..5d404f3 100755
--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
@@ -4894,6 +4894,119 @@ http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-
}
+function Set-DomainUserPassword {
+<#
+.SYNOPSIS
+
+Sets the password for a given user identity and returns the user object.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-PrincipalContext
+
+.DESCRIPTION
+
+First binds to the specified domain context using Get-PrincipalContext.
+The bound domain context is then used to search for the specified user -Identity,
+which returns a DirectoryServices.AccountManagement.UserPrincipal object. The
+SetPassword() function is then invoked on the user, setting the password to -AccountPassword.
+
+.PARAMETER Identity
+
+A user SamAccountName (e.g. User1), DistinguishedName (e.g. CN=user1,CN=Users,DC=testlab,DC=local),
+SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1113), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
+specifying the user to reset the password for.
+
+.PARAMETER AccountPassword
+
+Specifies the password to reset the target user's to. Mandatory.
+
+.PARAMETER Domain
+
+Specifies the domain to use to search for the user identity, defaults to the current domain.
+
+.PARAMETER Credential
+
+A [Management.Automation.PSCredential] object of alternate credentials
+for connection to the target domain.
+
+.EXAMPLE
+
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword
+
+Resets the password for 'andy' to the password specified.
+
+.EXAMPLE
+
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword -Credential $Cred
+
+Resets the password for 'andy' usering the alternate credentials specified.
+
+.OUTPUTS
+
+DirectoryServices.AccountManagement.UserPrincipal
+
+.LINK
+
+http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/
+#>
+
+ [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
+ [OutputType('DirectoryServices.AccountManagement.UserPrincipal')]
+ Param(
+ [Parameter(Position = 0, Mandatory = $True)]
+ [Alias('UserName', 'UserIdentity', 'User')]
+ [String]
+ $Identity,
+
+ [Parameter(Mandatory = $True)]
+ [ValidateNotNullOrEmpty()]
+ [Alias('Password')]
+ [Security.SecureString]
+ $AccountPassword,
+
+ [ValidateNotNullOrEmpty()]
+ [String]
+ $Domain,
+
+ [Management.Automation.PSCredential]
+ [Management.Automation.CredentialAttribute()]
+ $Credential = [Management.Automation.PSCredential]::Empty
+ )
+
+ $ContextArguments = @{ 'Identity' = $Identity }
+ if ($PSBoundParameters['Domain']) { $ContextArguments['Domain'] = $Domain }
+ if ($PSBoundParameters['Credential']) { $ContextArguments['Credential'] = $Credential }
+ $Context = Get-PrincipalContext @ContextArguments
+
+ if ($Context) {
+ $User = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($Context.Context, $Identity)
+
+ if ($User) {
+ Write-Verbose "[Set-DomainUserPassword] Attempting to set the password for user '$Identity'"
+ try {
+ $TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword)
+ $User.SetPassword($TempCred.GetNetworkCredential().Password)
+
+ $Null = $User.Save()
+ Write-Verbose "[Set-DomainUserPassword] Password for user '$Identity' successfully reset"
+ $User
+ }
+ catch {
+ Write-Warning "[Set-DomainUserPassword] Error setting password for user '$Identity' : $_"
+ }
+ }
+ else {
+ Write-Warning "[Set-DomainUserPassword] Unable to find user '$Identity'"
+ }
+ }
+}
+
+
function Get-DomainUserEvent {
<#
.SYNOPSIS
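Review bot: Set-DomainUserPassword irreversibly changes a directory account, yet the attribute on line 100 suppresses the ShouldProcess rule instead of honouring it; replacing `[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]` with `[CmdletBinding(SupportsShouldProcess = $True)]` and wrapping the try block in `if ($PSCmdlet.ShouldProcess($Identity, 'Reset password'))` would give operators `-WhatIf`/`-Confirm` on a destructive action. The SecureString is unwrapped into a plaintext .NET string at `$TempCred.GetNetworkCredential().Password` before `SetPassword`; that is the type the API takes, but a one-line comment noting that the plaintext copy stays in managed memory until collected would stop a maintainer from treating `$AccountPassword` as protected end to end. The help block should also state that this is an administrative reset that requires the right to reset the target user's password, and the second example has a typo, `usering` for `using`. The whole function, from `function Set-DomainUserPassword {` to its closing brace, lies inside this hunk.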
diff --git a/Recon/README.md b/Recon/README.md
index acc2627..7fcacc5 100644
--- a/Recon/README.md
+++ b/Recon/README.md
@@ -58,6 +58,7 @@ an array of hosts from the pipeline.
Find-DomainObjectPropertyOutlier- inds user/group/computer objects in AD that have 'outlier' properties set
Get-DomainUser - return all users or specific user objects in AD
New-DomainUser - creates a new domain user (assuming appropriate permissions) and returns the user object
+ Set-DomainUserPassword - sets the password for a given user identity and returns the user object
Get-DomainUserEvent - enumerates account logon events (ID 4624) and Logon with explicit credential events
Get-DomainComputer - returns all computers or specific computer objects in AD
Get-DomainObject - returns all (or specified) domain objects in AD
diff --git a/Recon/Recon.psd1 b/Recon/Recon.psd1
index 6cdcfba..7e2abcb 100644
--- a/Recon/Recon.psd1
+++ b/Recon/Recon.psd1
@@ -46,6 +46,7 @@ FunctionsToExport = @(
'Find-DomainObjectPropertyOutlier',
'Get-DomainUser',
'New-DomainUser',
+ 'Set-DomainUserPassword',
'Get-DomainUserEvent',
'Get-DomainComputer',
'Get-DomainObject',
diff --git a/docs/Recon/Set-DomainUserPassword.md b/docs/Recon/Set-DomainUserPassword.md
new file mode 100755
index 0000000..1712294
--- /dev/null
+++ b/docs/Recon/Set-DomainUserPassword.md
@@ -0,0 +1,127 @@
+# Set-DomainUserPassword
+
+## SYNOPSIS
+Sets the password for a given user identity and returns the user object.
+
+Author: Will Schroeder (@harmj0y)
+License: BSD 3-Clause
+Required Dependencies: Get-PrincipalContext
+
+## SYNTAX
+
+```
+Set-DomainUserPassword [-Identity] <String> -AccountPassword <SecureString> [-Domain <String>]
+ [-Credential <PSCredential>]
+```
+
+## DESCRIPTION
+First binds to the specified domain context using Get-PrincipalContext.
+The bound domain context is then used to search for the specified user -Identity,
+which returns a DirectoryServices.AccountManagement.UserPrincipal object.
+The
+SetPassword() function is then invoked on the user, setting the password to -AccountPassword.
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword
+
+Resets the password for 'andy' to the password specified.
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+```
+
+$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
+$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword -Credential $Cred
+
+Resets the password for 'andy' usering the alternate credentials specified.
+
+## PARAMETERS
+
+### -Identity
+A user SamAccountName (e.g.
+User1), DistinguishedName (e.g.
+CN=user1,CN=Users,DC=testlab,DC=local),
+SID (e.g.
+S-1-5-21-890171859-3433809279-3366196753-1113), or GUID (e.g.
+4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
+specifying the user to reset the password for.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: UserName, UserIdentity, User
+
+Required: True
+Position: 1
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AccountPassword
+Specifies the password to reset the target user's to.
+Mandatory.
+
+```yaml
+Type: SecureString
+Parameter Sets: (All)
+Aliases: Password
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Domain
+Specifies the domain to use to search for the user identity, defaults to the current domain.
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Credential
+A \[Management.Automation.PSCredential\] object of alternate credentials
+for connection to the target domain.
+
+```yaml
+Type: PSCredential
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: [Management.Automation.PSCredential]::Empty
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+### DirectoryServices.AccountManagement.UserPrincipal
+
+## NOTES
+
+## RELATED LINKS
+
+[http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/](http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/)
+
diff --git a/docs/Recon/index.md b/docs/Recon/index.md
index acc2627..b3eca5c 100644
--- a/docs/Recon/index.md
+++ b/docs/Recon/index.md
@@ -1,17 +1,3 @@
-To install this module, drop the entire Recon folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
-
-The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
-The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
-
-To use the module, type `Import-Module Recon`
-
-To see the commands imported, type `Get-Command -Module Recon`
-
-For help on each individual command, Get-Help is your friend.
-
-Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
-
-
## PowerView
PowerView is a PowerShell tool to gain network situational awareness on
diff --git a/docs/index.md b/docs/index.md
index c348b9e..67ddcbc 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -1,189 +1,74 @@
-### PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts:
+## Overview
+PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.
-## CodeExecution
+### CodeExecution
+Execute code on a target machine.
-**Execute code on a target machine.**
+ Invoke-DllInjection - Injects a Dll into the process ID of your choosing.
+ Invoke-ReflectivePEInjection - Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process.
+ Invoke-Shellcode - Injects shellcode into the process ID of your choosing or within PowerShell locally.
+ Invoke-WmiCommand - Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel
-#### `Invoke-DllInjection`
+### ScriptModification
+Modify and/or prepare scripts for execution on a compromised machine.
-Injects a Dll into the process ID of your choosing.
+ Out-EncodedCommand - Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
+ Out-CompressedDll - Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
+ Out-EncryptedScript - Encrypts text files/scripts.
+ Remove-Comments - Strips comments and extra whitespace from a script.
-#### `Invoke-ReflectivePEInjection`
+### Persistence
-Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process.
+Add persistence capabilities to a PowerShell script.
-#### `Invoke-Shellcode`
+ New-UserPersistenceOption - Configure user-level persistence options for the Add-Persistence function.
+ New-ElevatedPersistenceOption - Configure elevated persistence options for the Add-Persistence function.
+ Add-Persistence - Add persistence capabilities to a script.
+ Install-SSP - Installs a security support provider (SSP) dll.
+ Get-SecurityPackages - Enumerates all loaded security packages (SSPs).
-Injects shellcode into the process ID of your choosing or within PowerShell locally.
+### AntivirusBypass
+AV doesn't stand a chance against PowerShell!
-#### `Invoke-WmiCommand`
+ Find-AVSignature - Locates single Byte AV signatures utilizing the same method as DSplit from "class101".
-Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel.
+### Exfiltration
+All your data belong to me!
-## ScriptModification
+ Invoke-TokenManipulation - Lists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in the current thread.
+ Invoke-CredentialInjection - Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon).
+ Invoke-NinjaCopy - Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.
+ Invoke-Mimikatz - Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz.
+ Get-Keystrokes - Logs keys pressed, time and the active window.
+ Get-GPPPassword - Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
+ Get-GPPAutologon - Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences.
+ Get-TimedScreenshot - A function that takes screenshots at a regular interval and saves them to a folder.
+ New-VolumeShadowCopy - Creates a new volume shadow copy.
+ Get-VolumeShadowCopy - Lists the device paths of all local volume shadow copies.
+ Mount-VolumeShadowCopy - Mounts a volume shadow copy.
+ Remove-VolumeShadowCopy - Deletes a volume shadow copy.
+ Get-VaultCredential - Displays Windows vault credential objects including cleartext web credentials.
+ Out-Minidump - Generates a full-memory minidump of a process.
+ Get-MicrophoneAudio - Records audio from system microphone and saves to disk.
-**Modify and/or prepare scripts for execution on a compromised machine.**
+### Mayhem
+Cause general mayhem with PowerShell.
-#### `Out-EncodedCommand`
+ Set-MasterBootRecord - Proof of concept code that overwrites the master boot record with the message of your choice.
+ Set-CriticalProcess - Causes your machine to blue screen upon exiting PowerShell.
-Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
+### Privesc
+Tools to help with escalating privileges on a target, including PowerUp.
-#### `Out-CompressedDll`
+ PowerUp - Clearing house of common privilege escalation checks, along with some weaponization vectors.
-Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
+### Recon
+Tools to aid in the reconnaissance phase of a penetration test, including PowerView.
-#### `Out-EncryptedScript`
-
-Encrypts text files/scripts.
-
-#### `Remove-Comments`
-
-Strips comments and extra whitespace from a script.
-
-## Persistence
-
-**Add persistence capabilities to a PowerShell script**
-
-#### `New-UserPersistenceOption`
-
-Configure user-level persistence options for the Add-Persistence function.
-
-#### `New-ElevatedPersistenceOption`
-
-Configure elevated persistence options for the Add-Persistence function.
-
-#### `Add-Persistence`
-
-Add persistence capabilities to a script.
-
-#### `Install-SSP`
-
-Installs a security support provider (SSP) dll.
-
-#### `Get-SecurityPackages`
-
-Enumerates all loaded security packages (SSPs).
-
-## AntivirusBypass
-
-**AV doesn't stand a chance against PowerShell!**
-
-#### `Find-AVSignature`
-
-Locates single Byte AV signatures utilizing the same method as DSplit from "class101".
-
-## Exfiltration
-
-**All your data belong to me!**
-
-#### `Invoke-TokenManipulation`
-
-Lists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in the current thread.
-
-#### `Invoke-CredentialInjection`
-
-Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon).
-
-#### `Invoke-NinjaCopy`
-
-Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.
-
-#### `Invoke-Mimikatz`
-
-Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz.
-
-#### `Get-Keystrokes`
-
-Logs keys pressed, time and the active window.
-
-#### `Get-GPPPassword`
-
-Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
-
-#### `Get-GPPAutologon`
-
-Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences.
-
-#### `Get-TimedScreenshot`
-
-A function that takes screenshots at a regular interval and saves them to a folder.
-
-#### `New-VolumeShadowCopy`
-
-Creates a new volume shadow copy.
-
-#### `Get-VolumeShadowCopy`
-
-Lists the device paths of all local volume shadow copies.
-
-#### `Mount-VolumeShadowCopy`
-
-Mounts a volume shadow copy.
-
-#### `Remove-VolumeShadowCopy`
-
-Deletes a volume shadow copy.
-
-#### `Get-VaultCredential`
-
-Displays Windows vault credential objects including cleartext web credentials.
-
-#### `Out-Minidump`
-
-Generates a full-memory minidump of a process.
-
-#### 'Get-MicrophoneAudio'
-
-Records audio from system microphone and saves to disk
-
-## Mayhem
-
-**Cause general mayhem with PowerShell.**
-
-#### `Set-MasterBootRecord`
-
-Proof of concept code that overwrites the master boot record with the
- message of your choice.
-
-#### `Set-CriticalProcess`
-
-Causes your machine to blue screen upon exiting PowerShell.
-
-## Privesc
-
-**Tools to help with escalating privileges on a target.**
-
-#### `PowerUp`
-
-Clearing house of common privilege escalation checks, along with some weaponization vectors.
-
-## Recon
-
-**Tools to aid in the reconnaissance phase of a penetration test.**
-
-#### `Invoke-Portscan`
-
-Does a simple port scan using regular sockets, based (pretty) loosely on nmap.
-
-#### `Get-HttpStatus`
-
-Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file.
-
-#### `Invoke-ReverseDnsLookup`
-
-Scans an IP address range for DNS PTR records.
-
-#### `PowerView`
-
-PowerView is series of functions that performs network and Windows domain enumeration and exploitation.
-
-## Recon\Dictionaries
-
-**A collection of dictionaries used to aid in the reconnaissance phase of a penetration test. Dictionaries were taken from the following sources.**
-
-* admin.txt - <http://cirt.net/nikto2/>
-* generic.txt - <http://sourceforge.net/projects/yokoso/files/yokoso-0.1/>
-* sharepoint.txt - <http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/>
+ Invoke-Portscan - Does a simple port scan using regular sockets, based (pretty) loosely on nmap.
+ Get-HttpStatus - Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file.
+ Invoke-ReverseDnsLookup - Scans an IP address range for DNS PTR records.
+ PowerView - PowerView is series of functions that performs network and Windows domain enumeration and exploitation.
## License
diff --git a/mkdocs.yml b/mkdocs.yml
index fb9ad52..fcaef8d 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -29,6 +29,7 @@ pages:
- Find-DomainObjectPropertyOutlier: 'Recon/Find-DomainObjectPropertyOutlier.md'
- Get-DomainUser: 'Recon/Get-DomainUser.md'
- New-DomainUser: 'Recon/New-DomainUser.md'
+ - Set-DomainUserPassword: 'Recon/Set-DomainUserPassword.md'
- Get-DomainUserEvent: 'Recon/Get-DomainUserEvent.md'
- Get-DomainComputer: 'Recon/Get-DomainComputer.md'
- Get-DomainObject: 'Recon/Get-DomainObject.md'