Consistency improvements in comment-based help

bitform 2013-01-21 08:33:51 -05:00
parent 46aead39c6
commit 40eb187bca
21 changed files with 301 additions and 239 deletions


@ -1,69 +1,84 @@
function Find-AVSignature {
function Find-AVSignature
{
<#
.SYNOPSIS
Find-AVSignature
Locate tiny AV signatures.
Locates single Byte AV signatures utilizing the same method as DSplit from "class101" on heapoverflow.com
Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation)
License: BSD 3-Clause
PowerSploit Function: Find-AVSignature
Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.DESCRIPTION
A script to locate tiny AV signatures.
Locates single Byte AV signatures utilizing the same method as DSplit from "class101" on heapoverflow.com.
.PARAMETER Startbyte
Specifies the first byte to begin splitting on.
Specifies the first byte to begin splitting on.
.PARAMETER Endbyte
Specifies the last byte to split on.
Specifies the last byte to split on.
.PARAMETER Interval
Specifies the interval size to split with.
Specifies the interval size to split with.
.PARAMETER Path
Specifies the path to the binary you want tested.
Specifies the path to the binary you want tested.
.PARAMETER OutPath
Optionally specifies the directory to write the binaries to.
Optionally specifies the directory to write the binaries to.
.PARAMETER Force
Forces the script to continue without confirmation.
Forces the script to continue without confirmation.
.EXAMPLE
PS C:\> Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe
PS C:\> Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose
PS C:\> Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose
PS C:\> Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose
PS C:\> Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose
PS C:\> Find-AVSignature -Startbyte 0 -Endbyte max -Interval 10000 -Path c:\test\exempt\nc.exe
PS C:\> Find-AVSignature -StartByte 10000 -EndByte 20000 -Interval 1000 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run2 -Verbose
PS C:\> Find-AVSignature -StartByte 16000 -EndByte 17000 -Interval 100 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run3 -Verbose
PS C:\> Find-AVSignature -StartByte 16800 -EndByte 16900 -Interval 10 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run4 -Verbose
PS C:\> Find-AVSignature -StartByte 16890 -EndByte 16900 -Interval 1 -Path C:\test\exempt\nc.exe -OutPath c:\test\output\run5 -Verbose
.NOTES
Several of the versions of "DSplit.exe" available on the internet contain malware.
Several of the versions of "DSplit.exe" available on the internet contain malware.
.LINK
http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html
https://github.com/mattifestation/PowerSploit
http://www.exploit-monday.com/
http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
http://obscuresecurity.blogspot.com/2012/12/finding-simple-av-signatures-with.html
https://github.com/mattifestation/PowerSploit
http://www.exploit-monday.com/
http://heapoverflow.com/f0rums/project.php?issueid=34&filter=changes&page=2
#>
[CmdletBinding()] Param(
[Parameter(Mandatory = $True)] [Int32] $StartByte,
[Parameter(Mandatory = $True)] [String] $EndByte,
[Parameter(Mandatory = $True)] [Int32] $Interval,
[Parameter(Mandatory = $False)] [String] $Path = ($pwd.path),
[Parameter(Mandatory = $False)] [String] $OutPath = ($pwd),
[Switch] $Force = $False
[CmdletBinding()] Param(
[Parameter(Mandatory = $True)]
[Int32]
$StartByte,
[Parameter(Mandatory = $True)]
[String]
$EndByte,
[Parameter(Mandatory = $True)]
[Int32]
$Interval,
[String]
$Path = ($pwd.path),
[String]
$OutPath = ($pwd),
[Switch] $Force
)
#test variables
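Review bot: The `.PARAMETER EndByte` help text does not say that the literal `max` is accepted, although the parameter is typed `[String]` and the first example passes `-Endbyte max`. A help-consistency pass is the place to document it, e.g. `Specifies the last byte to split on. Use 'max' to split to the end of the file.` (the end-of-file meaning is inferred from the example, so confirm it against the body, which continues past this section). The help keys are also spelled `Startbyte`/`Endbyte` while the Param block declares `$StartByte`/`$EndByte`. Separately, `$Path` still defaults to `($pwd.path)`, a directory, although its help calls it the path to the binary under test; making it mandatory looks more accurate than a default that does not appear usable.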


@ -5,7 +5,7 @@ function Invoke-DllInjection
Injects a Dll into the process ID of your choosing.
PowerSploit Module - Invoke-DllInjection
PowerSploit Function: Invoke-DllInjection
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None


@ -5,7 +5,7 @@ function Invoke-Shellcode
Inject shellcode into the process ID of your choosing or within the context of the running PowerShell process.
PowerSploit Module - Invoke-Shellcode
PowerSploit Function: Invoke-Shellcode
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None


@ -1,99 +1,101 @@
Function Get-TimedScreenshot {
function Get-TimedScreenshot
{
<#
.SYNOPSIS
Get-TimedScreenshot
Takes screenshots at a regular interval and saves them to disk.
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
PowerSploit Function: Get-TimedScreenshot
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.DESCRIPTION
A function that takes screenshots and saves them to a folder.
A function that takes screenshots and saves them to a folder.
.PARAMETER $Path
.PARAMETER Path
Specifies the folder path.
Specifies the folder path.
.PARAMETER $Interval
.PARAMETER Interval
Specifies the interval in seconds between taking screenshots.
Specifies the interval in seconds between taking screenshots.
.PARAMETER $EndTime
.PARAMETER EndTime
Specifies when the script should stop running in the format HH-MM
Specifies when the script should stop running in the format HH-MM
.EXAMPLE
PS C:\> Get-TimedScreenshot -Path c:\temp\ -Interval 30 -EndTime 14:00
PS C:\> Get-TimedScreenshot -Path c:\temp\ -Interval 30 -EndTime 14:00
.LINK
http://obscuresecurity.blogspot.com/2013/01/Get-TimedScreenshot.html
https://github.com/obscuresec/random/blob/master/Get-TimedScreenshot
http://obscuresecurity.blogspot.com/2013/01/Get-TimedScreenshot.html
https://github.com/mattifestation/PowerSploit/blob/master/Exfiltration/Get-TimedScreenshot.ps1
#>
[CmdletBinding()] Param(
[Parameter(Mandatory=$True)]
[ValidateScript({Test-Path -Path $_ })]
[string] $Path,
[Parameter(Mandatory=$True)]
[ValidateScript({Test-Path -Path $_ })]
[String] $Path,
[Parameter(Mandatory=$True)]
[int32] $Interval,
[Parameter(Mandatory=$True)]
[Int32] $Interval,
[Parameter(Mandatory=$True)]
[string] $EndTime
)
[Parameter(Mandatory=$True)]
[String] $EndTime
)
#Define helper function that generates and saves screenshot
Function GenScreenshot {
$ScreenBounds = [Windows.Forms.SystemInformation]::VirtualScreen
$ScreenshotObject = New-Object Drawing.Bitmap $ScreenBounds.Width, $ScreenBounds.Height
$DrawingGraphics = [Drawing.Graphics]::FromImage($ScreenshotObject)
$DrawingGraphics.CopyFromScreen( $ScreenBounds.Location, [Drawing.Point]::Empty, $ScreenBounds.Size)
$DrawingGraphics.Dispose()
$ScreenshotObject.Save($FilePath)
$ScreenshotObject.Dispose()
#Define helper function that generates and saves screenshot
Function GenScreenshot {
$ScreenBounds = [Windows.Forms.SystemInformation]::VirtualScreen
$ScreenshotObject = New-Object Drawing.Bitmap $ScreenBounds.Width, $ScreenBounds.Height
$DrawingGraphics = [Drawing.Graphics]::FromImage($ScreenshotObject)
$DrawingGraphics.CopyFromScreen( $ScreenBounds.Location, [Drawing.Point]::Empty, $ScreenBounds.Size)
$DrawingGraphics.Dispose()
$ScreenshotObject.Save($FilePath)
$ScreenshotObject.Dispose()
}
Try {
#load required assembly
Add-Type -Assembly System.Windows.Forms
Do {
#get the current time and build the filename from it
$Time = (Get-Date)
[String] $FileName = "$($Time.Month)"
$FileName += '-'
$FileName += "$($Time.Day)"
$FileName += '-'
$FileName += "$($Time.Year)"
$FileName += '-'
$FileName += "$($Time.Hour)"
$FileName += '-'
$FileName += "$($Time.Minute)"
$FileName += '-'
$FileName += "$($Time.Second)"
$FileName += '.png'
#use join-path to add path to filename
[String] $FilePath = (Join-Path $Path $FileName)
#run screenshot function
GenScreenshot
Write-Verbose "Saved screenshot to $FilePath. Sleeping for $Interval seconds"
Start-Sleep -Seconds $Interval
}
Try {
#load required assembly
Add-Type -Assembly System.Windows.Forms
Do {
#get the current time and build the filename from it
$Time = (Get-Date)
[string] $FileName = "$($Time.Month)"
$FileName += '-'
$FileName += "$($Time.Day)"
$FileName += '-'
$FileName += "$($Time.Year)"
$FileName += '-'
$FileName += "$($Time.Hour)"
$FileName += '-'
$FileName += "$($Time.Minute)"
$FileName += '-'
$FileName += "$($Time.Second)"
$FileName += '.png'
#use join-path to add path to filename
[string] $FilePath = (Join-Path $Path $FileName)
#run screenshot function
GenScreenshot
Write-Verbose "Saved screenshot to $FilePath. Sleeping for $Interval seconds"
Start-Sleep -Seconds $Interval
}
#note that this will run once regardless if the specified time as passed
While ((Get-Date -Format HH:%m) -lt $EndTime)
}
Catch {Write-Warning "$Error[0].ToString() + $Error[0].InvocationInfo.PositionMessage"}
#note that this will run once regardless if the specified time as passed
While ((Get-Date -Format HH:%m) -lt $EndTime)
}
Catch {Write-Warning "$Error[0].ToString() + $Error[0].InvocationInfo.PositionMessage"}
}
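Review bot: The `Catch` block near the end builds its warning as `"$Error[0].ToString() + $Error[0].InvocationInfo.PositionMessage"`, and inside a double-quoted string only `$Error` is expanded, so the message is the whole error collection followed by the literal text `[0].ToString() + ...`. Wrap each expression in a subexpression: `Write-Warning "$($Error[0].ToString()) $($Error[0].InvocationInfo.PositionMessage)"`. The help also documents `-EndTime` as `HH-MM` while the example passes `14:00` and the loop compares against `Get-Date -Format HH:%m`, so the help should say `HH:mm`. Because `%m` appears to print the minute without a leading zero, the string comparison with `-lt` can misorder values such as `14:5` and `14:10`; comparing `[DateTime]` values would be more reliable.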


@ -1,8 +1,11 @@
function Get-DllLoadPath {
function Get-DllLoadPath
{
<#
.SYNOPSIS
PowerSploit Module - Get-DllLoadPath
Outputs the order of paths in which a dll would be loaded.
PowerSploit Function: Get-DllLoadPath
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
@ -14,7 +17,7 @@ Get-DllLoadPath returns the path from which Windows will load a Dll for the give
.PARAMETER ExecutablePath
Path to the executable from which the Dll would be loaded.
Path to the executable from which the Dll would be loaded.
.PARAMETER DllName
@ -38,7 +41,7 @@ C:\Windows\SysWOW64\Comctl32.dll
.OUTPUTS
$null, System.Management.Automation.PathInfo
System.Management.Automation.PathInfo
.NOTES
@ -51,8 +54,13 @@ http://msdn.microsoft.com/en-us/library/windows/desktop/ms682586%28v=vs.85%29.as
#>
Param (
[Parameter(Position = 0, Mandatory = $True)] [String] $ExecutablePath,
[Parameter(Position = 1, Mandatory = $True)] [String] $DllName
[Parameter(Position = 0, Mandatory = $True)]
[String]
$ExecutablePath,
[Parameter(Position = 1, Mandatory = $True)]
[String]
$DllName
)
if (!(Test-Path $ExecutablePath)) {


@ -1,8 +1,11 @@
function Get-PEArchitecture {
function Get-PEArchitecture
{
<#
.SYNOPSIS
PowerSploit Module - Get-PEArchitecture
Outputs the architecture for which a binary was compiled.
PowerSploit Function: Get-PEArchitecture
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
@ -19,13 +22,11 @@ Path to the executable.
.EXAMPLE
C:\PS> Get-PEArchitecture C:\Windows\SysWOW64\calc.exe
X86
.EXAMPLE
C:\PS> Get-PEArchitecture C:\Windows\System32\cmd.exe
X64
.LINK


@ -1,8 +1,11 @@
function Get-PEHeader {
function Get-PEHeader
{
<#
.SYNOPSIS
PowerSploit Module - Get-PEHeader
Parses and outputs the PE header of a process in memory or a PE file on disk.
PowerSploit Function: Get-PEHeader
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None


@ -1,31 +1,39 @@
function Get-GPPPassword {
function Get-GPPPassword
{
<#
.Synopsis
.SYNOPSIS
Get-GPPPassword retrieves the plaintext password for accounts pushed through Group Policy in groups.xml.
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
Retrieves the plaintext password for accounts pushed through Group Policy in groups.xml.
.Description
PowerSploit Function: Get-GPPPassword
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
Get-GPPPassword imports the encoded and encrypted password string from groups.xml and then decodes and decrypts the plaintext password.
.DESCRIPTION
.Parameter Path
Get-GPPPassword imports the encoded and encrypted password string from groups.xml and then decodes and decrypts the plaintext password.
The path to the targeted groups.xml file.
.PARAMETER Path
.Example
The path to the targeted groups.xml file.
Get-GPPPassword -path c:\demo\groups.xml
.EXAMPLE
.Link
Get-GPPPassword -path c:\demo\groups.xml
http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
.LINK
http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
#>
Param ( [Parameter(Position = 0, Mandatory = $True)] [String] $Path = "$PWD\groups.xml" )
Param (
[Parameter(Position = 0, Mandatory = $True)]
[String]
$Path = "$PWD\groups.xml"
)
#Function to pull encrypted password string from groups.xml
function Parse-cPassword {
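Review bot: In the reformatted `Param` block, `$Path` is declared with `Mandatory = $True` and also given the default `"$PWD\groups.xml"`; PowerShell prompts for a mandatory parameter that is not supplied, so the default is never used. Either drop `Mandatory = $True` to keep the default, or drop the default so the declaration matches the behaviour. A validation attribute in the style Get-TimedScreenshot uses in this commit, `[ValidateScript({Test-Path -Path $_ })]`, would also give a clear error when the file is missing. The function body continues past the end of this section.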


@ -1,47 +1,68 @@
function Get-HttpStatus {
function Get-HttpStatus
{
<#
.SYNOPSIS
PowerSploit Module - Get-HttpStatus
Returns the HTTP Status Codes and full URL for specified paths.
PowerSploit Function: Get-HttpStatus
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.DESCRIPTION
A script to check for the existence of a path or file on a webserver.
.PARAMETER Target
Specifies the remote web host either by IP or hostname.
.PARAMETER Path
Specifies the remost host.
.PARAMETER Port
Specifies the port to connect to.
.PARAMETER UseSSL
Use an SSL connection.
.EXAMPLE
PS > Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt | Select-Object {where StatusCode -eq 20*}
C:\PS> Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt | Select-Object {where StatusCode -eq 20*}
.EXAMPLE
PS > Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL
C:\PS> Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL
.NOTES
HTTP Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error
Status Codes: http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
HTTP Status Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error
.LINK
http://obscuresecurity.blogspot.com
http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
#>
[CmdletBinding()] Param(
[Parameter(Mandatory = $True)] [String] $Target,
[Parameter()] [String] [ValidateNotNullOrEmpty()] $Path = '.\Dictionaries\admin.txt',
[Parameter()] [Int] $Port,
[Parameter()] [Switch] $UseSSL
[Parameter(Mandatory = $True)]
[String]
$Target,
[String]
[ValidateNotNullOrEmpty()]
$Path = '.\Dictionaries\admin.txt',
[Int]
$Port,
[Switch]
$UseSSL
)
if (Test-Path $Path) {
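Review bot: `.PARAMETER Path` is still described as `Specifies the remost host.`, which is both a typo and the wrong parameter: `$Path` defaults to `'.\Dictionaries\admin.txt'` and both examples pass a dictionary file. Wording such as `Specifies the path to the dictionary file of paths to check.` would match, though that is inferred from the default and the examples and should be confirmed against the body, which continues outside this section. The first example's `Select-Object {where StatusCode -eq 20*}` is also not a working filter; `Where-Object { $_.StatusCode -like '20*' }` expresses what it seems to intend.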


@ -1,64 +1,66 @@
function Invoke-ReverseDnsLookup
{
<#
.Synopsis
.SYNOPSIS
PowerSploit Module - Invoke-ReverseDnsLookup
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Perform a reverse DNS lookup scan on a range of IP addresses.
.Description
PowerSploit Function: Invoke-ReverseDnsLookup
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script
is useful for performing DNS reconnaisance prior to conducting an authorized
penetration test.
.DESCRIPTION
.Parameter IPRange
Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script is useful for performing DNS reconnaisance prior to conducting an authorized penetration test.
Specifies the IP address range. The range provided can be in the form of a single
IP address, a low-high range, or a CIDR range. Comma-delimited ranges may can be
provided.
.PARAMETER IPRange
.Example
Specifies the IP address range. The range provided can be in the form of a single IP address, a low-high range, or a CIDR range. Comma-delimited ranges may can be provided.
PS> Invoke-ReverseDnsLookup 74.125.228.0/29
.EXAMPLE
IP HostName
-- --------
74.125.228.1 iad23s05-in-f1.1e100.net
74.125.228.2 iad23s05-in-f2.1e100.net
74.125.228.3 iad23s05-in-f3.1e100.net
74.125.228.4 iad23s05-in-f4.1e100.net
74.125.228.5 iad23s05-in-f5.1e100.net
74.125.228.6 iad23s05-in-f6.1e100.net
C:\PS> Invoke-ReverseDnsLookup 74.125.228.0/29
Description
-----------
Returns the hostnames of the IP addresses specified by the CIDR range.
IP HostName
-- --------
74.125.228.1 iad23s05-in-f1.1e100.net
74.125.228.2 iad23s05-in-f2.1e100.net
74.125.228.3 iad23s05-in-f3.1e100.net
74.125.228.4 iad23s05-in-f4.1e100.net
74.125.228.5 iad23s05-in-f5.1e100.net
74.125.228.6 iad23s05-in-f6.1e100.net
.Example
Description
-----------
Returns the hostnames of the IP addresses specified by the CIDR range.
PS> Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6'
.EXAMPLE
IP HostName
-- --------
74.125.228.1 iad23s05-in-f1.1e100.net
74.125.228.4 iad23s05-in-f4.1e100.net
74.125.228.5 iad23s05-in-f5.1e100.net
74.125.228.6 iad23s05-in-f6.1e100.net
C:\PS> Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6'
Description
-----------
Returns the hostnames of the IP addresses specified by the IP range specified.
IP HostName
-- --------
74.125.228.1 iad23s05-in-f1.1e100.net
74.125.228.4 iad23s05-in-f4.1e100.net
74.125.228.5 iad23s05-in-f5.1e100.net
74.125.228.6 iad23s05-in-f6.1e100.net
Description
-----------
Returns the hostnames of the IP addresses specified by the IP range specified.
.Link
.LINK
My blog: http://www.exploit-monday.com
http://www.exploit-monday.com
#>
Param( [Parameter(Position = 0, Mandatory = $True)] [String] $IpRange )
Param (
[Parameter(Position = 0, Mandatory = $True)]
[String]
$IpRange
)
function Parse-IPList ([String] $IpRange)
{
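Review bot: The re-flowed help text carries two wording errors into the single-line `.DESCRIPTION` and `.PARAMETER IPRange` paragraphs, which appear to be the new side: `reconnaisance` should be `reconnaissance`, and `Comma-delimited ranges may can be provided` should read `Comma-delimited ranges can be provided`. Since the commit's purpose is help consistency, both are worth fixing in the same pass.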


@ -3,7 +3,9 @@ function Get-ILDisassembly
<#
.SYNOPSIS
PowerSploit Module - Get-ILDisassembly
A MSIL (Microsoft Intermediate Language) disassembler.
PowerSploit Function: Get-ILDisassembly
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None


@ -5,7 +5,7 @@
Returns loaded kernel module information.
PowerSploit Module - Get-KernelModuleInfo
PowerSploit Function: Get-KernelModuleInfo
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None


@ -5,7 +5,7 @@ function Get-Member
Gets the properties and methods of objects.
PowerSploit Module - Get-Member
PowerSploit Proxy Function: Get-Member
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause (Except for the help documentation derived from the original Get-Member)
Required Dependencies: None


@ -5,7 +5,7 @@
Get the unmanaged function address of a .NET method.
PowerSploit Module - Get-MethodAddress
PowerSploit Function: Get-MethodAddress
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None


@ -5,7 +5,7 @@
Returns the process environment block (PEB) of a process.
PowerSploit Module - Get-PEB
PowerSploit Function: Get-PEB
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None


@ -5,7 +5,7 @@
Gets strings from a file.
PowerSploit Module - Inject-Shellcode
PowerSploit Function: Get-Strings
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None


@ -5,7 +5,7 @@
Marshals data from an unmanaged block of memory in an arbitrary process to a newly allocated managed object of the specified type.
PowerSploit Module - Get-StructFromMemory
PowerSploit Function: Get-StructFromMemory
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None


@ -5,7 +5,7 @@
Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
PowerSploit Module - Out-CompressedDll
PowerSploit Function: Out-CompressedDll
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None


@ -5,7 +5,7 @@
Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
PowerSploit Module - Out-EncodedCommand
PowerSploit Function: Out-EncodedCommand
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None


@ -1,11 +1,11 @@
function Out-EncryptedScript {
function Out-EncryptedScript
{
<#
.SYNOPSIS
Encrypts text files/scripts.
PowerSploit Module - Out-EncryptedScript
PowerSploit Function: Out-EncryptedScript
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
@ -55,46 +55,46 @@ This command can be used to encrypt any text-based file/script
http://www.exploit-monday.com
#>
[CmdletBinding()] Param (
[Parameter(Position = 0, Mandatory = $True)]
[String]
$ScriptPath,
[CmdletBinding()] Param (
[Parameter(Position = 0, Mandatory = $True)]
[String]
$ScriptPath,
[Parameter(Position = 1, Mandatory = $True)]
[String]
$Password,
[Parameter(Position = 1, Mandatory = $True)]
[String]
$Password,
[Parameter(Position = 2, Mandatory = $True)]
[String]
$Salt,
[Parameter(Position = 2, Mandatory = $True)]
[String]
$Salt,
[Parameter(Position = 3)]
[String]
$InitializationVector = ( @( foreach ($i in 1..16) { [Char](Get-Random -Min 0x41 -Max 0x5B) } ) -join '' ), # Generate random 16 character IV
[Parameter(Position = 3)]
[String]
$InitializationVector = ( @( foreach ($i in 1..16) { [Char](Get-Random -Min 0x41 -Max 0x5B) } ) -join '' ), # Generate random 16 character IV
[Parameter(Position = 4)]
[String]
$FilePath = '.\evil.ps1'
)
[Parameter(Position = 4)]
[String]
$FilePath = '.\evil.ps1'
)
$AsciiEncoder = New-Object System.Text.ASCIIEncoding
$ivBytes = $AsciiEncoder.GetBytes("CRACKMEIFYOUCAN!")
# While this can be used to encrypt any file, it's primarily designed to encrypt itself.
[Byte[]] $scriptBytes = Get-Content -Encoding byte -Path $ScriptPath
$DerivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($Password, $AsciiEncoder.GetBytes($Salt), "SHA1", 2)
$Key = New-Object System.Security.Cryptography.RijndaelManaged
$Key.Mode = [System.Security.Cryptography.CipherMode]::CBC
[Byte[]] $KeyBytes = $DerivedPass.GetBytes(32)
$Encryptor = $Key.CreateEncryptor($KeyBytes, $ivBytes)
$MemStream = New-Object System.IO.MemoryStream
$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($MemStream, $Encryptor, [System.Security.Cryptography.CryptoStreamMode]::Write)
$CryptoStream.Write($scriptBytes, 0, $scriptBytes.Length)
$CryptoStream.FlushFinalBlock()
$CipherTextBytes = $MemStream.ToArray()
$MemStream.Close()
$CryptoStream.Close()
$Key.Clear()
$Cipher = [Convert]::ToBase64String($CipherTextBytes)
$AsciiEncoder = New-Object System.Text.ASCIIEncoding
$ivBytes = $AsciiEncoder.GetBytes("CRACKMEIFYOUCAN!")
# While this can be used to encrypt any file, it's primarily designed to encrypt itself.
[Byte[]] $scriptBytes = Get-Content -Encoding byte -Path $ScriptPath
$DerivedPass = New-Object System.Security.Cryptography.PasswordDeriveBytes($Password, $AsciiEncoder.GetBytes($Salt), "SHA1", 2)
$Key = New-Object System.Security.Cryptography.RijndaelManaged
$Key.Mode = [System.Security.Cryptography.CipherMode]::CBC
[Byte[]] $KeyBytes = $DerivedPass.GetBytes(32)
$Encryptor = $Key.CreateEncryptor($KeyBytes, $ivBytes)
$MemStream = New-Object System.IO.MemoryStream
$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($MemStream, $Encryptor, [System.Security.Cryptography.CryptoStreamMode]::Write)
$CryptoStream.Write($scriptBytes, 0, $scriptBytes.Length)
$CryptoStream.FlushFinalBlock()
$CipherTextBytes = $MemStream.ToArray()
$MemStream.Close()
$CryptoStream.Close()
$Key.Clear()
$Cipher = [Convert]::ToBase64String($CipherTextBytes)
# Generate encrypted PS1 file. All that will be included is the base64-encoded ciphertext and a slightly 'obfuscated' decrypt function
$Output = 'function de([String] $b, [String] $c)
@ -121,9 +121,9 @@ $f.Clear();
return $encoding.GetString($h,0,$h.Length);
}'
# Output decrypt function and ciphertext to evil.ps1
Out-File -InputObject $Output -Encoding ASCII $FilePath
# Output decrypt function and ciphertext to evil.ps1
Out-File -InputObject $Output -Encoding ASCII $FilePath
Write-Verbose "Encrypted PS1 file saved to: $(Resolve-Path $FilePath)"
Write-Verbose "Encrypted PS1 file saved to: $(Resolve-Path $FilePath)"
}
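Review bot: The `$InitializationVector` parameter is commented as a random 16-character IV, but the lines shown never read it: `$ivBytes` is built from the constant string `"CRACKMEIFYOUCAN!"`, so every file encrypted with the same password and salt gets the same key and IV. If the parameter is meant to be honoured, the assignment should be `$ivBytes = $AsciiEncoder.GetBytes($InitializationVector)`, and the generated decrypt function, which lies partly outside the visible hunks, would have to use the same value. Two further cryptography caveats deserve a comment in the code. `Get-Random` is not a cryptographic generator and its A–Z alphabet leaves far less than 128 bits of IV entropy, and `PasswordDeriveBytes` with SHA1 and an iteration count of 2 is a weak key derivation, for which `Rfc2898DeriveBytes` with a high iteration count is the usual replacement.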


@ -5,7 +5,7 @@
Strips comments and extra whitespace from a script.
PowerSploit Module - Remove-Comments
PowerSploit Function: Remove-Comments
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None