From 54971370cfb150e69a0faa064071a4ac0a3283a4 Mon Sep 17 00:00:00 2001 From: webstersprodigy Date: Tue, 22 Oct 2013 21:04:24 -0700 Subject: Fix for hostfiles option in powershell 2 --- Recon/Invoke-Portscan.ps1 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'Recon') diff --git a/Recon/Invoke-Portscan.ps1 b/Recon/Invoke-Portscan.ps1 index 46a5337..ab03734 100644 --- a/Recon/Invoke-Portscan.ps1 +++ b/Recon/Invoke-Portscan.ps1 @@ -647,14 +647,14 @@ http://webstersprodigy.net [Environment]::CurrentDirectory=(Get-Location -PSProvider FileSystem).ProviderPath - if ($Hosts) + if ($PsCmdlet.ParameterSetName -eq "cmdHosts") { foreach($h in $Hosts) { Parse-Hosts($h) | Out-Null } } - elseif ($HostFile) + else { Parse-ILHosts($HostFile) | Out-Null } -- cgit v1.2.3 From 237d362acff8ef134f0ccc9150e6b6ab8a25e768 Mon Sep 17 00:00:00 2001 
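Review bot: The bare `else` now routes every parameter set other than `cmdHosts` into `Parse-ILHosts($HostFile)`, so the mutual exclusion between `-Hosts` and `-HostFile` rests entirely on the function declaring exactly two parameter sets, which the hunk does not show; if a third set is ever added, `Parse-ILHosts` runs with an empty path. Keeping the branch symmetric with the new `if`, `elseif ($PsCmdlet.ParameterSetName -eq '<file-set name>')`, and ending with `else { throw 'No hosts or host file supplied.' }` makes the unexpected case fail loudly instead of silently scanning nothing. A one-line comment above the `if`, `# Branch on the parameter set, not on $Hosts itself (PowerShell 2 compatibility, see commit)`, would record why the truthiness test was dropped; that motive is inferred from the subject line and should be confirmed. Invoke-Portscan's body starts and ends outside the hunk.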
From: mattifestation Date: Wed, 13 Nov 2013 21:01:02 -0500 Subject: Normalized all scripts to ASCII encoding --- AntivirusBypass/AntivirusBypass.psd1 | 4 ++-- AntivirusBypass/AntivirusBypass.psm1 | 2 +- AntivirusBypass/Find-AVSignature.ps1 | 2 +- CodeExecution/CodeExecution.psd1 | 4 ++-- CodeExecution/CodeExecution.psm1 | 2 +- CodeExecution/Invoke-DllInjection.ps1 | 2 +- CodeExecution/Invoke-ReflectivePEInjection.ps1 | 2 +- CodeExecution/Invoke-ShellcodeMSIL.ps1 | 4 ++-- CodeExecution/Watch-BlueScreen.ps1 | 6 +++--- Exfiltration/Exfiltration.psd1 | 4 ++-- Exfiltration/Exfiltration.psm1 | 2 +- Exfiltration/Get-GPPPassword.ps1 | 2 +- Exfiltration/Get-Keystrokes.ps1 | 4 ++-- Exfiltration/Get-TimedScreenshot.ps1 | 2 +- Exfiltration/Invoke-Mimikatz.ps1 | 2 +- Exfiltration/Invoke-NinjaCopy.ps1 | 2 +- Exfiltration/Invoke-TokenManipulation.ps1 | 2 +- Exfiltration/Out-Minidump.ps1 | 4 ++-- PETools/Get-LibSymbols.format.ps1xml | 4 ++-- PETools/Get-LibSymbols.ps1 | 4 ++-- PETools/Get-ObjDump.format.ps1xml | 4 ++-- PETools/Get-ObjDump.ps1 | 4 ++-- PETools/Get-PEHeader.ps1 | 2 +- PETools/PETools.format.ps1xml | 2 +- PETools/PETools.psd1 | 4 ++-- PETools/PETools.psm1 | 2 +- Persistence/Add-Persistence.ps1 | 4 ++-- Persistence/New-ElevatedPersistenceOptions.ps1 | 4 ++-- Persistence/New-UserPersistenceOptions.ps1 | 4 ++-- Persistence/Persistence.psd1 | 4 ++-- Persistence/Persistence.psm1 | 4 ++-- PowerSploit.psd1 | 4 ++-- PowerSploit.psm1 | 2 +- Recon/Get-HttpStatus.ps1 | 2 +- Recon/Invoke-Portscan.ps1 | 2 +- Recon/Recon.psd1 | 8 ++++---- Recon/Recon.psm1 | 2 +- ReverseEngineering/ConvertTo-String.ps1 | 4 ++-- ReverseEngineering/Get-ILDisassembly.format.ps1xml | 4 ++-- ReverseEngineering/Get-ILDisassembly.ps1 | 2 +- ReverseEngineering/Get-MethodAddress.ps1 | 4 ++-- .../Get-NtSystemInformation.format.ps1xml | 2 +- ReverseEngineering/Get-NtSystemInformation.ps1 | 2 +- ReverseEngineering/Get-PEB.format.ps1xml | 2 +- ReverseEngineering/Get-PEB.ps1 | 4 ++-- 
ReverseEngineering/Get-Strings.ps1 | 4 ++-- ReverseEngineering/Get-StructFromMemory.ps1 | 4 ++-- ReverseEngineering/New-Object.ps1 | Bin 4376 -> 2189 bytes ReverseEngineering/ProcessModuleTrace.format.ps1xml | 4 ++-- ReverseEngineering/ProcessModuleTrace.ps1 | 4 ++-- ReverseEngineering/ReverseEngineering.psd1 | 2 +- ReverseEngineering/ReverseEngineering.psm1 | 2 +- ScriptModification/Out-CompressedDll.ps1 | 4 ++-- ScriptModification/Out-EncodedCommand.ps1 | 4 ++-- ScriptModification/Out-EncryptedScript.ps1 | 2 +- ScriptModification/Remove-Comments.ps1 | 4 ++-- ScriptModification/ScriptModification.psd1 | 4 ++-- ScriptModification/ScriptModification.psm1 | 2 +- 58 files changed, 91 insertions(+), 91 deletions(-) (limited to 'Recon') diff --git a/AntivirusBypass/AntivirusBypass.psd1 b/AntivirusBypass/AntivirusBypass.psd1 index ab2918b..29949c1 100644 --- a/AntivirusBypass/AntivirusBypass.psd1 +++ b/AntivirusBypass/AntivirusBypass.psd1 @@ -1,4 +1,4 @@ -@{ +@{ # Script module or binary module file associated with this manifest. ModuleToProcess = 'AntivirusBypass.psm1' @@ -84,4 +84,4 @@ FileList = 'AntivirusBypass.psm1', 'AntivirusBypass.psd1', 'Find-AVSignature.ps1 # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. # DefaultCommandPrefix = '' -} \ No newline at end of file +} diff --git a/AntivirusBypass/AntivirusBypass.psm1 b/AntivirusBypass/AntivirusBypass.psm1 index e5234fb..81d3818 100644 --- a/AntivirusBypass/AntivirusBypass.psm1 +++ b/AntivirusBypass/AntivirusBypass.psm1 @@ -1 +1 @@ -Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} \ No newline at end of file +Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} diff --git a/AntivirusBypass/Find-AVSignature.ps1 b/AntivirusBypass/Find-AVSignature.ps1 index 80e2b1f..d2487b3 100644 --- a/AntivirusBypass/Find-AVSignature.ps1 +++ b/AntivirusBypass/Find-AVSignature.ps1 
@@ -183,4 +183,4 @@ http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2 #During testing using large binaries, memory usage was excessive so lets fix that [System.GC]::Collect() Write-Verbose "Completed!" -} \ No newline at end of file +} diff --git a/CodeExecution/CodeExecution.psd1 b/CodeExecution/CodeExecution.psd1 index 394c7de..07963fc 100644 --- a/CodeExecution/CodeExecution.psd1 +++ b/CodeExecution/CodeExecution.psd1 @@ -1,4 +1,4 @@ -@{ +@{ # Script module or binary module file associated with this manifest. ModuleToProcess = 'CodeExecution.psm1' @@ -85,4 +85,4 @@ FileList = 'CodeExecution.psm1', 'CodeExecution.psd1', 'Invoke-Shellcode.ps1', ' # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. # DefaultCommandPrefix = '' -} \ No newline at end of file +} diff --git a/CodeExecution/CodeExecution.psm1 b/CodeExecution/CodeExecution.psm1 index e5234fb..81d3818 100644 --- a/CodeExecution/CodeExecution.psm1 +++ b/CodeExecution/CodeExecution.psm1 @@ -1 +1 @@ -Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} \ No newline at end of file +Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} diff --git a/CodeExecution/Invoke-DllInjection.ps1 b/CodeExecution/Invoke-DllInjection.ps1 index 572a911..8395ab8 100644 --- a/CodeExecution/Invoke-DllInjection.ps1 +++ b/CodeExecution/Invoke-DllInjection.ps1 @@ -325,4 +325,4 @@ http://www.exploit-monday.com } Write-Verbose "Injected DLL information:$($DllInfo)" -} \ No newline at end of file +} diff --git a/CodeExecution/Invoke-ReflectivePEInjection.ps1 b/CodeExecution/Invoke-ReflectivePEInjection.ps1 index ccc1dd6..599212b 100644 --- a/CodeExecution/Invoke-ReflectivePEInjection.ps1 +++ b/CodeExecution/Invoke-ReflectivePEInjection.ps1 @@ -2840,4 +2840,4 @@ Function Main } Main -} \ No newline at end of file +} 
diff --git a/CodeExecution/Invoke-ShellcodeMSIL.ps1 b/CodeExecution/Invoke-ShellcodeMSIL.ps1 index 4123d06..158a643 100644 --- a/CodeExecution/Invoke-ShellcodeMSIL.ps1 +++ b/CodeExecution/Invoke-ShellcodeMSIL.ps1 @@ -1,4 +1,4 @@ -function Invoke-ShellcodeMSIL +function Invoke-ShellcodeMSIL { <# .SYNOPSIS @@ -264,4 +264,4 @@ { Write-Verbose 'Shellcode executed successfully!' } -} \ No newline at end of file +} diff --git a/CodeExecution/Watch-BlueScreen.ps1 b/CodeExecution/Watch-BlueScreen.ps1 index 2fa317e..0a12a91 100644 --- a/CodeExecution/Watch-BlueScreen.ps1 +++ b/CodeExecution/Watch-BlueScreen.ps1 @@ -1,4 +1,4 @@ -function Watch-BlueScreen +function Watch-BlueScreen { <# .SYNOPSIS @@ -15,7 +15,7 @@ .NOTES Tavis Ormandy documented this technique on 2/3/2013 and Nikita Tarakanov - ‏tweeted this technique on 5/13/2013. + ?tweeted this technique on 5/13/2013. .LINK @@ -75,4 +75,4 @@ $Gdi32::SetLayout($DC, $LAYOUT_RTL) | Out-Null $Gdi32::ScaleWindowExtEx($DC, [Int32]::MinValue, -1, 1, 1, [IntPtr]::Zero) | Out-Null } -} \ No newline at end of file +} diff --git a/Exfiltration/Exfiltration.psd1 b/Exfiltration/Exfiltration.psd1 index 5268eb2..89359ef 100644 --- a/Exfiltration/Exfiltration.psd1 +++ b/Exfiltration/Exfiltration.psd1 @@ -1,4 +1,4 @@ -@{ +@{ # Script module or binary module file associated with this manifest. ModuleToProcess = 'Exfiltration.psm1' @@ -86,4 +86,4 @@ FileList = 'Exfiltration.psm1', 'Exfiltration.psd1', 'Get-TimedScreenshot.ps1', # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. # DefaultCommandPrefix = '' -} \ No newline at end of file +} diff --git a/Exfiltration/Exfiltration.psm1 b/Exfiltration/Exfiltration.psm1 index e5234fb..81d3818 100644 --- a/Exfiltration/Exfiltration.psm1 +++ b/Exfiltration/Exfiltration.psm1 
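Review bot: The `?` that now precedes `tweeted` in the .NOTES block of Watch-BlueScreen.ps1 is the substitution character left behind by the ASCII conversion, not intended text; the old line carried an invisible Unicode mark that should have been dropped rather than replaced. The new line should read `tweeted this technique on 5/13/2013.` with no leading character. The same conversion turned ReverseEngineering/New-Object.ps1 into a file git now reports as binary (4376 -> 2189 bytes), which appears to be a lossy re-encoding and is worth opening to confirm it is still a readable script. Watch-BlueScreen's function body lies outside this hunk.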
@@ -1 +1 @@ -Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} \ No newline at end of file +Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} diff --git a/Exfiltration/Get-GPPPassword.ps1 b/Exfiltration/Get-GPPPassword.ps1 index 7dbd23d..12d2785 100644 --- a/Exfiltration/Get-GPPPassword.ps1 +++ b/Exfiltration/Get-GPPPassword.ps1 @@ -1,4 +1,4 @@ -function Get-GPPPassword { +function Get-GPPPassword { <# .SYNOPSIS diff --git a/Exfiltration/Get-Keystrokes.ps1 b/Exfiltration/Get-Keystrokes.ps1 index 48b7df6..75400a1 100644 --- a/Exfiltration/Get-Keystrokes.ps1 +++ b/Exfiltration/Get-Keystrokes.ps1 @@ -1,4 +1,4 @@ -function Get-Keystrokes { +function Get-Keystrokes { <# .SYNOPSIS @@ -246,4 +246,4 @@ } | Out-Null } -} \ No newline at end of file +} diff --git a/Exfiltration/Get-TimedScreenshot.ps1 b/Exfiltration/Get-TimedScreenshot.ps1 index c14c723..e1ca823 100644 --- a/Exfiltration/Get-TimedScreenshot.ps1 +++ b/Exfiltration/Get-TimedScreenshot.ps1 @@ -1,4 +1,4 @@ -function Get-TimedScreenshot +function Get-TimedScreenshot { <# .SYNOPSIS diff --git a/Exfiltration/Invoke-Mimikatz.ps1 b/Exfiltration/Invoke-Mimikatz.ps1 index 289652c..6eff83c 100644 --- a/Exfiltration/Invoke-Mimikatz.ps1 +++ b/Exfiltration/Invoke-Mimikatz.ps1 @@ -2710,4 +2710,4 @@ Function Main } Main -} \ No newline at end of file +} diff --git a/Exfiltration/Invoke-NinjaCopy.ps1 b/Exfiltration/Invoke-NinjaCopy.ps1 index cfa763f..7ff5bfa 100644 --- a/Exfiltration/Invoke-NinjaCopy.ps1 +++ b/Exfiltration/Invoke-NinjaCopy.ps1 @@ -2845,4 +2845,4 @@ Main [GC]::Collect() [GC]::Collect() -} \ No newline at end of file +} diff --git a/Exfiltration/Invoke-TokenManipulation.ps1 b/Exfiltration/Invoke-TokenManipulation.ps1 index c692299..7e56ef0 100644 --- a/Exfiltration/Invoke-TokenManipulation.ps1 +++ b/Exfiltration/Invoke-TokenManipulation.ps1 @@ -1,4 +1,4 @@ -function Invoke-TokenManipulation +function Invoke-TokenManipulation { <# .SYNOPSIS 
diff --git a/Exfiltration/Out-Minidump.ps1 b/Exfiltration/Out-Minidump.ps1 index afb7dc9..a43ee0f 100644 --- a/Exfiltration/Out-Minidump.ps1 +++ b/Exfiltration/Out-Minidump.ps1 @@ -1,4 +1,4 @@ -function Out-Minidump +function Out-Minidump { <# .SYNOPSIS @@ -127,4 +127,4 @@ } END {} -} \ No newline at end of file +} diff --git a/PETools/Get-LibSymbols.format.ps1xml b/PETools/Get-LibSymbols.format.ps1xml index 41747cb..5d4d848 100644 --- a/PETools/Get-LibSymbols.format.ps1xml +++ b/PETools/Get-LibSymbols.format.ps1xml @@ -1,4 +1,4 @@ - + @@ -28,4 +28,4 @@ - \ No newline at end of file + diff --git a/PETools/Get-LibSymbols.ps1 b/PETools/Get-LibSymbols.ps1 index 414454f..9864676 100644 --- a/PETools/Get-LibSymbols.ps1 +++ b/PETools/Get-LibSymbols.ps1 @@ -1,4 +1,4 @@ -function Get-LibSymbols +function Get-LibSymbols { <# .SYNOPSIS @@ -279,4 +279,4 @@ } END {} -} \ No newline at end of file +} diff --git a/PETools/Get-ObjDump.format.ps1xml b/PETools/Get-ObjDump.format.ps1xml index d44ade0..25e13b8 100644 --- a/PETools/Get-ObjDump.format.ps1xml +++ b/PETools/Get-ObjDump.format.ps1xml @@ -1,4 +1,4 @@ - + @@ -289,4 +289,4 @@ - \ No newline at end of file + diff --git a/PETools/Get-ObjDump.ps1 b/PETools/Get-ObjDump.ps1 index 3df8235..2a8ebcb 100644 --- a/PETools/Get-ObjDump.ps1 +++ b/PETools/Get-ObjDump.ps1 @@ -1,4 +1,4 @@ -function Get-ObjDump +function Get-ObjDump { <# .SYNOPSIS @@ -705,4 +705,4 @@ } END {} -} \ No newline at end of file +} diff --git a/PETools/Get-PEHeader.ps1 b/PETools/Get-PEHeader.ps1 index 2f35292..0021377 100644 --- a/PETools/Get-PEHeader.ps1 +++ b/PETools/Get-PEHeader.ps1 @@ -957,4 +957,4 @@ PROCESS { } -} \ No newline at end of file +} diff --git a/PETools/PETools.format.ps1xml b/PETools/PETools.format.ps1xml index 17d2c56..c510281 100644 --- a/PETools/PETools.format.ps1xml +++ b/PETools/PETools.format.ps1xml @@ -371,4 +371,4 @@ - \ No newline at end of file + diff --git a/PETools/PETools.psd1 b/PETools/PETools.psd1 index 28a60b9..ef470a7 100644 
--- a/PETools/PETools.psd1 +++ b/PETools/PETools.psd1 @@ -1,4 +1,4 @@ -@{ +@{ # Script module or binary module file associated with this manifest. ModuleToProcess = 'PETools.psm1' @@ -86,4 +86,4 @@ FileList = 'PETools.psm1', 'PETools.psd1', 'PETools.format.ps1xml', 'Get-DllLoad # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. # DefaultCommandPrefix = '' -} \ No newline at end of file +} diff --git a/PETools/PETools.psm1 b/PETools/PETools.psm1 index e5234fb..81d3818 100644 --- a/PETools/PETools.psm1 +++ b/PETools/PETools.psm1 @@ -1 +1 @@ -Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} \ No newline at end of file +Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} diff --git a/Persistence/Add-Persistence.ps1 b/Persistence/Add-Persistence.ps1 index cd04fbf..27d7ba7 100644 --- a/Persistence/Add-Persistence.ps1 +++ b/Persistence/Add-Persistence.ps1 @@ -1,4 +1,4 @@ -function Add-Persistence +function Add-Persistence { <# .SYNOPSIS @@ -397,4 +397,4 @@ $UserTriggerRemoval } #endregion -} \ No newline at end of file +} diff --git a/Persistence/New-ElevatedPersistenceOptions.ps1 b/Persistence/New-ElevatedPersistenceOptions.ps1 index 4e11dee..5e04286 100644 --- a/Persistence/New-ElevatedPersistenceOptions.ps1 +++ b/Persistence/New-ElevatedPersistenceOptions.ps1 @@ -1,4 +1,4 @@ -function New-ElevatedPersistenceOptions +function New-ElevatedPersistenceOptions { <# .SYNOPSIS @@ -167,4 +167,4 @@ $PersistenceOptions.PSObject.TypeNames[0] = 'PowerSploit.Persistence.ElevatedPersistenceOptions' Write-Output $PersistenceOptions -} \ No newline at end of file +} diff --git a/Persistence/New-UserPersistenceOptions.ps1 b/Persistence/New-UserPersistenceOptions.ps1 index 9672c2e..3b33ffa 100644 --- a/Persistence/New-UserPersistenceOptions.ps1 +++ b/Persistence/New-UserPersistenceOptions.ps1 
@@ -1,4 +1,4 @@ -function New-UserPersistenceOptions +function New-UserPersistenceOptions { <# .SYNOPSIS @@ -125,4 +125,4 @@ $PersistenceOptions.PSObject.TypeNames[0] = 'PowerSploit.Persistence.UserPersistenceOptions' Write-Output $PersistenceOptions -} \ No newline at end of file +} diff --git a/Persistence/Persistence.psd1 b/Persistence/Persistence.psd1 index 21a7871..de97697 100644 --- a/Persistence/Persistence.psd1 +++ b/Persistence/Persistence.psd1 @@ -1,4 +1,4 @@ -@{ +@{ # Script module or binary module file associated with this manifest. ModuleToProcess = 'Persistence.psm1' @@ -34,4 +34,4 @@ ModuleList = @(@{ModuleName = 'Persistence'; ModuleVersion = '1.0.0.0'; GUID = ' FileList = 'Persistence.psm1', 'Persistence.psd1', 'Add-Persistence.ps1', 'New-ElevatedPersistenceOptions.ps1', 'New-UserPersistenceOptions.ps1', 'Usage.md' -} \ No newline at end of file +} diff --git a/Persistence/Persistence.psm1 b/Persistence/Persistence.psm1 index 4478ee1..04f36be 100644 --- a/Persistence/Persistence.psm1 +++ b/Persistence/Persistence.psm1 @@ -1,3 +1,3 @@ -. (Join-Path $PSScriptRoot New-ElevatedPersistenceOptions.ps1) +. (Join-Path $PSScriptRoot New-ElevatedPersistenceOptions.ps1) . (Join-Path $PSScriptRoot New-UserPersistenceOptions.ps1) -. (Join-Path $PSScriptRoot Add-Persistence.ps1) \ No newline at end of file +. (Join-Path $PSScriptRoot Add-Persistence.ps1) diff --git a/PowerSploit.psd1 b/PowerSploit.psd1 index 8c7f939..54156d2 100644 --- a/PowerSploit.psd1 +++ b/PowerSploit.psd1 @@ -1,4 +1,4 @@ -@{ +@{ # Script module or binary module file associated with this manifest. ModuleToProcess = 'PowerSploit.psm1' @@ -93,4 +93,4 @@ FileList = 'PowerSploit.psd1', 'PowerSploit.psm1' # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. # DefaultCommandPrefix = '' -} \ No newline at end of file +} diff --git a/PowerSploit.psm1 b/PowerSploit.psm1 index 430c1b8..5ea3b62 100644 --- a/PowerSploit.psm1 
+++ b/PowerSploit.psm1 @@ -1 +1 @@ -Get-ChildItem $PSScriptRoot | ? { $_.PSIsContainer } | % { Import-Module $_.FullName } \ No newline at end of file +Get-ChildItem $PSScriptRoot | ? { $_.PSIsContainer } | % { Import-Module $_.FullName } diff --git a/Recon/Get-HttpStatus.ps1 b/Recon/Get-HttpStatus.ps1 index fde3d26..8b60306 100644 --- a/Recon/Get-HttpStatus.ps1 +++ b/Recon/Get-HttpStatus.ps1 @@ -137,4 +137,4 @@ http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html Write-Output $ScanObject } -} \ No newline at end of file +} diff --git a/Recon/Invoke-Portscan.ps1 b/Recon/Invoke-Portscan.ps1 index ab03734..99bbb89 100644 --- a/Recon/Invoke-Portscan.ps1 +++ b/Recon/Invoke-Portscan.ps1 @@ -1,4 +1,4 @@ -function Invoke-Portscan +function Invoke-Portscan { <# .SYNOPSIS diff --git a/Recon/Recon.psd1 b/Recon/Recon.psd1 index 43ba3a1..88287ef 100644 --- a/Recon/Recon.psd1 +++ b/Recon/Recon.psd1 @@ -1,4 +1,4 @@ -@{ +@{ # Script module or binary module file associated with this manifest. ModuleToProcess = 'Recon.psm1' @@ -72,9 +72,9 @@ AliasesToExport = '' # List of all modules packaged with this module. ModuleList = @(@{ModuleName = 'Recon'; ModuleVersion = '1.0.0.0'; GUID = '7e775ad6-cd3d-4a93-b788-da067274c877'}) -# List of all files packaged with this module +# List of all files packaged with this module FileList = 'Recon.psm1', 'Recon.psd1', 'Get-HttpStatus.ps1', 'Invoke-ReverseDnsLookup.ps1', - 'Invoke-Portscan.ps1', 'Usage.md' + 'Invoke-Portscan.ps1', 'Usage.md' # Private data to pass to the module specified in RootModule/ModuleToProcess # PrivateData = '' @@ -85,4 +85,4 @@ FileList = 'Recon.psm1', 'Recon.psd1', 'Get-HttpStatus.ps1', 'Invoke-ReverseDnsL # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. # DefaultCommandPrefix = '' -} \ No newline at end of file +} diff --git a/Recon/Recon.psm1 b/Recon/Recon.psm1 index e5234fb..81d3818 100644 --- a/Recon/Recon.psm1 +++ b/Recon/Recon.psm1 
@@ -1 +1 @@ -Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} \ No newline at end of file +Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} diff --git a/ReverseEngineering/ConvertTo-String.ps1 b/ReverseEngineering/ConvertTo-String.ps1 index ab46c74..1c030b4 100644 --- a/ReverseEngineering/ConvertTo-String.ps1 +++ b/ReverseEngineering/ConvertTo-String.ps1 @@ -1,4 +1,4 @@ -filter ConvertTo-String +filter ConvertTo-String { <# .SYNOPSIS @@ -67,4 +67,4 @@ http://www.exploit-monday.com $FileStream.Close() Write-Output $BinaryText -} \ No newline at end of file +} diff --git a/ReverseEngineering/Get-ILDisassembly.format.ps1xml b/ReverseEngineering/Get-ILDisassembly.format.ps1xml index 3c610cc..21115d6 100644 --- a/ReverseEngineering/Get-ILDisassembly.format.ps1xml +++ b/ReverseEngineering/Get-ILDisassembly.format.ps1xml @@ -1,4 +1,4 @@ - + @@ -43,4 +43,4 @@ - \ No newline at end of file + diff --git a/ReverseEngineering/Get-ILDisassembly.ps1 b/ReverseEngineering/Get-ILDisassembly.ps1 index af0c2a1..f2022e3 100644 --- a/ReverseEngineering/Get-ILDisassembly.ps1 +++ b/ReverseEngineering/Get-ILDisassembly.ps1 @@ -212,4 +212,4 @@ http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-335.pdf # Adjust the position in the opcode array accordingly $Position += $OperandLength } -} \ No newline at end of file +} diff --git a/ReverseEngineering/Get-MethodAddress.ps1 b/ReverseEngineering/Get-MethodAddress.ps1 index 4a488cf..1ab0d41 100644 --- a/ReverseEngineering/Get-MethodAddress.ps1 +++ b/ReverseEngineering/Get-MethodAddress.ps1 @@ -1,4 +1,4 @@ -function Get-MethodAddress +function Get-MethodAddress { <# .SYNOPSIS @@ -117,4 +117,4 @@ http://www.exploit-monday.com/2012/11/Get-MethodAddress.html { Write-Error "$($MethodInfo.Name) cannot return an unmanaged address." } -} \ No newline at end of file +} 
diff --git a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml index 41b5280..fa3ed41 100644 --- a/ReverseEngineering/Get-NtSystemInformation.format.ps1xml +++ b/ReverseEngineering/Get-NtSystemInformation.format.ps1xml @@ -437,4 +437,4 @@ - \ No newline at end of file + diff --git a/ReverseEngineering/Get-NtSystemInformation.ps1 b/ReverseEngineering/Get-NtSystemInformation.ps1 index bb0871a..2bde8f6 100644 --- a/ReverseEngineering/Get-NtSystemInformation.ps1 +++ b/ReverseEngineering/Get-NtSystemInformation.ps1 @@ -1,4 +1,4 @@ -function Get-NtSystemInformation +function Get-NtSystemInformation { <# .SYNOPSIS diff --git a/ReverseEngineering/Get-PEB.format.ps1xml b/ReverseEngineering/Get-PEB.format.ps1xml index 3d075eb..59b5362 100644 --- a/ReverseEngineering/Get-PEB.format.ps1xml +++ b/ReverseEngineering/Get-PEB.format.ps1xml @@ -1207,4 +1207,4 @@ - \ No newline at end of file + diff --git a/ReverseEngineering/Get-PEB.ps1 b/ReverseEngineering/Get-PEB.ps1 index 86e064d..7ec5089 100644 --- a/ReverseEngineering/Get-PEB.ps1 +++ b/ReverseEngineering/Get-PEB.ps1 @@ -1,4 +1,4 @@ -function Get-PEB +function Get-PEB { <# .SYNOPSIS @@ -1089,4 +1089,4 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa813706(v=vs.85).aspx END{} -} \ No newline at end of file +} diff --git a/ReverseEngineering/Get-Strings.ps1 b/ReverseEngineering/Get-Strings.ps1 index 7acb9f1..2cb971c 100644 --- a/ReverseEngineering/Get-Strings.ps1 +++ b/ReverseEngineering/Get-Strings.ps1 @@ -1,4 +1,4 @@ -function Get-Strings +function Get-Strings { <# .SYNOPSIS @@ -95,4 +95,4 @@ http://www.exploit-monday.com } } END {} -} \ No newline at end of file +} diff --git a/ReverseEngineering/Get-StructFromMemory.ps1 b/ReverseEngineering/Get-StructFromMemory.ps1 index c32c190..68f7651 100644 --- a/ReverseEngineering/Get-StructFromMemory.ps1 +++ b/ReverseEngineering/Get-StructFromMemory.ps1 
@@ -1,4 +1,4 @@ -function Get-StructFromMemory +function Get-StructFromMemory { <# .SYNOPSIS @@ -200,4 +200,4 @@ http://www.exploit-monday.com $SafeHandle.Close() Write-Output $ParsedStruct -} \ No newline at end of file +} diff --git a/ReverseEngineering/New-Object.ps1 b/ReverseEngineering/New-Object.ps1 index 77b24f6..52c38c8 100644 Binary files a/ReverseEngineering/New-Object.ps1 and b/ReverseEngineering/New-Object.ps1 differ diff --git a/ReverseEngineering/ProcessModuleTrace.format.ps1xml b/ReverseEngineering/ProcessModuleTrace.format.ps1xml index fbad0b9..ffb6761 100644 --- a/ReverseEngineering/ProcessModuleTrace.format.ps1xml +++ b/ReverseEngineering/ProcessModuleTrace.format.ps1xml @@ -1,4 +1,4 @@ - + @@ -33,4 +33,4 @@ - \ No newline at end of file + diff --git a/ReverseEngineering/ProcessModuleTrace.ps1 b/ReverseEngineering/ProcessModuleTrace.ps1 index 3eb57a7..85f7105 100644 --- a/ReverseEngineering/ProcessModuleTrace.ps1 +++ b/ReverseEngineering/ProcessModuleTrace.ps1 @@ -1,4 +1,4 @@ -function Register-ProcessModuleTrace +function Register-ProcessModuleTrace { <# .SYNOPSIS @@ -100,4 +100,4 @@ function Unregister-ProcessModuleTrace #> Unregister-Event -SourceIdentifier 'ModuleLoaded' -} \ No newline at end of file +} diff --git a/ReverseEngineering/ReverseEngineering.psd1 b/ReverseEngineering/ReverseEngineering.psd1 index b7da355..de364e1 100644 --- a/ReverseEngineering/ReverseEngineering.psd1 +++ b/ReverseEngineering/ReverseEngineering.psd1 @@ -1,4 +1,4 @@ -@{ +@{ # Script module or binary module file associated with this manifest. ModuleToProcess = 'ReverseEngineering.psm1' diff --git a/ReverseEngineering/ReverseEngineering.psm1 b/ReverseEngineering/ReverseEngineering.psm1 index 5bb81d3..81d3818 100644 --- a/ReverseEngineering/ReverseEngineering.psm1 +++ b/ReverseEngineering/ReverseEngineering.psm1 
@@ -1 +1 @@ -Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} \ No newline at end of file +Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} diff --git a/ScriptModification/Out-CompressedDll.ps1 b/ScriptModification/Out-CompressedDll.ps1 index 3aa5c2b..5e6897d 100644 --- a/ScriptModification/Out-CompressedDll.ps1 +++ b/ScriptModification/Out-CompressedDll.ps1 @@ -1,4 +1,4 @@ -function Out-CompressedDll +function Out-CompressedDll { <# .SYNOPSIS @@ -78,4 +78,4 @@ $EncodedCompressedFile "@ Write-Output $Output -} \ No newline at end of file +} diff --git a/ScriptModification/Out-EncodedCommand.ps1 b/ScriptModification/Out-EncodedCommand.ps1 index cae4715..04e8c12 100644 --- a/ScriptModification/Out-EncodedCommand.ps1 +++ b/ScriptModification/Out-EncodedCommand.ps1 @@ -1,4 +1,4 @@ -function Out-EncodedCommand +function Out-EncodedCommand { <# .SYNOPSIS @@ -181,4 +181,4 @@ http://www.exploit-monday.com } Write-Output $CommandLineOutput -} \ No newline at end of file +} diff --git a/ScriptModification/Out-EncryptedScript.ps1 b/ScriptModification/Out-EncryptedScript.ps1 index 3f09020..4fc69cf 100644 --- a/ScriptModification/Out-EncryptedScript.ps1 +++ b/ScriptModification/Out-EncryptedScript.ps1 @@ -126,4 +126,4 @@ return $encoding.GetString($h,0,$h.Length); Write-Verbose "Encrypted PS1 file saved to: $(Resolve-Path $FilePath)" -} \ No newline at end of file +} diff --git a/ScriptModification/Remove-Comments.ps1 b/ScriptModification/Remove-Comments.ps1 index ec75927..45a9746 100644 --- a/ScriptModification/Remove-Comments.ps1 +++ b/ScriptModification/Remove-Comments.ps1 @@ -1,4 +1,4 @@ -function Remove-Comments +function Remove-Comments { <# .SYNOPSIS @@ -153,4 +153,4 @@ http://www.leeholmes.com/blog/2007/11/07/syntax-highlighting-in-powershell/ } Write-Output ([ScriptBlock]::Create($StringBuilder.ToString())) -} \ No newline at end of file +} 
diff --git a/ScriptModification/ScriptModification.psd1 b/ScriptModification/ScriptModification.psd1 index 7393c29..d326c12 100644 --- a/ScriptModification/ScriptModification.psd1 +++ b/ScriptModification/ScriptModification.psd1 @@ -1,4 +1,4 @@ -@{ +@{ # Script module or binary module file associated with this manifest. ModuleToProcess = 'ScriptModification.psm1' @@ -85,4 +85,4 @@ FileList = 'ScriptModification.psm1', 'ScriptModification.psd1', 'Out-Compressed # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix. # DefaultCommandPrefix = '' -} \ No newline at end of file +} diff --git a/ScriptModification/ScriptModification.psm1 b/ScriptModification/ScriptModification.psm1 index 5bb81d3..81d3818 100644 --- a/ScriptModification/ScriptModification.psm1 +++ b/ScriptModification/ScriptModification.psm1 @@ -1 +1 @@ -Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} \ No newline at end of file +Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName} -- cgit v1.2.3 From 14780a567874934c49af5f097462ed4953d5a738 Mon Sep 17 00:00:00 2001 From: Chris Campbell Date: Thu, 30 Jan 2014 17:13:25 -0500 Subject: Update Invoke-ReverseDnsLookup.ps1 Added pipeline support and verbose statement. --- Recon/Invoke-ReverseDnsLookup.ps1 | 235 +++++++++++++++++++++----------------- 1 file changed, 130 insertions(+), 105 deletions(-) (limited to 'Recon') diff --git a/Recon/Invoke-ReverseDnsLookup.ps1 b/Recon/Invoke-ReverseDnsLookup.ps1 index 1346ae6..5e811ee 100644 --- a/Recon/Invoke-ReverseDnsLookup.ps1 +++ b/Recon/Invoke-ReverseDnsLookup.ps1 
@@ -50,146 +50,171 @@ IP HostName Description ----------- Returns the hostnames of the IP addresses specified by the IP range specified. + +.EXAMPLE + +PS C:\> Write-Output "74.125.228.1,74.125.228.0/29" | Invoke-ReverseDnsLookup + +IP HostName +-- -------- +74.125.228.1 iad23s05-in-f1.1e100.net +74.125.228.1 iad23s05-in-f1.1e100.net +74.125.228.2 iad23s05-in-f2.1e100.net +74.125.228.3 iad23s05-in-f3.1e100.net +74.125.228.4 iad23s05-in-f4.1e100.net +74.125.228.5 iad23s05-in-f5.1e100.net +74.125.228.6 iad23s05-in-f6.1e100.net + +Description +----------- +Returns the hostnames of the IP addresses piped from another source. + .LINK http://www.exploit-monday.com +https://github.com/mattifestation/PowerSploit #> Param ( - [Parameter(Position = 0, Mandatory = $True)] + [Parameter(Position = 0, Mandatory = $True,ValueFromPipeline=$True)] [String] $IpRange ) - function Parse-IPList ([String] $IpRange) - { - - function IPtoInt + BEGIN { + + function Parse-IPList ([String] $IpRange) { - Param([String] $IpString) + + function IPtoInt + { + Param([String] $IpString) - $Hexstr = "" - $Octets = $IpString.Split(".") - foreach ($Octet in $Octets) { - $Hexstr += "{0:X2}" -f [Int] $Octet + $Hexstr = "" + $Octets = $IpString.Split(".") + foreach ($Octet in $Octets) { + $Hexstr += "{0:X2}" -f [Int] $Octet + } + return [Convert]::ToInt64($Hexstr, 16) } - return [Convert]::ToInt64($Hexstr, 16) - } - function InttoIP - { - Param([Int64] $IpInt) - $Hexstr = $IpInt.ToString("X8") - $IpStr = "" - for ($i=0; $i -lt 8; $i += 2) { - $IpStr += [Convert]::ToInt64($Hexstr.SubString($i,2), 16) - $IpStr += '.' + function InttoIP + { + Param([Int64] $IpInt) + $Hexstr = $IpInt.ToString("X8") + $IpStr = "" + for ($i=0; $i -lt 8; $i += 2) { + $IpStr += [Convert]::ToInt64($Hexstr.SubString($i,2), 16) + $IpStr += '.' 
+ } + return $IpStr.TrimEnd('.') } - return $IpStr.TrimEnd('.') - } - $Ip = [System.Net.IPAddress]::Parse("127.0.0.1") + $Ip = [System.Net.IPAddress]::Parse("127.0.0.1") - foreach ($Str in $IpRange.Split(",")) - { - $Item = $Str.Trim() - $Result = "" - $IpRegex = "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" - - # First, validate the input - switch -regex ($Item) + foreach ($Str in $IpRange.Split(",")) { - "^$IpRegex/\d{1,2}$" - { - $Result = "cidrRange" - break - } - "^$IpRegex-$IpRegex$" - { - $Result = "range" - break - } - "^$IpRegex$" - { - $Result = "single" - break - } - default + $Item = $Str.Trim() + $Result = "" + $IpRegex = "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" + + # First, validate the input + switch -regex ($Item) { - Write-Warning "Inproper input" - return + "^$IpRegex/\d{1,2}$" + { + $Result = "cidrRange" + break + } + "^$IpRegex-$IpRegex$" + { + $Result = "range" + break + } + "^$IpRegex$" + { + $Result = "single" + break + } + default + { + Write-Warning "Inproper input" + return + } } - } - #Now, start processing the IP addresses - switch ($Result) - { - "cidrRange" + #Now, start processing the IP addresses + switch ($Result) { - $CidrRange = $Item.Split("/") - $Network = $CidrRange[0] - $Mask = $CidrRange[1] + "cidrRange" + { + $CidrRange = $Item.Split("/") + $Network = $CidrRange[0] + $Mask = $CidrRange[1] - if (!([System.Net.IPAddress]::TryParse($Network, [ref] $Ip))) { Write-Warning "Invalid IP address supplied!"; return} - if (($Mask -lt 0) -or ($Mask -gt 30)) { Write-Warning "Invalid network mask! Acceptable values are 0-30"; return} + if (!([System.Net.IPAddress]::TryParse($Network, [ref] $Ip))) { Write-Warning "Invalid IP address supplied!"; return} + if (($Mask -lt 0) -or ($Mask -gt 30)) { Write-Warning "Invalid network mask! 
Acceptable values are 0-30"; return} - $BinaryIP = [Convert]::ToString((IPtoInt $Network),2).PadLeft(32,'0') - #Generate lower limit (Excluding network address) - $Lower = $BinaryIP.Substring(0, $Mask) + "0" * ((32-$Mask)-1) + "1" - #Generate upperr limit (Excluding broadcast address) - $Upper = $BinaryIP.Substring(0, $Mask) + "1" * ((32-$Mask)-1) + "0" - $LowerInt = [Convert]::ToInt64($Lower, 2) - $UpperInt = [Convert]::ToInt64($Upper, 2) - for ($i = $LowerInt; $i -le $UpperInt; $i++) { InttoIP $i } - } - "range" - { - $Range = $item.Split("-") + $BinaryIP = [Convert]::ToString((IPtoInt $Network),2).PadLeft(32,'0') + #Generate lower limit (Excluding network address) + $Lower = $BinaryIP.Substring(0, $Mask) + "0" * ((32-$Mask)-1) + "1" + #Generate upperr limit (Excluding broadcast address) + $Upper = $BinaryIP.Substring(0, $Mask) + "1" * ((32-$Mask)-1) + "0" + $LowerInt = [Convert]::ToInt64($Lower, 2) + $UpperInt = [Convert]::ToInt64($Upper, 2) + for ($i = $LowerInt; $i -le $UpperInt; $i++) { InttoIP $i } + } + "range" + { + $Range = $item.Split("-") - if ([System.Net.IPAddress]::TryParse($Range[0],[ref]$Ip)) { $Temp1 = $Ip } - else { Write-Warning "Invalid IP address supplied!"; return } + if ([System.Net.IPAddress]::TryParse($Range[0],[ref]$Ip)) { $Temp1 = $Ip } + else { Write-Warning "Invalid IP address supplied!"; return } - if ([System.Net.IPAddress]::TryParse($Range[1],[ref]$Ip)) { $Temp2 = $Ip } - else { Write-Warning "Invalid IP address supplied!"; return } + if ([System.Net.IPAddress]::TryParse($Range[1],[ref]$Ip)) { $Temp2 = $Ip } + else { Write-Warning "Invalid IP address supplied!"; return } - $Left = (IPtoInt $Temp1.ToString()) - $Right = (IPtoInt $Temp2.ToString()) + $Left = (IPtoInt $Temp1.ToString()) + $Right = (IPtoInt $Temp2.ToString()) - if ($Right -gt $Left) { - for ($i = $Left; $i -le $Right; $i++) { InttoIP $i } - } - else { Write-Warning "Invalid IP range. 
The right portion must be greater than the left portion."; return} + if ($Right -gt $Left) { + for ($i = $Left; $i -le $Right; $i++) { InttoIP $i } + } + else { Write-Warning "Invalid IP range. The right portion must be greater than the left portion."; return} - break - } - "single" - { - if ([System.Net.IPAddress]::TryParse($Item,[ref]$Ip)) { $Ip.IPAddressToString } - else { Write-Warning "Invalid IP address supplied!"; return } - break - } - default - { - Write-Warning "An error occured." - return + break + } + "single" + { + if ([System.Net.IPAddress]::TryParse($Item,[ref]$Ip)) { $Ip.IPAddressToString } + else { Write-Warning "Invalid IP address supplied!"; return } + break + } + default + { + Write-Warning "An error occured." + return + } } } - } + } } - - Parse-IPList $IpRange | ForEach-Object { - try { - $Temp = [System.Net.Dns]::GetHostEntry($_) + + PROCESS { + Parse-IPList $IpRange | ForEach-Object { + try { + Write-Verbose "Resolving $_" + $Temp = [System.Net.Dns]::GetHostEntry($_) - $Result = @{ - IP = $_ - HostName = $Temp.HostName - } + $Result = @{ + IP = $_ + HostName = $Temp.HostName + } - New-Object PSObject -Property $Result - } catch [System.Net.Sockets.SocketException] {} + New-Object PSObject -Property $Result + } catch [System.Net.Sockets.SocketException] {} + } } - } -- cgit v1.2.3 From 202e8f4b367397cabf0cfc39f279e7ba5d7d793b Mon Sep 17 00:00:00 2001 
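Review bot: In the `cidrRange` branch the bounds check `if (($Mask -lt 0) -or ($Mask -gt 30))` is a string comparison, because `$Mask` comes straight from `$Item.Split("/")` and PowerShell converts the right operand to the left operand's type; `"4" -gt 30` is therefore true, so /4 through /9 are rejected with "Invalid network mask" while /3 is accepted. Reading the mask as a number fixes it in one line: `$Mask = [int]$CidrRange[1]`, after which `Substring(0, $Mask)` and `(32-$Mask)` behave as before. Two strings on the new side also carry typos that reach the user or reader, `Write-Warning "Inproper input"` (Improper) and the comment `#Generate upperr limit` (upper). Invoke-ReverseDnsLookup's function header and comment-based help begin before the hunk; the BEGIN and PROCESS blocks end inside it.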
From: mattifestation Date: Sun, 16 Mar 2014 10:02:37 -0400 Subject: Adding internal recon/privesc privesc functions #40 Added the following recon functions written by Joe Bialek (@JosephBialek): - Find-4648Logons - Find-4624Logons - Find-AppLockerLogs - Find-PSScriptsInPSAppLog - Find-RDPClientConnections - Get-ComputerDetails (Combines all of the above functions into a single function) --- Recon/Get-ComputerDetails.ps1 | 582 ++++++++++++++++++++++++++++++++++++++++++ Recon/Recon.psd1 | 2 +- 2 files changed, 583 insertions(+), 1 deletion(-) create mode 100644 Recon/Get-ComputerDetails.ps1 (limited to 'Recon') diff --git a/Recon/Get-ComputerDetails.ps1 b/Recon/Get-ComputerDetails.ps1 new file mode 100644 index 0000000..d40e88f --- /dev/null +++ b/Recon/Get-ComputerDetails.ps1 
@@ -0,0 +1,582 @@
+function Get-ComputerDetails
+{
+<#
+.SYNOPSIS
+
+This script is used to get useful information from a computer.
+
+Function: Get-ComputerDetails
+Author: Joe Bialek, Twitter: @JosephBialek
+Required Dependencies: None
+Optional Dependencies: None
+Version: 1.1
+
+.DESCRIPTION
+
+This script is used to get useful information from a computer. Currently, the script gets the following information:
+-Explicit Credential Logons (Event ID 4648)
+-Logon events (Event ID 4624)
+-AppLocker logs to find what processes are created
+-PowerShell logs to find PowerShell scripts which have been executed
+-RDP Client Saved Servers, which indicates what servers the user typically RDP's in to
+
+.PARAMETER ToString
+
+Switch: Outputs the data as text instead of objects, good if you are using this script through a backdoor.
+
+.EXAMPLE
+
+Get-ComputerDetails
+Gets information about the computer and outputs it as PowerShell objects.
+
+Get-ComputerDetails -ToString
+Gets information about the computer and outputs it as raw text.
+
+.NOTES
+This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to.
+You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files.
+
+.LINK
+
+Blog: http://clymb3r.wordpress.com/
+Github repo: https://github.com/clymb3r/PowerShell
+
+#>
+
+ Param(
+ [Parameter(Position=0)]
+ [Switch]
+ $ToString
+ )
+
+ Set-StrictMode -Version 2
+
+
+
+ $SecurityLog = Get-EventLog -LogName Security
+ $Filtered4624 = Find-4624Logons $SecurityLog
+ $Filtered4648 = Find-4648Logons $SecurityLog
+ $AppLockerLogs = Find-AppLockerLogs
+ $PSLogs = Find-PSScriptsInPSAppLog
+ $RdpClientData = Find-RDPClientConnections
+
+ if ($ToString)
+ {
+ Write-Output "Event ID 4624 (Logon):"
+ Write-Output $Filtered4624.Values | Format-List
+ Write-Output "Event ID 4648 (Explicit Credential Logon):"
+ Write-Output $Filtered4648.Values | Format-List
+ Write-Output "AppLocker Process Starts:"
+ Write-Output $AppLockerLogs.Values | Format-List
+ Write-Output "PowerShell Script Executions:"
+ Write-Output $PSLogs.Values | Format-List
+ Write-Output "RDP Client Data:"
+ Write-Output $RdpClientData.Values | Format-List
+ }
+ else
+ {
+ $Properties = @{
+ LogonEvent4624 = $Filtered4624.Values
+ LogonEvent4648 = $Filtered4648.Values
+ AppLockerProcessStart = $AppLockerLogs.Values
+ PowerShellScriptStart = $PSLogs.Values
+ RdpClientData = $RdpClientData.Values
+ }
+
+ $ReturnObj = New-Object PSObject -Property $Properties
+ return $ReturnObj
+ }
+}
+
+
+function Find-4648Logons
+{
+<#
+.SYNOPSIS
+
+Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the
+the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful
+for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action.
+
+Function: Find-4648Logons
+Author: Joe Bialek, Twitter: @JosephBialek
+Required Dependencies: None
+Optional Dependencies: None
+Version: 1.1
+
+.DESCRIPTION
+
+Retrieve the unique 4648 logon events.
This will often find cases where a user is using remote desktop to connect to another computer. It will give the
+the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful
+for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action.
+
+.EXAMPLE
+
+Find-4648Logons
+Gets the unique 4648 logon events.
+
+.NOTES
+
+.LINK
+
+Blog: http://clymb3r.wordpress.com/
+Github repo: https://github.com/clymb3r/PowerShell
+#>
+ Param(
+ $SecurityLog
+ )
+
+ $ExplicitLogons = $SecurityLog | Where {$_.InstanceID -eq 4648}
+ $ReturnInfo = @{}
+
+ foreach ($ExplicitLogon in $ExplicitLogons)
+ {
+ $Subject = $false
+ $AccountWhosCredsUsed = $false
+ $TargetServer = $false
+ $SourceAccountName = ""
+ $SourceAccountDomain = ""
+ $TargetAccountName = ""
+ $TargetAccountDomain = ""
+ $TargetServer = ""
+ foreach ($line in $ExplicitLogon.Message -split "\r\n")
+ {
+ if ($line -cmatch "^Subject:$")
+ {
+ $Subject = $true
+ }
+ elseif ($line -cmatch "^Account\sWhose\sCredentials\sWere\sUsed:$")
+ {
+ $Subject = $false
+ $AccountWhosCredsUsed = $true
+ }
+ elseif ($line -cmatch "^Target\sServer:")
+ {
+ $AccountWhosCredsUsed = $false
+ $TargetServer = $true
+ }
+ elseif ($Subject -eq $true)
+ {
+ if ($line -cmatch "\s+Account\sName:\s+(\S.*)")
+ {
+ $SourceAccountName = $Matches[1]
+ }
+ elseif ($line -cmatch "\s+Account\sDomain:\s+(\S.*)")
+ {
+ $SourceAccountDomain = $Matches[1]
+ }
+ }
+ elseif ($AccountWhosCredsUsed -eq $true)
+ {
+ if ($line -cmatch "\s+Account\sName:\s+(\S.*)")
+ {
+ $TargetAccountName = $Matches[1]
+ }
+ elseif ($line -cmatch "\s+Account\sDomain:\s+(\S.*)")
+ {
+ $TargetAccountDomain = $Matches[1]
+ }
+ }
+ elseif ($TargetServer -eq $true)
+ {
+ if ($line -cmatch "\s+Target\sServer\sName:\s+(\S.*)")
+ {
+ $TargetServer = $Matches[1]
+ }
+ }
+ }
+
+ #Filter out logins that don't matter
+ if (-not ($TargetAccountName -cmatch "^DWM-.*" -and
$TargetAccountDomain -cmatch "^Window\sManager$"))
+ {
+ $Key = $SourceAccountName + $SourceAccountDomain + $TargetAccountName + $TargetAccountDomain + $TargetServer
+ if (-not $ReturnInfo.ContainsKey($Key))
+ {
+ $Properties = @{
+ LogType = 4648
+ LogSource = "Security"
+ SourceAccountName = $SourceAccountName
+ SourceDomainName = $SourceAccountDomain
+ TargetAccountName = $TargetAccountName
+ TargetDomainName = $TargetAccountDomain
+ TargetServer = $TargetServer
+ Count = 1
+ Times = @($ExplicitLogon.TimeGenerated)
+ }
+
+ $ResultObj = New-Object PSObject -Property $Properties
+ $ReturnInfo.Add($Key, $ResultObj)
+ }
+ else
+ {
+ $ReturnInfo[$Key].Count++
+ $ReturnInfo[$Key].Times += ,$ExplicitLogon.TimeGenerated
+ }
+ }
+ }
+
+ return $ReturnInfo
+}
+
+
+function Find-4624Logons
+{
+<#
+.SYNOPSIS
+
+Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do
+network logons in to the server, what accounts RDP in, what accounts log in locally, etc...
+
+Function: Find-4624Logons
+Author: Joe Bialek, Twitter: @JosephBialek
+Required Dependencies: None
+Optional Dependencies: None
+Version: 1.1
+
+.DESCRIPTION
+
+Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do
+network logons in to the server, what accounts RDP in, what accounts log in locally, etc...
+
+.EXAMPLE
+
+Find-4624Logons
+Find unique 4624 logon events.
+
+.NOTES
+
+.LINK
+
+Blog: http://clymb3r.wordpress.com/
+Github repo: https://github.com/clymb3r/PowerShell
+#>
+
+ Param (
+ $SecurityLog
+ )
+
+ $Logons = $SecurityLog | Where {$_.InstanceID -eq 4624}
+ $ReturnInfo = @{}
+
+ foreach ($Logon in $Logons)
+ {
+ $SubjectSection = $false
+ $NewLogonSection = $false
+ $NetworkInformationSection = $false
+ $AccountName = ""
+ $AccountDomain = ""
+ $LogonType = ""
+ $NewLogonAccountName = ""
+ $NewLogonAccountDomain = ""
+ $WorkstationName = ""
+ $SourceNetworkAddress = ""
+ $SourcePort = ""
+
+ foreach ($line in $Logon.Message -Split "\r\n")
+ {
+ if ($line -cmatch "^Subject:$")
+ {
+ $SubjectSection = $true
+ }
+ elseif ($line -cmatch "^Logon\sType:\s+(\S.*)")
+ {
+ $LogonType = $Matches[1]
+ }
+ elseif ($line -cmatch "^New\sLogon:$")
+ {
+ $SubjectSection = $false
+ $NewLogonSection = $true
+ }
+ elseif ($line -cmatch "^Network\sInformation:$")
+ {
+ $NewLogonSection = $false
+ $NetworkInformationSection = $true
+ }
+ elseif ($SubjectSection)
+ {
+ if ($line -cmatch "^\s+Account\sName:\s+(\S.*)")
+ {
+ $AccountName = $Matches[1]
+ }
+ elseif ($line -cmatch "^\s+Account\sDomain:\s+(\S.*)")
+ {
+ $AccountDomain = $Matches[1]
+ }
+ }
+ elseif ($NewLogonSection)
+ {
+ if ($line -cmatch "^\s+Account\sName:\s+(\S.*)")
+ {
+ $NewLogonAccountName = $Matches[1]
+ }
+ elseif ($line -cmatch "^\s+Account\sDomain:\s+(\S.*)")
+ {
+ $NewLogonAccountDomain = $Matches[1]
+ }
+ }
+ elseif ($NetworkInformationSection)
+ {
+ if ($line -cmatch "^\s+Workstation\sName:\s+(\S.*)")
+ {
+ $WorkstationName = $Matches[1]
+ }
+ elseif ($line -cmatch "^\s+Source\sNetwork\sAddress:\s+(\S.*)")
+ {
+ $SourceNetworkAddress = $Matches[1]
+ }
+ elseif ($line -cmatch "^\s+Source\sPort:\s+(\S.*)")
+ {
+ $SourcePort = $Matches[1]
+ }
+ }
+ }
+
+ #Filter out logins that don't matter
+ if (-not ($NewLogonAccountDomain -cmatch "NT\sAUTHORITY" -or $NewLogonAccountDomain -cmatch "Window\sManager"))
+ {
+ $Key = $AccountName + $AccountDomain +
$NewLogonAccountName + $NewLogonAccountDomain + $LogonType + $WorkstationName + $SourceNetworkAddress + $SourcePort
+ if (-not $ReturnInfo.ContainsKey($Key))
+ {
+ $Properties = @{
+ LogType = 4624
+ LogSource = "Security"
+ SourceAccountName = $AccountName
+ SourceDomainName = $AccountDomain
+ NewLogonAccountName = $NewLogonAccountName
+ NewLogonAccountDomain = $NewLogonAccountDomain
+ LogonType = $LogonType
+ WorkstationName = $WorkstationName
+ SourceNetworkAddress = $SourceNetworkAddress
+ SourcePort = $SourcePort
+ Count = 1
+ Times = @($Logon.TimeGenerated)
+ }
+
+ $ResultObj = New-Object PSObject -Property $Properties
+ $ReturnInfo.Add($Key, $ResultObj)
+ }
+ else
+ {
+ $ReturnInfo[$Key].Count++
+ $ReturnInfo[$Key].Times += ,$Logon.TimeGenerated
+ }
+ }
+ }
+
+ return $ReturnInfo
+}
+
+
+function Find-AppLockerLogs
+{
+<#
+.SYNOPSIS
+
+Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run).
+
+Function: Find-AppLockerLogs
+Author: Joe Bialek, Twitter: @JosephBialek
+Required Dependencies: None
+Optional Dependencies: None
+Version: 1.1
+
+.DESCRIPTION
+
+Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run).
+
+.EXAMPLE
+
+Find-AppLockerLogs
+Find process creations from AppLocker logs.
+
+.NOTES
+
+.LINK
+
+Blog: http://clymb3r.wordpress.com/
+Github repo: https://github.com/clymb3r/PowerShell
+#>
+ $ReturnInfo = @{}
+
+ $AppLockerLogs = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ErrorAction SilentlyContinue | Where {$_.Id -eq 8002}
+
+ foreach ($Log in $AppLockerLogs)
+ {
+ $SID = New-Object System.Security.Principal.SecurityIdentifier($Log.Properties[7].Value)
+ $UserName = $SID.Translate( [System.Security.Principal.NTAccount])
+
+ $ExeName = $Log.Properties[10].Value
+
+ $Key = $UserName.ToString() + "::::" + $ExeName
+
+ if (!$ReturnInfo.ContainsKey($Key))
+ {
+ $Properties = @{
+ Exe = $ExeName
+ User = $UserName.Value
+ Count = 1
+ Times = @($Log.TimeCreated)
+ }
+
+ $Item = New-Object PSObject -Property $Properties
+ $ReturnInfo.Add($Key, $Item)
+ }
+ else
+ {
+ $ReturnInfo[$Key].Count++
+ $ReturnInfo[$Key].Times += ,$Log.TimeCreated
+ }
+ }
+
+ return $ReturnInfo
+}
+
+
+Function Find-PSScriptsInPSAppLog
+{
+<#
+.SYNOPSIS
+
+Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log).
+You can then backdoor these scripts or do other malicious things.
+
+Function: Find-AppLockerLogs
+Author: Joe Bialek, Twitter: @JosephBialek
+Required Dependencies: None
+Optional Dependencies: None
+Version: 1.1
+
+.DESCRIPTION
+
+Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log).
+You can then backdoor these scripts or do other malicious things.
+
+.EXAMPLE
+
+Find-PSScriptsInPSAppLog
+Find unique PowerShell scripts being executed from the PowerShell operational log.
+
+.NOTES
+
+.LINK
+
+Blog: http://clymb3r.wordpress.com/
+Github repo: https://github.com/clymb3r/PowerShell
+#>
+ $ReturnInfo = @{}
+ $Logs = Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -ErrorAction SilentlyContinue | Where {$_.Id -eq 4100}
+
+ foreach ($Log in $Logs)
+ {
+ $ContainsScriptName = $false
+ $LogDetails = $Log.Message -split "`r`n"
+
+ $FoundScriptName = $false
+ foreach($Line in $LogDetails)
+ {
+ if ($Line -imatch "^\s*Script\sName\s=\s(.+)")
+ {
+ $ScriptName = $Matches[1]
+ $FoundScriptName = $true
+ }
+ elseif ($Line -imatch "^\s*User\s=\s(.*)")
+ {
+ $User = $Matches[1]
+ }
+ }
+
+ if ($FoundScriptName)
+ {
+ $Key = $ScriptName + "::::" + $User
+
+ if (!$ReturnInfo.ContainsKey($Key))
+ {
+ $Properties = @{
+ ScriptName = $ScriptName
+ UserName = $User
+ Count = 1
+ Times = @($Log.TimeCreated)
+ }
+
+ $Item = New-Object PSObject -Property $Properties
+ $ReturnInfo.Add($Key, $Item)
+ }
+ else
+ {
+ $ReturnInfo[$Key].Count++
+ $ReturnInfo[$Key].Times += ,$Log.TimeCreated
+ }
+ }
+ }
+
+ return $ReturnInfo
+}
+
+
+Function Find-RDPClientConnections
+{
+<#
+.SYNOPSIS
+
+Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user
+usually RDP's to.
+
+Function: Find-RDPClientConnections
+Author: Joe Bialek, Twitter: @JosephBialek
+Required Dependencies: None
+Optional Dependencies: None
+Version: 1.1
+
+.DESCRIPTION
+
+Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user
+usually RDP's to.
+
+.EXAMPLE
+
+Find-RDPClientConnections
+Find unique saved RDP client connections.
+
+.NOTES
+
+.LINK
+
+Blog: http://clymb3r.wordpress.com/
+Github repo: https://github.com/clymb3r/PowerShell
+#>
+ $ReturnInfo = @{}
+
+ New-PSDrive -Name HKU -PSProvider Registry -Root Registry::HKEY_USERS | Out-Null
+
+ #Attempt to enumerate the servers for all users
+ $Users = Get-ChildItem -Path "HKU:\"
+ foreach ($UserSid in $Users.PSChildName)
+ {
+ $Servers = Get-ChildItem "HKU:\$($UserSid)\Software\Microsoft\Terminal Server Client\Servers" -ErrorAction SilentlyContinue
+
+ foreach ($Server in $Servers)
+ {
+ $Server = $Server.PSChildName
+ $UsernameHint = (Get-ItemProperty -Path "HKU:\$($UserSid)\Software\Microsoft\Terminal Server Client\Servers\$($Server)").UsernameHint
+
+ $Key = $UserSid + "::::" + $Server + "::::" + $UsernameHint
+
+ if (!$ReturnInfo.ContainsKey($Key))
+ {
+ $SIDObj = New-Object System.Security.Principal.SecurityIdentifier($UserSid)
+ $User = ($SIDObj.Translate([System.Security.Principal.NTAccount])).Value
+
+ $Properties = @{
+ CurrentUser = $User
+ Server = $Server
+ UsernameHint = $UsernameHint
+ }
+
+ $Item = New-Object PSObject -Property $Properties
+ $ReturnInfo.Add($Key, $Item)
+ }
+ }
+ }
+
+ return $ReturnInfo
+}
\ No newline at end of file
diff --git a/Recon/Recon.psd1 b/Recon/Recon.psd1
index 88287ef..f30ff2e 100644
--- a/Recon/Recon.psd1
+++ b/Recon/Recon.psd1
@@ -74,7 +74,7 @@ ModuleList = @(@{ModuleName = 'Recon'; ModuleVersion = '1.0.0.0'; GUID = '7e775a
 # List of all files packaged with this module
 FileList = 'Recon.psm1', 'Recon.psd1', 'Get-HttpStatus.ps1', 'Invoke-ReverseDnsLookup.ps1',
- 'Invoke-Portscan.ps1', 'Usage.md'
+ 'Invoke-Portscan.ps1', 'Get-ComputerDetails.ps1', 'Usage.md'
 # Private data to pass to the module specified in RootModule/ModuleToProcess
 # PrivateData = '' -- cgit v1.2.3
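Review bot: In Find-PSScriptsInPSAppLog, `$User` is assigned only when a `User =` line matches and is never reset per event, so a 4100 entry without that line silently inherits the previous event's user (or, for the first entry, reads an unassigned variable, which errors under the `Set-StrictMode -Version 2` inherited when called from Get-ComputerDetails); add `$User = ""` next to `$FoundScriptName = $false` at the top of the outer loop and drop the unused `$ContainsScriptName`. Find-AppLockerLogs and Find-RDPClientConnections both call `.Translate([System.Security.Principal.NTAccount])` unguarded, so a single orphaned or unresolvable SID (deleted account, unreachable domain) throws and aborts the whole enumeration rather than just that entry; wrap the translation in try/catch and fall back to the raw SID string. The 4624/4648 parsers key on English event text (`^Subject:$`, `Account\sName:`), so on a non-English system they return nothing without warning — the function help should say so, or the code should read `ReplacementStrings` instead of `Message`. Find-PSScriptsInPSAppLog's header also still reads `Function: Find-AppLockerLogs`.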