From 9033f2f544785573f5924e6843d709193321c644 Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Mon, 12 Dec 2016 21:58:50 -0500 Subject: Another try at getting readthedocs.io working --- docs/Recon/index.md | 125 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 125 insertions(+) create mode 100644 docs/Recon/index.md (limited to 'docs/Recon/index.md') diff --git a/docs/Recon/index.md b/docs/Recon/index.md new file mode 100644 index 0000000..acc2627 --- /dev/null +++ b/docs/Recon/index.md 
@@ -0,0 +1,125 @@ +To install this module, drop the entire Recon folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. + +The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" +The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" + +To use the module, type `Import-Module Recon` + +To see the commands imported, type `Get-Command -Module Recon` + +For help on each individual command, Get-Help is your friend. + +Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. + + +## PowerView + +PowerView is a PowerShell tool to gain network situational awareness on +Windows domains. It contains a set of pure-PowerShell replacements for various +windows "net *" commands, which utilize PowerShell AD hooks and underlying +Win32 API functions to perform useful Windows domain functionality. + +It also implements various useful metafunctions, including some custom-written +user-hunting functions which will identify where on the network specific users +are logged into. It can also check which machines on the domain the current +user has local administrator access on. Several functions for the enumeration +and abuse of domain trusts also exist. See function descriptions for appropriate +usage and available options. For detailed output of underlying functionality, pass +the -Verbose or -Debug flags. + +For functions that enumerate multiple machines, pass the -Verbose flag to get a +progress status as each host is enumerated. Most of the "meta" functions accept +an array of hosts from the pipeline. 
+ + +### Misc Functions: + Export-PowerViewCSV - thread-safe CSV append + Resolve-IPAddress - resolves a hostname to an IP + ConvertTo-SID - converts a given user/group name to a security identifier (SID) + Convert-ADName - converts object names between a variety of formats + ConvertFrom-UACValue - converts a UAC int value to human readable form + Add-RemoteConnection - pseudo "mounts" a connection to a remote path using the specified credential object + Remove-RemoteConnection - destroys a connection created by New-RemoteConnection + Invoke-UserImpersonation - creates a new "runas /netonly" type logon and impersonates the token + Invoke-RevertToSelf - reverts any token impersonation + Get-DomainSPNTicket - request the kerberos ticket for a specified service principal name (SPN) + Invoke-Kerberoast - requests service tickets for kerberoast-able accounts and returns extracted ticket hashes + Get-PathAcl - get the ACLs for a local/remote file path with optional group recursion + + +### Domain/LDAP Functions: + Get-DomainDNSZone - enumerates the Active Directory DNS zones for a given domain + Get-DomainDNSRecord - enumerates the Active Directory DNS records for a given zone + Get-Domain - returns the domain object for the current (or specified) domain + Get-DomainController - return the domain controllers for the current (or specified) domain + Get-Forest - returns the forest object for the current (or specified) forest + Get-ForestDomain - return all domains for the current (or specified) forest + Get-ForestGlobalCatalog - return all global catalogs for the current (or specified) forest + Find-DomainObjectPropertyOutlier- inds user/group/computer objects in AD that have 'outlier' properties set + Get-DomainUser - return all users or specific user objects in AD + New-DomainUser - creates a new domain user (assuming appropriate permissions) and returns the user object + Get-DomainUserEvent - enumerates account logon events (ID 4624) and Logon with explicit credential 
events + Get-DomainComputer - returns all computers or specific computer objects in AD + Get-DomainObject - returns all (or specified) domain objects in AD + Set-DomainObject - modifies a gven property for a specified active directory object + Get-DomainObjectAcl - returns the ACLs associated with a specific active directory object + Add-DomainObjectAcl - adds an ACL for a specific active directory object + Find-InterestingDomainAcl - finds object ACLs in the current (or specified) domain with modification rights set to non-built in objects + Get-DomainOU - search for all organization units (OUs) or specific OU objects in AD + Get-DomainSite - search for all sites or specific site objects in AD + Get-DomainSubnet - search for all subnets or specific subnets objects in AD + Get-DomainSID - returns the SID for the current domain or the specified domain + Get-DomainGroup - return all groups or specific group objects in AD + New-DomainGroup - creates a new domain group (assuming appropriate permissions) and returns the group object + Get-DomainManagedSecurityGroup - returns all security groups in the current (or target) domain that have a manager set + Get-DomainGroupMember - return the members of a specific domain group + Add-DomainGroupMember - adds a domain user (or group) to an existing domain group, assuming appropriate permissions to do so + Get-DomainFileServer - returns a list of servers likely functioning as file servers + Get-DomainDFSShare - returns a list of all fault-tolerant distributed file systems for the current (or specified) domain + + +### GPO functions + + Get-DomainGPO - returns all GPOs or specific GPO objects in AD + Get-DomainGPOLocalGroup - returns all GPOs in a domain that modify local group memberships through 'Restricted Groups' or Group Policy preferences + Get-DomainGPOUserLocalGroupMapping - enumerates the machines where a specific domain user/group is a member of a specific local group, all through GPO correlation + 
Get-DomainGPOComputerLocalGroupMapping - takes a computer (or GPO) object and determines what users/groups are in the specified local group for the machine through GPO correlation + Get-DomainPolicy - returns the default domain policy or the domain controller policy for the current domain or a specified domain/domain controller + + +### Computer Enumeration Functions + + Get-NetLocalGroup - enumerates the local groups on the local (or remote) machine + Get-NetLocalGroupMember - enumerates members of a specific local group on the local (or remote) machine + Get-NetShare - returns open shares on the local (or a remote) machine + Get-NetLoggedon - returns users logged on the local (or a remote) machine + Get-NetSession - returns session information for the local (or a remote) machine + Get-RegLoggedOn - returns who is logged onto the local (or a remote) machine through enumeration of remote registry keys + Get-NetRDPSession - returns remote desktop/session information for the local (or a remote) machine + Test-AdminAccess - rests if the current user has administrative access to the local (or a remote) machine + Get-NetComputerSiteName - returns the AD site where the local (or a remote) machine resides + Get-WMIRegProxy - enumerates the proxy server and WPAD conents for the current user + Get-WMIRegLastLoggedOn - returns the last user who logged onto the local (or a remote) machine + Get-WMIRegCachedRDPConnection - returns information about RDP connections outgoing from the local (or remote) machine + Get-WMIRegMountedDrive - returns information about saved network mounted drives for the local (or remote) machine + Get-WMIProcess - returns a list of processes and their owners on the local or remote machine + Find-InterestingFile - searches for files on the given path that match a series of specified criteria + + +### Threaded 'Meta'-Functions + + Find-DomainUserLocation - finds domain machines where specific users are logged into + Find-DomainProcess - finds domain 
machines where specific processes are currently running + Find-DomainUserEvent - finds logon events on the current (or remote domain) for the specified users + Find-DomainShare - finds reachable shares on domain machines + Find-InterestingDomainShareFile - searches for files matching specific criteria on readable shares in the domain + Find-LocalAdminAccess - finds machines on the local domain where the current user has local administrator access + Find-DomainLocalGroupMember - enumerates the members of specified local group on machines in the domain + + +### Domain Trust Functions: + Get-DomainTrust - returns all domain trusts for the current domain or a specified domain + Get-ForestTrust - returns all forest trusts for the current forest or a specified forest + Get-DomainForeignUser - enumerates users who are in groups outside of the user's domain + Get-DomainForeignGroupMember - enumerates groups with users outside of the group's domain and returns each foreign member + Get-DomainTrustMapping - this function enumerates all trusts for the current domain and then enumerates all trusts for each domain it finds -- cgit v1.2.3 From f4f5fb1460a8163e333c9e5462df6d3ab27a53a6 Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Tue, 13 Dec 2016 16:00:28 -0500 Subject: Added Set-DomainUserPassword to reset a particular user's password. Reformatted documentation. --- README.md | 2 +- Recon/PowerView.ps1 | 113 ++++++++++++++++++ Recon/README.md | 1 + Recon/Recon.psd1 | 1 + docs/Recon/Set-DomainUserPassword.md | 127 ++++++++++++++++++++ docs/Recon/index.md | 14 --- docs/index.md | 223 +++++++++-------------------------- mkdocs.yml | 1 + 8 files changed, 298 insertions(+), 184 deletions(-) create mode 100755 docs/Recon/Set-DomainUserPassword.md (limited to 'docs/Recon/index.md') diff --git a/README.md b/README.md index c348b9e..60ac90f 100644 --- a/README.md +++ b/README.md 
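Review bot: Several function descriptions in the docs/Recon/index.md hunk carry typos that the generated site will inherit: `Find-DomainObjectPropertyOutlier- inds user/group/computer objects` is missing the space before the dash and the `f` in `finds`; `Set-DomainObject - modifies a gven property` should read `given`; `Test-AdminAccess - rests if the current user` should read `tests`; and `Get-WMIRegProxy - enumerates the proxy server and WPAD conents` should read `contents`. In the same hunk, `Remove-RemoteConnection - destroys a connection created by New-RemoteConnection` names a function that does not appear in the list; the counterpart two lines above is `Add-RemoteConnection`, so one of the two names is wrong and the pair should be made consistent before the page is published.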
@@ -132,7 +132,7 @@ Displays Windows vault credential objects including cleartext web credentials. Generates a full-memory minidump of a process. -#### 'Get-MicrophoneAudio' +#### `Get-MicrophoneAudio` Records audio from system microphone and saves to disk diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1 index 32aa10f..5d404f3 100755 --- a/Recon/PowerView.ps1 +++ b/Recon/PowerView.ps1 
@@ -4894,6 +4894,119 @@ http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices- } +function Set-DomainUserPassword { +<# +.SYNOPSIS + +Sets the password for a given user identity and returns the user object. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-PrincipalContext + +.DESCRIPTION + +First binds to the specified domain context using Get-PrincipalContext. +The bound domain context is then used to search for the specified user -Identity, +which returns a DirectoryServices.AccountManagement.UserPrincipal object. The +SetPassword() function is then invoked on the user, setting the password to -AccountPassword. + +.PARAMETER Identity + +A user SamAccountName (e.g. User1), DistinguishedName (e.g. CN=user1,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1113), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +specifying the user to reset the password for. + +.PARAMETER AccountPassword + +Specifies the password to reset the target user's to. Mandatory. + +.PARAMETER Domain + +Specifies the domain to use to search for the user identity, defaults to the current domain. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.EXAMPLE + +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword + +Resets the password for 'andy' to the password specified. + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword -Credential $Cred + +Resets the password for 'andy' usering the alternate credentials specified. 
+ +.OUTPUTS + +DirectoryServices.AccountManagement.UserPrincipal + +.LINK + +http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/ +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('DirectoryServices.AccountManagement.UserPrincipal')] + Param( + [Parameter(Position = 0, Mandatory = $True)] + [Alias('UserName', 'UserIdentity', 'User')] + [String] + $Identity, + + [Parameter(Mandatory = $True)] + [ValidateNotNullOrEmpty()] + [Alias('Password')] + [Security.SecureString] + $AccountPassword, + + [ValidateNotNullOrEmpty()] + [String] + $Domain, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) + + $ContextArguments = @{ 'Identity' = $Identity } + if ($PSBoundParameters['Domain']) { $ContextArguments['Domain'] = $Domain } + if ($PSBoundParameters['Credential']) { $ContextArguments['Credential'] = $Credential } + $Context = Get-PrincipalContext @ContextArguments + + if ($Context) { + $User = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($Context.Context, $Identity) + + if ($User) { + Write-Verbose "[Set-DomainUserPassword] Attempting to set the password for user '$Identity'" + try { + $TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword) + $User.SetPassword($TempCred.GetNetworkCredential().Password) + + $Null = $User.Save() + Write-Verbose "[Set-DomainUserPassword] Password for user '$Identity' successfully reset" + $User + } + catch { + Write-Warning "[Set-DomainUserPassword] Error setting password for user '$Identity' : $_" + } + } + else { + Write-Warning "[Set-DomainUserPassword] Unable to find user '$Identity'" + } + } +} + + function Get-DomainUserEvent { <# .SYNOPSIS diff --git a/Recon/README.md b/Recon/README.md index acc2627..7fcacc5 100644 --- a/Recon/README.md +++ b/Recon/README.md 
@@ -58,6 +58,7 @@ an array of hosts from the pipeline. Find-DomainObjectPropertyOutlier- inds user/group/computer objects in AD that have 'outlier' properties set Get-DomainUser - return all users or specific user objects in AD New-DomainUser - creates a new domain user (assuming appropriate permissions) and returns the user object + Set-DomainUserPassword - sets the password for a given user identity and returns the user object Get-DomainUserEvent - enumerates account logon events (ID 4624) and Logon with explicit credential events Get-DomainComputer - returns all computers or specific computer objects in AD Get-DomainObject - returns all (or specified) domain objects in AD diff --git a/Recon/Recon.psd1 b/Recon/Recon.psd1 index 6cdcfba..7e2abcb 100644 --- a/Recon/Recon.psd1 +++ b/Recon/Recon.psd1 @@ -46,6 +46,7 @@ FunctionsToExport = @( 'Find-DomainObjectPropertyOutlier', 'Get-DomainUser', 'New-DomainUser', + 'Set-DomainUserPassword', 'Get-DomainUserEvent', 'Get-DomainComputer', 'Get-DomainObject', diff --git a/docs/Recon/Set-DomainUserPassword.md b/docs/Recon/Set-DomainUserPassword.md new file mode 100755 index 0000000..1712294 --- /dev/null +++ b/docs/Recon/Set-DomainUserPassword.md 
@@ -0,0 +1,127 @@ +# Set-DomainUserPassword + +## SYNOPSIS +Sets the password for a given user identity and returns the user object. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-PrincipalContext + +## SYNTAX + +``` +Set-DomainUserPassword [-Identity] -AccountPassword [-Domain ] + [-Credential ] +``` + +## DESCRIPTION +First binds to the specified domain context using Get-PrincipalContext. +The bound domain context is then used to search for the specified user -Identity, +which returns a DirectoryServices.AccountManagement.UserPrincipal object. +The +SetPassword() function is then invoked on the user, setting the password to -AccountPassword. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword + +Resets the password for 'andy' to the password specified. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword -Credential $Cred + +Resets the password for 'andy' usering the alternate credentials specified. + +## PARAMETERS + +### -Identity +A user SamAccountName (e.g. +User1), DistinguishedName (e.g. +CN=user1,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1113), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +specifying the user to reset the password for. 
+ +```yaml +Type: String +Parameter Sets: (All) +Aliases: UserName, UserIdentity, User + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AccountPassword +Specifies the password to reset the target user's to. +Mandatory. + +```yaml +Type: SecureString +Parameter Sets: (All) +Aliases: Password + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use to search for the user identity, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### DirectoryServices.AccountManagement.UserPrincipal + +## NOTES + +## RELATED LINKS + +[http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/](http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/) + diff --git a/docs/Recon/index.md b/docs/Recon/index.md index acc2627..b3eca5c 100644 --- a/docs/Recon/index.md +++ b/docs/Recon/index.md 
@@ -1,17 +1,3 @@ -To install this module, drop the entire Recon folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. - -The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" -The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" - -To use the module, type `Import-Module Recon` - -To see the commands imported, type `Get-Command -Module Recon` - -For help on each individual command, Get-Help is your friend. - -Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. - - ## PowerView PowerView is a PowerShell tool to gain network situational awareness on diff --git a/docs/index.md b/docs/index.md index c348b9e..67ddcbc 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -1,189 +1,74 @@ -### PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts: +## Overview +PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. -## CodeExecution +### CodeExecution +Execute code on a target machine. -**Execute code on a target machine.** + Invoke-DllInjection - Injects a Dll into the process ID of your choosing. + Invoke-ReflectivePEInjection - Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process. + Invoke-Shellcode - Injects shellcode into the process ID of your choosing or within PowerShell locally. + Invoke-WmiCommand - Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel -#### `Invoke-DllInjection` +### ScriptModification +Modify and/or prepare scripts for execution on a compromised machine. -Injects a Dll into the process ID of your choosing. + Out-EncodedCommand - Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script. + Out-CompressedDll - Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory. + Out-EncryptedScript - Encrypts text files/scripts. + Remove-Comments - Strips comments and extra whitespace from a script. -#### `Invoke-ReflectivePEInjection` +### Persistence -Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process. +Add persistence capabilities to a PowerShell script. -#### `Invoke-Shellcode` + New-UserPersistenceOption - Configure user-level persistence options for the Add-Persistence function. + New-ElevatedPersistenceOption - Configure elevated persistence options for the Add-Persistence function. 
+ Add-Persistence - Add persistence capabilities to a script. + Install-SSP - Installs a security support provider (SSP) dll. + Get-SecurityPackages - Enumerates all loaded security packages (SSPs). -Injects shellcode into the process ID of your choosing or within PowerShell locally. +### AntivirusBypass +AV doesn't stand a chance against PowerShell! -#### `Invoke-WmiCommand` + Find-AVSignature - Locates single Byte AV signatures utilizing the same method as DSplit from "class101". -Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel. +### Exfiltration +All your data belong to me! -## ScriptModification + Invoke-TokenManipulation - Lists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in the current thread. + Invoke-CredentialInjection - Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon). + Invoke-NinjaCopy - Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures. + Invoke-Mimikatz - Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz. + Get-Keystrokes - Logs keys pressed, time and the active window. + Get-GPPPassword - Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. + Get-GPPAutologon - Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences. + Get-TimedScreenshot - A function that takes screenshots at a regular interval and saves them to a folder. + New-VolumeShadowCopy - Creates a new volume shadow copy. + Get-VolumeShadowCopy - Lists the device paths of all local volume shadow copies. + Mount-VolumeShadowCopy - Mounts a volume shadow copy. + Remove-VolumeShadowCopy - Deletes a volume shadow copy. 
+ Get-VaultCredential - Displays Windows vault credential objects including cleartext web credentials. + Out-Minidump - Generates a full-memory minidump of a process. + Get-MicrophoneAudio - Records audio from system microphone and saves to disk. -**Modify and/or prepare scripts for execution on a compromised machine.** +### Mayhem +Cause general mayhem with PowerShell. -#### `Out-EncodedCommand` + Set-MasterBootRecord - Proof of concept code that overwrites the master boot record with the message of your choice. + Set-CriticalProcess - Causes your machine to blue screen upon exiting PowerShell. -Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script. +### Privesc +Tools to help with escalating privileges on a target, including PowerUp. -#### `Out-CompressedDll` + PowerUp - Clearing house of common privilege escalation checks, along with some weaponization vectors. -Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory. +### Recon +Tools to aid in the reconnaissance phase of a penetration test, including PowerView. -#### `Out-EncryptedScript` - -Encrypts text files/scripts. - -#### `Remove-Comments` - -Strips comments and extra whitespace from a script. - -## Persistence - -**Add persistence capabilities to a PowerShell script** - -#### `New-UserPersistenceOption` - -Configure user-level persistence options for the Add-Persistence function. - -#### `New-ElevatedPersistenceOption` - -Configure elevated persistence options for the Add-Persistence function. - -#### `Add-Persistence` - -Add persistence capabilities to a script. - -#### `Install-SSP` - -Installs a security support provider (SSP) dll. - -#### `Get-SecurityPackages` - -Enumerates all loaded security packages (SSPs). - -## AntivirusBypass - -**AV doesn't stand a chance against PowerShell!** - -#### `Find-AVSignature` - -Locates single Byte AV signatures utilizing the same method as DSplit from "class101". 
- -## Exfiltration - -**All your data belong to me!** - -#### `Invoke-TokenManipulation` - -Lists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in the current thread. - -#### `Invoke-CredentialInjection` - -Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon). - -#### `Invoke-NinjaCopy` - -Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures. - -#### `Invoke-Mimikatz` - -Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz. - -#### `Get-Keystrokes` - -Logs keys pressed, time and the active window. - -#### `Get-GPPPassword` - -Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. - -#### `Get-GPPAutologon` - -Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences. - -#### `Get-TimedScreenshot` - -A function that takes screenshots at a regular interval and saves them to a folder. - -#### `New-VolumeShadowCopy` - -Creates a new volume shadow copy. - -#### `Get-VolumeShadowCopy` - -Lists the device paths of all local volume shadow copies. - -#### `Mount-VolumeShadowCopy` - -Mounts a volume shadow copy. - -#### `Remove-VolumeShadowCopy` - -Deletes a volume shadow copy. - -#### `Get-VaultCredential` - -Displays Windows vault credential objects including cleartext web credentials. - -#### `Out-Minidump` - -Generates a full-memory minidump of a process. - -#### 'Get-MicrophoneAudio' - -Records audio from system microphone and saves to disk - -## Mayhem - -**Cause general mayhem with PowerShell.** - -#### `Set-MasterBootRecord` - -Proof of concept code that overwrites the master boot record with the - message of your choice. 
- -#### `Set-CriticalProcess` - -Causes your machine to blue screen upon exiting PowerShell. - -## Privesc - -**Tools to help with escalating privileges on a target.** - -#### `PowerUp` - -Clearing house of common privilege escalation checks, along with some weaponization vectors. - -## Recon - -**Tools to aid in the reconnaissance phase of a penetration test.** - -#### `Invoke-Portscan` - -Does a simple port scan using regular sockets, based (pretty) loosely on nmap. - -#### `Get-HttpStatus` - -Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file. - -#### `Invoke-ReverseDnsLookup` - -Scans an IP address range for DNS PTR records. - -#### `PowerView` - -PowerView is series of functions that performs network and Windows domain enumeration and exploitation. - -## Recon\Dictionaries - -**A collection of dictionaries used to aid in the reconnaissance phase of a penetration test. Dictionaries were taken from the following sources.** - -* admin.txt - -* generic.txt - -* sharepoint.txt - + Invoke-Portscan - Does a simple port scan using regular sockets, based (pretty) loosely on nmap. + Get-HttpStatus - Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file. + Invoke-ReverseDnsLookup - Scans an IP address range for DNS PTR records. + PowerView - PowerView is series of functions that performs network and Windows domain enumeration and exploitation. ## License diff --git a/mkdocs.yml b/mkdocs.yml index fb9ad52..fcaef8d 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -29,6 +29,7 @@ pages: - Find-DomainObjectPropertyOutlier: 'Recon/Find-DomainObjectPropertyOutlier.md' - Get-DomainUser: 'Recon/Get-DomainUser.md' - New-DomainUser: 'Recon/New-DomainUser.md' + - Set-DomainUserPassword: 'Recon/Set-DomainUserPassword.md' - Get-DomainUserEvent: 'Recon/Get-DomainUserEvent.md' - Get-DomainComputer: 'Recon/Get-DomainComputer.md' - Get-DomainObject: 'Recon/Get-DomainObject.md' -- cgit v1.2.3 
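Review bot: In the Recon/PowerView.ps1 hunk, `Set-DomainUserPassword` suppresses the `PSShouldProcess` analyzer rule instead of implementing it, even though it makes an irreversible change to another account. A password reset is exactly the operation that should honour `-WhatIf` and `-Confirm`: declare `[CmdletBinding(SupportsShouldProcess = $True)]`, wrap the `$User.SetPassword(...)` and `$User.Save()` pair in `if ($PSCmdlet.ShouldProcess($Identity, 'Reset password')) { ... }`, and drop the suppression attribute. Two smaller points in the same hunk: the `catch` block only emits `Write-Warning` and returns nothing, so a caller cannot distinguish "user not found" from "reset failed" without parsing warning text (`Write-Error`, which respects `-ErrorAction`, would be the idiomatic choice); and the comment-based help has `usering` for `using` in the second example and the garbled `Specifies the password to reset the target user's to.` under `.PARAMETER AccountPassword`.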
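Review bot: The Recon/README.md hunk inserts the new `Set-DomainUserPassword` line directly beneath a context line that still reads `Find-DomainObjectPropertyOutlier- inds user/group/computer objects`; since the file is being edited anyway, fix the missing space and the `finds` typo in the same commit. The function list is duplicated verbatim between Recon/README.md and docs/Recon/index.md, which is how such typos survive in one copy after being fixed in the other; generating one from the other would remove the drift.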
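Review bot: In the docs/Recon/Set-DomainUserPassword.md hunk both examples are rendered wrongly: the fenced block under `EXAMPLE 1` contains only `$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force`, while the actual `Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword` call sits outside the fence as body text, and `EXAMPLE 2` has the same problem for three of its four lines. The help parser treats only the first line of an `.EXAMPLE` as code and the remainder as remarks, so put the command on the first line of each `.EXAMPLE` in the comment-based help (with the setup lines described in the remarks) if the generated page is to show the invocation as code. The `-Identity` description is also split mid-sentence at every `e.g.` (`A user SamAccountName (e.g.` / `User1), DistinguishedName (e.g.`) because the generator breaks paragraphs on periods; writing `for example` or dropping the abbreviation avoids that. `usering` should be `using` here as well.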
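Review bot: The docs/index.md rewrite drops the `Recon\Dictionaries` section, its `admin.txt`, `generic.txt` and `sharepoint.txt` list, and the `Dictionaries were taken from the following sources.` sentence with nothing replacing them; if the wordlists still ship under `Recon/Dictionaries`, at least the attribution sentence should be kept, since it is the only credit given for third-party material. Two wording points survive the reformat: `PowerView - PowerView is series of functions` is missing `a`, and the `including PowerUp` / `including PowerView` clauses added to the `### Privesc` and `### Recon` headings duplicate entries that already appear in the lists directly below them.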
From ad32d6c75b4e70a6b2e1b56a683a6ba71f1c0683 Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Wed, 14 Dec 2016 19:23:28 -0500 Subject: For ./Recon/ : -(More) PSScriptAnalyzering -Tweaking of synopsis blocks in order to support platyPS -Code standardization -Generated docs --- Recon/Get-ComputerDetail.ps1 | 574 ++++++++++++++++++++++++++++++++++ Recon/Get-ComputerDetails.ps1 | 574 ---------------------------------- Recon/Get-HttpStatus.ps1 | 62 ++-- Recon/Invoke-Portscan.ps1 | 34 +- Recon/Invoke-ReverseDnsLookup.ps1 | 84 ++--- Recon/PowerView.ps1 | 2 +- Recon/Recon.psd1 | 2 +- docs/Recon/Export-PowerViewCSV.md | 2 +- docs/Recon/Get-ComputerDetail.md | 68 ++++ docs/Recon/Get-ComputerDetails.md | 68 ---- docs/Recon/Get-HttpStatus.md | 8 +- docs/Recon/Invoke-Portscan.md | 8 +- docs/Recon/Invoke-ReverseDnsLookup.md | 14 +- docs/Recon/Set-DomainObject.md | 26 +- docs/Recon/index.md | 0 mkdocs.yml | 2 +- 16 files changed, 758 insertions(+), 770 deletions(-) create mode 100644 Recon/Get-ComputerDetail.ps1 delete mode 100644 Recon/Get-ComputerDetails.ps1 create mode 100755 docs/Recon/Get-ComputerDetail.md delete mode 100755 docs/Recon/Get-ComputerDetails.md mode change 100644 => 100755 docs/Recon/index.md (limited to 'docs/Recon/index.md') diff --git a/Recon/Get-ComputerDetail.ps1 b/Recon/Get-ComputerDetail.ps1 new file mode 100644 index 0000000..ef3720c --- /dev/null +++ b/Recon/Get-ComputerDetail.ps1 
@@ -0,0 +1,574 @@ +function Get-ComputerDetail +{ +<# +.SYNOPSIS + +This script is used to get useful information from a computer. + +Function: Get-ComputerDetail +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None + +.DESCRIPTION + +This script is used to get useful information from a computer. Currently, the script gets the following information: +-Explicit Credential Logons (Event ID 4648) +-Logon events (Event ID 4624) +-AppLocker logs to find what processes are created +-PowerShell logs to find PowerShell scripts which have been executed +-RDP Client Saved Servers, which indicates what servers the user typically RDP's in to + +.PARAMETER ToString + +Switch: Outputs the data as text instead of objects, good if you are using this script through a backdoor. + +.EXAMPLE + +Get-ComputerDetail +Gets information about the computer and outputs it as PowerShell objects. + +Get-ComputerDetail -ToString +Gets information about the computer and outputs it as raw text. + +.NOTES +This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to. +You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files. 
+ +.LINK + +Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell + +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + Param( + [Parameter(Position=0)] + [Switch] + $ToString + ) + + Set-StrictMode -Version 2 + + $SecurityLog = Get-EventLog -LogName Security + $Filtered4624 = Find-4624Logon $SecurityLog + $Filtered4648 = Find-4648Logon $SecurityLog + $AppLockerLogs = Find-AppLockerLog + $PSLogs = Find-PSScriptsInPSAppLog + $RdpClientData = Find-RDPClientConnection + + if ($ToString) + { + Write-Output "Event ID 4624 (Logon):" + Write-Output $Filtered4624.Values | Format-List + Write-Output "Event ID 4648 (Explicit Credential Logon):" + Write-Output $Filtered4648.Values | Format-List + Write-Output "AppLocker Process Starts:" + Write-Output $AppLockerLogs.Values | Format-List + Write-Output "PowerShell Script Executions:" + Write-Output $PSLogs.Values | Format-List + Write-Output "RDP Client Data:" + Write-Output $RdpClientData.Values | Format-List + } + else + { + $Properties = @{ + LogonEvent4624 = $Filtered4624.Values + LogonEvent4648 = $Filtered4648.Values + AppLockerProcessStart = $AppLockerLogs.Values + PowerShellScriptStart = $PSLogs.Values + RdpClientData = $RdpClientData.Values + } + + $ReturnObj = New-Object PSObject -Property $Properties + return $ReturnObj + } +} + + +function Find-4648Logon +{ +<# +.SYNOPSIS + +Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the +the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful +for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action. 
+ +Function: Find-4648Logon +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None + +.DESCRIPTION + +Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the +the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful +for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action. + +.EXAMPLE + +Find-4648Logon +Gets the unique 4648 logon events. + +.NOTES + +.LINK + +Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell +#> + + Param( + $SecurityLog + ) + + $ExplicitLogons = $SecurityLog | Where-Object {$_.InstanceID -eq 4648} + $ReturnInfo = @{} + + foreach ($ExplicitLogon in $ExplicitLogons) + { + $Subject = $false + $AccountWhosCredsUsed = $false + $TargetServer = $false + $SourceAccountName = "" + $SourceAccountDomain = "" + $TargetAccountName = "" + $TargetAccountDomain = "" + $TargetServer = "" + foreach ($line in $ExplicitLogon.Message -split "\r\n") + { + if ($line -cmatch "^Subject:$") + { + $Subject = $true + } + elseif ($line -cmatch "^Account\sWhose\sCredentials\sWere\sUsed:$") + { + $Subject = $false + $AccountWhosCredsUsed = $true + } + elseif ($line -cmatch "^Target\sServer:") + { + $AccountWhosCredsUsed = $false + $TargetServer = $true + } + elseif ($Subject -eq $true) + { + if ($line -cmatch "\s+Account\sName:\s+(\S.*)") + { + $SourceAccountName = $Matches[1] + } + elseif ($line -cmatch "\s+Account\sDomain:\s+(\S.*)") + { + $SourceAccountDomain = $Matches[1] + } + } + elseif ($AccountWhosCredsUsed -eq $true) + { + if ($line -cmatch "\s+Account\sName:\s+(\S.*)") + { + $TargetAccountName = $Matches[1] + } + elseif ($line -cmatch "\s+Account\sDomain:\s+(\S.*)") + { + $TargetAccountDomain = $Matches[1] + } + } + elseif ($TargetServer -eq $true) + { + if 
($line -cmatch "\s+Target\sServer\sName:\s+(\S.*)") + { + $TargetServer = $Matches[1] + } + } + } + + #Filter out logins that don't matter + if (-not ($TargetAccountName -cmatch "^DWM-.*" -and $TargetAccountDomain -cmatch "^Window\sManager$")) + { + $Key = $SourceAccountName + $SourceAccountDomain + $TargetAccountName + $TargetAccountDomain + $TargetServer + if (-not $ReturnInfo.ContainsKey($Key)) + { + $Properties = @{ + LogType = 4648 + LogSource = "Security" + SourceAccountName = $SourceAccountName + SourceDomainName = $SourceAccountDomain + TargetAccountName = $TargetAccountName + TargetDomainName = $TargetAccountDomain + TargetServer = $TargetServer + Count = 1 + Times = @($ExplicitLogon.TimeGenerated) + } + + $ResultObj = New-Object PSObject -Property $Properties + $ReturnInfo.Add($Key, $ResultObj) + } + else + { + $ReturnInfo[$Key].Count++ + $ReturnInfo[$Key].Times += ,$ExplicitLogon.TimeGenerated + } + } + } + + return $ReturnInfo +} + +function Find-4624Logon +{ +<# +.SYNOPSIS + +Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do +network logons in to the server, what accounts RDP in, what accounts log in locally, etc... + +Function: Find-4624Logon +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None + +.DESCRIPTION + +Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do +network logons in to the server, what accounts RDP in, what accounts log in locally, etc... + +.EXAMPLE + +Find-4624Logon +Find unique 4624 logon events. 
+ +.NOTES + +.LINK + +Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell +#> + Param ( + $SecurityLog + ) + + $Logons = $SecurityLog | Where-Object {$_.InstanceID -eq 4624} + $ReturnInfo = @{} + + foreach ($Logon in $Logons) + { + $SubjectSection = $false + $NewLogonSection = $false + $NetworkInformationSection = $false + $AccountName = "" + $AccountDomain = "" + $LogonType = "" + $NewLogonAccountName = "" + $NewLogonAccountDomain = "" + $WorkstationName = "" + $SourceNetworkAddress = "" + $SourcePort = "" + + foreach ($line in $Logon.Message -Split "\r\n") + { + if ($line -cmatch "^Subject:$") + { + $SubjectSection = $true + } + elseif ($line -cmatch "^Logon\sType:\s+(\S.*)") + { + $LogonType = $Matches[1] + } + elseif ($line -cmatch "^New\sLogon:$") + { + $SubjectSection = $false + $NewLogonSection = $true + } + elseif ($line -cmatch "^Network\sInformation:$") + { + $NewLogonSection = $false + $NetworkInformationSection = $true + } + elseif ($SubjectSection) + { + if ($line -cmatch "^\s+Account\sName:\s+(\S.*)") + { + $AccountName = $Matches[1] + } + elseif ($line -cmatch "^\s+Account\sDomain:\s+(\S.*)") + { + $AccountDomain = $Matches[1] + } + } + elseif ($NewLogonSection) + { + if ($line -cmatch "^\s+Account\sName:\s+(\S.*)") + { + $NewLogonAccountName = $Matches[1] + } + elseif ($line -cmatch "^\s+Account\sDomain:\s+(\S.*)") + { + $NewLogonAccountDomain = $Matches[1] + } + } + elseif ($NetworkInformationSection) + { + if ($line -cmatch "^\s+Workstation\sName:\s+(\S.*)") + { + $WorkstationName = $Matches[1] + } + elseif ($line -cmatch "^\s+Source\sNetwork\sAddress:\s+(\S.*)") + { + $SourceNetworkAddress = $Matches[1] + } + elseif ($line -cmatch "^\s+Source\sPort:\s+(\S.*)") + { + $SourcePort = $Matches[1] + } + } + } + + #Filter out logins that don't matter + if (-not ($NewLogonAccountDomain -cmatch "NT\sAUTHORITY" -or $NewLogonAccountDomain -cmatch "Window\sManager")) + { + $Key = $AccountName + $AccountDomain + 
$NewLogonAccountName + $NewLogonAccountDomain + $LogonType + $WorkstationName + $SourceNetworkAddress + $SourcePort + if (-not $ReturnInfo.ContainsKey($Key)) + { + $Properties = @{ + LogType = 4624 + LogSource = "Security" + SourceAccountName = $AccountName + SourceDomainName = $AccountDomain + NewLogonAccountName = $NewLogonAccountName + NewLogonAccountDomain = $NewLogonAccountDomain + LogonType = $LogonType + WorkstationName = $WorkstationName + SourceNetworkAddress = $SourceNetworkAddress + SourcePort = $SourcePort + Count = 1 + Times = @($Logon.TimeGenerated) + } + + $ResultObj = New-Object PSObject -Property $Properties + $ReturnInfo.Add($Key, $ResultObj) + } + else + { + $ReturnInfo[$Key].Count++ + $ReturnInfo[$Key].Times += ,$Logon.TimeGenerated + } + } + } + + return $ReturnInfo +} + + +function Find-AppLockerLog +{ +<# +.SYNOPSIS + +Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run). + +Function: Find-AppLockerLog +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None + +.DESCRIPTION + +Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run). + +.EXAMPLE + +Find-AppLockerLog +Find process creations from AppLocker logs. 
+ +.NOTES + +.LINK + +Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell +#> + + $ReturnInfo = @{} + + $AppLockerLogs = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ErrorAction SilentlyContinue | Where-Object {$_.Id -eq 8002} + + foreach ($Log in $AppLockerLogs) + { + $SID = New-Object System.Security.Principal.SecurityIdentifier($Log.Properties[7].Value) + $UserName = $SID.Translate( [System.Security.Principal.NTAccount]) + + $ExeName = $Log.Properties[10].Value + + $Key = $UserName.ToString() + "::::" + $ExeName + + if (!$ReturnInfo.ContainsKey($Key)) + { + $Properties = @{ + Exe = $ExeName + User = $UserName.Value + Count = 1 + Times = @($Log.TimeCreated) + } + + $Item = New-Object PSObject -Property $Properties + $ReturnInfo.Add($Key, $Item) + } + else + { + $ReturnInfo[$Key].Count++ + $ReturnInfo[$Key].Times += ,$Log.TimeCreated + } + } + + return $ReturnInfo +} + + +Function Find-PSScriptsInPSAppLog +{ +<# +.SYNOPSIS + +Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log). +You can then backdoor these scripts or do other malicious things. + +Function: Find-AppLockerLog +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None + +.DESCRIPTION + +Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log). +You can then backdoor these scripts or do other malicious things. + +.EXAMPLE + +Find-PSScriptsInPSAppLog +Find unique PowerShell scripts being executed from the PowerShell operational log. 
+ +.NOTES + +.LINK + +Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell +#> + + $ReturnInfo = @{} + $Logs = Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -ErrorAction SilentlyContinue | Where-Object {$_.Id -eq 4100} + + foreach ($Log in $Logs) + { + $LogDetails = $Log.Message -split "`r`n" + + $FoundScriptName = $false + foreach($Line in $LogDetails) + { + if ($Line -imatch "^\s*Script\sName\s=\s(.+)") + { + $ScriptName = $Matches[1] + $FoundScriptName = $true + } + elseif ($Line -imatch "^\s*User\s=\s(.*)") + { + $User = $Matches[1] + } + } + + if ($FoundScriptName) + { + $Key = $ScriptName + "::::" + $User + + if (!$ReturnInfo.ContainsKey($Key)) + { + $Properties = @{ + ScriptName = $ScriptName + UserName = $User + Count = 1 + Times = @($Log.TimeCreated) + } + + $Item = New-Object PSObject -Property $Properties + $ReturnInfo.Add($Key, $Item) + } + else + { + $ReturnInfo[$Key].Count++ + $ReturnInfo[$Key].Times += ,$Log.TimeCreated + } + } + } + + return $ReturnInfo +} + + +Function Find-RDPClientConnection +{ +<# +.SYNOPSIS + +Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user +usually RDP's to. + +Function: Find-RDPClientConnection +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None + +.DESCRIPTION + +Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user usually RDP's to. + +.EXAMPLE + +Find-RDPClientConnection +Find unique saved RDP client connections. 
+ +.NOTES + +.LINK + +Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell +#> + $ReturnInfo = @{} + + New-PSDrive -Name HKU -PSProvider Registry -Root Registry::HKEY_USERS | Out-Null + + #Attempt to enumerate the servers for all users + $Users = Get-ChildItem -Path "HKU:\" + foreach ($UserSid in $Users.PSChildName) + { + $Servers = Get-ChildItem "HKU:\$($UserSid)\Software\Microsoft\Terminal Server Client\Servers" -ErrorAction SilentlyContinue + + foreach ($Server in $Servers) + { + $Server = $Server.PSChildName + $UsernameHint = (Get-ItemProperty -Path "HKU:\$($UserSid)\Software\Microsoft\Terminal Server Client\Servers\$($Server)").UsernameHint + + $Key = $UserSid + "::::" + $Server + "::::" + $UsernameHint + + if (!$ReturnInfo.ContainsKey($Key)) + { + $SIDObj = New-Object System.Security.Principal.SecurityIdentifier($UserSid) + $User = ($SIDObj.Translate([System.Security.Principal.NTAccount])).Value + + $Properties = @{ + CurrentUser = $User + Server = $Server + UsernameHint = $UsernameHint + } + + $Item = New-Object PSObject -Property $Properties + $ReturnInfo.Add($Key, $Item) + } + } + } + + return $ReturnInfo +} diff --git a/Recon/Get-ComputerDetails.ps1 b/Recon/Get-ComputerDetails.ps1 deleted file mode 100644 index bd00deb..0000000 --- a/Recon/Get-ComputerDetails.ps1 +++ /dev/null 
@@ -1,574 +0,0 @@ -function Get-ComputerDetails -{ -<# -.SYNOPSIS - -This script is used to get useful information from a computer. - -Function: Get-ComputerDetails -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None - -.DESCRIPTION - -This script is used to get useful information from a computer. Currently, the script gets the following information: --Explicit Credential Logons (Event ID 4648) --Logon events (Event ID 4624) --AppLocker logs to find what processes are created --PowerShell logs to find PowerShell scripts which have been executed --RDP Client Saved Servers, which indicates what servers the user typically RDP's in to - -.PARAMETER ToString - -Switch: Outputs the data as text instead of objects, good if you are using this script through a backdoor. - -.EXAMPLE - -Get-ComputerDetails -Gets information about the computer and outputs it as PowerShell objects. - -Get-ComputerDetails -ToString -Gets information about the computer and outputs it as raw text. - -.NOTES -This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to. -You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files. 
- -.LINK - -Blog: http://clymb3r.wordpress.com/ -Github repo: https://github.com/clymb3r/PowerShell - -#> - - Param( - [Parameter(Position=0)] - [Switch] - $ToString - ) - - Set-StrictMode -Version 2 - - - - $SecurityLog = Get-EventLog -LogName Security - $Filtered4624 = Find-4624Logons $SecurityLog - $Filtered4648 = Find-4648Logons $SecurityLog - $AppLockerLogs = Find-AppLockerLogs - $PSLogs = Find-PSScriptsInPSAppLog - $RdpClientData = Find-RDPClientConnections - - if ($ToString) - { - Write-Output "Event ID 4624 (Logon):" - Write-Output $Filtered4624.Values | Format-List - Write-Output "Event ID 4648 (Explicit Credential Logon):" - Write-Output $Filtered4648.Values | Format-List - Write-Output "AppLocker Process Starts:" - Write-Output $AppLockerLogs.Values | Format-List - Write-Output "PowerShell Script Executions:" - Write-Output $PSLogs.Values | Format-List - Write-Output "RDP Client Data:" - Write-Output $RdpClientData.Values | Format-List - } - else - { - $Properties = @{ - LogonEvent4624 = $Filtered4624.Values - LogonEvent4648 = $Filtered4648.Values - AppLockerProcessStart = $AppLockerLogs.Values - PowerShellScriptStart = $PSLogs.Values - RdpClientData = $RdpClientData.Values - } - - $ReturnObj = New-Object PSObject -Property $Properties - return $ReturnObj - } -} - - -function Find-4648Logons -{ -<# -.SYNOPSIS - -Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the -the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful -for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action. - -Function: Find-4648Logons -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None - -.DESCRIPTION - -Retrieve the unique 4648 logon events. 
This will often find cases where a user is using remote desktop to connect to another computer. It will give the -the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful -for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action. - -.EXAMPLE - -Find-4648Logons -Gets the unique 4648 logon events. - -.NOTES - -.LINK - -Blog: http://clymb3r.wordpress.com/ -Github repo: https://github.com/clymb3r/PowerShell -#> - Param( - $SecurityLog - ) - - $ExplicitLogons = $SecurityLog | Where {$_.InstanceID -eq 4648} - $ReturnInfo = @{} - - foreach ($ExplicitLogon in $ExplicitLogons) - { - $Subject = $false - $AccountWhosCredsUsed = $false - $TargetServer = $false - $SourceAccountName = "" - $SourceAccountDomain = "" - $TargetAccountName = "" - $TargetAccountDomain = "" - $TargetServer = "" - foreach ($line in $ExplicitLogon.Message -split "\r\n") - { - if ($line -cmatch "^Subject:$") - { - $Subject = $true - } - elseif ($line -cmatch "^Account\sWhose\sCredentials\sWere\sUsed:$") - { - $Subject = $false - $AccountWhosCredsUsed = $true - } - elseif ($line -cmatch "^Target\sServer:") - { - $AccountWhosCredsUsed = $false - $TargetServer = $true - } - elseif ($Subject -eq $true) - { - if ($line -cmatch "\s+Account\sName:\s+(\S.*)") - { - $SourceAccountName = $Matches[1] - } - elseif ($line -cmatch "\s+Account\sDomain:\s+(\S.*)") - { - $SourceAccountDomain = $Matches[1] - } - } - elseif ($AccountWhosCredsUsed -eq $true) - { - if ($line -cmatch "\s+Account\sName:\s+(\S.*)") - { - $TargetAccountName = $Matches[1] - } - elseif ($line -cmatch "\s+Account\sDomain:\s+(\S.*)") - { - $TargetAccountDomain = $Matches[1] - } - } - elseif ($TargetServer -eq $true) - { - if ($line -cmatch "\s+Target\sServer\sName:\s+(\S.*)") - { - $TargetServer = $Matches[1] - } - } - } - - #Filter out logins that don't matter - if (-not ($TargetAccountName -cmatch "^DWM-.*" -and 
$TargetAccountDomain -cmatch "^Window\sManager$")) - { - $Key = $SourceAccountName + $SourceAccountDomain + $TargetAccountName + $TargetAccountDomain + $TargetServer - if (-not $ReturnInfo.ContainsKey($Key)) - { - $Properties = @{ - LogType = 4648 - LogSource = "Security" - SourceAccountName = $SourceAccountName - SourceDomainName = $SourceAccountDomain - TargetAccountName = $TargetAccountName - TargetDomainName = $TargetAccountDomain - TargetServer = $TargetServer - Count = 1 - Times = @($ExplicitLogon.TimeGenerated) - } - - $ResultObj = New-Object PSObject -Property $Properties - $ReturnInfo.Add($Key, $ResultObj) - } - else - { - $ReturnInfo[$Key].Count++ - $ReturnInfo[$Key].Times += ,$ExplicitLogon.TimeGenerated - } - } - } - - return $ReturnInfo -} - -function Find-4624Logons -{ -<# -.SYNOPSIS - -Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do -network logons in to the server, what accounts RDP in, what accounts log in locally, etc... - -Function: Find-4624Logons -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None - -.DESCRIPTION - -Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do -network logons in to the server, what accounts RDP in, what accounts log in locally, etc... - -.EXAMPLE - -Find-4624Logons -Find unique 4624 logon events. 
- -.NOTES - -.LINK - -Blog: http://clymb3r.wordpress.com/ -Github repo: https://github.com/clymb3r/PowerShell -#> - Param ( - $SecurityLog - ) - - $Logons = $SecurityLog | Where {$_.InstanceID -eq 4624} - $ReturnInfo = @{} - - foreach ($Logon in $Logons) - { - $SubjectSection = $false - $NewLogonSection = $false - $NetworkInformationSection = $false - $AccountName = "" - $AccountDomain = "" - $LogonType = "" - $NewLogonAccountName = "" - $NewLogonAccountDomain = "" - $WorkstationName = "" - $SourceNetworkAddress = "" - $SourcePort = "" - - foreach ($line in $Logon.Message -Split "\r\n") - { - if ($line -cmatch "^Subject:$") - { - $SubjectSection = $true - } - elseif ($line -cmatch "^Logon\sType:\s+(\S.*)") - { - $LogonType = $Matches[1] - } - elseif ($line -cmatch "^New\sLogon:$") - { - $SubjectSection = $false - $NewLogonSection = $true - } - elseif ($line -cmatch "^Network\sInformation:$") - { - $NewLogonSection = $false - $NetworkInformationSection = $true - } - elseif ($SubjectSection) - { - if ($line -cmatch "^\s+Account\sName:\s+(\S.*)") - { - $AccountName = $Matches[1] - } - elseif ($line -cmatch "^\s+Account\sDomain:\s+(\S.*)") - { - $AccountDomain = $Matches[1] - } - } - elseif ($NewLogonSection) - { - if ($line -cmatch "^\s+Account\sName:\s+(\S.*)") - { - $NewLogonAccountName = $Matches[1] - } - elseif ($line -cmatch "^\s+Account\sDomain:\s+(\S.*)") - { - $NewLogonAccountDomain = $Matches[1] - } - } - elseif ($NetworkInformationSection) - { - if ($line -cmatch "^\s+Workstation\sName:\s+(\S.*)") - { - $WorkstationName = $Matches[1] - } - elseif ($line -cmatch "^\s+Source\sNetwork\sAddress:\s+(\S.*)") - { - $SourceNetworkAddress = $Matches[1] - } - elseif ($line -cmatch "^\s+Source\sPort:\s+(\S.*)") - { - $SourcePort = $Matches[1] - } - } - } - - #Filter out logins that don't matter - if (-not ($NewLogonAccountDomain -cmatch "NT\sAUTHORITY" -or $NewLogonAccountDomain -cmatch "Window\sManager")) - { - $Key = $AccountName + $AccountDomain + 
$NewLogonAccountName + $NewLogonAccountDomain + $LogonType + $WorkstationName + $SourceNetworkAddress + $SourcePort - if (-not $ReturnInfo.ContainsKey($Key)) - { - $Properties = @{ - LogType = 4624 - LogSource = "Security" - SourceAccountName = $AccountName - SourceDomainName = $AccountDomain - NewLogonAccountName = $NewLogonAccountName - NewLogonAccountDomain = $NewLogonAccountDomain - LogonType = $LogonType - WorkstationName = $WorkstationName - SourceNetworkAddress = $SourceNetworkAddress - SourcePort = $SourcePort - Count = 1 - Times = @($Logon.TimeGenerated) - } - - $ResultObj = New-Object PSObject -Property $Properties - $ReturnInfo.Add($Key, $ResultObj) - } - else - { - $ReturnInfo[$Key].Count++ - $ReturnInfo[$Key].Times += ,$Logon.TimeGenerated - } - } - } - - return $ReturnInfo -} - - -function Find-AppLockerLogs -{ -<# -.SYNOPSIS - -Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run). - -Function: Find-AppLockerLogs -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None - -.DESCRIPTION - -Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run). - -.EXAMPLE - -Find-AppLockerLogs -Find process creations from AppLocker logs. 
- -.NOTES - -.LINK - -Blog: http://clymb3r.wordpress.com/ -Github repo: https://github.com/clymb3r/PowerShell -#> - $ReturnInfo = @{} - - $AppLockerLogs = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ErrorAction SilentlyContinue | Where {$_.Id -eq 8002} - - foreach ($Log in $AppLockerLogs) - { - $SID = New-Object System.Security.Principal.SecurityIdentifier($Log.Properties[7].Value) - $UserName = $SID.Translate( [System.Security.Principal.NTAccount]) - - $ExeName = $Log.Properties[10].Value - - $Key = $UserName.ToString() + "::::" + $ExeName - - if (!$ReturnInfo.ContainsKey($Key)) - { - $Properties = @{ - Exe = $ExeName - User = $UserName.Value - Count = 1 - Times = @($Log.TimeCreated) - } - - $Item = New-Object PSObject -Property $Properties - $ReturnInfo.Add($Key, $Item) - } - else - { - $ReturnInfo[$Key].Count++ - $ReturnInfo[$Key].Times += ,$Log.TimeCreated - } - } - - return $ReturnInfo -} - - -Function Find-PSScriptsInPSAppLog -{ -<# -.SYNOPSIS - -Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log). -You can then backdoor these scripts or do other malicious things. - -Function: Find-AppLockerLogs -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None - -.DESCRIPTION - -Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log). -You can then backdoor these scripts or do other malicious things. - -.EXAMPLE - -Find-PSScriptsInPSAppLog -Find unique PowerShell scripts being executed from the PowerShell operational log. 
- -.NOTES - -.LINK - -Blog: http://clymb3r.wordpress.com/ -Github repo: https://github.com/clymb3r/PowerShell -#> - $ReturnInfo = @{} - $Logs = Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -ErrorAction SilentlyContinue | Where {$_.Id -eq 4100} - - foreach ($Log in $Logs) - { - $ContainsScriptName = $false - $LogDetails = $Log.Message -split "`r`n" - - $FoundScriptName = $false - foreach($Line in $LogDetails) - { - if ($Line -imatch "^\s*Script\sName\s=\s(.+)") - { - $ScriptName = $Matches[1] - $FoundScriptName = $true - } - elseif ($Line -imatch "^\s*User\s=\s(.*)") - { - $User = $Matches[1] - } - } - - if ($FoundScriptName) - { - $Key = $ScriptName + "::::" + $User - - if (!$ReturnInfo.ContainsKey($Key)) - { - $Properties = @{ - ScriptName = $ScriptName - UserName = $User - Count = 1 - Times = @($Log.TimeCreated) - } - - $Item = New-Object PSObject -Property $Properties - $ReturnInfo.Add($Key, $Item) - } - else - { - $ReturnInfo[$Key].Count++ - $ReturnInfo[$Key].Times += ,$Log.TimeCreated - } - } - } - - return $ReturnInfo -} - - -Function Find-RDPClientConnections -{ -<# -.SYNOPSIS - -Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user -usually RDP's to. - -Function: Find-RDPClientConnections -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None - -.DESCRIPTION - -Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user -usually RDP's to. - -.EXAMPLE - -Find-RDPClientConnections -Find unique saved RDP client connections. 
- -.NOTES - -.LINK - -Blog: http://clymb3r.wordpress.com/ -Github repo: https://github.com/clymb3r/PowerShell -#> - $ReturnInfo = @{} - - New-PSDrive -Name HKU -PSProvider Registry -Root Registry::HKEY_USERS | Out-Null - - #Attempt to enumerate the servers for all users - $Users = Get-ChildItem -Path "HKU:\" - foreach ($UserSid in $Users.PSChildName) - { - $Servers = Get-ChildItem "HKU:\$($UserSid)\Software\Microsoft\Terminal Server Client\Servers" -ErrorAction SilentlyContinue - - foreach ($Server in $Servers) - { - $Server = $Server.PSChildName - $UsernameHint = (Get-ItemProperty -Path "HKU:\$($UserSid)\Software\Microsoft\Terminal Server Client\Servers\$($Server)").UsernameHint - - $Key = $UserSid + "::::" + $Server + "::::" + $UsernameHint - - if (!$ReturnInfo.ContainsKey($Key)) - { - $SIDObj = New-Object System.Security.Principal.SecurityIdentifier($UserSid) - $User = ($SIDObj.Translate([System.Security.Principal.NTAccount])).Value - - $Properties = @{ - CurrentUser = $User - Server = $Server - UsernameHint = $UsernameHint - } - - $Item = New-Object PSObject -Property $Properties - $ReturnInfo.Add($Key, $Item) - } - } - } - - return $ReturnInfo -} diff --git a/Recon/Get-HttpStatus.ps1 b/Recon/Get-HttpStatus.ps1 index 8b60306..b271efd 100644 --- a/Recon/Get-HttpStatus.ps1 +++ b/Recon/Get-HttpStatus.ps1 @@ -5,11 +5,11 @@ function Get-HttpStatus Returns the HTTP Status Codes and full URL for specified paths. -PowerSploit Function: Get-HttpStatus -Author: Chris Campbell (@obscuresec) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None +PowerSploit Function: Get-HttpStatus +Author: Chris Campbell (@obscuresec) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION 
@@ -42,7 +42,7 @@ C:\PS> Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL .NOTES HTTP Status Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error - + .LINK http://obscuresecurity.blogspot.com @@ -64,49 +64,54 @@ http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html [Switch] $UseSSL ) - + if (Test-Path $Path) { - + if ($UseSSL -and $Port -eq 0) { # Default to 443 if SSL is specified but no port is specified $Port = 443 - } elseif ($Port -eq 0) { + } + elseif ($Port -eq 0) { # Default to port 80 if no port is specified $Port = 80 } - + $TcpConnection = New-Object System.Net.Sockets.TcpClient Write-Verbose "Path Test Succeeded - Testing Connectivity" - + try { # Validate that the host is listening before scanning $TcpConnection.Connect($Target, $Port) - } catch { + } + catch { Write-Error "Connection Test Failed - Check Target" $Tcpconnection.Close() - Return + Return } - + $Tcpconnection.Close() - } else { + } + else { Write-Error "Path Test Failed - Check Dictionary Path" Return } - + if ($UseSSL) { $SSL = 's' # Ignore invalid SSL certificates [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True } - } else { + } + else { $SSL = '' } - + if (($Port -eq 80) -or ($Port -eq 443)) { $PortNum = '' - } else { + } + else { $PortNum = ":$Port" } - + # Check Http status for each entry in the doctionary file foreach ($Item in Get-Content $Path) { 
@@ -117,24 +122,23 @@ http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html $WebRequest = [System.Net.WebRequest]::Create($URI) $WebResponse = $WebRequest.GetResponse() $WebStatus = $WebResponse.StatusCode - $ResultObject += $ScanObject $WebResponse.Close() - } catch { + } + catch { $WebStatus = $Error[0].Exception.InnerException.Response.StatusCode - - if ($WebStatus -eq $null) { + + if (-not $WebStatus) { # Not every exception returns a StatusCode. # If that is the case, return the Status. $WebStatus = $Error[0].Exception.InnerException.Status } - } - + } + $Result = @{ Status = $WebStatus; URL = $WebTarget} - + $ScanObject = New-Object -TypeName PSObject -Property $Result - + Write-Output $ScanObject - } } diff --git a/Recon/Invoke-Portscan.ps1 b/Recon/Invoke-Portscan.ps1 index 6f059e2..7e28709 100644 --- a/Recon/Invoke-Portscan.ps1 +++ b/Recon/Invoke-Portscan.ps1 @@ -5,11 +5,11 @@ function Invoke-Portscan Simple portscan module -PowerSploit Function: Invoke-Portscan -Author: Rich Lundeen (http://webstersProdigy.net) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None +PowerSploit Function: Invoke-Portscan +Author: Rich Lundeen (http://webstersProdigy.net) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION @@ -114,7 +114,7 @@ Force Overwrite if output Files exist. Otherwise it throws exception .EXAMPLE -C:\PS> Invoke-Portscan -Hosts "webstersprodigy.net,google.com,microsoft.com" -TopPorts 50 +Invoke-Portscan -Hosts "webstersprodigy.net,google.com,microsoft.com" -TopPorts 50 Description ----------- @@ -122,7 +122,7 @@ Scans the top 50 ports for hosts found for webstersprodigy.net,google.com, and m .EXAMPLE -C:\PS> echo webstersprodigy.net | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080" +echo webstersprodigy.net | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080" Description ----------- 
@@ -130,7 +130,7 @@ Does a portscan of "webstersprodigy.net", and writes a greppable output file .EXAMPLE -C:\PS> Invoke-Portscan -Hosts 192.168.1.1/24 -T 4 -TopPorts 25 -oA localnet +Invoke-Portscan -Hosts 192.168.1.1/24 -T 4 -TopPorts 25 -oA localnet Description ----------- @@ -141,7 +141,13 @@ Scans the top 20 ports for hosts found in the 192.168.1.1/24 range, outputs all http://webstersprodigy.net #> - [CmdletBinding()]Param ( + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseSingularNouns', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseLiteralInitializerForHashtable', '')] + [CmdletBinding()] + Param ( #Host, Ports [Parameter(ParameterSetName="cmdHosts", @@ -748,9 +754,9 @@ http://webstersprodigy.net #TODO deal with output Write-PortscanOut -comment $startMsg -grepStream $grepStream -xmlStream $xmlStream -readableStream $readableStream - #converting back from int array gives some argument error checking - $sPortList = [string]::join(",", $portList) - $sHostPortList = [string]::join(",", $hostPortList) + # #converting back from int array gives some argument error checking + # $sPortList = [string]::join(",", $portList) + # $sHostPortList = [string]::join(",", $hostPortList) ######## #Port Scan Code - run on a per host basis @@ -840,7 +846,6 @@ http://webstersprodigy.net $sockets[$p] = new-object System.Net.Sockets.TcpClient } - $scriptBlockAsString = @" #somewhat of a race condition with the timeout, but I don't think it matters 
@@ -885,8 +890,7 @@ http://webstersprodigy.net $timeouts[$p].Enabled = $true $myscriptblock = [scriptblock]::Create($scriptBlockAsString) - $x = $sockets[$p].beginConnect($h, $p,(New-ScriptBlockCallback($myscriptblock)) , $null) - + $Null = $sockets[$p].beginConnect($h, $p,(New-ScriptBlockCallback($myscriptblock)) , $null) } function PortScan-Alive diff --git a/Recon/Invoke-ReverseDnsLookup.ps1 b/Recon/Invoke-ReverseDnsLookup.ps1 index 5e811ee..36e6398 100644 --- a/Recon/Invoke-ReverseDnsLookup.ps1 +++ b/Recon/Invoke-ReverseDnsLookup.ps1 @@ -5,23 +5,23 @@ function Invoke-ReverseDnsLookup Perform a reverse DNS lookup scan on a range of IP addresses. -PowerSploit Function: Invoke-ReverseDnsLookup -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None - +PowerSploit Function: Invoke-ReverseDnsLookup +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + .DESCRIPTION -Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script is useful for performing DNS reconnaisance prior to conducting an authorized penetration test. - +Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script is useful for performing DNS reconnaissance prior to conducting an authorized penetration test. + .PARAMETER IPRange Specifies the IP address range. The range provided can be in the form of a single IP address, a low-high range, or a CIDR range. Comma-delimited ranges may can be provided. - + .EXAMPLE -C:\PS> Invoke-ReverseDnsLookup 74.125.228.0/29 +Invoke-ReverseDnsLookup 74.125.228.0/29 IP HostName -- -------- 
@@ -31,29 +31,29 @@ IP HostName 74.125.228.4 iad23s05-in-f4.1e100.net 74.125.228.5 iad23s05-in-f5.1e100.net 74.125.228.6 iad23s05-in-f6.1e100.net - + Description ----------- Returns the hostnames of the IP addresses specified by the CIDR range. - + .EXAMPLE -C:\PS> Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6' - +Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6' + IP HostName -- -------- 74.125.228.1 iad23s05-in-f1.1e100.net 74.125.228.4 iad23s05-in-f4.1e100.net 74.125.228.5 iad23s05-in-f5.1e100.net 74.125.228.6 iad23s05-in-f6.1e100.net - + Description ----------- Returns the hostnames of the IP addresses specified by the IP range specified. .EXAMPLE -PS C:\> Write-Output "74.125.228.1,74.125.228.0/29" | Invoke-ReverseDnsLookup +Write-Output "74.125.228.1,74.125.228.0/29" | Invoke-ReverseDnsLookup IP HostName -- -------- @@ -69,13 +69,15 @@ Description ----------- Returns the hostnames of the IP addresses piped from another source. - .LINK http://www.exploit-monday.com https://github.com/mattifestation/PowerSploit #> + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '')] + [CmdletBinding()] Param ( [Parameter(Position = 0, Mandatory = $True,ValueFromPipeline=$True)] [String] @@ -83,14 +85,14 @@ https://github.com/mattifestation/PowerSploit ) BEGIN { - + function Parse-IPList ([String] $IpRange) { - + function IPtoInt { Param([String] $IpString) - + $Hexstr = "" $Octets = $IpString.Split(".") foreach ($Octet in $Octets) { @@ -98,7 +100,7 @@ https://github.com/mattifestation/PowerSploit } return [Convert]::ToInt64($Hexstr, 16) } - + function InttoIP { Param([Int64] $IpInt) 
@@ -110,15 +112,15 @@ https://github.com/mattifestation/PowerSploit } return $IpStr.TrimEnd('.') } - + $Ip = [System.Net.IPAddress]::Parse("127.0.0.1") - + foreach ($Str in $IpRange.Split(",")) { $Item = $Str.Trim() $Result = "" $IpRegex = "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" - + # First, validate the input switch -regex ($Item) { @@ -139,11 +141,11 @@ https://github.com/mattifestation/PowerSploit } default { - Write-Warning "Inproper input" + Write-Warning "Improper input" return } } - + #Now, start processing the IP addresses switch ($Result) { @@ -152,14 +154,14 @@ https://github.com/mattifestation/PowerSploit $CidrRange = $Item.Split("/") $Network = $CidrRange[0] $Mask = $CidrRange[1] - + if (!([System.Net.IPAddress]::TryParse($Network, [ref] $Ip))) { Write-Warning "Invalid IP address supplied!"; return} if (($Mask -lt 0) -or ($Mask -gt 30)) { Write-Warning "Invalid network mask! Acceptable values are 0-30"; return} - + $BinaryIP = [Convert]::ToString((IPtoInt $Network),2).PadLeft(32,'0') #Generate lower limit (Excluding network address) $Lower = $BinaryIP.Substring(0, $Mask) + "0" * ((32-$Mask)-1) + "1" - #Generate upperr limit (Excluding broadcast address) + #Generate upper limit (Excluding broadcast address) $Upper = $BinaryIP.Substring(0, $Mask) + "1" * ((32-$Mask)-1) + "0" $LowerInt = [Convert]::ToInt64($Lower, 2) $UpperInt = [Convert]::ToInt64($Upper, 2) 
@@ -168,21 +170,21 @@ https://github.com/mattifestation/PowerSploit "range" { $Range = $item.Split("-") - + if ([System.Net.IPAddress]::TryParse($Range[0],[ref]$Ip)) { $Temp1 = $Ip } else { Write-Warning "Invalid IP address supplied!"; return } - + if ([System.Net.IPAddress]::TryParse($Range[1],[ref]$Ip)) { $Temp2 = $Ip } else { Write-Warning "Invalid IP address supplied!"; return } - + $Left = (IPtoInt $Temp1.ToString()) $Right = (IPtoInt $Temp2.ToString()) - + if ($Right -gt $Left) { for ($i = $Left; $i -le $Right; $i++) { InttoIP $i } } else { Write-Warning "Invalid IP range. The right portion must be greater than the left portion."; return} - + break } "single" @@ -193,28 +195,30 @@ https://github.com/mattifestation/PowerSploit } default { - Write-Warning "An error occured." + Write-Warning "An error occurred." return } } } - } } - + PROCESS { Parse-IPList $IpRange | ForEach-Object { try { Write-Verbose "Resolving $_" $Temp = [System.Net.Dns]::GetHostEntry($_) - + $Result = @{ IP = $_ HostName = $Temp.HostName } - + New-Object PSObject -Property $Result - } catch [System.Net.Sockets.SocketException] {} + } + catch [System.Net.Sockets.SocketException] { + Write-Verbose "Error: $_" + } } } } diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1 index eecf62f..49ee9c7 100755 --- a/Recon/PowerView.ps1 +++ b/Recon/PowerView.ps1 @@ -859,7 +859,7 @@ function Export-PowerViewCSV { <# .SYNOPSIS -Converts objects into a series of comma-separated (CSV) strings and saves the +Converts objects into a series of comma-separated (CSV) strings and saves the strings in a CSV file in a thread-safe manner. Author: Will Schroeder (@harmj0y) diff --git a/Recon/Recon.psd1 b/Recon/Recon.psd1 index 71667c0..d0a4148 100644 --- a/Recon/Recon.psd1 +++ b/Recon/Recon.psd1 
@@ -98,7 +98,7 @@ FunctionsToExport = @( 'Get-DomainForeignUser', 'Get-DomainForeignGroupMember', 'Get-DomainTrustMapping', - 'Get-ComputerDetails', + 'Get-ComputerDetail', 'Get-HttpStatus', 'Invoke-Portscan', 'Invoke-ReverseDnsLookup' diff --git a/docs/Recon/Export-PowerViewCSV.md b/docs/Recon/Export-PowerViewCSV.md index 1597249..d2d2a89 100755 --- a/docs/Recon/Export-PowerViewCSV.md +++ b/docs/Recon/Export-PowerViewCSV.md @@ -1,7 +1,7 @@ # Export-PowerViewCSV ## SYNOPSIS -Converts objects into a series of comma-separated (CSV) strings and saves the +Converts objects into a series of comma-separated (CSV) strings and saves the strings in a CSV file in a thread-safe manner. Author: Will Schroeder (@harmj0y) diff --git a/docs/Recon/Get-ComputerDetail.md b/docs/Recon/Get-ComputerDetail.md new file mode 100755 index 0000000..15a3feb --- /dev/null +++ b/docs/Recon/Get-ComputerDetail.md 
@@ -0,0 +1,68 @@ +# Get-ComputerDetail + +## SYNOPSIS +This script is used to get useful information from a computer. + +Function: Get-ComputerDetail +Author: Joe Bialek, Twitter: @JosephBialek +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Get-ComputerDetail [-ToString] +``` + +## DESCRIPTION +This script is used to get useful information from a computer. +Currently, the script gets the following information: +-Explicit Credential Logons (Event ID 4648) +-Logon events (Event ID 4624) +-AppLocker logs to find what processes are created +-PowerShell logs to find PowerShell scripts which have been executed +-RDP Client Saved Servers, which indicates what servers the user typically RDP's in to + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ComputerDetail +``` + +Gets information about the computer and outputs it as PowerShell objects. + +Get-ComputerDetail -ToString +Gets information about the computer and outputs it as raw text. + +## PARAMETERS + +### -ToString +Switch: Outputs the data as text instead of objects, good if you are using this script through a backdoor. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES +This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to. +You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files. + +## RELATED LINKS + +[Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell](Blog: http://clymb3r.wordpress.com/ +Github repo: https://github.com/clymb3r/PowerShell) + 
diff --git a/docs/Recon/Get-ComputerDetails.md b/docs/Recon/Get-ComputerDetails.md deleted file mode 100755 index 6bc3e91..0000000 --- a/docs/Recon/Get-ComputerDetails.md +++ /dev/null 
@@ -1,68 +0,0 @@ -# Get-ComputerDetails - -## SYNOPSIS -This script is used to get useful information from a computer. - -Function: Get-ComputerDetails -Author: Joe Bialek, Twitter: @JosephBialek -Required Dependencies: None -Optional Dependencies: None - -## SYNTAX - -``` -Get-ComputerDetails [-ToString] -``` - -## DESCRIPTION -This script is used to get useful information from a computer. -Currently, the script gets the following information: --Explicit Credential Logons (Event ID 4648) --Logon events (Event ID 4624) --AppLocker logs to find what processes are created --PowerShell logs to find PowerShell scripts which have been executed --RDP Client Saved Servers, which indicates what servers the user typically RDP's in to - -## EXAMPLES - -### -------------------------- EXAMPLE 1 -------------------------- -``` -Get-ComputerDetails -``` - -Gets information about the computer and outputs it as PowerShell objects. - -Get-ComputerDetails -ToString -Gets information about the computer and outputs it as raw text. - -## PARAMETERS - -### -ToString -Switch: Outputs the data as text instead of objects, good if you are using this script through a backdoor. - -```yaml -Type: SwitchParameter -Parameter Sets: (All) -Aliases: - -Required: False -Position: 1 -Default value: False -Accept pipeline input: False -Accept wildcard characters: False -``` - -## INPUTS - -## OUTPUTS - -## NOTES -This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to. -You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files. - -## RELATED LINKS - -[Blog: http://clymb3r.wordpress.com/ -Github repo: https://github.com/clymb3r/PowerShell](Blog: http://clymb3r.wordpress.com/ -Github repo: https://github.com/clymb3r/PowerShell) - diff --git a/docs/Recon/Get-HttpStatus.md b/docs/Recon/Get-HttpStatus.md index a8a7dbb..4311983 100755 
--- a/docs/Recon/Get-HttpStatus.md +++ b/docs/Recon/Get-HttpStatus.md @@ -3,10 +3,10 @@ ## SYNOPSIS Returns the HTTP Status Codes and full URL for specified paths. -PowerSploit Function: Get-HttpStatus -Author: Chris Campbell (@obscuresec) -License: BSD 3-Clause -Required Dependencies: None +PowerSploit Function: Get-HttpStatus +Author: Chris Campbell (@obscuresec) +License: BSD 3-Clause +Required Dependencies: None Optional Dependencies: None ## SYNTAX diff --git a/docs/Recon/Invoke-Portscan.md b/docs/Recon/Invoke-Portscan.md index 49d9e32..8e1ef27 100755 --- a/docs/Recon/Invoke-Portscan.md +++ b/docs/Recon/Invoke-Portscan.md @@ -3,10 +3,10 @@ ## SYNOPSIS Simple portscan module -PowerSploit Function: Invoke-Portscan -Author: Rich Lundeen (http://webstersProdigy.net) -License: BSD 3-Clause -Required Dependencies: None +PowerSploit Function: Invoke-Portscan +Author: Rich Lundeen (http://webstersProdigy.net) +License: BSD 3-Clause +Required Dependencies: None Optional Dependencies: None ## SYNTAX diff --git a/docs/Recon/Invoke-ReverseDnsLookup.md b/docs/Recon/Invoke-ReverseDnsLookup.md index 348ad91..2c74e3c 100755 --- a/docs/Recon/Invoke-ReverseDnsLookup.md +++ b/docs/Recon/Invoke-ReverseDnsLookup.md @@ -3,10 +3,10 @@ ## SYNOPSIS Perform a reverse DNS lookup scan on a range of IP addresses. -PowerSploit Function: Invoke-ReverseDnsLookup -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None +PowerSploit Function: Invoke-ReverseDnsLookup +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None Optional Dependencies: None ## SYNTAX 
@@ -17,7 +17,7 @@ Invoke-ReverseDnsLookup [-IpRange] ## DESCRIPTION Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. -This script is useful for performing DNS reconnaisance prior to conducting an authorized penetration test. +This script is useful for performing DNS reconnaissance prior to conducting an authorized penetration test. ## EXAMPLES @@ -34,7 +34,7 @@ IP HostName 74.125.228.4 iad23s05-in-f4.1e100.net 74.125.228.5 iad23s05-in-f5.1e100.net 74.125.228.6 iad23s05-in-f6.1e100.net - + Description ----------- Returns the hostnames of the IP addresses specified by the CIDR range. @@ -50,7 +50,7 @@ IP HostName 74.125.228.4 iad23s05-in-f4.1e100.net 74.125.228.5 iad23s05-in-f5.1e100.net 74.125.228.6 iad23s05-in-f6.1e100.net - + Description ----------- Returns the hostnames of the IP addresses specified by the IP range specified. diff --git a/docs/Recon/Set-DomainObject.md b/docs/Recon/Set-DomainObject.md index 482d86d..8cb283b 100755 --- a/docs/Recon/Set-DomainObject.md +++ b/docs/Recon/Set-DomainObject.md @@ -12,8 +12,7 @@ Required Dependencies: Get-DomainObject ``` Set-DomainObject [[-Identity] ] [-Set ] [-XOR ] [-Clear ] [-Domain ] [-LDAPFilter ] [-SearchBase ] [-Server ] [-SearchScope ] - [-ResultPageSize ] [-ServerTimeLimit ] [-SecurityMasks ] [-Tombstone] - [-Credential ] + [-ResultPageSize ] [-ServerTimeLimit ] [-Tombstone] [-Credential ] ``` ## DESCRIPTION @@ -281,21 +280,6 @@ Accept pipeline input: False Accept wildcard characters: False ``` -### -SecurityMasks -{{Fill SecurityMasks Description}} - -```yaml -Type: String -Parameter Sets: (All) -Aliases: - -Required: False -Position: Named -Default value: None -Accept pipeline input: False -Accept wildcard characters: False -``` - ### -Tombstone Switch. Specifies that the searcher should also return deleted/tombstoned objects. 
@@ -332,14 +316,6 @@ Accept wildcard characters: False ## OUTPUTS -### PowerView.ADObject - -Custom PSObject with translated AD object property fields, if -PassThru is enabled. - -PowerView.ADObject.Raw - -The raw DirectoryServices.SearchResult object, if -PassThru and -Raw are enabled. - ## NOTES ## RELATED LINKS diff --git a/docs/Recon/index.md b/docs/Recon/index.md old mode 100644 new mode 100755 diff --git a/mkdocs.yml b/mkdocs.yml index a24f7e4..f4a0608 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -81,7 +81,7 @@ pages: - Get-DomainForeignUser: 'Recon/Get-DomainForeignUser.md' - Get-DomainForeignGroupMember: 'Recon/Get-DomainForeignGroupMember.md' - Get-DomainTrustMapping: 'Recon/Get-DomainTrustMapping.md' - - Get-ComputerDetails: 'Recon/Get-ComputerDetails.md' + - Get-ComputerDetail: 'Recon/Get-ComputerDetail.md' - Get-HttpStatus: 'Recon/Get-HttpStatus.md' - Invoke-Portscan: 'Recon/Invoke-Portscan.md' - Invoke-ReverseDnsLookup: 'Recon/Invoke-ReverseDnsLookup.md'
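Review bot: in the Get-HttpStatus.ps1 hunk at `@@ -64,49 +64,54 @@`, the brace reflow touches the lines around `# Check Http status for each entry in the doctionary file` and `$Tcpconnection.Close()` but leaves the "doctionary" typo and the mixed `$TcpConnection` / `$Tcpconnection` spelling in place; since this is a style-only hunk, fix both while you are there. The unchanged line `[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }` also deserves a comment in the code: it turns off certificate validation for every HTTPS request in the whole PowerShell session, not just this scan, and is never reset, so either save the previous callback and restore it when the function returns or call the side effect out in `.NOTES`.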
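Review bot: in the Get-HttpStatus.ps1 hunk at `@@ -117,24 +122,23 @@`, dropping `$ResultObject += $ScanObject` is correct (the variable is never declared or read, and `$ScanObject` is not yet assigned on the first iteration), but the catch block still reaches for `$Error[0]` where the idiomatic and safer choice is the ErrorRecord already in `$_`. The fallback `$WebStatus = $Error[0].Exception.InnerException.Status` also only helps for WebException; for anything else `InnerException` is null, so `Status` ends up empty in the output object. Consider a final fallback to `$_.Exception.Message` so the caller can tell a DNS or URI failure from an HTTP error.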
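Review bot: in the Invoke-Portscan.ps1 hunk at `@@ -141,7 +141,13 @@`, the five `SuppressMessageAttribute` lines silence PSScriptAnalyzer rules with an empty second argument and no reason recorded, so a later reader cannot tell whether `PSUseShouldProcessForStateChangingFunctions` and `PSUseApprovedVerbs` were judged false positives or just inconvenient. Add `Justification = '...'` to each attribute (the .NET `SuppressMessageAttribute` supports it and PSScriptAnalyzer honours it), for example noting that the verb suppression covers the nested `PortScan-Alive` helper rather than the public cmdlet.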
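Review bot: in the Invoke-Portscan.ps1 hunk at `@@ -748,9 +754,9 @@`, commenting out `$sPortList = [string]::join(",", $portList)` and `$sHostPortList = [string]::join(",", $hostPortList)` leaves dead code behind; delete the three lines instead and let version control keep the history. The comment being kept says the join "gives some argument error checking", so before deleting please confirm that nothing later in the function reads `$sPortList` or `$sHostPortList` and that the error checking it provided is covered elsewhere (for instance by the `[int[]]` typing on `$portList`).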
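Review bot: in the Invoke-ReverseDnsLookup.ps1 hunk at `@@ -5,23 +5,23 @@`, the "reconnaisance" typo is fixed but the `.PARAMETER IPRange` text two lines below still reads `Comma-delimited ranges may can be provided.`; drop either "may" or "can" so the help text reads correctly, and mirror the same fix in docs/Recon/Invoke-ReverseDnsLookup.md if that file is generated from the comment-based help.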
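Review bot: in the Invoke-ReverseDnsLookup.ps1 hunk at `@@ -69,13 +69,15 @@`, adding `[CmdletBinding()]` is the right call since the function already uses `Write-Verbose` and `ValueFromPipeline=$True`, but the two `SuppressMessageAttribute` lines carry no justification. The `PSUseApprovedVerbs` suppression presumably exists for the nested `Parse-IPList`, `IPtoInt` and `InttoIP` helpers; say so in a `Justification = '...'` so the suppression is not silently extended to the public function name later.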
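Review bot: in the Invoke-ReverseDnsLookup.ps1 hunk at `@@ -152,14 +154,14 @@`, the mask validation on the unchanged line `if (($Mask -lt 0) -or ($Mask -gt 30))` compares strings, not numbers: `$Mask` comes straight from `$Item.Split("/")`, and when the left operand of `-gt` is a string PowerShell converts the right operand to a string and compares lexically, so `"8" -gt 30` is true and a /4 through /9 prefix is rejected as "Invalid network mask!". Declare it as `[int]$Mask = $CidrRange[1]` (which also rejects non-numeric input with a clear error) so the 0-30 range check and the later `Substring(0, $Mask)` both operate on an integer.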
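Review bot: in the Invoke-ReverseDnsLookup.ps1 hunk at `@@ -193,28 +195,30 @@`, the new `Write-Verbose "Error: $_"` inside the catch block reports the ErrorRecord, because `$_` is rebound there and no longer holds the address being resolved by the surrounding `ForEach-Object`. Capture the address first (e.g. `$Address = $_` at the top of the script block) and log `"Failed to resolve $Address: $_"`, otherwise a run with several failures cannot be correlated with the preceding `Resolving $_` lines when `-Verbose` output is interleaved. Replacing the empty `catch [System.Net.Sockets.SocketException] {}` with a logged catch is otherwise a clear improvement.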
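Review bot: in the Recon.psd1 hunk at `@@ -98,7 +98,7 @@`, renaming the export from `'Get-ComputerDetails'` to `'Get-ComputerDetail'` is a breaking change for any script that calls the old name, and this diff only shows the manifest, the docs and mkdocs.yml being renamed, not the `.ps1` that defines the function. Please confirm the function definition itself has been renamed in the same change set, and consider keeping `Set-Alias Get-ComputerDetails Get-ComputerDetail` with a matching `AliasesToExport` entry so existing users get the new singular-noun name without a hard break.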
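Review bot: in the new docs/Recon/Get-ComputerDetail.md hunk, the `## RELATED LINKS` block is a malformed Markdown link whose link text and target are both the two-line string `Blog: http://clymb3r.wordpress.com/` / `Github repo: https://github.com/clymb3r/PowerShell`, which will render as a broken link; split it into two plain bullet links. The second example `Get-ComputerDetail -ToString` also sits outside a code fence while `EXAMPLE 1` has one, and the `## INPUTS` and `## OUTPUTS` sections are empty; since this file is being created rather than edited, fix those in the generator source (the `.LINK` and `.EXAMPLE` blocks of the comment-based help) so the next regeneration does not reintroduce them.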
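Review bot: in the docs/Recon/Set-DomainObject.md hunk at `@@ -281,21 +280,6 @@`, removing the `-SecurityMasks` section that still read `{{Fill SecurityMasks Description}}` is fine, but the companion change to the function's parameter block is not in this diff (the only PowerView.ps1 hunk here is trailing whitespace in `Export-PowerViewCSV`). Please confirm `Set-DomainObject` in Recon/PowerView.ps1 no longer declares `-SecurityMasks`, otherwise the SYNTAX line and the parameter list will be out of step with `Get-Help`.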
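Review bot: in the docs/Recon/Set-DomainObject.md hunk at `@@ -332,14 +316,6 @@`, deleting the `PowerView.ADObject` / `PowerView.ADObject.Raw` text is justified because it describes `-PassThru` and `-Raw` switches that do not appear in the SYNTAX block, but it leaves `## OUTPUTS` empty. Add one line stating what `Set-DomainObject` actually returns (even if that is "None"), so the section matches the `.OUTPUTS` comment in the source rather than being silently blank.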