mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2024-11-25 20:11:36 +01:00
Updated Export-ReconData
This commit is contained in:
parent
e7b0abd3d4
commit
04bd92f502
@ -1,9 +1,9 @@
|
|||||||
#requires -version 2
|
#requires -version 2
|
||||||
|
|
||||||
<#
|
<#
|
||||||
|
This script launches many PowerView cmdlets and stores their output in Clixml
|
||||||
This script launches many PowerView cmdlets and stores their output
|
files for later processing. This script is compatible with newest PowerView's version,
|
||||||
in Clixml files for later processing.
|
from dev branch (as of 2018) that uses Get-Domain*, Find-* (instead of Invoke-*) and others cmdlets.
|
||||||
|
|
||||||
Author: Mariusz B. (mgeeky), '18
|
Author: Mariusz B. (mgeeky), '18
|
||||||
License: BSD 3-Clause
|
License: BSD 3-Clause
|
||||||
@ -21,20 +21,35 @@ function Export-ReconData
|
|||||||
$Commands = @()
|
$Commands = @()
|
||||||
|
|
||||||
$ReconModuleCommands `
|
$ReconModuleCommands `
|
||||||
| Where-Object {$_.Name -like "Get-Net*"} `
|
| Where-Object {$_.Name -like "Get-Domain*" -or $_.Name -like "Get-Forest*" -or $_.Name -like "Get-Net*"} `
|
||||||
| Select Name `
|
| Select Name `
|
||||||
| ForEach-Object {$Commands += $_.Name}
|
| ForEach-Object {$Commands += $_.Name}
|
||||||
|
|
||||||
$Commands += "Invoke-UserHunter -ShowAll"
|
$Commands += "Find-DomainUserLocation -ShowAll"
|
||||||
$Commands += "Invoke-StealthUserHunter -ShowAll"
|
$Commands += "Find-InterestingDomainShareFile"
|
||||||
$Commands += "Invoke-FileFinder -SearchSYSVol"
|
$Commands += "Find-DomainShare"
|
||||||
$Commands += "Invoke-ShareFinder"
|
$Commands += "Get-DomainTrustMapping"
|
||||||
$Commands += "Invoke-MapDomainTrust"
|
$Commands += "Get-DomainGPOUserLocalGroupMapping"
|
||||||
$Commands += "Find-GPOLocation"
|
$Commands += "Get-DomainUser -AdminCount"
|
||||||
$Commands += "Get-NetUser -AdminCount"
|
$Commands += "Get-DomainForeignUser"
|
||||||
$Commands += "Find-ForeignUser"
|
$Commands += "Get-DomainForeignGroupMember"
|
||||||
$Commands += "Find-ForeignGroup"
|
$Commands += "Find-InterestingDomainShareFile"
|
||||||
$Commands += "Invoke-FileFinder"
|
|
||||||
|
$IdentityBased = @(
|
||||||
|
"Get-DomainGroupMember",
|
||||||
|
"Get-DomainGPOComputerLocalGroupMapping",
|
||||||
|
"Get-DomainGPOUserLocalGroupMapping"
|
||||||
|
)
|
||||||
|
|
||||||
|
$ToSkip = @(
|
||||||
|
"Get-DomainDNSRecord",
|
||||||
|
"Get-DomainObject",
|
||||||
|
"Get-DomainObjectAttributeHistory",
|
||||||
|
"Get-DomainObjectLinkedAttributeHistory",
|
||||||
|
"Get-DomainSPNTicket",
|
||||||
|
"Get-DomainUserEvent",
|
||||||
|
"Get-ForestSchemaClass"
|
||||||
|
)
|
||||||
|
|
||||||
$Commands | ForEach-Object {
|
$Commands | ForEach-Object {
|
||||||
$Name = $_
|
$Name = $_
|
||||||
@ -43,15 +58,18 @@ function Export-ReconData
|
|||||||
$FileName = $matches[1] + ".xml"
|
$FileName = $matches[1] + ".xml"
|
||||||
$FileName = $FileName -replace ' ',''
|
$FileName = $FileName -replace ' ',''
|
||||||
|
|
||||||
If ($Name -like "Get-Net*")
|
If ($IdentityBased -match $Name ) {
|
||||||
{
|
$Name = $Name + " -Identity 'Domain Admins'"
|
||||||
#$Name = $Name + " -Recurse"
|
|
||||||
}
|
}
|
||||||
|
ElseIf ($ToSkip -match $Name) {
|
||||||
|
}
|
||||||
|
Else {
|
||||||
Write-Output "--- $Name ---"
|
Write-Output "--- $Name ---"
