PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts:CodeExecutionExecute code on a target machine.Invoke-DllInjectionInjects a Dll into the process ID of your choosing.
Invoke-ReflectivePEInjectionReflectively loads a Windows PE file (DLL/EXE) in to the powershell process, or reflectively injects a DLL in to a remote process.
Invoke-ShellcodeInjects shellcode into the process ID of your choosing or within PowerShell locally.
Invoke-WmiCommandExecutes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel.
ScriptModificationModify and/or prepare scripts for execution on a compromised machine.Out-EncodedCommandCompresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
Out-CompressedDllCompresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
Out-EncryptedScriptEncrypts text files/scripts.
Remove-CommentsStrips comments and extra whitespace from a script.
PersistenceAdd persistence capabilities to a PowerShell scriptNew-UserPersistenceOptionConfigure user-level persistence options for the Add-Persistence function.
New-ElevatedPersistenceOptionConfigure elevated persistence options for the Add-Persistence function.
Add-PersistenceAdd persistence capabilities to a script.
Install-SSPInstalls a security support provider (SSP) dll.
Get-SecurityPackagesEnumerates all loaded security packages (SSPs).
AntivirusBypassAV doesn't stand a chance against PowerShell!Find-AVSignatureLocates single Byte AV signatures utilizing the same method as DSplit from "class101".
ExfiltrationAll your data belong to me!Invoke-TokenManipulationLists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in the current thread.
Invoke-CredentialInjectionCreate logons with clear-text
credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon).
Invoke-NinjaCopyCopies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.
Invoke-MimikatzReflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to
dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz.
Get-KeystrokesLogs keys pressed, time and the active window.
Get-GPPPasswordRetrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
Get-GPPAutologonRetrieves autologon username and password from registry.xml if pushed through Group Policy Preferences.
Get-TimedScreenshotA function that takes screenshots at a regular interval and saves them to a folder.
New-VolumeShadowCopyCreates a new volume shadow copy.
Get-VolumeShadowCopyLists the device paths of all local volume shadow copies.
Mount-VolumeShadowCopyMounts a volume shadow copy.
Remove-VolumeShadowCopyDeletes a volume shadow copy.
Get-VaultCredentialDisplays Windows vault credential objects including cleartext web credentials.
Out-MinidumpGenerates a full-memory minidump of a process.
'Get-MicrophoneAudio'Records audio from system microphone and saves to disk
MayhemCause general mayhem with PowerShell.Set-MasterBootRecordProof of concept code that overwrites the master boot record with the message of your choice.
Set-CriticalProcessCauses your machine to
blue screen upon exiting PowerShell.
PrivescTools to help with escalating privileges on a target.PowerUpClearing house of common
privilege escalation checks, along with some weaponization vectors.
ReconTools to aid in the reconnaissance phase of a penetration test.Invoke-PortscanDoes a simple port scan using regular sockets, based (pretty) loosely on nmap.
Get-HttpStatusReturns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file.
Invoke-ReverseDnsLookupScans an IP address range for DNS PTR records.
PowerViewPowerView is series of functions that performs network and Windows domain enumeration and exploitation.
Recon\DictionariesA collection of dictionaries used to aid in the reconnaissance phase of a penetration test. Dictionaries were taken from the following sources.UsageRefer to the comment-based help in each individual script for detailed usage information.
To install this module, drop the entire PowerSploit folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules" The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
To use the module, type
Import-Module PowerSploitTo see the commands imported, type
Get-Command -Module PowerSploitIf you're running PowerShell v3 and you want to remove the annoying 'Do you really want to run scripts downloaded from the Internet' warning, once you've placed PowerSploit into your module path, run the following one-liner:
$Env:PSModulePath.Split(';') | % { if ( Test-Path (Join-Path $_ PowerSploit) ) {Get-ChildItem $_ -Recurse | Unblock-File} }For help on each individual command, Get-Help is your friend.
Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module simply lends itself to increased portability.
Contribution RulesWe need contributions! If you have a great idea for PowerSploit, we'd love to add it. New additions will require the following:
- The script must adhere to the style guide. Any exceptions to the guide line would need an explicit, valid reason.
- The module manifest needs to be updated to reflect the new function being added.
- A brief description of the function should be added to this README.md
- Pester tests must accompany all new functions. See the Tests folder for examples but we are looking for tests that at least cover the basics by testing for expected/unexpected input/output and that the function exhibits desired functionality. Make sure the function is passing all tests (preferably in mutiple OSes) prior to submitting a pull request. Thanks!
Script Style GuideFor all contributors and future contributors to PowerSploit, I ask that you follow this style guide when writing your scripts/modules.- Avoid Write-Host at all costs. PowerShell functions/cmdlets are not command-line utilities! Pull requests containing code that uses Write-Host will not be considered. You should output custom objects instead. For more information on creating custom objects, read these articles:
- If you want to display relevant debugging information to the screen, use Write-Verbose. The user can always just tack on '-Verbose'.
- Always provide descriptive, comment-based help for every script. Also, be sure to include your name and a BSD 3-Clause license (unless there are extenuating circumstances that prevent the application of the BSD license).
- Make sure all functions follow the proper PowerShell verb-noun agreement. Use Get-Verb to list the default verbs used by PowerShell. Exceptions to supported verbs will be considered on a case-by-case basis.
- I prefer that variable names be capitalized and be as descriptive as possible.
- Provide logical spacing in between your code. Indent your code to make it more readable.
- If you find yourself repeating code, write a function.
- Catch all anticipated errors and provide meaningful output. If you have an error that should stop execution of the script, use 'Throw'. If you have an error that doesn't need to stop execution, use Write-Error.
- If you are writing a script that interfaces with the Win32 API, try to avoid compiling C# inline with Add-Type. Try to use the PSReflect module, if possible.
- Do not use hardcoded paths. A script should be useable right out of the box. No one should have to modify the code unless they want to.
- PowerShell v2 compatibility is highly desired.
- Use positional parameters and make parameters mandatory when it makes sense to do so. For example, I'm looking for something like the following:
[Parameter(Position = 0, Mandatory = $True)]
- Don't use any aliases unless it makes sense for receiving pipeline input. They make code more difficult to read for people who are unfamiliar with a particular alias.
- Try not to let commands run on for too long. For example, a pipeline is a natural place for a line break.
- Don't go overboard with inline comments. Only use them when certain aspects of the code might be confusing to a reader.
- Rather than using Out-Null to suppress unwanted/irrelevant output, save the unwanted output to $null. Doing so provides a slight performance enhancement.
- Use default values for your parameters when it makes sense. Ideally, you want a script that will work without requiring any parameters.
- If a script creates complex custom objects, include a ps1xml file that will properly format the object's output.
via
KitPloitContinue reading
"Exploit-Me is a suite of Firefox web application security testing tools designed to be lightweight and easy to use. The Exploit-Me series was originally introduced at the SecTor conference in Toronto. The slides for the presentation are available for download. Along with this SecTor is making the audio of the talk available." read more...
Wirelurker for Windows (WinLurker)
Research: Palo Alto Claud Xiao WIRELURKER: A New Era in iOS and OS X Malware
"Odysseus is a tool designed for testing the security of web applications. Odysseus is a proxy server, which acts as a man-in-the-middle during an HTTP session. A typical HTTP proxy will relay packets to and from a client browser and a web server. Odysseus will intercept an HTTP session's data in either direction and give the user the ability to alter the data before transmission. For example, during a normal HTTP SSL connection a typical proxy will relay the session between the server and the client and allow the two end nodes to negotiate SSL. In contrast, when in intercept mode, Odysseus will pretend to be the server and negotiate two SSL sessions, one with the client browser and another with the web server." read more...
.jpg)