Updated Export-ReconData

This commit is contained in:
mb 2018-12-19 15:11:15 +01:00
parent e7b0abd3d4
commit 04bd92f502
3 changed files with 219 additions and 80 deletions

View File

@ -1,113 +1,131 @@
#requires -version 2 #requires -version 2
<# <#
This script launches many PowerView cmdlets and stores their output in Clixml
files for later processing. This script is compatible with newest PowerView's version,
from dev branch (as of 2018) that uses Get-Domain*, Find-* (instead of Invoke-*) and others cmdlets.
This script launches many PowerView cmdlets and stores their output Author: Mariusz B. (mgeeky), '18
in Clixml files for later processing. License: BSD 3-Clause
Required Dependencies: PowerSploit's Recon.psm1
Author: Mariusz B. (mgeeky), '18
License: BSD 3-Clause
Required Dependencies: PowerSploit's Recon.psm1
#> #>
function Export-ReconData function Export-ReconData
{ {
$DirName = (Get-Date).ToString("PowerView-MM-dd-yyyy-hh-mm-ss") $DirName = (Get-Date).ToString("PowerView-MM-dd-yyyy-hh-mm-ss")
New-Item -Name $DirName -ItemType Directory | Out-Null New-Item -Name $DirName -ItemType Directory | Out-Null
Write-Output "`n:: Logs to be stored in: $DirName`n" Write-Output "`n:: Logs to be stored in: $DirName`n"
$ReconModuleCommands = Get-Command -Module Recon $ReconModuleCommands = Get-Command -Module Recon
$Commands = @() $Commands = @()
$ReconModuleCommands ` $ReconModuleCommands `
| Where-Object {$_.Name -like "Get-Net*"} ` | Where-Object {$_.Name -like "Get-Domain*" -or $_.Name -like "Get-Forest*" -or $_.Name -like "Get-Net*"} `
| Select Name ` | Select Name `
| ForEach-Object {$Commands += $_.Name} | ForEach-Object {$Commands += $_.Name}
$Commands += "Invoke-UserHunter -ShowAll" $Commands += "Find-DomainUserLocation -ShowAll"
$Commands += "Invoke-StealthUserHunter -ShowAll" $Commands += "Find-InterestingDomainShareFile"
$Commands += "Invoke-FileFinder -SearchSYSVol" $Commands += "Find-DomainShare"
$Commands += "Invoke-ShareFinder" $Commands += "Get-DomainTrustMapping"
$Commands += "Invoke-MapDomainTrust" $Commands += "Get-DomainGPOUserLocalGroupMapping"
$Commands += "Find-GPOLocation" $Commands += "Get-DomainUser -AdminCount"
$Commands += "Get-NetUser -AdminCount" $Commands += "Get-DomainForeignUser"
$Commands += "Find-ForeignUser" $Commands += "Get-DomainForeignGroupMember"
$Commands += "Find-ForeignGroup" $Commands += "Find-InterestingDomainShareFile"
$Commands += "Invoke-FileFinder"
$Commands | ForEach-Object { $IdentityBased = @(
$Name = $_ "Get-DomainGroupMember",
$Name -match "[A-Za-z]+-(.+)" | Out-Null "Get-DomainGPOComputerLocalGroupMapping",
"Get-DomainGPOUserLocalGroupMapping"
)
$FileName = $matches[1] + ".xml" $ToSkip = @(
$FileName = $FileName -replace ' ','' "Get-DomainDNSRecord",
"Get-DomainObject",
"Get-DomainObjectAttributeHistory",
"Get-DomainObjectLinkedAttributeHistory",
"Get-DomainSPNTicket",
"Get-DomainUserEvent",
"Get-ForestSchemaClass"
)
If ($Name -like "Get-Net*") $Commands | ForEach-Object {
{ $Name = $_
#$Name = $Name + " -Recurse" $Name -match "[A-Za-z]+-(.+)" | Out-Null
}
Write-Output "--- $Name ---" $FileName = $matches[1] + ".xml"
$Name | Invoke-Expression | Export-Clixml $DirName\$FileName $FileName = $FileName -replace ' ',''
Write-Output "Done.`n"
} If ($IdentityBased -match $Name ) {
$Name = $Name + " -Identity 'Domain Admins'"
}
ElseIf ($ToSkip -match $Name) {
}
Else {
Write-Output "--- $Name ---"
$Name | Invoke-Expression | Export-Clixml $DirName\$FileName
Write-Output "Done.`n"
}
}
} }
function Import-ReconData function Import-ReconData
{ {
Param Param
( (
[Parameter(Position = 0, Mandatory = $True)] [Parameter(Position = 0, Mandatory = $True)]
[ValidateNotNullOrEmpty()] [ValidateNotNullOrEmpty()]
[String] [String]
$DirName $DirName
) )
$path = Get-Location $path = Get-Location
Set-Location -Path $DirName Set-Location -Path $DirName
Get-ChildItem . -Filter *.xml | Get-ChildItem . -Filter *.xml |
Foreach-Object { Foreach-Object {
$Name = $_.BaseName -replace '-','' $Name = $_.BaseName -replace '-',''
$Results = Import-Clixml -Path "$_" $Results = Import-Clixml -Path "$_"
New-Variable -Name $Name -Force -Value $Results -Scope Global New-Variable -Name $Name -Force -Value $Results -Scope Global
Write-Output "Loaded `$$Name results." Write-Output "Loaded `$$Name results."
} }
Set-Location -Path $path Set-Location -Path $path
} }
function Get-ReconData function Get-ReconData
{ {
Param Param
( (
[Parameter(Position = 0, Mandatory = $True)] [Parameter(Position = 0, Mandatory = $True)]
[ValidateNotNullOrEmpty()] [ValidateNotNullOrEmpty()]
[String] [String]
$DirName $DirName
) )
$path = Get-Location $path = Get-Location
$Variables = Get-Variable $Variables = Get-Variable
Set-Location -Path $DirName Set-Location -Path $DirName
Get-ChildItem . -Filter *.xml | Get-ChildItem . -Filter *.xml |
Foreach-Object { Foreach-Object {
$Name = $_.BaseName -replace '-','' $Name = $_.BaseName -replace '-',''
If ($Variables | Where-Object { $_.Name -eq $Name }) If ($Variables | Where-Object { $_.Name -eq $Name })
{ {
Write-Output "Previously loaded: `$$Name" Write-Output "Previously loaded: `$$Name"
} }
} }
Set-Location -Path $path Set-Location -Path $path
} }
Try Try
{ {
# You need to be in PowerSploit\Recon directory # You need to be in PowerSploit\Recon directory
Import-Module .\Recon.psm1 Import-Module .\Recon.psm1
} }
Catch [System.Exception] Catch [System.Exception]
{ {
exit exit
} }

