Renamed Get-RegistryAutoRun to Get-ModifiableRegistryAutoRun
Renamed Find-PathHijack to Find-PathDLLHijack. Fixed exposed functions in PowerSploit.psd1.
parent
1b359e7875
commit
4915945292
|
|
@ -25,27 +25,29 @@ FunctionsToExport = @(
|
|||
'Add-NetUser',
|
||||
'Add-ObjectAcl',
|
||||
'Add-Persistence',
|
||||
'Add-ServiceDacl',
|
||||
'Convert-NameToSid',
|
||||
'Convert-NT4toCanonical',
|
||||
'Convert-SidToName',
|
||||
'Copy-ClonedFile',
|
||||
'Find-AVSignature',
|
||||
'Find-ComputerField',
|
||||
'Find-DLLHijack',
|
||||
'Find-ForeignGroup',
|
||||
'Find-ForeignUser',
|
||||
'Find-GPOComputerAdmin',
|
||||
'Find-GPOLocation',
|
||||
'Find-InterestingFile',
|
||||
'Find-LocalAdminAccess',
|
||||
'Find-PathDLLHijack',
|
||||
'Find-ProcessDLLHijack',
|
||||
'Find-ManagedSecurityGroups',
|
||||
'Find-PathHijack',
|
||||
'Find-UserField',
|
||||
'Get-ADObject',
|
||||
'Get-ApplicationHost',
|
||||
'Get-CachedRDPConnection',
|
||||
'Get-ComputerDetails',
|
||||
'Get-ComputerProperty',
|
||||
'Get-CurrentUserTokenGroupSid',
|
||||
'Get-DFSshare',
|
||||
'Get-DomainPolicy',
|
||||
'Get-ExploitableSystem',
|
||||
|
|
@ -53,6 +55,11 @@ FunctionsToExport = @(
|
|||
'Get-HttpStatus',
|
||||
'Get-Keystrokes',
|
||||
'Get-LastLoggedOn',
|
||||
'Get-ModifiablePath',
|
||||
'Get-ModifiableRegistryAutoRun',
|
||||
'Get-ModifiableScheduledTaskFile',
|
||||
'Get-ModifiableService',
|
||||
'Get-ModifiableServiceFile',
|
||||
'Get-NetComputer',
|
||||
'Get-NetDomain',
|
||||
'Get-NetDomainController',
|
||||
|
|
@ -79,21 +86,19 @@ FunctionsToExport = @(
|
|||
'Get-ObjectAcl',
|
||||
'Get-PathAcl',
|
||||
'Get-Proxy',
|
||||
'Get-RegAlwaysInstallElevated',
|
||||
'Get-RegAutoLogon',
|
||||
'Get-RegistryAlwaysInstallElevated',
|
||||
'Get-RegistryAutoLogon',
|
||||
'Get-SecurityPackages',
|
||||
'Get-ServiceDetail',
|
||||
'Get-ServiceFilePermission',
|
||||
'Get-ServicePermission',
|
||||
'Get-ServiceUnquoted',
|
||||
'Get-SiteListPassword',
|
||||
'Get-System',
|
||||
'Get-TimedScreenshot',
|
||||
'Get-UnattendedInstallFile',
|
||||
'Get-UserEvent',
|
||||
'Get-UserProperty',
|
||||
'Get-VaultCredential',
|
||||
'Get-VolumeShadowCopy',
|
||||
'Get-VulnAutoRun',
|
||||
'Get-VulnSchTask',
|
||||
'Get-Webconfig',
|
||||
'Install-ServiceBinary',
|
||||
'Install-SSP',
|
||||
|
|
@ -133,6 +138,8 @@ FunctionsToExport = @(
|
|||
'Set-CriticalProcess',
|
||||
'Set-MacAttribute',
|
||||
'Set-MasterBootRecord',
|
||||
'Set-ServiceBinPath',
|
||||
'Test-ServiceDaclPermission',
|
||||
'Write-HijackDll',
|
||||
'Write-ServiceBinary',
|
||||
'Write-UserAddMSI'
|
||||
|
|
|
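Review bot: The first hunk places the new entries 'Find-PathDLLHijack' and 'Find-ProcessDLLHijack' ahead of 'Find-ManagedSecurityGroups', breaking the alphabetical order the rest of FunctionsToExport keeps; moving both after 'Find-ManagedSecurityGroups' keeps the list sorted and makes later diffs easier to read. The rendered page does not show which side the older names 'Find-DLLHijack' and 'Find-PathHijack' in that hunk, or 'Get-ServiceFilePermission', 'Get-ServicePermission', 'Get-VulnAutoRun' and 'Get-VulnSchTask' in the third hunk, end up on; if any of them survive on the new side they export names PowerUp no longer defines, which Import-Module generally does not report. Worth checking once after import that every name in this manifest resolves, e.g. by comparing `(Get-Command -Module PowerSploit).Name` against the manifest's list, since the commit message says this file was fixed by hand.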
|||
|
|
@ -2361,7 +2361,7 @@ function Find-ProcessDLLHijack {
|
|||
}
|
||||
|
||||
|
||||
function Find-PathHijack {
|
||||
function Find-PathDLLHijack {
|
||||
<#
|
||||
.SYNOPSIS
|
||||
|
||||
|
|
@ -2379,7 +2379,7 @@ function Find-PathHijack {
|
|||
|
||||
.EXAMPLE
|
||||
|
||||
PS C:\> Find-PathHijack
|
||||
PS C:\> Find-PathDLLHijack
|
||||
|
||||
Finds all %PATH% .DLL hijacking opportunities.
|
||||
|
||||
|
|
@ -2720,8 +2720,7 @@ function Get-RegistryAutoLogon {
|
|||
}
|
||||
}
|
||||
|
||||
|
||||
function Get-RegistryAutoRun {
|
||||
function Get-ModifiableRegistryAutoRun {
|
||||
<#
|
||||
.SYNOPSIS
|
||||
|
||||
|
|
@ -2736,7 +2735,7 @@ function Get-RegistryAutoRun {
|
|||
|
||||
.EXAMPLE
|
||||
|
||||
PS C:\> Get-RegistryAutoRun
|
||||
PS C:\> Get-ModifiableRegistryAutoRun
|
||||
|
||||
Return vulneable autorun binaries (or associated configs).
|
||||
#>
|
||||
|
|
@ -3571,7 +3570,7 @@ function Invoke-AllChecks {
|
|||
# DLL hijacking
|
||||
|
||||
"`n`n[*] Checking %PATH% for potentially hijackable DLL locations..."
|
||||
$Results = Find-PathHijack
|
||||
$Results = Find-PathDLLHijack
|
||||
$Results | Foreach-Object {
|
||||
$AbuseString = "Write-HijackDll -DllPath '$($_.Path)\wlbsctrl.dll'"
|
||||
$_ | Add-Member Noteproperty 'AbuseFunction' $AbuseString
|
||||
|
|
@ -3604,8 +3603,8 @@ function Invoke-AllChecks {
|
|||
}
|
||||
|
||||
|
||||
"`n`n[*] Checking for registry autoruns and configs..."
|
||||
$Results = Get-RegistryAutoRun
|
||||
"`n`n[*] Checking for modifidable registry autoruns and configs..."
|
||||
$Results = Get-ModifiableRegistryAutoRun
|
||||
$Results | Format-List
|
||||
if($HTMLReport) {
|
||||
$Results | ConvertTo-HTML -Head $Header -Body "<H2>Registry Autoruns</H2>" | Out-File -Append $HtmlReportFile
|
||||
|
|
|
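Review bot: The new progress string in the last hunk of Invoke-AllChecks misspells its key word: `"`n`n[*] Checking for modifidable registry autoruns and configs..."` should read `"`n`n[*] Checking for modifiable registry autoruns and configs..."`, as this text is printed to the user on every run. The .EXAMPLE help of the renamed Get-ModifiableRegistryAutoRun in an earlier hunk has a similar slip, 'Return vulneable autorun binaries'; since the function is now named for what it checks, `Returns autorun binaries (or their associated configs) that the current user can modify.` would be both correct and consistent with the new name. Invoke-AllChecks itself starts and ends outside these hunks.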
|||
|
|
@ -24,17 +24,17 @@ PowerShellVersion = '2.0'
|
|||
# Functions to export from this module
|
||||
FunctionsToExport = @(
|
||||
'Add-ServiceDacl',
|
||||
'Find-PathHijack',
|
||||
'Find-PathDLLHijack',
|
||||
'Find-ProcessDLLHijack',
|
||||
'Get-ApplicationHost',
|
||||
'Get-CurrentUserTokenGroupSid',
|
||||
'Get-ModifiablePath',
|
||||
'Get-ModifiableRegistryAutoRun',
|
||||
'Get-ModifiableScheduledTaskFile',
|
||||
'Get-ModifiableService',
|
||||
'Get-ModifiableServiceFile',
|
||||
'Get-RegistryAlwaysInstallElevated',
|
||||
'Get-RegistryAutoLogon',
|
||||
'Get-RegistryAutoRun',
|
||||
'Get-ServiceDetail',
|
||||
'Get-ServiceUnquoted',
|
||||
'Get-SiteListPassword',
|
||||
|
|
|
|||
|
|
@ -41,13 +41,13 @@ Optional Dependencies: None
|
|||
|
||||
### DLL Hijacking:
|
||||
Find-ProcessDLLHijack - finds potential DLL hijacking opportunities for currently running processes
|
||||
Find-PathHijack - finds service %PATH% .dll hijacking opportunities
|
||||
Write-HijackDll - writes out a hijackable .dll
|
||||
Find-PathDLLHijack - finds service %PATH% DLL hijacking opportunities
|
||||
Write-HijackDll - writes out a hijackable DLL
|
||||
|
||||
### Registry Checks:
|
||||
Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set
|
||||
Get-RegistryAutoLogon - checks for Autologon credentials in the registry
|
||||
Get-RegistryAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns
|
||||
Get-ModifiableRegistryAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns
|
||||
|
||||
### Miscellaneous Checks:
|
||||
Get-ModifiableScheduledTaskFile - find schtasks with modifiable target files
|
||||
|
|
|
|||
|
|
@ -873,10 +873,10 @@ Describe 'Find-ProcessDLLHijack' {
|
|||
}
|
||||
|
||||
|
||||
Describe 'Find-PathHijack' {
|
||||
Describe 'Find-PathDLLHijack' {
|
||||
|
||||
if(-not $(Test-IsAdmin)) {
|
||||
Throw "'Find-PathHijack' Pester test needs local administrator privileges."
|
||||
Throw "'Find-PathDLLHijack' Pester test needs local administrator privileges."
|
||||
}
|
||||
|
||||
It 'Should find a hijackable %PATH% folder.' {
|
||||
|
|
@ -887,22 +887,22 @@ Describe 'Find-PathHijack' {
|
|||
$OldPath = $Env:PATH
|
||||
$Env:PATH += ';C:\PowerUpTest\'
|
||||
|
||||
$Output = Find-PathHijack | Where-Object {$_.Path -like "*PowerUpTest*"} | Select-Object -First 1
|
||||
$Output = Find-PathDLLHijack | Where-Object {$_.Path -like "*PowerUpTest*"} | Select-Object -First 1
|
||||
|
||||
$Env:PATH = $OldPath
|
||||
|
||||
$Output.Path | Should Be 'C:\PowerUpTest\'
|
||||
|
||||
if ($Output.PSObject.Properties.Name -notcontains 'Path') {
|
||||
Throw "Find-PathHijack result doesn't contain 'Path' field."
|
||||
Throw "Find-PathDLLHijack result doesn't contain 'Path' field."
|
||||
}
|
||||
|
||||
if ($Output.PSObject.Properties.Name -notcontains 'Permissions') {
|
||||
Throw "Find-PathHijack result doesn't contain 'Permissions' field."
|
||||
Throw "Find-PathDLLHijack result doesn't contain 'Permissions' field."
|
||||
}
|
||||
|
||||
if ($Output.PSObject.Properties.Name -notcontains 'IdentityReference') {
|
||||
Throw "Find-PathHijack result doesn't contain 'IdentityReference' field."
|
||||
Throw "Find-PathDLLHijack result doesn't contain 'IdentityReference' field."
|
||||
}
|
||||
}
|
||||
catch {
|
||||
|
|
@ -952,14 +952,14 @@ Describe 'Get-RegistryAutoLogon' {
|
|||
}
|
||||
|
||||
|
||||
Describe 'Get-RegistryAutoRun' {
|
||||
Describe 'Get-ModifiableRegistryAutoRun' {
|
||||
|
||||
if(-not $(Test-IsAdmin)) {
|
||||
Throw "'Get-RegistryAutoRun' Pester test needs local administrator privileges."
|
||||
Throw "'Get-ModifiableRegistryAutoRun' Pester test needs local administrator privileges."
|
||||
}
|
||||
|
||||
It 'Should not throw.' {
|
||||
{Get-RegistryAutoRun} | Should Not Throw
|
||||
{Get-ModifiableRegistryAutoRun} | Should Not Throw
|
||||
}
|
||||
|
||||
It 'Should find a vulnerable autorun.' {
|
||||
|
|
@ -968,28 +968,28 @@ Describe 'Get-RegistryAutoRun' {
|
|||
$Null | Out-File -FilePath $FilePath -Force
|
||||
$Null = Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name PowerUp -Value "vuln.exe -i '$FilePath'"
|
||||
|
||||
$Output = Get-RegistryAutoRun | Where-Object {$_.Path -like "*$FilePath*"} | Select-Object -First 1
|
||||
$Output = Get-ModifiableRegistryAutoRun | Where-Object {$_.Path -like "*$FilePath*"} | Select-Object -First 1
|
||||
|
||||
$Output.ModifiableFile.Path | Should Be $FilePath
|
||||
|
||||
if ($Output.PSObject.Properties.Name -notcontains 'Key') {
|
||||
Throw "Get-RegistryAutoRun result doesn't contain 'Key' field."
|
||||
Throw "Get-ModifiableRegistryAutoRun result doesn't contain 'Key' field."
|
||||
}
|
||||
if ($Output.PSObject.Properties.Name -notcontains 'Path') {
|
||||
Throw "Get-RegistryAutoRun result doesn't contain 'Path' field."
|
||||
Throw "Get-ModifiableRegistryAutoRun result doesn't contain 'Path' field."
|
||||
}
|
||||
if ($Output.PSObject.Properties.Name -notcontains 'ModifiableFile') {
|
||||
Throw "Get-RegistryAutoRun result doesn't contain 'ModifiableFile' field."
|
||||
Throw "Get-ModifiableRegistryAutoRun result doesn't contain 'ModifiableFile' field."
|
||||
}
|
||||
|
||||
if ($Output.ModifiableFile.PSObject.Properties.Name -notcontains 'Path') {
|
||||
Throw "Get-RegistryAutoRun ModifiableFile result doesn't contain 'Path' field."
|
||||
Throw "Get-ModifiableRegistryAutoRun ModifiableFile result doesn't contain 'Path' field."
|
||||
}
|
||||
if ($Output.ModifiableFile.PSObject.Properties.Name -notcontains 'Permissions') {
|
||||
Throw "Get-RegistryAutoRun ModifiableFile result doesn't contain 'Permissions' field."
|
||||
Throw "Get-ModifiableRegistryAutoRun ModifiableFile result doesn't contain 'Permissions' field."
|
||||
}
|
||||
if ($Output.ModifiableFile.PSObject.Properties.Name -notcontains 'IdentityReference') {
|
||||
Throw "Get-RegistryAutoRun ModifiableFile result doesn't contain 'IdentityReference' field."
|
||||
Throw "Get-ModifiableRegistryAutoRun ModifiableFile result doesn't contain 'IdentityReference' field."
|
||||
}
|
||||
|
||||
$Null = Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name PowerUp
|
||||
|
|
|
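Review bot: In the last hunk of the Get-ModifiableRegistryAutoRun test, the `Remove-ItemProperty` that deletes the 'PowerUp' value under the HKLM Run key only executes if none of the preceding Throw statements fire, so a failing field check leaves the temporary `vuln.exe -i '<path>'` autorun registered on the test host after the run. Unless the enclosing It block (whose start and end are outside this hunk) wraps this in a try with a `finally` that performs the same Remove-ItemProperty, the cleanup should move into one so it runs on every exit path; the temporary file written with Out-File earlier in the hunk deserves the same treatment. The renames themselves look consistent across the Describe, Throw messages and calls.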
|||