Added Set-DomainUserPassword to reset a particular user's password.

Reformatted documentation.
This commit is contained in:
HarmJ0y 2016-12-13 16:00:28 -05:00
parent 813eab4a39
commit f4f5fb1460
8 changed files with 298 additions and 184 deletions


@ -132,7 +132,7 @@ Displays Windows vault credential objects including cleartext web credentials.
Generates a full-memory minidump of a process.
#### 'Get-MicrophoneAudio'
#### `Get-MicrophoneAudio`
Records audio from system microphone and saves to disk


@ -4894,6 +4894,119 @@ http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-
}
function Set-DomainUserPassword {
<#
.SYNOPSIS
Sets the password for a given user identity and returns the user object.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Get-PrincipalContext
.DESCRIPTION
First binds to the specified domain context using Get-PrincipalContext.
The bound domain context is then used to search for the specified user -Identity,
which returns a DirectoryServices.AccountManagement.UserPrincipal object. The
SetPassword() function is then invoked on the user, setting the password to -AccountPassword.
.PARAMETER Identity
A user SamAccountName (e.g. User1), DistinguishedName (e.g. CN=user1,CN=Users,DC=testlab,DC=local),
SID (e.g. S-1-5-21-890171859-3433809279-3366196753-1113), or GUID (e.g. 4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
specifying the user to reset the password for.
.PARAMETER AccountPassword
Specifies the password to reset the target user's to. Mandatory.
.PARAMETER Domain
Specifies the domain to use to search for the user identity, defaults to the current domain.
.PARAMETER Credential
A [Management.Automation.PSCredential] object of alternate credentials
for connection to the target domain.
.EXAMPLE
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword
Resets the password for 'andy' to the password specified.
.EXAMPLE
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword -Credential $Cred
Resets the password for 'andy' usering the alternate credentials specified.
.OUTPUTS
DirectoryServices.AccountManagement.UserPrincipal
.LINK
http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/
#>
[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
[OutputType('DirectoryServices.AccountManagement.UserPrincipal')]
Param(
[Parameter(Position = 0, Mandatory = $True)]
[Alias('UserName', 'UserIdentity', 'User')]
[String]
$Identity,
[Parameter(Mandatory = $True)]
[ValidateNotNullOrEmpty()]
[Alias('Password')]
[Security.SecureString]
$AccountPassword,
[ValidateNotNullOrEmpty()]
[String]
$Domain,
[Management.Automation.PSCredential]
[Management.Automation.CredentialAttribute()]
$Credential = [Management.Automation.PSCredential]::Empty
)
$ContextArguments = @{ 'Identity' = $Identity }
if ($PSBoundParameters['Domain']) { $ContextArguments['Domain'] = $Domain }
if ($PSBoundParameters['Credential']) { $ContextArguments['Credential'] = $Credential }
$Context = Get-PrincipalContext @ContextArguments
if ($Context) {
$User = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($Context.Context, $Identity)
if ($User) {
Write-Verbose "[Set-DomainUserPassword] Attempting to set the password for user '$Identity'"
try {
$TempCred = New-Object System.Management.Automation.PSCredential('a', $AccountPassword)
$User.SetPassword($TempCred.GetNetworkCredential().Password)
$Null = $User.Save()
Write-Verbose "[Set-DomainUserPassword] Password for user '$Identity' successfully reset"
$User
}
catch {
Write-Warning "[Set-DomainUserPassword] Error setting password for user '$Identity' : $_"
}
}
else {
Write-Warning "[Set-DomainUserPassword] Unable to find user '$Identity'"
}
}
}
function Get-DomainUserEvent {
<#
.SYNOPSIS
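Review bot: the function performs a state change (SetPassword followed by Save) yet suppresses the PSShouldProcess analyzer rule instead of supporting it; declare `[CmdletBinding(SupportsShouldProcess = $True)]` and guard the reset with `if ($PSCmdlet.ShouldProcess($Identity, 'Reset password'))` so that -WhatIf and -Confirm work for an operation this irreversible. Failures in the catch block are reported with Write-Warning and then swallowed, so a caller can only infer failure from the absence of output; rethrowing or emitting an error record would make scripted use safer. In the comment-based help, "usering" in the second example should be "using", "Specifies the password to reset the target user's to" reads oddly (something like "Specifies the new password for the target user"), and the second example uses the same 'Password123!' literal for both the alternate credential and the new password, which obscures which value is which.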


@ -58,6 +58,7 @@ an array of hosts from the pipeline.
Find-DomainObjectPropertyOutlier- inds user/group/computer objects in AD that have 'outlier' properties set
Get-DomainUser - return all users or specific user objects in AD
New-DomainUser - creates a new domain user (assuming appropriate permissions) and returns the user object
Set-DomainUserPassword - sets the password for a given user identity and returns the user object
Get-DomainUserEvent - enumerates account logon events (ID 4624) and Logon with explicit credential events
Get-DomainComputer - returns all computers or specific computer objects in AD
Get-DomainObject - returns all (or specified) domain objects in AD
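Review bot: the added Set-DomainUserPassword line matches the format of its neighbours, but the context line "Find-DomainObjectPropertyOutlier- inds user/group/computer objects" two lines above it is missing the space before the dash and the leading "F" of "Finds"; since the file is being touched anyway, that is worth correcting in the same pass.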


@ -46,6 +46,7 @@ FunctionsToExport = @(
'Find-DomainObjectPropertyOutlier',
'Get-DomainUser',
'New-DomainUser',
'Set-DomainUserPassword',
'Get-DomainUserEvent',
'Get-DomainComputer',
'Get-DomainObject',


@ -0,0 +1,127 @@
# Set-DomainUserPassword
## SYNOPSIS
Sets the password for a given user identity and returns the user object.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: Get-PrincipalContext
## SYNTAX
```
Set-DomainUserPassword [-Identity] <String> -AccountPassword <SecureString> [-Domain <String>]
[-Credential <PSCredential>]
```
## DESCRIPTION
First binds to the specified domain context using Get-PrincipalContext.
The bound domain context is then used to search for the specified user -Identity,
which returns a DirectoryServices.AccountManagement.UserPrincipal object.
The
SetPassword() function is then invoked on the user, setting the password to -AccountPassword.
## EXAMPLES
### -------------------------- EXAMPLE 1 --------------------------
```
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
```
Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword
Resets the password for 'andy' to the password specified.
### -------------------------- EXAMPLE 2 --------------------------
```
$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
```
$Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword)
$UserPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
Set-DomainUserPassword -Identity andy -AccountPassword $UserPassword -Credential $Cred
Resets the password for 'andy' usering the alternate credentials specified.
## PARAMETERS
### -Identity
A user SamAccountName (e.g.
User1), DistinguishedName (e.g.
CN=user1,CN=Users,DC=testlab,DC=local),
SID (e.g.
S-1-5-21-890171859-3433809279-3366196753-1113), or GUID (e.g.
4c435dd7-dc58-4b14-9a5e-1fdb0e80d201)
specifying the user to reset the password for.
```yaml
Type: String
Parameter Sets: (All)
Aliases: UserName, UserIdentity, User
Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -AccountPassword
Specifies the password to reset the target user's to.
Mandatory.
```yaml
Type: SecureString
Parameter Sets: (All)
Aliases: Password
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -Domain
Specifies the domain to use to search for the user identity, defaults to the current domain.
```yaml
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```
### -Credential
A \[Management.Automation.PSCredential\] object of alternate credentials
for connection to the target domain.
```yaml
Type: PSCredential
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: [Management.Automation.PSCredential]::Empty
Accept pipeline input: False
Accept wildcard characters: False
```
## INPUTS
## OUTPUTS
### DirectoryServices.AccountManagement.UserPrincipal
## NOTES
## RELATED LINKS
[http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/](http://richardspowershellblog.wordpress.com/2008/05/25/system-directoryservices-accountmanagement/)
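Review bot: the EXAMPLE code fences in this generated page are broken: only the first line of each example sits inside the ``` block, and the remaining lines (the Set-DomainUserPassword call in example 1; the PSCredential construction, the second ConvertTo-SecureString and the call in example 2) render as prose, so the help generator appears to have closed the fence after the first line. Each example's full command sequence should be inside one fence. The DESCRIPTION also carries a stray line break before "SetPassword()", "usering" should be "using", and INPUTS and NOTES are empty headings that should either be filled (INPUTS: None, since no parameter accepts pipeline input) or dropped.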


@ -1,17 +1,3 @@
To install this module, drop the entire Recon folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
To use the module, type `Import-Module Recon`
To see the commands imported, type `Get-Command -Module Recon`
For help on each individual command, Get-Help is your friend.
Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
## PowerView
PowerView is a PowerShell tool to gain network situational awareness on
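Review bot: the module installation and import instructions dropped here (the PSModulePath locations, `Import-Module Recon`, `Get-Command -Module Recon`, and the note that each tool can also be run stand-alone) are not shown being relocated anywhere else in this commit. If the intent is to centralise them in the top-level README or the docs site, keep a one-line pointer to that location at the top of this file so someone opening the Recon folder can still find how to load the module.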


@ -1,189 +1,74 @@
### PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts:
## Overview
PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.
## CodeExecution
### CodeExecution
Execute code on a target machine.
**Execute code on a target machine.**
Invoke-DllInjection - Injects a Dll into the process ID of your choosing.
Invoke-ReflectivePEInjection - Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process.
Invoke-Shellcode - Injects shellcode into the process ID of your choosing or within PowerShell locally.
Invoke-WmiCommand - Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel
#### `Invoke-DllInjection`
### ScriptModification
Modify and/or prepare scripts for execution on a compromised machine.
Injects a Dll into the process ID of your choosing.
Out-EncodedCommand - Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
Out-CompressedDll - Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
Out-EncryptedScript - Encrypts text files/scripts.
Remove-Comments - Strips comments and extra whitespace from a script.
#### `Invoke-ReflectivePEInjection`
### Persistence
Reflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process.
Add persistence capabilities to a PowerShell script.
#### `Invoke-Shellcode`
New-UserPersistenceOption - Configure user-level persistence options for the Add-Persistence function.
New-ElevatedPersistenceOption - Configure elevated persistence options for the Add-Persistence function.
Add-Persistence - Add persistence capabilities to a script.
Install-SSP - Installs a security support provider (SSP) dll.
Get-SecurityPackages - Enumerates all loaded security packages (SSPs).
Injects shellcode into the process ID of your choosing or within PowerShell locally.
### AntivirusBypass
AV doesn't stand a chance against PowerShell!
#### `Invoke-WmiCommand`
Find-AVSignature - Locates single Byte AV signatures utilizing the same method as DSplit from "class101".
Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel.
### Exfiltration
All your data belong to me!
## ScriptModification
Invoke-TokenManipulation - Lists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in the current thread.
Invoke-CredentialInjection - Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon).
Invoke-NinjaCopy - Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.
Invoke-Mimikatz - Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz.
Get-Keystrokes - Logs keys pressed, time and the active window.
Get-GPPPassword - Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
Get-GPPAutologon - Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences.
Get-TimedScreenshot - A function that takes screenshots at a regular interval and saves them to a folder.
New-VolumeShadowCopy - Creates a new volume shadow copy.
Get-VolumeShadowCopy - Lists the device paths of all local volume shadow copies.
Mount-VolumeShadowCopy - Mounts a volume shadow copy.
Remove-VolumeShadowCopy - Deletes a volume shadow copy.
Get-VaultCredential - Displays Windows vault credential objects including cleartext web credentials.
Out-Minidump - Generates a full-memory minidump of a process.
Get-MicrophoneAudio - Records audio from system microphone and saves to disk.
**Modify and/or prepare scripts for execution on a compromised machine.**
### Mayhem
Cause general mayhem with PowerShell.
#### `Out-EncodedCommand`
Set-MasterBootRecord - Proof of concept code that overwrites the master boot record with the message of your choice.
Set-CriticalProcess - Causes your machine to blue screen upon exiting PowerShell.
Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
### Privesc
Tools to help with escalating privileges on a target, including PowerUp.
#### `Out-CompressedDll`
PowerUp - Clearing house of common privilege escalation checks, along with some weaponization vectors.
Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
### Recon
Tools to aid in the reconnaissance phase of a penetration test, including PowerView.
#### `Out-EncryptedScript`
Encrypts text files/scripts.
#### `Remove-Comments`
Strips comments and extra whitespace from a script.
## Persistence
**Add persistence capabilities to a PowerShell script**
#### `New-UserPersistenceOption`
Configure user-level persistence options for the Add-Persistence function.
#### `New-ElevatedPersistenceOption`
Configure elevated persistence options for the Add-Persistence function.
#### `Add-Persistence`
Add persistence capabilities to a script.
#### `Install-SSP`
Installs a security support provider (SSP) dll.
#### `Get-SecurityPackages`
Enumerates all loaded security packages (SSPs).
## AntivirusBypass
**AV doesn't stand a chance against PowerShell!**
#### `Find-AVSignature`
Locates single Byte AV signatures utilizing the same method as DSplit from "class101".
## Exfiltration
**All your data belong to me!**
#### `Invoke-TokenManipulation`
Lists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in the current thread.
#### `Invoke-CredentialInjection`
Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon).
#### `Invoke-NinjaCopy`
Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.
#### `Invoke-Mimikatz`
Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz.
#### `Get-Keystrokes`
Logs keys pressed, time and the active window.
#### `Get-GPPPassword`
Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
#### `Get-GPPAutologon`
Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences.
#### `Get-TimedScreenshot`
A function that takes screenshots at a regular interval and saves them to a folder.
#### `New-VolumeShadowCopy`
Creates a new volume shadow copy.
#### `Get-VolumeShadowCopy`
Lists the device paths of all local volume shadow copies.
#### `Mount-VolumeShadowCopy`
Mounts a volume shadow copy.
#### `Remove-VolumeShadowCopy`
Deletes a volume shadow copy.
#### `Get-VaultCredential`
Displays Windows vault credential objects including cleartext web credentials.
#### `Out-Minidump`
Generates a full-memory minidump of a process.
#### 'Get-MicrophoneAudio'
Records audio from system microphone and saves to disk
## Mayhem
**Cause general mayhem with PowerShell.**
#### `Set-MasterBootRecord`
Proof of concept code that overwrites the master boot record with the
message of your choice.
#### `Set-CriticalProcess`
Causes your machine to blue screen upon exiting PowerShell.
## Privesc
**Tools to help with escalating privileges on a target.**
#### `PowerUp`
Clearing house of common privilege escalation checks, along with some weaponization vectors.
## Recon
**Tools to aid in the reconnaissance phase of a penetration test.**
#### `Invoke-Portscan`
Does a simple port scan using regular sockets, based (pretty) loosely on nmap.
#### `Get-HttpStatus`
Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file.
#### `Invoke-ReverseDnsLookup`
Scans an IP address range for DNS PTR records.
#### `PowerView`
PowerView is series of functions that performs network and Windows domain enumeration and exploitation.
## Recon\Dictionaries
**A collection of dictionaries used to aid in the reconnaissance phase of a penetration test. Dictionaries were taken from the following sources.**
* admin.txt - <http://cirt.net/nikto2/>
* generic.txt - <http://sourceforge.net/projects/yokoso/files/yokoso-0.1/>
* sharepoint.txt - <http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/>
Invoke-Portscan - Does a simple port scan using regular sockets, based (pretty) loosely on nmap.
Get-HttpStatus - Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file.
Invoke-ReverseDnsLookup - Scans an IP address range for DNS PTR records.
PowerView - PowerView is series of functions that performs network and Windows domain enumeration and exploitation.
## License
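Review bot: the new `#### 'Get-MicrophoneAudio'` heading uses single quotes while every other function heading in this file uses backticks (the same inconsistency is corrected in another file in this commit, so the fix was probably just missed here), and its description is the only one without a trailing period. Two smaller wording points in the new text: "PowerView is series of functions" is missing "a", and the Recon intro no longer mentions PowerView ("including PowerView" was dropped) even though PowerView is the bulk of that module, so consider restoring the mention in the bold lead line.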


@ -29,6 +29,7 @@ pages:
- Find-DomainObjectPropertyOutlier: 'Recon/Find-DomainObjectPropertyOutlier.md'
- Get-DomainUser: 'Recon/Get-DomainUser.md'
- New-DomainUser: 'Recon/New-DomainUser.md'
- Set-DomainUserPassword: 'Recon/Set-DomainUserPassword.md'
- Get-DomainUserEvent: 'Recon/Get-DomainUserEvent.md'
- Get-DomainComputer: 'Recon/Get-DomainComputer.md'
- Get-DomainObject: 'Recon/Get-DomainObject.md'