|
||||||
$Name | Invoke-Expression | Export-Clixml $DirName\$FileName
|
$Name | Invoke-Expression | Export-Clixml $DirName\$FileName
|
||||||
Write-Output "Done.`n"
|
Write-Output "Done.`n"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
function Import-ReconData
|
function Import-ReconData
|
||||||
|
@ -18,10 +18,11 @@ IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Com
|
|||||||
|
|
||||||
- **`delete-warning-div-macro.vbs`** - VBA Macro function to be used as a Social Engineering trick removing "Enable Content" warning message as the topmost floating text box with given name. ([gist](https://gist.github.com/mgeeky/9cb6acdec31c8a70cc037c84c77a359c))
|
- **`delete-warning-div-macro.vbs`** - VBA Macro function to be used as a Social Engineering trick removing "Enable Content" warning message as the topmost floating text box with given name. ([gist](https://gist.github.com/mgeeky/9cb6acdec31c8a70cc037c84c77a359c))
|
||||||
|
|
||||||
- **`Export-ReconData.ps1`** - Powershell script leveraging [PowerSploit Recon](https://github.com/PowerShellMafia/PowerSploit) module (PowerView) to save output from Reconnaissance cmdlets like `Get-Net*`, `Invoke-*` into _Clixml_ files. Those files (stored in an output directory as separate XML files) can later be extracted from attacked environment and loaded to a new powershell runspace using the same script. Very useful when we want to obtain as many data as possible, then exfiltrate that data, review it in our safe place and then get back to attacked domain for lateral spread. **Warning**: Be careful though, as this script launches many reconnaissance commands one by one, this WILL generate a lot of noise. Microsoft ATA for instance for sure pick you up with _"Reconnaissance using SMB session enumeration"_ after you've launched `Invoke-UserHunter`.
|
- **`Export-ReconData.ps1`** - Powershell script leveraging [PowerSploit Recon](https://github.com/PowerShellMafia/PowerSploit) module (PowerView) to save output from Reconnaissance cmdlets like `Get-*`, `Find-*` into _Clixml_ files. Those files (stored in an output directory as separate XML files) can later be extracted from attacked environment and loaded to a new powershell runspace using the same script. Very useful when we want to obtain as many data as possible, then exfiltrate that data, review it in our safe place and then get back to attacked domain for lateral spread. **Warning**: Be careful though, as this script launches many reconnaissance commands one by one, this WILL generate a lot of noise. Microsoft ATA for instance for sure pick you up with _"Reconnaissance using SMB session enumeration"_ after you've launched `Invoke-UserHunter`.
|
||||||
|
|
||||||
**WARNING:** At the moment this script works only with older version of PowerView - from before 12 dev 2016, where
|
**WARNING:** This script is compatible with newer version of PowerView (coming from dev branch as of 2018),
|
||||||
it had Get-NetUser/Get-NetComputer/Get-Net* commands only.
|
that exposed various `Get-Domain*`, `Find-*` cmdlets. In order to save recon's data from the older PowerView,
|
||||||
|
refer to my `Save-ReconData.ps1` script in this directory.
|
||||||
|
|
||||||
Exposed functions:
|
Exposed functions:
|
||||||
- `Export-ReconData` - Launches many cmdlets and exports their Clixml outputs.
