From 6aca12a956452ca40168c71303032c8a80ebf0b4 Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Mon, 12 Dec 2016 20:36:42 -0500 Subject: Typo correction and Recon README.md update --- Recon/README.md | 164 +++++++++++++++++++++++++++----------------------------- 1 file changed, 80 insertions(+), 84 deletions(-) (limited to 'Recon/README.md') diff --git a/Recon/README.md b/Recon/README.md index 6e28a30..acc2627 100644 --- a/Recon/README.md +++ b/Recon/README.md 
@@ -34,96 +34,92 @@ an array of hosts from the pipeline. ### Misc Functions: Export-PowerViewCSV - thread-safe CSV append - Set-MacAttribute - Sets MAC attributes for a file based on another file or input (from Powersploit) - Copy-ClonedFile - copies a local file to a remote location, matching MAC properties - Get-IPAddress - resolves a hostname to an IP - Test-Server - tests connectivity to a specified server - Convert-NameToSid - converts a given user/group name to a security identifier (SID) - Convert-SidToName - converts a security identifier (SID) to a group/user name - Convert-NT4toCanonical - converts a user/group NT4 name (i.e. dev/john) to canonical format - Get-Proxy - enumerates local proxy settings + Resolve-IPAddress - resolves a hostname to an IP + ConvertTo-SID - converts a given user/group name to a security identifier (SID) + Convert-ADName - converts object names between a variety of formats + ConvertFrom-UACValue - converts a UAC int value to human readable form + Add-RemoteConnection - pseudo "mounts" a connection to a remote path using the specified credential object + Remove-RemoteConnection - destroys a connection created by New-RemoteConnection + Invoke-UserImpersonation - creates a new "runas /netonly" type logon and impersonates the token + Invoke-RevertToSelf - reverts any token impersonation + Get-DomainSPNTicket - request the kerberos ticket for a specified service principal name (SPN) + Invoke-Kerberoast - requests service tickets for kerberoast-able accounts and returns extracted ticket hashes Get-PathAcl - get the ACLs for a local/remote file path with optional group recursion - Get-UserProperty - returns all properties specified for users, or a set of user:prop names - Get-ComputerProperty - returns all properties specified for computers, or a set of computer:prop names - Find-InterestingFile - search a local or remote path for files with specific terms in the name - Invoke-CheckLocalAdminAccess - check if the current user context 
has local administrator access to a specified host - Get-DomainSearcher - builds a proper ADSI searcher object for a given domain - Get-ObjectAcl - returns the ACLs associated with a specific active directory object - Add-ObjectAcl - adds an ACL to a specified active directory object - Get-LastLoggedOn - return the last logged on user for a target host - Get-CachedRDPConnection - queries all saved RDP connection entries on a target host - Invoke-ACLScanner - enumerate -1000+ modifable ACLs on a specified domain - Get-GUIDMap - returns a hash table of current GUIDs -> display names - Get-DomainSID - return the SID for the specified domain - Invoke-ThreadedFunction - helper that wraps threaded invocation for other functions - - -### net * Functions: - Get-NetDomain - gets the name of the current user's domain - Get-NetForest - gets the forest associated with the current user's domain - Get-NetForestDomain - gets all domains for the current forest - Get-NetDomainController - gets the domain controllers for the current computer's domain - Get-NetUser - returns all user objects, or the user specified (wildcard specifiable) - Add-NetUser - adds a local or domain user - Get-NetComputer - gets a list of all current servers in the domain - Get-NetPrinter - gets an array of all current computers objects in a domain - Get-NetOU - gets data for domain organization units - Get-NetSite - gets current sites in a domain - Get-NetSubnet - gets registered subnets for a domain - Get-NetGroup - gets a list of all current groups in a domain - Get-NetGroupMember - gets a list of all current users in a specified domain group - Get-NetLocalGroup - gets the members of a localgroup on a remote host or hosts - Add-NetGroupUser - adds a local or domain user to a local or domain group - Get-NetFileServer - get a list of file servers used by current domain users - Get-DFSshare - gets a list of all distribute file system shares on a domain - Get-NetShare - gets share information for a specified 
server - Get-NetLoggedon - gets users actively logged onto a specified server - Get-NetSession - gets active sessions on a specified server - Get-NetRDPSession - gets active RDP sessions for a specified server (like qwinsta) - Get-NetProcess - gets the remote processes and owners on a remote server - Get-UserEvent - returns logon or TGT events from the event log for a specified host - Get-ADObject - takes a domain SID and returns the user, group, or computer - object associated with it - Set-ADObject - takes a SID, name, or SamAccountName to query for a specified - domain object, and then sets a specified 'PropertyName' to a - specified 'PropertyValue' + + +### Domain/LDAP Functions: + Get-DomainDNSZone - enumerates the Active Directory DNS zones for a given domain + Get-DomainDNSRecord - enumerates the Active Directory DNS records for a given zone + Get-Domain - returns the domain object for the current (or specified) domain + Get-DomainController - return the domain controllers for the current (or specified) domain + Get-Forest - returns the forest object for the current (or specified) forest + Get-ForestDomain - return all domains for the current (or specified) forest + Get-ForestGlobalCatalog - return all global catalogs for the current (or specified) forest + Find-DomainObjectPropertyOutlier- inds user/group/computer objects in AD that have 'outlier' properties set + Get-DomainUser - return all users or specific user objects in AD + New-DomainUser - creates a new domain user (assuming appropriate permissions) and returns the user object + Get-DomainUserEvent - enumerates account logon events (ID 4624) and Logon with explicit credential events + Get-DomainComputer - returns all computers or specific computer objects in AD + Get-DomainObject - returns all (or specified) domain objects in AD + Set-DomainObject - modifies a gven property for a specified active directory object + Get-DomainObjectAcl - returns the ACLs associated with a specific active directory 
object + Add-DomainObjectAcl - adds an ACL for a specific active directory object + Find-InterestingDomainAcl - finds object ACLs in the current (or specified) domain with modification rights set to non-built in objects + Get-DomainOU - search for all organization units (OUs) or specific OU objects in AD + Get-DomainSite - search for all sites or specific site objects in AD + Get-DomainSubnet - search for all subnets or specific subnets objects in AD + Get-DomainSID - returns the SID for the current domain or the specified domain + Get-DomainGroup - return all groups or specific group objects in AD + New-DomainGroup - creates a new domain group (assuming appropriate permissions) and returns the group object + Get-DomainManagedSecurityGroup - returns all security groups in the current (or target) domain that have a manager set + Get-DomainGroupMember - return the members of a specific domain group + Add-DomainGroupMember - adds a domain user (or group) to an existing domain group, assuming appropriate permissions to do so + Get-DomainFileServer - returns a list of servers likely functioning as file servers + Get-DomainDFSShare - returns a list of all fault-tolerant distributed file systems for the current (or specified) domain ### GPO functions - Get-GptTmpl - parses a GptTmpl.inf to a custom object - Get-NetGPO - gets all current GPOs for a given domain - Get-NetGPOGroup - gets all GPOs in a domain that set "Restricted Groups" - on on target machines - Find-GPOLocation - takes a user/group and makes machines they have effective - rights over through GPO enumeration and correlation - Find-GPOComputerAdmin - takes a computer and determines who has admin rights over it - through GPO enumeration - Get-DomainPolicy - returns the default domain or DC policy + Get-DomainGPO - returns all GPOs or specific GPO objects in AD + Get-DomainGPOLocalGroup - returns all GPOs in a domain that modify local group memberships through 'Restricted Groups' or Group Policy preferences + 
Get-DomainGPOUserLocalGroupMapping - enumerates the machines where a specific domain user/group is a member of a specific local group, all through GPO correlation + Get-DomainGPOComputerLocalGroupMapping - takes a computer (or GPO) object and determines what users/groups are in the specified local group for the machine through GPO correlation + Get-DomainPolicy - returns the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller -### User-Hunting Functions: - Invoke-UserHunter - finds machines on the local domain where specified users are logged into, and can optionally check if the current user has local admin access to found machines - Invoke-StealthUserHunter - finds all file servers utilizes in user HomeDirectories, and checks the sessions one each file server, hunting for particular users - Invoke-ProcessHunter - hunts for processes with a specific name or owned by a specific user on domain machines - Invoke-UserEventHunter - hunts for user logon events in domain controller event logs +### Computer Enumeration Functions + + Get-NetLocalGroup - enumerates the local groups on the local (or remote) machine + Get-NetLocalGroupMember - enumerates members of a specific local group on the local (or remote) machine + Get-NetShare - returns open shares on the local (or a remote) machine + Get-NetLoggedon - returns users logged on the local (or a remote) machine + Get-NetSession - returns session information for the local (or a remote) machine + Get-RegLoggedOn - returns who is logged onto the local (or a remote) machine through enumeration of remote registry keys + Get-NetRDPSession - returns remote desktop/session information for the local (or a remote) machine + Test-AdminAccess - rests if the current user has administrative access to the local (or a remote) machine + Get-NetComputerSiteName - returns the AD site where the local (or a remote) machine resides + Get-WMIRegProxy - enumerates the proxy server 
and WPAD conents for the current user + Get-WMIRegLastLoggedOn - returns the last user who logged onto the local (or a remote) machine + Get-WMIRegCachedRDPConnection - returns information about RDP connections outgoing from the local (or remote) machine + Get-WMIRegMountedDrive - returns information about saved network mounted drives for the local (or remote) machine + Get-WMIProcess - returns a list of processes and their owners on the local or remote machine + Find-InterestingFile - searches for files on the given path that match a series of specified criteria -### Domain Trust Functions: - Get-NetDomainTrust - gets all trusts for the current user's domain - Get-NetForestTrust - gets all trusts for the forest associated with the current user's domain - Find-ForeignUser - enumerates users who are in groups outside of their principal domain - Find-ForeignGroup - enumerates all the members of a domain's groups and finds users that are outside of the queried domain - Invoke-MapDomainTrust - try to build a relational mapping of all domain trusts - - -### MetaFunctions: - Invoke-ShareFinder - finds (non-standard) shares on hosts in the local domain - Invoke-FileFinder - finds potentially sensitive files on hosts in the local domain - Find-LocalAdminAccess - finds machines on the domain that the current user has local admin access to - Find-ManagedSecurityGroups - searches for active directory security groups which are managed and identify users who have write access to - - those groups (i.e. 
the ability to add or remove members) - Find-UserField - searches a user field for a particular term - Find-ComputerField - searches a computer field for a particular term - Get-ExploitableSystem - finds systems likely vulnerable to common exploits - Invoke-EnumerateLocalAdmin - enumerates members of the local Administrators groups across all machines in the domain +### Threaded 'Meta'-Functions + + Find-DomainUserLocation - finds domain machines where specific users are logged into + Find-DomainProcess - finds domain machines where specific processes are currently running + Find-DomainUserEvent - finds logon events on the current (or remote domain) for the specified users + Find-DomainShare - finds reachable shares on domain machines + Find-InterestingDomainShareFile - searches for files matching specific criteria on readable shares in the domain + Find-LocalAdminAccess - finds machines on the local domain where the current user has local administrator access + Find-DomainLocalGroupMember - enumerates the members of specified local group on machines in the domain + + +### Domain Trust Functions: + Get-DomainTrust - returns all domain trusts for the current domain or a specified domain + Get-ForestTrust - returns all forest trusts for the current forest or a specified forest + Get-DomainForeignUser - enumerates users who are in groups outside of the user's domain + Get-DomainForeignGroupMember - enumerates groups with users outside of the group's domain and returns each foreign member + Get-DomainTrustMapping - this function enumerates all trusts for the current domain and then enumerates all trusts for each domain it finds -- cgit v1.2.3 From f4f5fb1460a8163e333c9e5462df6d3ab27a53a6 Mon Sep 17 00:00:00 2001 
From: HarmJ0y Date: Tue, 13 Dec 2016 16:00:28 -0500 Subject: Added Set-DomainUserPassword to reset a particular user's password. Reformatted documentation. --- README.md | 2 +- Recon/PowerView.ps1 | 113 ++++++++++++++++++ Recon/README.md | 1 + Recon/Recon.psd1 | 1 + docs/Recon/Set-DomainUserPassword.md | 127 ++++++++++++++++++++ docs/Recon/index.md | 14 --- docs/index.md | 223 +++++++++-------------------------- mkdocs.yml | 1 + 8 files changed, 298 insertions(+), 184 deletions(-) create mode 100755 docs/Recon/Set-DomainUserPassword.md (limited to 'Recon/README.md') diff --git a/README.md b/README.md index c348b9e..60ac90f 100644 --- a/README.md +++ b/README.md @@ -132,7 +132,7 @@ Displays Windows vault credential objects including cleartext web credentials. Generates a full-memory minidump of a process. -#### 'Get-MicrophoneAudio' +#### `Get-MicrophoneAudio` Records audio from system microphone and saves to disk diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1 index 32aa10f..5d404f3 100755 --- a/Recon/PowerView.ps1 +++ b/Recon/PowerView.ps1 
@@ -4894,6 +4894,119 @@ http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices- } +function Set-DomainUserPassword { +<# +.SYNOPSIS + +Sets the password for a given user identity and returns the user object. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-PrincipalContext + +.DESCRIPTION + +First binds to the specified domain context using Get-PrincipalContext. +The bound domain context is then used to search for the specified user -Identity, +which returns a DirectoryServices.AccountManagement.UserPrincipal object. The +SetPassword() function is then invoked on the user, setting the password to -AccountPassword. + +.PARAMETER Identity + +A user SamAccountName (e.g. User1), DistinguishedName (e.g. CN=user1,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1113), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +specifying the user to reset the password for. + +.PARAMETER AccountPassword + +Specifies the password to reset the target user's to. Mandatory. + +.PARAMETER Domain + +Specifies the domain to use to search for the user identity, defaults to the current domain. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.EXAMPLE + +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword + +Resets the password for 'andy' to the password specified. + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword -Credential $Cred + +Resets the password for 'andy' usering the alternate credentials specified. 
+ +.OUTPUTS + +DirectoryServices.AccountManagement.UserPrincipal + +.LINK + +http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/ +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('DirectoryServices.AccountManagement.UserPrincipal')] + Param( + [Parameter(Position = 0, Mandatory = $True)] + [Alias('UserName', 'UserIdentity', 'User')] + [String] + $Identity, + + [Parameter(Mandatory = $True)] + [ValidateNotNullOrEmpty()] + [Alias('Password')] + [Security.SecureString] + $AccountPassword, + + [ValidateNotNullOrEmpty()] + [String] + $Domain, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) + + $ContextArguments = @{ 'Identity' = $Identity } + if ($PSBoundParameters['Domain']) { $ContextArguments['Domain'] = $Domain } + if ($PSBoundParameters['Credential']) { $ContextArguments['Credential'] = $Credential } + $Context = Get-PrincipalContext @ContextArguments + + if ($Context) { + $User = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($Context.Context, $Identity) + + if ($User) { + Write-Verbose "[Set-DomainUserPassword] Attempting to set the password for user '$Identity'" + try { + $TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword) + $User.SetPassword($TempCred.GetNetworkCredential().Password) + + $Null = $User.Save() + Write-Verbose "[Set-DomainUserPassword] Password for user '$Identity' successfully reset" + $User + } + catch { + Write-Warning "[Set-DomainUserPassword] Error setting password for user '$Identity' : $_" + } + } + else { + Write-Warning "[Set-DomainUserPassword] Unable to find user '$Identity'" + } + } +} + + function Get-DomainUserEvent { <# .SYNOPSIS diff --git a/Recon/README.md b/Recon/README.md index acc2627..7fcacc5 100644 --- a/Recon/README.md +++ b/Recon/README.md 
@@ -58,6 +58,7 @@ an array of hosts from the pipeline. Find-DomainObjectPropertyOutlier- inds user/group/computer objects in AD that have 'outlier' properties set Get-DomainUser - return all users or specific user objects in AD New-DomainUser - creates a new domain user (assuming appropriate permissions) and returns the user object + Set-DomainUserPassword - sets the password for a given user identity and returns the user object Get-DomainUserEvent - enumerates account logon events (ID 4624) and Logon with explicit credential events Get-DomainComputer - returns all computers or specific computer objects in AD Get-DomainObject - returns all (or specified) domain objects in AD diff --git a/Recon/Recon.psd1 b/Recon/Recon.psd1 index 6cdcfba..7e2abcb 100644 --- a/Recon/Recon.psd1 +++ b/Recon/Recon.psd1 @@ -46,6 +46,7 @@ FunctionsToExport = @( 'Find-DomainObjectPropertyOutlier', 'Get-DomainUser', 'New-DomainUser', + 'Set-DomainUserPassword', 'Get-DomainUserEvent', 'Get-DomainComputer', 'Get-DomainObject', diff --git a/docs/Recon/Set-DomainUserPassword.md b/docs/Recon/Set-DomainUserPassword.md new file mode 100755 index 0000000..1712294 --- /dev/null +++ b/docs/Recon/Set-DomainUserPassword.md 
@@ -0,0 +1,127 @@ +# Set-DomainUserPassword + +## SYNOPSIS +Sets the password for a given user identity and returns the user object. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-PrincipalContext + +## SYNTAX + +``` +Set-DomainUserPassword [-Identity] -AccountPassword [-Domain ] + [-Credential ] +``` + +## DESCRIPTION +First binds to the specified domain context using Get-PrincipalContext. +The bound domain context is then used to search for the specified user -Identity, +which returns a DirectoryServices.AccountManagement.UserPrincipal object. +The +SetPassword() function is then invoked on the user, setting the password to -AccountPassword. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword + +Resets the password for 'andy' to the password specified. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword -Credential $Cred + +Resets the password for 'andy' usering the alternate credentials specified. + +## PARAMETERS + +### -Identity +A user SamAccountName (e.g. +User1), DistinguishedName (e.g. +CN=user1,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1113), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +specifying the user to reset the password for. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: UserName, UserIdentity, User + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AccountPassword +Specifies the password to reset the target user's to. +Mandatory. + +```yaml +Type: SecureString +Parameter Sets: (All) +Aliases: Password + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use to search for the user identity, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### DirectoryServices.AccountManagement.UserPrincipal + +## NOTES + +## RELATED LINKS + +[http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/](http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/) + diff --git a/docs/Recon/index.md b/docs/Recon/index.md index acc2627..b3eca5c 100644 --- a/docs/Recon/index.md +++ b/docs/Recon/index.md 
@@ -1,17 +1,3 @@ -To install this module, drop the entire Recon folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. - -The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" -The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" - -To use the module, type `Import-Module Recon` - -To see the commands imported, type `Get-Command -Module Recon` - -For help on each individual command, Get-Help is your friend. - -Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. - - ## PowerView PowerView is a PowerShell tool to gain network situational awareness on diff --git a/docs/index.md b/docs/index.md index c348b9e..67ddcbc 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -1,189 +1,74 @@ -### PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts: +## Overview +PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. -## CodeExecution +### CodeExecution +Execute code on a target machine. -**Execute code on a target machine.** + Invoke-DllInjection - Injects a Dll into the process ID of your choosing. + Invoke-ReflectivePEInjection - Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process. + Invoke-Shellcode - Injects shellcode into the process ID of your choosing or within PowerShell locally. + Invoke-WmiCommand - Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel -#### `Invoke-DllInjection` +### ScriptModification +Modify and/or prepare scripts for execution on a compromised machine. -Injects a Dll into the process ID of your choosing. + Out-EncodedCommand - Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script. + Out-CompressedDll - Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory. + Out-EncryptedScript - Encrypts text files/scripts. + Remove-Comments - Strips comments and extra whitespace from a script. -#### `Invoke-ReflectivePEInjection` +### Persistence -Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process. +Add persistence capabilities to a PowerShell script. -#### `Invoke-Shellcode` + New-UserPersistenceOption - Configure user-level persistence options for the Add-Persistence function. + New-ElevatedPersistenceOption - Configure elevated persistence options for the Add-Persistence function. 
+ Add-Persistence - Add persistence capabilities to a script. + Install-SSP - Installs a security support provider (SSP) dll. + Get-SecurityPackages - Enumerates all loaded security packages (SSPs). -Injects shellcode into the process ID of your choosing or within PowerShell locally. +### AntivirusBypass +AV doesn't stand a chance against PowerShell! -#### `Invoke-WmiCommand` + Find-AVSignature - Locates single Byte AV signatures utilizing the same method as DSplit from "class101". -Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel. +### Exfiltration +All your data belong to me! -## ScriptModification + Invoke-TokenManipulation - Lists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in the current thread. + Invoke-CredentialInjection - Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon). + Invoke-NinjaCopy - Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures. + Invoke-Mimikatz - Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz. + Get-Keystrokes - Logs keys pressed, time and the active window. + Get-GPPPassword - Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. + Get-GPPAutologon - Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences. + Get-TimedScreenshot - A function that takes screenshots at a regular interval and saves them to a folder. + New-VolumeShadowCopy - Creates a new volume shadow copy. + Get-VolumeShadowCopy - Lists the device paths of all local volume shadow copies. + Mount-VolumeShadowCopy - Mounts a volume shadow copy. + Remove-VolumeShadowCopy - Deletes a volume shadow copy. 
+ Get-VaultCredential - Displays Windows vault credential objects including cleartext web credentials. + Out-Minidump - Generates a full-memory minidump of a process. + Get-MicrophoneAudio - Records audio from system microphone and saves to disk. -**Modify and/or prepare scripts for execution on a compromised machine.** +### Mayhem +Cause general mayhem with PowerShell. -#### `Out-EncodedCommand` + Set-MasterBootRecord - Proof of concept code that overwrites the master boot record with the message of your choice. + Set-CriticalProcess - Causes your machine to blue screen upon exiting PowerShell. -Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script. +### Privesc +Tools to help with escalating privileges on a target, including PowerUp. -#### `Out-CompressedDll` + PowerUp - Clearing house of common privilege escalation checks, along with some weaponization vectors. -Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory. +### Recon +Tools to aid in the reconnaissance phase of a penetration test, including PowerView. -#### `Out-EncryptedScript` - -Encrypts text files/scripts. - -#### `Remove-Comments` - -Strips comments and extra whitespace from a script. - -## Persistence - -**Add persistence capabilities to a PowerShell script** - -#### `New-UserPersistenceOption` - -Configure user-level persistence options for the Add-Persistence function. - -#### `New-ElevatedPersistenceOption` - -Configure elevated persistence options for the Add-Persistence function. - -#### `Add-Persistence` - -Add persistence capabilities to a script. - -#### `Install-SSP` - -Installs a security support provider (SSP) dll. - -#### `Get-SecurityPackages` - -Enumerates all loaded security packages (SSPs). - -## AntivirusBypass - -**AV doesn't stand a chance against PowerShell!** - -#### `Find-AVSignature` - -Locates single Byte AV signatures utilizing the same method as DSplit from "class101". 
- -## Exfiltration - -**All your data belong to me!** - -#### `Invoke-TokenManipulation` - -Lists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in the current thread. - -#### `Invoke-CredentialInjection` - -Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon). - -#### `Invoke-NinjaCopy` - -Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures. - -#### `Invoke-Mimikatz` - -Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz. - -#### `Get-Keystrokes` - -Logs keys pressed, time and the active window. - -#### `Get-GPPPassword` - -Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. - -#### `Get-GPPAutologon` - -Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences. - -#### `Get-TimedScreenshot` - -A function that takes screenshots at a regular interval and saves them to a folder. - -#### `New-VolumeShadowCopy` - -Creates a new volume shadow copy. - -#### `Get-VolumeShadowCopy` - -Lists the device paths of all local volume shadow copies. - -#### `Mount-VolumeShadowCopy` - -Mounts a volume shadow copy. - -#### `Remove-VolumeShadowCopy` - -Deletes a volume shadow copy. - -#### `Get-VaultCredential` - -Displays Windows vault credential objects including cleartext web credentials. - -#### `Out-Minidump` - -Generates a full-memory minidump of a process. - -#### 'Get-MicrophoneAudio' - -Records audio from system microphone and saves to disk - -## Mayhem - -**Cause general mayhem with PowerShell.** - -#### `Set-MasterBootRecord` - -Proof of concept code that overwrites the master boot record with the - message of your choice. 
- -#### `Set-CriticalProcess` - -Causes your machine to blue screen upon exiting PowerShell. - -## Privesc - -**Tools to help with escalating privileges on a target.** - -#### `PowerUp` - -Clearing house of common privilege escalation checks, along with some weaponization vectors. - -## Recon - -**Tools to aid in the reconnaissance phase of a penetration test.** - -#### `Invoke-Portscan` - -Does a simple port scan using regular sockets, based (pretty) loosely on nmap. - -#### `Get-HttpStatus` - -Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file. - -#### `Invoke-ReverseDnsLookup` - -Scans an IP address range for DNS PTR records. - -#### `PowerView` - -PowerView is series of functions that performs network and Windows domain enumeration and exploitation. - -## Recon\Dictionaries - -**A collection of dictionaries used to aid in the reconnaissance phase of a penetration test. Dictionaries were taken from the following sources.** - -* admin.txt - -* generic.txt - -* sharepoint.txt - + Invoke-Portscan - Does a simple port scan using regular sockets, based (pretty) loosely on nmap. + Get-HttpStatus - Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file. + Invoke-ReverseDnsLookup - Scans an IP address range for DNS PTR records. + PowerView - PowerView is series of functions that performs network and Windows domain enumeration and exploitation. ## License diff --git a/mkdocs.yml b/mkdocs.yml index fb9ad52..fcaef8d 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -29,6 +29,7 @@ pages: - Find-DomainObjectPropertyOutlier: 'Recon/Find-DomainObjectPropertyOutlier.md' - Get-DomainUser: 'Recon/Get-DomainUser.md' - New-DomainUser: 'Recon/New-DomainUser.md' + - Set-DomainUserPassword: 'Recon/Set-DomainUserPassword.md' - Get-DomainUserEvent: 'Recon/Get-DomainUserEvent.md' - Get-DomainComputer: 'Recon/Get-DomainComputer.md' - Get-DomainObject: 'Recon/Get-DomainObject.md' -- cgit v1.2.3
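Review bot: several of the new function descriptions in the Recon/README.md hunk of commit 6aca12a carry typos that go straight into the rendered docs. `Find-DomainObjectPropertyOutlier- inds user/group/computer objects in AD that have 'outlier' properties set` is missing both the space before the dash and the first letter of "finds"; `Set-DomainObject - modifies a gven property for a specified active directory object` should read "given"; `Test-AdminAccess - rests if the current user has administrative access` should read "tests"; and the Get-WMIRegProxy line has "conents" for "contents". Separately, the description of Remove-RemoteConnection says it "destroys a connection created by New-RemoteConnection", but no New-RemoteConnection exists in the list; the counterpart added two lines above is Add-RemoteConnection, so one of the two names is wrong.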
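Review bot: in the Recon/PowerView.ps1 hunk of commit f4f5fb1, Set-DomainUserPassword performs a state-changing and audited operation (it resets another account's password and commits it with `$User.Save()`), yet the function opens with `[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]` and declares no `[CmdletBinding(SupportsShouldProcess = $True)]`, so callers get no -WhatIf/-Confirm safety net. Suggest declaring SupportsShouldProcess and guarding the SetPassword/Save calls with `if ($PSCmdlet.ShouldProcess($Identity, 'Reset password'))` instead of suppressing the analyzer rule. Two smaller points in the same hunk: the .PARAMETER AccountPassword text "Specifies the password to reset the target user's to." is missing the word "password", and the second .EXAMPLE says "usering" for "using"; that example also reuses the literal 'Password123!' for both the alternate credential and the new password, which reads as a copy-paste slip.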
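Review bot: the Recon/README.md hunk of commit f4f5fb1 adds the Set-DomainUserPassword line directly beneath the context line `Find-DomainObjectPropertyOutlier- inds user/group/computer objects in AD that have 'outlier' properties set`, which still has the missing space and the truncated "finds" from the previous commit; since the file is being touched anyway, fixing that neighbouring line in the same change would be cheap.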
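Review bot: both EXAMPLES blocks in the new docs/Recon/Set-DomainUserPassword.md are mis-fenced. Under EXAMPLE 1 only `$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force` sits inside the code fence, while the actual call `Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword` follows as plain paragraph text; EXAMPLE 2 has the same problem with three of its four lines outside the fence. The fences should enclose the whole example (this looks like the doc generator splitting on the first blank line of the comment-based help, so the fix may belong in the source help layout). The DESCRIPTION also has a stray break that leaves "The" alone on its own line before "SetPassword()", the INPUTS and NOTES sections are empty headings, and the "usering" typo from the source help is carried through.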
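Review bot: the docs/Recon/index.md hunk deletes the module installation instructions (the $Env:PSModulePath note, the per-user and computer-level module paths, `Import-Module Recon`, `Get-Command -Module Recon` and the Get-Help pointer) but nothing else in this diff adds them back; the docs/index.md rewrite in the same commit does not contain them either. If the intent is to keep a single copy at the top level, that copy should land in the same commit, otherwise the Recon docs lose the only install guidance they had.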
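Review bot: the docs/index.md rewrite silently drops the "Recon\Dictionaries" section (admin.txt, generic.txt, sharepoint.txt and their source attribution) with nothing replacing it; if those dictionaries still ship with the module the section should be kept, and if they were removed the commit message should say so. The reformat also carries "PowerView is series of functions" (missing "a") over into the new indented list, where it could have been corrected.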