Integration of PowerView into ./Recon/

2015-12-03 21:50:45 -05:00 · 2015-12-03 21:50:45 -05:00 · 5fb690518d
parent 729e9ca267
commit 5fb690518d
4 changed files with 11260 additions and 16 deletions
--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
--- a/Recon/README.md
+++ b/Recon/README.md
@ -0,0 +1,127 @@
+To install this module, drop the entire Recon folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
+
+The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
+The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
+
+To use the module, type `Import-Module Recon`
+
+To see the commands imported, type `Get-Command -Module Recon`
+
+For help on each individual command, Get-Help is your friend.
+
+Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
+
+
+## PowerView
+
+PowerView is a PowerShell tool to gain network situational awareness on 
+Windows domains. It contains a set of pure-PowerShell replacements for various 
+windows "net *" commands, which utilize PowerShell AD hooks and underlying 
+Win32 API functions to perform useful Windows domain functionality.
+
+It also implements various useful metafunctions, including some custom-written 
+user-hunting functions which will identify where on the network specific users 
+are logged into. It can also check which machines on the domain the current 
+user has local administrator access on. Several functions for the enumeration
+and abuse of domain trusts also exist. See function descriptions for appropriate 
+usage and available options. For detailed output of underlying functionality, pass 
+the -Verbose or -Debug flags.
+
+For functions that enumerate multiple machines, pass the -Verbose flag to get a
+progress status as each host is enumerated. Most of the "meta" functions accept 
+an array of hosts from the pipeline.
+
+
+### Misc Functions:
+    Export-PowerViewCSV             -   thread-safe CSV append
+    Set-MacAttribute                -   Sets MAC attributes for a file based on another file or input (from Powersploit)
+    Copy-ClonedFile                 -   copies a local file to a remote location, matching MAC properties
+    Get-IPAddress                   -   resolves a hostname to an IP
+    Test-Server                     -   tests connectivity to a specified server
+    Convert-NameToSid               -   converts a given user/group name to a security identifier (SID)
+    Convert-SidToName               -   converts a security identifier (SID) to a group/user name
+    Convert-NT4toCanonical          -   converts a user/group NT4 name (i.e. dev/john) to canonical format
+    Get-Proxy                       -   enumerates local proxy settings
+    Get-PathAcl                     -   get the ACLs for a local/remote file path with optional group recursion
+    Get-UserProperty                -   returns all properties specified for users, or a set of user:prop names
+    Get-ComputerProperty            -   returns all properties specified for computers, or a set of computer:prop names
+    Find-InterestingFile            -   search a local or remote path for files with specific terms in the name
+    Invoke-CheckLocalAdminAccess    -   check if the current user context has local administrator access to a specified host
+    Get-DomainSearcher              -   builds a proper ADSI searcher object for a given domain
+    Get-ObjectAcl                   -   returns the ACLs associated with a specific active directory object
+    Add-ObjectAcl                   -   adds an ACL to a specified active directory object
+    Get-LastLoggedOn                -   return the last logged on user for a target host
+    Get-CachedRDPConnection 		-	queries all saved RDP connection entries on a target host
+    Invoke-ACLScanner               -   enumerate -1000+ modifable ACLs on a specified domain
+    Get-GUIDMap                     -   returns a hash table of current GUIDs -> display names
+    Get-DomainSID                   -   return the SID for the specified domain
+    Invoke-ThreadedFunction         -   helper that wraps threaded invocation for other functions
+
+
+### net * Functions:
+    Get-NetDomain                   -   gets the name of the current user's domain
+    Get-NetForest                   -   gets the forest associated with the current user's domain
+    Get-NetForestDomain             -   gets all domains for the current forest
+    Get-NetDomainController         -   gets the domain controllers for the current computer's domain
+    Get-NetUser                     -   returns all user objects, or the user specified (wildcard specifiable)
+    Add-NetUser                     -   adds a local or domain user
+    Get-NetComputer                 -   gets a list of all current servers in the domain
