From 40eb187bca6a985ce7d24b19ac54c47ade285858 Mon Sep 17 00:00:00 2001 From: bitform Date: Mon, 21 Jan 2013 08:33:51 -0500 Subject: Consistency improvements in comment-based help --- AntivirusBypass/Find-AVSignature.ps1 | 75 +++++++++------ CodeExecution/Invoke-DllInjection.ps1 | 2 +- CodeExecution/Invoke-Shellcode.ps1 | 2 +- Exfiltration/Get-TimedScreenshot.ps1 | 142 ++++++++++++++-------------- PETools/Get-DllLoadPath.ps1 | 20 ++-- PETools/Get-PEArchitecture.ps1 | 9 +- PETools/Get-PEHeader.ps1 | 7 +- Recon/Get-GPPPassword.ps1 | 40 ++++---- Recon/Get-HttpStatus.ps1 | 41 ++++++-- Recon/Invoke-ReverseDnsLookup.ps1 | 86 +++++++++-------- ReverseEngineering/Get-ILDisassembly.ps1 | 4 +- ReverseEngineering/Get-KernelModuleInfo.ps1 | 2 +- ReverseEngineering/Get-Member.ps1 | 2 +- ReverseEngineering/Get-MethodAddress.ps1 | 2 +- ReverseEngineering/Get-PEB.ps1 | 2 +- ReverseEngineering/Get-Strings.ps1 | 2 +- ReverseEngineering/Get-StructFromMemory.ps1 | 2 +- ScriptModification/Out-CompressedDll.ps1 | 2 +- ScriptModification/Out-EncodedCommand.ps1 | 2 +- ScriptModification/Out-EncryptedScript.ps1 | 84 ++++++++-------- ScriptModification/Remove-Comments.ps1 | 2 +- 21 files changed, 296 insertions(+), 234 deletions(-) diff --git a/AntivirusBypass/Find-AVSignature.ps1 b/AntivirusBypass/Find-AVSignature.ps1 index aaa68c8..c373c5b 100644 --- a/AntivirusBypass/Find-AVSignature.ps1 +++ b/AntivirusBypass/Find-AVSignature.ps1 
@@ -1,69 +1,84 @@ -function Find-AVSignature { +function Find-AVSignature +{ <# .SYNOPSIS - Find-AVSignature +Locate tiny AV signatures. - Locates single Byte AV signatures utilizing the same method as DSplit from "class101" on heapoverflow.com - - Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation) - License: BSD 3-Clause +PowerSploit Function: Find-AVSignature +Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION - A script to locate tiny AV signatures. +Locates single Byte AV signatures utilizing the same method as DSplit from "class101" on heapoverflow.com. .PARAMETER Startbyte - Specifies the first byte to begin splitting on. +Specifies the first byte to begin splitting on. .PARAMETER Endbyte - Specifies the last byte to split on. +Specifies the last byte to split on. .PARAMETER Interval - Specifies the interval size to split with. +Specifies the interval size to split with. .PARAMETER Path - Specifies the path to the binary you want tested. +Specifies the path to the binary you want tested. .PARAMETER OutPath - Optionally specifies the directory to write the binaries to. +Optionally specifies the directory to write the binaries to. .PARAMETER Force - Forces the script to continue without confirmation. +Forces the script to continue without confirmation. 
.EXAMPLE - PS C:\> Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe - PS C:\> Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose - PS C:\> Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose - PS C:\> Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose - PS C:\> Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose +PS C:\> Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe +PS C:\> Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose +PS C:\> Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose +PS C:\> Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose +PS C:\> Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose .NOTES - Several of the versions of "DSplit.exe" available on the internet contain malware. +Several of the versions of "DSplit.exe" available on the internet contain malware. 
.LINK - http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html - https://github.com/mattifestation/PowerSploit - http://www.exploit-monday.com/ - http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2 +http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html +https://github.com/mattifestation/PowerSploit +http://www.exploit-monday.com/ +http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2 #> -[CmdletBinding()] Param( - [Parameter(Mandatory = $True)] [Int32] $StartByte, - [Parameter(Mandatory = $True)] [String] $EndByte, - [Parameter(Mandatory = $True)] [Int32] $Interval, - [Parameter(Mandatory = $False)] [String] $Path = ($pwd.path), - [Parameter(Mandatory = $False)] [String] $OutPath = ($pwd), - [Switch] $Force = $False + [CmdletBinding()] Param( + [Parameter(Mandatory = $True)] + [Int32] + $StartByte, + + [Parameter(Mandatory = $True)] + [String] + $EndByte, + + [Parameter(Mandatory = $True)] + [Int32] + $Interval, + + [String] + $Path = ($pwd.path), + + [String] + $OutPath = ($pwd), + + [Switch] $Force ) #test variables diff --git a/CodeExecution/Invoke-DllInjection.ps1 b/CodeExecution/Invoke-DllInjection.ps1 index b62e7a1..572a911 100644 --- a/CodeExecution/Invoke-DllInjection.ps1 +++ b/CodeExecution/Invoke-DllInjection.ps1 @@ -5,7 +5,7 @@ function Invoke-DllInjection Injects a Dll into the process ID of your choosing. -PowerSploit Module - Invoke-DllInjection +PowerSploit Function: Invoke-DllInjection Author: Matthew Graeber (@mattifestation) License: BSD 3-Clause Required Dependencies: None diff --git a/CodeExecution/Invoke-Shellcode.ps1 b/CodeExecution/Invoke-Shellcode.ps1 index e23c0f9..4f59f3b 100644 --- a/CodeExecution/Invoke-Shellcode.ps1 +++ b/CodeExecution/Invoke-Shellcode.ps1 
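Review bot: The two path defaults in the rewritten Param block are inconsistent: `$Path = ($pwd.path)` takes the string property while `$OutPath = ($pwd)` assigns the PathInfo object and relies on the `[String]` cast; `$OutPath = ($pwd.Path)` makes both explicit. `$EndByte` is typed `[String]` although `$StartByte` is `[Int32]`, presumably because the first example passes `-Endbyte max`, yet the `.PARAMETER Endbyte` text never mentions that value; it should say something like `Specifies the last byte to split on, or 'max' for the end of the file.` (confirm the wording against how the body treats it). Find-AVSignature's body continues outside the hunk.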
@@ -5,7 +5,7 @@ function Invoke-Shellcode Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process. -PowerSploit Module - Invoke-Shellcode +PowerSploit Function: Invoke-Shellcode Author: Matthew Graeber (@mattifestation) License: BSD 3-Clause Required Dependencies: None diff --git a/Exfiltration/Get-TimedScreenshot.ps1 b/Exfiltration/Get-TimedScreenshot.ps1 index 3a19a7d..e1c44d0 100644 --- a/Exfiltration/Get-TimedScreenshot.ps1 +++ b/Exfiltration/Get-TimedScreenshot.ps1 
@@ -1,99 +1,101 @@ -Function Get-TimedScreenshot { +function Get-TimedScreenshot +{ <# .SYNOPSIS - - Get-TimedScreenshot - - Author: Chris Campbell (@obscuresec) - License: BSD 3-Clause + +Takes screenshots at a regular interval and saves them to disk. + +PowerSploit Function: Get-TimedScreenshot +Author: Chris Campbell (@obscuresec) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION - A function that takes screenshots and saves them to a folder. +A function that takes screenshots and saves them to a folder. -.PARAMETER $Path +.PARAMETER Path - Specifies the folder path. +Specifies the folder path. -.PARAMETER $Interval +.PARAMETER Interval - Specifies the interval in seconds between taking screenshots. +Specifies the interval in seconds between taking screenshots. -.PARAMETER $EndTime +.PARAMETER EndTime - Specifies when the script should stop running in the format HH-MM +Specifies when the script should stop running in the format HH-MM .EXAMPLE - PS C:\> Get-TimedScreenshot -Path c:\temp\ -Interval 30 -EndTime 14:00 +PS C:\> Get-TimedScreenshot -Path c:\temp\ -Interval 30 -EndTime 14:00 .LINK - http://obscuresecurity.blogspot.com/2013/01/Get-TimedScreenshot.html - https://github.com/obscuresec/random/blob/master/Get-TimedScreenshot - +http://obscuresecurity.blogspot.com/2013/01/Get-TimedScreenshot.html +https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-TimedScreenshot.ps1 #> [CmdletBinding()] Param( - [Parameter(Mandatory=$True)] - [ValidateScript({Test-Path -Path $_ })] - [string] $Path, - - [Parameter(Mandatory=$True)] - [int32] $Interval, - - [Parameter(Mandatory=$True)] - [string] $EndTime - ) - - #Define helper function that generates and saves screenshot - Function GenScreenshot { - $ScreenBounds = [Windows.Forms.SystemInformation]::VirtualScreen - $ScreenshotObject = New-Object Drawing.Bitmap $ScreenBounds.Width, $ScreenBounds.Height - $DrawingGraphics = 
[Drawing.Graphics]::FromImage($ScreenshotObject) - $DrawingGraphics.CopyFromScreen( $ScreenBounds.Location, [Drawing.Point]::Empty, $ScreenBounds.Size) - $DrawingGraphics.Dispose() - $ScreenshotObject.Save($FilePath) - $ScreenshotObject.Dispose() - } + [Parameter(Mandatory=$True)] + [ValidateScript({Test-Path -Path $_ })] + [String] $Path, + + [Parameter(Mandatory=$True)] + [Int32] $Interval, + + [Parameter(Mandatory=$True)] + [String] $EndTime + ) + + #Define helper function that generates and saves screenshot + Function GenScreenshot { + $ScreenBounds = [Windows.Forms.SystemInformation]::VirtualScreen + $ScreenshotObject = New-Object Drawing.Bitmap $ScreenBounds.Width, $ScreenBounds.Height + $DrawingGraphics = [Drawing.Graphics]::FromImage($ScreenshotObject) + $DrawingGraphics.CopyFromScreen( $ScreenBounds.Location, [Drawing.Point]::Empty, $ScreenBounds.Size) + $DrawingGraphics.Dispose() + $ScreenshotObject.Save($FilePath) + $ScreenshotObject.Dispose() + } + + Try { + + #load required assembly + Add-Type -Assembly System.Windows.Forms - Try { + Do { + #get the current time and build the filename from it + $Time = (Get-Date) - #load required assembly - Add-Type -Assembly System.Windows.Forms - - Do { - #get the current time and build the filename from it - $Time = (Get-Date) - - [string] $FileName = "$($Time.Month)" - $FileName += '-' - $FileName += "$($Time.Day)" - $FileName += '-' - $FileName += "$($Time.Year)" - $FileName += '-' - $FileName += "$($Time.Hour)" - $FileName += '-' - $FileName += "$($Time.Minute)" - $FileName += '-' - $FileName += "$($Time.Second)" - $FileName += '.png' + [String] $FileName = "$($Time.Month)" + $FileName += '-' + $FileName += "$($Time.Day)" + $FileName += '-' + $FileName += "$($Time.Year)" + $FileName += '-' + $FileName += "$($Time.Hour)" + $FileName += '-' + $FileName += "$($Time.Minute)" + $FileName += '-' + $FileName += "$($Time.Second)" + $FileName += '.png' - #use join-path to add path to filename - [string] $FilePath = 
(Join-Path $Path $FileName) - - #run screenshot function - GenScreenshot - - Write-Verbose "Saved screenshot to $FilePath. Sleeping for $Interval seconds" + #use join-path to add path to filename + [String] $FilePath = (Join-Path $Path $FileName) - Start-Sleep -Seconds $Interval - } + #run screenshot function + GenScreenshot + + Write-Verbose "Saved screenshot to $FilePath. Sleeping for $Interval seconds" - #note that this will run once regardless if the specified time as passed - While ((Get-Date -Format HH:%m) -lt $EndTime) + Start-Sleep -Seconds $Interval } - Catch {Write-Warning "$Error[0].ToString() + $Error[0].InvocationInfo.PositionMessage"} + #note that this will run once regardless if the specified time as passed + While ((Get-Date -Format HH:%m) -lt $EndTime) + } + Catch {Write-Warning "$Error[0].ToString() + $Error[0].InvocationInfo.PositionMessage"} } \ No newline at end of file diff --git a/PETools/Get-DllLoadPath.ps1 b/PETools/Get-DllLoadPath.ps1 index 360c913..97b0210 100644 --- a/PETools/Get-DllLoadPath.ps1 +++ b/PETools/Get-DllLoadPath.ps1 @@ -1,8 +1,11 @@ -function Get-DllLoadPath { +function Get-DllLoadPath +{ <# .SYNOPSIS -PowerSploit Module - Get-DllLoadPath +Outputs the order of paths in which a dll would be loaded. + +PowerSploit Function: Get-DllLoadPath Author: Matthew Graeber (@mattifestation) License: BSD 3-Clause Required Dependencies: None @@ -14,7 +17,7 @@ Get-DllLoadPath returns the path from which Windows will load a Dll for the give .PARAMETER ExecutablePath - Path to the executable from which the Dll would be loaded. +Path to the executable from which the Dll would be loaded. .PARAMETER DllName @@ -38,7 +41,7 @@ C:\Windows\SysWOW64\Comctl32.dll .OUTPUTS -$null, System.Management.Automation.PathInfo +System.Management.Automation.PathInfo .NOTES 
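Review bot: The loop condition kept on the new side, `While ((Get-Date -Format HH:%m) -lt $EndTime)`, formats minutes without zero padding (`%m` is the single-specifier form of `m`), so at 14:05 the value is `14:5`, which compares greater than an EndTime of `14:30` in the string comparison and stops the loop early; it should be `While ((Get-Date -Format HH:mm) -lt $EndTime)`. The `.PARAMETER EndTime` text says the format is `HH-MM` while the example passes `14:00` and the comparison uses a colon, so the help should read `Specifies when the script should stop running, in 24-hour HH:mm format.` The Catch on the last hunk line interpolates `$Error[0].ToString()` inside a double-quoted string, which expands `$Error` and appends the literal text `[0].ToString()`; `Catch { Write-Warning "$($_.Exception.Message) $($_.InvocationInfo.PositionMessage)" }` reports the actual error.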
@@ -51,8 +54,13 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.as #> Param ( - [Parameter(Position = 0, Mandatory = $True)] [String] $ExecutablePath, - [Parameter(Position = 1, Mandatory = $True)] [String] $DllName + [Parameter(Position = 0, Mandatory = $True)] + [String] + $ExecutablePath, + + [Parameter(Position = 1, Mandatory = $True)] + [String] + $DllName ) if (!(Test-Path $ExecutablePath)) { diff --git a/PETools/Get-PEArchitecture.ps1 b/PETools/Get-PEArchitecture.ps1 index 6272153..efc80be 100644 --- a/PETools/Get-PEArchitecture.ps1 +++ b/PETools/Get-PEArchitecture.ps1 @@ -1,8 +1,11 @@ -function Get-PEArchitecture { +function Get-PEArchitecture +{ <# .SYNOPSIS -PowerSploit Module - Get-PEArchitecture +Outputs the architecture for which a binary was compiled. + +PowerSploit Function: Get-PEArchitecture Author: Matthew Graeber (@mattifestation) License: BSD 3-Clause Required Dependencies: None @@ -19,13 +22,11 @@ Path to the executable. .EXAMPLE C:\PS> Get-PEArchitecture C:\Windows\SysWOW64\calc.exe - X86 .EXAMPLE C:\PS> Get-PEArchitecture C:\Windows\System32\cmd.exe - X64 .LINK diff --git a/PETools/Get-PEHeader.ps1 b/PETools/Get-PEHeader.ps1 index 49bfbd6..f32239c 100644 --- a/PETools/Get-PEHeader.ps1 +++ b/PETools/Get-PEHeader.ps1 @@ -1,8 +1,11 @@ -function Get-PEHeader { +function Get-PEHeader +{ <# .SYNOPSIS -PowerSploit Module - Get-PEHeader +Parses and outputs the PE header of a process in memory or a PE file on disk. + +PowerSploit Function: Get-PEHeader Author: Matthew Graeber (@mattifestation) License: BSD 3-Clause Required Dependencies: None diff --git a/Recon/Get-GPPPassword.ps1 b/Recon/Get-GPPPassword.ps1 index 99a694b..b22fb74 100644 --- a/Recon/Get-GPPPassword.ps1 +++ b/Recon/Get-GPPPassword.ps1 
@@ -1,31 +1,39 @@ -function Get-GPPPassword { - +function Get-GPPPassword +{ <# -.Synopsis +.SYNOPSIS + +Retrieves the plaintext password for accounts pushed through Group Policy in groups.xml. - Get-GPPPassword retrieves the plaintext password for accounts pushed through Group Policy in groups.xml. - Author: Chris Campbell (@obscuresec) - License: BSD 3-Clause +PowerSploit Function: Get-GPPPassword +Author: Chris Campbell (@obscuresec) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None -.Description +.DESCRIPTION - Get-GPPPassword imports the encoded and encrypted password string from groups.xml and then decodes and decrypts the plaintext password. +Get-GPPPassword imports the encoded and encrypted password string from groups.xml and then decodes and decrypts the plaintext password. -.Parameter Path +.PARAMETER Path - The path to the targeted groups.xml file. +The path to the targeted groups.xml file. -.Example +.EXAMPLE - Get-GPPPassword -path c:\demo\groups.xml +Get-GPPPassword -path c:\demo\groups.xml -.Link +.LINK - http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences - http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html +http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences +http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html #> -Param ( [Parameter(Position = 0, Mandatory = $True)] [String] $Path = "$PWD\groups.xml" ) + Param ( + [Parameter(Position = 0, Mandatory = $True)] + [String] + $Path = "$PWD\groups.xml" + ) #Function to pull encrypted password string from groups.xml function Parse-cPassword { diff --git a/Recon/Get-HttpStatus.ps1 b/Recon/Get-HttpStatus.ps1 index 2f4b343..fde3d26 100644 --- a/Recon/Get-HttpStatus.ps1 +++ b/Recon/Get-HttpStatus.ps1 
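Review bot: `$Path` is declared `Mandatory = $True` but also given a default of `"$PWD\groups.xml"`; PowerShell prompts for a mandatory parameter that is not supplied, so the default can never take effect. Either drop `Mandatory = $True` so the default applies, or drop the default and state in `.PARAMETER Path` that the argument is required. Get-GPPPassword's body and the nested `Parse-cPassword` continue outside the hunk.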
@@ -1,47 +1,68 @@ -function Get-HttpStatus { +function Get-HttpStatus +{ <# .SYNOPSIS -PowerSploit Module - Get-HttpStatus Returns the HTTP Status Codes and full URL for specified paths. +PowerSploit Function: Get-HttpStatus Author: Chris Campbell (@obscuresec) License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION + A script to check for the existence of a path or file on a webserver. .PARAMETER Target + Specifies the remote web host either by IP or hostname. .PARAMETER Path + Specifies the remost host. .PARAMETER Port + Specifies the port to connect to. .PARAMETER UseSSL + Use an SSL connection. .EXAMPLE -PS > Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt | Select-Object {where StatusCode -eq 20*} + +C:\PS> Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt | Select-Object {where StatusCode -eq 20*} .EXAMPLE -PS > Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL + +C:\PS> Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL .NOTES -HTTP Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error -Status Codes: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html + +HTTP Status Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error .LINK + http://obscuresecurity.blogspot.com +http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html #> [CmdletBinding()] Param( - [Parameter(Mandatory = $True)] [String] $Target, - [Parameter()] [String] [ValidateNotNullOrEmpty()] $Path = '.\Dictionaries\admin.txt', - [Parameter()] [Int] $Port, - [Parameter()] [Switch] $UseSSL + [Parameter(Mandatory = $True)] + [String] + $Target, + + [String] + [ValidateNotNullOrEmpty()] + $Path = '.\Dictionaries\admin.txt', + + [Int] + $Port, + + [Switch] + $UseSSL ) if (Test-Path $Path) { diff --git a/Recon/Invoke-ReverseDnsLookup.ps1 b/Recon/Invoke-ReverseDnsLookup.ps1 index af45f2e..1346ae6 100644 
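Review bot: The `.PARAMETER Path` text on the new side, `Specifies the remost host.`, describes the wrong thing: the default `'.\Dictionaries\admin.txt'` and both examples (`-Path c:\dictionary.txt`) show it is a dictionary file of paths to test, so it should read `Specifies the path to the dictionary file containing the web paths to test.` Both examples also keep `Select-Object {where StatusCode -eq 20*}`, which is not a valid filter; `Where-Object { $_.StatusCode -like '20*' }` is what the example appears to intend (the output property name is not visible in this hunk, so confirm it). Get-HttpStatus's body continues outside the hunk.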
--- a/Recon/Invoke-ReverseDnsLookup.ps1 +++ b/Recon/Invoke-ReverseDnsLookup.ps1 
@@ -1,64 +1,66 @@ function Invoke-ReverseDnsLookup { - <# -.Synopsis +.SYNOPSIS + +Perform a reverse DNS lookup scan on a range of IP addresses. - PowerSploit Module - Invoke-ReverseDnsLookup - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause +PowerSploit Function: Invoke-ReverseDnsLookup +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None -.Description +.DESCRIPTION - Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script - is useful for performing DNS reconnaisance prior to conducting an authorized - penetration test. +Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script is useful for performing DNS reconnaisance prior to conducting an authorized penetration test. -.Parameter IPRange +.PARAMETER IPRange - Specifies the IP address range. The range provided can be in the form of a single - IP address, a low-high range, or a CIDR range. Comma-delimited ranges may can be - provided. +Specifies the IP address range. The range provided can be in the form of a single IP address, a low-high range, or a CIDR range. Comma-delimited ranges may can be provided. -.Example +.EXAMPLE - PS> Invoke-ReverseDnsLookup 74.125.228.0/29 +C:\PS> Invoke-ReverseDnsLookup 74.125.228.0/29 - IP HostName - -- -------- - 74.125.228.1 iad23s05-in-f1.1e100.net - 74.125.228.2 iad23s05-in-f2.1e100.net - 74.125.228.3 iad23s05-in-f3.1e100.net - 74.125.228.4 iad23s05-in-f4.1e100.net - 74.125.228.5 iad23s05-in-f5.1e100.net - 74.125.228.6 iad23s05-in-f6.1e100.net +IP HostName +-- -------- +74.125.228.1 iad23s05-in-f1.1e100.net +74.125.228.2 iad23s05-in-f2.1e100.net +74.125.228.3 iad23s05-in-f3.1e100.net +74.125.228.4 iad23s05-in-f4.1e100.net +74.125.228.5 iad23s05-in-f5.1e100.net +74.125.228.6 iad23s05-in-f6.1e100.net - Description - ----------- - Returns the hostnames of the IP addresses specified by the CIDR range. 
+Description +----------- +Returns the hostnames of the IP addresses specified by the CIDR range. -.Example +.EXAMPLE - PS> Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6' - - IP HostName - -- -------- - 74.125.228.1 iad23s05-in-f1.1e100.net - 74.125.228.4 iad23s05-in-f4.1e100.net - 74.125.228.5 iad23s05-in-f5.1e100.net - 74.125.228.6 iad23s05-in-f6.1e100.net - - Description - ----------- - Returns the hostnames of the IP addresses specified by the IP range specified. +C:\PS> Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6' +IP HostName +-- -------- +74.125.228.1 iad23s05-in-f1.1e100.net +74.125.228.4 iad23s05-in-f4.1e100.net +74.125.228.5 iad23s05-in-f5.1e100.net +74.125.228.6 iad23s05-in-f6.1e100.net -.Link +Description +----------- +Returns the hostnames of the IP addresses specified by the IP range specified. + +.LINK - My blog: http://www.exploit-monday.com +http://www.exploit-monday.com #> -Param( [Parameter(Position = 0, Mandatory = $True)] [String] $IpRange ) + Param ( + [Parameter(Position = 0, Mandatory = $True)] + [String] + $IpRange + ) function Parse-IPList ([String] $IpRange) { diff --git a/ReverseEngineering/Get-ILDisassembly.ps1 b/ReverseEngineering/Get-ILDisassembly.ps1 index 623d904..b3b615e 100644 --- a/ReverseEngineering/Get-ILDisassembly.ps1 +++ b/ReverseEngineering/Get-ILDisassembly.ps1 @@ -3,7 +3,9 @@ function Get-ILDisassembly <# .SYNOPSIS -PowerSploit Module - Get-ILDisassembly +A MSIL (Microsoft Intermediate Language) disassembler. + +PowerSploit Function: Get-ILDisassembly Author: Matthew Graeber (@mattifestation) License: BSD 3-Clause Required Dependencies: None diff --git a/ReverseEngineering/Get-KernelModuleInfo.ps1 b/ReverseEngineering/Get-KernelModuleInfo.ps1 index f6f8221..cb7b73e 100644 --- a/ReverseEngineering/Get-KernelModuleInfo.ps1 +++ b/ReverseEngineering/Get-KernelModuleInfo.ps1 
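Review bot: The reflowed `.PARAMETER IPRange` text still carries the original wording error `Comma-delimited ranges may can be provided.`; it should read `Comma-delimited ranges may also be provided.` The reflowed `.DESCRIPTION` line likewise keeps the misspelling `reconnaisance` (should be `reconnaissance`). The nested `Parse-IPList` and the rest of Invoke-ReverseDnsLookup continue outside the hunk.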
@@ -5,7 +5,7 @@ Returns loaded kernel module information. -PowerSploit Module - Get-KernelModuleInfo +PowerSploit Function: Get-KernelModuleInfo Author: Matthew Graeber (@mattifestation) License: BSD 3-Clause Required Dependencies: None diff --git a/ReverseEngineering/Get-Member.ps1 b/ReverseEngineering/Get-Member.ps1 index 30d29f4..2f04deb 100644 --- a/ReverseEngineering/Get-Member.ps1 +++ b/ReverseEngineering/Get-Member.ps1 @@ -5,7 +5,7 @@ function Get-Member Gets the properties and methods of objects. -PowerSploit Module - Get-Member +PowerSploit Proxy Function: Get-Member Author: Matthew Graeber (@mattifestation) License: BSD 3-Clause (Except for the help documentation derived from the original Get-Member) Required Dependencies: None diff --git a/ReverseEngineering/Get-MethodAddress.ps1 b/ReverseEngineering/Get-MethodAddress.ps1 index bd6c627..656d1bd 100644 --- a/ReverseEngineering/Get-MethodAddress.ps1 +++ b/ReverseEngineering/Get-MethodAddress.ps1 @@ -5,7 +5,7 @@ Get the unmanaged function address of a .NET method. -PowerSploit Module - Get-MethodAddress +PowerSploit Function: Get-MethodAddress Author: Matthew Graeber (@mattifestation) License: BSD 3-Clause Required Dependencies: None diff --git a/ReverseEngineering/Get-PEB.ps1 b/ReverseEngineering/Get-PEB.ps1 index dbb95a0..4985da5 100644 --- a/ReverseEngineering/Get-PEB.ps1 +++ b/ReverseEngineering/Get-PEB.ps1 @@ -5,7 +5,7 @@ Returns the process environment block (PEB) of a process. -PowerSploit Module - Get-PEB +PowerSploit Function: Get-PEB Author: Matthew Graeber (@mattifestation) License: BSD 3-Clause Required Dependencies: None diff --git a/ReverseEngineering/Get-Strings.ps1 b/ReverseEngineering/Get-Strings.ps1 index 87f5f6a..7acb9f1 100644 --- a/ReverseEngineering/Get-Strings.ps1 +++ b/ReverseEngineering/Get-Strings.ps1 
@@ -5,7 +5,7 @@ Gets strings from a file. -PowerSploit Module - Inject-Shellcode +PowerSploit Function: Get-Strings Author: Matthew Graeber (@mattifestation) License: BSD 3-Clause Required Dependencies: None diff --git a/ReverseEngineering/Get-StructFromMemory.ps1 b/ReverseEngineering/Get-StructFromMemory.ps1 index 9a265c5..ccf6d5b 100644 --- a/ReverseEngineering/Get-StructFromMemory.ps1 +++ b/ReverseEngineering/Get-StructFromMemory.ps1 @@ -5,7 +5,7 @@ Marshals data from an unmanaged block of memory in an arbitrary process to a newly allocated managed object of the specified type. -PowerSploit Module - Get-StructFromMemory +PowerSploit Function: Get-StructFromMemory Author: Matthew Graeber (@mattifestation) License: BSD 3-Clause Required Dependencies: None diff --git a/ScriptModification/Out-CompressedDll.ps1 b/ScriptModification/Out-CompressedDll.ps1 index f781c15..3aa5c2b 100644 --- a/ScriptModification/Out-CompressedDll.ps1 +++ b/ScriptModification/Out-CompressedDll.ps1 @@ -5,7 +5,7 @@ Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory. -PowerSploit Module - Out-CompressedDll +PowerSploit Function: Out-CompressedDll Author: Matthew Graeber (@mattifestation) License: BSD 3-Clause Required Dependencies: None diff --git a/ScriptModification/Out-EncodedCommand.ps1 b/ScriptModification/Out-EncodedCommand.ps1 index 99d3f66..cae4715 100644 --- a/ScriptModification/Out-EncodedCommand.ps1 +++ b/ScriptModification/Out-EncodedCommand.ps1 @@ -5,7 +5,7 @@ Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script. -PowerSploit Module - Out-EncodedCommand +PowerSploit Function: Out-EncodedCommand Author: Matthew Graeber (@mattifestation) License: BSD 3-Clause Required Dependencies: None diff --git a/ScriptModification/Out-EncryptedScript.ps1 b/ScriptModification/Out-EncryptedScript.ps1 index 1376673..3f09020 100644 --- a/ScriptModification/Out-EncryptedScript.ps1 
+++ b/ScriptModification/Out-EncryptedScript.ps1 @@ -1,11 +1,11 @@ -function Out-EncryptedScript { - +function Out-EncryptedScript +{ <# .SYNOPSIS Encrypts text files/scripts. -PowerSploit Module - Out-EncryptedScript +PowerSploit Function: Out-EncryptedScript Author: Matthew Graeber (@mattifestation) License: BSD 3-Clause Required Dependencies: None 
@@ -55,46 +55,46 @@ This command can be used to encrypt any text-based file/script http://www.exploit-monday.com #> -[CmdletBinding()] Param ( - [Parameter(Position = 0, Mandatory = $True)] - [String] - $ScriptPath, + [CmdletBinding()] Param ( + [Parameter(Position = 0, Mandatory = $True)] + [String] + $ScriptPath, - [Parameter(Position = 1, Mandatory = $True)] - [String] - $Password, + [Parameter(Position = 1, Mandatory = $True)] + [String] + $Password, - [Parameter(Position = 2, Mandatory = $True)] - [String] - $Salt, + [Parameter(Position = 2, Mandatory = $True)] + [String] + $Salt, - [Parameter(Position = 3)] - [String] - $InitializationVector = ( @( foreach ($i in 1..16) { [Char](Get-Random -Min 0x41 -Max 0x5B) } ) -join '' ), # Generate random 16 character IV + [Parameter(Position = 3)] + [String] + $InitializationVector = ( @( foreach ($i in 1..16) { [Char](Get-Random -Min 0x41 -Max 0x5B) } ) -join '' ), # Generate random 16 character IV - [Parameter(Position = 4)] - [String] - $FilePath = '.\evil.ps1' -) - -$AsciiEncoder = New-Object System.Text.ASCIIEncoding -$ivBytes = $AsciiEncoder.GetBytes("CRACKMEIFYOUCAN!") -# While this can be used to encrypt any file, it's primarily designed to encrypt itself. 
-[Byte[]] $scriptBytes = Get-Content -Encoding byte -Path $ScriptPath -$DerivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($Password, $AsciiEncoder.GetBytes($Salt), "SHA1", 2) -$Key = New-Object System.Security.Cryptography.RijndaelManaged -$Key.Mode = [System.Security.Cryptography.CipherMode]::CBC -[Byte[]] $KeyBytes = $DerivedPass.GetBytes(32) -$Encryptor = $Key.CreateEncryptor($KeyBytes, $ivBytes) -$MemStream = New-Object System.IO.MemoryStream -$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($MemStream, $Encryptor, [System.Security.Cryptography.CryptoStreamMode]::Write) -$CryptoStream.Write($scriptBytes, 0, $scriptBytes.Length) -$CryptoStream.FlushFinalBlock() -$CipherTextBytes = $MemStream.ToArray() -$MemStream.Close() -$CryptoStream.Close() -$Key.Clear() -$Cipher = [Convert]::ToBase64String($CipherTextBytes) + [Parameter(Position = 4)] + [String] + $FilePath = '.\evil.ps1' + ) + + $AsciiEncoder = New-Object System.Text.ASCIIEncoding + $ivBytes = $AsciiEncoder.GetBytes("CRACKMEIFYOUCAN!") + # While this can be used to encrypt any file, it's primarily designed to encrypt itself. 
+ [Byte[]] $scriptBytes = Get-Content -Encoding byte -Path $ScriptPath + $DerivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($Password, $AsciiEncoder.GetBytes($Salt), "SHA1", 2) + $Key = New-Object System.Security.Cryptography.RijndaelManaged + $Key.Mode = [System.Security.Cryptography.CipherMode]::CBC + [Byte[]] $KeyBytes = $DerivedPass.GetBytes(32) + $Encryptor = $Key.CreateEncryptor($KeyBytes, $ivBytes) + $MemStream = New-Object System.IO.MemoryStream + $CryptoStream = New-Object System.Security.Cryptography.CryptoStream($MemStream, $Encryptor, [System.Security.Cryptography.CryptoStreamMode]::Write) + $CryptoStream.Write($scriptBytes, 0, $scriptBytes.Length) + $CryptoStream.FlushFinalBlock() + $CipherTextBytes = $MemStream.ToArray() + $MemStream.Close() + $CryptoStream.Close() + $Key.Clear() + $Cipher = [Convert]::ToBase64String($CipherTextBytes) # Generate encrypted PS1 file. All that will be included is the base64-encoded ciphertext and a slightly 'obfuscated' decrypt function $Output = 'function de([String] $b, [String] $c) @@ -121,9 +121,9 @@ $f.Clear(); return $encoding.GetString($h,0,$h.Length); }' -# Output decrypt function and ciphertext to evil.ps1 -Out-File -InputObject $Output -Encoding ASCII $FilePath + # Output decrypt function and ciphertext to evil.ps1 + Out-File -InputObject $Output -Encoding ASCII $FilePath -Write-Verbose "Encrypted PS1 file saved to: $(Resolve-Path $FilePath)" + Write-Verbose "Encrypted PS1 file saved to: $(Resolve-Path $FilePath)" } \ No newline at end of file diff --git a/ScriptModification/Remove-Comments.ps1 b/ScriptModification/Remove-Comments.ps1 index 64c3e31..ec75927 100644 --- a/ScriptModification/Remove-Comments.ps1 +++ b/ScriptModification/Remove-Comments.ps1 
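Review bot: The `$InitializationVector` parameter, which the new side still defaults to a random 16-character string, is never used: the encryptor is built from `$ivBytes = $AsciiEncoder.GetBytes("CRACKMEIFYOUCAN!")`, so every output uses the same fixed IV regardless of what the caller passes, and the parameter silently does nothing. `$ivBytes = $AsciiEncoder.GetBytes($InitializationVector)` would honour it; if the embedded decrypt function `de` (its body is outside the hunk) hard-codes the same constant, the chosen IV has to be emitted into `$Output` as well, otherwise the generated file will no longer decrypt. At minimum the `.PARAMETER InitializationVector` help should say the value is currently ignored so callers do not rely on it.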
@@ -5,7 +5,7 @@ Strips comments and extra whitespace from a script. -PowerSploit Module - Remove-Comments +PowerSploit Function: Remove-Comments Author: Matthew Graeber (@mattifestation) License: BSD 3-Clause Required Dependencies: None -- cgit v1.2.3