-rw-r--r--AntivirusBypass/Find-AVSignature.ps175
-rw-r--r--CodeExecution/Invoke-DllInjection.ps12
-rw-r--r--CodeExecution/Invoke-Shellcode.ps12
-rw-r--r--Exfiltration/Get-TimedScreenshot.ps1142
-rw-r--r--PETools/Get-DllLoadPath.ps120
-rw-r--r--PETools/Get-PEArchitecture.ps19
-rw-r--r--PETools/Get-PEHeader.ps17
-rw-r--r--Recon/Get-GPPPassword.ps140
-rw-r--r--Recon/Get-HttpStatus.ps141
-rw-r--r--Recon/Invoke-ReverseDnsLookup.ps186
-rw-r--r--ReverseEngineering/Get-ILDisassembly.ps14
-rw-r--r--ReverseEngineering/Get-KernelModuleInfo.ps12
-rw-r--r--ReverseEngineering/Get-Member.ps12
-rw-r--r--ReverseEngineering/Get-MethodAddress.ps12
-rw-r--r--ReverseEngineering/Get-PEB.ps12
-rw-r--r--ReverseEngineering/Get-Strings.ps12
-rw-r--r--ReverseEngineering/Get-StructFromMemory.ps12
-rw-r--r--ScriptModification/Out-CompressedDll.ps12
-rw-r--r--ScriptModification/Out-EncodedCommand.ps12
-rw-r--r--ScriptModification/Out-EncryptedScript.ps184
-rw-r--r--ScriptModification/Remove-Comments.ps12
21 files changed, 296 insertions, 234 deletions
diff --git a/AntivirusBypass/Find-AVSignature.ps1 b/AntivirusBypass/Find-AVSignature.ps1
index aaa68c8..c373c5b 100644
--- a/AntivirusBypass/Find-AVSignature.ps1
+++ b/AntivirusBypass/Find-AVSignature.ps1
@@ -1,69 +1,84 @@
-function Find-AVSignature {
+function Find-AVSignature
+{
<#
.SYNOPSIS
- Find-AVSignature
+Locate tiny AV signatures.
- Locates single Byte AV signatures utilizing the same method as DSplit from "class101" on heapoverflow.com
-
- Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation)
- License: BSD 3-Clause
+PowerSploit Function: Find-AVSignature
+Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
.DESCRIPTION
- A script to locate tiny AV signatures.
+Locates single Byte AV signatures utilizing the same method as DSplit from "class101" on heapoverflow.com.
.PARAMETER Startbyte
- Specifies the first byte to begin splitting on.
+Specifies the first byte to begin splitting on.
.PARAMETER Endbyte
- Specifies the last byte to split on.
+Specifies the last byte to split on.
.PARAMETER Interval
- Specifies the interval size to split with.
+Specifies the interval size to split with.
.PARAMETER Path
- Specifies the path to the binary you want tested.
+Specifies the path to the binary you want tested.
.PARAMETER OutPath
- Optionally specifies the directory to write the binaries to.
+Optionally specifies the directory to write the binaries to.
.PARAMETER Force
- Forces the script to continue without confirmation.
+Forces the script to continue without confirmation.
.EXAMPLE
- PS C:\> Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe
- PS C:\> Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose
- PS C:\> Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose
- PS C:\> Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose
- PS C:\> Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose
+PS C:\> Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe
+PS C:\> Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose
+PS C:\> Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose
+PS C:\> Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose
+PS C:\> Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose
.NOTES
- Several of the versions of "DSplit.exe" available on the internet contain malware.
+Several of the versions of "DSplit.exe" available on the internet contain malware.
.LINK
- http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html
- https://github.com/mattifestation/PowerSploit
- http://www.exploit-monday.com/
- http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
+http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html
+https://github.com/mattifestation/PowerSploit
+http://www.exploit-monday.com/
+http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
#>
-[CmdletBinding()] Param(
- [Parameter(Mandatory = $True)] [Int32] $StartByte,
- [Parameter(Mandatory = $True)] [String] $EndByte,
- [Parameter(Mandatory = $True)] [Int32] $Interval,
- [Parameter(Mandatory = $False)] [String] $Path = ($pwd.path),
- [Parameter(Mandatory = $False)] [String] $OutPath = ($pwd),
- [Switch] $Force = $False
+ [CmdletBinding()] Param(
+ [Parameter(Mandatory = $True)]
+ [Int32]
+ $StartByte,
+
+ [Parameter(Mandatory = $True)]
+ [String]
+ $EndByte,
+
+ [Parameter(Mandatory = $True)]
+ [Int32]
+ $Interval,
+
+ [String]
+ $Path = ($pwd.path),
+
+ [String]
+ $OutPath = ($pwd),
+
+ [Switch] $Force
)
#test variables
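Review bot: The two optional path defaults in the new Param block are written differently: `$Path = ($pwd.path)` yields a string, while `$OutPath = ($pwd)` relies on the `[String]` constraint to coerce a PathInfo object. Writing both as `$pwd.Path` makes the intent explicit. `$Path` is documented as the binary to test yet defaults to the current directory, so `[ValidateScript({Test-Path $_ -PathType Leaf})]` would fail early with a clear message; the function body continues past this hunk, so a later check may already cover that. `[Switch] $Force` is also the only parameter left on a single line after the restyle.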
diff --git a/CodeExecution/Invoke-DllInjection.ps1 b/CodeExecution/Invoke-DllInjection.ps1
index b62e7a1..572a911 100644
--- a/CodeExecution/Invoke-DllInjection.ps1
+++ b/CodeExecution/Invoke-DllInjection.ps1
@@ -5,7 +5,7 @@ function Invoke-DllInjection
Injects a Dll into the process ID of your choosing.
-PowerSploit Module - Invoke-DllInjection
+PowerSploit Function: Invoke-DllInjection
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
diff --git a/CodeExecution/Invoke-Shellcode.ps1 b/CodeExecution/Invoke-Shellcode.ps1
index e23c0f9..4f59f3b 100644
--- a/CodeExecution/Invoke-Shellcode.ps1
+++ b/CodeExecution/Invoke-Shellcode.ps1
@@ -5,7 +5,7 @@ function Invoke-Shellcode
Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process.
-PowerSploit Module - Invoke-Shellcode
+PowerSploit Function: Invoke-Shellcode
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
diff --git a/Exfiltration/Get-TimedScreenshot.ps1 b/Exfiltration/Get-TimedScreenshot.ps1
index 3a19a7d..e1c44d0 100644
--- a/Exfiltration/Get-TimedScreenshot.ps1
+++ b/Exfiltration/Get-TimedScreenshot.ps1
@@ -1,99 +1,101 @@
-Function Get-TimedScreenshot {
+function Get-TimedScreenshot
+{
<#
.SYNOPSIS
-
- Get-TimedScreenshot
-
- Author: Chris Campbell (@obscuresec)
- License: BSD 3-Clause
+
+Takes screenshots at a regular interval and saves them to disk.
+
+PowerSploit Function: Get-TimedScreenshot
+Author: Chris Campbell (@obscuresec)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
.DESCRIPTION
- A function that takes screenshots and saves them to a folder.
+A function that takes screenshots and saves them to a folder.
-.PARAMETER $Path
+.PARAMETER Path
- Specifies the folder path.
+Specifies the folder path.
-.PARAMETER $Interval
+.PARAMETER Interval
- Specifies the interval in seconds between taking screenshots.
+Specifies the interval in seconds between taking screenshots.
-.PARAMETER $EndTime
+.PARAMETER EndTime
- Specifies when the script should stop running in the format HH-MM
+Specifies when the script should stop running in the format HH-MM
.EXAMPLE
- PS C:\> Get-TimedScreenshot -Path c:\temp\ -Interval 30 -EndTime 14:00
+PS C:\> Get-TimedScreenshot -Path c:\temp\ -Interval 30 -EndTime 14:00
.LINK
- http://obscuresecurity.blogspot.com/2013/01/Get-TimedScreenshot.html
- https://github.com/obscuresec/random/blob/master/Get-TimedScreenshot
-
+http://obscuresecurity.blogspot.com/2013/01/Get-TimedScreenshot.html
+https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-TimedScreenshot.ps1
#>
[CmdletBinding()] Param(
- [Parameter(Mandatory=$True)]
- [ValidateScript({Test-Path -Path $_ })]
- [string] $Path,
-
- [Parameter(Mandatory=$True)]
- [int32] $Interval,
-
- [Parameter(Mandatory=$True)]
- [string] $EndTime
- )
-
- #Define helper function that generates and saves screenshot
- Function GenScreenshot {
- $ScreenBounds = [Windows.Forms.SystemInformation]::VirtualScreen
- $ScreenshotObject = New-Object Drawing.Bitmap $ScreenBounds.Width, $ScreenBounds.Height
- $DrawingGraphics = [Drawing.Graphics]::FromImage($ScreenshotObject)
- $DrawingGraphics.CopyFromScreen( $ScreenBounds.Location, [Drawing.Point]::Empty, $ScreenBounds.Size)
- $DrawingGraphics.Dispose()
- $ScreenshotObject.Save($FilePath)
- $ScreenshotObject.Dispose()
- }
+ [Parameter(Mandatory=$True)]
+ [ValidateScript({Test-Path -Path $_ })]
+ [String] $Path,
+
+ [Parameter(Mandatory=$True)]
+ [Int32] $Interval,
+
+ [Parameter(Mandatory=$True)]
+ [String] $EndTime
+ )
+
+ #Define helper function that generates and saves screenshot
+ Function GenScreenshot {
+ $ScreenBounds = [Windows.Forms.SystemInformation]::VirtualScreen
+ $ScreenshotObject = New-Object Drawing.Bitmap $ScreenBounds.Width, $ScreenBounds.Height
+ $DrawingGraphics = [Drawing.Graphics]::FromImage($ScreenshotObject)
+ $DrawingGraphics.CopyFromScreen( $ScreenBounds.Location, [Drawing.Point]::Empty, $ScreenBounds.Size)
+ $DrawingGraphics.Dispose()
+ $ScreenshotObject.Save($FilePath)
+ $ScreenshotObject.Dispose()
+ }
+
+ Try {
+
+ #load required assembly
+ Add-Type -Assembly System.Windows.Forms
- Try {
+ Do {
+ #get the current time and build the filename from it
+ $Time = (Get-Date)
- #load required assembly
- Add-Type -Assembly System.Windows.Forms
-
- Do {
- #get the current time and build the filename from it
- $Time = (Get-Date)
-
- [string] $FileName = "$($Time.Month)"
- $FileName += '-'
- $FileName += "$($Time.Day)"
- $FileName += '-'
- $FileName += "$($Time.Year)"
- $FileName += '-'
- $FileName += "$($Time.Hour)"
- $FileName += '-'
- $FileName += "$($Time.Minute)"
- $FileName += '-'
- $FileName += "$($Time.Second)"
- $FileName += '.png'
+ [String] $FileName = "$($Time.Month)"
+ $FileName += '-'
+ $FileName += "$($Time.Day)"
+ $FileName += '-'
+ $FileName += "$($Time.Year)"
+ $FileName += '-'
+ $FileName += "$($Time.Hour)"
+ $FileName += '-'
+ $FileName += "$($Time.Minute)"
+ $FileName += '-'
+ $FileName += "$($Time.Second)"
+ $FileName += '.png'
- #use join-path to add path to filename
- [string] $FilePath = (Join-Path $Path $FileName)
-
- #run screenshot function
- GenScreenshot
-
- Write-Verbose "Saved screenshot to $FilePath. Sleeping for $Interval seconds"
+ #use join-path to add path to filename
+ [String] $FilePath = (Join-Path $Path $FileName)
- Start-Sleep -Seconds $Interval
- }
+ #run screenshot function
+ GenScreenshot
+
+ Write-Verbose "Saved screenshot to $FilePath. Sleeping for $Interval seconds"
- #note that this will run once regardless if the specified time as passed
- While ((Get-Date -Format HH:%m) -lt $EndTime)
+ Start-Sleep -Seconds $Interval
}
- Catch {Write-Warning "$Error[0].ToString() + $Error[0].InvocationInfo.PositionMessage"}
+ #note that this will run once regardless if the specified time as passed
+ While ((Get-Date -Format HH:%m) -lt $EndTime)
+ }
+ Catch {Write-Warning "$Error[0].ToString() + $Error[0].InvocationInfo.PositionMessage"}
}
\ No newline at end of file
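Review bot: The `Catch` block at the end of this hunk does not print the error it intends to: inside a double-quoted string, `$Error[0].ToString()` expands the whole `$Error` collection and then appends the literal text `[0].ToString()`. Subexpressions fix it, e.g. `Catch {Write-Warning "$($_.ToString()) $($_.InvocationInfo.PositionMessage)"}`. The loop condition is a string comparison and `HH:%m` emits the minute without a leading zero, so `14:5` compares greater than `14:10`; `Get-Date -Format HH:mm` matches the `14:00` form used in the example. The help text for `-EndTime` still says `HH-MM`, which disagrees with that example.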
diff --git a/PETools/Get-DllLoadPath.ps1 b/PETools/Get-DllLoadPath.ps1
index 360c913..97b0210 100644
--- a/PETools/Get-DllLoadPath.ps1
+++ b/PETools/Get-DllLoadPath.ps1
@@ -1,8 +1,11 @@
-function Get-DllLoadPath {
+function Get-DllLoadPath
+{
<#
.SYNOPSIS
-PowerSploit Module - Get-DllLoadPath
+Outputs the order of paths in which a dll would be loaded.
+
+PowerSploit Function: Get-DllLoadPath
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
@@ -14,7 +17,7 @@ Get-DllLoadPath returns the path from which Windows will load a Dll for the give
.PARAMETER ExecutablePath
- Path to the executable from which the Dll would be loaded.
+Path to the executable from which the Dll would be loaded.
.PARAMETER DllName
@@ -38,7 +41,7 @@ C:\Windows\SysWOW64\Comctl32.dll
.OUTPUTS
-$null, System.Management.Automation.PathInfo
+System.Management.Automation.PathInfo
.NOTES
@@ -51,8 +54,13 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.as
#>
Param (
- [Parameter(Position = 0, Mandatory = $True)] [String] $ExecutablePath,
- [Parameter(Position = 1, Mandatory = $True)] [String] $DllName
+ [Parameter(Position = 0, Mandatory = $True)]
+ [String]
+ $ExecutablePath,
+
+ [Parameter(Position = 1, Mandatory = $True)]
+ [String]
+ $DllName
)
if (!(Test-Path $ExecutablePath)) {
diff --git a/PETools/Get-PEArchitecture.ps1 b/PETools/Get-PEArchitecture.ps1
index 6272153..efc80be 100644
--- a/PETools/Get-PEArchitecture.ps1
+++ b/PETools/Get-PEArchitecture.ps1
@@ -1,8 +1,11 @@
-function Get-PEArchitecture {
+function Get-PEArchitecture
+{
<#
.SYNOPSIS
-PowerSploit Module - Get-PEArchitecture
+Outputs the architecture for which a binary was compiled.
+
+PowerSploit Function: Get-PEArchitecture
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
@@ -19,13 +22,11 @@ Path to the executable.
.EXAMPLE
C:\PS> Get-PEArchitecture C:\Windows\SysWOW64\calc.exe
-
X86
.EXAMPLE
C:\PS> Get-PEArchitecture C:\Windows\System32\cmd.exe
-
X64
.LINK
diff --git a/PETools/Get-PEHeader.ps1 b/PETools/Get-PEHeader.ps1
index 49bfbd6..f32239c 100644
--- a/PETools/Get-PEHeader.ps1
+++ b/PETools/Get-PEHeader.ps1
@@ -1,8 +1,11 @@
-function Get-PEHeader {
+function Get-PEHeader
+{
<#
.SYNOPSIS
-PowerSploit Module - Get-PEHeader
+Parses and outputs the PE header of a process in memory or a PE file on disk.
+
+PowerSploit Function: Get-PEHeader
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
diff --git a/Recon/Get-GPPPassword.ps1 b/Recon/Get-GPPPassword.ps1
index 99a694b..b22fb74 100644
--- a/Recon/Get-GPPPassword.ps1
+++ b/Recon/Get-GPPPassword.ps1
@@ -1,31 +1,39 @@
-function Get-GPPPassword {
-
+function Get-GPPPassword
+{
<#
-.Synopsis
+.SYNOPSIS
+
+Retrieves the plaintext password for accounts pushed through Group Policy in groups.xml.
- Get-GPPPassword retrieves the plaintext password for accounts pushed through Group Policy in groups.xml.
- Author: Chris Campbell (@obscuresec)
- License: BSD 3-Clause
+PowerSploit Function: Get-GPPPassword
+Author: Chris Campbell (@obscuresec)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
-.Description
+.DESCRIPTION
- Get-GPPPassword imports the encoded and encrypted password string from groups.xml and then decodes and decrypts the plaintext password.
+Get-GPPPassword imports the encoded and encrypted password string from groups.xml and then decodes and decrypts the plaintext password.
-.Parameter Path
+.PARAMETER Path
- The path to the targeted groups.xml file.
+The path to the targeted groups.xml file.
-.Example
+.EXAMPLE
- Get-GPPPassword -path c:\demo\groups.xml
+Get-GPPPassword -path c:\demo\groups.xml
-.Link
+.LINK
- http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
- http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
+http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
+http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
#>
-Param ( [Parameter(Position = 0, Mandatory = $True)] [String] $Path = "$PWD\groups.xml" )
+ Param (
+ [Parameter(Position = 0, Mandatory = $True)]
+ [String]
+ $Path = "$PWD\groups.xml"
+ )
#Function to pull encrypted password string from groups.xml
function Parse-cPassword {
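Review bot: `$Path` is declared `Mandatory = $True` and also given the default `"$PWD\groups.xml"`; PowerShell prompts for an omitted mandatory parameter, so the default is never applied. Keep one of the two: drop the default, or change the attribute to `[Parameter(Position = 0)]` so the default takes effect. The function body continues past this hunk.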
diff --git a/Recon/Get-HttpStatus.ps1 b/Recon/Get-HttpStatus.ps1
index 2f4b343..fde3d26 100644
--- a/Recon/Get-HttpStatus.ps1
+++ b/Recon/Get-HttpStatus.ps1
@@ -1,47 +1,68 @@
-function Get-HttpStatus {
+function Get-HttpStatus
+{
<#
.SYNOPSIS
-PowerSploit Module - Get-HttpStatus
Returns the HTTP Status Codes and full URL for specified paths.
+PowerSploit Function: Get-HttpStatus
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
.DESCRIPTION
+
A script to check for the existence of a path or file on a webserver.
.PARAMETER Target
+
Specifies the remote web host either by IP or hostname.
.PARAMETER Path
+
Specifies the remost host.
.PARAMETER Port
+
Specifies the port to connect to.
.PARAMETER UseSSL
+
Use an SSL connection.
.EXAMPLE
-PS > Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt | Select-Object {where StatusCode -eq 20*}
+
+C:\PS> Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt | Select-Object {where StatusCode -eq 20*}
.EXAMPLE
-PS > Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL
+
+C:\PS> Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL
.NOTES
-HTTP Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error
-Status Codes: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
+
+HTTP Status Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error
.LINK
+
http://obscuresecurity.blogspot.com
+http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
#>
[CmdletBinding()] Param(
- [Parameter(Mandatory = $True)] [String] $Target,
- [Parameter()] [String] [ValidateNotNullOrEmpty()] $Path = '.\Dictionaries\admin.txt',
- [Parameter()] [Int] $Port,
- [Parameter()] [Switch] $UseSSL
+ [Parameter(Mandatory = $True)]
+ [String]
+ $Target,
+
+ [String]
+ [ValidateNotNullOrEmpty()]
+ $Path = '.\Dictionaries\admin.txt',
+
+ [Int]
+ $Port,
+
+ [Switch]
+ $UseSSL
)
if (Test-Path $Path) {
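Review bot: The help for `-Path` still reads `Specifies the remost host.`, which is a typo and describes the wrong parameter; judging by the default `'.\Dictionaries\admin.txt'` and the `Test-Path $Path` check, it is a local dictionary file. Suggested text: `Specifies the path to the dictionary file listing the paths to request.` The first example's `Select-Object {where StatusCode -eq 20*}` is not valid filtering syntax; `Where-Object { $_.StatusCode -like '20*' }` is presumably what was meant, assuming the output objects expose a `StatusCode` property (not visible in this hunk).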
diff --git a/Recon/Invoke-ReverseDnsLookup.ps1 b/Recon/Invoke-ReverseDnsLookup.ps1
index af45f2e..1346ae6 100644
--- a/Recon/Invoke-ReverseDnsLookup.ps1
+++ b/Recon/Invoke-ReverseDnsLookup.ps1
@@ -1,64 +1,66 @@
function Invoke-ReverseDnsLookup
{
-
<#
-.Synopsis
+.SYNOPSIS
+
+Perform a reverse DNS lookup scan on a range of IP addresses.
- PowerSploit Module - Invoke-ReverseDnsLookup
- Author: Matthew Graeber (@mattifestation)
- License: BSD 3-Clause
+PowerSploit Function: Invoke-ReverseDnsLookup
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
-.Description
+.DESCRIPTION
- Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script
- is useful for performing DNS reconnaisance prior to conducting an authorized
- penetration test.
+Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script is useful for performing DNS reconnaisance prior to conducting an authorized penetration test.
-.Parameter IPRange
+.PARAMETER IPRange
- Specifies the IP address range. The range provided can be in the form of a single
- IP address, a low-high range, or a CIDR range. Comma-delimited ranges may can be
- provided.
+Specifies the IP address range. The range provided can be in the form of a single IP address, a low-high range, or a CIDR range. Comma-delimited ranges may can be provided.
-.Example
+.EXAMPLE
- PS> Invoke-ReverseDnsLookup 74.125.228.0/29
+C:\PS> Invoke-ReverseDnsLookup 74.125.228.0/29
- IP HostName
- -- --------
- 74.125.228.1 iad23s05-in-f1.1e100.net
- 74.125.228.2 iad23s05-in-f2.1e100.net
- 74.125.228.3 iad23s05-in-f3.1e100.net
- 74.125.228.4 iad23s05-in-f4.1e100.net
- 74.125.228.5 iad23s05-in-f5.1e100.net
- 74.125.228.6 iad23s05-in-f6.1e100.net
+IP HostName
+-- --------
+74.125.228.1 iad23s05-in-f1.1e100.net
+74.125.228.2 iad23s05-in-f2.1e100.net
+74.125.228.3 iad23s05-in-f3.1e100.net
+74.125.228.4 iad23s05-in-f4.1e100.net
+74.125.228.5 iad23s05-in-f5.1e100.net
+74.125.228.6 iad23s05-in-f6.1e100.net
- Description
- -----------
- Returns the hostnames of the IP addresses specified by the CIDR range.
+Description
+-----------
+Returns the hostnames of the IP addresses specified by the CIDR range.
-.Example
+.EXAMPLE
- PS> Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6'
-
- IP HostName
- -- --------
- 74.125.228.1 iad23s05-in-f1.1e100.net
- 74.125.228.4 iad23s05-in-f4.1e100.net
- 74.125.228.5 iad23s05-in-f5.1e100.net
- 74.125.228.6 iad23s05-in-f6.1e100.net
-
- Description
- -----------
- Returns the hostnames of the IP addresses specified by the IP range specified.
+C:\PS> Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6'
+IP HostName
+-- --------
+74.125.228.1 iad23s05-in-f1.1e100.net
+74.125.228.4 iad23s05-in-f4.1e100.net
+74.125.228.5 iad23s05-in-f5.1e100.net
+74.125.228.6 iad23s05-in-f6.1e100.net
-.Link
+Description
+-----------
+Returns the hostnames of the IP addresses specified by the IP range specified.
+
+.LINK
- My blog: http://www.exploit-monday.com
+http://www.exploit-monday.com
#>
-Param( [Parameter(Position = 0, Mandatory = $True)] [String] $IpRange )
+ Param (
+ [Parameter(Position = 0, Mandatory = $True)]
+ [String]
+ $IpRange
+ )
function Parse-IPList ([String] $IpRange)
{
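Review bot: The rewrapped help text carries two wording slips onto the new lines: `reconnaisance` in .DESCRIPTION and `may can be provided` in the IPRange description. Suggested replacements are `DNS reconnaissance` and `Comma-delimited ranges may be provided.`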
diff --git a/ReverseEngineering/Get-ILDisassembly.ps1 b/ReverseEngineering/Get-ILDisassembly.ps1
index 623d904..b3b615e 100644
--- a/ReverseEngineering/Get-ILDisassembly.ps1
+++ b/ReverseEngineering/Get-ILDisassembly.ps1
@@ -3,7 +3,9 @@ function Get-ILDisassembly
<#
.SYNOPSIS
-PowerSploit Module - Get-ILDisassembly
+A MSIL (Microsoft Intermediate Language) disassembler.
+
+PowerSploit Function: Get-ILDisassembly
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
diff --git a/ReverseEngineering/Get-KernelModuleInfo.ps1 b/ReverseEngineering/Get-KernelModuleInfo.ps1
index f6f8221..cb7b73e 100644
--- a/ReverseEngineering/Get-KernelModuleInfo.ps1
+++ b/ReverseEngineering/Get-KernelModuleInfo.ps1
@@ -5,7 +5,7 @@
Returns loaded kernel module information.
-PowerSploit Module - Get-KernelModuleInfo
+PowerSploit Function: Get-KernelModuleInfo
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
diff --git a/ReverseEngineering/Get-Member.ps1 b/ReverseEngineering/Get-Member.ps1
index 30d29f4..2f04deb 100644
--- a/ReverseEngineering/Get-Member.ps1
+++ b/ReverseEngineering/Get-Member.ps1
@@ -5,7 +5,7 @@ function Get-Member
Gets the properties and methods of objects.
-PowerSploit Module - Get-Member
+PowerSploit Proxy Function: Get-Member
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause (Except for the help documentation derived from the original Get-Member)
Required Dependencies: None
diff --git a/ReverseEngineering/Get-MethodAddress.ps1 b/ReverseEngineering/Get-MethodAddress.ps1
index bd6c627..656d1bd 100644
--- a/ReverseEngineering/Get-MethodAddress.ps1
+++ b/ReverseEngineering/Get-MethodAddress.ps1
@@ -5,7 +5,7 @@
Get the unmanaged function address of a .NET method.
-PowerSploit Module - Get-MethodAddress
+PowerSploit Function: Get-MethodAddress
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
diff --git a/ReverseEngineering/Get-PEB.ps1 b/ReverseEngineering/Get-PEB.ps1
index dbb95a0..4985da5 100644
--- a/ReverseEngineering/Get-PEB.ps1
+++ b/ReverseEngineering/Get-PEB.ps1
@@ -5,7 +5,7 @@
Returns the process environment block (PEB) of a process.
-PowerSploit Module - Get-PEB
+PowerSploit Function: Get-PEB
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
diff --git a/ReverseEngineering/Get-Strings.ps1 b/ReverseEngineering/Get-Strings.ps1
index 87f5f6a..7acb9f1 100644
--- a/ReverseEngineering/Get-Strings.ps1
+++ b/ReverseEngineering/Get-Strings.ps1
@@ -5,7 +5,7 @@
Gets strings from a file.
-PowerSploit Module - Inject-Shellcode
+PowerSploit Function: Get-Strings
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
diff --git a/ReverseEngineering/Get-StructFromMemory.ps1 b/ReverseEngineering/Get-StructFromMemory.ps1
index 9a265c5..ccf6d5b 100644
--- a/ReverseEngineering/Get-StructFromMemory.ps1
+++ b/ReverseEngineering/Get-StructFromMemory.ps1
@@ -5,7 +5,7 @@
Marshals data from an unmanaged block of memory in an arbitrary process to a newly allocated managed object of the specified type.
-PowerSploit Module - Get-StructFromMemory
+PowerSploit Function: Get-StructFromMemory
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
diff --git a/ScriptModification/Out-CompressedDll.ps1 b/ScriptModification/Out-CompressedDll.ps1
index f781c15..3aa5c2b 100644
--- a/ScriptModification/Out-CompressedDll.ps1
+++ b/ScriptModification/Out-CompressedDll.ps1
@@ -5,7 +5,7 @@
Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
-PowerSploit Module - Out-CompressedDll
+PowerSploit Function: Out-CompressedDll
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
diff --git a/ScriptModification/Out-EncodedCommand.ps1 b/ScriptModification/Out-EncodedCommand.ps1
index 99d3f66..cae4715 100644
--- a/ScriptModification/Out-EncodedCommand.ps1
+++ b/ScriptModification/Out-EncodedCommand.ps1
@@ -5,7 +5,7 @@
Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
-PowerSploit Module - Out-EncodedCommand
+PowerSploit Function: Out-EncodedCommand
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
diff --git a/ScriptModification/Out-EncryptedScript.ps1 b/ScriptModification/Out-EncryptedScript.ps1
index 1376673..3f09020 100644
--- a/ScriptModification/Out-EncryptedScript.ps1
+++ b/ScriptModification/Out-EncryptedScript.ps1
@@ -1,11 +1,11 @@
-function Out-EncryptedScript {
-
+function Out-EncryptedScript
+{
<#
.SYNOPSIS
Encrypts text files/scripts.
-PowerSploit Module - Out-EncryptedScript
+PowerSploit Function: Out-EncryptedScript
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
@@ -55,46 +55,46 @@ This command can be used to encrypt any text-based file/script
http://www.exploit-monday.com
#>
-[CmdletBinding()] Param (
- [Parameter(Position = 0, Mandatory = $True)]
- [String]
- $ScriptPath,
+ [CmdletBinding()] Param (
+ [Parameter(Position = 0, Mandatory = $True)]
+ [String]
+ $ScriptPath,
- [Parameter(Position = 1, Mandatory = $True)]
- [String]
- $Password,
+ [Parameter(Position = 1, Mandatory = $True)]
+ [String]
+ $Password,
- [Parameter(Position = 2, Mandatory = $True)]
- [String]
- $Salt,
+ [Parameter(Position = 2, Mandatory = $True)]
+ [String]
+ $Salt,
- [Parameter(Position = 3)]
- [String]
- $InitializationVector = ( @( foreach ($i in 1..16) { [Char](Get-Random -Min 0x41 -Max 0x5B) } ) -join '' ), # Generate random 16 character IV
+ [Parameter(Position = 3)]
+ [String]
+ $InitializationVector = ( @( foreach ($i in 1..16) { [Char](Get-Random -Min 0x41 -Max 0x5B) } ) -join '' ), # Generate random 16 character IV
- [Parameter(Position = 4)]
- [String]
- $FilePath = '.\evil.ps1'
-)
-
-$AsciiEncoder = New-Object System.Text.ASCIIEncoding
-$ivBytes = $AsciiEncoder.GetBytes("CRACKMEIFYOUCAN!")
-# While this can be used to encrypt any file, it's primarily designed to encrypt itself.
-[Byte[]] $scriptBytes = Get-Content -Encoding byte -Path $ScriptPath
-$DerivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($Password, $AsciiEncoder.GetBytes($Salt), "SHA1", 2)
-$Key = New-Object System.Security.Cryptography.RijndaelManaged
-$Key.Mode = [System.Security.Cryptography.CipherMode]::CBC
-[Byte[]] $KeyBytes = $DerivedPass.GetBytes(32)
-$Encryptor = $Key.CreateEncryptor($KeyBytes, $ivBytes)
-$MemStream = New-Object System.IO.MemoryStream
-$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($MemStream, $Encryptor, [System.Security.Cryptography.CryptoStreamMode]::Write)
-$CryptoStream.Write($scriptBytes, 0, $scriptBytes.Length)
-$CryptoStream.FlushFinalBlock()
-$CipherTextBytes = $MemStream.ToArray()
-$MemStream.Close()
-$CryptoStream.Close()
-$Key.Clear()
-$Cipher = [Convert]::ToBase64String($CipherTextBytes)
+ [Parameter(Position = 4)]
+ [String]
+ $FilePath = '.\evil.ps1'
+ )
+
+ $AsciiEncoder = New-Object System.Text.ASCIIEncoding
+ $ivBytes = $AsciiEncoder.GetBytes("CRACKMEIFYOUCAN!")
+ # While this can be used to encrypt any file, it's primarily designed to encrypt itself.
+ [Byte[]] $scriptBytes = Get-Content -Encoding byte -Path $ScriptPath
+ $DerivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($Password, $AsciiEncoder.GetBytes($Salt), "SHA1", 2)
+ $Key = New-Object System.Security.Cryptography.RijndaelManaged
+ $Key.Mode = [System.Security.Cryptography.CipherMode]::CBC
+ [Byte[]] $KeyBytes = $DerivedPass.GetBytes(32)
+ $Encryptor = $Key.CreateEncryptor($KeyBytes, $ivBytes)
+ $MemStream = New-Object System.IO.MemoryStream
+ $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($MemStream, $Encryptor, [System.Security.Cryptography.CryptoStreamMode]::Write)
+ $CryptoStream.Write($scriptBytes, 0, $scriptBytes.Length)
+ $CryptoStream.FlushFinalBlock()
+ $CipherTextBytes = $MemStream.ToArray()
+ $MemStream.Close()
+ $CryptoStream.Close()
+ $Key.Clear()
+ $Cipher = [Convert]::ToBase64String($CipherTextBytes)
# Generate encrypted PS1 file. All that will be included is the base64-encoded ciphertext and a slightly 'obfuscated' decrypt function
$Output = 'function de([String] $b, [String] $c)
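Review bot: The `$InitializationVector` parameter is never read in the re-indented body: `$ivBytes` is built from the literal `"CRACKMEIFYOUCAN!"`, so the random default is dead code and every run uses the same IV. With CBC, a fixed IV means identical plaintext prefixes under the same password and salt produce identical ciphertext prefixes. `$ivBytes = $AsciiEncoder.GetBytes($InitializationVector)` would honour the parameter, provided the generated decrypt function (most of its body lies outside this hunk) is given the same value. Separately, `PasswordDeriveBytes(..., "SHA1", 2)` derives the key with only two iterations, which offers little resistance to password guessing.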
@@ -121,9 +121,9 @@ $f.Clear();
return $encoding.GetString($h,0,$h.Length);
}'
-# Output decrypt function and ciphertext to evil.ps1
-Out-File -InputObject $Output -Encoding ASCII $FilePath
+ # Output decrypt function and ciphertext to evil.ps1
+ Out-File -InputObject $Output -Encoding ASCII $FilePath
-Write-Verbose "Encrypted PS1 file saved to: $(Resolve-Path $FilePath)"
+ Write-Verbose "Encrypted PS1 file saved to: $(Resolve-Path $FilePath)"
}
\ No newline at end of file
diff --git a/ScriptModification/Remove-Comments.ps1 b/ScriptModification/Remove-Comments.ps1
index 64c3e31..ec75927 100644
--- a/ScriptModification/Remove-Comments.ps1
+++ b/ScriptModification/Remove-Comments.ps1
@@ -5,7 +5,7 @@
Strips comments and extra whitespace from a script.
-PowerSploit Module - Remove-Comments
+PowerSploit Function: Remove-Comments
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None