GithubHelp home page GithubHelp logo

anthrax3 / p0wnedshell Goto Github PK

View Code? Open in Web Editor NEW

This project forked from cn33liz/p0wnedshell

0.0 0.0 0.0 10.96 MB

PowerShell Runspace Post Exploitation Toolkit

License: BSD 3-Clause "New" or "Revised" License

C# 97.85% PowerShell 0.02% Smalltalk 2.13%

p0wnedshell's Introduction

p0wnedShell

PowerShell Runspace Post Exploitation Toolkit

Alt text

Author: Cn33liz and Skons

Version: 2.0 License: BSD 3-Clause

What is it:

p0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs powershell commands and functions within a powershell runspace environment (.NET). It has a lot of offensive PowerShell modules and binaries included to make the process of Post Exploitation easier. What we tried was to build an “all in one” Post Exploitation tool which we could use to bypass all mitigations solutions (or at least some off), and that has all relevant tooling included. You can use it to perform modern attacks within Active Directory environments and create awareness within your Blue team so they can build the right defense strategies.

How to Compile it:

To compile p0wnedShell you need to import this project within Microsoft Visual Studio or if you don't have access to a Visual Studio installation, you can compile it as follows:

To Compile as x86 binary:

cd \Windows\Microsoft.NET\Framework\v4.0.30319

csc.exe /unsafe /reference:"C:\p0wnedShell\System.Management.Automation.dll" /reference:System.IO.Compression.dll /win32icon:C:\p0wnedShell\p0wnedShell.ico /out:C:\p0wnedShell\p0wnedShellx86.exe /platform:x86 "C:\p0wnedShell\*.cs"

To Compile as x64 binary:

cd \Windows\Microsoft.NET\Framework64\v4.0.30319

csc.exe /unsafe /reference:"C:\p0wnedShell\System.Management.Automation.dll" /reference:System.IO.Compression.dll /win32icon:C:\p0wnedShell\p0wnedShell.ico /out:C:\p0wnedShell\p0wnedShellx64.exe /platform:x64 "C:\p0wnedShell\*.cs"

p0wnedShell uses the System.Management.Automation namespace, so make sure you have the System.Management.Automation.dll within your source path when compiling outside of Visual Studio.

How to use it:

Just run the executables or...

To run as x86 binary and bypass Applocker (Credits for this great bypass go to Casey Smith aka subTee):

cd \Windows\Microsoft.NET\Framework\v4.0.30319 (Or newer .NET version folder)

InstallUtil.exe /logfile= /LogToConsole=false /U C:\p0wnedShell\p0wnedShellx86.exe

To run as x64 binary and bypass Applocker:

cd \Windows\Microsoft.NET\Framework64\v4.0.30319 (Or newer .NET version folder)

InstallUtil.exe /logfile= /LogToConsole=false /U C:\p0wnedShell\p0wnedShellx64.exe

What's inside the runspace:

The following PowerShell tools/functions are included:

  • PowerSploit: Invoke-Shellcode
  • PowerSploit: Invoke-ReflectivePEInjection
  • PowerSploit: Invoke-Mimikatz
  • PowerSploit: Invoke-TokenManipulation
  • PowerSploit: PowerUp and PowerView
  • Rasta Mouse: Sherlock
  • HarmJ0y's: Invoke-Psexec and Invoke-Kerberoast
  • Rohan Vazarkar's: Invoke-BloodHound (C# Ingestor)
  • Chris Campbell's: Get-GPPPassword
  • Tim Medin's: GetUserSPNS
  • Besimorhino's: PowerCat
  • Nishang: Copy-VSS and Invoke-Encode
  • Nishang: Invoke-PortScan and Get-PassHashes
  • Kevin Robertson: Invoke-Tater, Invoke-SMBExec and Invoke-WMIExec
  • Kevin Robertson: Invoke-Inveigh and Invoke-InveighRelay
  • FuzzySecurity: Invoke-MS16-032 and Invoke-MS16-135

Powershell functions within the Runspace are loaded in memory from Base64 encode and compressed strings.

The following Binaries/tools are included:

  • Benjamin DELPY's Mimikatz
  • Benjamin DELPY's MS14-068 kekeo Exploit
  • Didier Stevens modification of ReactOS Command Prompt
  • MS14-058 Local SYSTEM Exploit
  • hfiref0x MS15-051 Local SYSTEM Exploit

Binaries are loaded in memory using ReflectivePEInjection (Byte arrays are compressed using Gzip and saved within p0wnedShell as Base64 encoded strings).

Shout-outs:

p0wnedshell is heavily based on tools and knowledge from people like harmj0y, the guys from Powersploit, Sean Metcalf, SubTee, Nikhil Mittal, Besimorhino, Benjamin Delpy, Breenmachine, FoxGlove Security, Kevin Robertson, FuzzySecurity, James Forshaw and anyone else i forgot. So shout-outs go to them and of course to our friends in Redmond for giving us access to a very powerfull hacking language.

Todo:

  • Tab completion within the shell using TabExpansion2.
  • More attacks (Kerberos Silver Tickets e.g.)

Contact:

To report an issue or request a feature, feel free to contact me at: Cornelis at dePlaa.com or @Cn33lis

p0wnedshell's People

Contributors

cn33liz avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.