For ./Recon/ :

-(More) PSScriptAnalyzering
    -Tweaking of synopsis blocks in order to support platyPS
    -Code standardization
    -Generated docs
HarmJ0y 2016-12-14 19:23:28 -05:00
parent 59e6f94e76
commit ad32d6c75b
14 changed files with 177 additions and 189 deletions

View File

@ -1,14 +1,14 @@
function Get-ComputerDetails function Get-ComputerDetail
{ {
<# <#
.SYNOPSIS .SYNOPSIS
This script is used to get useful information from a computer. This script is used to get useful information from a computer.
Function: Get-ComputerDetails Function: Get-ComputerDetail
Author: Joe Bialek, Twitter: @JosephBialek Author: Joe Bialek, Twitter: @JosephBialek
Required Dependencies: None Required Dependencies: None
Optional Dependencies: None Optional Dependencies: None
.DESCRIPTION .DESCRIPTION
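Review bot: renaming the exported Get-ComputerDetails to Get-ComputerDetail satisfies PSUseSingularNouns but breaks every existing caller of the old name. Add a compatibility alias next to the definition, e.g. `Set-Alias -Name Get-ComputerDetails -Value Get-ComputerDetail`, so old scripts keep working after the module update.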
@ -25,14 +25,14 @@ Switch: Outputs the data as text instead of objects, good if you are using this
.EXAMPLE .EXAMPLE
Get-ComputerDetails Get-ComputerDetail
Gets information about the computer and outputs it as PowerShell objects. Gets information about the computer and outputs it as PowerShell objects.
Get-ComputerDetails -ToString Get-ComputerDetail -ToString
Gets information about the computer and outputs it as raw text. Gets information about the computer and outputs it as raw text.
.NOTES .NOTES
This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to. This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to.
You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files. You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files.
.LINK .LINK
@ -42,6 +42,7 @@ Github repo: https://github.com/clymb3r/PowerShell
#> #>
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
Param( Param(
[Parameter(Position=0)] [Parameter(Position=0)]
[Switch] [Switch]
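Review bot: the PSShouldProcess suppression is only defensible because Get-ComputerDetail is read-only (event log and registry reads, no state changes); a one-line comment above the attribute saying so would save the next reviewer from questioning it, and the suppression should be revisited if the function ever gains write behaviour.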
@ -50,14 +51,12 @@ Github repo: https://github.com/clymb3r/PowerShell
Set-StrictMode -Version 2 Set-StrictMode -Version 2
$SecurityLog = Get-EventLog -LogName Security $SecurityLog = Get-EventLog -LogName Security
$Filtered4624 = Find-4624Logons $SecurityLog $Filtered4624 = Find-4624Logon $SecurityLog
$Filtered4648 = Find-4648Logons $SecurityLog $Filtered4648 = Find-4648Logon $SecurityLog
$AppLockerLogs = Find-AppLockerLogs $AppLockerLogs = Find-AppLockerLog
$PSLogs = Find-PSScriptsInPSAppLog $PSLogs = Find-PSScriptsInPSAppLog
$RdpClientData = Find-RDPClientConnections $RdpClientData = Find-RDPClientConnection
if ($ToString) if ($ToString)
{ {
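Review bot: Find-PSScriptsInPSAppLog keeps its plural noun while the four sibling helpers on the surrounding lines were singularised; either rename it (and its `Function Find-PSScriptsInPSAppLog` definition further down) for consistency or add a PSUseSingularNouns suppression with a comment, otherwise the analyzer will keep flagging this file.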
@ -88,29 +87,29 @@ Github repo: https://github.com/clymb3r/PowerShell
} }
function Find-4648Logons function Find-4648Logon
{ {
<# <#
.SYNOPSIS .SYNOPSIS
Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the
the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful
for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action. for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action.
Function: Find-4648Logons Function: Find-4648Logon
Author: Joe Bialek, Twitter: @JosephBialek Author: Joe Bialek, Twitter: @JosephBialek
Required Dependencies: None Required Dependencies: None
Optional Dependencies: None Optional Dependencies: None
.DESCRIPTION .DESCRIPTION
Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the
the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful
for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action. for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action.
.EXAMPLE .EXAMPLE
Find-4648Logons Find-4648Logon
Gets the unique 4648 logon events. Gets the unique 4648 logon events.
.NOTES .NOTES
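Review bot: the typo "authenticaiton" survives on both the .SYNOPSIS and .DESCRIPTION lines, as does the doubled article in "It will give the / the account"; since this commit is already reworking these help blocks for platyPS, fix them here so the generated docs do not carry them.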
@ -120,11 +119,12 @@ Gets the unique 4648 logon events.
Blog: http://clymb3r.wordpress.com/ Blog: http://clymb3r.wordpress.com/
Github repo: https://github.com/clymb3r/PowerShell Github repo: https://github.com/clymb3r/PowerShell
#> #>
Param( Param(
$SecurityLog $SecurityLog
) )
$ExplicitLogons = $SecurityLog | Where {$_.InstanceID -eq 4648} $ExplicitLogons = $SecurityLog | Where-Object {$_.InstanceID -eq 4648}
$ReturnInfo = @{} $ReturnInfo = @{}
foreach ($ExplicitLogon in $ExplicitLogons) foreach ($ExplicitLogon in $ExplicitLogons)
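Review bot: `$SecurityLog` in the Param block is untyped and optional, so if a caller omits it `$SecurityLog | Where-Object {...}` silently yields nothing and the function returns an empty hashtable; mark it `[Parameter(Mandatory = $True)]` so the failure is explicit. The Where to Where-Object replacement itself is correct.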
@ -216,7 +216,7 @@ Github repo: https://github.com/clymb3r/PowerShell
return $ReturnInfo return $ReturnInfo
} }
function Find-4624Logons function Find-4624Logon
{ {
<# <#
.SYNOPSIS .SYNOPSIS
@ -224,10 +224,10 @@ function Find-4624Logons
Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do
network logons in to the server, what accounts RDP in, what accounts log in locally, etc... network logons in to the server, what accounts RDP in, what accounts log in locally, etc...
Function: Find-4624Logons Function: Find-4624Logon
Author: Joe Bialek, Twitter: @JosephBialek Author: Joe Bialek, Twitter: @JosephBialek
Required Dependencies: None Required Dependencies: None
Optional Dependencies: None Optional Dependencies: None
.DESCRIPTION .DESCRIPTION
@ -236,7 +236,7 @@ network logons in to the server, what accounts RDP in, what accounts log in loca
.EXAMPLE .EXAMPLE
Find-4624Logons Find-4624Logon
Find unique 4624 logon events. Find unique 4624 logon events.
.NOTES .NOTES
@ -250,7 +250,7 @@ Github repo: https://github.com/clymb3r/PowerShell
$SecurityLog $SecurityLog
) )
$Logons = $SecurityLog | Where {$_.InstanceID -eq 4624} $Logons = $SecurityLog | Where-Object {$_.InstanceID -eq 4624}
$ReturnInfo = @{} $ReturnInfo = @{}
foreach ($Logon in $Logons) foreach ($Logon in $Logons)
@ -362,17 +362,17 @@ Github repo: https://github.com/clymb3r/PowerShell
} }
function Find-AppLockerLogs function Find-AppLockerLog
{ {
<# <#
.SYNOPSIS .SYNOPSIS
Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run). Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run).
Function: Find-AppLockerLogs Function: Find-AppLockerLog
Author: Joe Bialek, Twitter: @JosephBialek Author: Joe Bialek, Twitter: @JosephBialek
Required Dependencies: None Required Dependencies: None
Optional Dependencies: None Optional Dependencies: None
.DESCRIPTION .DESCRIPTION
@ -380,7 +380,7 @@ Look through the AppLocker logs to find processes that get run on the server. Yo
.EXAMPLE .EXAMPLE
Find-AppLockerLogs Find-AppLockerLog
Find process creations from AppLocker logs. Find process creations from AppLocker logs.
.NOTES .NOTES
@ -390,9 +390,10 @@ Find process creations from AppLocker logs.
Blog: http://clymb3r.wordpress.com/ Blog: http://clymb3r.wordpress.com/
Github repo: https://github.com/clymb3r/PowerShell Github repo: https://github.com/clymb3r/PowerShell
#> #>
$ReturnInfo = @{} $ReturnInfo = @{}
$AppLockerLogs = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ErrorAction SilentlyContinue | Where {$_.Id -eq 8002} $AppLockerLogs = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ErrorAction SilentlyContinue | Where-Object {$_.Id -eq 8002}
foreach ($Log in $AppLockerLogs) foreach ($Log in $AppLockerLogs)
{ {
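Review bot: with `-ErrorAction SilentlyContinue`, an absent AppLocker log or an access-denied read leaves `$AppLockerLogs` empty and indistinguishable from "no 8002 events", so the caller gets an empty result with no hint why; consider a `Write-Verbose` when the variable is null after the call. Moving the Id filter into the query with `-FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8002 }` would also avoid pulling every event and filtering client-side with Where-Object.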
@ -434,10 +435,10 @@ Function Find-PSScriptsInPSAppLog
Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log). Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log).
You can then backdoor these scripts or do other malicious things. You can then backdoor these scripts or do other malicious things.
Function: Find-AppLockerLogs Function: Find-AppLockerLog
Author: Joe Bialek, Twitter: @JosephBialek Author: Joe Bialek, Twitter: @JosephBialek
Required Dependencies: None Required Dependencies: None
Optional Dependencies: None Optional Dependencies: None
.DESCRIPTION .DESCRIPTION
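Review bot: this help block belongs to Find-PSScriptsInPSAppLog (see the hunk header), but its `Function:` line still names the AppLocker helper; the rename to Find-AppLockerLog just carries the copy-paste error into the generated docs. Change it to `Function: Find-PSScriptsInPSAppLog`.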
@ -456,12 +457,12 @@ Find unique PowerShell scripts being executed from the PowerShell operational lo
Blog: http://clymb3r.wordpress.com/ Blog: http://clymb3r.wordpress.com/
Github repo: https://github.com/clymb3r/PowerShell Github repo: https://github.com/clymb3r/PowerShell
#> #>
$ReturnInfo = @{} $ReturnInfo = @{}
$Logs = Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -ErrorAction SilentlyContinue | Where {$_.Id -eq 4100} $Logs = Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -ErrorAction SilentlyContinue | Where-Object {$_.Id -eq 4100}
foreach ($Log in $Logs) foreach ($Log in $Logs)
{ {
$ContainsScriptName = $false
$LogDetails = $Log.Message -split "`r`n" $LogDetails = $Log.Message -split "`r`n"
$FoundScriptName = $false $FoundScriptName = $false
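Review bot: dropping `$ContainsScriptName = $false` is safe only if nothing below the visible lines reads it; `$FoundScriptName` on the next line looks like the variable actually used, but please confirm with a grep before merging. The same `-ErrorAction SilentlyContinue` caveat as in the AppLocker helper applies to the Operational log read here.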
@ -506,27 +507,26 @@ Github repo: https://github.com/clymb3r/PowerShell
} }
Function Find-RDPClientConnections Function Find-RDPClientConnection
{ {
<# <#
.SYNOPSIS .SYNOPSIS
Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user
usually RDP's to. usually RDP's to.
Function: Find-RDPClientConnections Function: Find-RDPClientConnection
Author: Joe Bialek, Twitter: @JosephBialek Author: Joe Bialek, Twitter: @JosephBialek
Required Dependencies: None Required Dependencies: None
Optional Dependencies: None Optional Dependencies: None
.DESCRIPTION .DESCRIPTION
Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user usually RDP's to.
usually RDP's to.
.EXAMPLE .EXAMPLE
Find-RDPClientConnections Find-RDPClientConnection
Find unique saved RDP client connections. Find unique saved RDP client connections.
.NOTES .NOTES
@ -550,7 +550,7 @@ Github repo: https://github.com/clymb3r/PowerShell
{ {
$Server = $Server.PSChildName $Server = $Server.PSChildName
$UsernameHint = (Get-ItemProperty -Path "HKU:\$($UserSid)\Software\Microsoft\Terminal Server Client\Servers\$($Server)").UsernameHint $UsernameHint = (Get-ItemProperty -Path "HKU:\$($UserSid)\Software\Microsoft\Terminal Server Client\Servers\$($Server)").UsernameHint
$Key = $UserSid + "::::" + $Server + "::::" + $UsernameHint $Key = $UserSid + "::::" + $Server + "::::" + $UsernameHint
if (!$ReturnInfo.ContainsKey($Key)) if (!$ReturnInfo.ContainsKey($Key))
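Review bot: `HKU:\$($UserSid)\...` relies on an `HKU:` PSDrive, which PowerShell does not create by default (only HKLM: and HKCU:); make sure the function runs `New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS` before this loop and removes it afterwards, otherwise Get-ItemProperty fails for every server. Also, a Servers subkey without a UsernameHint value yields `$null` for that property, so `$Key` ends in `::::`; the ContainsKey check still works, but the output should make the missing hint explicit rather than leaving an empty field.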

View File

@ -5,11 +5,11 @@ function Get-HttpStatus
Returns the HTTP Status Codes and full URL for specified paths. Returns the HTTP Status Codes and full URL for specified paths.
PowerSploit Function: Get-HttpStatus PowerSploit Function: Get-HttpStatus
Author: Chris Campbell (@obscuresec) Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause License: BSD 3-Clause
Required Dependencies: None Required Dependencies: None
Optional Dependencies: None Optional Dependencies: None
.DESCRIPTION .DESCRIPTION
@ -42,7 +42,7 @@ C:\PS> Get-HttpStatus -Target www.example.com -Path c:\dictionary.txt -UseSSL
.NOTES .NOTES
HTTP Status Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error HTTP Status Codes: 100 - Informational * 200 - Success * 300 - Redirection * 400 - Client Error * 500 - Server Error
.LINK .LINK
http://obscuresecurity.blogspot.com http://obscuresecurity.blogspot.com
@ -64,49 +64,54 @@ http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
[Switch] [Switch]
$UseSSL $UseSSL
) )
if (Test-Path $Path) { if (Test-Path $Path) {
if ($UseSSL -and $Port -eq 0) { if ($UseSSL -and $Port -eq 0) {
# Default to 443 if SSL is specified but no port is specified # Default to 443 if SSL is specified but no port is specified
$Port = 443 $Port = 443
} elseif ($Port -eq 0) { }
elseif ($Port -eq 0) {
# Default to port 80 if no port is specified # Default to port 80 if no port is specified
$Port = 80 $Port = 80
} }
$TcpConnection = New-Object System.Net.Sockets.TcpClient $TcpConnection = New-Object System.Net.Sockets.TcpClient
Write-Verbose "Path Test Succeeded - Testing Connectivity" Write-Verbose "Path Test Succeeded - Testing Connectivity"
try { try {
# Validate that the host is listening before scanning # Validate that the host is listening before scanning
$TcpConnection.Connect($Target, $Port) $TcpConnection.Connect($Target, $Port)
} catch { }
catch {
Write-Error "Connection Test Failed - Check Target" Write-Error "Connection Test Failed - Check Target"
$Tcpconnection.Close() $Tcpconnection.Close()
Return Return
} }
$Tcpconnection.Close() $Tcpconnection.Close()
} else { }
else {
Write-Error "Path Test Failed - Check Dictionary Path" Write-Error "Path Test Failed - Check Dictionary Path"
Return Return
} }
if ($UseSSL) { if ($UseSSL) {
$SSL = 's' $SSL = 's'
# Ignore invalid SSL certificates # Ignore invalid SSL certificates
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True } [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }
} else { }
else {
$SSL = '' $SSL = ''
} }
if (($Port -eq 80) -or ($Port -eq 443)) { if (($Port -eq 80) -or ($Port -eq 443)) {
$PortNum = '' $PortNum = ''
} else { }
else {
$PortNum = ":$Port" $PortNum = ":$Port"
} }
# Check Http status for each entry in the doctionary file # Check Http status for each entry in the doctionary file
foreach ($Item in Get-Content $Path) { foreach ($Item in Get-Content $Path) {
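Review bot: `[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }` is process-wide and never reset, so after one `-UseSSL` run every later HTTPS request in the session (Invoke-WebRequest, other modules) accepts any certificate. Save the previous callback before the scan and restore it in a `finally`, or at minimum document the side effect in .NOTES. The brace reflow is fine; while here, "doctionary" in the loop comment should read "dictionary".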
@ -117,24 +122,23 @@ http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
$WebRequest = [System.Net.WebRequest]::Create($URI) $WebRequest = [System.Net.WebRequest]::Create($URI)
$WebResponse = $WebRequest.GetResponse() $WebResponse = $WebRequest.GetResponse()
$WebStatus = $WebResponse.StatusCode $WebStatus = $WebResponse.StatusCode
$ResultObject += $ScanObject
$WebResponse.Close() $WebResponse.Close()
} catch { }
catch {
$WebStatus = $Error[0].Exception.InnerException.Response.StatusCode $WebStatus = $Error[0].Exception.InnerException.Response.StatusCode
if ($WebStatus -eq $null) { if (-not $WebStatus) {
# Not every exception returns a StatusCode. # Not every exception returns a StatusCode.
# If that is the case, return the Status. # If that is the case, return the Status.
$WebStatus = $Error[0].Exception.InnerException.Status $WebStatus = $Error[0].Exception.InnerException.Status
} }
} }
$Result = @{ Status = $WebStatus; $Result = @{ Status = $WebStatus;
URL = $WebTarget} URL = $WebTarget}
$ScanObject = New-Object -TypeName PSObject -Property $Result $ScanObject = New-Object -TypeName PSObject -Property $Result
Write-Output $ScanObject Write-Output $ScanObject
} }
} }
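Review bot: `if (-not $WebStatus)` is a looser test than the `$null` check it replaces; the idiomatic fix for the analyzer's null-comparison warning is `if ($null -eq $WebStatus)`, which keeps the original intent. Removing the stray `$ResultObject += $ScanObject` is correct, since it referenced `$ScanObject` before it was assigned. Inside the catch, prefer `$_.Exception.InnerException` over `$Error[0]`, and close the `Response` object taken from the exception the same way the success path closes `$WebResponse`.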

View File

@ -5,11 +5,11 @@ function Invoke-Portscan
Simple portscan module Simple portscan module
PowerSploit Function: Invoke-Portscan PowerSploit Function: Invoke-Portscan
Author: Rich Lundeen (http://webstersProdigy.net) Author: Rich Lundeen (http://webstersProdigy.net)
License: BSD 3-Clause License: BSD 3-Clause
Required Dependencies: None Required Dependencies: None
Optional Dependencies: None Optional Dependencies: None
.DESCRIPTION .DESCRIPTION
@ -114,7 +114,7 @@ Force Overwrite if output Files exist. Otherwise it throws exception
.EXAMPLE .EXAMPLE
C:\PS> Invoke-Portscan -Hosts "webstersprodigy.net,google.com,microsoft.com" -TopPorts 50 Invoke-Portscan -Hosts "webstersprodigy.net,google.com,microsoft.com" -TopPorts 50
Description Description
----------- -----------
@ -122,7 +122,7 @@ Scans the top 50 ports for hosts found for webstersprodigy.net,google.com, and m
.EXAMPLE .EXAMPLE
C:\PS> echo webstersprodigy.net | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080" echo webstersprodigy.net | Invoke-Portscan -oG test.gnmap -f -ports "80,443,8080"
Description Description
----------- -----------
@ -130,7 +130,7 @@ Does a portscan of "webstersprodigy.net", and writes a greppable output file
.EXAMPLE .EXAMPLE
C:\PS> Invoke-Portscan -Hosts 192.168.1.1/24 -T 4 -TopPorts 25 -oA localnet Invoke-Portscan -Hosts 192.168.1.1/24 -T 4 -TopPorts 25 -oA localnet
Description Description
----------- -----------
@ -141,7 +141,13 @@ Scans the top 20 ports for hosts found in the 192.168.1.1/24 range, outputs all
http://webstersprodigy.net http://webstersprodigy.net
#> #>
[CmdletBinding()]Param ( [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseShouldProcessForStateChangingFunctions', '')]
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseSingularNouns', '')]
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '')]
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseLiteralInitializerForHashtable', '')]
[CmdletBinding()]
Param (
#Host, Ports #Host, Ports
[Parameter(ParameterSetName="cmdHosts", [Parameter(ParameterSetName="cmdHosts",
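Review bot: five blanket suppressions on the outer function switch those rules off for the entire body, including the helper `PortScan-Alive` that PSUseApprovedVerbs is presumably silencing; renaming that helper (Test- is an approved verb) is cheaper than a permanent suppression. PSUseShouldProcessForStateChangingFunctions is also being suppressed on a function that overwrites output files with `-f` (see the "Force Overwrite if output Files exist" context above), which is exactly the case SupportsShouldProcess and -WhatIf exist for.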
@ -748,9 +754,9 @@ http://webstersprodigy.net
#TODO deal with output #TODO deal with output
Write-PortscanOut -comment $startMsg -grepStream $grepStream -xmlStream $xmlStream -readableStream $readableStream Write-PortscanOut -comment $startMsg -grepStream $grepStream -xmlStream $xmlStream -readableStream $readableStream
#converting back from int array gives some argument error checking # #converting back from int array gives some argument error checking
$sPortList = [string]::join(",", $portList) # $sPortList = [string]::join(",", $portList)
$sHostPortList = [string]::join(",", $hostPortList) # $sHostPortList = [string]::join(",", $hostPortList)
######## ########
#Port Scan Code - run on a per host basis #Port Scan Code - run on a per host basis
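Review bot: commenting out the `$sPortList` and `$sHostPortList` joins leaves dead code behind; if the analyzer flagged them as assigned-but-unused, delete the three lines outright. The comment above them says the join-back "gives some argument error checking", so confirm nothing relied on that conversion throwing for bad input, and if it did, replace it with explicit validation of the port lists.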
@ -840,7 +846,6 @@ http://webstersprodigy.net
$sockets[$p] = new-object System.Net.Sockets.TcpClient $sockets[$p] = new-object System.Net.Sockets.TcpClient
} }
$scriptBlockAsString = @" $scriptBlockAsString = @"
#somewhat of a race condition with the timeout, but I don't think it matters #somewhat of a race condition with the timeout, but I don't think it matters
@ -885,8 +890,7 @@ http://webstersprodigy.net
$timeouts[$p].Enabled = $true $timeouts[$p].Enabled = $true
$myscriptblock = [scriptblock]::Create($scriptBlockAsString) $myscriptblock = [scriptblock]::Create($scriptBlockAsString)
$x = $sockets[$p].beginConnect($h, $p,(New-ScriptBlockCallback($myscriptblock)) , $null) $Null = $sockets[$p].beginConnect($h, $p,(New-ScriptBlockCallback($myscriptblock)) , $null)
} }
function PortScan-Alive function PortScan-Alive

View File

@ -5,23 +5,23 @@ function Invoke-ReverseDnsLookup
Perform a reverse DNS lookup scan on a range of IP addresses. Perform a reverse DNS lookup scan on a range of IP addresses.
PowerSploit Function: Invoke-ReverseDnsLookup PowerSploit Function: Invoke-ReverseDnsLookup
Author: Matthew Graeber (@mattifestation) Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause License: BSD 3-Clause
Required Dependencies: None Required Dependencies: None
Optional Dependencies: None Optional Dependencies: None
.DESCRIPTION .DESCRIPTION
Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script is useful for performing DNS reconnaisance prior to conducting an authorized penetration test. Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script is useful for performing DNS reconnaissance prior to conducting an authorized penetration test.
.PARAMETER IPRange .PARAMETER IPRange
Specifies the IP address range. The range provided can be in the form of a single IP address, a low-high range, or a CIDR range. Comma-delimited ranges may can be provided. Specifies the IP address range. The range provided can be in the form of a single IP address, a low-high range, or a CIDR range. Comma-delimited ranges may can be provided.
.EXAMPLE .EXAMPLE
C:\PS> Invoke-ReverseDnsLookup 74.125.228.0/29 Invoke-ReverseDnsLookup 74.125.228.0/29
IP HostName IP HostName
-- -------- -- --------
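Review bot: the .PARAMETER IPRange text still reads "Comma-delimited ranges may can be provided" on both sides; since this hunk already fixes "reconnaissance" in the same block, drop the stray "may" too. Removing the `C:\PS>` prompt from the example is right for platyPS.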
@ -31,29 +31,29 @@ IP HostName
74.125.228.4 iad23s05-in-f4.1e100.net 74.125.228.4 iad23s05-in-f4.1e100.net
74.125.228.5 iad23s05-in-f5.1e100.net 74.125.228.5 iad23s05-in-f5.1e100.net
74.125.228.6 iad23s05-in-f6.1e100.net 74.125.228.6 iad23s05-in-f6.1e100.net
Description Description
----------- -----------
Returns the hostnames of the IP addresses specified by the CIDR range. Returns the hostnames of the IP addresses specified by the CIDR range.
.EXAMPLE .EXAMPLE
C:\PS> Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6' Invoke-ReverseDnsLookup '74.125.228.1,74.125.228.4-74.125.228.6'
IP HostName IP HostName
-- -------- -- --------
74.125.228.1 iad23s05-in-f1.1e100.net 74.125.228.1 iad23s05-in-f1.1e100.net
74.125.228.4 iad23s05-in-f4.1e100.net 74.125.228.4 iad23s05-in-f4.1e100.net
74.125.228.5 iad23s05-in-f5.1e100.net 74.125.228.5 iad23s05-in-f5.1e100.net
74.125.228.6 iad23s05-in-f6.1e100.net 74.125.228.6 iad23s05-in-f6.1e100.net
Description Description
----------- -----------
Returns the hostnames of the IP addresses specified by the IP range specified. Returns the hostnames of the IP addresses specified by the IP range specified.
.EXAMPLE .EXAMPLE
PS C:\> Write-Output "74.125.228.1,74.125.228.0/29" | Invoke-ReverseDnsLookup Write-Output "74.125.228.1,74.125.228.0/29" | Invoke-ReverseDnsLookup
IP HostName IP HostName
-- -------- -- --------
@ -69,13 +69,15 @@ Description
----------- -----------
Returns the hostnames of the IP addresses piped from another source. Returns the hostnames of the IP addresses piped from another source.
.LINK .LINK
http://www.exploit-monday.com http://www.exploit-monday.com
https://github.com/mattifestation/PowerSploit https://github.com/mattifestation/PowerSploit
#> #>
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSUseApprovedVerbs', '')]
[CmdletBinding()]
Param ( Param (
[Parameter(Position = 0, Mandatory = $True,ValueFromPipeline=$True)] [Parameter(Position = 0, Mandatory = $True,ValueFromPipeline=$True)]
[String] [String]
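Review bot: the PSUseApprovedVerbs suppression is presumably there for the nested helpers `Parse-IPList`, `IPtoInt` and `InttoIP`; since those are private to the BEGIN block, renaming them (e.g. `ConvertTo-IPList`) removes the need for the suppression entirely. Adding `[CmdletBinding()]` is harmless here because the existing `[Parameter(...)]` attribute already made this an advanced function.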
@ -83,14 +85,14 @@ https://github.com/mattifestation/PowerSploit
) )
BEGIN { BEGIN {
function Parse-IPList ([String] $IpRange) function Parse-IPList ([String] $IpRange)
{ {
function IPtoInt function IPtoInt
{ {
Param([String] $IpString) Param([String] $IpString)
$Hexstr = "" $Hexstr = ""
$Octets = $IpString.Split(".") $Octets = $IpString.Split(".")
foreach ($Octet in $Octets) { foreach ($Octet in $Octets) {
@ -98,7 +100,7 @@ https://github.com/mattifestation/PowerSploit
} }
return [Convert]::ToInt64($Hexstr, 16) return [Convert]::ToInt64($Hexstr, 16)
} }
function InttoIP function InttoIP
{ {
Param([Int64] $IpInt) Param([Int64] $IpInt)
@ -110,15 +112,15 @@ https://github.com/mattifestation/PowerSploit
} }
return $IpStr.TrimEnd('.') return $IpStr.TrimEnd('.')
} }
$Ip = [System.Net.IPAddress]::Parse("127.0.0.1") $Ip = [System.Net.IPAddress]::Parse("127.0.0.1")
foreach ($Str in $IpRange.Split(",")) foreach ($Str in $IpRange.Split(","))
{ {
$Item = $Str.Trim() $Item = $Str.Trim()
$Result = "" $Result = ""
$IpRegex = "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" $IpRegex = "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
# First, validate the input # First, validate the input
switch -regex ($Item) switch -regex ($Item)
{ {
@ -139,11 +141,11 @@ https://github.com/mattifestation/PowerSploit
} }
default default
{ {
Write-Warning "Inproper input" Write-Warning "Improper input"
return return
} }
} }
#Now, start processing the IP addresses #Now, start processing the IP addresses
switch ($Result) switch ($Result)
{ {
@ -152,14 +154,14 @@ https://github.com/mattifestation/PowerSploit
$CidrRange = $Item.Split("/") $CidrRange = $Item.Split("/")
$Network = $CidrRange[0] $Network = $CidrRange[0]
$Mask = $CidrRange[1] $Mask = $CidrRange[1]
if (!([System.Net.IPAddress]::TryParse($Network, [ref] $Ip))) { Write-Warning "Invalid IP address supplied!"; return} if (!([System.Net.IPAddress]::TryParse($Network, [ref] $Ip))) { Write-Warning "Invalid IP address supplied!"; return}
if (($Mask -lt 0) -or ($Mask -gt 30)) { Write-Warning "Invalid network mask! Acceptable values are 0-30"; return} if (($Mask -lt 0) -or ($Mask -gt 30)) { Write-Warning "Invalid network mask! Acceptable values are 0-30"; return}
$BinaryIP = [Convert]::ToString((IPtoInt $Network),2).PadLeft(32,'0') $BinaryIP = [Convert]::ToString((IPtoInt $Network),2).PadLeft(32,'0')
#Generate lower limit (Excluding network address) #Generate lower limit (Excluding network address)
$Lower = $BinaryIP.Substring(0, $Mask) + "0" * ((32-$Mask)-1) + "1" $Lower = $BinaryIP.Substring(0, $Mask) + "0" * ((32-$Mask)-1) + "1"
#Generate upperr limit (Excluding broadcast address) #Generate upper limit (Excluding broadcast address)
$Upper = $BinaryIP.Substring(0, $Mask) + "1" * ((32-$Mask)-1) + "0" $Upper = $BinaryIP.Substring(0, $Mask) + "1" * ((32-$Mask)-1) + "0"
$LowerInt = [Convert]::ToInt64($Lower, 2) $LowerInt = [Convert]::ToInt64($Lower, 2)
$UpperInt = [Convert]::ToInt64($Upper, 2) $UpperInt = [Convert]::ToInt64($Upper, 2)
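Review bot: `$Mask = $CidrRange[1]` is a string, so `($Mask -lt 0) -or ($Mask -gt 30)` is a string comparison (PowerShell converts the right operand to the left operand's type), and `"8" -gt 30` evaluates to `$true`; single-digit masks /4 through /9 are rejected as "Invalid network mask" while /24 passes by accident. Convert first, e.g. `$Mask = $CidrRange[1] -as [int]` with a null check for non-numeric input, then compare. The "upperr" typo fix is fine.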
@ -168,21 +170,21 @@ https://github.com/mattifestation/PowerSploit
"range" "range"
{ {
$Range = $item.Split("-") $Range = $item.Split("-")
if ([System.Net.IPAddress]::TryParse($Range[0],[ref]$Ip)) { $Temp1 = $Ip } if ([System.Net.IPAddress]::TryParse($Range[0],[ref]$Ip)) { $Temp1 = $Ip }
else { Write-Warning "Invalid IP address supplied!"; return } else { Write-Warning "Invalid IP address supplied!"; return }
if ([System.Net.IPAddress]::TryParse($Range[1],[ref]$Ip)) { $Temp2 = $Ip } if ([System.Net.IPAddress]::TryParse($Range[1],[ref]$Ip)) { $Temp2 = $Ip }
else { Write-Warning "Invalid IP address supplied!"; return } else { Write-Warning "Invalid IP address supplied!"; return }
$Left = (IPtoInt $Temp1.ToString()) $Left = (IPtoInt $Temp1.ToString())
$Right = (IPtoInt $Temp2.ToString()) $Right = (IPtoInt $Temp2.ToString())
if ($Right -gt $Left) { if ($Right -gt $Left) {
for ($i = $Left; $i -le $Right; $i++) { InttoIP $i } for ($i = $Left; $i -le $Right; $i++) { InttoIP $i }
} }
else { Write-Warning "Invalid IP range. The right portion must be greater than the left portion."; return} else { Write-Warning "Invalid IP range. The right portion must be greater than the left portion."; return}
break break
} }
"single" "single"
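Review bot: `if ($Right -gt $Left)` rejects a range whose two ends are the same address with the "right portion must be greater" warning, although the for loop would handle that case correctly; use `-ge`, or change the message to say "greater than or equal". Otherwise this hunk is indentation only.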
@ -193,28 +195,30 @@ https://github.com/mattifestation/PowerSploit
} }
default default
{ {
Write-Warning "An error occured." Write-Warning "An error occurred."
return return
} }
} }
} }
} }
} }
PROCESS { PROCESS {
Parse-IPList $IpRange | ForEach-Object { Parse-IPList $IpRange | ForEach-Object {
try { try {
Write-Verbose "Resolving $_" Write-Verbose "Resolving $_"
$Temp = [System.Net.Dns]::GetHostEntry($_) $Temp = [System.Net.Dns]::GetHostEntry($_)
$Result = @{ $Result = @{
IP = $_ IP = $_
HostName = $Temp.HostName HostName = $Temp.HostName
} }
New-Object PSObject -Property $Result New-Object PSObject -Property $Result
} catch [System.Net.Sockets.SocketException] {} }
catch [System.Net.Sockets.SocketException] {
Write-Verbose "Error: $_"
}
} }
} }
} }
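Review bot: the new `Write-Verbose "Error: $_"` in the catch is better than silently swallowing, but inside the catch `$_` is the ErrorRecord, not the address being resolved, so capture the pipeline item before the `try` if the message is meant to name it. Only SocketException is caught; any other failure from `GetHostEntry` terminates the whole pipeline mid-scan, so either catch the general case as well or emit a result object with `HostName = $null` so callers can tell "no PTR record" from "not scanned".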

View File

@ -859,7 +859,7 @@ function Export-PowerViewCSV {
<# <#
.SYNOPSIS .SYNOPSIS
Converts objects into a series of comma-separated (CSV) strings and saves the Converts objects into a series of comma-separated (CSV) strings and saves the
strings in a CSV file in a thread-safe manner. strings in a CSV file in a thread-safe manner.
Author: Will Schroeder (@harmj0y) Author: Will Schroeder (@harmj0y)

View File

@ -98,7 +98,7 @@ FunctionsToExport = @(
'Get-DomainForeignUser', 'Get-DomainForeignUser',
'Get-DomainForeignGroupMember', 'Get-DomainForeignGroupMember',
'Get-DomainTrustMapping', 'Get-DomainTrustMapping',
'Get-ComputerDetails', 'Get-ComputerDetail',
'Get-HttpStatus', 'Get-HttpStatus',
'Invoke-Portscan', 'Invoke-Portscan',
'Invoke-ReverseDnsLookup' 'Invoke-ReverseDnsLookup'
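Review bot: exporting only Get-ComputerDetail drops the old public name from the module surface, so anyone calling Get-ComputerDetails after Import-Module gets "not recognized"; if a backward-compatibility alias is added in the Recon script, list it under `AliasesToExport` here as well.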

View File

@ -1,7 +1,7 @@
# Export-PowerViewCSV # Export-PowerViewCSV
## SYNOPSIS ## SYNOPSIS
Converts objects into a series of comma-separated (CSV) strings and saves the Converts objects into a series of comma-separated (CSV) strings and saves the
strings in a CSV file in a thread-safe manner. strings in a CSV file in a thread-safe manner.
Author: Will Schroeder (@harmj0y) Author: Will Schroeder (@harmj0y)

View File

@ -1,17 +1,17 @@
# Get-ComputerDetails # Get-ComputerDetail
## SYNOPSIS ## SYNOPSIS
This script is used to get useful information from a computer. This script is used to get useful information from a computer.
Function: Get-ComputerDetails Function: Get-ComputerDetail
Author: Joe Bialek, Twitter: @JosephBialek Author: Joe Bialek, Twitter: @JosephBialek
Required Dependencies: None Required Dependencies: None
Optional Dependencies: None Optional Dependencies: None
## SYNTAX ## SYNTAX
``` ```
Get-ComputerDetails [-ToString] Get-ComputerDetail [-ToString]
``` ```
## DESCRIPTION ## DESCRIPTION
@ -27,12 +27,12 @@ Currently, the script gets the following information:
### -------------------------- EXAMPLE 1 -------------------------- ### -------------------------- EXAMPLE 1 --------------------------
``` ```
Get-ComputerDetails Get-ComputerDetail
``` ```
Gets information about the computer and outputs it as PowerShell objects. Gets information about the computer and outputs it as PowerShell objects.
Get-ComputerDetails -ToString Get-ComputerDetail -ToString
Gets information about the computer and outputs it as raw text. Gets information about the computer and outputs it as raw text.
## PARAMETERS ## PARAMETERS
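Review bot: the generated page shows `Get-ComputerDetail -ToString` as loose text under EXAMPLE 1 rather than as its own EXAMPLE 2, because the source help block puts both invocations under a single `.EXAMPLE` tag (see the Get-ComputerDetail hunk above). Split it into two `.EXAMPLE` sections in the .ps1 and regenerate; edits made to this .md by hand will be overwritten the next time platyPS runs.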
@ -57,7 +57,7 @@ Accept wildcard characters: False
## OUTPUTS ## OUTPUTS
## NOTES ## NOTES
This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to. This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to.
You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files. You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files.
## RELATED LINKS ## RELATED LINKS

View File

@ -3,10 +3,10 @@
## SYNOPSIS ## SYNOPSIS
Returns the HTTP Status Codes and full URL for specified paths. Returns the HTTP Status Codes and full URL for specified paths.
PowerSploit Function: Get-HttpStatus PowerSploit Function: Get-HttpStatus
Author: Chris Campbell (@obscuresec) Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause License: BSD 3-Clause
Required Dependencies: None Required Dependencies: None
Optional Dependencies: None Optional Dependencies: None
## SYNTAX ## SYNTAX
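Review bot: the SYNOPSIS block carries the PowerSploit Function / Author / License / Dependencies metadata, so `Get-Help Get-HttpStatus` and any listing that prints the one-line synopsis will show the whole metadata block as the summary. Keep only "Returns the HTTP Status Codes and full URL for specified paths." in SYNOPSIS and move the metadata lines into NOTES; the Invoke-Portscan and Invoke-ReverseDnsLookup pages below have the same layout and want the same fix.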

@ -3,10 +3,10 @@
## SYNOPSIS ## SYNOPSIS
Simple portscan module Simple portscan module
PowerSploit Function: Invoke-Portscan PowerSploit Function: Invoke-Portscan
Author: Rich Lundeen (http://webstersProdigy.net) Author: Rich Lundeen (http://webstersProdigy.net)
License: BSD 3-Clause License: BSD 3-Clause
Required Dependencies: None Required Dependencies: None
Optional Dependencies: None Optional Dependencies: None
## SYNTAX ## SYNTAX

@ -3,10 +3,10 @@
## SYNOPSIS ## SYNOPSIS
Perform a reverse DNS lookup scan on a range of IP addresses. Perform a reverse DNS lookup scan on a range of IP addresses.
PowerSploit Function: Invoke-ReverseDnsLookup PowerSploit Function: Invoke-ReverseDnsLookup
Author: Matthew Graeber (@mattifestation) Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause License: BSD 3-Clause
Required Dependencies: None Required Dependencies: None
Optional Dependencies: None Optional Dependencies: None
## SYNTAX ## SYNTAX
@ -17,7 +17,7 @@ Invoke-ReverseDnsLookup [-IpRange] <String>
## DESCRIPTION ## DESCRIPTION
Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records.
This script is useful for performing DNS reconnaisance prior to conducting an authorized penetration test. This script is useful for performing DNS reconnaissance prior to conducting an authorized penetration test.
## EXAMPLES ## EXAMPLES
@ -34,7 +34,7 @@ IP HostName
74.125.228.4 iad23s05-in-f4.1e100.net 74.125.228.4 iad23s05-in-f4.1e100.net
74.125.228.5 iad23s05-in-f5.1e100.net 74.125.228.5 iad23s05-in-f5.1e100.net
74.125.228.6 iad23s05-in-f6.1e100.net 74.125.228.6 iad23s05-in-f6.1e100.net
Description Description
----------- -----------
Returns the hostnames of the IP addresses specified by the CIDR range. Returns the hostnames of the IP addresses specified by the CIDR range.
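Review bot: the "Description" / "-----------" lines after the sample output are a leftover of the comment-based-help example format; on a platyPS page the text following the fenced block is already rendered as the example's description, so the two lines appear as stray prose. Drop them here and in the second example below (the `@ -50,7` hunk) and keep only the "Returns the hostnames ..." sentence.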
@ -50,7 +50,7 @@ IP HostName
74.125.228.4 iad23s05-in-f4.1e100.net 74.125.228.4 iad23s05-in-f4.1e100.net
74.125.228.5 iad23s05-in-f5.1e100.net 74.125.228.5 iad23s05-in-f5.1e100.net
74.125.228.6 iad23s05-in-f6.1e100.net 74.125.228.6 iad23s05-in-f6.1e100.net
Description Description
----------- -----------
Returns the hostnames of the IP addresses specified by the IP range specified. Returns the hostnames of the IP addresses specified by the IP range specified.

@ -12,8 +12,7 @@ Required Dependencies: Get-DomainObject
``` ```
Set-DomainObject [[-Identity] <String[]>] [-Set <Hashtable>] [-XOR <Hashtable>] [-Clear <String[]>] Set-DomainObject [[-Identity] <String[]>] [-Set <Hashtable>] [-XOR <Hashtable>] [-Clear <String[]>]
[-Domain <String>] [-LDAPFilter <String>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>] [-Domain <String>] [-LDAPFilter <String>] [-SearchBase <String>] [-Server <String>] [-SearchScope <String>]
[-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-SecurityMasks <String>] [-Tombstone] [-ResultPageSize <Int32>] [-ServerTimeLimit <Int32>] [-Tombstone] [-Credential <PSCredential>]
[-Credential <PSCredential>]
``` ```
## DESCRIPTION ## DESCRIPTION
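Review bot: -SecurityMasks disappears from the SYNTAX line with no corresponding change shown to Set-DomainObject's parameter block, so it is unclear whether the parameter was removed from the function (a breaking change for callers that pass it) or only dropped from the generated page while still accepted. If it is gone, say so in the commit message and check the other Recon pages that share the Get-DomainObject searcher parameters for the same removal; if it is still accepted, the docs now understate the interface.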
@ -281,21 +280,6 @@ Accept pipeline input: False
Accept wildcard characters: False Accept wildcard characters: False
``` ```
### -SecurityMasks
{{Fill SecurityMasks Description}}
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -Tombstone ### -Tombstone
Switch. Switch.
Specifies that the searcher should also return deleted/tombstoned objects. Specifies that the searcher should also return deleted/tombstoned objects.
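Review bot: the removed block is the unfilled `{{Fill SecurityMasks Description}}` placeholder that platyPS emits for a parameter with no help text, which means this page shipped with a template stub in it. Since the docs are regenerated, a build check that fails when `{{Fill` appears anywhere under docs/ would catch the next one before it lands.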
@ -332,14 +316,6 @@ Accept wildcard characters: False
## OUTPUTS ## OUTPUTS
### PowerView.ADObject
Custom PSObject with translated AD object property fields, if -PassThru is enabled.
PowerView.ADObject.Raw
The raw DirectoryServices.SearchResult object, if -PassThru and -Raw are enabled.
## NOTES ## NOTES
## RELATED LINKS ## RELATED LINKS
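Review bot: dropping the PowerView.ADObject and PowerView.ADObject.Raw entries is consistent with the SYNTAX block, which lists neither -PassThru nor -Raw for Set-DomainObject, but it leaves OUTPUTS empty. State what the function actually returns, or that it returns nothing, so the section is not blank in Get-Help output.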

docs/Recon/index.md Normal file → Executable file
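Review bot: docs/Recon/index.md changes mode from normal to executable with no content change; a Markdown page needs no execute bit, and this is most likely a checkout or editor side effect. Revert it with `git update-index --chmod=-x docs/Recon/index.md` before merging, and check the `core.fileMode` setting on the machine that produced it so it does not recur.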
@ -81,7 +81,7 @@ pages:
- Get-DomainForeignUser: 'Recon/Get-DomainForeignUser.md' - Get-DomainForeignUser: 'Recon/Get-DomainForeignUser.md'
- Get-DomainForeignGroupMember: 'Recon/Get-DomainForeignGroupMember.md' - Get-DomainForeignGroupMember: 'Recon/Get-DomainForeignGroupMember.md'
- Get-DomainTrustMapping: 'Recon/Get-DomainTrustMapping.md' - Get-DomainTrustMapping: 'Recon/Get-DomainTrustMapping.md'
- Get-ComputerDetails: 'Recon/Get-ComputerDetails.md' - Get-ComputerDetail: 'Recon/Get-ComputerDetail.md'
- Get-HttpStatus: 'Recon/Get-HttpStatus.md' - Get-HttpStatus: 'Recon/Get-HttpStatus.md'
- Invoke-Portscan: 'Recon/Invoke-Portscan.md' - Invoke-Portscan: 'Recon/Invoke-Portscan.md'
- Invoke-ReverseDnsLookup: 'Recon/Invoke-ReverseDnsLookup.md' - Invoke-ReverseDnsLookup: 'Recon/Invoke-ReverseDnsLookup.md'
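Review bot: the nav entry now points at Recon/Get-ComputerDetail.md, so the page must exist under that filename and the old Recon/Get-ComputerDetails.md must be removed, otherwise mkdocs builds an orphan page that is no longer in the nav. The rendered diff here shows the content rename but no file rename header, so confirm the rename is part of the commit; any external links to the old URL will 404 afterwards.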