+    Get-NetPrinter                  -   gets an array of all current computers objects in a domain
+    Get-NetOU                       -   gets data for domain organization units
+    Get-NetSite                     -   gets current sites in a domain
+    Get-NetSubnet                   -   gets registered subnets for a domain
+    Get-NetGroup                    -   gets a list of all current groups in a domain
+    Get-NetGroupMember              -   gets a list of all current users in a specified domain group
+    Get-NetLocalGroup               -   gets the members of a localgroup on a remote host or hosts
+    Add-NetGroupUser                -   adds a local or domain user to a local or domain group
+    Get-NetFileServer               -   get a list of file servers used by current domain users
+    Get-DFSshare                    -   gets a list of all distribute file system shares on a domain
+    Get-NetShare                    -   gets share information for a specified server
+    Get-NetLoggedon                 -   gets users actively logged onto a specified server
+    Get-NetSession                  -   gets active sessions on a specified server
+    Get-NetRDPSession               -   gets active RDP sessions for a specified server (like qwinsta)
+    Get-NetProcess                  -   gets the remote processes and owners on a remote server
+    Get-UserEvent                   -   returns logon or TGT events from the event log for a specified host
+    Get-ADObject                    -   takes a domain SID and returns the user, group, or computer 
+                                        object associated with it
+    Set-ADObject                    -   takes a SID, name, or SamAccountName to query for a specified
+                                        domain object, and then sets a specified 'PropertyName' to a
+                                        specified 'PropertyValue'
+
+   
+### GPO functions
+    Get-GptTmpl                     -   parses a GptTmpl.inf to a custom object
+    Get-NetGPO                      -   gets all current GPOs for a given domain
+    Get-NetGPOGroup                 -   gets all GPOs in a domain that set "Restricted Groups" 
+                                        on on target machines
+    Find-GPOLocation                -   takes a user/group and makes machines they have effective
+                                        rights over through GPO enumeration and correlation
+    Find-GPOComputerAdmin           -   takes a computer and determines who has admin rights over it
+                                        through GPO enumeration
+    Get-DomainPolicy                -   returns the default domain or DC policy
+
+
+### User-Hunting Functions:
+    Invoke-UserHunter               -   finds machines on the local domain where specified users are logged into, and can optionally check if the current user has local admin access to found machines
+    Invoke-StealthUserHunter        -   finds all file servers utilizes in user HomeDirectories, and checks the sessions one each file server, hunting for particular users
+    Invoke-ProcessHunter            -   hunts for processes with a specific name or owned by a specific user on domain machines
+    Invoke-UserEventHunter          -   hunts for user logon events in domain controller event logs
+
+
+### Domain Trust Functions:
+    Get-NetDomainTrust              -   gets all trusts for the current user's domain
+    Get-NetForestTrust              -   gets all trusts for the forest associated with the current user's domain
+    Find-ForeignUser                -   enumerates users who are in groups outside of their principal domain
+    Find-ForeignGroup               -   enumerates all the members of a domain's groups and finds users that are outside of the queried domain
+    Invoke-MapDomainTrust           -   try to build a relational mapping of all domain trusts
+
+
+### MetaFunctions:
+    Invoke-ShareFinder              -   finds (non-standard) shares on hosts in the local domain
+    Invoke-FileFinder               -   finds potentially sensitive files on hosts in the local domain
+    Find-LocalAdminAccess           -   finds machines on the domain that the current user has local admin access to
+    Find-UserField                  -   searches a user field for a particular term
+    Find-ComputerField              -   searches a computer field for a particular term
+    Get-ExploitableSystem           -   finds systems likely vulnerable to common exploits
+    Invoke-EnumerateLocalAdmin      -   enumerates members of the local Administrators groups across all machines in the domain
+
--- a/Recon/Recon.psd1
+++ b/Recon/Recon.psd1
@ -10,7 +10,7 @@ ModuleVersion = '1.0.0.0'
 GUID = '7e775ad6-cd3d-4a93-b788-da067274c877'