View File

@ -18,10 +18,11 @@ IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Com
- **`delete-warning-div-macro.vbs`** - VBA Macro function to be used as a Social Engineering trick removing "Enable Content" warning message as the topmost floating text box with given name. ([gist](https://gist.github.com/mgeeky/9cb6acdec31c8a70cc037c84c77a359c)) - **`delete-warning-div-macro.vbs`** - VBA Macro function to be used as a Social Engineering trick removing "Enable Content" warning message as the topmost floating text box with given name. ([gist](https://gist.github.com/mgeeky/9cb6acdec31c8a70cc037c84c77a359c))
- **`Export-ReconData.ps1`** - Powershell script leveraging [PowerSploit Recon](https://github.com/PowerShellMafia/PowerSploit) module (PowerView) to save output from Reconnaissance cmdlets like `Get-Net*`, `Invoke-*` into _Clixml_ files. Those files (stored in an output directory as separate XML files) can later be extracted from attacked environment and loaded to a new powershell runspace using the same script. Very useful when we want to obtain as many data as possible, then exfiltrate that data, review it in our safe place and then get back to attacked domain for lateral spread. **Warning**: Be careful though, as this script launches many reconnaissance commands one by one, this WILL generate a lot of noise. Microsoft ATA for instance for sure pick you up with _"Reconnaissance using SMB session enumeration"_ after you've launched `Invoke-UserHunter`. - **`Export-ReconData.ps1`** - Powershell script leveraging [PowerSploit Recon](https://github.com/PowerShellMafia/PowerSploit) module (PowerView) to save output from Reconnaissance cmdlets like `Get-*`, `Find-*` into _Clixml_ files. Those files (stored in an output directory as separate XML files) can later be extracted from attacked environment and loaded to a new powershell runspace using the same script. Very useful when we want to obtain as many data as possible, then exfiltrate that data, review it in our safe place and then get back to attacked domain for lateral spread. **Warning**: Be careful though, as this script launches many reconnaissance commands one by one, this WILL generate a lot of noise. Microsoft ATA for instance for sure pick you up with _"Reconnaissance using SMB session enumeration"_ after you've launched `Invoke-UserHunter`.
**WARNING:** At the moment this script works only with older version of PowerView - from before 12 dev 2016, where **WARNING:** This script is compatible with newer version of PowerView (coming from dev branch as of 2018),
it had Get-NetUser/Get-NetComputer/Get-Net* commands only. that exposed various `Get-Domain*`, `Find-*` cmdlets. In order to save recon's data from the older PowerView,
refer to my `Save-ReconData.ps1` script in this directory.
Exposed functions: Exposed functions:
- `Export-ReconData` - Launches many cmdlets and exports their Clixml outputs. - `Export-ReconData` - Launches many cmdlets and exports their Clixml outputs.
@ -201,6 +202,13 @@ PS E:\PowerSploit\Recon> Get-DomainOU | Get-DomainOUTree
- [**`RobustPentestMacro`**](https://github.com/mgeeky/RobustPentestMacro) - This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques. - [**`RobustPentestMacro`**](https://github.com/mgeeky/RobustPentestMacro) - This is a rich-featured Visual Basic macro code for use during Penetration Testing assignments, implementing various advanced post-exploitation techniques.
- **`Save-ReconData.ps1`** - Powershell script leveraging [PowerSploit Recon](https://github.com/PowerShellMafia/PowerSploit) module (PowerView) to save output from Reconnaissance cmdlets like `Get-*`, `Find-*` into _Clixml_ files. It differs from `Export-ReconData.ps1` in that it supports only older PowerView version from before 12 dec 2016.
Exposed functions:
- `Save-ReconData` - Launches many cmdlets and exports their Clixml outputs.
- `Load-ReconData -DirName <DIR>` - Loads Clixml previously exported outputs and stores them in Global variables reachable when script terminates.
- `Get-ReconData -DirName <DIR>` - Gets names of variables that were created and contains previously imported data.
- **`set-handler.rc`** - Quickly set metasploit's multi-handler + web_delivery (separated) handler for use with powershell. ([gist](https://gist.github.com/mgeeky/bf4d732aa6e602ca9b77d089fd3ea7c9)) - **`set-handler.rc`** - Quickly set metasploit's multi-handler + web_delivery (separated) handler for use with powershell. ([gist](https://gist.github.com/mgeeky/bf4d732aa6e602ca9b77d089fd3ea7c9))
- **`SubstitutePageMacro.vbs`** - This is a template for the Malicious Macros that would like to substitute primary contents of the document (like luring/fake warnings to "Enable Content") and replace document's contents with what is inside of an AutoText named `RealDoc` (configured via variable `autoTextTemplateName` ). ([gist](https://gist.github.com/mgeeky/3c705560c5041ab20c62f41e917616e6)) - **`SubstitutePageMacro.vbs`** - This is a template for the Malicious Macros that would like to substitute primary contents of the document (like luring/fake warnings to "Enable Content") and replace document's contents with what is inside of an AutoText named `RealDoc` (configured via variable `autoTextTemplateName` ). ([gist](https://gist.github.com/mgeeky/3c705560c5041ab20c62f41e917616e6))

