From 0aaa23cd8656f0b92f2fac3cd8e6be68eed7d809 Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Mon, 12 Dec 2016 21:05:08 -0500 Subject: first take at platyPS doc generation --- docs/Recon/Invoke-Portscan.md | 430 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 430 insertions(+) create mode 100755 docs/Recon/Invoke-Portscan.md (limited to 'docs/Recon/Invoke-Portscan.md') diff --git a/docs/Recon/Invoke-Portscan.md b/docs/Recon/Invoke-Portscan.md new file mode 100755 index 0000000..49d9e32 --- /dev/null +++ b/docs/Recon/Invoke-Portscan.md 
@@ -0,0 +1,430 @@
+# Invoke-Portscan
+
+## SYNOPSIS
+Simple portscan module
+
+PowerSploit Function: Invoke-Portscan
+Author: Rich Lundeen (http://webstersProdigy.net)
+License: BSD 3-Clause
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+### cmdHosts
+```
+Invoke-Portscan -Hosts [-ExcludeHosts ] [-Ports ] [-PortFile ]
+ [-TopPorts ] [-ExcludedPorts ] [-SkipDiscovery] [-PingOnly] [-DiscoveryPorts ]
+ [-Threads ] [-nHosts ] [-Timeout ] [-SleepTimer ] [-SyncFreq ] [-T ]
+ [-GrepOut ] [-XmlOut ] [-ReadableOut ] [-AllformatsOut ] [-noProgressMeter]
+ [-quiet] [-ForceOverwrite]
+```
+
+### fHosts
+```
+Invoke-Portscan -HostFile [-ExcludeHosts ] [-Ports ] [-PortFile ]
+ [-TopPorts ] [-ExcludedPorts ] [-SkipDiscovery] [-PingOnly] [-DiscoveryPorts ]
+ [-Threads ] [-nHosts ] [-Timeout ] [-SleepTimer ] [-SyncFreq ] [-T ]
+ [-GrepOut ] [-XmlOut ] [-ReadableOut ] [-AllformatsOut ] [-noProgressMeter]
+ [-quiet] [-ForceOverwrite]
+```
+
+## DESCRIPTION
+Does a simple port scan using regular sockets, based (pretty) loosely on nmap
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Invoke-Portscan -Hosts "webstersprodigy.net,google.com,microsoft.com" -TopPorts 50
+```
+
+Description
+-----------
+Scans the top 50 ports for hosts found for webstersprodigy.net,google.com, and microsoft.com
+
+### -------------------------- EXAMPLE 2 --------------------------
+```
+echo webstersprodigy.net | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080"
+```
+
+Description
+-----------
+Does a portscan of "webstersprodigy.net", and writes a greppable output file
+
+### -------------------------- EXAMPLE 3 --------------------------
+```
+Invoke-Portscan -Hosts 192.168.1.1/24 -T 4 -TopPorts 25 -oA localnet
+```
+
+Description
+-----------
+Scans the top 20 ports for hosts found in the 192.168.1.1/24 range, outputs all file formats
+
+## PARAMETERS
+
+### -Hosts
+Include these comma seperated hosts (supports IPv4 CIDR notation) or pipe them in
+
+```yaml
+Type: String[]
+Parameter Sets: cmdHosts
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -HostFile
+Input hosts from file rather than commandline
+
+```yaml
+Type: String
+Parameter Sets: fHosts
+Aliases: iL
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExcludeHosts
+Exclude these comma seperated hosts
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: exclude
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Ports
+Include these comma seperated ports (can also be a range like 80-90)
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: p
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PortFile
+Input ports from a file
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: iP
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -TopPorts
+Include the x top ports - only goes to 1000, default is top 50
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ExcludedPorts
+Exclude these comma seperated ports
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: xPorts
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SkipDiscovery
+Treat all hosts as online, skip host discovery
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: Pn
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -PingOnly
+Ping scan only (disable port scan)
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: sn
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DiscoveryPorts
+Comma separated ports used for host discovery.
+-1 is a ping
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: PS
+
+Required: False
+Position: Named
+Default value: -1,445,80,443
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Threads
+number of max threads for the thread pool (per host)
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 100
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -nHosts
+number of hosts to concurrently scan
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 25
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Timeout
+Timeout time on a connection in miliseconds before port is declared filtered
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 2000
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SleepTimer
+Wait before thread checking, in miliseconds
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 500
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SyncFreq
+How often (in terms of hosts) to sync threads and flush output
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 1024
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -T
+\[0-5\] shortcut performance options.
+Default is 3.
+higher is more aggressive.
+Sets (nhosts, threads,timeout)
+ 5 {$nHosts=30; $Threads = 1000; $Timeout = 750 }
+ 4 {$nHosts=25; $Threads = 1000; $Timeout = 1200 }
+ 3 {$nHosts=20; $Threads = 100; $Timeout = 2500 }
+ 2 {$nHosts=15; $Threads = 32; $Timeout = 3000 }
+ 1 {$nHosts=10; $Threads = 32; $Timeout = 5000 }
+
+```yaml
+Type: Int32
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: 0
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -GrepOut
+Greppable output file
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: oG
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -XmlOut
+output XML file
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: oX
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ReadableOut
+output file in 'readable' format
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: oN
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -AllformatsOut
+output in readable (.nmap), xml (.xml), and greppable (.gnmap) formats
+
+```yaml
+Type: String
+Parameter Sets: (All)
+Aliases: oA
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -noProgressMeter
+Suppresses the progress meter
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -quiet
+supresses returned output and don't store hosts in memory - useful for very large scans
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: q
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ForceOverwrite
+Force Overwrite if output Files exist.
+Otherwise it throws exception
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases: F
+
+Required: False
+Position: Named
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+
+## RELATED LINKS
+
+[http://webstersprodigy.net](http://webstersprodigy.net)
+
-- cgit v1.2.3 From ad32d6c75b4e70a6b2e1b56a683a6ba71f1c0683 Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Wed, 14 Dec 2016 19:23:28 -0500 Subject: For ./Recon/ : -(More) PSScriptAnalyzering -Tweaking of synopsis blocks in order to support platyPS -Code standardization -Generated docs --- Recon/Get-ComputerDetail.ps1 | 574 ++++++++++++++++++++++++++++++++++ Recon/Get-ComputerDetails.ps1 | 574 ---------------------------------- Recon/Get-HttpStatus.ps1 | 62 ++-- Recon/Invoke-Portscan.ps1 | 34 +- Recon/Invoke-ReverseDnsLookup.ps1 | 84 ++--- Recon/PowerView.ps1 | 2 +- Recon/Recon.psd1 | 2 +- docs/Recon/Export-PowerViewCSV.md | 2 +- docs/Recon/Get-ComputerDetail.md | 68 ++++ docs/Recon/Get-ComputerDetails.md | 68 ---- docs/Recon/Get-HttpStatus.md | 8 +- docs/Recon/Invoke-Portscan.md | 8 +- docs/Recon/Invoke-ReverseDnsLookup.md | 14 +- docs/Recon/Set-DomainObject.md | 26 +- docs/Recon/index.md | 0 mkdocs.yml | 2 +- 16 files changed, 758 insertions(+), 770 deletions(-) create mode 100644 Recon/Get-ComputerDetail.ps1 delete mode 100644 Recon/Get-ComputerDetails.ps1 create mode 100755 docs/Recon/Get-ComputerDetail.md delete mode 100755 docs/Recon/Get-ComputerDetails.md mode change 100644 => 100755 docs/Recon/index.md (limited to 'docs/Recon/Invoke-Portscan.md')
diff --git a/Recon/Get-ComputerDetail.ps1 b/Recon/Get-ComputerDetail.ps1
new file mode 100644
index 0000000..ef3720c
--- /dev/null
+++ b/Recon/Get-ComputerDetail.ps1
@@ -0,0 +1,574 @@ +function Get-ComputerDetail +{ +<# +.SYNOPSIS + +This script is used to get useful information from a computer. + +Function: Get-ComputerDetail +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None + +.DESCRIPTION + +This script is used to get useful information from a computer. Currently, the script gets the following information: +-Explicit Credential Logons (Event ID 4648) +-Logon events (Event ID 4624) +-AppLocker logs to find what processes are created +-PowerShell logs to find PowerShell scripts which have been executed +-RDP Client Saved Servers, which indicates what servers the user typically RDP's in to + +.PARAMETER ToString + +Switch: Outputs the data as text instead of objects, good if you are using this script through a backdoor. + +.EXAMPLE + +Get-ComputerDetail +Gets information about the computer and outputs it as PowerShell objects. + +Get-ComputerDetail -ToString +Gets information about the computer and outputs it as raw text. + +.NOTES +This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to. +You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files. 
+ +.LINK + +Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell + +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + Param( + [Parameter(Position=0)] + [Switch] + $ToString + ) + + Set-StrictMode -Version 2 + + $SecurityLog = Get-EventLog -LogName Security + $Filtered4624 = Find-4624Logon $SecurityLog + $Filtered4648 = Find-4648Logon $SecurityLog + $AppLockerLogs = Find-AppLockerLog + $PSLogs = Find-PSScriptsInPSAppLog + $RdpClientData = Find-RDPClientConnection + + if ($ToString) + { + Write-Output "Event ID 4624 (Logon):" + Write-Output $Filtered4624.Values | Format-List + Write-Output "Event ID 4648 (Explicit Credential Logon):" + Write-Output $Filtered4648.Values | Format-List + Write-Output "AppLocker Process Starts:" + Write-Output $AppLockerLogs.Values | Format-List + Write-Output "PowerShell Script Executions:" + Write-Output $PSLogs.Values | Format-List + Write-Output "RDP Client Data:" + Write-Output $RdpClientData.Values | Format-List + } + else + { + $Properties = @{ + LogonEvent4624 = $Filtered4624.Values + LogonEvent4648 = $Filtered4648.Values + AppLockerProcessStart = $AppLockerLogs.Values + PowerShellScriptStart = $PSLogs.Values + RdpClientData = $RdpClientData.Values + } + + $ReturnObj = New-Object PSObject -Property $Properties + return $ReturnObj + } +} + + +function Find-4648Logon +{ +<# +.SYNOPSIS + +Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the +the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful +for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action. 
+ +Function: Find-4648Logon +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None + +.DESCRIPTION + +Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the +the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful +for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action. + +.EXAMPLE + +Find-4648Logon +Gets the unique 4648 logon events. + +.NOTES + +.LINK + +Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell +#> + + Param( + $SecurityLog + ) + + $ExplicitLogons = $SecurityLog | Where-Object {$_.InstanceID -eq 4648} + $ReturnInfo = @{} + + foreach ($ExplicitLogon in $ExplicitLogons) + { + $Subject = $false + $AccountWhosCredsUsed = $false + $TargetServer = $false + $SourceAccountName = "" + $SourceAccountDomain = "" + $TargetAccountName = "" + $TargetAccountDomain = "" + $TargetServer = "" + foreach ($line in $ExplicitLogon.Message -split "\r\n") + { + if ($line -cmatch "^Subject:$") + { + $Subject = $true + } + elseif ($line -cmatch "^Account\sWhose\sCredentials\sWere\sUsed:$") + { + $Subject = $false + $AccountWhosCredsUsed = $true + } + elseif ($line -cmatch "^Target\sServer:") + { + $AccountWhosCredsUsed = $false + $TargetServer = $true + } + elseif ($Subject -eq $true) + { + if ($line -cmatch "\s+Account\sName:\s+(\S.*)") + { + $SourceAccountName = $Matches[1] + } + elseif ($line -cmatch "\s+Account\sDomain:\s+(\S.*)") + { + $SourceAccountDomain = $Matches[1] + } + } + elseif ($AccountWhosCredsUsed -eq $true) + { + if ($line -cmatch "\s+Account\sName:\s+(\S.*)") + { + $TargetAccountName = $Matches[1] + } + elseif ($line -cmatch "\s+Account\sDomain:\s+(\S.*)") + { + $TargetAccountDomain = $Matches[1] + } + } + elseif ($TargetServer -eq $true) + { + if 
($line -cmatch "\s+Target\sServer\sName:\s+(\S.*)") + { + $TargetServer = $Matches[1] + } + } + } + + #Filter out logins that don't matter + if (-not ($TargetAccountName -cmatch "^DWM-.*" -and $TargetAccountDomain -cmatch "^Window\sManager$")) + { + $Key = $SourceAccountName + $SourceAccountDomain + $TargetAccountName + $TargetAccountDomain + $TargetServer + if (-not $ReturnInfo.ContainsKey($Key)) + { + $Properties = @{ + LogType = 4648 + LogSource = "Security" + SourceAccountName = $SourceAccountName + SourceDomainName = $SourceAccountDomain + TargetAccountName = $TargetAccountName + TargetDomainName = $TargetAccountDomain + TargetServer = $TargetServer + Count = 1 + Times = @($ExplicitLogon.TimeGenerated) + } + + $ResultObj = New-Object PSObject -Property $Properties + $ReturnInfo.Add($Key, $ResultObj) + } + else + { + $ReturnInfo[$Key].Count++ + $ReturnInfo[$Key].Times += ,$ExplicitLogon.TimeGenerated + } + } + } + + return $ReturnInfo +} + +function Find-4624Logon +{ +<# +.SYNOPSIS + +Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do +network logons in to the server, what accounts RDP in, what accounts log in locally, etc... + +Function: Find-4624Logon +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None + +.DESCRIPTION + +Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do +network logons in to the server, what accounts RDP in, what accounts log in locally, etc... + +.EXAMPLE + +Find-4624Logon +Find unique 4624 logon events. 
+ +.NOTES + +.LINK + +Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell +#> + Param ( + $SecurityLog + ) + + $Logons = $SecurityLog | Where-Object {$_.InstanceID -eq 4624} + $ReturnInfo = @{} + + foreach ($Logon in $Logons) + { + $SubjectSection = $false + $NewLogonSection = $false + $NetworkInformationSection = $false + $AccountName = "" + $AccountDomain = "" + $LogonType = "" + $NewLogonAccountName = "" + $NewLogonAccountDomain = "" + $WorkstationName = "" + $SourceNetworkAddress = "" + $SourcePort = "" + + foreach ($line in $Logon.Message -Split "\r\n") + { + if ($line -cmatch "^Subject:$") + { + $SubjectSection = $true + } + elseif ($line -cmatch "^Logon\sType:\s+(\S.*)") + { + $LogonType = $Matches[1] + } + elseif ($line -cmatch "^New\sLogon:$") + { + $SubjectSection = $false + $NewLogonSection = $true + } + elseif ($line -cmatch "^Network\sInformation:$") + { + $NewLogonSection = $false + $NetworkInformationSection = $true + } + elseif ($SubjectSection) + { + if ($line -cmatch "^\s+Account\sName:\s+(\S.*)") + { + $AccountName = $Matches[1] + } + elseif ($line -cmatch "^\s+Account\sDomain:\s+(\S.*)") + { + $AccountDomain = $Matches[1] + } + } + elseif ($NewLogonSection) + { + if ($line -cmatch "^\s+Account\sName:\s+(\S.*)") + { + $NewLogonAccountName = $Matches[1] + } + elseif ($line -cmatch "^\s+Account\sDomain:\s+(\S.*)") + { + $NewLogonAccountDomain = $Matches[1] + } + } + elseif ($NetworkInformationSection) + { + if ($line -cmatch "^\s+Workstation\sName:\s+(\S.*)") + { + $WorkstationName = $Matches[1] + } + elseif ($line -cmatch "^\s+Source\sNetwork\sAddress:\s+(\S.*)") + { + $SourceNetworkAddress = $Matches[1] + } + elseif ($line -cmatch "^\s+Source\sPort:\s+(\S.*)") + { + $SourcePort = $Matches[1] + } + } + } + + #Filter out logins that don't matter + if (-not ($NewLogonAccountDomain -cmatch "NT\sAUTHORITY" -or $NewLogonAccountDomain -cmatch "Window\sManager")) + { + $Key = $AccountName + $AccountDomain + 
$NewLogonAccountName + $NewLogonAccountDomain + $LogonType + $WorkstationName + $SourceNetworkAddress + $SourcePort + if (-not $ReturnInfo.ContainsKey($Key)) + { + $Properties = @{ + LogType = 4624 + LogSource = "Security" + SourceAccountName = $AccountName + SourceDomainName = $AccountDomain + NewLogonAccountName = $NewLogonAccountName + NewLogonAccountDomain = $NewLogonAccountDomain + LogonType = $LogonType + WorkstationName = $WorkstationName + SourceNetworkAddress = $SourceNetworkAddress + SourcePort = $SourcePort + Count = 1 + Times = @($Logon.TimeGenerated) + } + + $ResultObj = New-Object PSObject -Property $Properties + $ReturnInfo.Add($Key, $ResultObj) + } + else + { + $ReturnInfo[$Key].Count++ + $ReturnInfo[$Key].Times += ,$Logon.TimeGenerated + } + } + } + + return $ReturnInfo +} + + +function Find-AppLockerLog +{ +<# +.SYNOPSIS + +Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run). + +Function: Find-AppLockerLog +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None + +.DESCRIPTION + +Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run). + +.EXAMPLE + +Find-AppLockerLog +Find process creations from AppLocker logs. 
+ +.NOTES + +.LINK + +Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell +#> + + $ReturnInfo = @{} + + $AppLockerLogs = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ErrorAction SilentlyContinue | Where-Object {$_.Id -eq 8002} + + foreach ($Log in $AppLockerLogs) + { + $SID = New-Object System.Security.Principal.SecurityIdentifier($Log.Properties[7].Value) + $UserName = $SID.Translate( [System.Security.Principal.NTAccount]) + + $ExeName = $Log.Properties[10].Value + + $Key = $UserName.ToString() + "::::" + $ExeName + + if (!$ReturnInfo.ContainsKey($Key)) + { + $Properties = @{ + Exe = $ExeName + User = $UserName.Value + Count = 1 + Times = @($Log.TimeCreated) + } + + $Item = New-Object PSObject -Property $Properties + $ReturnInfo.Add($Key, $Item) + } + else + { + $ReturnInfo[$Key].Count++ + $ReturnInfo[$Key].Times += ,$Log.TimeCreated + } + } + + return $ReturnInfo +} + + +Function Find-PSScriptsInPSAppLog +{ +<# +.SYNOPSIS + +Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log). +You can then backdoor these scripts or do other malicious things. + +Function: Find-AppLockerLog +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None + +.DESCRIPTION + +Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log). +You can then backdoor these scripts or do other malicious things. + +.EXAMPLE + +Find-PSScriptsInPSAppLog +Find unique PowerShell scripts being executed from the PowerShell operational log. 
+ +.NOTES + +.LINK + +Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell +#> + + $ReturnInfo = @{} + $Logs = Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -ErrorAction SilentlyContinue | Where-Object {$_.Id -eq 4100} + + foreach ($Log in $Logs) + { + $LogDetails = $Log.Message -split "`r`n" + + $FoundScriptName = $false + foreach($Line in $LogDetails) + { + if ($Line -imatch "^\s*Script\sName\s=\s(.+)") + { + $ScriptName = $Matches[1] + $FoundScriptName = $true + } + elseif ($Line -imatch "^\s*User\s=\s(.*)") + { + $User = $Matches[1] + } + } + + if ($FoundScriptName) + { + $Key = $ScriptName + "::::" + $User + + if (!$ReturnInfo.ContainsKey($Key)) + { + $Properties = @{ + ScriptName = $ScriptName + UserName = $User + Count = 1 + Times = @($Log.TimeCreated) + } + + $Item = New-Object PSObject -Property $Properties + $ReturnInfo.Add($Key, $Item) + } + else + { + $ReturnInfo[$Key].Count++ + $ReturnInfo[$Key].Times += ,$Log.TimeCreated + } + } + } + + return $ReturnInfo +} + + +Function Find-RDPClientConnection +{ +<# +.SYNOPSIS + +Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user +usually RDP's to. + +Function: Find-RDPClientConnection +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None + +.DESCRIPTION + +Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user usually RDP's to. + +.EXAMPLE + +Find-RDPClientConnection +Find unique saved RDP client connections. 
+ +.NOTES + +.LINK + +Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell +#> + $ReturnInfo = @{} + + New-PSDrive -Name HKU -PSProvider Registry -Root Registry::HKEY_USERS | Out-Null + + #Attempt to enumerate the servers for all users + $Users = Get-ChildItem -Path "HKU:\" + foreach ($UserSid in $Users.PSChildName) + { + $Servers = Get-ChildItem "HKU:\$($UserSid)\Software\Microsoft\Terminal Server Client\Servers" -ErrorAction SilentlyContinue + + foreach ($Server in $Servers) + { + $Server = $Server.PSChildName + $UsernameHint = (Get-ItemProperty -Path "HKU:\$($UserSid)\Software\Microsoft\Terminal Server Client\Servers\$($Server)").UsernameHint + + $Key = $UserSid + "::::" + $Server + "::::" + $UsernameHint + + if (!$ReturnInfo.ContainsKey($Key)) + { + $SIDObj = New-Object System.Security.Principal.SecurityIdentifier($UserSid) + $User = ($SIDObj.Translate([System.Security.Principal.NTAccount])).Value + + $Properties = @{ + CurrentUser = $User + Server = $Server + UsernameHint = $UsernameHint + } + + $Item = New-Object PSObject -Property $Properties + $ReturnInfo.Add($Key, $Item) + } + } + } + + return $ReturnInfo +} diff --git a/Recon/Get-ComputerDetails.ps1 b/Recon/Get-ComputerDetails.ps1 deleted file mode 100644 index bd00deb..0000000 --- a/Recon/Get-ComputerDetails.ps1 +++ /dev/null 
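Review bot: In Find-PSScriptsInPSAppLog, `$User` is only assigned when a `User =` line matches, so a 4100 record without one leaves it either unset (an error under the `Set-StrictMode -Version 2` that the caller Get-ComputerDetail turns on) or carrying the previous record's value into `$Key`; add `$User = ""` beside `$FoundScriptName = $false` at the top of the outer foreach. Find-RDPClientConnection runs `New-PSDrive -Name HKU` unconditionally, which errors on a second call in the same session once the drive exists; guarding it with `if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) { New-PSDrive -Name HKU -PSProvider Registry -Root Registry::HKEY_USERS | Out-Null }` would make the function re-entrant. The `Translate([System.Security.Principal.NTAccount])` calls in Find-AppLockerLog and Find-RDPClientConnection throw for SIDs that no longer resolve, which aborts the whole collection rather than skipping that one record; a try/catch that falls back to the raw SID string would keep the rest of the output. The comment header of Find-PSScriptsInPSAppLog still reads `Function: Find-AppLockerLog` and should name the function it documents.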
@@ -1,574 +0,0 @@ -function Get-ComputerDetails -{ -<# -.SYNOPSIS - -This script is used to get useful information from a computer. - -Function: Get-ComputerDetails -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None - -.DESCRIPTION - -This script is used to get useful information from a computer. Currently, the script gets the following information: --Explicit Credential Logons (Event ID 4648) --Logon events (Event ID 4624) --AppLocker logs to find what processes are created --PowerShell logs to find PowerShell scripts which have been executed --RDP Client Saved Servers, which indicates what servers the user typically RDP's in to - -.PARAMETER ToString - -Switch: Outputs the data as text instead of objects, good if you are using this script through a backdoor. - -.EXAMPLE - -Get-ComputerDetails -Gets information about the computer and outputs it as PowerShell objects. - -Get-ComputerDetails -ToString -Gets information about the computer and outputs it as raw text. - -.NOTES -This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to. -You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files. 
- -.LINK - -Blog: http://clymb3r.wordpress.com/ -Github repo: https://github.com/clymb3r/PowerShell - -#> - - Param( - [Parameter(Position=0)] - [Switch] - $ToString - ) - - Set-StrictMode -Version 2 - - - - $SecurityLog = Get-EventLog -LogName Security - $Filtered4624 = Find-4624Logons $SecurityLog - $Filtered4648 = Find-4648Logons $SecurityLog - $AppLockerLogs = Find-AppLockerLogs - $PSLogs = Find-PSScriptsInPSAppLog - $RdpClientData = Find-RDPClientConnections - - if ($ToString) - { - Write-Output "Event ID 4624 (Logon):" - Write-Output $Filtered4624.Values | Format-List - Write-Output "Event ID 4648 (Explicit Credential Logon):" - Write-Output $Filtered4648.Values | Format-List - Write-Output "AppLocker Process Starts:" - Write-Output $AppLockerLogs.Values | Format-List - Write-Output "PowerShell Script Executions:" - Write-Output $PSLogs.Values | Format-List - Write-Output "RDP Client Data:" - Write-Output $RdpClientData.Values | Format-List - } - else - { - $Properties = @{ - LogonEvent4624 = $Filtered4624.Values - LogonEvent4648 = $Filtered4648.Values - AppLockerProcessStart = $AppLockerLogs.Values - PowerShellScriptStart = $PSLogs.Values - RdpClientData = $RdpClientData.Values - } - - $ReturnObj = New-Object PSObject -Property $Properties - return $ReturnObj - } -} - - -function Find-4648Logons -{ -<# -.SYNOPSIS - -Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the -the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful -for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action. - -Function: Find-4648Logons -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None - -.DESCRIPTION - -Retrieve the unique 4648 logon events. 
This will often find cases where a user is using remote desktop to connect to another computer. It will give the -the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful -for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action. - -.EXAMPLE - -Find-4648Logons -Gets the unique 4648 logon events. - -.NOTES - -.LINK - -Blog: http://clymb3r.wordpress.com/ -Github repo: https://github.com/clymb3r/PowerShell -#> - Param( - $SecurityLog - ) - - $ExplicitLogons = $SecurityLog | Where {$_.InstanceID -eq 4648} - $ReturnInfo = @{} - - foreach ($ExplicitLogon in $ExplicitLogons) - { - $Subject = $false - $AccountWhosCredsUsed = $false - $TargetServer = $false - $SourceAccountName = "" - $SourceAccountDomain = "" - $TargetAccountName = "" - $TargetAccountDomain = "" - $TargetServer = "" - foreach ($line in $ExplicitLogon.Message -split "\r\n") - { - if ($line -cmatch "^Subject:$") - { - $Subject = $true - } - elseif ($line -cmatch "^Account\sWhose\sCredentials\sWere\sUsed:$") - { - $Subject = $false - $AccountWhosCredsUsed = $true - } - elseif ($line -cmatch "^Target\sServer:") - { - $AccountWhosCredsUsed = $false - $TargetServer = $true - } - elseif ($Subject -eq $true) - { - if ($line -cmatch "\s+Account\sName:\s+(\S.*)") - { - $SourceAccountName = $Matches[1] - } - elseif ($line -cmatch "\s+Account\sDomain:\s+(\S.*)") - { - $SourceAccountDomain = $Matches[1] - } - } - elseif ($AccountWhosCredsUsed -eq $true) - { - if ($line -cmatch "\s+Account\sName:\s+(\S.*)") - { - $TargetAccountName = $Matches[1] - } - elseif ($line -cmatch "\s+Account\sDomain:\s+(\S.*)") - { - $TargetAccountDomain = $Matches[1] - } - } - elseif ($TargetServer -eq $true) - { - if ($line -cmatch "\s+Target\sServer\sName:\s+(\S.*)") - { - $TargetServer = $Matches[1] - } - } - } - - #Filter out logins that don't matter - if (-not ($TargetAccountName -cmatch "^DWM-.*" -and 
$TargetAccountDomain -cmatch "^Window\sManager$")) - { - $Key = $SourceAccountName + $SourceAccountDomain + $TargetAccountName + $TargetAccountDomain + $TargetServer - if (-not $ReturnInfo.ContainsKey($Key)) - { - $Properties = @{ - LogType = 4648 - LogSource = "Security" - SourceAccountName = $SourceAccountName - SourceDomainName = $SourceAccountDomain - TargetAccountName = $TargetAccountName - TargetDomainName = $TargetAccountDomain - TargetServer = $TargetServer - Count = 1 - Times = @($ExplicitLogon.TimeGenerated) - } - - $ResultObj = New-Object PSObject -Property $Properties - $ReturnInfo.Add($Key, $ResultObj) - } - else - { - $ReturnInfo[$Key].Count++ - $ReturnInfo[$Key].Times += ,$ExplicitLogon.TimeGenerated - } - } - } - - return $ReturnInfo -} - -function Find-4624Logons -{ -<# -.SYNOPSIS - -Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do -network logons in to the server, what accounts RDP in, what accounts log in locally, etc... - -Function: Find-4624Logons -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None - -.DESCRIPTION - -Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do -network logons in to the server, what accounts RDP in, what accounts log in locally, etc... - -.EXAMPLE - -Find-4624Logons -Find unique 4624 logon events. 
- -.NOTES - -.LINK - -Blog: http://clymb3r.wordpress.com/ -Github repo: https://github.com/clymb3r/PowerShell -#> - Param ( - $SecurityLog - ) - - $Logons = $SecurityLog | Where {$_.InstanceID -eq 4624} - $ReturnInfo = @{} - - foreach ($Logon in $Logons) - { - $SubjectSection = $false - $NewLogonSection = $false - $NetworkInformationSection = $false - $AccountName = "" - $AccountDomain = "" - $LogonType = "" - $NewLogonAccountName = "" - $NewLogonAccountDomain = "" - $WorkstationName = "" - $SourceNetworkAddress = "" - $SourcePort = "" - - foreach ($line in $Logon.Message -Split "\r\n") - { - if ($line -cmatch "^Subject:$") - { - $SubjectSection = $true - } - elseif ($line -cmatch "^Logon\sType:\s+(\S.*)") - { - $LogonType = $Matches[1] - } - elseif ($line -cmatch "^New\sLogon:$") - { - $SubjectSection = $false - $NewLogonSection = $true - } - elseif ($line -cmatch "^Network\sInformation:$") - { - $NewLogonSection = $false - $NetworkInformationSection = $true - } - elseif ($SubjectSection) - { - if ($line -cmatch "^\s+Account\sName:\s+(\S.*)") - { - $AccountName = $Matches[1] - } - elseif ($line -cmatch "^\s+Account\sDomain:\s+(\S.*)") - { - $AccountDomain = $Matches[1] - } - } - elseif ($NewLogonSection) - { - if ($line -cmatch "^\s+Account\sName:\s+(\S.*)") - { - $NewLogonAccountName = $Matches[1] - } - elseif ($line -cmatch "^\s+Account\sDomain:\s+(\S.*)") - { - $NewLogonAccountDomain = $Matches[1] - } - } - elseif ($NetworkInformationSection) - { - if ($line -cmatch "^\s+Workstation\sName:\s+(\S.*)") - { - $WorkstationName = $Matches[1] - } - elseif ($line -cmatch "^\s+Source\sNetwork\sAddress:\s+(\S.*)") - { - $SourceNetworkAddress = $Matches[1] - } - elseif ($line -cmatch "^\s+Source\sPort:\s+(\S.*)") - { - $SourcePort = $Matches[1] - } - } - } - - #Filter out logins that don't matter - if (-not ($NewLogonAccountDomain -cmatch "NT\sAUTHORITY" -or $NewLogonAccountDomain -cmatch "Window\sManager")) - { - $Key = $AccountName + $AccountDomain + 
$NewLogonAccountName + $NewLogonAccountDomain + $LogonType + $WorkstationName + $SourceNetworkAddress + $SourcePort - if (-not $ReturnInfo.ContainsKey($Key)) - { - $Properties = @{ - LogType = 4624 - LogSource = "Security" - SourceAccountName = $AccountName - SourceDomainName = $AccountDomain - NewLogonAccountName = $NewLogonAccountName - NewLogonAccountDomain = $NewLogonAccountDomain - LogonType = $LogonType - WorkstationName = $WorkstationName - SourceNetworkAddress = $SourceNetworkAddress - SourcePort = $SourcePort - Count = 1 - Times = @($Logon.TimeGenerated) - } - - $ResultObj = New-Object PSObject -Property $Properties - $ReturnInfo.Add($Key, $ResultObj) - } - else - { - $ReturnInfo[$Key].Count++ - $ReturnInfo[$Key].Times += ,$Logon.TimeGenerated - } - } - } - - return $ReturnInfo -} - - -function Find-AppLockerLogs -{ -<# -.SYNOPSIS - -Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run). - -Function: Find-AppLockerLogs -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None - -.DESCRIPTION - -Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run). - -.EXAMPLE - -Find-AppLockerLogs -Find process creations from AppLocker logs. 
- -.NOTES - -.LINK - -Blog: http://clymb3r.wordpress.com/ -Github repo: https://github.com/clymb3r/PowerShell -#> - $ReturnInfo = @{} - - $AppLockerLogs = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ErrorAction SilentlyContinue | Where {$_.Id -eq 8002} - - foreach ($Log in $AppLockerLogs) - { - $SID = New-Object System.Security.Principal.SecurityIdentifier($Log.Properties[7].Value) - $UserName = $SID.Translate( [System.Security.Principal.NTAccount]) - - $ExeName = $Log.Properties[10].Value - - $Key = $UserName.ToString() + "::::" + $ExeName - - if (!$ReturnInfo.ContainsKey($Key)) - { - $Properties = @{ - Exe = $ExeName - User = $UserName.Value - Count = 1 - Times = @($Log.TimeCreated) - } - - $Item = New-Object PSObject -Property $Properties - $ReturnInfo.Add($Key, $Item) - } - else - { - $ReturnInfo[$Key].Count++ - $ReturnInfo[$Key].Times += ,$Log.TimeCreated - } - } - - return $ReturnInfo -} - - -Function Find-PSScriptsInPSAppLog -{ -<# -.SYNOPSIS - -Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log). -You can then backdoor these scripts or do other malicious things. - -Function: Find-AppLockerLogs -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None - -.DESCRIPTION - -Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log). -You can then backdoor these scripts or do other malicious things. - -.EXAMPLE - -Find-PSScriptsInPSAppLog -Find unique PowerShell scripts being executed from the PowerShell operational log. 
- -.NOTES - -.LINK - -Blog: http://clymb3r.wordpress.com/ -Github repo: https://github.com/clymb3r/PowerShell -#> - $ReturnInfo = @{} - $Logs = Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -ErrorAction SilentlyContinue | Where {$_.Id -eq 4100} - - foreach ($Log in $Logs) - { - $ContainsScriptName = $false - $LogDetails = $Log.Message -split "`r`n" - - $FoundScriptName = $false - foreach($Line in $LogDetails) - { - if ($Line -imatch "^\s*Script\sName\s=\s(.+)") - { - $ScriptName = $Matches[1] - $FoundScriptName = $true - } - elseif ($Line -imatch "^\s*User\s=\s(.*)") - { - $User = $Matches[1] - } - } - - if ($FoundScriptName) - { - $Key = $ScriptName + "::::" + $User - - if (!$ReturnInfo.ContainsKey($Key)) - { - $Properties = @{ - ScriptName = $ScriptName - UserName = $User - Count = 1 - Times = @($Log.TimeCreated) - } - - $Item = New-Object PSObject -Property $Properties - $ReturnInfo.Add($Key, $Item) - } - else - { - $ReturnInfo[$Key].Count++ - $ReturnInfo[$Key].Times += ,$Log.TimeCreated - } - } - } - - return $ReturnInfo -} - - -Function Find-RDPClientConnections -{ -<# -.SYNOPSIS - -Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user -usually RDP's to. - -Function: Find-RDPClientConnections -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None - -.DESCRIPTION - -Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user -usually RDP's to. - -.EXAMPLE - -Find-RDPClientConnections -Find unique saved RDP client connections. 
- -.NOTES - -.LINK - -Blog: http://clymb3r.wordpress.com/ -Github repo: https://github.com/clymb3r/PowerShell -#> - $ReturnInfo = @{} - - New-PSDrive -Name HKU -PSProvider Registry -Root Registry::HKEY_USERS | Out-Null - - #Attempt to enumerate the servers for all users - $Users = Get-ChildItem -Path "HKU:\" - foreach ($UserSid in $Users.PSChildName) - { - $Servers = Get-ChildItem "HKU:\$($UserSid)\Software\Microsoft\Terminal Server Client\Servers" -ErrorAction SilentlyContinue - - foreach ($Server in $Servers) - { - $Server = $Server.PSChildName - $UsernameHint = (Get-ItemProperty -Path "HKU:\$($UserSid)\Software\Microsoft\Terminal Server Client\Servers\$($Server)").UsernameHint - - $Key = $UserSid + "::::" + $Server + "::::" + $UsernameHint - - if (!$ReturnInfo.ContainsKey($Key)) - { - $SIDObj = New-Object System.Security.Principal.SecurityIdentifier($UserSid) - $User = ($SIDObj.Translate([System.Security.Principal.NTAccount])).Value - - $Properties = @{ - CurrentUser = $User - Server = $Server - UsernameHint = $UsernameHint - } - - $Item = New-Object PSObject -Property $Properties - $ReturnInfo.Add($Key, $Item) - } - } - } - - return $ReturnInfo -} diff --git a/Recon/Get-HttpStatus.ps1 b/Recon/Get-HttpStatus.ps1 index 8b60306..b271efd 100644 --- a/Recon/Get-HttpStatus.ps1 +++ b/Recon/Get-HttpStatus.ps1 @@ -5,11 +5,11 @@ function Get-HttpStatus Returns the HTTP Status Codes and full URL for specified paths. -PowerSploit Function: Get-HttpStatus -Author: Chris Campbell (@obscuresec) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None +PowerSploit Function: Get-HttpStatus +Author: Chris Campbell (@obscuresec) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION 
@@ -42,7 +42,7 @@ C:\PS> Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL .NOTES HTTP Status Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error - + .LINK http://obscuresecurity.blogspot.com @@ -64,49 +64,54 @@ http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html [Switch] $UseSSL ) - + if (Test-Path $Path) { - + if ($UseSSL -and $Port -eq 0) { # Default to 443 if SSL is specified but no port is specified $Port = 443 - } elseif ($Port -eq 0) { + } + elseif ($Port -eq 0) { # Default to port 80 if no port is specified $Port = 80 } - + $TcpConnection = New-Object System.Net.Sockets.TcpClient Write-Verbose "Path Test Succeeded - Testing Connectivity" - + try { # Validate that the host is listening before scanning $TcpConnection.Connect($Target, $Port) - } catch { + } + catch { Write-Error "Connection Test Failed - Check Target" $Tcpconnection.Close() - Return + Return } - + $Tcpconnection.Close() - } else { + } + else { Write-Error "Path Test Failed - Check Dictionary Path" Return } - + if ($UseSSL) { $SSL = 's' # Ignore invalid SSL certificates [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True } - } else { + } + else { $SSL = '' } - + if (($Port -eq 80) -or ($Port -eq 443)) { $PortNum = '' - } else { + } + else { $PortNum = ":$Port" } - + # Check Http status for each entry in the doctionary file foreach ($Item in Get-Content $Path) { 
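Review bot: The restyled `if ($UseSSL)` branch still sets `[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }`, which turns off certificate validation for every later HTTPS request in the process, not only this scan, and nothing in the function restores it. Saving the previous callback before that assignment and putting it back in a `finally` after the dictionary loop (or at least stating the process-wide side effect in the -UseSSL help text) would contain it. The Param block above and the request loop below lie outside this hunk.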
@@ -117,24 +122,23 @@ http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html $WebRequest = [System.Net.WebRequest]::Create($URI) $WebResponse = $WebRequest.GetResponse() $WebStatus = $WebResponse.StatusCode - $ResultObject += $ScanObject $WebResponse.Close() - } catch { + } + catch { $WebStatus = $Error[0].Exception.InnerException.Response.StatusCode - - if ($WebStatus -eq $null) { + + if (-not $WebStatus) { # Not every exception returns a StatusCode. # If that is the case, return the Status. $WebStatus = $Error[0].Exception.InnerException.Status } - } - + } + $Result = @{ Status = $WebStatus; URL = $WebTarget} - + $ScanObject = New-Object -TypeName PSObject -Property $Result - + Write-Output $ScanObject - } } diff --git a/Recon/Invoke-Portscan.ps1 b/Recon/Invoke-Portscan.ps1 index 6f059e2..7e28709 100644 --- a/Recon/Invoke-Portscan.ps1 +++ b/Recon/Invoke-Portscan.ps1 @@ -5,11 +5,11 @@ function Invoke-Portscan Simple portscan module -PowerSploit Function: Invoke-Portscan -Author: Rich Lundeen (http://webstersProdigy.net) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None +PowerSploit Function: Invoke-Portscan +Author: Rich Lundeen (http://webstersProdigy.net) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION @@ -114,7 +114,7 @@ Force Overwrite if output Files exist. Otherwise it throws exception .EXAMPLE -C:\PS> Invoke-Portscan -Hosts "webstersprodigy.net,google.com,microsoft.com" -TopPorts 50 +Invoke-Portscan -Hosts "webstersprodigy.net,google.com,microsoft.com" -TopPorts 50 Description ----------- @@ -122,7 +122,7 @@ Scans the top 50 ports for hosts found for webstersprodigy.net,google.com, and m .EXAMPLE -C:\PS> echo webstersprodigy.net | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080" +echo webstersprodigy.net | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080" Description ----------- 
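Review bot: The reformatted catch still takes the status from `$Error[0].Exception.InnerException.Response.StatusCode` instead of from the record that was actually caught; inside a catch `$_` is that ErrorRecord, so `$WebStatus = $_.Exception.InnerException.Response.StatusCode` (and the same for the `.Status` fallback) cannot pick up an unrelated error that happened to be logged last. Replacing `-eq $null` with `-not $WebStatus` is behaviour-preserving only because no HttpStatusCode member is zero; a comment such as `# StatusCode is never 0, so a falsy value means no status was returned` would record that. The `try` and the surrounding `foreach` start before this hunk.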
@@ -130,7 +130,7 @@ Does a portscan of "webstersprodigy.net", and writes a greppable output file .EXAMPLE -C:\PS> Invoke-Portscan -Hosts 192.168.1.1/24 -T 4 -TopPorts 25 -oA localnet +Invoke-Portscan -Hosts 192.168.1.1/24 -T 4 -TopPorts 25 -oA localnet Description ----------- @@ -141,7 +141,13 @@ Scans the top 20 ports for hosts found in the 192.168.1.1/24 range, outputs all http://webstersprodigy.net #> - [CmdletBinding()]Param ( + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseSingularNouns', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseLiteralInitializerForHashtable', '')] + [CmdletBinding()] + Param ( #Host, Ports [Parameter(ParameterSetName="cmdHosts", @@ -748,9 +754,9 @@ http://webstersprodigy.net #TODO deal with output Write-PortscanOut -comment $startMsg -grepStream $grepStream -xmlStream $xmlStream -readableStream $readableStream - #converting back from int array gives some argument error checking - $sPortList = [string]::join(",", $portList) - $sHostPortList = [string]::join(",", $hostPortList) + # #converting back from int array gives some argument error checking + # $sPortList = [string]::join(",", $portList) + # $sHostPortList = [string]::join(",", $hostPortList) ######## #Port Scan Code - run on a per host basis @@ -840,7 +846,6 @@ http://webstersprodigy.net $sockets[$p] = new-object System.Net.Sockets.TcpClient } - $scriptBlockAsString = @" #somewhat of a race condition with the timeout, but I don't think it matters 
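Review bot: The new `SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')` and `'PSShouldProcess'` lines silence the analyzer on a function whose examples in this same file write a greppable output file with -oG and all file formats with -oA, and whose @@ -114 hunk header reads `Force Overwrite if output Files exist. Otherwise it throws exception`; overwriting files is exactly what ShouldProcess (-WhatIf/-Confirm) is meant to gate. If adopting `[CmdletBinding(SupportsShouldProcess)]` is out of scope, a one-line comment above the attributes saying so (e.g. `# ShouldProcess deliberately not wired up; file output is opt-in and overwrites are gated by the force-overwrite switch`) keeps the suppression from reading as an oversight. The Param block this attribute list decorates continues past the hunk.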
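Review bot: Commenting out `$sPortList = [string]::join(",", $portList)` and the `$sHostPortList` line rather than deleting them leaves dead code behind a `#`, while the comment above them still claims the join provides argument error checking for the integer port arrays. If that checking is still wanted it should be an explicit validation step; if the two variables were simply unused, delete all three lines. The Write-PortscanOut call is the last visible line before them and the per-host scan code follows the hunk, so whether anything else consumes `$sPortList` cannot be confirmed here.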
@@ -885,8 +890,7 @@ http://webstersprodigy.net $timeouts[$p].Enabled = $true $myscriptblock = [scriptblock]::Create($scriptBlockAsString) - $x = $sockets[$p].beginConnect($h, $p,(New-ScriptBlockCallback($myscriptblock)) , $null) - + $Null = $sockets[$p].beginConnect($h, $p,(New-ScriptBlockCallback($myscriptblock)) , $null) } function PortScan-Alive diff --git a/Recon/Invoke-ReverseDnsLookup.ps1 b/Recon/Invoke-ReverseDnsLookup.ps1 index 5e811ee..36e6398 100644 --- a/Recon/Invoke-ReverseDnsLookup.ps1 +++ b/Recon/Invoke-ReverseDnsLookup.ps1 @@ -5,23 +5,23 @@ function Invoke-ReverseDnsLookup Perform a reverse DNS lookup scan on a range of IP addresses. -PowerSploit Function: Invoke-ReverseDnsLookup -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None - +PowerSploit Function: Invoke-ReverseDnsLookup +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + .DESCRIPTION -Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script is useful for performing DNS reconnaisance prior to conducting an authorized penetration test. - +Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script is useful for performing DNS reconnaissance prior to conducting an authorized penetration test. + .PARAMETER IPRange Specifies the IP address range. The range provided can be in the form of a single IP address, a low-high range, or a CIDR range. Comma-delimited ranges may can be provided. - + .EXAMPLE -C:\PS> Invoke-ReverseDnsLookup 74.125.228.0/29 +Invoke-ReverseDnsLookup 74.125.228.0/29 IP HostName -- -------- 
@@ -31,29 +31,29 @@ IP HostName 74.125.228.4 iad23s05-in-f4.1e100.net 74.125.228.5 iad23s05-in-f5.1e100.net 74.125.228.6 iad23s05-in-f6.1e100.net - + Description ----------- Returns the hostnames of the IP addresses specified by the CIDR range. - + .EXAMPLE -C:\PS> Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6' - +Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6' + IP HostName -- -------- 74.125.228.1 iad23s05-in-f1.1e100.net 74.125.228.4 iad23s05-in-f4.1e100.net 74.125.228.5 iad23s05-in-f5.1e100.net 74.125.228.6 iad23s05-in-f6.1e100.net - + Description ----------- Returns the hostnames of the IP addresses specified by the IP range specified. .EXAMPLE -PS C:\> Write-Output "74.125.228.1,74.125.228.0/29" | Invoke-ReverseDnsLookup +Write-Output "74.125.228.1,74.125.228.0/29" | Invoke-ReverseDnsLookup IP HostName -- -------- @@ -69,13 +69,15 @@ Description ----------- Returns the hostnames of the IP addresses piped from another source. - .LINK http://www.exploit-monday.com https://github.com/mattifestation/PowerSploit #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '')] + [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True,ValueFromPipeline=$True)] [String] @@ -83,14 +85,14 @@ https://github.com/mattifestation/PowerSploit ) BEGIN { - + function Parse-IPList ([String] $IpRange) { - + function IPtoInt { Param([String] $IpString) - + $Hexstr = "" $Octets = $IpString.Split(".") foreach ($Octet in $Octets) { @@ -98,7 +100,7 @@ https://github.com/mattifestation/PowerSploit } return [Convert]::ToInt64($Hexstr, 16) } - + function InttoIP { Param([Int64] $IpInt) 
@@ -110,15 +112,15 @@ https://github.com/mattifestation/PowerSploit } return $IpStr.TrimEnd('.') } - + $Ip = [System.Net.IPAddress]::Parse("127.0.0.1") - + foreach ($Str in $IpRange.Split(",")) { $Item = $Str.Trim() $Result = "" $IpRegex = "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" - + # First, validate the input switch -regex ($Item) { @@ -139,11 +141,11 @@ https://github.com/mattifestation/PowerSploit } default { - Write-Warning "Inproper input" + Write-Warning "Improper input" return } } - + #Now, start processing the IP addresses switch ($Result) { @@ -152,14 +154,14 @@ https://github.com/mattifestation/PowerSploit $CidrRange = $Item.Split("/") $Network = $CidrRange[0] $Mask = $CidrRange[1] - + if (!([System.Net.IPAddress]::TryParse($Network, [ref] $Ip))) { Write-Warning "Invalid IP address supplied!"; return} if (($Mask -lt 0) -or ($Mask -gt 30)) { Write-Warning "Invalid network mask! Acceptable values are 0-30"; return} - + $BinaryIP = [Convert]::ToString((IPtoInt $Network),2).PadLeft(32,'0') #Generate lower limit (Excluding network address) $Lower = $BinaryIP.Substring(0, $Mask) + "0" * ((32-$Mask)-1) + "1" - #Generate upperr limit (Excluding broadcast address) + #Generate upper limit (Excluding broadcast address) $Upper = $BinaryIP.Substring(0, $Mask) + "1" * ((32-$Mask)-1) + "0" $LowerInt = [Convert]::ToInt64($Lower, 2) $UpperInt = [Convert]::ToInt64($Upper, 2) 
@@ -168,21 +170,21 @@ https://github.com/mattifestation/PowerSploit "range" { $Range = $item.Split("-") - + if ([System.Net.IPAddress]::TryParse($Range[0],[ref]$Ip)) { $Temp1 = $Ip } else { Write-Warning "Invalid IP address supplied!"; return } - + if ([System.Net.IPAddress]::TryParse($Range[1],[ref]$Ip)) { $Temp2 = $Ip } else { Write-Warning "Invalid IP address supplied!"; return } - + $Left = (IPtoInt $Temp1.ToString()) $Right = (IPtoInt $Temp2.ToString()) - + if ($Right -gt $Left) { for ($i = $Left; $i -le $Right; $i++) { InttoIP $i } } else { Write-Warning "Invalid IP range. The right portion must be greater than the left portion."; return} - + break } "single" @@ -193,28 +195,30 @@ https://github.com/mattifestation/PowerSploit } default { - Write-Warning "An error occured." + Write-Warning "An error occurred." return } } } - } } - + PROCESS { Parse-IPList $IpRange | ForEach-Object { try { Write-Verbose "Resolving $_" $Temp = [System.Net.Dns]::GetHostEntry($_) - + $Result = @{ IP = $_ HostName = $Temp.HostName } - + New-Object PSObject -Property $Result - } catch [System.Net.Sockets.SocketException] {} + } + catch [System.Net.Sockets.SocketException] { + Write-Verbose "Error: $_" + } } } } diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1 index eecf62f..49ee9c7 100755 --- a/Recon/PowerView.ps1 +++ b/Recon/PowerView.ps1 @@ -859,7 +859,7 @@ function Export-PowerViewCSV { <# .SYNOPSIS -Converts objects into a series of comma-separated (CSV) strings and saves the +Converts objects into a series of comma-separated (CSV) strings and saves the strings in a CSV file in a thread-safe manner. Author: Will Schroeder (@harmj0y) diff --git a/Recon/Recon.psd1 b/Recon/Recon.psd1 index 71667c0..d0a4148 100644 --- a/Recon/Recon.psd1 +++ b/Recon/Recon.psd1 
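Review bot: In the new `catch [System.Net.Sockets.SocketException] { Write-Verbose "Error: $_" }`, `$_` is the caught ErrorRecord rather than the address being resolved, so the verbose line names the failure but not which IP it belongs to. Assigning `$Address = $_` before the `try` and writing `Write-Verbose "Error resolving ${Address}: $_"` keeps the two together; today a reader must pair it with the earlier `Write-Verbose "Resolving $_"` line. Only SocketException is caught, so other lookup failures appear to still propagate, which seems to be the existing behaviour rather than something this change alters.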
@@ -98,7 +98,7 @@ FunctionsToExport = @(
 'Get-DomainForeignUser',
 'Get-DomainForeignGroupMember',
 'Get-DomainTrustMapping',
- 'Get-ComputerDetails',
+ 'Get-ComputerDetail',
 'Get-HttpStatus',
 'Invoke-Portscan',
 'Invoke-ReverseDnsLookup'
diff --git a/docs/Recon/Export-PowerViewCSV.md b/docs/Recon/Export-PowerViewCSV.md
index 1597249..d2d2a89 100755
--- a/docs/Recon/Export-PowerViewCSV.md
+++ b/docs/Recon/Export-PowerViewCSV.md
@@ -1,7 +1,7 @@
 # Export-PowerViewCSV
 
 ## SYNOPSIS
-Converts objects into a series of comma-separated (CSV) strings and saves the
+Converts objects into a series of comma-separated (CSV) strings and saves the
 strings in a CSV file in a thread-safe manner.
 
 Author: Will Schroeder (@harmj0y)
diff --git a/docs/Recon/Get-ComputerDetail.md b/docs/Recon/Get-ComputerDetail.md
new file mode 100755
index 0000000..15a3feb
--- /dev/null
+++ b/docs/Recon/Get-ComputerDetail.md
@@ -0,0 +1,68 @@
+# Get-ComputerDetail
+
+## SYNOPSIS
+This script is used to get useful information from a computer.
+
+Function: Get-ComputerDetail
+Author: Joe Bialek, Twitter: @JosephBialek
+Required Dependencies: None
+Optional Dependencies: None
+
+## SYNTAX
+
+```
+Get-ComputerDetail [-ToString]
+```
+
+## DESCRIPTION
+This script is used to get useful information from a computer.
+Currently, the script gets the following information:
+-Explicit Credential Logons (Event ID 4648)
+-Logon events (Event ID 4624)
+-AppLocker logs to find what processes are created
+-PowerShell logs to find PowerShell scripts which have been executed
+-RDP Client Saved Servers, which indicates what servers the user typically RDP's in to
+
+## EXAMPLES
+
+### -------------------------- EXAMPLE 1 --------------------------
+```
+Get-ComputerDetail
+```
+
+Gets information about the computer and outputs it as PowerShell objects.
+
+Get-ComputerDetail -ToString
+Gets information about the computer and outputs it as raw text.
+
+## PARAMETERS
+
+### -ToString
+Switch: Outputs the data as text instead of objects, good if you are using this script through a backdoor.
+
+```yaml
+Type: SwitchParameter
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: 1
+Default value: False
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+## INPUTS
+
+## OUTPUTS
+
+## NOTES
+This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to.
+You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files.
+
+## RELATED LINKS
+
+[Blog: http://clymb3r.wordpress.com/
+Github repo: https://github.com/clymb3r/PowerShell](Blog: http://clymb3r.wordpress.com/
+Github repo: https://github.com/clymb3r/PowerShell)
+
diff --git a/docs/Recon/Get-ComputerDetails.md b/docs/Recon/Get-ComputerDetails.md
deleted file mode 100755
index 6bc3e91..0000000
--- a/docs/Recon/Get-ComputerDetails.md
+++ /dev/null
@@ -1,68 +0,0 @@
-# Get-ComputerDetails
-
-## SYNOPSIS
-This script is used to get useful information from a computer.
-
-Function: Get-ComputerDetails
-Author: Joe Bialek, Twitter: @JosephBialek
-Required Dependencies: None
-Optional Dependencies: None
-
-## SYNTAX
-
-```
-Get-ComputerDetails [-ToString]
-```
-
-## DESCRIPTION
-This script is used to get useful information from a computer.
-Currently, the script gets the following information:
--Explicit Credential Logons (Event ID 4648)
--Logon events (Event ID 4624)
--AppLocker logs to find what processes are created
--PowerShell logs to find PowerShell scripts which have been executed
--RDP Client Saved Servers, which indicates what servers the user typically RDP's in to
-
-## EXAMPLES
-
-### -------------------------- EXAMPLE 1 --------------------------
-```
-Get-ComputerDetails
-```
-
-Gets information about the computer and outputs it as PowerShell objects.
-
-Get-ComputerDetails -ToString
-Gets information about the computer and outputs it as raw text.
-
-## PARAMETERS
-
-### -ToString
-Switch: Outputs the data as text instead of objects, good if you are using this script through a backdoor.
-
-```yaml
-Type: SwitchParameter
-Parameter Sets: (All)
-Aliases:
-
-Required: False
-Position: 1
-Default value: False
-Accept pipeline input: False
-Accept wildcard characters: False
-```
-
-## INPUTS
-
-## OUTPUTS
-
-## NOTES
-This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to.
-You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files.
-
-## RELATED LINKS
-
-[Blog: http://clymb3r.wordpress.com/
-Github repo: https://github.com/clymb3r/PowerShell](Blog: http://clymb3r.wordpress.com/
-Github repo: https://github.com/clymb3r/PowerShell)
-
diff --git a/docs/Recon/Get-HttpStatus.md b/docs/Recon/Get-HttpStatus.md
index a8a7dbb..4311983 100755
--- a/docs/Recon/Get-HttpStatus.md
+++ b/docs/Recon/Get-HttpStatus.md
@@ -3,10 +3,10 @@
 ## SYNOPSIS
 Returns the HTTP Status Codes and full URL for specified paths.
 
-PowerSploit Function: Get-HttpStatus
-Author: Chris Campbell (@obscuresec)
-License: BSD 3-Clause
-Required Dependencies: None
+PowerSploit Function: Get-HttpStatus
+Author: Chris Campbell (@obscuresec)
+License: BSD 3-Clause
+Required Dependencies: None
 Optional Dependencies: None
 
 ## SYNTAX
diff --git a/docs/Recon/Invoke-Portscan.md b/docs/Recon/Invoke-Portscan.md
index 49d9e32..8e1ef27 100755
--- a/docs/Recon/Invoke-Portscan.md
+++ b/docs/Recon/Invoke-Portscan.md
@@ -3,10 +3,10 @@
 ## SYNOPSIS
 Simple portscan module
 
-PowerSploit Function: Invoke-Portscan
-Author: Rich Lundeen (http://webstersProdigy.net)
-License: BSD 3-Clause
-Required Dependencies: None
+PowerSploit Function: Invoke-Portscan
+Author: Rich Lundeen (http://webstersProdigy.net)
+License: BSD 3-Clause
+Required Dependencies: None
 Optional Dependencies: None
 
 ## SYNTAX
diff --git a/docs/Recon/Invoke-ReverseDnsLookup.md b/docs/Recon/Invoke-ReverseDnsLookup.md
index 348ad91..2c74e3c 100755
--- a/docs/Recon/Invoke-ReverseDnsLookup.md
+++ b/docs/Recon/Invoke-ReverseDnsLookup.md
@@ -3,10 +3,10 @@
 ## SYNOPSIS
 Perform a reverse DNS lookup scan on a range of IP addresses.
 
-PowerSploit Function: Invoke-ReverseDnsLookup
-Author: Matthew Graeber (@mattifestation)
-License: BSD 3-Clause
-Required Dependencies: None
+PowerSploit Function: Invoke-ReverseDnsLookup
+Author: Matthew Graeber (@mattifestation)
+License: BSD 3-Clause
+Required Dependencies: None
 Optional Dependencies: None
 
 ## SYNTAX
@@ -17,7 +17,7 @@ Invoke-ReverseDnsLookup [-IpRange]
 
 ## DESCRIPTION
 Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records.
-This script is useful for performing DNS reconnaisance prior to conducting an authorized penetration test.
+This script is useful for performing DNS reconnaissance prior to conducting an authorized penetration test.
 
 ## EXAMPLES
 
@@ -34,7 +34,7 @@ IP HostName
 74.125.228.4 iad23s05-in-f4.1e100.net
 74.125.228.5 iad23s05-in-f5.1e100.net
 74.125.228.6 iad23s05-in-f6.1e100.net
-
+
 Description
 -----------
 Returns the hostnames of the IP addresses specified by the CIDR range.
@@ -50,7 +50,7 @@ IP HostName
 74.125.228.4 iad23s05-in-f4.1e100.net
 74.125.228.5 iad23s05-in-f5.1e100.net
 74.125.228.6 iad23s05-in-f6.1e100.net
-
+
 Description
 -----------
 Returns the hostnames of the IP addresses specified by the IP range specified.
diff --git a/docs/Recon/Set-DomainObject.md b/docs/Recon/Set-DomainObject.md
index 482d86d..8cb283b 100755
--- a/docs/Recon/Set-DomainObject.md
+++ b/docs/Recon/Set-DomainObject.md
@@ -12,8 +12,7 @@ Required Dependencies: Get-DomainObject
 
 ```
 Set-DomainObject [[-Identity] ] [-Set ] [-XOR ] [-Clear ] [-Domain ] [-LDAPFilter ] [-SearchBase ] [-Server ] [-SearchScope ]
- [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone]
- [-Credential ]
+ [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ]
 ```
 
 ## DESCRIPTION
@@ -281,21 +280,6 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
-### -SecurityMasks
-{{Fill SecurityMasks Description}}
-
-```yaml
-Type: String
-Parameter Sets: (All)
-Aliases:
-
-Required: False
-Position: Named
-Default value: None
-Accept pipeline input: False
-Accept wildcard characters: False
-```
-
 ### -Tombstone
 Switch. Specifies that the searcher should also return deleted/tombstoned objects.
@@ -332,14 +316,6 @@ Accept wildcard characters: False
 
 ## OUTPUTS
 
-### PowerView.ADObject
-
-Custom PSObject with translated AD object property fields, if -PassThru is enabled.
-
-PowerView.ADObject.Raw
-
-The raw DirectoryServices.SearchResult object, if -PassThru and -Raw are enabled.
-
 ## NOTES
 
 ## RELATED LINKS
diff --git a/docs/Recon/index.md b/docs/Recon/index.md
old mode 100644
new mode 100755
diff --git a/mkdocs.yml b/mkdocs.yml
index a24f7e4..f4a0608 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -81,7 +81,7 @@ pages:
 - Get-DomainForeignUser: 'Recon/Get-DomainForeignUser.md'
 - Get-DomainForeignGroupMember: 'Recon/Get-DomainForeignGroupMember.md'
 - Get-DomainTrustMapping: 'Recon/Get-DomainTrustMapping.md'
- - Get-ComputerDetails: 'Recon/Get-ComputerDetails.md'
+ - Get-ComputerDetail: 'Recon/Get-ComputerDetail.md'
 - Get-HttpStatus: 'Recon/Get-HttpStatus.md'
 - Invoke-Portscan: 'Recon/Invoke-Portscan.md'
 - Invoke-ReverseDnsLookup: 'Recon/Invoke-ReverseDnsLookup.md'
--
cgit v1.2.3