 # Author of this module
-Author = 'Matthew Graeber'
+Author = 'Matthew Graeber', 'Will Schroeder'

 # Company or vendor of this module
 CompanyName = ''
@ -58,7 +58,72 @@ PowerShellVersion = '2.0'
 # NestedModules = @()

 # Functions to export from this module
-FunctionsToExport = '*'
+FunctionsToExport = @(
+    'Get-ComputerDetails',
+    'Get-HttpStatus',
+    'Invoke-Portscan',
+    'Invoke-ReverseDnsLookup',
+    'Set-MacAttribute',
+    'Copy-ClonedFile',
+    'Convert-NameToSid',
+    'Convert-SidToName',
+    'Convert-NT4toCanonical',
+    'Get-Proxy',
+    'Get-PathAcl',
+    'Get-NetDomain',
+    'Get-NetForest',
+    'Get-NetForestDomain',
+    'Get-NetForestCatalog',
+    'Get-NetDomainController',
+    'Get-NetUser',
+    'Add-NetUser',
+    'Get-UserProperty',
+    'Find-UserField',
+    'Get-UserEvent',
+    'Get-ObjectAcl',
+    'Add-ObjectAcl',
+    'Invoke-ACLScanner',
+    'Get-NetComputer',
+    'Get-ADObject',
+    'Set-ADObject',
+    'Get-ComputerProperty',
+    'Find-ComputerField',
+    'Get-NetOU',
+    'Get-NetSite',
+    'Get-NetSubnet',
+    'Get-NetGroup',
+    'Get-NetGroupMember',
+    'Get-NetFileServer',
+    'Get-DFSshare',
+    'Get-NetGPO',
+    'Get-NetGPOGroup',
+    'Find-GPOLocation',
+    'Find-GPOComputerAdmin',
+    'Get-DomainPolicy',
+    'Get-NetLocalGroup',
+    'Get-NetShare',
+    'Get-NetLoggedon',
+    'Get-NetSession',
+    'Get-NetRDPSession',
+    'Invoke-CheckLocalAdminAccess',
+    'Get-LastLoggedOn',
+    'Get-CachedRDPConnection',
+    'Get-NetProcess',
+    'Find-InterestingFile',
+    'Invoke-UserHunter',
+    'Invoke-ProcessHunter',
+    'Invoke-EventHunter',
+    'Invoke-ShareFinder',
+    'Invoke-FileFinder',
+    'Find-LocalAdminAccess',
+    'Get-ExploitableSystem',
+    'Invoke-EnumerateLocalAdmin',
+    'Get-NetDomainTrust',
+    'Get-NetForestTrust',
+    'Find-ForeignUser',
+    'Find-ForeignGroup',
+    'Invoke-MapDomainTrust'
+)

 # Cmdlets to export from this module
 CmdletsToExport = '*'
@ -73,8 +138,8 @@ AliasesToExport = ''
 ModuleList = @(@{ModuleName = 'Recon'; ModuleVersion = '1.0.0.0'; GUID = '7e775ad6-cd3d-4a93-b788-da067274c877'})

 # List of all files packaged with this module
-FileList = 'Recon.psm1', 'Recon.psd1', 'Get-HttpStatus.ps1', 'Invoke-ReverseDnsLookup.ps1',
-               'Invoke-Portscan.ps1', 'Get-ComputerDetails.ps1', 'Usage.md'
+FileList = 'Recon.psm1', 'Recon.psd1', 'PowerView.ps1', 'Get-HttpStatus.ps1', 'Invoke-ReverseDnsLookup.ps1',
+               'Invoke-Portscan.ps1', 'Get-ComputerDetails.ps1', 'README.md'

 # Private data to pass to the module specified in RootModule/ModuleToProcess
 # PrivateData = ''
--- a/Recon/Usage.md
+++ b/Recon/Usage.md
@ -1,12 +0,0 @@
-To install this module, drop the entire Recon folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
-
-The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
-The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
-
-To use the module, type `Import-Module Recon`
-
-To see the commands imported, type `Get-Command -Module Recon`
-
-For help on each individual command, Get-Help is your friend.
-
-Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.