PowerView and PowerUp have moved to the PowerSploit repository under ./Recon/ and ./Privesc/ respectively.
No pull requests will be accepted and no issues will be answered, however the repository code will be left up for the time being.
PowerTools is a collection of PowerShell projects with a focus on offensive operations.
License: Other
Should,
extern unsigned char PowerShellRnuner_dll[];
be
extern unsigned char PowerShellRunner_dll[];
Hello there,
Thank you for this awesome framework.
To me, it would be even more awesome if you would add a -Credential
option for (ideally) every function, especially Invoke-FileFinder
and its threaded version as it is useful to easily know which sensitive files one can access with different collected credentials.
Plus, it is convenient to be able to launch such functions from off-domain workstations (i.e. the attacker's own).
Again, thank you.
Cheers.
Currently, Invoke-FindDLLHijack does not differentiate between directories in the System path and directories in the current user's path. It'd be nice to be able to quickly determine if the hijack-able location is only in the current user's path since it affects whether or not the directory can be used for local privilege escalation.
PS C:\Users\xxxxxxDesktop\PowerTools\PowerView> Get-NetUsers
Get-NetUsers : The term 'Get-NetUsers' is not recognized as the name of a
cmdlet, function, script file, or operable program. Check the spelling of the
name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
- CategoryInfo : ObjectNotFound: (Get-NetUsers:String) [], Comman
dNotFoundException
- FullyQualifiedErrorId : CommandNotFoundException
I'm running with a local admin account, also tried a DA account, and using the hostname vs an IP address. Specifying the domain name with the user name also returned the same error. My target host is windows 7, PS ver 3, no host Firewall
Invoke-WmiMethod - Remote - 0x80070005 (E_ACCESSDENIED) on technet
beacon> powershell $PSversiontable
[*] Tasked beacon to run: $PSversiontable
[+] host called home, sent: 23 bytes
[+] received output:
Name Value
---- -----
PSVersion 3.0
WSManStackVersion 3.0
SerializationVersion 1.1.0.1
CLRVersion 4.0.30319.18444
BuildVersion 6.2.9200.16398
PSCompatibleVersions {1.0, 2.0, 3.0}
PSRemotingProtocolVersion 2.2
beacon> powershell Invoke-MassSearch -Hosts 192.168.1.100 -Username localadmin -Password P@ssword -Verbose -Debug
[*] Tasked beacon to run: Invoke-MassSearch -Hosts 192.168.1.100 -Username localadmin -Password P@ssword -Verbose -Debug
[+] host called home, sent: 103 bytes
[+] received output:
#< CLIXML
[+] received output:
<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
<S S="verbose">Sleeping, letting the web server stand up...</S>
<S S="verbose">Executing command on host "192.168.1.100"</S>
<S S="Error">Invoke-WmiMethod : Access is denied. (Exception from HRESULT: 0x80070005 _x000D__x000A_</S>
<S S="Error">(E_ACCESSDENIED))_x000D__x000A_</S><S S="Error">At line:508 char:13_x000D__x000A_</S>
<S S="Error">+ Invoke-WmiMethod -ComputerName $_ -Path Win32_process -Name _x000D__x000A_</S>
<S S="Error">create - ..._x000D__x000A_</S>
<S S="Error">+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~_x000D__x000A_</S>
<S S="Error">~~~_x000D__x000A_</S><S S="Error"> + CategoryInfo : NotSpecified: (:) [Invoke-WmiMethod], Unauthoriz _x000D__x000A_</S>
<S S="Error"> edAccessException_x000D__x000A_</S>
<S S="Error"> + FullyQualifiedErrorId : System.UnauthorizedAccessException,Microsoft.Pow _x000D__x000A_</S>
<S S="Error"> erShell.Commands.InvokeWmiMethod_x000D__x000A_</S><S S="Error"> _x000D__x000A_</S>
<S S="verbose">Waiting 30 seconds for commands to trigger...</S>
<S S="verbose">Killing the web server</S>
</Objs>
The result I'm getting back is a count of 0 members :(
However net group "groupname" /domain brings back lots
http://itq.nl/get-more-than-1500-members-from-an-active-directory-group/
If the 'member' count is 0 we should check if there is a property member;range=0-1499
and then member;1500-2999
etc
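As an added example (not PowerView's own code) of the ranged retrieval described in the linked article: once a multi-valued attribute exceeds the DC's limit (1500 values by default), the search result no longer carries `member` at all but `member;range=0-1499`, and each further page has to be requested explicitly. The function below walks those pages with `DirectoryEntry.RefreshCache`. It assumes a domain-joined host and that the `PageSize` parameter matches the DC's `MaxValRange` (1500 unless the DC policy was changed).

```powershell
# Added example: return every member DN of a group, including groups whose
# 'member' attribute exceeds the server-side range limit.
function Get-LargeGroupMember {
    param(
        [Parameter(Mandatory = $true)][string] $GroupName,
        [int] $PageSize = 1500   # assumed to match the DC's MaxValRange
    )

    $searcher = [adsisearcher]"(&(objectCategory=group)(samAccountName=$GroupName))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Group '$GroupName' not found" }

    # Small groups expose the whole list under plain 'member'.
    if ($result.Properties.Contains('member')) {
        return @($result.Properties['member'] | ForEach-Object { [string]$_ })
    }

    # Large groups: the DC only answers 'member;range=<low>-<high>' requests,
    # and marks the final page as 'member;range=<low>-*'.
    $entry = $result.GetDirectoryEntry()
    $all = New-Object System.Collections.Generic.List[string]
    $low = 0
    while ($true) {
        $high = $low + $PageSize - 1
        $entry.RefreshCache([string[]]@("member;range=$low-$high"))
        $name = @($entry.Properties.PropertyNames | Where-Object { $_ -like "member;range=$low-*" })[0]
        if (-not $name) { break }            # no page came back: nothing more to read
        foreach ($dn in $entry.Properties[$name]) { $all.Add([string]$dn) }
        if ($name.EndsWith('*')) { break }   # last page reached
        $low = $high + 1
    }
    return $all.ToArray()
}

# Usage (group name is a placeholder):
# (Get-LargeGroupMember -GroupName 'Domain Users').Count
```

The check that matters for the bug above is the `Contains('member')` test: a count of 0 from `$result.Properties['member']` on a large group does not mean the group is empty, it means the attribute was returned under a ranged name instead.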
PS C:\Temp\temppowertools\PowerTools\PowerView> Import-Module .\powerview.psm1
You must provide a value expression on the right-hand side of the '-' operator.
At C:\Temp\temppowertools\PowerTools\PowerView\powerview.ps1:10613 char:72
$groups = Get-NetGroups -Domain $Domain | Where-Object { -not ($_ - <<<<
When using Invoke-Mimikatz without specifying a Local IP, it fails to determine the Local IP when IPv4 and IPv6 are enabled. This is what happens if you run the current version of Invoke-MassMimikatz on a staging machine with both IPv4 and IPv6 enabled:
When digging into how Invoke-MassMimikatz determines the local IP if one isn't specified, I noticed that if IPv4 & IPv6 are both enabled, $LocalIPAddress returns the whole array instead of selecting a single IP (such as [0])
The trouble code is this:
$p = (gwmi Win32_NetworkAdapterConfiguration| Where{$_.IPAddress} | Select -Expand IPAddress);
$LocalIpAddress = @{$true=$p[0];$false=$p}[$p.Length -lt 6];
When running this on a staging machine with IPv4 & IPv6 enabled, the code above returns this:
I found the code below in an older version of Invoke-MassMimikatz. After testing, it still pulls the correct IP regardless of whether IPv4, IPv6 or both IPv4/IPv6 are enabled:
$LocalIpAddress = (gwmi Win32_NetworkAdapterConfiguration | ? { $_.IPAddress -ne $null}).ipaddress[0]
The code that seems to resolve this issue was, at one point, in Invoke-MassMimikatz but was changed to the trouble code...which leads me to assume it was changed and updated for a reason. Because of that, I won't put in a pull request suggesting the update as it is really just a rollback to older code.
Here is a difference view of the current code vs the older code:
I'm sure the older code was replaced for a reason, so all I know is that if IPv4 and IPv6 are enabled, $LocalIPAddress spits an array instead of a single IP to write output back to, which prevents any output from being returned.
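As an added example (not code from Invoke-MassMimikatz or the older revision quoted above), the length heuristic `$p.Length -lt 6` can be replaced by checking each address's family, which is what actually distinguishes the IPv4 entry from the IPv6 one in the `IPAddress` array. The function assumes local WMI access to `Win32_NetworkAdapterConfiguration`.

```powershell
# Added example: select one usable IPv4 address on a host that has both
# IPv4 and IPv6 enabled, instead of returning the whole IPAddress array.
function Get-LocalIPv4Address {
    $candidates = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.IPAddress } |
        ForEach-Object { $_.IPAddress } |                       # unroll each adapter's string[]
        ForEach-Object { [System.Net.IPAddress]::Parse($_) } |
        Where-Object {
            $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork -and   # IPv4 only
            -not [System.Net.IPAddress]::IsLoopback($_) -and
            -not $_.ToString().StartsWith('169.254.')           # skip APIPA / link-local
        }

    $first = @($candidates)[0]
    if (-not $first) { throw 'No usable IPv4 address found on this host' }
    return $first.ToString()   # always a single string, never an array
}

# Usage:
# $LocalIpAddress = Get-LocalIPv4Address
```

Because the result is always a single string, the later `Write-Output` back to `$LocalIpAddress` gets a proper address whatever mix of address families the staging machine has.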
When I run the function Invoke-MapDomainTrust
I get the following exception.
Exception calling "ContainsKey" with "1" argument(s): "Key cannot be null.
Parameter name: key"
At PowerTools-master\powerview\powerview.ps1:10924 char:42
+ if (-not $SeenDomains.ContainsKey <<<< ($Domain)) {
+ CategoryInfo : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException
WARNING: The specified domain redacted.com does not exist, could not be
contacted, or there isn't an existing trust.
It continues running and looping through each item but it's throwing a lot of the above exceptions in my current environment. It appears to still be returning good results as it finds them as well.
When attacking a domain with 4000-10000 endpoints, running userhunter takes fooorreeevvvvver.
It would be really really awesome to have the ability to specify threads so that this process is shortened.
The description blocks for Invoke-StealthUserHunter and Invoke-UserHunter don't include the SaveAll flag but do include ping which I don't think works any more.
While waiting for the userhunter(s) to complete, it would be super handy to have powerview say something like:
X number of machines discovered on X domain.
YY of XX machines examined, ZZ minutes/seconds remaining
Just to get an idea of "should I walk away from this or not".
On average, this one client we have, running stealthuserhunter takes 2-3 hours.
When invoked with the -Ping flag I get error:
Invoke-Netview : A parameter cannot be found that matches parameter name 'Ping'
At line:1 char:16
Using runas /netonly
technique, for some reason Test-Path returns false unless you have the drive mapped?
e.g. net use * \target.com
Then Test-Path will start returning true...
The following logic in this method appears to be incorrect:
if($GroupDN -ne $DistinguishedDomainName){
$GroupDomain = $($membership.substring($index)) -replace 'DC=','' -replace ',','.'
$GroupName = $membership.split(",")[0].split("=")[1]
}
A number of issues are here:
I fixed it with the following route:
if $GroupDomain.CompareTo($Domain)
Sorry cant submit a PR at the moment.
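As an added example (not the PowerView function under discussion), this is how the group name and domain can be derived from a distinguishedName without assuming the group lives in the caller's domain, which is the comparison the snippet above gets wrong. Sample DNs are constructed.

```powershell
# Added example: split a group DN into its name and DNS domain.
function ConvertFrom-GroupDN {
    param([Parameter(Mandatory = $true)][string] $DistinguishedName)

    # Split on commas that are not escaped (RFC 4514 allows 'CN=Smith\, John').
    $rdns = $DistinguishedName -split '(?<!\\),'

    $name = ($rdns | Where-Object { $_ -match '^CN=' } | Select-Object -First 1) `
        -replace '^CN=', '' -replace '\\,', ','
    $domain = ($rdns | Where-Object { $_ -match '^DC=' } |
        ForEach-Object { $_ -replace '^DC=', '' }) -join '.'

    [pscustomobject]@{
        Name              = $name
        Domain            = $domain
        DistinguishedName = $DistinguishedName
    }
}

# Constructed sample input: one group from the local domain, one from a trusted domain.
$samples = @(
    'CN=Domain Admins,CN=Users,DC=corp,DC=example',
    'CN=Remote Ops\, Team,OU=Groups,DC=partner,DC=example'
)
$samples | ForEach-Object { ConvertFrom-GroupDN $_ }
```

With the DN parsed this way, the membership loop can compare `$parsed.Domain` against `$Domain` directly (a case-insensitive `-ne`) instead of comparing the raw DN against the domain's distinguished name.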
Something along the lines of:
function Get-Proxy {
    # Open the current user's hive on the local machine and read the WinINet proxy settings.
    $reg2 = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('CurrentUser', $env:COMPUTERNAME)
    # PowerShell strings do not use backslash escapes, so the key path takes single backslashes.
    $regkey2 = $reg2.OpenSubKey("SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings")
    $proxy_server = $regkey2.GetValue('ProxyServer')
    $url = $regkey2.GetValue('AutoConfigURL')
    # Only fetch the PAC/WPAD script when an AutoConfigURL is actually set.
    $wpad = if ($url) { (New-Object Net.WebClient).DownloadString($url) } else { $null }
    Write-Host $proxy_server
    Write-Host $url
    Write-Host $wpad
}
Hi,
the cmdlet Invoke-UserEventHunter has changed to Invoke-EventHunter from version 1.0 to 2.0; it would be great if you fixed that so as not to confuse others.
Thanks for your work to the community.
Is it possible to identify foreign users based on the userprincipalname?
Wildcards are not possible on the DN or the SID.
Looks like there's an unnecessary call to GetType:
https://github.com/Veil-Framework/PowerTools/blob/master/PowerView/powerview.ps1#L3387
If the connection string doesn't have a user/password we get the following result:
user : True
pass : 1800
dbserv : BLAH,PORT
vdir : PATH
path : PATH\Web.config
encr : No
from:
<add name="NAME" connectionString="Data Source=HOST,PORT;Initial Catalog=SOMETHING;Persist Security Info=True;Connection Timeout=1800; Workstation ID=SOMETHING; Max Pool Size=20" />
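As an added example (not PowerView's own Web.config parser), the wrong `user : True` / `pass : 1800` output comes from treating connection-string fields positionally; splitting the string into key/value pairs reports a missing credential as absent instead. The Web.config fragment below is constructed, with the page's connection string plus one that does carry a credential.

```powershell
# Added example: parse connectionString attributes by key, not by position.
$sampleWebConfig = @'
<configuration>
  <connectionStrings>
    <add name="NAME" connectionString="Data Source=HOST,PORT;Initial Catalog=SOMETHING;Persist Security Info=True;Connection Timeout=1800; Workstation ID=SOMETHING; Max Pool Size=20" />
    <add name="WithCreds" connectionString="Server=db01,1433;Database=app;User ID=svc_app;Password=Example!;Encrypt=True" />
  </connectionStrings>
</configuration>
'@

function ConvertFrom-ConnectionString {
    param([Parameter(Mandatory = $true)][string] $ConnectionString)
    $pairs = @{}
    foreach ($part in $ConnectionString -split ';') {
        if ($part.Trim() -eq '') { continue }
        $key, $value = $part -split '=', 2
        if ($null -eq $value) { continue }          # no '=': not a key/value field
        # Keys are case-insensitive and usually written with spaces ('User ID').
        $pairs[$key.Trim().ToLowerInvariant()] = $value.Trim()
    }
    return $pairs
}

function Get-WebConfigConnection {
    param([Parameter(Mandatory = $true)][xml] $Config)
    foreach ($add in $Config.configuration.connectionStrings.add) {
        $kv = ConvertFrom-ConnectionString $add.connectionString

        # Each setting has several accepted spellings; take whichever is present.
        $user = $null;   foreach ($k in 'user id', 'uid', 'user')            { if ($kv.ContainsKey($k)) { $user = $kv[$k] } }
        $pass = $null;   foreach ($k in 'password', 'pwd')                    { if ($kv.ContainsKey($k)) { $pass = $kv[$k] } }
        $server = $null; foreach ($k in 'data source', 'server', 'address')  { if ($kv.ContainsKey($k)) { $server = $kv[$k] } }

        $passState = if ($null -ne $pass) { '<present>' } else { $null }   # report presence, never the secret
        $encr = if ($kv['encrypt'] -eq 'True') { 'Yes' } else { 'No' }

        [pscustomobject]@{
            name   = $add.name
            dbserv = $server
            user   = $user        # $null when no credential is embedded
            pass   = $passState
            encr   = $encr
        }
    }
}

Get-WebConfigConnection ([xml]$sampleWebConfig) | Format-Table -AutoSize
```

For the page's example the `user` and `pass` columns come back empty, while `WithCreds` reports `svc_app` and `<present>`; the `Connection Timeout=1800` value is no longer mistaken for a password.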
The StealthUserHunter calls Get-NetFileServers and by default calls Get-NetUser with just the domain flag.
Get-NetFileServers should take a $TargetUsers array. Invoke-StealthUserHunter should pass this to Get-NetFileServers...
We've been requested to potentially allow users to provide a file containing the search terms to look for within Invoke-FileFinder. This would be similar to how hosts can be provided within a hosts file.
Most of the other tools show (x of y) when they are running in verbose mode but invoke-filefinder doesn't, it would be useful to have it.
Version: 0.69.1.0
OS Version: Microsoft Windows NT 10.0.22621.0
IntPtr Length: 8
x64: True
Date: 12/05/2023 2:16:45 PM
Exception:
System.IO.FileNotFoundException: Could not find file 'C:\Program Files\PowerToys\modules\launcher\Images\app.dark.png'.
File name: 'C:\Program Files\PowerToys\modules\launcher\Images\app.dark.png'
at Microsoft.Win32.SafeHandles.SafeFileHandle.CreateFile(String fullPath, FileMode mode, FileAccess access, FileShare share, FileOptions options)
at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String fullPath, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize, Nullable`1 unixCreateMode)
at System.IO.Strategies.OSFileStreamStrategy..ctor(String path, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize, Nullable`1 unixCreateMode)
at System.IO.Strategies.FileStreamHelpers.ChooseStrategyCore(String path, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize, Nullable`1 unixCreateMode)
at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share)
at System.Windows.Media.Imaging.BitmapDecoder.SetupDecoderFromUriOrStream(Uri uri, Stream stream, BitmapCacheOption cacheOption, Guid& clsId, Boolean& isOriginalWritable, Stream& uriStream, UnmanagedMemoryStream& unmanagedMemoryStream, SafeFileHandle& safeFilehandle)
at System.Windows.Media.Imaging.BitmapDecoder.CreateFromUriOrStream(Uri baseUri, Uri uri, Stream stream, BitmapCreateOptions createOptions, BitmapCacheOption cacheOption, RequestCachePolicy uriCachePolicy, Boolean insertInDecoderCache)
at System.Windows.Media.Imaging.BitmapImage.FinalizeCreation()
at Wox.Infrastructure.Image.ImageLoader.Initialize(Theme theme)
at PowerLauncher.App.<>c__DisplayClass19_0.b__0()
at Wox.Infrastructure.Stopwatch.Normal(String message, Action action)
at PowerLauncher.App.OnStartup(Object sender, StartupEventArgs e)
at System.Windows.Application.<.ctor>b__1_0(Object unused)
at System.Windows.Threading.ExceptionWrapper.InternalRealCall(Delegate callback, Object args, Int32 numArgs)
at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(Object source, Delegate callback, Object args, Int32 numArgs, Delegate catchHandler)
PS C:\Users\Administrator\Downloads> .\PowerView.ps1
PS C:\Users\Administrator\Downloads> Get-NetUser | select cn
cmdlet, function, script file, or operable program. Check the spelling of the
name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ CategoryInfo : ObjectNotFound: (Get-NetUser:String) [], Command
NotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
I know this doesn't affect operations but reporting it as it looks untidy:
VERBOSE: Importing function 'ConvertTo-JSON'.
WARNING: Some imported command names include unapproved verbs which might make
them less discoverable. Use the Verbose parameter for more detail or type
Get-Verb to see the list of approved verbs.
VERBOSE: The command name 'Escape-JSONString' includes an unapproved verb which
might make it less discoverable.
I have been running into this error:
(Empire: lateral_movement/invoke_wmi) > interact RGCZ4KPVRRAPHVWY
error running command: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
It happens when I try to execute or run the command. I have 35 active agents, and about 136 captured credentials. I suddenly started getting this error after about 2 hours of use today. I have changed agents, credentials, and target computers. I have also rebooted a few systems, and cleared tasks for all agents.
Any ideas?
Thanks,
Ben
https://github.com/Veil-Framework/PowerTools/blob/master/PowerView/powerview.ps1
In the example on the line 2780:
Invoke-NetGroupUserAdd -UserName john -GroupName "Domain Admins" -Domain
You are missing the domain name
Get-UnattendedInstallFiles is looking for unattended.xml, but Microsoft documentation says this should be unattend.xml
https://technet.microsoft.com/en-us/library/cc749415(WS.10).aspx
Something along the lines of:
function Get-OUs {
$info = ([adsisearcher]"objectclass=organizationalunit")
$info.PropertiesToLoad.AddRange("CanonicalName")
$info.findall().properties.canonicalname
}
When running powershell (both with powershell -exec bypass or just setting the execution policy to unrestricted) I'm getting the below errors in trying to run Import-Module:
Import-Module : The module manifest 'C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PowerView\PowerView.psd1'
could not be processed because it is not a valid Windows PowerShell restricted language file. Remove the elements that
are not permitted by the restricted language:
At C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PowerView\PowerView.psd1:107 char:12
<!-- </textarea> --><!-- '"` --><form accept-charset="UTF-8" action="/Powe ...
~
~
<li>© 2016 <span title="0.04437s from github-fe138-cp1-prd.iad.github ...
~
<li>© 2016 <span title="0.04437s from github-fe138-cp1-prd.iad.github ...
~
<li>© 2016 <span title="0.04437s from github-fe138-cp1-prd.iad.github ...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~
~
~
- CategoryInfo : ResourceUnavailable: (C:\Windows\syst...\PowerView.psd1:String) [Import-Module], Missing
MemberException
- FullyQualifiedErrorId : Modules_InvalidManifest,Microsoft.PowerShell.Commands.ImportModuleCommand
It would take output from Invoke-FileFinder and download all the files in the list to a local directory.
Hi Guys,
Thanks for your awesome work on Red Teaming with PowerShell. If I may, I'd suggest a one-liner for deactivating the PowerShell execution policy "issue" when "powershell.exe -exec bypass" doesn't work.
function Disable-ExecutionPolicy {
($ctx = $executioncontext.gettype().getfield("_context","nonpublic,instance").getvalue($executioncontext)).gettype().getfield("_authorizationManager","nonpublic,instance").setvalue($ctx, (new-object System.Management.Automation.AuthorizationManager "Microsoft.PowerShell"))
}
src: http://www.nivot.org/blog/post/2012/02/10/Bypassing-Restricted-Execution-Policy-in-Code-or-in-Script
I've just tested it in an assignment, and it seems to work very well. Hope that helps. Cheers!
Hello,
Excellent piece of work! It is too bad though that the Invoke-MapDomainTrusts cmdlet does not handle forest trusts. The result is not complete then.
Do you think it is possible to add the feature?
Something like:
function Get-DFSShares {
process {
$DFSSearcher = [adsisearcher]"(objectClass=fTDfs)"
$DFSSearcher.FindAll() | ForEach-Object {
$properties = $_.Properties
$properties.name
$properties.remoteservername
}
}
}
Would be useful to integrate with stealthuserhunter...
Without setting $searcher.PageSize we limit results to 1000 default, so ideally we always want to set a PageSize, and ideally this should all be refactored into the Get-DomainSearcher method? Additionally it may be worthwhile having it as customizable - so different page sizes can be specified :)
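As an added example (not PowerView's Get-DomainSearcher), this is the refactoring suggested above: a searcher factory that always enables paging and lets the caller pick the page size. It assumes a domain-joined host; the `SearchBase` value in the comment is a placeholder.

```powershell
# Added example: build a DirectorySearcher with paging on, so result sets larger
# than the DC's MaxPageSize (1000 by default) are returned in full.
function New-PagedDomainSearcher {
    param(
        [string]   $Filter = '(objectClass=*)',
        [string]   $SearchBase,                 # e.g. 'LDAP://DC=corp,DC=example' (placeholder)
        [string[]] $Properties,
        [ValidateRange(1, 1000)][int] $PageSize = 200
    )

    # An empty ADSI path binds to the default naming context of the current domain.
    $root = if ($SearchBase) { [adsi]$SearchBase } else { [adsi]'' }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter)
    $searcher.PageSize = $PageSize      # 0 (the default) disables paging and caps results at 1000
    $searcher.SearchScope = 'Subtree'
    if ($Properties) { [void]$searcher.PropertiesToLoad.AddRange($Properties) }
    return $searcher
}

# Usage: count user objects. Without PageSize a domain with more than 1000 users
# is silently truncated; with it the full set is paged through.
$searcher = New-PagedDomainSearcher -Filter '(&(objectCategory=person)(objectClass=user))' `
                                    -Properties 'samaccountname' -PageSize 500
$results = $searcher.FindAll()
try {
    "Returned $($results.Count) user objects"
} finally {
    $results.Dispose()   # SearchResultCollection keeps the LDAP connection open until disposed
}
```

A page size above the DC's MaxPageSize is simply served in MaxPageSize-sized pages, so a caller asking for 1000 loses nothing; a smaller page size trades a few more round trips for lower memory use per page.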
PS C:\temp\data> Invoke-UserHunterThreaded -GroupName {GroupName} -HostList {HostList} -MaxThreads 10 -Verbose
[*] Running Invoke-UserHunterThreaded with delay of
[] Querying domain group {GroupName} for target users...
[] Total number of hosts: {TotalCount}
VERBOSE: [*] Enumerating server {SystemName} (1 of {TotalCount})
Property 'runspacepool' cannot be found on this object; make sure it exists and is settable.
At {PowerViewPath}\powerview.ps1:5215 char:31
$ps[$counter]. <<<< runspacepool = $pool
You cannot call a method on a null-valued expression.
At {PowerViewPath}\powerview.ps1:5218 char:46
[void]$ps[$counter].AddScript <<<< ($EnumServerBlock).AddParameter('Server', $server).AddParameter('Ping', -not $NoPing).AddParameter('TargetUsers', $TargetUsers).AddParameter('CurrentUser', $CurrentUser).AddParameter('CurrentUserBase', $CurrentUserBase)
You cannot call a method on a null-valued expression.
At {PowerViewPath}\powerview.ps1:5221 char:51
$jobs += $ps[$counter].BeginInvoke <<<< ();
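As an added example (not PowerView's threading code), serving both the request above for threads plus an "XX of YY examined, ZZ remaining" progress line and the runspace errors just shown: the `Property 'runspacepool' cannot be found` message means `$ps[$counter]` was null when `.runspacepool` was assigned, i.e. the `[powershell]` instance had not been created before the pool was attached. Creating each instance first and tracking its handle avoids it. The host list is constructed and the per-host scriptblock is a placeholder that only sleeps.

```powershell
# Added example: run a per-host scriptblock over a runspace pool and report
# progress with an estimated time remaining while waiting for completion.
$hosts = 1..40 | ForEach-Object { 'host{0}.example.test' -f $_ }   # constructed sample input
$maxThreads = 8

$work = {
    param($ComputerName)
    Start-Sleep -Milliseconds (Get-Random -Minimum 50 -Maximum 300)   # stands in for real per-host work
    [pscustomobject]@{ ComputerName = $ComputerName; Completed = Get-Date }
}

$pool = [runspacefactory]::CreateRunspacePool(1, $maxThreads)
$pool.Open()

$pending = @(foreach ($h in $hosts) {
    # Create the PowerShell instance first, then attach the pool; assigning
    # .RunspacePool on a null array slot is what produced the error above.
    $ps = [powershell]::Create()
    $ps.RunspacePool = $pool
    [void]$ps.AddScript($work).AddArgument($h)
    [pscustomobject]@{ Shell = $ps; Handle = $ps.BeginInvoke(); Host = $h }
})

$started = Get-Date
$total = $pending.Count
$results = @()
while ($pending.Count -gt 0) {
    # One IsCompleted check per job, so nothing finishes between two filters and is lost.
    $done = @(); $still = @()
    foreach ($j in $pending) { if ($j.Handle.IsCompleted) { $done += $j } else { $still += $j } }
    $pending = $still

    foreach ($j in $done) {
        $results += @($j.Shell.EndInvoke($j.Handle))
        $j.Shell.Dispose()
    }

    $finished = $total - $pending.Count
    if ($finished -gt 0) {
        $elapsed = (Get-Date) - $started
        $eta = [timespan]::FromSeconds($elapsed.TotalSeconds / $finished * $pending.Count)
        Write-Progress -Activity "Enumerating $total hosts" `
            -Status ('{0} of {1} examined, about {2:hh\:mm\:ss} remaining' -f $finished, $total, $eta) `
            -PercentComplete ([int](100 * $finished / $total))
    }
    Start-Sleep -Milliseconds 200
}
Write-Progress -Activity "Enumerating $total hosts" -Completed
$pool.Close(); $pool.Dispose()
"Collected $($results.Count) results"
```

The ETA is a straight extrapolation of the average time per completed host, which is enough for the "should I walk away" question; it settles after the first few completions and is refreshed every 200 ms.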
~ Line 6825 (might have changed) has a debugging group listed.
The $TargetServerAdmins option probably doesn't work as a result.
Probably was just changed.
I tried to back up the file Invoke-EnumerateLocalAdmins was saving its data to and must have done it just as it tried to write so it failed with the following error:
VERBOSE: [*] Enumerating server abc.com (12551 of 16544)
Out-File : The process cannot access the file 'admins.csv' because it is being used by another process.
At line:1 char:117
+ ConvertTo-Csv -NoTypeInformation | Foreach-Object {$start=$true}{if ($start)
{$start=$false} else {$_}} | Out-File <<<< -FilePath 'admins.csv' -Encoding
'ASCII' -Append
+ CategoryInfo : OpenError: (:) [Out-File], IOException
+ FullyQualifiedErrorId : FileOpenFailure,Microsoft.PowerShell.Commands.Ou
tFileCommand
It would be good if it had a way to try to recover from this, especially as I was at 12551 of 16544 servers scanned.
Is there a way to tell it to start again on the server it was trying when it failed? I have a list of all the servers and I have a list of all that it already scanned.