View File

@ -0,0 +1,113 @@
#requires -version 2
<#
This script launches many PowerView cmdlets and stores their output
in Clixml files for later processing.
Author: Mariusz B. (mgeeky), '18
License: BSD 3-Clause
Required Dependencies: PowerSploit's Recon.psm1
#>
function Export-ReconData
{
$DirName = (Get-Date).ToString("PowerView-MM-dd-yyyy-hh-mm-ss")
New-Item -Name $DirName -ItemType Directory | Out-Null
Write-Output "`n:: Logs to be stored in: $DirName`n"
$ReconModuleCommands = Get-Command -Module Recon
$Commands = @()
$ReconModuleCommands `
| Where-Object {$_.Name -like "Get-Net*"} `
| Select Name `
| ForEach-Object {$Commands += $_.Name}
$Commands += "Invoke-UserHunter -ShowAll"
$Commands += "Invoke-StealthUserHunter -ShowAll"
$Commands += "Invoke-FileFinder -SearchSYSVol"
$Commands += "Invoke-ShareFinder"
$Commands += "Invoke-MapDomainTrust"
$Commands += "Find-GPOLocation"
$Commands += "Get-NetUser -AdminCount"
$Commands += "Find-ForeignUser"
$Commands += "Find-ForeignGroup"
$Commands += "Invoke-FileFinder"
$Commands | ForEach-Object {
$Name = $_
$Name -match "[A-Za-z]+-(.+)" | Out-Null
$FileName = $matches[1] + ".xml"
$FileName = $FileName -replace ' ',''
If ($Name -like "Get-Net*")
{
#$Name = $Name + " -Recurse"
}
Write-Output "--- $Name ---"
$Name | Invoke-Expression | Export-Clixml $DirName\$FileName
Write-Output "Done.`n"
}
}
function Import-ReconData
{
Param
(
[Parameter(Position = 0, Mandatory = $True)]
[ValidateNotNullOrEmpty()]
[String]
$DirName
)
$path = Get-Location
Set-Location -Path $DirName
Get-ChildItem . -Filter *.xml |
Foreach-Object {
$Name = $_.BaseName -replace '-',''
$Results = Import-Clixml -Path "$_"
New-Variable -Name $Name -Force -Value $Results -Scope Global
Write-Output "Loaded `$$Name results."
}
Set-Location -Path $path
}
function Get-ReconData
{
Param
(
[Parameter(Position = 0, Mandatory = $True)]
[ValidateNotNullOrEmpty()]
[String]
$DirName
)
$path = Get-Location
$Variables = Get-Variable
Set-Location -Path $DirName
Get-ChildItem . -Filter *.xml |
Foreach-Object {
$Name = $_.BaseName -replace '-',''
If ($Variables | Where-Object { $_.Name -eq $Name })
{
Write-Output "Previously loaded: `$$Name"
}
}
Set-Location -Path $path
}
Try
{
# You need to be in PowerSploit\Recon directory
Import-Module .\Recon.psm1
}
Catch [System.Exception]
{
exit
}