From 27596f51044f0a7d92cea8105e96000b53cedf1a Mon Sep 17 00:00:00 2001 
From: mb
Date: Tue, 18 Dec 2018 17:52:33 +0100
Subject: [PATCH] Renamed directory and added new script.
---
README.md | 2 +-
red-teaming/Export-ReconData.ps1 | 113 ++++++++++++++++++
.../Invoke-Command-Cred-Example.ps1 | 0
.../Macro-Less-Cheatsheet.md | 0
.../MacroDetectSandbox.vbs | 0
.../Phish-Creds.ps1 | 0
{social-engineering => red-teaming}/README.md | 44 +++++++
.../SubstitutePageMacro.vbs | 0
.../Various-Macro-Based-RCEs.md | 0
.../WMIPersistence.vbs | 0
.../backdoor-drop.js | 0
.../clickOnceSharpPickTemplate.cs | 0
.../compressedPowershell.py | 0
.../delete-warning-div-macro.vbs | 0
.../generateMSBuildPowershellXML.py | 0
.../macro-psh-stdin-author.vbs | 0
.../msbuild-powershell-msgbox.xml | 0
.../muti-stage-1.md | 0
.../set-handler.rc | 0
.../vba-macro-mac-persistence.vbs | 0
.../vba-windows-persistence.vbs | 0
.../warnings/EN-Excel.docx | Bin
.../warnings/EN-Word.docx | Bin
social-engineering/PhishingPost | 1 -
social-engineering/RobustPentestMacro | 1 -
social-engineering/VisualBasicObfuscator | 1 -
26 files changed, 158 insertions(+), 4 deletions(-)
create mode 100644 red-teaming/Export-ReconData.ps1
rename {social-engineering => red-teaming}/Invoke-Command-Cred-Example.ps1 (100%)
rename {social-engineering => red-teaming}/Macro-Less-Cheatsheet.md (100%)
rename {social-engineering => red-teaming}/MacroDetectSandbox.vbs (100%)
rename {social-engineering => red-teaming}/Phish-Creds.ps1 (100%)
rename {social-engineering => red-teaming}/README.md (85%)
rename {social-engineering => red-teaming}/SubstitutePageMacro.vbs (100%)
rename {social-engineering => red-teaming}/Various-Macro-Based-RCEs.md (100%)
rename {social-engineering => red-teaming}/WMIPersistence.vbs (100%)
rename {social-engineering => red-teaming}/backdoor-drop.js (100%)
rename {social-engineering => red-teaming}/clickOnceSharpPickTemplate.cs (100%)
rename {social-engineering => red-teaming}/compressedPowershell.py (100%)
rename {social-engineering => red-teaming}/delete-warning-div-macro.vbs
(100%)
rename {social-engineering => red-teaming}/generateMSBuildPowershellXML.py (100%)
rename {social-engineering => red-teaming}/macro-psh-stdin-author.vbs (100%)
rename {social-engineering => red-teaming}/msbuild-powershell-msgbox.xml (100%)
rename {social-engineering => red-teaming}/muti-stage-1.md (100%)
rename {social-engineering => red-teaming}/set-handler.rc (100%)
rename {social-engineering => red-teaming}/vba-macro-mac-persistence.vbs (100%)
rename {social-engineering => red-teaming}/vba-windows-persistence.vbs (100%)
rename {social-engineering => red-teaming}/warnings/EN-Excel.docx (100%)
rename {social-engineering => red-teaming}/warnings/EN-Word.docx (100%)
delete mode 160000 social-engineering/PhishingPost
delete mode 160000 social-engineering/RobustPentestMacro
delete mode 160000 social-engineering/VisualBasicObfuscator
diff --git a/README.md b/README.md
index 2142fb6..9be9952 100644
--- a/README.md
+++ b/README.md
@@ -12,7 +12,7 @@ This repository is divided further onto following directories:
 - `linux` - Contains linux-based scripts for various purposes.
 - `networks` - Network devices & services Penetration Testing and auditing scripts
 - `others` - Others related somehow to penetration tests & Audits
-- `social-engineering` - Powershell, Visual Basic, js, phishings and other alike candys
+- `red-teaming` - Powershell, Visual Basic, js, phishings and other alike candys
 - `web` - Web-Application auditing, pentesting, fuzzing related.
 - `windows` - Windows utilities, scripts, exploits.
diff --git a/red-teaming/Export-ReconData.ps1 b/red-teaming/Export-ReconData.ps1
new file mode 100644
index 0000000..4e8f5df
--- /dev/null
+++ b/red-teaming/Export-ReconData.ps1
@@ -0,0 +1,113 @@
+#requires -version 2
+
+<#
+
+ This script launches many PowerView cmdlets and stores their output
+ in Clixml files for later processing.
+
+ Author: Mariusz B. (mgeeky), '18
+ License: BSD 3-Clause
+ Required Dependencies: PowerSploit's Recon.psm1
+#>
+
+function Export-ReconData
+{
+ $DirName = (Get-Date).ToString("PowerView-MM-dd-yyyy-hh-mm-ss")
+ New-Item -Name $DirName -ItemType Directory | Out-Null
+
+ Write-Output "`n:: Logs to be stored in: $DirName`n"
+
+ $ReconModuleCommands = Get-Command -Module Recon
+ $Commands = @()
+
+ $ReconModuleCommands `
+ | Where-Object {$_.Name -like "Get-Net*"} `
+ | Select Name `
+ | ForEach-Object {$Commands += $_.Name}
+
+ $Commands += "Invoke-UserHunter -ShowAll"
+ $Commands += "Invoke-StealthUserHunter -ShowAll"
+ $Commands += "Invoke-FileFinder -SearchSYSVol"
+ $Commands += "Invoke-ShareFinder"
+ $Commands += "Invoke-MapDomainTrust"
+ $Commands += "Find-GPOLocation"
+ $Commands += "Get-NetUser -AdminCount"
+ $Commands += "Find-ForeignUser"
+ $Commands += "Find-ForeignGroup"
+ $Commands += "Invoke-FileFinder"
+
+ $Commands | ForEach-Object {
+ $Name = $_
+ $Name -match "[A-Za-z]+-(.+)" | Out-Null
+
+ $FileName = $matches[1] + ".xml"
+ $FileName = $FileName -replace ' ',''
+
+ If ($Name -like "Get-Net*")
+ {
+ #$Name = $Name + " -Recurse"
+ }
+
+ Write-Output "--- $Name ---"
+ $Name | Invoke-Expression | Export-Clixml $DirName\$FileName
+ Write-Output "Done.`n"
+ }
+}
+
+function Import-ReconData
+{
+ Param
+ (
+ [Parameter(Position = 0, Mandatory = $True)]
+ [ValidateNotNullOrEmpty()]
+ [String]
+ $DirName
+ )
+ $path = Get-Location
+ Set-Location -Path $DirName
+
+ Get-ChildItem . -Filter *.xml |
+ Foreach-Object {
+ $Name = $_.BaseName -replace '-',''
+ $Results = Import-Clixml -Path "$_"
+ New-Variable -Name $Name -Force -Value $Results -Scope Global
+ Write-Output "Loaded `$$Name results."
+ }
+
+ Set-Location -Path $path
+}
+
+function Get-ReconData
+{
+ Param
+ (
+ [Parameter(Position = 0, Mandatory = $True)]
+ [ValidateNotNullOrEmpty()]
+ [String]
+ $DirName
+ )
+ $path = Get-Location
+ $Variables = Get-Variable
+ Set-Location -Path $DirName
+
+ Get-ChildItem . -Filter *.xml |
+ Foreach-Object {
+ $Name = $_.BaseName -replace '-',''
+ If ($Variables | Where-Object { $_.Name -eq $Name })
+ {
+ Write-Output "Previously loaded: `$$Name"
+ }
+ }
+
+ Set-Location -Path $path
+}
+
+Try
+{
+ # You need to be in PowerSploit\Recon directory
+ Import-Module .\Recon.psm1
+}
+Catch [System.Exception]
+{
+ exit
+}
diff --git a/social-engineering/Invoke-Command-Cred-Example.ps1 b/red-teaming/Invoke-Command-Cred-Example.ps1
similarity index 100%
rename from social-engineering/Invoke-Command-Cred-Example.ps1
rename to red-teaming/Invoke-Command-Cred-Example.ps1
diff --git a/social-engineering/Macro-Less-Cheatsheet.md b/red-teaming/Macro-Less-Cheatsheet.md
similarity index 100%
rename from social-engineering/Macro-Less-Cheatsheet.md
rename to red-teaming/Macro-Less-Cheatsheet.md
diff --git a/social-engineering/MacroDetectSandbox.vbs b/red-teaming/MacroDetectSandbox.vbs
similarity index 100%
rename from social-engineering/MacroDetectSandbox.vbs
rename to red-teaming/MacroDetectSandbox.vbs
diff --git a/social-engineering/Phish-Creds.ps1 b/red-teaming/Phish-Creds.ps1
similarity index 100%
rename from social-engineering/Phish-Creds.ps1
rename to red-teaming/Phish-Creds.ps1
diff --git a/social-engineering/README.md b/red-teaming/README.md
similarity index 85%
rename from social-engineering/README.md
rename to red-teaming/README.md
index 2b33916..4c564c5 100644
--- a/social-engineering/README.md
+++ b/red-teaming/README.md
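Review bot: The export directory name in Export-ReconData is built with a 12-hour clock, `"PowerView-MM-dd-yyyy-hh-mm-ss"`, so two runs on the same day twelve hours apart resolve to the same `$DirName`, `New-Item` reports the directory as existing (the error is not terminating, so the loop then appears to write its Clixml files over the earlier run's), and the intended specifier is `HH`: `$DirName = (Get-Date).ToString("PowerView-MM-dd-yyyy-HH-mm-ss")`. The top-level `Catch [System.Exception] { exit }` around `Import-Module .\Recon.psm1` discards the error and, because `exit` in a dot-sourced file ends the caller's session, a user who dot-sources the script from any directory but PowerSploit\Recon loses their shell with no message; `Write-Error "Could not import .\Recon.psm1 from $(Get-Location): $_"; return` would report the cause and leave the session intact. In Import-ReconData, `New-Variable -Name $Name -Force -Value $Results -Scope Global` takes its variable name from whatever `*.xml` happens to be in the directory and overwrites any existing global of that name without notice, so dropping `-Force` or checking `Get-Variable -Name $Name -Scope Global -ErrorAction SilentlyContinue` first would make a collision visible. The `If ($Name -like "Get-Net*") { #$Name = $Name + " -Recurse" }` block has only a commented-out body and should be removed or completed. The README example added in this commit calls `Load-ReconData`, which this file does not define; the function is `Import-ReconData`.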
@@ -18,6 +18,50 @@ IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s, [IO.Com
 - **`delete-warning-div-macro.vbs`** - VBA Macro function to be used as a Social Engineering trick removing "Enable Content" warning message as the topmost floating text box with given name. ([gist](https://gist.github.com/mgeeky/9cb6acdec31c8a70cc037c84c77a359c))
+- **`Export-ReconData.ps1`** - Powershell script leveraging [PowerSploit Recon](https://github.com/PowerShellMafia/PowerSploit) module (PowerView) to save output from Reconnaissance cmdlets like `Get-Net*`, `Invoke-*` into _Clixml_ files. Those files can later be extracted from attacked environment and loaded to a new powershell runspace using the same script. Very useful when we want to obtain as many data as possible, then exfiltrate that data, review it in our safe place and then get back to attacked domain for lateral spread.
+
+Exposed functions:
+- `Export-ReconData` - Launches many cmdlets and exports their Clixml outputs.
+- `Import-ReconData -DirName ` - Loads Clixml previously exported outputs and stores them in Global variables reachable when script terminates.
+- `Get-ReconData -DirName ` - Gets names of variables that were created and contains previously imported data.
+
+```
+PS E:\PowerSploit\Recon> Load-ReconData -DirName .\PowerView-12-18-2018-08-30-09
+Loaded $FileFinderSearchSYSVol results.
+Loaded $FileFinder results.
+Loaded $ForeignGroup results.
+Loaded $ForeignUser results.
+Loaded $GPOLocation results.
+Loaded $MapDomainTrust results.
+Loaded $NetComputer results.
+Loaded $NetDomain results.
+Loaded $NetDomainController results.
+Loaded $NetDomainTrust results.
+Loaded $NetFileServer results.
+Loaded $NetForest results.
+Loaded $NetForestCatalog results.
+Loaded $NetForestDomain results.
+Loaded $NetForestTrust results.
+Loaded $NetGPO results.
+Loaded $NetGPOGroup results.
+Loaded $NetGroup results.
+Loaded $NetGroupMember results.
+Loaded $NetLocalGroup results.
+Loaded $NetLoggedon results.
+Loaded $NetOU results.
+Loaded $NetProcess results.
+Loaded $NetRDPSession results.
+Loaded $NetSession results.
+Loaded $NetShare results.
+Loaded $NetSite results.
+Loaded $NetSubnet results.
+Loaded $NetUserAdminCount results.
+Loaded $NetUser results.
+Loaded $ShareFinder results.
+Loaded $StealthUserHunterShowAll results.
+Loaded $UserHunterShowAll results.
+```
+
 - **`generateMSBuildPowershellXML.py`** - Powershell via MSBuild inline-task XML payload generation script - To be used during Red-Team assignments to launch Powershell payloads without using `powershell.exe` ([gist](https://gist.github.com/mgeeky/df9f313cfe468e56c59268b958319bcb))
 Example output **not minimized**:
diff --git a/social-engineering/SubstitutePageMacro.vbs b/red-teaming/SubstitutePageMacro.vbs
similarity index 100%
rename from social-engineering/SubstitutePageMacro.vbs
rename to red-teaming/SubstitutePageMacro.vbs
diff --git a/social-engineering/Various-Macro-Based-RCEs.md b/red-teaming/Various-Macro-Based-RCEs.md
similarity index 100%
rename from social-engineering/Various-Macro-Based-RCEs.md
rename to red-teaming/Various-Macro-Based-RCEs.md
diff --git a/social-engineering/WMIPersistence.vbs b/red-teaming/WMIPersistence.vbs
similarity index 100%
rename from social-engineering/WMIPersistence.vbs
rename to red-teaming/WMIPersistence.vbs
diff --git a/social-engineering/backdoor-drop.js b/red-teaming/backdoor-drop.js
similarity index 100%
rename from social-engineering/backdoor-drop.js
rename to red-teaming/backdoor-drop.js
diff --git a/social-engineering/clickOnceSharpPickTemplate.cs b/red-teaming/clickOnceSharpPickTemplate.cs
similarity index 100%
rename from social-engineering/clickOnceSharpPickTemplate.cs
rename to red-teaming/clickOnceSharpPickTemplate.cs
diff --git a/social-engineering/compressedPowershell.py b/red-teaming/compressedPowershell.py
similarity index 100%
rename from social-engineering/compressedPowershell.py
rename to red-teaming/compressedPowershell.py
diff --git a/social-engineering/delete-warning-div-macro.vbs b/red-teaming/delete-warning-div-macro.vbs
similarity index 100%
rename from social-engineering/delete-warning-div-macro.vbs
rename to red-teaming/delete-warning-div-macro.vbs
diff --git a/social-engineering/generateMSBuildPowershellXML.py b/red-teaming/generateMSBuildPowershellXML.py
similarity index 100%
rename from social-engineering/generateMSBuildPowershellXML.py
rename to red-teaming/generateMSBuildPowershellXML.py
diff --git a/social-engineering/macro-psh-stdin-author.vbs b/red-teaming/macro-psh-stdin-author.vbs
similarity index 100%
rename from social-engineering/macro-psh-stdin-author.vbs
rename to red-teaming/macro-psh-stdin-author.vbs
diff --git a/social-engineering/msbuild-powershell-msgbox.xml b/red-teaming/msbuild-powershell-msgbox.xml
similarity index 100%
rename from social-engineering/msbuild-powershell-msgbox.xml
rename to red-teaming/msbuild-powershell-msgbox.xml
diff --git a/social-engineering/muti-stage-1.md b/red-teaming/muti-stage-1.md
similarity index 100%
rename from social-engineering/muti-stage-1.md
rename to red-teaming/muti-stage-1.md
diff --git a/social-engineering/set-handler.rc b/red-teaming/set-handler.rc
similarity index 100%
rename from social-engineering/set-handler.rc
rename to red-teaming/set-handler.rc
diff --git a/social-engineering/vba-macro-mac-persistence.vbs b/red-teaming/vba-macro-mac-persistence.vbs
similarity index 100%
rename from social-engineering/vba-macro-mac-persistence.vbs
rename to red-teaming/vba-macro-mac-persistence.vbs
diff --git a/social-engineering/vba-windows-persistence.vbs b/red-teaming/vba-windows-persistence.vbs
similarity index 100%
rename from social-engineering/vba-windows-persistence.vbs
rename to red-teaming/vba-windows-persistence.vbs
diff --git a/social-engineering/warnings/EN-Excel.docx b/red-teaming/warnings/EN-Excel.docx
similarity index 100%
rename from social-engineering/warnings/EN-Excel.docx
rename to red-teaming/warnings/EN-Excel.docx
diff --git a/social-engineering/warnings/EN-Word.docx b/red-teaming/warnings/EN-Word.docx
similarity index 100%
rename from social-engineering/warnings/EN-Word.docx
rename to red-teaming/warnings/EN-Word.docx
diff --git a/social-engineering/PhishingPost b/social-engineering/PhishingPost
deleted file mode 160000
index bbb1add..0000000
--- a/social-engineering/PhishingPost
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit bbb1add73362df40f04860a036926a71b96970c7
diff --git a/social-engineering/RobustPentestMacro b/social-engineering/RobustPentestMacro
deleted file mode 160000
index 32992ad..0000000
--- a/social-engineering/RobustPentestMacro
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 32992adea5369e661eea6fabbbc95b8284cc2959
diff --git a/social-engineering/VisualBasicObfuscator b/social-engineering/VisualBasicObfuscator
deleted file mode 160000
index 80e7515..0000000
--- a/social-engineering/VisualBasicObfuscator
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 80e7515ed6aff631b3449e654b67988b1f01baa4