| Age | Commit message | Author | Files | Lines |
|---|---|---|---|---|
|  | -Lots of function cleanup/code rot removal and standardization
    -Additional options added to Get-DomainSearcher in order to support new param sets
    -Expanded parameter validation
    -XML help format standardized
    -PSScriptAnalyzer fixups- passes PS script analyzer now!
    -Nearly all functions should tag custom types to output objects
-Identity supported by all appropriate functions
-Transformed all filters to functions
-Expanded the formats for Convert-ADName
-Get-SPNTicket returns enc part automatically now, and Hashcat output format added
-Write-Verbose/Write-Warning/Throw messages now have the function name tagged in the message
-Verb-Domain* functions now all include a -FindOne function to return one result
-Get-DomainUserEvent now uses -XPathFilter for a massive speedup
-ALL Verb-Domain* (LDAP) functions now return full data objects (no more -FullData). Use -Properties for paring down.
-Lots of bug fixes
-"Required Dependencies" for each function completed
-Fixed logic bugs for -ComputerIdentity in Get-DomainGPO, now enumerates domain-linked GPOs as well
-Added -UserIdentity to Get-DomainGPO to enumerate GPOs applied to a given user identity
New function naming scheme with proper Verb-PrefixNoun syntax to better match the 'real' AD cmdlets:
    Verbs:
        Get     - retrieve full raw data sets
        Find    - 'find' specific data entries in a data set or execute threaded computer enumeration
        Add     - add a new object to a destination
        Set     - modify a given object
        Invoke  - lazy catch-all
    Prefixes now give an indication of the data source:
        Verb-DomainX    -   LDAP/.NET AD connections (e.g. Get-DomainUser)
        Verb-WMIX       -   Uses WMI for connections/enumeration of a specific host (e.g. Get-WMIRegLastLoggedOn)
        Verb-NetX       -   API access (e.g. Get-NetSession)
    Nouns have been renamed to be more descriptive
    Big gotcha:
        Get-NetLocalGroup - now returns local *groups* themselves
        Get-NetLocalGroupMember - returns local group *members* (old Get-NetLocalGroup)
-Parameter sets standardized - parameters shared as appropriate across functions
    -Identity -> replaces -UserName/-GroupName/etc. Accepts samAccountName, GUID, distinguishedName, SID
        -these can be used in tandem -> Get-DomainUser "S-1-5-21-890171859-3433809279-3366196753-1108","administrator"
    -Properties -> return only the specified properties (i.e. Get-DomainUser -Properties samAccountName,lastLogon)
    -LDAPFilter replaces -Filter, -SearchBase replaces -ADSPath, -Server replaces -DomainController
    -ServerTimeLimit, -SearchScope, -Tombstone, -SecurityMasks added for most functions
All functions (as appropriate) now support -Credential:
    -Verb-Domain* (LDAP) functions use alternate creds for a DirectorySearcher through Get-DomainSearcher
    -COM methods (i.e. Convert-ADName) use appropriate initializations
    -Verb-WMI methods pass the -Credential through as appropriate
    -Verb-Net* (API) functions use Invoke-UserImpersonation/Invoke-RevertToSelf implicitly for token impersonation
Removed functions:
    Get-ComputerProperty, Get-UserProperty, Find-ComputerField, Find-UserField
    Get-NameField (translated to ValueFromPipelineByPropertyName calls)
    Invoke-DowngradeAccount - not used
    Add-NetUser - split into New-DomainUser/others
    Add-NetGroupUser - split into Add-DomainGroupMember/others
    New-GPOImmediateTask - inconsistent and better done manually
    Invoke-StealthUserHunter - combined into Find-DomainUserLocation
    Get-ExploitableSystem
Added helper functions:
    Get-PrincipalContext - helper to return a DirectoryServices.AccountManagement.PrincipalContext
    Get-ForestSchemaClass - returns the forest schema for a specified object class
Added exported functions:
    Add-RemoteConnection - 'mounts' a remote UNC path using WNetAddConnection2W
    Remove-RemoteConnection - 'unmounts' a remote UNC path using WNetCancelConnection2
    Invoke-UserImpersonation - creates a new "runas /netonly" type logon and impersonates the token in the current thread
    Invoke-RevertToSelf - reverts any token impersonation
    Invoke-Kerberoast - automates Kerberoasting
    Find-DomainObjectPropertyOutlier - finds user/group/computer objects in AD that have 'outlier' properties sets
    New-DomainUser - creates a new domain user
    New-DomainGroup - creates a new domain group
    Add-DomainGroupMember - adds a domain user (or group) to an existing domain group
    Get-NetLocalGroup - now returns local *groups* themselves
    Get-NetLocalGroupMember - returns local group *members* (old Get-NetLocalGroup)
Renamed functions (aliases created for old functions):
    Get-IPAddress -> Resolve-IPAddress
    Convert-NameToSid -> ConvertTo-SID
    Convert-SidToName -> ConvertFrom-SID
    Request-SPNTicket -> Get-DomainSPNTicket
    Get-DNSZone -> Get-DomainDNSZone
    Get-DNSRecord -> Get-DomainDNSRecord
    Get-NetDomain -> Get-Domain
    Get-NetDomainController -> Get-DomainController
    Get-NetForest -> Get-Forest
    Get-NetForestDomain -> Get-ForestDomain
    Get-NetForestCatalog -> Get-ForestGlobalCatalog
    Get-NetUser -> Get-DomainUser
    Get-UserEvent -> Get-DomainUserEvent
    Get-NetComputer -> Get-DomainComputer
    Get-ADObject -> Get-DomainObject
    Set-ADObject -> Set-DomainObject
    Get-ObjectAcl -> Get-DomainObjectAcl
    Add-ObjectAcl -> Add-DomainObjectAcl
    Invoke-ACLScanner -> Find-InterestingDomainAcl
    Get-GUIDMap -> Get-DomainGUIDMap
    Get-NetOU -> Get-DomainOU
    Get-NetSite -> Get-DomainSite
    Get-NetSubnet -> Get-DomainSubnet
    Get-NetGroup -> Get-DomainGroup
    Find-ManagedSecurityGroups -> Get-DomainManagedSecurityGroup
    Get-NetGroupMember -> Get-DomainGroupMember
    Get-NetFileServer -> Get-DomainFileServer
    Get-DFSshare -> Get-DomainDFSShare
    Get-NetGPO -> Get-DomainGPO
    Get-NetGPOGroup -> Get-DomainGPOLocalGroup
    Find-GPOLocation -> Get-DomainGPOUserLocalGroupMapping
    Find-GPOComputerAdmin -> Get-DomainGPOComputerLocalGroupMapping
    Get-LoggedOnLocal -> Get-RegLoggedOn
    Test-AdminAccess -> Invoke-CheckLocalAdminAccess
    Get-SiteName -> Get-NetComputerSiteName
    Get-Proxy -> Get-WMIRegProxy
    Get-LastLoggedOn -> Get-WMIRegLastLoggedOn
    Get-CachedRDPConnection -> Get-WMIRegCachedRDPConnection
    Get-RegistryMountedDrive -> Get-WMIRegMountedDrive
    Get-NetProcess -> Get-WMIProcess
    Invoke-ThreadedFunction -> New-ThreadedFunction
    Invoke-UserHunter -> Find-DomainUserLocation
    Invoke-ProcessHunter -> Find-DomainProcess
    Invoke-EventHunter -> Find-DomainUserEvent
    Invoke-ShareFinder -> Find-DomainShare
    Invoke-FileFinder -> Find-InterestingDomainShareFile
    Invoke-EnumerateLocalAdmin -> Find-DomainLocalGroupMember
    Get-NetDomainTrust -> Get-DomainTrust
    Get-NetForestTrust -> Get-ForestTrust
    Find-ForeignUser -> Get-DomainForeignUser
    Find-ForeignGroup -> Get-DomainForeignGroupMember
    Invoke-MapDomainTrust -> Get-DomainTrustMapping | 
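The commit above says the Verb-Net* (API) functions honour -Credential by way of Invoke-UserImpersonation, a "runas /netonly" style logon whose token is impersonated on the current thread, and Invoke-RevertToSelf. The block below is an added example of that mechanism written for this page; it is not PowerView's own code, and the function names Start-NetOnlyImpersonation / Stop-NetOnlyImpersonation, the Example.LogonApi type and the CORP\alice credential are all my own constructions. It assumes .NET 4.5 or later for the WindowsIdentity.ImpersonationLevel property used to show the effect.

```powershell
# Added example (not PowerView code): LOGON32_LOGON_NEW_CREDENTIALS logon plus
# thread impersonation, the same pattern the commit describes for -Credential
# handling in API-based functions.
$Sig = @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword,
                                    int dwLogonType, int dwLogonProvider, out IntPtr phToken);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool ImpersonateLoggedOnUser(IntPtr hToken);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool RevertToSelf();
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
$Native = Add-Type -MemberDefinition $Sig -Name 'LogonApi' -Namespace 'Example' -PassThru

function Start-NetOnlyImpersonation {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][Management.Automation.PSCredential]$Credential)

    $LOGON32_LOGON_NEW_CREDENTIALS = 9   # runas /netonly: creds are used only for outbound network auth
    $LOGON32_PROVIDER_WINNT50      = 3   # required provider for NEW_CREDENTIALS logons

    $Net   = $Credential.GetNetworkCredential()   # splits "DOMAIN\user" into Domain and UserName
    $Token = [IntPtr]::Zero
    if (-not $Native::LogonUser($Net.UserName, $Net.Domain, $Net.Password,
                                $LOGON32_LOGON_NEW_CREDENTIALS, $LOGON32_PROVIDER_WINNT50, [ref]$Token)) {
        $Code = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw (New-Object ComponentModel.Win32Exception($Code))
    }
    # Impersonation is per thread. PowerShell runs the pipeline on a single thread, so
    # API calls made later in this runspace (NetSessionEnum, NetWkstaUserEnum, SMB access)
    # authenticate to remote hosts with the supplied credential.
    if (-not $Native::ImpersonateLoggedOnUser($Token)) {
        $Null = $Native::CloseHandle($Token)
        throw 'ImpersonateLoggedOnUser failed'
    }
    $Token   # caller keeps the handle so it can be closed after reverting
}

function Stop-NetOnlyImpersonation {
    param([IntPtr]$Token)
    if (-not $Native::RevertToSelf()) { throw 'RevertToSelf failed' }
    if ($Token -ne [IntPtr]::Zero) { $Null = $Native::CloseHandle($Token) }
}

# Usage with a constructed credential. A NEW_CREDENTIALS logon is not validated against
# the domain until a network resource is touched, so LogonUser succeeds even for a
# bogus account; wrong credentials only surface later as access-denied on remote calls.
$Password = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred     = New-Object Management.Automation.PSCredential('CORP\alice', $Password)

$Id = [Security.Principal.WindowsIdentity]::GetCurrent()
'Before: {0} ({1})' -f $Id.Name, $Id.ImpersonationLevel        # e.g. HOST\bob (None)
$Token = Start-NetOnlyImpersonation -Credential $Cred
try {
    # The local identity name does not change (netonly), but the thread now carries an
    # impersonation token, which is what remote API calls will present.
    $Id = [Security.Principal.WindowsIdentity]::GetCurrent()
    'During: {0} ({1})' -f $Id.Name, $Id.ImpersonationLevel    # e.g. HOST\bob (Impersonation)
}
finally {
    Stop-NetOnlyImpersonation -Token $Token
    $Id = [Security.Principal.WindowsIdentity]::GetCurrent()
    'After: {0} ({1})' -f $Id.Name, $Id.ImpersonationLevel     # back to (None)
}
```

The try/finally matters in practice: if a remote enumeration throws while the thread is impersonating, every later call in that runspace keeps using the alternate credential until RevertToSelf runs.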
|  | -Standardized documentation, including adding output object types and required dependencies to all functions
-Added Get-ProcessTokenPrivilege to enumerate the current (or remote) process token privileges, replacing Get-CurrentUserTokenGroupSid
-Added Enable-Privilege to enable privileges using RtlAdjustPrivilege
-Added @enigma0x3's Invoke-WScriptUACBypass function
-Renamed Invoke-AllChecks to Invoke-PrivescAudit, added alias mapping
-Added tests for Get-ProcessTokenPrivilege, Enable-Privilege, and Invoke-WScriptUACBypass
-Renamed helper functions for consistency
-Passes PSScriptAnalyzer! | 
|  | Updated Get-ExploitableSystem | 
|  | Removed *_netapi from Vista/2008 in Get-ExploitableSystem as they are not vulnerable | 
|  | Add disabled and present searches to get-netfileservers | 
|  | Retrieve Security groups by default | 
|  | Address issue #190 | 
|  | Service DACL false positive | Request-SPNTicket double hash | 
|  | PowerView: Invoke-UserHunter -Poll | 
|  | Added the EncPart param to Request-SPNTicket | 
|  | Adds the ability to return the encrypted part of the ticket. 
This portion is the encrypted data that can be brute-forced with Kerberoast/Hashcat/JtR | 
|  | The PowerShell.BeginInvoke<TInput, TOutput>(PSDataCollection<TInput>,
 PSDataCollection<TOutput>) method[1] is used to collect output from
each job into a buffer. This can be read whilst the jobs are still
running. Being able to return partial results is particularly useful for
long running background threads, such as Invoke-UserHunter -Poll.
PowerShell 2.0 doesn't play nicely with generic methods. The technique
described in [2] is used to allow this version of BeginInvoke() to be
used.
[1] https://msdn.microsoft.com/en-us/library/dd182440(v=vs.85).aspx
[2] http://www.leeholmes.com/blog/2007/06/19/invoking-generic-methods-on-non-generic-classes-in-powershell/ | 
|  | Repeatedly poll a set of target computers for user sessions. This could
be a useful technique for building a much better picture of current
sessions, but without having to communicate with every host.
The -Poll parameter is used to specify the duration for which polling
should occur. Each target computer is assigned a dedicated thread, with
-Delay and -Jitter specifying how long to sleep between each session
enumeration attempt against an individual host. | 
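The two commit messages above (the BeginInvoke<TInput, TOutput> buffer and the -Poll per-host threads) describe one design: each target gets its own runspace, output lands in a PSDataCollection that the caller drains while the threads are still running, and the generic overload is bound by reflection so PowerShell 2.0 can call it. The block below is an added example of that design written for this page, not PowerView's New-ThreadedFunction or Invoke-UserHunter code. The HOST01..HOST03 names are constructed, and the script block just emits timestamped objects in place of a real session enumeration.

```powershell
# Added example (not PowerView code): partial-result collection from background
# runspaces via BeginInvoke<TInput,TOutput>(PSDataCollection<TInput>, PSDataCollection<TOutput>).
$ScriptBlock = {
    param($ComputerName, $Iterations, $DelaySeconds)
    # Stand-in for the per-host polling loop; emits constructed sample data.
    for ($i = 1; $i -le $Iterations; $i++) {
        New-Object PSObject -Property @{
            ComputerName = $ComputerName
            Iteration    = $i
            Timestamp    = Get-Date
        }
        Start-Sleep -Seconds $DelaySeconds
    }
}

$Targets = 'HOST01', 'HOST02', 'HOST03'   # constructed target names

# PowerShell 2.0 cannot bind generic methods directly, so locate the generic
# two-argument BeginInvoke overload by reflection and close it over [psobject]
# (the technique from Lee Holmes' post cited in the commit).
$BeginInvoke = [PowerShell].GetMethods() | Where-Object {
    $_.Name -eq 'BeginInvoke' -and $_.IsGenericMethodDefinition -and $_.GetParameters().Count -eq 2
}
$BeginInvoke = $BeginInvoke.MakeGenericMethod([psobject], [psobject])

$Pool = [RunspaceFactory]::CreateRunspacePool(1, $Targets.Count)
$Pool.Open()

$Jobs = foreach ($Target in $Targets) {
    $PS = [PowerShell]::Create()
    $PS.RunspacePool = $Pool
    $Null = $PS.AddScript($ScriptBlock).AddArgument($Target).AddArgument(5).AddArgument(1)

    $InputBuffer = New-Object 'System.Management.Automation.PSDataCollection[psobject]'
    $InputBuffer.Complete()    # no pipeline input; otherwise the pipeline waits for more
    $Output = New-Object 'System.Management.Automation.PSDataCollection[psobject]'

    New-Object PSObject -Property @{
        PowerShell = $PS
        Output     = $Output
        Handle     = $BeginInvoke.Invoke($PS, @($InputBuffer, $Output))   # IAsyncResult
    }
}

# Drain each job's buffer while the jobs are still running: ReadAll() removes and
# returns whatever has arrived so far, so results stream out as they are produced.
do {
    foreach ($Job in $Jobs) { $Job.Output.ReadAll() }
    Start-Sleep -Milliseconds 500
} while ($Jobs | Where-Object { -not $_.Handle.IsCompleted })

# Final drain, surface any terminating error, and release the runspaces.
foreach ($Job in $Jobs) {
    $Job.Output.ReadAll()
    $Null = $Job.PowerShell.EndInvoke($Job.Handle)
    $Job.PowerShell.Dispose()
}
$Pool.Close()
$Pool.Dispose()
```

On PowerShell 3.0 and later the reflection step can be replaced with a direct `$PS.BeginInvoke($InputBuffer, $Output)` call, since the engine infers the generic arguments; the reflective form is what keeps the same script working on 2.0.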
|  | Added ability to specify domain controller to search (-Server parameter) | 
|  | Added default value to parameter and got rid of value check later in the code.
Added validation of -Server value to ensure it is not $Null or an empty string | 
|  | Invoke-Mimikatz was not handling functions exported by ordinal.
Thank you @gentilkiwi for the suggested fix! | 
|  | PowerUp: Remove badly encoded new lines from .bat output | 
|  | PowerUp: Allocate enough space for TOKEN_GROUPS | 
|  | PowerView: Fix Groups.xml parsing for multiple <Group>s | 
|  | Added the ability for users to specify the domain controller that is searched, using the -Server parameter. The -Server parameter is optional and defaults to the user's current domain if not specified. | 
|  | The current implementation results in a .bat like:
  @echo off\n
  start /b net user john Password123! /add && timeout /t 5 && net localgroup Administrators john /add\n
  start /b "" cmd /c del "%~f0"&exit /b
With literal "\n" strings at the end of the first two lines.
A new line in a PowerShell string should be "`n". However, an extra new
line isn't actually necessary in this case. | 
|  | Make an initial call to GetTokenInformation() with a NULL buffer to get
the actual buffer size required. Prevents "The data area passed to a system
call is too small" error being thrown. | 
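The fix described above is the standard two-call pattern for Win32 APIs that report a required size: call GetTokenInformation() with a NULL buffer and length 0, read ReturnLength, allocate exactly that much, and call again. The block below is an added example of that pattern written for this page, not PowerUp's code; it reads the current process's TOKEN_GROUPS and parses the returned SID_AND_ATTRIBUTES array. The Example.TokenApi type and Get-TokenGroup function are my own names.

```powershell
# Added example (not PowerUp code): size query with a NULL buffer, then the real call.
$Sig = @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
                                              IntPtr TokenInformation, uint TokenInformationLength, out uint ReturnLength);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
$Native = Add-Type -MemberDefinition $Sig -Name 'TokenApi' -Namespace 'Example' -PassThru

function Get-TokenGroup {
    $TOKEN_QUERY = 0x0008
    $TokenGroups = 2          # TOKEN_INFORMATION_CLASS.TokenGroups
    $hToken = [IntPtr]::Zero
    if (-not $Native::OpenProcessToken([Diagnostics.Process]::GetCurrentProcess().Handle, $TOKEN_QUERY, [ref]$hToken)) {
        throw 'OpenProcessToken failed'
    }
    try {
        # Call 1: NULL buffer, length 0. The call fails with ERROR_INSUFFICIENT_BUFFER,
        # but ReturnLength now holds the exact size TOKEN_GROUPS needs for this token.
        $Needed = [uint32]0
        $Null = $Native::GetTokenInformation($hToken, $TokenGroups, [IntPtr]::Zero, 0, [ref]$Needed)
        if ($Needed -eq 0) { throw 'GetTokenInformation did not return a buffer size' }

        $Buffer = [Runtime.InteropServices.Marshal]::AllocHGlobal([int]$Needed)
        try {
            # Call 2: a buffer of exactly that size, so no "data area ... too small" error.
            if (-not $Native::GetTokenInformation($hToken, $TokenGroups, $Buffer, $Needed, [ref]$Needed)) {
                throw 'GetTokenInformation failed'
            }
            # TOKEN_GROUPS { DWORD GroupCount; SID_AND_ATTRIBUTES Groups[]; }
            # SID_AND_ATTRIBUTES { PSID Sid; DWORD Attributes; }, both padded to pointer size,
            # so the array starts at [IntPtr]::Size and each entry is 2 * [IntPtr]::Size.
            $Count     = [Runtime.InteropServices.Marshal]::ReadInt32($Buffer)
            $EntrySize = 2 * [IntPtr]::Size
            for ($i = 0; $i -lt $Count; $i++) {
                $Entry = [IntPtr]($Buffer.ToInt64() + [IntPtr]::Size + ($i * $EntrySize))
                $pSid  = [Runtime.InteropServices.Marshal]::ReadIntPtr($Entry)
                $Attr  = [Runtime.InteropServices.Marshal]::ReadInt32($Entry, [IntPtr]::Size)
                $Sid   = New-Object Security.Principal.SecurityIdentifier($pSid)
                $Name  = $Null
                try { $Name = $Sid.Translate([Security.Principal.NTAccount]).Value } catch { }   # logon SIDs etc. do not resolve
                New-Object PSObject -Property @{
                    SID        = $Sid.Value
                    Name       = $Name
                    Enabled    = [bool]($Attr -band 0x00000004)   # SE_GROUP_ENABLED
                    Attributes = ('0x{0:X8}' -f $Attr)
                }
            }
        }
        finally { [Runtime.InteropServices.Marshal]::FreeHGlobal($Buffer) }
    }
    finally { $Null = $Native::CloseHandle($hToken) }
}

Get-TokenGroup | Format-Table Name, SID, Enabled, Attributes -AutoSize
```

The size returned by the first call is specific to that token (it depends on the number and length of the group SIDs), which is why a fixed-size buffer was wrong: a token with many groups overflows it and the API reports the "data area too small" error the commit fixes.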
|  | Select all <Group> nodes and iterate through them, not just the root
<Groups> node. | 
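The bug fixed above, where only the root <Groups> node was looked at and every <Group> after the first was dropped, is easy to reproduce on a Group Policy Preferences Groups.xml. The block below is an added example written for this page, not PowerView's Get-NetGPOGroup parser; the XML is constructed sample data with two <Group> entries, and the Get-GppGroupMembership function name is mine.

```powershell
# Added example (not PowerView code): iterate every <Group> in a GPP Groups.xml.
# Constructed sample: two local-group edits with one REMOVE and two ADD members.
[xml]$GroupsXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
  <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Administrators (built-in)" image="2" changed="2016-02-01 10:00:00" uid="{11111111-1111-1111-1111-111111111111}">
    <Properties action="U" newName="" description="" deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0" groupSid="S-1-5-32-544" groupName="Administrators (built-in)">
      <Members>
        <Member name="CORP\helpdesk" action="ADD" sid="S-1-5-21-1111111111-2222222222-3333333333-1105"/>
        <Member name="CORP\olduser" action="REMOVE" sid="S-1-5-21-1111111111-2222222222-3333333333-1190"/>
      </Members>
    </Properties>
  </Group>
  <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}" name="Remote Desktop Users (built-in)" image="2" changed="2016-02-01 10:05:00" uid="{22222222-2222-2222-2222-222222222222}">
    <Properties action="U" newName="" description="" deleteAllUsers="0" deleteAllGroups="0" removeAccounts="0" groupSid="S-1-5-32-555" groupName="Remote Desktop Users (built-in)">
      <Members>
        <Member name="CORP\rdp-ops" action="ADD" sid="S-1-5-21-1111111111-2222222222-3333333333-1207"/>
      </Members>
    </Properties>
  </Group>
</Groups>
'@

function Get-GppGroupMembership {
    param([Parameter(Mandatory = $true)][xml]$Xml)

    # '/Groups/Group' returns every <Group> element; reading only the root <Groups>
    # node yields the first child and silently drops the rest.
    foreach ($Group in $Xml.SelectNodes('/Groups/Group')) {
        $Props = $Group.SelectSingleNode('Properties')
        foreach ($Member in $Group.SelectNodes('Properties/Members/Member')) {
            New-Object PSObject -Property @{
                GroupName    = $Props.GetAttribute('groupName')
                GroupSID     = $Props.GetAttribute('groupSid')
                GroupAction  = $Props.GetAttribute('action')      # C/R/U/D
                MemberName   = $Member.GetAttribute('name')
                MemberSID    = $Member.GetAttribute('sid')
                MemberAction = $Member.GetAttribute('action')     # ADD / REMOVE
                Changed      = $Group.GetAttribute('changed')
            }
        }
    }
}

# Three rows: two for Administrators (built-in), one for Remote Desktop Users (built-in).
Get-GppGroupMembership -Xml $GroupsXml |
    Format-Table GroupName, MemberName, MemberAction, MemberSID -AutoSize
```

Reading the attributes through GetAttribute() rather than PowerShell's adapted properties avoids name collisions (an attribute called `name` or `action` is fine, but an element child named like an XmlElement member is not) and keeps the parser deterministic across Groups.xml files with several <Group> entries.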
|  | instead of name | 
|  | Invoke-CheckLocalAdminAccess...whoops | 
|  | Fix Get-NetLocalGroup Recursion for LocalGroups | 
|  | the current directory location
Fixed other logic bugs in Get-ModifiablePath
Fixed bug in Add-ServiceDacl when the [ServiceProcess.ServiceController] wasn't loaded yet by Get-Service
Error handling for Get-CachedGPPPassword
Changed some Write-Warnings to Write-Verbose
Updated Privesc Pester tests for PowerUp | 
|  | Recurse if localgroup as well as domaingroup
Normalize output values to empty string |