Diffstat (limited to 'Exfiltration')
-rw-r--r-- | Exfiltration/Get-GPPPassword.ps1 | 5 | ||||
-rw-r--r-- | Exfiltration/Get-VaultCredential.ps1 | 8 | ||||
-rw-r--r-- | Exfiltration/Invoke-CredentialInjection.ps1 | 6 |
3 files changed, 10 insertions, 9 deletions
diff --git a/Exfiltration/Get-GPPPassword.ps1 b/Exfiltration/Get-GPPPassword.ps1
index f7be74c..7703508 100644
--- a/Exfiltration/Get-GPPPassword.ps1
+++ b/Exfiltration/Get-GPPPassword.ps1
@@ -118,6 +118,9 @@ http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html
 }
 $Base64Decoded = [Convert]::FromBase64String($Cpassword)
+
+ # Make sure System.Core is loaded
+ [System.Reflection.Assembly]::LoadWithPartialName("System.Core") |Out-Null
 #Create a new AES .NET Crypto Object
 $AesObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider
@@ -345,4 +348,4 @@ http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html
 } catch { Write-Error $Error[0] }
-}
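Review bot: The new `[System.Reflection.Assembly]::LoadWithPartialName("System.Core") |Out-Null` line discards the load result, so if the assembly fails to bind the failure is silent and only surfaces as a confusing error at the `New-Object System.Security.Cryptography.AesCryptoServiceProvider` line that follows. `LoadWithPartialName` is also a deprecated API that binds whichever version partial-name resolution happens to find. The PowerShell idiom is `Add-Type -AssemblyName System.Core -ErrorAction Stop`, which is a no-op when the assembly is already loaded and fails loudly otherwise; the "Make sure System.Core is loaded" comment can stay as is. The enclosing function body continues on both sides of the hunk.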
\ No newline at end of file
+}
diff --git a/Exfiltration/Get-VaultCredential.ps1 b/Exfiltration/Get-VaultCredential.ps1
index 57570e8..e37f3fc 100644
--- a/Exfiltration/Get-VaultCredential.ps1
+++ b/Exfiltration/Get-VaultCredential.ps1
@@ -28,8 +28,6 @@ Only web credentials can be displayed in cleartext.
 [CmdletBinding()] Param()
 $OSVersion = [Environment]::OSVersion.Version
- $OSMajor = $OSVersion.Major
- $OSMinor = $OSVersion.Minor
 #region P/Invoke declarations for vaultcli.dll
 $DynAssembly = New-Object System.Reflection.AssemblyName('VaultUtil')
@@ -79,7 +77,7 @@ Only web credentials can be displayed in cleartext.
 $null = $TypeBuilder.DefineField('pResourceElement', [IntPtr], 'Public')
 $null = $TypeBuilder.DefineField('pIdentityElement', [IntPtr], 'Public')
 $null = $TypeBuilder.DefineField('pAuthenticatorElement', [IntPtr], 'Public')
- if ($OSMajor -ge 6 -and $OSMinor -ge 2)
+ if ($OSVersion -ge '6.2')
 {
 $null = $TypeBuilder.DefineField('pPackageSid', [IntPtr], 'Public')
 }
@@ -149,7 +147,7 @@ Only web credentials can be displayed in cleartext.
 [Runtime.InteropServices.CallingConvention]::Winapi,
 [Runtime.InteropServices.CharSet]::Auto)
- if ($OSMajor -ge 6 -and $OSMinor -ge 2)
+ if ($OSVersion -ge '6.2')
 {
 $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultGetItem',
 'vaultcli.dll',
@@ -317,7 +315,7 @@ Only web credentials can be displayed in cleartext.
 $PasswordVaultItem = [IntPtr]::Zero
- if ($OSMajor -ge 6 -and $OSMinor -ge 2)
+ if ($OSVersion -ge '6.2')
 {
 $Result = $Vaultcli::VaultGetItem($VaultHandle,
 [Ref] $CurrentItem.SchemaId,
diff --git a/Exfiltration/Invoke-CredentialInjection.ps1 b/Exfiltration/Invoke-CredentialInjection.ps1
index d6f3c4c..b025328 100644
--- a/Exfiltration/Invoke-CredentialInjection.ps1
+++ b/Exfiltration/Invoke-CredentialInjection.ps1
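Review bot: The replacement test `$OSVersion -ge '6.2'` only works because PowerShell coerces the string to the left operand's `[Version]` type; as written it reads like a string comparison, and the same expression is repeated verbatim at the three `if` sites in the hunks below. Compute it once where `$OSMajor`/`$OSMinor` were removed, e.g. `$Win8OrLater = $OSVersion -ge [Version]'6.2'`, and test that flag at each site, so the Windows 8+ `pPackageSid` layout of VAULT_ITEM is selected from a single, explicitly typed comparison. Worth a comment there as well: `[Environment]::OSVersion` can report 6.2 on newer Windows when the host lacks a compatibility manifest, which is presumably why a `-ge` test rather than an equality test is the right shape — confirm that this is the intended reading. The enclosing function begins outside the hunk.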
@@ -2416,7 +2416,7 @@ function Invoke-CredentialInjection
 $PEInfo = Get-PEBasicInfo -PEBytes $PEBytes -Win32Types $Win32Types
 $OriginalImageBase = $PEInfo.OriginalImageBase
 $NXCompatible = $true
- if (($PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
+ if (([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_NX_COMPAT)
 {
 Write-Warning "PE is not compatible with DEP, might cause issues" -WarningAction Continue
 $NXCompatible = $false
@@ -2474,7 +2474,7 @@ function Invoke-CredentialInjection
 Write-Verbose "Allocating memory for the PE and write its headers to memory"
 [IntPtr]$LoadAddr = [IntPtr]::Zero
- if (($PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
+ if (([Int] $PEInfo.DllCharacteristics -band $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) -ne $Win32Constants.IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
 {
 Write-Warning "PE file being reflectively loaded is not ASLR compatible. If the loading fails, try restarting PowerShell and trying again" -WarningAction Continue
 [IntPtr]$LoadAddr = $OriginalImageBase
@@ -3346,7 +3346,7 @@ function Invoke-CredentialInjection
 }
 elseif ($PsCmdlet.ParameterSetName -ieq "ExistingWinLogon")
 {
- $WinLogonProcessId = (Get-Process -Name "winlogon")[0].Id
+ $WinLogonProcessId = (Get-Process -Name "winlogon"| Select-Object -first 1).Id
 }
 #Get a ushort representing the logontype |
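Review bot: The `[Int]` cast added in front of `$PEInfo.DllCharacteristics` here, and again in the identical DYNAMIC_BASE test in the next hunk, carries no comment saying why it is needed, so a later reader is likely to strip it as redundant and silently reintroduce whatever mismatch it fixes. If the reason is that DllCharacteristics comes back from the emitted optional-header struct as an unsigned 16-bit value — I cannot confirm that from the hunk — record it once above the first test, e.g. `# DllCharacteristics is a UInt16 from the emitted header struct; widen to Int32 so -band/-ne compare cleanly against the Int32 flag constants`. Since both tests check a single flag bit, `(... -band $flag) -eq 0` would also read more directly than comparing the masked value back to the flag. The enclosing function continues on both sides of the hunk.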
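Review bot: `(Get-Process -Name "winlogon"| Select-Object -first 1).Id` still yields `$null` when no winlogon process is visible — `Get-Process` only raises a non-terminating error in that case and the pipeline produces nothing — so `$WinLogonProcessId` becomes `$null` and the injection proceeds with an invalid target PID. Add a guard directly after the assignment, e.g. `if (-not $WinLogonProcessId) { throw 'winlogon.exe process not found' }`, or pass `-ErrorAction Stop` to `Get-Process` so the failure is terminating. Taking the first match by name is also arbitrary on a multi-session host where several winlogon.exe instances exist; if the target session matters to the caller, filter on `SessionId` before selecting, and add a space before the `|` for consistency with the rest of the file. The enclosing `if`/`elseif` chain and function continue outside the hunk.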