Age | Commit message | Author | Files | Lines

PowerView: Invoke-UserHunter -Poll
Added the EncPart param to Request-SPNTicket
Adds the ability to return the encrypted part of the ticket.
This portion is the encrypted data that can be brute-forced with Kerberoast/Hashcat/JtR
The PowerShell.BeginInvoke<TInput, TOutput>(PSDataCollection<TInput>,
PSDataCollection<TOutput>) method[1] is used to collect output from
each job into a buffer. This can be read whilst the jobs are still
running. Being able to return partial results is particularly useful for
long running background threads, such as Invoke-UserHunter -Poll.
PowerShell 2.0 doesn't play nicely with generic methods. The technique
described in [2] is used to allow this version of BeginInvoke() to be
used.
[1] https://msdn.microsoft.com/en-us/library/dd182440(v=vs.85).aspx
[2] http://www.leeholmes.com/blog/2007/06/19/invoking-generic-methods-on-non-generic-classes-in-powershell/
Repeatedly poll a set of target computers for user sessions. This could
be a useful technique for building a much better picture of current
sessions, but without having to communicate with every host.
The -Poll parameter is used to specify the duration for which polling
should occur. Each target computer is dedicated with a thread with
-Delay and -Jitter specifying how long to sleep between each session
enumeration attempt of an individual host.
Added ability to specify domain controller to search (-Server parameter)
Added default value to parameter and got rid of value check later in the code.
Added validation of -Server value to ensure it is not $Null or an empty string
Invoke-Mimikatz was not handling functions exported by ordinal.
Thank you @gentilkiwi for the suggested fix!
PowerUp: Remove badly encoded new lines from .bat output
PowerUp: Allocate enough space for TOKEN_GROUPS
PowerView: Fix Groups.xml parsing for multiple <Group>s
Added the ability for users to specify the domain controller that is searched, using the -Server parameter. The -Server parameter is optional and defaults to the user's current domain if not specified.
The current implementation results in a .bat like:
@echo off\n
start /b net user john Password123! /add && timeout /t 5 && net localgroup Administrators john /add\n
start /b "" cmd /c del "%~f0"&exit /b
With literal "\n" strings at the end of the first two lines.
A new line in a PowerShell string should be "`n". However, an extra new
line isn't actually necessary in this case.
Make an initial call to GetTokenInformation() with a NULL buffer to get
the actual buffer size required. Prevents "The data area passed to a system
call is too small" error being thrown.
Select all <Group> nodes and iterate through them, not just the root
<Groups> node.
instead of name
Invoke-CheckLocalAdminAccess...whoops
Fix Get-NetLocalGroup Recursion for LocalGroups
the current directory location
Fixed other logic bugs in Get-ModifiablePath
Fixed bug in Add-ServiceDacl when the [ServiceProcess.ServiceController] wasn't loaded yet by Get-Service
Error handling for Get-CachedGPPPassword
Changed some Write-Warnings to Write-Verbose
Updated Privesc Pester tests for PowerUp
Recurse if localgroup as well as domaingroup
Normalize output values to empty string
Changed domain/forest Write-Warning's to Write-Verbose
ID (i.e. domain users)
Modified Get-DomainSID to simplify
Changed group determination in Get-NetLocalGroup -API
Few optimizations to Find-ForeignUser and Find-ForeignGroup
Changed DNS resolution method for Invoke-UserHunter
Added 'PowerView.GPOLocalGroup' type to Find-GPOLocation
Fixed thread countdown timer in Invoke-ThreadedFunction, wasn't ever …
rogue jobs
Fixed Get-DomainSID to allow for a -DomainController parameter
Fixed Get-NetDomainTrust logic
Added attempted gpcfilesyspath resolution to Get-NetGPO
Added -ADSPath for Get-NetDomainTrust
Moved GPOType check to Get-NetGPOGroup
Expanded comments and help for GPO location cmdlets
Get-GPPPassword.
Added Pester tests for Get-CachedGPPPassword.
Find-GPOComputerAdmin
Rewrote/corrected logic for Find-GPOLocation
Added Get-IniContent and rewrote Get-GptTmpl to use Get-IniContent to parse GptTmpl.inf files
Rewrote Get-GroupsXML to not resolve SIDs and return the same object type as Get-GptTmpl
PowerUp PSReflect
Bug fixes
Corrected PowerUp Pester tests
Changed 'Path' field to 'ModifiablePath' in 'Get-ModifiablePath'
Get-ServiceUnquoted now filters paths through Get-ModifiablePath
Renamed Find-PathHijack to Find-PathDLLHijack
Fixed exposed functions in PowerSploit.psd1
-Additional error checking and documentation
-OpenProcessToken() call now uses TOKEN_QUERY instead of TOKEN_READ
with SID and attributes fields
user is a part of, regardless of being disabled.
Replaced 'whoami /groups' local admin + medium integrity check with comparison against Get-CurrentUserTokenGroupSid
file objects
-Service functions now accept just -Name (instead of -Service/-ServiceName), which has ValueFromPipelineByPropertyName set in order to handle service objects on the pipeline
-Moved PSReflect signatures to the bottom of the script
-Function and help cleanup
-Get-VulnSchTask renamed to Get-ModifiableScheduledTaskFile
-Get-VulnAutoRun renamed Get-RegistryAutoRun
-Get-RegAutoLogon renamed Get-RegistryAutoLogon
-Find-DLLHijack renamed to Find-ProcessDLLHijack for clarification, code cleaned up, -Process parameter added, output object detail expanded, and help expanded
-Removed most of the code from Find-PathHijack, replacing it with Get-ModifiablePath
-Cleaned up logic for Write-HijackDll
-Expanded help for the registry enumeration cmdlets
-Added local user creation options to Write-HijackDll to match Write-ServiceBinary
-Increased pause between user creation commands