|
- `Export-ReconData` - Launches many cmdlets and exports their Clixml outputs.
|
||||||
@ -201,6 +202,13 @@ PS E:\PowerSploit\Recon> Get-DomainOU | Get-DomainOUTree
|
|||||||
|
|
||||||
- [**`RobustPentestMacro`**](https://github.com/mgeeky/RobustPentestMacro) - This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques.
|
- [**`RobustPentestMacro`**](https://github.com/mgeeky/RobustPentestMacro) - This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques.
|
||||||
|
|
||||||
|
|
||||||
|
- **`Save-ReconData.ps1`** - Powershell script leveraging [PowerSploit Recon](https://github.com/PowerShellMafia/PowerSploit) module (PowerView) to save output from Reconnaissance cmdlets like `Get-*`, `Find-*` into _Clixml_ files. It differs from `Export-ReconData.ps1` in that it supports only older PowerView version from before 12 dec 2016.
|
||||||
|
Exposed functions:
|
||||||
|
- `Save-ReconData` - Launches many cmdlets and exports their Clixml outputs.
|
||||||
|
- `Load-ReconData -DirName <DIR>` - Loads Clixml previously exported outputs and stores them in Global variables reachable when script terminates.
|
||||||
|
- `Get-ReconData -DirName <DIR>` - Gets names of variables that were created and contains previously imported data.
|
||||||
|
|
||||||
- **`set-handler.rc`** - Quickly set metasploit's multi-handler + web_delivery (separated) handler for use with powershell. ([gist](https://gist.github.com/mgeeky/bf4d732aa6e602ca9b77d089fd3ea7c9))
|
- **`set-handler.rc`** - Quickly set metasploit's multi-handler + web_delivery (separated) handler for use with powershell. ([gist](https://gist.github.com/mgeeky/bf4d732aa6e602ca9b77d089fd3ea7c9))
|
||||||
|
|
||||||
- **`SubstitutePageMacro.vbs`** - This is a template for the Malicious Macros that would like to substitute primary contents of the document (like luring/fake warnings to "Enable Content") and replace document's contents with what is inside of an AutoText named `RealDoc` (configured via variable `autoTextTemplateName` ). ([gist](https://gist.github.com/mgeeky/3c705560c5041ab20c62f41e917616e6))
|
- **`SubstitutePageMacro.vbs`** - This is a template for the Malicious Macros that would like to substitute primary contents of the document (like luring/fake warnings to "Enable Content") and replace document's contents with what is inside of an AutoText named `RealDoc` (configured via variable `autoTextTemplateName` ). ([gist](https://gist.github.com/mgeeky/3c705560c5041ab20c62f41e917616e6))
|
||||||
|
113
red-teaming/Save-ReconData.ps1
Normal file
113
red-teaming/Save-ReconData.ps1
Normal file
@ -0,0 +1,113 @@
|
|||||||
|
#requires -version 2
|
||||||
|
|
||||||
|
<#
|
||||||
|
|
||||||
|
This script launches many PowerView cmdlets and stores their output
|
||||||
|
in Clixml files for later processing.
