powertools-help.ps1
174 lines (146 loc) · 11.3 KB
# Prints the PowerUp function summary to the console.
# The text lives in a single-quoted here-string (@' ... '@) so that nothing
# inside it is interpolated or escaped; the closing '@ must start its own line.
function Get-Poweruphelp
{
    $poweruphelp = @'
#PowerUp
PowerUp is a PowerShell tool to assist with local privilege escalation on
Windows systems. It contains several methods to identify and abuse
vulnerable services, as well as DLL hijacking opportunities, vulnerable
registry settings, and escalation opportunities.
Developed by [@harmj0y](https://twitter.com/harmj0y)
Part of Veil's [PowerTools](https://github.com/Veil-Framework/PowerTools)
## Service Enumeration:
Get-ServiceUnquoted - returns services with unquoted paths that also have a space in the name
Get-ServiceEXEPerms - returns services where the current user can write to the service binary path
Get-ServicePerms - returns services the current user can modify
## Service Abuse:
Invoke-ServiceUserAdd - modifies a modifiable service to create a user and add it to the local administrators
Write-UserAddServiceBinary - writes out a patched C# service binary that adds a local administrative user
Write-ServiceEXE - replaces a service binary with one that adds a local administrator user
Restore-ServiceEXE - restores a replaced service binary with the original executable
## DLL Hijacking:
Invoke-FindDLLHijack - finds DLL hijacking opportunities for currently running processes
Invoke-FindPathHijack - finds service %PATH% .DLL hijacking opportunities
## Registry Checks:
Get-RegAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set
Get-RegAutoLogon - checks for Autologon credentials in the registry
## Misc. Checks:
Get-UnattendedInstallFiles - finds remaining unattended installation files
Get-Webconfig - checks for any encrypted web.config strings
Get-ApplicationHost - checks for encrypted application pool and virtual directory passwords
## Helpers:
Invoke-AllChecks - runs all current escalation checks and returns a report
Write-UserAddMSI - writes out an MSI installer that prompts for a user to be added
Invoke-ServiceStart - starts a given service
Invoke-ServiceStop - stops a given service
Invoke-ServiceEnable - enables a given service
Invoke-ServiceDisable - disables a given service
Get-ServiceDetails - returns detailed information about a service
'@
    Write-Host $poweruphelp
}
# Prints the PowerView function summary to the console.
# Single-quoted here-string for the same reason as above: the original used a
# double-quoted string, which left "[domain\\]username" with a doubled backslash
# in the output (PowerShell does not treat backslash as an escape character).
function Get-Powerviewhelp
{
    $powerviewhelp = @'
#PowerView
PowerView is a PowerShell tool to gain network situational awareness on
Windows domains. It contains a set of pure-PowerShell replacements for various
Windows 'net *' commands, which utilize PowerShell AD hooks and underlying
Win32 API functions to perform useful Windows domain functionality.
It also implements various useful metafunctions, including a port
of [Rob Fuller's](https://twitter.com/mubix) [netview.exe](https://github.com/mubix/netview) tool,
and some custom-written 'UserHunter' functions which will identify where on the
network specific users are logged into. It can also check which machines
on the domain the current user has local administrator access on. See function
descriptions for appropriate usage and available options.
For detailed output of underlying functionality, pass the -Debug flag to most functions.
For functions that enumerate multiple machines, pass the -Verbose flag to get a
progress status as each host is enumerated.