|
||||||
|
|
||||||
|
Author: Mariusz B. (mgeeky), '18
|
||||||
|
License: BSD 3-Clause
|
||||||
|
Required Dependencies: PowerSploit's Recon.psm1
|
||||||
|
#>
|
||||||
|
|
||||||
|
function Export-ReconData
|
||||||
|
{
|
||||||
|
$DirName = (Get-Date).ToString("PowerView-MM-dd-yyyy-hh-mm-ss")
|
||||||
|
New-Item -Name $DirName -ItemType Directory | Out-Null
|
||||||
|
|
||||||
|
Write-Output "`n:: Logs to be stored in: $DirName`n"
|
||||||
|
|
||||||
|
$ReconModuleCommands = Get-Command -Module Recon
|
||||||
|
$Commands = @()
|
||||||
|
|
||||||
|
$ReconModuleCommands `
|
||||||
|
| Where-Object {$_.Name -like "Get-Net*"} `
|
||||||
|
| Select Name `
|
||||||
|
| ForEach-Object {$Commands += $_.Name}
|
||||||
|
|
||||||
|
$Commands += "Invoke-UserHunter -ShowAll"
|
||||||
|
$Commands += "Invoke-StealthUserHunter -ShowAll"
|
||||||
|
$Commands += "Invoke-FileFinder -SearchSYSVol"
|
||||||
|
$Commands += "Invoke-ShareFinder"
|
||||||
|
$Commands += "Invoke-MapDomainTrust"
|
||||||
|
$Commands += "Find-GPOLocation"
|
||||||
|
$Commands += "Get-NetUser -AdminCount"
|
||||||
|
$Commands += "Find-ForeignUser"
|
||||||
|
$Commands += "Find-ForeignGroup"
|
||||||
|
$Commands += "Invoke-FileFinder"
|
||||||
|
|
||||||
|
$Commands | ForEach-Object {
|
||||||
|
$Name = $_
|
||||||
|
$Name -match "[A-Za-z]+-(.+)" | Out-Null
|
||||||
|
|
||||||
|
$FileName = $matches[1] + ".xml"
|
||||||
|
$FileName = $FileName -replace ' ',''
|
||||||
|
|
||||||
|
If ($Name -like "Get-Net*")
|
||||||
|
{
|
||||||
|
#$Name = $Name + " -Recurse"
|
||||||
|
}
|
||||||
|
|
||||||
|
Write-Output "--- $Name ---"
|
||||||
|
$Name | Invoke-Expression | Export-Clixml $DirName\$FileName
|
||||||
|
Write-Output "Done.`n"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
function Import-ReconData
|
||||||
|
{
|
||||||
|
Param
|
||||||
|
(
|
||||||
|
[Parameter(Position = 0, Mandatory = $True)]
|
||||||
|
[ValidateNotNullOrEmpty()]
|
||||||
|
[String]
|
||||||
|
$DirName
|
||||||
|
)
|
||||||
|
$path = Get-Location
|
||||||
|
Set-Location -Path $DirName
|
||||||
|
|
||||||
|
Get-ChildItem . -Filter *.xml |
|
||||||
|
Foreach-Object {
|
||||||
|
$Name = $_.BaseName -replace '-',''
|
||||||
|
$Results = Import-Clixml -Path "$_"
|
||||||
|
New-Variable -Name $Name -Force -Value $Results -Scope Global
|
||||||
|
Write-Output "Loaded `$$Name results."
|
||||||
|
}
|
||||||
|
|
||||||
|
Set-Location -Path $path
|
||||||
|
}
|
||||||
|
|
||||||
|
function Get-ReconData
|
||||||
|
{
|
||||||
|
Param
|
||||||
|
(
|
||||||
|
[Parameter(Position = 0, Mandatory = $True)]
|
||||||
|
[ValidateNotNullOrEmpty()]
|
||||||
|
[String]
|
||||||
|
$DirName
|
||||||
|
)
|
||||||
|
$path = Get-Location
|
||||||
|
$Variables = Get-Variable
|
||||||
|
Set-Location -Path $DirName
|
||||||
|
|
||||||
|
Get-ChildItem . -Filter *.xml |
|
||||||
|
Foreach-Object {
|
||||||
|
$Name = $_.BaseName -replace '-',''
|
||||||
|
If ($Variables | Where-Object { $_.Name -eq $Name })
|
||||||
|
{
|
||||||
|
Write-Output "Previously loaded: `$$Name"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
Set-Location -Path $path
|
||||||
|
}
|
||||||
|
|
||||||
|
Try
|
||||||
|
{
|
||||||
|
# You need to be in PowerSploit\Recon directory
|
||||||
|
Import-Module .\Recon.psm1
|
||||||
|
}
|
||||||
|
Catch [System.Exception]
|
||||||
|
{
|
||||||
|
exit
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user