Developed by [@harmj0y](https://twitter.com/harmj0y)
Part of Veil's [PowerTools](https://github.com/Veil-Framework/PowerTools)
Thanks to:
[@davidpmcguire](https://twitter.com/davidpmcguire) for inspiration,
[@mubix](https://twitter.com/mubix) for building netview.exe and open sourcing it,
[@obscuresec](https://twitter.com/obscuresec), [@mattifestation](https://twitter.com/mattifestation) and [darkoperator](https://twitter.com/Carlos_Perez) for examples and how to write proper PowerShell modules,
zeknox, smilingraccoon, and r3dy for the [local_admin_search_enum](https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/local_admin_search_enum.rb) idea in Metasploit,
dunedinite, normanj, and powershellmagazine.com, for some (cited) examples to adapt and draw from
## Misc Functions:
Get-HostIP - resolves a hostname to an IP
Check-Write - checks if the current user can write to the specified file
Set-MacAttribute - sets MAC attributes for a file based on another file or input (from PowerSploit)
Invoke-CopyFile - copies a local file to a remote location, matching MAC properties
Test-Server - tests connectivity to a specified server
Get-UserProperties - returns all properties specified for users, or a set of user:prop names
Get-ComputerProperties - returns all properties specified for computers, or a set of computer:prop names
Get-LastLoggedOn - returns the last logged on user for a target host
Get-UserLogonEvents - returns logon events from the event log for a specified host
Get-UserTGTEvents - returns TGT request events for a specified host
Invoke-CheckLocalAdminAccess - checks if the current user context has local administrator access
to a specified host
Invoke-SearchFiles - searches a local or remote path for files with specific terms in the name
## net * Functions:
Get-NetDomain - gets the name of the current user's domain
Get-NetForest - gets the forest associated with the current user's domain
Get-NetForestDomains - gets all domains for the current forest
Get-NetDomainControllers - gets the domain controllers for the current computer's domain
Get-NetCurrentUser - gets the current [domain\]username
Get-NetUser - returns all user objects, or the user specified (wildcard specifiable)
Get-NetUserSPNs - gets all user ServicePrincipalNames
Get-NetOUs - gets data for domain organizational units
Invoke-NetUserAdd - adds a local or domain user
Get-NetGroups - gets a list of all current groups in the domain
Get-NetGroup - gets data for each user in a specified domain group
Get-NetLocalGroups - gets a list of local groups on a remote host or hosts
Get-NetLocalGroup - gets the members of a local group on a remote host or hosts
Get-NetLocalServices - gets a list of running services/paths on a remote host or hosts
Invoke-NetGroupUserAdd - adds a user to a specified local or domain group
Get-NetComputers - gets a list of all current servers in the domain
Get-NetFileServers - gets a list of file servers used by current domain users
Get-NetShare - gets share information for a specified server
Get-NetLoggedon - gets users actively logged onto a specified server
Get-NetSessions - gets active sessions on a specified server
Get-NetFileSessions - returns combined Get-NetSessions and Get-NetFiles output
Get-NetConnections - gets active connections to a specific server resource (share)
Get-NetFiles - gets open files on a server
Get-NetProcesses - gets the remote processes and owners on a remote server
## User-Hunting Functions:
Invoke-UserHunter - finds machines on the local domain where specified users are
logged into, and can optionally check if the current user has
local admin access to found machines
Invoke-UserHunterThreaded - threaded version of Invoke-UserHunter
Invoke-StealthUserHunter - finds all file servers utilized in user HomeDirectories, and checks
the sessions on each file server, hunting for particular users
Invoke-UserProcessHunter - hunts for processes on domain machines running under specific
target user accounts
Invoke-ProcessHunter - hunts for processes with a specific name on domain machines
Invoke-UserEventHunter - hunts for user logon events in domain controller event logs
## Domain Trust Functions:
Get-NetDomainTrusts - gets all trusts for the current user's domain
Get-NetDomainTrustsLDAP - gets all trusts for the current user's domain using just LDAP
queries. This is less accurate than Get-NetDomainTrusts but
allows you to relay all traffic through your primary DC.
Get-NetForestTrusts - gets all trusts for the forest associated with the current user's domain
Invoke-FindUserTrustGroups - enumerates users who are in groups outside of their principal domain
Invoke-FindAllUserTrustGroups - maps all domain trusts and enumerates all users who are in groups outside
of their principal domain
Invoke-MapDomainTrusts - tries to build a relational mapping of all domain trusts
Invoke-MapDomainTrustsLDAP - tries to build a relational mapping of all domain trusts using
Get-NetDomainTrustsLDAP
## MetaFunctions:
Invoke-Netview - a port of @mubix's netview.exe tool using Get-Net* functionality;
finds all machines on the local domain and runs various enumeration
methods on what it finds
Invoke-NetviewThreaded - threaded version of Invoke-Netview
Invoke-UserView - returns parsable session/loggedon user data for a given domain
Invoke-ShareFinder - finds (non-standard) shares on hosts in the local domain
Invoke-ShareFinderThreaded - threaded version of Invoke-ShareFinder
Invoke-FileFinder - finds potentially sensitive files on hosts in the local domain
Invoke-FileFinderThreaded - threaded version of Invoke-FileFinder
Invoke-FindLocalAdminAccess - finds machines on the domain that the current user has local admin
access to
Invoke-FindLocalAdminAccessThreaded - threaded version of Invoke-FindLocalAdminAccess
Invoke-UserFieldSearch - searches a user field for a particular term
Invoke-ComputerFieldSearch - searches a computer field for a particular term
Invoke-FindVulnSystems - finds systems likely vulnerable to MS08-067
Invoke-HostEnum - runs all available enumeration checks on a single host
Invoke-EnumerateLocalAdmins - enumerates members of the local Administrators groups across all
machines in the domain
Invoke-EnumerateLocalAdminsThreaded - threaded version of Invoke-EnumerateLocalAdmins
'@
    Write-Host $powerviewhelp
}